
Barracuda NG Firewall 4.2.10
Administrators Guide
Revision 3.5

Barracuda Networks Inc.
3175 S. Winchester Blvd
Campbell, CA 95008
http://www.barracuda.com

Barracuda NG Firewall 4.2.10 | Revision 3.5


Barracuda Networks Inc., February 2010, Revision 3.5. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


Contents

1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3 Configuration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6 Mail Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
7 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
8 Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
9 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
10 Eventing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
11 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
12 Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
13 FTP Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
14 Voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
15 Wireless LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
16 SSH Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
17 Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
18 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
19 Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
20 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
21 OSPF and RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
22 System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
23 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



1. Conventions in this Administrators Guide

1.1 Text Conventions

Table 01 Text conventions of the documentation

Convention              Font        Description
Bold                    Interstate  This style is used for highlighting certain parts of text.
Italic                  Interstate  This style is used for indicating examples.
Bold & Italic           Interstate  This style is used for items that can be found directly in your Barracuda NG Admin User Interface.
Regular                 Courier     This style is used for items that have to be/may be entered (for example on the command line or URLs).
>                       Interstate  This character indicates a multiple step path. For example "Select Box > Infrastructure Services" means: first select the Box entry, then select the Infrastructure Services entry.
Signal word: Attention  Interstate  Text equipped with the signal word Attention indicates important information concerning security features, potential problems, performance loss, ...
Signal word: Note       Interstate  Text equipped with the signal word Note indicates useful information for operating/configuring the Barracuda NG Firewall.

1.2 Parameter Lists, Tables and Figures

There are two kinds of tables:
- A table containing parameters is called parameter list (numbering example: list 39, page 55).
- A table containing no parameters is called table (numbering example: table 01, page 4).

The numbering of parameter lists, tables, and figures occurs in the following way: chapter number, followed by an increasing number. Example: figure 314 means that the figure is located in chapter 3 (Configuration Service) and is the 14th figure in this chapter.

Note:
Tables and parameter lists have their own range of numbers.

Directories:
- Parameter List Directory, page 557
- Table Directory, page 591
- Figure Directory, page 595

1.2.1 Example

As you can see in the following figure, the dialog Common Settings consists of three sections:
- Common
- Network Routes
- Access Control List (ACL)

Fig. 01 Example: Common Settings

Three parameter lists follow this figure, one for every section:
- list 531 VPN Configuration - Client to Site - External CA Tab > Common Tab Common Section
- list 532 VPN Configuration - Client to Site - External CA Tab > Common Tab Network Routes Section
- list 533 VPN Configuration - Client to Site - External CA Tab > Common Tab ACL Section

(Origin: VPN 2.6.2.6 Common Tab, page 228)




2. How to Gather Information from this Documentation

2.1 Course of Action

How can you find what you are looking for? Try these procedures:
- For information about a particular parameter use the Index of Configuration Parameters, page 567. At the end of the entry you see the chapter in which the parameter occurs.
- For information about a particular section use the Index of Dialog Sections, page 550. At the end of the entry you see the chapter in which the section occurs.

Fig. 02 Example section Condition

- If you are looking for a certain parameter list, table, or figure use the Parameter List Directory, page 557, Table Directory, page 591 or Figure Directory, page 595.
- For general information use the main directory (Contents, page 3) first, then go through the directory of the chosen chapter.
- What's new? Take a look at the Log of Changes, page 621.

2.2 Feedback

If you encounter any inconsistencies, errors, mistakes or outdated information within this documentation, then please don't hesitate to contact the Barracuda Networks Support in order to get the information you need. We'd furthermore appreciate it very much if you would also let us know about the documentation problem you discovered. This enables us to fix it within the upcoming release.






1 Getting Started

1. Installation of a Barracuda NG Firewall


1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2 Installation from Scratch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3 Installation with a Saved Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 Crash Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5 Installation & Configuration Walk-through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2. Barracuda NG Installer
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Creating a "standard" Kickstart Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Creating a Disk in "Kickstart Only" Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.4 Creating a Kickstart Disk for Installation via Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5 Barracuda Networks Multi-Platform Product Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3. Barracuda NG Admin
3.1 Logging in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.1 Start Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.2 Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2.3 Tool Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.4 Box Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.5 Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.6 Mini Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.7 Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4. Settings
4.1 Boxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.2 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.3 Admin & CC Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4 Certificates & Private Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4.1 Using Keys on a Barracuda NG Firewall 4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.5 Public Host Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

5. Inverted CIDR notation
5.1 Comparison CIDR - Inverted CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25




1. Installation of a Barracuda NG Firewall

1.1 General

There are two ways of installing a Barracuda NG Firewall:
- Installation from Scratch
- Installation with a Saved Configuration

1.2 Installation from Scratch

Note:
This is only a short summary of the installation process. A more detailed step-by-step installation guide can be found in the Quick Start Guide located on the Barracuda Networks CD. Detailed information concerning the usage of the Barracuda NG Installer installation tool can be found at 2. Barracuda NG Installer, page 10.

The basic configuration of a Barracuda NG Firewall is done with the Barracuda NG Installer installation tool.

Start Barracuda NG Installer from the Application & Documentation flash USB stick and leave the wizard mode at the default setting Full. Enter a hostname and all other information that is needed for creation of the kick-start disk.

After the kick-start disk has been created, insert the Gateway Installation flash USB stick and kick-start disk into your system to begin installation of the Barracuda NG Firewall.

Note:
Make sure that booting from flash USB stick is enabled in the computer's BIOS.

The installation process itself is fully automatic and needs minimum user interaction.

After successful installation you should be able to connect to the box using the Barracuda NG Admin administration GUI. All further configuration of the Barracuda NG Firewall is done with the Barracuda NG Admin.

1.3 Installation with a Saved Configuration

The reinstallation of an already configured Barracuda NG Firewall is prepared in two steps. First of all a PAR file (Portable Archive) containing the complete system configuration is required. Second, the kickstart disk has to be created using the option Create Kickstart only. Copy the PAR file onto the same disk as the kickstart file or, alternatively, make it available for network access. The PAR file name has to begin with "box" (for example box.par, box_boxname.par).

Insert the Gateway Installation flash USB stick and kickstart disk into your system to begin installation of the Barracuda NG Firewall.

Note:
Make sure that booting from flash USB stick is enabled in the computer's BIOS.

Note:
For details on PAR file creation see Configuration Service 5.3 Creating PAR Files, page 119.

Note:
For details on kickstart disk creation see 2.3 Creating a Disk in "Kickstart Only" Mode, page 15.

1.4 Crash Recovery

Note:
A backup of the recent configuration is an absolute must for successful and fast crash recovery. A current backup should always be available (Configuration Service 5.3 Creating PAR Files, page 119).

1.4.1 Crash Recovery with Identical Hardware

Crash recovery itself works as described in 1.3 Installation with a Saved Configuration, page 8.

Attention:
This method only works if identical hardware (CPU-ID, MAC addresses, motherboard ID) is used for recovery.




1.4.2 Crash Recovery with New Hardware

Crash recovery itself works as described in 1.3 Installation with a Saved Configuration, page 8.

Use of different hardware than the license has been issued to will cause the license to be invalid. The box will now run in so-called grace mode. Nevertheless, even in grace mode the complete functionality of the Barracuda NG Firewall is guaranteed. A pop-up window will be displayed as soon as grace mode expires. If, until then, no new license is available, the box gets deactivated.

Attention:
To keep up the integrity of the Barracuda NG Firewall it is of great importance to obtain new licenses for the system as soon as possible.

To import a new license, enter the Configuration window (Config) of the box. There select Box and double-click Box Licenses.

Fig. 11 Window Box Licenses in read/write mode

Now lock the window, select the license and remove it by clicking Delete. Import the new license by use of the pull-down menu and selection of Import (from File or Clipboard).

1.5 Installation & Configuration Walk-through

Step 1 Installation of the box
Gather needed information, create a kick-start floppy disk with Barracuda NG Installer (see 2. Barracuda NG Installer, page 10), and start installation. For more information, see:
- Quick Start Guide
- 2. Barracuda NG Installer, page 10
- Getting Started, page 7

Step 2 Basic configuration
Configure networking and box services (SSH, statistics, logging, box settings, ...). For more information, see:
- Configuration Service, page 41

Step 3 Server configuration
Create a new server and configure it. For more information, see:
- Configuration Service, page 41

Step 4 Check settings
Log into the box with the Barracuda NG Admin administration GUI and check if all servers have been introduced and if box services are up and running. For more information, see:
- Control, page 27

Step 5 Create dedicated HA box (optional)
Create a DHA box and configure its network settings. For more information, see:
- High Availability, page 399

Step 6 Create Services
Create one or more services and configure them. For more information, see:
- Firewall, page 131
- VPN, page 211
- DNS, page 331
- Mail Gateway, page 259
- DHCP, page 287
- Proxy, page 339

Step 7 Licensing
Obtain licenses for your system (gather necessary information first) and import them. For more information, see:
- Licensing, page 529

Step 8 Backup configuration
After completion of the configuration, create a first backup (PAR file) of your system. For more information, see:
- Configuration Service 5.3 Creating PAR Files, page 119




2. Barracuda NG Installer

2.1 General

All information required for installing a Barracuda NG Firewall and/or a Barracuda NG Control Center can be configured using the tool Barracuda NG Installer. The kickstart file, created at the end of a successful Barracuda NG Installer session, is essential for installation. The executable Barracuda NG Installer is available on your Barracuda NG Firewall - Application & Documentation flash USB stick and on the Gateway Installation flash USB stick.

Note:
Before starting Barracuda NG Installer, we recommend gathering information about:
- Hostname
- Time zone (local or UTC)
- Keyboard layout
- Size of hard disk(s)
- Manufacturer or chip set type of network card(s)
- Management IP of the Barracuda NG Firewall
- Password for root and support user

Note:
For installation via network (either HTTP or FTP server) you need to have a proper boot image for the kickstart disk (available on your Gateway Installation flash USB stick, directory /images) and you need to know the path to the CD image. For information concerning how to create a bootable kickstart disk, please have a look at 2.4 Creating a Kickstart Disk for Installation via Network, page 15.

Note:
Local administration rights are needed to install files on a USB stick.

Note:
For installation with USB stick, a supported and properly formatted USB stick is needed. One of the following formattings should be used:

Table 11 USB stick Formatting

Installation system                 FAT16  FAT32
Barracuda NG Firewall Appliances    ✓
SECUDOS Appliances                  ✓
Heavensgate Appliances              ✓      ✓
Standard-hardware                   ✓      ✓
Crossbeam Appliances C-series       ✓

2.2 Creating a "standard" Kickstart Disk

To start the configuration procedure, copy nginstall.exe onto your local workstation and double-click it.

Step 1 Selecting the wizard mode
Select Full mode (default) when installing a system for the first time. Select Create Kickstart only when reinstalling a Barracuda NG Firewall (for example for disaster recovery) or when installing a Barracuda NG Firewall that is administered by a Barracuda NG Control Center (see 2.3 Creating a Disk in "Kickstart Only" Mode, page 15). Continue with Next.

Step 2 Configuring Installation-Mode Settings
Select your installation source here. This can either be a
- Flash USB Stick (default)
- Barracuda USB Stick
- or a network server (Network).

Selecting server-based installation mode activates the configuration section on the right side providing the following parameters:

List 11 Configuring Installation Settings with Barracuda NG Installer
Parameter    Description
URL          Enter the path to the CD image here. The following syntax is appropriate:
             ftp://user:password@server_ipaddress/path
             user:password@server_ipaddress/path/
IP address   Enter an installation IP address here. This IP will be active during setup and must be able to communicate with the installation source.
Subnet mask  Enter an appropriate subnet mask here (default: 255.255.255.0).
Gateway      Enter a gateway's IP address here if it is needed.
Nameserver   You may optionally specify a DNS server here.
Device       Configure the network interface card here, which is active during installation (default: eth0).

Continue with Next.




Step 3 Defining Box Type settings

Fig. 12 Defining Box Type Settings with Barracuda NG Installer

Here select the hardware type you are installing. The Model/Appliance combination determines product specific default settings and availability of services, again with typical default settings. Make the correct selection to achieve full profit from this feature.

Combine standard/standard-hardware if you are not using one of the listed appliance models. Barracuda NG Firewall default settings then apply for all services.

Combine controlcenter/standard-hardware if you are installing a Barracuda NG Control Center.

Each type's typical characteristics are listed at the end of this chapter (2.5 Barracuda Networks Multi-Platform Product Support, page 16). For a list of default values see 2. Barracuda NG Firewall Appliances Parameter Defaults, page 548.

Select the Demo or Export Mode checkbox if you are installing a system for testing purposes.

Note:
On unlicensed Barracuda NG Firewalls (DEMO Mode) encryption is restricted to DES. Stronger encryption is only available on systems without export flag.

Table 12 Types of DEMO versions in Barracuda NG Firewall 4.2
Version                              Characteristics
DEMO                                 cryptographically weak (DES, RSA-512)
Testing License with export flag     cryptographically weak (DES, RSA-512)
Testing License without export flag  cryptographically strong

Note:
Box Type Settings defines the content of the configuration file Box Properties (Configuration Service 2.2.2 Box Properties, page 52).

Step 4 Defining System Settings

Fig. 13 Configuring System Settings with Barracuda NG Installer

List 12 Configuring System Settings with Barracuda NG Installer
Parameter        Description
Hostname         Specify a name for the host you are installing without its domain suffix. In a hostname only characters (a-z, A-Z), numbers (0-9), and hyphens ("-") are allowed. The maximum length of this parameter is 25 characters. Later change of the hostname is possible (Configuration Service 2.2.3.1 System Access, page 54).
                 Note: This is a mandatory field. Installation cannot continue without a hostname.
Time Zone menu   Select the proper time zone for the Barracuda NG Firewall.
Keyboard Layout  This menu allows you to select the required keyboard layout.
                 Note: If the suggested keyboard layouts are insufficient, experienced users may select the appropriate setting by using the Advanced option.
Serial Console   Ticking this checkbox activates the interface for serial console.
                 Attention: Make sure to activate a serial port in your server's BIOS when using this option.

List 13 Configuring System Settings with Barracuda NG Installer section DNS
Parameter            Description
                     Attention: If the DNS servers are located in a different subnet than the box and the Barracuda NG Admin administration computer, routing has to be configured correspondingly in order to make these addresses accessible for the box (Configuration Service 2.2.5.5 Network Routes, page 68).
Primary / Secondary  These fields are used for defining DNS servers.
Domain Suffix        If the box is located in a DNS domain, the corresponding domain can be entered in this field.

List 14 Configuring System Settings with Barracuda NG Installer section Network Time Protocol
Parameter            Description
                     Attention: If the NTP server is located in a different subnet than the box and the Barracuda NG Admin administration computer, the routing has to be configured correspondingly in order to make the address accessible for the box (Configuration Service 2.2.5.5 Network Routes, page 68).




List 14 Configuring System Settings with Barracuda NG Installer section Network Time Protocol (continued)
Parameter               Description
Use NTP                 If a timeserver is available you can activate its use by ticking the checkbox 'Use NTP'. This will activate the following parameters.
IP                      This field holds the IP address of the NTP server.
Change HW clock to UTC  This checkbox can be used for changing the BIOS clock to universal time.
                        Note: Using this option is highly recommended.

Continue with Next.

Step 5 Configuring Partition Settings

Select the Disk Type that suits your system. The following disk types are available for selection:
- IDE (default)
- SCSI
- CCISS
- RD

Thereafter insert the Fixed Disk Capacity and click Suggest. This will lead to an automatic partitioning suggestion, which will work for most systems. Of course you still have the option to edit each partition manually after suggestion. Select the partition you want to modify (this is now highlighted in yellow) and edit the fields shown below the partition list.

The following parameters are available for editing the partition suggestion:

Fig. 14 Configuring Partition Settings with Barracuda NG Installer

List 15 Configuring Partition Settings with Barracuda NG Installer
Parameter         Value
Size              Assign disk space of your choice here.
Disk menu         Disk names are assigned according to the selected Disk Type:

                  Disk No.  IDE  SCSI  CCISS (Linux)  RD (Linux)
                  1         hda  sda   cciss/c0d0     rd/c0d0
                  2         hdb  sdb   cciss/c0d1     rd/c0d1
                  3         hdc  sdc   cciss/c0d2     rd/c0d2
                  4         hdd  sdd   cciss/c0d3     rd/c0d3
                  5         hde  sde   cciss/c0d4     rd/c0d4

                  Select the all checkbox to display all disk types in the Disk list. Select the change all checkbox to change the disk type for all partitions and not only for the selected one.
File system menu  The following file systems are available for selection:
                  ext2 - standard Linux file system
                  ext3 (default) - journal extension to ext2 on Linux; journaling can result in a massively reduced time spent recovering a file system after a crash, and therefore this is recommended for high demand environments, where high availability is important.
                  reiserfs - journaling file system
grow checkbox     By ticking this checkbox, the selected partition will grow to the maximum available size. This way you do not need to specify the exact size of your disk.

Note:
If you have selected a specific appliance model in the box type settings screen (see Step 3) partitioning settings will be suggested.

Continue with Next.

Step 6 Configuring your network interfaces

In the next step the appropriate network interface cards (NICs) are to be configured.

For adding a new NIC, click Add. This opens a NIC reseller list. Select a Reseller to display a list of available NICs. If you use more cards of a single model, you can enter the number of these cards in the upper right corner of this dialog (field Number).

Attention:
If you use multi-port cards, each port counts as one card (for example, a dual-port card counts as two cards).

Should the offered NICs not suit your system click Advanced (lower left corner) where you can select a certain module that fits your NIC.

Note:
Linux does not have special drivers for every single model of network card but a family of cards using the same network chip set. Again you can insert the number of cards you wish to use.
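The following Python script is an added example and not part of the Barracuda documentation or of the Barracuda NG Installer. It pre-checks the values gathered for Step 2 and Step 4 before they are typed into the wizard: the hostname rule of List 12 (letters, digits and hyphens, at most 25 characters, no domain suffix), the installation URL syntax of List 11 (the password is embedded in the URL, so the script also returns a form with the password masked that is safe to keep in a log or ticket), and the "different subnet" warnings of Lists 13 and 14, which flag DNS and NTP servers that need a route before the box can reach them. The management IP, subnet mask, server addresses and URL in the usage block are constructed sample values; the function names are the example's own.

```python
"""Pre-flight checks for values entered into Barracuda NG Installer.

Added example (not Barracuda code): re-implements, as plain Python, the
constraints this page states for the hostname (List 12), the installation
URL syntax (List 11) and the routing warnings for DNS/NTP (Lists 13 and 14).
"""
import ipaddress
import re
from urllib.parse import urlsplit

MAX_HOSTNAME_LEN = 25  # limit stated in List 12


def validate_hostname(name):
    """Return a list of problems; an empty list means the hostname is acceptable."""
    problems = []
    if not name:
        problems.append("hostname is mandatory")
        return problems
    if "." in name:
        problems.append("hostname must not contain a domain suffix")
    if len(name) > MAX_HOSTNAME_LEN:
        problems.append(f"hostname longer than {MAX_HOSTNAME_LEN} characters")
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        problems.append("only a-z, A-Z, 0-9 and '-' are allowed")
    return problems


def parse_install_url(url):
    """Split ftp://user:password@server/path into its components.

    The returned dict also carries a 'redacted' form of the URL with the
    password masked, because the credential travels inside the URL string
    and would otherwise end up verbatim in any log or ticket that records it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "http"):  # the note names HTTP or FTP servers
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("server address missing")
    redacted = url
    if parts.password is not None:
        redacted = url.replace(f":{parts.password}@", ":***@", 1)
    return {
        "scheme": parts.scheme,
        "user": parts.username,
        "password": parts.password,
        "server": parts.hostname,
        "path": parts.path,
        "redacted": redacted,
    }


def servers_needing_routes(box_ip, subnet_mask, servers):
    """Return the names of servers that lie outside the box's own subnet.

    Lists 13 and 14 warn that DNS and NTP servers in another subnet are only
    reachable once a network route exists; this flags them up front.
    """
    net = ipaddress.ip_network(f"{box_ip}/{subnet_mask}", strict=False)
    return [name for name, addr in servers.items()
            if ipaddress.ip_address(addr) not in net]


if __name__ == "__main__":
    # Constructed sample values (not from the Barracuda documentation).
    print(validate_hostname("ngfw-branch-01"))
    print(parse_install_url("ftp://install:s3cret@192.0.2.10/images/ngfw.iso")["redacted"])
    print(servers_needing_routes("192.0.2.5", "255.255.255.0",
                                 {"dns1": "192.0.2.53", "ntp": "198.51.100.123"}))
```

Run it before starting the wizard and fix whatever it reports; the redacted URL is the one to paste into change records, the original stays only in the installer dialog.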




When you click OK the NIC is added to your configuration and is ready for adapting. So select the NIC (now highlighted in yellow) and either click on Properties or simply double-click.

Fig. 15 NIC adapter configuration parameters

The following parameters are available for configuration:

List 16 NIC Adapter configuration parameters
Parameter                  Description
Default NIC checkbox       Selecting the checkbox makes this NIC the default one, which means that management access to the Barracuda NG Firewall will be provided across this network interface. The default NIC has a hook symbol assigned in the main dialog.
Management IP address /    This is the IP address through which your Barracuda NG Firewall will be administered.
Subnet mask
Additional gateway route   This checkbox has to be selected if the box administrator's workstation is in a different subnet. Selecting the checkbox makes the parameters Target Network, Subnet Mask and Gateway IP available for configuration. Configure the route from the workstation, which will be administering with Barracuda NG Admin, to the host here.
checkbox
Module parameters field    Experienced Linux users may use this field to insert further module options for network cards.
                           Note: Be aware that incorrect parameters can disable correct module loading.

Other network cards besides the default one can either be configured later using Barracuda NG Admin or immediately with Barracuda NG Installer. For configuration with Barracuda NG Installer simply add new NICs as mentioned above and configure them as needed.

Note:
If you have selected a specific appliance model in the box type settings screen (see Step 3) interface naming settings will be suggested.

Continue with Next.

Step 7 Configuring Security Settings

This dialog offers several security-relevant parameters:

List 17 Configuring Security Settings with Barracuda NG Installer
Parameter      Description
Licenses list  This listing displays the available licenses. In order to import licenses, click Import License from File and select the corresponding .lic file.
               Note: If no license is imported here, your Barracuda NG Firewall will run in demo mode until a valid license is applied.
ACL list       The Access Control List (ACL) contains IP addresses/netmasks which have exclusive access to the management IP address. The ACL protects the box from Denial of Service (DoS) attacks.
               Note: In order to avoid unnecessary exposure of the Barracuda NG Firewall to DoS attacks, restrict the scope of the ACL to addresses from which access to the management IP address is to be granted.

List 18 Configuring Security Settings with Barracuda NG Installer section Root Login
Parameter            Description
Root RSA Key         This section enables you to handle the RSA key for login on the Barracuda NG Firewall. The pull-down menu Create/Ex/Import offers several options for this occasion.
Authentication Mode  This parameter is used for defining the required security features for a successful login. Available options are: Key-OR-Password (default), Password, Key and Key-AND-Password.
Password             This parameter is mandatory for security reasons, in order to protect the Barracuda NG Firewall from unauthorized login on root level.

List 19 Configuring Security Settings with Barracuda NG Installer section Login
Parameter  Description
Password   The parameter Password is mandatory for security reasons in order to protect the Barracuda NG Firewall from unauthorized login on support level.

Continue with Next.

Step 8 Selecting required Software Packages

List 110 Configuring Software Packages with Barracuda NG Installer section Software Packages
Parameter                   Description
Barracuda NG Firewall base  This checkbox is selected by default and cannot be deactivated. This is because every Barracuda NG Firewall requires certain packages to run (for example NGFW OS, ...).
system checkbox
Install Utilities checkbox  Selecting this checkbox adds several additional programs, utilities, and the kernel sources.
                            Note: Activating this option is not recommended and only useful if you want to compile your own kernel and/or modules. Lifecycle management (for example upgrades) is not supported for systems with utilities installed.
Architecture menu           This menu provides the following types of software architecture:
                            Auto (default) - installer selects the proper architecture automatically
                            i386 - architecture required for regular systems

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


14 | Barracuda NG Installer > Creating a "standard" Kickstart Disk Getting Started

List 111 Configuring Software Packages with Barracuda NG Installer section Advanced
Parameter | Description
Kernel Parameter field | This field allows entering kernel-related parameters. Attention: When using this field be absolutely sure that you know what you are doing. Contact Barracuda Networks support before entering anything into this field. Note: This parameter takes no effect when parameter Kickstart only or Install mode > USB Stick has been selected.
LILO linear checkbox | Selecting this checkbox may be required by some controllers.
No graphic adapter available | Select this checkbox if your system does not employ a graphic adapter and you intend to administer it via a serial console.
No ACPI | Select this checkbox if your system does not employ an Advanced Configuration and Power Interface (ACPI). Note: This parameter takes no effect when parameter Kickstart only or Install mode > USB Stick has been selected.

Continue with Next.

Step 9 Configuring Script Settings

List 112 Configuring Script Settings with Barracuda NG Installer section Installation scripts
Parameter | Description
Preinstall-script | Click Modify if you want to insert a script that is started prior to the installation process. This could be some preparation of the system in order to tweak system parameters. Note: Before doing so, please contact Barracuda Networks Support.
Postinstall-script | Click Modify to modify the script provided by Barracuda Networks that is started right after the installation process. Especially when installing via network and having a PAR file with pre-defined configuration, modifying this script comes in handy as it also allows you to install the PAR file via network (see below for an example).

    ...
    for i in /mnt/floppy/box*.par; do
      /bin/echo copying par \$i
      /bin/cp -f \$i /opt/phion/update/box.par
    done

    cd /tmp
    wget ftp://user:password@server/box_name.par
    cp box_name.par /opt/phion/update/box.par

List 113 Configuring Script Settings with Barracuda NG Installer section Installation-script files
Parameter | Description
Write USB stick | Set this parameter to yes (default: no) to allow saving installation script files to a USB stick.
Save to | This field specifies the kickstart files saving location. When parameter Write USB stick is set to yes, the USB stick is selectable in this field. Note: If parameter Write USB stick is set to yes but no option is available, simply reconnect the USB stick, switch back to no and then to yes again.

List 114 Configuring Script Settings with Barracuda NG Installer section Box public key
Parameter | Description
Save to Disk checkbox | Select this checkbox to save the box public key to the kickstart disk (path defined above).
Enter in Registry checkbox | Select this checkbox to insert the box public key into the local registry (default).

Step 10 Configuring USB Stick Settings
(only available if parameter Write USB stick is set to yes)

This configuration dialog provides USB stick-relevant settings and additionally allows importing the ISO image.

Fig. 16 Configuring USB stick settings with Barracuda NG Installer

Attention:
Consider the following restrictions:
- Only USB sticks with one partition are supported.
- Some BIOS versions seem to be able to manage a USB hard disk but in fact they are not.
- When using Unattended Installation the USB stick may contain only one par-file or one pgz-file.
- Any data on the USB stick will be lost.

The following parameters are available:

List 115 Configuring USB Stick Settings with Barracuda NG Installer section Installation Mode Settings (1)
Parameter | Description
USB Device on Box | Linux handles USB sticks as SCSI devices and therefore addresses them as sda, sdb, sdc, ... On the box which is prepared for setup, the USB stick with the installation files thus has to be mounted onto an available Linux device. Depending on the number of already installed SCSI hard disks, the USB stick is addressed as displayed in the following table:
    SCSI Harddisks | Addressed as | USB stick addressed as
    0 | - | sda1 (default)
    1 | sda | sdb1
    2 | sda, sdb | sdc1
    3 | sda, sdb, sdc | sdd1
Unattended Installation | Setting this parameter to yes (default: no) starts the installation process completely without any user interaction (no Welcome screen, no Installation Complete screen) as soon as the USB stick is plugged in. Attention: Use USB sticks with activated Unattended Installation with extreme caution to avoid an "accidentally" initiated box installation. Note: This type of installation should only be used in conjunction with appliances.
Enable serial console | Selecting this checkbox redirects installation output to the serial console.
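The postinstall script in Step 9 copies whichever box*.par files it finds and then fetches one over FTP. The following is an added example, not Barracuda's script and not the installer's own code: a POSIX shell function that stages exactly one *.par or *.pgz from the mounted installation media (the restriction Step 10 states for Unattended Installation), refuses to guess when several are present, and verifies the copy by digest before the installer reads it. The function name, the exit codes and the demo media directory are assumptions for this example; the destination /opt/phion/update/box.par is the path the script above uses.

```shell
#!/bin/sh
# Added example, not Barracuda's postinstall script: stage exactly one
# portable archive (*.par or *.pgz) from installation media into the file
# the installer applies, and verify the copy before it is used.
# Function name, exit codes and the demo directory are assumptions.

set -u

# stage_par_archive SRC_DIR DEST_FILE
# Exit codes: 0 = staged, 1 = copy failed, 2 = no archive found,
#             3 = more than one archive (unattended mode cannot ask which
#             one to apply, so refuse instead of guessing), 4 = digest mismatch.
stage_par_archive() {
    src_dir=$1
    dest=$2
    count=0
    archive=""
    for f in "$src_dir"/*.par "$src_dir"/*.pgz; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        count=$((count + 1))
        archive=$f
    done
    if [ "$count" -eq 0 ]; then
        echo "no .par/.pgz archive found in $src_dir" >&2
        return 2
    fi
    if [ "$count" -gt 1 ]; then
        echo "$count archives in $src_dir; unattended installation needs exactly one" >&2
        return 3
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    cp -f "$archive" "$dest" || return 1
    # Compare digests so a truncated or interrupted copy is never applied.
    src_sum=$(sha256sum "$archive" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "digest mismatch after copying $archive" >&2
        rm -f "$dest"
        return 4
    fi
    echo "staged $archive as $dest (sha256 $src_sum)"
}

# Demo on a constructed scratch "USB stick" (the installer would mount the
# real stick instead): sh stage_par.sh --demo
if [ "${1:-}" = "--demo" ]; then
    media=$(mktemp -d)
    printf 'constructed demo configuration\n' > "$media/box.par"
    stage_par_archive "$media" "$media/update/box.par"
    rm -rf "$media"
fi
```

Run it with --demo to watch it stage a constructed archive from a scratch directory. Reading from local media also keeps credentials out of the script; where a network fetch cannot be avoided, wget can take FTP credentials from a .netrc file instead of the URL, where they would otherwise show up in process listings and logs.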
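List 114 lets the installer save the box public key to the kickstart disk or enter it into the local registry, and the Public Host Keys tab of Barracuda NG Admin (section 4.5) later lists the keys of all boxes a workstation has accessed; the Hash column described in section 4.4 exists so that an administrator can compare keys quickly. The following is an added example, not Barracuda NG Admin code: a small POSIX shell store that records a box's key fingerprint on first contact and rejects a later connection whose key fingerprint differs. The store format (one "host fingerprint" line per box), SHA-256 as the fingerprint and the function names are assumptions; the constructed key files stand in for real public keys.

```shell
#!/bin/sh
# Added example, not Barracuda NG Admin code: a minimal public host key store
# with the behaviour described for the Box public key / Public Host Keys
# handling above. Store format (one "host fingerprint" line per box), SHA-256
# as the fingerprint and the function names are assumptions for this example.

set -u

# key_fingerprint KEY_FILE
# Prints a short hash of the key bytes: the value an administrator compares
# when checking whether two keys are equal.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_host_key STORE HOST KEY_FILE
# Exit codes: 0 = presented key matches the stored fingerprint, or HOST was
#             unknown and its fingerprint is now recorded (first contact);
#             1 = a different key was presented for HOST; the store is left
#             unchanged so the change has to be reviewed by a person.
check_host_key() {
    store=$1
    host=$2
    fp=$(key_fingerprint "$3")
    touch "$store"
    stored=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
    if [ -z "$stored" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$store"
        echo "$host: first contact, recorded fingerprint $fp"
        return 0
    fi
    if [ "$stored" = "$fp" ]; then
        echo "$host: key matches stored fingerprint"
        return 0
    fi
    echo "$host: KEY CHANGED (stored $stored, presented $fp); not accepted" >&2
    return 1
}

# Demo with constructed key files: sh host_keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'constructed public key of box A\n' > "$d/boxA.pub"
    printf 'constructed public key of box B\n' > "$d/boxB.pub"
    check_host_key "$d/hostkeys" 10.0.0.1 "$d/boxA.pub"   # first contact: recorded
    check_host_key "$d/hostkeys" 10.0.0.1 "$d/boxA.pub"   # same key: accepted
    check_host_key "$d/hostkeys" 10.0.0.1 "$d/boxB.pub" || echo "demo: mismatch detected as intended"
    rm -rf "$d"
fi
```

The first contact is trusted only because the key was delivered out of band on the kickstart disk; after that, a changed fingerprint for a known box is the signal to stop and verify with the box itself rather than to overwrite the stored entry.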

List 116 Configuring USB Stick Settings with Barracuda NG Installer section Installation Mode Settings (2)
Parameter | Description
Image | The pull-down menu of this parameter allows selecting the installation media: Create from CD - creates an ISO image directly from a CD-ROM selected in the list; Copy ISO image - imports an already existing ISO image file to the USB stick. Attention: Any selection starts the related process immediately without user interaction.
Portable Archive Files | If you are installing with a USB stick you may add portable archive files (*.par) and compressed portable archive files (*.pgz) to the kickstart disk in order to take over complete box configurations when installing. If you have added more than one archive file you will be queried which one to apply during installation.

2.3 Creating a Disk in "Kickstart Only" Mode

Note:
For a description of system installation with a PAR file see 1.3 Installation with a Saved Configuration, page 8.

Kickstart files created in this mode can only be applied together with a Portable Archive (PAR) file (Configuration Service 5.3 Creating PAR Files, page 119). The PAR file has to be available on either disk or network. If the PAR (.par) file is too big to be saved to the floppy disk, consider creating a compressed PAR (.pgz) file instead.

Create Kickstart only mode may be used when:
- reinstalling a Barracuda NG Firewall (disaster recovery, for example).
- installing a Barracuda NG Firewall administered by a Barracuda NG Control Center.

When creating a kickstart file using mode "kickstart only", it can only include settings that cannot be included in the PAR file. These settings are:
- Box Type Settings / Software Packages pre-selection assigned to a specific Model/Appliance type
- Partition Settings

Fig. 17 Box Type Settings window in Create Kickstart only mode

To create a kickstart file in "kickstart only" mode, proceed as described in 2.2 Creating a "standard" Kickstart Disk.

Note:
Only the settings stated above will be effective when installing the system. Effective settings included in the PAR file will NOT be overwritten.

2.4 Creating a Kickstart Disk for Installation via Network

For creating a bootable kickstart disk, simply enter /images on your Gateway Installation flash USB stick.

Step 1 Starting rawwritewin.exe
Via this tool the boot disk is equipped with the boot image. Start the tool by double-clicking rawwritewin.exe.

Fig. 18 rawwritewin.exe - Start screen

Step 2 Selecting the proper boot image
The boot image has to be chosen depending on the network interface card used. To determine the correct image, have a look at the README file within the /images directory. Then select the chosen file in parameter Image file, insert a floppy disk and click Write to start the boot disk creation.

Attention:
The disk will be formatted when creating the boot disk.

Step 3 Configuring a kickstart disk for network installation
You can now start the configuration of the kickstart disk for network installation as mentioned above.

2.5 Barracuda Networks Multi-Platform Product Support

Barracuda NG Firewall 4.2 may be installed on standard server systems (a list of supported hardware can be obtained on the Barracuda Networks homepage), but also offers support for a big variety of appliance models distributed by Barracuda Networks partners. Each appliance model is equipped with specific default settings and is designated for installation of specific services. When creating a kickstart disk, the installation tool Barracuda NG Installer asks for information about the to-be-installed system. Each specific Model/Appliance combination (see Step 3 Defining Box Type settings, page 11) therefore determines product specific default settings and availability of services in conjunction with typical default settings.

The list below gives an overview of service availabilities for the respective systems. Availability of services applies to both box and CC systems likewise. A listing with the respective default settings is available in the Appendix (see 2. Barracuda NG Firewall Appliances Parameter Defaults, page 548).

Table 13 Availability of services on Appliance Models
Product | Module | standard | Barracuda NG Firewall F10
Firewall | Firewall | ✓ | ✓
DHCP Relay | DHCP-Relay | ✓ | ✓
VPN Server | VPN-Service | ✓ | ✓
HTTP Proxy | HTTP-Proxy | ✓ | -
URL Filter | URL-Filter | ✓ | -
Mail Gateway | Mail-Gateway | ✓ | -
SPAM Filter | SPAM-Filter | ✓ | -
FTP Gateway | FTP-Gateway | ✓ | -
SSH Proxy | SSH-Proxy | ✓ | -
Virus Scanner | Virus-Scanner | ✓ | -
Secure Web Proxy | sslprx | ✓ | -
Access Control Server | Access-Control-Service | ✓ | ✓
DNS Server | DNS-Service | ✓ | -
DHCP Enterprise Server | DHCP-Service | ✓ | -
SNMPd | snmp | ✓ | ✓
OSPF/RIP Service | ospf | ✓ | -

3. Barracuda NG Admin

The program Barracuda NG Admin (available on your Application flash USB stick) is the tool to administer Barracuda NG Firewall.

Note:
It is highly recommended to use the Barracuda NG Admin delivered with the Application CD to ensure that all features of the Barracuda NG Firewall are available. If it is necessary to change the Barracuda NG Admin, please contact the Barracuda Networks Support for detailed information which version of Barracuda NG Admin should be used.

3.1 Logging in

Login is started by double-clicking the Barracuda NG Admin executable. This opens the login dialog (figure 19).

Fig. 19 Login dialog

The header of this dialog displays the version and build number of the Barracuda NG Admin tool:
- buttons Box / CC
  These two buttons define which kind of Barracuda NG Firewall system you are logging into. Especially when logging into a Barracuda NG Control Center (CC) a correct selection is required due to the different IP addresses that are used (Box - IP address of the Barracuda NG Firewall itself; CC - Management IP address).
- Box-Address / CC-Address line & menu
  Enter the IP address or DNS-resolvable name to which you wish to connect. For enhanced comfort, the menu provides every IP address that was used for connection via Barracuda NG Admin before. At the same time, the selection Box or CC address (see above) is reassigned and does not need to be re-entered.
- Login line
  Enter the login name of the administrator.
- Password line
  Enter the password.

3.2 User Interface


The User Interface is divided into five functional sections.
The upper frame contains the Barracuda NG Admin menu
and tool bar. The left frame contains the box menu. The
right frame, also called mini map, displays either the
currently open box configuration or a history of boxes and
MCs you have already connected to. You can click on the
symbols to connect to these systems again. On the bottom
of the user interface you will find the status bar with a
status indication. Finally, the center of the screen contains
the main configuration window.

Fig. 110 Barracuda NG Admin User Interface


Note:
When logging in for the first time, an additional window
pops up where you may define whether you want to use
Barracuda NG Admin in Basic or Advanced mode.
The advanced view provides additional configuration
options and addresses experienced administrators.
Select your configuration view by clicking either Basic
Mode or Advanced Mode.
However, you may change your selection globally via
Settings > Client tab through option Advanced Mode
Configuration.
Additionally, if available, you may change the currently
active view per session on the fly by selecting either
Basic View or Advanced View in the navigation bar of
the corresponding configuration window.

3.2.1 Start Screen

When connecting to a Barracuda NG Firewall, the first screen shows a summary of the system (figure 111). This screen is accessible any time by selecting Status Info from the box menu.

Fig. 111 Start screen

The line Information Box displays the system's uptime in hours.

Table 14 Contents of the Overview segment
Line | Description
Overview | Displays an overview of the system by using a color code (green - everything is OK; yellow - something is not working properly and a check is recommended; red - something is not working properly and a check is mandatory) and the following icons: status of the servers (Control 2.1 Server Tab, page 29); status of the network (Control 2.2 Network Tab, page 30); status of the processes (Control 2.3 Processes Tab, page 36); disk usage (Control 2.4 Resources Tab, page 36); validity of certificates/licenses (Control 2.5 Licenses Tab, page 37); status of the box (Control 2.6 Box Tab, page 38); status of the operative-relevant event monitoring (Eventing 2.1.2 Severity Tab, page 323); status of the security-relevant event monitoring (Eventing 2.1.2 Severity Tab, page 323)
Disk Usage System | Bar graph displaying the current load on the system partition (root). On the right side of the bar the currently used and the maximum available disk space are shown.
Disk Usage Data | Bar graph displaying the current load on the data partition (/phion0). On the right side of the bar the currently used and the maximum available disk space are shown.
Memory Usage | Bar graph displaying the current memory load of the system. On the right side of the bar the currently used and the maximum available memory are shown.
Uptime | Displays the uptime of the system.
System Time | Displays the current system time.
CPU usage | Displays the average CPU load (first value: load within the last minute; second value: load within the last 5 minutes; third value: load within the last 15 minutes).
CPU Info | Displays information concerning the system's CPU.
CC-Managed | Displays whether the Barracuda NG Firewall is administered via a Barracuda NG Control Center.
CC-Address | If the Barracuda NG Firewall is administered via a CC, the management IP address of the CC is displayed here.
Release Info | Displays the software version (including build number) installed on this Barracuda NG Firewall.
Release State | Displays the software version status (Control 2.5 Licenses Tab, page 37).

The Services section gives a quick overview of the services on the Barracuda NG Firewall. Each configured service is shown with its icon, name, and type in brackets. The status of the services is displayed by four types of icons on the left:
- Service is up
- Service is blocked
- Service is stopped
- Service is blocked, stopped or disabled (inherited property because the server has been blocked, stopped, or disabled)

Additionally, this section informs about the number of active Administration Sessions.

The License State line shows the current operation mode (Control 2.5 Licenses Tab, page 37).

The Box Login Message section displays the messages that are configured as described in Configuration Service 5.1.6 Message Board, page 105.

3.2.2 Menu Bar

The menu bar consists of the Barracuda Networks logo and the menus File, Edit, Box, View, Window and ?.

3.2.2.1 Barracuda Networks Logo Menu

This menu contains commands that are known from MS Windows, such as Restore, Move, Size, ... The additional menu item Next allows you to switch from one box interface to another (as long as multiple boxes are opened within the Barracuda NG Admin).

3.2.2.2 File Menu

- Menu entry Login
  This command starts the login window which is needed to get access to a Barracuda NG Firewall system (see 3.1 Logging in, page 17).
- Menu entry Login SSH
  This entry starts the login screen as shown in figure 19, page 17. The difference is that after successful login an SSH connection to the box is started.
  Note:
  For security reasons it is necessary to enter the correct user and password once again when entering the SSH interface.
- Menu entry Lock
  This command allows you to lock the Barracuda NG Admin user interface (for example when leaving the workplace). To unlock the Barracuda NG Admin, re-enter the correct user and password into the login screen, which is opened as soon as the Barracuda NG Admin is locked.
- Menu entry Settings
  Due to its complexity please refer to the description of this menu item at 4. Settings, page 21.
- Menu entry Print Setup
  The Barracuda NG Admin allows you to print log files, rule sets, ... Configure your printer by using this menu item.
- Menu entry Exit
  This command closes the Barracuda NG Admin application.

3.2.2.3 Edit Menu

The items within this menu have the same meaning and function as known from MS Windows.

3.2.2.4 Box Menu

The box menu contains all available services.

Note:
The service item order of the pull-down box menu does not match the order of the Barracuda NG Admin user interface box menu.

Currently, the following box menu entries are available:
- Config: Configuration Service, page 41
- Control: see chapter "Control"
- Firewall: Firewall, page 131
- VPN: VPN, page 211
- Logs: Log Viewer, page 305
- Statistics: Statistics, page 311
- Event: Eventing, page 321
- SSH: see documentation Command Line Interface
- Message: Configuration Service 5.1.6 Message Board, page 105
- MailGW: Mail Gateway, page 259
- DHCP: DHCP, page 287
- Proxy: Proxy, page 339
- Reload Box Service: This command refreshes the service icons view in the box menu of the Barracuda NG Admin user interface. Apply it for instance after having created a service.

3.2.2.5 View Menu

- Menu item Toolbars: This item allows you to hide or to customize the tool bar.
- Menu item Status Bar: This item allows you to hide the Status Bar (figure 110, page 17).
- Menu item Mini Map: This item allows you to hide the Mini Map (figure 110, page 17).

Fig. 112 Dialog for customising the tool bar

3.2.2.6 Window Menu

The functions of this menu are the same as known from MS Windows. The menu item Windows manages views of currently open windows.

3.2.2.7 ? Menu

The ? menu contains one item About Barracuda NG Admin. Select this item to display version and build number of Barracuda NG Admin, for example in case this information is of interest to the Barracuda Networks

3.2.3 Tool Bar

Note:
The tool bar can be customized to personal needs. Please note that in this manual the default look of the tool bar is displayed (figure 113).

Fig. 113 Tool bar (labelled buttons: Login, Lock Barracuda NG Admin, Settings, Window list, About)

All buttons that are available in the tool bar are also accessible via the menu bar:
- Lock Barracuda NG Admin: see 3.2.2.2 File Menu, Menu entry Lock, page 19
- Login: see 3.2.2.2 File Menu, Menu entry Login, page 19
- Settings: see 3.2.2.2 File Menu, Menu entry Settings, page 19
- Window list: see 3.2.2.6 Window Menu, page 19
- About: see 3.2.2.7 ? Menu, page 19

3.2.4 Box Menu

The box menu of the Barracuda NG Admin user interface (figure 110, page 17) amongst others provides an icon for each "major" service. For example, such "major" services are the mail gateway service and the VPN Service.

Note:
The entries listed under 3.2.2.4 Box Menu, page 19 are also valid for the user interface box menu, though the item order varies.

3.2.5 Main Window

The main window contains the configuration and information part of the Barracuda NG Admin. Depending on the selected item of the box menu this display changes. For detailed information have a look at the corresponding chapter of the documentation.

3.2.6 Mini Map

The mini map is an optional view and lists all open boxes and, if available, open Barracuda NG Control Centers. It allows quick navigation between the systems.

3.2.7 Status Bar

The status bar displays information about the SSL connection status (including the used encryption algorithm, if available), the certificate and the time zone specified in the box time settings (translated to the corresponding GMT time zone as used in Microsoft Windows operating systems). A few Linux-specific time zones exist which cannot be translated into GMT time zones. In this case, the system time of the client running Barracuda NG Admin will be displayed instead of the box time settings.

Fig. 114 Status bar (fields: Connection info, SSL status, Certificate information, Time zone)

4. Settings

4.1 Boxes

This tab allows organising boxes for quick access in the mini map.

Fig. 115 Barracuda NG Admin Settings - Boxes

The following buttons are available:
- Button Change Group
  This button allows you to change the group assignment of the selected entry/entries (see Button Enter New Box, page 21).
- Button Load From Master
  Use this button to load the boxes from a Barracuda NG Control Center (Master). Only MCs you have already connected to using Barracuda NG Admin are available for selection. The root password of the CC will be requested to load the settings.
- Button Enter New Box
  This button opens a dialog for creating short-cuts manually.
- Button Remove Selected
  Select a list entry and click this button to remove the box from the list and its shortcut from the mini map.
  Note:
  Pressing the keys SHIFT and/or CTRL during selection allows you to mark multiple entries at once.

Fig. 116 Enter New Box dialog

Enter the name for the short-cut and the IP address of the box into the fields Name and IP Address. The field Group is used for defining categories to sort the short-cuts. According to these groups the mini map sorts the short-cuts into directories when the settings window is closed. This feature enables you to easily access and survey even big Barracuda NG Firewall installations.

Note:
If no group is entered, the short-cut will be sorted into the directory Root within the mini map.

The list contains the following columns:
- Box Name: Name of the box
- IP: IP address of the box
- Group: Group the box is assigned to (see Button Enter New Box, page 21)
- Description: Optional box description
- Master (if available): Name of the administering Barracuda NG Control Center
- Master-IP (if available): IP address of the administering Barracuda NG Control Center

Note:
As soon as you are logged into a box, the short-cut of the box is also available in the group Active.

4.2 Client

Use this tab to configure your Barracuda NG Admin client.

Note:
All parameters set here affect only the currently used Barracuda NG Admin. They are not saved on the Barracuda NG Firewall, for example. You will need to repeat the configuration if you use another Barracuda NG Admin.

Fig. 117 Barracuda NG Admin Settings - Client tab

List 117 Configuring Barracuda NG Admin settings - Client tab section Compression
Parameter | Description
Enable Compression | This parameter activates/deactivates data compression for Barracuda NG Admin connections (default: No - inactive) and increases efficiency and responsiveness of management, especially over "thin" lines. Note: This feature is backward-compatible; for example, even older Barracuda NG Firewall releases not capable of handling compressed management connections properly may still be connected. When compression is active the connection status icon in the top right corner changes to an icon with a cyan colored background. Attention: To activate the changed compression, please reconnect to the system after having edited this parameter.

List 118 Configuring Barracuda NG Admin settings - Client tab section Cryptography
Parameter | Description
Advanced Cryptographic Settings | Opens the Advanced Crypto API Settings configuration window (figure 118, page 23).

List 119 Configuring Barracuda NG Admin settings - Client tab section Timeouts
Parameter | Description
Socket Connect [sec.] | Defines the duration a login attempt may last until, in case of failure, it is stopped and a failure message is displayed (default: 6 seconds). Note: The socket connect timeout also has impact on PAR file creation of comprehensive configurations. Temporarily set it to 200 seconds or higher if necessary. See Configuration Service 5.3 Creating PAR Files, page 119 for details.
Configuration Read [sec.] | Specifies the duration a connection attempt (through utilisation of the Connect button) may last until, in case of failure, the attempt is stopped and a failure message is displayed (default: 30 seconds). Furthermore this setting determines the read timeout of the configuration file effective in the Box Control > Licenses tab view (see 2.5 Licenses Tab, page 37). Note: The read timeout also has impact on PAR file creation of comprehensive configurations. Temporarily set it to 200 seconds or higher if necessary. See Configuration Service 5.3 Creating PAR Files, page 119 for details.
Statistic [sec.] | Defines how long (in seconds) a statistic-view attempt may last until the attempt is stopped and a message is displayed (default: 30 seconds). Increase this parameter if you expect large statistics files.

List 120 Configuring Barracuda NG Admin settings - Client tab section System
Parameter | Description
Disable Events System Tray | Clear this checkbox to disable the icon in the system tray which indicates an active event.
Always use session password | This setting triggers Barracuda NG Admin to always use the last known password when reconnecting to a box after a session has been disconnected. The session password loses its validity when Barracuda NG Admin is closed.
Print Header | Allows entering a custom header for prints. Especially when multiple administrators use one printer this feature becomes handy because it allows identifying the owner very easily.

List 121 Configuring Barracuda NG Admin settings - Client tab section Show Short/Long Date
Parameter | Description
Short/Long Date | This setting determines the date format display which is used in various overview listings (for example CC Control).

List 122 Configuring Barracuda NG Admin settings - Client tab section Configuration Settings
Parameter | Description
Advanced Mode Configuration | Clear this checkbox to enable the Advanced View for configuration entities by default.
Read Only Color | This button opens a window for defining the background color for configuration files in read-only mode.

List 123 Configuring Barracuda NG Admin settings - Client tab section Desktop Background
This section allows defining a bmp file as "wallpaper" for the Barracuda NG Admin start screen (for example your company logo).
Parameter | Description
File | Define a wallpaper (.bmp files only) for Barracuda NG Admin here.
Browse / Clear / BK Color | Select (Browse) or clear (Clear) a wallpaper here, or define a general background color (BK Color) for the Barracuda NG Admin main window.
Position | Align the wallpaper here. Available options are: Tile, Center, Stretch, and Bottom Right.

List 124 Configuring Barracuda NG Admin settings - Client tab section SSH Colors
Define the layout of the SSH Login interface here.
Parameter | Description
Modify | Choose one of the modifiable options (Background, Bold Background, Cursor Text, Cursor Color) and change its color with Modify.

The following parameters are available for configuration in 4.3 Admin & CC Settings
the Advanced Cryptographic Settings dialog:
z Section CC Selection
Fig. 118 Configuring Advanced Cryptographic Settings
This section allows you to view the certificates of
Barracuda NG Control Center(s) you have logged into
using this Barracuda NG Admin. To remove MCs from
the view of Barracuda NG Admin click Remove Entry.
Otherwise chose an available CC in the field CC and
click Show Certificate to display a detailed view of the
certificate.

Note:
After having removed a CC you got to accept the
certificate again when logging into it the next time.
z Section Change Administrator Password
This section offers the opportunity to change
passwords of Barracuda NG Control Center and single
List 125 Configuring Advanced Cryptographic API Settings box local administrators.
Parameter Description To change a password of a Barracuda NG Control Center
Disable Note: marked in the section CC Selection, select Change
Smartcard Selecting the checkbox Disable Smartcard / Token Admin Credentials for CC Admin from the pull-down
/Token deactivates the complete configuration section.
menu, enter the administrator's login name, the current
Cryptographic Barracuda Networks supports all CSPs (Cryptographic
Service Service Provider) using the Microsoft Crypto API. All
(old) password and the new password (twice, for
Parameter - Description
Provider - The CSPs (Cryptographic Service Providers) installed on your local workstation are listed.
Key Length - The key length depends on the selected CSP. Minimum, maximum and default key lengths are displayed in the Cryptographic Service Provider menu.

List 126 Configuring Advanced Cryptographic API Settings, section Store Parameters
Parameter - Description
Default Store - Defines the default store for certificates (default: MY).
Specifies the provider type - Defines where the certificate lives. The following options are available:
  CERT_STORE_PROV_SYSTEM - Certificate available in the MS Management Console
  CERT_STORE_PROV_PHYSICAL - Certificate available on eToken/Smartcard
Flags - Defines the availability of the certificate: either for the current user only, or for the local workstation regardless of the logged-in user. Use one of the values below:
  CERT_SYSTEM_STORE_CURRENT_USER - Certificate is dedicated to this user only
  CERT_SYSTEM_STORE_LOCAL_MACHINE - Certificate is dedicated to the local workstation
Select Smartcard Reader - Allows selecting an available Smartcard Reader. If no Smartcard Reader is available on the system, this parameter is inactive.

... security reasons). Click Change Password to activate the new settings.
To change the password of a single box local administrator, select Change Admin Credentials for Local Admin (Single Box) from the pull-down menu. A new field Box IP Address then appears to the right of the menu. Enter the box IP address and proceed as described above to change the password.

Section Change Administrator Key
If key files are needed for a successful login in addition to the password, the administration key is edited/assigned in this section. To change an administrator key, enter the correct login name and password and import the proper key via Import. Change Admin Key activates the new settings.

4.4 Certificates & Private Keys
This tab contains the private key administration. Login and authentication of the administrator on a Barracuda NG Firewall use a 2-factor authentication technique: the authenticity of the admin workstation is verified with a challenge-response method, and beyond that the administrator has to authenticate with a personal password.
Note:
Although the tab header does not mention it, eToken and smartcards can also be used. They are handled in the same way.

Creating a new Certificate
To generate a new certificate/key using the Microsoft Strong Cryptographic Provider v1.0, click Create New Certificate/Key. This opens a window where several values (for example Country, State, Name, Expiring date, ...) are to be entered. After confirming your entry the new certificate is displayed in the list.
The columns in the main tab derive from the information entered while creating the certificate. However, two columns differ:
- column Hash contains short information about the key, making it easier to verify whether two keys are equal.
- column Key Container displays the unique name of the CSP key container.
New certificates are usually not generated with Barracuda NG Admin. They will normally be available on the domain controller and will be transferred from there to the specified default store.

Deleting a Certificate
Select the required certificate and click Delete Certificate/Key.

Viewing and Exporting a Certificate
Certificates cannot be viewed or exported with Barracuda NG Admin. Use the Microsoft Management Console (MMC) for this purpose instead; refer to the manuals provided by the manufacturer for further information.

4.4.1 Using Keys on a Barracuda NG Firewall 4.2
Keys in PEM format cannot be used on Barracuda NG Firewall systems. Barracuda NG Admin 4.2 does, however, allow converting already existing keys into certificates.
If you have older keys in your registry, Barracuda NG Admin for Barracuda NG Firewall 4.2 provides an additional button in this dialog called Migrate Keys to Cert. Click this button to open a password request for the available keys. After entering the proper password, the keys are converted into certificates. The subsequent dialog (Registry Keys converted to Microsoft Certificate Management - Remove Registry Keys?) offers two options:
- Yes - Removes the keys in PEM format from the registry. Recommended when only administering Barracuda NG Firewall 3.2/3.4/3.6/4.0.
- No - Keeps the keys in PEM format in the registry. Recommended when administering both Barracuda NG Firewall 2.4.1 and Barracuda NG Firewall 3.2/3.4/3.6/4.0 from the same workstation.

4.5 Public Host Keys
Fig. 119 Barracuda NG Admin Settings - Public Host Keys tab

Section Public Keys
This section lists all Barracuda NG Firewalls that have been accessed from this computer. The list includes the Box IP Address, a Short Hash of the key and the unique Box Fingerprint.
The button Remove Selected deletes the selected entry from the list. Because the key of that box is then no longer known, a security request will pop up the next time you log in to it.
The button Import PEM allows you to import PEM files. Pinning a box's certificate here before the first connection increases security, since the key is then trusted from the imported file rather than from whatever the box presents on first contact, and at the same time the security request is avoided.

Section SSH Keys
This section lists all Barracuda NG Firewalls that have been accessed via an SSH connection from this computer. The list includes the SSH IP Address and the unique SSH Fingerprint.
In addition to the buttons Remove Selected and Import PEM, both having the same purpose as described above, the button Enter Fingerprint is available. Click it to enter the unique fingerprint and the corresponding IP address manually into a dialog box.
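As an added illustration of the trust model behind the Public Keys and SSH Keys lists (example code written for this guide, not part of Barracuda NG Admin), the following Python sketch keeps a per-box fingerprint store and walks through the cases just described: first contact (security request), repeat contact (silent), changed key (refused), Remove Selected followed by a fresh request, and Import PEM (pinned before first contact, so no request at all). The key blobs, the PEM wrapper, the box addresses and the SHA-256-based fingerprint format are constructed placeholders; a real client would use the box's actual public key and the product's own fingerprint format.

```python
import base64
import hashlib


class HostKeyMismatch(Exception):
    """The box presented a key that differs from the pinned one, or the operator refused it."""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (no ASN.1 parsing is attempted)."""
    body = [s for s in (line.strip() for line in pem.splitlines())
            if s and not s.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(key_der: bytes) -> str:
    """Full SHA-256 fingerprint of the key blob, colon separated (assumed format)."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(key_der).digest())


def short_hash(key_der: bytes) -> str:
    """Short form for quick visual comparison: first 8 hex chars of the same digest."""
    return hashlib.sha256(key_der).hexdigest()[:8]


class HostKeyStore:
    """Known-box store: maps box IP -> (fingerprint, how it got there)."""

    def __init__(self):
        self._pins = {}

    def import_pem(self, box_ip, pem):
        """Pin a key ahead of first contact (the Import PEM button)."""
        self._pins[box_ip] = (fingerprint(pem_to_der(pem)), "imported")

    def remove_selected(self, box_ip):
        self._pins.pop(box_ip, None)

    def entries(self):
        return dict(self._pins)

    def verify(self, box_ip, presented_der, confirm_unknown):
        """Trust-on-first-use check. confirm_unknown(box_ip, fp) -> bool plays the role of
        the security request shown for an unknown box. Returns how the key is trusted."""
        fp = fingerprint(presented_der)
        pinned = self._pins.get(box_ip)
        if pinned is None:
            if not confirm_unknown(box_ip, fp):
                raise HostKeyMismatch(f"{box_ip}: unknown key rejected by operator")
            self._pins[box_ip] = (fp, "learned")
            return "learned"
        if pinned[0] != fp:
            raise HostKeyMismatch(f"{box_ip}: pinned {pinned[0][:23]}... got {fp[:23]}...")
        return pinned[1]


# Constructed placeholder key blobs; a real box presents its actual public key.
KEY_A = b"constructed public key of box 10.0.8.112, generation 1"
KEY_B = b"constructed public key of box 10.0.8.112, generation 2"
PEM_A = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(KEY_A).decode()
         + "\n-----END PUBLIC KEY-----\n")


def run_scenario():
    """Return (list of verify outcomes, number of security requests shown)."""
    prompts = []

    def operator_accepts(box_ip, fp):        # stands in for clicking OK on the request
        prompts.append((box_ip, fp[:8]))
        return True

    store = HostKeyStore()
    box = "10.0.8.112"
    log = [store.verify(box, KEY_A, operator_accepts),   # first login: request, then pinned
           store.verify(box, KEY_A, operator_accepts)]   # second login: silent match
    try:
        store.verify(box, KEY_B, operator_accepts)       # key changed: must be refused
        log.append("accepted-changed-key")
    except HostKeyMismatch:
        log.append("refused-changed-key")
    store.remove_selected(box)                           # operator clears the stale pin
    log.append(store.verify(box, KEY_B, operator_accepts))   # request again, new key learned
    store.import_pem("10.0.8.113", PEM_A)                # pin another box before first contact
    log.append(store.verify("10.0.8.113", KEY_A, operator_accepts))  # no request at all
    return log, len(prompts)
```

The point the store makes explicit: a changed key is refused outright rather than re-prompted, so an attacker impersonating a known box cannot get a "new key, accept?" dialog; only a deliberate Remove Selected (or an Import PEM of the new key) re-opens trust.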

5. Inverted CIDR Notation

The Inverted CIDR Notation, which may be used for configuration purposes within Barracuda NG Firewall, differs from the CIDR netmask notation. As a rough guide, keep in mind that the higher the inverted CIDR value, the bigger the network (the opposite of CIDR notation). The inverted CIDR value is calculated very easily: "Inverted" = 32 - "CIDR". A single IP address (netmask 255.255.255.255) is therefore written as 0 in inverted notation and the whole address space as 32, so an entry such as 10.0.0.18/8 in a display using inverted notation denotes the /24 network 10.0.0.0/24, not the class A network 10.0.0.0/8.

5.1 Comparison CIDR - Inverted CIDR
Table 15 Comparison CIDR - inverted CIDR notation

Netmask (quad)    CIDR   Inverted CIDR
255.255.255.255    32      0
255.255.255.254    31      1
255.255.255.252    30      2
255.255.255.248    29      3
255.255.255.240    28      4
255.255.255.224    27      5
255.255.255.192    26      6
255.255.255.128    25      7
255.255.255.0      24      8
255.255.254.0      23      9
255.255.252.0      22     10
255.255.248.0      21     11
255.255.240.0      20     12
255.255.224.0      19     13
255.255.192.0      18     14
255.255.128.0      17     15
255.255.0.0        16     16
255.254.0.0        15     17
255.252.0.0        14     18
255.248.0.0        13     19
255.240.0.0        12     20
255.224.0.0        11     21
255.192.0.0        10     22
255.128.0.0         9     23
255.0.0.0           8     24
254.0.0.0           7     25
252.0.0.0           6     26
248.0.0.0           5     27
240.0.0.0           4     28
224.0.0.0           3     29
192.0.0.0           2     30
128.0.0.0           1     31
0.0.0.0             0     32
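As an added example (not from the original guide), here is a small Python helper that converts between dotted-quad netmask, CIDR prefix and inverted CIDR, rejects non-contiguous masks, regenerates Table 15, and shows the audit risk of reading an inverted value as a CIDR prefix: an entry 10.0.0.18/8 in an inverted-notation display is the 256-address network 10.0.0.0/24, while a reader who takes the 8 as a CIDR prefix sees 10.0.0.0/8 and may sign off on a rule or route that is 65536 times too wide, or the reverse. The function names are the author's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def cidr_to_bits(cidr: int) -> int:
    """Prefix length -> 32-bit mask value; rejects lengths outside 0..32."""
    if not 0 <= cidr <= 32:
        raise ValueError(f"prefix length {cidr} out of range")
    return (ALL_ONES << (32 - cidr)) & ALL_ONES


def quad_to_cidr(quad: str) -> int:
    """Dotted-quad netmask -> prefix length; rejects masks with holes such as 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(quad))
    ones = bin(bits).count("1")
    if bits != cidr_to_bits(ones):
        raise ValueError(f"non-contiguous netmask {quad}")
    return ones


def cidr_to_quad(cidr: int) -> str:
    return str(ipaddress.IPv4Address(cidr_to_bits(cidr)))


def cidr_to_inverted(cidr: int) -> int:
    """The guide's rule: Inverted = 32 - CIDR."""
    cidr_to_bits(cidr)                 # range check only
    return 32 - cidr


def inverted_to_cidr(inverted: int) -> int:
    return cidr_to_inverted(inverted)  # the mapping is its own inverse


def box_network(ip: str, inverted: int) -> ipaddress.IPv4Network:
    """Interpret an 'IP/inverted netmask' pair as displayed in inverted notation."""
    return ipaddress.ip_network(f"{ip}/{inverted_to_cidr(inverted)}", strict=False)


def comparison_table():
    """Regenerate Table 15 as (quad, CIDR, inverted CIDR) rows for prefix lengths 32..0."""
    return [(cidr_to_quad(c), c, cidr_to_inverted(c)) for c in range(32, -1, -1)]


def audit_inverted_entry(ip: str, mask: int) -> dict:
    """What an 'ip/mask' entry means read correctly (inverted) versus misread as CIDR."""
    as_inverted = box_network(ip, mask)
    as_cidr = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return {"inverted": str(as_inverted), "misread_as_cidr": str(as_cidr),
            "hosts_inverted": as_inverted.num_addresses,
            "hosts_misread": as_cidr.num_addresses}


if __name__ == "__main__":
    for quad, cidr, inv in comparison_table():
        print(f"{quad:16} {cidr:3} {inv:3}")
    print(audit_inverted_entry("10.0.0.18", 8))
```

Note that controld's rule "mask 0 means a single IP" (section 2.2.8.1 in the Control chapter) is this same notation: inverted 0 is a /32.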


2 Control
1. Overview
1.1 Control Window (page 28)

2. Control Tabs
2.1 Server Tab (page 29)
2.1.1 Section Server Status (page 29)
2.1.2 Section Service Status (page 29)
2.2 Network Tab (page 30)
2.2.1 Interface/IPs Tab (page 30)
2.2.2 IPs Tab (page 31)
2.2.3 Interfaces Tab (page 31)
2.2.4 Proxy ARPs Tab (page 32)
2.2.5 ARPs Tab (page 32)
2.2.6 Statistics Tab (page 32)
2.2.7 OSPF Tab (page 32)
2.2.8 Tables (page 32)
2.3 Processes Tab (page 36)
2.4 Resources Tab (page 36)
2.5 Licenses Tab (page 37)
2.5.1 Section Version Status (page 37)
2.5.2 Section Active Licenses (page 37)
2.5.3 Section License Values (page 37)
2.5.4 Section Host IDs (page 37)
2.6 Box Tab (page 38)
2.6.1 Section Network Configuration (page 38)
2.6.2 Section Operating System (page 39)
2.6.3 Section Time Control (page 39)
2.6.4 Section Dynamic Network Connections (page 39)
2.6.5 Section Authentication Level (page 39)
2.6.6 Section BOX SCEP Status (page 40)
2.7 Sessions Tab (page 40)
2.8 Mainboard Tab (page 40)

1. Overview
The Control window is an essential monitoring and administration tool that provides real-time information about the status of a system and makes a variety of fundamental administration tasks available. The important information it displays relates to the following:
- Server/Service and Network status
- Status of disk usage
- Status of currently active processes and sessions
- Hardware information
- License information (keys and status of installed licenses)
- Release information (version numbers and build dates of installed Barracuda Networks software modules)
To access the Control window, click Control in the box menu.
Note:
The Control window may also be accessed from the Status Map tab in the Barracuda NG Control Center (Barracuda NG Control Center 5.2 Status Map Tab, page 515).

1.1 Control Window
The contents of the Control window are arranged in eight tabs:
- Server tab - see 2.1 Server Tab, page 29
- Network tab - see 2.2 Network Tab, page 30
- Processes tab - see 2.3 Processes Tab, page 36
- Disks tab - see 2.4 Resources Tab, page 36
- Licenses tab - see 2.5 Licenses Tab, page 37
- Box tab - see 2.6 Box Tab, page 38
- Sessions tab - see 2.7 Sessions Tab, page 40
- Mainboard tab - see 2.8 Mainboard Tab, page 40
All tabs but the latter two are flagged by a status indicator icon, which shows the current status of the respective box subsystem.

Table 21 Status icons flagging tabs in the Control window
Meaning - Comment
OK - Normal operation
Warning / Activation - Abnormal condition not affecting normal operation, or activation of the box network in progress
Critical condition - Seriously abnormal condition

Fig. 21 Tabs in the Control window flagged by status icons (normal operation mode, warning, fault)

In addition, the connection status is indicated by the icons listed below. To connect to or disconnect from the system, click the Connect or Disconnect button respectively.
Table 22 Connection status icons
Meaning - Comment
Connected
Compressed connected
Not connected
Disconnected - Established connection terminated abnormally
2. Control Tabs

2.1 Server Tab
The Server Tab displays status information about the Barracuda Networks server/service subsystem and allows influencing server and service operation. The view of the Server tab is divided into two sections: the upper SERVER STATUS section displays information about the status of available servers, and the lower SERVICE STATUS section displays information about the status of available services.
At the bottom of each section, buttons are arranged that allow changing the operational status of a server or service. Alternatively, select a server or service, right-click to open the context menu, and click the appropriate menu item.
Fig. 22 Server Tab

2.1.1 Section Server Status
The listing in the Server Status section displays status and configuration information of the servers available on the box.
- Server column
In this column, servers and the sub-elements defining their state are arranged in a hierarchical structure. The root entry indicates the server name. Below that, Status, HA (optional) and IP are arranged as sub-elements, whereby the IP tree item again contains sub-elements for each defined server IP (Configuration Service 3. Configuring a New Server, page 210).
Icons indicate the current status of each server: server is up, server is blocked, server is stopped, server is disabled.
- Status column
This column displays the states of the server and of the HA partner box. Column entries have the following significance:
Table 23 Server status and configuration
Entry - Comment
Primary - Server is up and running, either as a single system or as the primary part of a high availability setup.
Secondary - Server is up and running on the backup machine of a high availability setup.
Standby - Server is in standby state and is waiting to take over if the high availability partner goes down.
Down - Server is not running but able to start automatically when triggered.
Block - Server is blocked and unable to start automatically even if the high availability partner goes down. Note: A blocked server always has to be started manually.
Disabled - Server is disabled due to environmental conditions, for example because the monitoring IP or monitoring interface is not available.
An en dash (–) in this column indicates a server running stand-alone without a configured HA (High Availability) partner.
- Status HA Partner column
This column displays the status of the HA partner. Column entries have the same significance as in the Status column.
- IP Addresses column
This column lists the IP address(es) a server is listening on.
At the bottom of the Server Status section, buttons allow changing the operational status of a server: Block Server, Start Server, Stop Server, Restart Server. To perform a status change, select a server, then click the appropriate button; or select a server, right-click to open the context menu, and click the appropriate menu item.

2.1.2 Section Service Status
The listing in the Service Status section displays status and configuration information of the services available on the box.
- Server / Service column
In this column, servers and their services as sub-elements are arranged in a hierarchical structure. The main level indicates the server name; below that, the available services are arranged as sub-elements. The listing begins with the main level box, whose sub-elements are all global services, such as boxfw, control, event, log, ... Other main levels begin with the corresponding server name. Sub-elements of these
entries are the specific services available on the corresponding server.
Icons indicate the current status of each server and service: service is up, service is blocked, service is stopped, and service blocked, stopped or disabled as an inherited property (because the server itself has been blocked, stopped or disabled).
Note:
When evaluating a service status, make sure to evaluate the current server status as well.
- Num Proc column
This column displays the number of processes for each service.
- Num FD column
This column displays the number of file descriptors used by the service processes.
- Mem KB column
This column displays the total memory (exclusive and shared) used by the service processes.
- Module column
This column displays the name and corresponding icon of the installed software module. This information is important for services running on user-defined servers, as these may be named without any indication of the service type.
At the bottom of the Service Status section, buttons allow changing the operational status of a service: Block Service, Start Service, Stop Service, Restart Service. Select a service, then click the appropriate button; or select a service, right-click to open the context menu, and click the appropriate menu item.
Attention:
To block/start/stop/restart the firewall service, the service box > boxfw has to be restarted. Blocking/starting/stopping/restarting the service <servername> > fw will have no effect.

2.2 Network Tab
The Network Tab gives a detailed account of the current status of the network subsystem of the box. It is itself divided into the Interface/IPs, IPs, Interfaces, Proxy ARPs, ARPs, Statistics and OSPF tabs and the Tables section, all described below.
Fig. 23 Network Tab

2.2.1 Interface/IPs Tab
This tab contains all interfaces, their current state (visualized with an icon, see below) and the IP addresses assigned to each interface.
Fig. 24 Interface/IPs Tab
- Interface/IP column
In this column, network interfaces and their assigned IP addresses as sub-elements are arranged in a hierarchical structure. The main level indicates the network interface name with its corresponding icon and, for Ethernet network adapters, additional information on speed and duplex setting.
Below the main level, the IP addresses living on the network interface are arranged in sublevels together with their netmasks, given in inverted CIDR notation (see Getting Started 5. Inverted CIDR Notation; a mask of 0 is a single IP). Each sublevel carries a status icon.
The following icons indicating the network interface type are available:
Table 24 Icons for network interface types
Icon - Description
- Ethernet network adapter
- Token ring network adapter
- Loopback interface
- Barracuda Networks queuing interface (used for traffic shaping)
- DHCP interface; used for xDSL/DHCP connections
- gre0; used for IP-to-IP tunnelling
Table 24 Icons for network interface types (continued)
- tap interface (internal interface for SYN proxying & VPN)
- Tunnel interface
The following icons indicating the network connection status are available:
Table 25 Icons for network connection status
- up
- signal strength, varying from red (low) to green (high)
- down or duplicate
Note:
Any IP address changing to state "down" will switch the network subsystem to a critical condition. Critical conditions are flagged with the critical-condition icon (Table 21) in the tab label.
Note:
A single network connection status change will not lead to a network tab indicator status change.
Note:
Not all UMTS cards support the signal strength feature. To use this feature you need a UMTS card with 2 channels and you have to set the parameter Activate 2nd Channel to yes (Network > UMTS > UMTS Connection Details). For the parameter description see Configuration Service 2.2.5.7 UMTS, page 193.
- Label column
A label is available for every interface that is in state "up". Multiple predefined labels exist, such as mip0 (for the primary administrative network of the box), loop (for the loopback interface 127.0.0.1/24), fw (for network 127.0.1.1/24 on interface tap0), vpn (for network 127.0.2.1/24 on interface tap1), and vpnpers (for network 127.0.3.1/24 on interface tap3). IP addresses associated with server processes are labelled with the name of the server. Additionally configured networks are named according to the label given to the network in the configuration file/dialog.
- Ping column
This column indicates whether the corresponding IP address is configured to reply to pings (entry ok) or not (entry NO) (Configuration Service 3. Configuring a New Server, page 210).
- MAC of duplicate IP column
As soon as an IP address is used twice, the MAC address of the other interface is shown here. A duplicate of a firewall IP address is worth following up, since it can hijack or disrupt traffic meant for the box.

2.2.2 IPs Tab
This tab contains the same information as the Interface/IPs Tab, but sorted by IP address instead of by interface.
The State column shows the state of the IP address/netmask, as does the icon in the IP column.
The Interface column is formatted as follows: the name of the interface used (for example eth0, tr0, tap0, ...) followed by a colon and the label of the interface. For a description of the label syntax, see 2.2.1 Interface/IPs Tab, Label column.

2.2.3 Interfaces Tab
This tab gives a quick view of all necessary interface settings at a glance.
- Interface column
This column displays similar parameters as the Interface/IP column described above. Speed and duplex settings are arranged in separate columns though (see below).
- MAC column
The unique MAC address of each interface is displayed here.
- Link column
The data here lets you verify whether an interface is physically connected or not.
- Speed column
The maximum transfer rate of the adapter, in Mbit/s.
- Duplex column
The duplex setting of the NIC (Half or Full).
- Neg. column
Shows whether auto negotiation is on or off.
- MTU column
The configured MTU size (Maximum Transmission Unit) of the NIC. This parameter is described in 2.2.5.1 Networks, page 178.
- Bytes column
The byte throughput, calculated as the average number of bytes/s (obtained over a 10 second sampling interval) passing through the interface.
- Packets column
The packet throughput, calculated as the average number of packets/s (obtained over a 10 second sampling interval) passing through the interface.
- Errors column
The total number of errors, calculated as the average number of all errors on the interface (obtained over a 10 second sampling interval).
- Realm column
For each interface, the appropriate Interface Realm can be configured (Configuration Service Interface Realm, page 186). This realm is shown in this column.
- Flags column
The following entries are possible:
UP - interface is up
BROADCAST - broadcast active
LOOPBACK - loopback active
NOARP - ARP requests will not be answered
POINT-TO-POINT - used for PPTP
PROMISC - accepts every packet regardless of whether the MAC address matches (an interface unexpectedly in promiscuous mode deserves a look, since nothing on a firewall should normally sniff)
- Features column
The following entries are possible:
SGI/O - scatter/gather input/output (DMA)
NOCSUM - no checksum required
HWCSUM - interface is capable of hardware checksumming
IPCSUM - interface is capable of checksumming IP packets
HW-VLAN-TX - interface is capable of VLAN tagging on transmit
HW-VLAN-RX - interface is capable of VLAN tagging on receive
HIGH-DMA - I/O memory above 64 K
DYNALLOC - used for virtual interfaces
- IRQ column
This column contains the IRQ number (Interrupt ReQuest line) of each interface.
- Base-Addr column
I/O port address.

2.2.4 Proxy ARPs Tab
Proxy ARPs are additional IP addresses/netmasks the firewall responds to.
- IP/Mask column
Shows all configured/created IP addresses/netmasks.
- Interface column
Displays the interface on which the IP address/netmask resides.
- Origin column
Contains the origin of the proxy ARP (by whom it was created).
- Exclude column
Displays networks that are excluded from proxy ARP creation.
- Source Restriction column
Displays the network addresses to which answering the proxy ARP request has been limited.

2.2.5 ARPs Tab
The Address Resolution Protocol is needed for translating an IP address into a physical (MAC) address.
- IP column
Shows the IP addresses in use.
- MAC column
Displays the MAC address of each assigned IP address.
- Vendor column
Shows the NIC manufacturer.

2.2.6 Statistics Tab
Shows information about the routing and ARP cache of the box.
Note:
Loading this information takes some seconds. In the meantime "Data Pending" and "please wait" are shown in the list.

2.2.7 OSPF Tab
Shows information about the OSPF states Neighbour and Interfaces of the box, if applicable (that is, if an OSPF/RIP service is running on the box).

2.2.8 Tables
This section of the Network tab shows the defined routing tables. Without policy routing there are two of them: the main table, and the default table, where the default route lives.
Fig. 25 Table section
The pull-down menu at the top of this section allows you to filter for predefined table types (for example, ALL shows all routing tables, whereas main hides all tables except the main table).
Without policy routing activated, all routes except the default routes go into table main, and default routes go into table default. With policy routing activated, additional tables become available as specified in the configuration dialog.
The context menu contains the option Delete Wild Route, which can be used to delete routes marked as wild. Wild routes are routes for which there is no corresponding entry in the network configuration file. Usually wild routes appear as a consequence of manually introducing additional routes through the command line interface, or when direct or gateway routes have been deleted using the option Soft network activation (see 2.6 Box Tab, Soft, page 38). A wild route on a firewall is therefore worth investigating before it is deleted: either an administrator changed the routing by hand and never put it into the configuration, or something else did.
- Table / Src Filter column
This column is structured according to the routing tables to provide all required information about the routed netmasks at a glance. The sublevel of the structure contains the netmasks concerned and their current status (depicted using the icons described above).
- State column
Displays the state of the route. Available entries are up, down, wild, disabled, off. For detailed information see 2.2.8.1 Handling of Routes by the Control Daemon, page 33.
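Added example, not part of the product: a Python audit that does what the Tables section lets you check by eye. It parses `ip route show table <name>` output in iproute2 format (constructed sample lines below, using the networks of the route-handling example in 2.2.8.1) and compares it with the routes an administrator expects to be configured. The configured-route list is a simplified stand-in written for this example and is not the boxnet.conf syntax. Routes present in the kernel but absent from the configuration are reported as wild; configured routes absent from the kernel are the ones controld would show as off, down or disabled.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "target via dev table")

# Constructed sample output of `ip route show table main` and `... table default`
# (iproute2 format), standing in for what the box would print. The 192.168.99.0/24
# entry was added by hand on the command line and is not configured anywhere.
KERNEL_OUTPUT = {
    "main": """\
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.18
10.14.55.64/27 dev eth1 proto kernel scope link src 10.14.55.66
10.11.22.0/24 dev tr0 proto kernel scope link src 10.11.22.33
192.168.99.0/24 via 10.0.0.1 dev eth0
""",
    "default": "default via 10.0.0.100 dev eth0 metric 200\n",
}

# Constructed, simplified list of what the administrator configured (NOT boxnet.conf
# syntax): direct routes carry a dev, gateway routes carry a via.
CONFIGURED = [
    Route("10.0.0.0/24", None, "eth0", "main"),
    Route("10.14.55.64/27", None, "eth1", "main"),
    Route("10.11.22.0/24", None, "tr0", "main"),
    Route("1.2.3.0/29", None, "eth2", "main"),       # pending direct route, no source IP yet
    Route("0.0.0.0/0", "1.2.3.1", None, "default"),   # pending gateway route
    Route("0.0.0.0/0", "10.0.0.100", None, "default"),
]


def parse_ip_route(text, table):
    """Parse `ip route show table <table>` lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dest = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        if "/" not in dest:
            dest += "/32"                  # iproute2 prints host routes without a prefix
        via = dev = None
        for i in range(1, len(toks) - 1):
            if toks[i] == "via":
                via = toks[i + 1]
            elif toks[i] == "dev":
                dev = toks[i + 1]
        routes.append(Route(str(ipaddress.ip_network(dest, strict=False)), via, dev, table))
    return routes


def identity(r):
    """Gateway routes are identified by next hop, direct routes by interface: the dev of a
    gateway route is derived from the direct routes, so it is not part of what was configured."""
    return (r.target, r.table, "via", r.via) if r.via else (r.target, r.table, "dev", r.dev)


def audit_routes(kernel_output, configured):
    """Return wild routes (active but unconfigured) and configured routes that are not active."""
    active = [r for table, text in kernel_output.items() for r in parse_ip_route(text, table)]
    configured_ids = {identity(r) for r in configured}
    active_ids = {identity(r) for r in active}
    wild = sorted((r for r in active if identity(r) not in configured_ids), key=identity)
    not_active = sorted((r for r in configured if identity(r) not in active_ids), key=identity)
    return {"wild": wild, "not_active": not_active}


if __name__ == "__main__":
    result = audit_routes(KERNEL_OUTPUT, CONFIGURED)
    for r in result["wild"]:
        print("WILD    ", r)
    for r in result["not_active"]:
        print("OFF/DIS ", r)
```

On a real box the two strings would come from running `ip route show table main` and `ip route show table default` (plus any policy routing tables), and the configured list from whatever the site keeps as the source of truth for network configuration.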

- Type column
The following types of routes are available:
direct routes point to directly connected networks. No next hop is involved; the network is directly accessible via the specified interface.
gateway routes are routes to networks which are only accessible via a next hop. The next hop must be reachable through a direct route.
- Interface column
Shows the interface through which traffic to the destination network passes.
Note:
For direct routes the interface must be specified within the network configuration. For gateway routes it is determined automatically from the available direct routes.
- Src IP column
Contains the source IP address of the route.
Note:
The control daemon picks the most appropriate source address automatically from the pool of available IPs unless a source address has been explicitly specified in the network configuration.
- Pref column
The preference of the route, with 0 indicating the highest preference.
- Gateway column
Shows the address of the next hop for gateway routes. For direct routes this field is left empty (denoted by a single -).
- Name column
This column shows the given name of the route.

2.2.8.1 Handling of Routes by the Control Daemon
controld reads the currently active network configuration from the file /opt/phion/config/active/boxnet.conf. One of the tasks of the controld daemon is to verify that the routes configured therein are actually valid. The basic logic goes as follows:
controld does not introduce IPs with a mask other than 0 (that is, in inverted CIDR notation, single /32 IPs). By this means controld looks after server IPs and proxy ARPs but not after networks local to the box. This does not mean, however, that controld will not mark networks as down; it merely refuses to reintroduce deleted box IP addresses.
As far as routing is concerned, controld plays a more active role and will activate and deactivate routes depending on the available configuration information and on environmental conditions.
One of the features of Barracuda NG Firewall boxes is that you may configure what we call pending direct routes. These routes are special insofar as they point to a target network via an available interface to which no IP address has yet been assigned. As such the route cannot be introduced directly, as no source IP address is available.
The behaviour of controld is then governed by the configuration parameter Foreign IP Sufficient. Initially controld displays the route as in state off. If the parameter is set to y (yes, the default), then any IP activated on the associated interface will bring up the route. Typically this IP is a server IP; you would use this feature if you wish to make a route available only when a certain server functionality is available. If the parameter is set to no, then only an IP address belonging to the target network will trigger activation of the route.
To illustrate this in more detail, consider the following example. Assume box 10.0.8.112 is configured to have a leg in three networks:
Table 26 Example: Route handling, networks
Network - Local IP address - on Interface
10.0.0.0/24 - 10.0.0.18 - eth0
10.14.55.64/27 - 10.14.55.66 - eth1
10.11.22.0/24 - 10.11.22.33 - tr0
Bringing up each of these networks automatically triggers the introduction of a corresponding direct route:
Table 27 Example: Route handling, corresponding direct routes
Target network - Source IP address - Table - on Interface
10.0.0.0/24 - 10.0.0.18 - main - eth0
10.14.55.64/27 - 10.14.55.66 - main - eth1
10.11.22.0/24 - 10.11.22.33 - main - tr0
The box is additionally connected to a further network, 1.2.3.0/29, accessible through interface eth2, but the box itself does not have a leg in this network, as depicted in figure 26.
Fig. 26 Network diagram illustrating the concept of a pending route (the box with eth0: 10.0.0.18/24 in 10.0.0.0/24 next to gateway 10.0.0.100, eth1: 10.14.55.66/27 in 10.14.55.64/27, tr0: 10.11.22.33/24 in 10.11.22.0/24, and eth2 without an address attached to 1.2.3.0/29, where gateway 1.2.3.1 lives)
Now suppose you have already configured a corresponding direct route under section Main Routing Table (Configuration Service 2.2.5.5 Network Routes, page 184) of the network configuration dialog:
Table 28 Example: Route handling, no source IP address
Target network - Source IP address - Table - on Interface
1.2.3.0/29 - (none) - main - eth2
Quite evidently this route cannot be introduced right away, as no valid source IP address is available. However, since it has been configured, the control daemon displays it as in state off.
34 | Control Tabs > Network Tab Control

We now assume that the following gateway routes have also been introduced:

Table 2–9 Example: Route handling, gateway routes

Target network | Gateway    | Table   | Preference
0.0.0.0/0      | 1.2.3.1    | default | 100
0.0.0.0/0      | 10.0.0.100 | default | 200

Note:
A route is automatically assigned to table default if and only if the target is equal to 0.0.0.0/0.

Clearly the preferred default route via gateway 1.2.3.1 cannot be activated as no active route to address 1.2.3.1 is available. The control daemon will thus display this route as in state off. We refer to such gateway routes as pending gateway routes, as their introduction only takes place pending a prior successful introduction of a not yet available but configured direct route.

If gateway 10.0.0.100 is pingable and the address is not local to the box itself then this route will be active, which means in state up, as the presently preferred default route. If gateway 10.0.0.100 is not pingable then the route will be marked as in state dis (disabled). Since no alternative route is available to the same target network, a distinct icon is used to indicate that the networking subsystem is in a critical condition.

Note:
If the gateway address is pingable but local to the box the route will be considered as in state off. We will come back to a discussion of why and when such a scenario will arise when we discuss special aspects of interoperation with a router further below. Note that routes marked as off are not part of the routing tables of the box and thus only known to the control daemon.

Now assume that a stand alone server IP 1.2.3.2/32 is activated on the box (figure 2–7). Due to the available routing information this IP must reside on interface eth2. As a consequence a valid source IP has become available for our inactive pending direct route allowing the control daemon to introduce it as a valid route into table main.

Table 2–10 Example: Route handling, valid source IP address

Target network | Source IP address | Table | on Interface
1.2.3.0/29     | 1.2.3.2           | main  | eth2

The Network diagram in figure 2–7 illustrates the way in which pending direct routes and gateway routes depending on them are activated by firing up an IP address on the so far not configured interface eth2:

Fig. 2–7 Network diagram, pending direct routes and gateway routes
[Figure: the box has eth0: 10.0.0.18/24 in 10.0.0.0/24 (gateway 10.0.0.100), tr0: 10.11.22.33/24 in 10.11.22.0/24, eth1: 10.14.55.66/27 in 10.14.55.64/27, and the so far unconfigured eth2 attached to 1.2.3.0/29 with gateway 1.2.3.1; the server IP address 1.2.3.2 is activated on the box.]

The route will immediately have its status changed from off to up. All pending gateway routes requiring this direct route will also be introduced into the routing tables. If gateway 1.2.3.1 is pingable and the address is not local to the box (as in the example) then this route will be displayed as in state up, as the presently preferred default route (due to its lower preference number). If gateway 10.0.0.100 is not pingable then the route will be marked as in state dis (disabled). Since an alternative route is available to the same target network, a distinct icon is used to indicate that the networking subsystem is in an unsound yet uncritical condition.

If gateway 10.0.0.100 is pingable or arpable then this route will be marked as in state up as well.

Note:
Whenever a gateway is not pingable and not arpable controld will change its preference (metric) to a new value by adding 65536 to the assigned preference number.

2.2.8.2 Interoperation with a Router
An interesting routing issue arises when the firewall box is meant to work together with a router in what is called a screened host setup commonly used to separate LAN segments from one another.

Fig. 2–8 Example for a screened host setup
[Figure: Source in LAN A + Transit LAN, via Router/Gateway, to Destination LAN B.]

With help of a small transit LAN scenarios may be visualized in which a logical separation of LAN A and LAN B may even be achieved with a single NIC at the firewall. In order for this to work the firewall and a router or gateway exclusively share a small transit network (usually 2 to 3 bits).

The advantages of such a single homed setup are evident. If you've got to deal with various kinds of network traffic within a large WAN or LAN at the same time, for example SNA, IPX, and IP, you've got to let SNA and IPX traffic bypass the firewall. At the same time you would like to use the firewall to manage and monitor your IP traffic. This is not possible if the firewall is dual homed in the traditional sense since then everything has to run through the firewall. Thus it is better to resort to a dual homed setup in address space. The single firewall NIC is configured to have network addresses that make it part of LAN A and additional network addresses from a small transit network it shares exclusively with the router/gateway component. The router/gateway does not have a valid IP address within LAN A.

For all IP traffic the router will use one of the transit network IPs of the firewall box as its next hop for traffic from LAN B to LAN A. Within LAN A routing is configured in such a way that one of the firewall's addresses in LAN A is the default gateway for traffic into LAN B. The firewall passes on this traffic via the transit network to the router/gateway, which then knows where to send it further.

At the same time all non IP traffic passes unharmed from LAN A to LAN B via the router/gateway since a direct physical link is established and all IP routing information is ignored.

Below is an example configuration for the successful interplay of router and firewall (redundant scenario included) to create a single homed setup:

Table 2–11 Example configuration for router and firewall

Object                | Address
LAN A                 | 10.x.y.0/24
LAN A default gateway | 10.x.y.100
Transit LAN           | 10.255.128.0/29 (shared by firewall and router)
FW-box-IP             | 10.x.y.108
FW2-box-IP            | 10.x.y.109 (optional in case of a redundant setup)
FW-default GW         | 10.255.128.1 (router's transit LAN address) when active; 10.x.y.100 when inactive
FW-Transit Netw.-IP   | 10.255.128.2
FW2-Transit Netw.-IP  | 10.255.128.3 (optional in case of a redundant setup)
Firewall service IP   | 10.x.y.100 and 10.255.128.4

The two different router configurations needed for an active and inactive firewall, respectively:

Table 2–12 Router configuration

Firewall   | Interface address         | Additional routing table entries
active     | transit LAN: 10.255.128.1 | static routes: 10.x.y.0/24 via 10.255.128.4 + OSPF propagation; 10.x.y.108 via 10.255.128.2; 10.x.y.109 via 10.255.128.3
not active | 10.x.y.100                | no transit LAN

As far as the routing setup for the firewall is concerned the firewall boxes must clearly have two default routes with different preferences configured. The preferred one will be the one corresponding to active firewall operation.

The following scenarios may occur:

• the router operates in its firewall configuration

Table 2–13 Routing state on active firewall box

Target network | Gateway      | Table   | Preference | Status
0.0.0.0/0      | 10.255.128.1 | default | 100        | up
0.0.0.0/0      | 10.x.y.100   | default | 200        | off

Note:
The backup default route is not up but off since 10.x.y.100 is pingable but also local to the currently active firewall.

Table 2–14 Routing state on backup firewall box

Target network | Gateway      | Table   | Preference | Status
0.0.0.0/0      | 10.255.128.1 | default | 100        | up
0.0.0.0/0      | 10.x.y.100   | default | 200        | up

Note:
Both default routes are up since 10.x.y.100 is pingable on the active firewall box.

• router operates in its non firewall configuration

Table 2–15 Routing state on both firewall boxes

Target network | Gateway      | Table   | Preference | Status
0.0.0.0/0      | 10.255.128.1 | default | 100        | dis
0.0.0.0/0      | 10.x.y.100   | default | 200        | up

Note that the preferred default route is not up but disabled since 10.255.128.1 is no longer pingable. In order to make sure that the box still has a valid default route the firewall IP 10.x.y.100 will be deactivated on the active firewall box.

Note:
This behavior is only triggered by specifying the router's transit LAN IP 10.255.128.1 to be pingable as a necessary prerequisite for firewall operation.

• router failure

If the router is down completely both default routes would be in state disabled.

Table 2–16 Routing state on both firewall boxes

Target network | Gateway      | Table   | Preference | Status
0.0.0.0/0      | 10.255.128.1 | default | 100        | dis
0.0.0.0/0      | 10.x.y.100   | default | 200        | dis
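The route-state rules of the pending-route example (Tables 2–8 to 2–10) and of the screened host scenarios (Tables 2–13 to 2–16) follow a small decision procedure: a direct route is up only once its interface carries an address in the target network, a gateway route is off while no active route reaches the gateway or while the gateway is an address local to the box, up when the gateway is pingable or arpable, and dis (with 65536 added to its preference) otherwise; the subsystem is critical when a target has no up route left and unsound when a disabled route still has an up alternative. The following model of that procedure is an added example written for this edition, not Barracuda's controld. Reachability is a constructed input instead of a probe, the 10.x.y.0/24 placeholder of LAN A is instantiated as 10.7.8.0/24, and the backup box's addresses are those of Table 2–11.

```python
"""Model of the route states (off / up / dis) that controld derives from the
box configuration and from gateway reachability, covering the pending-route
example (Tables 2-8 to 2-10) and the screened host scenarios (Tables 2-13 to
2-16).  Added illustration, not Barracuda code: reachability is a constructed
input instead of a probe, and LAN A's 10.x.y.0/24 is instantiated as 10.7.8.0/24."""
import ipaddress
from dataclasses import dataclass, field

PENALTY = 65536  # added to the preference of a gateway that is neither pingable nor arpable


@dataclass
class Iface:
    name: str
    addresses: list  # CIDR strings currently configured; empty for a bare interface


@dataclass
class Direct:
    target: str
    iface: str


@dataclass
class Via:
    target: str
    gateway: str
    preference: int


@dataclass
class Reach:
    pingable: set = field(default_factory=set)
    arpable: set = field(default_factory=set)
    local: set = field(default_factory=set)  # addresses owned by this box (box and service IPs)


def evaluate(ifaces, directs, vias, reach):
    """Return (states, subsystem): states maps (target, interface or gateway)
    to (state, effective metric); subsystem is ok, unsound or critical."""
    states, connected = {}, []
    for i in ifaces:  # networks reachable through already configured addresses
        connected += [ipaddress.ip_interface(a).network for a in i.addresses]
    for d in directs:  # a direct route needs a source address inside its target network
        net = ipaddress.ip_network(d.target)
        addrs = next((i.addresses for i in ifaces if i.name == d.iface), [])
        if any(ipaddress.ip_interface(a).ip in net for a in addrs):
            states[(d.target, d.iface)] = ("up", 0)
            connected.append(net)
        else:
            states[(d.target, d.iface)] = ("off", None)  # pending direct route
    for v in vias:
        gw = ipaddress.ip_address(v.gateway)
        if not any(gw in n for n in connected):
            st = "off"  # pending gateway route: no active route to the gateway yet
        elif v.gateway in reach.local:
            st = "off"  # pingable but local to the box: kept out of the kernel tables
        elif v.gateway in reach.pingable or v.gateway in reach.arpable:
            st = "up"
        else:
            st = "dis"  # neither pingable nor arpable: disabled, metric pushed up
        metric = None if st == "off" else v.preference + (PENALTY if st == "dis" else 0)
        states[(v.target, v.gateway)] = (st, metric)
    subsystem = "ok"
    for target in {v.target for v in vias}:
        sts = [states[(v.target, v.gateway)][0] for v in vias if v.target == target]
        if "dis" in sts and "up" not in sts:
            return states, "critical"  # no usable route left to this target
        if "dis" in sts:
            subsystem = "unsound"  # an alternative route still carries the traffic
    return states, subsystem


def example_states():
    """The scenarios of this section; keys name the situation being modelled."""
    box = [Iface("eth0", ["10.0.0.18/24"]), Iface("tr0", ["10.11.22.33/24"]),
           Iface("eth1", ["10.14.55.66/27"]), Iface("eth2", [])]
    with_server_ip = box[:3] + [Iface("eth2", ["1.2.3.2/32"])]  # server IP 1.2.3.2 activated
    pending = [Direct("1.2.3.0/29", "eth2")]
    defaults = [Via("0.0.0.0/0", "1.2.3.1", 100), Via("0.0.0.0/0", "10.0.0.100", 200)]
    fw1 = [Iface("eth0", ["10.7.8.108/24", "10.255.128.2/29"])]  # active firewall box
    fw2 = [Iface("eth0", ["10.7.8.109/24", "10.255.128.3/29"])]  # backup firewall box
    fw_defaults = [Via("0.0.0.0/0", "10.255.128.1", 100), Via("0.0.0.0/0", "10.7.8.100", 200)]
    service = {"10.7.8.100", "10.255.128.4"}  # firewall service IPs live on the active box only
    return {
        "pending": evaluate(box, pending, defaults, Reach(pingable={"10.0.0.100"})),
        "pending_gw_down": evaluate(box, pending, defaults, Reach()),
        "server_ip_up": evaluate(with_server_ip, pending, defaults,
                                 Reach(pingable={"1.2.3.1", "10.0.0.100"})),
        "server_ip_gw2_down": evaluate(with_server_ip, pending, defaults,
                                       Reach(pingable={"1.2.3.1"})),
        "screened_active": evaluate(fw1, [], fw_defaults,
                                    Reach(pingable={"10.255.128.1", "10.7.8.100"}, local=service)),
        "screened_backup": evaluate(fw2, [], fw_defaults,
                                    Reach(pingable={"10.255.128.1", "10.7.8.100"})),
        "router_non_fw": evaluate(fw1, [], fw_defaults, Reach(pingable={"10.7.8.100"})),
        "router_down": evaluate(fw1, [], fw_defaults, Reach()),
    }


if __name__ == "__main__":
    for name, (states, subsystem) in example_states().items():
        print(f"{name:20} {subsystem:9}", {k[1]: v for k, v in states.items()})
```

Running the script prints one line per scenario; the "router_non_fw" entry shows the disabled preferred route carrying metric 65636 while the backup route via 10.7.8.100 is up, which is the situation of Table 2–15, and "screened_active" shows the backup route off rather than up because 10.7.8.100 is a service IP of the box itself.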


2.3 Processes Tab

The character of the processes view is purely informational. A single panel lists status information about all currently active processes on the box. An additional single status line displays the current time, machine uptime, number of logged in users, load average and memory usage. Three average load values are listed: first value - average load within the last minute; second value - average load within the last five minutes; third value - average load within the last fifteen minutes. Memory usage is additionally illustrated graphically by a status bar. As for disk usage the bar is divided into three sections. Throughout the first section 0 < memory < 70 % the bar is green, for 70 % ≤ memory < 90 % the bar is yellow, and for memory ≥ 90 % the bar is red. The memory status affects the overall status of the processes view.

Fig. 2–9 Sample process status view

For each of the listed processes or process groups the following information is displayed:

Table 2–17 Tabular listing of the elements of the process status panel.

Label    | Meaning                                                               | Comment
Name     | Name of the process                                                   |
Proc     | Number of processes with the same name                                |
%CPU     | Used CPU load in percent                                              |
Num FD   | Number of file descriptors used by processes with this name           |
Memory   | Memory in kB used exclusively by processes with this name             |
Shared   | Shared memory in kB used by processes with this name                  |
Listen   | Number of listening TCP sockets owned by processes with this name     |
Establ.  | Number of established sockets owned by processes with this name       |
UDP      | Number of UDP sockets owned by processes with this name               |
Syn Sent | Number of unanswered SYN packets sent by processes with this name     | Number of unanswered SYN packets for which the time out has not yet expired.
Close    | Number of closing sockets owned by processes with this name           |
Last ACK | Number of sockets in state LAST_ACK owned by processes with this name |

After selecting a single process name from the status panel the button Show Details may be used to retrieve more in-depth information about the status of the selected process.

Fig. 2–10 Sample Info Dialog window

This pop-up window allows you to retrieve more detailed information on the following items:
• process IDs of all processes with the same name
• detailed list of all open files
• IP addresses and ports of listening TCP sockets
• local IP:port and remote IP:port combinations of all established sockets
• IP addresses and ports of UDP sockets

Using the option Single PID allows tracking each task down to single processes. This can be helpful for tasks such as ssh which forks one process for each connection or for the firewall processes.

2.4 Resources Tab

This tab displays the current usage (fill state) of all currently mounted file systems. Each file system is identified by its mount point. The current usage is indicated by a colored bar and a small line of text. The colored bar is separated into three distinct regions. Within the first region (0 %–70 %) the bar is green, within the next region (70 % < usage < 90 %) the bar is yellow, and within the last region (usage > 90 %) the bar will be red. Status information is updated in real time.

Note:
The status condition of the disk subsystem as a whole changes from green to yellow or red as soon as a single file system reaches the respective status.

Usage will hardly ever fall short of 5 % for an ext2 file system as this amount is reserved by default for operating system specific purposes.

In a Barracuda NG Firewall default installation, the following file systems should at least be present:
• / - file system root directory
• /boot - holds boot images (usually located at the beginning of a disk)
• /phion0 - holds logs and statistical data

Note:
CD-ROMs and floppy disks are not shown in this view.

Furthermore, the following speed and temperature information is presented:
• Chassis-Fan1 - speed of fan 1
• Chassis-Fan2 - speed of fan 2
• CPU-Temperature - temperature of the CPU
• Mainboard-Temperature - temperature of the main board

Fig. 2–11 Sample Resources tab

2.5 Licenses Tab

Fig. 2–12 Box Control > Licenses Tab

The Licenses tab is the license management tool serving license control. It gives an overview of the license status, can be used to import and export licenses and to execute software updates on single boxes. License handling is described in detail in a separate chapter (Licensing, page 615).

2.5.1 Section Version Status

This section lists the version and build date of the installed Barracuda Networks software modules. Double-click an entry to view information in more detail. The following is of major importance:

Table 2–18 Version Status - Properties

Label   | Value            | Description
Module  |                  | Module name
Type    |                  | Type of module
Version |                  | Version number
Status  | Latest Kernel    | The latest NGFW OS compiled kernel
        | Clean Release    | Release Version number/binary match
        | Dirty Release    | Release Version number/binary mismatch
        | No License Found | No license found for this module
        | Not Used         | This module is not used
Comment |                  | Comment

2.5.2 Section Active Licenses

This section lists all active licenses. The list content can be edited by using the following available buttons:
• Import Clipboard
Imports a license from the clipboard.
• Import File
Imports a license from a (.lic) file.
• Remove
Removes a selected license from the system.
• Show
Displays the certificate the license is included in.
• Export
Exports the license to a (.lic) file. Use this feature for saving and recovery purposes.
• Software Update
Specify the path to the update package (*.rpm or .tgz) and click Open. A consistency check is performed and after a positive check the install routine has to be confirmed to install a Software Update.

2.5.3 Section License Values

This section lists important license details.

2.5.4 Section Host IDs

This section lists hardware IDs available in the system node-locked licenses can be attached to. For details on significance of HOST IDs see Licensing, page 615.

2.6 Box Tab

The Box tab of the control window is used for controlling key aspects of box operation. It consists of three sections and a report window.

Fig. 2–13 Network Activation dialog

Fig. 2–14 View of the box control window

2.6.1 Section Network Configuration

This section allows the administrator to control the network configuration of a box.

• Verify New
Used to verify a new network configuration.

Attention:
Altering the network configuration of a remotely controlled box represents a critical operation. A new configuration file will not automatically be activated upon transmission from the single box or master server (if managed via a CC). This button will thus only be active when a new network configuration file has been sent but not yet activated. You must first locally (on the box itself) verify the logical consistency of the new network configuration file. The report window will display the results of the consistency check. In case of a seemingly flawed file you must not activate the new configuration. Correct the errors and scrutinize the altered network configuration file again.

Note:
The newly received network configuration file is stored in /opt/phion/preserve/boxnet.conf.

• Activate New
Activates the new network configuration.
When the new network configuration file has successfully passed the consistency check, the new configuration may be activated. Clicking this button opens a window with the following buttons and corresponding functions:

List 2–1 Types of network activation

Network activation type | Impact

Failsafe
Fail-safe network activation is the safest way to activate configuration changes. Always use this network activation type on productive systems, for example, to:
- add/delete network interfaces
- change network interface configurations
- add/delete policy routes
- delete direct/gateway routes
Failsafe network activation is processed in the following way:
- The system creates a backup file of the active network configuration.
- It then temporarily activates the configuration changes and verifies that the system can still be contacted by the graphical administration interface Barracuda NG Admin.
- If this verification is successful the network is restarted so that the changes are activated permanently.
- If verification does not succeed within the timeout defined in the Set Timeout field, the original network configuration is restored.
Note:
Especially when activating network configuration changes via a VPN connection, you might sometimes lose connection to the box. This will lead to connection verification failure between the system and the graphical administration tool Barracuda NG Admin and cause the original configuration to be restored. You might need to use Force network activation if you experience this issue. Use with due care.

Force
Forced network activation immediately activates the new network configuration without the checking routine described above and without backup creation.
Attention:
Use forced network activation with due care.

Soft
The following additions may be done through soft network activation:
- adding of direct routes
- adding of gateway routes
Soft network activation appends routes that have been configured in the Routing tab (Configuration Service – 2.2.5.5 Network Routes, page 184) of the box network configuration to the system's routing table.
Note:
Soft network activation cannot be used to add/delete policy routes or to delete direct or gateway routes permanently.
Note:
Direct/gateway routes that have been deleted using Soft network activation will be marked as wild in the Box Control > Network tab (see 2.2.8 Tables, page 148). Use Failsafe network activation instead or subsequently activate route deletion permanently by restarting the network (see Restart button below).

Cancel
Cancels activation of network configuration changes.

• Restart
Re-initializes networking. Shuts down and subsequently restarts networking.

Note:
The server subsystem is unaffected by this procedure. Yet, server/service functionality will be unavailable for a short time as the network goes down and up.
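The Failsafe activation of List 2–1 is a commit-confirm procedure: back up the active configuration, activate the new one temporarily, require proof that the administration interface can still reach the box before the Set Timeout expires, and otherwise restore the backup. The following is an added example of that procedure written for this edition, not Barracuda code. The Box class is a constructed stand-in for the box network subsystem, MGMT_IP is an assumed management address, the three configurations are constructed, and a fake clock replaces the real timeout wait so the scenarios run offline. It contrasts Failsafe with Force on a change that mistypes the management address, and reproduces the false verification failure over a VPN connection that the Note above warns about.

```python
"""Commit-confirm procedure behind Failsafe network activation (List 2-1):
back up the active configuration, activate the new one temporarily, require a
successful reachability check before the timeout, otherwise restore the backup.
Added illustration, not Barracuda code; Box is a constructed stand-in for the
network subsystem and MGMT_IP an assumed management address."""
import copy

MGMT_IP = "10.0.0.18"  # assumed address through which Barracuda NG Admin reaches the box


class Box:
    """Constructed stand-in for the box network subsystem."""

    def __init__(self, config, admin_via_vpn=False):
        self.active = copy.deepcopy(config)
        self.admin_via_vpn = admin_via_vpn
        self.tunnel_up = True
        self.network_restarts = 0

    def activate(self, config):
        """Bring a configuration up; an admin connected through a VPN tunnel
        loses that tunnel while networking is reconfigured (see the Note)."""
        self.active = copy.deepcopy(config)
        if self.admin_via_vpn:
            self.tunnel_up = False

    def restart_network(self):
        self.network_restarts += 1

    def reachable_by_admin(self):
        """Verification step: can Barracuda NG Admin still contact the box?"""
        addrs = {a.split("/")[0] for ifc in self.active["interfaces"].values() for a in ifc}
        return MGMT_IP in addrs and (self.tunnel_up or not self.admin_via_vpn)


def failsafe_activate(box, new_config, timeout, now, sleep):
    """Failsafe: backup, temporary activation, verification within timeout,
    permanent activation on success or restoration of the backup on failure."""
    backup = copy.deepcopy(box.active)
    box.activate(new_config)
    deadline = now() + timeout
    while now() < deadline:
        if box.reachable_by_admin():
            box.restart_network()  # changes become permanent
            return "activated"
        sleep(0.5)
    box.activate(backup)  # verification did not succeed in time
    return "rolled back"


def force_activate(box, new_config):
    """Force: no verification and no backup, so a bad configuration locks you out."""
    box.activate(new_config)
    box.restart_network()
    return "activated"


class FakeClock:
    """Deterministic clock so the scenarios run instantly and offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


# Constructed configurations: NEW_OK adds an address, NEW_BAD mistypes the management address.
ACTIVE = {"interfaces": {"eth0": ["10.0.0.18/24"], "eth1": ["10.14.55.66/27"]}}
NEW_OK = {"interfaces": {"eth0": ["10.0.0.18/24"], "eth1": ["10.14.55.66/27"], "eth2": ["1.2.3.2/29"]}}
NEW_BAD = {"interfaces": {"eth0": ["10.0.0.81/24"], "eth1": ["10.14.55.66/27"]}}


def run_scenarios(timeout=60):
    """Return {name: (outcome, configuration now active, box still reachable)}."""
    clock, results = FakeClock(), {}
    for name, box, config, mode in [
        ("failsafe_good_change", Box(ACTIVE), NEW_OK, "failsafe"),
        ("failsafe_bad_change", Box(ACTIVE), NEW_BAD, "failsafe"),
        ("force_bad_change", Box(ACTIVE), NEW_BAD, "force"),
        ("failsafe_good_change_over_vpn", Box(ACTIVE, admin_via_vpn=True), NEW_OK, "failsafe"),
    ]:
        if mode == "failsafe":
            outcome = failsafe_activate(box, config, timeout, clock.now, clock.sleep)
        else:
            outcome = force_activate(box, config)
        # over a VPN the admin has to re-establish the tunnel after a rollback
        results[name] = (outcome, box.active, box.reachable_by_admin())
    return results


if __name__ == "__main__":
    for name, (outcome, active, reachable) in run_scenarios().items():
        print(f"{name:32} {outcome:12} reachable={reachable} eth0={active['interfaces']['eth0']}")
```

The last scenario is the one the Note describes: the configuration is sound, but because the verification path itself runs through the tunnel that the activation tears down, the check cannot succeed before the timeout and the good change is rolled back; the usual answers are to verify over a path that the change does not touch or, with due care, to fall back to Force.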


• Verify Active
Verifies the active network configuration. Does exactly the same as Verify New but using the active configuration file.

2.6.2 Section Operating System

• OS Restart
Clicking this button will shutdown and subsequently restart all servers and services belonging to the NGFW Subsystem. This includes the firewall engine.

Attention:
All connections will be lost after clicking this button. This includes non-Barracuda proprietary services such as secure shell (SSHd) and network time protocol (NTPd).

Clicking on this button is almost the same as invoking the following two commands from the command line:
/opt/phion/bin/phionctrl shutdown
/opt/phion/bin/phionctrl startup
The only difference is that the control daemon itself is not stopped and started. To perform this, you've got to actually login on the shell.

• Reboot Box
As a more radical re-initialisation you can perform a reboot of the box. Some systems might have problems with BIOS settings and do not perform the reboot correctly or get stuck on a lower layer. You may need to worry about getting the box back online if it is not easily physically accessible to you. Use with adequate care.

• Reset SMS Counter
This button resets the SMS parameters described in Configuration Service – 2.2.3.7 SMS Control, page 174.

• Domain Control
Click this button to display the registration status of a box at a Windows domain (Show Registration Status) or to register a box as Windows domain member at a domain controller (Register at Domain). Utilisation of this button requires prior MSCHAP profile configuration (Configuration Service – 5.2.1.2 MS-CHAP Authentication, page 228). After clicking the button a User Authentication window expects authentication of a user with appropriate administrative rights to add the box to the domain.

Fig. 2–15 Box Domain Registration dialog

2.6.3 Section Time Control

This section provides functionality for adjustment of time settings.

• Get Time/Date
Click this button to view current time and date.
• Show Settings
Click this button to view current NTP settings.
• Set Time/Date
Insert date and time into the fields above, and click this button to change current time settings. Remember that on systems, which are configured to synchronize date and time with an external time server, manual changes will be overwritten by the succeeding time synchronisation.
• Restart NTP
Click this button to restart all NTP services.
• Sync
Click this button to synchronize time settings with a NTP server manually.
If the Using Time Server / Own IP is unspecified, the synchronisation process binds to the system's primary management IP. This synchronisation method will work flawlessly with a time server that is placed in the same network as the primary management IP. For time synchronisation with a public time server, insert the external IP address of the firewall into the Own IP field, to prevent that the time server's response is blocked by the firewall.

2.6.4 Section Dynamic Network Connections

If configured and available, dynamic network connections can be manually manipulated (off, on, start, stop, restart, reset) by selecting the appropriate item from the menu and clicking the Execute button. The following network connections may appear in the list: xDSL-, ISDN-, and DHCP (cable)-connections, UMTS and MGMT (box management) tunnel connections.

2.6.5 Section Authentication Level

This section allows selecting the level of authentication that is effective for non-interactive Barracuda NG Control Center logins and HA synchronisation. The following authentication levels are available:

Table 2–19 Possible authentication options

Setting                  | Meaning and effect
No Authentication        | Level -1: anything goes. The system allows any attempt to send or fetch configuration data. Note: Use only if necessary and revoke as soon as possible.
Check Key or IP address  | Level 0: Login is accepted if either IP address or key challenge are successful. Still quite insecure.
Check IP address         | Level 1: Still quite insecure.
Check Key                | Level 2
Check Key and IP address | Level 3: This is the default setting that should not be changed unless there is need to lower the security level temporarily.

The default setting Check Key and IP address is the highest authentication level and should not be changed
unless necessary. A change might be required when IP addresses of CC or HA partner or the CC key change.

Attention:
Authentication level changes are effective immediately. Use with due care.

2.6.6 Section BOX SCEP Status

Table 2–20 Box control BOX SCEP Status commands

Command                       | Description
Show Certificate Info         | Shows information about the certificate retrieved by SCEP, or shows the reason of failure
Save Certificate to Clipboard | Exports the certificate to the Clipboard (PEM)
Save Certificate to File      | Exports the certificate to a file (PEM)
Initiate Pending Request      | Instructs the SCEP subsystem to initiate the enrollment process immediately
Force SCEP Update             | Instructs the SCEP subsystem to initiate a SCEP update immediately
Set SCEP Debug ON / Set SCEP Debug OFF | Turns SCEP debugging ON or OFF. Additional debugging information will be included in the SCEP log (Box/Control/SCEP) when turned on.
Set SCEP Password             | Prompt for the SCEP Password. This option is available only if the SCEP password policy is set to Enter-Password-At-Box

2.7 Sessions Tab

The Sessions Tab lists active login-sessions on the box. To terminate a session, select the session entry in the list and click the Kill Session button.
The following columns are available:

Table 2–21 Session types overview

Column       | Meaning
Service Icon | The following icons describe the service responsible for the session:
             | - Firewall control session (Service firewall_)
             | - Login session (peer = local -> box_login via console; peer = IP -> box_login via SSH)
             | - VPN control session (Service VPN-Service_*vpn)
             | - Log viewer session (Service box_logd)
             | - Statistics viewer session (Service box_qstatd)
             | - Box control session (Service box_control)
             | - Barracuda NG Admin session (Service phiona)
             | - Service session
PID          | This is the internal, unique Process ID.
Service      | This is the name of the service that has been accessed.
Peer         | This is the IP address from where the session was started.
Start        | This is the period that has passed since the session has started.
Idle         | Time the session has been idle.
Admin        | This is the name of the administrative account that has logged in.

2.8 Mainboard Tab

The Mainboard Tab shows some hard core information which is available about the system hardware, including Mainboard and CPU information and PCI interfaces. Some vendors do not use the DMI standard, thus producing incomprehensible results. The aim of this view is purely informative.

Fig. 2–16 Typical view of the CPU information panel


Barracuda NG Firewall 4.2.10
3

Configuration Service

1. Overview
1.1 Barracuda NG Firewall Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.1.1 The Administrative Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.1.2 The Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.1.3 The Logical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.1.4 The Functional Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.2 Elements of the Configuration Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

2. Configuring a New System


2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.1.1 Screenshots. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.1.2 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.2 Setting up the Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.2.1 Context Menus of the Configuration Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.2.2 Box Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.2.3 Administrative Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.2.4 Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.2.5 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.2.6 Traffic Shaping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.2.7 Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
2.2.8 Box Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

3. Configuring a New Server


3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
3.2 Server Configuration on Single Boxes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.2.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3.2.3 Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.3 Server Configuration on CC-administered Boxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.3.1 Identity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.3.2 GTI Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

4. Introducing a New Service


4.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.1.1 General view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.1.2 Statistics view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.1.3 Notification view. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98


5. Managing the System


5.1 Box Settings Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.1.1 System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.1.2 Bootloader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.1.3 System Scheduler. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.1.4 Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.1.5 Log Cycling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.1.6 Message Board. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.1.7 Access Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.1.8 SSH. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.1.9 Software Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.1.10 Watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.1 Box Settings Advanced Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.2.1 Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.2.2 Host Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.2.3 Syslog Streaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.2.4 Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
5.2.5 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.2.6 Eventing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.2.7 General Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.2.8 Log Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3 Creating PAR Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.4 Restoring/Importing from PAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

6. Repository
6.1 Working with a Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

7. Troubleshooting
7.1 Live Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.2 Initiate Support Calls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.3 Barracuda NG Live Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.4 From Our Support's Point of View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7.5 System Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Configuration Service Barracuda NG Firewall Concept < Overview | 43

1. Overview

1.1 Barracuda NG Firewall Concept

Before delving into the depths of configuration issues we first need to get acquainted with the basic configuration entities which Barracuda Networks operated systems rely on. It is of paramount importance to develop an understanding of these entities and of how they are linked together to achieve the required administrative and operative interaction of function units.

Barracuda NG Firewall management is based on the following three configuration entities:

• Box
• Virtual Servers
• Assigned Services

These are the key elements of a hierarchical data model. They also exist as separate elements in the configuration tree. A further entity is the module. You will encounter modules only indirectly, when specifying the very nature of a service.

To represent the Barracuda NG Firewall management model a hierarchical database design has been adopted. For lean database management and simple database backup, this proprietary database is implemented entirely in file space. The database is session and transaction based. Referential integrity is warranted by the database design and assisted by separate tree maintenance and reconstruction utilities.

The available configuration entities and their interdependencies are visualized by the schematic diagram depicted in figure 31, page 43. The diagram shows four distinct layers to which the entities are assigned. We distinguish between a physical, a logical, a functional, and an administrative layer. Note that the module entity is associated with required software functionality and system design. The module entity is thus on par with the service entity.

Fig. 31 Interdependencies of the various basic configuration entities
(Functional layer: Software modules and Assigned Services; Logical layer: Virtual Server; Physical layer: Box; Administrative layer: Administrator)

We may assign a particular configuration layer to each entity:

• The Box as a piece of hardware represents the physical layer.
• The Virtual Servers represent the network addresses under which certain services are made available. Since a server can be assigned to more than one box (for high availability purposes) it extends the traditional notion of a server as a piece of hardware. The server entity belongs to what we refer to as the logical layer.
• The Assigned Services, as the actual workhorses, belong to the functional layer. To provide the required functionality the services make use of software modules.
• The Administrator (= root) constitutes a further administrative layer, which is of no particular significance in the case of a single box.

1.1.1 The Administrative Layer

This layer comprises the only administrator of a single box, the root administrator. As such it is of no particular relevance for a single box. Whereas single box management does not foresee administrative roles, it allows for the introduction of root aliases. Root aliases make it possible for several administrators (each with root permission) to manage the box. Each of them has their own login ID and password or public RSA key. For each configuration item in the tree a history file with detailed file actions, origin, and root alias exists. The tree history will thus show which root alias modified which files. Note that root aliases provide attribution, not privilege separation: every alias carries full root permission on the box.

The remaining three layers comprise what might be referred to as the operational entities.




1.1.2 The Physical Layer

This layer contains a single entity named box. The box corresponds to a piece of hardware with an operating system and a number of Barracuda NG Firewall software modules required for the management of the box. The box acts as the basic platform for higher-level software functionality (for example firewalling, VPN service, SMTP gatewaying, ...) provided by server/service combinations. The box confines itself to providing the required underlying networking functionality, basic administrative services such as logging or accumulation of statistical data, and a daemon for remote configuration updates. Most notably it also hosts the control daemon, which is in charge of watching and controlling the operation of all additional advanced software functionality as well as advanced networking needs.

In a manner of speaking one could refer to the primary IP address of the box as a default server address under which all functionality required for the management of the box is made available. We refer to the services providing this functionality as box services; see also the sections on the control, event, log, and statistics windows.

Each box service corresponds to a different software module. The following modules are available as box services:

Table 31 Required software modules sufficient for management and controlled low level operation of a box

Module name | Daemon | Task
bdns | bdns | Local DNS service
boxconfig | boxconfigd | Management of configuration updates
boxfw | boxfw | Local firewall
bsms | bsms | Service for control via SMS
bsyslog | bsyslogd | Syslog streaming of log data to a remote log host
control | controld | Control of box and server/service operation
cstat | cstatd | Collection of statistics
dist | distd | Transfer daemon for High Availability and Barracuda NG Control Center
event | eventd | Configurable active notification via mail, SNMP traps or pop-up window
log | logd | Logging
logwrap | logwrapd | Log file rotation and indexing
phibs | phibsd | Authentication service facility
psyslog | psyslogd | Connectivity bridge to syslogd
qstat | qstatd | Handling of statistics queries

Note:
The box services (except for cstat, which does require a license to write statistics to disk) do not require a license to be active. They form what we refer to as the Barracuda NG Firewall box infrastructure.

Since the box represents the platform that hosts higher-level software functionality it may also operate completely independently. For this reason the box itself as a configuration object does not need to know anything about servers or services.

1.1.3 The Logical Layer

This layer contains a single entity named server. For NGFW OS operated systems the server mainly incorporates one or several IP addresses, which enables utilisation of higher-level software functionality. The functionality itself is not directly provided by the server but by software modules called services (see 1.1.4 The Functional Layer). In contrast to the traditional concept of a server as a piece of hardware providing some functionality, the Barracuda NG Firewall approach facilitates a separation into a physical server (box) and logical server(s) (server).

Note:
Since all software functionality is made available under the server's own IP addresses we may easily transfer functionality from one box to another by simply transferring the respective IP addresses. High availability is thus achieved by assigning a server to a primary and a secondary box, which both hold all relevant configuration data. Moreover it becomes quite simple to migrate a server from one box or from a pair of boxes to another box or a pair of boxes.

A server has to be assigned to at least one box to have any operational impact. Moreover a server can be assigned to a pair of boxes to achieve High Availability (High Availability, page 399).

1.1.4 The Functional Layer

The functional layer comprises two entities, service and module, as shown in figure 31, page 43.

Barracuda Networks ships all available software modules as part of the standard distribution. You will need an appropriate license key to activate a module's functionality beyond the trial period.

The service entity is basically the outer shell for a software module. Therefore a service provides the software functionality it inherits from an encapsulated software module. Moreover, a service carries all further information required to actually harness the software functionality. This includes the IP port under which the functionality is made available, as well as other settings.

A service is explicitly assigned to a single server.

1.2 Elements of the Configuration Window

As soon as you establish a connection to the box configuration daemon (boxconfig) you are allotted your own private session. The ID of your session is shown in the window bar of the config dialog window.

Note:
The GCSID (Generic Configuration Session ID) contains the following elements: IP and source port of the connecting client, followed by the PID of the server process (daemon boxconfigd) handling the current connection.

Session based operation is a necessary prerequisite for two major reasons: Firstly, it forms the basis for simultaneous access of several administrators to non-overlapping regions of the configuration space. Secondly, changes are made to a copy of the configuration tree,


thereby not affecting the momentary operational status. In case you wish to have changes undone, sessioning lets you carry out an undo. In order to commit your changes you need to click Activate, which requires a separate wilful act.

Fig. 32 Box configuration window in compressed connection state

The box configuration window is divided into three main areas:

• The upper part is reserved for several control buttons and combo boxes used to retrieve tree, session, and update status information, change the view of the tree, and activate or undo configuration changes made during the current session.
• The left frame contains all configuration entities.
• The right frame shows all open configuration files.

In order to prevent inconsistencies in the tree configuration files, an administrator who wishes to modify a configuration item has to lock it. This guarantees that only one single authority has write access to the file at one time.

To create a lock, move the mouse over the desired configuration item in the configuration tree, press the right mouse button and select Lock from the menu.

Note:
If you lock a directory or a whole branch of the tree, all items belonging to this directory or branch will also be locked.

Fig. 33 Menu after pressing right mouse button on yet unlocked item

Table 32 Lock indicator icons

Symbol | Meaning | Comments
(icon) | Own lock on branch | After locking a whole branch of the tree this icon is displayed next to the branch icon.
(icon) | Foreign lock on branch | Icon denoting a lock on a whole branch by another session.
(icon) | Own sublock | After locking a whole branch of the tree this icon is displayed next to the icon of each item in the branch.
(icon) | Foreign sublock | Icon denoting a lock on an item of a branch by another session.

Fig. 34 Menu after pressing right mouse button on locked item from another session

If someone else has created a lock you may want to find out whom the lock belongs to. To do so, simply move the mouse over the locked item in question and press the


right mouse button. Then select Show Lock info from the menu.

You may break foreign locks if they belong to broken sessions older than 10 minutes. Locks belonging to intact or active sessions may not be broken. This is necessary in order not to interfere with other administrators' sessions. However, you may kill the session that owns the lock. Your ability to do so depends on both your range affiliation (principal range) and your authorisation level.

Note:
An active session turns into a broken session when the associated client is suddenly disconnected and has not successfully reconnected.

Attention:
Killing a session means initiating a forced undo on the database. As a consequence the admin owning the session will lose all not yet activated configuration changes made to the tree.

The Configuration Sessions window is invoked by clicking on the Sessions button located in the upper part of the configuration window.

Fig. 35 Configuration Sessions window

We strongly advise against indiscriminate killing of active foreign sessions. We recommend making use of the Show Locks and Show Transactions buttons of the session window to retrieve detailed information on the current and past activities inside the targeted session before killing it.

Newly introduced elements are marked by the "new indicator" icon. Altered items such as edited files are marked with the "changed indicator" icon. Items to be deleted are marked with a "deleted indicator" icon.

Note:
You may not delete arbitrary items. Deletable items need to be deleted via the right mouse button menu. Currently only services, servers, and HA partner boxes are deletable.

All of these indicators apply to items inside your session. The cumulative session status (upper part, figure 32, page 45) will automatically change from a "no modifications" state to a "some modifications" state as soon as a single item has been introduced, changed or marked for deletion.

Fig. 36 Box configuration window detail

The following states are available:

Table 33 Box configuration window icons

Icon | Description
(icon) | no changes in session
(icon) | node: changes in session but not yet sent
(icon) | global: changes not yet activated
(icon) | session locked (read-write mode)
(icon) | session locked by another administrator (read-only mode)
(icon) | RCS file imported but not yet accepted
(icon) | configuration file write protected
(icon) | linked configuration file
(icon) | configuration file is going to be deleted

Note:
Status changes of the tree (locks triggered by someone else) are not necessarily immediately visible to you, as the management console only periodically retrieves tree status information. You may speed up the process by using the right mouse button menu items Refresh From Here / Refresh Complete Tree (right mouse button on the box itself).

It is advisable to unlock (again via the right mouse button) all locked configuration files before quitting a session or temporarily leaving it for another task. You may find out about your own locks by using the Locks button located in the upper part of the configuration window.

An active session that gets terminated unexpectedly may be resumed by simply reconnecting to the box. This feature gives extra protection against loss of configuration changes due to network hiccups. If you disconnect or log out properly your session will be cleared (undo on database).

Note that configuration dialog windows (for each item) are issued with a Lock and a Send Changes button. Thus after double-clicking a yet unlocked item you may also lock the item from within the respective configuration dialog. Send Changes is of particular importance, as all changes that have not been sent only reside within the GUI and have not yet been added to your session. This means that further configuration changes depending on not yet sent changes will not be possible. Moreover, unsent configuration information will not be recoverable by a reconnect in case of unexpected connection termination. The notable exception is the introduction or deletion of either a server or a service, where invoking the action as such automatically involves a send changes operation. In order to actually activate the changes made within a session you need to activate them explicitly.

To this end the main configuration window features a button labelled Activate. Before activating you may investigate the effects your configuration changes will have on the various configuration entities and the tree.

• Clicking Send Changes only sends the changed configuration to the Barracuda NG Control Center (or to the box configuration service if the changes are performed directly on a Barracuda NG Firewall), where it is associated with the current session ID. In this state the performed changes are neither sent to the gateway nor merged into the configuration tree at the Barracuda NG Control Center. The latter also means that the configuration changes are not visible to other administrators, as each configurative connection gets its own session ID assigned.
• Clicking Transactions opens a new window listing all pending changes associated with the current session ID (for example changes executed from the current Barracuda NG Admin window). As configuration changes may depend on each other (changing the bind IP in the Service Configuration section may require server IP changes in the Server Configuration section), configurative changes are not activated immediately. Activate pending changes by clicking Activate.
• When you click Undo, all pending transactions (configuration changes which have not been activated yet) are undone. Click Transactions to view currently pending configuration changes.
• HA Sync allows management of the configuration synchronisation between the boxes and visualizes the synchronisation status (in case of HA boxes or an HA Barracuda NG Control Center). The window contains the following elements:

  Synchronisation Status - Status of the configuration synchronisation. If an HA sync is pending the appropriate information is displayed, otherwise the informational text will be "Nothing to synchronize".

  Last Action - Displays details about the last HA sync, for example date and time when the last synchronisation sequence was performed, or failure reasons if the last sync failed.

  HA Partner IP - This field allows configuration of how synchronisation should be performed. The HA partner IP can either be the primary box IP of an HA partner or, in case of a dedicated HA link, a management IP within the HA network. Selecting the checkbox on the left labelled Change Address enables read-write mode.

  Use Sender IP - Here the sender IP for the HA synchronisation can be changed. In general this IP will be the primary box IP. Selecting the checkbox on the left labelled Change Address enables read-write mode.

  Do Update - If an HA sync is pending the synchronisation can be triggered immediately by clicking this button. If the configuration has not changed since the last successful synchronisation procedure, nothing is done.

  Do Complete Update - Synchronizes the complete configuration tree of the current box to the HA partner box.

  Discard Update - Discards a pending configuration synchronisation.

  Clear Dirty Status - If the primary box fails, configuration changes are to be performed on the secondary box. In normal operation it is not possible to alter the configuration via the secondary box. If there is the need to do so, the HA box has to be switched to Emergency Override mode. After re-establishing the primary box, the synchronisation has to be started manually. Previous versions of Barracuda NG Firewall required shell access with root permissions to manually restore a clean configuration state. Instead of using the command line, Barracuda NG Firewall 4.2 allows restoring a clean configuration state by using the GUI. The administrative role "Manage HA Sync" grants this privilege even to non-root administrators.

  Refresh - Refreshes the current window, thus reflecting the new Synchronisation Status and displaying up to date information in the "Last Action" field.

  Close - Closes the HA Box synchronisation window.

Table 34 Buttons of configuration window for session management and status retrieval

Button | Description
Send Changes | Transfers changes from the management console to the session held at the CAS.
HA Sync | Displays update status in case of an HA reinforced installation.
Transactions | Displays the transactions to be carried out on the tree by changes made during the session.
Undo | Undoes all not yet activated changes made during a session.
Activate | Activates changes made during the session on the configuration tree on the CAS.
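The session, lock and activation rules described above (GUI changes become session transactions only after Send Changes, reach the tree only after Activate, branch locks cover every item beneath them, foreign locks may only be broken on sessions that have been broken for more than 10 minutes, and killing a session is a forced undo) can be made precise in a small model. The following Python is an added example written for this page, not Barracuda code and not the real boxconfigd implementation. Two assumptions are not taken from the guide: the GCSID is rendered as "ip:port/pid" purely for illustration, and "broken sessions older than 10 minutes" is read as "broken for more than 10 minutes".

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added model (not Barracuda code) of the session / lock / activate life cycle.
# The GCSID rendering and the reading of the 10-minute rule are assumptions.

BREAK_AGE = 10 * 60  # seconds a session must have been broken before its locks may be broken


class ConfigError(Exception):
    """An operation violated the session or lock rules."""


@dataclass
class Session:
    gcsid: str
    pending: Dict[str, str] = field(default_factory=dict)  # path -> content: sent, not yet activated
    broken_since: Optional[float] = None                   # set when the client vanished without reconnecting


def _covers(lock_path: str, path: str) -> bool:
    """A lock on a directory or branch also covers every item below it."""
    return path == lock_path or path.startswith(lock_path.rstrip("/") + "/")


class ConfigTree:
    def __init__(self, files: Dict[str, str]):
        self.files = dict(files)          # the active (activated) configuration
        self.locks: Dict[str, str] = {}   # lock path -> GCSID of the owner
        self.sessions: Dict[str, Session] = {}

    def connect(self, client_ip: str, client_port: int, daemon_pid: int) -> Session:
        gcsid = f"{client_ip}:{client_port}/{daemon_pid}"  # assumed rendering of the GCSID components
        session = Session(gcsid)
        self.sessions[gcsid] = session
        return session

    def resume(self, gcsid: str) -> Session:
        """Reconnecting resumes a broken session; its sent-but-unactivated changes survive."""
        session = self.sessions[gcsid]
        session.broken_since = None
        return session

    def mark_broken(self, session: Session, now: float) -> None:
        session.broken_since = now

    def lock_owner(self, path: str) -> Optional[str]:
        """GCSID holding a lock on path, either directly or via a branch lock above it."""
        for lock_path, owner in self.locks.items():
            if _covers(lock_path, path):
                return owner
        return None

    def lock(self, session: Session, path: str) -> None:
        # refuse if another session holds a lock above, on, or below this item
        for lock_path, owner in self.locks.items():
            if owner != session.gcsid and (_covers(lock_path, path) or _covers(path, lock_path)):
                raise ConfigError(f"{path} is locked by session {owner}")
        self.locks[path] = session.gcsid

    def unlock(self, session: Session, path: str) -> None:
        if self.locks.get(path) != session.gcsid:
            raise ConfigError(f"{path} is not locked by {session.gcsid}")
        del self.locks[path]

    def send_changes(self, session: Session, path: str, content: str) -> None:
        """GUI -> session. Only the lock holder may send; nothing reaches the tree yet."""
        if self.lock_owner(path) != session.gcsid:
            raise ConfigError(f"lock {path} before sending changes")
        session.pending[path] = content

    def transactions(self, session: Session) -> Dict[str, str]:
        return dict(session.pending)

    def undo(self, session: Session) -> None:
        session.pending.clear()

    def activate(self, session: Session) -> None:
        """Session -> tree. All pending transactions are committed together."""
        self.files.update(session.pending)
        session.pending.clear()

    def break_lock(self, path: str, now: float) -> None:
        """Only locks of sessions broken for more than BREAK_AGE may be broken."""
        owner = self.lock_owner(path)
        if owner is None:
            return
        holder = self.sessions[owner]
        if holder.broken_since is None or now - holder.broken_since <= BREAK_AGE:
            raise ConfigError(f"lock on {path} belongs to an intact or recently broken session")
        self.locks = {p: o for p, o in self.locks.items()
                      if not (o == owner and (_covers(p, path) or _covers(path, p)))}

    def kill_session(self, gcsid: str) -> Dict[str, str]:
        """Forced undo: the owner loses every not yet activated change. Returns what was discarded."""
        session = self.sessions.pop(gcsid)
        lost = dict(session.pending)
        session.pending.clear()
        self.locks = {p: o for p, o in self.locks.items() if o != gcsid}
        return lost
```

The point worth checking against the model is the asymmetry between the two recovery paths: break_lock frees the item but leaves the broken session's pending transactions in place, so the owner still gets them back on resume and can Activate them, whereas kill_session discards them outright. That is why the text recommends Show Transactions before killing a foreign session.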


2. Configuring a New System

2.1 General

2.1.1 Screenshots

The screenshots below are examples, hence some or all of them may differ slightly from the current display of your system. When configuring a Barracuda NG Firewall, the parameter sequence described in this document has to be adjusted to your settings.

2.1.2 User Interface

2.1.2.1 General Buttons

Fig. 37 User Interface

The upper button bar (figure 37, page 48) is described in Elements of the Configuration Window, page 44.

First let us have a look at the lower button bar (figure 37):

• Send Changes button
  With regard to the multi-administrator concept of Barracuda NG Firewall, configuration changes are not carried out directly in the productive environment of the Barracuda NG Firewall. The concept requires you to send modifications to the Barracuda NG Firewall system manually, and thereafter to activate the new configuration explicitly by clicking Activate in the upper button bar.
• Reload button
  Pressing this button reloads the currently active settings. Use Reload to undo configuration changes.

  Attention:
  Clicking Reload undoes all configuration changes which have not yet been sent with Send Changes.
• Lock / Unlock button
  With regard to the multi-administrator concept of Barracuda NG Firewall, the default state of a configuration object is read-only. Its state has to be set to read-write to make it editable. Click Lock to lock an object for your exclusive use. You will now be able to edit it. Click Unlock to allow locking by other administrators. When sending changes you will be asked whether locks should be kept.

  Note:
  Should it be required to edit the configuration of a CC-managed box locally, the state of the box has to be set to Emergency Override mode. Select Emergency Override from the context menu of the box to do so (see below).

  Fig. 38 Config tree Emergency Override

  As soon as the box is in emergency override mode the box icon in the tree changes accordingly.

  Please consider that any configuration change on a box in emergency override mode has to be repeated on the Barracuda NG Control Center; otherwise the local change is not reflected in the configuration the Control Center holds for the box.
• Close button
  This button closes the configuration dialog. When closing a modified dialog without sending changes, a pop-up with the respective information will open. Choose the appropriate answer to confirm or cancel your action.

2.1.2.2 Configuration User Interface

Mandatory parameters / parameter sections are indicated with the mandatory icon.
Modified parameters / parameter sections are indicated with the modified icon.

The following Barracuda NG Admin-specific configuration masks need closer examination:

• Edit / Insert / Delete mask
  Some masks will display a listing with the format Edit/Insert/Delete.

  Fig. 39 Example for an Edit / Insert / Delete mask

  To edit an already existing entry, select it and click Edit.
  To create a new entry, click Insert.
  Both Edit and Insert open the same configuration dialog.
  To remove an existing entry, select it and click Delete.
• Change / Insert / Delete mask
  This mask supplies a field for entering values on the left side and a list of possibly already existing values on the right side.
  The example in figure 310 shows 10.0.8.1 in the value list and 10.0.8.12 in the field meant for adding new entries. Sending changes and activating them will only activate 10.0.8.1. 10.0.8.12 will be ignored as it has not

yet been added to the list. Always be aware that only values appearing in the list will be added to the configuration.

  Fig. 310 Change / Insert / Delete mask

  To edit an already existing entry, select it, modify the value in the field on the left side and click Change.
  To create a new entry, enter the desired value into the field on the left side and click Insert.
  To remove an existing entry, select it and click Delete.

As shown in the screenshots above, each parameter keeps the clipboard icon ready. Click on the icon to allow for the following interaction with the clipboard:

• Copy to Clipboard
  Copies the value (or several values in case of lists or subsections) from the current parameter to the clipboard. The clipboard content contains a special header. The content is formatted as plain text.
• Replace With Clipboard
  If the clipboard contains a valid configuration entry (plain text and a special header as generated by copying to the clipboard using Barracuda NG Admin) the current section/parameter is replaced by the clipboard content.
• Merge With Clipboard
  The current section/parameter is merged and/or replaced with the values from the clipboard.

Consider the following example for better understanding:

Fig. 311 Barracuda NG Admin Configuration list and part of Clipboard content after Copy to Clipboard

Let us assume the following modifications to the clipboard content:

• a new routing entry net192 (using net194 as template)
• the interface (entry DEV =) of routing entry net62 changed from eth3 to eth2

Fig. 312 Part of Clipboard content and Barracuda NG Admin Configuration list after Merge with Clipboard

As you can see in figure 312, a merge of the modified clipboard content with the configuration file content results in:

• overwritten interface value of entity net62
• added entity net192
• untouched entity net194

Note:
The clipboard functions are only available within fields of the same kind.

2.2 Setting up the Box

The box is a vital configuration entity which actually corresponds to a solid piece of hardware. The box as a whole is a rather complex configuration object. However, as far as the basic configuration is concerned only very little information has to be supplied. The settings the box comes up with after installation, however, will not suffice to exploit the full potential of a Barracuda NG Firewall system.

The box is special insofar as it represents the hosting platform for a Barracuda NG Firewall system. It is essential that all relevant aspects of the basic box operations are individually adjustable. As a consequence of this the tree belonging to an individual box contains a number of box specific configuration files.

In this part of the document you will get familiar with the configuration aspects that are directly associated with the box as a piece of hardware, such as the network configuration, which is the most notable one, as most services can never function without the network being configured correctly.

Fig. 313 Structure of the config tree

Unless already open, click on the topmost tree element Box to unfold the configuration tree. You will encounter the following distinct elements:

• Four files named Box Properties, Administrative Settings, Identity and Network
• A directory named Advanced Configuration
• A directory named Infrastructure Services
• A directory named Virtual Servers

The configuration scope of a box borrows from all these elements.

In a first step of issuing a box with more advanced capabilities, it initially suffices to concentrate on the two principal configuration files named Administrative Settings and Network. We will thus start out with a discussion of these two. Next in line is Identity, which is security related and is used to set or change the identity with which the box advertises itself to the world.

Note:
The plus sign (+) is used to emphasize the importance of a file. Importance normally goes hand in hand with a certain inherent complexity. The networking configuration is always box specific as it contains the box's IP addresses and thus must not be shared.
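Before turning to the individual box files, the clipboard example above (figures 311 and 312: net62 moved from eth3 to eth2, net192 created from net194, net194 left alone) is worth replaying in code, because it is the one place where Replace With Clipboard and Merge With Clipboard give different results. The following Python is an added example written for this page, not Barracuda NG Admin code. Its assumptions: the clipboard's special header is stood in for by a kind tag (the real header format is not documented here), the clipboard text is trimmed to the two entries being changed, and every parameter value other than DEV is constructed.

```python
from dataclasses import dataclass
from typing import Dict

# Added example (not Barracuda code): Replace With Clipboard versus Merge With
# Clipboard on a keyed configuration list. The kind tag standing in for the
# clipboard header and all parameter values are assumptions.

Entry = Dict[str, str]       # parameter name -> value, e.g. {"DEV": "eth3"}
Section = Dict[str, Entry]   # entity name -> parameters, e.g. {"net62": {...}}


class ClipboardError(Exception):
    """The clipboard does not hold a configuration entry of the field's kind."""


@dataclass
class Clipboard:
    kind: str          # stands in for the header written by Copy to Clipboard
    entries: Section


def copy_to_clipboard(kind: str, section: Section) -> Clipboard:
    # copy, so that editing the clipboard text never touches the live section
    return Clipboard(kind, {name: dict(params) for name, params in section.items()})


def _require_kind(target_kind: str, clip: Clipboard) -> None:
    # the clipboard functions only work between fields of the same kind
    if clip.kind != target_kind:
        raise ClipboardError(f"clipboard holds {clip.kind!r}, target field is {target_kind!r}")


def replace_with_clipboard(target_kind: str, section: Section, clip: Clipboard) -> Section:
    """The whole section becomes the clipboard content; entities absent from it disappear."""
    _require_kind(target_kind, clip)
    return {name: dict(params) for name, params in clip.entries.items()}


def merge_with_clipboard(target_kind: str, section: Section, clip: Clipboard) -> Section:
    """Clipboard entities overwrite same-named ones or are added; everything else is untouched."""
    _require_kind(target_kind, clip)
    merged = {name: dict(params) for name, params in section.items()}
    for name, params in clip.entries.items():
        merged.setdefault(name, {}).update(params)
    return merged


# constructed starting point: the routing list before any clipboard operation
ROUTES: Section = {
    "net62":  {"DEV": "eth3", "NET": "10.0.62.0/24"},
    "net194": {"DEV": "eth1", "NET": "10.0.194.0/24"},
}


def example() -> Dict[str, Section]:
    """Replay the edits from the text and return the outcome of both operations."""
    clip = copy_to_clipboard("routing", ROUTES)
    # edits made in the clipboard text: net192 from the net194 template, net62 moved to eth2
    clip.entries["net192"] = dict(clip.entries["net194"], NET="10.0.192.0/24")
    clip.entries["net62"]["DEV"] = "eth2"
    # keep only the two changed entries in the clipboard text (assumption); this is what
    # separates Merge, which leaves net194 alone, from Replace, which drops it
    del clip.entries["net194"]
    return {
        "clipboard": clip.entries,
        "merge": merge_with_clipboard("routing", ROUTES, clip),
        "replace": replace_with_clipboard("routing", ROUTES, clip),
    }
```

Neither function touches ROUTES: as with any edit in Barracuda NG Admin, the result only reaches the session after Send Changes and the tree after Activate, so a Replace that silently dropped net194 can still be caught with Transactions before it is activated.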


Table 35 Box specific configuration items

GUI label | Importance | File name | Description | see
Box Properties | ++ | box.conf | identification and operational settings | page 52
Administrative Settings | ++ | boxadm.conf | administrative parameters, DNS settings, root password, NTP settings | page 54
Identity | ++ | boxkey.conf | digital certificate and keys identifying the box | page 60
Network | +++ | boxnet.conf | network configuration of the box | page 61
Traffic Shaping | | boxqos.conf | configuration for traffic shaping | page 82
Administrators | | admindb.conf | specifications of administrators' rights | page 91
Box Licenses | | boxlic.conf | contains the license information required for non-demo mode operation of the box | page 103
System Settings | ++ | boxsys.conf | important system settings (kernel sysctls) | page 91
Bootloader | | bootloader.conf | boot behavior and Linux kernel update settings | page 101
System Scheduler | + | boxcron.conf | custom cron jobs, for example log file deletion, cooking of statistical data | page 102
Inventory | | boxtype.conf | hardware inventory without operational component | page 103
Log Cycling | | logstore.conf | settings for the log storage utility; the utility is invoked by crond as specified by the settings in cron | page 103
Message Board | | messageboard.conf | enabling/disabling welcome messages for Barracuda NG Admin and system login | page 105
Access Notification | | notification.conf | contains eventing or notification policy for GUI and system logins | page 105
SSH | + | ssh.conf | fine tuning of settings for the OpenSSH based SSH daemon | page 106
Software Update | | swupdate.conf | behavior upon successful or flawed completion of a software update | page 108
Watchdog | | watchdog.conf | set certain limits on critical system resources and ensure they are checked at least once a minute | page 108
Authentication Schemes | | authentication schemes.conf | contains configuration for external authentication schemes like MSNT, RADIUS, LDAP | page 111
Host Firewall Rules | ++ | boxfw.lfwrule7 | defines the local firewall rule set | page 116
Syslog Streaming | | bsyslog.conf | used for (filterable) log data streaming | page 116
Control | | control.conf | settings for automatic session logout, configurable limits for Events 30/31 and parameters for HA partners | page 118
Statistics | + | cstat.conf | settings for all statistics modules (cstat, qstat, dstats) | page 119
Eventing | ++ | event.conf | settings for the event daemon | page 119
General Firewall Configuration | ++ | fwparam.conf | settings for both local and forwarding firewalls | page 119
Log Configuration | | log.conf | settings for the log daemon | page 119

2.2.1 Context Menus of the Configuration Tree

2.2.1.1 Box Context Menu

The context menu is opened by clicking with the right mouse-button onto Box in the configuration tree. It provides the following items:

- Refresh Complete Tree
  Updates the view of the configuration tree.
- Collapse All
  Closes all open nodes in the configuration tree down to the top level.
- Create DHA box
  Creates an additional node named HA Box. This node holds an entry HA Network where the network settings for the HA partner are to be configured. The configuration itself is the same as the regular network configuration (2.2.5 Network, page 61). You can only create one HA partner for each box.
  Note:
  When initially creating the HA box IPs in section Additional Local Networks, the IP addresses are automatically set in the HA network. Before installing the HA box check for correct additional IPs in the HA Network node.
- Emergency Override
  This entry is only available if the box is administered by a Barracuda NG Control Center. It allows local configuration of a box.
  Attention:
  Be aware that if doing so the synchronisation with the Barracuda NG Control Center has to be carried out manually.
- Collapse
  Closes all open nodes in the configuration tree down to the top level.
- Expand
  Opens all nodes in the configuration tree.
- Create Repository
  See 6. Repository, page 121 for details.
- Create PAR file
  See 5.3 Creating PAR Files, page 119 for details.
- Restore from PAR file
  See 5.4 Restoring/Importing from PAR File, page 120 for details.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


52 | Configuring a New System > Setting up the Box Configuration Service

2.2.1.2 Other Context Menus

- Collapse All
  Closes all open nodes in the configuration tree down to the top level.
- Lock / Unlock
  Changes the status of the corresponding file from read-only to read-write (and vice versa) and thus makes it editable/static.
- Create Server / Create Service
  These menu items are only available when opening the context menu of the nodes Virtual Servers or Assigned Services.
- Copy To Repository
  Copies the selected configuration file to the corresponding repository section. This menu item will only be available if a repository has already been created.
- Refresh From Here
  Updates the view of the configuration tree from the selected position on downward.
- Show RCS Versions
  This entry is only available on the Barracuda NG Control Center box. It provides RCS (Revision Control System) information for the selected configuration files, including exact date/time and the administrator's name/IP address with reference to the config modification made.
- Show History
  Displays a list with the config modification history since creation of the box.
- Remember Position / Clear Position
  This item allows you to save the current position in the configuration tree. On next start Barracuda NG Admin will open at the saved position.
  Clear Position removes the saved position.

2.2.2 Box Properties

The file Box Properties contains box specific configuration data (box name, description, ...). It is either created as part of the kickstart disk when installing a new system with Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings), or when creating a new box in the configuration tree of a Barracuda NG Control Center using Create Box from the context menu (Barracuda NG Control Center 6.10.1.1 Create Box, page 448). Once created, only few file contents may be changed retroactively.

The box config file is divided into two sections: Identification Settings and Operational Settings (available on CC-administered boxes only). The operational settings define information needed for interoperation between box and CC. The box config file has to be maintained for each box individually.

Note:
On CC-administered boxes the box configuration should always be edited on the Barracuda NG Control Center and not on the box itself.

Note:
On a CC you can also use a wizard to create a box, see Barracuda NG Control Center 6.6.1 Create Box Wizard, page 444.

Open the box configuration by double-clicking Box Properties.

Note:
To view configuration options of the read-only fields in the box config file browse to Multi-Range > <rangename> > <clustername> > Boxes on the CC and select Create Box from the context menu (figure 3-14). The Box Config itself is shown in figure 3-15.

2.2.2.1 Creating a Box - Identification Settings

Fig. 3-14 Creating a box on a CC

List 3-1 Box Config section Identification Settings

Parameter Description
Box Name: This is the name of the box as specified during box creation on the CC. The box name may differ from the box hostname (see Hostname, page 11). The maximum length of this parameter is 25 characters. Once defined, the box name may not be altered, thus this is a read-only field. The Box Name field is empty on self-managed Barracuda NG Firewalls and on the CC itself.
Description: This field takes optional additional information (no length limitation).
Box Unique Name: This is the name of the box that is used in the management unit. The content of this field is generated when the box is added to the configuration tree of the CC. The name is generated as follows: boxname_clustername_rangename. The Box Unique Name field is empty on self-managed Barracuda NG Firewalls and on the CC itself.
OS Platform: This setting specifies the OS platform the Barracuda NG Firewall is installed on. Selection can be made between Barracuda NG Firewall and crossbeam-X.
  Note: Once created, this setting cannot be changed. The OS platform determines the values available through the parameters Product Type and Hardware Model (see below).
  Note: On Barracuda NG Control Centers this field is defined by the entry Barracuda NG Control Center.
Product Type: Depending on the value specified for OS Platform, the available Product Type choice varies in this place. Each selection limits the view to compatible Appliance Models shown in the next field.
  Note: The Product Type corresponds with the field Model in Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings).


List 3-1 Box Config section Identification Settings (continued)

Parameter Description
Hardware Model: Available appliance model types are dependent on the selection for the product type. In this place choose the appliance type which matches the label of your appliance model.
  Note: The Appliance Model corresponds with the field Appliance in Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings).
  Note: Each OS Platform, Product Type, and Appliance Model combination determines product specific default settings. It also determines availability of services and default settings of these services. To profit from this feature, correct settings must already be configured, either when creating the box installation file with Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings) or when creating the box on the CC. Have a look at Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16 to find out about each type's typical characteristics.
Show Legacy Models: This parameter enables the listing of out-dated hardware and appliance models.
Detect Appl. Model Mismatch: If the configured hardware / appliance does not match the detected model, an appropriate event (id 34) will be triggered.
Encryption Level: This setting determines the system's suitability for productional use. Unlicensed systems or systems with export-restricted licenses with weak encryption are to be set to Export-Restricted-Encryption. Licensed systems may be set to Full-Featured-Encryption. Have a look at table 1-2, page 11 for an overview of Barracuda NG Firewall demo versions.
  Note: Export-Restricted-Encryption will be set in this field if the checkbox Demo or Export Mode has been selected when defining box type settings with Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10).
Storage Architecture: This attribute allows for discrimination between Harddisk based and Flash-RAM (CF-Card) based boxes. The following properties are applicable for Flash-RAM based boxes:
  - Harddisk size between 2 and 8 GB.
  - No SMART values
  - No DMA
  Note that when CF-based is selected additional configuration options become available within the System Settings configuration node (see 5.1.1.5 Flash Memory, page 101).
  Misconfiguration of the storage architecture option triggers the event [70] Flash RAM auto detection. An error is reported when one of the following situations arises:
  - Flash-RAM has been configured but cannot be detected.
  - Flash-RAM has not been configured but is detected.
  - Flash-RAM has not been configured but hardware properties indicate that the box might possibly be a Flash-RAM based box.
Serial Number: This field has informational character. For example it allows you to enter the hardware ID of the system. This field is only available on CC-administered boxes.

Note:
The configuration parameters OS Platform, Product Type and Hardware Model are designed to offer enhanced multi-platform product support. The types chosen determine specific default settings of the box and in some cases they determine which services can be installed and configured. Have a look at Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16 to find out about each type's typical characteristics.

2.2.2.2 Creating a Box - Operational Settings

Note:
The section Operational Settings is only available on CC-administered boxes.


2.2.3 Administrative Settings

The configuration file Administrative Settings contains information relevant for proper operation of a Barracuda NG Firewall system, like the information contained in the file Network. Its nature is, however, such that per se it does not necessarily contain data specific to the exact location of a box within the network. Thus a single instance of this file may be shared amongst a number of boxes.

Open the Administrative Settings configuration by double-clicking the Administrative Settings node.

2.2.3.1 System Access

Fig. 3-16 Administrative Settings - System Access

List 3-4 Administrative Settings - System Access section Root Password

Parameter Description
New Root Passwd: The root password of the NGFW Subsystem and the Linux OS. Passwords with less than 5 characters are not permitted.

List 3-5 Administrative Settings - System Access section Service Password

Parameter Description
New Service Password: The password of an unprivileged Linux OS user for support purposes.
  Note: Passwords with less than 5 characters are not permitted.

List 3-6 Administrative Settings - System Access section Access Control List

Parameter Description
ACL: Access control list to protect the box from denial of service (DOS) attacks. Array of IP/mask pairs for which exclusive access to the administrative IP addresses of the box at TCP port 22 (secure shell) and TCP ports 800-820 is granted. TCP based access from all other addresses to these port/address combinations is administratively prohibited. By default, access is allowed from an arbitrary address.
  Attention: To avoid unnecessary exposure of your Barracuda NG Firewall system to DOS attacks against administrative addresses you should restrict the scope of the ACL to the set of IP addresses from which administrative access is required.
  Attention: Changing the access control list does not terminate already established sessions. Manually terminate active sessions within the Firewall Active tab to enforce ACL changes.

List 3-7 Administrative Settings - System Access section Serial Access

Parameter Description
Serial Access / Serial Settings: Click the Edit button to enter the configuration dialog.
Access Types:
  ConsoleOnly (COM1): This setting enables box access using a terminal emulation program such as hyperterm via the serial interface COM1 (terminal emulation: ansi; baud rate: 19200).
    Note: The parameters Mgmt COM Port and Mgmt Baud Rate are inactive when this option is set.
  Management Only: With this setting the box can be accessed with the Barracuda NG Admin GUI via COM1 (therefore Mgmt COM Port is inactive; default Mgmt Baud Rate: 57600).
  Console(COM1) And Management: This option combines the two above (default Mgmt COM Port: COM1; default Mgmt Baud Rate: 57600).
Mgmt COM Port: This option defines the serial port that is to be used.
Mgmt Baud Rate: With this setting the Baud Rate is defined.

2.2.3.2 Advanced System Access

Note:
This parameter group is only available in Advanced View mode.

List 3-8 Administrative Settings section Advanced Access Settings

Parameter Description
Authentication Mode: Choose from Key-OR-Password, Password, Key or Key-AND-Password. Note that the usage of keys should always be favoured over usage of passwords, as no security relevant information needs to be exchanged when authentication takes place via public-key cryptography (challenge-response approach).
Root Public RSA Key: Allows you to import a public RSA key from a file or the clipboard. With an appropriate authentication mode the Barracuda NG Firewall box will authenticate an admin via public key cryptography. As a necessary prerequisite Barracuda NG Admin needs to have loaded the matching private RSA key.
  Note: For security reasons you should not use unencrypted private keys.
  Note: The root public RSA key is only applicable for controlled Barracuda NG Admin logins. If a key for automated SSH login is required use the Authorized Root Keys option instead (see below).
Root Aliases:
  Note: Root Aliases are only available on CC-administered boxes. On single boxes multiple administrator roles may be created in Admins (accessible via Config > Box, see 2.2.7 Administrators, page 91).
  Click the Insert button to insert a new root alias name.
  Inactive: A newly introduced root alias is ready for use immediately after creation (default setting: no). Set to yes to disable its login temporarily.
  Authentication Mode/Password/Public RSA Key: These values specify the root alias's authentication mode. See the same named parameters above for further information.
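As an added illustration of the two Attention notes of List 3-6 above (example code, not part of the guide or the product), the following Python checks a tightened ACL against the sessions currently visible in the Firewall Active tab and lists those the new ACL would no longer admit, which are exactly the sessions that have to be terminated by hand. The ACL entries, the session list and all addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ports the box ACL governs (List 3-6): SSH on TCP 22 and the
# Barracuda NG Admin management ports TCP 800-820.
ADMIN_PORTS = {22} | set(range(800, 821))

Session = Tuple[str, int]  # (source IP, destination port) of an established session


def parse_acl(entries: Iterable[str]) -> list:
    """Parse the ACL's IP/mask pairs, e.g. '10.0.1.0/24' or a bare '192.168.5.7'
    (treated as a /32 host entry). An empty ACL is the documented default:
    access from an arbitrary address."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def acl_permits(acl: list, src_ip: str, dport: int) -> bool:
    """True if a TCP connection from src_ip to dport on an administrative IP
    would be admitted. Ports outside 22 and 800-820 are not covered by this
    ACL at all, so they are reported as permitted here."""
    if dport not in ADMIN_PORTS or not acl:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in acl)


def sessions_to_terminate(new_acl: list, active: Iterable[Session]) -> List[Session]:
    """Changing the ACL does not drop established sessions (Attention note
    above); this lists the ones the new ACL would no longer admit, i.e. the
    sessions an administrator must terminate by hand in the Firewall Active tab."""
    return [s for s in active if not acl_permits(new_acl, s[0], s[1])]


# Constructed sample: a tightened ACL and what the Active tab showed before
# the change (documentation-range placeholder addresses).
NEW_ACL = parse_acl(["10.0.1.0/24", "192.168.5.7"])
ACTIVE_SESSIONS: List[Session] = [
    ("10.0.1.15", 22),      # admin workstation, still allowed
    ("192.168.5.7", 801),   # CC management session, still allowed
    ("203.0.113.9", 22),    # SSH session from outside the new ACL: terminate
    ("203.0.113.9", 443),   # not an administrative port, not governed by the ACL
]

if __name__ == "__main__":
    for src, port in sessions_to_terminate(NEW_ACL, ACTIVE_SESSIONS):
        print(f"terminate {src}:{port}")
```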

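The key-based modes of List 3-8 (Root Public RSA Key above and the Authorized Root Keys field that follows) depend on well-formed OpenSSH public keys, one per line. This added Python example (not the guide's or the product's code) checks a pasted block before it is appended to root's authorized_keys2: every line must carry a known key type whose prefix matches the encoded blob, PEM or RFC 4716 material that still needs ssh-keygen conversion is refused, and anything that is a private key is refused outright. The 2048-bit RSA minimum, the helper names and the sample keys are this example's own choices.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional

# Key types OpenSSH writes to ~/.ssh/id_*.pub and reads from authorized_keys.
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # policy threshold chosen for this example, not from the guide


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, pos: int):
    """Decode one SSH wire-format string at pos; returns (bytes, next_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + n], pos + n


def check_public_key_line(line: str) -> Dict[str, object]:
    """Validate one line of the form '<type> <base64 blob> [comment]'.
    Raises ValueError with the reason; returns type, OpenSSH-style SHA256
    fingerprint, comment and (for RSA) the modulus size in bits."""
    stripped = line.strip()
    if stripped.startswith("----"):                     # PEM or RFC 4716 armour
        if "PRIVATE KEY" in stripped:
            raise ValueError("private key material must never be pasted here")
        raise ValueError("PEM/RFC 4716 key: convert it with ssh-keygen -i first")
    parts = stripped.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    ktype, b64 = parts[0], parts[1]
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:                           # binascii.Error subclasses ValueError
        raise ValueError("key blob is not valid base64") from exc
    embedded, pos = _read_string(blob, 0)
    if embedded != ktype.encode("ascii"):
        raise ValueError("type prefix does not match the encoded key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
    info: Dict[str, object] = {"type": ktype, "comment": " ".join(parts[2:]),
                               "fingerprint": "SHA256:" + digest.decode()}
    if ktype == "ssh-rsa":                              # blob = string type, mpint e, mpint n
        _e, pos = _read_string(blob, pos)
        n_bytes, _ = _read_string(blob, pos)
        bits = int.from_bytes(n_bytes, "big").bit_length()
        info["bits"] = bits
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is only {bits} bits")
    return info


def rejection_reason(line: str) -> Optional[str]:
    """Convenience wrapper: the rejection text for a line, or None if it passes."""
    try:
        check_public_key_line(line)
    except ValueError as exc:
        return str(exc)
    return None


def check_authorized_keys_block(text: str) -> List[Dict[str, object]]:
    """Check a whole pasted block, one key per line as the guide requires.
    Blank lines and '#' comments are skipped; the first bad line raises."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            results.append(check_public_key_line(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return results


# Constructed sample keys (placeholder bytes, not real credentials), built in
# wire format here so the example runs offline.
def make_sample_ed25519_line(comment: str = "backup@example") -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def make_sample_rsa_line(bits: int = 2048) -> str:
    n = (1 << (bits - 1)) | 1                                # placeholder modulus
    n_bytes = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 keeps the mpint positive
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(n_bytes))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root-automation"
```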

List 3-8 Administrative Settings section Advanced Access Settings (continued)

Parameter Description
Authorized Root Keys: The Authorized Root Keys field may be used to insert public keys assigned to user root in OpenSSH format. Public keys apply for key-based authentication using SSH and can be employed, for example, to enable automated key based SSH logins for backup creation reasons. The inserted string is appended to the authorized_keys2 file assigned to user root, thus permitting login with an OpenSSH client disposing of the corresponding private key. Details on OpenSSH client configuration are available at http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-openssh-client-config.html.
  Note: Insert multiple keys one per line. Public keys available in another than SSH format may be converted using the ssh-keygen utility (refer to man ssh-keygen for details). On UNIX systems, the user's public keys are usually written to ~/.ssh/id_rsa.pub (for RSA based keys) or ~/.ssh/id_dsa.pub (for DSA based keys).
  Note: The Authorized Root Keys option is only required for automated logins by user root. Key-based SSH login (controlled and automated) for non-root users is configurable in the following places:
  - On single boxes: Config > Box > Administrators > Public RSA Key (see 2.2.7 Administrators, page 91)
  - On CC-administered boxes: Admins > Details tab > Public Key (Barracuda NG Control Center 8.3 Admin User Interface, page 458)

2.2.3.3 DNS

Fig. 3-17 Administrative Settings - DNS

List 3-9 Administrative Settings - DNS section Basic DNS Settings

Parameter Description
Box DNS Domain: Name of the DNS domain the box belongs to. You may only specify a single domain. The length of the domain's name is limited to 46 characters.
DNS Server IP: List of DNS server IP addresses serving the domain specified above.
  Note: Both Box DNS Domain and DNS Server IP are to be set when using a proxy service. Otherwise the proxy service cannot start.
  The resolver system layer does not monitor the /etc/resolv.conf file. Thus, services using this layer (in contrast to services using the Barracuda NG Firewall resolver) will not recognize changed DNS server settings automatically. Examples for services using the resolver layer are a number of phibs authenticators, proxy, snmp and dhcpe. Therefore, when changing DNS Server IP settings, Barracuda NG Firewall services should be restarted manually. Do so by clicking the OS Restart button (see OS Restart, page 39).

List 3-10 Administrative Settings - DNS section Advanced DNS Settings

Parameter Description
DNS Search Domains: Names of those domains which should automatically be appended to an alias name when performing a DNS query. Separate multiple domains with spaces.
DNS Query Rotation: When multiple DNS servers are used, this parameter defines whether DNS queries should regularly rotate between them. Set to yes (default: no) to activate rotation.
  Note: This parameter is only available in Advanced View mode.
DNS Query Timeout: Defines the timeout [sec] for DNS queries. When the timeout exceeds the specified value, the next DNS server is queried.
  Note: This parameter is only available in Advanced View mode.
Known Hosts (Host Name/Host IP/Full Name/Aliases): Use this section to add user-defined entries to the system's file /etc/hosts. This file will by default always be consulted first for name resolution. It is useful to specify address/name pairs of locally known hosts here, for which no name resolution via DNS is available. The name specified in the first column Name of this section will as well be used as alias. To open the Known Hosts configuration window click Insert. As the bare minimum you will have to supply the Host IP address. This address is associated with the name of the section instance. Optionally, you may specify a fully qualified domain name (dots as name space delimiter) and a whole list of additional Aliases (no dots).
  Note: This parameter is only available in Advanced View mode.

2.2.3.4 Caching DNS Service

Note:
This parameter group is only available in Advanced View mode.

List 3-11 Administrative Settings - Caching DNS Service section Advanced DN<br>S Settings

Parameter Description
Run Forwarding / Caching DNS: This parameter activates/deactivates a local caching or forwarding DNS service (default no = deactivated). DNS queries will be forwarded to or cached from the servers specified under DNS Server IP. Setting to yes activates the field Log DNS Queries (see below).
  Attention: Forwarding/Caching DNS (bdns) configuration collides with a running DNS Server (DNS 2. Installation, page 332). The bdns service must run exclusively. Do NOT install both services.


List 3-11 Administrative Settings - Caching DNS Service section Advanced DNS Settings (continued)

Parameter Description
Run Slave DNS: This parameter activates/deactivates a local Slave DNS service (default no = deactivated). Setting to yes activates the fields Default Master DNS and DNS Slave Zones (see below). The slave DNS service obtains its slave zone configuration from the entries specified through the DNS Slave Zones field and additionally fetches further zone configuration files from the servers specified in the Default Master DNS field.
Query Source Address: This parameter allows to specify which IP address to use as source address when querying the DNS or Master DNS server(s). The following settings are possible:
  - Wildcard (default) - IP selection is accounted for dynamically according to definitions in the routing table.
  - VIP (on CC administered boxes only) - Uses the system's Virtual Management IP.
  - MIP - Uses the system's management IP, which is the Main Box IP.
  - Select checkbox Other to specify an IP address explicitly.
DNS Query ACL: Here single IP addresses or netmasks can be defined that may access the DNS service via a local redirect firewall rule.
  Note: Do not forget to create this rule in the Forwarding Firewall Rule set.
Log DNS Queries: If this parameter is set to yes (default: no) every DNS query will be logged.
Default Master DNS: This parameter takes a single DNS server or a list of DNS servers that the local slave DNS service queries for zone files.
DNS Slave Zones: Click the Insert button to create a new slave zone entry. Enter the fully qualified domain name of the zone into the Name field of the newly opened DNS Slave Zone window. The following parameters are then available for configuration:
  Active Zone: A newly created zone is active by default (setting: yes). The configuration can be deactivated temporarily by setting the parameter value to no.
  Zone Type: This value determines the DNS zone type (Forward (default), Reverse or Both). Setting to Reverse or Both activates the fields Reverse Lookup Net and Reverse Lookup Netmask below.
  DNS Master IP: This parameter takes a single DNS server or a list of DNS servers which the local slave DNS service queries for this zone. If specified, this setting overrides the globally defined DNS Master IP. If left empty, the field is ignored.
  Reverse Lookup Net / Reverse Lookup Netmask: These fields define the network and netmask the specified zone resides in.
  Transfer Source Address: This parameter allows specifying which IP address to use as source address when querying the Master DNS server(s), thus overriding the globally defined value. The following settings are possible:
    - Wildcard (default) - IP selection is accounted for dynamically according to definitions in the routing table.
    - Query Source - This setting uses the IP address of the client initiating the query.
    - VIP (on CC administered boxes only) - Uses the system's Virtual Management IP.
    - MIP - Uses the system's management IP (Main Box IP).
    - Select checkbox Other to specify an IP address explicitly.

2.2.3.5 TIME/NTP Tab

Fig. 3-18 Administrative Settings - TIME/NTP

List 3-12 Administrative Settings - TIME/NTP section Time Settings

Parameter Description
Timezone: Select the desired time zone for your NGFW OS system. Note that changing the time zone later on is a rather momentous measure as far as its implications for data accounting, logging, and eventing are concerned.
  Note: Time zones available for configuration in the pull-down menu are stated in POSIX compliant style according to their derivation from a UNIX system. This means that in Etc/GMT time zones, hours preceded by a minus (-) are counted to the east of the Prime Meridian, and hours preceded by a plus (+) are counted to the west of the Prime Meridian. Conversion to daylight saving time (DST) is not considered in Etc/GMT time zones. To do so, time settings in Country/City format must be used. Accordingly, Etc/GMT-1 (GMT+1 without the preceding Etc on Microsoft Windows operating systems) specifies the time zone 1 hour to the east of Greenwich Mean Time without DST conversion, and Europe/Berlin specifies the same time zone with consideration of DST conversion.
  Note: Please consider that daylight saving times are an unreliable factor in cross-national networks. If you are administering multiple systems situated in different time zones with an optional Barracuda NG Control Center, switching to UTC uniformly is recommended.
Set HW Clock to UTC: Choose yes to set the hardware clock (aka CMOS or BIOS clock) to UTC (Universal Time, Coordinated) (default: no). Reference time will be your system time. Running the hardware clock with UTC will immunize your system against unexpected time lapses caused by changes from or to daylight saving time (DST). We recommend using this feature in combination with a prior synchronisation to an external reference clock (time server), as explained below.

List 3-13 Administrative Settings - TIME/NTP section NTP Settings

Parameter Description
NTP sync on Startup: If set to yes the box will try to obtain the correct time from an external reference clock whenever the network is restarted.
  Note: Continuous time synchronisation may be achieved by running an NTP daemon on the system.
  The box will use its primary box IP as source address when contacting a time server. Consequently, a Barracuda NG Firewall system placed at the border of your network will typically contact a time server belonging to the protected LAN side.
  Event-IDs 2080/2081/2082 may be generated in conjunction with parameter Start NTPd set to yes (System Information 5. List of Default Events, page 536).
  Note: Every synchronisation attempt with a time server will be brought to your attention by eventing if NTPd has been started. This is due to the fact that we consider maintaining an appropriate time standard on the system as a prerequisite for reliable system operation.


List 3-13 Administrative Settings - TIME/NTP section NTP Settings (continued)

Parameter Description
Time Server IP: Array of IP addresses of NTP protocol conform time servers. Try to specify as many independent server addresses as possible. These addresses will be contacted in turn during every restart of the network subsystem for the purpose of time synchronisation. The first successful synchronisation will suppress further synchronisation attempts until the next restart occurs. For continuous synchronisation you must run an NTP daemon on your system (see comment below) or run ntpdate from a cronjob every so often. Note that the latter approach may incur backwards time glitches causing the log and statistics daemons to complain about clock skews.
  Note: On a firewall system you may not bind to 0.0.0.0 and you'll need to specify the source address to be used by ntpdate. You may do so by making use of our additional flag -A <IP>.
  Note that the network consistency check logic will also check whether or not these addresses are reachable (routes available) from the box with the box management IP as source address. If you run the system as a remote box (administration via a tunnel to a management instance) then the source address is the so-called virtual IP (VIP) instead.
  Note: If available, Barracuda Networks recommends using the Barracuda NG Control Center as time server.
Start NTPd: If set to yes the system will continuously aim for keeping its time in sync with the external references specified above in order to improve the reliability of your time standard. Note that the trade-off here is increased UDP traffic from the box to those IPs. Your Barracuda NG Firewall system in turn also becomes an NTP time server that may be queried by clients on your LAN. The addresses under which this service is made available are the administrative IPs at UDP port 123.
  Attention: Be aware that running an NTP daemon on your Barracuda NG Firewall system makes the system vulnerable to NTP specific exploits and UDP based denial of service attacks. Never direct your Barracuda NG Firewall system to untrusted reference time servers or run a time server in a completely hostile environment.
Local Clock Stratum: This setting configures the stratum value of the local clock for the NTP daemon. The time reference has a fixed stratum value n and each subsequent computer in the NTP chain has a stratum value n+1. The preconfigured default value 10 should be set to 9 on the CC box to make clear that the CC box is the preferred source.
Event on NTPd: Only relevant when Start NTPd is set to yes. You may configure the NTPd related conditions that trigger event notification (Event-IDs 2070-2073). You may choose from 4 different settings:
  - start-failure (default)
  - +stop-failure
  - ++start-success
  - +++stop-success
  The list is additive, which means items further down the list automatically include all previous ones.
  Events will as well be triggered when the NTP daemon is restarted via the Control > Box tab (Control 2.6 Box Tab, page 38):
  - Restart NTP button: In this scenario the control daemon induces NTPd to restart.
  - Sync button: Synchronisation processes are triggered through the script ctrltime. ctrltime stops NTPd and then executes ntpdate on port 123.
  Note: You will not be notified when NTPd is killed manually or just dies unexpectedly. The settings here only pertain to NTPd behavior during controlled start or stop sequences.

2.2.3.6 A small Digression into Linux Time Management

(excerpted from "Linux-Clock HOWTO", v2.1, Nov. 2000 by Ron Bean)

The Linux "system clock" actually just counts the number of seconds past Jan. 1, 1970, and is always in UTC. UTC does not change as DST (Daylight Savings Time) comes and goes; what changes is the conversion between UTC and local time. The translation to local time is done by library functions that are linked into the application programs.

This has two consequences: First, any application that needs to know the local time also needs to know what time zone you're in, and whether DST is in effect or not. Second, there is no provision in the kernel to change either the system clock or the RTC (real time clock) as DST comes and goes, because UTC doesn't change. Therefore, machines that only run Linux should have the RTC set to UTC, not local time. Unfortunately, there are no flags in the RTC or the CMOS RAM to indicate standard time vs. DST. This means that, if the RTC has been set to local time, the system must assume that the RTC always contains the correct local time.

If Linux is running when the seasonal time change occurs, the system clock is unaffected and applications will make the correct conversion. But if Linux has to be rebooted for any reason, the system clock will be set to the time in the RTC, which might be off by up to an hour since DST information is not stored in the RTC or CMOS RAM.

Some other documents have stated that setting the RTC to UTC allows Linux to take care of DST properly. This is not really wrong, but it doesn't tell the whole story: as long as you don't reboot, it does not matter which time is in the RTC (or even if the RTC's battery dies). Linux will maintain the correct time either way, until the next reboot. In theory, if you only reboot once a year (which is not unreasonable for Linux), DST could come and go and you'd never notice that the RTC had been wrong for several months, because the system clock would have stayed correct all along. But since you can't predict when you'll want to reboot, it's better to have the RTC set to UTC if you're not running another OS that requires local time.

2.2.3.7 SMS Control

Fig. 3-19 Administrative Settings - SMS Control
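The sign convention of the Timezone note in List 3-12 and the RTC argument of 2.2.3.6 can be checked with this added Python example (not from the guide or the product). It parses Etc/GMT offsets with the POSIX inversion, hand-codes the EU rule for Europe/Berlin so that no tzdata is needed on the host, and computes how far the system clock lands from true time after a reboot when the RTC holds local time instead of UTC; the function names and the sample dates are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def etc_gmt_offset(zone: str) -> timedelta:
    """UTC offset of a POSIX-style Etc/GMT zone as listed in the Timezone
    pull-down. The sign is inverted relative to everyday notation:
    Etc/GMT-1 lies one hour EAST of Greenwich (UTC+1), Etc/GMT+5 five hours
    west (UTC-5). Etc/GMT zones never apply DST."""
    m = re.fullmatch(r"Etc/GMT(?:([+-])(\d{1,2}))?", zone)
    if not m:
        raise ValueError(f"not an Etc/GMT zone: {zone!r}")
    if m.group(1) is None:
        return timedelta(0)
    hours = int(m.group(2))
    return timedelta(hours=-hours if m.group(1) == "+" else hours)


def _eu_transition(year: int, month: int) -> datetime:
    """01:00 UTC on the last Sunday of March (DST start) or October (DST end)."""
    d = datetime(year, month, 31, 1, 0, tzinfo=UTC)
    return d - timedelta(days=(d.weekday() + 1) % 7)   # Monday=0 ... Sunday=6


def europe_berlin_offset(utc: datetime) -> timedelta:
    """UTC offset of Europe/Berlin for an aware UTC instant, hand-coded from
    the EU rule (CEST = UTC+2 between the two transitions, CET = UTC+1
    otherwise). Country/City zones like this one do follow DST."""
    if utc.tzinfo is None:
        raise ValueError("pass a timezone-aware UTC datetime")
    utc = utc.astimezone(UTC)
    dst = _eu_transition(utc.year, 3) <= utc < _eu_transition(utc.year, 10)
    return timedelta(hours=2) if dst else timedelta(hours=1)


def system_clock_error_after_reboot(rtc_set_at: datetime, reboot_at: datetime,
                                    rtc_in_utc: bool) -> timedelta:
    """Model of the Digression in 2.2.3.6. With the RTC in UTC the system
    clock is exact after every reboot. With the RTC holding Europe/Berlin
    local time it keeps ticking with the offset in force when it was last
    written; at reboot the kernel reads it back with the offset in force
    then. Returns (system clock - true time) right after the reboot."""
    if rtc_in_utc:
        return timedelta(0)
    written_with = europe_berlin_offset(rtc_set_at)
    read_with = europe_berlin_offset(reboot_at)
    return written_with - read_with


if __name__ == "__main__":
    # Sample instants chosen for this example: one in winter, one in summer.
    winter = datetime(2010, 1, 15, 12, tzinfo=UTC)
    summer = datetime(2010, 7, 15, 12, tzinfo=UTC)
    print("Etc/GMT-1 offset:", etc_gmt_offset("Etc/GMT-1"))
    print("Europe/Berlin winter/summer:", europe_berlin_offset(winter),
          europe_berlin_offset(summer))
    print("RTC in local time, set in winter, rebooted in summer:",
          system_clock_error_after_reboot(winter, summer, rtc_in_utc=False))
```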


For gateways that have been equipped with the UMTS extension and a UMTS modem card that is compatible with the adopted SMS implementation (see Inbound SMS Handling, page 77), remote execution of four restorative maintenance tasks is possible.
Use the SMS Control Settings to define how to deal with inbound SMS triggering command execution.

List 314 Administrative Settings - SMS Control section SMS Control Settings
Parameter: Description
Remote Control via SMS: Set this to yes (default: no) to allow for SMS-triggered command execution. This feature will only work if an appropriate GSM/UMTS card supporting it is installed.
The following events are associated with this feature when it is activated:
[135] Resource Limit Pending: Less than 50 % of the maximum command value remain.
[136] Resource Limit Exceeded: The maximum command counter has been reached or has been exceeded.
[4111] Authentication Failure Warning: The ACL does not match.
[4112] Authentication Failure Alert: Password authentication failure and/or unsuccessful command match.
[4126] Remote Command Execution Alert: Successful authentication and command is accepted.

List 315 Administrative Settings - SMS Control section Access Limitations
Parameter: Description
Allowed Phone Numbers: Access is controlled via a mandatory phone ACL, which matches either the sender number or, in its absence, the SMSC number. Insert the numbers that are allowed to trigger command execution via SMS into the list. Include country prefixes in the phone number, omitting leading zeros and the plus sign.
Successive Command Maximum: This setting limits the maximum number of successive commands that the interface will accept (default: 8). Note that once this limit has been reached the counter needs to be reset manually by the super user via SSH access or remote command execution from a CC (the file /var/phion/preserve/bsms/cmdcter needs to be reset to a value of 0).

List 316 Administrative Settings - SMS Control section Command Codes
Parameter: Description
The four commands listed below can be triggered remotely by SMS. Each command is associated with a password. Insert the password into the field right of the parameter label and retype it in the Confirm field. The commands are only accepted when the sender ACL matches, the maximum successive command counter has not yet been reached, and both keyword and password match. Simply send an SMS to your interface with a single line containing the space-separated keyword and associated password. The system will always attempt to send a confirmation SMS.
Note:
The keyword needs to start with a lower case letter.
Reboot: Send reboot in an SMS followed by this string to enforce a box reboot.
Restart Services: Send restart in an SMS followed by this string to enforce a restart of the NGFW Subsystem.
Reconnect Network: Send reconnect in an SMS followed by this string to enforce a restart of the network subsystem.
Rebuild Mgmt Tunnel: Send rebuild in an SMS followed by this string to enforce a restart of the MGMT tunnel.

2.2.3.8 SCEP

Note:
See Appendix 1.3 How to set up for SCEP, page 546 for more detailed information.

List 317 Administrative Settings SCEP section BOX SCEP Settings
Parameter: Description
Enable SCEP: Setting to yes (default: no) activates SCEP and enables the corresponding configuration parameters below.
SCEP Settings: Choose Set or Edit to set the SCEP parameters.

Fig. 320 Administrative Settings - SCEP

List 318 Administrative Settings SCEP SCEP Settings section SCEP Server
Parameter: Description
SCEP Server IP or Hostname: The IP address or hostname of the SCEP server where the SCEP requests will be sent to. If a DNS hostname is used, make sure the DNS resolver of the gateway has been configured and is able to resolve it.

List 318 Administrative Settings SCEP SCEP Settings section SCEP Server (continued)
Parameter: Description
SCEP server port number: The TCP port number where the SCEP server listens for requests. The default value is 80, which generally suits the HTTP protocol (see below).
SCEP server protocol: Choose between http and https.
SCEP URL path: The complete URL path on the SCEP server which must be used to send the requests.
Refresh [% Lifetime]: The certificate will be refreshed after this percentage of the certificate lifetime is reached (between 10 % and 90 %).
Failure Retry Intervals [Minutes]: The number of minutes to wait until the next retry.
HTTP Authentication: Choose Set or Edit to set the HTTP authentication. For the parameter descriptions see list 319.

List 319 Administrative Settings SCEP SCEP Settings section SCEP Server section SCEP HTTP Server Authentication
Parameter: Description
Authentication Type: Choose between None, Basic-Authentication and NTLM-Authentication.
User Name: Defines the user's name.
Password: Enter the (new) password and confirm it by re-entering it into the Confirm field (existing entries require the current password to unlock the fields Password and Confirm).
Domain: Set the domain.

List 320 Administrative Settings SCEP SCEP Settings section SCEP X509 Request
Parameter: Description
Common Name: The common name of the certificate. Default is $BOXNAME. This value will be replaced with the real hostname of the box when the request is created.
Alternative Name: The alternative name of the certificate. Default is IP:$BOXIP. This value will be replaced with the real IP address of the box when the request is created.
EMail Address, Organization, Unit, Location, State, Country, Unstructured Name, Unstructured Address: Optional additional X.509 fields to include in the certificate request.
X509 Key Usage: Specific key usage. Leave empty for general purpose key usage. Key pairs may be intended for particular purposes, such as encryption only, or signing only. The usage of any associated certificate can be restricted by adding key usage and extended key usage attributes to the PKCS#10.

List 321 Administrative Settings SCEP SCEP Settings section SCEP X509 Request Password
Parameter: Description
SCEP Password Policy:
No-Password: No challenge password will be included in the certificate request.
Password-from-Configuration: The challenge password is statically configured on the CC and will be included in the certificate request.
Enter-Password-at-Box: The challenge password will be prompted for at the box when the certificate request is created.
Get-Password-From-Website: The challenge password is fetched from a web site (typically the CA itself).
SCEP Password: Static challenge password, needed when the SCEP password policy option is set to Password-from-Configuration.
SCEP Password URL Path, SCEP Password Search Pattern: The path and the text to look for on the CA's website when the SCEP password policy option is set to Get-Password-From-Website.

List 322 Administrative Settings SCEP SCEP Settings section Connection Details
Parameter: Description
Proxy Settings: Choose Set or Edit to enter the configuration. For the parameter descriptions see list 323.
SCEP HTTPS Client Key: Click Ex/Import to import a key.
SCEP HTTPS Client Cert.: Click Show to view the certificate or click Ex/Import to import a certificate.

List 323 Administrative Settings SCEP SCEP Settings section Connection Details section SCEP HTTP Proxy Settings
Parameter: Description
Proxy IP Address: The IP address of the proxy server.
Proxy Port Number: The TCP port number on which the proxy server listens for requests.
Proxy Authentication Type: The type of authentication used at the proxy server: None, Basic-Authentication or NTLM-Authentication.
Proxy User Name, Proxy Password: The credentials to use for authentication at the proxy server when the authentication type is not set to None.
Proxy Domain: The domain name to use when NTLM-Authentication is used.

List 324 Administrative Settings SCEP SCEP Settings section Encoding Parameters
Parameter: Description
Transaction ID Encoding: The transaction ID field can be sent binary or base64 encoded. Some SCEP servers support both. Although some certificate authorities support the binary format, problems can occur when using it. Falling back to the text format might help in this case.
PKCS7 Cipher, PKCS7 Hash, PKCS7 Replay Protection: These are the encryption settings used when communicating with the CA. They must be set according to the CA settings.
Select Encryption Certificate: Choose between By-Key-Usage and Use-Any.
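The acceptance rules of the SMS Control settings above (Lists 314 to 316: phone ACL, successive command counter, lower-case keyword plus per-command password, and the event IDs raised on each outcome) can be written down as a small decision procedure. The following Python is an added example, not Barracuda code: the class and function names, the task descriptions and the constant-time password comparison are assumptions, and the counter is kept in memory instead of in the file /var/phion/preserve/bsms/cmdcter that the page names.

```python
"""Inbound SMS command validation modelled on the SMS Control rules:
phone ACL, successive command maximum, lower-case keyword and password.
Added example, not Barracuda code; names are assumptions."""
import hmac

# Event IDs as listed for the SMS Control feature.
EV_RESOURCE_LIMIT_PENDING = 135    # less than 50 % of the maximum remains
EV_RESOURCE_LIMIT_EXCEEDED = 136   # maximum command counter reached
EV_AUTH_FAILURE_WARNING = 4111     # ACL does not match
EV_AUTH_FAILURE_ALERT = 4112       # keyword or password mismatch
EV_REMOTE_COMMAND_EXEC = 4126      # authenticated and accepted

# The four documented keywords and the task each one triggers.
COMMANDS = {
    "reboot": "box reboot",
    "restart": "restart NGFW subsystem",
    "reconnect": "restart network subsystem",
    "rebuild": "restart management tunnel",
}


def normalise_number(number):
    """ACL number format: country prefix, no leading zeros, no plus sign."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits.lstrip("0")


class SmsControl:
    """Decides whether one inbound SMS may trigger a maintenance command."""

    def __init__(self, allowed_numbers, passwords, max_commands=8):
        self.acl = {normalise_number(n) for n in allowed_numbers}
        self.passwords = passwords        # keyword -> configured password
        self.max_commands = max_commands  # Successive Command Maximum
        self.counter = 0                  # stands in for the cmdcter file
        self.events = []                  # event IDs raised, in order

    def reset_counter(self):
        """Manual reset by the super user (counter file set to 0)."""
        self.counter = 0

    def handle(self, sender, smsc, text):
        """Return the accepted task, or None when the SMS is rejected."""
        # 1. ACL on the sender number, or the SMSC number in its absence.
        origin = normalise_number(sender or smsc or "")
        if origin not in self.acl:
            self.events.append(EV_AUTH_FAILURE_WARNING)
            return None
        # 2. Once the maximum is reached nothing is accepted until reset.
        if self.counter >= self.max_commands:
            self.events.append(EV_RESOURCE_LIMIT_EXCEEDED)
            return None
        # 3. One line, space-separated keyword and password; the keyword
        #    must start with a lower-case letter.
        parts = text.strip().split()
        if len(parts) != 2 or not parts[0][:1].islower():
            self.events.append(EV_AUTH_FAILURE_ALERT)
            return None
        keyword, password = parts
        expected = self.passwords.get(keyword)
        # Constant-time comparison (hardening choice, not stated on the page).
        if (keyword not in COMMANDS or expected is None or
                not hmac.compare_digest(expected.encode(), password.encode())):
            self.events.append(EV_AUTH_FAILURE_ALERT)
            return None
        # 4. Accepted: count it and report the resource state.
        self.counter += 1
        self.events.append(EV_REMOTE_COMMAND_EXEC)
        if self.counter >= self.max_commands:
            self.events.append(EV_RESOURCE_LIMIT_EXCEEDED)
        elif self.counter > self.max_commands / 2:
            self.events.append(EV_RESOURCE_LIMIT_PENDING)
        return COMMANDS[keyword]
```

Every rejected message is answered with an event rather than silently dropped, so a burst of [4111] or [4112] events in the Eventing service is the signal that somebody is probing the SMS interface, while a [136] after a few legitimate commands is the reminder to reset the counter.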

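The SCEP parameters of Lists 318, 320 and 321 above combine into a handful of computations: the request URL from server, protocol, port and URL path; the expansion of $BOXNAME and IP:$BOXIP when the request is created; the renewal instant from Refresh [% Lifetime]; the retry instants from Failure Retry Intervals; and the choice of challenge password by SCEP Password Policy. The following Python is an added example, not Barracuda code; the function names are assumptions, and so is the way the password is located on the CA page (the token following the Search Pattern).

```python
"""SCEP settings helpers (added example, not Barracuda code)."""
from datetime import datetime, timedelta

PASSWORD_POLICIES = ("No-Password", "Password-from-Configuration",
                     "Enter-Password-at-Box", "Get-Password-From-Website")


def scep_request_url(server, protocol="http", port=80, url_path="/"):
    """URL the SCEP requests are sent to (List 318); port 80 is the default."""
    if protocol not in ("http", "https"):
        raise ValueError("SCEP server protocol must be http or https")
    if not 1 <= port <= 65535:
        raise ValueError("invalid TCP port number")
    default_port = {"http": 80, "https": 443}[protocol]
    host = server if port == default_port else f"{server}:{port}"
    if not url_path.startswith("/"):
        url_path = "/" + url_path
    return f"{protocol}://{host}{url_path}"


def expand_subject(common_name, alt_name, box_name, box_ip):
    """Replace the List 320 placeholders when the request is created."""
    def expand(value):
        return value.replace("$BOXNAME", box_name).replace("$BOXIP", box_ip)
    return expand(common_name), expand(alt_name)


def renewal_time(not_before, not_after, refresh_percent):
    """Re-enrol once refresh_percent (10..90) of the lifetime has passed."""
    if not 10 <= refresh_percent <= 90:
        raise ValueError("Refresh [% Lifetime] must be between 10 and 90")
    return not_before + (not_after - not_before) * (refresh_percent / 100)


def retry_schedule(first_failure, retry_minutes, attempts):
    """Instants of the next enrolment attempts after a failed request."""
    if retry_minutes <= 0:
        raise ValueError("Failure Retry Intervals must be positive")
    return [first_failure + timedelta(minutes=retry_minutes * i)
            for i in range(1, attempts + 1)]


def password_from_website(page_text, search_pattern):
    """Get-Password-From-Website: locate the Search Pattern on the CA page.
    Assumption: the password is the next whitespace-delimited token."""
    pos = page_text.find(search_pattern)
    if pos < 0:
        return None
    rest = page_text[pos + len(search_pattern):].split()
    return rest[0] if rest else None


def challenge_password(policy, configured=None, page_text=None,
                       search_pattern=None, prompt=None):
    """Select the challenge password the PKCS#10 request will carry."""
    if policy not in PASSWORD_POLICIES:
        raise ValueError(f"unknown SCEP Password Policy {policy!r}")
    if policy == "No-Password":
        return None
    if policy == "Password-from-Configuration":
        if not configured:
            raise ValueError("SCEP Password is required for this policy")
        return configured
    if policy == "Enter-Password-at-Box":
        return prompt()   # interactive callback at the box
    return password_from_website(page_text or "", search_pattern or "")
```

Keeping the refresh point inside the 10 to 90 % window matters operationally: below it the box re-enrols needlessly often, above it a CA outage plus a few retry intervals can push the renewal past the expiry date.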

2.2.4 Identity

Password and username are to be supplied over an SSL-encrypted connection in most cases to be granted administrative access to a box. Before supplying your credentials to the server, for example the Barracuda NG Firewall system, you may want to verify its identity.
To enable this verification the server authenticates itself to the client via an x.509-compatible digital certificate. Precisely speaking, it is the public RSA key contained in this certificate that is used to establish the SSL connection in the first place. In order for this to work the administration console needs to associate a public RSA key with a particular Barracuda NG Firewall box and network address. The management console will prompt for a decision on how to proceed every time access to a new box is requested or when the key of a box has changed.
The same applies to accessing the box via the SSH version 2 protocol. The box will try to prove its identity by means of a public 1024-bit DSA host key.
Only on first connection to an SSH server do you need to trust that the server is the one it claims to be. To avoid further moments of uncertainty a dialog will then allow for creation of the box's private SSH DSA key. In this way the associated public key by which the SSH server can be identified is extracted.
The configuration dialog Identity serves two major purposes. First it allows you to issue the contents of the certificate which the box uses to advertise its legitimacy to the world. Second it allows you to trigger the generation of a new private RSA box key or a new private SSH DSA key.
Open the configuration dialog by clicking twice on Identity.

Fig. 321 Box Identity

List 325 Identity section Box Certificate
Parameter: Description
Box Private Key: The current base-64 encoded 1024-bit long RSA key of the box. The corresponding public RSA key is part of the box certificate.
Note:
Every time the key is regenerated the digital identity of the box changes.
Box Certificate: Digital x.509v3 compatible box certificate.

List 326 Identity section SSH Private Key
Parameter: Description
SSH Private Key: Click on New Key to generate a new base-64 encoded 1024-bit long DSA private host key for use by the SSH daemon of the box. You may wish to locally store the corresponding public DSA key (Settings) in order to establish an a priori trust relationship for SSH access. A key may be identified by its hash with high probability.

Barracuda NG Firewall boxes make use of x.509 conform digital certificates. For a single box without supervision of a Barracuda Networks trust center, the certificate is basically identical to a mere RSA public key. It may be viewed as a neat way of storing information regarding the organisational affiliation of the box. As the certificate contains the public RSA key of the box, it is rebuilt every time the key is changed. Editing the certificate, on the other hand, does not mean that the key is updated.
In order to edit the certificate simply click on the Edit button.

Fig. 322 Certificate window

For a better understanding of the actual structure of an x.509 conform digital certificate, figure 323 contains a human readable textual representation of an x.509 digital certificate as used by Barracuda NG Firewall systems to authenticate themselves.
The key elements are issuer and subject (which are identical in case of an unsigned or self-signed certificate), the RSA public key (1024 bits), and a signature of the certificate's contents. The latter is created with the private part of the issuer's RSA key and may be verified using the corresponding public counterpart. Evidently, in case of a self-signed certificate there is no point in checking the signature, and thus initially a human decision as to whether or not to trust a box is required. In case you run the box in conjunction with a Barracuda NG Firewall cluster administration server, the cluster server will take on the role of a trust center originating certificates. Then it would suffice to check whether or not the certificate produced by
the box has been signed by the cluster server and contains the management IP address it has been contacted under.

Fig. 323 Output of a certificate at the command line interface
(The callouts of the figure mark the Issuer, the Subject (= box), the RSA public key, the Signature and the base64 representation.)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Validity
            Not Before: Jan 1 00:00:01 1970 GMT
            Not After: May 18 03:33:20 2033 GMT
        Subject: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:95:46:c7:10:ee:a8:bf:06:8e:03:37:f1:e2:
                    ab:db:56:80:3b:69:26:3c:f7:2e:62:c6:18:42:b3:
                    ca:09:6a:0a:b8:b7:36:f1:fd:bf:2b:d7:e4:33:e7:
                    0e:4d:a3:95:d1:c5:09:9f:9e:3d:9f:9d:fd:9a:5c:
                    74:09:40:22:67:b6:fb:af:4c:84:dd:e8:f5:1d:3a:
                    61:0f:f8:28:0b:70:65:1f:b2:53:5c:28:6f:9e:05:
                    9b:45:5d:6a:f1:13:de:0f:1e:0a:6d:1a:95:1e:5d:
                    2a:ff:8c:be:4f:d3:ee:d5:fe:e7:73:fb:fd:86:64:
                    ab:43:fc:a4:07:2d:07:86:09
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        b3:a3:3e:0c:97:f6:12:94:22:8f:0a:a9:15:50:b9:08:81:02:
        3d:8f:f3:1f:1d:df:c2:4a:69:5f:cb:86:5c:2e:4f:d9:33:32:
        51:3a:f5:28:b4:ec:96:98:d6:9b:19:d7:2d:a3:7e:6a:74:9e:
        4f:41:a6:f2:a0:8c:47:3b:b4:9b:1a:fa:cd:a2:36:68:66:96:
        f9:12:3d:2b:6a:28:f2:b0:da:54:f2:78:d3:79:49:5d:05:3e:
        65:f1:15:c7:93:4f:be:ec:ea:7e:98:65:75:03:cd:b5:02:d7:
        90:dd:51:2d:2f:25:13:78:49:ee:6d:b9:1f:17:eb:7f:37:07:
-----BEGIN CERTIFICATE-----
MIIChjCCAe+gAwIBAgIBADANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEB
EDAOBgNVBAoTB1Vua25vd24xEDAOBgNVBAMTB1Vua25vd24xEDAOBgNVB
a25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xH
NTE4MDMzMzIwWjCBiDELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1Vua25vd
BgNVBAMTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB
d24xEDAOBgNVBAsTB1Vua25vd24xHzAdBgkqhkiG9w0BCQEWEG9mZmljZ
bi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL+VRscQ7qi/B
q9tWgDtpJjz3LmLGGEKzyglqCri3NvH9vyvX5DPnDk2jldHFCZ+ePZ+d/
Ime2+69MhN3o9R06YQ/4KAtwZR+yU1wob54Fm0VdavET3g8eCm0alR5dK
7tX+53P7/YZkq0P8pActB4YJAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAs
EpQijwqpFVC5CIECPY/zHx3fwkppX8uGXC5P2TMyUTr1KLTslpjWmxnXL
T0Gm8qCMRzu0mxr6zaI2aGaW+RI9K2oo8rDaVPJ403lJXQU+ZfEVx5NPv
dQPNtQLXkN1RLS8lE3hJ7m25HxfrfzcHvs8=
-----END CERTIFICATE-----

Note:
The shown certificate is generated by the box itself and is therefore self-signed. In the absence of a Barracuda Networks trust center, the certificate is not signed by a trusted authority. Authentication thus relies on recognising the public key of the box. In this regard single-box authentication works in a similar fashion as SSH server authentication.

2.2.5 Network

To open the network configuration, double-click Network.
The following configuration entities are available:

Table 36 Classification of the available sections
Entry (tab icon): see
Networks (mandatory): page 61
Interfaces (mandatory): page 63
Virtual LANs (optional): page 65
Management Access (optional): page 66
Network Routes (mandatory): page 68
xDSL/ISDN/DHCP (optional): page 70
UMTS (optional): page 77
IP Tunnelling (optional): page 79
Integrity Check (optional): page 80
Special Needs (optional): page 80

2.2.5.1 Networks

This section is used to specify the primary network address of the box.
The associated network is referred to as the primary box network. All services required for system management will bind to the specified IP address by default.
This section is special in several ways:
- Only one single mandatory instance exists.
- The specified IP address is pingable by default (ICMP echo).
- This IP is used as source address by the box services to contact an optional Barracuda NG Control Center, unless the box is classified as a remote box and has a VIP assigned (see below). Common activities in this regard would be renewal of the license stamp, forwarding of events, and synchronisation with an NTP server.

Fig. 324 Box Network configuration
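Returning to the Identity section above: figure 323 and its note say that, without a trust center, authenticating a box comes down to recognising its public RSA key, and that the console ties that key to a box and a network address and asks the operator on a new box or a changed key. The following Python is an added example, not Barracuda code, of exactly that trust-on-first-use check: it parses the textual certificate of figure 323 (embedded below as the sample input), confirms it is self-signed, derives a key fingerprint and keeps a console-side store of known boxes. The fingerprint construction (SHA-256 over modulus and exponent), the store layout and the function names are assumptions.

```python
"""Trust-on-first-use check for a box's public RSA key (added example,
not Barracuda code). CERT_TEXT is the openssl-style text of figure 323."""
import hashlib
import re

CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Subject: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:95:46:c7:10:ee:a8:bf:06:8e:03:37:f1:e2:
                    ab:db:56:80:3b:69:26:3c:f7:2e:62:c6:18:42:b3:
                    ca:09:6a:0a:b8:b7:36:f1:fd:bf:2b:d7:e4:33:e7:
                    0e:4d:a3:95:d1:c5:09:9f:9e:3d:9f:9d:fd:9a:5c:
                    74:09:40:22:67:b6:fb:af:4c:84:dd:e8:f5:1d:3a:
                    61:0f:f8:28:0b:70:65:1f:b2:53:5c:28:6f:9e:05:
                    9b:45:5d:6a:f1:13:de:0f:1e:0a:6d:1a:95:1e:5d:
                    2a:ff:8c:be:4f:d3:ee:d5:fe:e7:73:fb:fd:86:64:
                    ab:43:fc:a4:07:2d:07:86:09
                Exponent: 65537 (0x10001)
"""


def parse_cert_text(text):
    """Pull issuer, subject, modulus and exponent out of openssl text output."""
    issuer = re.search(r"^\s*Issuer: (.+)$", text, re.M).group(1).strip()
    subject = re.search(r"^\s*Subject: (.+)$", text, re.M).group(1).strip()
    mod = re.search(r"Modulus \(\d+ bit\):\s*\n(.*?)\n\s*Exponent: (\d+)",
                    text, re.S)
    modulus = int(re.sub(r"[^0-9a-f]", "", mod.group(1)), 16)
    return {"issuer": issuer, "subject": subject,
            "modulus": modulus, "exponent": int(mod.group(2))}


def is_self_signed(cert):
    """Issuer and subject are identical for a self-signed box certificate."""
    return cert["issuer"] == cert["subject"]


def key_fingerprint(cert):
    """SHA-256 over modulus and exponent: identifies the key 'with high
    probability', as the page puts it (construction is an assumption)."""
    n = cert["modulus"]
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = cert["exponent"].to_bytes(4, "big")
    return hashlib.sha256(n_bytes + e_bytes).hexdigest()


class KnownBoxes:
    """Console-side store: (box, address) -> fingerprint of the trusted key."""

    def __init__(self):
        self.store = {}

    def check(self, box, address, cert):
        """'new' (operator must decide), 'trusted', or 'CHANGED' (key differs,
        which is the case to stop and investigate before entering credentials)."""
        fp = key_fingerprint(cert)
        known = self.store.get((box, address))
        if known is None:
            return "new", fp
        return ("trusted" if known == fp else "CHANGED"), fp

    def trust(self, box, address, cert):
        """Record the operator's decision to trust this key for this box."""
        self.store[(box, address)] = key_fingerprint(cert)
```

A key seen under a new address is reported as "new" even if the fingerprint is already known elsewhere, because the page binds the key to both the box and the network address; an unexpected "CHANGED" is the single result that should never be waved through without checking why the box key was regenerated.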


List 327 Network - Management Network section Device Name
Parameter: Description
Hostname: Note: This parameter is only available in Advanced View mode.
The maximum length of this parameter is 25 characters. This is the box hostname without domain suffix.
Note: Entering a box hostname is obligatory (indicated by the icon). The hostname is inserted into the file /etc/hosts.

List 328 Network - Management Network section Management Network
Parameter: Description
Management IP (MIP): The principal IP address of the box. Barracuda NG Firewall systems do not have dedicated administrative interfaces but rather use administrative IP addresses. The existence of this IP is required for access to the box via SSH and to the Barracuda NG Firewall system via the administration console.
Note: Access to the MIP may be limited through specification in an ACL (at kernel level).
Associated Netmask: The mask (or extent in bits) of the network the MIP is embedded in. You may choose the netmask from a pull-down menu, with 8 bits being the default.
Note: A netmask smaller than 2 bits does not really make sense.
Interface Name: For convenience a small pull-down menu containing the interfaces eth0, eth1, tr0, and tr1 is present. Select the check box labelled Other to declare another interface. Always remember that your choice is limited to interfaces on NICs for which you have requested driver support.
Responds to Ping: Governs whether ICMP echo requests will be replied to or not for this address. The default setting is no.
Bind NTPd: Value yes causes NTPd to bind to this address. The default setting is no.
Note: NTPd has to be activated separately (see 2.2.3.5 TIME/NTP Tab, page 56).
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal (default), dmz, external.
MTU: Here the MTU (Maximum Transmission Unit) can be set. Packets above this value are sent fragmented.
Note: MTUs may also be set for NICs (list 329, page 63), virtual LANs (list 330, page 65), additional networks (Networks, page 61) and standard routing (2.2.5.5 Network Routes, page 68). The unwritten rule is that the maximum accepted MTU of the next hop will be used.
Advertise Route: If set to yes (default: no) all routes will be advertised via routing protocols, provided an OSPF or RIP router service is active on the gateway.
Additional IP Addresses: Note: This parameter is only available in Advanced View mode.
Optionally you may specify additional addresses to be active within the primary box network. In general there is no need to make use of this option. Special circumstances may arise when doing so becomes desirable.
Note: We consider this an advanced option which is prone to cause unexpected behavior when misused. Thus make sure you understand the implications of the individual options selected for the introduced additional IPs entirely.
Each additional IP carries the following sub-parameters:
IP Address: The address must be valid and within the associated network. It will be introduced as a stand-alone IP with mask 0.
Responds to Ping: Governs whether ICMP echo requests will be replied to. The default setting is no.
Management IP: To have box services bound to this IP choose yes (default: no). If yes is selected, the Additional IP becomes a Management IP supplementary to the Main Box IP.
Bind NTPd: Value yes causes NTPd to bind to this address. The default setting is no.
Note: NTPd has to be activated separately (see Administrative Settings, page 54).

Section Additional Local Networks

This section is used to specify additional network addresses of the box besides those in the primary box network. Transit networks, external networks, networks describing demilitarized zones (DMZ) or secure server networks (SSN) could be accounted for by such a section. IP addresses utilized in a private uplink network between HA partners must be inserted here as well (see 5.2.4.1 Monitoring Setup, page 118).
In general, it is not advantageous to have additional box IP addresses beyond the one required to administer the box. As an alternative strategy you could use a combination of pending direct routes and server IP addresses to grant the box access to additional networks. Barracuda Networks recommends this latter approach as it leads to increased system security, especially when connecting a system to an untrusted network.
Note:
A direct route is referred to as pending if it cannot be activated without the presence of a dynamically activated IP address (for example a server IP) (see Network Routes, page 68).
Like the primary box network, each additional network contains a subsection allowing the introduction of further isolated additional IPs within the network (see Networks, page 61).
To open the configuration dialog, click the Insert button.

Fig. 325 Additional Local Networks configuration


2.2.5.2 Interfaces

List 329 Box Network section Network Interface Configuration
Parameter: Description
Appliance Model: This pull-down menu contains all available pre-configured appliances. Selecting the corresponding appliance sets the Visible Interface Name to the name that is engraved on the front of the appliance.
Note: Each appliance model forces its typical corresponding set of interface names (naming eth<n>, port<n>, LAN<n>, ...). This directly influences the values shown below in parameter group Physical Interfaces (page 64).
Note: Selecting the entry USER enables the section called Port Labelling.
Port Labelling: Internal Interface Name, Visible Interface Name: Note: This parameter is only available in Advanced View mode.
This configuration section allows defining alternative Visible Interface Names for each interface with a maximum of 5 alphanumeric characters. However, only eth interfaces may be renamed. Interfaces like tap, ppp*, dhcp and loopback are pre-defined and cannot be modified.
Note: The interface names that are defined within this section should also be used for configuration purposes to avoid "messy" configurations.
Note: Please consider that interfaces which have been renamed cannot be dynamically updated in the parameter group Physical Interfaces.
Network Interface Cards: NIC Type: Type of Network Interface Card; information required for logical consistency checks. In conjunction with the specified number of interfaces it becomes possible to check whether a particular interface may be referenced in some of the other sections. Available NICs are: Ethernet.
Driver Type: Informs the system whether the driver support is module or kernel based. Default is Loadable_Module. If module based driver support is not available select Compiled_In. This will automatically deactivate several consistency checking routines.
Note: When selecting Compiled_In please check whether the system's current kernel provides the required support. Barracuda Networks considers this an advanced option whose utilisation requires a profound understanding of the Barracuda Networks adapted Linux OS.
Activate Driver: With this option the driver can be activated/deactivated (default: yes).
Driver Module Name: You have to instruct the system which driver to use for any given kind of interface card. The selection offered corresponds to those cards recommended by Barracuda Networks. Consult the list of supported NICs if you wish to use another card. In this case you will have to select the checkbox labelled Other and enter the module name manually.
Attention: If you are using a Marvell network adapter that requires the module sk98lin_cb.o, pay attention that interface naming has to begin with eth1. Interface eth0 is NOT supported.
Driver Options: Note: This parameter is only available in Advanced View mode.
Used only in conjunction with module based driver support. Refer to the list of supported NICs for more information on this topic. Options are typically used to set the ring speed for token ring interfaces or to bypass media type auto-negotiation for ethernet interfaces. Note that several interface specific option strings may be specified, formatted as key=value1 ... valueN, with N being the number of interfaces.
Number of Interfaces: The number of interfaces (integer) of the NIC or NICs that may be in simultaneous use.
Note: The Number of Interfaces indicates the number of ports and NOT the number of cards of the particular type; for example one dual-port NIC counts as 2 interfaces, but 1 combo-type card with support for three different connectors (for example BNC, AUI, RJ45) counts as 1, because only one connection is active at one time. You may set the number to zero. In this case the respective module will not be loaded. If more than seven cards (ports) are present, select the checkbox Other and enter the number of cards manually.
Fallback Enabled: Note: This parameter is only available in Advanced View mode.
With this parameter it is possible to activate an alternative NIC driver that is defined via the entries Fallback Module Name and Fallback Driver Options, both mentioned below. This may be helpful during/after updating sequences. If the primary driver does not work, this fallback driver is used. In case the fallback driver does not work either, both drivers are loaded.
Fallback Module Name: Note: This parameter is only available in Advanced View mode. See Driver Module Name, page 63.
Fallback Driver Options: Note: This parameter is only available in Advanced View mode. See Driver Module Name, page 63.
Ethernet MTU: When using an ethernet NIC (NIC Type, page 64), it is possible to set the MTU size (Maximum Transmission Unit) through this field. Packets exceeding this value will be sent fragmented.
Note: The MTU specified in this place is used as the default value for all existing interfaces. It can be adapted individually per interface using parameter MTU in parameter group Physical Interfaces below (list 329).
Note: MTUs may also be set for virtual LANs (2.2.5.3 Virtual LANs, page 65), the box network (2.2.5.1 Networks, page 61), additional networks (Section Additional Local Networks, page 62) and standard routing (Section Main Routing Table, page 68). The rule of thumb is that the maximum accepted MTU of the next hop will be used.
Note: Example 1: If you have a NIC with MTU size 1500 and a Standard Route with MTU size 2000, the valid MTU size will be 1500.
Example 2: If you have a NIC with MTU size 2000 and a Standard Route with MTU size 1500, the valid MTU size will be 1500.
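The box network rules of List 328 (Associated Netmask with 8 bits as default and fewer than 2 bits rejected, Interface Realm, Additional IP Addresses that must lie inside the associated network) and the MTU rule of thumb of List 329 (the two examples above both resolve to 1500) are easy to check mechanically before a configuration is activated. The following Python is an added example, not Barracuda code; the function names are assumptions and the sample addresses are constructed.

```python
"""Consistency checks for the box network settings (added example,
not Barracuda code; function names are assumptions)."""
import ipaddress

INTERFACE_REALMS = ("unspec", "internal", "dmz", "external")


def check_netmask_bits(bits):
    """Associated Netmask as a prefix length; 8 is the GUI default and the
    page notes that a netmask smaller than 2 bits makes no sense."""
    if not 2 <= bits <= 32:
        raise ValueError("a netmask smaller than 2 bits does not make sense")
    return bits


def check_interface_realm(realm):
    """Interface Realm decides how the firewall counts the traffic."""
    if realm not in INTERFACE_REALMS:
        raise ValueError(f"interface realm must be one of {INTERFACE_REALMS}")
    return realm


def primary_network(mip, bits):
    """The primary box network the Management IP is embedded in."""
    addr = ipaddress.IPv4Address(mip)
    return ipaddress.IPv4Network(f"{addr}/{check_netmask_bits(bits)}", strict=False)


def validate_additional_ips(mip, bits, extra_ips):
    """Additional IP Addresses: each must be a valid address inside the
    associated network; accepted ones are returned as stand-alone hosts."""
    net = primary_network(mip, bits)
    accepted, rejected = [], []
    for ip in extra_ips:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            rejected.append((ip, "not a valid IPv4 address"))
            continue
        if addr not in net:
            rejected.append((ip, f"outside {net}"))
        elif addr in (net.network_address, net.broadcast_address):
            rejected.append((ip, "network or broadcast address of the network"))
        else:
            accepted.append(addr)
    return accepted, rejected


def effective_mtu(*hop_mtus):
    """Rule of thumb of List 329: the largest MTU every hop accepts, which
    is the minimum of the configured values (NIC, route, VLAN, ...)."""
    if not hop_mtus:
        raise ValueError("at least one MTU value is required")
    return min(hop_mtus)
```

The minimum rule generalises the two examples on the page to any number of configured MTUs along the path (NIC, box network, VLAN and route), which is why raising the MTU on a route alone never increases the packet size actually sent.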


List 329 Box Network section Network Interface Configuration (continued)
Parameter: Description
Interface Usage: The Interface Usage parameter is a read-only field. It displays the effective network configuration status and is set to OK if the configuration is in a clean state and all configured interfaces work properly. Otherwise, a warning is displayed.
Interface Computation: The parameter Interface Computation steers the dynamic updating of values in parameter group Physical Interfaces. If set to yes (default) the view is updated each time the network configuration is changed. If set to no, the view remains at the formerly known values.
Physical Interfaces: MTU: In general, the MTU size configured in the Box Network section Network Interface Configuration is valid for all existing interfaces by default. You may use the MTU field in this place to customize the MTU setting to individual values per interface.
Availability: If nothing else has been configured, all recognized interfaces are generally available by default. Interfaces may be claimed for exclusive use by xDSL (Connection Type: PPPOE) and DHCP Links (2.2.5.6 xDSL/ISDN/DHCP, page 70). When an interface has been claimed as Modem Interface or DHCP Interface, its usage is set to status reserved. If an interface is claimed by multiple services concurrently, its usage status is set to overbooked.
Note: Interfaces marked as overbooked cannot work properly. They will not be available for any of the configured services.
References: An interface which has not been claimed by a service exclusively is flagged with none. Interfaces claimed by xDSL or DHCP Links are flagged with xdsl or dhcp respectively, followed by the link name as specified in the xDSL/DHCP configuration area when creating the link (for example xdsl::xDSLLinkName).
Name of NIC: This is the network card Interface Name as specified when inserted into the Interfaces section (see page 63).
NIC Type: This is the Network Interface Card type as specified when inserted into the Interfaces section (page 63).
Used Driver: This is the module driver name as defined in parameter Driver Module Name in 2.2.5.1 Networks, page 61.
Enable Auto negotiation: If the driver that has been defined through the Driver Module Name (see page 63) does not support the driver options below, this parameter may be set to No in order to enable them. Speed and duplex mode options which cannot be steered through the NIC driver can by this means be set manually to a static value through the underlying utility ethtool. Note that this option has been introduced in netfence 3.6.3 because of known issues regarding the Intel e100 driver, and that in systems earlier than netfence 3.6.3 ethtool has to be applied manually at the command line interface. Refer to the support section of the Barracuda Networks homepage for details on the usage of ethtool on Barracuda NG Firewall systems.
Forced Speed (Mbps): This is the NIC's static network speed (10/100/1000 Mbps).
Duplex Mode: This is the NIC's static duplex mode (half/full).


List 329 Box Network section Network Interface Configuration (continued)
Ethernet Trunks: Note: The following parameters are only available in Advanced View mode.
  Name: The name of the trunk is a read-only field (after introduction). It may contain up to 8 characters (digits, "-", the 26 characters from the English alphabet).
  Virtual Interface: The name the trunking interface is referred to. Legitimate names are bond0 and bond1. When using a single trunk, select bond0 as the name of the master interface. In the case of two trunks make sure that the first trunk uses bond0 and the second trunk uses bond1. Any other combination will cause the configuration to be rejected.
  Trunked Interfaces: Select at least one ethernet interface (eth0, ..., eth7) from the list. Note that any meaningful configuration should rely on at least two (different) ethernet interfaces. Keep in mind that these interfaces are reserved for exclusive use by the trunking interface. Do not explicitly reference the selected slave interfaces anywhere else in the configuration. Use button Insert to apply the values to the list.
  Operation Mode: The following trunking modes are available:
    In mode Fallback (active backup policy) at least two interfaces are required, with only a single slave interface being active at any one time. A prolonged failure of the link check on the active interface will trigger the activation of a backup slave interface.
    In mode Bundle (round-robin policy) as many configured slave interfaces as possible are activated. The kernel will distribute network traffic sent to the master interface to all slave interfaces involved. In a similar fashion, inbound traffic to any of the slave interfaces is directed to the master interface.
    In mode Broadcast everything is transmitted on all slave interfaces.
    In mode XOR the same slaves are selected for each destination MAC address.
    In mode LinkAggregation the parameter LACPDU Packet Rate becomes configurable.
  Link Check Mode: Here the checking method can be defined. The following options are available: Compatibility (default), Efficiency.
  Link Check (ms): The bonding driver can regularly check all its slaves' links by checking the MII status registers. Link Check takes an integer that specifies the check interval in milliseconds. Note: Barracuda Networks recommends leaving this parameter at its default setting, 100 ms. Thus an inactive or dead link will be detected at the most 100 ms after it has gone down.
  Activation Lag (ms): The time it takes before a backup slave interface is activated. Use this if it is desirable not to activate a backup interface immediately after a link has gone down. It has to be an integer multiple of the Link Check interval.
  Deactivation Lag (ms): Time in milliseconds by which the moment when a link will be completely disabled is delayed. It has to be an integer multiple of the Link Check interval.
  LACPDU Packet Rate: The default is Slow, meaning that a request is sent to the switch every 30 seconds; if set to Fast it will happen once every second. This parameter is configurable when parameter Operation Mode is set to LinkAggregation.
Interface Name: Note: This parameter is only available in Advanced View mode. This is the name of the interface. Its labelling is triggered through Appliance Model selection (list 329, page 63).

2.2.5.3 Virtual LANs

Note:
Configuration of this section is only of avail in combination with a properly configured 802.1q capable switch.

With a Virtual LAN, several LANs on one network interface (but only one MAC address) can be simulated. The interface will behave as if it were several interfaces; the switch will behave as if it were multiple switches.

Virtual LANs are needed if too few slots for PCI interfaces exist on the machine. By using virtual LANs it would be possible to run a firewall with only one network interface.

Note:
On Barracuda NG Firewalls, only the following NICs supported by the listed drivers are capable of VLAN technology. Furthermore, Barracuda Networks recommends the usage of Intel NICs.

Table 37 NICs supporting VLAN technology
Supported NIC                                            Module
Intel 100 MBit Driver by Intel                           e100.o
Intel 100 MBit Driver by Intel (certified by Compaq)     e100compaq.o
Intel 100 MBit Driver                                    eepro100.o
Intel 1000 MBit Driver by Intel                          e1000.o
Intel 1000 MBit Driver by Intel (certified by Compaq)    e1000compaq.o
Broadcom 1000 MBit Driver by Broadcom                    bcm57xx.o
Broadcom 1000 MBit Driver                                tg3.o

To open the VLAN configuration dialog, click the Insert button:

Fig. 326 Virtual LAN configuration

List 330 Network - Virtual LANs Configuration section Virtual LAN Configuration
Name: This is the name of the virtual LAN.
VLAN Description: Provide the VLAN with a significant description (optional).
Hosting Interface: Physical interface on which the virtual LAN should live (for example eth0).
VLAN ID: This ID has to be the same as on the switch (for example 5). Note: In network configuration dialogs, a VLAN interface may be addressed with its Supporting Interface name and VLAN ID, separated by a point (for example eth0.5).

List 330 Network - Virtual LANs Configuration section Virtual LAN Configuration (continued)
MTU: The Maximum Transmission Unit defines up to what size packets are sent directly. Packet sizes over this value are sent fragmented. Note: MTUs may also be set for NICs (2.2.5.1 Networks, page 61), box network (list 329, page 63), additional networks (Section Additional Local Networks, page 62) and standard routing (Section Main Routing Table, page 68). The rule of thumb is that only MTUs smaller than the one of the supporting interface make sense.
Header Reordering: Ticking this checkbox causes tag reordering in the Ethernet header of VLAN tagged packets so that the VLAN interface appears as a common Ethernet interface. Header reordering might become necessary in rare cases if external software components connecting to the VLAN interface experience communication problems. Note: Header reordering is disabled by default. Do NOT change the default setting without explicit need.

Note:
The label of a network interface is put together by interface name, VLAN-ID and server name, separated from one another by punctuation marks. The label construct looks like the following: interfacename.vlanid:servername (for example eth0.99:foo). A label, including punctuation marks, must not be longer than 15 characters.

Configuring and activating VLANs
Proceed as follows to configure and activate a virtual LAN in the network configuration:

Step 1 Create the virtual interface in the VLANs tab
• Browse to Config > Box > Network > Virtual LANs.
• Specify the Hosting Interface. Therefore, either select the interface from the pull-down menu or select checkbox Other and enter the name of the interface the VLAN should live on manually (for example eth0).
• Specify the VLAN ID (for example 5).
• Optionally, adapt the MTU size.

Step 2 Create a direct route for the VLAN
• Browse to Config > Box > Network > Network Routes.
• Insert a route into the Section Main Routing Table field.
• Specify the address of the VLAN in the Target Network Address field (for example 192.168.8.10).
• Set the Route Type field to direct.
• Insert the name of the virtual interface into the Interface Name field. Therefore, select checkbox Other and enter the interface name manually (for example eth0.5).
• Specify a value for parameter Foreign IP Sufficient (page 69).

Fig. 327 Direct route configuration for Virtual LAN

Step 3 Confirm the changes
• Click the Send Changes and Activate buttons to confirm your configuration changes.

Step 4 Activate the new network configuration
• Browse to Control > Box tab.
• Click the Activate New button and choose Failsafe to activate the new network configuration.
• This action will introduce the VLAN interface and a pending direct route in the Control > Box tab (Control 2.2.8.1 Handling of Routes by the Control Daemon, page 33).

Step 5 Activate the VLAN
Depending on the intended use, introduce the VLAN's IP address either in:
• the Networks configuration area as Section Additional Local Networks (Box > Network > Networks, page 62).
• the Server configuration area as Server Address (see 3. Configuring a New Server, page 94; 3.2.1 General, page 95).
As soon as the VLAN's IP address has been introduced, the inserted direct route will be activated.

2.2.5.4 Management Access

Note:
This section is only available on CC-administered boxes. Configuration is recommended for systems that are managed over the Internet.

List 331 Management Access section Remote Management Tunnel
Enable Tunnel: Setting to yes (default: no) activates remote control options and enables the corresponding configuration parameters below.

List 331 Management Access section Remote Management Tunnel (continued)
Virtual IP (VIP): The Virtual IP (VIP) is used for management access to the Barracuda NG Firewall system. When specified, all communication between Barracuda NG Control Center (CC) and box is processed through the VIP. The VIP may as well be addressed as Box Login address by client workstations administering the systems. Therefore, the VIP must be defined uniquely and it must reside in a Box VIP Network Range (Barracuda NG Control Center 6.3.10 Global Settings - Box VIP Network Ranges, page 439).
Tunnel Details: Choose Set to set the Tunnel Details. For a description see list 333, page 67. Note: This parameter group is only available in Advanced View mode.

List 332 Management Access section Serial Console
Note:
See also 2.2.3.3 DNS, page 55.
To open the configuration dialog, click the Show button. To delete current settings, click the Clear button.
PPP Remote IP: This is the IP address connecting via the serial IP.
PPP Local IP: This is the Box Management IP. If this field is empty, the Box IP itself will be used.
Require PAP: With this option active the connecting client is required to authenticate itself to the Barracuda NG Firewall [possible users: root or support user].

Tunnel Details CC-managed box

List 333 Remote Management Access Tunnel Details section Management Tunnel Configuration (CC-managed box)
Used VPN Protocol: Choose the appropriate protocol: VPN2 (default) or legacy.
VPN Point of Entry: For establishing the remote management tunnel the box VPN client uses the Point of Entry IP as a destination IP. Thus the Point of Entry must be reachable by routing to successfully establish a remote management tunnel. In most cases the Point of Entry will be an external IP address (e.g. from an external firewall at the headquarters which redirects the VPN port to the CC server IP). Note: Keep in mind that when the remote management tunnel is established through a Proxy server, the VPN Point of Entry IP inherits the Proxy server's port information. To achieve correct mapping, a rule that translates port addresses in connection requests to the VPN Port (see below) has to be created in the forwarding firewall of the gateway presenting the VPN Point of Entry. For translation of port addresses, use action type Redirect.
VPN Port: The VPN Port defines the destination port used by the box VPN client to establish a remote management tunnel (default: 692).
Type of Proxy: This option allows configuring the server type, in case the management setup provides management tunnel establishment through a Proxy server. By default (setting: none), it is assumed that no Proxy server is used. Other Proxy server types are secure-http, socks5 and socks4.
Transport Protocol: Choose TCP or UDP for VPN transports.
Encryption Cipher: Ciphers used for encryption. Choose AES, AES-256, CAST, Blowfish, DES or 3DES.
VPN Local IP: If a special source IP is required (e.g. for policy routing purposes) the VPN local IP can be specified here. If this field is empty a source IP according to the routing table is used.
VPN Interface: Defines the interface that is to be used for VPN connections (default: tap3).
Proxy Server IP: In case the management setup provides a Proxy server, specify its IP address in this field.
Proxy Server Port: Enter the proxy server port here.
Proxy User: If using secure-http, enter a user name for authentication on the proxy here.
Proxy Password: Enter the proxy user's password here.
Target Networks: Enter the destination addresses that should be reached by the local box via the tunnel. Attention: Minimum requirement: IP address of the Barracuda NG Control Center.
Reachable IPs: To check the availability of the remote management tunnel the box periodically sends ICMP echo request packets to the configured Reachable IPs. By default the Server IP of the Barracuda NG Control Center is used as reachable IP. If the destination host does not respond, the box VPN client assumes that the remote management tunnel is broken and tries to re-establish the tunnel.

List 334 Remote Management Access Tunnel Details section Connection Monitoring
No. of ICMP Probes: Number of ICMP echo packets that are sent via the VPN tunnel (default: 2).
Waiting Period [s/probe]: Number of seconds per probe during which an answer to the ping is awaited (e.g. probes=3 and waiting period=2 results in 3x2 s waiting time; default: 1).
Run Probes Every [s]: This parameter defines the time period in seconds for ICMP probes (default: 15).
Failure Standoff [s]: If no connection is possible, this time period is waited prior to a retry (default: 45).
Alarm Period [s]: If this time limit is exceeded without establishing a connection successfully, an alarm is set off (default: 120).
Key Time Limit [Minutes]: Rekey period.
Tunnel Probing [Seconds]: Keep-alive packets sent to the remote tunnel end.
Tunnel Timeout [Seconds]: The tunnel is considered down if no answer has been received by the vpnc process after the specified time. Should be a smaller value than the one used for Tunnel Probing.


2.2.5.5 Network Routes

Section Main Routing Table
Before discussing this section in detail a short digression is required to explain the way in which routing is handled by Barracuda NG Firewall boxes.

We distinguish between two basic types of routes:
• direct routes
• gateway routes

The latter comprises all routes which utilize a next hop address. By default each introduced network (primary network and all additional networks) automatically effects a corresponding direct route.

For example, if you have configured a network 10.0.0.8/24 on interface eth0 then the corresponding route will imply that network 10.0.0.0 with mask 255.255.255.0 (and broadcast 10.0.0.255) can be reached directly via interface eth0. Furthermore the box would use address 10.0.0.8 as its source address to which replies should be sent.

We thus realize that an active direct route is fully determined by four key parameters:
• Target network
• Target netmask
• Interface
• Source address

Direct routes state how addresses in directly attached networks may be reached. Each network (BOX NETWORK and each of the optional Additional Local Networks) corresponds to exactly one direct route.

What about stand alone direct routes?
Assume you know that network 10.255.0.0/24 may also be reached directly via interface eth0 but you do not wish to introduce this network on your box.

Since you have not introduced a network the issue arises as to which source address the direct route should adopt. The operating system would automatically assign an address from an already existing network on the same interface. If several networks already exist you even have a choice of source address. The route dialog then allows you to explicitly specify the desired source. Picking the right source address may be crucial under certain circumstances, as it can be the key factor whether traffic is routed back to the box or not.

In case no network has been introduced on an interface the Linux operating system would not allow you to introduce a direct route, since no valid source address is available. One of the advanced features of Barracuda NG Firewall boxes is that you may still configure so-called pending direct routes, which will be hidden from the operating system until an appropriate source address becomes available. In the context of firewalling this would allow you to configure a routing setup, which only becomes active when the firewall is active. The advantage of this is that the box as such will never be directly accessible as a target for malicious activity.

Gateway routes now specify through which host within a directly attached network a particular remote network may be reached.

Note:
Direct routes are a necessary prerequisite for the successful introduction of gateway routes since in the first place you must be able to contact the next hop address.

We therefore realize that an active gateway route is determined by five key parameters:
• Target network
• Target netmask
• Next hop address
• Interface
• Source address

As far as its configuration is concerned only the first three parameters are mandatory, as interface and source address are inherited from the direct route leading up to the next hop or gateway address.

One of the advanced features of Barracuda NG Firewall boxes is that you may configure so-called pending gateway routes. Their next hop addresses are only reachable via a pending direct route. They will be hidden from the operating system until the underlying required direct route becomes available. Yet once configured the status of both, pending direct routes and pending gateway routes, will always be visible from the control window.

To develop a better understanding consider the following example:
Box "Sega" is a border firewall using three ethernet interfaces:
eth0: 10.0.0.8/24 internal network
eth1: 192.168.0.1/24 DMZ
eth2: external connection

Assume that the box has been assigned a single internationally valid IP address 1.2.3.4 within the provider's network 1.2.4.0/27. Its default gateway has address 1.2.3.1.

We would now configure a pending direct route into the provider's net:
1.2.3.0/27 via dev eth2
and a corresponding pending gateway route (which means the default route)
0.0.0.0/0 via 1.2.3.1

At boot time none of these would be activated. If we assign the firewall module address 1.2.3.4 as one of its addresses, both routes will be activated by the control daemon as soon as the firewall module is activated. If the firewall is blocked both routes will be deactivated again and the box is no longer accessible from the Internet.
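As an added example (not from the guide), the following Python model replays the activation logic just described: a direct route becomes active once its interface carries a usable source address (honouring the Foreign IP Sufficient option of the route dialog, list 335), and a gateway route becomes active only when its next hop lies inside an active direct route, from which it inherits interface and source address. It runs the box "Sega" scenario; the order in which a source address is picked (explicit source, then a local IP inside the target network, then any IP on the interface) is an assumption of the model.

```python
"""Added example (not from the guide): a model of how the control daemon
decides whether direct and gateway routes are active or pending."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class DirectRoute:
    target: Net                          # target network and netmask
    interface: str                       # e.g. "eth2"
    source: Optional[IPv4] = None        # explicitly chosen source (optional)
    foreign_ip_sufficient: bool = True   # "Foreign IP Sufficient" (default yes)


@dataclass(frozen=True)
class GatewayRoute:
    target: Net
    next_hop: IPv4


@dataclass(frozen=True)
class ActiveRoute:
    """Key parameters of an active route; next_hop is None for direct routes."""
    target: Net
    next_hop: Optional[IPv4]
    interface: str
    source: IPv4


def pick_source(route: DirectRoute, local_ips: Set[IPv4]) -> Optional[IPv4]:
    """Source address a direct route adopts, or None while it stays pending.

    local_ips are the addresses currently up on the route's interface. The
    selection order below is an assumption of this model: explicit source,
    then a local IP inside the target network, then (only with Foreign IP
    Sufficient) any IP on the interface.
    """
    if route.source is not None:
        return route.source if route.source in local_ips else None
    inside = sorted(ip for ip in local_ips if ip in route.target)
    if inside:
        return inside[0]
    if route.foreign_ip_sufficient and local_ips:
        return sorted(local_ips)[0]
    return None  # no valid source address: the route cannot be installed


def resolve_routes(direct: List[DirectRoute], gateway: List[GatewayRoute],
                   box_ips: Dict[str, Set[IPv4]]) -> List[ActiveRoute]:
    """Active routes for the given local IPs (interface -> addresses up)."""
    direct_active: List[ActiveRoute] = []
    for d in direct:
        src = pick_source(d, box_ips.get(d.interface, set()))
        if src is not None:
            direct_active.append(ActiveRoute(d.target, None, d.interface, src))
    gateway_active: List[ActiveRoute] = []
    for g in gateway:
        # A gateway route needs an active direct route containing its next
        # hop; interface and source address are inherited from that route.
        for d in direct_active:
            if g.next_hop in d.target:
                gateway_active.append(
                    ActiveRoute(g.target, g.next_hop, d.interface, d.source))
                break
    return direct_active + gateway_active


# Box "Sega" from the text: eth0 internal, eth1 DMZ, eth2 external.
SEGA_DIRECT = [
    DirectRoute(Net("10.0.0.0/24"), "eth0"),
    DirectRoute(Net("192.168.0.0/24"), "eth1"),
    DirectRoute(Net("1.2.3.0/27"), "eth2"),   # pending direct route
]
SEGA_GATEWAY = [GatewayRoute(Net("0.0.0.0/0"), IPv4("1.2.3.1"))]  # pending default


def sega_routes(firewall_active: bool) -> List[ActiveRoute]:
    """Routes before/after the firewall module brings up 1.2.3.4 on eth2."""
    ips = {"eth0": {IPv4("10.0.0.8")}, "eth1": {IPv4("192.168.0.1")}}
    if firewall_active:
        ips["eth2"] = {IPv4("1.2.3.4")}
    return resolve_routes(SEGA_DIRECT, SEGA_GATEWAY, ips)


def default_route(routes: List[ActiveRoute]) -> Optional[ActiveRoute]:
    """The active default route (0.0.0.0/0), or None while it is pending."""
    return next((r for r in routes if r.target == Net("0.0.0.0/0")), None)


if __name__ == "__main__":
    for state in (False, True):
        print(f"firewall module active: {state}")
        for r in sega_routes(state):
            hop = f"via {r.next_hop}" if r.next_hop else "via dev"
            print(f"  {r.target} {hop} {r.interface} src {r.source}")
```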


To open the configuration dialog, click the Insert button.

Fig. 328 Main Routing configuration

List 335 Network section Main Routing Table
Target Network Address: Network base address and netmask of the target network.
Route Type: Type of route. Set to direct for a direct route. For a gateway route choose gateway. For usage of multiple gateways choose multipath. If using multipath, further values under Multipath Gateway (see below) must be set.
Gateway: This field is only available with route type gateway and contains the address of the next hop or gateway. The gateway must be reachable by a direct route. This means the gateway address must be within the bounds of one of the target networks of the box direct routes. Note: The control daemon will disable the route for as long as the gateway is not reachable.
Multipath Gateway: This field is only available with route type multipath.
  Multipath Gateway: Next hop IP address of the multipath route.
  Weight Number: Weight number of path (valid range from 0 to 10). Lower preference number means higher preference.
  Assigned Source IP: Source address of traffic associated with the given multipath gateway.
  Note: If one of the gateways is no longer available, the metric is shifted automatically. For further information and configuration examples with route type multipath see Firewall 2.2.6.2 Barracuda NG Firewall Multipath Routing, page 155.
Packet Load Balancing: Set to yes to activate packet based load balancing over multiple next hops.
Foreign IP Sufficient: Set to yes (default) to bring up a pending route when any IP becomes available on the interface, even if it does not belong to the target network. Set to no to activate a pending direct route only if a local IP belonging to the target network is or becomes available. Note: The control daemon will always try to select the best match by definition.
Interface Name: You need to specify an existing interface (list 329, page 63). When having VLANs, it is mandatory to add the VLAN ID (for example eth0.5; 2.2.5.3 Virtual LANs, page 65).
Source Address: Optional entry allowing you to specify the used source address manually. This address must have been configured in one of the preceding two sections.
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). Only available with Route Type direct. The interface can be classified as one of the following: unspec (default), internal, dmz, external.
Route Preference Number: Direct routes do not generally need to be equipped with preference numbers. An exception worth mentioning can be regarded as given if several routes to the same target network exist. Preference numbers may then be assigned to each direct route. Flag the preferred route with a lower preference number. In case the gateway becomes unreachable the route with the higher preference number will be used as a backup option.
MTU: Here the MTU (Maximum Transmission Unit) can be set. Packets over this value are sent fragmented. Note: MTUs may also be set for NICs (2.2.5.2 Interfaces, page 63), virtual LANs (list 330, page 65), box network (2.2.5.1 Networks, page 61) and additional local networks (Section Additional Local Networks, page 62). The rule of thumb is that the maximum accepted MTU of the next hop will be used.
Advertise Route: If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
Reachable IPs: Note: This parameter is only available in Advanced View mode. Insert the IP addresses of hosts into this field that should be reachable via this route.
Re-Reachable Command: Note: This parameter is only available in Advanced View mode. Insert commands into this field that should be run when formerly unreachable IPs become accessible again.
Unreachable Command: Note: This parameter is only available in Advanced View mode. Here insert commands that should be run when neither gateway nor IP addresses that have been defined as Reachable IPs (see above) are accessible.

Section Policy Based Routing
As stated at the end of the preceding section, policy routing is a way to implement more complex routing scenarios. The implementation provided by your Barracuda NG Firewall system only uses a subset of the functional scope of policy routing. We base the decision as to whether or not a certain routing table is consulted solely on the source address used to establish a connection.

Since the firewall configuration (on a per rule basis) allows you to specify the address with which an allowed connection is established, policy routing represents an extremely powerful instrument to manage firewalling in topologically complex environments. Virtual private networks (VPN) and IP tunnels in general will routinely need to make use of some sort of policy routing.

Policy routing is all about rules and routing tables. A rule assigns an IP address range (source addresses) to a named routing table. Rules are organized in an ordered list, which means each rule is associated with a preference number. A routing decision by the operating system now involves a walk through the rule set, starting from the rule with the lowest preference number, until a match based on source address is attained. In this case the routing table the rule points to is consulted. If a matching route to the destination address is found in the particular table it will be applied. Otherwise the remaining rules are consulted until a match is found or there are no more rules. In the latter case the destination is said to be unreachable.


When introducing a new policy routing section you create a table and at least one rule at the very same time. More precisely, the name of the table you create is the name of the section; for every source (IP/mask pair) you specify you will create a rule (all with the same preference) pointing to this table.

On every Barracuda NG Firewall system at least the following routing rules are always present:

Table 38 Routing rules
Rule   Source      Table
0      0.0.0.0/0   local
1      VIP         vpn2mc
2      VIP         vpn2inet (prohibit)
3      0.0.0.0/0   vpnlocal
10000  0.0.0.0/0   main
32767  0.0.0.0/0   default

Table local will contain all routing information related to local addresses, directly attached networks (direct routes), and broadcast addresses. All routes introduced under Section Main Routing Table wind up in table main unless their target network is 0.0.0.0/0, in which case they are placed into table default.

Table vpn2mc is defined but empty unless the box becomes available via a VPN tunnel.

Table vpn2inet is used for blocking additional route lookup.

Consequently, it will usually make a marked difference whether a rule is inserted before or after the one pointing to table main (preference 10000). We thus have made provisions to specify on a per table basis whether the table is inserted before or after table main.

List 336 Network Routes - Policy Routing section Policy Source Matching
Source Networks: Array of source networks or single hosts for which this policy routing table is looked up. IP/mask notation is expected. For a single host, you must supply 0 as its netmask (Getting Started 5. Inverted CIDR Notation, page 25).
Table Placement: Governs placement of the table. You may choose between the default option postmain and the advanced option premain. Only seldom should you need to introduce a table positioned before the main table. You would use this option if you wish to create exceptions from the general routing framework (gateway routes) of table main for certain source addresses. Note: Direct routes refer to routes to directly attached networks. Direct routes based on tunnel interfaces will clearly not fall into this category. In any case, direct routes automatically go into table local, thus being omnipresent. A postmain placement makes sense if you wish to implement an alternative default route for certain source addresses. In the majority of all cases you will probably want to use postmain.

List 337 Network Routes - Policy Routing section Policy Table Contents
Routes: Note: This parameter is only available in Advanced View mode. Subsection containing the routing content of this table. Barracuda NG Firewall supports gateway routes only, since direct routes are already contained in table main. In appearance the corresponding dialog is essentially the same as the one for gateway routes within list 335, page 69, with all direct route specific options removed. The parameter Route Type contains the additional entry throw. This route type is special as a match is not treated as a termination of the route lookup. Instead only the route lookup in the current table is terminated and the lookup continues with the remainder of the structure.
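As an added example (not the guide's code), here is a Python model of the lookup described in this section: the always-present rules for local, main and default, automatic preference numbering (counting down from 9999 for premain, up from 10001 for postmain), the check that source networks of different sections do not overlap, and throw routes that end only the current table's lookup. The VIP/VPN preset rules of Table 38 are left out of the model, and all addresses in the sample box are constructed.

```python
"""Added example (not from the guide): source-based policy routing lookup."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    target: Net
    kind: str                        # "direct", "gateway" or "throw"
    next_hop: Optional[IPv4] = None  # gateway routes only


@dataclass(frozen=True)
class Rule:
    preference: int   # lower numbers are consulted first
    source: Net       # source addresses the rule applies to
    table: str        # routing table the rule points to


def lookup_table(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match inside one routing table (None if nothing matches)."""
    hits = [r for r in table if dst in r.target]
    return max(hits, key=lambda r: r.target.prefixlen) if hits else None


class PolicyRouting:
    """Rule set with the always-present tables local, main and default
    (the VIP/VPN preset rules of Table 38 are left out of this model)."""

    def __init__(self) -> None:
        self.rules = [Rule(0, ANY, "local"), Rule(10000, ANY, "main"),
                      Rule(32767, ANY, "default")]
        self.tables: Dict[str, List[Route]] = {"local": [], "main": [], "default": []}
        self._next_premain = 9999     # assigned downwards, as in the text
        self._next_postmain = 10001   # assigned upwards

    def add_main_route(self, route: Route) -> None:
        """Main Routing Table entry: direct -> local, 0.0.0.0/0 -> default, else main."""
        if route.kind == "direct":
            self.tables["local"].append(route)
        elif route.target == ANY:
            self.tables["default"].append(route)
        else:
            self.tables["main"].append(route)

    def add_section(self, name: str, sources: List[Net], placement: str,
                    routes: List[Route]) -> int:
        """Create one policy table plus one rule per source; return the preference."""
        for r in self.rules:  # the one thing the administrator must check
            if r.table not in ("local", "main", "default") and any(
                    s.overlaps(r.source) for s in sources):
                raise ValueError(f"source overlap between {name} and {r.table}")
        if placement == "premain":
            pref, self._next_premain = self._next_premain, self._next_premain - 1
        elif placement == "postmain":
            pref, self._next_postmain = self._next_postmain, self._next_postmain + 1
        else:
            raise ValueError("placement must be premain or postmain")
        self.rules.extend(Rule(pref, s, name) for s in sources)
        self.tables[name] = list(routes)
        return pref

    def lookup(self, src: IPv4, dst: IPv4) -> Tuple[str, Optional[Route]]:
        """Walk the rules by preference; return (table, route) or ("unreachable", None)."""
        for rule in sorted(self.rules, key=lambda r: r.preference):
            if src not in rule.source:
                continue
            route = lookup_table(self.tables[rule.table], dst)
            if route is None or route.kind == "throw":
                continue  # throw ends only this table's lookup; the walk goes on
            return rule.table, route
        return "unreachable", None


def build_example() -> PolicyRouting:
    """Constructed sample box: three nets on eth0, a default gateway, a premain
    exception table for 10.0.2.0/24 and a postmain alternative default route."""
    pr = PolicyRouting()
    for net in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"):
        pr.add_main_route(Route(Net(net), "direct"))
    pr.add_main_route(Route(Net("172.16.0.0/16"), "gateway", IPv4("10.0.0.1")))
    pr.add_main_route(Route(ANY, "gateway", IPv4("203.0.113.1")))
    # premain: 10.0.2.0/24 reaches 172.16/16 via its own hop, except 172.16.99/24,
    # where the throw route hands the lookup back to table main.
    pr.add_section("special", [Net("10.0.2.0/24")], "premain", [
        Route(Net("172.16.0.0/16"), "gateway", IPv4("10.0.2.254")),
        Route(Net("172.16.99.0/24"), "throw"),
    ])
    # postmain: alternative default route, consulted for 10.0.1.0/24 only
    pr.add_section("dsl", [Net("10.0.1.0/24")], "postmain",
                   [Route(ANY, "gateway", IPv4("198.51.100.1"))])
    return pr
```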

Thus the administrator will not need to worry about preference numbers, which are automatically generated in descending order from 9999 for premain placement or in ascending order from 10001 for postmain placement, respectively.

The one thing the administrator must worry about is that there is no overlap between source addresses belonging to different rules and therefore tables.

To open the configuration dialog, click the Insert button.

Fig. 329 Policy Routing configuration

2.2.5.6 xDSL/ISDN/DHCP

Fig. 330 xDSL/ISDN/DHCP configuration

Section xDSL Setup

The configuration allows for the integration of up to four asymmetric digital subscriber lines (xDSL). xDSL (in its many variants ADSL, SDSL, ...) has become popular as a low cost, medium performance alternative to leased lines. Standard Linux implementations rely on the use of a combination of PPP (point-to-point protocol) and PPTP (point-to-point tunnelling protocol) or PPPoE (point-to-point protocol over ethernet). In order to bring up the xDSL link you have to identify yourself to the xDSL provider by supplying a special username and password combination.

xDSL links are special as they involve a dynamic component. The IP address assigned to you by your xDSL provider will change every time the link is brought up. Consequently, an xDSL link to the internet would not be convenient to grant others access to parts of your network.

Note:
Alternatively, you might try to coax your provider into assigning you your own fixed IP address.

Moreover, telecom providers are known to be in the habit of disconnecting your xDSL modem from the network after a given period of time.

For this reason, the xDSL link management automatically introduces and deactivates routes, rules, and tables required by the xDSL link. It continuously monitors the link status and the reachability of certain configurable addresses. If required the link will be brought down and subsequently re-established. This ensures that if there is a way to have the link up it will be up.

By selecting yes for the entry xDSL Enabled the other configuration areas for xDSL connections will be activated.

The entry Standby Mode allows combining HA setups to achieve highly available xDSL connections. Setting this parameter to yes implements two different working steps:
• The involved routes are set to pending state, and it is not checked whether they are established.
• The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start:
  /etc/phion/dynconf/network/openxdsl start <name>
  connection stop:
  /etc/phion/dynconf/network/openxdsl stop <name>
  This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is to be deactivated, the connection is stopped automatically. By doing so, it is possible to implement HA setups with broadband links.

Attention:
To avoid routing conflicts in multi-provider environments, be aware that every provider usually assigns the same gateway to a dynamically assigned IP address. Do not configure multiple xDSL links managed by the same provider, unless you are sure that the assigned addresses stem from distinctive IP pools and use clearly distinguishable gateways.

To open the configuration dialog, set xDSL Enabled to yes

List 338 Network - xDSL configuration section Link Properties
Link Active: If set to yes the link is taken into account for link management, otherwise it is ignored.
Standby Mode: If set to no (default) the link is supposed to be activated and monitored as a consequence of a network activation. If set to yes, its activation and subsequent monitoring needs to be triggered externally. Note that for a PPP multi-link bundle the setting of the respective primary link is adopted for all links.
Enable PPP Multilink: Note: This parameter is only available in Advanced View mode. If set to yes the two entries below are activated and the link will become part of a PPP multilink bundle (note that the ISP providing the links needs to explicitly support this feature).
Primary Link: Note: This parameter is only available in Advanced View mode. Selects the primary link of a PPP multilink bundle. A link becomes primary when its own name is selected here.
Endpoint Descriptor: Optional entry that may be used to describe the local system in a unique fashion. It sets the endpoint discriminator sent by the local machine to the peer during multilink negotiation to this value. The default is to use the MAC address of the first ethernet interface on the system, if any, otherwise the IPv4 address corresponding to the host-name, if any, provided it is not in the multicast or locally-assigned IP address ranges, or the localhost address. The endpoint discriminator can be the string null or of the form type:value, where type is a decimal number or one of the strings local, IP, MAC, magic, or phone. The value is an IP address in dotted-decimal notation for the IP type, or a string of bytes in hexadecimal, separated by periods or colons, for the other types. For the MAC type, the value may also be the name of an ethernet or similar network.
Synchronous PPP: If set to yes, PPP and the transport protocol daemons as determined by the parameter below will initiate a connection in synchronous mode. This is usually of higher performance but requires appropriate support by the opposite server end.
Connection Type: Specifies the transport protocol for the PPP protocol. Note that in case of PPP multilink bundles all links must use the same connection types.

List 339 Network - xDSL configuration section PPTP Connection Details
Modem IP: Address of the xDSL modem or PPTP server to which a PPTP connection is supposed to be established.
Local IP Selection: This parameter offers the following options:
  Static: Static is the standard option, where the local address is specified.
  DHCP: DHCP is the old "get address from DHCP" option.
  Dynamic: Dynamic means that the device will pick the one address that is provided by routing to reach the PPTP server. This address is then reported to the firewall engine for GRE registration.
Required DHCP Link: This field is only active with Local IP via DHCP set to yes. Name of the DHCP section this xDSL link relies upon for providing a routing path to the configured Modem IP address.
Local IP: Only needed with PPT P selected. Determines the Local IP address, which is used to establish a connection with the Modem IP address. The local address must be an already configured local IP address. The specified
and then click the Insert button. address is used for local GRE protocol registration with
the local firewall.
List 338 Network - xDSL configuration section Link Properties Note:
This option and the Local IP via DHCP option are
Parameter Description mutually exclusive.
Name This is the name of the xDSL link.
Note:
Only ciphers and characters from the Latin character
set excluding special characters are allowed in the link
name


Gateway to Modem IP
    Optional entry that may be used to handle scenarios where the xDSL modem or PPTP server is not directly attached to the gateway. Note that this option and the Local IP via DHCP option are mutually exclusive.
    Note: A gateway route will automatically be created for PPTP.

Max MTU/MRU Size
    Default: 1492. Possible values range from 60 to 1492.

List 340 Network - xDSL configuration section PPPOE Connection Details

Modem Interface
    Name of the ethernet interface to which the xDSL modem or PPPOE server is attached. In the latter case use of a crossover cable is required.

Max. Segment Size
    Specifies the maximum segment size for the encapsulated traffic. The default value is 1412 bytes.

List 341 Network - xDSL configuration section Authentication

Authentication Method
    Select the method for authentication here. Authentication protocols can be set to PAP (default), CHAP, PAP_or_CHAP or NONE.

User Access ID
    Principal account name (PPP user name) assigned to you by your provider.

User Access Sub-ID
    PPPOE-only option. Some providers (for example Deutsche Telekom) assign this sub-ID, which is separated from the User Access ID by a hash sign '#'. Note that the hash sign must not be typed in.

Access Password
    PPP password assigned to you by your ISP.

Provider Name
    PPPOE-only option. Some providers assign user access IDs which contain a provider name separated from the actual User Access ID (and optional Sub-ID) by an '@' symbol. Note that the '@' must not be typed in. It will be generated automatically (for example username#subid@provider).

Access Concentrator
    PPPOE-only option. The name of the Access Concentrator (PPPoE server) entered here has to be specified by the provider. This is an optional value. Use only if required.

Service Name
    Set to yes if you wish to use the DNS server(s) assigned by your provider.

Use Provider DNS
    Set to yes (default: no) if you wish to use the DNS server(s) assigned by your provider.

Use Dynamic DNS
    Setting to yes (default: no) activates Dynamic DNS and enables Dynamic DNS Params configuration.
    Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate as the address needs to change once a month.

Dynamic DNS Params
    Click the Set button to access the Dynamic DNS Params configuration section:
        Service Type
            DynamicDNS (default), StaticDNS or CustomDNS. For additional information about available DynDNS Service Types visit http://www.dyndns.com/services/
        Dyndns Name
            Here the dyndns name that was registered at dyndns.org has to be entered.
        Secure Update
            This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
        User Access ID
            User ID for accessing the server as defined during registration at dyndns.org.
        Access Password
            Password for accessing the server as defined during registration at dyndns.org.
        Wildcard Support
            Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the sub-domain, the IP address pointed to is the same).
        MX Record
            This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
        Backup MX
            Setting this parameter to yes makes the configured MX Record work as a backup mail server; the registered Dyndns Name will be used as primary mail server. Setting the parameter to no means that only the MX Record is used.
            Note: It is not recommended to use the MX parameters offered. If you nevertheless do so, then please consult www.dyndns.org for detailed information.
        Retry Time [mins]
            Standoff time in minutes until a new update attempt is started if the preceding one has failed.

List 342 Network - xDSL configuration section Routing

Note: For PPP multilink bundles the routing settings of the primary link are adopted for the bundled link. Routing settings of other non-primary link members are tacitly ignored.

Own Routing Table
    Note: This parameter is only available in Advanced View mode.
    If set to no (default) routes will only be inserted into tables main or default. If set to yes policy routing will be used. With policy routing activated a new table named adslN (where N is the positional index of the section in the list of xDSL sections) is introduced to the main routing table. Routes are inserted into this table only, unless Clone Routes (see below) is set to yes. All routes involving the xDSL link make use of this policy routing table.
    Note: If this parameter is set to yes, the only available Monitoring Method will be LCP.

Use Assigned IP
    Note: This parameter is only available in Advanced View mode.
    When set to yes the IP address dynamically assigned by your Internet provider is used as source network for policy routing. Initially, until the ISP has successfully assigned an address, the rule will have 0.0.0.0 as a source address. The field is only active when Own Routing Table is used.

Source Networks
    Note: This parameter is only available in Advanced View mode.
    Array of source networks or single hosts that will point to the policy routing table adslN. IP/mask notation is expected. For a single host supply "0" as its netmask (Getting Started 5. Inverted CIDR Notation, page 25).

Create Default Route
    If set to yes (default: no) the default route assigned by the provider is automatically introduced.
    Attention: When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.

Target Networks
    Target networks that are supposed to be reachable through this link.

Advertise Route
    If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.


Interface Realm
    This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal, dmz, external (default).

Route Preference Number
    Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your xDSL uplink as a backup connection (provider-failover) to the internet, for example.

Clone Routes
    Note: This parameter is only available in Advanced View mode.
    If set to yes all routes will be cloned from the table adslN to tables main or default (depending on the route target). This parameter is aimed at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).

GRE with Assigned IP
    Note: This parameter is only available in Advanced View mode.
    Set this parameter to yes to register the assigned IP for IP protocol 47.

List 343 Network - xDSL configuration section Connection Monitoring

For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links, page 78.

Section DHCP Client Setup

The configuration allows the integration of a single cable connection (broadband or general assignment of addresses via a DHCP server). Cable connections are a very popular medium performance alternative to leased lines.

Cable connections are special in so far as they involve a dynamic component. The IP address is assigned via DHCP and will change from time to time. The Barracuda Networks implementation will only accept IP and gateway addresses from the DHCP server. All other assigned parameters or any static routes are silently dropped.

Since certain pieces of information are unknown at configuration time, the system only asks for the interface that will serve for link establishment and for some routing information. The associated Barracuda Networks cable link management will automatically monitor the link and introduce routes, rules, and tables as soon as the missing information becomes available or changes. The system continuously monitors the link status and the reachability of a set of user-defined addresses. If required the link will be brought down and up again. This ensures that if there is a way to have the link up, it will be up.

By selecting yes for the entry DHCP Enabled the configuration areas for DHCP connections are activated.

The entry Standby Mode allows having highly available DHCP/cable connections. Setting this parameter to yes implements two different working steps:

- The affected routes are set to pending state and it is not checked whether they are established.
- The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start: /etc/phion/dynconf/network/dhcprestart
  connection stop: /etc/phion/bin/wipecable

This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is shut down the connection is stopped automatically.

To open the configuration dialog, set DHCP Enabled to yes and then click the Insert button.

List 344 Networks - DHCP configuration

Name
    This is the name of the DHCP link.
    Note: Only digits and letters from the Latin character set, excluding special characters, are allowed in the link name.

Link Active
    If set to yes the link is taken into account for link management, otherwise it is ignored.

Standby Mode
    If set to no (default) the link is supposed to be activated and monitored as a consequence of a network activation. If set to yes, its activation and subsequent monitoring needs to be triggered externally.

DHCP Connect Timeout
    Timeout [s] for connection attempts from configured DHCP links to unreachable interfaces or networks.

List 345 Networks - DHCP configuration section Connection Details

DHCP Interface
    Name of the ethernet interface connected to the cable modem. This interface is reserved for exclusive use by the cable link. No further IP addresses or networks may reside on it. The interface is renamed to dhcp and will accordingly be displayed in the control window.

devmtu
    MTU setting of the selected DHCP interface.

List 346 Networks - DHCP configuration section DNS

Use Provider DNS
    Set to yes (default: no) if you wish to use the DNS server(s) assigned by your provider.

Use Dynamic DNS
    Setting to yes (default: no) activates Dynamic DNS and enables Dynamic DNS Params configuration.
    Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate as the address needs to change once a month.

Dynamic DNS Params
    This button provides the following parameters:
        Dyndns Name
            Here the dyndns name that was registered at dyndns.org has to be entered.
        Secure Update
            This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
        User Access ID
            User ID for accessing the server as defined during registration at dyndns.org.
        Access Password
            Password for accessing the server as defined during registration at dyndns.org.
        Wildcard Support
            Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the sub-domain, the IP address pointed to is the same).
        MX Record
            This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.


        Backup MX
            Setting this parameter to yes makes the configured MX Record work as a backup mail server; the registered Dyndns Name will be used as primary mail server. Setting the parameter to no means that only the MX Record is used.
            Note: It is not recommended to use the MX parameters offered. If you nevertheless do so, then please consult www.dyndns.org for detailed information.
        Retry Time [mins]
            Standoff time in minutes until a new update attempt is started if the preceding one has failed.

List 347 Networks - DHCP configuration section Routing

Own Routing Table
    Note: This parameter is only available in Advanced View mode.
    If set to yes policy routing will be activated. In the current context this means that a new table named dhcp is introduced after the main routing table. All routes involving the cable link (via interface dhcp) use these policy routes.
    Note: If this parameter is set to yes, the only available Monitoring Method will be LCP.

Use Assigned IP
    Note: This parameter is only available in Advanced View mode.
    When set to yes the IP address dynamically assigned by your Internet provider is used as source network for policy routing. Initially, until the ISP has successfully assigned an address, the rule will have 0.0.0.0 as a source address. The field is only active when Own Routing Table is used.

Source Networks
    Note: This parameter is only available in Advanced View mode.
    Array of source networks or single hosts which point to the policy routing table dhcp. IP/mask notation is expected. For a single host supply "0" as its netmask (Getting Started 5. Inverted CIDR Notation, page 25).

Create Default Route
    If set to yes (default) the default route assigned by the provider is automatically introduced.
    Attention: When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.

Target Networks
    Target networks that are supposed to be reachable through this link.

Advertise Route
    If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.

Interface Realm
    This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal, dmz, external (default).

Route Preference Number
    Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your low-cost cable uplink as a backup connection (provider-failover) to the internet, for example.

Clone Routes
    Note: This parameter is only available in Advanced View mode.
    If set to yes all routes will be cloned from the table dhcp to tables main or default (depending on the route target). This parameter is aimed at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).

GRE with Assigned IP
    Note: This parameter is only available in Advanced View mode.
    Set this parameter to yes to register the assigned IP for IP protocol 47.

List 348 Networks - DHCP configuration section Connection Monitoring

For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links, page 78.

Section ISDN Setup

With this section it is possible to integrate an ISDN connection.

By selecting yes for the entry ISDN Enabled the configuration areas for ISDN connections are activated.

The entry ISDN on Standby allows having highly available ISDN connections. Setting this parameter to yes implements two different working steps:

- The affected routes are set to pending state. It is not checked whether they are established.
- The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start: /etc/phion/dynconf/network/isdnrestart
  connection stop: /etc/phion/bin/wipeisdn

This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is shut down the connection is stopped automatically.

To open the configuration dialog, click the ISDN Settings > Set button.

List 349 Networks - ISDN configuration section Connection Details

Provider Phone Number
    Insert the phone number here that has been assigned to you by your provider for connection establishment.

Dial Out Prefix
    If needed, insert a dial out prefix here (optional).

ISDN MSN
    Compared to a normal telephone connection an ISDN connection can have more than one phone number; each of these numbers is called MSN (Multiple Subscriber Number). If your provider has supplied you with an MSN, fill it into this field.

ISDN Modem Card
    Select the name of the ISDN card you are using.
    Note: Please contact Barracuda Networks if you are using an unsupported ISDN card which is not in the list.

Encapsulation Mode
    The following modes are available:
    SyncPPP (default) - bit oriented transfer protocol
    RawIP - no PPP; IP addresses are to be specified manually (attention: static)


Dial Mode
    Dialling can be handled in two ways:
    Dial-On-Demand
        The ISDN subsystem connects itself to the provider only when there is traffic on the line. The connection is detached after an adjustable Idle Hangup Time. The advantage of automatic dialling is that on leased lines it may save money. The disadvantage on the other hand is that users connecting to systems externally (system administrators for example) cannot rely on the line being up all the time.
        Note: Do not use Dial-On-Demand mode on boxes managed by a Barracuda NG Control Center. Box management requires the link to be up incessantly.
    Always-On
        The connection is initiated at startup of the box and is kept open all the time.

Idle Hangup Time
    When the Dial Mode is set to Dial-On-Demand, this field is used to specify after how many seconds the line will be disconnected when being idle.

Use Channel Bonding
    If set to yes (default: no) the ISDN subsystem will open a second ISDN channel to the provider when the first line is saturated, therefore doubling the bandwidth. After some time, when the traffic falls below a certain rate, the second line will be closed again.
    Note: Your provider has to support channel bonding (=mppp).

Channel Bonding Settings
    Use this section to adjust the way in which on-demand bandwidth allocation works.
    Transfer Rate Limit [Bytes/s]
        Rate limit for bringing up the slave channel (and, depending on the Slave Channel Policy, for bringing it down again). See Slave Channel Policy for bringing down the slave. Values range from 4000 Bytes/s to 7999 Bytes/s.
    Slave Channel Policy
        Stay-up policy for the slave channel; choose between Stay Only Up While Transfer Limit Exceeded and Stay Permanently Up Till Hangup Timeout Reached.
    Minimum Slave Uptime [s]
        Minimum time the slave channel, once brought up, will unconditionally stay up. Values range from 1 s to 3600 s.

Dial Allowed From / Dial Allowed Until
    Use these lists to specify a time interval within which an ISDN dial-in is permissible. One interval valid for all days of the week may be specified. Temporal granularity is limited to 30 minutes.

Dynamic Address Assignment
    When set to yes (default) the IP address/mask pair and the gateway address will be provided by the ISP dynamically. In case you are equipped with static addresses, set the value to no and fill in a Static IP/Mask and Static Gateway IP below.

Static IP/Mask
    If available define a static IP address/mask here.

Static Gateway IP
    If a static IP/Mask is used define the gateway IP address here.

List 350 Networks - ISDN configuration section Compression

In general you can leave all compression settings off, which is the default. The ippp daemon will negotiate these settings in accordance with the PPP partner's capabilities anyway.

VJ TCP Header
    Negotiation of Van Jacobson style TCP/IP header compression.

VJ Connection-ID
    When set to off the connection-ID compression in Van Jacobson style TCP/IP header compression is disabled. ipppd will neither omit the connection-ID byte from Van Jacobson compressed TCP/IP headers, nor ask the peer to do so.

Address Control
    Address/Control compression.

Protocol Field
    Protocol field compression.

BSD
    BSD-Compress scheme.

CCP Control Protocol
    Point to point compression protocol. Built upon the LCP protocol (Link Control Protocol).

List 351 Networks - ISDN configuration section Authentication

User Access ID
    Insert the user ID here that has been assigned to you by your ISP.

User Access Sub-ID
    Insert an optional SUB-ID here if it has been assigned to you by your ISP. The User SUB-ID complements the User Access ID, separated from it by a hash (#). Insert the SUB-ID without the hash as it will automatically be prefixed to it.

Access Password
    Insert the password here that has been assigned to you by your ISP.

Provider Name
    If required insert the name of your ISP here, which is supposed to be appended to your User Access ID.

Authentication Method
    Select the method for authentication here. Authentication protocols can be set to NONE, PAP, CHAP or PAP_or_CHAP.

Use Provider DNS
    Set to yes (default: no) if you wish to use the DNS server(s) assigned by your provider.

Use Dynamic DNS
    Setting to yes (default: no) activates Dynamic DNS and enables Dynamic DNS Params configuration.
    Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate as the address needs to change once a month.

Dynamic DNS Params
    Click the Set button to access the Dynamic DNS Params configuration section:
        Service Type
            DynamicDNS (default), StaticDNS or CustomDNS. For additional information about available DynDNS Service Types visit http://www.dyndns.com/services/
        Dyndns Name
            Here the dyndns name that was registered at dyndns.org has to be entered.
        Secure Update
            This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
        User Access ID
            User ID for accessing the server as defined during registration at dyndns.org.
        Access Password
            Password for accessing the server as defined during registration at dyndns.org.
        Wildcard Support
            Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the sub-domain, the IP address pointed to is the same).
        MX Record
            This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
        Backup MX
            Setting this parameter to yes makes the configured MX Record work as a backup mail server; the registered Dyndns Name will be used as primary mail server. Setting the parameter to no means that only the MX Record is used.
            Note: It is not recommended to use the MX parameters offered. If you nevertheless do so, then please consult www.dyndns.org for detailed information.
        Retry Time [mins]
            Standoff time in minutes until a new update attempt is started if the preceding one has failed.
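The Channel Bonding Settings above (Transfer Rate Limit, Slave Channel Policy, Minimum Slave Uptime) together with the Idle Hangup Time of Dial-On-Demand mode describe a small state machine for the second B channel. The Python model below is an added example, not part of the guide or of Barracuda's software; it applies only the documented rules, assumes one transfer-rate sample per second, and lets the two Slave Channel Policy values be compared on the same constructed traffic profile.

```python
"""Added example, not Barracuda's code: a model of the ISDN channel bonding
decisions described by Transfer Rate Limit, Slave Channel Policy, Minimum
Slave Uptime and Idle Hangup Time.  How ipppd/the isdn subsystem really
samples traffic is not stated in the guide; only the documented rules are
modelled here, with one rate sample per second (an assumption)."""
from enum import Enum
from typing import List, Optional, Tuple


class SlavePolicy(Enum):
    # The two values offered for "Slave Channel Policy".
    ONLY_WHILE_LIMIT_EXCEEDED = "Stay Only Up While Transfer Limit Exceeded"
    PERMANENT_TILL_HANGUP = "Stay Permanently Up Till Hangup Timeout Reached"


class BondingSettings:
    def __init__(self, transfer_rate_limit: int, slave_policy: SlavePolicy,
                 min_slave_uptime: int, idle_hangup_time: int) -> None:
        # Reject values the configuration dialog would not accept.
        if not 4000 <= transfer_rate_limit <= 7999:
            raise ValueError("Transfer Rate Limit must be 4000..7999 Bytes/s")
        if not 1 <= min_slave_uptime <= 3600:
            raise ValueError("Minimum Slave Uptime must be 1..3600 s")
        if idle_hangup_time < 1:
            raise ValueError("Idle Hangup Time must be at least 1 s")
        self.transfer_rate_limit = transfer_rate_limit   # Bytes/s
        self.slave_policy = slave_policy
        self.min_slave_uptime = min_slave_uptime         # seconds
        self.idle_hangup_time = idle_hangup_time         # seconds (Dial-On-Demand)


class BondingSimulator:
    """Feed one transfer-rate sample per second; tracks both channels."""

    def __init__(self, settings: BondingSettings) -> None:
        self.s = settings
        self.link_up = True                  # primary (dialled) channel
        self.slave_up = False                # second B channel
        self.slave_up_since: Optional[int] = None
        self.idle_since: Optional[int] = None
        self.events: List[Tuple[int, str]] = []

    def step(self, t: int, rate: int) -> bool:
        """Apply the rate (Bytes/s) observed at second t; return slave state."""
        if not self.link_up:
            return False
        # Dial-On-Demand: after Idle Hangup Time seconds without traffic the
        # whole connection is dropped, which also ends a permanent slave.
        if rate == 0:
            if self.idle_since is None:
                self.idle_since = t
            elif t - self.idle_since >= self.s.idle_hangup_time:
                self.link_up = self.slave_up = False
                self.events.append((t, "idle hangup: link and slave down"))
                return False
        else:
            self.idle_since = None

        if not self.slave_up:
            # First line saturated: open the slave channel.
            if rate > self.s.transfer_rate_limit:
                self.slave_up, self.slave_up_since = True, t
                self.events.append((t, "slave up, rate %d > limit" % rate))
            return self.slave_up

        # Slave is up and stays unconditionally for Minimum Slave Uptime.
        if t - self.slave_up_since < self.s.min_slave_uptime:
            return True
        if (self.s.slave_policy is SlavePolicy.ONLY_WHILE_LIMIT_EXCEEDED
                and rate <= self.s.transfer_rate_limit):
            self.slave_up, self.slave_up_since = False, None
            self.events.append((t, "slave down, rate %d <= limit" % rate))
        # PERMANENT_TILL_HANGUP: nothing to do here, only the hangup ends it.
        return self.slave_up


def run_profile(settings: BondingSettings, rates: List[int]) -> List[bool]:
    """Slave state after each one-second sample of a constructed rate profile."""
    sim = BondingSimulator(settings)
    return [sim.step(t, r) for t, r in enumerate(rates)]


if __name__ == "__main__":
    # Constructed profile: a burst above the limit, a quiet spell, a second
    # burst and then silence long enough to trigger the idle hangup.
    profile = [7000, 7000, 5000, 5000, 5000, 7000, 0, 0, 0]
    for policy in SlavePolicy:
        cfg = BondingSettings(6000, policy, 3, 2)
        print(policy.value, run_profile(cfg, profile))
```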


List 352 Networks - ISDN configuration section Routing

Normally routing is configured by the ISDN subsystem itself. You'll only need to supply the Target Networks. If your default route should be set dynamically when the ISDN connection is established, then you can add the entry 0.0.0.0/0 into the Target Networks field. Setting an own routing table is useful when you want to route single IP addresses or networks over the ISDN interface. The dialog Route Preference Number lets you configure backup routes that can be activated when another connection type (for example xDSL, DHCP) fails.

Own Routing Table
    Note: This parameter is only available in Advanced View mode.
    Specify the networks which should be routed by the ISDN interface. Set this value to yes to use own routing tables and subsequently define Source Networks below. If set to no all traffic to the target networks will be routed by this interface.
    Note: If this parameter is set to yes, the only available Monitoring Method will be LCP.

Use Assigned IP
    Note: This parameter is only available in Advanced View mode.
    When set to yes the IP address dynamically assigned by your Internet provider is used as source network for policy routing. Initially, until the ISP has successfully assigned an address, the rule will have 0.0.0.0 as a source address. The field is only active when Own Routing Table is used.

Source Networks
    Note: This parameter is only available in Advanced View mode.
    Add networks here that should be routed by the ISDN interface. IP/mask notation is expected (Getting Started 5. Inverted CIDR Notation, page 25). For a single host use "0" as its netmask - for example 192.168.0.55/32.

Create Default Route
    If set to yes (default) the default route assigned by the provider is automatically introduced.
    Attention: When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.

Target Networks
    Target networks that are supposed to be reachable through the ISDN interface. Note that this information is obligatory.

Advertise Route
    If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.

Interface Realm
    This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal, dmz, external (default).

Route Preference Number
    You may specify a preference number to use the ISDN link in a multi-provider environment.

Clone Routes
    Note: This parameter is only available in Advanced View mode.
    If set to yes the dynamic routes will be cloned to tables main or default (depending on the route target). This parameter is aimed at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).

GRE with Assigned IP
    Note: This parameter is only available in Advanced View mode.
    Set this parameter to yes to register the assigned IP for IP protocol 47.

List 353 Networks - ISDN configuration section Connection Monitoring

For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links, page 78.
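The xDSL, DHCP and ISDN tables above state a number of constraints that are easy to violate when several dynamic links are configured: the mutually exclusive PPTP options, Own Routing Table forcing the LCP Monitoring Method, the mandatory Route Preference Number when several dynamic links create a default route, the IP/mask form of Source Networks, and the obligatory Target Networks for ISDN. The Python check below is an added example and not Barracuda's code: it evaluates these constraints over link sections written as dictionaries keyed by the guide's parameter names; the Type and CC Managed keys, the non-LCP monitoring value and the sample configuration are constructed for the example.

```python
"""Added example, not Barracuda's code: a consistency check over the dynamic
link sections (xDSL, DHCP, ISDN) for the constraints the guide states in
Lists 338 to 352.  Parameter names follow the guide; the dict layout, the
'Type' and 'CC Managed' keys and the finding texts are this example's own."""
import re
from typing import Any, Dict, List

LINK_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")   # digits and Latin letters only
NET_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")


def _yes(link: Dict[str, Any], key: str) -> bool:
    """yes/no parameters; a missing key means the documented default 'no'."""
    return str(link.get(key, "no")).lower() == "yes"


def _valid_net(text: str) -> bool:
    """IP/mask notation as the Source Networks field expects (a.b.c.d/n)."""
    m = NET_RE.match(text)
    return bool(m) and all(int(o) <= 255 for o in m.groups()[:4]) and int(m.group(5)) <= 32


def check_link(link: Dict[str, Any]) -> List[str]:
    """Checks one link section on its own; returns findings (empty list = ok)."""
    out: List[str] = []
    kind, name = link.get("Type", "?"), str(link.get("Name", ""))
    tag = "%s link %r" % (kind, name)
    if not LINK_NAME_RE.match(name):
        out.append(tag + ": Name may contain only digits and Latin letters")
    # Own Routing Table restricts Connection Monitoring to LCP.
    if _yes(link, "Own Routing Table") and link.get("Monitoring Method", "LCP") != "LCP":
        out.append(tag + ": with Own Routing Table the only Monitoring Method is LCP")
    for net in link.get("Source Networks", []):
        if not _valid_net(net):
            out.append(tag + ": Source Network %r is not in IP/mask notation" % net)
    if kind == "xDSL":
        via_dhcp = link.get("Local IP Selection") == "DHCP"
        if via_dhcp and link.get("Local IP"):
            out.append(tag + ": Local IP and Local IP via DHCP are mutually exclusive")
        if via_dhcp and link.get("Gateway to Modem IP"):
            out.append(tag + ": Gateway to Modem IP and Local IP via DHCP are mutually exclusive")
        if via_dhcp and not link.get("Required DHCP Link"):
            out.append(tag + ": Local IP via DHCP needs a Required DHCP Link")
        if not 60 <= int(link.get("Max MTU/MRU Size", 1492)) <= 1492:
            out.append(tag + ": Max MTU/MRU Size must lie between 60 and 1492")
    if kind == "ISDN":
        if link.get("Dial Mode") == "Dial-On-Demand" and _yes(link, "CC Managed"):
            out.append(tag + ": Dial-On-Demand must not be used on a Control Center managed box")
        if not link.get("Target Networks"):
            out.append(tag + ": Target Networks is obligatory")
    return out


def check_links(links: List[Dict[str, Any]]) -> List[str]:
    """Per-link checks plus the constraints that span several links."""
    out: List[str] = []
    for link in links:
        out.extend(check_link(link))
    # With several dynamic links, every one that creates a default route needs
    # a Route Preference Number above 0, otherwise the default routes collide.
    if len(links) > 1:
        for link in links:
            if _yes(link, "Create Default Route") and int(link.get("Route Preference Number", 0)) <= 0:
                out.append("%s link %r: Create Default Route with several dynamic links "
                           "requires a Route Preference Number > 0" % (link.get("Type"), link.get("Name")))
    # Required DHCP Link has to name an existing DHCP section.
    dhcp_names = {str(l.get("Name")) for l in links if l.get("Type") == "DHCP"}
    for link in links:
        wanted = link.get("Required DHCP Link")
        if link.get("Type") == "xDSL" and wanted and wanted not in dhcp_names:
            out.append("xDSL link %r: Required DHCP Link %r is not a configured DHCP section"
                       % (link.get("Name"), wanted))
    return out


# Constructed sample configuration: one DHCP cable link, one xDSL link over
# PPTP that obtains its local address via a cable link, one ISDN backup.
SAMPLE_LINKS = [
    {"Type": "DHCP", "Name": "cable1", "Create Default Route": "yes",
     "Route Preference Number": 10, "Own Routing Table": "yes", "Monitoring Method": "LCP"},
    {"Type": "xDSL", "Name": "dsl-1", "Local IP Selection": "DHCP",
     "Required DHCP Link": "cable0", "Gateway to Modem IP": "10.0.0.1",
     "Create Default Route": "yes", "Route Preference Number": 0,
     "Own Routing Table": "yes", "Monitoring Method": "not-LCP",   # constructed value
     "Source Networks": ["192.168.1.0/24", "192.168.300.1/0"]},
    {"Type": "ISDN", "Name": "isdn1", "Dial Mode": "Dial-On-Demand", "CC Managed": "yes",
     "Create Default Route": "yes", "Route Preference Number": 20,
     "Target Networks": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for finding in check_links(SAMPLE_LINKS):
        print(finding)
```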


2.2.5.7 UMTS

UMTS (Universal Mobile Telecommunications System) defines a mobile communication standard using the 3G specification in Europe. One UMTS card may be included into the network configuration of a Barracuda NG Firewall.

Note:
The UMTS extension is available only for appliances directly supported by Barracuda Networks.

List 354 Networks - UMTS configuration section UMTS (3G) Setup

UMTS Enabled
  Setting to yes (default: no) enables support for one UMTS card.
Standby Mode
  If set to no (default) the link is supposed to be activated and monitored as a result of network activation. If set to yes its activation and subsequent monitoring needs to be triggered externally.
Register in Standby
  This option allows for the registration of the card in the provider network even when Standby Mode is selected. This allows for a faster dial-in process when the link is fully activated.
  Note:
  Setting Inbound SMS Handling (see below) to yes will also lead to an immediate registration in the network.

List 355 Networks - UMTS configuration section UMTS Connection Details

UMTS Modem Card
  Configure your UMTS card here.
Modem Interface
  This parameter specifies the terminal interface associated with the UMTS card. Typically, this is noz0 for the card Option Globetrotter 3G+ - NZ and ttyUSB0 for the other cards. Select checkbox Other to define another value.
Active 2nd Channel
  Select Yes when you want to use the second modem channel.
Radio Preference
  Choose how the modem connects to the radio network:
    -- Not Applicable --
    GPRS/EDGE Preferred
    3G/UMTS Preferred
    GPRS/EDGE Only
    3G/UMTS Only
Inbound SMS Handling
  When set to yes (default: no) the modem card will be polled at regular intervals for inbound SMS messages. Depending on the settings in the SMS Control tab (see 2.2.3.7 SMS Control, page 57), the SMS is either deleted right away or further processed. The respective log output goes into the log file Auth > SMS.
Speed [baud]
  This is the UMTS card's connection speed. Select a predefined default value from the pull-down menu or select the checkbox Other to define an individual value.
Connect Timeout
  This value defines the period of time (in seconds) until a connection attempt is expected to have succeeded.
Register Timeout
  The register timeout is the time in seconds that the box will wait for the network registration to be completed before actually dialling out.
  Note:
  Registration in standby avoids exactly this waiting period, thus speeding up the dial-out.
  Note:
  The waiting period only applies to the first dial-out after a network configuration activation, restart, or boot. Subsequent dial-outs will take place without a prior registration.
SIM PIN
  This is the SIM card's Personal Identification Number (PIN), usually consisting of four digits.
APN Name
  Insert the Access Point Name (APN) for GPRS into this field.
PDP Context
  Click the Set button to access the PDP Context configuration. This section allows for a more fine-grained specification of the Packet Data Protocol (PDP) that is used for accessing the provider network.
    Context Identifier
      Specify the numeric "Context Identifier" (CID).
    PDP Type
      Specify the PDP Type (IP or PPP).
  Usually the default values of 1 and IP, respectively, will suffice. If unsure, enquire with your provider.
Phone Number
  This is the number the modem has to dial.
  Note:
  The dialled number always needs to end with a hash (#), but this hash must not be inserted into this field.
  Note:
  The last digit in the phone number is used to set the Context Identifier (see above). Note that when your provider does not assign you a number ending with "1", you'll need to adapt the setting in the PDP Context section accordingly.
Allow Compression
  If set to yes the Barracuda NG Firewall box will agree to negotiate compression settings with the dial-in server. If set to no (default) compression is disabled.

List 356 Networks - UMTS configuration section Authentication

Authentication Method
  Select the method for authentication here. Authentication protocols can be set to PAP, CHAP (default), PAP_or_CHAP or NONE.
User Access ID
  This is the principal account name (PPP user name) assigned by the provider.
User Access Sub-ID
  Insert an optional SUB-ID here if it has been assigned to you by your ISP. The User SUB-ID complements the User Access ID, separated from it by a hash (#). Insert the SUB-ID without the hash as it will automatically be prefixed to it.
Access Password
  This is the PPP password assigned by the ISP.
Use Provider DNS
  Set to yes if you wish to use the DNS server(s) assigned by your provider.
Use Dynamic DNS
  This parameter activates (default setting: no) Dynamic DNS and enables the configuration of Dynamic DNS Params.
  Note:
  To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate as the address needs to change once a month.

List 356 Networks - UMTS configuration section Authentication (continued)

Dynamic DNS Params
  Click the Set button to access the Dynamic DNS Params configuration section:
    Service Type
      DynamicDNS (default)
      StaticDNS
      CustomDNS
      For additional information about available DynDNS Service Types visit http://www.dyndns.com/services/
    Dyndns Name
      Here the dyndns name that was registered at dyndns.org has to be entered.
    Secure Update
      This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
    User Access ID
      User ID for accessing the server as defined during registration at dyndns.org.
    Access Password
      Password for accessing the server as defined during registration at dyndns.org.
    Wildcard Support
      Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same).
    MX Record
      This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
    Backup MX
      Setting this parameter to yes triggers that the configured MX Record works as a backup mail server. The registered Dyndns Name will be used as primary mail server. Setting the parameter to no induces that only the MX Record is used.
      Note:
      It is not recommended to use the MX parameters offered. If nevertheless used, please consult www.dyndns.org for detailed information.
    Retry Time [mins]
      Standoff time in minutes until a new update try is started if the preceding one has failed.

List 357 Networks - UMTS configuration section Routing

Own Routing Table
  Note:
  This parameter is only available in Advanced View mode.
  If set to no (default) routes will only be inserted into tables main or default. If set to yes policy routing will be used. With policy routing activated a new table named umts1 is introduced to the main routing table. Routes are inserted into this table only unless Clone Routes (see below) is set to yes. All routes involving the UMTS link make use of this policy routing table.
  Note:
  If this parameter is set to yes, the only available Monitoring Method will be LCP.
Use Assigned IP
  Note:
  This parameter is only available in Advanced View mode.
  When set to yes the IP address dynamically assigned by your Internet provider is used as source network for policy routing. Initially, until the ISP has successfully assigned an address, the rule will have 0.0.0.0 as a source address. The field is only active when Own Routing Table is used.
Source Networks
  Note:
  This parameter is only available in Advanced View mode.
  Array of source networks or single hosts that will point to the policy routing table umts1. IP/mask notation is expected. For a single host supply "0" as its netmask. (Getting Started 5. Inverted CIDR Notation, page 25)
Create Default Route
  If set to yes (default) the default route assigned by the provider is automatically introduced.
  Attention:
  When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.
Target Networks
  Target networks that are supposed to be reachable through this link.
Remote Peer IP
  Use this override mechanism if your provider does not assign a remote gateway IP.
Advertise Route
  If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
Interface Realm
  This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified to one of the following:
    unspec
    internal
    dmz
    external (default)
Route Preference Number
  Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your UMTS uplink as a backup connection (provider-failover) to the internet, for example.
Clone Routes
  Note:
  This parameter is only available in Advanced View mode.
  If set to yes all routes will be cloned from the table umts1 to tables main or default (depending on the route target). This parameter is aiming at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
GRE with Assigned IP
  Note:
  This parameter is only available in Advanced View mode.
  Set this parameter to Yes to register the assigned IP for IP protocol 47.

List 358 Networks - UMTS configuration section Connection Monitoring

For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links.

2.2.5.8 Connection Monitoring of Dynamic Links

Connection monitoring options allow specifying a list of IP addresses that must be reachable through the dynamic xDSL, DHCP, ISDN or UMTS link. If these addresses are not pingable the network subsystem will be restarted and error messages will be reported in the log file.

Note:
For PPP multilink bundles in xDSL configurations the connection monitoring settings of the primary link are adopted for the bundled link. Monitoring settings of other non-primary link members are tacitly ignored.

List 359 Connection monitoring of dynamic links section Connection Monitoring

Log Level
  Set to debug (default: standard) in case you encounter configuration problems and temporarily need verbose log files.

List 359 Connection monitoring of dynamic links section Connection Monitoring (continued)

Monitoring Method
  Selects the method adopted for link quality assessment.
  By selecting ICMP the reachable IP addresses (set in parameter Reachable IPs) are probed first. If there is no response the gateways are probed.
  If the Internet provider does not allow pings, the monitoring method has to be set to LCP. The Dial-In daemon is then probed directly.
  By selecting StrictLCP absolutely no ICMP probing occurs.
  Note:
  ICMP is not available when parameter Own Routing Table is set to yes.
  Note:
  LCP checks are automatically performed by the pppd according to the LCP parameterisation below.
  Note:
  The DHCP link monitoring method is ICMP by default and therefore not customisable.
  Note:
  Regardless of the monitoring method which is set, the monitoring of the gateway IP is not affected (for example: choosing LCP as monitoring method does not prevent the gateway IP from being pinged).
Reachable IPs
  Probing target IP addresses that are pinged in order to see whether the link is still functioning or not. At least one single IP address that is meant to be accessible only via the xDSL link has to be specified. Each of the specified IPs is pinged every 20 seconds (2 ICMP packets each). If none of the IPs responds the remote end of the PPP connection to the ISP is checked. In case of no response the link is dismantled and it is attempted to re-establish it.
LCP Check Interval
  Time between two successive LCP echo checks.
No. of LCP Checks
  Number of successive failed LCP echo checks before the PPP connection is terminated by the local pppd.
No. of ICMP Probes
  Number of ICMP echo requests sent to each probing target IP address (maximum value: 9, default: 2).
Waiting Period [s/probe]
  Number of seconds per probe that a reply is waited for.
Check Interval [s]
  The time between two successive link state assessments.
Failure Standoff [s]
  The time to wait immediately after a failed link establishment before trying to connect again. The idea here is that blunt retrying usually does not improve the situation but rather leads to vast amounts of unwanted log output.

Note:
For further information on monitoring mechanisms refer to 2.2.5.12 Further Reading: Probing Policies and Mechanisms, page 81.

2.2.5.9 IP Tunnelling

Note:
The following parameters are only available in Advanced View mode.

This section allows the introduction of simple point-to-point tunnels using generic routing or plain IP in IP encapsulation.

Note:
If you wish to establish a secure tunnel between two firewalls you should rather make use of a VPN tunnel. The box-based tunnels you may configure here offer neither peer authentication nor encryption support. Especially in conjunction with high availability (HA) systems a VPN tunnel will offer significant benefits as it is attached to a server and not to a box. Moreover, if you wish to establish a tunnel hub (which means a box sustaining many tunnels, each with a different peer) a VPN server will turn out to be a much better choice.

To open the configuration dialog, click the Insert button.

Fig. 331 IP Tunnels configuration

List 360 Networks - IP Tunnels configuration section Tunnel Configuration

Encapsulation Mode
  Choose the type of encapsulation. Default setting is GRE(47) (Generic Routing Encapsulation). Alternatively there is support for plain IP in IP encapsulation (IPinIP(4)).
Tunnel TTL
  This optional parameter allows setting the TTL for encapsulated tunnel traffic. Leaving this field blank corresponds to the hitherto standard behavior of TTL inherit and Nopmtudisc (no path MTU discovery).
Set Multicast Flag
  If set to yes (default: no) the multicast flag will be set for the tunnel interface.
Source IP Type
  Select the type of source IP here. Available values are ServerIP and BoxIP (default). If ServerIP is selected no source IP has to be specified as the IP will be provided by a server. If BoxIP is selected a local source IP address has to be specified (see below).
  Note:
  In absence of a local source IP the box itself cannot use the tunnel for local traffic.
Source IP
  Specify a routable source address if the box itself is meant to use the tunnel. The IP is activated on the tunnel interface.
Source Mask
  Enter the source IP's netmask here. A non-zero mask specifies a local network.

List 360 Networks - IP Tunnels configuration section Tunnel Configuration (continued)

Route Preference Number
  Preference number of this route. Use only when two routes to the same target exist.
  Assigning a route preference number only makes sense under the following premises. You do not wish to use policy routing for tunnelling, thus the respective tunnel routes go either into table main or default (in the case the target needs to be network 0.0.0.0/0). You wish to use policy routing but plan to assign the routes to an already existing table. In both cases the preference will only have an effect if there exists another route to one of the specified target networks. As mentioned in the preceding section it is not sensible to introduce redundant routes to a target net with a direct route being the preferred path.
Remote End IP
  IP address of the remote tunnel end. Guarantee that the routing setup allows accessing this address from the local tunnel end, which means with source address as specified in Local End IP.
Check Reachability
  If set to yes (as it is by default) a check is performed whether the remote tunnel end is directly reachable from the local end IP. If this check fails the tunnel is not introduced; if verification is active already a Send Changes will fail.
  Setting this parameter to no disables this check. Select no when the remote tunnel end is only accessible via a VPN route.
Local End IP
  IP address of local tunnel end.
  Note:
  This address must already exist. In particular it must correspond to one of the addresses introduced in a network related section.
Interface Realm
  This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified to one of the following:
    unspec (default)
    internal
    dmz
    external
Target Networks
  Array of IP/mask pairs that are meant to be accessible through the tunnel. They are thus target networks of routes that rely on the existence of the tunnel interface. Each specified target will rely on a corresponding direct route.
Advertise Route
  If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
Use Policy Routing
  Select yes to activate a source filter for the tunnel routes. If set to yes the three policy routing related entries below will be activated.
Table Placement
  Controls placement of the table. Choose between the default setting postmain, and the advanced options premain and existing. The latter allows referencing an already existing table. The rule preference of this table will be inherited.
Use Table
  Note:
  Only enabled when Table Placement has been set to existing.
  Allows you to specify an existing policy routing table to which the tunnel routes are added. For each source network defined an appropriate rule pointing to this very table (with the table's original preference) is also appended. Do not use the tables local, main or default in this parameter.
Source Networks
  Array of source networks or single hosts for which a yet to be defined policy routing table is looked up.
  Note:
  By default the name of the table would be identical to the name of the tunnel section entry. You may however assign the routes to another already existing table.
  IP/mask notation is expected. For a single host you will need to supply "0" as its netmask. (Getting Started 5. Inverted CIDR Notation, page 25)

2.2.5.10 Integrity Check

The Integrity check performs a logical test on the network configuration.

List 361 Integrity Check configuration section Integrity Check Settings

Consistency Verification
  Always (default), Box-Only or Never.
Include Server IPs
  yes (default) or no.

2.2.5.11 Special Needs

Note:
The following parameters are only available in Advanced View mode.

Section User Scripts

The Special Needs section is provided to satisfy rare network-related demands that are difficult to cover with standardized configuration settings. This part of the configuration clearly addresses the well-versed system administrator. Section instances of this type allow specifying bash2-conform user-defined commands. The integration of these command sections into the graphical user interface has several significant advantages. There is no need to alter any of the standard utilities required to bring up the networking subsystem, thus software updates are not an issue. Modifications to the way in which networking is brought up are kept track of and may not easily be forgotten.

At the very same time such a user interface has the potential to wreak havoc on your system as all commands are run with super user privileges. Therefore use only with due care.

Note:
Barracuda Networks recommends to input only commands that have previously been tested on the command line and which are guaranteed to produce the desired results.

Please do not use this as a personal playground.

To open the configuration dialog, click the Insert button:

Fig. 332 Special Needs configuration

For example, we have labelled the section spec. The activation command resets the maximum transmission unit of tokenring interface tr0 to 1400 bytes (the default value is 2000 bytes). The shutdown command has intentionally been left blank.

Note that the full path must be given (for example /usr/bin/, /sbin/, ...).

In the section instance list the presence of a command will only be indicated by a string reading either -set- or -not set-. This is due to the potentially significant length of the individual commands.

2.2.5.12 Further Reading: Probing Policies and Mechanisms

- Monitoring Method: ICMP
  Before probing actually commences, the existence of a meaningful address assignment on the associated ppp interface (ppp1-4) is checked for. If no meaningful assignment is found the link is deemed dead and no further probing is required.
  Only if the address assignment appears correct does the actual probing take place. If ICMP has been chosen as monitoring method the configured reachable IPs are probed first. If at least one reachable IP has been specified and an echo reply is received, then the link is deemed functional.
  In case no reachable IPs have been specified (which is not smart) or none of the addresses specified have replied, the probing continues with the gateway address assigned by the ISP.
  If then this gateway address replies to an ICMP echo request the link is deemed functional. If the gateway address does not reply then the link is deemed inoperative and is shut down.

- Monitoring Method: LCP
  For probing policy LCP the ICMP ISP gateway check (which is performed as final step with ICMP selected as monitoring method) is also carried out but its result is interpreted in a different way. If the gateway does not respond no further check is attempted and the current probing failure is ignored. However, if the gateway responds further regular probing is carried out. Should one of these then fail in the future the link will be deemed inoperative and will be shut down.

- Monitoring Engine Changes
  The executable used to start and monitor all ADSL connections is now called /epb/openxdsl. The executable openxdsl has three distinctively different operation modes. These are called daemon, signal, and worker.

List 362 The monitoring executable openxdsl and its commands

/epb/openxdsl (operation mode: daemon)
  All configured links in non-standby mode are activated and monitored. The executable becomes a daemon and detaches from the controlling terminal. The daemon starts a separate worker process for each xDSL link or link bundle.
/epb/openxdsl void (operation mode: daemon)
  Same as above but runs in foreground, which means the daemon does not detach.
/epb/openxdsl stop/start/restart (operation mode: signal)
  Instructs a running daemon process to stop (= block), start or restart all running worker processes (links or bundled links).
/epb/openxdsl stop/start/restart <names> (operation mode: signal)
  Same as above but only stops/starts/restarts the links associated with the supplied section names.
  Note:
  Names of non-primary multilink members are no valid arguments. You may only stop, start or restart the link as a whole. Use the name of the primary link member to do so.
/epb/xdsl[1-4] -> /epb/openxdsl (operation mode: worker)
  When invoked as xdsl[n] the same executable openxdsl behaves differently, for example as a worker starting up a particular link or link bundle. The integer n denotes the list position of the link in the list of xDSL section entries. Note that this index also determines the used ppp[n] interface.

Beyond this an auxiliary cleanup utility called /epb/wipexdsl is provided.

A process list output for a link bundle with two pptp connections maintained by an xdsl1 worker:

Fig. 333 Process list output for a link bundle

|-openxdsl(29801)-+-sleep(30144)
|                 `-xdsl1(29829)-+-sleep(30137)
|                                |-xdsl1(29876)---xdsl1(29881)---pppd_xdsl1.0(29882)---pptp_xdsl1.0(29883) [link handler]
|                                `-xdsl1(30089)---xdsl1(30094)---pppd_xdsl1.1(30097)---pptp_xdsl1.1(30098) [link handler]
|-pptp_xdsl1.0(29885) [pptp call manager for primary link]

Note that each worker forks at least one link handler (with identical name) which in turn starts a pppd daemon. The individual pppd processes and their forked pptp or pppoe transport handlers have distinct names which allow tracing them back to the worker and link handler.

- File Locations
  The xDSL implementation writes all volatile temporary data (pid-files, state-files, ...) into /var/phion/run/boxnet/xDSL. Data-files required at runtime which only change as a consequence of a full network configuration activation are written into /var/phion/config/boxnet/xDSL. The idea behind this separation is to easily facilitate the migration to a flash-RAM-based appliance platform, where /var/phion/run may be linked against a directory in a RAM-disk.

Fig. 334 Listing of /var/phion/run/boxnet/xDSL

prw-r--r-- 1 root root  0 Aug 24 16:26 fifo_xdsl1.0
prw-r--r-- 1 root root  0 Aug 24 16:05 fifo_xdsl1.1
lrwxrwxrwx 1 root root 14 Aug 19 11:48 pppd_xdsl1.0 -> /usr/sbin/pppd
lrwxrwxrwx 1 root root 14 Aug 19 11:48 pptp_xdsl1.0 -> /usr/sbin/pptp
-rw-r--r-- 1 root root  4 Aug 24 16:26 xdsl1.0.state
-rw-r--r-- 1 root root  4 Aug 24 16:24 xdsl1.1.state
lrwxrwxrwx 1 root root 38 Aug 10 13:23 xdsl1_master -> /var/phion/run/boxnet/xDSL/xdsl1.0.pid

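The ICMP and LCP probing policies of 2.2.5.12 (and the StrictLCP choice from List 359), written out as a single link assessment routine. This is an added illustration, not Barracuda code: the prober is injected, and the addresses and reply table it is fed are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple

# Injected prober: how many echo replies did <address> return for <count> requests?
# A real implementation would send ICMP; the sample below uses a constructed table.
Prober = Callable[[str, int], int]

MAX_ICMP_PROBES = 9  # List 359: No. of ICMP Probes (maximum 9, default 2)


class Verdict(Enum):
    FUNCTIONAL = "functional"        # link keeps running
    INOPERATIVE = "inoperative"      # link is shut down and re-established
    UNDETERMINED = "undetermined"    # LCP policy: gateway silent, failure ignored


@dataclass
class DynamicLink:
    ppp_address: Optional[str]                 # address assigned on the ppp[n] interface
    gateway: Optional[str]                     # remote gateway address assigned by the ISP
    reachable_ips: List[str] = field(default_factory=list)  # Reachable IPs (List 359)
    lcp_echo_ok: bool = True                   # outcome of pppd's own LCP echo checks
    own_routing_table: bool = False            # Own Routing Table (List 357)


def effective_method(link: DynamicLink, configured: str) -> str:
    """Apply the documented constraint: ICMP is not available with Own Routing Table."""
    if configured not in ("ICMP", "LCP", "StrictLCP"):
        raise ValueError(f"unknown monitoring method {configured!r}")
    if configured == "ICMP" and link.own_routing_table:
        return "LCP"
    return configured


def has_meaningful_address(link: DynamicLink) -> bool:
    """0.0.0.0 is the placeholder used until the ISP has assigned an address."""
    return link.ppp_address not in (None, "", "0.0.0.0")


def assess_link(link: DynamicLink, method: str, probe: Prober,
                icmp_probes: int = 2) -> Tuple[Verdict, str]:
    """One link state assessment following the probing policies of 2.2.5.12."""
    if not 1 <= icmp_probes <= MAX_ICMP_PROBES:
        raise ValueError("No. of ICMP Probes must be between 1 and 9")
    method = effective_method(link, method)

    def replied(address: Optional[str]) -> bool:
        return address is not None and probe(address, icmp_probes) > 0

    # Common first step: without a meaningful address the link is dead, no probing needed.
    if not has_meaningful_address(link):
        return Verdict.INOPERATIVE, "no meaningful address assignment on ppp interface"

    if method == "ICMP":
        # Reachable IPs first; any echo reply proves the link functional.
        if any(replied(ip) for ip in link.reachable_ips):
            return Verdict.FUNCTIONAL, "a reachable IP answered"
        # No reachable IPs configured or none replied: fall back to the ISP gateway.
        if replied(link.gateway):
            return Verdict.FUNCTIONAL, "ISP gateway answered"
        return Verdict.INOPERATIVE, "neither reachable IPs nor gateway answered"

    if method == "LCP":
        # The gateway check is still performed, but a silent gateway only means
        # the current probing failure is ignored, not that the link is down.
        if not replied(link.gateway):
            return Verdict.UNDETERMINED, "gateway silent; probing failure ignored"

    # LCP with a responding gateway, or StrictLCP (no ICMP probing at all):
    # the verdict rests on pppd's regular LCP echo checks.
    if link.lcp_echo_ok:
        return Verdict.FUNCTIONAL, "LCP echo checks pass"
    return Verdict.INOPERATIVE, "LCP echo checks failed"


def sample_prober(replies: dict) -> Prober:
    """Build a prober from a constructed {address: replies_available} table."""
    return lambda address, count: min(replies.get(address, 0), count)


if __name__ == "__main__":
    # Constructed sample: first reachable IP silent, second answers, gateway silent.
    probe = sample_prober({"198.51.100.2": 2})
    link = DynamicLink("192.0.2.10", "203.0.113.254", ["198.51.100.1", "198.51.100.2"])
    for method in ("ICMP", "LCP", "StrictLCP"):
        print(method, assess_link(link, method, probe))
```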
Fig. 335 Listing of /var/phion/config/boxnet/xDSL

-rwx------ 1 root root 1230 Aug 23 10:31 ip-up.xdsl1
lrwxrwxrwx 1 root root   44 Aug 23 10:31 xdsl1 -> /var/phion/config/boxnet/xDSL/xdsl_PPTP_ppp1
-rw------- 1 root root    0 Aug 23 10:31 xdsl1_reachips
-rw------- 1 root root    0 Aug 23 10:31 xdsl1_reachips.last
-rw------- 1 root root  100 Aug 23 10:31 xDSL.opconf
-rw------- 1 root root  100 Aug 23 10:31 xDSL.opconf.now
-rw------- 1 root root  504 Aug 24 16:23 xdsl_PPTP_ppp1

2.2.6 Traffic Shaping

Note:
Please have a look at the document HowTo: Traffic Shaping downloadable at the Myphion area at www.phion.com in order to acquire in-depth information on this feature.

Note:
Hardware based on i386 compatible CPUs does not provide the functions required for traffic shaping. Thus traffic shaping does not work on i386 kernels. Enter
rpm -q kernel --qf %{ARCH}\\n
on the command line to find out which kernel is present.

2.2.6.1 Enterprise Shaping

This design satisfies the requirements necessary for executing any of the following application schemes:

- Data Traffic Classification
  Important traffic is distinguished from unimportant data traffic.
- Prioritisation
  Important traffic is given preferential treatment (either more bandwidth and/or lower latency).
- Bandwidth Partition
  Certain types of traffic are not allowed to exceed a bandwidth limit.
- Network Overflow Protection
  Prohibits protocols not having a flow control mechanism from congesting the network.
- Dynamically Adjusted Shaping
  Shaping is adjusted according to dynamic parameters like daytime or download volume.
- Shaping of VPN Transports
  Shaping may not only be used for physical network interfaces but also for VPN transports.

When implementing traffic shaping, one distinguishes between traffic classification and shaping enforcement: the results of traffic classification are used as input for shaping enforcement in order to implement a shaping policy.

- Static Classification
  Network traffic may be classified according to configurable conditions. Since the firewall rule set is already used to classify network traffic regarding security, we also use the rule set to classify network traffic for traffic shaping. It is therefore possible to treat network traffic for certain services (for example http, ftp, ...) just like traffic originating from certain IP source/destination addresses differently.

- Dynamic Classification
  Since the firewall rule set is only consulted during session initiation we call the above classification static classification. Once the session is initiated the classification performed by the rule set does not change. In order to also handle dynamic parameters like daytime or download volume, which vary during the session lifetime, we add an element called shaping connector to the concept. These shaping connectors (described in more detail later on) take the dynamic parameters of a network session into account and allow taking shaping decisions accordingly.

- Enforcement
  Once traffic is classified, traffic shaping enforcement has to take place. The shaping enforcement is performed by processing network data before it is delivered to a network interface (outbound shaping) or after it is received by a network interface (inbound shaping). The enforcement is produced by delaying (queuing) or even discarding network traffic according to the present bandwidth utilisation status using the results of traffic classification. To implement this enforcement we make use of a tree of virtual interfaces (virtual tree), which may be attached to network interfaces indicating that traffic shaping is intended.

Fig. 336 Enterprise Shaping Enforcement

- Virtual Interface
  The active element of traffic shaping is called the Virtual Interface. As its name implies, the virtual interface involves a non-physical (abstract) network adapter. Data is transmitted over a virtual interface and, depending on the settings, is systematically transmitted onward.
  The most important characteristics of a virtual interface are:
    a limiting bandwidth and
    a priority weighting (high, medium or low).
  The bandwidth limit specifies the maximum data rate available for the virtual interface. If the virtual interface is congested (more data arrives than the bandwidth limit allows), the priority weighting determines how the available bandwidth will be partitioned according to individual priorities. Partitioning is never static. In other words, if all available traffic has a low priority, it will be assigned the whole bandwidth. The Weighted Random Early Drop (WRED) queue management algorithm is used for prioritisation.

- Virtual Tree
  Virtual trees are constructed of a root virtual interface, which may be attached to a real network interface, and an arbitrary number of sub nodes forming a tree. The output of any number of virtual interfaces can be fed into the input of a superordinate virtual interface. Each
and every virtual interface of a virtual tree can be configured individually. Virtual trees are built as templates and will only operatively perform traffic shaping when they are referred to by a physical network interface. This way the same virtual tree can be reused for several physical network interfaces. As a consequence of this re-usage, the limiting bandwidth rates are configured in relative numbers (percent), which become absolute values when assigning a physical network interface with absolute bandwidth values. When assigning virtual trees to physical network interfaces, it is possible to decide if inbound and/or outbound traffic should be performed by the traffic shaping mechanism. With the assignment the effective rates (in- and outbound) of the physical network interfaces are specified. Note that these rates do not need to be identical with the rate the interface is capable of, but should rather specify the expected effective bandwidth (for example a 2 MBit provider line accessed over a 100 MBit Ethernet interface).

- Shaping connector
  Virtual interfaces, their associated virtual trees, and the active elements of data flow modelling are based on the presupposition that the data has already been classified. This classification is the role of the shaping connector. As its name suggests, the shaping connector is responsible for the connection between the rule-based static classification (session) and traffic shaping. Not only do shaping connectors evaluate and prioritize traffic (high, medium or low), they also specify the name of the virtual interface into which the data is fed. Ultimately, the virtual interface is selected according to the session's routing information. This information is used to define the network interface or VPN transport, then determines whether a virtual tree exists for the designated virtual interface. The shaping connector has its own set of rules that accommodate the dynamic character. These rules are evaluated as soon as the session starts and are continually re-evaluated throughout the session's entire duration. The rules evaluate the following characteristics: an IP packet's TOS (type of service), current data volume for the associated session, and absolute time domain within the period of one week. The goal of these rules is to prioritize traffic and decide where the data should be sent to. Due to its dynamic character, completely different shaping schemes can be used over the course

reverse direction by traffic generated by the responder (server). As shown in figure 337 we have four different traffic types. For each type shaping may be enabled/disabled or configured differently.

Fig. 337 Enterprise Shaping Firewall Rule Parameter

The following steps should be taken to configure traffic shaping:

- Prerequisites (configurative)
  Create a virtual tree template.
  Assign the template to a network interface and specify a maximum bandwidth for outbound and/or inbound traffic. Not specifying a bandwidth implies no in- or outbound shaping.
  Create one or more shaping connectors which point to virtual interface names according to the specified conditions.
  Refer to the shaping connector in firewall rule advanced settings for forward and/or reverse traffic.

- Operating sequence
  The session is constructed according to a firewall rule and the configured rule shaping connectors (forward and reverse) are registered for the session.
  Once this is completed, every packet is processed:
  The associated shaping connectors are determined according to packet direction (forward or reverse).
  The shaping connector rules, which are conditions on TOS, daytime and data volume, are evaluated, resulting in a priority and a virtual interface name.
  Packet routing is evaluated (input and output interface are determined).
  If the resulting interface (inbound shaping applies to input interfaces and outbound shaping applies to outbound interfaces) has a virtual tree attached, the result of the shaping connector rules is used to assign a virtual interface by name. In case no virtual
of one single session. interface with this name exists but the physical
Since shaping connectors do not completely identify interface has a virtual tree assigned, the root node
the virtual interface (they only specify the name of the of the virtual tree is assigned by default.
linked network interface), it is possible to construct
If a virtual interface is assigned, traffic is not
routing-dependent traffic shaping schemes (different
delivered immediately but diverted to the assigned
shaping schemes for the Internet connection in normal
virtual interface first. It must traverse through the
and fallback (ISDN) operation).
shaping tree (shaping enforcement), where it might
z Firewall Rule Parameter be propagated, delayed, or even discarded
In order to use a shape connector it must be referred to depending on the available bandwidth and queues
in a firewall rule. When selecting shape connectors fill status.
(formerly called bands for the old traffic shaping) one Traffic with no virtual interface assigned is
can distinguish between the forward and the reverse processed immediately.
direction. The forward direction is defined by traffic
generated by the session initiator (client) and the
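The classification path just described, as an added Python model that is not code from the guide or from the appliance: connector rules are evaluated in order to a priority and a virtual interface name, the routed physical interface selects the tree, the name is looked up there with the root node as fallback, and the tree's percent rates become absolute kbit/s through the interface mapping. The interface names (eth1, isdn0, eth2), the tree layout, the rates and the 10 MB download limit are assumptions made for the illustration, modelled on the Example 3 scenario described later in this section; what the appliance does when no connector rule matches is not stated in the guide, so the model requires a catch-all rule.

```python
"""Model of the Enterprise Shaping classification path described above.

Added example, not Barracuda's own code. It reproduces the order in which the
guide says a packet is handled: connector rules (conditions on TOS, session
data volume and weekday/hour) are evaluated to a (priority, virtual interface
name); the interface the packet is routed over selects a virtual tree; the
name is looked up in that tree with the root as fallback; percent rates become
absolute kbit/s through the tree-to-interface mapping. All names and numbers
below are constructed for the illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VirtualIF:
    name: str
    rate_pct: float = 100.0    # Assumed Rate: percent of the parent node's rate
    mode: str = "shape"        # Operation Mode: shape / passthrough / drop
    children: list = field(default_factory=list)


@dataclass
class ConnectorRule:
    priority: str                         # high / medium / low
    virtual_if: str                       # Virtual Device the packet is fed into
    tos: Optional[int] = None             # condition: IP TOS must equal this value
    traffic_limit: Optional[int] = None   # condition: session bytes must not exceed this
    hours: Optional[frozenset] = None     # condition: allowed (weekday, hour) pairs


def absolute_rates(root, interface_kbit):
    """Flatten a tree into {name: (kbit/s, mode)}. A node's percent applies to
    its parent's absolute rate, so the root gets the interface's effective rate."""
    rates = {}

    def walk(node, parent_kbit):
        kbit = parent_kbit * node.rate_pct / 100.0
        rates[node.name] = (kbit, node.mode)
        for child in node.children:
            walk(child, kbit)

    walk(root, interface_kbit)
    return rates


def evaluate_connector(rules, tos, session_bytes, weekday, hour):
    """First rule whose set conditions all hold wins (rules are ordered, hence the
    'move connector rule up/down' commands). Returns (priority, name) or None."""
    for rule in rules:
        if rule.tos is not None and rule.tos != tos:
            continue
        if rule.traffic_limit is not None and session_bytes > rule.traffic_limit:
            continue
        if rule.hours is not None and (weekday, hour) not in rule.hours:
            continue
        return rule.priority, rule.virtual_if
    return None


def shape_decision(mappings, out_iface, rules, tos, session_bytes, weekday, hour):
    """mappings: {physical interface: (tree root, effective outbound kbit/s)}.
    Returns None when the routed interface has no tree (deliver immediately),
    otherwise the virtual interface the packet is fed into and its parameters."""
    if out_iface not in mappings:
        return None
    root, kbit = mappings[out_iface]
    rates = absolute_rates(root, kbit)
    matched = evaluate_connector(rules, tos, session_bytes, weekday, hour)
    if matched is None:
        # Assumption of this model: every connector ends with a catch-all rule.
        raise ValueError("no connector rule matched; add a catch-all rule")
    priority, wanted = matched
    name = wanted if wanted in rates else root.name   # unknown name -> root node
    rate, mode = rates[name]
    return {"virtual_if": name, "priority": priority, "rate_kbit": rate, "mode": mode}


# Constructed scenario: same node names on both lines, but the ISDN tree's Web
# node drops, so web traffic never reaches the fallback line.
INET_TREE = VirtualIF("root", 100, "shape",
                      [VirtualIF("Web", 60), VirtualIF("B2B", 100)])
ISDN_TREE = VirtualIF("root", 100, "shape",
                      [VirtualIF("Web", 60, "drop"), VirtualIF("B2B", 100)])
MAPPINGS = {"eth1": (INET_TREE, 10_000), "isdn0": (ISDN_TREE, 512)}   # assumed names/rates

# Internal web access: medium priority until the session has sent 10 MB, then low.
WEB_CONNECTOR = [
    ConnectorRule("medium", "Web", traffic_limit=10_000_000),
    ConnectorRule("low", "Web"),
]
# VoIP: fed straight into the root node so it overtakes queued Web/B2B traffic.
VOIP_CONNECTOR = [ConnectorRule("high", "root")]
# VPN: high priority during assumed office hours (Mon-Fri 08-17), medium otherwise.
OFFICE_HOURS = frozenset((d, h) for d in range(5) for h in range(8, 18))
VPN_CONNECTOR = [
    ConnectorRule("high", "B2B", hours=OFFICE_HOURS),
    ConnectorRule("medium", "B2B"),
]

if __name__ == "__main__":
    for label, iface, rules, sent, wd, hr in [
        ("web, 0.5 MB sent, provider line", "eth1", WEB_CONNECTOR, 500_000, 1, 9),
        ("web, 20 MB sent, provider line", "eth1", WEB_CONNECTOR, 20_000_000, 1, 9),
        ("web, ISDN fallback", "isdn0", WEB_CONNECTOR, 500_000, 1, 9),
        ("vpn, Saturday", "eth1", VPN_CONNECTOR, 0, 5, 10),
        ("voip, interface without tree", "eth2", VOIP_CONNECTOR, 0, 1, 9),
    ]:
        print(label, "->", shape_decision(MAPPINGS, iface, rules, 0, sent, wd, hr))
```

Running the module prints one decision per constructed case. Two points the guide makes are visible in the output: the same Web connector lands in a shaping node on eth1 but in a dropping node on isdn0, because the name is resolved in whichever tree the route selects; and a session that has already sent more than 10 MB is re-classified to low priority without any change to the firewall rule.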


Example 1: Simple traffic prioritisation

Fig. 3-38 Enterprise Shaping Example 1: Simple traffic prioritisation

The following goals should be achieved:

• Traffic is classified according to the source IP and network service into three types, which should be prioritized with the ratio 5:2:1 (high:medium:low).

Configuration for Example 1:
A virtual tree consisting of a single virtual interface with a partition priority of 5:2:1. Three shaping connectors, where one results in a high, one in a medium and one in a low priority selection, all pointing to the root node (note: we have only one node to point to anyway). A firewall rule set that consists of three rules, each referring to one of the three shaping connectors. And finally a physical network device, where we expect network traffic to be delivered, with the virtual tree attached to it.

For this simple setup we observe the following behavior:

• The configured total in- and outbound bandwidth is never exceeded.
• The three types (low, medium and high) of network traffic share the bandwidth. Should not all three types of traffic be in operation, the total bandwidth is divided amongst the traffic that is present according to the partition priority. If the preset bandwidth limit is not reached, traffic shaping does not take place and there is no prioritisation.

Note:
Prioritisation only occurs when the available bandwidth is insufficient.

Since all three types of traffic operate on the same limiting unit, the datagram delivery latency of a specific traffic type will depend heavily on the amount of traffic of the other types, since they share the same datagram queue.

• The prescribed priority partition is an estimated ratio, which is more likely to be exact the more network traffic is sent (see the note on TCP traffic, page 85).

Example 2: ISP customer bandwidth assignment

Assume an ISP with an internet access providing a total bandwidth of 100 Mbit/s. The bandwidth should be assigned to 4 customers, where one should get 40 Mbit/s and the other three 20 Mbit/s each. The assigned bandwidth of each customer should not be exceeded even if the total bandwidth is not saturated.

Fig. 3-39 Enterprise Shaping Example 2: ISP customer bandwidth assignment

Configuration for Example 2:
A virtual tree consisting of a virtual root interface and four subnodes (A-D) with a limiting bandwidth of 40 % (one) and 20 % (three). Four shaping connectors where each one results in a medium priority selection (unimportant for this example) and points to one of the sub nodes. A firewall rule set that consists of four rules, each referring to one of the four shaping connectors. And finally a physical network device where we expect network traffic to be delivered, with the virtual tree attached to it.

For this example we observe the following behavior:

• The total bandwidth (sum over all customers) is never exceeded.
• The available per-customer bandwidth is never exceeded. There is no bandwidth borrowing between customers (nodes).
• The setup can be extended by introducing more than one shaping connector per customer with varying priorities.

Example 3: Advanced traffic shaping

The advanced traffic shaping example makes use of the prioritisation of example 1 and the bandwidth assignment of example 2. Furthermore, the dynamic parameter session download volume is taken into account in order to demonstrate the purpose of the shaping connector rules. The setup describes an internet gateway which services:

• An application which needs low delivery latency (VoIP for example).
• Internet access from the internal network (mainly HTTP web traffic).
• VPN traffic over the internet.
• Web access from the internet (Web Shop).


• Multiprovider setup with a fallback ISDN line (bundled to 512 kbit/s). ISDN fallback is implemented with redundant network routes.

Fig. 3-40 Enterprise Shaping Example 3: Advanced traffic shaping

From this setup we expect the following:

• Low latency delivery for the VoIP application. This is achieved by feeding the VoIP traffic directly into the root node, whereas other traffic has to pass either the "B2B" or the "Web" node first, where it is queued (delayed) if bandwidth saturation occurs. This way the VoIP traffic may even overtake the traffic waiting in the Web or B2B queues.
• A minimum of 40 % of the internet bandwidth for VPN traffic. By limiting the Web node to 60 % we guarantee that the B2B node will get at least 40 % of the available bandwidth (assuming that the amount of VoIP traffic is negligible).
• High priority treatment for Web access from the internet (Web Shop).
• Medium priority treatment for Web access from the internal network to the internet.
• Low priority treatment for downloads from the internal network which are larger than 10 MB.
• For ISDN fallback operation (provider failure) deliver only the VPN and the VoIP application traffic. This is achieved by setting the Web node of the ISDN tree to operate in Drop mode. This way the ISDN line is protected against unwanted web traffic.

Note: TCP traffic
TCP uses a flow control mechanism to throttle the rate at which it sends data. Since traffic shaping interferes with packet delivery (packet delaying or discarding) it will affect this mechanism. Ideally, TCP reduces its sending rate to a level at which the shaping mechanism is no longer forced to discard packets. This is only possible if the traffic shaping mechanism can delay packets long enough that TCP "detects" a smaller bandwidth by measuring longer RTTs (round trip times). A longer delay requires larger queue sizes, which should be considered when configuring virtual interface nodes. Long delays also result in larger latency values, which might be unwanted for other protocols. Therefore, in the case of mixed TCP and other protocol traffic, one might consider using separate traffic shaping nodes for TCP with different queue size settings.
It is also the TCP flow control mechanism which makes the priority weights approximate values. Assume we have 20 TCP sessions, where 10 are classified as high and 10 are classified as medium priority, all trying to get the maximum bandwidth possible. If we configured a ratio of 1:2 for the two priorities we will indeed observe this ratio when measuring the output for the two priorities. But if we change the setup to 1 high priority TCP session and 39 medium TCP sessions the result will change. In fact we will see that the single TCP session gets less bandwidth than we expected. The reason is simply that the flow control mechanism of the 39 TCP sessions generates more traffic while trying to find its optimum rate than the single high priority session does. So if you know beforehand that you want to favour a small number of TCP sessions over a large number of unprivileged TCP sessions you should configure a larger ratio in order to get the wanted output ratio.

Traffic Shaping Configuration:

To configure virtual trees, go to the dialog Box > Traffic Shaping > Virtual Shaping Trees, lower window:

Fig. 3-41 Traffic Shaping Settings Virtual Shaping Trees
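Examples 1 and 2 above describe two different sharing behaviours: a weighted partition among the three priorities of one node, which only acts once the node is saturated, and hard per-customer caps on sub nodes with no borrowing. The following added Python model, which is not code from the guide or from the appliance, computes the resulting steady-state allocation for given demands. The weighted sharing is implemented as weighted max-min sharing; that is this example's choice of model for the behaviour the guide describes, not a description of the appliance's queueing. All demands and link rates are constructed.

```python
"""Steady-state bandwidth allocation for the two sharing behaviours described in
Examples 1 and 2 above. Added example, not Barracuda's own code; it models the
outcome the guide describes, not the appliance's queueing internals. Rates and
demands are in kbit/s and constructed for the illustration."""


def share_by_priority(capacity, demands, weights):
    """Example 1: one node with a partition priority such as high:medium:low = 5:2:1.

    Weighted max-min sharing: while the node is saturated, each priority class
    that is present gets its weighted share of what is left; a class demanding
    less than its share is satisfied in full and the surplus is re-divided among
    the others. Below saturation every class simply gets its demand, so there is
    no prioritisation at all."""
    alloc = {k: 0.0 for k in demands}
    remaining = float(capacity)
    active = [k for k in demands if demands[k] > 0]          # only traffic that is present
    while active and remaining > 0:
        total_w = sum(weights[k] for k in active)
        fair = {k: remaining * weights[k] / total_w for k in active}
        satisfied = [k for k in active if demands[k] <= fair[k]]
        if not satisfied:                                      # all saturate: split by weight
            for k in active:
                alloc[k] = fair[k]
            break
        for k in satisfied:                                    # surplus goes back to the pool
            alloc[k] = float(demands[k])
            remaining -= demands[k]
            active.remove(k)
    return alloc


def share_by_cap(capacity, caps_pct, demands):
    """Example 2: root node with one sub node per customer, each sub node with an
    Assumed Rate in percent of the root. A customer never gets more than its own
    cap, even while others are idle (no borrowing), so the root is never exceeded."""
    if sum(caps_pct.values()) > 100:
        raise ValueError("sub node rates exceed the root rate")
    alloc = {}
    for customer, pct in caps_pct.items():
        cap = capacity * pct / 100.0
        alloc[customer] = float(min(demands.get(customer, 0.0), cap))
    return alloc


def utilisation(capacity, alloc):
    """Fraction of the node's rate in use; shaping only acts when this reaches 1.0."""
    return sum(alloc.values()) / capacity


WEIGHTS_521 = {"high": 5, "medium": 2, "low": 1}

if __name__ == "__main__":
    link = 10_000  # assumed 10 Mbit/s provider line
    # all three classes saturate: 5:2:1 -> 6250 / 2500 / 1250
    print(share_by_priority(link, {"high": 20_000, "medium": 20_000, "low": 20_000}, WEIGHTS_521))
    # well below saturation: everyone gets what it asks for, no prioritisation
    print(share_by_priority(link, {"high": 1_000, "medium": 1_000, "low": 1_000}, WEIGHTS_521))
    # only high and low present: the partition is re-divided between them as 5:1
    print(share_by_priority(link, {"high": 20_000, "medium": 0, "low": 20_000}, WEIGHTS_521))
    # ISP example: 40/20/20/20 % of 100 Mbit/s; customer D stays capped although the line is idle
    print(share_by_cap(100_000, {"A": 40, "B": 20, "C": 20, "D": 20},
                       {"A": 50_000, "B": 5_000, "C": 0, "D": 30_000}))
```

The third case shows the sentence "should not all three types of traffic be in operation, the total bandwidth is divided amongst the available traffic according to the partition priority": with medium absent, high and low split the node 5:1 rather than keeping 62.5 % and 12.5 %. The last case shows the absence of borrowing in Example 2: customer D keeps 20 Mbit/s even though 35 Mbit/s of the line are unused.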

Commands on the context menu:

Table 3-9 Traffic Shaping Settings Virtual Tree commands

Command | Description
Add new virtual tree | Create a new virtual tree.
Add new virtual interface | Create a new virtual interface for the selected virtual tree.
Copy virtual tree | Copy a selected virtual tree and give it another name.
Remove virtual tree | Delete a selected virtual tree.


Table 3-9 Traffic Shaping Settings Virtual Tree commands (continued)

Command | Description
Remove virtual interface | Delete a selected virtual interface.

The dialog box for creating a new virtual tree:

Fig. 3-42 Traffic Shaping Settings dialog box Virtual Device

List 3-63 Traffic Shaping configuration

Parameter | Description
Tree Name | The name of the virtual tree.
Device Name | The name of the virtual interface.

List 3-64 Traffic Shaping configuration section Outbound (traffic sent over the device)

Parameter | Description
Operation Mode | Choose the operational mode for the root virtual interface from the following possibilities:
  Shape: The virtual interface limits traffic according to the settings.
  Passthrough: Every packet received is immediately passed to the next tree node or to the associated network interface.
  Drop: Every packet received is immediately discarded.
  Priority: Every packet received is passed through the shaping tree without passing any queue.
Assumed Rate | This is the limiting bandwidth for the virtual interface. The rate is specified relatively in percent and becomes an absolute value as soon as a physical interface is assigned to the virtual tree.
  Note: Do not produce values lower than 512 kbit/s. With values lower than 512 kbit/s the shaping engine may not provide acceptable results.
  Note: The assignment uses effective interface rates rather than physical line speeds.
  Note: When using decimals be sure to use a period (.) as separator.
Priority Weights | The relative weight of the three priorities high (H), medium (M), low (L) or NoDelay. These weights specify the ratio of the traffic being propagated by a virtual node, assuming that the input traffic is evenly distributed among the three priorities.
Priority Adjustment | When a datagram is passed to the next node in the tree its priority may be adjusted before processing is continued. This way packets may be treated with high priority in one node and with medium or even low priority in the next node.
Queue Size (Bytes) | Size of the virtual interface's internal queue (in bytes). If set to 0, a suitable value is calculated from the virtual interface rate. If not using the default value, note that small queue sizes imply low latencies and large queue sizes imply better TCP handling.

List 3-65 Traffic Shaping configuration section Inbound (traffic received by the device)

The parameters may be configured explicitly for the inbound direction (asymmetric case) or, if As-Outbound is selected, the inbound configuration parameters are taken from the outbound configuration (symmetric case).

Parameter | Description
Operation Mode | Choose the operational mode from the following possibilities:
  As-Outbound: The outbound settings are used for the inbound direction as well.
  Shape: The virtual interface limits traffic according to the settings.
  Passthrough: Every packet received is immediately passed to the next tree node or to the associated network interface.
  Drop: Every packet received is immediately discarded.
Assumed Rate | See section Outbound.
Priority Weights | See section Outbound.
Priority Adjustment | See section Outbound.
Queue Size (Bytes) | See section Outbound.

A new virtual interface can be created on the subordinate level of an existing virtual interface. Choose an existing virtual interface (for a new tree this is the virtual tree's root virtual interface) and select Add new virtual interface.

The dialog box for creating a new virtual interface:

Fig. 3-43 Traffic Shaping Settings dialog box, new virtual interface

Note:
For the parameter description see list 3-63 (page 86), list 3-64 and list 3-65.

To assign a virtual tree to a physical interface, go to the dialog Box > Traffic Shaping > Virtual Shaping Trees and open the context menu. The following commands are available:

Table 3-10 Traffic Shaping Settings Interface commands

Command | Description
Add new interface/tunnel | Assign a virtual tree to a physical interface.
Edit/Show | Change an existing physical interface assignment.
Remove Interface/Tunnel | Delete an existing physical interface assignment.

To configure a physical interface assignment, use the following dialog box:

Fig. 3-44 Traffic Shaping Settings dialog box Device/Tunnel Tree Mapping


List 3-66 Device/Tunnel Tree Mapping

Parameter | Description
Interface / Tunnel Name | Specify the name of the physical interface (for example eth1).
Assigned Virtual Tree | Specify the virtual tree which should be assigned to the network interface.
Outbound Rate | Specify the effective outbound rate of the physical interface.
  Note: This may differ from the rate the physical interface is capable of (for example Internet provider access using a 100 Mbit/s interface of which only 10 Mbit/s are effectively available).
Inbound Rate | Specify the effective inbound rate of the physical interface.

For VPN transports, virtual trees are assigned in the TI settings of the VPN transport.

Fig. 3-45 Traffic Shaping Settings dialog box TINA Tunnel

To carry out the assignment, choose the option Assign Shaping Tree found in the Bandwidth Policy parameter. The maximum bandwidth is defined using the following two fields:

• Maximum rate of outbound traffic [kbit/s]
• Maximum rate of inbound traffic [kbit/s]

A rate of 0 (zero) indicates no shaping.
An inbound rate of -1 indicates that the inbound rate is the same as the outbound rate.

To define and edit shaping connectors, choose the dialog Box > Traffic Shaping > Shaping Connectors, upper window.

Fig. 3-46 Traffic Shaping Settings Shaping Connectors

The following commands are available:

Table 3-11 Traffic Shaping Settings Shaping connector commands

Command | Description
Add new connector | Create a new shaping connector.
Remove connector | Delete an existing shaping connector and all its associated rules.
Append new connector rule | Add a new connector rule. The new rule will be appended at the bottom of the existing list of rules for the selected shaping connector.
Remove connector rule | Delete a connector rule from the list of rules for the selected shaping connector.
Move connector rule down | Move the selected connector rule back one position.
Move connector rule up | Move the selected connector rule forward one position.

To create or change a shaping connector, go to the following dialog box:

Fig. 3-47 Traffic Shaping Settings dialog box Shape connector

List 3-67 Traffic Shaping configuration Shaping connector

Parameter | Description
ID | The shaping connector's index number. For legacy purposes the index numbers 1 to 8 correspond to Band Sys and Band A-G as used for the old traffic shaping. This way existing firewall rules which use the old traffic shaping bands may be migrated to the new traffic shaping.
Name | Give the shaping connector a name.

To edit connector rules, use the following dialog box:

Fig. 3-48 Traffic Shaping Settings dialog box Shape Connector Rule

List 3-68 Shape Connector Rule

Parameter | Description
Priority | Defines the data packet's priority (high, medium, low) should the rule apply. This is the priority at which the packet will eventually be fed into the virtual interface.


List 3-68 Shape Connector Rule (continued)

Parameter | Description
Virtual Device | The name of the virtual interface into which the data packet will be fed, should this rule apply.

List 3-69 Shape Connector Rule section Condition

A connector rule applies if all specified conditions apply:

Parameter | Description
TOS | Indicates that the TOS in the IP header must match the specified value.
Traffic Limit | Indicates that the session must not have exceeded the specified amount of data sent.
Time Period | Indicates an absolute time span during which this rule applies.
Weekday/Hour | Defines the hours of the week during which this rule applies.

Realtime Information

Realtime information of the traffic shaping mechanism is shown in the operative firewall GUI (Shaping). The provided information shows all physical interfaces or VPN transports with an assigned virtual tree. For each tree node traffic information is provided.

Fig. 3-49 Realtime Information Shaping

The individual columns contain the following information.

Table 3-12 Realtime Information Shaping

Column | Description
Interface | The physical network interface or VPN transport.
Dir | Shaping direction (In = inbound; Out = outbound).
VirtualIF | The name of the virtual interface. Here the hierarchy of the virtual tree is presented in a typical tree structure.
Rate-Max | The maximum bandwidth available for each virtual interface.
Rate-Sum | The actual utilized bandwidth of the virtual interface (sum over all priorities).
Rate-H, Rate-M, Rate-L | The actual traffic rate of the three priorities (high, medium, low).
Sessions | The number of active sessions operating on the virtual interface. The first number indicates the number of sessions directly fed into this virtual interface.
Bytes | Number of bytes propagated by the virtual interface.
Packets | Number of packets propagated by the virtual interface.
Drops | Number of drops on the virtual interface due to shaping.

The following commands can be found in the context menu:

Table 3-13 Realtime Information Shaping commands

Command | Description
Reset Interface Statistics | Resets all the virtual tree's statistics.
Show Interface Configuration | Provides information on the effective values operating on the virtual interface. Shows the actual maximum rate and the selected values for the size of internal queues. This command is also accessible by double-clicking on one of the virtual interfaces.

2.2.6.2 Legacy Shaping

The traffic shaping file contains the configuration settings for bandwidth management. Shaping is performed by classifying the traffic into one of the 8 available shaping bands:

• Band A to G
• System Traffic (Management Traffic)

The firewall rules define to which band traffic is assigned. The classification of the traffic can be monitored in the Status tab of the firewall service.

Attention:
When planning the deployment of traffic shaping take the CPU resources of the traffic shaping equipment into consideration. Especially on low-end machines the shaping process on links with high utilisation can cause performance degradation, resulting in high CPU loads and reduced network connectivity. Depending on the system configuration, Barracuda Networks recommends a maximum interface shaping bandwidth of 10 Mbit/s on systems with a CPU clock of 800 MHz or lower.

Fig. 3-50 Config Section - Traffic Shaping

List 3-70 Traffic Shaping configuration

Parameter | Description
Enable Traffic Shaping | This option can be used to quickly enable or disable the traffic shaping subsystem. For the convenience of the system administrator it is still possible to edit the traffic shaping configuration while the subsystem is disabled. The default setting is no.

List 3-71 Traffic Shaping configuration section Policy Definition

This list contains the shaping policies that can be assigned to the shaping-enabled interfaces. A policy defines how the different shaping bands are processed by the network queuing mechanism.

Parameter | Description
Management Traffic | The management traffic is a class that is reserved for traffic generated by the network management protocols of the Barracuda NG Firewall. It can be used to ensure that a minimum of bandwidth is available for the management protocols. This bandwidth is not lost when it is not fully used up by the management protocols; instead the other bands may use the otherwise idle link to extend their bandwidth. This "borrowing" of bandwidth can also be restricted by the Max. Bandwidth setting, which allows you to set a maximum bandwidth share for a single traffic band. Management traffic is different from the traffic of the other bands. Instead of getting a relative share of the total available bandwidth, the management band rates are calculated in absolute numbers. So a setting of 10 % bandwidth means that 10 % of the total interface bandwidth is reserved for management. The rest of the bandwidth, just like the bandwidth that was not used up by management, is available to the bands A to G. If these bands do not exhaust the full capacity of the link, the rest can be used by the management traffic up to its Max. Bandwidth setting, which is 100 % by default.


List 3-71 Traffic Shaping configuration section Policy Definition (continued)

Parameter | Description
Band A to G | These seven bandwidth classes can be used to classify the network traffic of any given network individually. The classification can be done by the firewall rule set or manually in the "Status" tab of the firewall. The A-G traffic bands share their bandwidth in the relation of their bandwidth settings. A maximum setting may also be defined to limit the total traffic bandwidth of any band. The share that is not consumed by the A-G bands is available to the management traffic until its maximum share limit is exhausted.
Bandwidth (%) | The bandwidth defines the share of the total traffic that is available to a band. When there is still bandwidth available after every band has claimed its share, then additional resources can be used until the link is fully utilized.
Max. Bandwidth (%) | The maximum bandwidth defines an upper limit of traffic bandwidth that may be used by a band. No band is allowed to exceed its limit.

List 3-72 Traffic Shaping configuration section Devices

The interfaces that are going to be used by the traffic queuing must be listed here, together with the total bandwidth that is available for inbound and outbound traffic.

Parameter | Description
Device | This is the network interface that should be used for application of the shaping policy. Only static interfaces may be used (eth0, tr1, ...). Network interfaces that establish the network connection dynamically (for example, ppp0) may not be entered here. In these cases the symbolic name DYNAMIC_adsl should be used for ADSL connections and DYNAMIC_isdn for ISDN connections.
Outbound Bandwidth (kbit) | The outbound bandwidth defines the maximum bandwidth in kbit/s that may be utilized by network traffic. This can also be used for setting a maximum egress traffic limit on the given interface.
Policy | The policy of the interface defines how the bands share the available network bandwidth.
Enable Inbound Shaping | If this option is set to yes the shaping mechanism is also applied to inbound traffic. The same traffic policy, which is used for outbound traffic, is then also used for inbound traffic.
Inbound Bandwidth (kbit) | The inbound bandwidth defines the maximum inbound bandwidth in kbit/s that may be utilized by network traffic. This can also be used for setting a maximum ingress traffic limit on the given interface. If this field is left blank, the same bandwidth setting is used that was defined in the entry Outbound Bandwidth (kbit).

Calculation of Bandwidth Settings

The main purpose of traffic shaping is to confine the maximum network bandwidth an application may utilize, in order to guarantee full functionality and availability of another application with higher priority. Moreover, traffic shaping can be used to limit the speed of network connections.

Bandwidth Calculation

Regarding the interaction between traffic shaping parameters, the following applies:

• Bandwidth percentage settings:
In the configuration dialog of the Policy Definition, bandwidth settings must be configured only for effective bands. Settings of ineffective bands will be ignored until those bands are activated in a rule set.

• Calculation of Traffic Shaping quotas:
Two variants exist for how Traffic Shaping quotas can be calculated (in the example, an interface bandwidth of 1 Mbit/s is assumed):

1. Calculation by ratio
This calculation method is the easiest way to keep an overview of the configured settings. In Variant 1 a defined absolute share is first assigned to Management Traffic; the remaining interface bandwidth is then taken as 100 %. In the example, 10 % of the total available interface bandwidth is assigned to Management Traffic. The settings of the other bands (excluding the Management Traffic setting) are then configured to add up to 100 %. The bandwidth calculation is thus based on a remaining total bandwidth of 900 kbit/s instead of 1 Mbit/s.

Table 3-14 Bandwidth calculation by ratio

Band | Bandwidth Setting | Ratio | Interface Bandwidth | Available Bandwidth
Management Traffic | 10 / 100 | 10 % of total interface bandwidth | 1 Mbit/s | 100 kbit/s
Band A | 40 / 100 | 40 % of total bandwidth | remainder 900 kbit/s | 360 kbit/s
Band B | 60 / 100 | 60 % of total bandwidth | remainder 900 kbit/s | 540 kbit/s

2. Calculation by total percentage
The settings in Variant 2 lead to the same result. The sum of all bandwidth settings is configured not to exceed 100 %. Keep in mind that the bandwidth setting for Management Traffic takes a special position, as it is calculated as an absolute share of the total available interface bandwidth. In the example, 10 % of the interface bandwidth is assigned to Management Traffic, and 36 % and 54 % respectively are assigned to Bands A and B.

Table 3-15 Bandwidth calculation by total percentage

Band | Bandwidth Setting | Ratio | Interface Bandwidth | Available Bandwidth
Management Traffic | 10 / 100 | 10 % of total interface bandwidth | 1 Mbit/s | 100 kbit/s
Band A | 36 / 100 | 36 % of total bandwidth | 1 Mbit/s | 360 kbit/s
Band B | 54 / 100 | 54 % of total bandwidth | 1 Mbit/s | 540 kbit/s
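The two calculation variants above, as an added Python calculator that is not code from the guide or from the appliance: calculation by ratio treats the band settings as shares of what is left after the absolute Management Traffic share, calculation by total percentage treats every setting as a share of the whole interface, and a third function converts settings from the first form into the second. A fourth function derives the per-direction guaranteed share and ceiling of each band for an interface entry, which is the arithmetic behind the effective values given for the DSL example configuration later in this section. Band names, rates and policy values are taken from the guide's examples; the function names and the error checks are this example's own.

```python
"""Legacy shaping quota calculation: the two variants described above
(calculation by ratio, calculation by total percentage) and the per-direction
effective band rates of an interface entry. Added example, not Barracuda's own
code; it reproduces only the arithmetic the guide describes. Rates in kbit/s."""


def quotas_by_ratio(interface_kbit, mgmt_pct, band_pct):
    """Variant 1: Management Traffic is an absolute share of the interface;
    the band settings are percentages of the remainder and add up to 100."""
    if not 0 <= mgmt_pct <= 100 or sum(band_pct.values()) > 100:
        raise ValueError("band settings must not exceed 100 % of the remainder")
    mgmt = interface_kbit * mgmt_pct / 100.0
    remainder = interface_kbit - mgmt
    quotas = {"Management Traffic": mgmt}
    quotas.update({band: remainder * pct / 100.0 for band, pct in band_pct.items()})
    return quotas


def quotas_by_total(interface_kbit, mgmt_pct, band_pct):
    """Variant 2: every setting, management included, is a percentage of the
    full interface rate, so all settings together must not exceed 100."""
    if mgmt_pct + sum(band_pct.values()) > 100:
        raise ValueError("settings add up to more than 100 % of the interface")
    quotas = {"Management Traffic": interface_kbit * mgmt_pct / 100.0}
    quotas.update({band: interface_kbit * pct / 100.0 for band, pct in band_pct.items()})
    return quotas


def ratio_to_total(mgmt_pct, band_pct):
    """Convert Variant 1 band settings into the equivalent Variant 2 settings
    (with 10 % management, 40/60 of the remainder becomes 36/54 of the total)."""
    factor = (100 - mgmt_pct) / 100.0
    return {band: pct * factor for band, pct in band_pct.items()}


def effective_band_rates(policy, outbound_kbit, inbound_kbit=None):
    """Guaranteed share and ceiling per band and direction for an interface entry.

    policy: {band: (bandwidth_pct, max_bandwidth_pct)} as in the Policy
    Definition; bands set to (0, 0) are not in use and are skipped. A blank
    inbound bandwidth means 'same as outbound' (Inbound Bandwidth parameter)."""
    if inbound_kbit is None:
        inbound_kbit = outbound_kbit
    result = {}
    for band, (share, ceiling) in policy.items():
        if share == 0 and ceiling == 0:
            continue
        if share > ceiling:
            raise ValueError(f"{band}: guaranteed share above its maximum")
        result[band] = {
            "out": (outbound_kbit * share / 100.0, outbound_kbit * ceiling / 100.0),
            "in": (inbound_kbit * share / 100.0, inbound_kbit * ceiling / 100.0),
        }
    return result


if __name__ == "__main__":
    # 1 Mbit/s line, 10 % management, bands A and B: both variants give 100/360/540
    print(quotas_by_ratio(1000, 10, {"Band A": 40, "Band B": 60}))
    print(quotas_by_total(1000, 10, {"Band A": 36, "Band B": 54}))
    print(ratio_to_total(10, {"Band A": 40, "Band B": 60}))
    # DSL example: policy "dslconnection" on 768 kbit/s upstream / 2048 kbit/s downstream
    dsl = {"Management Traffic": (0, 0), "Band A": (70, 100), "Band B": (30, 100)}
    print(effective_band_rates(dsl, outbound_kbit=768, inbound_kbit=2048))
```

The two quota functions return identical results for the guide's figures, which is the point of the conversion: a policy written by ratio is easier to read, but the appliance's Management Traffic share is always absolute, so the checker for "settings must not exceed 100 %" differs between the two variants.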


Example Configurations for Traffic Shaping

The following traffic shaping scenarios are imaginable:

• Example 1
A company network is connected to the Internet with DSL through an exclusive interface (transfer rates 2048 kbit/s downstream, 768 kbit/s upstream). The aim is to guarantee bandwidth for Remote Desktop connections running beside other common Internet applications.

Fig. 3-51 Traffic Shaping scenario 1 - Bandwidth configuration for inbound and outbound connections (DSL connection on eth0: downstream 2048 kbit/s, upstream 768 kbit/s)

Note:
In setups where only one traffic-shaping interface is involved, both inbound and outbound bandwidth must be configured, as outbound traffic arrives at the gateway without prioritisation.

Step 1
Configure a Forwarding Firewall Rule Set allowing DSL connections from the company network to the Internet for common Internet applications. Assign a Band to the Rule Set in the Parameter Section of the Edit/Create Rule configuration window. By default Band A is preselected. If Traffic Shaping is not enabled, the Band selection is nothing more than an unused parameter in the configuration. As soon as Traffic Shaping is enabled, the selected Band comes into effect.

Step 2
Configure a Forwarding Firewall Rule Set allowing Remote Desktop connections over the DSL interface. Assign a Band to the Rule Set in the Parameter Section of the Edit/Create Rule configuration window. In the example, usage of Band B is assumed.

Step 3
On the box browse to Config > Box > Traffic Shaping. Enable Traffic Shaping by setting the parameter of the same name to yes.

Step 4
Define a shaping policy through parameter Policy Definition. The following policy would suit the needs:

Table 3-16 Example 1 Policy Definition configuration

Parameter | Description
Policy Name | dslconnection
Management Traffic | Ratio: bandwidth 0 % / maximum bandwidth 0 %
Band A | 70 / 100
Band B | 30 / 100
Band C - Band G | 0 / 0

Note:
Settings for Band C to Band G may as well be left at the default setting 100 / 100. As long as the Bands are not allotted, the settings are ignored.

Step 5
Assign policy dslconnection to an interface through parameter Devices. The following configuration settings apply:

Table 3-17 Example 1 Interfaces configuration

Parameter | Description
Name | dslconnection
Outbound Bandwidth (kbit) | 768 (upstream)
Interface | eth0
Policy | dslconnection
Enable Inbound Shaping | yes
Inbound Bandwidth (kbit) | 2048 (downstream)

Through the configured settings, the following effective values apply:

Band A: 70 / 100
Band A may use 70 % of the available 2048 kbit/s downstream and 768 kbit/s upstream, that is 1433.6 kbit/s and 537.6 kbit/s, respectively. If Band B does not claim its share, Band A may use all available bandwidth up to 100 % of the total amount.

Band B: 30 / 100
Band B may use 30 % of the available 2048 kbit/s downstream and 768 kbit/s upstream, that is 614.4 kbit/s and 230.4 kbit/s, respectively. If Band A does not claim its share, Band B may use all available bandwidth up to 100 % of the total amount.

• Example 2
A company network spans two locations, which continuously perform common tasks such as browsing the Internet, sharing files, utilising terminal sessions, and so on. The two locations are connected via Frame Relay supporting speeds up to 1 Mbit/s. The aim is to guarantee non-disrupted e-mail traffic and constant room for management traffic.

Fig. 3-52 Traffic Shaping scenario 2 Prioritisation of applications (LAN 1, eth0 - Frame Relay 1 Mbit/s - eth0, LAN 2)

Step 1
On Barracuda NG Firewalls 1 and 2 configure Forwarding Firewall Rule Sets allowing connections to the desired applications such as Internet, file sharing, terminal sessions and so on. Assign the same Band to all these rule sets in the Parameter Section of the Edit/Create Rule configuration window. In the example, usage of Band A is assumed.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Step 2
On Barracuda NG Firewalls 1 and 2, configure a Forwarding Firewall Rule Set controlling e-mail traffic between the company locations. Assign a Band to this rule set in the Parameter Section of the Edit/Create Rule configuration window. In the example, usage of Band B is assumed.

Step 3
On both boxes, browse to Config > Box > Traffic Shaping. Enable Traffic Shaping by setting the parameter of the same name to yes.

Step 4
On both boxes, define shaping policies through the parameter Policy Definition. The following policy suits the needs:

Table 318 Example 2 Policy Definition configuration
Parameter          | Value
Policy Name        | emailpriority
Management Traffic | Ratio: bandwidth 10 % / maximum bandwidth 100 %
Band A             | 40 / 100
Band B             | 60 / 100
Band C - Band G    | 0 / 0

Step 5
Assign the policy emailpriority to an interface through the parameter Devices. The following configuration settings apply:

Table 319 Example 2 Interfaces configuration
Parameter                 | Value
Name                      | emailpriority
Outbound Bandwidth (kbit) | 1000
Interface                 | eth0 (on each box, select the interface which connects to the other location)
Policy                    | emailpriority
Enable Inbound Shaping    | no
Inbound Bandwidth (kbit)  | -

Through the configured settings, the following effective values apply:

Management Traffic: 10 / 100
As the highest priority is always assigned to administration tasks, Management Traffic may at all times use 10 % of the interface's bandwidth, that is 100 kbit/s. If not used by other bands, it may use all available bandwidth, up to 100 % of the total amount.

Band A: 40 / 100
As 10 % of all available bandwidth is allotted to Management Traffic, Band A may use 40 % of the remaining 900 kbit/s, that is 360 kbit/s. If not used by other bands, it may use all available bandwidth, up to 100 % of the total amount, that is 1 Mbit/s. In this case, if Management Traffic does not claim its share, Band A may use its bandwidth as well.

Band B: 60 / 100
Band B may use 60 % of the remaining 900 kbit/s, that is 540 kbit/s (see Band A for the explanation). If not used by other bands, it may use all available bandwidth, up to 100 % of the total amount.

2.2.7 Administrators

Multiple administrators with different rights managing the stand-alone Barracuda NG Firewall are maintained in this configuration file.

To enter the admin configuration, double-click the config-tree entry Administrators and change to read-write mode by clicking Lock. Now click Insert to start the configuration sequence by entering the administrator login name.

Note:
The login name may contain only digits and Latin characters without special characters.

To modify an existing profile, select it from the list and click the Edit button, which opens the configuration dialog.
To delete a profile, select it from the list and click the Delete button.

List 373 Administrators configuration section Account Description

Disabled
    A newly configured profile is active by default (default: No). Disable an administrator's profile by setting the value to yes. With a disabled profile, logging into the system is no longer possible.
    Attention:
    As soon as an administrator's profile is disabled, all processes owned by that administrator are killed and the home directory is removed.

Full Name
    Enter a name here using Latin characters without special characters. The entry is mandatory.

List 374 Administrators configuration section Administrator Authorization

Roles
    Six predefined roles exist which can be assigned to each additional administrator: Manager, Operator, Mail, Security, Audit, and Cleanup. For detailed information on the permissions and restrictions associated with each role, see table 320, page 92.

Shell Level
    This menu provides options to control the shell access of the administrator. The following entries are available:
    No_Login: the administrator cannot access the shell.
    Standard_Login: allows access to the system on the OS layer via a default/standard user account (home directory: user/phion/home/username).
    Restricted_Login: permits system access via a restricted shell (rbash). As its name implies, this type of shell has limitations, such as not permitting commands containing slashes or changing directories with cd. A restricted login confines any saving action to the user's home directory.
    Attention:
    Data saved to the home directory is deleted as soon as the administrator with restricted access logs out again.

List 375 Administrators configuration section Administrator Authentication

Authentication Level
    This menu allows specifying the type of required authentication. The available settings are Key-OR-Password, Password (default), Key and Key-AND-Password. Depending on the selection in this menu, the parameters described below will or will not be available.

External Authentication
    Choose the authentication method for external authentication of an administrator. For further information on authentication schemes, see 5.2.1 Authentication Service, page 111.


List 375 Administrators configuration section Administrator Authentication (continued)

External Login Name
    Specify an external login name for the administrator.

Password
    Specify the administrator's password here. Confirm the password in the Confirm field.

Next Forced Change [d]
    The validity period of the password in days. As soon as this period expires, the administrator is forced to change the password.

Warning Period [d]
    The number of days prior to the password expiration date from which on a warning message is displayed to the administrator.

Expiry Grace Period [d]
    The number of days by which the administrator may exceed the parameter Next Forced Change [d].

Change Mode
    Defines whether a password may be used again as it is (entry allow_reuse_of_previous, default) or whether a different password is mandatory (entry force_different_password).

Public RSA Key
    As soon as the parameter Authentication Level contains a Key component, this parameter is mandatory. This menu is used for importing the Public RSA Key (required for successful certificate verification) either via a file, from the clipboard or from the certificate management.

List 376 Administrators configuration section Administrator Access Control

Peer IP Restriction
    Via this field, the administrator's access can be restricted to the listed peer IP addresses (the systems within her/his scope). Enter the required IP address into this field and click the Insert button to the right in order to add the address to the configuration. To modify an existing entry, select it in the list, edit the entry and then click the Change button. To delete an entry, select it and click the Delete button.

Login Event
    This menu specifies the way a login is recorded. The entry Service_Default (default) is a reference to the settings made within the Access Notification (see Access Notification, page 105). The entry Silent suppresses event notification except for login failure events, which always revert to the Service_Default settings.
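The following is an added example, not code from the Barracuda manual or the product: it models how the parameters of Lists 373 to 376 combine into one login decision, so that the effect of Disabled, Peer IP Restriction, Authentication Level, the three password-period parameters and Login Event can be checked against concrete cases. Parameter names follow the manual; the order of the checks, the reading that a login inside the Expiry Grace Period is still allowed but must change the password, and all field, function and event-handling names are assumptions for illustration. Dates and addresses are constructed sample data.

```python
"""Added example: login decision over the Administrators settings of Lists 373-376.
Not the product's code; check order and naming are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address
from typing import List, Tuple


@dataclass
class AdminProfile:
    login: str
    disabled: bool = False                        # List 373: Disabled
    authentication_level: str = "Password"        # List 375: Password (default), Key, Key-OR-Password, Key-AND-Password
    next_forced_change_d: int = 90                # List 375: password validity in days
    warning_period_d: int = 7                     # List 375: warn this many days before expiry
    expiry_grace_period_d: int = 5                # List 375: days the expiry may be exceeded
    password_set_on: str = "2010-01-01"           # constructed sample date (ISO format)
    peer_ip_restriction: List[str] = field(default_factory=list)  # List 376: empty means unrestricted
    login_event: str = "Service_Default"          # List 376: Service_Default or Silent


def _as_date(value) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_state(profile: AdminProfile, today) -> str:
    """Classify the password age: ok, warning (inside Warning Period),
    grace (expired but inside Expiry Grace Period) or locked."""
    age = (_as_date(today) - _as_date(profile.password_set_on)).days
    expiry = profile.next_forced_change_d
    if age < expiry - profile.warning_period_d:
        return "ok"
    if age < expiry:
        return "warning"
    if age < expiry + profile.expiry_grace_period_d:
        return "grace"
    return "locked"


def credentials_satisfy(level: str, password_ok: bool, key_ok: bool) -> bool:
    """Evaluate the Authentication Level combination of List 375."""
    return {
        "Password": password_ok,
        "Key": key_ok,
        "Key-OR-Password": password_ok or key_ok,
        "Key-AND-Password": password_ok and key_ok,
    }[level]


def login_decision(profile: AdminProfile, peer_ip: str, password_ok: bool,
                   key_ok: bool, today) -> Tuple[bool, str, str]:
    """Return (allowed, reason, event handling). Failures are always reported
    via Service_Default (List 376); a success follows the Login Event setting."""
    def refuse(reason: str) -> Tuple[bool, str, str]:
        return False, reason, "Service_Default"

    if profile.disabled:                                   # List 373
        return refuse("profile disabled")
    if profile.peer_ip_restriction:                        # List 376
        allowed_peers = {ip_address(a) for a in profile.peer_ip_restriction}
        if ip_address(peer_ip) not in allowed_peers:
            return refuse("peer IP not permitted")
    if not credentials_satisfy(profile.authentication_level, password_ok, key_ok):
        return refuse("authentication failure")
    state = password_state(profile, today)
    if state == "locked":
        return refuse("password expired beyond grace period")
    event = "Silent" if profile.login_event == "Silent" else "Service_Default"
    if state == "warning":
        return True, "password expires soon", event
    if state == "grace":
        return True, "password change required", event
    return True, "ok", event


if __name__ == "__main__":
    ops = AdminProfile(login="ops", peer_ip_restriction=["10.0.0.5"])
    print(login_decision(ops, "10.0.0.5", True, False, "2010-04-01"))
    print(login_decision(ops, "10.0.0.9", True, False, "2010-01-31"))
```

The cheap checks (disabled profile, peer IP) come before credential verification, so a disabled or out-of-scope account never reaches the authentication module; with Key-AND-Password a stolen password alone is refused; and because failures always report via Service_Default, setting Login Event to Silent hides successful logins only. Populate Peer IP Restriction with the management network of every administrator rather than leaving it empty.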

Table 320 Authorisations associated with administrator roles
Legend: x = the role may perform the item, - = not permitted

Box menu / Software item             Manager  Operator  Mail  Security  Audit  Cleanup
Antivir                              x        -         -     x         -      -
  Update Pattern                     x        -         -     x         -      -
  Disable/Enable Pattern Update      x        -         -     x         -      -
Config                               x        -         -     x         x      -
  Create a DHA box                   x        -         -     -         -      -
  Create a PAR file                  x        -         -     -         -      -
  Create a repository                x        -         -     -         -      -
  Create a server                    x        -         -     -         -      -
  Create a service                   x        -         -     -         -      -
  Kill configuration sessions        x        -         -     -         -      -
  HA synchronisation                 x        -         -     x         -      -
Control                              x        x         -     x         -      -
  Activate new network configuration x        x         -     -         -      -
  Block a server                     x        x         -     -         -      -
  Block a service                    x        x         -     -         -      -
  Time control                       x        -         -     -         -      -
  Delete Wild Route                  x        x         -     -         -      -
  Import license                     x        -         -     -         -      -
  Kill sessions                      x        x         -     -         -      -
  OS Restart                         x        x         -     -         -      -
  Reboot Box                         x        x         -     -         -      -
  Remove license                     x        -         -     -         -      -
  Restart network configuration      x        x         -     -         -      -
  Show license                       x        x         -     -         -      -
  Start a server                     x        x         -     -         -      -
  Stop a server                      x        x         -     -         -      -
DHCP                                 x        x         -     -         -      -
  GUI commands                       x        x         -     -         -      -
Events                               x        x         -     x         x      x
  Confirm events                     x        x         -     -         -      x
  Delete events                      x        -         -     -         -      x
  Mark events as read                x        x         -     -         -      x
  Set events to silent               x        x         -     -         -      x
  Stop alarm                         x        x         -     -         -      x
Firewall                             x        x         -     x         x      -
  Access to trace tab                x        -         -     x         -      -
  Remove entries from cache          x        -         -     x         -      -
  Terminate connections              x        x         -     x         -      -
  Create dynamic rules               x        x         -     x         -      -
  Kill a process                     x        x         -     x         -      -
  Modify connections                 x        x         -     x         -      -
  Modify traces                      x        -         -     x         -      -
  Toggle traces                      x        -         -     x         -      -
  View rules                         x        -         -     x         -      -
Logs                                 x        -         -     x         x      x
  Delete resource logs (box_)        x        -         -     -         -      x
  Delete service logs                x        -         -     -         -      x
  Read resource logs (box_)          x        -         -     x         x      x
  Read service logs                  x        -         -     x         x      x
Mail                                 x        -         x     -         x      -
  GUI commands                       x        -         x     -         -      -
  View Stripped Attachments          x        -         x     -         x      -
  Retrieve Stripped Attachments      x        -         x     -         -      -
  Delete Stripped Attachments        x        -         x     -         -      -
Access Control Service
  Enable Commands                    x        -         -     x         -      -
  Block Sync                         x        -         -     x         -      -
SSL-Proxy
  Access Cache Management            x        -         -     x         -      -
  Ticket Management                  x        -         -     x         -      -
  Cert Authorities Management        x        -         -     x         -      -
  XML Services Management            x        -         -     x         -      -
Statistics                           x        -         -     x         x      x
  Delete resource logs (box_)        x        -         -     -         -      x
  Delete service logs                x        -         -     -         -      x
  Read resource logs (box_)          x        -         -     x         x      x
  Read service logs                  x        -         -     x         x      x
VPN                                  x        x         -     x         x      -
  Disable VPN connections            x        x         -     x         -      -
  Disconnect VPN connections         x        x         -     x         -      -
  View Configuration                 x        -         -     x         -      -

2.2.8 Box Licenses

The configuration file Box Licenses is a container for all license data a system requires for non-demo mode operation. Purchased licenses may be imported from the clipboard or directly from the license file. Licenses are active on the system immediately after the change has been activated.

Note:
Importing licenses within the Box Licenses node has the same effect as using the license import facility of the control daemon. This means that licenses which are imported or deleted in the box control Licenses view will be inserted into or removed from the configuration file Box Licenses. On a stand-alone system, both approaches may be used interchangeably.

To open the configuration file, double-click Box Licenses.

Fig. 353 License Configuration

List 377 Advanced Configuration section License Configuration

Licenses
    To import a Barracuda Networks license (.lic), click the Import button and, depending on how the license file has been delivered, select a suitable context-menu entry from the list.

3. Configuring a New Server

3.1 General

A server may be configured with one or multiple IPs. It can either run on a single box or, in case of a redundant or high availability (HA) setup, on two boxes.

A server name may contain a maximum of eight characters. It must not contain underscores or special characters except the minus sign.

Gather information about the following before introducing a server:
- How will the server be named?
- Which IP addresses will it employ?

The introduction of servers and services is the first action required after having installed a Barracuda NG Firewall system. Until this is done, the box provides no special functions.

Fig. 354 Context menu of the Servers directory

To enter the configuration dialog, right-click Virtual Servers and select Create Server from the context menu.

Note:
Creating a new server is only available for Barracuda NG Firewalls on standard hardware (parameter Appliance Model).

Attention:
To keep log files clearly arranged, avoid naming a server "box". Choose a significant name instead.

The data inserted into the server configuration dialog is stored in the Server Properties file, which is a standard component of each server branch of the tree.

Note:
Use this file to alter server/service configuration settings, such as IP addresses.

Because the configuration parameters in the Server Properties section vary slightly in detail, note that servers can be introduced on the following systems and places in the configuration tree:
- on single boxes (3.2 Server Configuration on Single Boxes, page 95)
- on Barracuda NG Control Centers (Barracuda NG Control Center 3.1 Configuring the Box, page 418)
- on CC-administered boxes (3.3 Server Configuration on CC-administered Boxes, page 96)

The differences between the configuration details result from the interconnection between service availability and the platform the Barracuda NG Firewall system is installed on (Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16).

The Product Type has to be specified when creating a server in order to avoid creating services later on that cannot be executed on the purchased system. The selection displayed in the Product Type field is determined and narrowed by the specifications made in the Box Properties (2.2.2 Box Properties, page 52).

Consider the following example:
You have installed a single box using the installation tool Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings) and have specified the following values for the box configuration:

Table 321 Example Box configuration
Parameter       | Value
OS Platform     | Barracuda NG Firewall
Product Type    | sectorwall
Appliance Model | standard-hardware

As you proceed with creating a server on this box, you will notice that you have to choose sectorwall as Product Type again, because otherwise no box will be offered for selection in the Active Box and Backup Box fields.

Correspondingly, when administering multiple non-identical boxes on a Barracuda NG Control Center, the view in the box fields will always be narrowed down to the systems suitable for server creation with the chosen product type.

Note:
Servers cannot be moved to boxes set up with another product type.


3.2 Server Configuration on Single Boxes

3.2.1 General

Fig. 355 Server configuration (single box) - General

List 378 Server configuration - General settings on single boxes section Virtual Server Definition

Server Name
    The server name is created the moment the server is introduced and cannot be changed later on. The name may contain a maximum of eight characters (digits, "-", and characters from the Latin character set excluding special characters).

Description
    Provide a brief but significant description of your server here.

Product Type
    Each product type allocates a specific range of services (Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16). The product type chosen here determines which services will be available for creation. Choose the product type matching the box(es) you are creating the server for.

Active Box
    The box on which the service is meant to run has to be specified as Active Box. In high availability (HA) setups, two boxes can run active servers alternately to achieve a load-balanced system (High Availability, page 399). When creating a server on a single box, the box itself has to be specified as active box. In HA setups, where the configuration is always done on the primary box, the HA partner has to be specified as active box if it should run the server actively.
    Note:
    When creating a server for the first time, the Active Box field cannot be edited. Nevertheless, the server will be allocated to it.

Backup Box
    In HA setups (High Availability, page 399), this field expects the definition of the HA partner.

Encryption Level
    Set the encryption level to Full-Featured-Encryption when installing a fully licensed system. Otherwise, select Export-Restricted-Encryption when installing a DEMO mode or export-restricted gateway.

List 379 Server configuration - General settings on single boxes section Virtual Server IP Addresses

First-IP [S1]
    This address is the primary address of the server. The IP entered here usually reflects the internal side, which means the primary box network.

Reply to Ping
    Controls whether the primary address of the server will respond to an ICMP echo request (default: no).

Second-IP [S2]
    This address is the secondary address of the server.

Reply to Ping
    Controls whether the secondary address of the server will respond to an ICMP echo request (default: no).

Additional IP
    Array of additional IPs that should be activated. Again, the parameter Reply to Ping controls whether an address will respond to ICMP echo requests.
    Note:
    Maximum number of entries that do not reply to a ping: 256 (including First-IP and Second-IP).

3.2.2 Monitoring

List 380 Server configuration (single box) - Monitoring settings section Operation Mode

Enable Monitoring on Secondary
    When Monitoring on Secondary is enabled (default setting: yes), the activated HA partner will also disable this server as soon as the monitored interfaces or IPs are no longer available from its own position. Set to no, the non-availability will not be noticed and the server will continue to run.
    Note:
    Even when the server is running on the secondary box, the probing conditions will be recognised. This setting only influences the behaviour of the server if it is active on the secondary box and the probing conditions do not match.

List 381 Server configuration (single box) - Monitoring settings section IP Monitoring

IP Monitoring Policy
    Here you may specify the monitoring policy. The following policies are available:
    no-monitoring (default)
    all-OR-all-present
        Expects the IPs of at least one IP pool to be completely present. If you are monitoring multiple IPs in pool Monitor IPs I only, all these addresses must be available. If you are monitoring multiple IPs in both pools Monitor IPs I and Monitor IPs II, the IP addresses of at least one of these pools must be completely available.
    one-AND-one-present
        Expects one IP to be available from each pool used. If you are monitoring multiple IPs in the pool Monitor IPs I only, at least one IP from this pool has to be available. If you are monitoring multiple IPs in both pools Monitor IPs I and Monitor IPs II, at least one IP address has to be available in each pool.

Monitor IPs I / II
    Here you may specify IP addresses that must be reachable via the ICMP protocol by the box hosting the server in order for the server to stay up. Reachability is checked at 10 s intervals. In case no answer is received, the IPs are probed every second for a 10 s period. Depending on the current monitoring settings, the server is deactivated either if no response at all or if no response from one of the IPs is received. The server is reactivated as soon as subsequent probes at 10 s intervals yield a positive result. The probing is carried out by the control daemon (a box service).
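As an added example, not code from the Barracuda manual or the control daemon, the following evaluates the two monitoring policies of List 381 over the pools Monitor IPs I and II and replays the probe schedule described for Monitor IPs I / II (regular probes every 10 s, a 10 s burst of per-second probes after a miss, deactivation if the burst yields nothing, reactivation on the next positive regular probe). The Interface Monitoring policies of List 382 below apply the same two rules to Monitor Devs I / II, so policy_holds can be fed link states in the same way. The pool contents, addresses and the outage window are constructed sample data; the function names and the exact moment at which the deactivation is recorded are assumptions for illustration.

```python
"""Added example: server monitoring policies of List 381/382 and the probe
schedule of Monitor IPs I / II. Not the product's code; names are assumptions."""
from typing import Callable, Dict, List, Tuple

PoolStates = Dict[str, Dict[str, bool]]   # pool name ("I", "II") -> {member: reachable}


def policy_holds(policy: str, pools: PoolStates) -> bool:
    """Apply the selected monitoring policy to one set of probe results.
    A pool without members is not "used" and is ignored; the manual only
    speaks of the pools that are used."""
    used = [members for members in pools.values() if members]
    if policy == "no-monitoring" or not used:
        return True
    if policy == "all-OR-all-present":
        # the members of at least one used pool must be completely present
        return any(all(members.values()) for members in used)
    if policy == "one-AND-one-present":
        # every used pool must have at least one member present
        return all(any(members.values()) for members in used)
    raise ValueError(f"unknown monitoring policy {policy!r}")


def simulate(policy: str, probe: Callable[[int], PoolStates],
             until: int) -> List[Tuple[int, str]]:
    """Replay the control daemon's schedule on a simulated clock (seconds):
    a regular probe every 10 s; after a miss, one probe per second for a 10 s
    period; if none of those succeeds the server is deactivated; a later
    regular probe that succeeds reactivates it. Returns the transitions."""
    t, server_up, events = 0, True, []
    while t <= until:
        if policy_holds(policy, probe(t)):
            if not server_up:
                server_up = True
                events.append((t, "up"))
        elif server_up:
            # first miss while up: fast probes for a 10 s period before giving up
            recovered = any(policy_holds(policy, probe(t + s)) for s in range(1, 11))
            if not recovered:
                server_up = False
                events.append((t + 10, "down"))
        t += 10
    return events


def sample_probe(outage: Tuple[int, int] = (20, 60)) -> Callable[[int], PoolStates]:
    """Constructed sample data: the router 10.0.0.1 (pool I) and the remote
    gateway 192.0.2.1 (pool II) sit behind one upstream link that is down for
    t in [start, end); the host 10.0.0.2 (pool I) always answers."""
    start, end = outage

    def probe(t: int) -> PoolStates:
        link_up = not (start <= t < end)
        return {"I": {"10.0.0.1": link_up, "10.0.0.2": True},
                "II": {"192.0.2.1": link_up}}

    return probe


if __name__ == "__main__":
    for policy in ("all-OR-all-present", "one-AND-one-present"):
        print(policy, simulate(policy, sample_probe(), 100))
```

Everything here hinges on ICMP echo replies: a firewall rule or host policy that starts dropping echo requests deactivates the server exactly like a real outage, so monitor addresses you control (the next-hop router, the HA partner's network) and, before enabling a policy, walk through the cases that matter to you as above to confirm that a single failed host and a lost upstream are classified the way you intend.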


List 382 Server configuration (single box) - Monitoring settings section Interface Monitoring

Interface Monitoring Policy
    Here you may specify the interface monitoring policy. The following policies are available:
    no-monitoring (default)
    all-OR-all-present
        Expects the interfaces of at least one interface pool to be completely present. If you are monitoring multiple interfaces in pool Monitor Devs I only, all these interfaces need to be available. If you are monitoring multiple interfaces in both pools Monitor Devs I and Monitor Devs II, the interfaces of at least one of these pools must be completely available.
    one-AND-one-present
        Expects one interface to be available from each interface pool used. If you are monitoring multiple interfaces in the pool Monitor Devs I only, at least one interface from this pool has to be available. If you are monitoring multiple interfaces in both pools Monitor Devs I and Monitor Devs II, at least one interface has to be available in each pool.

Monitor Interfaces I / II
    Here you may specify physical interfaces which must have a link in order for the server to stay up. The link status is checked on a regular basis. Depending on the current monitoring settings, the server is deactivated either if no link at all or if no link on one of the interfaces is recognised. The server is reactivated as soon as the link status of the monitored interface is up again. The probing is carried out by the control daemon (a box service).

3.2.3 Scripts

List 383 Server configuration (single box) - Scripts configuration section Server Scripts

Start Script
    Free text area containing command sequences which are executed whenever the server is started up. Use 7-bit ASCII characters and standard BASH (Version 2 compliant) syntax.

Stop Script
    Free text area containing command sequences which are executed whenever the server is shut down. Use 7-bit ASCII characters and standard BASH (Version 2 compliant) syntax.
    Attention:
    Using phionctrl in the Start and Stop Script fields might cause a deadlock. Do not use phionctrl in this place.

3.3 Server Configuration on CC-administered Boxes

On CC-administered boxes, the Active Box and Backup Box fields are named slightly differently (see list 378, page 95). The implications remain similar though:

List 384 Server configuration (CC) - General configuration section Virtual Server Definition

Primary Box
    The box on which the service is meant to run has to be specified as Primary Box. In high availability (HA) setups, two boxes can run active servers alternately to achieve a load-balanced system (High Availability, page 399). When creating a server on a single CC-administered box, the box itself has to be specified as primary box. In HA setups, where the configuration is always done on the primary box, the HA partner has to be specified as secondary box if it should run the server actively.

Secondary Box
    In HA setups (High Availability, page 399), this field expects the definition of the HA partner.

3.3.1 Identity Tab

List 385 Server configuration - IDENTITY tab section Virtual Server Identity

Server Private Key
    On CC-administered boxes, a server's private key is automatically generated when a server is created. In conjunction with VPN, this key is used by the VPN servers located at the tunnel endpoints to identify one another. Click the New Key button to generate a new 1024 bit private RSA key. The key is automatically updated in the view of the VPN GTI Editor.
    Note:
    A 1024 bit RSA key is below current key-length recommendations. Since this key is what identifies the tunnel endpoints to each other, renew it with New Key whenever a compromise of the box is suspected.

Server Certificate
    This is the server's master-signed server certificate.

3.3.2 GTI Networks

This configuration section is relevant in conjunction with VPN GTI (Barracuda NG Control Center 15. VPN GTI, page 490).

List 386 Server configuration - NETWORKS tab section Virtual Server/GTI Networks

Server/GTI Networks
    If VPN tunnels have been configured with the VPN GTI Editor, all networks which must be reachable behind the tunnel endpoints need to be entered here. These reachable networks are displayed in read-only view in the Server/Service Settings tab of the VPN service configuration area (see 15.2.2.3 Defining VPN Service Properties, page 494).


4. Introducing a New Service

Services are server elements, thus a server must already exist before a service can be created. Each Server directory contains an Assigned Services sub-directory. Services are created in this directory as depicted in figure 356.

Fig. 356 Context menu of the Services directory

4.1 Configuration

Select Create Service in the Assigned Services context menu to enter the configuration dialog.

A service name may contain a maximum of six characters and must be unique. Services are either server-services or box-services. Box services provide functionality required to run the Barracuda NG Firewall system. They are factory defined and cannot be removed or introduced manually. Administrators may only introduce server-services. Server-services are made available under an adjustable subset of the IP addresses bound to the assigned server.

Note:
According to this structure, server deletion will automatically result in the concurrent deletion of the assigned services. Create backups of your configuration before changing server and service settings (5.3 Creating PAR Files, page 119).

4.1.1 General view

List 387 Service Configuration - General section Service Definition

Disable Service
    This parameter allows deactivating the service. By default this parameter is set to no, which means the service will be active upon creation.

Service Name
    The service's name supplied before. The name may contain up to 6 characters (digits, "-", and characters from the Latin character set excluding special characters). This is a read-only field, which means that an existing service cannot be renamed.

Description
    Provide a brief but significant description of your service here.

Software Module
    Select the software module and thus the functionality you wish to be provided by the service. Currently available choices are, for instance, Firewall, VPN-server, DHCP-Server, DNS, SNMPd (SNMP daemon for Tivoli NetView network discovery), Proxy, Mail Gateway, and SPAM Filter.
    Note:
    It depends on the type of license you have purchased whether you will actually be able to use all possible service types.
    Note:
    If Model and Appliance type (Getting Started 2. Barracuda NG Installer, page 10, then Step 4 Defining System Settings) have been determined during box installation, only the services available for the corresponding model will be displayed.

List 388 Service Configuration - General section Bind IPs

Bind Type
    The Bind Type determines how the service is made available. By default, and if available, the service binds to both server IP addresses (All-IPs). Alternatively, it may be instructed to bind exclusively to either the first or the second server IP (First-IP, Second-IP), or to any other explicitly defined server IP address(es) (Explicit).
    Note:
    Explicitly defined IP addresses must be available in the Additional IP list of the Server Configuration file (see 3. Configuring a New Server, page 94).

Explicit Bind IPs
    Into this list, insert the explicit IP addresses the service should bind to. Available IP addresses are listed in the Server Address Labels list below.
    Note:
    Only IP addresses that have been specified in the Server Configuration file the service belongs to may be used (see above).
    Note:
    On a VPN server you may define up to 32 Bind IPs.

List 389 Service Configuration - General section Available Server IPs

Server Address Labels
    This list displays all IP addresses that are available in the Server Configuration file and may be used by the service. First and Second Server IP are flagged with the labels S1 and S2, respectively.

4.1.2 Statistics view

List 390 Service Configuration - Statistics section Statistics Settings

Generate Statistics
    This flag defines whether to generate statistical data for the service (default: yes).

Src Statistics
    This flag defines whether to generate IP source based statistical data for the service (default: yes). Only the volume per source is recorded, without its temporal evolution.

Src Time-Statistics
    This flag defines whether to generate IP source based statistical data for the service (default: yes). Both the volume per source and its temporal evolution are recorded.

Dst Statistics
    This flag defines whether to generate IP destination based statistical data for the service (default: yes). Only the volume per destination is recorded, without its temporal evolution.

Dst Time-Statistics
    This flag defines whether to generate IP destination based statistical data for the service (default: yes). Both the volume per destination and its temporal evolution are recorded.

Src-Dst Statistics
    This flag defines whether to generate IP source/destination pair based statistical data for the service (default: yes). Only the volume per pair is recorded, without its temporal evolution.

Note:
Depending on the service, some statistics
- are collected as set in the configuration, yes or no: symbol x
- are always collected, even if set to no in the configuration: symbol +
- are not available: n/a

Table 322 Service configuration: statistics dependent on or independent from the statistics settings

Service                 Generate Statistics  Src Statistics  Src Time Statistics  Dst Statistics  Dst Time Statistics  Src Dst Statistics
DHCP Service            n/a                  n/a             n/a                  n/a             n/a                  n/a
DHCP Relay              n/a                  n/a             n/a                  n/a             n/a                  n/a
DNS                     n/a                  n/a             n/a                  n/a             n/a                  n/a
Firewall                x                    x               x                    x               x                    x
FTP Gateway             +                    x               x                    x               x                    x
HTTP Proxy              x [a]                x [a]           x [a]                x [a]           x [a]                x [a]
URL Filter              n/a                  n/a             n/a                  n/a             n/a                  n/a
Mail-Gateway            x                    x               x                    x               x                    x
OSPF/RIP Service        n/a                  n/a             n/a                  n/a             n/a                  n/a
SNMPd                   +                    x               x                    x               x                    x
SPAM Filter             +                    +               +                    +               +                    +
SSH Proxy               n/a                  n/a             n/a                  n/a             n/a                  n/a
Secure Web Proxy        x [a]                x [a]           x [a]                x [a]           x [a]                x [a]
Virus Scanner           +                    +               +                    +               +                    +
VPN Service             x                    x               x                    x               x                    x
Access Control Service  +                    x               x                    x               x                    x

a. after changing this setting a restart of the service is required
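The Bind IPs rules of Lists 388 and 389 above are easy to get wrong by hand, so here is an added example, not code from the Barracuda manual or the product, that resolves a service's Bind Type against the server's address set of List 379 and rejects the configurations the manual disallows: an Explicit address that is not in the server's address list, Second-IP on a server without one, and more than 32 bind IPs on a VPN server. It accepts S1, S2 and Additional IPs as Explicit targets, which is how List 389 describes the Server Address Labels. Addresses are constructed sample data; the label scheme for additional IPs and all function and field names are assumptions for illustration.

```python
"""Added example: resolving and validating Bind IPs (Lists 388/389) against a
server's addresses (List 379). Not the product's code; names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Sequence

VPN_MAX_BIND_IPS = 32   # List 388: "On a VPN server you may define up to 32 Bind IPs"


@dataclass
class ServerAddresses:
    """Virtual Server IP Addresses of List 379."""
    first_ip: str                                   # S1
    second_ip: Optional[str] = None                 # S2
    additional_ips: List[str] = field(default_factory=list)

    def labels(self) -> Dict[str, str]:
        """Server Address Labels of List 389: label -> address.
        S1/S2 follow the manual; the A<n> labels are an assumption."""
        out = {"S1": self.first_ip}
        if self.second_ip:
            out["S2"] = self.second_ip
        for i, ip in enumerate(self.additional_ips, 1):
            out[f"A{i}"] = ip
        return out


def resolve_bind_ips(server: ServerAddresses, bind_type: str,
                     explicit: Sequence[str] = (),
                     software_module: str = "Firewall") -> List[str]:
    """Return the addresses the service binds to, or raise ValueError for a
    configuration the manual does not permit."""
    if bind_type == "All-IPs":
        result = [server.first_ip] + ([server.second_ip] if server.second_ip else [])
    elif bind_type == "First-IP":
        result = [server.first_ip]
    elif bind_type == "Second-IP":
        if not server.second_ip:
            raise ValueError("Second-IP requested but the server has no Second-IP")
        result = [server.second_ip]
    elif bind_type == "Explicit":
        if not explicit:
            raise ValueError("Explicit bind type needs at least one Explicit Bind IP")
        available = {ip_address(a) for a in server.labels().values()}
        bad = [a for a in explicit if ip_address(a) not in available]
        if bad:
            raise ValueError(f"not in the server's address list: {bad}")
        result = list(dict.fromkeys(explicit))      # keep order, drop duplicates
    else:
        raise ValueError(f"unknown bind type {bind_type!r}")
    if software_module == "VPN-server" and len(result) > VPN_MAX_BIND_IPS:
        raise ValueError(f"a VPN server may bind to at most {VPN_MAX_BIND_IPS} IPs")
    return result


def check_bind_ips(server: ServerAddresses, bind_type: str,
                   explicit: Sequence[str] = (),
                   software_module: str = "Firewall") -> Optional[str]:
    """Validation helper: the error text, or None when the configuration is consistent."""
    try:
        resolve_bind_ips(server, bind_type, explicit, software_module)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    srv = ServerAddresses("10.0.0.10", "192.0.2.10", ["10.0.0.11", "10.0.0.12"])
    print(srv.labels())
    print(resolve_bind_ips(srv, "All-IPs"))
    print(check_bind_ips(srv, "Explicit", ["10.0.0.99"]))
```

Binding is the first access-control decision a service makes: with the default All-IPs a service listens on S2 as well, and List 379 notes that S1 usually reflects the internal side, so for a service that must not be reachable from the network behind S2, use First-IP or an Explicit list and confirm the result with the resolver above.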

4.1.3 Notification view

List 391 Service Configuration - Notification section Access Notification

In this section you may specify the service-specific default level at which event-based notification takes place in case of an attempted system access.
Note:
These settings are only meaningful for services that allow administrative access.

Service Default (Success)
    Service-specific default notification type in case of successful administrative access to the service (if available). Barracuda NG Firewall applications generate "NGFW Subsystem Login" notifications every time a user has successfully logged into an application that interacts with the graphical administration tool Barracuda NG Admin (for example control, event, statistics, config). The default setting is Notice.
    Value    Event type (ID)
    Silent   no event
    Notice   NGFW Subsystem Login Notice [2420]
    Warning  NGFW Subsystem Login Warning [2421]
    Alert    NGFW Subsystem Login Alert [2422]

Service Default (Failure)
    Service-specific notification type in case of an unsuccessful administrative access attempt (unknown admin, insufficient authorisation, wrong authorisation token) to the service (if available). The default setting is Notice.
    Value    Event type (ID)
    Silent   no event
    Notice   Authentication Failure Notice [4110] or User Unknown [4100]
    Warning  Authentication Failure Warning [4111] or User Unknown [4100]
    Alert    Authentication Failure Alert [4111] or User Unknown [4100]
    Note:
    The event User Unknown is generated when the Admin ID is not known to the underlying Barracuda Networks authentication module. The event type Authentication Failure is used when password or key do not match or the admin is not authorised to access the service (multi-admin environment, only in conjunction with a Barracuda NG Control Center).

Fig. 357 Service directory

Beside other module-dependent configuration items, the file Service Properties will always be present upon creation of a service. The service ffw, for example, illustrated in figure 357, is a firewall service and therefore requires a file named Firewall Forwarding Settings with service-specific information such as port or maximum number of connections, and another file named Forwarding Rules to accommodate the firewall rule set.

For further service-specific information on this topic, see the service-specific operative sections of the documentation.


5. Managing the System

In this part we will discuss the remaining configuration instances that may be used to customize box operation.

5.1 Box Settings Advanced Configuration

5.1.1 System Settings

This configuration instance addresses the seasoned Linux expert. Normally there is no need to consult this file, as the default settings have been chosen to comply with standard Barracuda NG Firewall system requirements.

If you wish to use the Barracuda NG Firewall system as a generic managed Linux platform you may come up against situations where modifications are desirable. Most people will, however, simply use this file to get an overview of what certain kernel relevant parameters are set to.

To open the system settings, double-click System Settings (Node Advanced Configuration).

5.1.1.1 IPv4 Settings

List 392 System Settings section General IP Settings
Parameter Description

TCP ECN Active
    With TCP ECN Active (Explicit Congestion Notification) set to Yes, congested routers can mark packets instead of dropping them, which reduces TCP retransmissions when router load is at its maximum and packet loss would otherwise occur.
    Attention:
    Do not activate this parameter when using Barracuda NG Firewalls with Proxy or MailGW services configured. Non-Barracuda NG Firewall systems and some application filters may not be able to handle the ECN header options. ECN uses two formerly reserved bits of the TCP header (CWR and ECE); an external system that reads the TCP flags without ECN support misinterprets these two bits and answers the SYN incorrectly, so the Barracuda NG Firewall cannot establish the connection.
    Note:
    For more detailed information concerning ECN, see RFC 3168.

IP Dyn Address
    Only set this to yes if you are experiencing problems with network connections using dynamic IP address allocation (ADSL, cable modem). With this parameter set to yes, a socket (and its packets) that is still in SYN_SENT state gets its source address rewritten on retransmission if the forwarding interface has changed in the meantime.

5.1.1.2 ARP Settings

List 393 System Settings section ARP Settings
Parameter Description

ARP Src IP Announcement
    Defines different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on an interface. This setting uses the kernel parameter arp_announce, whose values have been translated by Barracuda Networks to any (internal value = 0), best (internal value = 1) and primary (internal value = 2).
    Note the following excerpt from the kernel documentation:
    any (internal value = 0) - Use any local address, configured on any interface.
    best (internal value = 1, default) - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for setting primary.
    primary (internal value = 2) - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce.
    Note:
    Increasing the restriction level gives more chance of receiving an answer from the resolved target, while decreasing the level announces more valid sender information and is thus prone to violate privacy requirements.

ARP Cache Size
    Defines the maximum number of entries allowed in the ARP cache (default: 8192).

5.1.1.3 Routing Cache

Note:
Garbage collection is done regularly by the kernel; the entries shown here provide full access to all relevant kernel parameters.

List 394 System Settings - Routing Cache section Routing Cache Settings
Parameter Description

Max Routing Cache Entries
    Specifies the maximum number of entries in the kernel's routing cache (min: 8192, max: limited by the available memory, default: 32768). On systems with a large number of sessions and routed IP addresses this value may need to be increased.
    Note:
    Increasing this parameter increases memory consumption marginally; on small appliances the value 8192 will most likely suffice.
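The IPv4, ARP and Routing Cache fields of this dialog are front ends to plain Linux kernel tunables, and the guide constrains them with minimum/maximum values and one cross-check (the GC Threshold must stay well below Max Routing Cache Entries). The shell script below is an added example, not part of the guide and not Barracuda's own tooling: it validates a proposed value set against the limits stated in List 394 above and List 395 below and prints the corresponding sysctl lines. The sysctl key names (net.ipv4.route.*, net.ipv4.conf.all.arp_announce, net.ipv4.neigh.default.gc_thresh3, net.ipv4.tcp_ecn, net.ipv4.ip_dynaddr) are my assumptions about the 2.6-era kernel underneath; the guide only names arp_announce.

```shell
#!/bin/bash
# Added example: validate Routing Cache / ARP / IPv4 dialog values against the
# limits documented in this section and render them as sysctl lines.
# The net.ipv4.* key names are assumptions about the underlying Linux kernel.

# check_range NAME VALUE MIN MAX  (MAX may be "inf" for "limited by memory")
check_range() {
    local name=$1 value=$2 min=$3 max=$4
    case $value in
        ''|*[!0-9]*) echo "$name: not a number: '$value'" >&2; return 1 ;;
    esac
    if [ "$value" -lt "$min" ]; then
        echo "$name: $value is below the minimum $min" >&2; return 1
    fi
    if [ "$max" != inf ] && [ "$value" -gt "$max" ]; then
        echo "$name: $value is above the maximum $max" >&2; return 1
    fi
    return 0
}

# validate_routing_cache MAX_ENTRIES GC_THRESHOLD GC_INTERVAL GC_MIN_INTERVAL GC_TIMEOUT GC_ELASTICITY
# Applies the documented ranges plus the guide's note that GC Threshold must be
# significantly smaller than Max Routing Cache Entries (here: at most half of it).
validate_routing_cache() {
    local max=$1 thresh=$2 interval=$3 min_interval=$4 timeout=$5 elasticity=$6 rc=0
    check_range "Max Routing Cache Entries" "$max" 8192 inf || rc=1
    check_range "GC Threshold" "$thresh" 1024 65535 || rc=1
    check_range "GC Interval" "$interval" 1 120 || rc=1
    check_range "GC Min Interval" "$min_interval" 1 120 || rc=1
    check_range "GC Timeout" "$timeout" 1 300 || rc=1
    case $elasticity in
        1|2|4|8|16|32) ;;
        *) echo "GC Elasticity: $elasticity is not one of 1 2 4 8 16 32" >&2; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ] && [ $((thresh * 2)) -gt "$max" ]; then
        echo "GC Threshold $thresh is not significantly smaller than $max entries" >&2
        rc=1
    fi
    return "$rc"
}

# arp_announce_value any|best|primary -> the numeric arp_announce level from List 393
arp_announce_value() {
    case $1 in
        any) echo 0 ;;
        best) echo 1 ;;
        primary) echo 2 ;;
        *) echo "unknown ARP Src IP Announcement level: $1" >&2; return 1 ;;
    esac
}

# render_sysctl TCP_ECN(yes|no) IP_DYNADDR(yes|no) ARP_LEVEL ARP_CACHE_SIZE \
#               MAX_ENTRIES GC_THRESHOLD GC_INTERVAL GC_MIN_INTERVAL GC_TIMEOUT GC_ELASTICITY
# Prints a sysctl.conf fragment, or fails with a message and prints nothing.
render_sysctl() {
    local ecn=$1 dynaddr=$2 arp_level=$3 arp_cache=$4 arp ecn_v=0 dyn_v=0
    shift 4
    arp=$(arp_announce_value "$arp_level") || return 1
    check_range "ARP Cache Size" "$arp_cache" 1 inf || return 1
    validate_routing_cache "$@" || return 1
    if [ "$ecn" = yes ]; then ecn_v=1; fi
    if [ "$dynaddr" = yes ]; then dyn_v=1; fi
    printf 'net.ipv4.tcp_ecn = %s\n' "$ecn_v"
    printf 'net.ipv4.ip_dynaddr = %s\n' "$dyn_v"
    printf 'net.ipv4.conf.all.arp_announce = %s\n' "$arp"
    printf 'net.ipv4.neigh.default.gc_thresh3 = %s\n' "$arp_cache"   # assumed hard ARP cache limit
    printf 'net.ipv4.route.max_size = %s\n' "$1"
    printf 'net.ipv4.route.gc_thresh = %s\n' "$2"
    printf 'net.ipv4.route.gc_interval = %s\n' "$3"
    printf 'net.ipv4.route.gc_min_interval = %s\n' "$4"
    printf 'net.ipv4.route.gc_timeout = %s\n' "$5"
    printf 'net.ipv4.route.gc_elasticity = %s\n' "$6"
}

# Demonstration with the guide's documented defaults (ECN off, dynaddr off, best, 8192 ARP entries):
render_sysctl no no best 8192 32768 8192 60 60 60 8
```

Run it as is to see the ten lines the documented defaults produce; feed it a GC Threshold of 20000 against 32768 entries and it refuses, which is exactly the combination the note under GC Threshold warns about.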

List 395 System Settings - Routing Cache section Garbage Collection
Parameter Description

GC Elasticity
    Specified as the integer log2 of an internal parameter used to steer the sensitivity of the garbage collection algorithm. It is provided for completeness only. Changing it requires a thorough understanding of the GC algorithm to achieve the desired effect (default: 8, allowed values: 1, 2, 4, 8, 16, 32).

GC Interval [s]
    Used by the kernel's regular GC loop; defines the loop time in seconds between two regular GC events (min: 1, max: 120, default: 60).

GC Min Interval [s]
    The minimum time in seconds between two garbage collections (min: 1, max: 120, default: 60). This parameter is provided since GC may either occur throughout a regular GC loop (see above) or may be triggered by a kernel event outside the regular loop. This parameter warrants that in the latter case GC is not run too frequently.
    Note:
    Both parameters above (GC Interval [s] and GC Min Interval [s]) may be decreased when the routing cache has a tendency to grow very quickly, thereby running the risk of a cache overflow. Frequent and unnecessary GC events will, however, decrease system performance.

GC Threshold
    A threshold value of cache entries which is used to determine the necessity of garbage collection and to which extent (that is, how radically) entries need to be removed (min: 1024, max: 65535, default: 8192).
    Note:
    This parameter should always be significantly smaller than the maximum number of cache entries.

GC Timeout [s]
    Time in seconds after which an inactive routing cache entry is removed from the cache. Note that active entries may not be removed from the cache (min: 1, max: 300, default: 60).
    Note:
    Decreasing this value will help in keeping the routing cache smaller. If the same routing entry is typically needed again shortly afterwards, a full routing lookup needs to be performed instead of a quick cache lookup.

5.1.1.4 I/O Settings

The remaining block of configuration entries is special in so far as the IDE-tuning option is only activated by rebooting the system. This prevents the user from repeatedly activating and deactivating this low-level setting on a running system. Doing so during full operation may cause a freeze of the operating system.

List 396 System Settings - I/O Settings
Parameter Description

IDE-DMA Support
    Most recent IDE hard drives are capable of using direct memory access (DMA), which is by default not enabled by the Linux OS. Performance gains of up to 600 % are realistic when DMA is activated (on a per drive basis on DMA capable drives). If your system uses IDE hard disks you could try to change this setting to yes. You have to reboot your system for this to have any noticeable effect. Note that there is a non-zero chance that your system might freeze.

Advanced IDE Options (only available with parameter IDE-DMA Support set to yes)
    This section may be used for optimising the IDE option.
    Attention:
    Do not modify these settings unless you know exactly what their effects are. Barracuda Networks recommends contacting your Barracuda Networks partner for details on configuration, and testing the settings in a test environment before using them on active systems.

I/O Tuning
    Set to yes if you wish to alter the default values of the maximum number of file handles and nodes the OS kernel will be able to handle.

Open Files (max)
    Maximum number of open file descriptors the Barracuda NG Firewall system is prepared to handle (min. 8192, max. 655536). Leave at the default setting if you do not experience any problems. As a rule of thumb you would not allot more than 256 files per 4 MB of RAM.

5.1.1.5 Flash Memory

Note:
Flash settings will be ignored for all non-flash RAM-based appliances.

List 397 Box Tuning - Flash Memory section RAM Partition
Parameter Description

Size (%)
    This is the percentage size of the tmpfs RAM partition relative to the total available RAM (default: 20). Clearing this field makes the Size (MB) field below available, allowing specification of the RAM partition size in MB.

Size (MB)
    This is the size of the tmpfs RAM partition specified in MB. This field only becomes available if the Size (%) field above is cleared.

List 398 Box Tuning - Flash Memory section Log Settings
Parameter Description

Size Settings
    This configuration section allows specifying the size settings for all log file types.

List 399 Box Tuning - Flash Memory section Flash Appliance Settings
Parameter Description

Force Non Flash
    Setting to yes (default: No) causes the box not to start in flash RAM mode, regardless of the storage architecture the flash RAM auto detection recognizes.
    Attention:
    Enabling this feature may cause hardware damage. Use with due care.

Force Flash
    Setting to yes (default: No) causes the box to start in flash RAM mode, regardless of the storage architecture the flash RAM auto detection recognizes.

5.1.2 Bootloader

The configuration dialog Bootloader addresses the difficult but nevertheless omnipresent issue of Linux kernel updates and boot time behavior. As these two things are intimately interrelated, they are dealt with by a single configuration instance.

Under normal circumstances you will hardly ever need to make any changes to the default settings of this configuration instance. However, the one thing you will want to change is the boot loader password.

The dialog consists of three logical groups of configuration parameters, two of them exclusively reserved for kernel software updates, while the remaining one is dedicated to influencing boot time/prompt behavior.

Note:
Remember that sending and activating a new configuration will not cause the boot loader maintenance module to trigger a kernel update. It will merely alter the header part of the loader configuration file while leaving the kernel untouched.

Note:
If you do not have any special hardware requirements you will find the default settings sufficient for proper operation. Setting the Kernel Update parameters to non-default settings requires a sound knowledge of the way in which the bootloader of a Linux system works.

In order to initiate a modification of the boot loader configuration as to which Linux kernel to use when booting, you will need to either carry out a kernel software update or invoke a particular utility program from the command line
to use the settings reserved for custom/manual kernel updates.

No matter whether you have just changed the boot behavior or actually updated your kernel to a more recent version: it is necessary to reboot your system for the changes to have any noticeable effect. The Box view of the control window will always inform you of the current kernel/bootloader status.

To open, select Advanced Configuration > Bootloader and double-click.

List 3100 Advanced Configuration - Bootloader section Kernel Updates
Parameter Description

Update Policy
    Governs the way in which the system deals with a kernel update. The policies are:
    automatic (default) - A freshly installed kernel is automatically set as default boot kernel.
    noupdate - When installing new kernels the update process of the bootloader configuration is disabled. Reconfiguration of the bootloader has to be performed manually.

SMP Kernel
    Set this parameter to yes (default: no) when multiprocessor systems are in use (used during updates to find out which kernel is to be used).

List 3101 Advanced Configuration - Bootloader section Header Settings
Parameter Description

Use Linear Mode
    Advises the bootloader (LILO) to use linear sector addresses instead of sector/head/cylinder addresses. Linear addresses are translated at run time and do not depend on disk geometry. When using linear mode with large disks, the bootloader may generate references to inaccessible disk areas, because 3D sector addresses are not known before boot time.

Loader Delay
    Sets a timeout (in tenths of a second) for keyboard input. If no key is pressed within the specified time, the first or default image is automatically booted. The Barracuda Networks settings for the boot loader allow a range from 1 to 10 seconds, which means values ranging from 10 to 100, with 30 being the default.

Password Protection
    When selected (as is the Barracuda Networks factory default), a password is required to boot the image if additional parameters are specified on the command line (for example single). Doing so increases the physical security of the system and requires you to specify an appropriate loader password.

Loader Password
    Plain text boot password required for authorisation to supply additional boot parameters to the boot loader and kernel manually. Note that you should choose your own loader password before using the system in a productive environment. The factory default is ph10n; because it is published in this guide it protects nothing until it is changed.
    Note:
    The password can only be stored in plain text format in the loader configuration file (/etc/lilo.conf). Keep that file readable by root only: anyone who can read it can pass boot parameters such as single to the kernel at the console.

Note:
The remaining parameters are only considered when update policy is set to custom and the loader configuration is changed by invoking a utility program on the command line. For any other update policy or in case of header updates they are ignored.

Boot Loader Location
    The default setting and thus behavior is to determine the boot loader location from the current system setup (that is, the configuration at the time the new settings are activated). By changing this parameter you can force a different location of the bootloader.
    Note:
    A bootable partition or a master boot record must be specified.

Serial Console
    This is the serial port which is used to connect to the box by a serial connection. By default "COM1" is used. If there is no serial console on your system enter none.

Global Append Option
    Use this to enter additional parameters for the kernel.
    Attention:
    For experts only.
    The options will be written to /etc/lilo.conf at the end of the append line:
    append="console=tty0 console=ttyS0,19200n8r *your option*"
    Note:
    If a Barracuda NG Firewall has more than 768 MB RAM and ACPF memory parameters (see Firewall Parameters below) are increased it could be necessary to increase the so-called 'vmalloc' kernel parameter. To increase the memory available for 'vmalloc' add "vmalloc=400M" here.

Default Image Name
    By setting this value you can define a different default boot image for loading the Barracuda NG Firewall system. You are required to reference the name of one of the "Boot Images" defined in "/etc/lilo.conf".
    Note:
    If you do not know what a boot image is, read the online system manuals on LILO first.

No ACPI
    Setting this option to yes will instruct the Linux kernel to disable ACPI when the box is booted. Use this when the interrupt routing in the ACPI table is wrong and you want to fall back to standard interrupt routing, or if the ACPI functions in the BIOS cause problems.

5.1.3 System Scheduler

This configuration dialog is used to configure the settings of Barracuda Networks proprietary and other user-defined cronjobs. Note that the configuration dialog represents a graphical front end to a special crontab named /etc/cron.d/phioncron. Standard crontab syntax is used for all entries in this file.

Since most cronjobs fall into one of five categories, which are hourly, daily, weekly, monthly, or annual jobs, appropriate configuration sections are provided. For more exotic jobs a special section Generic Schedule is provided, which lets you harness the full power of crontab syntax. You may for instance configure a job that is run every other day of the week but only in May and then every 5 minutes between 05:00 and 06:00.

Note:
The Barracuda Networks crontab should contain at least two factory defined jobs pertaining to log file and statistics data management.

The storage policies are written to the file /opt/phion/active/config/logstor.conf on the box. This file needs to be read in (handed over as an argument) by the log file management utility /opt/phion/modules/box/logstor/bin/logstor and governs the way in which log files are treated.

Note:
The utility program logstor is meant to be invoked by crond. It is thus mandatory to include an appropriate entry into the Barracuda Networks specific crontab. In particular it is important to reconcile the settings adopted for log storage with the times when logstor is run by crond.

Note:
Barracuda Networks recommends running this program on a daily basis. An appropriate entry should thus be made into section Daily Schedule.
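Returning to the Bootloader header settings of List 3101 above: the following shell functions are an added example, not the guide's own text and not Barracuda's maintenance utility. They render the lilo.conf header that the dialog fields describe and enforce the two checks a practitioner wants before activating it: the published factory default loader password ph10n is refused, and the file is written readable by root only because the password is stored in plain text. The append= line and the restricted/password semantics follow the list above; the mapping of COM1/COM2 to LILO's serial= option and the use of acpi=off for No ACPI are my assumptions.

```shell
#!/bin/bash
# Added example: render the lilo.conf header the Bootloader "Header Settings"
# dialog describes and refuse values a reviewer would reject. This is not the
# guide's or Barracuda's own maintenance utility.

# render_lilo_header DELAY_TENTHS PASSWORD SERIAL(COM1|COM2|none) NO_ACPI(yes|no) DEFAULT_IMAGE "EXTRA_APPEND"
render_lilo_header() {
    local delay=$1 password=$2 serial=$3 no_acpi=$4 image=$5 extra=$6
    local append='console=tty0 console=ttyS0,19200n8r'   # base append line quoted in List 3101
    local serial_line=

    case $delay in
        ''|*[!0-9]*) echo "Loader Delay must be numeric (tenths of a second)" >&2; return 1 ;;
    esac
    if [ "$delay" -lt 10 ] || [ "$delay" -gt 100 ]; then
        echo "Loader Delay $delay outside 10..100 (1 to 10 seconds)" >&2; return 1
    fi
    # the factory default is printed in the guide, so it protects nothing
    if [ -z "$password" ] || [ "$password" = ph10n ]; then
        echo "refusing empty or factory default loader password" >&2; return 1
    fi
    case $password in
        *[[:space:]]*|*\"*) echo "loader password must not contain whitespace or quotes" >&2; return 1 ;;
    esac
    case $image in
        ''|*[[:space:]]*) echo "Default Image Name must be a single image label from lilo.conf" >&2; return 1 ;;
    esac
    # assumption: COM1/COM2 are LILO serial ports 0/1, at the speed used on the console line
    case $serial in
        COM1) serial_line='serial=0,19200n8' ;;
        COM2) serial_line='serial=1,19200n8' ;;
        none) ;;
        *) echo "unknown Serial Console port: $serial" >&2; return 1 ;;
    esac
    if [ "$no_acpi" = yes ]; then append="$append acpi=off"; fi   # assumption: No ACPI -> acpi=off
    if [ -n "$extra" ]; then append="$append $extra"; fi          # Global Append Option

    echo '# header part maintained by the Bootloader dialog'
    echo 'linear'                      # Use Linear Mode
    echo "delay=$delay"                # Loader Delay, tenths of a second
    if [ -n "$serial_line" ]; then echo "$serial_line"; fi
    echo "password=$password"          # stored in plain text: the file must be mode 0600
    echo 'restricted'                  # Password Protection: ask only when boot parameters are given
    echo "default=$image"              # Default Image Name
    echo "append=\"$append\""
}

# write_lilo_conf FILE ARGS... writes the rendered header to FILE, readable by root only
write_lilo_conf() {
    local file=$1 content
    shift
    content=$(render_lilo_header "$@") || return 1
    ( umask 077 && printf '%s\n' "$content" > "$file" ) || return 1
    chmod 0600 "$file"
}
```

The chmod after the write matters for a pre-existing file: umask only governs newly created files, so a lilo.conf that was already world-readable would otherwise stay that way.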


To open, select Advanced Configuration > System Scheduler and double-click.

- Schedule Parameters
  Section containing key/value definitions of environment variables. These variables are intended to be used in conjunction with jobs.
  Three variables are already pre-defined:
  LOGCONF set to /opt/phion/config/active/logstore.conf
  MAILTO (left empty)
  SHELL set to /bin/bash
  These three are directly interpreted by crond.
  Note:
  Variables must be prepended with $ when referenced in a cronjob entry.
- Daily Schedule
  cronjobs which are run on an hourly and daily basis.
- Monthly Schedule
  cronjobs which are run on a weekly and monthly basis.
- Yearly Schedule
  cronjobs which are run on a yearly basis.
- Generic Schedule
  Advanced section for accommodating cronjobs which do not fit into one of the preceding categories. Placing jobs in this section requires a basic understanding of standard crontab syntax.

All dialog windows contain the same basic elements. First, there is a description field which is well suited for mnemonic purposes and of which we advise you to make frequent use.

Next, you will need to specify at least one command, which will be run at the times configured in the remainder of the section instance. Since it is sometimes convenient to run several commands at the same time, provisions have been made for specifying more than one command for each cronjob.

Finally, you will need to instruct the cron daemon when to run the desired command or commands. For the five predefined categories hourly, daily, weekly, monthly, and annual we have restricted the choice of options available for the date field of a crontab entry to what is needed most often. Everything that cannot be handled by these categories must be configured as a generic job.

Within each of the predefined categories you have extended control over the next smaller temporal element, that is for an hourly job over the minutes, for a daily job over the hours of the day. Even smaller temporal configuration elements may only be set to a single value. All other temporal elements are implicitly set to always (*) and do not appear within the dialog. In brief this warrants that a daily job is run every day of the year.

For the central temporal element (for example, daily - hours) you may specify either a comma separated list or a periodicity (run every ...).

As far as generic jobs are concerned you may make use of almost the full extent of available crontab formatting options.

Fig. 358 Example: condensed excerpt from Paul Vixie's man page on crontab

Commands are executed by cron(8) when the minute, hour, and month of year fields match the current time, and when at least one of the two day fields (day of month, or day of week) match the current time.

The day of a command's execution can be specified by two fields -- day of month, and day of week. If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. For example ``30 4 1,15 * 5'' would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.

Note that this means that non-existent times, such as "missing hours" during daylight savings conversion, will never match, causing jobs scheduled during the "missing times" not to be run. Similarly, times that occur more than once (again, during daylight savings conversion) will cause matching jobs to be run twice.

cron(8) examines cron entries once every minute.

The time and date fields are:

field          allowed values
-----          --------------
minute         0-59
hour           0-23
day of month   1-31
month          1-12
day of week    0-7 (0 or 7 is Sun)

(Barracuda Networks: we use a range from 0 to 6 with 0 denoting Sunday.)

A field may be an asterisk (*), which always stands for ``first-last''.

Ranges of numbers are allowed. Ranges are two numbers separated with a hyphen. The specified range is inclusive. For example, 8-11 for an ``hours'' entry specifies execution at hours 8, 9, 10 and 11.

Lists are allowed. A list is a set of numbers (or ranges) separated by commas. Examples: ``1,2,5,9'', ``0-4,8-12''.

Step values can be used in conjunction with ranges. Following a range with ``/<number>'' specifies skips of the number's value through the range. For example, ``0-23/2'' can be used in the hours field to specify command execution every other hour (the alternative in the V7 standard is ``0,2,4,6,8,10,12,14,16,18,20,22''). Steps are also permitted after an asterisk, so if you want to say ``every two hours'', just use ``*/2''.

(Barracuda Networks: step values are handled by the option every in the dialog; they should not be used as an entry in the list option.)

The entire command portion of the line, up to a newline or % character, will be executed by /bin/sh or by the shell specified in the SHELL variable of the cronfile. Percent-signs (%) in the command, unless escaped with backslash (\), will be changed into newline characters, and all data after the first % will be sent to the command as standard input.

5.1.4 Inventory

This configuration file is purely optional and may assist you in keeping track of the kind of hardware your system consists of.

5.1.5 Log Cycling

This configuration file is used to configure the utility logstor, whose sole purpose is the storage management of log files. logstor is able to move log files (and optionally compress them) to a destination directory, or to remove files based on certain adjustable conditions. The utility is run periodically as a cron job. The appropriate cron daemon settings are configurable through the configuration dialog System Scheduler (see 5.1.3 System Scheduler, page 102). What, however, happens when logstor is run by the cron daemon is exclusively specified here.
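logstor only does anything when crond runs it, so the Daily Schedule entry from 5.1.3 and the storage times in the lists below have to agree. The shell functions that follow are an added example and not the guide's own code: they implement the crontab field semantics quoted in Fig. 358 (lists, ranges, steps, and the rule that a job with both day fields restricted runs when either of them matches), so a generic schedule can be checked against concrete timestamps before it goes into /etc/cron.d/phioncron, and they render the daily logstor line. The logstor path and the $LOGCONF variable are taken from 5.1.3; the root user column (the format of /etc/cron.d files) and the 03:15 run time are my assumptions.

```shell
#!/bin/bash
# Added example: evaluate crontab time fields the way cron(8) does, following
# the Vixie man page excerpt in Fig. 358, and render a phioncron line for logstor.

# field_matches FIELD VALUE LO HI -> 0 when the crontab FIELD ("*", "5", "8-11",
# "1,15", "*/5", "0-23/2") covers VALUE; LO and HI are the field's full range.
field_matches() {
    local field=$1 value=$2 lo_all=$3 hi_all=$4
    local rest=$field item step lo hi
    while [ -n "$rest" ]; do
        item=${rest%%,*}                      # next element of the comma separated list
        if [ "$item" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
        step=1
        case $item in */*) step=${item#*/}; item=${item%%/*} ;; esac
        case $item in
            '*') lo=$lo_all; hi=$hi_all ;;    # asterisk stands for first-last
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
}

# cron_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW -> 0 when a job with
# that schedule runs at the given time. Day of week 7 is folded to Sunday (0).
cron_matches() {
    local spec=$1 min=$2 hour=$3 dom=$4 mon=$5 dow=$6
    local f_min f_hour f_dom f_mon f_dow
    read -r f_min f_hour f_dom f_mon f_dow <<EOF
$spec
EOF
    if [ "$dow" -eq 7 ]; then dow=0; fi
    field_matches "$f_min"  "$min"  0 59 || return 1
    field_matches "$f_hour" "$hour" 0 23 || return 1
    field_matches "$f_mon"  "$mon"  1 12 || return 1
    if [ "$f_dom" != '*' ] && [ "$f_dow" != '*' ]; then
        # both day fields restricted: the job runs when EITHER field matches
        if field_matches "$f_dom" "$dom" 1 31; then return 0; fi
        field_matches "$f_dow" "$dow" 0 7
    else
        field_matches "$f_dom" "$dom" 1 31 || return 1
        field_matches "$f_dow" "$dow" 0 7
    fi
}

# The generic job from 5.1.3: every 5 minutes during the 05:00 hour, only in May,
# on every other day of the week (Sun, Tue, Thu, Sat). 06:00 itself is not covered.
GENERIC_MAY_SPEC='*/5 5 * 5 0-6/2'

# logstor_cron_line HOUR MINUTE -> the Daily Schedule entry for logstor. The "root"
# user column is an assumption about the cron.d format; the path and $LOGCONF
# (expanded by the SHELL crond runs the command in) come from the guide.
logstor_cron_line() {
    local hour=$1 minute=$2
    if [ "$hour" -lt 0 ] || [ "$hour" -gt 23 ] || [ "$minute" -lt 0 ] || [ "$minute" -gt 59 ]; then
        echo "hour/minute out of range" >&2; return 1
    fi
    printf '%s %s * * * root /opt/phion/modules/box/logstor/bin/logstor $LOGCONF\n' "$minute" "$hour"
}
```

A practical use: before adopting a Storage Time of 14 days with a daily 03:15 logstor run, check with cron_matches that the generic entries you add do not also fire inside the missing hour of the spring daylight-saving change, since the man page excerpt notes such jobs silently never run.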
List 3102 Advanced Configuration - Log Cycling section Common Settings
Parameter Description

Verbose Logging
    If set to yes, the actions taken and the names of the affected files will be output to the specified log file. The default is no, to reduce the amount of logged information.

File Specific Settings

Array of sections that describe the way in which certain types of log files are meant to be processed. It is advisable to create a separate section instance for each individual log file category, for example box, server, misc.

Fig. 359 Log Cycling - section File Specific Settings

To open the configuration dialog, click the Insert button.

List 3103 Log Cycling - File Specific Settings section Log File Selection
Parameter Description

Type of Logfile
    Predefined categories are:
    all - everything containing the string .log in its name
    box - all logs whose names start with box_ and contain the string .log
    boxfw - all logs whose names start with boxfw_ and contain the string .log
    fatal - all logs containing fatal and panic
    misc - all logs containing the string .log in their names but not starting with box_ or srv_
    server - all logs whose names start with srv_ and contain the string .log
    user - user defined pattern match (see below)
    Note that, by these definitions, a name starting with boxfw_ does not start with box_ and therefore also qualifies for misc; when you define both a boxfw and a misc section, check which one acts on those files first.

Logfile Name Patterns
    Only enabled when type user has been selected. You may enter a list of wild card expressions. Still only files with the suffix .log will be affected.
    Note:
    Protect wildcards with single quotes.

Range IDs
    Enter the desired ranges. An entry may either be a single number, an interval, or literally void to denote no range. Leave it empty if there are no ranges.

Log Cycling Actions

Variable number of subsections, each specifying a particular action to be taken. The action is only applied to log files of the specified type.

To open the configuration dialog, click Insert.

List 3104 Log Cycling - File Specific Settings - section Log Cycling Actions
List 3105 Box Misc - Log Cycling - File Specific Settings - section Log Cycling Actions
Parameter Description

Action
    Predefined categories include rm (delete files), move (move files to an archiving directory), and purge (a more ruthless version of rm).

Storage Dir
    Only enabled when action move has been selected. It determines the target directory for the move action.

Keep Log Structure
    Only enabled when action move has been selected. It determines whether or not both the logs and the logcache subdirectories of /var/phion are replicated for the files to be moved. Leave set to the default of yes.

Compression
    Only enabled when action move has been selected. If set to yes the files to be moved will be piped through gzip -6 and thus compressed. An extension ".gz" is automatically appended.

Storage Time (days)
    Enabled for actions move and rm. Determines the keep time of a file (with respect to its modification date) before the specified action is applied to it.

Max Storage Time (days)
    Enabled for action purge only. If a file is older (with respect to its modification date) than this number of days it will be removed regardless of whether or not it represents the sole file instance. This option is used for the removal of log files that are not maintained any longer.

Always Keep (File instances)
    Enabled for actions move and rm only. The respective action is not taken if not at least this number of instances of this type of log file remain untouched. It thus overrules the entry Storage Time.
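To see which files a File Specific Settings section would touch before pointing the real utility at /var/phion, the following shell functions are an added example (not the logstor utility, whose source the guide does not show): they implement the Type of Logfile categories of List 3103 and the interaction of Storage Time with Always Keep from List 3104 on a constructed list of file names and modification times. The requirement that every category only matches names containing .log is taken from the all/box/server definitions and applied to fatal as well, which is my assumption.

```shell
#!/bin/bash
# Added example: classify log file names the way the "Type of Logfile" categories
# in List 3103 are defined, and pick expiry candidates the way "Storage Time" and
# "Always Keep" interact. This is not the logstor utility itself.

# log_type_matches TYPE NAME -> 0 when NAME falls into the predefined category TYPE
log_type_matches() {
    local type=$1 name=$2
    case $name in *.log*) ;; *) return 1 ;; esac   # assumption: every category needs ".log" in the name
    case $type in
        all)    return 0 ;;
        box)    case $name in box_*) return 0 ;; esac ;;
        boxfw)  case $name in boxfw_*) return 0 ;; esac ;;
        server) case $name in srv_*) return 0 ;; esac ;;
        misc)   case $name in box_*|srv_*) ;; *) return 0 ;; esac ;;   # note: boxfw_ lands here too
        fatal)  case $name in *fatal*|*panic*) return 0 ;; esac ;;
        *)      echo "unknown Type of Logfile: $type" >&2; return 2 ;;
    esac
    return 1
}

# select_logs TYPE reads one file name per line on stdin and prints those of category TYPE
select_logs() {
    local name
    while IFS= read -r name; do
        if log_type_matches "$1" "$name"; then printf '%s\n' "$name"; fi
    done
}

# expire_candidates STORAGE_DAYS ALWAYS_KEEP NOW_EPOCH reads lines "MTIME_EPOCH NAME"
# on stdin and prints the names an rm/move action would touch: files older than
# STORAGE_DAYS, except that the ALWAYS_KEEP newest instances are never touched.
expire_candidates() {
    local days=$1 keep=$2 now=$3 cutoff idx=0 mtime name
    cutoff=$(( now - days * 86400 ))
    sort -rn | while read -r mtime name; do        # newest instance first
        idx=$(( idx + 1 ))
        if [ "$idx" -le "$keep" ]; then continue; fi
        if [ "$mtime" -lt "$cutoff" ]; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample input (not real box data) for a quick run of the functions:
SAMPLE_NAMES='box_Firewall.log
boxfw_acl.log
srv_S1_mail.log
panic_ffw.log
notes.txt
box_Auth.log.1'
printf '%s\n' "$SAMPLE_NAMES" | select_logs misc
```

Always Keep wins over Storage Time by construction: with a keep count of 3 and a 14 day storage time, a 20 day old third instance survives, which is the behaviour List 3104 describes as "overrules the entry Storage Time".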


5.1.6 Message Board

In this section you can configure the messages which are displayed at login time via SSH, the Barracuda NG Admin GUI and on the console. Use only:
- Alphabetic characters
- Numerics
- #!_,.

Fig. 360 Configuration Dialog - Messages

Note:
Empty breaks, repeated spaces, and a single period (.) in an empty line will be ignored.

Note:
Check the display of the message at the login after editing.

5.1.7 Access Notification

Each system access constitutes an action with a substantial inherent security risk. In order to keep track of system access on all levels (operating system, Barracuda Networks infrastructure, and Barracuda NG Firewall services) Barracuda NG Firewall systems are equipped with an elaborate event based notification model. The advantage of active notification over simple log file based accounting is that a potential intruder will find it very difficult to conceal his actions. Moreover, a significant level of accountability of successful or unsuccessful system access attempts may be attained.

Notification is a complex matter and has been built on the following conceptual cornerstones:
- notification should be adjustable on a per service basis
- notification should be adjustable on a per administrator basis (Barracuda NG Control Center option)

As a consequence the Barracuda Networks model makes use of five notification schemes, which provide the ability to link an admin with a particular service specific notification setting:

Table 323 Overview of the five notification schemes on Barracuda NG Firewall systems
Scheme (multi-admin option) Description

service default (no)
    Default notification settings for all Barracuda Networks and system services capable of allowing access to the system. These settings are always in effect for user root. The same applies to all system-only users.

silent (no)
    Automatically assigned to the invisible users "ha" and "master". The scheme suppresses notification in case of successful access. Unsuccessful attempts are treated according to scheme "service default".

type 1 (yes)
    Multi-admin option, freely customisable.

type 2 (yes)
    Multi-admin option, freely customisable.

type 3 (yes)
    Multi-admin option, freely customisable.

Each administrator is explicitly or implicitly equipped with a particular scheme which, in essence, is a collection of notification settings. These settings assign particular notification types to each Barracuda NG Firewall service or otherwise relevant system service (for example SSHd or console login). Notification triggering for success and failure events can usually be configured individually, except for one notable exception: direct system access failure or access by an unknown user will always trigger an event.

The following notification types are currently in use:
- Silent (no event)
- Notice
- Warning
- Alert

The latter three may be used to modify the severity of a context dependent event type. A listing of generated events (Event-IDs 4100, 4110, 4111, 4112, 4130, 4131, 4132) can be found in System Information 5. List of Default Events, page 536.

Fig. 361 Various configuration instances the notification model relies upon
(Diagram: the System level (PAM_pwdb) and the Infrastructure Services each draw on the Access notification and Service notification settings, and each path ends in a generated Event.)


106 | Managing the System > Box Settings Advanced Configuration Configuration Service

The way in which services determine which event to generate upon a successful or unsuccessful authentication/access attempt is illustrated in figure 361. The service uses the login ID attempting access to verify its legitimacy on the system. Next, it determines the associated notification scheme for the login ID, with service default constituting a fallback option. Finally, it determines the service-specific notification type from the applicable notification scheme. It then generates an appropriate event.

To open, select Advanced Configuration > Access Notification and double-click.

Fig. 362 Configuration Dialog - Access Notification

List 3106 Box Misc - Access Notification section Console Access

Parameter Description

Sys-CMD: su
    Notification type for the su (Substitute User) command line tool. The notification settings used are not those of the system user invoking su but the system user whose identity is adopted.

Sys-CMD: login
    Notification type for a successful login. Note that login here denotes direct system access via the console.

SSH: login
    Notification type for a successful system access via SSH protocol.

SSH: rexec
    Notification type for an access via SSH protocol for the purpose of remote command execution. Note that remote copy (scp) and secure FTP (sftp) would also fall into this category.

Note:
The preceding four service instances do not have adjustable settings for the case of a failed access attempt. This is due to the fact that we believe that access failures at level operating system must always be recorded. To this end we have hardcoded the corresponding failure policy.

Two simple scenarios may be distinguished:
• Login is attempted with an unknown login ID, thus triggering Event-ID 4100 User Unknown.
• The authentication process fails for some other reason, creating Event-ID 4110 Authentication Failure Notice. Authentication failure on the second login attempt generates Event-ID 4111 Authentication Failure Warning. Finally, if the maximum number of authentication attempts (usually 3) is exceeded, notifications with Event-ID 4112 Authentication Failure Alert are generated. Note that the latter will only be possible if an internal system error has occurred.

Throughout the remainder <service> will represent all Barracuda Networks infrastructure services:

<Service> (Success)
    Notification type for successful access to infrastructure service <service>.

5.1.8 SSH

This configuration instance is used to configure certain aspects of the operation of the SSH daemon (based on OpenSSH, www.openssh.org).

Note:
OpenSSH is a free version of the SSH protocol suite of network connectivity tools. SSH is part of the underlying Barracuda Networks Linux distribution which is available free of charge.

Each Barracuda NG Firewall system is routinely equipped with a SSH daemon listening on TCP port 22 on all administrative IP addresses (the primary box IP and all further IPs to which administrative services are supposed to bind).

Access to a Barracuda NG Firewall system via the SSH protocol is meant to be used for the purpose of software updates and rare maintenance tasks. All routine administrative tasks may normally be dealt with via the management console Barracuda NG Admin.

The management console Barracuda NG Admin allows direct access to a Barracuda NG Firewall system via SSH protocol version 2 by means of integrated terminal functionality. Simply click on the icon SSH located on the left hand side navigation area and the following window will appear.

Note:
Barracuda Networks has modified the SSH daemon so as to provide relevant information such as system access and remote command execution, just like protocol requests, via the log and event notification logic. The corresponding log file is entitled sshd and may be found under the Box section of the log tree.

To open, select Advanced Configuration > SSH and double-click.

5.1.8.1 Basic Setup

List 3107 Box Misc - SSH Basic Setup section General Settings

Parameter Description

Event on SSH
    You may configure the SSHd related conditions that trigger event notification (Events Daemon Startup Failed/Succeeded [2070/2071] and Daemon Shutdown Failed/Succeeded [2072/2073]). Choose from four different settings:
    start-failure (default)
    +stop-failure
    ++start-success
    +++stop-success
    The list is additive, which means items further down the list automatically include all previous ones.
    Note:
    You will not be notified when SSHd is killed manually or just dies unexpectedly. The settings here only pertain to SSHd behavior during controlled start or stop sequences.

List 3107 Box Misc - SSH Basic Setup section General Settings (continued)

Parameter Description

Allow TCP Forwarding
    Note:
    This parameter is only available in Advanced View mode.
    Specifies whether TCP forwarding is permitted. The default is no.
    Note:
    Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders by means of the ssh command.

Login Timeout
    The server disconnects after this time if the user has not successfully logged in. The minimum time limit is 10 (seconds). The default is to wait for 90 (seconds).

Permit Root Login
    This parameter defines whether a SSH login with user name root is possible/allowed.
    Note:
    Denying root login via SSH causes the following configuration entities not to work: Box Exec tab and Software Update tab.

Check User Home
    Note:
    This parameter is only available in Advanced View mode.
    Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directories or files writeable. The default is yes.

Send Keepalives
    Specifies whether the server should send keepalive messages to the other side. If they are sent, death of the connection or crash of one of the machines will be properly noticed. However, this means that connections will die if the route is down temporarily, and some people find it annoying. On the other hand, if keepalives are not sent, sessions may hang indefinitely on the server, leaving "ghost" users and consuming server resources. The default is yes and the server will notice if the network goes down or the client host reboots. This avoids infinitely hanging sessions.

Supported Protocols
    Note:
    This parameter is only available in Advanced View mode.
    Specifies the protocol versions sshd should support. The possible values are protocol version 2 only and protocol versions 2 and 1 (with version two being the preferred choice).
    Note:
    Barracuda Networks recommends not to enable backwards compatibility support for protocol version 1 clients as protocol version 1 has been proven to be vulnerable to man-in-the-middle attacks. The Barracuda Networks client tries to use version 2 by default.

5.1.8.2 Advanced Setup

List 3108 Box Misc - SSH Advanced Setup section Protocol Version 2 Options

Parameter Description

Allow Compression
    This parameter activates/deactivates using compression for SSH clients.

Force Key Authentication
    Via this parameter key usage is enforced for SSH clients.
    Note:
    If key usage is mandatory for external SSH clients when connecting to a box and automated login is desired without further user interaction, the client certificate's private key residing on the Microsoft Windows system has to be shaped into a UNIX understandable format. See 5.1.8.3 Handling Forced Key Authentication below for a description how to generate the required key.

Secure FTP Support
    Setting this to yes (default: no) instructs sshd to implement the "sftp" file transfer subsystem. By default no subsystem is defined. Note that this option applies to protocol version 2 only. Secure FTP may be viewed as a more comfortable alternative to the humble scp command when trying to transfer bulk data to or from the box.

List 3109 Box Misc - SSH Advanced Setup section Protocol Version 1 Options

Parameter Description

Server Key Length (Bits)
    Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. This setting applies only to protocol version 1.

Key Regeneration Period
    In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is only stored in memory. If the value is 0, the key is never regenerated. The Barracuda Networks default is 900 (seconds). This setting applies only to protocol version 1.

5.1.8.3 Handling Forced Key Authentication

For various administrative purposes, for example statistics collection with external tools, it may be desired to connect to a box at arbitrary times with an external SSH client, thereby omitting user interaction. Unfortunately, the certificate's private key, which can be exported from the Certificate Store in encrypted PFX file format using the Microsoft Management Console (MMC), cannot be understood by the Barracuda NG Firewall. The PFX file has to be converted to a UNIX understandable unencrypted private key in PEM format. Proceed as follows to prepare your system for remote SSH client usage:

Step 1 Create an administrative login
• In the configuration tree of the box browse to Box > Administrators.
• Add a new administrative account to the configuration. (For a description how to create an administrative account, see 2.2.7 Administrators, page 91.)
• Specify a significant Name. Set the administrator's Authentication Level to Key. Import the Public RSA Key, which has been issued for this user, from the Microsoft Certificate Management Store.

Step 2 Export the private key from the Certificate Management Store
• Open the Certificate Management Store by typing C:\windows\system32\certmgr.msc at the DOS prompt.
• Browse to the folder Personal > Certificates.
• Select the certificate, right-click and choose All Tasks > Export from the context menu. The Certificate Export Wizard opens.
• Select Yes, export the private key.
• In the PKCS #12 tab clear the checkbox Enable strong protection.
• Enter a password.
• Specify a file name (private_key.pfx in the example below).

Step 3 Copy the PKCS12 (.pfx) file to a UNIX client supporting OpenSSL (for example the Barracuda NG Firewall box)
Step 4 Convert the RSA Key from PKCS12 format to PEM format (encrypted)
• On the UNIX client, browse to the RSA Key. Type the following at the command line interface:

    # openssl pkcs12 -in private_key.pfx -nocerts -out priv.key

  priv.key specifies the file's name after conversion.

Step 5 Extract the private key and generate an OpenSSH SSH-2 private key (unencrypted)
• Therefore, type the following at the command line interface:

    # openssl rsa -in priv.key > ~/.ssh/id_rsa_my_priv_key

  id_rsa_my_priv_key specifies the file's name after decryption.
  ~/.ssh/ is an arbitrarily chosen path on the UNIX client.

Step 6 Log into the Barracuda NG Firewall
• Type the following at the command line interface:

    # ssh -i ~/.ssh/id_rsa_my_priv_key -lloginname dest-ip

  loginname specifies the name of the administrative account as defined in Step 1 (it is passed with the -l option).
  dest-ip specifies the Barracuda NG Firewall's login IP.

Depending on the client the key has been converted on, file permissions of the private key file possibly must be adapted. If the gateway refuses key usage, change file permissions by typing:

    chmod 600 ~/.ssh/id_rsa_my_priv_key

Note:
The transformed private key may be used with third party remote SSH clients. It may for example be utilized with SSH agents or be imported into PuTTYGen for further conversion into PuTTY's own file format (.ppk).

5.1.9 Software Update

The Software Update facility describes the delete-behavior on a software update.

To open, select Advanced Configuration > Software Update and double-click.

Fig. 363 Configuration Dialog - Software update

List 3110 Advanced Configuration - Software Update section Common Settings

Parameter Description

Clear on Success
    Should delete the rpm-file (the update-file) on successful update (default yes).

Clear on Failure
    Should delete the rpm-file (the update-file) on failed update (default no).

List 3111 Advanced Configuration - Software Update section Release Check

Parameter Description

Boottime Release Check
    If this option is set to no, no release consistency check is performed on startup of the Barracuda NG Firewall box. Especially on machines with a slower CPU this may reduce startup time by several minutes (default: yes).

5.1.10 Watchdog

The Watchdog facility is a means by which you may set certain limits on critical system resources and ensure to have them checked at least once a minute. In the emergence of massive resource over-consumption or unexpected termination of core processes, such as the control daemon or the SSH daemon, the watchdog will try to remedy the situation by means of a repair facility or, as a last resort, resetting the system.

As such the watchdog complements the functionality provided by the control daemon. Amongst other things the watchdog is useful to ensure that the control daemon remains up and running at all times. It is equally useful to ensure a swift take-over by an optional high-availability partner in case the system freezes due to hardware or file-system problems.

The downside of running a watchdog is that the system can get reset by watchdog if a configurable number of repair attempts in a row have not sufficed to remove the problem. In this case the system may not be able to complete the bootstrap without human intervention due to file system inconsistencies, which have been incurred by a potential emergency shutdown. It is therefore imperative to understand the working principle of the watchdog before activating it on systems to which you do not have immediate physical access.

As an intermediate step to full operation watchdog may be run in monitoring mode in which it will only report problems but not reboot the system. Yet, certain severe error conditions such as a full process table will still cause watchdog to carry out an unconditional reboot.

5.1.10.1 General Working Principle

The Linux kernel provides a special device /dev/watchdog, which, when opened, must be written to within a minute, or the system will be reset. Each write delays the reboot time for another minute. Watchdog is the daemon process delaying this reset by writing to /dev/watchdog at least once every minute if the system is still healthy. What healthy means is configurable to a certain extent. If the system is found to have a non fatal problem watchdog will pass the respective error code to a repair routine (/usr/sbin/repair). If the routine returns a zero exit code to watchdog the system is considered successfully repaired. If this is not the case the system will be soft-booted by the watchdog. The watchdog achieves this by making use of its own built-in shutdown procedure, so it does not have to rely on the availability of potentially critical system resources.

Note:
If the shutdown fails the system is hard-reset by the kernel. Since this is all about a software watchdog the ability to reboot will always depend on the hardware state of the machine and its interrupts.

5.1.10.2 Tests and Monitored Resources

Watchdog performs the following checks:

Table 324 Overview of the checks watchdog runs

Check whether | Configurable | Parameterisation | Recovery
process table is full | no | none | immediate reboot
file table overflow occurred | no | none | repair policy dependent
enough free memory available | yes | as percentage of total RAM plus swap | repair policy dependent
load average exceeds a max value | yes | separately for 1, 5 and 15 min. averages | repair policy dependent
a given process is still running | yes | separate settings for control and SSH daemon | repair policy dependent

If any of these checks except for the process table check fails, watchdog will invoke the repair binary (/usr/sbin/repair). If the process table is full the repair binary cannot be executed, therefore an immediate soft reset is the only available consequence. Should any of these tests last longer than one minute the machine will be rebooted as well.

5.1.10.3 Repair Logic

A "last resort" repair system must remain sufficiently simple to accomplish its task. If the checks or repair routine try to be too smart the decision process becomes error prone, with the effect that appropriate reaction is delayed and the kernel will eventually force a hard-reset of the system. The odd premature yet smooth reboot represents a mere nuisance whilst a single unnecessary hard reset can compromise system integrity. Still it is undesirable to have a system always reboot whenever the slightest resource limit infringement occurs. We thus provide the administrator with a choice of four repair policies by way of which watchdog's reaction to a problem may be influenced:

Note:
The maximum number of repair attempts applies to each monitored entity separately. This means that file table overflow and memory shortage, for example, are each allotted a separate counter.

Note:
Negative error codes designate special errors generated by the check routines of watchdog. All other errors conform to the standard error coding scheme of Linux.
Table 325 Listing of the four available error handling policies offered by the repair utility of the watchdog module

Policy [index] | Parameters | Description
Ignore_Errors [0] | none | Monitoring mode: if the repair binary is invoked, it will just log the error condition and then return 0 to the watchdog.
Repair_or_Ignore [1] | number of repair attempts | Default mode: The following severe errors will cause repair action if the maximum number of consecutive attempts has not been exceeded for the particular error type. Otherwise, a reboot is triggered.
    Error name | Error number | Description
    ENFILE | 23 | Too many open files in system
    ENOMEM | 12 | Cannot allocate memory
    ESRCH | 3 | No such process
    ENOENT | 2 | No such file or directory
    EINVMEM | -7 | /proc/meminfo contains invalid data
    EMAXLOAD | -3 | Load average too high
    ENOLOAD | -5 | /proc/loadavg contains no data
    All other errors are ignored and 0 is returned to watchdog.
Repair_or_Reboot [2] | number of repair attempts | Strict mode: behavior is exactly the same as described above except that all other not explicitly listed errors are returned to watchdog, causing a re-boot of the system. The idea behind this is that a repair action is only meaningful when the error cause is relatively well known.
Always_Reboot [3] | none | Paranoid mode: if the repair binary is invoked the error condition is logged and the error code is returned to watchdog, causing a re-boot of the system.
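The four repair policies of Table 325, the per-entity counters from the notes above and the repair actions of 5.1.10.4 below, modelled as a small Python simulation. This is an added illustration, not Barracuda code: the real /usr/sbin/repair binary is not reproduced, commands are only recorded as strings, the counter files under /var/run are a dict, and fd_limit and restart_ok are constructed stand-ins for the kernel file table size and for the pid check made after a restart.

```python
from dataclasses import dataclass, field

# Error codes the repair utility knows (Tables 325 and 326). Negative codes are
# special errors from watchdog's own check routines, the rest are Linux errno values.
ENOENT, ESRCH, ENOMEM, ENFILE = 2, 3, 12, 23
EMAXLOAD, ENOLOAD, EINVMEM = -3, -5, -7

# Repair policies by index (Table 325).
IGNORE_ERRORS, REPAIR_OR_IGNORE, REPAIR_OR_REBOOT, ALWAYS_REBOOT = range(4)

# Error code -> monitored entity (Table 326). Each entity has its own repair
# counter, modelled here as a dict instead of /var/run/watchdog.state.{fd,mem,load,pid}.
ENTITY = {ENFILE: "fd", ENOMEM: "mem", EINVMEM: "mem",
          EMAXLOAD: "load", ENOLOAD: "load", ESRCH: "pid", ENOENT: "pid"}

SUBSYSTEM_RESTART = ["/opt/phionctrl shutdown", "/opt/phionctrl startup"]
CONTROL_RESTART = ["/opt/phionctrl box stop control", "/opt/phionctrl box start control"]


@dataclass
class RepairSimulator:
    """Models the exit code /usr/sbin/repair hands back to watchdog (simulation only)."""
    policy: int = REPAIR_OR_IGNORE      # GUI parameter "Repair Mode"
    max_attempts: int = 3               # GUI parameter "Repair Attempts"
    service_mode: bool = False          # True while /var/run/watchdog.state.service exists
    fd_limit: int = 65536               # constructed start value for the file table size
    counters: dict = field(default_factory=dict)  # per-entity attempt counters
    actions: list = field(default_factory=list)   # commands that would have been run

    def _exhausted(self, entity):
        return self.counters.get(entity, 0) >= self.max_attempts

    def _count(self, entity):
        self.counters[entity] = self.counters.get(entity, 0) + 1

    def repair(self, err, process="control", restart_ok=True):
        """Return 0 (repaired or ignored) or the error code (watchdog soft-boots the box).

        `process` names the daemon behind ESRCH/ENOENT; `restart_ok` stands in for the
        pid check the real binary performs after restarting it (and after the subsystem
        restart that follows once the counter is exhausted).
        """
        self.actions.append(f"log error {err}")    # every policy logs the condition first
        if self.policy == IGNORE_ERRORS:            # monitoring mode: never more than a log line
            return 0
        if self.policy == ALWAYS_REBOOT:            # paranoid mode: every error is fatal
            return err
        entity = ENTITY.get(err)
        if entity is None:                          # not in the list of known errors
            return 0 if self.policy == REPAIR_OR_IGNORE else err
        if entity == "pid":
            return self._repair_process(err, process, restart_ok)
        if self._exhausted(entity):                 # attempts for this entity used up
            return err
        if entity == "fd":                          # file table overflow: +10 % descriptors
            self.fd_limit = int(self.fd_limit * 1.10)
            self.actions.append(f"raise file table size to {self.fd_limit}")
        else:                                       # memory shortage or load: restart subsystem
            self.actions.extend(SUBSYSTEM_RESTART)
        self._count(entity)
        return 0

    def _repair_process(self, err, process, restart_ok):
        if err == ESRCH and self.service_mode:      # maintenance window: ESRCH is ignored
            return 0
        if process == "ssh":                        # sshd: restart, counter never incremented
            self.actions.append("/etc/rc.d/init.d/ssh condrestart")
            return 0
        self.actions.extend(CONTROL_RESTART)        # controld: stop, start, then check
        if restart_ok:
            return 0                                # success leaves the counter untouched
        self._count("pid")
        if self._exhausted("pid"):                  # last resort: whole NGFW subsystem
            self.actions.extend(SUBSYSTEM_RESTART)
            return err                              # still down afterwards -> reboot
        return 0                                    # watchdog checks again next minute

    def reboot(self):
        """A reboot purges /var/run: all counters and the service indicator file go."""
        self.counters.clear()
        self.service_mode = False

    def restart_watchdog(self):
        """Restarting watchdog (e.g. on a configuration change) drops the counters only."""
        self.counters.clear()
```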

5.1.10.4 Repair Strategy

Depending on the passed type of error the repair binary will attempt to remedy the situation by appropriate counter measures. To this end we have assumed the following simple assignment of handed over error types to system problems:

Table 326 Error code to error origin assignment assumed by the repair utility

Error code | Assumed system problem
ENFILE (23) | Out of file descriptors (that is file table overflow)
ENOMEM (12), EINVMEM (-7) | Low on memory
EMAXLOAD (-3), ENOLOAD (-5) | Maximum allowed system load average exceeded
ESRCH (3), ENOENT (2) | Monitored process has died or its pid-file is missing

• File table overflow
  If a file table overflow occurs the repair binary will increase the number of available file descriptors by 10 %. If the error condition persists it will continue increasing the number of available file descriptors until the maximum number of repair attempts has been exhausted. The number of already undertaken repair attempts is written to file /var/run/watchdog.state.fd.
  Note:
  Increasing the number of available file descriptors will raise kernel memory consumption and may eventually lead to a memory shortage.

• Process termination
  Watchdog will at most monitor two daemon processes, the control daemon and the SSH daemon. It does so by checking whether the processes corresponding to the process ids given in /var/run/control.pid and /var/run/sshd.pid are still running, respectively. The strategy of the repair binary differs for the two daemons. If the control daemon is down it will first be stopped (/opt/phionctrl box stop control) and subsequently started (/opt/phionctrl box start control). Immediately afterwards a check is performed to determine whether or not the restart attempt has been successful. Only if the restart attempt has failed the repair counter is incremented and written to file /var/run/watchdog.state.pid. Finally, if the maximum number of repair attempts has been reached a last attempt to recover from the failure condition is made by shutting down and restarting the whole NGFW Subsystem (/opt/phionctrl shutdown; /opt/phionctrl startup). If the error condition persists, which means controld is still not running, a reboot is requested.
  If the SSH daemon is down an attempt to restart it is made by invoking /etc/rc.d/init.d/ssh condrestart. The repair counter is never incremented, thus allowing for an arbitrary number of restart attempts. The idea here is that repeated failures to activate SSHd are not deemed a sufficient condition to autonomously restart the system.
  Note:
  In order to facilitate system maintenance, for example for software updates which involve a temporary shutdown of either controld or sshd, the repair binary will ignore error code ESRCH if a file /var/run/watchdog.state.service exists. The Barracuda NG Firewall software update procedure will automatically create and remove this file. If you interact with the system on the command line make sure to touch and subsequently remove this file when shutting down or blocking controld. Alternatively, you may shutdown [restart] watchdog by invoking:
  /etc/rc.d/init.d/watchdog stop [start]

Due to the fact that Barracuda NG Firewalls are operated as dedicated systems, resource problems are most likely caused by Barracuda NG Firewall service processes being under too heavy load for the size of the system. To be on the safe side memory shortages or excessive loads are thus attributed to the operation of the NGFW Subsystem as a whole.

To block the watchdog-repair-routine it is necessary to start the /etc/phion/bin/servicemode and enter the required time in minutes.

• Memory shortage
  The NGFW Subsystem is shut down (/opt/phionctrl shutdown) and subsequently restarted (/opt/phionctrl startup). The number of such already undertaken repair attempts is written to file /var/run/watchdog.state.mem.

• Maximum load exceeded
  The NGFW Subsystem is shut down (/opt/phionctrl shutdown) and subsequently restarted (/opt/phionctrl startup). The number of such already undertaken repair attempts is written to file /var/run/watchdog.state.load.
  Note:
  The repair counters, just like the service indicator file, are automatically reset during a reboot, since all contents of /var/run are automatically purged by the system. Furthermore, all counter files, but not the service file, are deleted when watchdog is restarted; that also means whenever the configuration is changed.

• Operational Events
  Errors the repair binary generates related to system information are the events 34 [Critical System Condition], 510 [Invalid Argument], and 4202 [System Reboot] (see 5.2 Operational Events, page 537).

5.1.10.5 Watchdog GUI - Basic Setup

Select Advanced Configuration > Watchdog and double-click.

List 3112 Advanced Configuration - Watchdog Basic Setup section Monitoring Policy

Parameter Description

Run S.M.A.R.T
    This parameter (default: yes) creates an event if a critical condition occurs on a HD (Event-ID 34).

Run Watchdog
    States whether or not watchdog is active. Default is no.

List 3113 Advanced Configuration - Watchdog Basic Setup section Watchdog Repair Policy

Parameter Description

Repair Mode
    Only active when RUN WATCHDOG is set to yes. Defines the way in which errors are dealt with by the repair utility. See explanation above. Default is Repair_or_Ignore.

Repair Attempts
    Number of repair attempts per checked entity (default: 3). See explanation above.

5.1.10.6 Watchdog GUI - Watchdog Details

List 3114 Advanced Configuration - Watchdog Details section Watchdog Operational Setup

Parameter Description

Realtime Mode
    Set to yes (default) watchdog locks itself into memory, so it does never get swapped out. On a system under heavy load this setting minimizes the risk that the daemon process possibly might not manage to write to the kernel device in due time (60 s).

Scheduler Priority
    Sets the scheduler priority for operation in realtime mode. Leave this set to 1 unless you are a savvy Linux expert with deep operating system knowledge. Watchdog uses round-robin scheduling (SCHED_RR). The larger the number the higher the priority of the process. Standard user-space processes are usually assigned priority 0.

Check Interval [sec]
    The interval in seconds between two writes to the kernel device. The kernel driver expects a write operation at least once every 60 s. Each write is accompanied by a check on all monitored system entities.

List 3114 Advanced Configuration - Watchdog Details section Watchdog Operational Setup (continued)

Parameter Description

Verbose Logging
    Set to yes for verbose mode. This mode will log status information to syslogd with facility LOG_LPR. Syslogd forwards this log traffic to the syslog interface psyslogd which in turn will redirect the log stream into log tree node Box > Watchdog > Monitor. Load average, monitored process (pid) status, memory usage, and alive time of watchdog are reported.

Logtick
    Logtick allows adjustment of the number of intervals skipped before a verbose log message is written to syslogd. The default value of 3 already reduces log traffic and consequently disc space consumption by 66 %.

List 3115 Advanced Configuration - Watchdog Details section Watchdog Monitored Entities

Parameter Description

Max Memory Used
    Sets an upper bound for memory usage before the repair binary steps into action (default: 95 %).
    Note:
    Both RAM and swap space are taken into account.

Check System Load
    Set to yes (default) in order to have watchdog monitor the average system load.

Max Load [1min]
    Maximum 1 min average system load. Default is 24.

Max Load [5mins]
    Maximum 5 mins average system load. Default is 18.

Max Load [15mins]
    Maximum 15 mins average system load. Default is 12.

Watch Control Daemon
    Set to yes to have watchdog monitor the process state of control daemon. See the explanation above for details.

Watch SSH Daemon
    Set to yes to have watchdog monitor the process state of SSH daemon. See the explanation above for details.

Note:
Whenever the repair utility is invoked it will log the error passed to it by watchdog and all actions taken by it into log tree node Box > Watchdog > Sysrepair. Moreover you will be actively notified by the event notification mechanism.

5.2 Box Settings Infrastructure Services

5.2.1 Authentication Service

External user authentication for different services is provided by the Barracuda Networks infrastructure daemon (aka phibsd).

Fig. 364 Scheme for external authentication provided by the Barracuda Networks infrastructure daemon
[Figure: Laptop / VPN client with User / Password, Barracuda NG Firewall with its Authentication Scheme, the Authentication Schemes MSNT, MSAD, MS-CHAP, LDAP, RADIUS, RSA ACE and OCSP, and the back ends ADS/NT Directory Service, LDAP Directory, RADIUS Server, MSAD Server and RSA ACE Server.]

Note:
OCSP is not available for direct end user authentication but is used for online certificate verification by the VPN server.

The internal mechanism is as follows:

Step 1 A service like vpn or proxy is configured to perform external user authentication. In its configuration it has to know a scheme to do that.

Step 2 It gives the authentication request together with the scheme name to the Barracuda Networks infrastructure daemon, which tries to authenticate the user according to the received scheme by itself.

To provide both referential integrity and flexibility, there are predefined schemes which can be referenced by all services. Due to their underlying authentication facility they are called:
• MSNT (see 5.2.1.7 MSNT Authentication)
• Active Directory (see 5.2.1.1 MSAD Authentication, page 111 and 5.2.1.2 MS-CHAP Authentication, page 112)
• LDAP (see 5.2.1.3 LDAP Authentication, page 113)
• RADIUS (see 5.2.1.4 Radius Authentication, page 114)
• RSA ACE (see 5.2.1.5 RSA-ACE Authentication, page 114)
• OCSP (Online Certificate Status Protocol; see 5.2.1.8 OCSP Authentication, page 115)

Note:
For testing your authentication schemes without having/configuring proxy and VPN, Barracuda Networks provides a tool called phibstest (located in /opt/phion/bin). Use phibstest -h for additional information concerning the usage of this tool.

Furthermore, you can introduce more schemes to authenticate users, but you are not allowed to give them one of the names above. It is also forbidden to use the name local since it is used by the services to use internal authentication.

To open, select Infrastructure Services > Authentication Service and double-click.

5.2.1.1 MSAD Authentication

Fig. 365 Configuration Dialog - MSAD Authentication

Attention:
If the Active Directory of the Windows 2003 Server domain is running in Native mode, it is mandatory to deactivate Kerberos pre-authentication for each user.

List 3116 MSAD Authentication
Parameter | Description
Activate Scheme | Setting to yes (default: no) starts the corresponding authentication processes and makes the configuration section Domain Controller Name available.
Method | This is the authentication method the scheme utilizes (read-only).
Basic | Click the Insert button to enter the domain controller configuration dialog. See list 3117, list 3118, and list 3119 for parameter description.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory: in this case configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme (in the VPN configuration). Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

List 3117 MSAD Authentication Basic section Basic
Parameter | Description
Domain Controller Name | This is the name of the primary domain controller without domain suffix. The name must be DNS-resolvable.
Domain Controller IP | Optionally, insert the IP address of the domain controller. If given, the IP address overrules the host name.
Active directory searching user | This is the DN (Distinguished Name) of the user with permission to search MSAD (Microsoft Active Directory) and to view group information. Note: The distinguished name can be viewed in the attribute field of the user (management console) (Appendix 1.1.1 MSAD, page 544).
AD searching user password | These fields expect the searching user's password.
Base DN | This parameter specifies where to search for user information. The more ample the Base DN is configured (for example only DC=), the longer the search will take.
Use MSAD-groups with NTLM | Set to yes (default: no) to synchronize user groups from MSAD periodically and let the Barracuda NG Firewall handle them offline. MSAD offline-groups are needed for NTLM authentication. Note: If you have configured an MS-CHAP Authentication Scheme at the same time, see Netbios Domain Name, page 112 for details on domain name assignment.
Cache MSAD-groups | Setting to yes (default: no) enables the MSAD searching user to retrieve group information from the periodically synchronized database. Querying the database will reduce network traffic and server load on the MSAD server. Note: Set parameter Use MSAD-groups with NTLM (see above) to yes if you want to use this function.
Offline sync (every n min./hour) | This parameter specifies how often to synchronize the offline database. Default setting is every 60 minutes (once per hour).

Attention:
Having the domain as BaseDN (for example DC=xyz,DC=com) can cause problems as Active Directory may refuse the BaseDN lookup. The behavior is irrational, though. If possible, add an OU= entry to your BaseDN.

Note:
Please consider that the administrator must have corresponding read access.

List 3118 MSAD Authentication Basic section Mail Lookup
Parameter | Description
Additional Mail Fields | Enhanced mail lookup for the mail gateway's recipient lookup: the MSAD field proxyAddresses, which is used in MSAD for the mail aliases, is searched as well, so all mail addresses configurable in MSAD will be found by a Mail Gateway recipient lookup. The configuration field Additional Mail Fields takes a comma separated list of meta-directory field names which are searched for a mail address too. This configuration field may not contain spaces. Only LDAP attributes are allowed (explicit), and no GUI description fields. If you are not sure, use an LDAP browser. In contrast to the default fields mail and proxyAddresses, all additional fields are searched by means of pattern search (prepended * and appended *).

List 3119 MSAD Authentication Basic section Extended
Parameter | Description
Use SSL | Select the Use SSL checkbox to establish the connection to the LDAP directory using SSL.
Follow Referrals | Select the Follow Referrals check box to search the MSAD Global Catalogue and follow LDAP referrals.
Max. Hops for Referrals | This field specifies the maximum number of referrals to follow.

5.2.1.2 MS-CHAP Authentication

The Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP V2) authentication method can be used to authenticate VPN clients over PPTP and L2TP. In addition, it can be used for proxy authentication. To use the MS-CHAPv2 authentication method with a Barracuda NG Firewall it is required to integrate the Barracuda NG Firewall as a member into a Windows domain (NT4, Windows 2000, and Windows 2003 domains).

Note:
Use the Domain Control button, accessible through the Box tab in the Control Center, to add a Barracuda NG Firewall to a Windows domain (Control 2.6 Box Tab, page 38).

List 3120 Parameters for MS-CHAP Authentication
Parameter | Description
Activate Scheme | Setting to yes (default: no) starts the authentication processes required for this scheme and activates the domain configuration fields below.
Method | This is the authentication method the scheme utilizes (read-only).
Domain Realm | This is the name of the Windows domain the authenticator is going to query.
Netbios Domain Name | If the NetBIOS domain name differs from the MS Active Directory domain name, insert the NetBIOS domain name into this field. The NetBIOS domain name is applicable when a user logs on to a Windows domain. Domain name association must therefore be specified unambiguously, in order to guarantee a user's correct group assignment. Note: This configuration option is of importance especially in conjunction with: user group synchronisation, which is needed for NTLM authentication (see Use MSAD-groups with NTLM, page 112); URL Filter configuration when user group filters apply (see Affected Groups / Users, page 363).
Workgroup Name | MS Active Directory workgroup name. Use this field if the workgroup name differs from the MS Active Directory domain name (Domain Realm).
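The recipient lookup of List 3118 (exact match on mail and proxyAddresses, pattern search on the Additional Mail Fields), modelled here as an added example that is not the Barracuda NG Firewall's own code. The directory entries are constructed, and the "smtp:" prefix on proxyAddresses values is an assumption about how Active Directory stores alias addresses.

```python
# Added example; not code from the Barracuda NG Firewall or its documentation.
# It models the MSAD recipient lookup of List 3118: the default fields mail
# and proxyAddresses are matched exactly, the attributes listed in Additional
# Mail Fields by pattern search (*address*). The directory entries are
# constructed sample data, and the "smtp:" prefix on proxyAddresses values
# is an assumption about how Active Directory stores alias addresses.
import re


def parse_additional_fields(value):
    """Validate the Additional Mail Fields setting: a comma separated list of
    LDAP attribute names without spaces (an empty string means none)."""
    if value == "":
        return []
    if " " in value:
        raise ValueError("Additional Mail Fields may not contain spaces")
    fields = value.split(",")
    if any(field == "" for field in fields):
        raise ValueError("empty attribute name in Additional Mail Fields")
    return fields


def ldap_escape(value):
    """Escape a value for use inside an LDAP filter (RFC 4515) so that a
    recipient address cannot smuggle wildcards or extra filter terms in."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_recipient_filter(address, additional_fields):
    """Build the OR filter the lookup sends for one recipient address."""
    esc = ldap_escape(address)
    terms = ["(mail=%s)" % esc, "(proxyAddresses=smtp:%s)" % esc]
    terms += ["(%s=*%s*)" % (field, esc) for field in additional_fields]
    return "(|" + "".join(terms) + ")"


_TERM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry, ldap_filter):
    """Evaluate a flat OR filter from build_recipient_filter against one
    entry (attribute name -> list of values). Exact terms and *substring*
    terms are supported, which is all the lookup generates; comparison is
    case-insensitive, as it is for mail attributes in Active Directory."""
    for attr, pattern in _TERM.findall(ldap_filter):
        values = [v.lower() for v in entry.get(attr, [])]
        if pattern.startswith("*") and pattern.endswith("*"):
            needle = _unescape(pattern[1:-1]).lower()
            if any(needle in v for v in values):
                return True
        elif _unescape(pattern).lower() in values:
            return True
    return False


def lookup_recipient(address, directory, additional_fields=""):
    """Return the DNs of entries the recipient lookup accepts for address."""
    fields = parse_additional_fields(additional_fields)
    ldap_filter = build_recipient_filter(address, fields)
    return [e["dn"] for e in directory if entry_matches(e, ldap_filter)]


# Constructed sample directory: one user with an alias and a legacy address
# kept in a custom attribute, and one user without aliases.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com",
     "mail": ["alice@example.com"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"],
     "extensionAttribute1": ["legacy: alice.smith@old.example.com"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com",
     "mail": ["bob@example.com"],
     "proxyAddresses": ["SMTP:bob@example.com"]},
]

if __name__ == "__main__":
    print(lookup_recipient("a.smith@example.com", SAMPLE_DIRECTORY))
    print(lookup_recipient("alice.smith@old.example.com", SAMPLE_DIRECTORY,
                           "extensionAttribute1"))
```

The legacy address is only found once extensionAttribute1 is listed in Additional Mail Fields, and a recipient address containing "*" is escaped rather than widening the search.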



Configuration Service Box Settings Infrastructure Services < Managing the System | 113

List 3120 Parameters for MS-CHAP Authentication (continued)
Parameter | Description
Domain Controller | This is the IP address of the domain controller. Note: If you have additionally configured an MSAD authentication scheme (see 5.2.1.1 MSAD Authentication) utilising the option Use MSAD-groups with NTLM (see page 112), the Barracuda NG Firewall must be able to resolve the DNS name of the Domain Controller.
WINS Server | This is the IP address of the domain's Windows Internet Name Service (WINS) server. Note: If you have additionally configured an MSAD authentication scheme (see 5.2.1.1 MSAD Authentication) utilising the option Use MSAD-groups with NTLM (see page 112), the Barracuda NG Firewall must be able to resolve the DNS name of the WINS server.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).
Net Join Status | This field is a read-only informational field showing the status of the join to the Windows domain.

5.2.1.3 LDAP Authentication

List 3121 Parameters for LDAP Authentication section LDAP
Parameter | Description
Activate Scheme | If set to yes (default: no) the corresponding authentication processes are started and the configuration section LDAP Base DN is available.
Method | Displays the selected method (read-only field).
LDAP Base DN | Distinguished name for the user organisational unit.
LDAP Server | IP address the LDAP authenticator asks.
LDAP Server Port | Port of the LDAP server (default: 389).
LDAP User Field | Name of the User field in the LDAP directory.
LDAP Password Field | Name of the Password field in the LDAP directory.
LDAP Admin DN | Name of an administrator who is authorized to perform requests.
LDAP Admin Password | Password of an administrator who is authorized to perform requests.
Group Attribute | Name of the attribute field on the LDAP server containing group information. Note that attribute fields on LDAP servers are customisable. If you are unsure about the required field name, the LDAP server administrator will be able to provide the correct information. Note: Services that process group information (for example URL Filter, see Affected Groups / Users, page 363) require Group Attribute specification. They will not be able to match group conditions if the attribute field is not specified or is specified incorrectly.
Use SSL | When selected the authenticator uses SSL for connections to the authentication server.
Bind To Authenticate | When selected the authenticator directly logs on to the LDAP server for verification of user authentication data. Use this option when the LDAP server does not expose user passwords but instead hides them even from an administrator's view.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).



114 | Managing the System > Box Settings Infrastructure Services Configuration Service

5.2.1.4 Radius Authentication

Fig. 366 Configuration Dialog - Radius

List 3122 Parameters for Radius Authentication
Parameter | Description
Activate Scheme | If set to yes the corresponding authentication processes are started.
Method | Displays the selected method (read-only field).
Radius Server Address | IP address the RADIUS authenticator asks.
Radius Server Port | Port of the RADIUS server (default: 1812).
Radius Server Key | Pre-shared secret to authorize the request. Attention: Do not use backslashes in your key.
Group Attribute | Due to the structure of RADIUS and its implementation in the Barracuda NG Firewall, the group information has to be entered into Login-LAT-Group (as defined in this read-only field) in order to be processed.
Group Attribute Delimiter | The delimiter divides groups and therefore allows you to use more than one group. The standard options are None (default) and Blank. By ticking the check box Other it is possible to enter any character that indicates a group info change.
Group Attribute Usage | Through this parameter you define the group information that is going to be used (for example, CN=, OU=, DC=). The available options are All (default), First and Last.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
NAS-ID | This is the NAS identifier.
NAS IP Address | Some RADIUS servers require NAS credentials to be set. Define the IP address in this field.
NAS IP Port | Some RADIUS servers require NAS credentials to be set. Define the IP port in this field.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.5 RSA-ACE Authentication

Fig. 367 Configuration Dialog - RSA SECURID

List 3123 Parameters for RSA-ACE Authentication
Parameter | Description
Activate Scheme | If set to yes the corresponding authentication processes are started.
Method | Displays the selected method (read-only field).
RSA Unique Name | Displays the name of the RSA server (read-only field).
RSA Configuration File | This parameter serves to import/export the configuration file that is provided by the RSA SecurID server (sdconf.rec).
RSA Server IP | This is the IP address of the RSA Server.
RSA Slave-Server IP | Optionally it is possible to enter a slave server in order to maintain connectivity.
DNS Resolved IP | This IP address indicates the one that is used to connect to the RSA server. If this IP address does not correspond to the client IP configured on the server, the connection will be refused.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.6 TACACS+ Authentication

Fig. 368 Configuration Dialog - TACACS+

List 3124 Parameters for MSNT Authentication
Parameter | Description
Activate Scheme | Setting to yes (default: no) starts the corresponding authentication processes and makes the configuration section TAC+ IP Address available.
Method | This is the authentication method the scheme utilizes (read-only).
TAC+ IP Address | This is the host name of the system the authenticator asks. The host name has to be DNS-resolvable by the name server the Barracuda NG Firewall queries. Click the Insert button to enter the domain controller configuration dialog.
TAC+ IP Address | IP address of the TACACS+ server.
TAC+ ID Port | ID Port information. E.g.: tty10
TAC+ Server Port | TCP port of the TACACS+ server.
TAC+ Key | DES encryption key.
Timeout (s) | Authentication timeout in seconds.
TAC+ Login Type | TACACS+ login type (inbound).



Configuration Service Box Settings Infrastructure Services < Managing the System | 115

5.2.1.7 MSNT Authentication

Fig. 369 Configuration Dialog - MSNT

List 3125 Parameters for MSNT Authentication
Parameter | Description
Activate Scheme | Setting to yes (default: no) starts the corresponding authentication processes and makes the configuration section Domain Controller Name available.
Method | This is the authentication method the scheme utilizes (read-only).
Domain Controller Name | This is the host name of the system the authenticator asks. The host name has to be DNS-resolvable by the name server the Barracuda NG Firewall queries. Click the Insert button to enter the domain controller configuration dialog.
Domain Controller Name | This is the name of the primary domain controller without domain suffix. The name must be DNS-resolvable.
Domain Name | This is the name of the domain.
Domain Controller IP | Insert the IP address of the domain controller. This IP address overrules the host name.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the RADIUS scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.8 OCSP Authentication

Fig. 370 Configuration Dialog - OCSP

List 3126 Parameters for OCSP Authentication
Parameter | Description
Activate Scheme | If set to yes (default: no) the corresponding authentication processes are started.
Method | Displays the selected method (read-only field).
Max. Validity Discrepancy (sec.) | Defines the permitted time gap between the Barracuda NG Firewall and the OCSP server (default: 300 seconds). If the time difference exceeds this limit, requests are counted as not valid.
Max. Status Age (sec.) | Specifies the maximum status age of requests (default: -1, that is unlimited). OCSP servers hold files containing the current status and attach this value to the info section. As soon as this threshold is exceeded the request is counted as not valid.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.9 Additional Schemes

Use this configuration section to introduce additional authentication schemes. An additional scheme may for example configure usage of a second proxy server in your network with an alternative authentication server. The number of additional schemes has no limitation. The available settings/options are the same as the ones described under 5.2.1 Authentication Service, page 111.

Note:
References to additional schemes are not checked for integrity. Be aware that schemes may be deleted even though VPN users rely on their existence.

5.2.1.10 Explicit Groups

This tab allows assigning user names to groups (especially for authentication schemes that do not provide group information, such as MSAD or RSA ACE).

List 3127 Parameters for Explicit Authentication
Parameter | Description
Explicit Groups | Use the Edit, Insert and Delete buttons to modify the configuration of Explicit Groups.
Explicit Groups > Group Name | Define a group name here.
Explicit Groups > Login Name | Create users here which should belong to the group just defined. Be sure to add the users to the listing on the right by clicking Insert.
External DB Files | If group/user information is already available in Berkeley DB files, a reference to these files may be placed here.

5.2.1.11 Timeouts and Logging

List 3128 Parameters for Timeouts and Logging section Log Settings
Parameter | Description
Log Groups | Set to yes if user group information should be reported in the log.
Log Add. Meta-directory Fields | Set to yes if additional meta-directory fields should be reported in the log.

List 3129 Parameters for Timeouts and Logging section Timeout Settings
Parameter | Description
Request Timeout (sec) | Define the authentication timeout here.
Challenge Timeout (sec) | Define the NTLM/MS-CHAP challenge timeout here.
RSA Next Token Timeout (sec) | RSA/ACE timeout reset period.
Cache Timeout (sec) | Timeout for negative authentication in seconds. A negative authentication will be cached for the defined period, thus rapid retries will not block the authentication worker.

List 3130 Parameters for Timeouts and Logging section Expert Settings
Parameter | Description
Client Codepage | Defines the translation of characters between systems that are using different codepages.



116 | Managing the System > Box Settings Infrastructure Services Configuration Service

5.2.2 Host Firewall Rules

See Firewall 3. Local Rules, page 171.

5.2.3 Syslog Streaming

The Syslog Streaming configuration defines the handling of log file messages which are to be transferred to another system for analysing purposes. Log messages of CC-administered boxes can be transmitted to their CC (CC Syslog server), but they can just as well be transmitted to any other system designed for log file collection. The following configuration sections allow specification of the transmission process.

Note:
If log messages are transferred to a Barracuda Networks CC Syslog Server, please consult Barracuda NG Control Center 11. CC Syslog, page 471 for additional information.

5.2.3.1 Basic Setup

List 3131 Infrastructure Services - Syslog Streaming - Basic Setup section Operational Setup
Parameter | Description
Idle Mode | Syslogging is activated by default (setting no, which means not idle). If Idle Mode is set to yes, the Barracuda NG Firewall box does not stream log files to the defined syslog server.
Max Queued Messages | Via this parameter, the maximum possible number of log entries fitting into the output queue can be defined (default 4096). The out-message queue is used when writing to disk, transferring to CC or when having relay targets (external log host). If the number of entries in the output queue exceeds this limit, further log entries are lost. It is therefore important to set this parameter to the estimated number of messages in a message burst. If bursts exceed the bandwidth of the external log host, the syslog engine can buffer the messages and feed them into the destination pipe after the burst has collapsed.
Max Int TCP Conns | This parameter applies to the maximum number of concurrent loopback connections to the syslog proxy. Since this number normally is very low, the default value (50) can be used.
TCP Retry Interval | The time to wait before an expired connection (to CC or external log host) is re-established. Note that this parameter only applies to log destinations with TCP specified as Transmission Mode.
GC Idle Threshold | Note: This parameter is only available in Advanced View mode. This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated when idle (no messages within 10 ms; default: 200).
GC Busy Threshold | Note: This parameter is only available in Advanced View mode. This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated even when busy (default: 3000). If this limit is exceeded messages will be lost.

List 3132 Infrastructure Services - Syslog Streaming - Basic Setup section System Identification & Authentication
Note:
This parameter group is only available in Advanced View mode.
Parameter | Description
Use Box Certificate/Key | Defines the certificate/key used by the box for SSL based authentication to a destination system. Setting this parameter to yes (as it is by default) means that the actual box certificate and private key as listed in configuration node Identity are used. No means that a separate service specific certificate is used (see entries below). Note: Set this parameter to yes if log files are streamed without SSL Encapsulation, as setting no turns SSL Private Key and Certificate into mandatory values.
SSL Private Key | If the parameter above is set to no, this value contains the 1024 bit RSA key optionally used for SSL based authentication.
SSL Certificate | If the parameter above is set to no, this value contains the digital X.509v3 compliant self-signed certificate (by the key above) used for SSL based authentication.

5.2.3.2 Logdata Filters

Section LOG FILTERS
This section enables defining profiles specifying the log file types to be transferred / streamed.

Fig. 371 Infrastructure Services - Syslog Streaming - Logdata Filters section Top Level Logdata
Parameter | Description
Data Selection | The log files offered for selection here are superordinate log files built up of several instances of box and service levels. The following data can be selected: Fatal_log: These are the log contents of the fatal log (log instance name: fatal). Firewall_Audit_Log: These are the log contents of the firewall's machine readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the Firewall Parameter Settings on box level (see SECTION Audit Info Generation > Audit-Delivery: Syslog-Proxy). The log instance name corresponding to Syslog-Proxy selected will be trans7. Note: When "Log-File" is selected in the firewall's configuration the data will go into a log file named Box->Firewall->audit (which means the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent one then would be a selection of category "Firewall" within the box selection portion of the filter.

List 3133 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Box Logdata
Parameter | Description
Data Selector | This parameter defines what kind of box logs are to be affected by the syslog daemon. The following options are available: All (any kind of box log is affected), None (none is affected) and Selection (default; activates parameter group Data Selection, see below).



Configuration Service Box Settings Infrastructure Services < Managing the System | 117

List 3133 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Box Logdata (continued)
Parameter | Description
Data Selection | Take into consideration that this parameter group is only available if parameter Data Selector is set to Selection. The following parameters are available for configuration:
Data Selection > Log Groups | This menu offers every log group for selection that is available on a Barracuda NG Firewall (for example Control, Event, Firewall, ...).
Data Selection > Log Message Filter | This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher. As can be seen, the available options are "group selections". If one explicit log type is required, choose Selection and set the wanted type in parameter Selected Message Types, see below.
Data Selection > Selected Message Types | This parameter allows setting explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

List 3134 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Service Logdata
Parameter | Description
Data Selector | This parameter defines what kind of logs created by services are to be affected by the syslog daemon. The following options are available: All (any kind of service log is affected), None (none is affected) and Selection (default; activates parameter group Data Selection, see below).
Data Selection | Take into consideration that this parameter group is only available if parameter Data Selector is set to Selection.
Data Selection > Log Server-Services | Here you define the server and service where log messages are streamed from.
Data Selection > Log Message Filter | This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher.
Data Selection > Selected Message Types | This parameter allows setting explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

5.2.3.3 Logstream Destinations

This section enables defining profiles specifying the transfer / streaming destination of log messages.

List 3135 Infrastructure Services - Syslog Streaming - Logstream Destinations section Destination Address
Parameter | Description
Remote Loghost | Since a CC-administered box knows its corresponding MC's IP address, a predefined destination Barracuda NG Control Center can be selected. When an external log host is used, the setting explicit IP (default) activates the parameter Loghost IP Address (see below) where the destination IP has to be entered.
Loghost IP Address | This parameter is only available if Remote Loghost has been set to explicit IP. In this case, the destination IP address of an external log host has to be entered here.
Loghost Port | This parameter defines the destination port for delivering syslog messages. The Barracuda Networks CC syslog service listens on port TCP 5143 for SSL connections and on TCP and UDP port 5144 for unencrypted streaming. The default is to use encryption for delivery, therefore port 5143 is preconfigured. Attention: If you change the port assignment to another port, adjusting the local firewall rule set might become necessary.

List 3136 Infrastructure Services - Syslog Streaming - Logstream Destinations section Data Transfer Setup
Parameter | Description
Transmission Mode | This parameter allows selecting the transmission protocol (TCP or UDP, with UDP as default; for SSL connections TCP is set automatically).
Sender IP | Defines the IP address used for sending the log data.
Use SSL Encapsulation | This option may be turned off when the log stream is transmitted to the CC and the box has a management tunnel to the CC. For CC transmission without box tunnel, activating this option is recommended. Note also that transmission to a non-Barracuda NG Firewall system should be SSL encapsulated for reasons of privacy.
Peer SSL Certificate | This parameter is only active if the destination system is not a Barracuda NG Control Center. The Peer SSL Certificate is needed when verify_peer_with_locally_installed_certificate has been defined at parameter SSL Peer Authentication and parameter Use SSL Encapsulation has been set to yes.
SSL Peer Authentication | Defines the way in which a destination system is authenticated when using SSL based authentication (authentication of the destination server by the box being a client). The list offers the following choices: verify_peer_with_locally_installed_certificate (default): the destination system is verified against a locally stored certificate, either in the respective destination section or the MC's certificate. This setting is useful when log messages are delivered to a system outside the scope of Barracuda NG Control Centers. Note: For centrally administered Barracuda NG Firewalls this is the only applicable option. verify_peer_certificate: the destination system is verified against a locally stored CA certificate. no_peer_verification: the peer is considered as trusted without verification. Attention: For security reasons it is NOT recommended to use no_peer_verification.

List 3137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging
Parameter | Description
Override Node Name | The log entities sent to an external log host contain the name and structural information (range/cluster) of the sending box and the name of the log file. With this parameter set to yes this information can be overridden (default: no).
Explicit Node Name | Only available if Override Node Name is set to yes. With this value an explicit node name can be set. This node name is inserted into each log entity sent to the external log host.
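A check of one Logstream Destination profile against the dependencies stated in Lists 3135 to 3137 (port and SSL pairing, peer authentication, fields that only apply with Override Node Name), written as an added example and not as the Barracuda NG Firewall's own code. The dictionary keys, the option strings "explicit IP" and "Barracuda NG Control Center", and the management_tunnel_to_cc flag are names chosen for this example.

```python
# Added example; not code from the Barracuda NG Firewall or its documentation.
# It checks a Logstream Destination profile against the rules of Lists 3135
# to 3137. The dictionary keys and the option strings below are names chosen
# for this example, not the product's configuration identifiers.

CC_SSL_PORT = 5143    # CC syslog service, SSL over TCP (preconfigured default)
CC_PLAIN_PORT = 5144  # CC syslog service, unencrypted, TCP and UDP

PEER_AUTH_MODES = (
    "verify_peer_with_locally_installed_certificate",  # default
    "verify_peer_certificate",
    "no_peer_verification",
)


def effective_transmission_mode(dest):
    """SSL encapsulation forces TCP; otherwise the configured mode is used."""
    if dest.get("use_ssl_encapsulation", True):
        return "TCP"
    return dest.get("transmission_mode", "UDP")


def check_destination(dest):
    """Return a list of findings for one destination profile (empty = clean)."""
    findings = []
    to_cc = dest.get("remote_loghost", "explicit IP") == "Barracuda NG Control Center"
    ssl = dest.get("use_ssl_encapsulation", True)
    port = dest.get("loghost_port", CC_SSL_PORT)
    auth = dest.get("ssl_peer_authentication", PEER_AUTH_MODES[0])

    # Destination Address (List 3135)
    if not to_cc and not dest.get("loghost_ip_address"):
        findings.append("Loghost IP Address is required when Remote Loghost is 'explicit IP'")
    if to_cc:
        expected = CC_SSL_PORT if ssl else CC_PLAIN_PORT
        if port != expected:
            findings.append("CC syslog service expects port %d for this SSL setting, got %d"
                            % (expected, port))
    elif port not in (CC_SSL_PORT, CC_PLAIN_PORT):
        findings.append("non-default port %d: check the local firewall rule set" % port)

    # Data Transfer Setup (List 3136)
    if not ssl and not to_cc:
        findings.append("unencrypted stream to a non-CC system: enable Use SSL Encapsulation")
    if not ssl and to_cc and not dest.get("management_tunnel_to_cc", False):
        findings.append("no management tunnel to the CC: enable Use SSL Encapsulation")
    if auth not in PEER_AUTH_MODES:
        findings.append("unknown SSL Peer Authentication value %r" % (auth,))
    if ssl and auth == "no_peer_verification":
        findings.append("no_peer_verification trusts any server: use "
                        "verify_peer_with_locally_installed_certificate")
    if ssl and auth == PEER_AUTH_MODES[0] and not to_cc and not dest.get("peer_ssl_certificate"):
        findings.append("Peer SSL Certificate is required for "
                        "verify_peer_with_locally_installed_certificate")

    # Log Data Tagging (List 3137)
    if not dest.get("override_node_name", False) and (
            dest.get("explicit_node_name") or dest.get("prepend_hierarchy_info")):
        findings.append("Explicit Node Name / Prepend Hierarchy Info only apply "
                        "when Override Node Name is yes")
    return findings


# Constructed profiles: the CC destination with defaults, and an external
# collector that was switched to plain UDP on port 514.
CC_DESTINATION = {
    "remote_loghost": "Barracuda NG Control Center",
    "loghost_port": 5143,
    "use_ssl_encapsulation": True,
    "ssl_peer_authentication": "verify_peer_with_locally_installed_certificate",
}
EXTERNAL_PLAIN = {
    "remote_loghost": "explicit IP",
    "loghost_ip_address": "192.0.2.10",
    "loghost_port": 514,
    "use_ssl_encapsulation": False,
    "transmission_mode": "UDP",
}

if __name__ == "__main__":
    for name, dest in (("CC", CC_DESTINATION), ("external", EXTERNAL_PLAIN)):
        print(name, effective_transmission_mode(dest), check_destination(dest))
```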



118 | Managing the System > Box Settings Infrastructure Services Configuration Service

List 3137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging

Prepend Hierarchy Info
  Only available if Override Node Name is set to yes. This parameter allows fine tuning of the prefix which is inserted into each log entity sent to the external log host.
Add UTC Offset
  Log files generated on a box are stamped with the local box time. The UTC time offset compared to the local time is recorded though, and can be examined in the TZ column in the log viewer (Log Viewer 2.3 View Segment, page 308). The UTC time offset information is not included by default (setting: no) when log files are streamed to the Barracuda NG Control Center. Setting it to yes adds the UTC time offset information to streamed log files, so that these files can be analyzed uniformly when the CC collects log files from multiple boxes placed in various time zones.

5.2.3.4 Logdata Streams

By configuring this section, relations between log patterns and log destinations are established. Each log pattern (a sort of filter) can thus be combined with a log destination, allowing fine-grained target selection.

Note:
With Barracuda CC Control selected as Remote Loghost the streamed log files will be stored under /phion0/mlogs/range/cluster/box on the CC.

List 3138 Infrastructure Services - Syslog Streaming - Logdata Streams section Stream Configuration

Active
  This parameter allows you to activate/deactivate the selected log stream profile. By default, for example when creating a new profile, this parameter is set to yes.
Log Destinations
  Here the available log destinations (defined in 5.2.3.3 Logstream Destinations, page 117) can be selected.
Log Filters
  Here the available log patterns (defined in 5.2.3.2 Logdata Filters, page 116) can be selected.

5.2.4 Control

Browse to Infrastructure Services > Control to open the configuration area. Among other things, the configuration options in this place allow you to define the limits determining when the events High System Load (Event-ID 30) and Excessive System Load (Event-ID 31) are generated. They also allow you to customize the time interval after which idle Barracuda NG Admin and SSH sessions are automatically terminated.

5.2.4.1 Monitoring Setup

List 3139 Infrastructure Services - Control - Monitoring Setup section Monitoring Parameters

Startup Poll Interval [secs]
  This parameter specifies the period of time that has to expire after booting or activating the network until an HA action can take place (default: 10). This is important especially with "slow learning" NICs that need quite some time after booting/activating until the link is up.
Regular Poll Interval [secs]
  This parameter defines the amount of time between the HA heartbeats. The smaller the value, the faster an HA reaction can take place (default: 5 seconds). The default value prevents too fast HA take-overs. When you are using the firewall with transparent failover you may set this parameter to 1 second, but take into consideration that the partner system then reacts instantly with a take-over during server starts/stops or network activation. In this case, block the server first before doing anything else.
  Note:
  This parameter also affects the reaction time for activating/deactivating routes and servers (Monitor IPs).

List 3140 Infrastructure Services - Control - Monitoring Setup section HA Monitoring Parameters

Translated HA IP (sub-parameters: Translated HA IP, Alternative HA IP, Usage, Policy, Description)
  For network setups providing a private uplink between two HA boxes, it is possible to define a translation table specifying the IP address to use for communication between the two HA partners. The Translated HA IP thereby identifies a box's primary Management IP as specified in the Box Network configuration dialog (Management IP (MIP), page 62). The Alternative HA IP is part of the private uplink network defined through section Additional Local Networks, page 62. The parameter Usage allows specifying how to proceed if the alternative HA IP becomes unavailable.
  Attention:
  Take into consideration that the Alternative IP addresses must be added manually to the corresponding firewall rule (inbound).
  Note:
  See High Availability 2. Setting up a HA System, page 402 for a configuration example using Translated HA IPs in a private uplink network.

List 3141 Infrastructure Services - Control - Monitoring Setup section ICMP Gateway Monitoring Exemptions

No Probing for Interfaces
  This parameter allows excluding gateways that are reachable via the selected interface types from regular ICMP-based probing. The following interfaces are available: UMTS-Link, xDSL-Link, DHCP-Link, ISDN-Link, SERIAL-Link.

5.2.4.2 Administrative Sessions

List 3142 Infrastructure Services - Control - Administrative Sessions section Auto Logout Setup

Barracuda NG Admin Max. Idle [Mins.]
  This parameter defines the maximum idle time for a Barracuda NG Admin session (default: 60 min).
  Note:
  After this time interval the session is closed and must be re-established.
Console Max. Idle [Mins.]
  This parameter defines the maximum idle time for a shell/SSH session (default: 60 min).
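The node-name tagging and Add UTC Offset parameters of 5.2.3.3 above matter most when one log host collects streams from boxes in several time zones: without the offset column, a receiver can only order entries by their local timestamps, which puts events from different sites in the wrong sequence. The following Python snippet is an added example and not Barracuda code. It assumes a simple line format (range/cluster/box prefix, local timestamp, offset column with "-" when the box streams without Add UTC Offset, log file name, message) and constructed sample lines, and shows how a receiver normalizes entries to UTC and sets aside the entries it cannot place on a global timeline.

```python
"""Normalize streamed log entries from boxes in several time zones.

Added example, not Barracuda code. Assumed line format (one entry per line):
  <range>/<cluster>/<box> <YYYY-MM-DD HH:MM:SS> <+HHMM|-HHMM|-> <logfile> <message>
The third column is the UTC offset a box adds when Add UTC Offset is yes;
a box streaming without it is assumed to send "-" instead.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<range>[^/\s]+)/(?P<cluster>[^/\s]+)/(?P<box>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<off>[+-]\d{4}|-)\s+(?P<logfile>\S+)\s+(?P<msg>.*)$"
)

# Constructed sample input: three boxes stream with the offset, one without.
SAMPLE_LINES = [
    "eu/vienna/fw1 2010-02-01 08:59:59 +0100 box_Firewall Block: 10.0.0.7 -> 192.0.2.9:22",
    "us/campbell/fw2 2010-02-01 00:00:01 -0800 box_Firewall Allow: 10.1.0.3 -> 192.0.2.9:443",
    "eu/london/fw3 2010-02-01 08:00:03 +0000 box_Firewall Block: 10.2.0.1 -> 192.0.2.9:22",
    "eu/dublin/fw4 2010-02-01 08:00:02 - box_Firewall Allow: 10.3.0.2 -> 192.0.2.9:25",
]


def parse_line(line):
    """Split one entry into its fields and compute the UTC timestamp (None if no offset)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable entry: %r" % line)
    ev = m.groupdict()
    ev["local"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    if ev["off"] == "-":
        ev["utc"] = None  # streamed without Add UTC Offset: no place on a global timeline
    else:
        sign = 1 if ev["off"][0] == "+" else -1
        delta = timedelta(hours=int(ev["off"][1:3]), minutes=int(ev["off"][3:5])) * sign
        ev["utc"] = ev["local"].replace(tzinfo=timezone(delta)).astimezone(timezone.utc)
    return ev


def local_order(lines):
    """Box names in the order a naive receiver gets by sorting local timestamps."""
    return [e["box"] for e in sorted((parse_line(l) for l in lines), key=lambda e: e["local"])]


def utc_order(lines):
    """Return (boxes ordered by true UTC time, boxes that had to be left out)."""
    events = [parse_line(l) for l in lines]
    usable = sorted((e for e in events if e["utc"] is not None), key=lambda e: e["utc"])
    skipped = [e["box"] for e in events if e["utc"] is None]
    return [e["box"] for e in usable], skipped


if __name__ == "__main__":
    print("by local time:", local_order(SAMPLE_LINES))
    print("by UTC:       ", utc_order(SAMPLE_LINES))
```

With the sample lines, the local-time order is fw2, fw4, fw3, fw1, while the real order is fw1, fw2, fw3; fw4 cannot be placed at all because its box streams without the offset, which is the case to watch for when a CC aggregates boxes across zones.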

List 3143 Infrastructure Services - Control - Administrative Sessions section Session Password Setup

Disable Session Passwords
  A session password is created after the first successful login to a box. In the course of this first login the login credentials are verified against the information stored on the Smartcard/eToken. Subsequent access then uses the dynamically created session password, thereby speeding up authentication. This parameter switches that mechanism off.

5.2.4.3 CPU-Load Monitoring

Use this tab to define threshold values triggering generation of the events High System Load [30] and Excessive System Load [31].

The values entered into the configuration fields specify the maximum number of processes that may simultaneously wait for execution (the 1-, 5- and 15-minute load averages) within the given time until an event message is created. For example, the default value of 24 in the parameter field Critical 1 Min. Average means that as soon as the load average over 1 minute has reached 24 waiting processes, the event Excessive System Load [31] is created.

List 3144 Infrastructure Services - Control - CPU-Load Monitoring section Performance

Performance Statistics
  Select yes to collect performance statistic data.

List 3145 Infrastructure Services - Control - CPU-Load Monitoring section CPU-Load Warning Thresholds

Average 1/5/15 Mins
  These three parameters define threshold values for generation of Event-ID High System Load [30].

List 3146 Infrastructure Services - Control - CPU-Load Monitoring section CPU Load Error Thresholds

Average 1/5/15 Mins
  These three parameters define threshold values for generation of Event-ID Excessive System Load [31].

5.2.5 Statistics

For a description of Statistics see Statistics 3.1 Service Configuration, page 316.

5.2.6 Eventing

For a description of Eventing settings see Eventing, page 321.

5.2.7 General Firewall Configuration

For a description of Firewall Settings see Firewall 2.1.1 General Firewall Configuration, page 134.

5.2.8 Log Configuration

The log daemon is a box service and represents an integral part of the Barracuda NG Firewall box infrastructure. Operation characteristics of the log daemon and instructions on how to extract information from the system are to be found in Log Viewer, page 305.

List 3147 Infrastructure Services - Log Configuration section Log Configuration

Log to Disk
  This parameter activates/deactivates writing of log files to disk (default: yes).
  Note:
  Take into consideration that even when this parameter is set to no, the VPN server (IKE) and the proxy keep writing log files to the disk.

5.3 Creating PAR Files

For backup and recovery reasons, the complete box configuration may be exported into the Barracuda Networks proprietary PAR (portable archive) file.

A PAR file stores the following configuration elements:
- Box configuration and settings
- Server and service settings
- Repository settings

PAR files are applicable for the following tasks:
- Restore box and Barracuda NG Control Center configurations (see 5.4 Restoring/Importing from PAR File)
- Re-install a system with kickstart disk and PAR file (Getting Started 1.3 Installation with a Saved Configuration, page 8)

PAR files may be created from the following places in the configuration tree:

Fig. 372 Creating a PAR file

On single boxes and on box level of Barracuda NG Control Centers:
- Right-click Box in the configuration tree and select Create PAR file from the context menu.

On server level of Barracuda NG Control Centers:
- Right-click Multi-Range in the configuration tree and select Create PAR file from the context menu. This action creates a master PAR file of the complete CC configuration tree.


- Right-click Box (accessible through Multi-Range > <rangename> > <clustername> > Boxes) and select Create PAR file for box from the context menu. This action creates a PAR file of the specific box's configuration only.

PAR files may either be saved as regular .par or as compressed .pgz files.

Note:
Consider the following settings when creating PAR files of comprehensive configurations: the time provided for PAR file generation is determined by the Socket Connect and Read values configurable in the Barracuda NG Admin Settings > Client tab > section Timeout (Getting Started 4.2 Client, page 22). If these timeouts are exceeded the PAR file cannot be created. Should you experience problems creating a PAR file, temporarily change both values to approx. 200 sec. (or higher). Remember to revert the settings when you have finished your tasks, as these timeouts are a factor in other configuration areas as well.

Note:
It is recommended to create PAR files on a regular basis.

Note:
PAR files may also be created at the command line interface (command phionar; see Command Line Interface documentation for further information). With a cronjob you may thus automate PAR file creation and archiving.

5.4 Restoring/Importing from PAR File

PAR files allow you to restore/import specific box or complete Barracuda NG Control Center configurations. PAR files are applicable for the following tasks:

Restoring single boxes and box configurations of Barracuda NG Control Centers
Execute this task when restoring the backup of a box configuration.
- Right-click Box in the configuration tree and select Restore from PAR file from the context menu.
- Browse for the .par or .pgz file that should be restored.
- The applicable configuration changes will not be activated immediately. Click the Undo button if you want to withdraw from restoring. Otherwise, click the Activate button to restore the box configuration.

Note:
Box configurations may not be restored on CC level. To restore a functional backup of a misconfigured box, delete the box in the Barracuda NG Control Center tree and thereafter use Import Box from PAR instead (see below).

Restoring Barracuda NG Control Center configurations
Execute this task when restoring the backup of a complete Barracuda NG Control Center tree.

Note:
If you are restoring the configuration of a CC that has been installed freshly after crash recovery, do not forget to restore the box configuration of the CC as well.

- Right-click Multi-Range in the configuration tree and select Restore from PAR file from the context menu.
- Browse for the .par or .pgz file that should be restored.
- The applicable configuration changes will not be activated immediately. Click the Undo button if you want to withdraw from restoring. Otherwise, click the Activate button to restore the CC configuration.

Importing box configurations into the Barracuda NG Control Center
Execute this task when importing new or former box configurations into the Barracuda NG Control Center.
- Right-click Boxes (accessible through Multi-Range > <rangename> > <clustername>) and select Import Box from PAR from the context menu.
- Browse for the .par or .pgz file that should be imported.
- Insert a Box Name.
- Click the Activate button to activate the configuration changes.

Installing a box with PAR file and kickstart disk
Use PAR files deriving from box configurations to install a preconfigured system. Refer to Getting Started 1.3 Installation with a Saved Configuration, page 8 for details on installation with PAR file and kickstart disk.
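The notes in 5.3 recommend creating PAR files regularly and mention automating creation and archiving with phionar and a cronjob. The Python script below is an added example and not part of the product. It does not call phionar (whose options this guide does not document) but performs the housekeeping a practitioner wants around the exported file: a timestamped copy with mode 0600, since a PAR file contains credentials and keys (see the Attention note in 7.5), a SHA-256 manifest so that a corrupted backup is noticed before a restore rather than during one, and retention pruning that keeps the manifest in step. The box name, the directory layout and the stand-in file content are assumptions.

```python
"""Archive PAR backups produced by phionar or exported from Barracuda NG Admin.

Added example, not Barracuda tooling. It assumes the PAR file already exists
(phionar itself is not invoked here) and performs the housekeeping a cron
job should do around it: timestamped copy with mode 0600, a SHA-256
manifest for integrity checks before a restore, and retention pruning.
Directory layout, box name and the stand-in file content are assumptions.
"""
import hashlib
import os
import re
import shutil
import tempfile
import time

ARCHIVE_RE = re.compile(r"^(?P<box>.+)-(?P<stamp>\d{8}T\d{6}Z)\.(?:par|pgz)$")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_par(par_path, archive_dir, box_name, now=None):
    """Copy par_path to <archive_dir>/<box>-<UTC stamp>.<ext> (mode 0600) and
    append its digest to MANIFEST. Returns the archived file's path."""
    ext = os.path.splitext(par_path)[1].lstrip(".").lower()
    if ext not in ("par", "pgz"):
        raise ValueError("expected a .par or .pgz file, got %r" % par_path)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    os.makedirs(archive_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(archive_dir, "%s-%s.%s" % (box_name, stamp, ext))
    shutil.copyfile(par_path, dest)
    os.chmod(dest, 0o600)  # the archive holds credentials and keys
    with open(os.path.join(archive_dir, "MANIFEST"), "a") as m:
        m.write("%s  %s\n" % (sha256_of(dest), os.path.basename(dest)))
    return dest


def verify_archive(archive_dir):
    """Names listed in MANIFEST whose file is missing or whose digest no longer matches."""
    bad = []
    with open(os.path.join(archive_dir, "MANIFEST")) as m:
        for line in m:
            digest, name = line.split()
            path = os.path.join(archive_dir, name)
            if not os.path.exists(path) or sha256_of(path) != digest:
                bad.append(name)
    return bad


def prune(archive_dir, keep):
    """Keep only the newest `keep` archives per box; drop pruned names from MANIFEST."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    by_box = {}
    for name in os.listdir(archive_dir):
        m = ARCHIVE_RE.match(name)
        if m:
            by_box.setdefault(m.group("box"), []).append((m.group("stamp"), name))
    removed = []
    for items in by_box.values():
        for _, name in sorted(items)[:-keep]:
            os.remove(os.path.join(archive_dir, name))
            removed.append(name)
    manifest = os.path.join(archive_dir, "MANIFEST")
    if removed and os.path.exists(manifest):
        with open(manifest) as m:
            kept = [l for l in m if l.split()[1] not in removed]
        with open(manifest, "w") as m:
            m.writelines(kept)
    return sorted(removed)


def demo(base_dir=None):
    """Run one backup cycle on a constructed stand-in PAR file; returns a summary."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="par-demo-")
    src = os.path.join(base_dir, "fw1.par")
    with open(src, "wb") as f:
        f.write(b"constructed stand-in for a real PAR archive\n")
    archive = os.path.join(base_dir, "archive")
    first = archive_par(src, archive, "fw1", now=1265000000)
    second = archive_par(src, archive, "fw1", now=1265086400)
    with open(first, "ab") as f:  # simulate corruption of the older copy
        f.write(b"bitrot")
    return {
        "first": os.path.basename(first),
        "second": os.path.basename(second),
        "mode": oct(os.stat(second).st_mode & 0o777),
        "tampered": verify_archive(archive),
        "pruned": prune(archive, keep=1),
        "after_prune": verify_archive(archive),
        "remaining": sorted(os.listdir(archive)),
    }


if __name__ == "__main__":
    print(demo())
```

In a real cron job the archive directory should live on storage that is itself encrypted or the copies should be encrypted before leaving the box, because a PAR file is a complete copy of the box's secrets; the manifest only protects integrity, not confidentiality.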

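The CPU-Load Monitoring thresholds of 5.2.4.3 above map the 1-, 5- and 15-minute load averages to the events High System Load [30] and Excessive System Load [31]. The Python code below is an added example, not the box's event daemon. It reads the standard Linux /proc/loadavg line format, applies warning and error thresholds (only the 1-minute error default of 24 comes from the guide; the other values are assumed) and adds a small state check so that a box which stays overloaded raises the event once when the severity changes rather than on every sample.

```python
"""Map 1/5/15-minute load averages to the load events of 5.2.4.3.

Added example, not the box's event daemon. Assumes the standard Linux
/proc/loadavg line ("0.52 0.40 0.38 1/212 4321"). Only the 1-minute error
default of 24 is taken from the guide; the remaining threshold values are
assumed for illustration.
"""
EVENT_HIGH_LOAD = 30       # High System Load
EVENT_EXCESSIVE_LOAD = 31  # Excessive System Load

WARNING_THRESHOLDS = (8.0, 6.0, 4.0)    # 1/5/15 min, assumed values
ERROR_THRESHOLDS = (24.0, 18.0, 12.0)   # 1-min value 24 per the guide, others assumed


def parse_loadavg(line):
    """Return the three load averages from a /proc/loadavg line as floats."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed loadavg line: %r" % line)
    return tuple(float(f) for f in fields[:3])


def load_events(loadavg_line, warn=WARNING_THRESHOLDS, err=ERROR_THRESHOLDS):
    """Event IDs triggered by one sample; each window reports its most severe hit."""
    events = set()
    for value, w, e in zip(parse_loadavg(loadavg_line), warn, err):
        if value >= e:
            events.add(EVENT_EXCESSIVE_LOAD)
        elif value >= w:
            events.add(EVENT_HIGH_LOAD)
    return events


class LoadMonitor:
    """Emit an event only when the worst severity changes between samples,
    so a box that stays overloaded does not flood the event log."""

    SEVERITY = {None: 0, EVENT_HIGH_LOAD: 1, EVENT_EXCESSIVE_LOAD: 2}

    def __init__(self, warn=WARNING_THRESHOLDS, err=ERROR_THRESHOLDS):
        self.warn, self.err = warn, err
        self.current = None  # worst event currently raised, None when load is normal

    def sample(self, loadavg_line):
        """Return (changed, worst_event); worst_event is None when load has recovered."""
        worst = None
        for ev in load_events(loadavg_line, self.warn, self.err):
            if self.SEVERITY[ev] > self.SEVERITY[worst]:
                worst = ev
        changed = worst != self.current
        self.current = worst
        return changed, worst


if __name__ == "__main__":
    mon = LoadMonitor()
    for sample in ("0.52 0.40 0.38 1/212 4321", "25.00 7.50 3.00 9/310 120",
                   "26.00 10.00 5.00 9/310 121", "1.00 2.00 3.00 1/210 122"):
        print(sample.split()[:3], "->", mon.sample(sample))
```

The load average counts runnable processes, so on a box with several CPUs a 1-minute value of 24 means something different than on a single-core appliance; the thresholds should be chosen per hardware model rather than copied between boxes.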
6. Repository

To the Barracuda NG Firewall box configuration tree, a further top level element may be added: the so-called Repository. Repositories are available for each configuration instance of the tree, for example Settings or Cron.

Fig. 373 Way of Supplying a Box with a Repository

Note:
Due to compatibility reasons, two nodes are structured in a different way in the box repository tree than within the box range tree configuration:
- Authentication Service is placed in Advanced Configuration and not in Infrastructure Services
- System Settings is placed in Box and not in Advanced Configuration

6.1 Working with a Repository

6.1.1 Creating a Repository

Click the Activate button in order to create a Repository tree element. With the creation of a repository, the options available for configuration nodes in the context menu will be augmented by entries named Copy to Repository and Copy From Repository. The new items become visible by locking the corresponding node. In order to obtain more information as to when or by whom a node was created, modified or locked, the context menu furthermore contains the Show History option.

Fig. 374 Show History window

You may use the individual repository subdirectories as storage containers for edited configuration data of the respective type. This may be of particular interest in combination with the usage of root aliases.

A freshly installed Barracuda NG Firewall always contains a default box repository containing predefined data consisting of the most widely used settings. For instance, there is a default data set for appliances, and many more.

6.1.2 Copying (Storing) Configuration Data into a Repository

By selecting Copy To Repository, which is also available for unlocked tree nodes, a dialog will appear allowing you to select the destination. The settings will then be stored within this destination file.

Note:
The destination file only needs to be locked if an existing archive file is to be overwritten. If the file does not exist yet, you may simply click on the directory in order to create an input field at the bottom of the dialog. There you may enter the new archive name for the node.

- Step 1:
  Right-click the desired configuration node and choose Copy To Repository from the context menu:

Fig. 375 Copy to Repository

- Step 2:
  Within the pop-up window, either select an existing destination file or create a new one in order to store the chosen node. Click OK when done:

Fig. 376 Select Destination

- A copy of your configuration node now resides within the repository and may from now on be copied or linked from there:

Fig. 377 Location in Repository

6.1.3 Linking Configuration Data from within a Repository

- Step 1:
  Right-click the desired configuration node and choose Link From Repository from the context menu:

Fig. 378 Link from Repository

- Step 2:
  Select the desired node within the repository and click OK:

Fig. 379 Repository Node Containing Data to Link

- From now on, the chosen configuration node's settings are linked from the repository. Within the config tree, a linked node is marked with an arrow symbol:

Fig. 380 Configuration Node Linked from Repository

6.1.4 Overriding Repository-Linked Configuration Settings

- Step 1:
  Lock the desired configuration node.
- Step 2:
  Right-click the node and select Override Link Data from the context menu:

Fig. 381 Override Link Data

- The arrow-like icon will now be extended by a plus ("+") character to indicate that this node houses overrides:

Fig. 382 Override Link Data Icon

Once Override Link Data has been activated as described, the menu reachable by left-clicking the icon on the right-hand side of many configuration fields will contain one or more additional entries regarding repository data overriding.

- Overriding a Boolean-Type Entry
  This type of configuration field offers the option Override Entry:

Fig. 383 Activating Override Entry on a Boolean Field

  Once Override Entry has been activated, manipulation of the entry is not disabled anymore but may be freely toggled instead:

Fig. 384 Now Locally Overridden Boolean Entry

- Overriding a Text-Type Entry
  Text-type setting fields only have the Override Entry option, just like boolean fields:

Fig. 385 Repository Linked Text Entry
Fig. 386 Activating Override for the Text Entry
Fig. 387 Locally Overriding the Text Entry

- Overriding a List-Type Entry
  This type of configuration entry offers two different overriding modes. One of them is Strict Override (Clear):

Fig. 388 Activating Strict Override (Clear) on a List

  Once this has been activated, the linked configuration data will locally be cleared:

Fig. 389 Locally Cleared List

  Subsequently, it may be filled locally:

Fig. 390 Entering Local Data into a List


The other overriding mode, Strict Override (Copy), will copy the repository data back to the box into the local configuration:

Fig. 391 Activating Strict Override (Copy) on a List

Once activated, the list values remain the same:

Fig. 392 List with Copied Data from the Repository

From there, the list may locally be manipulated, e.g. by adding new values:

Fig. 393 Copied and then Locally Modified List

- Overriding a Section-Type Entry
  Section-type entries basically offer the same two overriding methods as lists. In addition, however, they have one more, the Merge Override. This is the most powerful overriding mode, as it enables single configuration items within a section to be locally edited while others remain linked from the repository. Choose Merge Override from the appropriate menu:

Fig. 394 Activating Merge Override on a Section

  Once Merge Override has been selected, the section entry becomes editable. In this example, a new configuration item is added:

Fig. 395 Adding a Local Item

  The newly added item appears with an icon on the left side of its name, indicating that this item is locally stored:

Fig. 396 Locally Stored Item and a Repository Stored Item within a Section

- Unoverriding an Entry
  You may switch back to the data linked from the repository by selecting Unoverride Entry. This works on all types of overridden entries:

Fig. 397 Unoverride Entry
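The override modes described above (Override Entry, Strict Override (Clear), Strict Override (Copy), Merge Override and Unoverride Entry) differ mainly in what happens when the repository archive is changed later, which is the point that matters when one repository feeds many boxes. The Python model below is an added example with an assumed data model and is not Barracuda code: it shows that a linked node and a merge-overridden section pick up a later change in the repository, while a copied section keeps its snapshot and a cleared one contains only local data.

```python
"""Model of repository-linked nodes and the override modes of 6.1.4.

Added example with an assumed data model, not Barracuda code. Mode names
follow the guide: Override Entry (boolean/text), Strict Override (Clear) and
Strict Override (Copy) (lists and sections), Merge Override (sections only),
Unoverride Entry (all). Sections are modelled as dicts keyed by item name.
"""
import copy


class Repository:
    """Named archives of configuration data (Copy To Repository stores one)."""
    def __init__(self):
        self.entries = {}

    def store(self, archive, value):
        self.entries[archive] = copy.deepcopy(value)

    def fetch(self, archive):
        return copy.deepcopy(self.entries[archive])


MODES = {bool: {"override"}, str: {"override"},
         list: {"clear", "copy"}, dict: {"clear", "copy", "merge"}}


class LinkedNode:
    """A configuration node linked from a repository archive (6.1.3)."""
    def __init__(self, repo, archive):
        self.repo, self.archive = repo, archive
        self.mode, self.local = "linked", None

    def override(self, mode):
        """Override Link Data followed by one of the per-type override menus."""
        repo_value = self.repo.fetch(self.archive)
        if mode not in MODES[type(repo_value)]:
            raise ValueError("%s is not offered for %s entries" % (mode, type(repo_value).__name__))
        self.mode = mode
        if mode == "clear":       # Strict Override (Clear): start from an empty list/section
            self.local = type(repo_value)()
        elif mode == "merge":     # Merge Override: only locally added items live here
            self.local = {}
        else:                     # Override Entry / Strict Override (Copy): snapshot
            self.local = repo_value

    def unoverride(self):
        """Unoverride Entry: drop local data and follow the repository again."""
        self.mode, self.local = "linked", None

    def _editable(self):
        if self.mode == "linked":
            raise PermissionError("node is linked from the repository; override it first")

    def set_value(self, value):        # boolean / text entries
        self._editable()
        self.local = value

    def append(self, value):           # list entries
        self._editable()
        self.local.append(value)

    def set_item(self, key, value):    # section entries
        self._editable()
        self.local[key] = value

    def effective(self):
        """Value the box actually uses, given the current repository content."""
        repo_value = self.repo.fetch(self.archive)
        if self.mode == "linked":
            return repo_value
        if self.mode == "merge":       # repository items plus local ones; local wins on conflict
            repo_value.update(self.local)
            return repo_value
        return copy.deepcopy(self.local)


def demo():
    """Show which override modes follow a later change in the repository."""
    repo = Repository()
    repo.store("admin_services", {"ssh": "22", "https": "443"})
    repo.store("log_to_disk", True)
    linked = LinkedNode(repo, "admin_services")
    copied = LinkedNode(repo, "admin_services")
    copied.override("copy")
    merged = LinkedNode(repo, "admin_services")
    merged.override("merge")
    merged.set_item("vpn", "691")
    cleared = LinkedNode(repo, "admin_services")
    cleared.override("clear")
    cleared.set_item("ssh", "2222")
    flag = LinkedNode(repo, "log_to_disk")
    try:
        flag.set_value(False)          # still linked: editing is refused
        blocked = False
    except PermissionError:
        blocked = True
    flag.override("override")
    flag.set_value(False)
    flag_overridden = flag.effective()
    flag.unoverride()
    # A later change in the repository, e.g. Copy To Repository from another box:
    repo.store("admin_services", {"ssh": "22", "https": "443", "snmp": "161"})
    return {"linked": linked.effective(), "copied": copied.effective(),
            "merged": merged.effective(), "cleared": cleared.effective(),
            "linked_edit_blocked": blocked, "flag_overridden": flag_overridden,
            "flag_unoverridden": flag.effective()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The practical consequence for a Control Center: a Strict Override (Copy) silently detaches a box from later hardening changes made in the repository, so boxes that house such overrides (the "+" icon) deserve a review whenever the repository entry is updated.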

6.1.5 Copying (Retrieving) Configuration Settings from a Repository

Sometimes it may be needed to write back a complete set of configuration data that had previously been stored to the Repository, replacing the data within the configuration node.

- Step 1:
  Lock the desired configuration node.
- Step 2:
  Right-click it and select Copy From Repository from within the context menu.

Fig. 398 Copying from Repository

- Step 3:
  A dialog will open allowing you to browse the contents of the respective repository. Simply click on the file containing the data you wish to be written into the locked configuration instance. When done, click the OK button.
- The configuration settings data stored within the repository will now be written into the configuration node.


7. Troubleshooting

7.1 Live Assist

The Barracuda NG Admin client is capable of sharing the currently displayed Barracuda NG Admin screen with Barracuda Networks support personnel. This feature facilitates quick and effective troubleshooting with the help of Barracuda Networks support without the need for a third-party screen-sharing application like Webex or others.

Unless otherwise explicitly configured, the remote connection will be fully SSL encrypted and can be established through a proxy server.

Attention:
To achieve a maximum of privacy, Barracuda Networks support personnel is only able to view the current Barracuda NG Admin administration screen. Any other applications running at the client workstation will not be visible and usable to others. Pop-up windows and the Windows task bar are also hidden from Barracuda Networks support staff.

7.2 Initiate Support Calls

A support call to the Barracuda Networks support personnel using Live Assist is initiated by clicking the Support button in the upper menu bar.

Fig. 399 Initiate support calls

7.3 Barracuda NG Live Assist

The Barracuda NG Admin Remote Agent, called Live Assist, is the interface between the customer and the Barracuda Networks support personnel and displays all relevant information of the current support session.

Fig. 3101 Initiate support calls

As soon as a Support Call is initiated, some credentials are to be set for a successful session initiation.

Fig. 3100 Support Call Configuration

Table 327 Support Call Parameters

Name
  Customer name.
Live Assist Entry Point
  Host name of the Barracuda Networks support service.
  Note:
  This is filled in automatically.
SRQ
  Number of the Support Request. This ticket number will be assigned by the Barracuda Networks support staff.
Block Remote Input (View Only)
  If this checkbox is enabled, Barracuda Networks support staff is only able to view the current Barracuda NG Admin screen. If disabled, Barracuda Networks support has full control of the client's input devices within your client application. Keeping it enabled is the least-privilege choice; disable it only for as long as support actually needs control.
Enable File transfer
  Enables the possibility to send or receive files to or from the Barracuda Networks support staff.
Use Proxy Server to connect
  The connection to the Barracuda Networks support service can be forwarded by an HTTP proxy server.
User/password
  User credentials to authenticate at the HTTP proxy server.
Proxy[:Port]
  Network address and port of the HTTP proxy.
Full Barracuda NG Admin
  Shares the full Barracuda NG Admin client with the Barracuda Networks support staff. The support personnel is capable of navigating through the complete Barracuda NG Admin client and its functions.
Box/CC only
  Only the currently connected Barracuda NG Control Center or gateway will be visible to the Barracuda Networks support personnel. There is no possibility for Barracuda Networks to connect to other Barracuda NG Control Centers or gateways.
Screen Application Protection
  Any other windows of the desktop will be transmitted too, but the content of these windows will not be visible to the Barracuda Networks support staff. See 7.4 From Our Support's Point of View, page 128.


The connection status of Barracuda Live Assist is indicated in the top-left corner.

Fig. 3102 Live Assist Connection Status

Table 328 Connection Status

Red
  Connection to the Barracuda Networks support service could not be established.
Yellow
  Connection is in progress and in waiting state. The remote connection needs to be accepted by the Barracuda Networks support team.
Green
  Connection has been established and accepted. Barracuda Networks support is connected to the Barracuda NG Admin client and ready to operate.

7.3.1 Remote Session Tabs

The Barracuda NG Remote Agent offers four tabs that can be navigated while the remote connection is established.

- General
  This tab lists all important information regarding the remote session: support ticket number, support host, proxy IP address, current state of the connection, the area of the desktop that is shared with Barracuda Networks support, information on the remote input configuration, and file transfer information.
- Chat
  To interact with Barracuda Networks support, the Barracuda NG Remote Agent has a built-in chat.
- Session
  The session tab shows the currently established remote session and its duration.
- Logging
  The logging tab lists all actions such as connection initiations, connection errors or initiated file uploads and downloads.

7.4 From Our Support's Point of View

Barracuda Networks wants to provide quick and selective support to all our customers and partners, and this support should be as transparent as possible. Remote desktop sharing is always a delicate matter regarding privacy and security. Therefore we want to give our customers and partners a look behind the scenes of Barracuda Networks support with the Barracuda NG Admin Live Assist tool.

The screenshot shows a distorted frame of a Windows application that is lying on top of the shared Barracuda NG Admin screen.

Fig. 3103 Barracuda NG Admin Live Assist support view

7.5 System Report

In order to improve and ease diagnostics and troubleshooting between customers, partners and Barracuda Networks support, it is possible to generate a so-called System Report. The System Report collects basic system information and relevant diagnostic data for the support partner without the need for immediate remote access.

In general, the system report only collects data that is also available within Barracuda NG Admin. Therefore, analyzing the system report is not required for the Barracuda NG Firewall administrator, as Barracuda NG Admin typically fits better for troubleshooting since it offers filtering criteria, customized sorting and realtime status information.

Attention:
Confidential data, such as passwords and keys, is removed during data collection and is therefore not contained in the system report. However, if you choose to include a PAR file within the System Report, be aware that the PAR file contains such confidential data!

7.5.1 Content of a System Report

A System Report can contain the following information of a Barracuda NG Firewall:
- Configuration Data
- System Data
- Service Data
- Version information
- Log Files
- Statistic Files
- Access Cache
- Operating System Data
- Events
- Configuration Archive (PAR file)

Note:
When generating a System Report the Barracuda NG Firewall administrator can decide which information should be included in the report.

Table 329 Contents of System Reports

Configuration Data
  Information on the system configuration.
System Data
  Basic information about the Barracuda NG Firewall system.
Service Data
  Information regarding the currently introduced services and their configuration.
Version Information
  Information regarding the currently installed version of the Barracuda NG Firewall software.
Log Files
  All log files currently available at the Barracuda NG Firewall.
Statistic Files
  All statistic files currently available at the Barracuda NG Firewall.
Access Cache
  A snapshot of the Access Cache's current state.
Operating System Data
  Information on the configuration of the NGFW OS.
Events
  All events currently available at the Barracuda NG Firewall.
Configuration Archive (par)
  Portable archive file of the Barracuda NG Firewall.

7.5.2 How To Create System Reports

System Reports can only be generated at box level for a specific Barracuda NG Firewall. Therefore, connect to a Barracuda NG Firewall on box level and open Control > Box tab (see 2.6 Box Tab, page 38). A System Report is generated by clicking the Generate... button.

Fig. 3104 Generating System Reports

Before a System Report is generated, the Barracuda NG Firewall administrator has to select the contents of the report.

Fig. 3105 Choose the Contents of System Reports

After confirming the generation process of a System Report, the Barracuda NG Firewall starts to collect all desired contents and displays a progress window.

Fig. 3106 System Report Progress Window

When collection of all necessary data is finished, the Barracuda NG Admin client asks for a destination to save the System Report file. The System Report is saved as a *.tgz archive file and can thus easily be transmitted to the Barracuda Networks support team via e-mail. If the report includes a PAR file, keep the Attention note in 7.5 in mind before sending it over an unprotected channel.

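The Attention note in 7.5 states that passwords and keys are stripped from the collected data but not from an included PAR file. The Python snippet below is an added illustration of that behaviour and not the product's report generator; the file names, the redaction pattern and the sample configuration text are constructed for this example. It packages the constructed files into a .tgz, redacts credential lines, records a warning when a PAR file is included verbatim, and checks the finished archive for known secret strings before it is mailed.

```python
"""Build a System Report style .tgz from collected files, scrubbing credential
material from text data and flagging an included PAR file.

Added illustration of the behaviour described in 7.5, not the product's
report generator. File names, the redaction pattern and the sample
configuration text are constructed for this example.
"""
import io
import re
import tarfile

# Lines such as "admin_password = x", "psk: y" or "Private-Key: z" (case-insensitive).
SECRET_RE = re.compile(
    r"^(\s*[\w.-]*(?:password|passwd|secret|psk|private[_-]?key)\s*[=:]\s*)(\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)

SAMPLE_FILES = {  # constructed stand-ins for collected configuration and system data
    "config/boxnet.conf": "mip = 10.0.0.1\nadmin_password = Sup3rS3cr3t\n",
    "config/vpn.conf": "peer = 198.51.100.7\npsk: hunter2\nPrivate-Key: MIIEvAIBADANBg\n",
    "system/version.txt": "Barracuda NG Firewall 4.2.10\n",
}


def redact(text):
    """Replace the value part of credential lines, keeping the key name visible."""
    return SECRET_RE.sub(lambda m: m.group(1) + "<removed>", text)


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_report(files, include_par=None):
    """Return (tgz bytes, warnings). Text members are redacted; an optional
    include_par=(name, raw bytes) is stored verbatim, as the guide describes."""
    warnings = []
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in sorted(files.items()):
            _add(tar, name, redact(text).encode("utf-8"))
        if include_par:
            name, raw = include_par
            warnings.append("%s is included unredacted and contains credentials and keys" % name)
            _add(tar, name, raw)
    return buf.getvalue(), warnings


def report_members(tgz_bytes):
    """Member name -> content, for inspecting a report before sending it."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read().decode("latin-1") for m in tar.getmembers()}


def leaked_secrets(tgz_bytes, known_secrets):
    """Which of the given secret strings still occur anywhere in the archive."""
    contents = report_members(tgz_bytes).values()
    return sorted(s for s in known_secrets if any(s in c for c in contents))


if __name__ == "__main__":
    report, warns = build_report(SAMPLE_FILES, include_par=("fw1.par", b"admin_password=Sup3rS3cr3t"))
    print(warns, leaked_secrets(report, ["Sup3rS3cr3t", "hunter2"]))
```

The leaked_secrets check is the step worth keeping in a real workflow: redaction by pattern can miss a field name nobody anticipated, whereas a search for the actual secret values in the final archive catches both that case and an included PAR file.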

4 Firewall

1. Overview
1.1 Firewall Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
1.2 Firewall Notions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
1.3 Firewall GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

2. Firewall Configuration
2.1 Global Parameters and Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
2.2 Rule Set Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
2.3 Advanced Options for Firewall Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
2.4 Delete, Copy and Paste within the Firewall Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
2.5 Cascaded Rule Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

3. Local Rules
3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
3.2 Restrictions of Local Action and Connection Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

4. Testing and Verifying of Rule Sets
4.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
4.2 Overlapping Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
4.3 Rule Tester . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
4.4 Test Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

5. Example Configuration
5.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
5.2 Advanced Settings in the Example Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

6. Real Time Information and Manipulation
6.1 GUI Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
6.4 Access Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
6.5 Authenticated User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.6 Dynamic Rules and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
6.7 Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
6.8 Tracing Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
6.9 FW Audit Log Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

7. Firewall Rule Sets


7.1 Direct Modification and Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

8. Log Files
8.1 Standard Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

9. Bridging
9.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
9.2 Bridging Goals and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
9.3 Bridging Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
9.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
9.5 Implementation of Logical Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
9.6 Bridging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



10. Firewall Authentication


10.1 Configuring Firewall Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
10.2 Barracuda NG Authentication Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
10.3 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

11. RPC
11.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
11.2 ONCRPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
11.3 DCERPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
11.4 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209


1. Overview

The heart of the available Barracuda NG Firewall software modules is the firewall module. This chapter deals with the configuration of the firewall module and with the tools which allow the administrator to define the firewall's behavior while it is active.

The chapter is basically divided into three parts:
• Overview
• Detailed description of the configuration (including a real-world example)
• Insights into the runtime steering of the firewall engine

The Barracuda NG Firewall module handles any IP traffic that is handled by the system. Basically it is divided into four different types of traffic:
• Loopback: traffic where source AND destination are local addresses and processes
• Local In (Local rules - Inbound): traffic with a local destination address and process
• Local Out (Local rules - Outbound): traffic with a local source address and process
• Forward (Forwarding rules): traffic traversing the system

1.1 Firewall Configuration

The behavior of the system as a whole is basically determined by four configuration layers:
• System Network and Server Configuration
• Host Firewall Rules
• General Firewall Configuration
• Firewall Forwarding Settings

The first part is covered by the global configuration chapter of this manual. This chapter takes the correct network and server configuration for granted. That means that the routing table of the system is configured to work properly and the IPs of the server the firewall service is connected to are correct and active.

All configuration tasks are principally done either on the Barracuda NG Control Center tree or on the tree of a single-managed box. The firewall rule set, however, can be configured in an alternative way by means of the operative firewall GUI itself. This way underlies the same mechanism as the ordinary way. It is thus not possible to circumvent the transaction mechanism of the configuration procedure.

Attention:
If you do not find any rule set on your system to configure, go back to the configuration chapter and perform the following steps:
Step 1 Configure network properties of your system
Step 2 Introduce a server on your system
Step 3 Introduce a firewall service on your system

Note:
The forwarding firewall is only active either without any license key or with a valid license including the firewall module.

To create a new rule, lock the affected rule set (either Local Rule Set or Forwarding Rule Set) and click the context menu entry New.

Attention:
Rule names may contain a maximum of 50 characters and digits.

1.2 Firewall Notions

The firewall module is able to handle two types of transport mechanisms:
• stateful ACPF (Application Controlled Packet Forwarding)
• TAP (Transparent Application Proxying)

The latter method is only available for TCP traffic, because it does not make sense to simulate connections for connectionless protocols.

Since all netfence versions before version 2.4 used exclusively TAP as forwarding mechanism, the notions are still the same as in socket based notions.

Fig. 4-1 Basic connection diagram describing the notions used throughout the firewall engine
[Figure: on the client side of the FW, Source address 192.168.0.56:2305 and Destination address 192.168.99.120:80; on the server side of the FW, Bind address 192.168.0.56:2305 and Connection address 172.31.1.110:80.]

Table 4-1 Firewall notions
IP:Port | Description
Source | Origin of IP request
Destination | Target of original IP request
Bind | Origin of IP request initiated by the firewall system
Connection | Target of IP request initiated by the firewall system

1.3 Firewall GUI

Like most of the Barracuda NG Firewall services, the firewall service incorporates a specific graphical administration user interface providing real-time data and tools for real-time manipulation. Additionally, it enables rule set configuration.

2. Firewall Configuration

2.1 Global Parameters and Default Settings

Beside the rule set there are several global parameters which steer the behavior of the firewall engine as a whole. Changing some of these parameters makes it necessary to restart the firewall service.

Attention:
All active connections will get lost during this procedure.

The settings are divided into two parts: the first part regarding the firewall engine as a whole (see 2.1.1 General Firewall Configuration, page 134), which is actually a box service, and the part which is only valid for the service layer and affects the forwarding and service infrastructure issues only (see 2.1.2 Firewall Forwarding Settings, page 139).

Fig. 4-2 Tree locations of the general firewall settings
[Figure: configuration tree with the entries General Firewall Configuration (page 134), Firewall Forwarding Settings (page 139), Rule Set Configuration (page 140) and Local Rules (page 171).]

2.1.1 General Firewall Configuration

Note:
To activate changes made in this part of the configuration, click button OS Restart (for further information concerning effects of OS Restart see 2.6 Box Tab, page 38).

2.1.1.1 Protocol Detection

P2P-detection is assigned per firewall rule and can be used in the local just like in the forwarding firewall rule set. See 2.3.2 Peer to Peer Detection, page 161 for general information and configuration details.

The following global options are available:

List 4-1 Box Services - General Firewall Configuration - Peer-to-Peer Detection and Protocol Detection
Parameter | Description
Enable Protocol Detection | Setting to yes (default: no) enables P2P-detection.
Peer-To-Peer Policy | From the list select the handling policy for detected P2P traffic: No-Detection; Detect-Only (detects and reports P2P traffic in the firewall access cache but takes no action); Limit-Bandwidth (limits the bandwidth for detected P2P traffic considering the limit value specified below); Drop-Traffic (blocks detected P2P traffic); Shape-Connectors (assigns Peer to Peer traffic to a Shape Connector).
Peer-To-Peer Bandwidth (KBit/s) | This option is enabled by setting the policy to Limit-Bandwidth. It specifies the maximum bandwidth that should be allowed for P2P traffic.
Peer-To-Peer Shape Connector | Assigns detected Peer-to-Peer traffic to a pre-defined Shape Connector.

List 4-2 Box Services - General Firewall Configuration - Peer-to-Peer Protocol Detection Selection
Parameter | Description
All P2P/IM/Game Protocols | Enables or disables the detection of all known Peer to Peer, Instant Messaging and Game Application protocols.
All P2P Protocols | Enables or disables the detection of all known Peer to Peer protocols.
All Stream Protocols | Enables or disables the detection of all known streaming protocols.
All Game Protocols | Enables or disables the detection of all known game application protocols.
All VOIP Protocols | Enables or disables the detection of all known Voice over IP protocols.
All Tunnel Protocols | Enables or disables the detection of all known tunnelling protocols.
Explicitly Add Protocols | A set of known protocols can be defined for a more granular detection.
Explicitly Skip Protocols | A set of known protocols can be defined that should not be detected.

Note:
Changes regarding Peer-to-Peer Detection need a restart of the Barracuda NG Firewall ACPF. Information on how to restart ACPF can be found in the Barracuda Networks CLI Tools for Experts, chapter 3, acpfctrl.

2.1.1.2 Global Limits

Note:
After increasing Session Limits and Memory Settings, restarting the firewall service may fail if there is not sufficient kernel address space available.

The default size of kernel address space that is reserved for the firewall is 256 MB. The address space can be extended by using the vmalloc kernel parameter. The syntax of vmalloc is:

vmalloc=<Size>K|M|G

<Size> is the new size of the kernel address space reserved for storing the firewall data. K, M or G is the unit of <Size>, which is Kilobyte, Megabyte or Gigabyte.

Example: vmalloc=512M reserves 512 Megabytes for the firewall.

In order to increase the kernel address space, enter the vmalloc parameter in Config > Box > Advanced Configuration > Bootloader > Global Append Options. Then activate the new settings and reboot the box.

List 4-3 General Firewall Configuration - Global Limits section Session Limits and Memory Settings
Parameter | Description
ACPF Memory [MB] | This parameter is read-only and displays the estimated memory requirement according to the settings below. If the following settings are increased and the displayed read-only value exceeds 200 MB, an additional bootloader parameter may be required. On i686 boxes with more than 768MB RAM that require additional vmalloc space to satisfy the increased memory demand of non-default firewall settings, we recommend increasing the vmalloc area in steps of 128MB, starting at 384MB. Reboot the box after setting the parameter and check whether the firewall service starts successfully after the system boot. Do not use vmalloc areas bigger than 640MB. The vmalloc area is shared among several kernel subsystems. Therefore the exact size of the allocated vmalloc area that is required to load the firewall cannot be predetermined. Setting the "vmalloc" parameter to enable increased acpf memory operation is discouraged on systems with 768MB of RAM or on "i386" architecture systems. Setting this parameter on those boxes could negatively affect the system performance and/or stability. The architecture of an installed Barracuda NG Firewall box can be determined with the following command: rpm -q kernel --qf %{ARCH}\\n
Max. Session Slots | Maximum number of session slots (min: 2000; max: 800000; default: 65536). Note: If this parameter is set to its maximum, set vmalloc=896M. Note: A value of 32768 requires around 40 MB RAM.
Max Acceptors | Maximum pending accepts for inbound rules (min: 2000; max: 2000000; default: 8192). An acceptor is a dynamic implicit rule that is generated by plugins handling dynamic connection requests. The FTP protocol for example uses a data connection beside the control connection on TCP port 21 to perform the actual file transfer. By analysing the FTP protocol, the firewall knows when such data connections occur and thus creates an acceptor allowing the corresponding data transfer session.
Max. Pending Inbounds | Maximum number of pending TCP inbound requests (min: 2000; max: 65536; default: 16384). This parameter only comes into effect when inbound traffic is activated in the corresponding rule.
Max. Plugins | Maximum number of rules using plugins (min: 0; max: 65536; default: 8192).
Dyn. Service Name Entries | Maximum number of dynamic service name entries (min: 0; max: 65536; default: 8192).
Max. Dynamic Rules | Maximum number of dynamically activated rules (min: 1; max: 1024; default: 128).
Max. Multiple Redirect IPs | Maximum number of IPs in rules with multiple redirect target IPs (min: 1; max: 1024; default: 128).

List 4-4 General Firewall Configuration - Global Limits section Access Cache Settings
Parameter | Description
Max. Access Entries | min: 128; max: 8192; default: 2048
Max. Block Entries | min: 128; max: 8192; default: 2048
Max. Drop Entries | min: 128; max: 8192; default: 2048
Max. Fail Entries | min: 128; max: 8192; default: 2048
Max. ARP Entries | min: 128; max: 8192; default: 2048
Max. SIP Calls | min: 64; max: 8192; default: 512; see 4. SIP, page 378 for details
Max. SIP Transactions | min: 64; max: 8192; default: 512; see 4. SIP, page 378 for details
Max. SIP Media | min: 64; max: 16384; default: 1024; see 4. SIP, page 378 for details
Max. DNS Entries | Maximum number of DNS queries triggered through creation of network objects of type Hostname (see 2.2.4.1 Hostname (DNS Resolvable) Network Objects, page 257) (default: 512). 75 % of the configured value are reserved for use by the forwarding, the remaining 25 % for use by the local firewall rule set. The combination of maximum value and percentage determines the Index number of network objects that are visualized in the Firewall Monitoring GUI (see 6.6 Dynamic Rules and Data, page 185). Attention: DNS queries will not be executed for network objects exceeding the maximum values and consequently, firewall rules using these objects will never match. Note: A network object that is used by forwarding and local firewall at the same time will trigger two DNS queries and will be counted twice.

2.1.1.3 Session Limits

List 4-5 General Firewall Configuration - Session Limits
Parameter | Description
Max UDP (%) | Maximum percentage of granted UDP sessions (min: 1; max: 100; default: 30; parameter Max. Session Slots (see 2.1.1.2 Global Limits, page 134) defines the number of available sessions, and this is 100 %). Note: With eventing activated (parameter UDP Limit Exceeded set to yes), the event FW UDP Connection Limit Exceeded [4009] is generated when the limit is exceeded.
Max Echo (%) | Maximum percentage of granted ICMP sessions (min: 1; max: 100; default: 30; parameter Max. Session Slots (see 2.1.1.2 Global Limits, page 134) defines the number of available sessions, and this is 100 %). Note: With eventing activated (parameter Echo Limit Exceeded set to yes), the event FW ICMP-ECHO Connection Limit Exceeded [4027] is generated when the limit is exceeded.
Max Other (%) | Maximum percentage of granted sessions of any IP protocol except TCP, UDP, ICMP (min: 1; max: 100; default: 10; parameter Max. Session Slots (see 2.1.1.2 Global Limits, page 134) defines the number of available sessions, and this is 100 %). Note: With eventing activated (parameter Other Limit Exceeded set to yes), the event FW OTHER-IP Session Limit Exceeded [4029] is generated when the limit is exceeded.
Max Local-In Session/Src | Maximum number of sessions per source IP. If this number is larger than Max. Session Slots (see 2.1.1.2 Global Limits, page 134), it is restricted by that (min: 1; max: -; default: 8192). Note: With eventing activated (parameter Session/Src Limit Exceeded set to yes), the event FW Global Connection per Source Limit Exceeded [4024] is generated when the limit is exceeded.

List 4-5 General Firewall Configuration - Session Limits (continued)
Parameter | Description
Max Local-In UDP/Src | Maximum number of UDP sessions per source IP (min: 1; max: -; default: 512). Note: With eventing activated (parameter UDP/Src Limit Exceeded set to yes), the event FW UDP Connection per Source Limit Exceeded [4008] is generated when the limit is exceeded.
Max Local-In Echo/Src | Maximum number of ICMP Echo sessions per source IP (min: 1; max: -; default: 512). Note: With eventing activated (parameter Echo/Src Limit Exceeded set to yes), the event FW ICMP-ECHO Connection per Source Limit Exceeded [4026] is generated when the limit is exceeded.
Max Local-In Other/Src | Maximum number of sessions of any IP protocol (except TCP, UDP, ICMP) per source IP (min: 1; max: -; default: 128). Note: With eventing activated (parameter Other/Src Limit Exceeded set to yes), the event FW OTHER-IP Connection per Source Limit Exceeded [4028] is generated when the limit is exceeded.
Inbound Threshold (%) | If the number of pending accepts exceeds the threshold, the firewall switches to inbound mode (min: 1; max: 100; default: 20). Note: With eventing activated (parameter Pending Accepts Critical set to yes), the event FW Activating Perimeter Defence (inbound mode) [4004] is generated when the limit is exceeded.
SYN Cookie High Watermark (%) | Percentage (of maximum pending inbounds) of pending inbound accepts at which to switch to SYN cookie usage for enhanced SYN flooding protection (min: 0; max: 100; default: 20).
SYN Cookie Low Watermark (%) | Percentage (of maximum pending inbounds) of pending inbound accepts at which to go back to ordinary SYN handling (min: 0; max: 100; default: 15).
Max Pending Local Accepts/Src | Maximum number of pending accepts per source IP (min: 5; max: 1024; default: 64).
Max TAP Worker | (min: 5; max: 1024; default: 100).
Max Socks Worker | (min: 5; max: 1024; default: 20).

2.1.1.4 Operational

List 4-6 General Firewall Configuration - Operational
Parameter | Description
Use Kernel Rule Set [default: no] | no: Kernel Rule Set not enabled; yes: Kernel Rule Set enabled; accelerated: Kernel Rule Set in accelerated mode enabled. Setting to yes or accelerated transfers the forwarding firewall rule set into kernel space. Opting for rule matching directly within the operating system kernel improves the performance of the firewall's connection establishment rate. For achievable rates refer to the documentation data sheets. As a rule of thumb, for about 1000 sessions/s the kernel rule set should be enabled for better firewall performance. Additionally, if many firewall objects (> 200) are used, the accelerated option is recommended. Note: Activating this parameter deactivates the option to use Tracing conditions (6.8.2 Tracing of Connections Matching Defined Conditions, page 187).
Global TCP Delay Policy | Decides if the Nagle algorithm is used by default. Can be overruled for single connection objects (default: NagleEnabled).
Accept Policy | Possible values are inbound or outbound. The value configured here is used as Server default value in the Accept Policy section of the rule creation/editing dialog (see 2.3.4.3 Accept Policies, page 166).
ARP Reverse Route Check | Setting this parameter to yes causes answers to ARP requests to be checked as to whether Source IP and interface are correct.
Global Reverse Device Policy | The options of this parameter specify whether requests and replies must use the same (outgoing) interface to be accepted (device-fixed; default) or not (device-may-change). The figure shows: Request (left) - Reply for setting device-fixed (middle) - Reply for setting device-may-change (right). Attention: This parameter specifies the global policy. You may change the policy per rule, though it is NOT recommended to do so.
Allow Active-Active Mode | Active-Active firewall operation mode is deactivated by default (setting: no). It has to be enabled in preparation for operation of multiple active firewalls on one box with a load balancer connected upstream.
Log Synced Sessions | This setting determines logging of access cache sessions which have been synchronized between HA partners (default: yes). Set to no to disable logging.
Enable FW Compression | The setting of this parameter determines whether firewall compression can be used in connection objects. Firewall compression is deactivated by default (default: No). Note: Firewall compression is only applicable between firewalls operating on Barracuda NG Firewall. When activated, option Enable FW Compression MUST be set to yes on all systems participating in compressed traffic. Attention: Do not enable firewall compression on gateways situated at the rim of untrustworthy networks, in order to avoid DoS attacks based on bulk sending of compressed data packets. An attacker might forward IPCOMP packet copies originating from the compressed session to the firewall, thus forcing it to perform load consuming decompression tasks. If compressed traffic is required at the perimeter, make use of compressed VPN traffic. Authentication mechanisms included in VPN technology prevent the DoS exploit stated above (see 2.7.1.2 Traffic Intelligence (TI), page 235).
Disable Assembler Ciphers | By default these Assembler Ciphers are enabled. Due to the assembler implementation for AES/SHA/MD5 the VPN performance has been increased significantly.
VPN Rate Limit (MBits/sec) | Limits the rate at which VPN traffic is encrypted and decrypted respectively. The default value 0 does not impose any restriction. Note: If you experience excessive CPU load in an environment with many VPN tunnels, then change this value. Attention: If the value has been changed, a restart of the VPN service is necessary in order to take effect.
VPN HW Modules | If you have installed and intend to use a crypto hardware accelerator board for encryption load splitting with VPN, select the hardware module which is required to load the corresponding functions. Momentarily Barracuda NG Firewalls support the Broadcom_582x module. Note: When operating a hardware accelerator card the encryption engine may be chosen per tunnel (TINA tunnels, see 2.7.1 Configuring TINA Tunnels (Firewall-to-Firewall Tunnels), page 233 and see 2.7.2 Configuring IPsec Tunnels, page 239).
Rule Change Behavior | Specifies whether an existing connection is terminated (Terminate-on-change; default) or not (Keep-on-change) if the rule set changes and the session is no longer allowed by the new rule set.

List 4-6 General Firewall Configuration - Operational (continued)
Parameter | Description
Rule Change Behavior (continued) | Attention: Local sessions are not reevaluated on rule change. This parameter only has effect on forwarding sessions. Workflow for enforcing changed local rules: manually terminate local sessions in the Firewall Active tab.
Generic Forwarded Networks | Traffic between networks inserted into this field will be excluded from firewall monitoring and will be forwarded without source and destination differentiation, even if no forwarding firewall is installed. Only make use of this feature if you are operating your Barracuda NG Firewall system for routing and NOT for firewall purposes, as generic network forwarding might cause severe security issues.
No Rule Update Time Range | This option allows defining a time range during which firewall rules may not be updated. Use international time format; for example, to disallow rule updates from 14:00 through 22:00, insert 14-22.
Send TCP RST for OOS Pkts. | The firewall sends TCP RST packets to these networks if it detects packets not belonging to an active session. This is useful to avoid timeouts on certain servers.

2.1.1.5 Audit and Reporting

Section Limits and Operational Settings

List 4-7 General Firewall Configuration - Audit and Reporting tab section Limits and Operational Settings
Parameter | Description
Resolve Access Cache IPs | Setting this parameter to yes (default: no) causes IP addresses to be resolved to hostnames in the firewall access cache (see 6.4.1 Available Filter Options, page 182).
Port Scan Threshold | If the number of blocked requests exceeds this limit (within Port Scan Detection Interval), a port scan is detected (min: 2; max: 1000000000; default: 10). The eventing setting Port Scan defines whether to generate an event or not when a port scan is detected.
Port Scan Detection Interval | Detection interval in seconds to check for not allowed activity (min: 0; max: 1000000000; default: 60). In combination with the parameter Port Scan Threshold it defines the condition when to report a port scan.
Forward Log Policy | This parameter defines whether server specific FFW logs should be written to both box and server log (Box-And-Server-File; default), only to the server logs (Server-File-Only) or only to the box logs (Box-File-Only).
Log Level | Cumulative logging allows some reduction of log file lengths and tries to avoid indirect denial of service (DoS) attacks.
Cumulative Interval [s] | Interval (in sec) for which cumulative logging is activated for either matching or similar log entries. To enter cumulative logging the entries need to be identical in all of the identifiers of a log entry except for the source port (min: 1; max: 60; default: 1).
Cumulative Maximum | Maximum number of log entries within the same rule and resulting in the same reason which triggers cumulative logging (default: 10).
Statistics for Local Firewall | This option enables the creation of statistics for the local firewall.
Use Service Names for Statistics | Via this parameter you define whether statistics contain the port (no; default) or the set service name (yes, see 2.2.5.1 Parameters of Services, page 152).

List 4-8 General Firewall Configuration - Audit and Reporting tab section Eventing Settings
Parameter | Description
Generate Events | Enables configuration of Eventing Settings below.
Settings | see list 4-10, page 137

List 4-9 General Firewall Configuration - Audit and Reporting tab section Audit Information Generation
Parameter | Description
Generate Audit Info | Enables configuration of Firewall Audit below.
Settings | see list 4-11, page 137

List 4-10 General Firewall Configuration - Audit and Reporting tab section Connection Tracing
Parameter | Description
Settings | see list 4-14, page 138

Section Eventing Settings

Fig. 4-3 Config Section - Eventing Settings

This section consists of the pull-down menu Generate Events (default: yes) and Settings.

To open the configuration dialog, click the Set button.

List 4-11 General Firewall Configuration - Eventing Settings
Parameter | Description
Rule Limit Exceeded | Setting yes creates the event FW Rule Connection Limit Exceeded [4016] when the limit for Max. Number of Sessions is exceeded.
Source/Rule Limit Exceeded | Setting yes creates the event FW Rule Connection per Source Limit Exceeded [4018] when the limit for Max. Number of Sessions per Source is exceeded.
Accept Limit Exceeded | Setting yes creates the event FW Pending TCP Connection Limit Reached [4006] when the limit for Max Pending Accepts/Src is exceeded.
Session/Src Limit Exceeded | Setting yes creates the event FW Global Connection per Source Limit Exceeded [4024] when the limit for either Max Local-In Session/Src or Max. Forwarding Session/Src is exceeded.
UDP Limit Exceeded | Setting yes creates the event FW UDP Connection Limit Exceeded [4009] when the limit for Max UDP (%) is exceeded.
UDP/Src Limit Exceeded | Setting yes creates the event FW UDP Connection per Source Limit Exceeded [4008] when the limit for either Max Local-In UDP/Src or Max. Forwarding UDP/Src is exceeded.
Echo Limit Exceeded | Setting yes creates the event FW ICMP-ECHO Connection Limit Exceeded [4028] when the limit for Max Echo (%) is exceeded.
Echo/Src Limit Exceeded | Setting yes creates the event FW ICMP-ECHO Connection per Source Limit Exceeded [4026] when the limit for either Max Local-In Echo/Src or Max. Forwarding Echo/Src is exceeded.
Other Limit Exceeded | Setting yes creates the event FW OTHER-IP Session Limit Exceeded [4029] when the limit for Max Other (%) is exceeded.
Other/Src Limit Exceeded | Setting yes creates the event FW OTHER-IP Connection per Source Limit Exceeded [4028] when the limit for either Max Local-In Other/Src or Max. Forwarding Other/Src is exceeded.
Large ICMP Packet | Setting yes creates the event FW Large ICMP Packet Dumped [4012] when the limit for Max Ping Size (Firewall > Service Objects > ICMP Echo) is exceeded and the packet is dropped.

List 4-11 General Firewall Configuration - Eventing Settings (continued)
Parameter | Description
Oversized SYN Packet | Setting yes creates the event FW Oversized SYN Packet Dumped [4010] when an oversized SYN packet is dropped by the firewall.
Local Redirection / Local Routing Loop | Setting yes triggers the events FW Forwarding Loop Suppressed [2500] and FW Local Redirection Suppressed [2502] when the FW server IP is addressed directly and no proper rule set is defined.
Port Scan | Setting yes creates the event FW Port Scan Detected [4000] when the limit for Port Scan Threshold is exceeded.
Flood Ping | Setting yes creates the event FW Flood Ping Protection Activated [4002] when the minimum ping delay (Firewall > Service Objects > Min Delay) is underrun.
Pending Accepts Critical | Setting yes creates the event FW Activating Perimeter Defence (inbound mode) [4004] when the limit for Inbound Threshold (%) is exceeded.
IP Spoofing Attempt | Setting yes generates the events FW IP Spoofing Attempt Detected [4014] or FW Potential IP Spoofing Attempt [4015] when the firewall identifies an IP spoofing attempt (interface mismatch) or SYN flooding attack (see 2.3.4.3 Accept Policies, page 166). Note: The detection option only applies to rules configured with Source (and/or Reverse) Device setting matching (see 2.2.8 Interface Groups, page 158).

Section Audit Information Generation

The firewall audit facility allows propagating firewall events to other facilities, which may process the information for further usage (for example storing it into an SQL database).

Activate firewall audit by enabling parameter Generate Audit Info.

The following methods are available for event propagation:

List 4-12 Audit Information Generation Settings section Audit Info Transport
Parameter | Description
Audit Delivery | Local-File; Local-File-And-Forward; Forward-Only; Legacy-Log-File (log into a self-contained file); Legacy-Syslog-Proxy (forward via syslog streaming); Legacy-Executable (pipe the log stream into an executable (stdin); all processing or propagation is performed by the executable); Legacy-Send-UDP-Packet (send log stream entries as UDP packets to an IP address/port).
Executable | Only available with Audit Delivery type Legacy-Executable. Specify the executable in this place.
Send to IP Address / Send to Port | Only available with Audit Delivery type set to Local-File-And-Forward, Forward-Only, or Legacy-Send-UDP-Packet. Specify IP address and port the log stream should be addressed to in this

List 4-13 Audit Information Generation Settings section Recorded Conditions
Parameter | Description
This section expects specification of conditions which should be reported. The following event types can be reported:
• Allowed Sessions
• Blocked Sessions
• Session Termination
• Failed Sessions Termination
• Dropped Packets
• Invalid ARPs
• Allowed Local Sessions
• Blocked Local Sessions
• Log Local Session Termination
• Failed Local Sessions

List 4-14 Audit Information Generation Settings section Log File Rotation and Removal
Parameter | Description
After Number of Days | Number of days until log file entries will be purged.
Exceeding MBytes | Optional parameter. Sets the maximum size of the log file in MBytes until purging begins.
Move Files to Directory | Optional parameter. Defines the directory where to move purged log data.

An audit event entry consists of a CR terminated line of ASCII characters. Each line holds 23 pipe ("|") separated values. Sample:

1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0||4002|Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30|0|0|0|0|0

Table 4-2 Audit events
Column | Value | Type
1 | Time | Unix seconds
2 | Log Operation | Table: Log Operations
3 | Session Type | Table: Session Type
4 | Input Network Device | String
5 | IP Protocol | String
6 | Firewall Rule | String
7 | Source IP Address | IP Address
8 | Source Port | Number 0-65535
9 | Destination IP Address | IP Address
10 | Destination Port | Number 0-65535
11 | Service Name | String
12 | Reason Code | Number
13 | Reason | String
14 | Bind IP Address | IP Address
15 | Bind Port | Number 0-65535
16 | Connection IP Address | IP Address
17 | Connection Port | Number 0-65535
18 | Output Network Device | String
19 | MAC Address | 6 colon separated hex bytes
place. If no IP and port is set, data will be send to the 20 # of Input Packets Number
Barracuda NG Control Center. 21 # of Output Packets Number
ACPF Allowed Number of ACPF buffered bytes to allow messages. 22 # of Input Bytes Number
Msg Buffer 23 # of Output Bytes Number
ACPF Blocked Number of ACPF buffered bytes to block messages. 24 Duration 1/100 seconds
Msg Buffer
ACPF Dropped Number of ACPF buffered bytes to drop messages.
Msg Buffer
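The record format above, as an added parser that is not Barracuda code: it splits a record into the 24 columns of Table 42, refuses records with the wrong field count or non-numeric number columns, and tallies Block records per source IP from stdin, the way an executable behind Audit Delivery Legacy-Executable would receive them. The field names, the removal of the trailing colon seen in the sample's Log Operation value ("Block:") and the choice to count only the operation Block are assumptions; the sample record is the one printed in the guide.

```python
"""Parse and tally Barracuda NG Firewall audit records.

Added example, not Barracuda code. Column names follow Table 42; the
field names and the trailing-colon handling of Log Operation are
assumptions based on the sample record.
"""
import sys
from collections import Counter

# Table 42, columns 1-24, in order.
AUDIT_FIELDS = (
    "time", "log_operation", "session_type", "input_device", "ip_protocol",
    "rule", "src_ip", "src_port", "dst_ip", "dst_port", "service",
    "reason_code", "reason", "bind_ip", "bind_port", "conn_ip", "conn_port",
    "output_device", "mac", "in_packets", "out_packets", "in_bytes",
    "out_bytes", "duration_cs",
)
# Columns typed Number / Unix seconds / 1/100 seconds in Table 42.
INT_FIELDS = frozenset({
    "time", "src_port", "dst_port", "reason_code", "bind_port", "conn_port",
    "in_packets", "out_packets", "in_bytes", "out_bytes", "duration_cs",
})

# The sample record printed in the guide (Service Name and Output Network
# Device are empty, hence the two adjacent pipes).
SAMPLE = ("1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0"
          "||4002|Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30"
          "|0|0|0|0|0")


def parse_audit_line(line):
    """Split one CR-terminated record into a dict keyed by AUDIT_FIELDS.

    Raises ValueError if the field count is wrong or a numeric column is
    not an integer, so a truncated or tampered record is never half-read.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != len(AUDIT_FIELDS):
        raise ValueError(f"expected {len(AUDIT_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(AUDIT_FIELDS, fields))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])          # raises ValueError on garbage
    # The sample shows the operation as "Block:"; store it without the colon.
    rec["log_operation"] = rec["log_operation"].rstrip(":")
    return rec


def tally_blocks(lines):
    """Count Block records per source IP; return (Counter, malformed_count)."""
    per_source = Counter()
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = parse_audit_line(line)
        except ValueError:
            malformed += 1
            continue
        if rec["log_operation"] == "Block":
            per_source[rec["src_ip"]] += 1
    return per_source, malformed


if __name__ == "__main__":
    # Reads the record stream on stdin, as Legacy-Executable delivery would.
    counts, bad = tally_blocks(sys.stdin)
    for src, n in counts.most_common():
        print(f"{src}\t{n}")
    if bad:
        print(f"skipped {bad} malformed record(s)", file=sys.stderr)
```

Malformed records are counted rather than silently dropped; a rising count usually means the delivery path truncated lines or a column was added upstream, both of which deserve attention before the tally is trusted.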

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



Section Connection Tracing

To open the configuration dialog, click the Edit button.

Fig. 44 Connection Tracing configuration

List 415 General Firewall Configuration - Connection Tracing

Parameter Description
Data Limit (kB): Max. size of trace per connection (min: 10; max: 4096; default: 256).
File Limit: Max. number of files (= traces) (min: 10; max: 1024; default: 512).

2.1.2 Firewall Forwarding Settings

2.1.2.1 Firewall

Fig. 45 Config Section - Firewall Forwarding Settings - Firewall

List 416 Firewall Forwarding Settings - Firewall section Server Specific Firewall Settings

Parameter Description
Socks Port on 1st IP: Port of socks connections on the first server IP.
Socks Port on 2nd IP: Port of socks connections on the second server IP.
Max. Forwarding Session/Src: Maximum number of sessions per source IP (min: 1; max: -; default: 8192).
Note: With eventing activated (parameter Session/Src Limit Exceeded set to yes), the event FW Global Connection per Source Limit Exceeded [4024] is generated when the limit is exceeded.
Max. Forwarding UDP/Src: Maximum number of UDP sessions per source IP (min: 1; max: -; default: 512).
Note: With eventing activated (parameter UDP/Src Limit Exceeded set to yes), the event FW UDP Connection per Source Limit Exceeded [4008] is generated when the limit is exceeded.
Max. Forwarding Echo/Src: Maximum number of ICMP Echo sessions per source IP (min: 1; max: -; default: 512).
Note: With eventing activated (parameter Echo/Src Limit Exceeded set to yes), the event FW ICMP-ECHO Connection per Source Limit Exceeded [4026] is generated when the limit is exceeded.
Max. Forwarding Other/Src: Maximum number of sessions of any IP protocol (except TCP, UDP, ICMP) per source IP (min: 1; max: -; default: 128).
Note: With eventing activated (parameter Other/Src Limit Exceeded set to yes, see page 246), the event FW OTHER-IP Connection per Source Limit Exceeded [4028] is generated when the limit is exceeded.
Max. Pending Forward Accepts/Src: Maximum number of pending accepts per source IP (min: 5; max: 1024; default: 64).
Note: With eventing activated (parameter Accept Limit Exceeded set to yes), the event FW Pending TCP Connection Limit Reached [4006] is generated when this limit is exceeded.

2.1.2.2 RPC

This section is used in conjunction with RPC. For a detailed description, see 11.2.2.1 Configuring Active&Passive ONCRPC (recommended), page 206.

2.1.2.3 Bridging

This section is used to configure Bridging Groups and Interfaces. For a detailed description, see 2.1.2.3 Bridging, page 139.

2.1.2.4 Authentication

This section is used in conjunction with Firewall Authentication. For a detailed description, see 2.1.2.4 Authentication, page 139.

2.1.2.5 Phibs

This section is used in conjunction with Firewall Authentication. For a detailed description, see 2.1.2.5 Phibs, page 139.

2.1.2.6 WWW

This section is used in conjunction with Firewall Authentication. For a detailed description, see 2.1.2.6 WWW, page 139.

2.1.2.7 H.323 / SIP

These sections are used in conjunction with Voice over IP. Please see 1. Overview, page 374, for additional information.




2.2 Rule Set Configuration

There is a slight difference between managing a firewall rule set locally or on a Barracuda NG Control Center. On a locally administered system, the rule sets are edited either via the firewall GUI or the boxconfig GUI; in both cases it is the same rule set. On the Barracuda NG Control Center the rules are part of the data tree which holds all configuration data of the boxes, servers and services. Therefore, rule administration via a Barracuda NG Control Center is strictly separated from the control and status overview of the firewall.

Nevertheless, the firewall configuration GUI of the configuration daemons is the same as the configuration part of the firewall GUI itself. Hence it is not described separately.

Firewall configuration uses a set of notions which it is necessary to know. Firewalls in general are confronted with a request of the following kind:

Source-IP:Source-Port wants to connect to Destination-IP:Destination-Port

The rule set of the firewall now decides what should happen with such a request. Generally, there are three ways to handle a request:
• it can be blocked
• it can be allowed
• it can be rewritten

Note:
Depending on what kind of rule set is currently created/modified, the following has to be taken into consideration:
Local FW: When introducing a new rule that blocks an established connection, the connection has to be terminated manually in order to set the new rule and its connection block active.
Forwarding FW: When introducing a new rule that blocks an established connection, it can be configured whether the active connection should be blocked.

Before describing the details of creating rules, we must look at the basics of establishing connections with a Barracuda NG Firewall.

Fig. 46 Schematic of terms involved in establishing a network connection through a Barracuda NG Firewall
Source address: 192.168.0.56:2305
Destination address: 192.168.99.120:80
Bind address: 192.168.0.56:2305
Connection address: 172.31.1.110:80

Establishing a connection handled by a Barracuda NG Firewall generally involves four IP addresses with ports (if the IP protocol uses them). They are called source, destination, bind, and connection. Without a firewall there would be only source and destination. The firewall rule set deduces the link connection between Bind-IP and Connection-IP and authorizes the firewall engine to establish it, then transfers the packet or the data stream from the Source-Destination connection to the Bind-Connection link. We speak of different types of rules, for example pass, redirect, map, source NAT and destination NAT, depending on how bind and connection address are related to source and destination address.

The real core of the firewall configuration is the rule set. It consists of an ordered set of rules, which interconnects a source-IP:source-port / destination-IP:destination-port quadruple to a bind-IP:bind-port / connection-IP:connection-port quadruple. The firewall engine uses the so-called first-match algorithm to decide which rule is to be applied: rules are evaluated in their listed order, the first rule that matches is applied, and any later rule matching the same traffic is never reached. This means the action taken by the firewall engine is uniquely defined by source IP, destination IP and destination port.

The Barracuda NG Firewall rule set knows two basic entities to describe and fix the behavior of the firewall engine:
• Action types (see 2.2.3.3 Action Section, page 144)
The action type first decides whether the firewall should do anything at all, then describes the relationship between destination and connection.
• Connection Elements (see 2.2.6 Connection Elements, page 153)
The connection type describes the relation between source and bind address.

2.2.1 General Characteristics of the Firewall Graphical Interface

It is desirable that data sets can be arranged in such a way that the most wanted information catches the eye. Giving consideration to these needs, the Barracuda NG Firewall GUI incorporates several sorting mechanisms.

To simplify matters, the main characteristics regarding arrangement and ordering of data in the various windows will be described together in this chapter. Characteristics exceeding this description are positioned in the respective chapter itself.

2.2.1.1 Title Bar(s)

• Changing the column sequence
Information situated in the main window of each configuration window is captioned with a title bar. The data sets themselves are arranged in columns. The column sequence may be adjusted to personal needs, either by using the standard context menu (see 4.2 Standard Context Menu, page 420) or by dragging and dropping the respective column to another place.
• Ordering data sets
In most windows, data sets may be arranged ascending or descending by clicking into the column labelling of the respective title bar.

2.2.1.2 Context Menu Entries

• Right-clicking into any configuration area without a selected item makes the standard context menu available through the menu item Tools (see 4.2 Standard Context Menu, page 420).
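The first-match evaluation described in 2.2 above, as an added toy model that is not Barracuda code: rules are matched on the source IP / destination IP / destination port triple the text names, evaluated in order, and the model reports which active rules no traffic sample ever reaches, which is the shadowing the Rule Tester and Select Overlapping functions exist to find. The rule set, the traffic samples and the implicit Block for traffic no rule matches are assumptions of this model.

```python
"""First-match evaluation of an ordered rule set (added toy model, not
Barracuda code). Rules match on the source IP / destination IP /
destination port triple named in 2.2; the rule set and the traffic
samples are constructed, and the implicit Block for unmatched traffic
is an assumption of this model.
"""
import ipaddress


class Rule:
    def __init__(self, name, action, src_nets, dst_nets, dst_ports=None, inactive=False):
        self.name = name
        self.action = action                  # "Pass", "Block" or "Deny"
        self.src = [ipaddress.ip_network(n) for n in src_nets]
        self.dst = [ipaddress.ip_network(n) for n in dst_nets]
        self.dst_ports = dst_ports            # None means any port
        self.inactive = inactive              # the "inactive" checkbox

    def matches(self, src_ip, dst_ip, dst_port):
        if self.inactive:
            return False
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.dst_ports is None or dst_port in self.dst_ports))


def first_match(rules, src_ip, dst_ip, dst_port):
    """Walk the ordered rule set and return (action, rule name) of the first hit."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "Block", "<implicit>"   # assumption: nothing matched, drop silently


def unreached_rules(rules, samples):
    """Active rules no sample ever reaches: candidates shadowed by an earlier rule."""
    hit = {first_match(rules, *s)[1] for s in samples}
    return [r.name for r in rules if not r.inactive and r.name not in hit]


# Constructed rule set: the ssh rule sits after a catch-all block and
# therefore never fires, which is exactly what first-match implies.
LAN, DMZ = ["192.168.0.0/24"], ["192.168.99.0/24"]
RULES = [
    Rule("LAN-DMZ-web", "Pass", LAN, DMZ, {80, 443}),
    Rule("LAN-BLOCKALL", "Block", LAN, ["0.0.0.0/0"]),
    Rule("LAN-DMZ-ssh", "Pass", LAN, DMZ, {22}),
]
SAMPLES = [
    ("192.168.0.56", "192.168.99.120", 80),
    ("192.168.0.56", "192.168.99.120", 22),
    ("192.168.0.56", "203.0.113.7", 53),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", first_match(RULES, *s))
    print("never reached:", unreached_rules(RULES, SAMPLES))
```

Moving LAN-DMZ-ssh above LAN-BLOCKALL makes it reachable; the model makes the point that in a first-match rule set the position of a rule is as much part of the policy as its contents.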




• Right-clicking on a selected item in any configuration window makes the same menu items available as shown in the navigation bar of the respective section displayed on the left side. In each case, the items are valid for the specific section only.
• In some windows the context menu item Set Color allows flagging data sets with a user-specific color for the purpose of highlighting them.
• In some windows the context menu item Show in Groups allows switching between two views: the classical view, a continuous list, or a list combining groups of elements.

2.2.1.3 The Object Viewer

The Object Viewer is designed to assist in creating or modifying a rule set, by making distinct objects, such as network, service, connection, ICMP, and time objects, quickly available.

Open a rule by double-clicking it and select the checkbox Object Viewer in the rule's navigation bar, or select Rules > Object Viewer from the Configuration navigation bar to open the Object Viewer.

When opened from the rule window the Object Viewer is opened sticking to the right of it. Grab the viewer and drag it to a place where it does not disturb other configuration windows. Adjust the viewer to stay on top permanently by sticking the blue needle.

When opened directly from the rule creation/modification dialog by ticking the checkbox Object Viewer in the navigation bar, a special function is available: selecting a specific tab in the viewer then immediately changes the navigation bar items in the rule window. Selecting an object hence activates the specific menu items related to it. It is thus not only possible to configure existing objects in the rule set; new objects can additionally be created by launching the object editing dialogs from the navigation bar. Furthermore, existing objects can be dragged from the object viewer into the rule set directly, and be dropped at a place where they fit.

2.2.1.4 Rule Markers

In the rule overview window rules are sometimes flagged with diverse icons in various columns. The icons are intended to give a quick overview of a rule's main characteristics and indicate policy limitations. The following icons are in use:

Table 43 Rule marks utilized in the rule overview window

Icon Action Indication
Attention!: This icon (displayed in the rule view of the rule window) and the conjoint labelling !!! ATTENTION !!! Changed values! indicate that for the respective rule Content Filter and/or Advanced settings values have been changed (see 2.3.1 Content Filter (Intrusion Prevention), page 159 and 2.3.4 Advanced Rule Parameters, page 162).
Block: This icon is added to rule elements in the column display which have been configured to BLOCK on Mismatch in the Rule Mismatch Policy section of the Advanced settings dialog (see 2.3.4 Advanced Rule Parameters, page 162).
Deny: This icon is added to rule elements in the column display which have been configured to DENY on Mismatch in the Rule Mismatch Policy section of the Advanced settings dialog (see 2.3.4 Advanced Rule Parameters, page 162).
User authentication required: This icon is added to the Name column if the rule requires user authentication due to configuration of the Authentication parameter in the Advanced configuration dialog (see 2.2.3.8 Authenticated User Section, page 147).
Timed: This icon is added to the Name column if the rule has been configured as a dynamic rule (see 2.3.6 Dynamic Activation, page 168).
Time restricted: This icon is added to the Name column if a time restriction has been configured for the respective rule using a Time Object (see 2.2.3.10 Time Objects, page 147) or the Time Restriction parameter (see 2.3.4.2 Time Restriction, page 165) in the Advanced settings dialog.
2-way: This icon is added to the Name column if a rule has been configured to apply in both directions.
Content filter set: This icon is added to the Name column if a content filter has been configured in the rule through the parameter Content Filter in the Content/IPS configuration dialog (see 2.3.1 Content Filter (Intrusion Prevention), page 159).
Source IP exposed: This icon is added to the Action column if connection type Client is set, which causes the client's source IP to be exposed in a connection (see 2.2.6 Connection Elements, page 153).
Stream is forwarded: This icon is added to the Action column if Stream Forwarding is configured as data transfer Method in the TCP Policy section of the Advanced configuration dialog (see 2.3.4 Advanced Rule Parameters, page 162).
Source Interface is set to Continue on Mismatch: This icon is used when the Source Interface has been set to Continue on Mismatch (see 2.2.3.9 Source Interface Section / Reverse Interface Section, page 147).
Data flow is compressed: This icon is added to the Action column when the Connection Object the rule references has been configured with traffic compression in either direction (see 2.2.6 Connection Elements, page 153).

2.2.2 Navigation Bar Items

The Barracuda NG Firewall rule set consists of various configuration entities (Networks, Services, Connections, Proxy ARPs and Content Filters), which can be created and maintained independently from the rule set itself. They are then pieced together to build a logical formation.

The firewall configuration window is divided into two organisational areas:
• a navigation bar on the left side and




• the configuration area in the main window.

Fig. 47 Rule set configuration interface

The item Configuration is the navigation bar's main element. Clicking a sub-item of it displays further navigation items directly related to the element that is to be configured.

Fig. 48 Open navigation bar

The following organisational segments are made available through the navigation bar:

List 417 Items of the Navigation Bar's main element "Configuration"

View Description see
Rules: Click Rules to configure general settings applying to the rule set, and to create and modify single rules and rule lists in the Firewall - Rules window. See 2.2.3 Rules Configuration, page 143.
Networks: Click Networks to define network objects (for referencing purpose within the Firewall - Networks window). See 2.2.4 Network Objects, page 148.
Services: Click Services to define service objects (for referencing purpose within the Firewall - Services window). See 2.2.5 Services Objects, page 151.
Connections: Click Connections to define connection objects (for referencing purpose within the Firewall - Connections window). See 2.2.6 Connection Elements, page 153.
User Groups: Click User Groups to define users/user groups (for referencing purpose within the Firewall - User window). See 2.2.7 User Groups, page 158.
Interface Groups: Click Interface Groups to define interface objects (for referencing purpose within the Firewall - Device Groups window). See 2.2.8 Interface Groups, page 158.
Proxy ARPs: Click Proxy ARPs to define proxy ARP objects (for referencing purpose within the Firewall - Proxy ARPs window). See 2.2.9 Proxy ARPs, page 158.
Content Filter: Click Content Filters to define filter patterns for intrusion prevention purpose in the Firewall - Content Filter window. See 2.3.1 Content Filter (Intrusion Prevention), page 159.
Rule Tester: Click Rule Tester to test the integrity of rules in the Firewall - Rule Tester window. See 2.2.10 Rule Tester & Test Report, page 159.
Test Report: Click Test Report to archive and/or modify executed test reports in the Firewall - Test Report window. See 2.2.10 Rule Tester & Test Report, page 159.

Note:
Regard the following navigation bar items in the Firewall - Rules window with special attention:

• Show
Use the Show function to get a quick overview of objects used in a rule set.
Select a rule in the rule set overview (Firewall - Rules) window and click Show in the main navigation bar. The following sub-items are now displayed for further choice:
Source Addresses
Destination Addresses
Service Addresses
Click each of these items in the sub-menu. For every link clicked, a new window opens, displaying the Source, Destination, and Service Addresses of the selected rule respectively. Browse through the rules in the rule overview window and notice the changing addresses in the address windows.

• Hide/Show Inactive
Rules can be disabled temporarily by ticking the checkbox inactive. Click Hide Inactive to remove an inactive rule from the view. Click Show Inactive to fade it in again.

• Select Overlapping
This feature can be used to test a rule set's integrity. For a detailed description see 4.2 Overlapping Rules, page 172.

Note:
Regard the following context menu items in the Firewall - Rules window with special attention:

• New / Edit / Delete Section
Sections are available with firewall Feature Level set to Release 3.6.0, 4.0.0 and 4.2.0 (list 417, page 142).
Sections can be introduced to tidy up the view in large rule sets. Select New Section to create a section and specify a name for it. All existing rules are automatically assigned to the first created section. As soon as




multiple sections have been created, rules can be dragged from one section to another.

Attention:
Rules should be arranged in sections according to their processing workflow.
When a section is deleted with Delete Section, only the section header is removed; the sort order of the rules remains unchanged.

Note:
Changing the Feature Level to a lower level than 3.4.0 irreversibly deletes configured sections.

• Show in Sections
Creating a section automatically activates the view Show in Sections. Clear this menu item to switch back to the default view.

2.2.3 Rules Configuration

The rule set is configured and managed in the Firewall - Rules window. To enter the rules configuration window click Configuration > Rules in the navigation bar.

The Firewall - Rules window displays the rule set in the main window and makes the following further main navigation bar items available:

• Test Report
This item allows testing the rule set's integrity (see 4. Testing and Verifying of Rule Sets, page 172 for a detailed description).

• Edit Rule
This item makes elements available allowing creation and modification of rules (see 2.2.3.1 Creating a New Rule, page 143).
Note:
With multiple rules selected in the rule overview window the right-click context menu entry Edit Multiple Rules becomes available. See 2.3.4.1 Multiple Rules Editing, page 165 for a summary of attributes which can be edited together.
Note:
The option Edit Multiple Rules is not available if the view is set to Show in Sections and a section is selected. Select real rules only.

• Edit Rulelist
This item allows the creation of subordinate rule lists, to which specific items from the main rule list can be cascaded (see 2.5.1 Cascaded Rule Lists, page 169 for a detailed description).
Note:
Forwarding Firewall: The actions New Rulelist and Remove Rulelist can be executed through the context menu on the tabs of the rulelist(s).

• Information
Elements in this navigation bar item apply to global rule set settings. The following actions are available:

List 418 Subordinate elements of the item Information in the navigation bar

Action Description
Setup: Via this button the version compatibility of the rule set is defined.
Attention:
To use all features of the firewall rule set it is necessary to set the feature level explicitly to 3.4.0/3.6.0/4.0.0/4.2.0. This is necessary since a rule set containing 3.4.0/3.6.0/4.0.0/4.2.0 features is not compatible with a firewall of release 3.2.0 or 2.4.2. For setting the rule set version, lock the rule set and enter the menu by clicking Setup in the navigation bar.
Export Rulelist: Clicking this item exports the rule list to a file. Rule list files (.fwrule7 files) should be created as backup files before modifying a working rule set.
Import Rulelist: Clicking this item allows importing the contents of a rule list (.fwrule7) file.
Reload Externals: Global firewall objects are updated.
Reload GTI Objects: This function is only available for CC administered firewalls in combination with a running VPN service. A global GTI Object is created for every tunnel endpoint inserted into the Global VPN GTI Editor (see 15. VPN GTI, page 490). The function Reload GTI Objects reloads network objects which have been introduced in the graphical tunnel interface through creation of tunnel endpoints. Lock the Global Firewall Objects node and click Reload GTI Objects to refresh the view after new tunnel endpoints have been introduced. GTI objects are arranged in the dynamic networks section and their names begin with a prefixed GTI-Server label.
Note:
GTI-Server objects are inherited as references by the Local and Forwarding Firewall rule sets of each Firewall service related to the tunnel endpoint and may be used for rule specification.

2.2.3.1 Creating a New Rule

To create a new rule, lock the rule set and click Edit Rule > New in the navigation bar. This opens the New Rule dialog:

Fig. 49 New Rule dialog




Contents of the navigation bar

The rule configuration window opens with its default view, the Rule view. Further available views, which can be chosen by clicking the elements in the navigation bar item Views in the rule window, are the following:

• Content/IPS
Allows selecting a content filter applying to the rule. Creation and modification of content filters is described in 2.3.1 Content Filter (Intrusion Prevention), page 159.
• Advanced
Allows configuring advanced settings applying to the rule. A summary of existing advanced settings parameters is given in 2.3.4 Advanced Rule Parameters, page 162.
• ICMP Handling
Allows configuring a specific ICMP handling applying to the rule. A summary of ICMP settings is given in 2.3.5 ICMP Handling, page 167.
• Clicking the checkbox Object Viewer opens the viewer directly adhering to the rule window. The object viewer's behaviour is described in 2.2.1.3 The Object Viewer, page 141.

Contents of the main rule window

The range of fields available or activated in the main rule window is predetermined by specific selections made in previous fields. A rule defining, for example, to block a connection attempt can never apply both ways; the checkbox 2-way is thus not available when Block is selected. Selecting Pass, on the other hand, activates the 2-way checkbox and expects input in the Connection section.

Amongst others, the following parameters are always available for configuration, regardless of the configured action:

List 419 Firewall configuration - Rule Creation/Editing

Parameter Description
Name: This uppermost field of the rule window takes the rule's name. Assigning a name to the rule is mandatory. The maximum length of this parameter is 50 characters.
Description: Enter a significant description of the rule.
Timed checkbox: Via this checkbox it is possible to activate the rule dynamically. Due to the complexity of this feature, have a look at the description under 2.3.6 Dynamic Activation, page 168.
inactive checkbox: Ticking this checkbox deactivates the rule. To reactivate the rule simply clear the checkbox again. Inactive rules can be removed from or faded into the view by clicking Show/Hide Inactive in the navigation bar.
Forward Band / Reverse Band: These parameters are used with traffic shaping activated (see 2.2.6 Traffic Shaping, page 82).

2.2.3.2 Source Section

This section describes the source IP address/netmask of the connection affected by the rule. You may select an already existing network object from the menu or enter an explicit IP address/netmask. The configuration dialog in this place is the same as described under 2.2.4 Network Objects, page 148.

2.2.3.3 Action Section

This section defines the handling of a connection attempt. The following actions are available:

List 420 Firewall configuration - Action section

Icon / Action / Defining property / Additional parameters
Block: Ignore all traffic which matches the rule and do not answer any matching packet.
Deny: Dismiss any traffic and send TCP-RST (for TCP requests), ICMP Port Unreachable (for UDP requests) or ICMP Denied by Filter (for other IP protocols) to the source.
Note:
Block leaves the source waiting for a timeout, which is slower for legitimate clients but reveals nothing; Deny answers at once, which is friendlier to misconfigured internal clients but confirms to an external scanner that a filtering device is present. Block is the usual choice towards untrusted networks.
Pass: Destination IP/Port is identical to Connection IP/Port.
  Additional parameter 2-Way: This opens the route the other way around.
  Attention: This can be a severe security hole if you do it carelessly. Depending on the connection type of the rule, the rule type of the reverse direction can be of pass or of a redirect type. Activating the check box will work regardless.
Redirect: General Destination IP/Port Rewriting. The connection type can be chosen freely (can be used to have source NAT and destination NAT at once).
  Additional parameter Fallback / Cycle: Policy for the use of the IPs in the target list. Fallback always redirects to the first available IP in the list. Cycle calculates which one to use from the source IP, so the same source will be redirected to the same target every time.
Redirect Object: General Destination network/Port Rewriting. The connection type can be chosen freely (can be used to have source NAT and destination NAT at once).
  Additional parameter Fallback / Cycle: Policy for the use of the IPs in the target list, as for Redirect: Fallback always redirects to the first available IP in the list; Cycle calculates which one to use from the source IP, so the same source will be redirected to the same target every time.




List 420 Firewall configuration - Action section (continued)

Icon / Action / Defining property / Additional parameters
Map: One destination IP or a whole subnet can be mapped to another IP object of the same size. The map is also available the reversed way. The connection type can either be explicit client (destination NAT) or any pre-defined Translation Map (see 2.2.6.3 Translation Map, page 157).
  Additional parameter 2-Way: This opens the route the other way around.
  Attention: This can be a severe security hole if you use it carelessly. The type of a reverse map would be of pass type with explicit source NAT. Activating the check box will work regardless.
  Attention: When using a map object in the parameter Connection Type, all connections not affected by this map rule are forwarded with connection type proxy dyn.
Local Redirect: Traffic is redirected to a local application (Transparent Proxying).
  Note: Advanced parameters and timeouts of this type behave like in the local firewall.
Local Redirect Object: Traffic is redirected to a network object.
  Note: Advanced parameters and timeouts of this type behave like in the local firewall.
Broad-Multicast: Traffic is propagated to multiple interfaces (only needed with Bridging, see 9. Bridging, page 190).
  Additional parameter Propagation list field: Defines the interfaces distributing broadcast and multicast messages.
Cascade / Cascade Back: No traffic is affected yet. It is a jump into other parts of the rule set (see 2.5.2 Cascaded Rule Sets, page 169).
  Additional parameter Rule set list: Defines the rule set the traffic is cascaded to.
Execute: All traffic is piped into the STDIN (STanDard IN) of a program running on the server.
  Additional parameter Executable field: Name of the binary (full pathname).

2.2.3.4 Destination Section

The available settings in this section depend on the configured Action type:

List 421 Firewall configuration - Destination section

Icon / Action / Destination / Additional parameters
Block, Deny, Pass: You may select an already existing network object from the menu. The configuration dialog in this place is the same as described under 2.2.4 Network Objects, page 148.
  Explicit: You may enter an explicit IP address/netmask. The configuration dialog in this place is the same as described under 2.2.4 Network Objects, page 148.
Redirect: IP address to be redirected (Destination IP).
  Create Proxy ARP: Activate if you want a Proxy ARP to be generated by the firewall. If the IP is already in the list, you do not need to activate it, but it does no harm either.
  Attention: Since using Proxy ARPs is not without risk, please consult 2.2.9 Proxy ARPs, page 158, for further information.
Redirect Object: You may select an already existing network object from the menu or enter an explicit IP address/netmask. The configuration dialog in this place is the same as described under 2.2.4 Network Objects, page 148.
  Explicit: You may enter an explicit IP address/netmask. The configuration dialog in this place is the same as described under 2.2.4 Network Objects, page 148.
Map: One destination IP or a whole subnet can be mapped to another IP object of the same size. The map is also available the reversed way. The connection type can either be client (destination NAT) or any pre-defined Translation Map.
  Create Proxy ARP: Activate if you want a Proxy ARP to be generated by the firewall. This option does not necessarily need to be activated if the IP is already included in the Proxy ARP list. Ticking the checkbox will not disturb the existing object, though.
  Attention: Since using Proxy ARPs is not without risk, please consult 2.2.9 Proxy ARPs, page 158, for further information.
  A referenced translation map will be read from right to left.
  Proxy ARPs will be generated only if the netmask is at most 8 bit long (inverted CIDR notation, 255.255.255.0; see 5. Inverted CIDR Notation, page 25).

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



List 421 Firewall configuration - Destination section (continued)

Action: Local Redirect
  Destination: Note: Advanced parameters and timeouts of this type behave like in the local firewall.
  Create Proxy ARP: Activate if you want a Proxy ARP to be generated by the firewall. If the IP is already in the Proxy ARP list, you do not need to activate it, but doing so does no harm either.
  Attention: Using Proxy ARPs is not without risk; consult 2.2.9 Proxy ARPs, page 158, for further information.

Action: Local Redirect Object
  Destination: Traffic is redirected to a network object.
  Note: Advanced parameters and timeouts of this type behave like in the local firewall.

Action: Broad-Multicast
  Destination: Traffic is propagated to multiple interfaces (only needed with Bridging, see 9. Bridging, page 190).

Action: Cascade
  Destination: No traffic is yet affected. It is a jump into other parts of the rule set (see 2.5 Cascaded Rule Sets, page 169).
  Rule set list: Defines the rule set traffic is cascaded to.

Action: Cascade Back
  Destination: See 2.5 Cascaded Rule Sets, page 169.

Action: Execute
  Destination: Redirects traffic to an executable (std_in - incoming traffic; std_out - outgoing traffic).

2.2.3.5 Redirection Section

Depending on the relative sizes of the redirected IP range and the target IP range, there are four types of redirecting:

• The target IP range is as large as the redirected range (for example 10.0.0.128/28 to 192.168.32.0/28). The IP addresses are mapped one to one.

• The target IP range is larger than the redirected range (for example 10.0.0.128/28 to 192.168.32.0/24). The "most fitting" IP address is taken, for example 10.0.0.130 to 192.168.32.130.

• The target IP range is smaller than the redirected range (for example 192.168.32.0/24 to 10.0.0.128/28). The larger range is mapped onto the smaller range, for example 192.168.32.2 and 192.168.32.130 to 10.0.0.130, and 192.168.32.30 to 10.0.0.142.

• One IP is redirected to several other IPs (for example 192.168.32.3 to [10.0.0.23 10.0.0.68]). Depending on the chosen policy (Fallback or Cycle), requests are redirected to one of the target IPs.

Multiple Redirecting (Failover and/or Load Sharing)

• Failover: All IPs from the redirect list are tested, and IPs where no connection could be established are marked as unreachable. The process records for how long the IP has been unreachable (last time) and how often retries took place. As soon as the retry time is smaller than the last time, the IP is considered reachable again and a new connection attempt is started.

• Load Sharing: The principle is the same as for failover, except that the index of the target used for connection establishment is derived from the source IP.

The available settings of this section depend on the configured Action type:

List 422 Firewall configuration - Redirection section (Icon, Action, Parameter, Description)

Action: Block - not available
Action: Deny - not available
Action: Pass - not available

Action: Redirect
  Target List: List of targets that the clients should be redirected to (possible connection IPs). By appending a colon it is possible to define the port.
  Attention: When entering a specific port, be sure to have the correct service selected. Otherwise it will not work at all.
  List of Critical Ports: By default, the available/unavailable policy considers all ports of the allowed rule services. If a connection to such a port fails, the target is marked unavailable and the remaining targets are used as the new list. If there are entries in the critical ports list, only failed connections to these ports lead to a state change of the respective target from available to unavailable. Separate multiple critical port entries with a space.

Action: Redirect Object
  Target List: Same as for Redirect: list of targets that the clients should be redirected to (possible connection IPs); a colon appended to an entry defines the port. When entering a specific port, be sure to have the correct service selected, otherwise it will not work at all.
  List of Critical Ports: Same as for Redirect.

Action: Map
  IP/Mask: Real IP to be redirected (Destination IP).
  Referenced Map: Instead of explicit mapping you can also refer to a pre-defined connection object of type translation map.

Action: Local Redirect
  Local Address: Local address the request is redirected to.
  Note: Advanced parameters and timeouts of this type behave like in the local firewall.

Action: Local Redirect Object
  Local Address: Local address the network object is redirected to.
  Note: Advanced parameters and timeouts of this type behave like in the local firewall.
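The range mapping, the Target List / Critical Ports availability logic and the Proxy ARP netmask limit described above can be modelled in a few lines. The following Python is an added example written for this page, not Barracuda code. It assumes that "most fitting" means the target network supplies the prefix and the original destination supplies the host bits that fit into the target netmask (this reproduces every mapping example given in the section); the source-IP hash used for the load-sharing index and the explicit report_failure/report_recovery calls replacing the appliance's reachability probing are simplifications of this example, not documented appliance behaviour.

```python
"""Added example for 2.2.3.5 Redirection: range mapping, target lists and
the Proxy ARP netmask limit. Not Barracuda code; see the lead-in for the
assumptions (host-bit mapping rule, hashed load-sharing index)."""
import hashlib
import ipaddress


def map_address(dst, redirected, target):
    """Map one destination address of `redirected` into `target`.

    Assumption (matches all examples in the section): the target network
    supplies the prefix, the original address supplies the host bits that
    fit into the target netmask. Equal sizes give a one-to-one mapping, a
    larger target keeps the "most fitting" address, a smaller target wraps
    the larger range onto it.
    """
    redirected = ipaddress.ip_network(redirected)
    target = ipaddress.ip_network(target)
    dst = ipaddress.ip_address(dst)
    if dst not in redirected:
        raise ValueError(f"{dst} is outside the redirected range {redirected}")
    host_bits = int(dst) & int(target.hostmask)
    return str(ipaddress.ip_address(int(target.network_address) | host_bits))


def proxy_arp_allowed(netmask):
    """Proxy ARPs are generated only for netmasks of at most 8 bit in inverted
    CIDR notation, i.e. at most 8 host bits (255.255.255.0 and longer masks)."""
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen
    inverted_cidr = 32 - prefixlen          # 255.255.255.0 -> 8
    return inverted_cidr <= 8


class RedirectTargets:
    """Target List plus List of Critical Ports (List 422) with the Failover /
    Load Sharing selection of 2.2.3.5. Reachability probing and retry timing
    are replaced by explicit report_* calls (simplification of this example)."""

    def __init__(self, targets, critical_ports=(), policy="failover"):
        self.targets = []
        for entry in targets:                # "ip" or "ip:port" as typed in the field
            ip, _, port = entry.partition(":")
            self.targets.append((ip, int(port) if port else None))
        self.critical_ports = set(critical_ports)
        self.policy = policy
        self.unavailable = set()             # indices currently marked unreachable

    def available(self):
        return [t for i, t in enumerate(self.targets) if i not in self.unavailable]

    def report_failure(self, target, port):
        """A failed connection flips the target to unavailable only if the port
        is critical; with an empty critical list every rule port counts."""
        if self.critical_ports and port not in self.critical_ports:
            return False
        self.unavailable.add(self.targets.index(target))
        return True

    def report_recovery(self, target):
        self.unavailable.discard(self.targets.index(target))

    def select(self, src_ip):
        """Pick the target for a new connection from `src_ip`, or None."""
        avail = self.available()
        if not avail:
            return None
        if self.policy == "failover":
            return avail[0]                  # first target that is still reachable
        # load sharing: index derived from the source IP (the hash is an assumption)
        digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
        return avail[int.from_bytes(digest[:4], "big") % len(avail)]


if __name__ == "__main__":
    print(map_address("10.0.0.130", "10.0.0.128/28", "192.168.32.0/24"))   # 192.168.32.130
    print(map_address("192.168.32.30", "192.168.32.0/24", "10.0.0.128/28"))  # 10.0.0.142
```

Note how the critical-port list changes what counts as an outage: with critical_ports=[80] a failed SSH probe leaves the target available, a failed HTTP connection removes it, and a target list with no reachable entry returns None, which a rule would have to treat as "no redirect possible" rather than silently falling back to the original destination.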

List 422 Firewall configuration - Redirection section (continued)

Action: Broad-Multicast - not available
Action: Cascade - not available
Action: Cascade Back - not available
Action: Execute - not available

2.2.3.6 Service Section

This section provides all already configured service objects affected by the rule. The objects describe the protocol used as well as the port or port range used.
You may select an already existing service object from the menu or enter an explicit service object.
The configuration dialog in this place is the same as described under 2.2.5 Services Objects, page 151.

2.2.3.7 Connection Section

Note:
The available settings in this section depend on the configured Action type:

List 423 Firewall configuration - Connection section (Icon, Action, Description)

Action: Block - not available
Action: Deny - not available
Action: Pass / Redirect / Redirect Object - The connection element of a firewall rule defines the bind address. This is the address the firewall uses to connect to the target computer. You may select an already existing connection object from the menu or enter an explicit connection object. The configuration dialog in this place is the same as described under 2.2.6 Connection Elements, page 153.
Action: Map - A more advanced type of connection is the translation map. Here you can define more sophisticated source-NAT rules. For more information concerning maps see 2.2.6 Connection Elements, page 153.
Action: Local Redirect - not available
Action: Local Redirect Object - not available
Action: Broad-Multicast - The connection element of a firewall rule defines the bind address. This is the address the firewall uses to connect to the target computer. You may select an already existing connection object from the menu or enter an explicit connection object. The configuration dialog in this place is the same as described under 2.2.6 Connection Elements, page 153.
Action: Cascade - not available
Action: Cascade Back - not available
Action: Execute - not available

2.2.3.8 Authenticated User Section

This section is needed for Firewall Authentication (see 10. Firewall Authentication, page 199) and defines the user(s)/usergroup(s) affected by this rule.
You may select an already existing user/usergroup from the menu or enter an explicit user/group.
The configuration dialog in this place is the same as described under 2.2.7 User Groups, page 158.
If the rule requires user authentication at the firewall, the rule is marked with an icon in the Name column of the rule overview window.

2.2.3.9 Source Interface Section / Reverse Interface Section

This section specifies which interfaces should be utilised when the rule is processed. For a description of configuration details see 2.2.8 Interface Groups, page 158.

2.2.3.10 Time Objects

Note:
Starting with netfence 3.4, Time Objects have been introduced to configure rules with a time restriction. Select New Time Object in the Time Objects tab of the Object Viewer to create a new Time Object.
Time Objects cannot be combined with the older Time Restriction. Either the older or the newer method has to be used.

The granularity of time limitation is 1 hour on a weekly basis.

Fig. 410 Time Object configuration dialog

A rule is allowed at all times by default, that is, all checkboxes in the Time Object dialog window are unchecked. Checking a box denies the rule for the given time.

List 424 Firewall configuration - Time Object (Parameter, Description)

Time Object Name: Specify a name for the time object.
Set allow: Select to clear the selected checkboxes (the selected intervals become allowed).


List 424 Firewall configuration - Time Object (continued)

Set deny: Select to mark the selected checkboxes as disallowed time intervals.
Set Invert: Select to invert the current selection, swapping allowed and disallowed time intervals in one step.
Continue if mismatch (default): Continue processing the rule set (the rule is skipped) if the time restriction denies it.
Block if mismatch: Do not allow the connection if the time restriction denies it.
Terminate existing: If checked, an active session is terminated as soon as the time restriction applies.
Create Time Interval for Rule checkbox: Select this checkbox to create a time-limited interval for the specific rule instead of a validity based on days of the week. Exact dates and times of day may be specified by selection in the calendar list.
  Note: If selected, the condition of this Time Object is only met if the appropriate day and time interval in the calendar above is selected too.

2.2.4 Network Objects

The Firewall - Networks window collects network objects that have been given labels for easier recognition and handling. Network objects are designed to be used, for example, in the following way:

Instead of itemising single web servers running on the IPs 192.168.23.2, 192.168.23.21, 192.168.23.25, and 192.168.23.32, all servers can be summed up in a network object called allwebservers. This network object can be used to define actions applying to all servers. If a further web server is created running on the IP address 192.168.23.34, there is no need to create further rules applying to it. The additional web server simply has to be added to the network object allwebservers; it thus inherits all properties of the existing object.

Fig. 411 Creating/editing a net object called allwebservers

Beside the local and forwarding firewall, network objects may reside in the following configuration areas of Barracuda NG Control Centers:

• Global Firewall Objects (accessible through Multi-Range > Global Settings) (see 6.3.2 Global Settings - Global Firewall Objects, page 435)

• Range Firewall Objects (accessible through Multi-Range > <rangename> > Range Settings) (requires activation of Own Firewall Objects in the Range Config file, see 6.4 Range Configuration, page 440)

• Cluster Firewall Objects (accessible through Multi-Range > <rangename> > <clustername> > Cluster Settings) (requires activation of Specific Firewall Settings in the Cluster Config file, see 6.5 Cluster Configuration, page 442)

Note:
CC-administered boxes inherit all network objects created in these configuration areas as external objects.

Network objects may consist of the following:

List 425 Net Object configuration parameters (Parameter, Description)

Type:
  Generic - Generic Network Objects may combine network addresses of all types. All network objects available on Barracuda NG Firewall systems by default are configured as generic network objects.
  Single IP Address - Selecting this type allows inserting a single IP address into the IP / Ref list.
  List of IP Addresses - Selecting this type allows inserting single IP addresses and/or references to other single IP address objects into the IP / Ref list.
  Single Network Address - Selecting this type allows inserting a single network address into the IP / Ref list.
  List of Network Addresses - Selecting this type allows inserting multiple network addresses (networks and IP addresses) and/or references to other network address objects into the IP / Ref list.
  Hostname (DNS Resolved) - Selecting this type allows specifying a DNS resolvable host name as network address.
  Attention: Network objects of type Hostname come with a number of specialities and potential security issues when applied wrongly. Pay careful attention to their attributes. See 2.2.4.1 Hostname (DNS Resolvable) Network Objects, page 149, for a detailed description of the configuration options.

List 426 Net Object configuration parameters section Excluded Entry (Parameter, Description)

Excluded Entry: This section allows excluding specific networks from a network object. A preconfigured network object using this feature is the object Internet, located in the Local Networks list of every Forwarding Firewall service created on a Barracuda NG Firewall. The Internet object excludes the networks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 from the network object World (0.0.0.0/0), which is the usual intention when creating rules governing Internet access.
  Note: For transparency and consistency reasons, references are not available in the Excluded Entry section.

List 427 Net Object configuration parameters section Bridging (Parameter, Description)

Note:
The configuration options in the Bridging section are only applicable for Layer3 Bridging. See 9.3.3 Layer3 Bridging, page 191, for general information and 9.6.2.4 Using Layer3 Bridging, page 196, for exemplary configuration details.
When bridging is activated on an interface, host routes and PARPs may automatically be generated by the Barracuda NG Firewall. This section allows you to specify the information required for this task. The Bridging section is only available in the Local Networks list of the Forwarding Firewall Service. Select Bridging ENABLED (Advanced Settings) from the list (default: Bridging NOT Enabled) if you want to configure bridging details.

Device Addresses Reside: Insert the name of the interface on which bridging is to be enabled (for example eth1).
Parent Network: Insert the superordinate network from which the bridged interface has been separated (see the example setup in 9.6.2.4 Using Layer3 Bridging, page 196).
Introduce Routes checkbox: Select this checkbox if you want the Barracuda NG Firewall to automatically introduce host routes to the IP addresses to be separated from the superordinate network (the IPs listed in the network object).
Restrict PARP to Parent Network checkbox: Select this checkbox if you want the Barracuda NG Firewall to answer the automatically introduced Proxy ARPs only to hosts within the parent (superordinate) network.

Note:
Once created, a network object's type may not be changed.

Note:
Character restriction: you may use spaces in the Name of your global firewall object, but such an object will only be visible within the firewall rule set; it cannot be selected as a reference from the Network Objects dialog.

Attention:
Network objects may not be deleted if other objects reference them. They may be deleted when referenced by configuration files, though. Make sure that network objects are not referenced before deleting them. Whether objects are referenced can be seen in the RefBy column of the Network Objects listing.

Fig. 412 Firewall - Networks window - Listing of Network Objects

Create and make use of network objects to benefit from the following:

• Labelled IP and network addresses can easily be identified and handled by their name.

• Network objects may easily be edited and extended when network addresses in productive environments change.

• Working with network objects instead of explicit IP addresses allows you to construct a consistent hierarchical structure of your network and to implement consistent security policies.

• In firewall rule sets that employ references to network objects instead of explicit IP addresses, rule configurations need not be edited when IP addresses within objects change.

• Network objects may be referenced in all generic configuration dialogs of the Barracuda NG Control Center configuration tree in places where IP addresses or networks are to be inserted (IP/network address fields flagged with the corresponding icons), with the exception of DNS zone configuration, Personal Firewall configuration, CC administrator configuration, and the explicit tunnel override dialogs provided by the VPN GTI. Click the reference icon to open the Network Objects window from which the network object reference can be chosen. Click the delete icon to remove the reference. This feature protects you from adverse side effects that may arise from incomplete address changes throughout multiple configuration instances.

Note:
Creating references to network objects in generic configuration areas is only possible in the Barracuda NG Control Center configuration tree and not on CC-administered or single boxes.

2.2.4.1 Hostname (DNS Resolvable) Network Objects

Note:
Hostname network objects are available as from netfence 3.6.3. Always use the correct Barracuda NG Admin version when editing Hostname objects.

Attention:
Do not import rule sets containing Hostname network objects on Barracuda NG Firewalls with version numbers 3.6.3 or lower.

Firewall rule sets steer the processing of IP packets. As IP packets only carry a destination IP address and not a host name, the mapping of host names to the appropriate IP addresses must be managed by the firewall.

Network objects of type Hostname allow specifying DNS resolvable host names as network addresses, and in this way make the use of host names in firewall rules possible.

Note:
Only explicitly defined host names (for example www.barracudanetworks.com) may be used in network objects; comprehensive zone names covering a whole zone may not.

Note:
A DNS Server must be specified in the DNS Server IP field in the Box Settings file (2.2.3.3 DNS, page 55) in order to use network objects of type Hostname.
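The two ways a network object's effective address set is narrowed, Excluded Entry on a generic object (the default Internet object of List 426) and Entry / Excluded Entry on a Hostname object (List 429), share one semantic: an address matches only if it is inside an Entry and inside no Excluded Entry. The following Python is an added example written for this page, not Barracuda code; the DNS answers are constructed inline (no real resolution is performed, and www.domain.com and nx.example.invalid are placeholder names), the refresh()/needs_refresh() handling of DNS Lifetime is a model of the described refresh interval, and an object that has never been resolved matches nothing, which is the failure mode the Attention notes on Hostname objects warn about.

```python
"""Added example for 2.2.4 Network Objects: Entry / Excluded Entry semantics of
generic objects (the default Internet object) and of Hostname objects whose
resolved addresses are filtered by Entry and Excluded Entry. Not Barracuda
code; DNS answers are constructed inline so the example runs offline."""
import ipaddress


def _networks(items):
    return [ipaddress.ip_network(i, strict=False) for i in items]


class NetObject:
    """Generic network object: an address matches if it lies in some Entry
    and in no Excluded Entry (excluded entries cannot be references, List 426)."""

    def __init__(self, name, entries, excluded=()):
        self.name = name
        self.entries = _networks(entries)
        self.excluded = _networks(excluded)

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.entries)


class HostnameObject:
    """Hostname (DNS resolved) object. refresh() supplies the A records, which
    in the appliance come from the DNS server of the Box Settings and are
    refreshed every DNS Lifetime seconds (default 600)."""

    def __init__(self, hostname, entry=None, excluded=(), dns_lifetime=600):
        self.name = hostname                      # the host name is the object name
        self.entry = ipaddress.ip_network(entry, strict=False) if entry else None
        self.excluded = _networks(excluded)
        self.dns_lifetime = dns_lifetime
        self.resolved = []                        # nothing until the first answer
        self.resolved_at = None

    def refresh(self, records, now):
        """Store a DNS answer. An object that never received an answer stays
        unresolvable and can never match (see the Attention notes)."""
        self.resolved = [ipaddress.ip_address(r) for r in records]
        self.resolved_at = now

    def needs_refresh(self, now):
        return self.resolved_at is None or now - self.resolved_at >= self.dns_lifetime

    def effective_addresses(self):
        """Resolved addresses after applying Entry and Excluded Entry."""
        keep = []
        for ip in self.resolved:
            if self.entry is not None and ip not in self.entry:
                continue                          # outside the Entry restriction
            if any(ip in net for net in self.excluded):
                continue                          # explicitly excluded
            keep.append(str(ip))
        return keep

    def contains(self, ip):
        return str(ipaddress.ip_address(ip)) in self.effective_addresses()


# The preconfigured Internet object: World minus the RFC 1918 ranges (List 426).
INTERNET = NetObject("Internet", ["0.0.0.0/0"],
                     excluded=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])


def example_hostname_object():
    """Constructed scenario: www.domain.com resolves to four A records, the
    rule must only reach 10.0.8.0/24 and never 10.0.8.3."""
    obj = HostnameObject("www.domain.com", entry="10.0.8.0/24", excluded=["10.0.8.3"])
    obj.refresh(["10.0.6.1", "10.0.8.1", "10.0.8.2", "10.0.8.3"], now=0)
    return obj


if __name__ == "__main__":
    print(INTERNET.contains("8.8.8.8"), INTERNET.contains("10.1.2.3"))  # True False
    print(example_hostname_object().effective_addresses())              # ['10.0.8.1', '10.0.8.2']
```

The unresolved case is the one to keep in mind when reviewing rule sets: an unresolvable Hostname object in a pass rule silently passes nothing, and in a block rule it blocks nothing, which is why the manual says not to use such objects with the block policy.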

Using DNS resolvable host names in firewall rule sets can cause problems because of the following:

• IP addresses allocated to DNS host names might change.
• A DNS record might contain multiple IP addresses.

Creating network objects of type Hostname

Hostname objects may be created in:
• the Local Firewall rule set
• the Forwarding Firewall rule set
• Global, Range- or Cluster-specific firewall objects

Note:
Hostname objects may NOT be created as explicit source or destination objects in firewall rules.

To create a network object of type Hostname, select Hostname (DNS resolved) from the Type list in the Net Object window. Consider the following detail configuration options:

Fig. 413 Network Object - Type Hostname (DNS Resolved)

Fig. 414 Hostname Network Object configuration example

List 428 Network Object - Type Hostname (Parameter, Description)

Type: The Type defines specific object characteristics. Network objects of type Hostname expect specification of an explicit DNS resolvable host name in the Name field below.
  Note: Once the object has been created, its type cannot be changed.
Name: Insert the DNS resolvable name the object is to be created for.
  Note: The specified name is at the same time the name of the network object. The object name may be changed retroactively.
Description: Insert a meaningful object description.
Resolve: The functionality of this button is purely informational. Click it to execute a DNS query for the host name inserted into the Name field. The result of the query is displayed in the IP field of the Entry section. Note that the query is executed using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin and NOT the DNS server(s) known to the Barracuda NG Firewall running the firewall service.
DNS Lifetime (Sec): The DNS Lifetime defines the interval after which DNS entries are refreshed for network objects of type Hostname that are configured for use in currently effective firewall rules (default: 600 s). Setting a value lower than 30 seconds might cause problems in network object lists containing a huge number of Hostname objects. DNS entries may also be refreshed manually in the Firewall Monitoring GUI > Dynamic tab > Dynamic Rules tab (6.6.1 Dynamic Rules, page 185).
  Attention: The DNS Lifetime has no effect on actively established connections, even if the DNS resolution of a network object currently used in a firewall rule changes. To force a refresh in this case, terminate the active session so that a new connection is established using the updated DNS entry.

List 429 Network Object - Type Hostname section Entry / Excluded Entry (Parameter, Description)

Entry / Excluded Entry: The fields in the Entry and Excluded Entry sections may be used to restrict a network object, either forcing a condition to match explicitly or excluding it from being part of the object. For example, if a DNS host name entry www.domain.com matches four DNS A records pointing to the IP addresses 10.0.6.1, 10.0.8.1, 10.0.8.2 and 10.0.8.3, and connection requests must always point to addresses residing in the 10.0.8.0/24 network but must never be addressed to the IP address 10.0.8.3, the following values need to be configured in the corresponding fields:
  Section Entry: IP 10.0.8.0/24
  Section Excluded Entry: IP 10.0.8.3
  When utilised in a firewall rule, this configuration is processed as follows: connection requests may be addressed to IP addresses in the network 10.0.8.0/24, but they may not address the excluded IP address 10.0.8.3.

Using network objects of type Hostname

Hostname objects may be used as:
• Source/Destination in rules within the Forwarding Firewall
• Source/Destination in rules within the Local Firewall
• Reference in the Entry list of Generic Network Objects


• Hostname objects may NOT be used as reference in the Entry list of all other network object types.

Attention:
Hostname objects that cannot be resolved can never match in a rule. Consequently, when a non-resolvable object is used in a rule, this rule cannot be processed correctly. Hostname objects become non-resolvable not only if they refer to a non-existent host name, but also if the DNS server the queries are addressed to is unavailable.

Attention:
Do NOT use Hostname network objects in rules with the policy block.

Note:
When the firewall is (re)started, it may take up to 10 seconds until DNS resolution is provided for all configured Hostname network objects. Because the firewall is already active, it might happen that another rule matches a request before the actually desired rule becomes active.

Note:
Active sessions are not re-evaluated when DNS resolution changes, but only when the rule itself is modified. Persistent sessions have to be terminated manually in order to enable new connection establishment using the updated DNS entry.

Monitoring network objects of type Hostname

DNS queries addressed to the DNS server configured in the Box Settings are triggered as soon as a Hostname network object is created. The result of these queries is visualised in the following places:

Note:
In all views but the Dynamic Rules tab, DNS resolution is retrieved using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin and NOT the DNS server(s) known to the Barracuda NG Firewall running the firewall service.

• In the Entries column of the Network Object list (figure 412).
• In the Rule Object list when the Hostname object configured in the rule is used.
• In the Source/Destination window querying the Rule Object list when the Hostname object is currently used.
• In the Rule Tester.
• In the Dynamic Rules tab (see 6.6.1 Dynamic Rules, page 185) of the Firewall Monitoring GUI.

2.2.5 Services Objects

Services are terms for the ports involved in a network connection. A service is principally defined by the destination port. Nevertheless, it also defines the permitted client port range and some other parameters.
Service objects can be put together just like net objects. The only difference is that a service object has more properties than just a set of one or more ports, and the succession of the individual sub-objects that build up a service object is important.

The default rule set of the Barracuda NG Firewall has a large list of predefined service objects. We will discuss the principal structure of a service object by dealing with the TCP-ALL example.

Fig. 415 Part of the predefined services for the Barracuda NG Firewall

The service object TCP-ALL (figure 415) consists of five elements, though one would think that TCP-ALL simply means what the fifth element is: all ports for a TCP connection. There are two reasons for this. Two of the elements (ftp and rcmd) have different settings in the parameter section than TCP * has. The presence of HTTP+S and SMTP only has an administrative function: it lets the statistics resolve the traffic down to the lowest matching object. In this case this means that the statistics for a rule using TCP-ALL would resolve the traffic into the service objects FTP, RCMD, HTTP, HTTPS (because HTTP+S itself is a composite of HTTP and HTTPS), SMTP and the rest of TCP.

Fig. 416 Service objects TCP-ALL and FTP

2.2.5.1 Parameters of Services

Fig. 417 Parameter section for TCP and UDP

List 430 Firewall configuration - Service Objects parameters section TCP & UDP (Parameter, Description)

Port Range: Port or port range the service is running on.
Dyn. Service: This parameter is required in conjunction with ONCRPC (see 11. RPC, page 204).
Service Label: Here you may enter certain labels. Leaving this parameter blank causes the well-known service names (available in /etc/services) to be used.
  Attention: It is highly recommended to use this parameter only for defining service names that are not well-known ones (for example, Oracle521).
Client Port Used: Port range the firewall uses to build up the connection between itself and the destination. This port range is only used if dynamic port allocation is required, for example for the proxy dynamic connection type. Selecting Manual Entry enables the parameters From and To below, where you may enter a custom port range.
  Note: This parameter does not state a condition for rule evaluation.

List 431 Firewall configuration - Service Objects parameters section ICMP Echo (Parameter, Description)

Max Ping Size: Defines the maximum allowed ping size.
Min Delay: Defines the minimum allowed delay between pings.
  Note: With eventing activated, the event FW Flood Ping Protection Activated [4002] is generated if this limit is under-run (see Flood Ping, page 246).

List 432 Firewall configuration - Service Objects parameters section General (Parameter, Description)

Session Timeout: Time in seconds a session may remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP: 60; ICMP: 20; all other protocols: 120). This timeout applies as the only value for all TCP connections, counting the time that has passed in a session without traffic processing. Additionally, it applies as the initial timeout for all session-like connections established through non-connection-oriented protocols (for example UDP or ICMP), counting the time that has passed since the source's as yet unanswered initial datagram. As soon as this datagram has been answered, the Balanced Timeout (see below) comes into effect.
  Note: This parameter is only effective in the forwarding firewall. Setting this parameter in the local firewall has no effect.
Balanced Timeout: Time in seconds a session-like connection established through a non-connection-oriented protocol (all protocols except TCP) may remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols: 120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has been established. Generally, the balanced timeout should be shorter than the session timeout, because otherwise it is overridden by the session timeout and never comes into effect. The balanced timeout allows for keeping non-connection-oriented "sessions" short and minimising the number of concurrent sessions. The larger initial session timeout guarantees that late replies to initial datagrams are not inevitably dropped.
  Note: This parameter is only effective in the forwarding firewall. Setting this parameter in the local firewall has no effect.
Plugin: Name and parameters of the plug-in used (see 2.2.5.2 Plugin Modules, page 152).

2.2.5.2 Plugin Modules

There are some applications which do not use just simple communication between two predefined IPs over one or a few well-defined ports.

A well-known example is FTP: after an initial control dialog over port 21, the client and the server use another, random port from 1024 through 65535 to send and receive data. The firewall has two possibilities to handle this: either it opens all higher ports, which is not really suitable for a secure firewall, or it listens to the two FTP partners and opens the data channel just for this connection. In order to do this, you must use a so-called module.

Table 44 Currently available modules (Application/Protocol | Protocol family | Syntax with parameters | Description)

FTP | TCP | ftp |
FTP | TCP | ftp samePort | Indicates that no PAT (Port Address Translation) is performed for ftp data sessions even if the firewall session is NATed. This way one can guarantee that the source port of an active FTP data session remains port 20.
RSH | TCP | rsh | Ensures that rsh works properly.
ICA Browser | UDP | ica ip-address-1 ip-address-2 ip-address-3 ... ip-address-n | Used for the ICA browser application (mapping, redirecting). The pairs of IPs are mapped IP/real IP. If no NAT is involved, you must declare the IPs as pairs as well.
Oracle SQL*Net | TCP | ora hostname=ip-address | Needed when the Oracle SQL*Net application uses dynamic ports. Also used in the context of destination NAT (mapping, redirecting). The Oracle server usually uses domain name resolution, hence you must give the IP/name pair to the module.
Trivial FTP | UDP | tftp | Attention: Inherently insecure. Read the explanation below.
ONCRPC | UDP & TCP | oncrpc | Use only with port 111 (RPC Port Mapper); in conjunction with 11. RPC, page 204.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Firewall Rule Set Configuration < Firewall Configuration | 153

Table 44 Currently available modules (continued)

Application/Protocol | Protocol family | Syntax with parameters | Description
DCERPC | UDP & TCP | dcerpc | Use only with port 135 (Endpoint Mapper); in conjunction with 11. RPC, page 204.
Skinny | TCP | --- | The plugin monitors the skinny signalling connection between phone and Cisco call manager; use only with port 2000 (default port for signalling); for configuration details see 2. SCCP, page 374.
SIP | UDP | sip | For details on how to use the SIP plugin, see 4.3 Installing SIP, page 378.

- Trivial FTP module
The trivial FTP module can be used for all UDP applications which maintain their connection on a different port than their initial starting port; trivial FTP is the most common example.

Fig. 418 Connection situation for a UDP connection of tftp kind
[Figure: Client - Firewall - Server; the initial request goes from port 2048 to port 69, the bi-directional session then continues on port 5001 on both legs.]

After an initiating request on port 69, the server for example answers with port 5001, and all subsequent traffic uses port 5001.

- Oracle SQL*Net module
The SQL*Net client by Oracle(TM) uses IP and hostname to establish a connection to the server. Since these parameters can be different behind the firewall, it has to translate this information. The ora plugin module analyzes the data stream of sqlnet sessions. The purpose of the plugin is to detect server responses during the initial sqlnet handshake that redirect the client to a different port on the server or even to another SQL server in a cluster. The redirection is communicated to the client by sending port numbers and hostnames/IP addresses to the client. The plugin must create an acceptor for the expected dynamic session, and also must rewrite the hostnames or IP addresses to proper values if destination address translation is used. Therefore, the plugin can be configured with hostname rewriting parameters that allow replacement of hostnames or IP addresses in the server response.

The plug-in syntax (see above) allows various patterns which may be replaced with the intended addresses. Optionally, a target address may be specified if the SQL*Net session has to be connected to a specific target IP address (SQL*Net load balancing between Oracle servers).

Fig. 419 Connection situation for a SQL client connecting to an Oracle server
[Figure: SQL Client - Firewall - Oracle Server; the client connects to hostname1 and is redirected to hostname2; addresses shown: 172.16.0.22 and 192.168.10.2.]

In the situation shown in figure 419, the correct plug-in setting is ora hostname2=192.168.10.2.

Since TNS structures can operate with different servers and hostnames, you can use patterns for the hostname. Since the communication also involves a port change, the plugin has to be used in any case. The hostname2=hostname1 or hostname2=hostname1,IP1 part is mandatory and must not be omitted. If database farms are used, the hostname=IP or hostname2=hostname1,IP entries must be a space-separated list.

2.2.6 Connection Elements

The connection element of a firewall rule defines the bind address. This address is used by the firewall to connect to the target computer.

There are essentially three ways of connecting the bind IP to the original Source IP:
- Client - Source IP = Bind IP
- Proxy - Fixed Bind IP for all Clients (also called Masquerading or Source NAT)
- Explicit NAT - Explicit rule; assigns a bind IP to every source IP (commonly called Source NAT)

To cover even the most complex network environments, the Barracuda NG Firewall allows for a large set of detailed connection types.

2.2.6.1 Standard Connections

To enter a new standard connection, click New Standard in the Edit Connections navigation bar.

Fig. 420 Standard Connections - Edit / Create a Connection Object

The following options are available for configuration of a standard connection object:

List 433 Firewall configuration - Service Objects - General settings

Parameter | Description
Name | Name of the connection object.
Description | Significant connection object description.
Connection Color | Choose a color in which you want the connection object to be displayed in the Firewall - Connections window.

List 433 Firewall configuration - Service Objects - General settings (continued)

Parameter | Description
Connection Timeout | This general option for all connection types is the timeout for trying to establish a connection. The default value is 30 seconds. Increasing this value can be useful for very protracted connection partners. Decreasing this value can be useful for faster failover mechanisms.
Address Selection | This parameter specifies the Bind IP. The following options are available:
  Proxy Assigned | Reserved for future use to implement policy routing based on administrative scope (organisational unit a host belongs to).
  Proxy First | First IP address of the server under which the firewall service is operating. May be used to restrict the bind address when policy routing is activated.
  Proxy Second | Second IP address of the server under which the firewall service is operating. May be used to restrict the bind address when policy routing is activated.
  Proxy Dynamic (default) | Dynamically chosen according to firewall routing tables. This is a general purpose option.
  Client | IP address of the client. Source IP = Bind IP
  Explicit | Explicitly specified IP address. May be used to restrict the bind address to a specific address. Selecting Explicit activates further options below and in section Firewall configuration - Service Objects - General settings section Failover and Load Balancing:
    Same Port | Ticking this checkbox enforces use of the same client port when establishing the connection.
    Explicit IP | Here the specific IP address is to be entered.
    Create Proxy ARP | If the explicitly defined IP address does not exist locally, an appropriate ProxyARP entry may be created by selecting this checkbox.
  Interface | Explicitly specified interface. May be used to restrict the bind address to a specific interface. Selecting Interface activates further options below and in section Firewall configuration - Service Objects - General settings section Failover and Load Balancing:
    Interface Name | Here the name of the affected interface is to be entered.
  Map | Source NAT for a complete subnet. In order to avoid dramatic misconfiguration, the netmask is limited to up to 16 bits. Otherwise, a Proxy ARP with 10.0.0.0/8 would "blank out" the whole internal network, for example.
    Attention:
    If you define a map, you have to make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall will wrap the larger source net into the smaller bind net.
    Map to Network | Here the specific mapping network is to be entered.
    Netmask | Here the corresponding netmask is to be entered.
    Proxy ARP | This parameter is needed by a router if the addresses live in its local network (see 2.2.9 Proxy ARPs, page 158).

Note:
The section Failover and Load Balancing is only available with parameter Address Selection set to Explicit or Interface.

List 434 Firewall configuration - Service Objects - General settings section Failover and Load Balancing

Parameter | Description
Policy | This parameter allows you to specify what should happen if the connection cannot be established. Especially when having multiple providers and policy routing, this parameter comes in handy because it allows you to specify which IP address/interface has to be used for backup reasons. Otherwise, connecting via the backup provider using the wrong IP address in conjunction with the backup provider would make routing back quite impossible. Available policies are:
  NONE (No Fallback or Source Address Cycling) [default setting] | Selecting this option deactivates the fallback feature.
  Fallback (Fallback to alternative Source Addresses) | Causes use of the alternative IP addresses/interfaces specified below.
  SEQ (Sequentially Cycle Source Addresses) | Causes cycling of the IP addresses/interfaces specified below.
  RAND (Randomize Source Addresses) | Causes randomized usage of the IP addresses/interfaces specified below.
  Configuration examples related to multipath routing are described below in more detail (see 2.2.6.2 Barracuda NG Firewall Multipath Routing, page 155).
Alternative/Type | Here up to three alternative IP addresses or interfaces can be configured for use with the selected policy.
  Note:
  Usage of alternative interfaces is recommended when no permanently assigned IP address exists on an interface.
Weight | Assigns a weight number to the IP address or interface. Lower numbers mean higher priority.

List 435 Firewall configuration - Service Objects - General settings section VPN Traffic Intelligence (TI) Settings

Parameter | Description
Settings configured in this section only apply to Traffic Intelligence configuration in combination with TINA tunnel VPN technology. See Traffic Intelligence (TI), page 235 for details.

List 436 Firewall configuration - Service Objects - General settings section BOB Settings

Parameter | Description
BOB Settings | This setting specifies if traffic should be processed compressed or not and in which direction to utilize compression. To compress traffic, parameter Enable FW Compression has to be set to Yes (see page 244).
  Note:
  Firewall compression is only applicable between firewalls operating on Barracuda NG Firewall. When activated, option Enable FW Compression (see page 244) MUST be set to yes on all systems participating in compressed traffic.
  Attention:
  Do not enable firewall compression on gateways situated at the rim of untrustworthy networks, in order to avoid DoS attacks based on bulk sending of compressed data packets. An attacker might forward IPCOMP packet copies originating from the compressed session to the firewall, thus forcing it into load-consuming decompression tasks.
  If compressed traffic is required at the perimeter, make use of compressed VPN traffic. Authentication mechanisms included in VPN technology prevent the DoS exploit stated above (Traffic Intelligence (TI), page 235).


List 436 Firewall configuration - Service Objects - General settings section BOB Settings (continued)

Parameter | Description
BOB Settings (continuation) | Note:
  Traffic compression only applies in the span from firewall to firewall. The firewall automatically uncompresses the traffic before forwarding it to the actual destination.
  Settings will be interpreted in the following way:
  No Compression
  Traffic is always forwarded uncompressed (default).
  Compression in FORWARD Direction
  Traffic is compressed in direction from source to destination address.
  Compression in REVERSE Direction
  Traffic is compressed in direction from destination to source address. This compression mode thus only applies to traffic returned as response to a connection request.
  Attention:
  Be careful when creating rules using the "2-way" option, as this will only work when the destination address is a firewall as well.
  Note:
  Have a look at the example setups below to understand the mode of action of compression configuration.

Effect of Firewall Compression Directions

- Example Setup 1
A LAN client and an intranet web server constantly interchange huge amounts of data. The wanted setup therefore aims at bidirectional compressed traffic between these two endpoints (figure 421). It can hereby generally be assumed that the connection is always initiated by the client.
Two rules must be introduced to achieve the wanted result:

Table 45 Example Setup 1 Rule configuration firewalls A and B

Rule configuration | Firewall A | Firewall B
Action | Pass | Pass
Source | 10.0.0.2 | 10.0.0.2
Destination | 10.1.1.5 | 10.1.1.5
Service | HTTP+S | HTTP+S
Connection | Client | Client
Compression | Forward | Reverse

Fig. 421 Standard Connections Example Setup 1
[Figure: HTTP Client (10.0.0.2) - Firewall A - Firewall B - Server (10.1.1.5); Request and Answer traverse both firewalls.]

Description:
Client requesting a connection to a web server. Firewall A is configured to compress traffic in forward direction, firewall B is configured to compress traffic in reverse direction. Data transmitted between client and HTTP server will thus always be compressed.

- Example Setup 2
The following situation does not require traffic compression from client to HTTP server but only vice versa, as the client rarely does anything else than requesting data. Compression is thus only needed in the reverse direction.
The following rules must be introduced to achieve the wanted result:

Table 46 Example Setup 2 Rule configuration firewalls A and B

Rule configuration | Firewall A | Firewall B
Action | Pass | Pass
Source | 10.0.0.2 | 10.0.0.2
Destination | 10.1.1.5 | 10.1.1.5
Service | HTTP+S | HTTP+S
Connection | Client | Client
Compression | none | Reverse

Fig. 422 Standard Connections Example Setup 2
[Figure: HTTP Client (10.0.0.2) - Firewall A - Firewall B - Server (10.1.1.5); Request and Answer traverse both firewalls.]

Description:
Client requesting a connection to a web server. Firewall A is configured without compression, firewall B is configured to compress traffic in reverse direction. Connection requests from client to web server will thus be uncompressed, returning traffic will be compressed.

2.2.6.2 Barracuda NG Firewall Multipath Routing

Barracuda NG Firewall 4.2 offers two possibilities to introduce Multipath Routing:
- Linux Standard Multipath routing
- ACPF Assisted Multipath routing

Additionally, the firewall rule set is extended to allow Source Address Cycling. This enables you to configure rules where the source IP for different sessions is cycled.

The capabilities of Barracuda NG Firewall multipath routing are noted below.

Linux Standard Multipath - How Linux Standard Multipath routing is handled
- Source IP based balancing between Next Hops. Once the source/destination combination is in the routing cache, this combination will stay on the selected next hop IP.
- No dead next hop detection
- No per session packet balancing


Simple redundancy by next hop detection could be provided by adding multiple routing entries with different route preference numbers.

Fig. 423 Simple redundancy through next hop detection
[Figure: network 82.2.3.0/24 with next hops A to D towards Provider 1 and Provider 2; panels Next Hop Cycling and Session Source IP Cycling; session labels: Session 1: Src 82.2.3.2, Session 2: Src 82.2.3.12, Session 3: Src 82.2.3.32, Session 4: Src 82.2.3.32.]

ACPF Assisted Multipath - How ACPF Assisted Multipath routing is handled
- Per packet balancing between Next Hops
- Dead Next Hop Detection (Missing ARP reply)
- Associated source for each next hop for dead source address detection

Fig. 424 Handling of assisted multipath routing
[Figure: the same 82.2.3.0/24 topology with panels Dead Next Hop Detection and Dead Source IP Detection; session labels: Session 1: Src 82.2.3.2, Session 2: Src 82.2.3.12, Session 3: Src 82.2.3.32 (replacing Src 82.2.3.22), Session 4: Src 82.2.3.2.]

Source Address Cycling
For cycling through the individual source IPs, Connection Objects in the Firewall Rule Set are extended by the following entries.

Source Address Fallback and Cycling - Policy
- NONE
No fallback or source address cycling
- FALLBACK
Fallback to alternative source addresses
- SEQ - Sequentially cycle source addresses
For example: first session - Explicit IP, second session - Alternative #1; third session - Alternative #2; fourth session - Alternative #3; fifth session - Explicit IP, ...
- RAND
Randomize source addresses

Examples:

- Source Address Cycling
To create a new Connection Object, change to the Connections tab and add a new standard connection object by clicking the New Standard button. Select Explicit IP Address and add the first IP. Alternative IP Addresses are specified in the section Source Address Fallback and Cycling.

Fig. 425 Configuration example for Source Address Cycling

- Linux Standard Multipath routing
Add a default route in Box Network Routing. Change Route Type to multipath. Add multipath gateways by clicking Insert and provide the following information:
Multipath Gateway - next hop IP address of the multipath route
Weight Number - weight number of path (valid range from 0 to 10)


Assigned Source IP

Fig. 426 Configuration example for multipath routing (Packet Load Balancing is set to "No")

Together with the described source address cycling, the configuration shown above performs session based load balancing by
- Sequentially cycling the source addresses for each session
- Linux standard multipath routing does a routing lookup for the first session (Source IP 82.2.3.2) and keeps the next hop IP 82.2.3.1 in its routing cache. So all packets of the first session are routed via 82.2.3.1. The next session gets the source IP 82.2.3.12 assigned and thus is routed via 82.2.3.11.

- ACPF Assisted Multipath routing
Add a default route in Box Network Routing. Change Route Type to multipath. Add multipath gateways by clicking Insert and provide the following information:
Multipath Gateway - next hop IP address of the multipath route
Weight Number - weight number of path
Assigned Source IP

Fig. 427 Configuration example for ACPF Assisted Multipath routing (Packet Load Balancing is set to "Yes")

Together with the described source address cycling, the configuration shown above performs packet based load balancing by
a) Sequentially cycling the source addresses for each session, so that the first session gets the source IP 82.2.3.2 assigned, etc.
b) ACPF Assisted Multipath routing performs packet based load balancing for each session, so that the first datagram of session one is routed via 82.2.3.1, the second datagram of session one is routed via 82.2.3.11 and so on.
c) The first packet of session two is routed via 82.2.3.1, the second packet via 82.2.3.11 and so on.
d) Furthermore, ACPF Assisted Multipath routing performs dead Next Hop Detection by detecting missing ARP replies from the next hop IP address. If for example the next hop with the IP address 82.2.3.21 does not respond to ARP requests anymore, further datagrams are cycled through the next hops 82.2.3.1, 82.2.3.11 and 82.2.3.31. The Source Address 82.2.3.22 is not used anymore for new session requests.

2.2.6.3 Translation Map

Translation maps define rewriting of source and/or destination addresses of IP packets as they pass the firewall. Source address translation (source NAT) involves rewriting of the source address originating from the natted network. The reverse operation applies to returning reply packets. Destination address translation (destination NAT) involves rewriting of the destination address of packets destined to the natted network.
You may define multiple source NAT conditions in one connection object if this does not conflict with the object's utilisation in multiple rules.

Attention:
Pay attention to the succession of data sets in the translation map object. The first matching entry will be used when a rule is processed.

To create a new translation map, click New Translation Map in the Edit Connections navigation bar.

Fig. 428 Address Translation Map configuration
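The session based and packet based load balancing of 2.2.6.2, as an added Python model (not code from the guide or the product): a connection object cycles its Explicit IP and three Alternative IPs with the SEQ policy, Linux standard multipath keeps one next hop per source/destination pair in a routing cache, and ACPF assisted multipath balances per packet, drops a next hop that stops answering ARP and withdraws its associated source IP. The 82.2.3.x next hop and source IP pairs are the guide's example values; class and function names are my own.

```python
import random

# Constructed from the guide's example: next hop IPs paired with their
# Assigned Source IP (82.2.3.1 <-> 82.2.3.2, 82.2.3.11 <-> 82.2.3.12, ...).
GATEWAYS = [("82.2.3.1", "82.2.3.2"), ("82.2.3.11", "82.2.3.12"),
            ("82.2.3.21", "82.2.3.22"), ("82.2.3.31", "82.2.3.32")]


class ConnectionObject:
    """Explicit IP plus up to three Alternative IPs, applying the NONE /
    FALLBACK / SEQ / RAND policy of the Failover and Load Balancing section
    (a model of the guide's description, not product code)."""

    def __init__(self, explicit_ip, alternatives=(), policy="NONE"):
        if policy not in ("NONE", "FALLBACK", "SEQ", "RAND"):
            raise ValueError("unknown policy: " + policy)
        self.addresses = [explicit_ip] + list(alternatives)[:3]
        self.policy = policy
        self._seq = 0  # position in the sequential cycle

    def next_source(self, usable):
        """Source IP for a new session. 'usable' holds the addresses whose
        associated next hop is still alive (dead source IP detection)."""
        if self.policy == "NONE":
            return self.addresses[0]
        candidates = [a for a in self.addresses if a in usable]
        if not candidates:
            raise RuntimeError("no usable source address left")
        if self.policy == "FALLBACK":
            return candidates[0]  # Explicit IP first, alternatives only as fallback
        if self.policy == "RAND":
            return random.choice(candidates)
        for _ in range(len(self.addresses)):  # SEQ: next in order, skipping dead ones
            addr = self.addresses[self._seq % len(self.addresses)]
            self._seq += 1
            if addr in usable:
                return addr
        raise RuntimeError("unreachable: candidates was non-empty")


class LinuxStandardMultipath:
    """Linux standard multipath: the next hop picked for a source/destination
    pair stays in the routing cache; there is no dead next hop detection."""

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.cache = {}
        self._lookups = 0

    def usable_sources(self):
        return {src for _, src in self.gateways}  # nothing is ever detected as dead

    def route_session(self, src, dst, n_packets):
        key = (src, dst)
        if key not in self.cache:  # routing lookup only for a new combination
            self.cache[key] = self.gateways[self._lookups % len(self.gateways)][0]
            self._lookups += 1
        return [self.cache[key]] * n_packets


class AcpfMultipath:
    """ACPF assisted multipath: per-packet balancing between next hops, dead
    next hop detection (missing ARP reply), associated source per next hop."""

    def __init__(self, gateways):
        self.gateways = list(gateways)
        self.dead = set()

    def arp_timeout(self, next_hop):
        """Record a next hop that no longer answers ARP requests."""
        self.dead.add(next_hop)

    def usable_sources(self):
        return {src for nh, src in self.gateways if nh not in self.dead}

    def route_session(self, src, dst, n_packets):
        """Next hop of each datagram; the cycle restarts for every session."""
        live = [nh for nh, _ in self.gateways if nh not in self.dead]
        if not live:
            raise RuntimeError("no live next hop")
        return [live[i % len(live)] for i in range(n_packets)]


def simulate(conn, multipath, n_sessions, packets_per_session, dst="10.1.1.5"):
    """Return [(source IP, [next hop per datagram]), ...] for consecutive sessions."""
    sessions = []
    for _ in range(n_sessions):
        src = conn.next_source(multipath.usable_sources())
        sessions.append((src, multipath.route_session(src, dst, packets_per_session)))
    return sessions


if __name__ == "__main__":
    conn = ConnectionObject("82.2.3.2", ["82.2.3.12", "82.2.3.22", "82.2.3.32"], "SEQ")
    acpf = AcpfMultipath(GATEWAYS)
    for src, hops in simulate(conn, acpf, 2, 4):
        print("session from", src, "routed via", hops)
    acpf.arp_timeout("82.2.3.21")  # next hop stops answering ARP
    for src, hops in simulate(conn, acpf, 3, 3):
        print("after ARP timeout:", src, hops)
```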


The object created in figure 428 defines source NAT translation of the IP address 10.8.0.201 to 172.31.1.15 and of IP address 10.8.0.28 (from a 3-Bit network sub-class) to the address 172.31.1.8 (from a 3-Bit network sub-class).

As soon as this translation map is interpreted as a destination NAT map, it will be read in reverse order; thus a request to the IP address 172.31.1.15 will be redirected to the real destination address 10.8.0.201.

2.2.7 User Groups

This tab is used in conjunction with Firewall Authentication. For a detailed description, please have a look at 10.1.2.1 Firewall - User Window, page 200.

2.2.8 Interface Groups

Processing of a rule does not necessarily need to be invariantly associated with the physical network environment on a box, which is configured on box level. On machines equipped with multiple network interfaces, usage of a specific interface may be explicitly defined when a rule comes into action.

For each rule an interface may be assigned to origin and destination of the connection request. The Source Interface specifies the interface the source address is allowed to use. The Reverse Interface specifies the interface which the destination address is allowed to use. The latter is only available for passing and mapping actions with selected checkbox 2-Way.

The following predefined network interface objects are available for selection:
- Any
With this setting the first interface matching the request is utilized for the connection in accordance with routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface if multiple interfaces capable of doing so are available. Not checking the physical source of packets might sometimes be needed in very special configurations with combinations of screened host and multi-homed topologies.
Attention:
For security reasons do not use this setting without explicit need.
- Matching (default)
This setting ensures that arriving packets are processed through the same interface which will forward the corresponding reply packets. Source and destination addresses are thus only reversed. This method aims at preventing a network attack in which an attacker might try using internal addresses from outside the internal network (IP spoofing).
Note:
With eventing activated (parameter IP Spoofing set to yes, see page 246), IP spoofing identification will trigger the events FW IP Spoofing Attempt Detected [4014] and FW Potential IP Spoofing Attempt [4015].
- RAM, ADSL, DHCP, ISDN, SERIAL, UMTS
Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
- Continue on Mismatch checkbox
Select this checkbox if you want rule processing to continue even if no matching interface can be found. The next rule in succession will then be "tried".
- Disable Interface Check checkbox
Select this checkbox if you want to disable the interface check (only available for rules applying both ways).
Attention:
Checkbox Disable Interface Check affects both sections, source AND reverse, and disables the settings of parameter Send TCP RST for OOS Pkts. (see 2.1.1.4 Operational).

2.2.9 Proxy ARPs

The Address Resolution Protocol (ARP) is primarily used to map IP addresses to MAC addresses. ARP takes an IP address as input, and by propagating this address it tries to retrieve the MAC address of the interface featuring it. ARP requests are broadcast and can only be understood by hosts placed within the same subnet class.

Proxy ARP is a technique utilising the nature of the Address Resolution Protocol in order to connect two physically separated networks. The Barracuda NG Firewall may be configured to answer ARP requests on behalf of the requested interface itself, accept packets and thus take over responsibility for forwarding them to the actual destination correctly. This configuration is done via Proxy ARP objects. Proxy ARPs can thus be regarded as additional IP addresses the firewall responds to when it receives an ARP request.
Proxy ARP addresses may be utilized for redirecting and mapping in firewall rule sets if they are in the same address space as the source of a connection request. Additionally, Proxy ARP objects are utilized in bridging setups (9. Bridging, page 190).

Note:
You may define up to 256 Proxy ARP entries per box. This limitation exists for the number of entries, not for the number of IP addresses.

Note:
It is not recommended to create Proxy ARPs in address spaces in which the firewall IP is configured as gateway IP.

Table 47 Recommendation for creation of Proxy ARPs

Localnet | Firewall IP | Default Gateway IP | Redirected IP | Create Proxy ARP
10.0.0.0/24 | 10.0.0.100 | none | 10.0.0.10 | yes
10.0.0.0/24 | 10.0.0.100 | 10.0.0.100 | 10.0.1.10 | no
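The translation map of 2.2.6.3 and the figure 428 object described above, as an added Python model (not code from the guide or the product): entries are tried in order, the same map serves source NAT forwards and destination NAT in reverse, and swapping the two entries shows why the Attention note on entry succession matters. The entries are the guide's 10.8.0.x / 172.31.1.x values; I read the "3-Bit network sub-class" as a /29, and the class and function names are my own.

```python
import ipaddress


class TranslationMap:
    """Ordered translation map: each entry pairs an original network with a
    translated network of the same size. Entries are tried in order and the
    first matching entry wins."""

    def __init__(self, entries):
        self.entries = []
        for original, translated in entries:
            o = ipaddress.ip_network(original, strict=False)
            t = ipaddress.ip_network(translated, strict=False)
            if o.prefixlen != t.prefixlen:
                raise ValueError(f"{original} and {translated} differ in size")
            self.entries.append((o, t))

    @staticmethod
    def _shift(addr, from_net, to_net):
        """Keep the host part of the address, replace the network part."""
        host_bits = int(addr) - int(from_net.network_address)
        return ipaddress.ip_address(int(to_net.network_address) + host_bits)

    def source_nat(self, src):
        """Packet leaving the natted network: rewrite its source address."""
        addr = ipaddress.ip_address(src)
        for original, translated in self.entries:
            if addr in original:
                return self._shift(addr, original, translated)
        return addr  # no entry matches: the address is left alone

    def destination_nat(self, dst):
        """The map read in the reverse direction: packets destined to the
        natted network (and replies to source-NATed sessions)."""
        addr = ipaddress.ip_address(dst)
        for original, translated in self.entries:
            if addr in translated:
                return self._shift(addr, translated, original)
        return addr


# The object of figure 428 as I read it: one host entry and one /29 entry
# (assumption: "3-Bit network sub-class" means three host bits).
FIGURE_428_MAP = [("10.8.0.201/32", "172.31.1.15/32"),
                  ("10.8.0.28/29", "172.31.1.8/29")]


def translate(entries, address, direction):
    """Rewrite one address with the given map; direction is 'source' or 'destination'."""
    tmap = TranslationMap(entries)
    fn = tmap.source_nat if direction == "source" else tmap.destination_nat
    return str(fn(address))


if __name__ == "__main__":
    print(translate(FIGURE_428_MAP, "10.8.0.201", "source"))        # 172.31.1.15
    print(translate(FIGURE_428_MAP, "172.31.1.15", "destination"))  # 10.8.0.201
    # Same entries in the opposite order: 172.31.1.15 now hits the /29 entry first.
    print(translate(FIGURE_428_MAP[::-1], "172.31.1.15", "destination"))  # 10.8.0.31
```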


Fig. 429 Proxy ARPs tab of the firewall configuration window

In most cases proxy ARPs will be created when the checkbox Proxy ARP/Create Proxy ARP has been selected next to specific configuration parameters in other configuration areas (rule configuration window, connection object dialog, ...). These proxy ARPs may not exist without concurrent existence of the objects they have been created for, and will be deleted as soon as the object referring to them is deleted.

Attention:
If you are additionally using referenced proxy ARPs for another purpose than the one they have been created for, select the Standalone checkbox in the Proxy ARP object window. The proxy ARP object will then remain functional, even if the originally referring object is deleted.

Nonetheless, you might sometimes want to create proxy ARPs that are not dependent on rules or NAT tables, for example for "filling up" a net to prevent someone else from taking a local address. In this case make use of the Proxy ARPs window.

A proxy ARP takes the following configuration values:

Fig. 430 Create a Proxy ARP Object dialog

List 437 Proxy ARP object configuration values

Parameter | Description
Network Address field | This field either takes a single IP address or the specification of a complete network.
Description field | Enter a significant description of the proxy ARP object in this place.
Standalone checkbox | This checkbox always has to be selected when a proxy ARP object is created without a referring object (selected by default). The proxy ARP object will be deleted when the checkbox is unselected.
Primary Network Interface pull-down menu | This field specifies the interface which is going to be utilized when responding to an ARP request. The following predefined choices are available:
  match (default) - ARP requests will be answered via the interface that hosts the network.
  any - ARP requests will be answered via any interface.
  noext - If an ARP request arrives from an external interface, it will not be answered.
  Alternatively, a specific network interface may be entered into the field (for example eth1).
Additional Interfaces field | Through this field additional interfaces may be specified which should respond to ARP requests. Be careful only to specify interfaces which cannot conflict with the primary network interface. Separate multiple entries with space.
Exclude Networks field | If a complete network has been specified in the Network Address field (see above), specific network addresses may now be excluded from proxy ARP creation. Separate multiple entries with space.
Source Address Restriction field | This field limits responding to an ARP request to the network addresses entered in this place. Separate multiple entries with space.
Introduce Route on Interface read-only field | This value is dependent on bridging configuration and only filled (read only) if a bridging interface route is created (9. Bridging, page 190).
Send Unsolicited ARP checkbox | Activating this checkbox causes the firewall not only to answer ARP requests but also to propagate the specified IP addresses through unsolicited ARPs (checkbox selected by default).
  Note:
  Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The evaluation of the interface's IP address happens only on startup of the forwarding firewall, in case of a HA takeover or when the firewall rule set changes. No automatic evaluation is performed if the network interface changes into state "up" or if a pending route becomes active (example: in case of a newly introduced server IP). In this case only the ProxyARP is introduced to answer incoming ARP requests.

2.2.10 Rule Tester & Test Report

Due to their complexity, these two windows are described in a separate chapter (see 4. Testing and Verifying of Rule Sets, page 172).

2.3 Advanced Options for Firewall Rules

2.3.1 Content Filter (Intrusion Prevention)

The content filter is used for blocking Internet worms and exploit attacks. A set of predefined filters, which can be referenced by the firewall rule set, comes with the Barracuda NG Firewall. The possibility of defining custom filters enables the administrator to react to new threats.

The Barracuda NG Firewall content filter can detect network based attacks, and protects the network by terminating the offending IP connection.

All types of network connections (for example SMTP) that are defined in the referenced service object are checked for the configured patterns of the content filter to detect attacks.


Detected network attacks are logged in the <fw>_Content log file for later review. The source and destination address and the associated network interfaces or firewall rule actions are stored in the corresponding filter log (for example [sqlslammer]).

Fig. 431 Firewall - Content Filter window

The content filter configuration sequence consists of 3 steps:

Step 1 Creating a filter
see 2.3.1.1 Creating/Editing Filters, page 160

Step 2 Creating a filter group
see 2.3.1.2 Creating/Editing Filter Groups, page 160

Step 3 Referencing within the corresponding rules
see 2.3.1.3 Referencing within the Corresponding Rules, page 161

2.3.1.1 Creating/Editing Filters

To open the configuration dialog for filters, click New in the Edit Filter navigation bar. The configuration dialog consists of a field Name used for entering the name of the filter. The pull-down menu Service contains all available services and serves for determination of the service the filter is used for.

The field Description can be used for any additional information concerning/describing the filter.

The buttons New, Edit and Delete allow you to create/edit/delete filter patterns. The dialog for defining the filter pattern (accessible via buttons New or Edit) looks as follows:

Fig. 432 Creating/editing a filter pattern

Fig. 433 Creating/editing a filter pattern

List 438 Firewall configuration - Content Filter creation

Parameter | Description
Name | Enter a filter name into this field.
Direction | This parameter defines whether the affected traffic/stream goes To Server (incoming) or To Client (outgoing).
Description | Enter a significant description of the content filter in this place.
Pattern | Via this field the search pattern is defined. What kind of pattern has to be entered depends on the object the stream is scanned for.
Type | This defines what kind of pattern is used. The following two types are available:
  Binary Pattern
  list of hexadecimal digit pairs separated with a space
  Figure 433 displays an example for a binary pattern (SQL slammer)
  ASCII Pattern + Wildcards (*, ?, [])
  * - represents a variable number of characters including an empty string (space)
  ? - matches exactly one character
  [] - matches only the characters that are enclosed within the brackets
  Example pattern: [123]??attack*##
  Match on the following: 200attacking##, 321attacker##, 1stattack##
  Mismatch on the following: 500attackers##, 1million attackers##, 123ata#
  Note:
  The patterns are detected at any offset in the traffic flow unless the sequence of matching characters exceeds the boundary that is defined via the parameter Ending Offset.
Ending Offset | This parameter defines the number of bytes from the connection start that are scanned to find the pattern.
Action | Adjustment of this setting allows for a reporting-only mode for individual patterns.
  Terminate Session - Causes session termination when the pattern matches.
  Create Log Entry - Triggers log entry generation only.

2.3.1.2 Creating/Editing Filter Groups

To open the configuration dialog for filter groups, click New in the Edit Filter Group navigation bar. The configuration dialog consists of a field Name used for entering the name of the filter group. The field Description can be used for any additional information concerning/describing the filter group.
The list Filter name displays all filters that are part of this filter group. These filters are implemented by selecting them from the filter pull-down menu and clicking Add.

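The ASCII wildcard matching described in List 438 is easy to get subtly wrong (a `*` that must also match the empty string, a character class that is taken literally, an Ending Offset that bounds where a match may end). The following is an added example, not Barracuda NG Firewall code: a small matcher that implements the three documented wildcards, searches at any offset, and applies the Ending Offset as the note describes it. It uses the example pattern `[123]??attack*##` and the match/mismatch strings from the list; the function names `find_pattern` and `apply_filter` are this example's own. Character classes are taken literally (no ranges), because the guide only documents "characters enclosed within the brackets".

```python
"""Constructed model of the content filter's ASCII pattern matching."""
from typing import Optional, Tuple


def _match_at(data: str, pos: int, pat: str) -> Optional[int]:
    """Match `pat` against `data` starting at `pos`.

    Returns the index just past the matched characters, or None.
    """
    if not pat:
        return pos
    c = pat[0]
    if c == "*":
        # '*' stands for a variable number of characters, including none.
        # Try the shortest expansion first and grow until the rest matches.
        for end in range(pos, len(data) + 1):
            rest = _match_at(data, end, pat[1:])
            if rest is not None:
                return rest
        return None
    if pos >= len(data):
        return None  # pattern still has characters but the data is exhausted
    if c == "?":
        return _match_at(data, pos + 1, pat[1:])
    if c == "[":
        close = pat.find("]")
        if close == -1:
            raise ValueError("unterminated '[' in pattern")
        if data[pos] in pat[1:close]:  # literal set of allowed characters
            return _match_at(data, pos + 1, pat[close + 1:])
        return None
    if data[pos] == c:
        return _match_at(data, pos + 1, pat[1:])
    return None


def find_pattern(data: str, pattern: str,
                 ending_offset: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Locate `pattern` at any offset of `data`.

    Returns (start, end) of the first match, or None. With an Ending Offset
    the matched sequence must end within the first `ending_offset` bytes of
    the stream, mirroring the note in List 438.
    """
    limit = len(data) if ending_offset is None else min(len(data), ending_offset)
    for start in range(limit):
        end = _match_at(data, start, pattern)
        if end is not None and end <= limit:
            return (start, end)
    return None


def apply_filter(data: str, pattern: str, action: str,
                 ending_offset: Optional[int] = None) -> str:
    """Outcome for one filter: 'terminate', 'log' or 'pass'.

    `action` is 'Terminate Session' or 'Create Log Entry' as in List 438.
    """
    if find_pattern(data, pattern, ending_offset) is None:
        return "pass"
    return "terminate" if action == "Terminate Session" else "log"


if __name__ == "__main__":
    PATTERN = "[123]??attack*##"  # example pattern from List 438
    for sample in ("200attacking##", "321attacker##", "1stattack##",
                   "500attackers##", "1million attackers##", "123ata#"):
        print(f"{sample!r:24} -> {find_pattern(sample, PATTERN)}")
```

Running the module prints a (start, end) pair for the three strings the guide lists as matches and `None` for the three mismatches. The Ending Offset check is worth noting: a pattern that starts inside the scanned window but ends beyond it is not reported, so a stream that pads the first bytes can push a signature past a small Ending Offset.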
Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Firewall Advanced Options for Firewall Rules < Firewall Configuration | 161

To delete an entry, select it from the list and click the Delete button.

Fig. 434 Creating/Editing Filter Groups (Filter pull-down menu)

2.3.1.3 Referencing within the Corresponding Rules

Enter the Rule configuration dialog, click Content/IPS in the Views navigation bar and choose the desired filter from the Content Filter pull-down menu.

2.3.2 Peer to Peer Detection

Barracuda NG Firewall 3.6.2 and later provide additional layer-7 deep packet inspection technology to detect and control applications such as Instant Messaging, peer-to-peer based file sharing, and Skype. The above mentioned applications usually cannot be detected by pattern based intrusion prevention mechanisms. All these applications have in common that they use peer-to-peer (P2P) mechanisms instead of a client-server architecture. Thus, we will refer to this kind of software as peer-to-peer clients, even if their primary purpose is Instant Messaging (IM) or Voice-over-IP (Skype).

P2P software uses multiple technologies like port hopping and protocol obfuscation to circumvent firewalls and proxy servers. Skype and up-to-date BitTorrent or eDonkey clients already make use of encryption; further protocols will switch to encrypted communication in the near future. Pattern based detection mechanisms will fail for the reasons mentioned above. Thus, Barracuda NG Firewall provides behavioral analysis to detect and manipulate traffic generated by these applications. For example, multiple criteria like packet length, packet timing, flow behavior, and bit patterns are taken into account to determine if a connection is likely to originate from an IM or Skype client.

The current Barracuda NG Firewall version supports three traffic handling modes regarding P2P forwarding traffic. Traffic can be reported only, blocked, or throttled. The upcoming Barracuda NG Firewall release will allow more granular rules for individual categories or applications.

Note:
Behavior based analysis does not give full protection against P2P applications. The reason for this is that behavioral analysis requires initial packets to pass through the firewall (of course only if the packets are allowed by all other criteria of a firewall rule), and that the configured Barracuda NG Firewall action can only take place as soon as the P2P module has enough information to classify a flow as P2P traffic.
Beyond this, the P2P module can only detect the behavior of known applications. Newer versions of a specific protocol or a completely new protocol can only be detected as soon as their behavior is known and detection mechanisms are implemented. Barracuda Networks will notify their customers if a new P2P module is available (usually in the form of patch or release notes).

Note:
Barracuda NG Firewall P2P detection requires purchase of an additional license. Please contact your Barracuda Networks sales representative for detailed information.

Note:
P2P detection is available in the local and in the forwarding firewall rule sets and is assigned per firewall rule. It has to be enabled globally through parameters in the Firewall Settings (see 2.3.3 Port Protocol Protection, page 162) and a global policy applies whenever P2P traffic is detected.

To assign P2P detection to a firewall rule, click Content/IPS in the Rule window and set the following options:

Fig. 435 Assigning Peer to Peer Detection

List 439 Port Protocol Protection Policies

Parameter | Description
Content Filter | List of all defined Filter Groups within the Content Filter section. See 2.3.1 Content Filter (Intrusion Prevention), page 159


List 439 Port Protocol Protection Policies (continued)

Parameter | Description
Port Protocol Protection Policy | Use Matching Service Settings / No Port Protocol Detection / Report Prohibited Protocols / Reset Prohibited Protocols / Drop Prohibited Protocols
  For additional information on Port Protocol Protection Policies, see List 440 Port Protocol Protection Policies, page 162
Peer to Peer Detection | Use Default policy / Detect Only / Limit Bandwidth / Drop Traffic
  For additional information on Peer to Peer Detection policies, see List 41 Box Services - General Firewall Configuration - Peer-to-Peer Detection and Protocol Detection, page 134
Peer to Peer Protocol Selection | Use Default Protocol Selection / Explicitly Select Protocols
Explicit Peer to Peer Protocol Selection | If Peer to Peer Protocol Selection is set to Explicitly Select Protocols, Peer to Peer detection will be performed for all entries listed in Selected Protocols.

List 440 Port Protocol Protection Policies

Parameter | Description
No Protocol Protection | Port Protocol Protection is disabled.
Report Prohibited Protocols | Protocols that were detected will be reported in the firewall's access cache.
Reset Prohibited Protocols | If a prohibited protocol was detected, the affected session will be terminated by sending a TCP RST packet.
Drop Prohibited Protocols | If a prohibited protocol was detected, the traffic of the affected session will be dropped but the session will be kept.

Note:
The policies Reset Prohibited Protocols and Drop Prohibited Protocols need an additional P2P detection license. If no P2P license is present, detected protocols will only be reported.

2.3.3 Port Protocol Protection

Port Protocol Protection addresses a general problem in stateful packet inspection firewall configurations. A firewall rule basically defines a policy for source/destination networks/hosts, the allowed service and the corresponding port. This policy can in general not guarantee that the desired protocol is actually operating on the correct port number. For example, a firewall rule that allows passing of SSH traffic on port 22 can be misused to forward SMTP traffic over port 22.

The Port Protocol Protection feature of Barracuda NG Firewalls makes use of deep packet inspection mechanisms to prohibit the above mentioned issues.

2.3.3.1 Defining Port Protocol Protection Policies

The definition of a Port Protocol Protection policy takes place on service level.

- Open the host or the forwarding firewall rule set
- Open the desired service or create a new one

Fig. 436 Port Protocol Protection

2.3.3.2 Example Port Protocol Protection Policy for the service SSH

This example shows the definition of a Port Protocol Protection Policy for the service SSH to avoid unwanted traffic being forwarded by the corresponding firewall rule.

Fig. 437 Port Protocol Protection Example Policy

This Port Protocol Protection Policy allows SSH traffic but resets the session if any protocol from the Prohibited Protocols list was detected.

Note:
Because of the limited set of known protocols, not all potentially unwanted protocols can be covered by a Port Protocol Protection Policy.

2.3.4 Advanced Rule Parameters

Usually, a connection request matches a rule as soon as source, service, and destination match. Situations exist in which you might want to ascertain that no rule allows bypassing a configured rule set.

Example: Two machines in your LAN have access to a database server on a critical port (for example, telnet). You want to make sure that no other rule accidentally allows access for another source than the configured two clients.


In this case, select Block on (Source) Mismatch in the Rule Mismatch Policy section of the Advanced Rule Parameters window.

Clicking Advanced in the navigation bar of the rule window opens the following dialog:

Note:
The following icon is displayed in the rule view of the rule configuration window as soon as the default data has been modified. Changed values are highlighted in yellow.

Fig. 438 Advanced Rule Parameters

List 441 Firewall configuration - Advanced Rule Parameters section Rule Mismatch Policy

Parameter | Description
Source / Service / Destination / User / Mac | Defines the behavior on mismatch. The following options are available:
  CONTINUE on Mismatch - processes the subsequent rule
  BLOCK on Mismatch - see 2.2.3.3 Action Section, page 144
  DENY on Mismatch - see 2.2.3.3 Action Section, page 144
  Attention:
  The effect of these options is cumulative. If you check two options you blank out the remaining values for all subsequent rules. If you check all three options, this rule is the effective end of your rule set.
Persistence | If set to yes, the session is not re-evaluated when rule set or authentication settings change (default: No).

List 442 Firewall configuration - Advanced Rule Parameters section TCP Policy

Parameter | Description
Method | The firewall engine is capable of two TCP forwarding methods:
  Packet Forwarding (Application Controlled Packet Forwarding)
  Stream Forwarding (Transparent Application Proxying; yellow background)
  If you want to avoid any direct TCP connection between two TCP partners traversing the firewall, use stream forwarding, which actually builds two distinct TCP connections; hence the destination will not get any packet which is not generated by the firewall TCP stack itself. Since the ACPF engine filters any malformed packet too, the security advantage of stream forwarding is not as important as it was years ago when the filtering engines were not that powerful.
  Note:
  With Stream Forwarding the performance of the firewall is significantly reduced (400-500 MBit maximum). For detailed performance data contact Barracuda Networks support.
  Note:
  The icon is added to the Action column of the rule set overview window if Stream Forwarding is configured as data transfer Method.
Syn Flood Protection (Forward) | Note: For a description of accept policy handling see 2.3.4.3 Accept Policies, page 166.
  Server Default: The value configured in 2.1.1.4 Operational, page 136 is used as default.
  Outbound: The firewall immediately tries to establish a connection to the requested destination. If successful, it then establishes the connection between itself and the client.
  Inbound: The firewall first tries to establish a connection to the requesting source and then establishes the connection between itself and the requested destination.
Syn Flood Protection (Reverse) | Only activated if option "2-way" has been chosen in section Action.
  Note: For a description of accept policy handling see 2.3.4.3 Accept Policies, page 166.
  Outbound: Same as above. Policy applies for the reverse connection direction.
  Inbound: Same as above. Policy applies for the reverse connection direction.
Accept Timeout (s) | Time the firewall waits until the destination has to answer. After this timeout the firewall sends a TCP RST packet to both partners (default: 10).
Last ACK Timeout (s) | Time the firewall waits after an ACK until the connection is terminated (default: 10).
Retransmission Timeout (s) | Time the firewall waits until the source has to retransmit packets before the firewall registers this as a hijacking attempt (default: 300).
Halfside Close Timeout (s) | Time the firewall waits after conscious termination of the connection until the socket is closed (default: 30).
Disable Nagle Algorithm (No Delayed ACK) | This parameter enables/disables the Nagle Algorithm. This option is only available when using Stream Forwarding.
Force MSS (Maximum Segment Size) | When setting a TCP MSS in a rule, the SYN and SYN-ACK TCP packets are checked for an MSS larger than the configured one. If the MSS TCP attribute is smaller, the packet is rewritten with the configured MSS. Use the feature for VPN to force a TCP MSS that fits the MTU of the VPN tunnel device.

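The Rule Mismatch Policy of List 441 is best understood by walking a request through a rule set. The following is an added example, not Barracuda NG Firewall code: an in-memory model of the scenario in section 2.3.4 (two LAN hosts may reach a database server on telnet, and a later, too broad rule would otherwise admit anyone). The addresses are constructed; the assumption of this model is that the criteria are checked in the order source, service, destination and that the mismatch policy of the first failing criterion decides (CONTINUE, BLOCK or DENY).

```python
"""Constructed model of rule evaluation with Rule Mismatch Policies."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CONTINUE, BLOCK, DENY = "CONTINUE", "BLOCK", "DENY"
ANY = "*"


@dataclass
class Rule:
    name: str
    sources: Set[str]          # {ANY} or explicit source addresses
    services: Set[str]         # {ANY} or service names, e.g. "telnet"
    destinations: Set[str]     # {ANY} or explicit destination addresses
    action: str = "PASS"
    # Mismatch policy per criterion ("sources", "services", "destinations");
    # anything not listed behaves as CONTINUE on Mismatch.
    mismatch: Dict[str, str] = field(default_factory=dict)

    def _matches(self, criterion: str, value: str) -> bool:
        allowed = getattr(self, criterion)
        return ANY in allowed or value in allowed

    def evaluate(self, src: str, service: str, dst: str) -> Optional[str]:
        """Return the rule's action, a mismatch verdict (BLOCK/DENY), or None to continue."""
        for criterion, value in (("sources", src), ("services", service),
                                 ("destinations", dst)):
            if not self._matches(criterion, value):
                policy = self.mismatch.get(criterion, CONTINUE)
                return None if policy == CONTINUE else policy
        return self.action


def evaluate_ruleset(rules: List[Rule], src: str, service: str, dst: str) -> Tuple[str, str]:
    """Walk the rule set top-down; return (verdict, name of the deciding rule)."""
    for rule in rules:
        verdict = rule.evaluate(src, service, dst)
        if verdict is not None:
            return verdict, rule.name
    return BLOCK, "<implicit end of rule set>"


def build_example_rules(block_on_source_mismatch: bool) -> List[Rule]:
    """Rule set of the guide's example (addresses constructed).

    Rule 1 admits two LAN hosts to the database server on telnet; rule 2 is
    the accidental, too broad rule that would otherwise admit any source.
    """
    mismatch = {"sources": BLOCK} if block_on_source_mismatch else {}
    return [
        Rule("db-admins", {"10.0.1.10", "10.0.1.11"}, {"telnet"}, {"10.0.2.5"},
             mismatch=mismatch),
        Rule("db-any", {ANY}, {"telnet"}, {"10.0.2.5"}),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        rules = build_example_rules(flag)
        print("Block on (Source) Mismatch =", flag,
              "->", evaluate_ruleset(rules, "10.0.1.99", "telnet", "10.0.2.5"))
```

With Block on (Source) Mismatch unset, a third host slips through to the database via the broad rule; with it set, the first rule blocks the request before the broad rule is consulted. The model also shows the cumulative effect the Attention note warns about: the same source-mismatch policy blocks every request from a non-listed source, whatever service or destination it asks for, which is why the guide says such a rule can become the effective end of the rule set.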

List 443 Firewall configuration - Advanced Rule Parameters section Resource Protection

Parameter | Description
Max. Number of Sessions | Maximum accepted concurrent connections for this rule on a global basis.
  Note:
  With eventing activated (parameter Rule Limit Exceeded, see page 245), the event FW Rule Connection Limit Exceeded [4016] is generated when the limit is exceeded.
Max. Number of Sessions per Source | Maximum accepted concurrent connections for this rule on a per source address basis (default: 0 = unlimited).
  Attention:
  Choosing these values too small can have unexpected effects. Use these parameters only if you are a preferred victim of Denial of Service (DoS) attacks.
  Note:
  With eventing activated (parameter Source/Rule Limit Exceeded), the event FW Rule Connection per Source Limit Exceeded [4018] is generated when the limit is exceeded.
Session Duration Limit (s) | Allows setting a maximum keep alive time for an established session. The value 0 means unlimited, that is, the session never dies.
  Note:
  This parameter is only effective in the forwarding firewall. Setting this parameter in the local firewall has no effect.

List 444 Firewall configuration - Advanced Rule Parameters section Counting / Eventing / Audit Trail

Defines whether such events should be logged, written to the access cache,

Parameter | Description
Access Cache Entry | Set to yes (default) to obtain access cache entries.
Log File Entry | Set to yes (default) to obtain log file entries.
Transparent Failover State Sync | Setting to yes (default) causes a session that is controlled by this rule to be synchronized on a HA system (see 1. Overview, page 400).
Statistics Entry | Set to yes (default) to obtain statistics files.
  Note:
  Setting to no also disables generation of global firewall statistics.
Log Session State Change | Set to yes (default: no) to log changes of session states.
Own Log File | If set to yes (default: no), all log events belonging to this rule are logged into an extra log file.
Service Statistics | Set to yes (default: no) to generate service statistics for this rule.
Eventing | Specify a severity level for generation of event log entries every time a request matches the rule. Possible settings generating the corresponding events are:
  None (default) - no event generation
  Normal - FW Rule Notice [4020]
  Notice - FW Rule Warning [4021]
  Alert - FW Rule Alert [4022]
  Within the event settings (see 2. Event Configuration, page 322) each of these events can be assigned different actions.
  Note:
  Local rules are not affected by the rule's advanced 'eventing' setting. The behavior is fixed to "none".

List 445 Firewall configuration - Advanced Rule Parameters section Miscellaneous

Parameter | Description
Authentication | Via this menu the required user authentication for HTTP and HTTPS connections (Inline Authentication) can be defined (see 10. Firewall Authentication, page 199). The following options are available:
  No Inline Authentication (default)
  Login+Password Authentication
  X509 Certificate Authentication
  X509 Certificate & Login+Password Authentication
Policy | Default Policy: This option is the default one and takes the interface realm settings into consideration that are assigned in the network configuration for the local networks and interface routes (see 2.2.5.5 Network Routes, page 68). Depending on the specified realm, the Source or Destination IP counts.
  Count Source IP / Count Destination IP: These two parameters allow you to specify explicitly what type of IP address is counted (see 5.2 Policy No. 2: Rule Explicit, page 539).
Time Restriction | Note: Use this parameter to apply a time restriction to rules configured with a feature level lower than or equal to 3.2. For a description of the time restriction dialog see 2.3.4.2 Time Restriction, page 165.
Clear DF Bit | The DF (Don't Fragment) bit is a bit within an IP header that determines whether a packet may be fragmented or not (0 = fragmentation allowed, 1 = do not fragment). In networks where packet size is limited to a Maximum Transmission Unit (MTU), packet fragmentation may become vital when packets sent to this network exceed the MTU (for example, as may frequently occur with SAP applications).
  This parameter determines if the original DF bit setting in an IP header may be overridden. When set to no (default) the packet's specification is observed. Normally, the sending clients determine if fragmentation is required. When the DF bit is set and the target network's MTU specification requires fragmentation, the firewall responds with an ICMP Destination Unreachable message (Code 4: Packet too large. Fragmentation required but DF bit in the IP header is set). As the firewall may not override the DF bit setting, fragmentation is up to the client. If the client for any reason does not understand the answer code, data transmission will fail and data loss might occur in network transports where packet sizes exceed the MTU of the network.
  When set to yes, the DF bit will be cleared from the IP header and packets will be fragmented if necessary regardless of the setting in the packet's IP header. Note that the fragmentation and packet reassembling process might lead to significant performance loss at high traffic rates.
  Note:
  Appropriate handling of this parameter is essential in conjunction with VPN tunnels, as encapsulating packets reduces the available MTU size. The DF bit is automatically cleared from traffic which is forwarded towards a VPN interface.
  Note:
  It is recommended only to change the default setting when experiencing transport problems clearly associated with packet size restrictions.
Set TOS Value | In networks the Type of Service (ToS) information may be utilized to define the handling of the datagram during transport. The TOS Value thus specifies how to deal with the ToS information in the packets' IP headers for all traffic forwarded by the particular rule. By default the value is set to 0 (TOS unchanged). Another fixed value may be specified instead even if originally the ToS flag has not been set.
Prefer Routing over Bridging | This parameter controls the routing behavior of bridges that are configured as Routed Transparent Layer2 Bridges (see), and thus act as routers and bridges at the same time. When set to yes (default: no), traffic is routed that by configuration would actually traverse the bridges which are available on a Barracuda NG Firewall directly. Use this setting in scenarios where an external router connects bridges that are configured on a Barracuda NG Firewall, and where it should be avoided that traffic is directed to the router. When directed to the external router first, traffic would attempt to pass the gateway twice and be rejected by the firewall. When activated, the routing functionality of the bridge itself is used.
Color | Allows defining a color in which the rule is displayed in the rule set overview window.

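The Clear DF Bit parameter in List 445 describes three outcomes for an oversized packet: forward, fragment, or answer with ICMP Destination Unreachable code 4. The following is an added example, not Barracuda NG Firewall code: a decision function that reproduces that behaviour for a constructed packet, including the two overrides the list mentions (Clear DF Bit = yes, and egress towards a VPN interface, where the guide says the DF bit is cleared automatically). The 20-byte header and 8-byte fragment alignment are IPv4 rules, simplified here to headers without options; the packet sizes are constructed.

```python
"""Constructed model of the 'Clear DF Bit' rule parameter (List 445)."""
from dataclasses import dataclass
from typing import List, Tuple

IP_HEADER_LEN = 20
ICMP_DEST_UNREACHABLE = 3   # ICMP type 3
ICMP_FRAG_NEEDED = 4        # code 4: fragmentation required but DF bit is set


@dataclass
class Packet:
    total_length: int   # bytes, including the IP header
    df: bool            # Don't Fragment bit as set by the sender


def fragment(packet: Packet, mtu: int) -> List[int]:
    """Split the payload into fragments that fit `mtu`; return each fragment's total length.

    Fragment offsets are counted in 8-byte units, so every fragment except
    the last carries a payload that is a multiple of 8 bytes.
    """
    max_payload = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small to carry an IP fragment")
    remaining = packet.total_length - IP_HEADER_LEN
    sizes: List[int] = []
    while remaining > 0:
        chunk = min(remaining, max_payload)
        sizes.append(chunk + IP_HEADER_LEN)
        remaining -= chunk
    return sizes


def forward(packet: Packet, egress_mtu: int, clear_df: bool = False,
            egress_is_vpn: bool = False) -> Tuple[str, object]:
    """Decide what the firewall does with `packet` on an egress link of `egress_mtu`.

    Returns ('forward', [length]), ('fragment', [fragment lengths]) or
    ('icmp', (type, code)) for the Destination Unreachable reply.
    """
    if packet.total_length <= egress_mtu:
        return "forward", [packet.total_length]
    # Clear DF Bit = yes, or a VPN egress interface, overrides the sender's DF bit.
    effective_df = packet.df and not clear_df and not egress_is_vpn
    if effective_df:
        # Default behaviour: respect DF and tell the sender to use smaller packets.
        return "icmp", (ICMP_DEST_UNREACHABLE, ICMP_FRAG_NEEDED)
    return "fragment", fragment(packet, egress_mtu)


if __name__ == "__main__":
    big = Packet(total_length=3000, df=True)
    print("default        :", forward(big, 1500))
    print("clear DF = yes :", forward(big, 1500, clear_df=True))
    print("VPN egress     :", forward(big, 1400, egress_is_vpn=True))
```

The ICMP branch is the one that fails silently when a client (or a filter in front of it) ignores Destination Unreachable messages, which is exactly the data-loss case the list describes and the reason the guide only recommends changing the default when transport problems are clearly tied to packet size.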

List 446 Firewall configuration - Advanced Rule Parameters section Quarantine Policy

Parameter | Description
LAN Rule Policy | Matching Policy for a session to be evaluated destined to or originated from a non Quarantine net.
  Match: The rule matches
  Block: The rule blocks the request
  Deny: The rule denies the request
  Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 1 Rule Policy | Matching Policy for a session to be evaluated destined to or originated from a Quarantine class 1 net.
  Match: The rule matches
  Block: The rule blocks the request
  Deny: The rule denies the request
  Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 2 Rule Policy | Matching Policy for a session to be evaluated destined to or originated from a Quarantine class 2 net.
  Match: The rule matches
  Block: The rule blocks the request
  Deny: The rule denies the request
  Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 3 Rule Policy | Matching Policy for a session to be evaluated destined to or originated from a Quarantine class 3 net.
  Match: The rule matches
  Block: The rule blocks the request
  Deny: The rule denies the request
  Continue: Rule evaluation continues with the next rule in the ruleset

2.3.4.1 Multiple Rules Editing

When feature level 3.4.0, 3.6.0, 4.0.0 or 4.2.0 applies, it is possible to select multiple rules for editing. Select the rules you want to edit together and click Edit in the main navigation bar or Edit Multiple Rules in the right-click context menu to open the rules for modification.

Note:
The option Edit Multiple Rules is not available if the view is set to Show in Sections and a section is selected. Select real rules only.

The rule window opens displaying the advanced parameters view.

Note:
The register of available configuration parameters has been expanded compared to the one in single rule editing mode (see list 438, page 270). The following values have been added to the listing:

List 447 Firewall configuration - Enhanced Advanced Rule Parameters section Rule Settings

Parameter | Description
Timed | see 2.3.6 Dynamic Activation, page 168
Inactive | see inactive checkbox, page 252
Time Object | see 2.2.3.10 Time Objects, page 147
Band | see Forward Band, page 252
Authenticated User | see 2.2.3.8 Authenticated User Section, page 147

Again, modified default values are displayed highlighted in yellow when they have been changed uniformly. As soon as the parameter has been configured differently in each particular rule, it is highlighted in red, leaving the field with the parameter value empty.

Fig. 439 Advanced Rule Parameters - Multiple Rules Editing

Attention:
Use this feature with great care. Editing of multiple rules without the necessary wariness can cause severe misconfiguration.

Note:
Multiple rules editing also applies to Content Filter and ICMP Handling characteristics. Rules cannot be edited together in the rule view, though.

2.3.4.2 Time Restriction

Using the Always button in the Advanced rule parameters window, each rule configured within a feature level equal to or lower than 3.2 can be equipped with a time restriction. Clicking the button opens the Time Interval configuration window. If a time restriction applies to a rule, the label of the button changes to Restricted!

The granularity of the time restriction is 1 hour on a weekly base.

Fig. 440 Time restriction dialog

A rule is allowed at all times by default, which means all checkboxes in the Time Interval dialog window are unchecked. Checking a box denies a rule for the given time. Figure 438 shows a time interval setting for a rule which has been set to disallowed on Monday and on Thursday from 08:00 to 16:00.

List 448 Firewall configuration - Time Restriction

Parameter | Description
Continue if mismatch (default) | Process the rule set even if the time restriction denies it.
Block if mismatch | Do not allow the connection if the time restriction denies it.
Terminate existing | If checked, an active session is terminated as soon as the time restriction applies.
Set allow | Select to clear selected checkboxes.
Set deny | Select to select checkboxes as disallowed time intervals.
Set Invert | Select to configure allowed and disallowed time intervals simultaneously.

2.3.4.3 Accept Policies

The firewall offers a choice of two different accept policies on a per rule basis which are intended to offer varying levels of protection against TCP SYN flooding attacks. Only upon successful establishment is the TCP session governed directly by the two communicating network entities.

- Outbound Accept Policy - "Trusted clients accessing untrusted networks"
  TCP session requests (SYN packets) are immediately forwarded to the target address if the session is allowed by the rule set. The TCP handshake occurs between source and destination.

- Inbound Accept Policy - "Server protection against untrusted networks"
  TCP session requests (SYN packets) are NOT immediately forwarded to the target address even if the session is allowed by the rule set. The firewall rather establishes a complete TCP handshake with the requesting source first, assuring that the requestor is authentic (no IP spoofing) and really intends to establish a TCP session. Only after a complete TCP handshake is established, the handshake with the target is caught up and traffic will be forwarded to the target address.

Note:
The different accept policies only apply to the TCP family.

Additionally, as a safeguard against DoS/DDoS attacks from the internet for instance, the Barracuda NG Firewall allows configuration of two resource limits on a per rule basis to protect against resource exhaustion of the firewall gateway (Max. Number of Sessions/Max. Number of Sessions per Source).

The following options are configurable on a per rule basis in the Advanced parameter window of the rule configuration window:

List 449 Firewall configuration - Accept Policy section, Firewall configuration - Advanced Rule Parameters section Resource Protection

Parameter | Description
Max. Number of Sessions | see list 438, page 270
Max. Number of Sessions per Source | see list 438, page 270

List 450 Firewall configuration - Accept Policy section, Firewall configuration - Advanced Rule Parameters section TCP Policy

Parameter | Description
Syn Flood Protection (Forward) | see list 438, page 270
Syn Flood Protection (Reverse) | see list 438, page 270

The scenario depicted in the figures below explains how SYN flooding and protection by the Barracuda NG Firewall work:

Fig. 441 Building up a connection with outbound accept policy
(figure: Client, Firewall, Server; the SYN is forwarded to the server, the server's SYN to the client, and the ACKs are exchanged end to end)

The main characteristic of the outbound policy is that the client will only receive an ACK when the requested server is really up. This is important for many applications such as a browser when it tries to connect to a server with many IP addresses for the same hostname (DNS round robin). The browser tries to connect to the first IP it gets from the DNS server and, if it is not successful, it tries the next one and so on. Hence, it would be fatal if the firewall sent an ACK to the client even if the server was not reachable, because then the browser would never get the chance to try any further IP.

On the other hand this accept policy opens the door to a simple attack illustrated in figure 442.

Step 1 The unfriendly host fakes its IP address and gives itself an address which is already in use in another network. This way it never gets any answer.

Step 2 It then sends innumerable SYN packets to the protected server.

Step 3 The firewall builds up a connection for every SYN, thus using up its own and the protected server's resources.

Step 4 After a certain number of unanswered ACKs the firewall possibly recognizes the unfriendly activity and no longer accepts SYNs from the source.

Note:
If the unfriendly host is able to change its IP address fast enough it will be able to do this very often without a chance for the firewall to differentiate between the attack and ordinary requests.

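The Time Restriction of section 2.3.4.2 and List 448 is a weekly 7 x 24 grid in which a checked box denies the rule for that hour. The following is an added example, not Barracuda NG Firewall code: an in-memory model of that grid with the Set deny / Set allow / Set Invert operations, the setting described for the time restriction dialog (denied on Monday and Thursday from 08:00 to 16:00), and the effect of Continue if mismatch, Block if mismatch and Terminate existing on a request or an active session. The class and function names are this example's own; the dates used are constructed.

```python
"""Constructed model of the weekly Time Restriction (1-hour granularity)."""
from datetime import datetime
from typing import Iterable, List

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)  # datetime.weekday() numbering


class TimeRestriction:
    def __init__(self) -> None:
        # denied[weekday][hour]; all False means the rule is allowed at all times
        self.denied = [[False] * 24 for _ in range(7)]

    def set_deny(self, weekday: int, start_hour: int, end_hour: int) -> None:
        """Deny the rule on `weekday` from start_hour:00 up to, not including, end_hour:00."""
        for hour in range(start_hour, end_hour):
            self.denied[weekday][hour] = True

    def set_allow(self, weekday: int, start_hour: int, end_hour: int) -> None:
        """Clear the checkboxes of the given interval (rule allowed again)."""
        for hour in range(start_hour, end_hour):
            self.denied[weekday][hour] = False

    def set_invert(self, weekday: int, start_hour: int, end_hour: int) -> None:
        """Flip allowed and disallowed hours in the given interval."""
        for hour in range(start_hour, end_hour):
            self.denied[weekday][hour] = not self.denied[weekday][hour]

    def denies(self, when: datetime) -> bool:
        return self.denied[when.weekday()][when.hour]


def evaluate_rule(restriction: TimeRestriction, when: datetime,
                  block_if_mismatch: bool = False) -> str:
    """Outcome of one rule at `when`: 'match', 'continue' (next rule) or 'block'."""
    if not restriction.denies(when):
        return "match"
    return "block" if block_if_mismatch else "continue"


def sessions_to_terminate(restriction: TimeRestriction, when: datetime,
                          active_sessions: Iterable[str],
                          terminate_existing: bool) -> List[str]:
    """With 'Terminate existing' set, the rule's active sessions end once the restriction applies."""
    if terminate_existing and restriction.denies(when):
        return list(active_sessions)
    return []


def example_restriction() -> TimeRestriction:
    """The setting described in the guide: denied Monday and Thursday, 08:00 to 16:00."""
    restriction = TimeRestriction()
    restriction.set_deny(MON, 8, 16)
    restriction.set_deny(THU, 8, 16)
    return restriction


if __name__ == "__main__":
    tr = example_restriction()
    for when in (datetime(2010, 2, 1, 9), datetime(2010, 2, 1, 16), datetime(2010, 2, 2, 9)):
        print(when.strftime("%a %H:%M"), evaluate_rule(tr, when), evaluate_rule(tr, when, True))
```

The default Continue if mismatch only skips the restricted rule, so a later rule may still admit the traffic during the denied hours; Block if mismatch is the setting to use when the restriction is meant as a hard cut-off. The 16:00 boundary is exclusive in this model: an interval "from 08:00 to 16:00" covers the hour boxes 8 through 15.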

Fig. 442 Simple SYN flooding attack with faked IP addresses on a firewall with outbound accept policy
(figure: Client, Firewall, Server running short on resources; SYN (many), SYN, ACK)

Solution:
To avoid exhausting a protected server with faked requests, the Accept Policy of the rule should be set to Inbound. This means the firewall first returns an ACK to the client's IP, thus verifying its real wish for a connection. Only if the ACK is confirmed will the firewall build up a connection to the protected server.

Fig. 443 Building up a connection with inbound accept policy
(figure: Client, Firewall, Server; the firewall completes the SYN/ACK exchange with the client before sending its own SYN to the server)

Fig. 444 Simple SYN flooding attack with faked IP addresses on a firewall with inbound accept policy
(figure: Client, Firewall, Server not even noticing the attack; SYN (many), ACK)

Note:
A SYN request matching a rule with inbound policy is neither logged nor appears in real time status nor in the access cache until it is validated as a real request. That means that SYN flooding attacks do not affect resources of the firewall system. As soon as a SYN flooding attack is detected, a cumulative log entry and the event FW Potential IP Spoofing Attempt [4015] are generated.

2.3.5 ICMP Handling

Click on ICMP Handling in the Views navigation bar to access this configuration section allowing you to define which IP address is used within ICMP (Internet Control Message Protocol) messages.

2.3.5.1 Theory

Let us have a look at the Barracuda Networks terminology:

- Forward Policy
  The Forward Policy affects ICMP messages that are caused by traffic from Source to Destination.
  Fig. 445 Forward Policy (figure: Source, Firewall, Destination (Target); Fwd Traffic, ICMP)

- Reverse Policy
  The Reverse Policy affects ICMP messages that are caused by traffic from Destination to Source.
  Fig. 446 Reverse Policy (figure: Source, Firewall, Destination (Target); Rev Traffic, ICMP)

- Addresses (Forward / Reverse / Target)
  Fig. 447 Forward / Reverse / Target Address (figure: Source, Firewall, Destination (Target); Forward Address, Reverse Address, Target Address)

2.3.5.2 Configuration

The ICMP handling policy is configurable per rule. The following options are available:

Fig. 448 ICMP Handling parameters

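Figures 441 to 444 contrast the two accept policies by what reaches the server. The following is an added example, not Barracuda NG Firewall code and not a packet generator: an in-memory model of the handshakes in those figures, run once per policy with a batch of SYNs from spoofed sources that never complete the handshake plus one genuine client that does. With Outbound, every allowed SYN is forwarded at once and ties up half-open state on the server; with Inbound, the firewall completes the handshake with the client first and contacts the server only after the client's ACK. The event id 4015 is the one named in the note above; the spoof-detection threshold and all addresses are constructed assumptions of this model.

```python
"""Constructed simulation of the Outbound and Inbound accept policies."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

OUTBOUND, INBOUND = "outbound", "inbound"
EVENT_POTENTIAL_SPOOFING = 4015  # FW Potential IP Spoofing Attempt [4015]


@dataclass
class Server:
    half_open: Set[str] = field(default_factory=set)    # SYN seen, final ACK outstanding
    established: Set[str] = field(default_factory=set)


@dataclass
class Firewall:
    policy: str
    server: Server
    spoof_threshold: int = 50   # assumption: unanswered handshakes before the event fires
    pending: Dict[str, int] = field(default_factory=dict)  # inbound: clients still owing an ACK
    forwarded: Set[str] = field(default_factory=set)       # sessions handed on to the server
    events: List[int] = field(default_factory=list)

    def syn(self, client: str) -> None:
        if self.policy == OUTBOUND:
            # SYN is forwarded immediately; the server allocates state right away.
            self.forwarded.add(client)
            self.server.half_open.add(client)
            return
        # Inbound: the firewall answers with its own SYN-ACK and waits for the ACK.
        # Nothing is logged or forwarded until the client proves it is real.
        self.pending[client] = self.pending.get(client, 0) + 1
        if (len(self.pending) >= self.spoof_threshold
                and EVENT_POTENTIAL_SPOOFING not in self.events):
            self.events.append(EVENT_POTENTIAL_SPOOFING)

    def ack(self, client: str) -> None:
        if self.policy == OUTBOUND:
            if client in self.server.half_open:
                self.server.half_open.remove(client)
                self.server.established.add(client)
        elif client in self.pending:
            # Client completed the handshake: now catch up the handshake with the server.
            del self.pending[client]
            self.forwarded.add(client)
            self.server.established.add(client)


def run_scenario(policy: str, spoofed: int = 100) -> Firewall:
    """`spoofed` SYNs from distinct faked sources (never acknowledged) plus one genuine client."""
    fw = Firewall(policy, Server())
    for i in range(spoofed):
        fw.syn(f"198.51.100.{i % 254 + 1}")  # TEST-NET-2 addresses, constructed
    fw.syn("10.0.0.7")                        # genuine client, constructed
    fw.ack("10.0.0.7")
    return fw


if __name__ == "__main__":
    for policy in (OUTBOUND, INBOUND):
        fw = run_scenario(policy)
        print(f"{policy:9} server half-open={len(fw.server.half_open):3} "
              f"established={sorted(fw.server.established)} events={fw.events}")
```

The two runs differ only in where the half-open state lives: under Outbound the server carries it, under Inbound the firewall holds it in the unvalidated `pending` table and the server sees nothing until a genuine ACK arrives, which is the point of Figure 444.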

Forward Policy / Reverse Policy menu

- Default Policy
  The Default Policy decides automatically whether to use the forward or the target address:
  with NAT the forward address is used (no internal IP address is visible)
  without NAT the target address is used
  Note:
  This setting will fit in most cases.

- NO ICMP AT ALL
  This setting causes all ICMP messages to be blocked by the firewall.

- Use Forward Address
  This setting causes the Forward Address to be used for ICMP messages.

- Use Reverse Address
  This setting causes the Reverse Address to be used for ICMP messages.

- Use Target Address
  This setting causes the Target Address to be used for ICMP messages.

The section BLOCKED ICMP Messages offers configuration options additional to the selected policies. This means you may define whether certain ICMP messages are blocked in either forward, reverse, or forward & reverse direction.

Note:
To configure a policy template select New ICMP Param Object in the ICMP tab of the Object Viewer.

2.3.5.3 Example

In order to get a more practical understanding of this topic, let us have a look at the following example:

Fig. 449 ICMP Handling Example
(figure: Source, Firewall, Destination (Target); Forward Address (10.0.8.2), Reverse Address (173.16.3.1), Target Address (173.16.3.2); Fwd Traffic, ICMP)

Table 48 Forward policy comparison

Fwd Policy set to | IP address used
Use Forward Address | 10.0.8.2
Use Reverse Address | 173.16.3.1
Use Target Address | 173.16.3.2

Note:
Assuming that you use NAT for 173.16.3.2 via 10.0.8.3, selecting Use Target Address causes IP address 10.0.8.3 to be used instead of 173.16.3.2.

2.3.6 Dynamic Activation

Any rule may become a dynamic rule if required. To do so, simply select the checkbox Timed in the rule configuration window.

This is a singular capability of the Barracuda NG Firewall. It was developed to close one of the most dangerous gaps in firewall administration: the forgotten service access holes.

If a rule is subject to Dynamic Activation, it is inactive by default. It is switched on by demand and thereafter automatically switched off after some time.

Dynamically activated rules are flagged by the icon. To alter the state of a dynamic rule, change from the firewall configuration tab to the Dynamic tab (Firewall). Double-clicking a dynamic rule opens the Change Dynamic Rule dialog.

Fig. 450 Change Dynamic Rule dialog

Possible actions:

- Enable: enable rule
- Disable: disable rule
- Disable & Terminate: disable rule and terminate all existing connections based on this rule
- Block: block all traffic matching this rule explicitly
- Block & Terminate: block all traffic matching this rule and terminate all existing connections based on this rule explicitly
- None: none


2.4 Delete, Copy and Paste within the Firewall Configuration

Since the rule set is built up of objects which can refer to each other, data transfer actions like copy, paste, and delete are not as simple as they usually are. Several actions are forbidden in order to maintain consistency of the rule set as a whole.

2.4.1 Deleting

It is not permitted to delete an object which is referenced by another object. Otherwise, the other object would become invalid. If you try to delete a referenced object, the following window will appear.

Fig. 451 Warning dialog when trying to delete a referenced object

By clicking Show Selected Object you can go directly to the referenced object, to see whether the reference is necessary. For some references this does not work, since they are not real objects of their own. This holds especially true for connection objects that are usually referenced by an action which is not a GUI-visible object by itself.

2.4.2 Copy and Paste

It is generally possible to copy objects from one firewall configuration to another, or simply duplicate objects for subsequent editing. Again, we face the problem of referenced objects. If you copy and paste objects with references to other objects, you are asked to transfer these objects as well.

Attention:
Copying objects across firewall configurations can result in unwanted and inconsistent rule sets. Use with caution.

2.5 Cascaded Rule Sets

The Barracuda NG Firewall comprises the unique feature of so-called cascaded rule sets. Usage of cascaded rule sets can contribute to improved rule management. The following two cascading methods exist:
- Cascaded Rule Lists
- Cascaded Rule Sets

Cascaded rule lists are included in a rule set. They share the rule set's properties, such as network objects and service objects, and are stored in one file together with the rule set.

Cascaded rule sets, just like ordinary rule sets, are directly related to specific objects they own. Each cascaded rule set is saved to a separate file. To work together, these files are put together later on the operative system. Since cascaded rule sets are saved to distinct files, they can be assigned specific administrative rights. With repository technology it is furthermore possible to share parts of the rule set with multiple firewall services.

For details of that concept consult 6.5.1.2 Creating a Shared Service, page 443 and 6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449.

There are two action types called Cascade and Cascade Back.

The process of applying a cascaded rule set is the following: the firewall starts to go through the master rule set. If a rule with Cascade action matches, it hands the request over to the rule set the cascade rule points to. With the Cascade Back action it is just the other way around.

2.5.1 Cascaded Rule Lists

Clicking New Rulelist below the Edit Rulelist navigation bar item opens a window where the name of the new rule list has to be entered. Confirming by clicking OK opens a new tab next to the Main Rules tab labelled with the name entered.

Note:
The usage of the action type Cascade is limited to the main rule list and Cascade Back is limited to the sub-lists. It is not allowed to cascade between sublists.

Attention:
Rule set names may contain a maximum of 10 characters and digits.

2.5.2 Cascaded Rule Sets

The logical structure of a cascaded rule set is simple. Each part of the rule set is a complete rule set with its own net objects, service objects, and rules.

To avoid overcomplexity and because of limitations of overall rule name length, usage of cascaded rule lists is limited to the global rule set of a cascaded rule set.

Attention:
Use cascading with diligence and caution. Cascading can simplify your rule set. If applied wrongly it will mess it up.

Cascading of rules is allowed in the following places:
- Forwarding Firewall:
  in the main rule set between the main rule list and its sublists.
  Note:
  Cascading is not allowed from one rule-sublist to the other.


- Cascaded Firewall:
  in the Global Rule Set between the main rule list and its sublists;
  from the Global Rule Set to Local Rule Set and Special Rule Set (6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449).

Fig. 452 Cascading of rules

2.5.2.1 View

The cascaded rule sets are shown in their own top tabs in the firewall window next to the Main Rules tab. Here we have the master rule set with the three subsets called alpha, beta, and gamma.

Fig. 453 Rule for cascading into a rule-sublist

3. Local Rules

3.1 General

The rules for local traffic (which means traffic to the box and traffic generated by processes on the system itself; figure 42, page 242) are separated from the forwarding rules.

Fig. 454 Local rules

The rule set governing local traffic is one set, but internally divided into four parts:
- Inbound tab
  Predefined rule set with the most important rules for protection of management access and rules to identify the activities.
- Inbound-User tab
  Bound to the Inbound set. The default set contains a Pass All rule. Change this to restrict any traffic to the box. The ACL which protects the management access is not affected. It is handled by the Inbound rule set.
- Outbound tab
  Predefined rule set with the most important rules for protection of management access and rules to identify the activities.
- Outbound-User tab
  Bound to the Outbound set. The default set contains a Pass All rule. Change this to restrict any traffic leaving the box.

The rule set consists of two separate parts, the inbound and the outbound part. Each is divided into a standard set and an individual set, which are bound to one another.

Fig. 455 Local Rule scheme

3.2 Restrictions of Local Action and Connection Types

Many features of the forwarding rule set are not needed for local traffic or are not applicable at all. The most important restrictions regard the Action and Connection types.

3.2.1 Inbound Rule Set

Available action types (2.2.3.3 Action Section, page 144):
- Block
- Deny
- Pass

3.2.2 Outbound Rule Set

Available action types (2.2.3.3 Action Section, page 144):
- Block
- Deny
- Pass
- Redirect

Note:
Multiple Redirects (load sharing) are not possible.

Available connection types (2.2.6 Connection Elements, page 261):
- Client
- Proxydyn
- Explicit


4. Testing and Verifying of Rule Sets

4.1 General

The Barracuda NG Firewall configuration appliance knows three tools which assist in keeping firewall rules consistent:
- An overlap checker reveals interferences between rules.
- A rule tester explicitly applies a rule set to a given connection request.
- The most comprehensive part is a set of example connections which can be used to keep the rule set working as you want.

4.2 Overlapping Rules

In principle, a connection request can match several rules of a rule set. Hence the succession of the configured rules is very important. To help the administrator avoid mistakes, the Barracuda NG Firewall configuration includes a navigation bar item called Select Overlapping. Use of this menu item in conjunction with selection of a rule will result in highlighting those rules possibly interfering with the selected one. In most cases the overlap is a harmless outcome of the use of very openly defined objects such as World.

Fig. 456 Example for overlapping rules

4.3 Rule Tester

The rule tester allows testing rule sets for consistency.

Fig. 457 Rule tester window with all information on the consequences of the matching rule

4.3.1 Section Test Connection

The following entities are available for rule testing:
- Protocol
- Day of Week/Date/Time (optional)
- Source-IP
- Source-Port (default 2048)
- Destination-IP
- Destination-Port
- Source MAC Address
- Incoming Interface
- Outgoing Interface
- Service
- The button Swap IPs interchanges the source/destination IPs of the tested connection. Note that only the IPs and not the port information is swapped.
- Click the Test button to test the connection. The test result is then displayed in the section below.


4.3.2 Section Test Result

The following icons depict whether a connection attempt would have succeeded or failed under the given conditions.

Table 49 Rule Tester Test Result icons
Icon | Description
[icons not reproduced] | A rule has applied and the connection attempt has succeeded.
[icon not reproduced] | No matching rule has applied or the connection attempt has been blocked explicitly.

The Rule field displays the name of the rule which has been responsible for the result of the connection attempt. If a configured rule has applied you may click on the button Edit to open and modify it. If no rule has applied, the field will take the value No matching rule found.

- Save Result to button
  Enter a name into the field right of the button and click it to save the result of the test. The output of the connection test is then written to the Test Report window and stored as part of the rule set.

Note:
The rule set has to be in locked (that is read-write) state to save a test report.

4.4 Test Report

Usually a rule set has the aim to allow and/or steer a set of abstract policies. The test report utility is a tool to create a set of connection requests which are critical for a security policy.

Test reports are saved on a first come first served basis. Valid test results are indicated by a green symbol. Changing any rule parameter which influences the result of a test report (for example object naming and details, changing rule succession) leads to a status icon change in the overview window: green icons become red. Furthermore, currently active values are added to the column listing, former ones are displayed enclosed in brackets.

Test reports flagged with a red symbol are not valid anymore, as the new conditions first must be applied to them. In order to achieve this, select the test report and click the Rectify entry in the context menu. Rectified test reports are again flagged with a green status icon.

Double-clicking a test report or selecting Edit in the context menu opens the test report window, with all entries pre-filled which have been responsible for the test result. This feature is very useful, as you may now use this window as a template for further tests, or you may even directly open the rule which has been responsible for the handling of this connection attempt by clicking the Edit button next to the Rule field.

Note:
Test Reports are only saved temporarily. If you want to save them permanently, click Send Changes and Activate in the Test Report window.


5. Example Configuration

5.1 General

To move towards a comprehensive description of the possibilities of creating rules for the Barracuda NG Firewall, we consider a setup with a LAN, the internet, and two demilitarized zones.

Note:
The rules described in this section are for principle informational purposes only. They are not at all recommended as an example of a secure setup.

Fig. 458 Example for firewall configuration
[Figure labels: LAN: 172.17.0.0/24 10.0.8.0/24; DMZ 1: 172.16.0.0/24; DMZ 2: 72.17.0.0/24; Internet: 0.0.0.0/0]

Table 410 Exemplary LAN scenario
IP / mask | Description
10.0.8.0/24 | LAN, considered secure
10.0.8.34, 10.0.8.110 | Machines of the internal support team
10.0.8.128 - 10.0.8.134, 10.0.8.201 | Client PCs with access to news content provider (for example Reuters)
172.16.0.50 | Public FTP server with automatic routing
172.16.0.143 | Mail server for uncritical accounts, accessible via webmail
172.16.0.2, 172.16.0.21, 172.16.0.25, 172.16.0.32 | Internal IP addresses of the web servers
172.17.0.100 | Terminal server and gateway to my-news provider (for example Reuters)
172.17.0.8 - 172.17.0.15 | Addresses with access rights to the terminal server
105.8.23.64/29 | External address space provided by my ISP
105.8.23.65 | External address of www.myexample.com, at the same time mail exchanger for myexample.com
105.8.23.66 | External address of ftp.myexample.com
105.8.23.67 | External address of the firewall to be used as proxy address
10.0.8.100 | External address of the firewall (default gateway of my LAN)
172.16.0.100 | DMZ 1 address of the firewall (default gateway of DMZ 1)
172.17.0.99 | DMZ 2 address of the firewall (default gateway of DMZ 2)

Let us consider the following security policies to be implemented.
- All computers in the LAN should have full access to the internet.
- All news-service client PCs should have access to the news service.
- The FTP server should act as if it has an official IP and should communicate with others via FTP (as a server and a client).
- The mailserver should be accessible for everyone via secure webmail and should also be used as SMTP server for the webmail users.
- The webservers run server-side java and are usually under heavy load. Traffic should be distributed to them.
- The external support for the webservers has only ssh access to one webserver. From there it has to hop to the next one.
- The internal support team should have access to the DMZ.

We therefore must handle six different situations that are to be translated into Barracuda NG Firewall rule language. In the next section we want to extend them with some sophisticated additional properties.

Since the rule set is sensitive to the succession of the rules, we want to give a general hint for starting to build up such a set.

Note:
In most situations, start with the redirections, followed by maps, and end with the pass rules. This is almost always true.

We start by figuring out what the security policies mean in networking language:

- Destination address is identical to the connection address, whereas the source address is translated to a different bind address. All LAN machines get the same bind address: "proxying, masquerading". The connection from the sysadmin's machine to the DMZ looks just the same.

Fig. 459 Network situation for a typical LAN to Internet connection
[Figure: Source address 10.0.8.126:2305, Destination address 194.93.78.126:80 -> FW -> Bind address 202.32.15.48:2305, Connection address 194.93.78.126:80]


- Source address is the same as the bind address, whereas the destination address is translated to the internal IP of the FTP server.

Fig. 460 Network situation for an ftp connection to our FTP server
[Figure: Source address 202.32.15.48:2305, Destination address 105.8.23.66:21 -> FW -> Bind address 202.32.15.48:2305, Connection address 172.16.0.50:21]

- Destination address is identical to the connection address, whereas the source address is translated to a different bind address. The bind address is used only for the FTP server: explicit source NAT.

Fig. 461 Network situation for an ftp connection from our FTP server to another FTP server
[Figure: Source address 172.16.0.50:2305, Destination address 202.32.15.48:21 -> FW -> Bind address 105.8.23.66:2305, Connection address 202.32.15.48:21]

- Source address is the same as the bind address, whereas the destination address is translated to the internal IP of the webmail server: Redirecting

Fig. 462 Network situation for a secure connection to the webmail server
[Figure: Source address 212.56.54.87:1547, Destination address 105.8.23.68:443 -> FW -> Bind address 212.56.54.87:1547, Connection address 172.16.0.143:443]

- Source address is the same as the bind address, whereas the destination address is translated to one of the internal IP addresses of the www servers: Redirecting with cycling

Fig. 463 Network situation for a client connection to our webserver farm
[Figure: Source address 15.45.87.123:2305, Destination address 105.8.23.65:80 -> FW -> Bind address 15.45.87.123:2305, Connection address 172.16.0.2:80 / 172.16.0.21:80 / 172.16.0.25:80 / 172.16.0.32:80]

- Source address is the same as the bind address, whereas the destination address is translated to the internal IP of the mail server: Redirecting. Note that although the destination address for the client is the same as when connecting to the webservers via http, the internal destination is completely different (Service dependent NAT).

Fig. 464 Network situation for remote web server support
[Figure: Source address 194.93.77.21:4568, Destination address 105.8.23.65:22 -> FW -> Bind address 194.93.77.21:4568, Connection address 172.16.0.2:22]

- Source address is the same as the bind address, whereas the destination address is translated to the internal IP of the mail server: Redirecting. Note that although the destination address for the client is the same as when connecting to the web server, the internal destination is completely different (Service dependent NAT).

Fig. 465 Network situation for sending a mail to the mail server
[Figure: Source address 194.93.77.21:4568, Destination address 105.8.23.65:22 -> FW -> Bind address 194.93.77.21:4568, Connection address 172.16.0.143:25]

Step 1 Open the rule set via Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (firewall) > Forwarding Rules.
Lock the rule set by clicking the Lock button and select New from the context menu (right-click in the configuration window).

With the information above (figure 465), we are able to define a rule set which lets the firewall act exactly as we want it to. We will start with the redirection rules as mentioned above. Allow the first one to function as mail traffic to the mail server.

Fig. 466 Rule for redirection of mail traffic to internal mailserver
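As an added example, not taken from the Barracuda guide, the following code classifies the translation type from the four addresses the network situation figures above use (source, destination, bind, connection), and picks out service dependent NAT and redirecting with cycling. The sample connections are constructed after figures 459 to 465; the mail case assumes SMTP on port 25 and the second LAN client and the farm client 15.45.87.124 are invented.

```python
"""Added example, not part of the Barracuda guide: classify the translation
type from the four addresses used in the network situation figures above
(source, destination, bind, connection). The sample connections are
constructed after figures 459 to 465; the mail case assumes SMTP on port 25
and the second LAN client is invented to show masquerading."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    source: str        # address the client sends from ("ip:port")
    destination: str   # address the client connects to
    bind: str          # address the firewall uses towards the server
    connection: str    # address the firewall really connects to


def _ip(addr: str) -> str:
    return addr.rsplit(":", 1)[0]


def _port(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def classify(conn: Connection) -> str:
    """Name the translation in the guide's terms by comparing the two pairs."""
    src_translated = _ip(conn.source) != _ip(conn.bind)
    dst_translated = _ip(conn.destination) != _ip(conn.connection)
    if dst_translated and not src_translated:
        return "Redirect"                    # destination rewritten, source kept
    if src_translated and not dst_translated:
        return "Source NAT"                  # masquerading or explicit source NAT
    if src_translated and dst_translated:
        return "Source and destination NAT"
    return "Pass"                            # destination IP equals connection IP


def source_nat_kind(conns) -> str:
    """For source-translated connections: one shared bind address for many
    sources is "proxying, masquerading"; one bind address per source is
    "explicit source NAT" (the FTP server in figure 461)."""
    binds = {_ip(c.bind) for c in conns}
    sources = {_ip(c.source) for c in conns}
    if len(binds) == 1 and len(sources) > 1:
        return "proxying, masquerading"
    if len(binds) == len(sources):
        return "explicit source NAT"
    return "mixed"


def redirect_targets(conns):
    """public destination IP -> {destination port -> internal connection IPs}.
    Different internal hosts behind one IP on different ports is the guide's
    service dependent NAT; several hosts for one port is redirecting with
    cycling (the web server farm)."""
    table = defaultdict(lambda: defaultdict(set))
    for c in conns:
        if classify(c) == "Redirect":
            table[_ip(c.destination)][_port(c.destination)].add(_ip(c.connection))
    return {ip: dict(ports) for ip, ports in table.items()}


# Constructed sample data, modelled on the guide's figures.
FIG_459 = Connection("10.0.8.126:2305", "194.93.78.126:80", "202.32.15.48:2305", "194.93.78.126:80")
LAN_SECOND = Connection("10.0.8.34:3001", "194.93.78.126:80", "202.32.15.48:3001", "194.93.78.126:80")
FIG_460 = Connection("202.32.15.48:2305", "105.8.23.66:21", "202.32.15.48:2305", "172.16.0.50:21")
FIG_461 = Connection("172.16.0.50:2305", "202.32.15.48:21", "105.8.23.66:2305", "202.32.15.48:21")
FIG_462 = Connection("212.56.54.87:1547", "105.8.23.68:443", "212.56.54.87:1547", "172.16.0.143:443")
FIG_463 = [Connection("15.45.87.123:2305", "105.8.23.65:80", "15.45.87.123:2305", "172.16.0.32:80"),
           Connection("15.45.87.124:2305", "105.8.23.65:80", "15.45.87.124:2305", "172.16.0.2:80")]
FIG_464 = Connection("194.93.77.21:4568", "105.8.23.65:22", "194.93.77.21:4568", "172.16.0.2:22")
MAIL = Connection("198.51.100.9:4000", "105.8.23.65:25", "198.51.100.9:4000", "172.16.0.143:25")  # port 25 assumed
SAMPLE = [FIG_459, LAN_SECOND, FIG_460, FIG_461, FIG_462, *FIG_463, FIG_464, MAIL]
```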


Step 2 The rule for external support for the webservers is almost the same.

Therefore, we will go on to the next interesting rule, the redirection of an external IP to the web server farm (figure 463, page 175).

HTTP access to one IP, namely 105.8.23.65, is redirected to four other IPs. The redirection algorithm is the following: the client address in binary form is divided by the number of redirection targets. The remainder now decides to which target the client is redirected (0 to the first, 1 to the second, 2 to the third, ...). Since the IP address space is approximately equally distributed, this method provides almost perfect load balancing for all practical purposes.

Introduce two rules of the following type:

Table 411 Exemplary rule configuration in comparison
Source | Service | Action | Connection type | Destination
World | ftp | Redirect | Client | 105.8.23.66 redirected to 172.16.0.50
172.16.0.50 | ftp | Pass | Proxy explicit: 105.8.23.66 | World

These two rules do not seem to have much in common. But if we have a look at figure 460 and figure 461, it becomes clear that the rules are just mirrors of each other. Since this is a frequent situation in networking life, the Barracuda NG Firewall has a single action to handle this - Map.

One key advantage of mapping is that it can be applied in both ways, just like in the case of the FTP server.

Fig. 467 Rule which implements load balancing for the web server farm
[Figure note: The target IPs must be a space separated list of IP addresses.]

Fig. 468 Rule which maps the ftp server to the internet
[Figure note: Instead of defining the IPs explicitly in the rule dialog, we could have referred to a predefined connection object, a translation map.]

Step 3 The last rules to be created are the ones from LAN to DMZs and internet (figure 459, page 174).
We use the action Pass, because the destination IP is identical to the connection IP.

Note:
Allowing access to the world includes access to the DMZs. If you want to give DMZ access to selected nodes only, then you must insert a rule which blocks access from the LAN to the DMZs. This rule has to be placed after the rules which allow access for the selected nodes and before allowing access to the world.

Fig. 469 Rule for LAN access to the whole world

Finally, we want to give certain clients of the LAN access to the news gateway in DMZ 2. The network environment is a little more complicated, because each of the clients is mapped to a certain bind address. To avoid introducing a separate rule for each client, we define a new connection object, a translation map.
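The target selection rule described above for the web server farm redirect, worked through in code as an added example that is not part of the Barracuda guide. The farm addresses are the four internal web server IPs from Table 410; the fifth server 172.16.0.40 and all client addresses are constructed for the example.

```python
"""Added example, not part of the Barracuda guide: the target selection rule
described above for the web server farm redirect, applied to sample clients.
The farm addresses are the four internal web server IPs from Table 410; the
fifth server 172.16.0.40 and all client addresses are constructed."""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

WEB_FARM = ["172.16.0.2", "172.16.0.21", "172.16.0.25", "172.16.0.32"]


def select_target(client_ip: str, targets=WEB_FARM) -> str:
    """The client address in binary form (its 32-bit value) is divided by the
    number of targets; the remainder picks the target (0 -> first, ...)."""
    remainder = int(IPv4Address(client_ip)) % len(targets)
    return targets[remainder]


def distribution(client_network: str, targets=WEB_FARM) -> dict:
    """Count how every address of a client network (all of them, not just
    hosts) is spread over the farm. With a power-of-two target count only
    the lowest address bits decide, so any aligned block spreads evenly."""
    counts = Counter(select_target(str(a), targets)
                     for a in IPv4Network(client_network))
    return {t: counts.get(t, 0) for t in targets}


def remapped_fraction(client_ips, old_targets, new_targets) -> float:
    """Share of clients that land on another server after the target list
    changes. Because the choice is 'address modulo target count', adding or
    removing one server moves most clients, not just 1/n of them, so
    sessions that depend on server-side state are cut."""
    moved = sum(1 for ip in client_ips
                if select_target(ip, old_targets) != select_target(ip, new_targets))
    return moved / len(client_ips)
```

A client is always pinned to the same server, so all clients behind one masquerading address share one server; that is what the example's rule set produces for the LAN behind 202.32.15.48.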


In this map, we define which source IP should get which bind IP if the rule uses this connection object.

Fig. 470 Network situation for a typical LAN to Internet connection
[Figure: Source address 10.8.0.201:4568, Destination address 172.17.0.100:5100 -> FW -> Bind address 172.17.0.15:4568, Connection address 172.17.0.100:5100]

The destination address is identical to the connection address, whereas the source address is translated into a different bind address. Each client gets a different bind address: "explicit source NAT".

Fig. 471 Connection object dialog window for translation map

Fig. 472 Rule dialog for the news access rule via explicit source NAT

We now end up with a rule set that implements our general security policy. There are however some pending improvements. Before we refine the rule set, we will go on with a detailed description of the rule in general.

A last remark concerns the FTP server rule. Since it works in both ways, we have given a DMZ server ftp access to our LAN, too. THIS IS SURELY NOT WHAT WE INTENDED. Hence we fill in another rule, which blocks all traffic from the DMZs to the LAN.

5.2 Advanced Settings in the Example Setup

With the knowledge of the advanced part of rule configuration one would suggest the following improvements for this example.

Table 412 Improved rule configuration
Rule | Improvement
Web-support | Inbound, Dynamic activation
Web-in | Inbound
Mail-in | Inbound
Webmail | Inbound
FTPServerMap | Inbound, Reversed Policy: Outbound
Admin2DMZ | Outbound
NewsAccess | Outbound
LAN2world | Outbound


6. Real Time Information and Manipulation

6.1 GUI Elements

The operative firewall GUI consists of the following parts/tabs:
- Dashboard - 6.2 Dashboard, page 178
- Status - 6.3 Real Time Status, page 178
- Access Cache - 6.4 Access Cache, page 182
- AuthUser - 6.5 Authenticated User, page 185
- Dynamic - 6.6 Dynamic Rules and Data, page 185
- Shaping - 6.7 Shaping, page 186
- Trace - 6.8 Tracing Connections, page 187
- FW Audit Log Service - 6.9 FW Audit Log Service, page 188
- Local Rule Set - 3. Local Rules, page 171
- Forwarding Rule Set - 2. Firewall Configuration, page 134

6.2 Dashboard

The Dashboard tab provides a real-time view on a selection of important status and statistics data.

Fig. 473 Dashboard tab

6.3 Real Time Status

In the Status tab of the firewall GUI, traffic going through your firewall can be watched in real time.

Fig. 474 Status tab
[Figure callouts: Filtering, page 178; Status List, page 179; State of the Work Processes, page 181; Traffic Meter, page 182]

6.3.1 Filtering

Note:
To activate the defined view it is necessary to click Update List.

6.3.1.1 Traffic Selection

The pull-down menu (top, left) serves to define the number of shown entries.

The tab Traffic Selection (top, right) is used for regulating the shown information. For this purpose, the options (checkboxes) in the two lines Status Selection and Traffic Selection are used:

Status Selection line
- Established: displays all established connections
- Pending: displays all connections that are being established right now
- Closing: displays all connections that are closing
- Failing: displays all connections that could not be established

Traffic Selection line
- Forward: displays the traffic on the Forwarding FW
- Local In


  displays the incoming traffic on the box firewall
- Local Out: displays the outgoing traffic from the box firewall
- Loopback: traffic over the loopback interface

6.3.1.2 Status Filter

The tab Status Filter allows you to constrain the view to very specific properties.
- Rule: allows setting a filter for a specific rule
- Proto.: allows setting a filter for a specific protocol
- Source: allows setting a filter for a specific source IP address/range
- Dest.: allows setting a filter for a specific destination IP address/range
- Interface: allows setting a filter for a specific interface (for example eth0)
- Addr.: allows setting a filter for a specific IP address
- Srv.: allows setting a filter for a specific service
- Port: allows setting a filter for a specific port
- Src-Interface: allows setting a filter for a specific source interface
- Dest-Interface: allows setting a filter for a specific destination interface

By ticking the corresponding checkboxes it is possible to combine multiple fields in order to refine the filter.

Note:
All fields except the pull-down menu Proto. allow the use of the * and ? wild cards.

6.3.2 Status List

Note:
Double-clicking an entry opens a window called Details that contains all information concerning the entry in one view.

The list itself consists of the following columns:
- ID: icons indicating the amount of traffic and the unique access ID for each active connection
- State: icons for one-way traffic; connection established (TCP) or both-way traffic (all other); connection could not be established; closing connection
- Band: traffic band (SYS, A, B, C, D, E, F, G)
- Rule: name of the affected rule
- Org: origin:
  LIN: Local In; equals incoming traffic on the box firewall
  LOUT: Local Out; equals outgoing traffic from the box firewall
  LB: Loopback; equals traffic via the loopback interface
  FWD: Forwarding; equals outbound traffic via the forwarding firewall
  IFWD: Inbound Forwarding; inbound traffic to the firewall
  PXY: Proxy; equals outbound traffic via the proxy
  IPXY: Inbound Proxy; equals inbound traffic via the proxy
  TAP: Transparent Application Proxying; equals traffic via stream forwarding
- Proto: used protocol; for example TCP, UDP, ICMP
- Interface: shows the affected interface
- Source: source IP:Port
- Destination: destination IP
- Port: destination port (or internal ICMP ID)
- Service: name of dynamic service
- Bytes/s: bytes per second (during the last second)
- Idle: time passed since last data transfer
- Total: total number of bytes transferred over this connection
- In: total number of bytes transferred over this connection from the source
- Out: total number of bytes transferred over this connection to the source
- Start: time passed since the connection has been established
- Bind: IP and port of the bind address
- Conn: IP and port of the connection address
- Out-IF: outgoing interface
- Status

  Status of active connections

Note:
Connections can be terminated by using Terminate Session from the right mouse-button context menu. Do not use this feature for fun.

The following status types exist:

Table 413 Status types and their origin
Status name | Origin | Description
FWD-NEW | TCP Packet Forwarding Outbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
FWD-FSYN-RCV | TCP Packet Forwarding Outbound | The initial SYN packet received from the session source was forwarded.
FWD-RSYN-RSV | TCP Packet Forwarding Outbound | The session destination answered the SYN with a SYN/ACK packet.
FWD-EST | TCP Packet Forwarding Outbound | The SYN/ACK packet was acknowledged by the session source. The TCP session is established.
FWD-RET | TCP Packet Forwarding Outbound | Either source or destination are retransmitting packets. The connection might be dysfunctional.
FWD-FFIN-RCV | TCP Packet Forwarding Outbound | The session source sent a FIN datagram indicating to terminate the session.
FWD-RLACK | TCP Packet Forwarding Outbound | The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-RFIN-RCV | TCP Packet Forwarding Outbound | The session destination sent a FIN datagram indicating to terminate the session.
FWD-FLACK | TCP Packet Forwarding Outbound | The session source answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-WAIT | TCP Packet Forwarding Outbound | The session was reset by one of the two participants by sending a RST packet. A wait period of 5 seconds will silently discard all packets belonging to that session.
FWD-TERM | TCP Packet Forwarding Outbound | The session is terminated and will shortly be removed from the session list.
IFWD-NEW | TCP Packet Forwarding Inbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
IFWD-SYN-SND | TCP Packet Forwarding Inbound | A SYN packet was sent to the destination initiating the session (note that the session with the source is already established).
IFWD-EST | TCP Packet Forwarding Inbound | The destination replied to the SYN with a SYN/ACK. The session is established.
IFWD-RET | TCP Packet Forwarding Inbound | Either source or destination are retransmitting packets. The connection might be dysfunctional.
IFWD-FFIN-RCV | TCP Packet Forwarding Inbound | The session source sent a FIN datagram indicating to terminate the session.
IFWD-RLACK | TCP Packet Forwarding Inbound | The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
IFWD-RFIN-RCV | TCP Packet Forwarding Inbound | The session destination sent a FIN datagram indicating to terminate the session.
PXY-NEW | TCP Stream Forwarding Outbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
PXY-CONN | TCP Stream Forwarding Outbound | A socket connection to the destination is in the process of being established.
PXY-ACC | TCP Stream Forwarding Outbound | A socket connection to the source is in the process of being accepted.
PXY-EST | TCP Stream Forwarding Outbound | Two established TCP socket connections, to the source and to the destination, exist.
PXY-SRC-CLO | TCP Stream Forwarding Outbound | The socket to the source is closed or is in the closing process.
PXY-DST-CLO | TCP Stream Forwarding Outbound | The socket to the destination is closed or is in the closing process.
PXY-SD-CLO | TCP Stream Forwarding Outbound | The source and the destination socket are closed or in the closing process.
PXY-TERM | TCP Stream Forwarding Outbound | The session is terminated and will shortly be removed from the session list.
IPXY-NEW | TCP Stream Forwarding Inbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
IPXY-ACC | TCP Stream Forwarding Inbound | A socket connection to the source is in the process of being accepted.
IPXY-CONN | TCP Stream Forwarding Inbound | A socket connection to the destination is in the process of being established.
IPXY-EST | TCP Stream Forwarding Inbound | Two established TCP socket connections, to the source and to the destination, exist.
IPXY-SRC-CLO | TCP Stream Forwarding Inbound | The socket to the source is closed or is in the closing process.
IPXY-DST-CLO | TCP Stream Forwarding Inbound | The socket to the destination is closed or is in the closing process.
IPXY-SD-CLO | TCP Stream Forwarding Inbound | The source and the destination socket are closed or in the closing process.
IPXY-TERM | TCP Stream Forwarding Inbound | The session is terminated and will shortly be removed from the session list.
UDP-NEW | UDP Forwarding | Session is validated by the firewall rule set, no traffic was forwarded so far.
UDP-RECV | UDP Forwarding | Traffic has been received from the source and was forwarded to the destination.
UDP-REPL | UDP | The destination replied to the traffic
IFWD-FLACK TCP Packet The session source answered the FIN Forwarding sent by the source
Forwarding packet with a FIN reply and awaits the UDP-SENT UDP The source transmitted further traffic
Inbound last acknowledgement for this packet Forwarding after having received a reply from the
IFWD-WAIT TCP Packet The session was reset by one of the destination
Forwarding two participants by sending a RST UDP-FAIL UDP The destination or a network
Inbound packet. A wait period of 5 seconds will Forwarding component on the path to the
silently discard all packet belonging to destination sent an ICMP indicating
that session that the desired request cannot be
IFWD-TERM TCP Packet The session is terminated and will serviced.
Forwarding shortly be removed from the session ECHO-NEW ECHO Session is validated by the firewall rule
Inbound list. Forwarding set, no traffic was forwarded so far.
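The outbound TCP forwarding states above (FWD-NEW through FWD-TERM) describe how the engine tracks a forwarded connection. The following Python model is an added example, not the manual's or the appliance's code: it replays a constructed packet sequence through those state names, with the transitions taken from the table's descriptions; how a session leaves FWD-RET once fresh traffic arrives is an assumption.

```python
"""Model of the outbound TCP forwarding states (FWD-*) listed in Table 413.
Added example, not the appliance's code: transitions are read off the table's
descriptions; how a session leaves FWD-RET again is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RST_WAIT_SECONDS = 5.0  # FWD-WAIT: packets of a reset session are silently discarded for 5 s


@dataclass
class Packet:
    direction: str  # "src" = session source, "dst" = session destination
    flags: str      # "SYN", "SYN/ACK", "ACK", "PSH/ACK", "FIN" or "RST"
    seq: int        # sequence number; a repeated (direction, flags, seq) is a retransmission
    time: float     # arrival time in seconds


@dataclass
class ForwardingSession:
    state: str = "FWD-NEW"  # validated by the rule set, nothing forwarded yet
    history: List[str] = field(default_factory=lambda: ["FWD-NEW"])
    before_ret: str = "FWD-NEW"
    rst_time: Optional[float] = None
    seen: Set[Tuple[str, str, int]] = field(default_factory=set)

    def _go(self, state: str) -> str:
        self.state = state
        self.history.append(state)
        return state

    def feed(self, pkt: Packet) -> str:
        """Apply one forwarded packet and return the resulting status name."""
        if self.state == "FWD-TERM":
            return self.state                  # about to be removed from the session list
        if self.state == "FWD-WAIT":
            if pkt.time - self.rst_time < RST_WAIT_SECONDS:
                return self.state              # silently discarded
            return self._go("FWD-TERM")
        if pkt.flags == "RST":                 # either participant reset the session
            self.rst_time = pkt.time
            return self._go("FWD-WAIT")
        key = (pkt.direction, pkt.flags, pkt.seq)
        if key in self.seen:                   # same segment again: a retransmission
            if self.state != "FWD-RET":
                self.before_ret = self.state
            return self._go("FWD-RET")
        self.seen.add(key)
        if self.state == "FWD-RET":
            # assumption: fresh traffic is judged against the state before the retransmission
            self._go(self.before_ret)
        d, f, s = pkt.direction, pkt.flags, self.state
        if s == "FWD-NEW" and d == "src" and f == "SYN":
            return self._go("FWD-FSYN-RCV")    # initial SYN from the source forwarded
        if s == "FWD-FSYN-RCV" and d == "dst" and f == "SYN/ACK":
            return self._go("FWD-RSYN-RSV")    # destination answered with SYN/ACK
        if s == "FWD-RSYN-RSV" and d == "src" and f == "ACK":
            return self._go("FWD-EST")         # SYN/ACK acknowledged: session established
        if s == "FWD-EST" and f == "FIN":
            return self._go("FWD-FFIN-RCV" if d == "src" else "FWD-RFIN-RCV")
        if s == "FWD-FFIN-RCV" and d == "dst" and f == "FIN":
            return self._go("FWD-RLACK")       # destination's FIN reply, last ACK pending
        if s == "FWD-RFIN-RCV" and d == "src" and f == "FIN":
            return self._go("FWD-FLACK")       # source's FIN reply, last ACK pending
        if (s, d) in (("FWD-RLACK", "src"), ("FWD-FLACK", "dst")) and f == "ACK":
            return self._go("FWD-TERM")        # last acknowledgement seen
        return self.state                      # ordinary data segment: no state change


def replay(packets: List[Packet]) -> List[str]:
    """Return the sequence of status names a packet list drives a session through."""
    session = ForwardingSession()
    for pkt in packets:
        session.feed(pkt)
    return session.history


# Constructed sample traffic: handshake, then one data segment and an orderly close by the source.
HANDSHAKE = [Packet("src", "SYN", 100, 0.0), Packet("dst", "SYN/ACK", 300, 0.1),
             Packet("src", "ACK", 101, 0.2)]
ORDERLY_CLOSE = HANDSHAKE + [Packet("src", "PSH/ACK", 101, 0.5), Packet("src", "FIN", 150, 1.0),
                             Packet("dst", "FIN", 400, 1.1), Packet("src", "ACK", 151, 1.2)]

if __name__ == "__main__":
    print(" -> ".join(replay(ORDERLY_CLOSE)))
```

Feeding a duplicate segment shows FWD-RET, and a RST shows the 5-second FWD-WAIT window before FWD-TERM, which is what the Status tab displays for such sessions.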

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Firewall Real Time Status < Real Time Information and Manipulation | 181

Table 413 Status types and their origin (continued)

Status name | Origin | Description
ECHO-RECV | ECHO Forwarding | Traffic has been received from the source and was forwarded to the destination.
ECHO-REPL | ECHO Forwarding | The destination replied to the traffic sent by the source.
ECHO-SENT | ECHO Forwarding | The source sent more traffic after receiving a reply from the destination.
ECHO-FAIL | ECHO Forwarding | The destination or a network component on the path to the destination sent an ICMP indicating that the desired request cannot be serviced.
OTHER-NEW | OTHER Protocols Forwarding | Session is validated by the firewall rule set, no traffic was forwarded so far.
OTHER-RECV | OTHER Protocols Forwarding | Traffic has been received from the source and was forwarded to the destination.
OTHER-REPL | OTHER Protocols Forwarding | The destination replied to the traffic sent by the source.
OTHER-SENT | OTHER Protocols Forwarding | The source sent more traffic after receiving a reply from the destination.
OTHER-FAIL | OTHER Protocols Forwarding | The destination or a network component on the path to the destination sent an ICMP indicating that the desired request cannot be serviced.
LOC-NEW | Local TCP Traffic | A local TCP session was granted by the local rule set.
LOC-EST | Local TCP Traffic | The local TCP session is fully established.
LOC-SYN-SND | Local TCP Traffic | A Local-Out TCP session is initiated by sending a SYN packet.
LOC-SYN-RCV | Local TCP Traffic | A Local-In TCP session is initiated by receiving a SYN packet.
LOC-FIN-WAIT1 | Local TCP Traffic | An established local TCP session started the close process by sending a FIN packet.
LOC-FIN-WAIT2 | Local TCP Traffic | A local TCP session in the FIN-WAIT1 state received an ACK for the FIN packet.
LOC-TIME-WAIT | Local TCP Traffic | A local TCP session in the FIN-WAIT1 or in the FIN-WAIT2 state received a FIN packet.
LOC-CLOSE | Local TCP Traffic | An established local TCP session is closed.
LOC-CLOSE-WAIT | Local TCP Traffic | An established local TCP session received a FIN packet.
LOC-LAST-ACK | Local TCP Traffic | The application holding an established TCP socket responded to a received FIN by closing the socket. A FIN is sent in return.
LOC-LISTEN | Local TCP Traffic | A local socket awaits connection requests (SYN packets).
LOC-CLOSING | Local TCP Traffic | A local socket in the FIN_WAIT1 state received a FIN packet.
LOC-FINISH | Local TCP Traffic | A local TCP socket was removed from the internal socket list.

- Policy
  The following entries are possible:

Table 414 Overview of possible access cache entries

Entry | Description
NO_MATCH_IIF | Received packet (Forward Direction) must NOT match the initial input interface
NO_MATCH_OIF | Received packet (Reverse Direction) must NOT match the initial output interface
INBOUND | Session is set to accept policy Inbound (Firewall 2.3.4.3 Accept Policies, page 166)
FWD_FILTER | Content filter is applied for forward traffic
REV_FILTER | Content filter is applied for reverse traffic
TRACE | Session is being traced
NOTIFY_CONECT | Session will notify the Firewall Service upon successful or failing TCP establishment. Needed for multiple redirection status
PROXYDYN | Bind IP is determined by the routing table
NOLOG | Session will not generate log file entries
NOSTAT | Session will not generate statistics
NOCACHE | Session will not generate an access cache entry
NONAGLE | Nagle algorithm is turned OFF
LOG_STATE | Session will log each state change (every state change of this session is logged)
OWN_LOG | Session will log to the firewall rule log file
SRVSTAT | Session will resolve service object names when generating statistics
DYNAMIC_PORT | Session is dynamically NATed. The outgoing source port will differ from the original client port
NOSYNC | Session will not be synchronized for transparent failover
CLEAR_ECN | Session will clear any ECN bits in the IP header

- TI Classification
  Transport rating setting (Bulk, Quality, or Fallback with IDs 0-7 each)

- FWD Shape
  Shows the actual shape connectors used in forward direction. There are possibly two shape connectors involved, one for ingress and one for egress shaping respectively. Ingress shaping in forward direction takes place at the inbound interface, egress shaping at the outbound interface.
  The first shape connector displayed is the one used for ingress and the second one is used for egress shaping.

- REV Shape
  Shows the actual shape connectors used in reverse direction. There are possibly two shape connectors involved, one for ingress and one for egress shaping respectively. Ingress shaping in reverse direction takes place at the outbound interface, egress shaping at the inbound interface.
  The first shape connector displayed is the one used for ingress and the second one is used for egress shaping.

6.3.3 State of the Work Processes

In the lower left of the Status tab a display for the workers' state is integrated.

The entry Active displays the currently active worker processes.

The button Kill Selected is used for terminating single workers.

The entry on the right of the Kill Selected button shows the status of the synchronisation in case of active Transparent Failover (High Availability, page 399) and consists of the following possible states:

- Active Sync (UP)
  shown on the active HA partner; synchronisation works
- Active Sync (DOWN)
  shown on the active HA partner; sync would work, but BoxFW is down
- Passive Sync (UP)
  shown on the passive HA partner; synchronisation works
- Passive Sync (DOWN)
  shown on the passive HA partner; sync would work, but BoxFW is down

The window provides the following information about the processes:

- PID
  System process ID
- Connections
  Number of connections handled by the worker
- bps
  bytes per second (during the last second)
- Heartbeat
  Time in seconds for which the process has not answered; should never be more than 2.
- PID
  System process ID; allows a view on the PID and the full extended description column
- Description
  Role description of the worker

6.3.4 Traffic Meter

In the lower right of the Status tab a traffic meter is integrated.

The firewall engine samples the amount of traffic over 10 seconds and the traffic meter shows it either based on bands (SYS, A to G) or on traffic origin (Forward, Loopback, Local, Total).

Both views are available as Bytes/sec or Packets/sec.

Fig. 475 Traffic meter

The third available view is called TF Sync and contains detailed information concerning the Transparent Failover function of a HA Forwarding Firewall. The pull-down menu for the statistics type (with the options Bytes/sec and Packets/sec) has no function for this type of view.

The display consists of the following entries:

- My Sync Addr
  IP address and connection port for synchronisation of this box
- Partner Sync Addr
  IP address and connection port for synchronisation of the HA partner box
- Synced Sessions
  Number of sessions successfully synchronized
- Pending Sessions
  Number of not yet synchronized sessions

6.4 Access Cache

The access cache is the most powerful tool for troubleshooting.

Fig. 476 Access Cache

6.4.1 Available Filter Options

6.4.1.1 Global Viewing Options

The area on the top left side of the Access Cache tab is used to define viewing preferences.

Use the pull-down menu on the top to set the maximum number of cache entries to be shown.

Activate the checkbox Show Hostnames if you want source and destination IPs to be translated to hostnames as far as possible.

Note:
IP addresses will only be resolved to hostnames if this function has been enabled in the firewall settings (see Resolve Access Cache IPs, page 137).

Note:
Click Update List to activate any newly defined view.

6.4.1.2 Cache Selection

The tab Cache Selection (top, right) is used for regulating the shown information. For this, the options (checkboxes) in the two lines Traffic Selection and Cache Selection are used:

Traffic Selection line

- Forward
  displays the traffic on the Forwarding FW
- Local In
  displays the incoming traffic on the box firewall
- Local Out
  displays the outgoing traffic from the box firewall
- Loopback
  displays the traffic over the loopback interface

Cache Selection line

- Access
  displays all allowed and successfully established connections
- Rule Block
  displays all connections matching the Deny Reasons (page 184) or Block Reasons (page 184)
- Packet Drop
  displays all connections matching the Drop Reasons (page 184)
- Fail
  displays all connections matching the Fail Reasons (page 185)
- ARP
  displays all ARP requests
- Scan
  displays all SCAN tasks

6.4.1.3 Cache Filter

The tab Cache Filter allows you to constrain the view to very specific properties.

- Rule
  allows setting a filter for a specific rule
- Proto.
  allows setting a filter for a specific protocol
- Source
  allows setting a filter for a specific source IP address/range
- Dest.
  allows setting a filter for a specific destination IP address/range
- Interface
  allows setting a filter for a specific interface (for example eth0)
- Addr.
  allows setting a filter for a specific IP address
- Srv.
  allows setting a filter for a specific service
- Port
  allows setting a filter for a specific port
- Src-Interface
  allows setting a filter for a specific source interface
- Dest-Interface
  allows setting a filter for a specific destination interface

By ticking the corresponding checkboxes it is possible to combine multiple fields in order to refine the filter.

Note:
All fields except the pull-down menu Proto. allow the use of the * and ? wildcards.

The size of the caches is configured in the Firewall Settings and requires a service restart.

6.4.2 Access Cache List

Note:
Double-clicking an entry opens a window called Details that contains all information concerning the entry in one view.

The list itself consists of the following columns:

- AID
  Access ID, including an icon for blocked connections, an icon for established connections and consecutive numbering for both blocked and established connections. The AID also contains the letter B to indicate a blocked connection.
- Org (Origin)
  LIN: Local In; incoming traffic on the box firewall
  LOUT: Local Out; outgoing traffic from the box firewall
  LB: Loopback; traffic via the loopback interface
  FWD: Forwarding; outbound traffic via the forwarding firewall
  IFWD: Inbound Forwarding; inbound traffic to the firewall
  PXY: Proxy; outbound traffic via the proxy
  IPXY: Inbound Proxy; inbound traffic via the proxy
  TAP: Transparent Application Proxying; traffic via virtual interface
  LRD: Local Redirect; redirect traffic configured in the forwarding rule set
- Interface
  Incoming interface
- Source
  Source IP of the requesting client
- Destination
  IP of the requested destination
- Proto
  Used protocol; for example TCP, UDP, ICMP
- Port
  Port of the requested destination
- Service
  Assigned (dynamic) service
- Count
  Number of tries
- Last
  Time passed since the last try
- Rule
  Name of the matching rule
- Info
  Reason why things happen (see 6.4.3 Reasons, page 184).
  Note:
  The entry TF-sync means that the session is synced (it shows up on the backup machine where the firewall service is on standby).
- MAC
  MAC address of the interface
- Bind
  Bind address
- Conn
  IP of the connection address
- Out-IF
  Outgoing interface; tunnel and transport are visualized.
- OutRoute
  unicast or local
- Next Hop
  Gateway

Note:
A Next Hop address may show up in a Local Redirect action. This routing information comes from the reverse direction lookup (how packets will be routed from loopback to client).

6.4.2.1 Context Menus

Right-clicking into the listing makes the following context menus available:

- The standard context menu accessible through the item Tools (see 4.2 Standard Context Menu, page 420).
- Remove Selected
  This entry is only available with one or multiple item(s) selected. Executing it removes all selected access cache entries from the listing.
- Flush Cache
  Removes all entries from the access cache.
- Save Cache Selection
  Permanently saves the settings defined through the section Cache Selection (see 6.4.1.2 Cache Selection) in the Barracuda NG Admin administration tool.
- Group by
  For better lucidity, access cache entries may be grouped by their essential attributes such as Rule, Interface or Origin. Grouped entries are arranged in pop-up menus topped by a labelled title bar.

6.4.3 Reasons

6.4.3.1 Deny Reasons

Table 415 Reasons for connection denials

Deny Reasons | Description
Deny by Dynamic Rule | The session request was matched by a dynamic rule which is set to be denied.
Deny by Rule | A rule denies a session request explicitly.
Deny by Rule Destination Mismatch | A rule with the 'DENY on Destination Mismatch' option selected matched and resulted in a deny action.
Deny by Rule Service Mismatch | A rule with the 'DENY on Service Mismatch' option selected matched and resulted in a deny action.
Deny by Rule Source Mismatch | A rule with the 'DENY on Source Mismatch' option selected matched and resulted in a deny action.
Deny by Rule Time Mismatch | A rule with the 'DENY on Time Mismatch' option selected matched and resulted in a deny action due to the mismatch in time.
Deny Local Loop | A passing rule matched, but the destination is a local system IP address. Targeted local IP addresses must be redirected.
Deny No Address Translation possible | The matching rule contains an address translation table which does not specify how to translate the particular source IP address.

6.4.3.2 Block Reasons

Table 416 Reasons for connection blocks

Block Reasons | Description
Block Broadcast | Broadcasts are not propagated.
Block by Dynamic Rule | The session request was matched by a dynamic rule which is set to be blocked.
Block by Rule | A rule blocks a session request explicitly.
Block by Rule Destination Mismatch | A rule with the 'BLOCK on Destination Mismatch' option selected matched and resulted in a blocking action.
Block by Rule Interface Mismatch | A rule with the 'BLOCK on Interface Mismatch' option selected matched and resulted in a blocking action due to the interface mismatch.
Block by Rule Service Mismatch | A rule with the 'BLOCK on Service Mismatch' option selected matched and resulted in a blocking action.
Block by Rule Source Mismatch | A rule with the 'BLOCK on Source Mismatch' option selected matched and resulted in a blocking action.
Block by Rule Time Mismatch | A rule with the 'BLOCK on Time Mismatch' option selected matched and resulted in a blocking action due to the mismatch in time.
Block Echo Session Limit Exceeded | The number of total Echo sessions was exceeded for a request.
Block Local Loop | A passing rule matched, but the destination is a local system IP address. Targeted local IP addresses must be redirected. Use action type "Local Redirect" for IP redirection to a local IP.
Block Multicast | Multicasts are not propagated.
Block No Address Translation possible | The matching rule contains an address translation table which does not specify how to translate the particular source IP address.
Block no Rule Match | No rule matched for the requested session. The default action is to block the request.
Block Other Session Limit Exceeded | The number of total OTHER protocol sessions was exceeded for a request.
Block Pending Session Limit Exceeded | The source IP address has too many pending sessions. Further requests which would lead to more pending sessions are blocked.
Block Rule Limit Exceeded | The total number of allowed sessions for the matched rule was exceeded.
Block Rule Source Limit Exceeded | The number of allowed sessions per source IP address for the matched rule was exceeded.
Block Size Limit Exceeded | A packet which exceeds the specified size limit (for ICMP-Echo) was received.
Block Source Echo Session Limit Exceeded | The number of total ECHO sessions per source IP was exceeded for a request.
Block Source Session Limit Exceeded | The number of total sessions per source IP was exceeded for a request.
Block UDP Session Limit Exceeded | The number of total UDP sessions was exceeded for a request.
Forwarding is disabled | A forwarding firewall service does not exist or is inactive.

6.4.3.3 Drop Reasons

Table 417 Reasons for connection drops

Drop Reasons | Description
Forwarding not Active | A packet could be assigned to an active session, but the forwarding firewall service is blocked, resulting in temporarily dropping all forwarding traffic.
ICMP Header Checksum is Invalid | The ICMP header checksum did not verify.
ICMP Header is Incomplete | The ICMP header of the packet is shorter than the minimum ICMP header length (8 bytes) or shorter than the indicated ICMP header length.
ICMP Packet is Ignored | An ICMP packet contains a type other than UNREACHABLE or TIME_EXCEEDED and is ignored.
ICMP Reply Without a Request | An ICMP-Echo-Reply packet was received but no associated Echo session was found.
ICMP Type is Invalid | The ICMP header contained an unknown ICMP type.
IP Header Checksum is Invalid | The IP header checksum did not verify.

Table 417 Reasons for connection drops (continued)

Drop Reasons | Description
IP Header Contains Source Routing | The source routing IP option is set.
IP Header has Invalid IP Options | The IP option encoding is malformed or contains unknown IP options.
IP Header is Incomplete | The packet is shorter than the minimum IP header length (20 bytes) or shorter than the indicated header length.
IP Header Version is Invalid | The IP version is different from 4.
IP Packet is Incomplete | The packet is smaller than the indicated total packet length.
No socket for packet | An outgoing TCP or UDP packet could not be assigned to an active socket on the system (RAW socket sending).
Packet Belongs to no Active Session | A received ICMP could not be assigned to an active session and is therefore dropped.
Rate Limit Exceeded | An Echo-Request packet could be assigned to an existing Echo session but was found to result in a too fast request rate. Note: The interval value is displayed in increments of tens (ms).
Reverse Routing Interface Mismatch | The reverse routing path differs from the path the packet was received on (receiving interface differs from sending interface). IP-Spoofing protection.
Size Limit Exceeded | An Echo-Request/Reply packet could be assigned to an existing Echo session but was found to exceed the configured size limit.
Source is an Invalid IP Class | IP addresses 240-255.x.x.x are not allowed.
Source is Broadcast | The source address is a broadcast address.
Source is Local Address | The source address is an IP address which is active on the local system and is therefore not expected as a sender address.
Source is Loopback | The source address is a loopback address 127.x.x.x.
Source is Multicast | The source address is a multicast address.
TCP Header Checksum is Invalid | The TCP header checksum did not verify.
TCP Header has Invalid TCP FLAGS | The TCP header contains useless combinations of TCP flags (SYN+RST, SYN+FIN).
TCP Header has Invalid TCP Options | The TCP options encoding is malformed.
TCP Header is Incomplete | The TCP header of the packet is shorter than the minimum TCP header length (20 bytes) or shorter than the indicated TCP header length.
TCP Packet Belongs to no Active Session | A received TCP packet could not be assigned to an active TCP session and is not an initial TCP packet (SYN packet).
UDP Header Checksum is Invalid | The UDP header checksum did not verify.
UDP Header is Incomplete | The UDP header of the packet is shorter than the minimum UDP header length (8 bytes) or shorter than the indicated UDP header length.
Unknown ARP Operation | The 'operation' field of an ARP packet is neither a request nor a reply.
Session Creation Load Exceeded | A packet triggering a new session evaluation was dropped because the actual CPU usage for session creation/evaluation has exceeded its limit.

6.4.3.4 Fail Reasons

Table 418 Reasons for connection failures

Fail Reason | Description
Accept Timeout | The accept timeout for TCP session establishment was exceeded (TCP only). Possible IP spoofing attempt.
Connect Timeout | The connection timeout for TCP session establishment was exceeded (TCP only). The destination IP address was found not to be reachable.
Denied by Filter | A next hop denied forwarding by a filter rule.
Fragmentation Needed | The destination cannot be reached with the used MTU size without fragmentation. Only occurs if Path-MTU-Discovery is used by the source or the destination.
Host Access Denied | Access to the destination address was denied by one of the next hops.
Host Unreachable | The destination is accessed through a direct route but does not respond to an ARP request.
Host Unreachable for TOS | The requested IP address is not reachable for the used Type of Service.
Network Access Denied | Access to the destination network was denied by one of the next hops.
Network Unreachable | The network for the destination of a request is not reachable (no routing entry on one of the next hops).
Network Unreachable for TOS | The requested network is not reachable for the used Type of Service.
No Route to Host | The local system has no routing entry for the requested destination.
Port Unreachable | The destination system does not service the requested port number.
Protocol Unreachable | The destination system does not support the requested protocol.
Routing Triangle | Happens if a SYN followed by an ACK is registered without a SYN-ACK of the destination. This is an indication of a triangle route in the network.
Source Route Failed | Source Routing was requested but could not be performed. Will not occur, since source routed packets are dropped.
Unknown Network Error | Default network error.

6.5 Authenticated User

This tab provides information concerning Firewall Authentication (see 10.3 Monitoring, page 203).

6.6 Dynamic Rules and Data

The Dynamic tab of the firewall GUI is the part where information about dynamic processes within the rule set lives.

There are mainly three things which happen dynamically during normal operation: counting of protected IPs, redirection, and dynamic rule activation.

To refresh the displayed information, click the Update List button.
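The IP and TCP header checks among the drop reasons of Table 417 (6.4.3.3 above) can be tried out offline. The following Python checker is an added example, not the manual's or the appliance's code: it returns the table's reason name for the first check a raw IPv4 packet fails; the order of the checks, the set of IP options treated as known, the limited-broadcast test and the constructed test addresses are assumptions.

```python
"""Header sanity checks behind the drop reasons of Table 417.
Added example, not the appliance's code: check_ipv4_packet() takes a raw IPv4 datagram
(no link-layer header) and returns the table's reason name for the first failed check, or
None. Check order, the IP options treated as known and the constructed addresses are assumptions."""
import struct
from typing import Iterator, Optional

LOCAL_ADDRESSES = {"192.0.2.1"}             # constructed: addresses active on the local system
KNOWN_IP_OPTIONS = {0, 1, 7, 68, 131, 137}  # EOL, NOP, RR, TS, LSRR, SSRR (assumed list)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def option_kinds(opts: bytes) -> Iterator[int]:
    """Yield each TLV option type (IP and TCP share the encoding); ValueError if malformed."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        yield kind
        if kind == 0:                      # end of option list
            return
        if kind == 1:                      # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        i += opts[i + 1]


def check_source(src: bytes) -> Optional[str]:
    if src == b"\xff\xff\xff\xff":         # limited broadcast only (assumption)
        return "Source is Broadcast"
    if src[0] == 127:
        return "Source is Loopback"
    if 224 <= src[0] <= 239:
        return "Source is Multicast"
    if src[0] >= 240:
        return "Source is an Invalid IP Class"
    if ".".join(map(str, src)) in LOCAL_ADDRESSES:
        return "Source is Local Address"
    return None


def check_ip_options(opts: bytes) -> Optional[str]:
    try:
        for kind in option_kinds(opts):
            if kind in (131, 137):         # loose / strict source route
                return "IP Header Contains Source Routing"
            if kind not in KNOWN_IP_OPTIONS:
                return "IP Header has Invalid IP Options"
    except ValueError:
        return "IP Header has Invalid IP Options"
    return None


def check_tcp(seg: bytes, src: bytes, dst: bytes) -> Optional[str]:
    offset = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if offset < 20 or len(seg) < offset:
        return "TCP Header is Incomplete"
    if seg[13] & 0x02 and seg[13] & 0x05:  # SYN together with RST or FIN
        return "TCP Header has Invalid TCP FLAGS"
    try:
        list(option_kinds(seg[20:offset]))
    except ValueError:
        return "TCP Header has Invalid TCP Options"
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    if internet_checksum(pseudo + seg) != 0:
        return "TCP Header Checksum is Invalid"
    return None


def check_ipv4_packet(pkt: bytes) -> Optional[str]:
    if len(pkt) < 20:
        return "IP Header is Incomplete"
    if pkt[0] >> 4 != 4:
        return "IP Header Version is Invalid"
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl:
        return "IP Header is Incomplete"
    if len(pkt) < total_len:
        return "IP Packet is Incomplete"
    if internet_checksum(pkt[:ihl]) != 0:
        return "IP Header Checksum is Invalid"
    src, dst = pkt[12:16], pkt[16:20]
    reason = check_ip_options(pkt[20:ihl]) or check_source(src)
    if reason or pkt[9] != 6:              # only TCP payloads are inspected further here
        return reason
    return check_tcp(pkt[ihl:total_len], src, dst)


def build_tcp_packet(src: str, dst: str, flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed test input: IPv4 header (options padded to 32 bits) plus a bare TCP header."""
    ip_options += b"\x00" * (-len(ip_options) % 4)
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    csum = internet_checksum(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0, 0, 64, 6, 0, s, d) + ip_options
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + tcp
```

Flipping one byte of a valid packet, or building one with a loopback source or a SYN+FIN flag combination, yields the corresponding reason name exactly as the Info column of the access cache would show it.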

6.6.1 Dynamic Rules


This tab provides information about use of dynamic rules
and network objects of type Hostname (see 2.2.4.1
Hostname (DNS Resolvable) Network Objects, page 149).

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


186 | Real Time Information and Manipulation > Shaping Firewall

Data regarding use of dynamic rules is arranged in the Clicking the Update List button reloads the display.
following columns in the upper section of the tab:
To the right of the Update List button, general info
Table 419 Columns available in the upper section of the Dynamic Rules tab concerning the license of your Barracuda NG Firewall is
shown.
Column Description
Rule Icon visualising the rule status (inactive ; active ) The following columns are available:
and the name of the dynamic rule.
Table 421 Columns in the protected IPs tab
Status Current state of the rule (Disabled - inactive; Enabled -
active). Column Description
Expires Interval until the current state expires. ID Icon visualising the protected IP status (obsolete ;
Expire Action Action that is taken as soon as the dynamic activation
expires. licensed ) and a progressional ID number.
Status Status of each protected IP address (licensed or
obsolete).
Data regarding Hostname network objects is arranged in
Last Expired time since the IP address was counted the last
the following columns in the lower section of the tab: time.
Table 420 Columns available in the lower section of the Dynamic Rules tab Address Address of the protected IP.

Column Description
Index Progressional ID number of the Hostname network
object. The Index number is determined by the
6.6.3 Dynamic Services
combination of the Max. DNS Entries value (page 135)
and the percental breakdown of DNS queries allowed This tab provides information concerning protected IPs
for network objects in use by the local and forwarding
firewall rule sets. Index numbers start with 0 for
and is used in conjunction with ONCRPC (see 11. RPC,
network objects used by the forwarding firewall. The page 204 and 11.4 Monitoring, page 209).
initial index number for network objects used in the
local firewall is 75 % of the Max. DNS Entries value,
that is 384 with the default of 512 Max. DNS Entries
configured. 6.6.4 Redirect Availability
Note:
Keep in mind that CC-administered boxes inherit global, Redirecting an address to many others on a cycle or
cluster- and range-specific Hostname objects. These
objects are automatically added to the memory space
fallback policy is a dynamic process. The firewall decides
of the forwarding firewall rule set. on the fly what to do if one or more target addresses are
DNS Name DNS resolvable host name configured in the network not available.
object.
Status Current state of the network object. The following
The state of such rules is displayed here and uses the
states are available: New, Pending, Resolved. following columns:.
Addresses Result of the DSN query.
Table 422 Rule state overview
Last Update Time that has passed since the currently active DNS
entry was last retrieved by the Barracuda NG Firewall. Column Description
Lifetime Lifetime that is configured in the network object. Rule Name of the rule.
Address Target Address.
Note: Used Number of connection requests re-directed to target
address.
To update the DNS resolution of currently used network
Unreach Since Time since the target is unavailable.
objects manually, select one or multiple list entries, then
Last Retry Time since last retry.
right-click and then click Refresh selected DNS entries
Count Retry Number of retries since target was marked unavailable.
in the context menu.
Bad Port Unreachable port; important when the rule is sensitive
on more than one critical port.

6.6.2 Protected IPs


6.6.5 SIP
This tab provides information concerning the number of
active licensed IPs (so-called protected IPs). This tab provides information about voice media
The firewall license contains a parameter that limits the connections (Voice over IP 5. Monitoring, page 380).
number of IP addresses that are "protected" by the
firewall. For licensing see page 539. To monitor the
number of protected addresses the firewall has a count
algorithm that defines which addresses are to be
considered as a protected address.
The firewall enters a valid IP address into the list of 6.6.6 Bridging ARPs
protected IPs as soon as network activity occurs. Once an
address is entered, but no network activity occurs for that This tab provides information about connections, which
particular address for more than an hour, the address will have been established over bridging interfaces
be set to obsolete and does not count as protected address (9.6.3 Visualisation, page 197).
any more. Periodic checking of the status of protected IPs
happens every 30 minutes. Thus it may occur that IP
addresses are counted as active for up to 1 hour and
30 minutes. 6.7 Shaping

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Firewall Tracing Connections < Real Time Information and Manipulation | 187

This tab provides information about enterprise traffic shaping. For details see Enterprise Shaping, Realtime Information, page 88.

6.8 Tracing Connections

Connection tracing is a powerful tool for firewall management. The Barracuda NG Firewall is able to record every data byte which takes its way through the firewall engine. This ability is most important to detect errors in network based applications fast, and thus a definite need for network administrators who deal with an ever changing environment.
Connection tracing is configurable in the following two ways:
- A current connection may be selected in the Status tab of the firewall monitoring GUI and monitored from the moment tracing is activated.
- Tracing conditions may be defined in the Conditions section within the Trace tab of the firewall monitoring GUI and monitored from the moment a corresponding connection is initiated.

6.8.1 Tracing of Active Connections

In the Status tab of the firewall control window you can select a set of active connections, press the right mouse button and select Toggle Trace. From that moment on the selected connections are traced and you will be able to see all data transferred within these connections in the trace view.
The traced connections get an additional -Trace entry in the Org column.
To stop tracing simply select the traced connections, press the right mouse button and select Toggle Trace again.

6.8.2 Tracing of Connections Matching Defined Conditions

In the upper left part of the trace view window precise conditions can be defined under which a connection will be traced.

Attention:
If you choose the tracing conditions too general, you will suffer a decrease in performance. Furthermore, it will be very difficult to find the connection you actually need to trace.

Note:
Tracing conditions are only evaluated if the so-called User space rule set is used. Thus tracing conditions are only available if the parameter Use Kernel Rule Set is set to no (see 2.1.1.4 Operational, page 136).

Note:
Trace conditions are only evaluated for forwarding firewall traffic. Thus trace conditions cannot be applied for local traffic. Tracing of local traffic is only available for active connections (see above).

Note:
The introduction of a new trace condition has no effect on already established sessions.

Table 423 Possible tracing conditions
Column: Description
Rule: Name of the rule to be traced.
Source Address: IP address of the source; single IPs or netmasks allowed.
Source Port: Port of the source address.
Destination Address: IP address of the destination; single IPs or netmasks allowed.
Destination Port: Port of the destination address.
Maximum Counts: Only the first n packets are recorded. 0 is the service default, which can be set in the firewall service parameters. The default is 512.
Maximum Bytes: Only the first n kilobytes are recorded. 0 is the service default, which can be set in the firewall service parameters. The default is 256 KB.
Active: You can keep a list of predefined trace conditions and switch them on/off by setting this flag.

6.8.3 Tracing Window

On the left side is the list of all available tracing sessions. The naming scheme is rule_sourceIP_sourcePORT_destIP_destPORT.dbg. The corresponding files are located in /var/phion/debug/trans.
The maximum number of recorded tracing sessions can be set in the firewall basic configuration. The default is 512.
Double-clicking on a trace session opens the session on the right hand side. The connection traffic is depicted in the following style:
- Green: Data sent by source
- Blue: Data sent by destination
- Yellow: Messages from firewall (closing of connections)
The following checkboxes are used for filtering the view:
- Binary: Show traffic in binary notation
- Text: Show traffic in text notation
- Source: Show traffic generated by source
- Destination: Show traffic generated by destination
- Header: Show traffic header
- Header Info: Show header information

Note:
The depicted time stamp is that of the firewall system time in the time zone of the Barracuda NG Admin computer. If, for example, the firewall is on UTC and your workstation is on Central European Summer Time you will get the system time of the firewall +2 hours.

6.9 FW Audit Log Service

The FW Audit Log Service may be activated on every Barracuda NG Firewall box without additional licensing. You need to activate the generation of Firewall Audit data within the configuration dialog Box > Infrastructure Services > General Firewall Configuration > Reporting > Audit Info Generation > Settings by setting the parameter Audit Delivery to Local File.
Firewall Audit data is by default stored locally, but may be forwarded to the Barracuda NG Control Center or to separate Barracuda NG Firewall boxes running the FW Audit Log Service for central collection.
More information about provided functionality is available in Barracuda NG Control Center 12. CC Firewall Audit Viewer, page 483.

7. Firewall Rule Sets

7.1 Direct Modification and Activation

Beside the standard way via the configuration tool it is possible to edit a firewall rule set directly within the operative firewall GUI. This is not allowed if the system is managed by a Barracuda NG Control Center.
Firewall rule sets are standard ASCII files and can be exported and imported. The configuration engine, however, checks whether the rule set to activate originates from the active one or not. This check is not performed during the standard configuration process.

8. Log Files

The firewall service generates several log files in /var/phion/logs.
As the firewall engine operates as a box service, it logs into the box part of the log tree. This is the main log file.
In addition, it logs all entries related to forwarding traffic into a service specific log file.
All standard logs are in the main log file. Additionally administrative logs and logs regarding changes of the rule set are logged twice in separate log files.

8.1 Standard Log Files

- box_Firewall.log: Main log file. All log entries are in this file. Information about tunnel and transport is only visualized on active kernel rule set.
- srv_servername_servicename.log: Service log file. All forwarding rules related entries are in this file.
- srv_servicename_rulename.log: Generated when own log file is chosen for a certain rule. All traffic is logged in the main log file and in this one.
- srv_servername_servicename_Content.log: This log file contains all log entries created by the content filter (see 2.3.1 Content Filter (Intrusion Prevention), page 159).


9. Bridging

9.1 General

Bridging is commonly used to separate LAN segments in a flat structured network. Bridging can easily be implemented into a network retroactively, if physical segmentation of a flat structure becomes necessary. Typical bridging application areas are commercial ISP environments, where physical segmentation of different customers' machines is necessary.

9.2 Bridging Goals and Benefits

The Barracuda NG Firewall bridging concept particularly aims at easy setup and configuration. One of its demands is to achieve stealth mode, that means nodes should not be aware of any active bridging involved.
The following are the main benefits of Barracuda NG Firewall bridging:
- Bridging allows for physical segmentation of network nodes within a logical network.
- There is no need for client configuration change.
- Full network transparency (down to Layer 2) can be achieved.
- Firewalling can be implemented between LAN segments.

Fig. 477 Flat network structure before segmentation [figure: Logical Network 10.0.8.0/24 connected to a Router]

9.3 Bridging Methods

9.3.1 Transparent Layer2 Bridging

Transparent Layer2 Bridging can be implemented best in a network with already existing and configured routers where only a few networks are to be separated. The following are the main characteristics of Transparent Layer2 Bridging:
- The bridging interface carries no IP address. Thus, it is not visible to other interfaces and as a result not vulnerable.
- All network traffic is delivered using Layer 2 lookups.
- Bridging is Layer 2 transparent, which means that the source MAC is propagated in connection requests.
- The bridged network nodes cannot locally communicate with the interface.
- A Transparent Layer2 Bridge requires a separate interface making it accessible for configuration.

Fig. 478 Network segmentation in a Transparent Layer2 bridged environment [figure: Logical Network 10.0.8.0/24; LAN 3 with Default Gateway 10.0.8.1; Bridge; LAN 1 with 10.0.8.10 and 10.0.8.12; LAN 2 with 10.0.8.20, 10.0.8.31, 172.31.1.25 and 172.31.1.1]

The configuration example is described in detail at the end of this chapter (see 9.6.2.1 Using Transparent Layer2 Bridging, page 195).

9.3.2 Routed Transparent Layer2 Bridging

A Routed Transparent Layer2 Bridge is meant to be implemented in a network where the Barracuda NG Firewall, besides bridging functionality, may as well offer further functions. As the Barracuda NG Firewall by all means acts as a router, additional routers are no longer required. Beyond this, the bridging interfaces can be configured to use any other service installed on the Barracuda NG Firewall.
The following are the main characteristics of Routed Transparent Layer2 Bridging:
- The bridging interface carries an IP address.
- Depending on source or destination, packets are delivered by either Layer 2 or Layer 3 lookup.

- Bridging is Layer 2 transparent, which means that the source MAC is propagated in connection requests.
- Unknown destinations are actively "ARPed".
- Traffic between routed and bridged destinations is forwarded.
- Bridged network nodes may (if allowed) locally communicate with the interface, which means that beside bridging other Barracuda NG Firewall services may be utilized simultaneously.

Fig. 479 Network segmentation in a Routed Transparent Layer2 bridged environment [figure: Logical Network 10.0.8.0/24; Bridge with Routing Functionality acting as Default Gateway 10.0.8.1; LAN 1 with 10.0.8.10 and 10.0.8.12; LAN 2 with 10.0.8.20, 10.0.8.31, 172.31.1.25 and 172.31.1.1]

The configuration example is described in detail at the end of this chapter (see 9.6.2.3 Using Routed Transparent Layer2 Bridging - Example 2, page 196).

9.3.3 Layer3 Bridging

Layer3 Bridging works best with client/server groups, which seldom communicate with other machines than the ones belonging to their own group. It is easy and quick to configure, if only few clients are involved. The more clients the bridge has to serve the more time-consuming the configuration gets, as bridging and routing must be configured for each client explicitly. Depending on residual demands it is better to configure a (Routed) Transparent Layer2 Bridge instead, if many clients are involved.
The following are the main characteristics of Layer3 Bridging:
- Layer3 Bridging is implemented with Proxy ARPs and host/network routes.
- All network traffic is delivered using Layer 3 lookups.
- All bridged network nodes must be entered into the configuration.
- Bridging is NOT Layer 2 transparent, which means that the source MAC is not propagated in connection requests.
- Traffic between routed and bridged destinations is forwarded.
- Bridged network nodes may (if allowed) locally communicate with the interface.

Figure 480 shows a common situation in which implementation of Non Transparent Translational Bridging would be appropriate.

Fig. 480 Flat network structure [figure: four LAN PCs in 10.0.8.0/24]

In the logical network 10.0.8.0/24 the encircled PC is to be detached from the other LAN PCs and protected by a firewall.
A possible approach to achieve this could be to define a new network (for example, 10.0.8.160/29) and place the PC inside this network. A firewall between the two networks could act as a router and as protective interface for the PC.
The disadvantage of such an approach is that network settings of all clients are to be modified. Through bridging implementation full security can be provided even in a flat network architecture, with only the need to change network settings on the client, which is to be separated.

Fig. 481 Non Transparent Translational Bridging [figure: LAN2 PC 10.0.8.162 on eth1 of a Bridge with Routing Functionality; the LAN PCs in 10.0.8.0/24 on eth0]

As depicted in figure 481, after separation, the firewall acts as bridge between the networks 10.0.8.160/29 and 10.0.8.0/24.
All ARP requests transmitted between the networks 10.0.8.160/29 and 10.0.8.0/24 are answered by the firewall.
The configuration example is described in detail at the end of this chapter (see 9.6.2.4 Using Layer3 Bridging, page 196).

9.3.4 Bridging Characteristics in Comparison

Table 424 Bridging characteristics in comparison
Columns: Transparent Layer2 Bridging; Routed Transparent Layer2 Bridging; Layer3 Bridging [the check-mark cells are not reproduced; only row and column labels are recoverable]
- Mac Transparent
- Routing-Bridging-Forwarding
- Local Firewall Traffic (Gateway)
- Auto Learning of Network Nodes
- Active Learning of Network Nodes
- Next Hop Bridging


Table 424 Bridging characteristics in comparison (continued)
- Broad-Multicast Propagation (marked for all three bridging methods)
- High Availability (marked for all three bridging methods)
- VLAN capable (marked for all three bridging methods)

9.4 Security

Bridging heavily depends on broadcasts for the purpose of establishing connectivity. This behavior leads to a few weak points to be considered carefully in order to implement bridging in a secure manner.
Apart from the factor that broadcasts in huge environments consume a lot of bandwidth, regard must be paid to the aspect that bridging is inherently insecure and therefore requires a trusted environment.
Barracuda NG Firewall offers methods which allow holding off the most common attacks.

9.4.1 IP or ARP Spoofing

Network nodes may for example use IP addresses of fake ARP responses in order to fake network traffic with arbitrary IP addresses. Since the firewall security enforcement is performed on layer 3 this would equal bypassing of the security policy. These issues can be solved by taking the following measures:
- Segment Access Control Lists (Bridging Interface ACLs): Specify allowed IP addresses on a segment explicitly.
- Static Bridge ARP Entries: Specify IP, MAC, and segment statically to avoid learning via ARP.
- MAC based Firewall Rules: Introduce source MAC conditions for network objects.
- ARP Change reporting: Configure any changes of IP-MAC-Segment relationships to be reported in access cache and log.

9.4.2 Destination MAC Spoofing

Another security issue in bridged environments is the possible exploitation made available through security enforcement on layer 3 and traffic delivery on layer 2. This issue can be solved by taking the following measure:
- Enforce layer 2 once a layer 3 session is granted
MAC addresses for a session are then fixated upon session creation and enforced until session end.

Fig. 482 Destination MAC spoofing prevention [figure: Bridge between LAN 1 (client 10.0.8.20), LAN 2 (clients 10.0.8.12 and 10.0.8.10 with MAC-A) and LAN 3 (client with MAC-B). First Packet: Dest. MAC: MAC-A, Dest. IP: 10.0.8.10. Second Packet: Dest. MAC: MAC-B, Dest. IP: 10.0.8.10]

In the situation depicted in figure 482, a client from LAN 1 tries to enforce a connection grant to a client in LAN 3. To do so, it sends a first packet to the client in LAN 2 using MAC-A as destination MAC and the IP address 10.0.8.10 as destination IP. After the session has been granted through the bridge and communication has been allowed, it sends a second packet to the client in LAN 3 using MAC-B as destination MAC and again IP address 10.0.8.10 as destination IP. It thus tries to spoof the destination MAC of its connection request. If MAC enforcement is configured, the communication to the client in LAN 3 will not be granted.

9.5 Implementation of Logical Entities

Table 425 Structural breakdown of bridging units [diagram: Bridging Group "test" with ACL 10.0.8.0/24 and 10.0.7.0/24 and virtual interface phbr-test; Bridging Interfaces eth1.123, eth1.234 and eth3; Bridging ARPs: eth1.123 / 00:02:34:56:77:88 / 10.0.8.20, 10.0.7.50; eth1.123 / 00:08:55:34:32:78 / 10.0.8.22 (STATIC); 00:08:55:34:32:78 / 10.0.8.1; eth1.234 / 00:12:55:66:21:71 / 10.0.8.30]

9.5.1 Bridging Groups

A bridging group defines a set of network interfaces for which network traffic will be forwarded using bridging.

9.5.2 Bridging Interfaces

A bridging interface is a network interface that was assigned to a bridging group and is therefore subject to bridged traffic forwarding between bridging interfaces.

Note:
A bridging interface can only be member of one bridging group.

9.5.3 Bridging ARP Entries

A bridging ARP entry (BARP) stores the information on which bridge interface a certain MAC address resides. Additionally, associated IP addresses are stored along with the BARP entry.

Note:
The IP address is only used for visualisation purposes.

9.5.3.1 Dynamic BARPs

Dynamic BARPs are built up during run time by analysing network traffic. Whenever a packet is received on an interface, dynamic BARPs are generated or updated. This way the firewall "learns" which MAC address resides on which bridging interface. When analysing ARP packets the Layer 3 IP information is added to the BARP entry by adding the IP address.
Dynamic BARPs are characterized by the following activities:
- MAC-Interface relationship learned by any IP traffic
- MAC-Interface-IP relationship learned by ARP traffic

9.5.3.2 Static BARPs

Static BARPs are part of the configuration and define a MAC-Interface-IP relationship that is present at all times and will not be overwritten by "learning" from traffic.

9.5.4 Bridging Interface ACL

The Bridging Interface ACL (Access Control List) specifies which IP addresses are expected to be received on a bridging interface. These ACLs can be used to enforce a Layer 3 topology when operating on the firewall. The most restrictive implementation would be to maintain a list of single IP addresses that are to be expected on a certain bridge interface.

9.5.5 Virtual Bridge Interface

The virtual bridge interface is an interface that acts as parent interface for all interfaces of a bridging group. The name of a virtual interface is always the name of the bridging group with a phbr- prefix (phbr-<group-name>).

9.5.6 Virtual Bridge Interface IP Address

Optionally, each virtual bridge interface may be configured with an IP address and a netmask. This way the firewall itself can actively probe (learn) on which segments which MAC address resides. It can also route traffic from a routed network to a bridged network or between bridging groups. Through the introduction of a virtual bridge interface one switches from Transparent Layer2 to Routed Transparent Layer2 Bridging.
The main characteristics a virtual bridge interface brings along are the following:
- Active ARP queueing
- Forwarding between bridge groups
- Forwarding between routed and bridged networks
- Local firewall traffic (application gateways)
- Still MAC transparent (like Transparent Layer2 Bridging)
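The following added example (not Barracuda NG Firewall code; all MAC and IP values are constructed after the manual's figures) models the controls of sections 9.4.1, 9.4.2, 9.5.3 and 9.5.4 in Python: a Bridging Interface ACL, static BARPs that dynamic learning cannot overwrite, ARP change reporting, and MAC enforcement of a granted session, replaying the scenario of figure 482.

```python
"""Model of the bridging security controls of sections 9.4 and 9.5:
Bridging Interface ACLs, static vs. dynamic BARPs, ARP change reporting
and layer 2 (MAC) enforcement of a granted layer 3 session.
Added illustration only; not Barracuda NG Firewall code. All MAC and IP
values are constructed after the figures in the manual."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Barp:
    """Bridging ARP entry: on which interface a MAC resides, plus its IPs."""
    mac: str
    interface: str
    ips: set = field(default_factory=set)
    static: bool = False


class BridgingGroup:
    def __init__(self, name, acl):
        # acl: interface -> networks/hosts expected on it (Bridging Interface ACL)
        self.name = name
        self.acl = {ifc: [ipaddress.ip_network(n) for n in nets]
                    for ifc, nets in acl.items()}
        self.barps = {}      # mac -> Barp
        self.sessions = {}   # (src_ip, dst_ip) -> (src_mac, dst_mac) fixated MACs
        self.reports = []    # what ARP change reporting / the log would record

    def add_static_barp(self, mac, interface, ip):
        """Static BARP: fixed MAC-Interface-IP relationship, never overwritten."""
        self.barps[mac] = Barp(mac, interface, {ip}, static=True)

    def acl_allows(self, interface, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl.get(interface, []))

    def learn(self, mac, interface, ip=None):
        """Dynamic BARP learning from a received packet (ip is given for ARP
        packets). Returns True if the packet is accepted for learning."""
        if ip is not None and not self.acl_allows(interface, ip):
            self.reports.append(f"ACL: {ip} not expected on {interface} (MAC {mac})")
            return False
        # an IP bound by a static BARP cannot be claimed by another MAC
        for b in self.barps.values():
            if b.static and ip in b.ips and b.mac != mac:
                self.reports.append(f"ARP change: {ip} claimed by {mac}, static owner {b.mac}")
                return False
        entry = self.barps.get(mac)
        if entry is None:
            self.barps[mac] = Barp(mac, interface, set() if ip is None else {ip})
            return True
        if entry.static:
            # static entries are not updated; a deviating interface is only reported
            if entry.interface != interface:
                self.reports.append(f"ARP change: static {mac} seen on {interface}")
                return False
            return True
        if entry.interface != interface:
            self.reports.append(f"ARP change: {mac} moved {entry.interface} -> {interface}")
            entry.interface = interface
        if ip is not None:
            entry.ips.add(ip)
        return True

    def grant_session(self, src_ip, src_mac, dst_ip, dst_mac):
        """Layer 3 grant; with MAC enforcement both MACs are fixated (9.4.2)."""
        self.sessions[(src_ip, dst_ip)] = (src_mac, dst_mac)

    def forward(self, src_ip, src_mac, dst_ip, dst_mac):
        """Packet of an existing session: allowed only with the fixated MACs."""
        fixed = self.sessions.get((src_ip, dst_ip))
        if fixed is None:
            return False
        if fixed != (src_mac, dst_mac):
            self.reports.append(f"MAC enforcement: {src_ip}->{dst_ip} via {dst_mac} dropped")
            return False
        return True


def demo():
    """Replays the scenarios of 9.4.1 and figure 482 with constructed values."""
    grp = BridgingGroup("test", {"eth1": ["10.0.8.0/24"],
                                 "eth2": ["10.0.8.0/24"],
                                 "eth3": ["10.0.8.1/32"]})
    grp.add_static_barp("00:08:55:34:32:78", "eth3", "10.0.8.1")        # default gateway
    learned = grp.learn("00:02:34:56:77:88", "eth1", "10.0.8.20")       # LAN 1 client ARP
    # IP/ARP spoofing attempts by the LAN 1 node (9.4.1):
    acl_rejected = grp.learn("00:02:34:56:77:88", "eth1", "10.0.7.50")  # not in eth1 ACL
    spoof_learned = grp.learn("00:02:34:56:77:88", "eth1", "10.0.8.1")  # static gateway IP
    # Destination MAC spoofing (figure 482): session granted towards 10.0.8.10
    # at MAC-A; the second packet names the same IP but MAC-B in LAN 3.
    grp.grant_session("10.0.8.20", "00:02:34:56:77:88", "10.0.8.10", "MAC-A")
    first = grp.forward("10.0.8.20", "00:02:34:56:77:88", "10.0.8.10", "MAC-A")
    second = grp.forward("10.0.8.20", "00:02:34:56:77:88", "10.0.8.10", "MAC-B")
    return {"learned": learned, "acl_rejected": acl_rejected,
            "spoof_learned": spoof_learned, "first": first, "second": second,
            "reports": grp.reports}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```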


9.5.7 Broad- and Multicast

Broad- and multicast can be forwarded between segments and routed networks. In order to allow broad- or multicast propagation a specific rule action must be chosen. Once a rule is introduced that explicitly allows such a propagation, a list of
- Network interfaces
- IP addresses
- Multicast addresses
can be specified in order to define how the broad- or multicast should be propagated. Note that Broad- to Uni- or Multicast translations are possible.
A rule specified as below:
Rule from 10.0.8.0/24 to 10.0.0.255 (ALL-UDP)
Action Broad-Multicast
Propagate 10.0.1.45, eth1.123, eth2.234, eth4:10.0.4.244, phbr-test, eth3:224.1.2.3
will result in the following propagation mechanisms:
Unicast to 10.0.1.45
Broadcast 10.0.8.255 on interface eth1.123
Broadcast 10.0.8.255 on interface eth1.234
Broadcast 10.0.4.255 on interface eth4
Broadcast 10.0.8.255 on all bridge interfaces on bridge group phbr-test
Multicast 224.1.2.3 on interface eth3

9.5.8 High Availability

Bridging ARPs are synchronized to the partner box along with the session synchronisation. Synchronized BARPs are inactive as long as no bridging group exists that indicates bridged forwarding. Upon activation (HA takeover) the bridging groups are introduced and all related BARP entries activated. Along with the activation a dummy ARP request is sent on all bridging interfaces except for the one the BARP resides on. This causes the MAC address to be entered into the MAC-Port Table of the switch.
Action elements of High Availability bridging scenarios are:
- Firewall session synchronisation
- BARP HA synchronisation
- Dummy ARP for switch MAC-Port update

9.6 Bridging Configuration

Bridging is set up through the following configuration areas:
- On single boxes in Config > Box > Virtual Servers > Assigned Services > Firewall > Firewall Forwarding Settings > Bridging tab
- On CC administered boxes in the MC's respective repository.

9.6.1 Bridging Tab

To create Transparent Layer2 or Routed Transparent Layer2 Bridging, the setup is done through the Bridging tab of the Firewall Forwarding Settings node. Here the following parameters are available for configuration:

List 451 Firewall Forwarding Settings - Bridging section Layer2 Bridging
Parameter: Description
Bridging Group: Click the Insert button and insert a Name for a new Bridging Group. Select an available Bridging Group and click the Edit button to change settings. Click the Delete button to delete all selected entries irreversibly. Creation of a new Bridging Group opens a further configuration area allowing specification of Bridging Devices and Device IP addresses.
  Note: In the Firewall Access Cache, bridging groups are labelled with the letters phbr prefixed to the group name as specified.
  Bridging Device: All interfaces created in this place are the ones responsible for bridge traffic forwarding. A bridging interface is defined by the following parameters:
    Name: In this place the exact labelling of the network interface has to be entered as it is listed in the network configuration. If explicit interfaces are in use, the Name has to match the Interface Name (page 69) as defined in the Section Additional Local Networks; if VLANs are in use the Name has to be constructed to match the Hosting Interface and the VLAN ID (page 65) separated by a dot (for example eth1.5) as defined in the Network - Virtual LANs Configuration section, Virtual LAN Configuration List 330.
    Allowed Networks: The value of this parameter consists of all networks, which are allowed to communicate over this Bridging Device. The values specified can be complete networks, individual client/server IP addresses or network ranges.
    Unrestricted MACs: List of MAC addresses that are excluded from Allowed Networks.
    MAC Change Allowed: This setting specifies, if network interfaces participating in a bridging group may change. A very restrictive policy will Deny-MAC-Change, a less restrictive policy should Allow-MAC-Change (default).
    Comment: Entering a comment is optional but useful for quicker orientation when many bridging interfaces are in use.
  Device IP Address:
    Device IP Address: This parameter takes one or multiple IP addresses that are to be assigned to a bridging group.
    IP Netmask: Each entry is built up of the Device IP Address and its IP Netmask.
  Note: If the Device IP Address field is left empty, the Bridging Device is configured not to carry an IP address and thus Transparent Layer2 Bridging is configured. As soon as the Bridging Device IP is specified, Routed Transparent Layer2 Bridging has been created.
Use IP BARP Entries: This parameter controls generation of IP entries for all bridging ARP entries within a Bridging Group. When set to yes (default), the Barracuda NG Firewall does not only learn the allocation of MAC addresses to ports from processed IP and ARP traffic, but also records IP addresses that are assigned to a specific MAC address in a separate table. Set to no, if a huge number of IP addresses within a specific network segment might cause an ARP table overrun.


List 451 Firewall Forwarding Settings - Bridging section Layer2 Bridging (continued)
Parameter: Description
Static Bridge MAC: This configuration area may be used for static MAC/IP address combinations to minimize the risk of IP/ARP or Destination MAC Spoofing (see above).
  Static Bridge MAC: The expected MAC address of the external interface is set here.
  Device: This is the name of the bridging interface through which the connection request is expected to be handled.
  IP Address: This is the IP address of the external interface bound to the Static Bridge MAC specified before.
  Comment: Entering a comment is optional but useful for quicker orientation when many static entries are in use.
Bridging TTL Policy: This parameter controls the bridge's handling of the TTL field in the header of an IP packet. The following options are available:
  Decrease-TTL (default): The TTL value is decreased by 1 every time a packet arrives anew. When the TTL value reaches 0, the packet is dropped.
  Do-NOT-Decrease-TTL: The TTL value remains unchanged.

List 452 Firewall Forwarding Settings - Bridging section Quarantine Bridging
Parameter: Description
Quarantine Group: To edit an already existing entry, select it and click Edit. To create a new entry, click Insert. To remove an existing entry, select it and click Delete. See list 453 for parameter description.

List 453 Firewall Forwarding Settings - Bridging section Quarantine Bridging - Quarantine Group
Parameter: Description
Disable Quarantine Group: Disables this quarantine group. Use this to quickly deactivate a fully configured quarantine group.
Quarantine Class 1 Interface: Specifies one interface, where all quarantine class 1 clients will be located. This interface must not already be member of any other quarantine group.
Quarantine Class 2 Interface: Specifies one interface, where all quarantine class 2 clients will be located. This interface must not already be member of any other quarantine group.
Quarantine Class 3 Interface: Specifies one interface, where all quarantine class 3 clients will be located. This interface must not already be member of any other quarantine group.
LAN Interfaces: A list of interfaces where clients live. These clients may change their state to a quarantine class which is located on one of the above quarantine class interfaces.

9.6.2 Example Configurations

9.6.2.1 Using Transparent Layer2 Bridging

Fig. 483 Configuration of Transparent Layer2 Bridging [figure: Logical Network 10.0.8.0/24; LAN 3 with Router 10.0.8.2 and Default Gateway 10.0.8.1 on eth3; Bridge; LAN 1 on eth1 with 10.0.8.10 and 10.0.8.12; LAN 2 on eth2 with 10.0.8.20, 10.0.8.31, 172.31.1.25 and 172.31.1.1]

The realisation of Transparent Layer2 Bridging as depicted in the example above requires the following configuration settings:
In Firewall Forwarding Settings > Bridging:

Fig. 484 Bridging Group Setup for Transparent Layer2 Bridging [figure]

- Define a Bridging Group.
- Add the Bridging Devices eth1, eth2, and eth3 to the Bridging Group.
- Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
- Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
- Add the default gateway 10.0.8.1 to the Allowed Networks parameter of Bridging Device eth3.
- If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
- The Device IP Address of the Bridging Group is not to be configured, as an external router (Default Gateway 10.0.8.1) already exists.

9.6.2.2 Using Routed Transparent Layer2 Bridging - Example 1

Fig. 485 Configuration of Transparent Layer2 Bridging [figure: Logical Network 10.0.8.0/24; Bridge with Routing Functionality acting as Default Gateway 10.0.8.1; LAN 1 on eth1 with 10.0.8.10 and 10.0.8.12; LAN 2 on eth2 with 10.0.8.20, 10.0.8.31, 172.31.1.25 and 172.31.1.1]

In figure 485 a similar network setup has been created like in figure 483, page 195 with one main difference, though - the bridge has been set up with routing functionality. Clients in LAN1 and LAN2 may now profit from being able to locally communicate with the bridging devices.
The realisation of Routed Transparent Layer2 Bridging as depicted in the example above requires the following configuration settings:
In Firewall Forwarding Settings > Bridging:

Fig. 486 Bridging Group Setup for Routed Transparent Layer2 Bridging - Example 1 [figure]

- Define a Bridging Group.
- Add the Bridging Devices eth1 and eth2 to the Bridging Group.
- Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
- Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
- If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
- Configure the Default Gateway address 10.0.8.1 as Device IP Address of the Bridging Group.

9.6.2.3 Using Routed Transparent Layer2 Bridging - Example 2

Fig. 487 Configuration of Routed Transparent Layer2 Bridging [figure: Logical Network 10.0.8.0/24; Bridge with Routing Functionality acting as Default Gateway 10.0.8.1; LAN 1 on eth1 with 10.0.8.10 and 10.0.8.12; LAN 2 on eth2 with 10.0.8.20, 10.0.8.31, 172.31.1.25 and 172.31.1.1]

In the configuration example depicted in figure 487 introduction of a Device IP address is a must as no further router exists. The realisation of the setup requires the following configuration settings:
In Firewall Forwarding Settings > Bridging:

Fig. 488 Bridging Group Setup for Routed Transparent Layer2 Bridging [figure]

- Define a Bridging Group.
- Add the Bridging Devices eth1 and eth2 to the Bridging Group.
- Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
- Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
- If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
- Add the default gateway 10.0.8.2 to the Allowed Networks parameter of Bridging Device eth3.
- Configure the Default Gateway address 10.0.8.1 as Device IP Address of the Bridging Group.

9.6.2.4 Using Layer3 Bridging

Fig. 489 Configuration of Non Transparent Translational Bridging [figure: LAN2 PC 10.0.8.162 connected to eth1 of the Bridge with Routing Functionality; the LAN PCs in 10.0.8.0/24 connected to eth0]


The realisation of non transparent translational bridging depicted in the example above requires the following configuration settings.

In the Networks tab of the Rules configuration area of the Forwarding Firewall:

• Create a new Net Object for LAN2 PC. Enter the LAN2 PC's IP address 10.0.8.162 into the IP/Ref field of this Net Object.

Fig. 490 Net Object creation for LAN2 PC

• Set parameter Bridging to Bridging ENABLED (Advanced Settings).

Note:
See List 425 Net Object configuration parameters, section Bridging, page 149 for parameter configuration details.

• In the Advanced Settings window of the Bridging parameter enter the value eth1 (the bridge's network interface pointing to LAN2 PC) into the Device Addresses Reside field.
• Enter network 10.0.8.0/24 into the Parent Network field.
• Activate the checkboxes Introduce Routes and Restrict PARP to Parent Network.

Fig. 491 Bridging Parameters configuration

• Corresponding Proxy ARP Objects, ensuring that ARP requests are answered on the wanted interface, are automatically generated when a Net Object with Bridging activated is created. Their references can be viewed in the Proxy ARPs tab of the Rules configuration area:

Fig. 492 Proxy ARP Object - Bridging Parent Network

Fig. 493 Proxy ARP Object - Bridging Host Proxy ARP

For further information on Proxy ARP Objects see 2.2.9 Proxy ARPs, page 158.

9.6.3 Visualisation

Fig. 494 Firewall > Dynamic > Bridging ARPs tab

In the Bridging ARPs tab of the Firewall box menu entry (Dynamic tab > Bridging ARPs tab) all connections are recorded which have been established over bridging devices. Clicking the Update List button refreshes the list of entries.

Each row reports one connection establishment. The following columns are used to detail it:

Table 426 Overview of bridging operational information in the Bridging ARPs tab
  Column     Description
  MAC        The MAC address of the external interface which has established a connection to the bridging interface.
  Interface  The bridging interface through which the connection has been established.
  Group      The name of the Bridging Group the interface belongs to.
  IPs        The IPs recorded here belong to the MAC address displayed in the first column.
  Type       The IPs bound to a MAC address are dynamic if they have been learned dynamically through proxy ARPing. The type is static if the MAC/IP combination documented through the other columns has been configured statically through the parameter Static Bridge MAC (list 451, page 194).
  Timer      The time interval which has passed since the connection establishment has been recorded.

Clicking the label in the title row of each column sorts the entries ascending or descending by name. Right-clicking a selected entry makes the following actions available in a context menu:

• Remove Selected MACs
  Deletes the selected MAC address(es) from the list.
• Remove IPs from Selected MAC
  Deletes IP addresses from a specific MAC which have been saved during a bridged connection establishment, without removing the MAC address itself from the list.

9.6.4 Configuring Broadcast and Multicast Propagation over Bridging Interfaces

Fig. 495 Utilising action type Broad-Multicast for Bridging Groups

Propagation of, for example, shared network interfaces is achieved through distribution of broadcast messages. If interface sharing is needed in bridged network setups, a rule allowing for this has to be introduced. Use the firewall action type Broad-Multicast to enable propagation of broadcast and multicast messages. Configure the values in the following way:

Table 427 Broad-Multicast action type rule configuration
  Field             Description
  Source            the network the shared interface resides in
  Destination       the source network's broadcast address
  Propagation List  the name of the bridging group responsible for bridge traffic forwarding (phbr-<group_name>)

10. Firewall Authentication

The Firewall Authentication component allows adding user information (in addition to IP addresses) to firewall rules, which results in a fourth condition (beside source, service, and destination). The firewall rule matches only as long as each condition is fulfilled. Since the firewall engine can only process IP addresses, a user - IP address mapping is performed.

Attention:
Due to the user - IP address mapping it is mandatory to have unique IP addresses for all users which ought to be authenticated by the firewall.

Barracuda Networks offers two types of firewall authentication:

• Inline Authentication
  works only in conjunction with HTTP and HTTPS. This way of authentication injects the authentication request into the data stream. The authentication is done via a pop-up window in the client's browser. The firewall redirects the HTTP/S request to an internal authentication server. This server generates the authentication request within the browser window by sending an HTTP 401 status code (Server Auth) to the client's browser.

Fig. 496 Connection buildup using inline authentication
[Diagram: Step 1: HTTP+S connection request from the Client and verification of the authentication data by fwauthd (firewall authentication daemon) on the Firewall; Step 2: Authentication data OK and connection establishment from Client through Firewall to Server over HTTP+S]

• Offline Authentication
  works in conjunction with all protocols (for example, POP3). When using this authentication method a browser is required to enter the authentication info (then checked by the fwauth daemon) in order to get access granted.

  Note:
  This browser window has to stay open as long as the connection is required. Otherwise the connection will be terminated due to a (configurable) refresh timeout.

Fig. 497 Connection buildup using offline authentication
[Diagram: Step 1: Connection request from the Client's Browser and verification of the authentication data by fwauthd (firewall authentication daemon) on the Firewall; Step 2: Authentication data OK and connection establishment (for example, POP3) from Client through Firewall to Server]

10.1 Configuring Firewall Authentication

10.1.1 Configuring the fwauth Daemon

The fwauth daemon (required for Offline Authentication, see above) is configured via the following parts of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>).

10.1.1.1 Authentication

List 454 Firewall configuration - Authentication parameters, section FW Authentication Server
  Parameter   Description
  Settings    By clicking Show a configuration dialog is opened where the settings concerning firewall authentication are to be specified (see 10. Firewall Authentication, page 199). The dialog provides the following parameters:

    Force re-authentication [default: Yes]
      Activating this parameter (by setting it to Yes) causes the user to re-authenticate as soon as the login times out.
    WWW root [/var/phion/fwauthd]
      This directory specifies the root directory of the mini web server provided by Barracuda Networks.
    HTTP/1.1-Keep-Alive [Yes]
      Enables HTTP/1.1 keep-alive sessions on the mini web server (see the timeout below).
    HTTP/1.1-Keep-Alive timeout [10]
      Defines after which time (in minutes) a keep-alive session is terminated.
    Authentication success page [success.html]
      The HTML page specified here is shown after a successful firewall authentication. Take into consideration that it is relative to WWW root (see above).
    Authentication error page [error.html]
      The HTML page specified here is shown after a failed firewall authentication. It is relative to WWW root (see above).
    Authentication logout page [logout.html]
      The HTML page specified here is shown after a successful firewall authentication logout. It is relative to WWW root (see above).
    Authentication index page [index.html]
      The HTML page specified here is used as login page. It is relative to WWW root (see above).
    Max size of a file to cache (kb) [2048]
      Files that exceed this value will not be cached but loaded from disk.
    Max files to cache [20]
      The maximum number of files that are cached simultaneously.
    Refresh auth every min [5]
      Defines after how long (in minutes) the authentication is refreshed. If the authentication information cannot be retrieved (for example because the authentication browser window has been closed) the connection is terminated.
    Refresh auth tolerance min [1]
      The authentication is automatically refreshed (without prompting) if the peer reconnects within <Refresh auth every min + Refresh auth tolerance min>.

  Root certificates
    Here the root certificate for verification of browser peer certificates is handled.
  Default HTTPS Private Key / Default HTTPS Certificate
    The default key generated/imported here will be used for offline authentication via SSL connections (see 10. Firewall Authentication, page 199). Take into consideration that default certificate AND default key must match for successful connection establishment.
  Destination-specific SSL-Settings
    Via this field you may define certain certificates and keys that are used for SSL connections to explicit IP addresses.

10.1.1.2 Phibs

The following parameters are available for specifying Phibs behavior:

List 455 Firewall configuration - PHIBS settings, section Phibs Authentication Settings
  Parameter   Description
  PHIBS Authentication Scheme
    A pull-down menu gives five different schemes to choose from: MSNT, RADIUS, LDAP, MSAD, RSAACE.
    Note:
    The authentication schemes are activated and configured in the box configuration (Configuration Service 5.2.1 Authentication Service, page 111).
  PHIBS Listen IP
    Defines the IP address of the box the PHIBS authentication daemon is running on.
  PHIBS Timeout
    Specifies the response timeout (in minutes) for the authentication server.
  User List Policy
    The option deny-explicit means that all domain users listed in the user list are not allowed to use the proxy service. The option allow-explicit means that only domain users listed in the user list are allowed to use the proxy service. This does not mean that they do not require authentication.
  User List
    List of usernames that are used for the User List Policy.

10.1.1.3 WWW tab

This tab acts as a simple upload tool for the integrated Barracuda NG Firewall web server that is used during Offline Authentication, for either HTML code or binaries. A possible task would be to place the proxy.pac in the configured root directory (parameter WWW root, see 10.1.1.1 Authentication, page 199) of the integrated web server.

Note:
Do not customize the default HTML files (see list 454, page 199). Consequences of customization:
• Dirty Release status (see Control 2.5.1 Section Version Status, page 37).
• The customized files will potentially be overwritten when installing patches or updates.

10.1.2 Introducing User-specific Rules

For this purpose the Create Rule dialog provides the Authenticated User section, where you can select an existing user object (see 10.1.2.1 Firewall - User Window) or set a user explicitly. The available parameters for user configuration are the same for both ways of configuring.

10.1.2.1 Firewall - User Window

This window is used for defining user-specific rules. Such rules are required when using the Firewall Authentication feature. In order to open the configuration dialog for a new user/user group click New in the Edit User navigation bar of the Firewall - User Groups window of the Rules tab. Now enter a name for this user/user group data set and, optionally, a describing text. By clicking New, the next configuration dialog for defining the user conditions is opened. This dialog provides the parameters listed below.

Note:
Take into consideration that combining fields is also possible, for example for enforcing a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).

Fig. 498 Configuration dialogs - User Object & User Condition


List 456 Firewall configuration - Rules - User Groups, section Authentication Pattern
  Parameter   Description
  Login Name
    This parameter serves for defining the required login name. Using wildcards (? and *) is also possible (?* requires at least one character as login name).
  Group Patterns
    This field allows specifying the required group assignment(s) according to the affected external authentication scheme (MSAD, LDAP or RADIUS). The following buttons are available: Add (adding a new entry), Edit (modifying an existing entry), Delete (removing a marked entry).
    Note:
    Combining fields is also possible, for example for enforcing a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).
    For information concerning how to gather such group patterns, see Appendix 1.1 How to gather Group Information, page 544.

List 457 Firewall configuration - Rules - User Groups, section Policy Roles Patterns
  Parameter   Description
  Selector
    This field allows specifying the required group assignment(s) according to the affected external authentication scheme (MSAD, LDAP or RADIUS). The following buttons are available: Add (adding a new entry), Edit (modifying an existing entry), Delete (removing a marked entry).

List 458 Firewall configuration - Rules - User Groups, section X509 Certificate Pattern
  Parameter   Description
  Subject
    Here the subject of the affected X.509 certificate is to be entered. By clicking Edit the dialog Certificate Condition is opened, where the required subject has to be configured. If multiple subject parts (key value pairs) are required, separate them with / (for example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2). Using wildcards (?, *) is possible.
    Attention:
    Take into consideration that the order of the parts is mandatory.
  Issuer
    Here the issuer of the affected X.509 certificate is to be entered. By clicking Edit the dialog Certificate Condition is opened, where the required issuing instance has to be configured. If multiple issuer parts (key value pairs) are required, separate them with / (for example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2). Using wildcards (?, *) is possible.
    Attention:
    Take into consideration that the order of the parts is mandatory.
  Policy
    Here the certificate policy identifier (ISO OID) of the used X.509 certificate may be entered.
  AltName
    Here the SubjectAltName of the used X.509 certificate may be entered.

List 459 Firewall configuration - Rules - User Groups, section VPN User Pattern
  Parameter   Description
  VPN Name / VPN Group
    Parameter VPN Name holds the required VPN login name. Parameter VPN Group holds the required VPN group policy the user has to be assigned to.
    Note:
    When using Offline Authentication ensure that user-specific rules are sequenced after the fwauth rule (see 10.1.4 Activate Offline Firewall Authentication).

List 460 Firewall configuration - Rules - User Groups, section Authentication Method
  Parameter   Description
  Origin
    This parameter is used for defining the type of originator. The following originators are available: VPNP (PersonalVPN), VPNG (GroupVPN), VPNT (Tunnel), HTTP (Browser login), Proxy (Login via proxy).
  Server / Service / Box
    These parameters allow enforcing authentication on a certain server/service/box.

10.1.3 Activate Inline Firewall Authentication

In order to activate Inline Firewall Authentication, enter the Advanced Rule Parameters dialog of the affected rule and set the parameter Authentication to the required authentication mode. The following modes are available:

• No Inline Authentication (default)
• Login+Password Authentication
• X509 Certificate Authentication
• X509 Certificate & Login+Password Authentication

10.1.4 Activate Offline Firewall Authentication

10.1.4.1 Introducing Redirect Rule for fwauthd

fwauthd listens on the following ports of the local loopback (127.0.0.1) adapter:

• 443 - listening for HTTPS connections (authentication via user & password)
• 444 - listening for connections using X.509 certificates for authentication
• 445 - listening for connections using X.509 certificates and user/password for authentication
• 80 - listening for HTTP connections (authentication via user & password)

To introduce a redirect rule for fwauthd, it is necessary to redirect the IP address the users connect to for authentication purposes.

Attention:
The port used must correspond to the authentication method; otherwise authentication fails.


Step 1 Create a fwauth rule
Step 2 Action: Select Local Redirect
Step 3 Destination: Enter the IP address to be accessed by users in order to authenticate themselves
Step 4 Redirection: Enter the loopback IP address (127.0.0.1) and the correct port
Step 5 Service: Enter the correct port for your authentication method

Note:
After introducing the rule ensure that the just created fwauth rule is on top of the user-specific rules.

In the example below a rule has been introduced redirecting a client with the IP address 10.0.8.1, attempting access to the firewall authentication interface running on http://10.0.8.112, to the fwauth daemon on 127.0.0.1:80.

Fig. 499 fwauthd redirection rule

10.1.4.2 Introducing a User Authentication Rule for fwauthd

After the firewall authentication redirection rule has been introduced, actions can be defined for authenticated users. In the example below, shell access to any server in the Internet is explicitly allowed for user "support", in case this user has established a connection using the IP address 10.0.8.1.

Fig. 4100 fwauthd user authentication rule

Note:
The Barracuda NG Authentication Client is available to automate and facilitate the firewall authentication procedure (10.2 Barracuda NG Authentication Client, page 202).

10.1.4.3 Authentication Procedure

When firewall authentication has been configured, the user authenticates using a browser. In the example below the firewall authentication login screen is opened on http://10.0.8.112 using Microsoft Internet Explorer.

Fig. 4101 Firewall Authentication login screen

Note:
Having logged in, do not close the browser window until firewall authentication is no longer needed. Closing the browser window terminates the active firewall authentication session.

Fig. 4102 Firewall Authentication succeeded login screen

10.2 Barracuda NG Authentication Client

The Barracuda NG Authentication Client (available on your Application flash USB stick) is appointed to automate handling of Offline Firewall Authentication. The client is an optional tool which can be installed if it is desirable to avoid cumbersome browser window operation.

Only one parameter has to be provided explicitly during installation:

• Home Page
  This is the URL of the firewall authentication login interface. With regard to the example described in 10.1.4 Activate Offline Firewall Authentication, the homepage would be entered as http://10.0.8.112.

Note:
The homepage URL can always be changed afterwards in the configuration options of the tool itself.

Note:
During installation the Barracuda NG Authentication Client adopts the connection settings provided in the Internet Explorer settings. If proxy settings are to be adjusted for Barracuda NG Authentication Client usage, the settings must always be changed directly in Internet Explorer and not in the tool itself.

The Barracuda NG Authentication Client is automatically started with Microsoft Windows (Registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phionauth.exe).

You may manually start the client from the Start menu by browsing to Start > Barracuda Networks > Barracuda NG Firewall Authentication > Barracuda NG Authentication Client.

A browser-like window opens asking for the specific login data. Enter the user information you have been supplied with and log in to the firewall. You may now close the window again. The client withdraws to an icon in the status bar. It may be opened from the status bar, either to log out from the firewall or to be closed.

Note:
Exiting from the client leads to a timeout on the firewall and thus terminates an active firewall authentication connection.

10.3 Monitoring

Monitoring takes place in the AuthUser tab of the Firewall box menu entry. The button Update List on top of this tab allows starting the updating sequence manually. The following columns are used for displaying all necessary information:

Table 428 Monitoring parameters overview
  Column        Description
  Peer          This column contains the IP address used to establish the connection and an icon for each auth-connection type: VPNT - VPN Tunnel, VPNP - Personal VPN, VPNG - Group VPN, HTTP - via browser
  Timeout       Displays the time until the authentication expires
  Origin        Displays the type of connection used for authentication. The following entries are possible: VPNT - VPN Tunnel, VPNP - Personal VPN, VPNG - Group VPN, HTTP - via browser
  Server / Service / Box
                Displays the server/service/box that was used for authentication purposes
  User          Shows the login name.
  Groups        Displays the authentication group the user is assigned to
  VPN Name      Shows the name of the VPN tunnel
  VPN Group     Displays the group policy the user is assigned to
  X509 Subject / X509 Issuer / X509 Policy / X509 AltName
                These columns show information obtained from the X.509 certificate that was used for authentication.
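The following is an added example (not code from this guide or from the appliance) that models what sections 10.1.1.1, 10.1.4.1 and 10.1.4.2 describe: the fourth rule condition resolved through a user - IP mapping, the refresh timers that end a session once the browser window is closed, and the two rule-set constraints (the fwauth redirect rule above every user-specific rule, and the redirect port matching the authentication method). The Rule and AuthTable classes, the lint helper, the peer address 203.0.113.5 and the minute-based clock are assumptions of the example; the ports, timer defaults and rule ordering come from the text.

```python
"""Added example (not the guide's or the appliance's code): a model of the offline
firewall authentication flow from 10.1.1.1, 10.1.4.1 and 10.1.4.2. The Rule and
AuthTable classes, the lint helper and the minute-based clock are assumptions of
this example; the ports, timer defaults and ordering rule are taken from the text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# fwauthd listeners on 127.0.0.1 (10.1.4.1): port -> authentication method it serves
FWAUTHD_PORTS = {80: "login+password", 443: "login+password",
                 444: "x509", 445: "x509+login+password"}
REFRESH_AUTH_EVERY_MIN = 5      # List 454 default
REFRESH_AUTH_TOLERANCE_MIN = 1  # List 454 default


@dataclass
class Rule:
    name: str
    src: str                   # CIDR
    dst: str                   # CIDR
    dport: Optional[int]       # None = any port
    action: str                # "pass", "block" or "local-redirect"
    user: Optional[str] = None                     # the fourth match condition
    redirect_to: Optional[Tuple[str, int]] = None  # (ip, port) for local-redirect
    auth_method: Optional[str] = None              # method the redirect rule serves


class AuthTable:
    """user <-> IP mapping kept by fwauthd: one user per client IP (hence the unique
    IP address requirement), dropped when the browser window stops refreshing."""

    def __init__(self, every=REFRESH_AUTH_EVERY_MIN, tolerance=REFRESH_AUTH_TOLERANCE_MIN):
        self.sessions = {}           # ip -> (user, minute of last refresh)
        self.deadline = every + tolerance

    def login(self, ip, user, now):
        self.sessions[ip] = (user, now)

    def refresh(self, ip, now):
        """Refresh sent by the open browser window; renews silently while the peer
        comes back within 'Refresh auth every' + 'Refresh auth tolerance'."""
        user = self.user_for(ip, now)
        if user is None:
            return False
        self.sessions[ip] = (user, now)
        return True

    def user_for(self, ip, now):
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, last = entry
        if now - last > self.deadline:   # refresh missed: session terminated
            del self.sessions[ip]
            return None
        return user


def rule_matches(rule, src, dst, dport, user):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport)
            and (rule.user is None or rule.user == user))


def evaluate(rules, table, src, dst, dport, now):
    """First matching rule wins; the user condition is resolved via the auth table."""
    user = table.user_for(src, now)
    for rule in rules:
        if rule_matches(rule, src, dst, dport, user):
            return rule.name
    return "implicit-block"


def lint_ruleset(rules):
    """The two checks the guide insists on: the redirect port fits the method, and
    the fwauth rule sits above every user-specific rule."""
    problems, redirect_seen = [], False
    for rule in rules:
        if rule.action == "local-redirect":
            ip, port = rule.redirect_to
            if ip != "127.0.0.1" or FWAUTHD_PORTS.get(port) != rule.auth_method:
                problems.append("%s: %s:%d does not serve %s" % (rule.name, ip, port, rule.auth_method))
            redirect_seen = True
        elif rule.user is not None and not redirect_seen:
            problems.append("%s: user-specific rule placed above the fwauth rule" % rule.name)
    return problems


# Rule set of the 10.1.4 example: client 10.0.8.1, login page on 10.0.8.112, user
# "support" allowed shell (SSH) access to the Internet. 203.0.113.5 is a constructed peer.
RULES = [
    Rule("fwauth", "10.0.8.0/24", "10.0.8.112/32", 80, "local-redirect",
         redirect_to=("127.0.0.1", 80), auth_method="login+password"),
    Rule("support-ssh", "10.0.8.1/32", "0.0.0.0/0", 22, "pass", user="support"),
    Rule("block-all", "0.0.0.0/0", "0.0.0.0/0", None, "block"),
]


def scenario():
    """Walks one session through RULES; 'now' values are minutes on a simulated clock."""
    table, out = AuthTable(), {}
    out["before_login"] = evaluate(RULES, table, "10.0.8.1", "203.0.113.5", 22, now=0)
    out["login_page"] = evaluate(RULES, table, "10.0.8.1", "10.0.8.112", 80, now=0)
    table.login("10.0.8.1", "support", now=0)              # fwauthd accepted the credentials
    out["after_login"] = evaluate(RULES, table, "10.0.8.1", "203.0.113.5", 22, now=1)
    out["refreshed"] = table.refresh("10.0.8.1", now=5)    # browser window still open
    out["within_tolerance"] = evaluate(RULES, table, "10.0.8.1", "203.0.113.5", 22, now=11)
    out["expired"] = evaluate(RULES, table, "10.0.8.1", "203.0.113.5", 22, now=12)  # window closed
    return out
```

The scenario shows why the guide insists on keeping the browser window open: one missed refresh beyond the 5 + 1 minute window silently removes the user from the table, and the same SSH packet that matched "support-ssh" a minute earlier falls through to "block-all". Running lint_ruleset over a rule set with the user rule placed first, or with a login+password redirect pointed at port 444, reports exactly the two misconfigurations 10.1.4.1 warns about.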


11. RPC

11.1 General

Barracuda NG Firewall provides three ways of dealing with RPC: passive, active, and active & passive.

Table 429 RPC comparison passive / active
  Mode     Advantage                                                  Disadvantage
  Passive  The firewall immediately notices RPC port changes          The firewall notices the RPC port which is used only on client requests.
           (traffic analysis client -> server).                       If a firewall reboot occurs, the firewall will not know the port until the
                                                                      next client request gets scanned.
  Active   The firewall actively looks for all RPC information        All RPC servers are to be configured manually. Port changes within a
           independent of client requests.                            polling interval will not be recognized by the firewall.

• PASSIVE, which means "sniffing" RPC information passively.
  Using this type causes the firewall engine to read the RPC information from RPC requests (using UDP/TCP on port 135 (DCERPC) or port 111 (ONCRPC)) automatically, using the plugin DCERPC or ONCRPC. This way you benefit from the fact that the firewall is always up-to-date on the currently valid ports (with slight performance loss, though). The main problem of passive is that in case of a reboot of the firewall there would not be any information concerning the required ports, as the information is not written to disk. This would lead to a blocked connection attempt.
• ACTIVE, which means requesting RPC information actively.
  This method uses a defined RPC server from which the firewall obtains the RPC information periodically. A benefit of this type is that the firewall knows the type of services available on the RPC server. However, problems may occur if the RPC server is not available for some time. In this case the RPC server may have new portmapping information as soon as it is online again, but the firewall still uses the "old" information as valid, which leads to blocked connection attempts.
• ACTIVE & PASSIVE at the same time, that is combining the benefits of both (recommended).

11.2 ONCRPC

ONCRPC (Open Network Computing Remote Procedure Call; formerly known as SUNRPC) allows services to register on a server, which then makes them available on dynamic TCP/UDP ports. By means of this mechanism, ports required for specific purposes (for example NFS) can be dynamically enabled without weakening a strict security policy.

The heart of ONCRPC is the so-called portmapper, an interface responsible for the allocation of ports and protocols to services. If an application demands a certain service, a request is sent to the portmapper. The portmapper's answer contains the required port and protocol, which are then used for connection establishment. How does the firewall handle such actions?

11.2.1 Configuring ONCRPC

Note:
Please consider the following configuration option regarding the parameter Dyn. Service when reading the guidance below, as it applies to all available methods:

• The parameter Dyn. Service can be configured to utilize all available services by just entering ONCRPC into the Dyn. Service field.

11.2.1.1 Configuring Passive ONCRPC

Step 1 Enabling access to the portmapper
Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 111. Last but not least, you need to enter the PlugIn ONCRPC in the General section of the Service Entry Parameters dialog (see figure).

Fig. 4103 General Service Object needed for creating a pass rule to enable passive ONCRPC


Step 2 Creating a rule for the required service (for example NFS)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use parameter Dyn. Service for defining the service information (which means servicename:serviceID; in our example this would be ONCRPC:100003, see figure 4104).

Fig. 4104 Service Object needed for enabling NFS usage via a portmapper

Step 3 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory to have the general rule (created during Step 1, page 204) situated above the service rules (created during Step 2, page 205).

11.2.2 Configuring Active ONCRPC

Step 1 Configuring the RPC server information
The RPC server information is configured via the RPC tab of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>). Via the button Edit you may modify an already existing server entry. Via the button Insert you may create a new server entry (both configuration dialogs are the same). Selecting an existing entry and clicking Delete removes this entry.

Fig. 4105 RPC Server information configuration dialog

The following parameters are available for configuration:

List 461 Firewall configuration - Forwarding Firewall - RPC tab, section RPC Settings
  Parameter   Description
  Default Poll Time (secs) [default: 300]
    The interval for requesting RPC information from the RPC server.

List 462 Firewall configuration - Forwarding Firewall - RPC tab, section ONCRPC Servers / DCERPC Servers
  Parameter   Description
  Name
    The describing name of the ONCRPC server specified at creation time.
  IP Address
    The IP address of the considered RPC server.
  Portmapper Port [111]
    The port the portmapper is listening on.
    Attention:
    The service object for the portmapper rule (created in Step 2, page 205) has to match this port.
  Optional Bind IP [0.0.0.0]
    An explicit IP address that is used when connecting to the RPC server. This comes in handy as soon as you are using policy routing. The default value 0.0.0.0 deactivates this parameter, and the correct bind IP address is determined via the routing table.
  Polling Time (secs) [300]
    The interval for requesting RPC information from this RPC server.
  Additional Addresses (NAT)
    If you want to use NAT, enter the corresponding addresses in this section.

Step 2 Enabling access to the portmapper
Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 111 (see figure 4106).

Note:
If you have specified an alternative port in the server configuration, do not forget to define this alternative port instead of the default port here.

Note:
Do not fill in the PlugIn field when configuring Active ONCRPC.

Fig. 4106 General Service Object needed for creating a pass rule to enable active ONCRPC
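The passive mode of 11.1 and Steps 1 to 3 of 11.2.1.1 describe the firewall learning dynamic ports by watching portmapper traffic on port 111. The following added example (not code from this guide or from the appliance) encodes and decodes the PMAPPROC_GETPORT call and reply as defined by RFC 1833 on top of the RPC version 2 message layout of RFC 5531, pairs them by transaction id into a "ONCRPC:<program>" -> (protocol, port) table, and then shows the passive-only failure mode: a freshly created learner (a rebooted firewall) knows no ports until the next client request. The PassiveOncRpcLearner class, its method names and the sample NFS exchange (program 100003, answered with port 2049) are constructed for the example; only UDP framing is handled, since TCP prepends a 4-byte record-marking header to every message.

```python
"""Added example (not the guide's or the appliance's code): the ONCRPC portmapper
GETPORT exchange (RFC 1833 over RFC 5531 framing) that a passive ONCRPC plugin
learns dynamic ports from. The learner class, its method names and the sample
exchange are constructed for this example. UDP framing only; TCP adds a 4-byte
record-marking header in front of each message."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MSG_CALL, MSG_REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
AUTH_NULL = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NAME = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


def build_getport_call(xid, prog, vers, prot):
    """CALL message asking the portmapper where (prog, vers, prot) is registered."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", AUTH_NULL, 0, AUTH_NULL, 0)   # cred and verf, both AUTH_NULL
    args = struct.pack(">IIII", prog, vers, prot, 0)           # port argument is ignored on GETPORT
    return header + auth + args


def build_getport_reply(xid, port):
    """Accepted REPLY carrying the port (0 = program not registered)."""
    return struct.pack(">IIIIIII", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)


def _opaque_auth_len(data, off):
    """Size of an opaque_auth: flavor, body length, body padded to a 4-byte boundary."""
    body_len = struct.unpack_from(">I", data, off + 4)[0]
    return 8 + (body_len + 3) // 4 * 4


def parse_getport_call(data):
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", data, 0)
    if mtype != MSG_CALL or rpcvers != 2:
        raise ValueError("not an RPCv2 CALL")
    if (prog, vers, proc) != (PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None                          # other RPC traffic on port 111
    off = 24
    off += _opaque_auth_len(data, off)       # skip cred
    off += _opaque_auth_len(data, off)       # skip verf
    want_prog, want_vers, want_prot, _ = struct.unpack_from(">IIII", data, off)
    return {"xid": xid, "prog": want_prog, "vers": want_vers, "prot": want_prot}


def parse_getport_reply(data):
    xid, mtype, reply_stat = struct.unpack_from(">III", data, 0)
    if mtype != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("not an accepted REPLY")
    off = 12 + _opaque_auth_len(data, 12)    # skip verf
    accept_stat, port = struct.unpack_from(">II", data, off)
    if accept_stat != SUCCESS:
        raise ValueError("accept_stat %d" % accept_stat)
    return xid, port


class PassiveOncRpcLearner:
    """Mirrors the passive mode of 11.1: watch port-111 traffic, pair replies with calls
    by xid and remember program -> (proto, port). Nothing is persisted, so a fresh
    instance (a rebooted firewall) knows no ports until the next GETPORT is seen."""

    def __init__(self):
        self.pending = {}    # xid -> (prog, vers, prot) of an unanswered GETPORT
        self.table = {}      # "ONCRPC:<prog>" -> set of (proto_name, port)

    def observe_call(self, data):
        call = parse_getport_call(data)
        if call:
            self.pending[call["xid"]] = (call["prog"], call["vers"], call["prot"])

    def observe_reply(self, data):
        xid, port = parse_getport_reply(data)
        req = self.pending.pop(xid, None)
        if req is None or port == 0:
            return None                      # unsolicited reply or unregistered program
        prog, _, prot = req
        key = "ONCRPC:%d" % prog
        self.table.setdefault(key, set()).add((PROTO_NAME[prot], port))
        return key, PROTO_NAME[prot], port

    def permits(self, dyn_service, proto, port):
        """Does a service object with Dyn. Service = dyn_service currently cover proto/port?"""
        if dyn_service == "ONCRPC":          # bare ONCRPC = every learned service
            return any((proto, port) in v for v in self.table.values())
        return (proto, port) in self.table.get(dyn_service, set())


def demo():
    """Constructed exchange: a client asks for NFS (100003 v3 over UDP), the portmapper
    answers 2049; a 'reboot' then shows why passive alone blocks the next connection."""
    fw = PassiveOncRpcLearner()
    fw.observe_call(build_getport_call(0x1234, 100003, 3, IPPROTO_UDP))
    learned = fw.observe_reply(build_getport_reply(0x1234, 2049))
    before = fw.permits("ONCRPC:100003", "udp", 2049)
    rebooted = PassiveOncRpcLearner()
    after = rebooted.permits("ONCRPC:100003", "udp", 2049)
    return learned, before, after
```

Pairing by xid is what keeps an unsolicited reply from poisoning the table, and the unanswered-call map is exactly the state that is lost on reboot; the active mode in 11.2.2 polls the portmapper itself so that the table can be rebuilt without waiting for a client. A port value of 0 in the reply means the program is not registered and must not be learned.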


Step 3 Creating a rule for the required service (for example NFS)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use parameter Dyn. Service for defining the service information (servicename:serviceID; in our example this would be nfs:100003, see figure 4107).

Fig. 4107 Service Object needed for enabling NFS usage via a portmapper

Step 4 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory to have the general rule (created during Step 2, page 205) situated above the service rules (created during Step 3, page 206).

11.2.2.1 Configuring Active&Passive ONCRPC (recommended)

Step 1 Configuring the RPC server information
Configure the RPC server information as described above in Step 1 Configuring the RPC server information, page 205.

Step 2 Enabling access to the portmapper
Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 111. Last but not least, you need to enter the PlugIn ONCRPC in the General section of the Service Entry Parameters dialog (see figure 4108).

Fig. 4108 General Service Object needed for creating a pass rule to enable active&passive ONCRPC

Step 3 Creating a rule for the required service (for example, NFS)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use parameter Dyn. Service for defining the service information (servicename:serviceID; in our example this would be nfs:100003).

Fig. 4109 Service Object needed for enabling NFS usage via a portmapper

Step 4 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory that the general rule (created during Step 2, page 206) is situated above the service rules (created during Step 3, page 206).


Note:
In addition to explicit creation of new Service Objects you may as well make use of the already existing predefined Service Objects (for example, Service Objects bound to Microsoft Exchange usage). Please consider, though, that you might possibly need to adapt the preconfigured objects due to potential requirement changes of the software.

11.3 DCERPC

The OSF Distributed Computing Environment (DCE) is a protocol standardized by the Open Group (www.opengroup.org/dce). Analogous to the ONCRPC protocol (see 11.2 ONCRPC, page 204), DCERPC allows services to register on a server which then provides these services on dynamic TCP/UDP ports.
The most widespread application depending on DCERPC is possibly Microsoft Exchange. Besides other Microsoft products, DCERPC is for example also used by HP OpenView.
Since the so-called end point mapper knows which service requires which port and protocol, the client application first sends a request to the end point mapper to determine the dynamically assigned ports.
The end point mapper listens on TCP/UDP port 135.

What is the difference from ONCRPC?
- The portmapper is called Endpoint Mapper and uses TCP/UDP port 135 instead of UDP/TCP 111.
- Services are identified via UUID instead of program numbers.
- Multiple services per port are possible. With multiple services on one TCP port, a "pre-validation" by the firewall is required. This pre-validation checks whether at least one service offered by this port is granted by the rule set:
  NO: block
  YES: the session is granted using the service name DCERPC:ANY and is subsequently analyzed further. As soon as the service is selected, the rule set is checked again to determine whether exactly this service is permitted. If granted, the service name changes to the now-known name and the session is active (the first matching rule is used). If the service is not permitted, the session is terminated.
- One service can be offered on multiple ports.
- Using UDP, DCERPC offers an additional function in order to avoid arbitrary spoofed requests to the RPC server.
- The service can change within a session.

11.3.1 Configuring DCERPC

Note:
Please consider the following configuration options regarding the parameter Dyn. Service when reading the guidance below, as they apply to all available methods:
- The parameter Dyn. Service can be configured to utilize all available services by just entering DCERPC into the Dyn. Service field.
- In addition to explicit creation of new Service Objects you may as well make use of the already existing predefined Service Objects (for example, Service Objects bound to Microsoft Exchange usage). Please consider, though, that you might possibly need to adapt the preconfigured objects due to potential requirement changes of the software.

11.3.1.1 Configuring Passive DCERPC

Note:
For the advantages and disadvantages of passive and active configuration see 11.1 General, page 204.

Step 1 Enabling access to the end point mapper
Create a pass rule for end point mapper access using a corresponding service object (default service object: DCERPC135). When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 135. Last but not least, you need to enter the PlugIn DCERPC in the General section of the Service Entry Parameters dialog (see figure 4110).

Fig. 4110 General Service Object needed for creating a pass rule to enable passive DCERPC
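The two-phase evaluation described above for ports carrying several DCERPC services (pre-validation as DCERPC:ANY, then a re-check once the service UUID is known, first matching rule wins), modelled as an added example that is not the guide's or the product's own code. Rule names, port numbers and the UUIDs are constructed placeholders.

```go
package main

import "fmt"

// Action of a forwarding rule.
type Action int

const (
	Block Action = iota
	Pass
)

// Rule is the part of a pass/block rule that matters for dynamic DCERPC
// services: transport, port and the Dyn. Service field, which is either
// "DCERPC" (every service) or "servicename:UUID" (exactly one service).
type Rule struct {
	Name       string
	Proto      string
	Port       int
	DynService string
	Action     Action
}

// EndpointMap is what the firewall learned from end point mapper traffic on
// port 135: per "proto/port", the services (servicename:UUID) offered there.
type EndpointMap map[string][]string

func epKey(proto string, port int) string { return fmt.Sprintf("%s/%d", proto, port) }

// matchRule applies first-matching-rule semantics for one concrete service.
func matchRule(rules []Rule, proto string, port int, service string) (Rule, bool) {
	for _, r := range rules {
		if r.Proto == proto && r.Port == port && (r.DynService == "DCERPC" || r.DynService == service) {
			return r, true
		}
	}
	return Rule{}, false
}

// Session is the firewall's view of one client connection to a dynamic port.
type Session struct {
	Service string // DCERPC:ANY after pre-validation, then the selected service
	Rule    string // name of the rule currently granting the session
	Active  bool
}

// preValidate is the first check on a port that may carry several services:
// the session is granted as DCERPC:ANY if at least one service the end point
// mapper offers on proto/port is permitted by the rule set; otherwise blocked.
func preValidate(rules []Rule, ep EndpointMap, proto string, port int) (Session, bool) {
	for _, svc := range ep[epKey(proto, port)] {
		if r, ok := matchRule(rules, proto, port, svc); ok && r.Action == Pass {
			return Session{Service: "DCERPC:ANY", Rule: r.Name, Active: true}, true
		}
	}
	return Session{}, false
}

// selectService re-checks the rule set once the client has bound to a concrete
// service. The text notes the service can change within a session, so the
// firewall runs this on every change; a service no rule permits terminates it.
func (s *Session) selectService(rules []Rule, proto string, port int, service string) bool {
	s.Service = service
	r, ok := matchRule(rules, proto, port, service)
	s.Active = ok && r.Action == Pass
	if s.Active {
		s.Rule = r.Name
	} else {
		s.Rule = ""
	}
	return s.Active
}

func main() {
	// Constructed rule set and end point mapper state; the UUIDs are placeholders.
	rules := []Rule{
		{"MS-Exchange-IS", "TCP", 1025, "MSExchangeIS:11111111-1111-1111-1111-111111111111", Pass},
		{"Block-other-DCERPC", "TCP", 1025, "DCERPC", Block},
	}
	ep := EndpointMap{
		"TCP/1025": {"MSExchangeIS:11111111-1111-1111-1111-111111111111", "OtherSvc:22222222-2222-2222-2222-222222222222"},
	}
	s, ok := preValidate(rules, ep, "TCP", 1025)
	fmt.Println("pre-validation:", ok, s.Service, s.Rule)
	fmt.Println("bind to Exchange IS:", s.selectService(rules, "TCP", 1025, ep["TCP/1025"][0]), s.Rule)
	fmt.Println("switch to OtherSvc:", s.selectService(rules, "TCP", 1025, ep["TCP/1025"][1]), s.Active)
}
```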


Step 2 Creating a rule for the required service (for example MS Exchange)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (servicename:UUID; see figure 4111).

Fig. 4111 Service Object needed for enabling MS-File Replication Service usage via an end point mapper

Step 3 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory that the general rule (created during Step 1, page 204) is situated above the service rules (created during Step 2, page 205).

11.3.1.2 Configuring Active DCERPC

Note:
For the advantages and disadvantages of passive and active configuration see 11.1 General, page 204.

Step 1 Configuring the RPC server information
The RPC server information is configured via the RPC tab of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>). The configuration is analogous to the one mentioned under 11.2.2 Configuring Active ONCRPC, Step 1, page 205, except that port 135 has to be entered (instead of port 111).

Step 2 Enabling access to the portmapper
Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 135 (see figure 4112).

Fig. 4112 General Service Object needed for creating a pass rule to enable active DCERPC

Note:
If you have specified an alternative port in the server configuration, do not forget to define this alternative port instead of the default port here.

Note:
Do not fill in the PlugIn field when configuring Active DCERPC.

Step 3 Creating a rule for the required service (for example MS Exchange)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (servicename:UUID).

Step 4 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory that the general rule (created during Step 2, page 205) is situated above the service rules (created during Step 3).


11.3.1.3 Configuring Active&Passive DCERPC (recommended)

Step 1 Configuring the RPC server information
The RPC server information is configured via the RPC tab of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>).
The configuration is analogous to the one mentioned under 11.2.2 Configuring Active ONCRPC, Step 1, page 205, except that port 135 has to be entered (instead of port 111).

Step 2 Enabling access to the portmapper
Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 135. Last but not least, you need to enter the PlugIn DCERPC in the General section of the Service Entry Parameters dialog.

Step 3 Creating a rule for the required service (for example NFS)
Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (servicename:UUID).

Step 4 Checking rule set hierarchy
For successful usage of dynamic services it is mandatory that the general rule (created during Step 2) is situated above the service rules (created during Step 3).

11.4 Monitoring

Monitoring takes place in the Dynamic Services tab of the Firewall box menu entry (tab Dynamic).
Via the button Update List you can refresh the displayed information.
The following columns are in use:

Table 430 Monitoring parameters overview
Column          Description
Used Address    IP address used by the dynamic service
Proto           Protocol used by the dynamic service
Port            Port used by the dynamic service
Service Name    Name and number of the dynamic service
Service Desc    Description of the dynamic service
Target Address  IP address the dynamic service connects to
Expires         Displays when the dynamic service connection expires
Used            Time elapsed since last usage
Updated         Time elapsed since last information update
Source Address  IP address for which the dynamic service entry is valid (entry 0.0.0.0 indicates all IP addresses)
Source Mask     Netmask for which the dynamic service entry is valid



5 VPN

1. Overview
1.1 Client Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
1.2 Site to Site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
1.3 Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
1.4 Authentication, GroupVPN, Encryption and Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

2. Configuring Personal Remote Access


2.1 VPN Configuration Block Diagram. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
2.2 Introduce and Configure Box, Server, Firewall and VPN Service . . . . . . . . . . . . . . . . . . . . . . . . . 217
2.3 Install Licenses and Configure Personal Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
2.4 Configuring VPN GTI Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
2.5 Configuring L2TP/PPTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
2.6 Configuring Personal VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
2.7 Configuring VPN Tunnel Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

3. SSL-VPN
3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
3.2 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
3.3 Setup Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
3.4 Hints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

4. Monitoring
4.1 Active Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
4.2 Status Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
4.3 Access Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

5. Examples for VPN Tunnels


5.1 Fully Transparent Tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
5.2 Stealth Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
5.3 Star-shaped Topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
5.4 Redundant VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

6. Configuring the Barracuda NG Personal Firewall


6.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

7. Barracuda NG VPN Client


7.1 Installation & Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
7.2 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257


1. Overview

Virtual Private Networks offer an efficient and cost-saving way to use the internet as a transport alternative to dedicated lines or dial-up RAS, overcoming the security risks of internet communications.
There are two well-established technologies for data encryption: IPSec and SSL (Secure Socket Layer).
Most VPN implementations rely solely on IPSec, which has several disadvantages (for example problems with NAT, NAPT, filtering interfaces, etc.) in modern network topologies. Barracuda NG Firewall VPN has incorporated both technology standards, hence it substantially improves VPN connectivity.

1.1 Client Remote Access

Mobile workers often need secure access to corporate information resources. This may either be achieved by using dial-up Remote Access Servers (RAS) or by using VPN technologies. RAS implementations suffer from several limitations, such as bandwidth, scalability, and manageability. Due to the spreading availability of broadband access via cable and xDSL, VPN provides a superior solution for the remote access challenge.
Client-server communications may be established in three archetypical ways:
- Direct Connection (1.1.1 Direct Connection, page 212)
- Connection through a firewall with or without NAT (1.1.2 Connection through a Firewall, page 212)
- Connections via proxy or SOCKS server (1.1.3 Connections via Proxy / SOCKS Server, page 213)

These several different options of internal/external address assignment and routing can be subdivided into four archetypal conditions. The two criteria are:
- Is the client IP routed through the Internet?
- Is the VPN server IP routed through the private net the client is in?

Table 51 Client-Server Communication Options
Conditions                                                  Solutions
Client IP routed    Server IP routed through    Transparent transport    Transparent transport    HTTPS proxy /
through Internet    client network              without source NAT       with source NAT          SOCKS 4-5
yes                 yes                         yes                      yes                      yes
no                  yes                         no                       yes                      yes
yes                 no                          no                       no                       yes
no                  no                          no                       no                       yes

1.1.1 Direct Connection

Fig. 51 General Scheme of Remote Access VPN (diagram labels: remote VPN client, local ISP POP, secure encrypted tunnel, corporate internet link, VPN server, corporate network)

A necessary condition in order to get working direct connections is routing the client IP just like the server IP throughout the whole connection. Due to security and flexibility reasons, most corporate networks use private addresses (often called RFC1918 addresses). These addresses are not routed within the internet itself. Moreover, some corporate networks do not route other IP addresses than their own. This leads to severe problems in VPN client deployment. Raw IPSec protocol based VPNs cannot provide a proper solution for such situations.
The client simply connects itself to the VPN server on port 691.
Optionally, the client could also use port 443.

1.1.2 Connection through a Firewall

Fig. 52 Remote Access with the Client Placed Behind a Firewall (diagram labels: remote VPN client, firewall with/without NAT, local ISP POP, secure encrypted tunnel, corporate internet link, VPN server, corporate network)

As the client does not use IPSec-ESP or another non-TCP protocol as transport facility, the firewall administrator must provide access to the connection:
- client: (client-port) -> VPN Server: port 691
or
- client: (client-port) -> VPN Server: port 443
Whether the firewall performs NAT (destination or source) does not have any impact on the VPN connection's functionality.


1.1.3 Connections via Proxy / SOCKS Server

Fig. 53 Remote Access with the Client Using a Proxy or SOCKS Server for Routing Assistance (diagram labels: remote VPN client, local ISP POP, HTTPS or SOCKS4/5 server, secure encrypted tunnel, corporate internet link, VPN server, corporate network)

If either the client is not allowed to connect to the VPN server directly or if there is no route to the VPN server, it is necessary to use either an HTTPS proxy or a SOCKS server.
In order to connect via an HTTPS proxy, it is often necessary to connect to port 443 at the VPN server side, because most proxies restrict the CONNECT method in such a way that port 443 must be used.

1.2 Site to Site VPN

Connecting two corporate locations using VPN can be an even more dramatic cost saving than remote access. Saving costs for bandwidth-limited dedicated lines, you can easily connect as many locations as necessary into one large corporate network without losing performance and manageability or weakening cost control.
The Barracuda NG Firewall establishes strongly encrypted (using DES, 3DES, AES-128, AES-256, etc.) VPN tunnels between two Barracuda NG Firewalls. It supports active and passive tunnel initiation and provides maximum flexibility.
Furthermore it is capable of establishing VPN connections to IPSec based systems.

Fig. 54 Two Corporate Networks Linked Together via VPN Tunnel (diagram labels: two corporate networks, each with a VPN server, secure encrypted tunnel, corporate internet links)

1.3 Certificate Authority

For authentication, the Barracuda NG Firewall VPN server includes a full-featured Certificate Authority (CA), allowing the administrator to create, delete, and renew X.509 certificates for strong authentication of remote access users.

Note:
In order to achieve full flexibility and security, it is mandatory to combine a firewall with the VPN server. At the end of the VPN tunnel, the traffic is directed into the firewall engine that applies its rule set to the traffic coming from the tunnel and going into the tunnel.

The VPN tunnel terminates before the traffic is directed into the firewall engine. This means that even if the VPN RAS client appears to the firewall with an address of the local LAN, the administrator still has full control over access policies for the clients connected to the LAN.

1.4 Authentication, GroupVPN, Encryption and Transport

1.4.1 General

The Barracuda Networks VPN implementation supports a range of authentication, encryption, and transport methods. The default settings fit most practical purposes. However, there are a number of special situations in today's networking reality that need special solutions.

1.4.2 Authentication

1.4.2.1 Client to Site VPN

There are several different possible ways of authentication for VPN connections:
- phion x.509 Certificate
  A phion x.509 certificate and the corresponding private/public key pair is provided within a password protected file.
- User and Password
  For this authentication method, the user has to enter username and password.
  It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.
- External x.509 Certificate
  This method requires only an external (third-party), root-signed x.509 certificate from a CA (PKI).
  It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.
- External x.509 Certificate with User and Password Request
  This authentication method consists of an external (third-party), root-signed x.509 certificate from a CA (PKI) and requires manual username and password entry.
  It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.


- External x.509 Certificate with Password Request
  This method consists of an external (third-party), root-signed x.509 certificate from a CA (PKI) and requires manual user and password entry. The username must match the one contained within the x.509 certificate.
  The method is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.

Note:
For authentication methods requiring an x.509 certificate, the certificate and the private/public key pair may be provided on a smart card. This offers increased security since the private key is not extractable.

1.4.2.2 Client-to-Site IPSec

The authentication method for IPSec tunnels consists of an external, root-signed x.509 certificate from a Certificate Authority (CA). It is capable of VPN groups (see 1.4.3 VPN Groups, page 214).

1.4.2.3 VPN Site-to-Site

There are several different possible authentication methods for VPN site-to-site tunnels:
- Pre-shared RSA Public Key
- External Root-signed x.509 Certificate (1.3 Certificate Authority, page 213)
  This method is capable of many restrictive configurations (match on one root certificate, match on all root certificates, additional pattern check for subject/subject alternative name, policy match, generic v3 OID match).
- Explicit x.509 Certificate (e.g. self-signed)
  This method is used if no CA/PKI (Public Key Infrastructure) is available.

1.4.2.4 Site-to-Site IPSec

There are several different possible authentication methods for VPN site-to-site tunnels:
- Pre-shared Pass Phrase
- External Root-signed x.509 Certificate (1.3 Certificate Authority, page 213)
  This method is capable of many restrictive configurations (match on one root certificate, match on all root certificates, additional pattern check for subject/subject alternative name, policy match, generic v3 OID match).
- Explicit x.509 Certificate (for example self-signed)
  This method is used if no CA/PKI (Public Key Infrastructure) is available.

1.4.3 VPN Groups

When having lots of VPN clients, it can become very annoying to configure every client one after another. In order to make configuration work more comfortable and faster, some authentication methods provide the possibility of working with so-called VPN groups.
These groups are not necessarily identical with the ones for LDAP authentication, for example. This fact implies 1-to-n mapping.

Fig. 55 Example for a VPN Constellation (diagram labels: User 1 and User 2 under Policy 1, User 3 and User 4 under Policy 2, VPN, HQ LAN)

Configuration of VPN groups is done via a global VPN Group Settings part that affects all VPN groups and VPN Group Policies containing Common Settings, IPSec Settings (Phase II), and Client Settings. These setting categories are referred into the Policies (profiles) (figure 56).

Fig. 56 Data Scheme for VPN Groups (diagram labels: VPN Group Settings with IPSec Phase I; Policy 1 .. Policy n, each referring to Common settings, IPSec settings (Phase II) and Client settings for that policy)


1.4.4 Encryption

The following encryption algorithms are available for VPN connections:
- DES
  Digital Encryption Standard
- 3DES
  Triple DES
- AES-128
  Advanced Encryption Standard with up to 128 bit encryption
- AES-256
  Advanced Encryption Standard with up to 256 bit encryption
- Blowfish
  by Bruce Schneier
- CAST
  by Carlisle Adams and Stafford Tavares
- Null
  Not encrypted

Attention:
It is highly recommended not to use DES or Null encryption for VPN connections, since these algorithms are unsafe.

1.4.5 Transport

There are four different transport modes available for Barracuda Networks VPN connections:
- UDP
  The tunnel uses UDP port 691. This connection type fits best for response optimized tunnels.
- TCP
  The tunnel uses TCP connections on port 691 or 443 (if HTTP proxies are used). This mode is necessary for connections through SOCKS 4 or HTTP proxies.
- UDP & TCP
  The tunnel uses both TCP and UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP and ICMP based applications.
- ESP
  The tunnel uses ESP (IP protocol 50). This connection type fits best for performance optimized tunnels.

Note:
DO NOT use ESP if there are filtering or NAT interfaces in between.

Table 52 Comparison of Different Tunnel Transport Modes
Transport Mode   Proxy/SOCKS Compatibility   NAT Compatibility   Response Time   Transport Reliability
UDP              no                          yes                 fast            normal
TCP              yes                         yes                 normal          complete
UDP&TCP          no                          yes                 fast            complete
ESP              no                          no                  fast            normal

1.4.5.1 Personal Access Clients

The Barracuda Networks VPN server uses the built-in certificate authority and/or external root certificates to guarantee the authenticity of both communication partners. After exchanging the certificates, the communication uses RSA 1024 bit encryption to build up a secure connection to exchange session keys. The connection then is strongly encrypted with a key renewing every 30 minutes.

1.4.5.2 Tunnel Connections

The Barracuda Networks VPN servers need to exchange their respective public keys in order to build up the trusted relationship. After exchanging public RSA keys, the communication uses RSA 1024 bit encryption for the secure connection. This connection is then strongly encrypted with a session key renewing every 10 minutes. The time between the key renewals is configurable and can also be dependent on the amount of traffic being encrypted with the same key.
For details see the book "Kryptografie" by Klaus Schmeh, ISBN 3-932588-90-8 (German).

1.4.6 Excursion: Description of VPN NoHash Security Issues

Standard ESP
The ESP protocol provides packet authentication and packet encryption. Packet authentication is performed using a hashing algorithm (MD5, SHA, etc.) which is used to hash the packet spanning the ESP header, the encrypted ESP payload (the tunnelled IP packet) and the payload padding (see figure 57, page 216). Packet encryption only spans the encrypted ESP payload and the payload padding and not the ESP header.
An ESP packet is only valid if the following checks are passed (the order is important):
- 1. Is the authentication using the hashing algorithm correct?
- 2. Is the sequence number larger than all sequence numbers of all received valid ESP packets (replay protection)?
- 3. Is the decryption of the ESP payload successful (verified by a padding check)?

This method was already used 10 years ago when hashing algorithms were much faster than encryption algorithms. The intention was to authenticate the packet prior to decryption in order to avoid an expensive decryption for unauthentic packets. With AES, this assumption is no longer true. In fact, AES is even faster than SHA.

The NoHash method is based on the following consideration:
Encryption may be used as authentication since only the VPN partner holding the same encryption session key may construct an ESP packet which will then be correctly decrypted. The only problem appearing after simply turning off the authentication would be that packets might be replayed using old (captured) ESP packets in a way that


leads to a replacement of the former sequence number by a larger one. The receiver would in such a case trust the packet since the sequence number is not part of the encryption (see figure 57, page 216). In this way, a denial of service could be achieved.

Fig. 57 ESP and NoHash

The solution to this problem is quite simple:
By including the sequence number redundantly in the encrypted data of the ESP packet, tampering with the sequence number as described above becomes impossible. After decryption, the two sequence numbers are simply compared and the packet is discarded on mismatch.
As a consequence, ESP packets may be exchanged authenticated and encrypted with replay protection using only a single encryption step, as long as the sequence number is part of the encrypted data. This leads to a significant performance improvement because the hashing operation can be skipped.
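The NoHash receiver check described in this excursion, as an added example that is neither the product's code nor its wire format: a simplified ESP-style packet carries the sequence number once in the clear header and once inside the AES-CBC encrypted data, and the receiver applies the replay check on the header copy, the padding check, and the comparison of both copies, in that order. The packet layout, key, SPI, IV and payload are constructed assumptions; the check that the captured-and-rewritten packet does not advance the receiver's sequence state is the point of the exercise.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed packet layout for this example (not the product's format):
// SPI (4) | seq (4) | IV (16) | AES-CBC( seq (4) | payload | PKCS#7 pad ).
// There is no hash trailer: the encrypted copy of seq takes its place.
const hdrLen = 8

var (
	errShort   = errors.New("packet too short or not block aligned")
	errReplay  = errors.New("sequence number not larger than last accepted")
	errPadding = errors.New("padding check failed: wrong key or tampered ciphertext")
	errSeq     = errors.New("header sequence number differs from encrypted copy")
)

// buildPacket is the sender side. The IV is a parameter to keep the example
// deterministic; a real sender draws a fresh random IV for every packet.
func buildPacket(key []byte, iv [aes.BlockSize]byte, spi, seq uint32, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	inner := make([]byte, 4, 4+len(payload)+aes.BlockSize)
	binary.BigEndian.PutUint32(inner, seq) // redundant, encrypted copy of seq
	inner = append(inner, payload...)
	pad := aes.BlockSize - len(inner)%aes.BlockSize
	inner = append(inner, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(inner))
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(ct, inner)
	pkt := make([]byte, hdrLen, hdrLen+aes.BlockSize+len(ct))
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq) // clear-text copy of seq
	pkt = append(pkt, iv[:]...)
	return append(pkt, ct...), nil
}

// receiver holds the replay state of one inbound SA: the highest sequence
// number of a packet that passed every check.
type receiver struct {
	key     []byte
	lastSeq uint32
}

// accept runs the receiver checks in the order the text requires: replay
// check on the header copy (check 2), decrypt plus padding check (check 3),
// then compare both copies of seq. lastSeq only moves once both copies agree,
// so a captured packet whose header seq was rewritten cannot push it forward.
func (r *receiver) accept(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+2*aes.BlockSize || (len(pkt)-hdrLen)%aes.BlockSize != 0 {
		return nil, errShort
	}
	hdrSeq := binary.BigEndian.Uint32(pkt[4:8])
	if hdrSeq <= r.lastSeq {
		return nil, errReplay
	}
	block, err := aes.NewCipher(r.key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(pkt)-hdrLen-aes.BlockSize)
	cipher.NewCBCDecrypter(block, pkt[hdrLen:hdrLen+aes.BlockSize]).CryptBlocks(pt, pkt[hdrLen+aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || len(pt)-pad < 4 ||
		!bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errPadding
	}
	pt = pt[:len(pt)-pad]
	if binary.BigEndian.Uint32(pt[:4]) != hdrSeq {
		return nil, errSeq
	}
	r.lastSeq = hdrSeq
	return pt[4:], nil
}

func main() {
	key := []byte("constructed-key!") // 16-byte key, constructed for the example
	var iv [aes.BlockSize]byte
	r := &receiver{key: key}
	pkt, _ := buildPacket(key, iv, 0x1000, 1, []byte("tunnelled IP packet"))
	_, err := r.accept(pkt)
	fmt.Println("fresh packet:", err)
	_, err = r.accept(pkt)
	fmt.Println("exact replay:", err)
	binary.BigEndian.PutUint32(pkt[4:8], 50) // captured packet, header seq rewritten
	_, err = r.accept(pkt)
	fmt.Println("rewritten header seq:", err, "- last accepted seq still", r.lastSeq)
}
```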


2. Configuring Personal Remote Access

2.1 VPN Configuration Block Diagram

Fig. 58 VPN Configuration Block Diagram (flow: Requirements for personal remote access met? No: Introduce & configure Box, Server, Firewall, VPN Service. Yes: Configure VPN server (install keys/server & root certificates, configure personal networks); Configure personal VPN; VPN groups required? Yes: get group names (DC, OU, ...), configure VPN group policies, configure VPN group settings; No: configure VPN tunnel settings; VPN is ready to use)

2.2 Introduce and Configure Box, Server, Firewall and VPN Service

Fig. 59 VPN Configuration - Introduce and Configure Block Diagram (the flow of figure 58 with the step "Introduce & configure: Box, Server, Firewall, VPN Service" highlighted)

Table 53 VPN configuration - Introduce and Configure
Issue                                   Description
Configure Barracuda NG Firewall         Configuration Service, 2. Configuring a New System, page 48
Configure the server                    Configuration Service, 3. Configuring a New Server, page 94
Configure the firewall                  Firewall, page 131
Introduce & configure the VPN service   Configuration Service, 4. Introducing a New Service, page 97

Note:
If you are using Additional Server IPs entries in your server configuration, then these IP addresses must be configured as Explicit Bind IPs within the VPN service configuration.

The VPN configuration may be opened in two ways:
- via config tree (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver))
- via box menu (VPN)


2.3 Install Licenses and Configure Personal Networks

Fig. 510 VPN Configuration Block Diagram - Configure VPN server (the flow of figure 58 with the step "Configure VPN server: install keys/server & root certificates, configure personal networks" highlighted)

Normally, the Barracuda NG Firewall is delivered with one personal and unlimited firewall-to-firewall VPN license. All other licenses must be ordered from Barracuda Networks separately. For more detailed information about license activation see Licensing, page 529.
Additional personal licenses must be available as a file (*.lic files) on floppy, harddisk, or as e-mail.
Configuring the server settings is done by clicking VPN Settings (accessible through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver)) within the VPN configuration tree.

2.3.1 Personal Networks Tab

In order to create a VPN Personal network, lock the configuration dialog, open the context menu and select New VPN Network ... This will open the following configuration dialog.

Fig. 511 Personal Network Configuration Dialog

Note:
The corresponding gateway routes for the configured personal network (both local and routed) are assigned to the VPN client automatically when connecting.

List 51 VPN Configuration - Personal Network - Network Section
Parameter           Description
Advertise via OSPF  When activated, the personal network is advertised via OSPF.
Name                The network name.
Network Address     The network address.
Network Mask        Use inverted CIDR notation (Getting Started - 5. Inverted CIDR Notation, page 25).
Gateway             The client's gateway address.
Type                Type of VPN network used. Available types are:
                    routed (Static Route) (virtual network/DMZ)
                    For an illustrated example see figure 512.
                    A separate net is offered. A static route leads to the local network via the VPN server. VPN client addresses can be distributed through DHCP as fixed or dynamic addresses.
                    local (Proxy ARP)
                    For an illustrated example see figure 513, page 218.
                    A part of the local network is offered via VPN. The defined addresses are entered as Proxy ARP on the VPN Server (see figure 512). VPN client addresses can be distributed through DHCP as fixed or dynamic ones.
                    The following two values are to be defined additionally:
                    IP Range Base - defines the starting point of the offered addresses from the local network
                    IP Range Mask - defines the scope of the offered addresses
Quarantine          Quarantine networks may be defined in order to assort clients accessing a VPN tunnel into separate network classes. This configuration parameter has been introduced in preparation for Barracuda NG VPN Client. It will not work with the current VPN client release R7 or older versions.
                    The recommended setting for all Barracuda NG Firewall versions is to leave the setting at the default value Regular Personal Network when creating a new Personal Network. Quarantine Network Classes will at this time not be effective.

Fig. 512 VPN Configuration with Routed Network (Static Route; Virtual Network / DMZ) (diagram labels: VPN client 192.168.6.123, secure encrypted tunnel, VPN server, router, local network (10.0.0.0/24), static route via VPN server, local DMZ: 10.0.0.0/24)

Fig. 513 VPN configuration with Local (Proxy ARP) (diagram labels: VPN client 10.0.0.129, secure encrypted tunnel, VPN server / FW server, local network (10.0.0.0/24), local segment: 10.0.0.128/28)

Note:
The maximum number of personal networks is 256.



VPN Install Licenses and Configure Personal Networks < Configuring Personal Remote Access | 219

2.3.2 Server Key/Settings Tab

Manage server keys and certificates through this configuration dialog.

2.3.2.1 Server Certificates

To open the Server Certificates window, click the Click here for Server Settings link on top of the Server Key/Settings tab:

Fig. 514 Server Certificates Configuration

Tab General:

List 52 VPN Configuration - Server Certificates - General Access Control Service Section
IP Addresses: IP address of the Access Control Service to use.
Sync Authentication to: Set to yes if authentication information should be propagated to the other boxes in the same . Set to no to disable authentication synchronisation.

List 53 VPN Configuration - Server Certificates - General Server Configuration Section
Use port 443 [default Yes]: Defines whether incoming VPN connections on port 443 should be accepted or not. In some cases you might want to disable using port 443 for incoming VPN connections, for example if connections arriving at port 443 should be redirected by the firewall service to another machine.
CRL Poll Time: Time interval (in minutes) for fetching the Certificate Revocation List.
Note: Setting this parameter to 0 results in a poll time of 15 minutes.
Global TOS Copy [Off]: Globally defines the ToS (Type of Service) flag for Site to Site tunnels. Global employment of the ToS flag is disabled by default (setting: Off). Effects of ToS settings are described in detail in VPN Envelope Policy (applying to TINA Tunnels, page 238) and list 557, page 241 (applying to IPSec Tunnels, page 241). Individual tunnel ToS policies override the global policy settings.
Global Replay Window Size [0]: The Replay Window Size is designed for sequence integrity assurance and avoidance of IP packet "replaying", if due to ToS policies assigned to VPN tunnels and/or transports packets are not forwarded instantly according to their sequence number. The window size specifies a maximum number of IP packets that may be on hold, until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings (see Replay Window Size, page 239) are configurable per tunnel and transport, overriding the global policy settings. Setting this to 0 (default) defines that these tunnel/transport specific settings should be used. ToS details are described in VPN Envelope Policy, page 238. The effective Replay Window Size is visualized in the Transport Details window (Attribute: transport_replayWindow), which can be accessed by double-clicking the tunnel in the VPN Monitoring GUI > Active tab (see 4. Monitoring, page 252).
Use Site to Site Tunnels for Authentication [Yes]: Typically, a tunnel registers itself at the firewall causing an auth.db entry with the tunnel network and the tunnel credentials. This can be used to build a firewall rule having the tunnel name or credentials as condition. This feature is rarely used (maybe not at all).
Pending Session Limitation [Yes]: Session buildup is limited so that, once a buildup of 5 sessions is detected, any further session request will be dropped until one of the already initiated sessions is completed.
Prebuild Cookies on Startup [No]: Typically, cookies are built on demand. For many tunnels building up simultaneously it is better to have the cookie already precalculated. This causes a slower VPN service startup but a faster tunnel buildup afterward.
Tunnel HA Sync: In case of a HA takeover, the initialisation of all VPN tunnels/transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels/transports are terminated, this initialisation happens very fast and does not decrease overall system performance. Due to realtime synchronisation to the HA partner box, the system load during a takeover can be decreased, hence providing faster tunnel reestablishment.
Note: Synchronisation is only provided for TINA tunnels/transports using either UDP or ESP. Synchronisation of hybrid, TCP or IPSec tunnels is not available.
Note: The default setting for this function is off. It may be activated using Tunnel HA Sync through the VPN Server Settings. Barracuda Networks recommends to activate this setting only when using more than 200 ESP or UDP TINA tunnels.
Maximum Number of Tunnels: Sum of concurrent client-to-site and site-to-site tunnels accepted by the VPN service.
Note: Barracuda Networks recommends to keep this value below 8192 to avoid high system load produced by the VPN service.

List 54 VPN Configuration - Server Certificates - General Default Server Certificate Section
Subject/Issuer: These two fields display certificate subject and issuer.
Note: L2TP/IPSEC require server certificates with SubAltNames.
Default Key: If the VPN server demands a key but the key is not stated explicitly, it may be generated by clicking the Ex/Import button and selecting a suitable option.
Note: It is mandatory to define a default server certificate for a successful client-to-site connection.

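The Global Replay Window Size entry in list 53 above describes a sliding window that tolerates packets delayed by ToS policies while rejecting sequence numbers that arrive twice. The following Python sketch is an added illustration of that mechanism and not code from Barracuda Networks; it uses the bitmap technique known from IPsec ESP anti-replay (RFC 4303), and the window size and the packet stream in it are constructed values.

```python
"""Sliding anti-replay window for a VPN transport.

Added illustration of the Replay Window Size idea; not Barracuda code.
Sequence numbers that arrive late but inside the window are accepted
once, duplicates inside the window are rejected, and anything older
than the window is rejected because it can no longer be told apart
from a replay.
"""
from __future__ import annotations


class ReplayWindow:
    def __init__(self, size: int) -> None:
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.seen = 0      # bitmap over [highest - size + 1, highest]; bit 0 = highest

    def check(self, seq: int) -> tuple[bool, str]:
        """Return (accepted, reason) and update the window if accepted."""
        if seq <= 0:
            return False, "invalid sequence number"
        if self.highest == 0:
            self.highest, self.seen = seq, 1
            return True, "accepted (first packet)"
        if seq > self.highest:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.seen = 1          # everything previously seen falls out
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "accepted (window advanced)"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "rejected: older than the window"
        if (self.seen >> offset) & 1:
            return False, "rejected: replayed sequence number"
        self.seen |= 1 << offset
        return True, "accepted (late but inside the window)"


def run_stream(size: int, seqs: list[int]) -> list[bool]:
    """Feed a packet stream through one window; return the accept decisions."""
    window = ReplayWindow(size)
    return [window.check(s)[0] for s in seqs]


if __name__ == "__main__":
    # Constructed stream: 4 is delayed behind 5 (accepted), 2 and 6 are
    # repeats or too old (rejected), 10 jumps past the whole window.
    stream = [1, 2, 3, 5, 4, 2, 1, 10, 9, 6]
    for seq, ok in zip(stream, run_stream(4, stream)):
        print(seq, "accepted" if ok else "rejected")
```

A larger window tolerates more reordering but also lets an attacker re-inject an older captured packet for longer, which is the trade-off behind tuning this value per tunnel.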


220 | Configuring Personal Remote Access > Install Licenses and Configure Personal Networks VPN

Tab Advanced:

List 55 VPN configuration - Server Certificates - Advanced Device Configuration Section
Click the Add button to open the VPN Device Properties window and to add virtual interfaces equipped with unique index numbers. Indexed virtual interfaces may for example be needed for direct OSPFv2/RIP multicast propagation of VPN networks. After assigning the interface with a local IP address it may be directly used within the OSPF router configuration. The interfaces become active and visible in the Control > Network tab of the corresponding box as soon as a tunnel endpoint using the indexed interface has been created. Indexed VPN interfaces are labelled in the following way: vpn[INDEX] (for example, vpn1, vpn2, ).
Device Index: Insert the unique index number of the VPN interface into this field.
MTU: Specify the MTU (Maximum Transmission Unit) size in this field (1398 / 1500).
IP Addresses: Insert the IP addresses that should be started on the vpnX interface into this field. Separate multiple entries with spaces.
Multicast Addresses: Insert the multicast addresses that should be propagated into this field. For example, to transport OSPF multicast via VPN tunnel, insert "224.0.0.5 224.0.0.6". Separate multiple entries with spaces.

List 56 VPN configuration - Server Certificates - Advanced section IKE Parameters
The IKE (Internet Key Exchange) Parameters section is globally applicable to all configured IPSEC tunnels.
Exchange Timeout (s): This value defines the maximum period to wait until the request for IPsec tunnel connection establishment has to be approved by the remote peer (default: 30 seconds).
Tunnel Check Interval (s): This value defines the interval in which to query if a valid exchange is assignable to an IPsec tunnel (default: 5 seconds). In case a tunnel configured with direction assignment Active has been terminated, it will be re-established automatically as soon as the check interval has expired. In case a tunnel configured with direction assignment Passive has been terminated, a corresponding status message will be triggered causing a GUI update in the VPN monitoring view (4. Monitoring, page 252).
Dead Peer Detection Interval (s): This value defines the interval in which to execute keep alive checks on the remote peer (default: 5 seconds).
Use IPSec dynamic IP: Set to Yes if the service is connected to the internet via dynamic link (dynamic IP address). In this case the server IP address is not yet known at configuration time and IKE then listens to all local IP addresses.
IPSec Log Level: Defines the debug log level of IKE.
Note: Debug log may be very noisy. Avoid a log level greater than 0 if not required for solving an issue.

List 57 VPN configuration - Server Certificates - Advanced section Custom Ciphers
For internal use only

2.3.3 Root Certificates Tab

This tab allows importing and viewing of root certificates that have been issued to the VPN server by a Certificate Authority (CA). Root certificates that may be imported must be available as either .cer or as proprietary .pem files.
This tab allows specifying paths to CRLs.

2.3.3.1 Certificate Details Tab

To import a new root certificate, lock the Root Certificates tab, then right-click into the configuration window, then select a suitable Import option, depending on the format the certificate is available in.
The following configuration options are available:

List 58 VPN Configuration - Root Certificates - Certificate Details Tab Certificate Section
This section shows the certificate's Subject and Issuer. Into the Name field, insert a certificate name for easier recognition.

List 59 VPN Configuration - Root Certificates - Certificate Details Tab Usage Section
This section contains options that define which tunnel types a certificate should be valid for. The following tunnel types are available for selection: Personal, Site-to-Site, IPSec Personal, IPSec Site-to-Site.
Comment: Into this field, optionally insert a certificate description.

List 510 VPN configuration - Root Certificates - Certificate Details Tab CRL Error Handling Section
This section defines actions to be taken in case a certificate referred within the Certificate Revocation List (CRL) is unavailable.
Timeout (min.): If all URIs of the root certificate fail, then the fetching process is started again after this time period. If the CRL is still not available, the fetching process is stopped and parameter Action (see below) is activated.
Action: The following actions are available if CRL fetching is not possible:
- Terminate all sessions: Every VPN session relating to this root certificate is terminated.
- Do not allow new sessions: New VPN sessions relating to this root certificate are not allowed.
- Ignore: This option creates a log entry, but does not have any effect on VPN connections relating to this root certificate.

2.3.3.2 Certificate Revocation Tab

Fig. 515 Certificate Revocation Tab

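The Certificate Revocation tab defines a CRL distribution point by protocol, host and URL path. Its URI section lists the default port per protocol, notes that an LDAP search path loaded from a certificate gets the search string "?cn=*" appended when no search string is present, and requires for LDAPS that the server's fully qualified host name also appears as a CN in the path. The function below is an added example, not Barracuda Networks code, of checking a CRL URI against those three documented rules before it is entered; the host name crl.example.com and the DN values are constructed.

```python
"""Check a CRL distribution point URI against the rules documented for the
Certificate Revocation tab. Added example, not Barracuda Networks code.

Rules implemented:
  1. only LDAP/LDAPS/HTTP/HTTPS are accepted; a missing port falls back to
     the protocol's default (389/636/80/443);
  2. an LDAP/LDAPS path without a search string gets "?cn=*" appended;
  3. for LDAPS the server's FQDN must also appear as a CN in the path.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "http": 80, "https": 443}


def normalize_crl_uri(uri: str) -> dict:
    """Split a CRL URI into the tab's fields and report rule violations."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported CRL protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("CRL URI has no host")

    path = parts.path.lstrip("/")
    query = parts.query
    if scheme in ("ldap", "ldaps") and not query:
        query = "cn=*"           # rule 2: terminate LDAP paths with a CN search

    warnings: list[str] = []
    if scheme == "ldaps":        # rule 3: the FQDN must be one of the RDNs
        rdns = {r.strip().lower() for r in unquote(path).split(",")}
        if f"cn={parts.hostname.lower()}" not in rdns:
            warnings.append(
                "LDAPS: path should contain cn=<fully qualified host name>"
            )

    return {
        "protocol": scheme.upper(),
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],   # rule 1
        "url_path": f"{path}?{query}" if query else path,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed distribution points, one per protocol family.
    for uri in (
        "ldap://crl.example.com/cn=vpnroot,ou=country,ou=company,dc=com",
        "ldaps://server.domain.com/cn=vpnroot,ou=country,ou=company,dc=com",
        "https://crl.example.com:8443/vpnroot.crl",
    ):
        print(normalize_crl_uri(uri))
```

The warnings list is deliberately advisory: the LDAPS CN rule affects connection establishment, so a missing CN shows up as a failed fetch and, after the Timeout of list 510, as the configured Action.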


VPN Configuring VPN GTI Settings < Configuring Personal Remote Access | 221

If a CRL is already included within the certificate, import the CRL URI by clicking the Load paths from certificate button.

To add a CRL URI manually, insert the CRL details into the fields available in the URI, Login and Proxy sections and then click the Add button.

List 511 VPN Configuration - Root Certificates - Certificate Revocation Tab URI Section
Protocol: From this list, select the needed connection protocol. The following protocols are available:
  Protocol / Default port / Comment
  LDAP / 389 / DNS resolvable
  LDAPS / 636
  HTTP / 80
  HTTPS / 443
Note: In LDAP directories, valid CRL file types are restricted to .pem and .crt files.
Host: DNS resolvable host name or IP address of the server that makes the CRL available.
URL-Path: Path to the Certificate Revocation List (CRL) (for example cn=vpnroot,ou=country,ou=company,dc=com?cn=*).
Note: When the CRL is made available through SSL encrypted LDAP (LDAPS) take the following into consideration: To enable connection establishment, the CRL has to be referred to by using the fully qualified domain name (that is the resolvable host name) in the CN subject. For example, if a server's host name is server.domain.com it has to be stated in the URL-path as follows: cn=vpnroot,ou=country,ou=company,dc=com,cn=server.domain.com.
Note: The A-Trust LDAP server requires that a CRL distribution point referring to it MUST terminate with a CN subject. Therefore, as from Barracuda NG Firewall 3.6.3 when loading the CRL from a certificate, the search string "?cn=*" will automatically be appended, if the CRL is referring to an LDAP server and if a search string (CN subject) is not available in the search path by default. Note that existing configurations will remain unchanged and that the wildcard CN subject does not conflict with other LDAP servers.

List 512 VPN Configuration - Root Certificates - Certificate Revocation Tab Login Section
User / Password: User name and corresponding password, necessary if the LDAP/HTTP server requires authentication.

List 513 VPN Configuration - Root Certificates - Certificate Revocation Tab Proxy Section
Proxy: DNS resolvable host name or IP address of the proxy server.
Port: Proxy server port used for connection requests.
User / Password: User name and corresponding password, necessary if the proxy server requires authentication.

2.3.3.3 OCSP Tab

List 514 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Tab
Host: DNS-resolvable hostname or host IP address.
Port: OCSP server listening port.
Use SSL: Enforces an SSL connection to the OCSP server.
Phibs Scheme: Allows selection of an OCSP scheme (default: ocsp).

List 515 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Identification Tab
CA Root: Specifies how the OCSP server is verified. The following options are available:
- This root certificate - The OCSP server certificate signing the OCSP answer was issued by this root certificate.
- Other root certificate - The OCSP server certificate signing the OCSP answer was issued by another root certificate. This other root certificate has to be imported via parameter Other root (see below).
Note: Take into consideration that the extended certificate usage is set to OCSP signing in the OCSP-server certificate when using This root certificate or Other root certificate.
- Explicit Server certificate - The OCSP server certificate signing the OCSP answer may be self-signed or another certificate. This X.509 certificate has to be imported via parameter Explicit X.509 (see below).
Other root: If CA Root is set to Other root certificate, this certificate has to be imported via the Ex/Import button (either in PEM or PKCS12 format).
Explicit X509: If CA Root parameter is set to Explicit Server certificate, this certificate has to be imported via the Ex/Import button (either in PEM or PKCS12 format).

2.3.4 Server Certificates Tab

This tab displays the available server certificates.

Fig. 516 Server Certificates with Open Context Menu

As shown in figure 516, the context menu of this configuration tab provides multiple ways for import, removal, and export of certificates.

2.4 Configuring VPN GTI Settings

VPN GTI Settings configuration is only of interest for CC-administered boxes. It determines default settings applying to tunnels when they are created by use of the VPN GTI Editor. The functionality of the VPN Graphical



222 | Configuring Personal Remote Access > Configuring L2TP/PPTP Settings VPN

Tunnel Interface (GTI) is described in Barracuda NG Control Center 15. VPN GTI, page 490.

Note:
Merging of local VPN GTI Settings (as configured through the parameters below on each box) and global VPN Settings (applying for a specific VPN group, see 15.2.2 Defining Global Settings for a VPN Group, page 492) determines the initial default settings of VPN servers and tunnels when they are introduced in the graphical tunnel interface on the Barracuda NG Control Center.

The following parameters specify a VPN server's default settings:

List 516 VPN Configuration - VPN GTI Settings
My IP Type: IP address(es) to use when a VPN connection is established:
- <default> - Utilizes all bind IPs configured in the VPN server's service configuration section. The VPN connection then binds to the first available IP chosen from the pool.
- First-IP - Utilizes the VPN server's first IP.
- Second-IP - Utilizes the VPN server's second IP.
- Dynamic (via routing) - Utilizes a dynamically assigned IP address according to the routing table.
- Explicit - Allows assignment of an explicit IP address or interface name in the My IP Explicit field below.
Note: Remember that explicitly assigned IP addresses are to be included in the service configuration as well.
My IP Explicit: Explicit IP address, if My IP Type has been set to Explicit.
Note: Insertion of interface names into the My IP Explicit parameter is additionally possible in the configuration area of the VPN GTI Editor.
My Peer Type: IP address(es) to accept VPN connection establishment:
- <default-from-My-IP> - Accepts connections on all Bind IPs configured in the VPN server's service configuration section. The VPN connection then binds to the first available IP chosen from the pool.
- First+Second-IP - Accepts connections on the VPN server's First and Second IP.
- First-IP - Accepts connections on the VPN server's First IP.
- Second-IP - Accepts connections on the VPN server's Second IP.
- Explicit - Specifies connection acceptance for explicitly assigned IP addresses, interface names or host names as defined in the My Peer IP Explicit field below.
Note: This data will be used for both partners (active/passive) of the VPN tunnel. Due to this, only explicit IP addresses can be configured.
My Peer IP Explicit: Explicit IP address, if My Peer Type has been set to Explicit.
Note: Insertion of interface names or host names (if DNS resolution is available) into the My Peer IP Explicit parameter is additionally possible in the configuration area of the VPN GTI Editor.
Use ospf: Setting to yes (default: no) causes the configured VPN information to be advertised via OSPF.

List 517 VPN Configuration - VPN GTI Settings Proxy Section
Proxy Type: Type of proxy to be used. The following settings are available: Direct (no-Proxy), HTTP Proxy, Socks-4-Proxy, Socks-5-Proxy.
Proxy Address: Defines the proxy server's IP address or DNS-resolvable host name.
Proxy User / Password: Defines user and password for authentication on the proxy.
Accept Identification Type: Defines the identification type required for VPN access. The following authentication methods may be used:
- Public Key
- X509 Certificate (CA signed)
- X509 Certificate (explicit)
- Box SCEP Certificate (CA signed)

2.5 Configuring L2TP/PPTP Settings

To access the configuration file for L2TP and PPTP select Config > Box > Virtual Servers > Assigned Services > <servicename> (vpn) > L2TP/PPTP Settings.
The file itself consists of the following sections:
- General
- L2TP/IPSEC
- PPTP
- User List (page 223)

2.5.1 General

List 518 VPN configuration - L2TP/PPTP Settings - General section Common Settings
Maximum Transmission Unit: Maximum packet size to be sent without fragmentation (default: 1400).
Maximum Receive Unit: Maximum packet size to be accepted (default: 1400).
First / Second DNS: IP address of the primary/secondary DNS server.
First / Second WINS: IP address of the primary/secondary WINS server.
Static IP: Set to yes for static IP assignments (default: no).

2.5.2 L2TP/IPSEC

Note:
L2TP is not enabled by default. Set Enable L2TP to yes to activate the configuration section below.

Note:
To be able to establish a L2TP connection to Barracuda NG Firewall gateways, L2TP client and Barracuda NG Firewall must not belong to the same collision domain.

Note:
Please consult 2.3.2 Server Key/Settings Tab, page 219, for information concerning certificate requirements.



VPN Configuring Personal VPN < Configuring Personal Remote Access | 223

Fig. 517 Configuration Dialog for L2TP

List 519 VPN Configuration - L2TP/PPTP Settings - L2TP/IPSEC L2TP Settings Section
L2TP Bind IP: IP address of the VPN server listening for VPN connection requests.
IPSec PSK: Pre-Shared Key for IPsec/IKE authentication.
Attention: The # (hash) character is not allowed.
Local Tunnel IP: Server-side IP address of the tunnel.
Pool IP-Begin: Starting IP address for the IP-address pool available to clients.
Pool Size: Number of available pool IP addresses (for example Pool IP-Begin 10.0.8.10 and Pool Size 2 results in IP addresses 10.0.8.10 and 10.0.8.11).
LCP Echo Failure / LCP Echo Interval: Maximum number of lost echoes and the time period an echo reply may last (default for both parameters: 0).
Idle Timeout: If this value (in seconds; default: 300) is exceeded without having traffic over the VPN tunnel, the connection is terminated.
User Authentication: Choose a user authentication method: Local-use-database or Remote MS-CHAP-v2.
Phase 1 Lifetime (s): The default IPsec phase 1 lifetime for all L2TP clients.
Max. phase 1 Lifetime (s): The maximum IPsec phase 1 lifetime for all L2TP clients.
Min. phase 1 Lifetime (s): The minimum IPsec phase 1 lifetime for all L2TP clients.

2.5.3 PPTP

Note:
PPTP is not enabled by default. Set PPTP Enable to yes to activate the configuration section below.

List 520 VPN Configuration - L2TP/PPTP Settings - PPTP PPTP Settings Section
PPTP Bind IP: IP address of the VPN server listening for VPN connection requests.
Initiation Timeout [s]: Maximum time for establishing the GRE tunnel (default: 10). A rule of thumb: the faster the connection, the shorter this timeout can be set.
Local Tunnel IP: Server-side IP address of the tunnel.
Pool IP-Begin: Starting IP address for the IP-address pool available to clients.
Pool Size: Number of available pool IP addresses (for example, pool IP start at 10.0.8.10 and pool Size 2 results in IP addresses 10.0.8.10 and 10.0.8.11).
MPPE Encryption Strength: Required encryption strength (40bit, 128bit (default) or election). The option election causes the strongest available encryption to be used.
LCP Echo Failure / LCP Echo Interval: These parameters indicate the maximum number of lost echoes and the time period an echo reply may last (default for both parameters: 0).
Idle Timeout: If this value (in seconds; default: 300) is exceeded without having traffic over the VPN tunnel, the connection is terminated.
User Authentication: Choose a user authentication: Local-use-database or Remote MS-CHAP-v2.

2.5.4 User List

This section handles the client user names and passwords (Challenge Handshake Authentication Protocol).
In order to add a new entry, click the Insert button. To modify an existing entry, select the entry in question and click the Edit button. To remove an entry from the list, select the entry and click the Delete button.
Creating a new entry and modifying an existing entry works via the same configuration dialog (figure 518).

Fig. 518 Configuration Dialog for Chap Secrets

List 521 VPN Configuration - L2TP/PPTP Settings - User List
Username: User name.
Password / Confirm / Current: Enter the (new) password and confirm it by re-entering it into the Confirm field (existing entries require the current password to unlock the fields Password and Confirm).
IP Address: Used for static assignment (list 518, Static IP, page 222).

2.6 Configuring Personal VPN

Fig. 519 VPN Configuration Block Diagram Configure Personal VPN
[Figure: flow chart. Requirements for personal remote access met? No: Introduce & configure Box, Server, Firewall, VPN Service. Yes: Configure VPN server (install keys/server & root certificates, configure personal networks); Configure personal VPN; VPN groups required? Yes: Get group_name (DC, OU, ), Configure VPN group policies, Configure VPN group settings; No: Configure VPN tunnel settings; VPN is ready to use]



224 | Configuring Personal Remote Access > Configuring Personal VPN VPN

The Client to Site item (accessible through Config > Virtual Servers > Assigned Services > <servicename> (vpnserver)) is used for configuring remote VPN connections between a Barracuda NG Firewall and the Barracuda NG VPN Client with usage of Barracuda Networks certificates and private-public key pairs (no groups) (see 1.4.2.1 Client to Site VPN, phion x.509 Certificate, page 213).

2.6.1 VPN CA Tab

This tab is used for management (import and removal) of pool licenses and also for management (creation, cloning, and removal) of personal licenses. In addition, the options provided allow for the customising of graphics and messages displayed to the client user and security routines (for example registry checks on the client's workstation, management of the Barracuda NG Personal Firewall, ).

2.6.1.1 Pool Licenses Tab

When buying a Barracuda NG Firewall product, a VPN server license is distributed with one personal license. All additional VPN pool licenses must be purchased from Barracuda Networks.

Fig. 520 Heredity of Barracuda Networks Certificates
[Figure residue: Barracuda NG Firewall VPN connector; Barracuda NG Firewall VPN server; Personal user license; Personal license certificate; Pool license certificate; Password ******; Pool license; Public key pool; VPN server license]

Note:
VPN pool licenses must be imported into the Personal VPN section of the VPN server. Do not treat VPN pool licenses like box licenses and do not import them into the pool license section of the global CC Identity settings.

To install a VPN pool license, right-click into the main window of the Pool Licenses tab and select whether to import from file or from clipboard.
If the Pool license has been delivered to you in a .lic file, import it by selecting Insert License from File from the context menu.
The Pool License Certificate appears after submission and confirmation of the password defined at purchase.

Fig. 521 Pool License Certificate

Alternatively, the license might have been delivered by e-mail. You may then import it by copying it to the clipboard and selecting Insert License from Clipboard from the context menu. After submission and confirmation of the password, which was defined at purchase, the pool license certificate appears.

Note:
Copy the license's content from the ---BEGIN CERTIFICATE--- row down to the end of the ---END RSA PRIVATE KEY--- as shown in figure 522.

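The note above asks the administrator to copy exactly the span from the BEGIN CERTIFICATE row to the END RSA PRIVATE KEY row out of an e-mail. The helper below is an added example, not Barracuda Networks code, that cuts that span out of pasted text and refuses input whose PEM blocks are incomplete or mismatched, so that a truncated or mangled license is caught before the import dialog. It assumes standard five-dash PEM markers (the manual prints the rows with shortened dashes), and the SAMPLE_MAIL text is constructed with dummy base64 bodies, not real license material.

```python
"""Cut a pool license pasted from an e-mail down to the part the Insert
License from Clipboard import needs: from the BEGIN CERTIFICATE line to the
END RSA PRIVATE KEY line. Added example, not Barracuda Networks code.
"""
from __future__ import annotations

import re

# Standard PEM markers are assumed here (the manual's rows show shortened dashes).
BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
END = re.compile(r"^-----END ([A-Z ]+)-----$")

# Constructed sample; the base64 bodies are dummies, not a real license.
SAMPLE_MAIL = """\
Hello,

below is your pool license. The password was sent separately.

  -----BEGIN CERTIFICATE-----
  MIIBdummyCERTIFICATEbody0000000000000000000000000000000000000000
  -----END CERTIFICATE-----
  -----BEGIN RSA PRIVATE KEY-----
  MIIBdummyKEYbody000000000000000000000000000000000000000000000000
  -----END RSA PRIVATE KEY-----

Regards
"""


def _marker(line: str, pattern: re.Pattern) -> str | None:
    """Return the block label if the line is a BEGIN/END row, else None."""
    m = pattern.match(line.strip())
    return m.group(1) if m else None


def extract_license(text: str) -> tuple[str, list[str]]:
    """Return (clipboard_text, block_labels) for the license span.

    The span runs from the first BEGIN CERTIFICATE row to the END RSA
    PRIVATE KEY row, inclusive; surrounding mail text and indentation are
    dropped. Every BEGIN inside the span must be closed by an END of the
    same label, otherwise ValueError is raised.
    """
    lines = text.splitlines()
    start = next((i for i, ln in enumerate(lines)
                  if _marker(ln, BEGIN) == "CERTIFICATE"), None)
    if start is None:
        raise ValueError("no BEGIN CERTIFICATE row found")

    labels: list[str] = []
    open_label: str | None = None
    for i in range(start, len(lines)):
        begin, end = _marker(lines[i], BEGIN), _marker(lines[i], END)
        if begin:
            if open_label is not None:
                raise ValueError(f"BEGIN {begin} before END {open_label}")
            open_label = begin
        elif end:
            if end != open_label:
                raise ValueError(f"END {end} does not close BEGIN {open_label}")
            labels.append(end)
            open_label = None
            if end == "RSA PRIVATE KEY":
                body = "\n".join(ln.strip() for ln in lines[start:i + 1])
                return body + "\n", labels
    raise ValueError("no END RSA PRIVATE KEY row found")


if __name__ == "__main__":
    body, labels = extract_license(SAMPLE_MAIL)
    print(labels)
    print(body)
```

Saving the returned text to a file and renaming it to .lic gives the same input the file-based import expects, which the next page describes.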


VPN Configuring Personal VPN < Configuring Personal Remote Access | 225

Fig. 522 Pool License in Plain Text Format

Note:
The plain text certificate may be transformed into a Barracuda Networks license (.lic) file, by saving its content to a text file and changing the file ending to .lic.

As soon as pool licenses have been installed and herewith activated, personal licenses can be distributed.
To create a personal VPN license, mark the responsible pool license, right-click into the bottom part of the Pool Licenses tab main window and select New personal license from the context menu.
The following personal licenses configuration window opens:

Fig. 523 Edit Personal License Information
[Figure callouts: Basic configuration field; Certificate section, page 226]

List 522 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation
License is disabled checkbox: Sets either the license to disabled state or not.
License field: Name of the license - read-only; used syntax: poollicensename-IndexNo
Used by field: Name of the user the license is assigned to.
Stat. Name field: Name of the license to be shown in statistics.
Note: In case multiple licenses are existing, it might be sometimes useful to create cumulative statistics.

List 523 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation IP Address & Networking Section
Network pull-down menu: Personal VPN network (defined in the server settings Personal Networks Tab, page 218).
Nr. pull-down menu: IP, taken out of the VPN pool, to be assigned to the client. Setting this value to dyn allows dynamic allocation.
Use Template pull-down menu: Template, if templates are in use. Otherwise click on Parameters.
Parameters button: Network settings, if no templates are used (figure 524, page 226).
ENA pull-down menu: Defines whether ENA (Exclusive Network Access) is activated for this license. Active ENA disables any access to other networks the client is connected to.

List 524 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation Password and Peer Restriction Section
Scheme pull-down menu: Authentication scheme used for user authentication.
User ID field: User name required for authentication.



226 | Configuring Personal Remote Access > Configuring Personal VPN VPN

List 524 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation Password and Peer Restriction Section (continued)
VPN-Type: Select the appropriate option: Personal + SSL, Personal Only or SSL Only.
Note: This parameter takes effect when connecting via SSL-VPN and the authentication scheme Local is selected.
Change Server Password button: Password needed for connection to the VPN server.
ACL list: Access control list for VPN connections. The client is only allowed to connect to the VPN server from one of these IP addresses or address ranges.

List 525 VPN configuration - Client to Site - VPN CA Tab - Personal License Creation Active Certificate / Obsolete Certificate Section
Note: The Usage listing to the right defines whether only the active key is permitted or both active AND obsolete key.
License Type pull-down menu: Type of license; File or Certificate Store based.
Server Key pull-down menu: Pre-defined server private key.
Edit Certificate button: Information within the VPN certificate.
Create New Key button: New user private key.
Import Key button: Import a user private key either from clipboard or from file.
Copy to Obsolete button: Copy the current certificate to obsolete. This way it is possible to create a new certificate without losing the information of the old one.
Usage pull-down menu: Selects whether the user can only log in with the active certificate or also with a certificate that is set to obsolete status.
Export to Clipboard button: Export the certificate to the clipboard. Clicking the button opens a dialog where you can additionally protect the certificate with a password.
Export to File button: Export the certificate to a file. You've got to choose whether you want to protect the certificate with a password or not.
Export Issuer Cert button: Exports the issuer certificate to a .cer-file.
Certificate Mgmt button: Opens the Crypto Provider Frame.

2.6.1.2 Templates Tab

This tab lists all templates that have been introduced on this VPN server.
Templates contain sets of parameters (DNS server IP, WINS server IP, ) needed for personal VPN access. Define templates with pre filled-in frequently used data content, to facilitate VPN client profile administration.

In order to create a new template, lock the dialog, and click New Template within the context menu.

Fig. 524 Template Configuration

List 526 VPN Configuration - Client to Site - VPN CA Tab - Template Creation
Name: Name of the template (for example, the name of the user the template will be assigned to).
DNS: IP address of the DNS server assigned to the client.
WINS: IP address of the WINS server assigned to the client.
Domain: DNS domain assigned to the client.
VPN Rules: From this list, a rule set may be selected and therewith assigned to a VPN client's Barracuda NG Personal Firewall during an active VPN connection (6. Configuring the Personal Firewall, page 257).
Offline Rules: From this list, a rule set may be selected and therewith assigned to a VPN client's Barracuda NG Personal Firewall. The offline rule set is applicable while the client is not connected to a VPN server. Note that the Offline Rule Set overwrites a possibly existing user customized local rule set defined in the Barracuda NG Personal Firewall on the client itself (6. Configuring the Personal Firewall, page 257).
Message: From this list, a predefined welcome message (see 2.6.3 Messages Tab, page 232) may be selected and therewith assigned to a VPN client.
Bitmap: From this list, a predefined bitmap (see 2.6.4 Pictures Tab, page 232) may be selected and therewith assigned to a VPN client.
Key Time Limit: Defines the period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
Key Traffic Limit: Defines the amount of traffic after which the re-keying process is started. Possible settings are: No Limit, 50 MB, 10 MB (default), 5 MB, 1 MB.
Tunnel Probing: Defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) will be in charge. Available pre-defined time values (in seconds) are:
- silent (no probes are sent; disables the parameter)
- 10 secs
- 20 secs
- 30 secs (default)
- 60 secs


List 526 VPN Configuration - Client to Site - VPN CA Tab - Template Creation (continued)
Parameter Description
Tunnel Timeout: If, for any reason whatsoever, the enveloping connection breaks down, the tunnel needs to be re-initialized. This is extremely important for setups with redundant possibilities to build the enveloping connection. The parameter defines the period of time after which the tunnel is terminated. The pre-defined available values (in seconds) are:
- 10 secs
- 20 secs (default)
- 30 secs
- 60 secs
Note:
The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet connections or connections over a dedicated line.
Network Routes: Routes assigned to the client when connecting to the VPN server.
Note:
Up to 63 network routes may be defined.
Accepted Ciphers: Encryption method allowed for users of this template when connecting to the VPN server.

2.6.2 External CA Tab

2.6.2.1 Configuring Group VPN

Fig. 525 VPN Configuration Block Diagram - Configure Group VPN
[Block diagram: Requirements for Personal Remote Access met? If no: introduce and configure Box, Server, Firewall, VPN Service. If yes: configure VPN server (install keys/server and root certificates), configure personal networks, configure personal VPN. VPN groups required? If yes: get group names (DC, OU, ...), then configure VPN group policies and VPN group settings; if no: configure VPN tunnel settings. VPN is ready to use.]

Group VPN allows specification of global settings for VPN personal tunnels using an external x.509 certificate. Furthermore, group configurations concerning the used authentication scheme or certificate can be defined.

2.6.2.2 Gathering Group Names

In order to have a working group VPN, you have to know the proper group names. The corresponding group names can be obtained from your assigned administrator.

Note:
If MSAD or LDAP is used, the distinguished names are used for group_name; please have a look at Appendix 1.1 How to gather Group Information, page 544.

2.6.2.3 Configure VPN Group Policies

In order to create VPN policies, enter the External CA tab, lock the configuration dialog and enter the required information into the tabs described in the following.

Note:
As the configurations of Rules and Policies are interdependent on settings configured within the other tabs Common, Barracuda and IPSec, the following configuration sections are described right-to-left, beginning with a description of tab IPSec.

2.6.2.4 IPSec Tab

This tab is used for defining (multiple) templates concerning Phase 2 of an IPsec connection. In order to create IPsec Phase 2 datasets, activate the tab, lock the configuration dialog and select New phase II from the context menu.

List 527 VPN Configuration - Client to Site - External CA Tab > IPSec Tab - Phase 1 (default) / Phase 2 Section
Parameter Description
Encryption: Type of encryption to be used. Available algorithms for both Phase 1 and Phase 2 are: AES, AES256, 3DES (default), Blowfish, CAST, and DES.
Hash Meth.: Type of hash algorithm to be used. Available algorithms are MD5 (default) and SHA.
DH-Group: The Diffie-Hellman Group parameter defines the type of key exchange. Available options for this parameter are Group1 (default; 768-bit modulus), Group2 (1024-bit modulus), Group5 (1536-bit modulus) and none.

List 528 VPN Configuration - Client to Site - External CA Tab > IPSec Tab - Lifetime Section
Parameter Description
Time: Rekeying time in seconds the server offers to the partner.
Minimum: Minimum rekeying time in seconds the server accepts from its partner.
Maximum: Maximum rekeying time in seconds the server accepts from its partner.


2.6.2.5 Barracuda Tab

In order to create connection datasets, activate the tab, lock the configuration dialog and select New Barracuda from the context menu.

Fig. 526 New Barracuda NG Client Policy

List 529 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab - Barracuda Section
Parameter Description
Tunnel Probing: The probing parameter defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) is in charge. The available time settings (in seconds) for the probing parameter are:
- silent (no probes are sent; disables the parameter)
- 10 secs
- 20 secs
- 30 secs (default)
- 60 secs
Tunnel Timeout: Defines the period of time after which the tunnel is terminated. If, for some reason, the enveloping connection breaks down, the tunnel needs to be re-initialized. This is extremely important in setups with redundant possibilities to build the enveloping connection. The available settings (in seconds) for the timeout parameter are:
- 10 secs
- 20 secs (default)
- 30 secs
- 60 secs
Note:
The ideal value strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet connections or connections via dedicated lines.
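How Tunnel Probing, Tunnel Timeout and the two re-keying limits (Key Time Limit, Key Traffic Limit) interact is easier to see in a small model than in the parameter descriptions alone; the same four parameters appear in the template list above and again for TINA site-to-site tunnels later in this chapter. The following Python is an added example written for this edition of the guide, not Barracuda code: the probe/answer timeline, the treatment of "MB" as 1024 x 1024 bytes and the rule that the timeout counts from the first unanswered probe and is cleared by the next answered one are assumptions made for the example. The settings validation only admits the values the dialogs offer, so a mistyped value cannot silently disable probing or stretch the re-keying interval.

```python
"""Constructed model of the tunnel keep-alive parameters (Tunnel Probing,
Tunnel Timeout) and the re-keying limits (Key Time Limit, Key Traffic Limit).
Added for illustration; it is not Barracuda code, and the probe/answer timeline
and byte accounting are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Optional

# Values offered in the configuration dialogs; None stands for "silent" / "No Limit".
PROBE_INTERVALS = {None, 10, 20, 30, 60}
TIMEOUTS = {10, 20, 30, 60}
KEY_TIME_LIMITS = {5, 10, 30, 60}           # minutes
KEY_TRAFFIC_LIMITS = {None, 50, 10, 5, 1}   # MB
MB = 1024 * 1024                            # assumption: MB is read as 1024 x 1024 bytes


@dataclass
class TunnelSettings:
    probe_interval: Optional[int] = 30      # Tunnel Probing, seconds (None == silent)
    timeout: int = 20                       # Tunnel Timeout, seconds
    key_time_limit: int = 10                # Key Time Limit, minutes
    key_traffic_limit: Optional[int] = 10   # Key Traffic Limit, MB (None == No Limit)

    def validate(self):
        """Reject values the dialogs do not offer, so a typo cannot silently
        disable probing or stretch the re-keying interval."""
        checks = [
            ("Tunnel Probing", self.probe_interval, PROBE_INTERVALS),
            ("Tunnel Timeout", self.timeout, TIMEOUTS),
            ("Key Time Limit", self.key_time_limit, KEY_TIME_LIMITS),
            ("Key Traffic Limit", self.key_traffic_limit, KEY_TRAFFIC_LIMITS),
        ]
        for name, value, allowed in checks:
            if value not in allowed:
                raise ValueError(f"{name} {value!r} is not an offered setting")


@dataclass
class Outcome:
    terminated_at: Optional[int] = None          # second at which the tunnel was torn down
    rekeys: list = field(default_factory=list)   # (second, "time" | "traffic") pairs


def simulate(settings, answered, horizon, bytes_per_second=0):
    """Advance a one-second clock up to `horizon`.

    `answered` is the constructed set of probe send-times the peer answers;
    every other probe goes unanswered. The timeout runs from the first
    unanswered probe and is cleared by the next answered one, which is how the
    guide describes Tunnel Timeout taking over when a probe is not answered.
    With probing set to silent no probes are sent, so the timeout never fires.
    """
    settings.validate()
    out = Outcome()
    pending_since = None      # send-time of the oldest unanswered probe
    last_rekey = 0
    traffic = 0
    for now in range(1, horizon + 1):
        # Re-keying: whichever limit is reached first starts a new key.
        traffic += bytes_per_second
        if now - last_rekey >= settings.key_time_limit * 60:
            out.rekeys.append((now, "time"))
            last_rekey, traffic = now, 0
        elif settings.key_traffic_limit is not None and traffic >= settings.key_traffic_limit * MB:
            out.rekeys.append((now, "traffic"))
            last_rekey, traffic = now, 0
        # Probing and timeout.
        if settings.probe_interval is None:
            continue
        if now % settings.probe_interval == 0:
            if now in answered:
                pending_since = None
            elif pending_since is None:
                pending_since = now
        if pending_since is not None and now - pending_since >= settings.timeout:
            out.terminated_at = now
            break
    return out
```

With the defaults (probing 30 s, timeout 20 s) a probe that goes unanswered at second 90 tears the tunnel down at second 110, while probing every 10 s with a 30 s timeout tears it down 30 s after the first missed probe; the shorter interval detects a dead enveloping connection sooner but costs more keep-alive traffic, which is the trade-off behind the 30 s / 10 s recommendation in the note above.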

List 529 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab - Barracuda Section (continued)
Parameter Description
Name field: Name of the dataset. By ticking the checkbox Disabled, the settings are disabled.
Secure Client checkbox: When set, access is granted only to Secure Clients.
ENA (Exclusive Network Access): If set to yes, this causes any network access other than the tunnel to be blocked for the client. If the client does not have ENA set within its configuration, no access will be granted.
Domain field: Name of the partner's domain.
Message pull-down menu: Available welcome messages to be shown to the client after establishing the VPN tunnel (see 2.6.3 Messages Tab, page 232).
VPN Rules pull-down menu: Available rule sets for the client's Barracuda NG Personal Firewall. As long as the VPN tunnel is established, this rule set is active (see 2.6.6 VPN FW / Offline FW Tab, page 232).
Offline Rules pull-down menu: Available offline rule sets for the client's Barracuda NG Personal Firewall. As long as the VPN tunnel is not established, this rule set is active (see 2.6.6 VPN FW / Offline FW Tab, page 232).
Bitmap pull-down menu: Available bitmaps to be shown to the client while the VPN tunnel is being established (see 2.6.4 Pictures Tab, page 232).
Registry pull-down menu: Available registry checks for selection (see 2.6.1 VPN CA Tab, Registry Tab, page 232). The checks are carried out when connecting.
Firewall Always ON checkbox: Disables the deactivation of the client's Barracuda NG Personal Firewall when ticked.
Key Time Limit: Defines the period of time after which the re-keying process is started. Possible settings are:
- 5 minutes
- 10 minutes (default)
- 30 minutes
- 60 minutes
Key Traffic Limit: Defines the amount of traffic to be processed before the re-keying process is started. Possible settings are:
- No Limit
- 50 MB
- 10 MB (default)
- 5 MB
- 1 MB

List 530 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab - Accepted Ciphers Section
Parameter Description
This section specifies the encryption algorithm(s) to be accepted from the client at connection time. If the client tries to establish a tunnel using a cipher type not specified here, then it will not be able to connect.

2.6.2.6 Common Tab

In order to create common datasets, activate the tab, lock it and select New common from the context menu.

Fig. 527 New Common - Common Settings

List 531 VPN Configuration - Client to Site - External CA Tab > Common Tab - Common Section
Parameter Description
Name field: Name of the data set.


List 531 VPN Configuration - Client to Site - External CA Tab > Common Tab - Common Section (continued)
Parameter Description
Statistic Name field: Name to be displayed within the statistics.
Assigned Network pull-down menu: The defined networks (see 2.3.1 Personal Networks Tab, page 218) are available for selection here.
DNS field: IP address of an optional DNS server.
WINS field: IP address of an optional WINS server.

List 532 VPN Configuration - Client to Site - External CA Tab > Common Tab - Network Routes Section
Parameter Description
This section is used to define network routes. Enter an IP address and click Add to add the entry to the listing on the right side.
Note:
You may define up to 63 network routes.

List 533 VPN Configuration - Client to Site - External CA Tab > Common Tab - ACL Section
Parameter Description
This section is used to define the ACL (Access Control List). Enter an IP address and click Add in order to add the entry to the listing on the right side.

2.6.2.7 Policy Tab

In order to create VPN group policies, activate this tab, lock it and select New Policy from the context menu.

Fig. 528 Configuration Dialog - New policy

If settings at the tabs Common, Barracuda and IPSec have not yet been configured and therefore can't be selected within the corresponding tabs as described here, then you may generate a new data set using the New button. Furthermore, an existing data set may be modified by selecting it and subsequently clicking Edit.

2.6.2.8 Configure VPN Group Rules

The VPN group rules specify the global settings for VPN personal tunnels using an external x.509 certificate and group configurations, such as which kind of certificate is to be used, or the type of authentication scheme.

The configuration consists of two separate instances:
- General settings, available via the link on top of the tab (alternately, the context menu entry Group Match Settings ...)
- Group policy conditions, available via the context menu entry New Rule

Note:
Take into consideration that it might be necessary to move the available group policies up and down in the list due to the sequential processing order. This movement is done by first selecting a policy item and then using the context menu entries Up or Down.

2.6.2.9 Change Group VPN Settings

Fig. 529 Change Group Match Settings

List 534 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings - X.509 Client Security Section
Parameter Description
Mandatory Client Credentials: Specifies the credentials to be used:
- X.509 Certificate - enforces authentication via certificate.
- External Authentication - enforces authentication via username / password.
Concurrent activation of both options forces both, certificate AND username / password authentication.
Certificate Login Matching: Specifies whether the alternative name in the certificate has to match the user login for successful authentication. Therefore, subjectAltName must contain an email type value and the user part of the e-mail address must match the login name (see 1.4.2 Authentication, External x.509 Certificate with Password Request, page 214, and/or, if not selected, External x.509 Certificate with User and Password Request, page 213).


List 535 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings - Server Section
Parameter Description
Authentication Scheme: Authentication scheme to be used. The following values are available:
- ldap
- msnt
- msad
- radius
- rsaace
Server Certificate: All available server certificates (see 2.3.4 Server Certificates Tab, page 221). When selecting -Use-Default-, the default server certificate is used (see 2.3.3 Root Certificates Tab, page 220).
Server Protocol Key: The key to be used. The entry -From-Server-Cert- causes the server certificate key to be used. Alternatively, any readily configured key that had been created within the VPN Server Settings (see 2.3.2 Server Key/Settings Tab, page 219) may be activated.
Used Root Certificates: The root certificate to be used to verify this VPN partner. The entry -Use-All-Known- allows all available root certificates to be used for the partner verification process. Alternatively, an explicit root certificate may be selected.
LDAP IP Attribute: Name of the attribute containing the IP address to be assigned to a VPN user. Only IP addresses from one of the personal networks configured within the VPN settings are allowed.
LDAP VPN Group Attribute: Name of the attribute containing the name of the group policy to be assigned to a VPN user. The rules within the assigned policy overrule other existing group policy rules. No connection will be possible if this attribute contains a nonexistent policy name.
X509 Login Extraction Field: Name of the attribute within the certificate containing the username. The VPN server requires a username of the VPN user for successful pre-authentication. If authentication takes place only using x.509 certificates, the VPN server needs to extract the username out of the x.509 certificate. Available fields:
- CN (Common Name)
- altName (Alternative Name)
- emailAddress (EmailAddress)

List 536 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings - Preauthentication Section
Parameter Description
Pre-authentication Scheme: Pre-authentication scheme to be used. The following values are available:
- ldap
- msad
- tacplus

Preauthentication Details:

Fig. 530 Preauthentication Details

List 537 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group VPN Settings > Preauthentication Details
Parameter Description
LDAP Authentication Selector Field: Name of the attribute within the LDAP compatible directory service / MSAD wherein the name of the authentication scheme is enclosed. Therewith, it is possible to assign a different authentication scheme to every user. The identifiers are the same as in the authentication service, e.g. MSAD. If there is an additional MSAD authentication scheme configured, the identifiers are user-specific, e.g. MSAD-HQ, RADIUS, etc. The values of the attribute can be transformed by right-clicking into the field beneath. For the attribute authScheme, e.g., enter the value pattern HQ and the scheme name msad2. The authentication service msad2 will then be used for the final authentication.
Note:
The authentication scheme defined within the Group VPN Settings will be deactivated as soon as this field is used.
LDAP Alternative Login Name Field: Name of the attribute containing an alternative login name. If users need to use different login names for authentication at the authentication server, these different login names may be defined on the pre-authentication server.
LDAP Group Information: Defines whether the group information of the pre-authentication server or that of the authentication server will be assigned to VPN users.

Group Policy Condition:

This section displays all configured VPN group policies. Right-click into the tab's main window and select New Rule from the context menu in order to create a new group policy, or mark an existing policy and subsequently select Show/Edit to view or edit the settings.

Fig. 531 Configuration Dialog - Group Policy Condition


If an LDAP compliant directory server has been chosen to be used for external authentication, clicking the Lookup button within External Group Condition (from external authentication) will open a dialog window allowing for more specific condition filtering within user or group data received from the MSAD:

Fig. 532 AD Lookup Dialog

Choose whether to use the current AD connection by checking or unchecking the Use Current AD connection checkbox. If unchecked, connection details may be set within the Connection section of the dialog.

The Advanced... button leads to another dialog with advanced settings, allowing the definition of certain timeout values.

The Object Filter field below accepts the entry of a string pattern needed for a match. Either Group or User data will be used as matching criteria by selecting the appropriate radio button.

The lower half of the dialog, titled Lookup Results, allows for querying the AD and testing match patterns as a help while assembling the object filter pattern.

List 538 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup
Parameter Description
Use Current AD connection: Selects whether to use the current connection or not. If this checkbox is active, the values defined within Connection will not be used.
Defined Connections: Dropdown to select a predefined connection.
Host Name or IP Address: The directory server's URI.
Login DN: Authentication characteristics of the defined directory server.
Port: Port of the directory server.
Use SSL: Selects whether to use Secure Socket Layer or not.
Group: Applies the match pattern defined within Object Filter to group data.
User: Applies the match pattern defined within Object Filter to user data.
Object Filter: Pattern string to be validated for matching.

List 539 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup > AD Lookup Advanced Settings
Parameter Description
Time Limit: Number of seconds the server waits for a search to complete.
Paged Time Limit: Number of seconds the server should wait for a page of search results.
Timeout: Number of seconds the client will wait for the server to return the result.

2.6.2.10 Security

List 540 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition
Parameter Description
Assigned VPN Group Policy: This list contains the available VPN group policies (see 2.6.2.3 Configure VPN Group Policies, page 227).

List 541 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition - X509 Certificate Conditions Section
Parameter Description
Subject: Type of group information to be taken into consideration. Clicking Edit/Show will open the Certificate Condition dialog (figure 533). This field uses pattern matching. If e.g. multiple OUs are required, they need to be separated using the / (slash) character. E.g., entering FOO*/COMPANY will result in a match for all subjects containing OU=FOO* just like OU=COMPANY.
Note:
For in-depth details about group information within MSAD or LDAP authentication schemes, see Appendix 1.1 How to gather Group Information, page 544.
Certificate Policy: Required value of the certificate policy field (e.g. OID: 2.5.29.32).
Generic OID: v3-extension field per OID number.
Content: Required content/value of the Generic OID field.

List 542 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition - External Group Condition Section
Parameter Description
Group Pattern: Pattern to match (case insensitive) for groups from an external authentication method (e.g. OU=Department1*).

List 543 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition - Peer Condition Section
Parameter Description
Barracuda Client / IPSec Client: Methods to be used by the VPN partners to allow the VPN tunnel establishment.
Peer Address / Network: ACL containing networks (address/mask) defining the allowed peer IPs. By clicking Add, a value is entered into the list to the left of this field. By selecting an entry in the list and clicking Delete, the entry in question can be removed.

Fig. 533 Certificate Conditions Configuration
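The group policy conditions described above (the Subject pattern with slash-separated alternatives from List 541, the case-insensitive Group Pattern from List 542 and the Peer Address / Network ACL from List 543), together with the Certificate Login Matching check of List 534 and the X509 Login Extraction Field of List 535, can be illustrated by evaluating them against a made-up peer. The following Python is an added example, not Barracuda code: the peer record, the policies, the case-sensitive comparison of the Subject pattern, the reading of CN / altName / emailAddress from the certificate and the first-match walk over the policy list (after the sequential-processing note in 2.6.2.8) are assumptions made for the example.

```python
"""Constructed illustration of how the conditions of a VPN group policy (the
Subject pattern of the X509 Certificate Conditions, the External Group
Condition and the Peer Condition), the X509 Login Extraction Field and the
Certificate Login Matching check could be evaluated. Not Barracuda code; the
peer data and policies below are made up for the example."""
import fnmatch
import ipaddress

# Constructed stand-in for what the server has learned about a connecting peer.
PEER = {
    "subject": {"CN": "jdoe", "OU": ["FOOBAR", "Sales"], "O": "Example Corp",
                "emailAddress": "jdoe@example.com"},
    "san_email": ["JDoe@example.com"],                   # subjectAltName rfc822Name values
    "groups": ["OU=Department1-East", "CN=VPN Users"],   # from the external authenticator
    "address": "192.0.2.17",
    "login": "jdoe",
}


def subject_matches(pattern, subject):
    """Subject condition: alternatives separated by '/', each a wildcard pattern
    compared against the certificate's OU values. An empty pattern matches any
    subject. Assumption: the comparison is case-sensitive."""
    if not pattern:
        return True
    ous = subject.get("OU", [])
    return any(fnmatch.fnmatchcase(ou, alt) for alt in pattern.split("/") for ou in ous)


def group_matches(pattern, groups):
    """External Group Condition: case-insensitive wildcard pattern (e.g.
    OU=Department1*) against the groups the external authentication returned."""
    if not pattern:
        return True
    return any(fnmatch.fnmatchcase(g.lower(), pattern.lower()) for g in groups)


def peer_allowed(networks, address):
    """Peer Condition: list of address/mask networks; an empty list allows any peer."""
    if not networks:
        return True
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def extract_login(peer, field):
    """X509 Login Extraction Field. Assumption: CN reads the subject CN,
    emailAddress the subject emailAddress attribute and altName the first
    rfc822Name SAN; for the e-mail forms the user part is returned."""
    if field == "CN":
        return peer["subject"].get("CN")
    if field == "emailAddress":
        mail = peer["subject"].get("emailAddress")
    elif field == "altName":
        mail = next((m for m in peer["san_email"] if "@" in m), None)
    else:
        raise ValueError(f"unknown extraction field {field!r}")
    return mail.split("@", 1)[0] if mail and "@" in mail else None


def login_matches_certificate(login, san_email):
    """Certificate Login Matching: some subjectAltName e-mail value must have a
    user part equal to the login. No e-mail SAN means no match (fail closed).
    Assumption: the comparison is case-insensitive."""
    return any("@" in m and m.split("@", 1)[0].lower() == login.lower() for m in san_email)


def select_policy(policies, peer, require_login_match=False):
    """Walk the policies in list order and assign the first whose conditions all
    hold, mirroring the guide's note on sequential processing; None if none."""
    if require_login_match and not login_matches_certificate(peer["login"], peer["san_email"]):
        return None
    for pol in policies:
        if (subject_matches(pol["subject"], peer["subject"])
                and group_matches(pol["group_pattern"], peer["groups"])
                and peer_allowed(pol["peer_networks"], peer["address"])):
            return pol["name"]
    return None


# Constructed policies, in processing order (most specific first).
POLICIES = [
    {"name": "hq-admins", "subject": "ADMIN*/HQ", "group_pattern": "",
     "peer_networks": ["10.0.0.0/8"]},
    {"name": "sales-remote", "subject": "FOO*/COMPANY", "group_pattern": "OU=Department1*",
     "peer_networks": ["192.0.2.0/24"]},
    {"name": "catch-all", "subject": "", "group_pattern": "", "peer_networks": []},
]
```

Because policies are tried in list order, a permissive entry such as catch-all placed first would shadow every more specific policy below it; this is the reason the guide's note on moving policies Up or Down matters. The login-matching check is evaluated before any policy and fails closed when the certificate carries no e-mail subjectAltName, so a certificate that cannot be tied to the login does not fall through to a weaker policy.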


2.6.3 Messages Tab

Customized welcome messages may be defined within the Messages tab for later assignment to specific licenses. Assigned messages are displayed within the VPN client requesting connection to a VPN server after successful connection establishment.

2.6.4 Pictures Tab

Customized pictures (e.g. a company logo) may be defined within the Pictures tab for later assignment to specific licenses. Assigned pictures are displayed within the VPN client requesting connection to a VPN server after successful connection establishment.

Note that only files of the type bitmap (.bmp) with a maximum color depth of 256 colors and a maximum size of 150x80 pixels may be imported.

2.6.5 Registry Tab

Use this configuration dialog to define registry checks to be performed on the client's system on connection. You may here specify the action to perform depending on the given situation. For example, the connection attempt could be terminated or a warning could be generated if the virus scanner auto-update was deactivated on the connecting client.

Select New Registry Rule set from the context menu and enter a name for the rule set. Right-click into the appearing configuration window and choose New from the context menu in order to open the configuration dialog displayed in figure 534.

Fig. 534 Configuration Dialog for Registry Rules

2.6.5.1 Security

List 544 VPN Configuration - Client to Site - Registry Tab > New Registry Rule Set - Registry Entry Section
Parameter Description
Path: Enter the path to the registry entry that is to be checked.
Value: Enter the value for the required readout.
Action: Specify the action to take on value mismatch. Possible actions are termination of the connection (default) or generation of a warning message.

2.6.6 VPN FW / Offline FW Tab

These tabs allow specification of two kinds of rule sets for the Barracuda NG VPN client's Personal Firewall:
- Personal VPN Firewall: This rule set applies when being connected via VPN. The server-held VPN Firewall rule set is sent to the client during the connection establishment process.
- Personal Offline Firewall: This rule set applies in case there is no connection via VPN. The offline rule set replaces the customized rule set of the client's Barracuda NG Personal Firewall. Hence, it assures that the company policy for Internet access is enforced.

Due to the complexity of this configuration tree entry, have a look at Configuring the Personal Firewall, page 257.

2.7 Configuring VPN Tunnel Settings

Fig. 535 VPN Configuration Block Diagram - Configure VPN Tunnel
[Block diagram: Requirements for Personal Remote Access met? If no: introduce and configure Box, Server, Firewall, VPN Service. If yes: configure VPN server (install keys/server and root certificates), configure personal networks, configure personal VPN. VPN groups required? If yes: get group_name (DC, OU, ...), then configure VPN group policies and VPN group settings; if no: configure VPN tunnel settings. VPN is ready to use.]

Each tunnel has some general settings besides the routing relevant information. These include the way the tunnel is built up and kept active.

Note:
You may define up to 2048 VPN tunnels (sum of client-to-site and site-to-site tunnels).

In order to access the configuration dialogs, double-click Site to Site (accessible through Config > Virtual Servers > Assigned Services > <servicename> (vpnserver)).

The main task in building a Virtual Private Network is the creation of IP tunnels. The basics of IP tunnelling are rather simple.

Note:
However, the details can be difficult to set up because of overlapping IP address ranges and redundancy needs.
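The registry checks of the Registry tab (List 544: a Path, the Value the readout must have, and an Action of terminate or warn on mismatch) amount to a small posture-check rule engine. The following Python is an added example, not Barracuda code: the rule set, the two client readouts, the case-insensitive path normalisation and the precedence rule that one terminate-mismatch outweighs any number of warn-mismatches are assumptions made for the example; a value the client does not report at all is treated as a mismatch, so an absent key cannot pass the check.

```python
"""Constructed illustration of how registry rule sets of the kind described
for the Registry tab (Path, Value, Action) could be evaluated against the
values a connecting client reports. Not Barracuda code; the rules and client
readouts below are made up for the example."""
from dataclasses import dataclass

TERMINATE = "terminate"   # default action on mismatch, as in the guide
WARN = "warn"


@dataclass(frozen=True)
class RegistryRule:
    path: str               # registry path to check
    value: str              # value the readout must equal
    action: str = TERMINATE


def norm_path(path: str) -> str:
    """Windows registry paths are case-insensitive; unify separators and case
    so that the same key written differently is compared correctly."""
    return path.replace("/", "\\").strip("\\").lower()


def evaluate_rules(rules, client_values):
    """Compare each rule with the client's readout. A missing entry counts as a
    mismatch (fail closed). Returns (verdict, findings): verdict is 'terminate'
    if any terminate-rule mismatched, 'warn' if only warn-rules mismatched,
    otherwise 'ok'; findings lists (path, action, actual value) per mismatch."""
    readout = {norm_path(k): str(v) for k, v in client_values.items()}
    findings = []
    for rule in rules:
        if rule.action not in (TERMINATE, WARN):
            raise ValueError(f"unknown action {rule.action!r} for {rule.path}")
        actual = readout.get(norm_path(rule.path))
        if actual != rule.value:
            findings.append((rule.path, rule.action, actual))
    if any(action == TERMINATE for _, action, _ in findings):
        return TERMINATE, findings
    if findings:
        return WARN, findings
    return "ok", findings


# Constructed rule set: the virus scanner must auto-update (terminate on
# mismatch, the default) and the client firewall service must start
# automatically (warn only).
RULES = [
    RegistryRule(r"HKLM\SOFTWARE\ExampleAV\AutoUpdate", "1"),
    RegistryRule(r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleFW\Start", "2", WARN),
]

# Constructed readouts from two clients (paths deliberately differ in case).
COMPLIANT_CLIENT = {
    r"HKLM\SOFTWARE\ExampleAV\AutoUpdate": 1,
    r"hklm\system\currentcontrolset\services\examplefw\start": 2,
}
NONCOMPLIANT_CLIENT = {
    r"HKLM\SOFTWARE\ExampleAV\AutoUpdate": 0,
    r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleFW\Start": 3,
}
```

Keeping the verdict separate from the list of findings lets the server log every mismatched path (useful when a warning is raised but the connection is allowed) while still applying a single decision to the connection attempt.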


The goal is to get a transparent connection from a host within a local network to another host within a partner network.

Table 54 Involved Objects within a VPN Framework
Object Description
Local Network: The source IP addresses that should use the tunnel to reach the partner network.
IP Address used for tunnel: IP address used by the system to build up the tunnel enveloping connection to the VPN server #2.
Peer IP: IP address of VPN server #2 used to build up the tunnel enveloping connection.
Partner Network: Destination addresses to be reached via the tunnel by the local networks.

Note:
Barracuda Networks provides a tool called vpnadminclt (/opt/phion/bin/) for direct access on the VPN server for the "root" user.
Usage of this tool:
/opt/phion/bin/vpnadminclt <server>_<service> <protocol command>

Available commands:
- kill <name> (example: kill FW2FW-2hq1) - terminates a Site-To-Site tunnel
- ipsechardkill <name> - terminates IPsec site-to-site tunnels
- init <name> (example: init FW2FW-2hq1) - establishes a tunnel
- disable <num> <name> (example: disable 0 FW2FW-hq1) - disables (num is 0) or enables a tunnel permanently (num is -1), or enables a tunnel with a time limit of x seconds (num is greater than 0)

Fig. 536 Scheme with the Basic Notations of VPN Tunnelling
[Diagram: Local network - VPN server 1 - secure encrypted tunnel (IP used for tunnel on the local side, Peer IP on the partner side) - VPN server 2 (Partner server) - Partner network]

2.7.1 Configuring TINA Tunnels (Firewall-to-Firewall Tunnels)

Step 1 Enter config tree entry Site to Site > TINA Tunnels tab and lock the configuration dialog

Step 2 Create a new tunnel object
Access the tunnel configuration dialog via the context menu entry New TINA tunnel

Step 3 Set the general tunnel settings

Fig. 537 Tunnel Configuration
[Dialog sections: General tunnel settings; TI transport classification; Tunnel parameters]

2.7.1.1 Security

List 545 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel - General Tunnel Settings Section
Parameter Description
Name: Tunnel name, needed for informational and partner identification purposes.
Note:
The maximum length of this parameter is 64 characters.
Disabled checkbox: Disables the tunnel manually.
Direction: Operational mode of the tunnel. Each tunnel may be operated in one of the following modes:
- Active: An active VPN server accepts tunnel requests and it tries to initiate the tunnel connection. When the tunnel is down for a defined time (see Tunnel Timeout, page 234), it will clean its state to accept retries from its partner. Furthermore, it will try to initiate the connection by itself.
- Passive: A passive VPN server does not build up the tunnel, it merely accepts requests from its partner. If the tunnel is down for a defined time (see Tunnel Timeout, page 234), it will clean its state to accept retries from its partner.
Note:
Do not try to establish a tunnel between two passive VPN servers as both would wait for the other to initiate the tunnel.
- OnDemand: This direction type is only of interest in combination with traffic intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). A VPN server set to direction mode OnDemand will actively build up a connection and will then terminate it again as soon as the connection times out. This timeout is configured through the On Demand Transport Timeout (page 239) parameter.
Note:
It is possible to set both VPN servers to OnDemand in the GTI editor (Barracuda NG Control Center - 15.2.2.4 Defining Tunnel Properties, page 495).


List 545 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel - General Tunnel Settings Section (continued)
Parameter Description
Transport: Transport mode of the tunnel; only accessible if Direction is set to active. Four options are available:
- UDP: Tunnel uses UDP port 691 to communicate. This connection type is suited best for response optimized tunnels.
- TCP: Tunnel uses TCP connection on port 691 or 443 (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies.
- UDP&TCP: Tunnel uses TCP AND UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.
- ESP: Tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance optimized tunnels.
Note:
Do not use ESP if there are filtering or NAT interfaces in between.
- Routing:
Attention:
Unencrypted data.
This transport type is only of interest in combination with traffic intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). Specifying routing as transport disables data payload encryption within the tunnel. This transport method should only be used for uncritical bulk traffic. Transport type Routing activates parameter Routing Next-Hop within the VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel - TI Transport Classification Section, List 546 (page 236), where the next-hop address for the routed data packets is to be specified.
Encryption: Encryption mode the tunnel wants to establish as the active part. Tunnels work by utilising various encryption algorithms. The initialising partner tries to establish the encrypted connection by offering only one of the following methods.
- AES: Advanced Encryption Standard; default; capable of 128/256 bit key length
- 3DES: Further developed DES encryption; three keys with each 56 bit length are used one after the other, resulting in a key length of 168 bit.
- CAST: by Carlisle Adams and Stafford Tavares; algorithm similar to DES with a key length of 128 bit.
- Blowfish: works with a variable key length (up to 128 bit)
- DES: Digital Encryption Standard; since DES is only capable of a 56 bit key length, it cannot be considered as safe any longer.
Attention:
Never use DES with strictly confidential data.
Key Time Limit: Period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
Tunnel Probing: The probing parameter defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) is in charge. Available time values (in seconds):
- silent (send no probes; this disables the parameter)
- 10 secs
- 20 secs
- 30 secs (default)
- 60 secs
Tunnel Timeout: If, for some reason, the enveloping connection breaks down, the tunnel has to be re-initialized. This is extremely important within setups with redundant possibilities to build the enveloping connection. The parameter defines the period of time after which the tunnel is terminated. Available time values (in seconds):
- 10 secs
- 20 secs (default)
- 30 secs
- 60 secs
Note:
The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet connections or connections over a dedicated line.
Authentication: Algorithm used for authentication. Available methods:
- MD5: Message Digest 5. Hash length is 128 bit.
- SHA: Secure Hash Algorithm. Hash length is 160 bit.
- NOHASH: See 1.4.6 Excursion: Description of VPN NoHash Security Issues, page 215.
- RIPEMD160: RACE Integrity Primitives Evaluation Message Digest. Hash length is 160 bit.
- SHA256: Secure Hash Algorithm. Hash length is 256 bit.
- SHA512: Secure Hash Algorithm. Hash length is 512 bit.
Key Traffic Limit: Amount of traffic after which the re-keying process is started. Available values:
- No Limit
- 50 MB
- 10 MB (default)
- 5 MB
- 1 MB
HW Acceleration: Selects the preferred encryption engine, that is the CPU or a hardware accelerator if present. This allows for load balancing between CPU and an optional crypto

Step 4 Set the tunnel parameters
The tunnel parameters section is split into the following tabs:
- Identify tab: This defines the identification type (Public Key, X509 Certificate (CA signed) or X509 Certificate (explicit), Box SCEP Certificate (CA signed)).
- Partner tab: Depending on whether the tunnel direction is passive or
card with more than one tunnel in use. active, the partner server may be a whole subnet
Use Acceleration Card (if present) (default)
To be used if a crypto accelerator hardware board is
(passive mode) or needs to be defined by single IPs
in use. Note that the corresponding module (active and bi-directional mode). The usage of more IPs
supporting the card has to be loaded within the local for redundant tunnel enveloping connections is
firewall settings (see VPN HW Modules, page 136).
described in 5.4 Redundant VPN Tunnels, page 255.
Use CPU
Use CPU acceleration. Import the public key of the tunnel partner via
clipboard or file. Principally, the public key is not
needed. However, it is strongly recommended to use
strong authentication to build up the tunnel enveloping
connection.

If you have two different tunnel connections configured between the same two peers, the keys are mandatory.
The Accepted Ciphers section is used for defining the accepted encryption methods.

• Partner Networks tab
The VPN tunnel makes partner networks accessible through the assigned VPN interfaces. Insert the address(es) of the partner network(s) into the Addr/Mask list.
The tunnel is fed through vpn0 by default. You may use another VPN interface by adjusting the VPN Device Index.
Note:
You have to create indexed VPN interfaces first if you want to use this option (2.3.2 Server Key/Settings Tab, Device Index, page 220).
Select the Advertise Route checkbox to propagate routes to the partner networks using OSPF/RIP.

• Local Networks tab
The local networks that should be able to reach the partner networks. This may be a list of networks or single IP addresses. Since this setting is typically shared by several tunnels, it may be defined within the menu item Local Networks and referenced within the single tunnel configurations.

• Parameter tab
Use this tab to define the connection type.

• Tunnel Parameter Template
This may be used to activate templates (as predefined in the Parameter templates tab) or to define values explicitly. With scheme -explicit-, the fields below are available.

• IP Address or Device used for Tunnel Address
Option First Server IP serves to inherit the first server IP from the server settings.
Option Second Server IP serves to inherit the second server IP from the server settings.
Option Dynamic (via routing) causes the IP to be chosen by the routing table.
Option Explicit (ordered list) causes the explicit IPs or device names (entered below) to be used in the given order. This is important to ensure redundancy on the active side of the tunnel.

• Proxy Type
Option Direct (no Proxy) indicates the standard connection.
Option HTTP Proxy causes the use of an HTTP proxy server with optional user/password authentication.
Options Socks 4 Proxy / Socks 5 Proxy cause the use of a Socks 4/5 server.

• Scripts tab
This tab offers two separate sections called Start Script and Stop Script. It allows defining certain processes to be started when connecting via VPN and/or stopped when disconnecting.

• TI tab
Options in this tab are only of interest in combination with traffic intelligence configuration (2.7.1.2 Traffic Intelligence (TI)). See the TI tab description below (page 238).

2.7.1.2 Traffic Intelligence (TI)

The aim of VPN traffic intelligence employment is to offer a multi-transport construct within a VPN tunnel allowing for reliable and failsafe network connectivity. The multi-transport TI implementation within the Barracuda NG Firewall accommodates the following needs:
• Transports can be identified and classified. Transport classes are broken down into Quality, Bulk and Fallback traffic.
• Multiple transport methods (TCP, UDP, ESP, IP addresses, Cipher, Hash, Compression, ...) may be used in one tunnel at the same time.
• Transports may either be used simultaneously or on demand.
• Transport selection policies may be defined to steer network traffic.
• Standard routing may be used for uncritical traffic.

The diagram below shows the usage of different lines for different transport classes, e.g. provider lines for bulk transport (top), a frame relay for quality transport (middle), and UMTS (bottom) for fallback transport:

Fig. 538 Traffic Intelligence (TI)
[Figure: an HQ-Network and a Branch Office connected by one VPN carrying a Bulk, a Quality and a Fallback transport; caption "Multiple transports in VPN".]

TI employment relies upon the following mechanisms to achieve consistent transport selection policies:
• Transport quality is defined through firewall connection objects (see Step 6 Configure Connection Objects for use with Traffic Intelligence, page 237). Appropriate firewall rules referring to these connection objects need to be created in order to activate TI settings.
• Connection objects define primary and secondary transport class, and they determine general policy behavior if the preferred transports fail.
• Connection objects allow protecting from "expensive" transports by explicitly excluding their usage.
• Connection objects may be handled in the context of a master-slave concept by the tunnel endpoints. The connection object may be configured to advertise its settings (see parameter TI Learning Policy, page 237).

See figure 539 to understand the mechanism of the transport selection policy:

Fig. 539 Transport Selection Policy
[Figure: the transport classes Bulk, Quality and Fallback arranged from cheap (left) to expensive (right), each with TI-IDs 0 to 7 and rows for TI exclusion, TI class, TI status and TI ID; the preferred and the secondary transport are marked; transport selection policy: First try cheaper then try expensive.]

Multiple transport classes have been created for a TINA tunnel. As shown in figure 539, the following transports are available: Quality transport (TI-IDs 0, 2, 3, 5, 7), Bulk transport (TI-IDs 0, 1, 3, 7), Fallback transport (TI-IDs 0, 1, 3, 5, 6).

A connection object has been configured to use Quality transport with TI-ID 5 (Q5) as preferred transport and Bulk transport with TI-ID 3 (B3) as secondary transport. If both transport mechanisms fail, at first the cheaper, subsequently the more expensive transport is to be used. This policy will have the following effect if a firewall rule refers to the connection object:
• Q5 will be tried first.
• If the line is not available, then B3 will be tried next.
• If this line is also not available, then the next transport class with a TI-ID smaller than the preferred transport's will be tried. For this example, this is Q3. The succession to the cheaper end would now proceed towards Q2, Q0, B7, B3, B1, and B0.
• If none of these lines are available, tries will proceed towards the more expensive direction, resulting in trying the next higher class to the preferred transport, Q7. The succession would afterwards reach further from F0, F1, F3, ...

Note:
Transport classification is a prerequisite to traffic classification. See below for a detailed description of available configuration values.

Step 5 Configure Transport Classification
A new transport mode is initially added to a tunnel through selecting the tunnel in the TINA Tunnels tab and choosing Add Transport from the context menu. This opens the TINA Tunnel configuration window with the Partner tab (see above) pre-selected.
Confirming the changed settings by clicking the OK button at the bottom of the configuration window will then insert a new data set into the TINA Tunnel tab.

Fig. 540 TINA Tunnel with multiple transport modes added

First of all, the values in list 546 must be defined:

List 546 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel TI Transport Classification Section
Parameter: Description
TI Classification: This setting divides the transport rating into Bulk, Quality and Fallback traffic. Each transport inherits the identification type from its parent. Thus, keys and certificates may be shared among multiple transports. Transports may be equipped with unique keys and certificates though.
TI-ID: A Traffic Intelligence ID must be assigned to each added transport class in order to determine the transport selection policy succession. The values 0-7 are available, whereas lower numbers mean lower cost. The primarily created tunnel, being the first tunnel transport, is automatically regarded as Bulk transport with TI-ID 0. Each combination of transport classification and ID is unique in order to guarantee a consistent routing rule set. See figure 539 for a description of transport quality handling.
Compression: Compression support may be provided by the VPN engine for VPN client connections using Barracuda NG VPN Client. Generally, compression can be requested by the user. The server may or may not accept to serve the request depending on both its configuration and the license type assigned to the VPN client. Client compression is only available to those clients with a secure connector license assigned. The following settings are available:
No (default)
Denies VPN client compression requests.
Packet Compression (Low Latency)
This setting may be used for compression of all transport types.
Stream Compression (Large Latency)
This setting may only be used for compression of TCP based data streams. The attainable compression rate will be higher than can be achieved with packet compression.
Note:
The gateway hosting the VPN server must have a valid BOB license to use this feature. Refer to the product guide for license details. Whether your system is licensed for compression usage can be verified in the License Values field within the Control > Licenses tab (Control 2.5 Licenses Tab, page 37).
Note:
In order to activate compression operability, the VPN service has to be restarted after BOB license installation.
Routing Next-Hop: This parameter is only available when Routing is selected as Transport type (page 234). The direction must be set to Active to enable modification of the transport type. If the Transport type has been set to Routing, then you may change the direction to Passive again. Enter the next-hop address for forwarding of unencrypted data payload. Note that a next-hop IP address must be configured for both the active and the passive VPN partner.
Note:
For each transport, general tunnel settings and tunnel parameters may as well be specified individually.
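The succession from the figure 539 walk-through above (Q5, B3, then the cheaper and then the more expensive direction) and the Further Tries policy values of List 547 below, worked through as an added example; this is not Barracuda code, and it assumes a class cost order of Bulk < Quality < Fallback, which the page implies but does not state.

```python
# Added example (not Barracuda code): the transport selection order that a
# connection object's TI settings produce for a TINA tunnel, following the
# figure 539 walk-through and the "Further Tries" policy values of List 547.
# Assumption not stated on the page: classes cost Bulk < Quality < Fallback,
# so "cheaper" means a lower class first, then a lower TI-ID within the class.

CLASS_COST = {"B": 0, "Q": 1, "F": 2}   # B = Bulk, Q = Quality, F = Fallback

POLICIES = (
    "First try Cheaper then try Expensive",
    "Only try Cheaper",
    "First try Expensive then try Cheaper",
    "Only try Expensive",
    "Stay on Transport (No further tries)",
)


def cost(transport):
    """Rank a transport name such as "Q5" by (class cost, TI-ID)."""
    cls, ti_id = transport[0], int(transport[1:])
    if cls not in CLASS_COST or not 0 <= ti_id <= 7:
        raise ValueError("transport must be B/Q/F plus a TI-ID 0-7: %r" % transport)
    return (CLASS_COST[cls], ti_id)


def selection_order(available, preferred, secondary=None,
                    policy="First try Cheaper then try Expensive",
                    allowed=("B", "Q", "F")):
    """Return the order in which transports are tried for one connection.

    available: transports configured on the tunnel, e.g. ["Q5", "B3", ...]
    preferred / secondary: Preferred and Second Try Transport Class/ID
    allowed: classes enabled via Allow Bulk/Quality/Fallback Transports;
             an excluded class never appears in the further tries
    """
    if policy not in POLICIES:
        raise ValueError("unknown Transport Selection Policy: %r" % policy)
    usable = sorted({t for t in available if t[0] in allowed}, key=cost)
    order = [preferred]
    if secondary and secondary != "None (Not Used)":
        order.append(secondary)
    # Further tries walk away from the preferred transport: the cheaper
    # direction descends from its cost, the expensive direction ascends.
    cheaper = [t for t in reversed(usable) if cost(t) < cost(preferred)]
    expensive = [t for t in usable if cost(t) > cost(preferred)]
    further = {
        POLICIES[0]: cheaper + expensive,
        POLICIES[1]: cheaper,
        POLICIES[2]: expensive + cheaper,
        POLICIES[3]: expensive,
        POLICIES[4]: [],
    }[policy]
    return order + further


def transport_in_use(order, lines_up):
    """First transport of the try order whose line is currently up, or None
    when every candidate is down (the traffic is then not processed)."""
    for t in order:
        if lines_up.get(t, False):
            return t
    return None


# Constructed list of the transports shown in figure 539.
FIG_539_TRANSPORTS = ["Q0", "Q2", "Q3", "Q5", "Q7",
                      "B0", "B1", "B3", "B7",
                      "F0", "F1", "F3", "F5", "F6"]

if __name__ == "__main__":
    order = selection_order(FIG_539_TRANSPORTS, "Q5", "B3")
    print(" -> ".join(order))
    # Q5 -> B3 -> Q3 -> Q2 -> Q0 -> B7 -> B3 -> B1 -> B0 -> Q7 -> F0 -> ...
    lines_up = {t: False for t in FIG_539_TRANSPORTS}
    lines_up["B1"] = True
    print("carried on:", transport_in_use(order, lines_up))   # B1
```

Excluding the Fallback class via `allowed=("B", "Q")` shows the protection the Allow Bulk/Quality/Fallback Transports parameter gives: the expensive direction then stops at Q7.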

TI transport modes of a TINA tunnel are flagged with an icon within the listing. Additionally, the specified transport mode and TI-ID are displayed within the Enabled column, where B stands for Bulk, Q for Quality and F for Fallback transport.

Note:
It is not possible to modify the TI classification setting retroactively.

Before proceeding to traffic classification in the TINA tunnel transport classes themselves, let us have a look at the configuration of connection objects.

Step 6 Configure Connection Objects for use with Traffic Intelligence
For transport and traffic classifications to become effective, connection objects defining utilisation of transport and traffic mechanisms must be inserted into rule sets. Connection objects are described in detail in Firewall 2.2.6 Connection Elements, page 153. Values of interest for TI are the VPN Traffic Intelligence (TI) Settings described below. Click Edit/Show to open the TI Settings window:

List 547 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Transport Selection Section
Parameter: Description
Preferred Transport Class/ID: These multiple parameters define the first transport class and ID to use when the connection object is processed in a rule set. Available transport classes are Bulk, Quality and Fallback (On Demand), wherein each transport class may have a transport ID ranging from 0-7.
Second Try Transport Class/ID: These multiple parameters define the second transport class and ID to use when the connection object is processed in a rule set in case the first transport fails. Again, available transport classes are Bulk, Quality and Fallback (On Demand), each with a transport ID from 0-7 possible. If no further transport attempt is desired, None (Not Used) can be chosen as configuration value. If only one transport is in use (B0), you may leave the default values here.
Further Tries Transport Selection Policy: This section defines further transport attempts in case the first and the second transport class fail. Configurable values are:
First try Cheaper then try Expensive
Only try Cheaper
First try Expensive then try Cheaper
Only try Expensive
Stay on Transport (No further tries)
Configuring this section is important because it allows an exact specification of when to abort the transport. Correctly configured, it protects from processing less important traffic over expensive lines (see figure 539, page 236 for better understanding).
Balance Preferred and Second: Select Yes or No.
Note:
Session-based load balancing does not balance packets from one single connection but instead dispatches multiple connections to one of the defined transports.
TI Learning Policy: This parameter setting determines the general VPN tunnel endpoint firewall behavior this connection object is utilized in. Generally, it is reasonable to configure connection objects on both firewalls synchronously. TI Learning Policy settings apply per connection session. The following configuration options are offered:
Slave (learn TI settings from partner)
This way, the connection object adapts settings from the partner connection object when answering a request.
Master (propagate TI settings to partner)
This way, the connection object propagates TI settings to the partner, thus forcing it to override its own configuration when answering a request.
Note:
Set these values with deliberation. Both partner objects set to Master might lead to unwanted transport effects; both set to Slave will miss the information trim. Have a look at the process workflow in the Example for TI Learning Policy below.
Allow Bulk/Quality/Fallback Transports: Generally enables or disables transport classes for this connection object. By excluding expensive transports, this feature offers protection from unwanted transport utilisation.

List 548 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Traffic Prioritisation Section
Parameter: Description
When using BULK / When using QUALITY: Only relevant if the VPN transport is bandwidth protected. Sets the traffic priority assignment.
Note:
For this to work, the Bandwidth Protection settings are to be configured within the TI tab (see Step 7 below) of the corresponding transport.

Example for TI Learning Policy:

Fig. 541 TI Learning Policy Scheme
[Figure: FW1 (Master) behind VPN1 and FW2 (Slave) behind VPN2, connected by the transports Q1 and B0.]

Table 55 Example for TI Learning Policy
                                Connection Object1   Connection Object2
Preferred Transport Class/ID    B0                   Q1
Secondary Transport Class/ID    Q1                   B0
TI Learning Policy              Master               Slave

In the setup displayed in figure 541, firewall rules have been introduced allowing traffic from VPN1 to VPN2 and vice versa. Connection objects on both tunnel endpoints have initially been configured identically, but now the master connection object on FW1 has changed and been configured with B0 as preferred transport class / ID and Q1 as secondary transport class / ID. Traffic processing is now attempted from master to slave. The master propagates its settings to the slave. The slave adapts the information and

answers the connection request on B0, though this is not its own preferred transport.

Note:
The TI Settings window can be accessed from the Status tab in the Firewall Operative GUI (Firewall 6.3.2 Status List, page 179) through right-clicking an active transport session and selecting Change TI Settings from the context menu. Changes apply for the active session only.

Step 7 Configure Traffic Classification
In addition to the classification of transports, traffic may be categorized to enable individual handling for specific purposes.
To configure traffic classification settings for a transport, open the corresponding data set in the TINA Tunnel window and select the TI tab in the tunnel parameters section.
Differentiated traffic classification options are available in the following:

Bandwidth Protection

List 549 VPN configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab - Bandwidth Protection Section
Parameter: Description
Note:
Bandwidth protection within a transport relies upon a connection object being classified as low or high priority traffic. Configure this in the connection object itself (list 548, page 237).
Bandwidth Policy: These settings specify how much of the available bandwidth traffic may "grab" within a transport. The following settings are available:
Best Effort (No Protection)
In this mode, all traffic is processed through the transport with equal rights. An object's classification into low or high priority traffic is ignored. Full transport capacity might lead to bad response times and data loss.
Dynamic Bandwidth (TCP Transport only)
This setting is only available with the parameter transport set to TCP, as this is the only transport mode allowing for dynamic bandwidth assignment.
Note:
When using TCP, this is the recommended policy. Nonetheless, limits for Low Priority traffic must be specified, as it is otherwise going to be discarded completely when it cannot allocate any bandwidth at traffic peak times. Default values are 60 % for the Upper Limit and 20 % for the Lower Limit. See below for a description of how limits are calculated.
Attention:
Undercutting the lower limit of 20 % will cause the discarding of low priority traffic.
Fixed Bandwidth
A fixed bandwidth must be specified for all non-TCP transports, as for these the bandwidth needs cannot be calculated dynamically. A disadvantage of this method is the initial bandwidth already being subject to a limitation. A rule of thumb is required to set the value correctly. The fixed bandwidth (in kbit/s) needs to be defined through the Estimated Bandwidth parameter. Again, values for Low Priority Upper and Lower Limit must be specified. See below for a description of how limits are calculated.
Attention:
Undercutting the lower limit of 20 % will cause the discarding of low priority traffic.

Calculation of Low Priority Traffic Upper and Lower Limits
The dynamic bandwidth calculation method assumes a maximum available bandwidth of 100 %; the fixed bandwidth method operates using a static maximum for the available bandwidth according to the value specified within the Estimated Bandwidth parameter.
In the default setting, 60 % of the maximum bandwidth are assigned as Low Priority Upper Limit and 20 % as Low Priority Lower Limit. This means:
• Low priority traffic may utilize up to 60 % of the bandwidth as long as high priority traffic does not claim any bandwidth.
• The Low Priority Lower Limit of 20 % applies as soon as the sum of high and low priority traffic rises above the Low Priority Upper Limit of 60 %. Low priority traffic won't be processed any further if it already consumes 20 % of the bandwidth. It will be discarded even if more bandwidth would still be available. The available bandwidth may be consumed by up to 80 % high and 20 % low priority traffic. When high priority traffic requires capacity beyond this point, low priority traffic is held back because high priority traffic is always privileged. Therefore, it might happen in the worst case that, at times, low priority traffic is discarded completely.
Note:
The Low Priority Lower Limit setting does not imply a guaranteed bandwidth reservation. It can rather be looked upon as a measure to prevent immediate low priority traffic discarding at peak traffic times.

VPN Envelope Policy

List 550 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy
Parameter: Description
TOS Policy: Policy defining how to deal with the Type of Service (ToS) information within a packet's IP header. In networks, the ToS may be utilized to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. The following settings are available:
Copy TOS From Payload to Envelope
Note:
This setting can only be used with non TCP transports.
In this mode, the packet's original ToS information is copied to the envelope. Thus, it remains available for utilisation.
Fixed Envelope TOS
In this mode, ToS information is masked by enveloping it without consideration. This setting activates the parameter Envelope TOS Value (default: 0) where a fixed ToS value must be specified. All packets will then be assigned the same ToS information.
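The Low Priority Upper and Lower Limit rule from the section Calculation of Low Priority Traffic Upper and Lower Limits above, worked through as an added example. It is not Barracuda code: it models the rule as the page states it (high priority traffic is always privileged, the lower limit takes over once high plus low traffic exceeds the upper limit), which is an interpretation of the text, not the appliance's scheduler.

```python
# Added example (not Barracuda code) for the Low Priority Upper/Lower Limit
# rule of Bandwidth Protection.  Interpretation of the page's description,
# stated as an assumption: high priority traffic always gets what it asks for;
# low priority traffic may fill up to the upper limit while the sum of both
# stays below that limit, and is cut to the lower limit (or to whatever high
# priority traffic leaves, if that is less) as soon as the sum exceeds it.
# All rates share one unit: percent for Dynamic Bandwidth (maximum = 100),
# kbit/s for Fixed Bandwidth (maximum = Estimated Bandwidth).


def low_priority_share(high, low_demand, maximum=100.0,
                       upper_pct=60.0, lower_pct=20.0):
    """Rate granted to low priority traffic for a given high priority load."""
    upper = maximum * upper_pct / 100.0      # Low Priority Upper Limit
    lower = maximum * lower_pct / 100.0      # Low Priority Lower Limit
    high = min(high, maximum)                # high priority is privileged
    wanted = min(low_demand, upper)          # low never exceeds the upper limit
    if high + wanted <= upper:
        return wanted                        # lower limit not yet in force
    # Above the upper limit only the lower limit remains, and only as far as
    # high priority traffic leaves room: in the worst case nothing is left,
    # which is why the lower limit is not a reservation.
    return min(low_demand, lower, maximum - high)


def protection_table(maximum=100.0, upper_pct=60.0, lower_pct=20.0,
                     low_demand=None):
    """(high load, granted low rate) for high loads of 0 %, 10 %, ... 100 %
    of the maximum, with low priority traffic demanding low_demand
    (default: the whole link)."""
    if low_demand is None:
        low_demand = maximum
    rows = []
    for step in range(11):
        high = maximum * step / 10.0
        rows.append((high, low_priority_share(high, low_demand, maximum,
                                              upper_pct, lower_pct)))
    return rows


if __name__ == "__main__":
    # Dynamic Bandwidth with the default limits: low priority starts at 60 %,
    # drops to 20 % as soon as high priority traffic appears, and to 0 %
    # when high priority traffic saturates the link.
    for high, low in protection_table():
        print("high %5.1f %%  ->  low priority granted %5.1f %%" % (high, low))
    # Fixed Bandwidth with an Estimated Bandwidth of 2000 kbit/s (constructed
    # value): the same shape, expressed in kbit/s.
    print(protection_table(maximum=2000.0)[8])   # (1600.0, 400.0)
```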

List 550 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy (continued)
Parameter: Description
Band Policy:
Note:
Traffic shaping (Configuration Service 2.2.6 Traffic Shaping, page 82) must be configured for band policy settings to apply. Band policy settings work independently from bandwidth protection settings (see above).
Band policy settings rely on connection objects being allotted to Bands in firewall rule sets. These settings specify the assignment of bandwidth to transports as a whole. Multiple transports may share a single band when processed through the same interface. The following settings determine the behavior:
Use Band According to Rule Set
This setting uses the band from the firewall rule allowing traffic between the tunnel endpoints.
Copy Band From Payload To Envelope
This setting uses the band from the firewall rule redirecting traffic to the VPN tunnel entry point. The band setting for the rule configuring traffic between the tunnel endpoints is then ignored.
Fixed Envelope Band
This setting specifies a band statically. It activates the Envelope Band Value parameter below, where one of the available bands (System or Band A to Band G) must be selected.
Replay Window Size: The Replay Window Size is designed to assure sequence integrity and to avoid IP packet "replaying" in cases where, due to ToS policies assigned to VPN tunnels and/or transports, packets are not forwarded instantly according to their sequence number. The window size specifies a maximum number of IP packets that may be on hold until it is assumed that packets have been sent repeatedly and therefore sequence integrity has been violated. This value may also be defined globally (see Global Replay Window Size, page 219). If it is not set, and also no global value has been defined, then the default value of 32 packets is used. If a global value is set, then the global value is used.
The effective replay window size is visualized within the Transport Details window (attribute: transport_replayWindow). This may be accessed by double-clicking the tunnel within the VPN monitoring GUI > Active tab (see 4. Monitoring, page 252).

List 551 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab Transport (complement) Section
Parameter: Description
On Demand Transport Timeout: Only available with Direction mode OnDemand (page 233). It specifies the period of inactivity after which to terminate the tunnel (default: 60 seconds).
Delay: Only available with Direction mode OnDemand (page 233). When set, traffic is not processed the moment it arrives. Instead, it is delayed for the specified time span until more traffic has accumulated (default: 0 seconds, no delay).

2.7.2 Configuring IPsec Tunnels

Note:
For further information concerning the configuration of IPsec with Barracuda NG Firewall and for third-party appliances, have a look at the documentation phion netfence IPsec Configuration.

2.7.2.1 Overview

The IPsec suite of protocols is used to provide encryption and authentication at the IP layer, meaning authentication of data origin and integrity just like data content confidentiality and replay protection are transparent to any application operating on a higher layer than IP.

Note:
For general information concerning IPsec, see www.netbsd.org/Documentation/network/ipsec/

IPsec consists of three standards, namely:
• ESP (Encapsulating Security Payload)
Note:
Since ESP provides everything AH is capable of, but also provides data confidentiality and limited traffic flow confidentiality, we do not support AH yet.
• AH (Authentication Header)
• ISAKMP (Internet Security Association and Key Management Protocol) consists of two Steps:
- Phase 1 (Main-Mode)
- Phase 2 (Quick-Mode)

Establishing an IPsec Tunnel usually consists of the following steps:
Step 1 The "active" IPsec peer establishes a UDP Port 500 connection to the "passive" one. After that, both peers negotiate a main mode security association using their pre-shared secret. This is done in order to verify data integrity and confidentiality.
Step 2 Various quick-mode security associations are established on top of the existing phase 1 (main mode) security association. These provide keying and configuration material for the next step.
Step 3 Any IP packet matching a security association established prior to it will be encrypted and authenticated using the keying and configuration material found in the corresponding phase 2 security association.
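The window mechanism behind the Replay Window Size parameter above (and the replay protection the IPsec overview just mentioned), as an added example: a receiver-side sliding window of the kind IPsec ESP uses (RFC 4303), written here for illustration. It is not the appliance's code; only the default of 32 packets is taken from the page, and the bitmap bookkeeping is the standard textbook method.

```python
# Added example (not Barracuda code): a sliding anti-replay window as used by
# IPsec ESP receivers (RFC 4303 style).  Each packet carries a sequence
# number; a packet is accepted once, late packets are still accepted while
# they fall inside the window, and anything older than the window or already
# seen is treated as a replay.  The default size of 32 packets is the page's
# default Replay Window Size.


class ReplayWindow:
    def __init__(self, size=32):
        if size < 1:
            raise ValueError("window size must be at least 1 packet")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  <=>  highest - i was received
        self._mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay
        or has fallen behind the window (sequence integrity violated)."""
        if seq <= 0:
            return False                       # sequence numbers start at 1
        if seq > self.highest:
            # Packet advances the window: slide the bitmap right by the gap.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                # everything older drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.highest = seq
            return True
        offset = self.highest - seq            # how far behind the top
        if offset >= self.size:
            return False                       # older than the window
        if self.bitmap & (1 << offset):
            return False                       # already received: replay
        self.bitmap |= 1 << offset             # late but new: accept
        return True


def replay_verdicts(sequence, size=32):
    """Run a sequence of received sequence numbers through one window and
    return (seq, accepted) pairs."""
    window = ReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in sequence]


if __name__ == "__main__":
    # Constructed arrival order: 2 arrives late (still inside the window), 2
    # and 3 are then replayed, 40 jumps ahead, and 8 is then too old.
    for seq, ok in replay_verdicts([1, 3, 2, 2, 3, 40, 8, 9]):
        print("seq %2d  %s" % (seq, "accept" if ok else "drop"))
```

A window that is too small for the reordering a ToS policy causes drops legitimate late packets: with `size=4`, a packet 2 arriving after 1, 3, 4, 5 is still accepted, but after 6 has also arrived it is dropped as out of window.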

2.7.2.2 Configuring

The introduction of IPsec tunnels is very similar to that of Barracuda Networks to Barracuda Networks tunnels. The configuration, however, is rather different.

Fig. 542 IPSec Tunnel Configuration - Base Configuration Tab

List 552 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab
Parameter: Description
Name: Tunnel name, needed for informational and partner identification purposes.
Note:
IPsec tunnel names may contain a maximum of 26 characters.
Local Address: Local IP address.
Note:
Use 0.0.0.0/0 as local address when working with dynamic IPs.
Remote Address: Remote IP address.
Direction: Defines whether the tunnel is Active or Passive (default is Passive).
Note:
Direction Active implies accepting (Passive), too.

List 553 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Phase 1 and Phase 2 Section
Parameter: Description
Encryption: Type of encryption to use. Available algorithms for Phase 1 are: 3DES (default), DES and CAST. Available algorithms for Phase 2 are: AES, 3DES (default), CAST, Blowfish and DES.
Hash Meth.: Hash algorithm to use. Available algorithms are MD5 (default) and SHA.
DH-Group: The Diffie-Hellman Group parameter defines the type of key exchange. Available options for this parameter are Group1 (default; 768-bit modulus), Group2 (1024-bit modulus), and Group5 (1536-bit modulus).
HW Accel.: Hardware Acceleration. Selects the preferred encryption engine, the CPU or a hardware accelerator if present. This allows for load balancing between CPU and an optional crypto card with more than one tunnel in use.
Use Acceleration Card (if present) (default)
A crypto accelerator hardware board is installed and is to be used. Note that for this to work, the corresponding module supporting the card has to be loaded within the local firewall settings (see VPN HW Modules, page 136).
Use CPU
Use CPU acceleration.
Lifetime [sec]: Rekeying time in seconds the server offers to the partner.
Min. Lifetime [sec]: Minimum rekeying time in seconds the server accepts from its partner.
Max. Lifetime [sec]: Maximum rekeying time in seconds the server accepts from its partner.
Device Index: The tunnel is fed through vpn0 by default. Another VPN interface can be used by adjusting the VPN Device Index. Note that indexed VPN interfaces must be created first if this option is to be used (see 2.3.2 Server Key/Settings Tab, Device Index, page 220).

List 554 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Networks Section
Parameter: Description
Local Networks: The local networks.
Remote Networks: The remote networks.

Note:
For successful parameter negotiation, the parameters for phase 1 and phase 2 must meet the requirements of the remote peer.

The IPSec specification allows two possible values for the Local Networks and Remote Networks parameters if the local or the remote network consists of only a single IP address.
Most of the IPsec implementations Barracuda Networks is currently aware of represent a single IP address as a network address in combination with a subnet mask (255.255.255.255).
The IKE protocol is difficult to debug. Therefore, Barracuda NG Admin displays a warning message if IPsec networks contain single IP addresses.
It may happen that an IPSec connection cannot be established and the following error is shown:
no compatible proposals chosen
In this case, you should first verify whether both IPSec peers are using the same IPSec parameters (e.g. encryption, hash method, lifetime periods, Diffie-Hellman Group, etc.).
If all parameters are identical, but the tunnel still fails to establish, you may try to use network addresses (using netmask 255.255.255.252) for the local and remote network parameters.
If the tunnel can then be established properly, the involved IPSec implementations are not compatible for the use of single IP addresses. In this case it is required to reserve a whole network range for the IPSec tunnel.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



Fig. 543 IPSec Tunnel Configuration > Authentication Tab

List 555 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab

Identification Type: The following identification types are available for configuration:
  - Shared Passphrase
  - X509 Certificate (CA signed)
  - X509 Certificate (explicit)
  - Box SCEP Certificate (CA signed)

List 556 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Partner Identification Section

Depending on the configured identification type, different fields will become unlocked within the Partner Identification section (see 1.4.2 Authentication, page 213).

List 557 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Parameters Section

TOS Policy: This policy setting specifies the way to deal with the Type of Service (ToS) information contained within a packet's IP header. In networks, the ToS may be utilized to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. The following settings are available:
  Copy TOS From Payload to Envelope: The packet's original ToS information will be copied onto the envelope; this way, it stays available for utilisation.
    Note: This setting can only be used with non-TCP transports.
  Fixed Envelope TOS: ToS information is masked by enveloping it without consideration. This setting activates the parameter Envelope TOS Value (default: 0), wherein a fixed ToS value must be specified. The same ToS information will then be assigned to all packets.
Band Policy: Band Policy settings rely on connection objects being allotted to bands in firewall rule sets. These settings specify bandwidth assignment to transports as a whole. Multiple transports may share a single band if they are processed by the same interface. The following settings determine the behavior:
  Use Band According to Rule Set: Use the band from the firewall rule allowing traffic between the tunnel endpoints.
  Copy Band From Payload To Envelope: Use the band from the firewall rule redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints will be ignored if this is activated.
  Fixed Envelope Band: Specifies a static band. This activates the parameter Envelope Band Value below, wherein one of the available bands (System, Band A to Band G) must be selected.
  Note: Traffic shaping (Configuration Service 2.2.6 Traffic Shaping, page 82) must be configured for band policy settings to apply. Band policy settings work independently from bandwidth protection settings (see above).
Replay Window Size: The Replay Window Size is designed to assure sequence integrity and to avoid IP packet "replaying" in cases where, due to ToS policies assigned to VPN tunnels and/or transports, packets are not forwarded instantly according to their sequence number. The window size specifies the maximum number of IP packets that may be on hold until it is assumed that packets have been sent repeatedly and therefore sequence integrity has been violated. This value may also be defined globally (see Global Replay Window Size, page 219). If it is not set, and also no global value has been defined, then the default value of 32 packets is used. If a global value is set, then the global value is used.
  The effective replay window size is visualized within the Transport Details window (attribute: transport_replayWindow). This may be accessed by double-clicking the tunnel within the VPN monitoring GUI > Active tab (see 4. Monitoring, page 252).
Advanced RAW ISAKMP: Additional, optional parameters for establishing IPsec tunnels. When appending such an additional parameter, start out by entering the section the parameter is assigned to. The next line then contains the new parameter itself (one single value per line!). Example:
  [Section]
  key=value
  Sections defined this way are added to the end of the isakmpd.conf file. New parameters, however, are added on top of the according section.
  Note: For detailed information concerning the syntax to be used within this field, please consult www.openbsd.org/cgi-bin/man.cgi (man page: isakmpd.conf).
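What the Replay Window Size in List 557 governs, as an added illustration in Python that is not Barracuda code (the guide does not show the firewall's implementation): a sliding-window anti-replay check of the kind ESP implementations use, showing that a duplicate is rejected, that a packet delayed within the window is still accepted, and that a packet delayed by more than the window (default 32) is dropped as a suspected replay even though it was never duplicated. The arrival orders are constructed samples.

```python
"""Sliding-window anti-replay check, modelling what the Replay Window Size
parameter governs.  Added illustration, not Barracuda code: the guide does not
show the firewall's implementation.  Sequence numbers here are constructed."""
from __future__ import annotations


class ReplayWindow:
    """Accept each sequence number at most once, tolerating reordering of up
    to `size` packets (the guide's default when nothing is configured is 32).
    Bit i of `bitmap` records whether sequence number `highest - i` was seen."""

    def __init__(self, size: int = 32):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # seen-marks for highest, highest-1, ...

    def check(self, seq: int) -> bool:
        """Return True and mark `seq` as seen if it is acceptable, else False."""
        if seq <= 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.highest:
            # A new high-water mark: slide the window forward. Marks that fall
            # off the far edge are forgotten (those packets can no longer arrive).
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: outside the window
        if self.bitmap & (1 << offset):
            return False                      # already seen: a replay
        self.bitmap |= 1 << offset            # late but new: accept
        return True


def accepted(size: int, arrivals: list[int]) -> list[int]:
    """Sequence numbers that survive the check, in arrival order."""
    window = ReplayWindow(size)
    return [seq for seq in arrivals if window.check(seq)]


def dropped(size: int, arrivals: list[int]) -> list[int]:
    """Sequence numbers rejected as replays or as too old."""
    window = ReplayWindow(size)
    return [seq for seq in arrivals if not window.check(seq)]


if __name__ == "__main__":
    # Constructed arrival order: shaping lets packet 40 overtake 8 and 9.
    reordered = [1, 3, 2, 2, 40, 8, 9, 9]
    print(accepted(32, reordered))   # [1, 3, 2, 40, 9]: 2 and 9 repeated, 8 too old
    # The same kind of stream with a too small window loses legitimate packets.
    print(dropped(4, [1, 6, 2, 3]))  # [2]: 6 - 2 = 4 is outside a 4-packet window
```

A window that is too small for the reordering introduced by ToS-based queuing therefore shows up as packet loss inside the tunnel, which is why the effective value (transport_replayWindow) is worth checking before suspecting the peer.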
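The merge rules stated for Advanced RAW ISAKMP above (a [Section] line followed by one key=value per line; unknown sections appended at the end of isakmpd.conf, parameters for an existing section placed on top of that section), as an added Python example that is not the firewall's own code. The isakmpd.conf excerpt and the RAW fragment are constructed samples; the parser also rejects a fragment that does not begin with a [Section] line, which the field's description requires.

```python
"""Model of how the Advanced RAW ISAKMP field is merged into isakmpd.conf:
sections the file does not have yet are appended at the end, parameters for an
existing section are placed on top of that section.  Added illustration, not
the firewall's own code; the sample config and fragment are constructed."""
from __future__ import annotations

import re
from typing import Optional

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_raw(raw: str) -> list[tuple[str, list[str]]]:
    """Parse the RAW field: a [Section] line followed by one key=value per line.
    Returns [(section_name, [param_line, ...]), ...] in the order given."""
    sections: list[tuple[str, list[str]]] = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            sections.append((match.group("name"), []))
            continue
        if not sections:
            raise ValueError(f"line {lineno}: parameter before any [Section] line")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        sections[-1][1].append(line)
    return sections


def raw_is_valid(raw: str) -> bool:
    """True if the RAW field follows the [Section] / key=value layout."""
    try:
        parse_raw(raw)
        return True
    except ValueError:
        return False


def _find_section(lines: list[str], name: str) -> Optional[int]:
    """Index of the line holding [name], or None if the section is absent."""
    for i, line in enumerate(lines):
        match = SECTION_RE.match(line)
        if match and match.group("name") == name:
            return i
    return None


def merge_raw(conf: str, raw: str) -> str:
    """Return the isakmpd.conf text with the RAW parameters merged in."""
    lines = conf.splitlines()
    for name, params in parse_raw(raw):
        at = _find_section(lines, name)
        if at is None:
            # Unknown section: appended to the end of the file.
            if lines and lines[-1].strip():
                lines.append("")
            lines.append(f"[{name}]")
            lines.extend(params)
        else:
            # Existing section: new parameters go directly under its header,
            # i.e. on top of the parameters that were already there.
            lines[at + 1:at + 1] = params
    return "\n".join(lines) + "\n"


# Constructed isakmpd.conf excerpt and RAW fragment (values are illustrative).
SAMPLE_CONF = "[General]\nRetransmits=3\n\n[Phase 1]\n10.0.0.1=peer1\n"
SAMPLE_RAW = "[General]\nExchange-max-time=120\n[Phase 2]\nConnections=VPN-A\n"

if __name__ == "__main__":
    print(merge_raw(SAMPLE_CONF, SAMPLE_RAW))
```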


3. SSL-VPN

3.1 General

Barracuda Networks SSL-VPN gives you the opportunity of secure and encrypted access to your internal network structure, without installing any software at the client PC.

SSL-VPN provides network resources over a customisable web portal and offers the following features:
- transparent network access
- access to internal web sites
- Outlook Web Access
- WebDav / Sharepoint
- RDP
- VNC
- SSH
- Telnet
- SMTP
- POP3
- IMAP4
- SMB
- Generic Application Tunnels
- dynamic firewall rules
- Barracuda NG Network Access Client access control

Fig. 544 SSL-VPN login screen

Fig. 545 SSL-VPN web portal

3.2 Parameters

For an initial configuration of the SSL-VPN service, move to SSL-VPN inside the Config Tree:

Fig. 546 SSL-VPN configuration node

3.2.1 Basic Setup

3.2.1.1 General Service Settings

List 558 VPN configuration - SSL-VPN Basic Setup section General Service settings

Enable SSL-VPN: Enables or disables the SSL-VPN service.
Bind IPs: IPs of the SSL-VPN web interface.
  Note: The Bind IPs need to be defined at the virtual server. SSL-VPN service and VPN service must use different Bind IPs and port 443 has to be idle, otherwise the SSL-VPN service is not able to start.
Allow SSLv2: Select this checkbox to enable SSLv2.
  Note: Barracuda Networks does not recommend the usage of SSLv2 due to security issues.


3.2.1.2 Service Identification

List 559 VPN configuration - SSL-VPN Basic Setup section Service Identification

Use Self-Signed Certificate: yes for self-signed certificate. no for external-signed certificate.
Self-Signed Private Key: Create or export a self-signed private key.
Self-Signed Certificate: Edit to create a new self-signed certificate. Show to view an existing self-signed certificate.
External-Signed Private Key: Create or export an external-signed private key.
External-Signed Certificate: Edit to create a new external-signed certificate. Show to view an existing external-signed certificate.

Note: When using self-signed certificates, be aware that the client browser shows a warning page that the certificate is not issued by a trusted certificate authority.

3.2.2 Authentication & Login

3.2.2.1 User Authentication

List 560 VPN configuration - SSL-VPN Authentication & Login section User Authentication

Authentication Scheme: Scheme that is used by the SSL-VPN service to authenticate users: MSNT, MS_ACTIVE_DIRECTORY, LDAP, RADIUS, RSA_SECUREID.
Use Group Policies: Enables or disables the usage of Allowed User Groups and Blocked User Groups.
Allowed User Groups: List of user groups that have access to the SSL-VPN service. Group information is gained via authentication at directory services, for example Radius, MS Active Directory, ...
  Note: If local authentication and external authentication are used, the usernames of local users comply with group names of external authentication. Therefore those usernames have to be entered into Allowed User Groups to get access to the SSL-VPN.
Blocked User Groups: List of user groups that have NO access to the SSL-VPN service.
  Note: Allowed User Groups and Blocked User Groups have the following precedence rules:
  - Blocked User Groups overrules Allowed User Groups
  - Having a user in both groups causes a block
  - Leaving both fields empty results in an allow all
Use Max. Tunnels: Enables or disables the usage of Max. Tunnels.
Max. Tunnels: Maximum number of concurrent SSL tunnels.
Cookie Timeout (Min.): Validity period of the session cookie. Range: 5 to 180 minutes. After expiration of the validity period, the client will be redirected to the SSL-VPN login page.
Browser Cleanup: Set to yes if the browser should be cleaned up after the SSL-VPN session has been terminated with the Sign Out button.
  Browser Cleanup with Mozilla Firefox:
  - All global history pages of the SSL-VPN client
  - Downloaded files in the download manager
  - All cache entries
  - Cookies of the SSL-VPN
  - Form history (search bar)
  - Passwords of the SSL-VPN
  Note: The cleanup process will be initiated after agreeing to a browser enquiry.
  Browser Cleanup with MS Internet Explorer:
  - All (!) entries in the browser history
  - All (!) passwords
  - Navigation
  - Internet cache
  - Registry history
  Note: The cleanup process will be initiated after agreeing to a browser enquiry.
  Note: Browser cleanup is available for the following web browsers:
  - Microsoft Internet Explorer 6 and 7 (ActiveX must be enabled; needs an internet connection)
  - Mozilla Firefox 2 and 3
  Barracuda Networks recommends the usage of Mozilla Firefox because of the less aggressive browser cleanup function.

3.2.2.2 Corporate ID

List 561 VPN configuration - SSL-VPN Authentication & Login section Corporate ID

Logo: Export or import of the greeting logo (recommended resolution is 200*66 pixel).
Login Message: This text is displayed after a successful login.
Help Text (html): HTML help text that is provided to the logged in users.

3.2.3 Barracuda NG Network Access Client Access Control

3.2.3.1 Barracuda NG Network Access Client Access Control Setup

List 562 VPN configuration - SSL-VPN Barracuda NG Network Access Client Access Control section Barracuda NG Network Access Client Access Control Setup

Active: Activates the client health check.
Policy Server IP: IP address of the policy server.
User Groups: User groups that need a health check to get access to the SSL-VPN.
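The Allowed User Groups / Blocked User Groups precedence rules of List 560 above, modelled as an added Python example that is not Barracuda code. It assumes the shell-style wildcard matching that the setup examples use for group patterns (CN=sales*) and applies the same matching to an X.509 subject component such as emailAddress=; the user names, group strings and patterns are constructed.

```python
"""Access decision for an SSL-VPN resource from Allowed/Blocked User Groups.
Added illustration, not Barracuda code.  Assumes shell-style wildcards in
the configured patterns (as in the guide's examples such as CN=sales*)."""
from __future__ import annotations

from fnmatch import fnmatchcase


def _group_matches(pattern: str, groups: list[str]) -> bool:
    """True if any of the user's group strings matches the wildcard pattern."""
    return any(fnmatchcase(group, pattern) for group in groups)


def sslvpn_access(groups: list[str], allowed: list[str], blocked: list[str],
                  use_group_policies: bool = True) -> bool:
    """Apply the precedence rules of List 560:
    - group policies disabled: every authenticated user gets access
    - both lists empty: allow all
    - a match in Blocked User Groups overrules any match in Allowed User Groups
    - otherwise access requires a match in Allowed User Groups
    `groups` holds the group names returned by the directory service (or an
    X.509 subject component such as emailAddress=...)."""
    if not use_group_policies:
        return True
    if not allowed and not blocked:
        return True
    if any(_group_matches(p, groups) for p in blocked):
        return False
    return any(_group_matches(p, groups) for p in allowed)


# Constructed sample users: group strings as a directory service would return them.
SAMPLE_USERS = {
    "alice": ["CN=sales,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=sales,OU=Groups,DC=example,DC=com",
            "CN=contractors,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=accounting,OU=Groups,DC=example,DC=com"],
}


def who_may_access(allowed: list[str], blocked: list[str]) -> list[str]:
    """Names of the sample users that would see the resource link."""
    return sorted(user for user, groups in SAMPLE_USERS.items()
                  if sslvpn_access(groups, allowed, blocked))


if __name__ == "__main__":
    print(who_may_access(["CN=sales*"], []))                   # ['alice', 'bob']
    print(who_may_access(["CN=sales*"], ["CN=contractors*"]))  # ['alice']
    print(who_may_access([], []))                              # ['alice', 'bob', 'carol']
```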


3.2.4 Barracuda NG SSL-VPN Client

Barracuda NG SSL-VPN Client is a powerful VPN client that offers the opportunity to establish transparent network access (Layer 3) to internal company network infrastructures. The client is fully integrated into the SSL-VPN Portal and can be executed by starting the my Network JAVA applet.

Barracuda NG SSL-VPN Client supports the following authentication schemes:
- X.509 certificate
- user/password
- X.509 certificate & user/password
- license file

Note: The Barracuda NG SSL-VPN Client needs a correctly configured and running client to site configuration. For further information on how to set up a client to site infrastructure, please have a look at Configuring Personal Remote Access, page 217.

3.2.4.1 Barracuda NG SSL-VPN Client Setup

List 563 VPN configuration - SSL-VPN Barracuda NG SSL-VPN Client section Barracuda NG SSL-VPN Client Setup

Barracuda NG SSL-VPN Client: Insert to create a new Barracuda NG SSL-VPN Client profile. Delete to remove an existing Barracuda NG SSL-VPN Client profile. Edit to modify the settings of an existing Barracuda NG SSL-VPN Client profile.

List 564 Barracuda NG SSL-VPN Client section Access Authorization

Active: Enables the my Network link inside the SSL-VPN Web-Portal, to get fully transparent network access. This feature uses the Barracuda NG SSL-VPN Client applet to establish a Client to Site connection to a Barracuda Networks VPN service, using the SSL-VPN Web-Portal. This requires a configured and running VPN service and Client to Site access.
VPN-Server Listen IPs:
  default: uses the configured listen IP address of the VPN service, defined in the Bind Type field of the VPN Service Properties.
  First-IP: Uses the configured First IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
  Second-IP: Uses the configured Second IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
  First+Second: Uses the configured First IP or Second IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
  explicit: Uses the IP address(es) defined in the Explicit Listen IPs field.
Explicit Listen IPs: List of IP addresses the VPN-Server is listening on.
Advanced Options: If needed, advanced options can be entered.
Connection Type: Choose between External CA (provides single sign-on to SSL-VPN users) or VPN CA as Client to Site connection type.
Must Be Healthy: When this checkbox is enabled, the connected user has to perform a health-check before the transparent network access is granted.
Allowed User Groups: Allowed User Groups act as an Access Control List, to restrict transparent network access to defined user groups only.
  If the Barracuda NG SSL-VPN Client network access is to be realized in combination with Barracuda NG Group VPN, be aware that the Group Policy Condition also includes the Barracuda NG SSL-VPN Client as Peer Condition, otherwise the VPN policy will not be assigned to the SSL-VPN user.

Fig. 547 SSL-VPN web portal my Network

3.2.4.2 Initial Installation of the Barracuda NG SSL-VPN Client

The Barracuda NG SSL-VPN Client is accessible by clicking the my Network link of the SSL-VPN Web-portal.

Fig. 548 SSL-VPN web portal my Network

The first time a user accesses my Network, the Barracuda NG SSL-VPN Client VPN client binary will be downloaded and installed on the client computer.

Note: For installation and removal of the Barracuda NG SSL-VPN Client client software, administrative rights on the client operating system are needed. Once the client is installed, users do not need to have administrative rights to run the VPN client application.

Fig. 549 Barracuda NG SSL-VPN Client installation

3.2.4.3 Running the Barracuda NG SSL-VPN Client

Once the Barracuda NG SSL-VPN Client has been installed successfully and a user tries to access the my Network area to establish a connection to a company network infrastructure, the Barracuda NG SSL-VPN Client will automatically be launched and initiates a Client to Site connection to the company network infrastructure by using the user credentials entered in the SSL-VPN Login screen.

3.2.4.4 Barracuda NG SSL-VPN Client Login Mask

If a connection to the configured VPN server fails or no single sign-on functionality should be used, the Barracuda NG SSL-VPN Client will automatically open the client to site login screen and the user will be prompted to insert the user credentials to establish a connection.

Fig. 550 Barracuda NG SSL-VPN Client login prompt

Note: Press the shift key while clicking on the my Network link and hold it until the VPN client has been loaded, to open the Barracuda NG SSL-VPN Client's graphical user interface. This may be useful to login with other user credentials or to change the connection settings of the Barracuda NG SSL-VPN Client.

3.2.4.5 Barracuda NG SSL-VPN Client Connection Settings

List 565 Barracuda NG SSL-VPN Client Connection

Username: User name of the client to site user.
Password: Password of the client to site user.
Certificate: Sets the path to the X.509 certificate used for authentication.
VPN Server: IP address of the VPN server the client should connect to.
Probe Target (TCP Only): Checks if the desired VPN server is reachable.
Remember user credential (without password): Enable this checkbox if the Barracuda NG SSL-VPN Client should remember the user name of the most recently logged in user.

List 566 Barracuda NG SSL-VPN Client Transport Properties

Tunnel Mode: Transport mode for the client to site VPN Tunnel: Optimized(Hybrid), Reliability(TCP) or Response(UDP).
Use a proxy server to connect: Enable this checkbox if the connection will be established over a proxy server.
User/Password: User credentials for the proxy server.
Proxy[:port]: IP address and port of the proxy server.
Simulate SSL: Simulates an SSL connection to the web proxy.

Note: The Barracuda NG SSL-VPN Client connection will be terminated by the VPN server in case of no activity or browser refresh.

3.2.4.6 X.509 Form Based Authentication

The X.509 certificate subject string (inclusive wildcards) stated in an X.509 certificate can be used in the Allowed User Group sections to regulate link visibility for each authenticated SSL-VPN user.

Note: In order to match the e-mail pattern of an X.509 certificate, type emailAddress= in the Allowed User Groups sections.

3.2.5 Web Resources

3.2.5.1 Web Resource Configuration

List 567 VPN configuration - SSL-VPN Web Resources section Web Resource Configuration

Web Resources: Insert to create a new web resource. Delete to remove an existing web resource. Edit to modify the settings of an existing web resource.

List 568 Web Resources section Web Resource Access Authorization

Active: Enables or disables the link in the SSL-VPN portal.
Visible Name: Visible link name of the web resource.
Link Description: Additional description text of the web resource.
URL: URL of the web resource.
  Note: Only domains and subdomains are allowed.
Must Be Healthy: Access is only granted after a positive Barracuda NG Access Monitor health check.
Active Content Rewrite: The SSL-VPN gateway acts similar to an HTTP proxy. All HTTP requests must be forwarded to the SSL-VPN gateway and not to the web server. This is only possible if Active Content Rewrite is enabled.
Allowed User Groups: List of user groups that have access to this web resource.

3.2.6 Outlook Web Access

3.2.6.1 Outlook Web Access Authorization

List 569 VPN configuration - SSL-VPN Outlook Web Access section Outlook Web Access Authorization

Active: Enables or disables the link shown in the web portal.
Visible Name: Visible link name of the Outlook Web Access resource.
OWA URL: Enter the Outlook Web Access URL, e.g.: https://<ip>/exchange/


List 569 VPN configuration - SSL-VPN Outlook Web Access section Outlook Web Access Authorization (continued)

Enable Public Folder: In order to view configured public folders on MS Windows Exchange 2003, this checkbox has to be activated. With MS Windows Exchange 2007 activation is not necessary.
  Note: Public Folders on MS Windows Exchange 2007 can only be viewed with MS Internet Explorer.
Must Be Healthy: Access to the Outlook Web Access is only granted after a positive Barracuda NG Access Monitor check.
Allowed User Groups: List of user groups that have access to Outlook Web Access.

Note: Forms-Based Authentication and SSL encryption need to be activated at the MS Exchange server.

3.2.7 WebDAV / Sharepoint

3.2.7.1 WebDAV Resource Configuration

List 570 VPN configuration - SSL-VPN WebDAV/Sharepoint section WebDAV Resource Configuration

WebDAV Resources: Insert to create a new WebDAV/Sharepoint resource. Delete to remove an existing WebDAV/Sharepoint resource. Edit to modify an existing WebDAV/Sharepoint resource.

List 571 WebDAV Resources section WebDAV Resource Access Authorization

Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the WebDAV resource.
Link Description: Description text of the WebDAV resource.
WebDAV Address: IP address of the WebDAV resource.
WebDAV Sharename: Name of the desired share.
Must Be Healthy: Access to the WebDAV share is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the WebDAV shares.

3.2.8 Application Tunneling

3.2.8.1 Application Tunneling Configuration

List 572 VPN configuration - SSL-VPN Application Tunneling section Application Tunneling Configuration

Service Configuration: Insert to create a new application tunneling resource. Delete to remove an existing application tunneling resource. Edit to modify an existing application tunneling resource.
Generic Application Tunneling: Insert to create a new generic application tunneling resource. Delete to remove an existing generic application tunneling resource. Edit to modify an existing generic application tunneling resource.

List 573 Application Tunneling Configuration Service Configuration section Application Access Authorization

Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the resource.
Link Description: Description text of the application tunnel resource.
Application Server IP: IP address of the application server.
Application Protocol: Protocol type of the tunnelled application. Choose between: RDP, VNC, SSH, Telnet, SMTP, POP3, IMAP4, SMB.
  Note: When using VNC, make sure that VNC does not require MS Logon for authentication.
Application TCP Port: Connection port of the application server.
RDP Application Path: Path to the application that should be launched by the RDP applet. This applet is used if only a single application should be provided to the user.
  Note: This parameter is only enabled if Application Protocol > RDP is specified. When using this option no client program is possible.
SMB Path: Path to a Samba share.
  Note: This parameter is only enabled if Application Protocol > SMB is specified.
Tunnel Client Application: This parameter activates an additional link to a port forwarding applet. This applet opens a listening socket on the loopback address at the client, which listens for incoming connections at a specific port.
  Note: This parameter is only enabled if RDP, VNC, SSH, Telnet or SMB is configured at Application Protocol. For SMTP, POP3 or IMAP4 this parameter is disabled and set to yes.
Client Loopback TCP Port: Listening port of the port forwarding applet.
Must Be Healthy: Access to the application tunnel resource is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the application tunnel.

List 574 Application Tunneling Configuration Generic Application Tunneling section Generic Application Tunneling Authorization

Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the resource.
Link Description: Description text of the generic application tunnel resource.
Kind of Application: Other, Mail or Web.
Protocol Type: HTTP or HTTPS. Only active if Kind of Application is set to Mail or Web.
SSL Tunnels: Insert to create a new SSL tunnel. Delete to remove an existing SSL tunnel. Edit to modify an existing SSL tunnel.
Must Be Healthy: Access to the generic application tunnel resource is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the generic application tunnel.


List 575 Generic Application Tunneling Authorization SSL Tunnels section SSL Tunnel Configuration

Server IP: Server IP address of the tunneled application.
Client Loopback TCP Port: Listening port of the port forwarding applet.
Application TCP Port: Listening port of the server application.

3.2.9 Dynamic Firewall Rules

3.2.9.1 Dynamic Firewall Rules

List 576 VPN configuration - SSL-VPN Dynamic Firewall Rules section Dynamic Firewall Rules

Firewall Rule Activation: Insert to create a new dynamic firewall rule. Delete to remove an existing dynamic firewall rule. Edit to modify an existing dynamic firewall rule.

List 577 Firewall Rule Activation section Dynamic Firewall Rule Activation Authorization

Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the dynamic firewall rule.
Link Description: Description text of the dynamic firewall rule.
Dynamic Rule Selector: Name of the firewall rules accessible over the SSL-VPN portal.
Must Be Healthy: Access to the dynamic firewall rule resource is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to dynamic firewall rules.

3.2.10 Access Rights Query

3.2.10.1 Access Rights Query

List 578 VPN configuration - SSL-VPN Access Rights Query section Access Rights Query

Username: Username search field.
Userlinks: Result of the username query.

Note: A user group query is not possible if RADIUS is used as external directory service.

3.3 Setup Examples

To realize the following example setups, SSL-VPN needs some basic configuration steps.

Note: A running VPN service is needed to provide the functionality of the SSL-VPN service.

3.3.1 Basic Setup

3.3.1.1 General Service Settings

- Set Enable SSL-VPN to Yes
- Define the Bind IPs for the SSL-VPN service

Note: Be sure not to use a bind IP of the VPN service. Otherwise the SSL-VPN service cannot be started.

To test if SSL-VPN is running, open https://<bind IP>/ in your web browser.

3.3.1.2 Service Identification

SSL-VPN can handle self-signed or external signed certificates and private keys. If self-signed certificates should be used, set Use Self-Signed Certificate to yes. For external-signed certificates set this parameter to no.

- New Key to generate a new private key
- Edit to create a new self-signed certificate
- Ex/Import to import an external-signed certificate

Note: For external SSL-VPN access it is recommended to use external signed certificates to avoid browser pop-ups.

3.3.2 Authentication & Login

3.3.2.1 User Authentication

- Set the Authentication Scheme to MS_ACTIVE_DIRECTORY

Note: Be sure that the Authentication Service is configured correctly. The configuration is located in: Config > Box > Infrastructure Services > Authentication Service

3.3.2.2 Corporate ID

It is possible to customize the SSL-VPN point-of-entry (see Corporate ID, page 244) with the following parameters:
- Logo
- Login Message
- Help Text (html)

3.3.3 Barracuda NG Network Access Clients Access Control

Barracuda NG Network Access Clients Access Control can determine the health state of an SSL-VPN client. Based on the health state, client access to sensitive resources is granted or not.

- Set Active to Yes
- Enter the Policy Server IP


- In User Groups, enter the groups that should be checked

Note: Configurations according to Barracuda NG Network Access Client Access Control must be done inside the policy server.

3.3.4 Example 1: Web Resources

In this example, access to an internal web resource with the SSL-VPN will be realized.

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Web Resources
- Service Configuration: click Insert and assign the name Company web server
- Active: select this checkbox to enable the link
- Visible Name: Our internal website
  Note: Every resource has a Name (see parameter Web Resources) and a Visible Name. The name of the resource should differ from the name that the user knows (for example, the server name is sales-portal and the users would know it as intranet).
- Link Description: This is the internal website of our company
- URL: URL of the web resource
- Active Content Rewrite: selected by default (for the parameter description see parameter Active Content Rewrite, page 246)
- Allowed User Groups: to enable access for all users, leave the default asterisk (*)

3.3.5 Example 2: WebDAV / Sharepoint

In this example, a connection to the company file server will be created. To minimize the risk of virus infiltration, the usage of the Barracuda NG Access Monitor health check is recommended.

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > WebDAV/Sharepoint
- Service Configuration: click Insert and assign the name WebDAV share
- Active: mark this checkbox to enable this link
- Link Description: Company file server
- WebDAV Address: enter the address of the WebDAV share
- WebDAV Sharename: enter the WebDAV share name
- Must Be Healthy: select this checkbox to initiate a health check on the client
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name. For example CN=sales*

3.3.6 Example 3: Application Tunneling

3.3.6.1 Windows Terminal Service

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Application Tunneling
- Service Configuration: click Insert and assign the name Windows terminal service
- Active: select this checkbox to enable the link
- Visible Name: Windows RDP
- Link Description: Company terminal server
- Application Server IP: enter the address of the Windows terminal server
- Application Protocol: select RDP
- Application TCP Port: no changes are necessary if port 3389 is configured at the terminal server. If not, select Other and enter the appropriate port number
- RDP Application Path: leave empty
- Tunnel Client Application: select yes because port forwarding should be used
- Client Loopback TCP Port: 3390
- Allowed User Groups: delete the asterisk (*) and enter the assigned MSAD group name. For example CN=accounting*

3.3.6.2 SAP Application

We want to establish SSL-VPN access for all sales staff members to the SAP application at the sales terminal server. It should only be possible to execute the SAP application.

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Application Tunneling
- Service Configuration: click Insert and assign the name terminalsales
- Active: select this checkbox to enable the link
- Visible Name: SAP
- Link Description: This is the SAP application of the Sales Department
- Application Server IP: 192.168.10.10
- Application Protocol: select RDP
- RDP Application Path: enter C:/SAP/sap.exe or C://SAP//sap.exe
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name of the Sales Department, for example CN=sales*

Note:
- Directory names must not contain spaces.
- Only *.exe files can be executed.
- Directories must be separated by a slash or double slash (/ or //). Backslash (\) is not allowed.


3.3.7 Example 4: Generic Application Tunneling

We want to establish SSL-VPN port forwarding access for all staff members to the citrix server (IP address: 10.0.0.112). All staff members working at a home office need to have a virus scanner and a firewall running.

Due to the fact that application browsing is based on UDP, this task cannot be solved only with SSL-VPN. So, the applications must be configured.

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Generic Application Tunneling
- Generic Application Tunneling: click Insert and assign the name Citrix
- Active: select this checkbox to enable the link
- Visible Name: Company Citrix server
- Link Description: enter an appropriate description for your users
- SSL Tunnels: insert the required connections, in this example all TCP ports. Click Insert and assign the following SSL tunnels.

Table 56 SSL tunnels

Name                                           Server IP    Client Loopback TCP Port   Application TCP Port
ICA                                            10.0.0.112   1494                       1494
IMA                                            10.0.0.112   2512                       2512
SSL                                            10.0.0.112   443                        443
STA(ISS)                                       10.0.0.112   80                         80
Citrix License Management Console              10.0.0.112   8082                       8082
Presentation Server Licensing                  10.0.0.112   27000                      27000
ICA session w/ Session Reliability enabled     10.0.0.112   2598                       2598
Access Gateway Standard and Advanced Editions  10.0.0.112   9001, 9002, 9005           9001, 9002, 9005
Manager service daemon server                  10.0.0.112   2897                       2897

- Must Be Healthy: select this checkbox to initiate a health check on the clients
- Allowed User Groups: leave the asterisk (*) so all staff members have access
- Configure the connections of the client software to the loopback address

3.3.8 Dynamic Firewall Rules

With SSL-VPN it is possible to enable/disable dynamic firewall rules at the Barracuda NG Firewall.

We want to establish FTP access from the intranet to the internet via a dynamic firewall rule.

- Firewall rule name: ftp-dynamic
- intranet address: 172.0.0.0

3.3.8.1 Required Settings

- Create a dynamic rule in the forwarding firewall and call it ftp-dynamic
  Source: 172.0.0.0
  Service: FTP (TCP 21 ftp)
  Destination: 0.0.0.0
- Browse in the SSL-VPN settings to the Dynamic Firewall Rules
- Firewall Rule Activation: click Insert and assign the name FTP
- Active: select this checkbox to enable the link
- Visible Name: Company FTP server
- Link Description: enter an appropriate description for your users, for example Here you can activate the dynamic firewall rule ftp-dynamic
- Dynamic Rule Selector: delete the asterisk (*) and enter ftp-dynamic
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name of the Administrators, for example CN=admins*

Fig. 551 SSL-VPN web portal dynamic firewall rules

Note: When enabling a dynamic firewall rule for a specific time period in the SSL-VPN Web-GUI, be sure to enter numeric values in minutes. If the firewall rule should be permanently active, leave this field empty.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


3.4 Hints

Note:
Hardware based on i386 compatible CPUs does not provide the functions required for SSL-VPN. Thus SSL-VPN does not work on i386 kernels. Enter rpm -q kernel --qf %{ARCH}\\n on the command line to find out which kernel is present.

- Java Runtime
  Only Java Runtime version 1.6.0 and higher is supported. To check which version is installed, type java -version on the command line.
  Fig. 552 Java runtime version query
- Supported browsers
  Internet Explorer 6 and 7, Firefox 2 and 3
- Number of concurrent connections
  SSL VPN can handle up to 250 concurrent connections. More are possible, but not recommended because of encryption performance and other system limitations.
- Virus Scanner and Antispy
  Both actions (manual and autoremediation) for the Virus Scanner and Antispy settings in the policy server config can be triggered automatically at the Barracuda NG Access Monitor with the Do it function in the context menu.
- VPN point of entry
  Big messages and pictures may lead to a delay after downloading them from the remediation server. The recommended picture size is 30 kB. Large pictures will be scaled down, so it makes no sense to use them.
- SSL-VPN and Barracuda NG Network Access Clients
  There is no enforcement of rules regarding personal firewalls. User authentication is only performed if the local machine state is healthy; the same applies to the Barracuda NG Network Access Clients.
- Access Control
  If Use Group Policies is set to yes and a user is listed in both Allowed User Groups and Blocked User Groups, then the user has no access. The policy is blocking in favor of allowing.
- Webpages and webservers
  Only domains and subdomains are allowed as URLs. That means a URL which is terminated by an ending site.html won't work. Allowed is for example http://webservername.domain.subdomain or http://webservername/path1/path2.
  HTTP redirects from one webserver to another webserver via SSL-VPN are not possible. Only weblinks are allowed (no relaying).
- Content
  The SSL-VPN server is not designed to rewrite all the different kinds of webservers out on the internet, so it may happen that pictures, frames etc. are not shown. Redirects are not recommended; use the SSL-VPN interface as the portal rather than linking from it to an internal portal.
- Copy & Paste
  Do not re-use links or send them via e-mail/messenger. These links won't work when a user that should not have access to a web resource tries to reach it by copying and pasting the corresponding URL into the browser: depending on the used application/application protocol a 404 not found is sent by the SSL-VPN (for RDP no denied page is displayed but a status message).
- Firewall rules
  Rules are displayed in the browser's firewall tab if the configured rule name matches a rule. Only dynamic or timed rules are evaluated. If a dynamic rule of a cascaded rule list is to be used from the SSL-VPN portal, the rule list's name must be part of the matching criteria (the rule name is generated as rulelist:name). You may use the character * as wildcard for a string in Dynamic Rule Selector; the character ? is the wildcard for a single character.
- User rights
  For some actions administrative rights are needed, for example:
  enable real time protection for Virus Scanner and Antispyware
  enable Virus Scanner and Antispy
  perform a system scan for Virus Scanner and Antispy
- Barracuda NG Network Access Client Health Agent
  If the client is healthy and the next health check fails, open connections are not terminated until the cookie times out (see parameter Cookie Timeout (Min.)). New connections will not be initialized: if the next health check fails, the client is redirected to a denied.html page when it tries to open a new connection.
- Connections
  When closing the browser all tunnels remain open until the cookie times out.
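The group-policy decision and the Dynamic Rule Selector semantics described in 3.3.8 and in the Access Control and Firewall rules hints above, modelled as a small Python program. This is an added example, not Barracuda code: the portal's real matching implementation is not documented here, so the program assumes that only * and ? are wildcards, that matching is case-sensitive, and that a user without any group matches only the catch-all pattern *. The rule names, rule kinds and group DNs are constructed sample data.

```python
"""SSL-VPN portal matching, modelled in Python (added example, not Barracuda code).

Reproduced behaviours, taken from the setup examples and the Hints:
  * Dynamic Rule Selector: '*' matches any string and '?' one character; only
    dynamic or timed rules are evaluated, and a rule inside a cascaded rule
    list is known to the firewall as 'rulelist:name'.
  * Allowed / Blocked User Groups: patterns such as CN=sales* are matched
    against the user's MSAD group names; a user matching both an allowed and
    a blocked pattern gets no access (blocking wins).
Assumptions (not stated in the guide): no metacharacters besides '*' and '?',
case-sensitive matching, a group-less user matches only the pattern '*'.
"""
import re
from typing import Iterable, List, Sequence, Tuple


def portal_glob(pattern: str) -> "re.Pattern":
    """Translate the portal wildcard syntax into an anchored regular expression.

    Everything except '*' and '?' is escaped, so 'lists:ftp-dynamic' or
    'CN=sales' is matched character for character.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_dynamic_rules(selector: str, rules: Sequence[Tuple[str, str]]) -> List[str]:
    """Return the rule names the Dynamic Rule Selector would expose in the portal.

    `rules` is a sequence of (name, kind); kind is 'dynamic', 'timed' or
    'static'. Static rules never appear, whatever the selector says, and a
    rule in a cascaded list has to be addressed by its full 'rulelist:name'.
    """
    rx = portal_glob(selector)
    return [name for name, kind in rules
            if kind in ("dynamic", "timed") and rx.match(name)]


def user_may_access(user_groups: Iterable[str],
                    allowed: Iterable[str],
                    blocked: Iterable[str]) -> bool:
    """Access decision for one SSL-VPN resource: blocking wins over allowing."""
    groups = list(user_groups) or [""]   # '' lets a bare '*' still match (assumption)

    def hit(patterns: Iterable[str]) -> bool:
        return any(portal_glob(p).match(g) for p in patterns for g in groups)

    if hit(blocked):
        return False
    return hit(allowed)


# Constructed sample data resembling the examples of this chapter.
FIREWALL_RULES = [
    ("ftp-dynamic", "dynamic"),          # the rule created in 3.3.8
    ("lists:ftp-dynamic", "dynamic"),    # same name inside a cascaded rule list
    ("http-timed", "timed"),
    ("ftp-static", "static"),            # never shown in the portal
]
SALES_USER = ["CN=sales,OU=Users,DC=example,DC=com"]
CONTRACTOR = ["CN=sales,OU=Users,DC=example,DC=com",
              "CN=contractors,OU=Users,DC=example,DC=com"]

if __name__ == "__main__":
    print(select_dynamic_rules("ftp-dynamic", FIREWALL_RULES))    # ['ftp-dynamic']
    print(select_dynamic_rules("*:ftp-dynamic", FIREWALL_RULES))  # ['lists:ftp-dynamic']
    print(select_dynamic_rules("ftp-*", FIREWALL_RULES))          # ['ftp-dynamic']; ftp-static is static
    print(user_may_access(SALES_USER, ["CN=sales*"], []))         # True
    print(user_may_access(CONTRACTOR, ["CN=sales*"], ["CN=contractors*"]))  # False
```

The two points worth noticing are the ones the hints warn about: a selector of plain ftp-dynamic does not reach the copy of the rule that lives in a cascaded rule list, and a user who is in the sales group but also in a blocked group is denied even though an allowed pattern matches.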


4. Monitoring

4.1 Active Tab

As soon as a connection to the VPN service has successfully been established, the VPN status will be displayed within this window.

The status display shows the VPN sessions as well as the firewall-to-firewall tunnels currently open and their respective data within the following columns:

- Tunnel
  Either FW2FW (firewall-to-firewall tunnel), PERS (personal license), IPSec, PGRP, or IGRP (IPSec group).
- Name
  Name of the user.
- Type
  Tunnel type.
- Group
  VPN group the user is assigned to.
- Local
  Local IP address / network.
- Peer
  Client's internet IP address.
- Virtual IP
  Client's virtual IP address.
- Info
  Depending on the tunnel type, this displays either the tunnel type, the state, or the certificate subject. For FW2FW and IPSec, firewall tunnel is displayed here. As soon as a tunnel is a passive one and it is in down-state, DOWN (passive) will be displayed. For group tunnels with certificate, the X.509 subject is displayed.
- Tunnel Mode
  Transport mode, encryption type, and authentication algorithm (MD5/SHA1), each separated by a "-" (hyphen character).
- bps10
  Current transfer speed in bytes per 10 seconds.
- Total
  Total amount of traffic in kB/key.
- Idle
  Time (in seconds) that passed since the last activity within the connection.
- Start
  Duration of VPN connection in minutes (m) or days (d).
- Key
  Age of issued key in minutes (m) or days (d).

Double-clicking an entry opens a new window with detailed information about the selected session's connection (such as the assigned Group, Rekeying Time, Access Time, Peer IP Address, etc.).

Select the connection, right-click the selected row and choose Terminate Tunnel from the context menu to terminate a session. The tunnel will then be terminated after an additional confirmation process. In order to manually reestablish a tunnel, select Initiate Tunnel within the context menu.

An IPSec tunnel may as well be terminated by using the option Hardkill Tunnel. The differences between the two termination methods are outlined here:

- Terminate Tunnel
  This method kills Phase 2 of the IPSec tunnel. Phase 2 can be re-initialized immediately as the tunnel partners exchange information with each other.
- Hard Kill Tunnel
  This method kills Phase 1 of the IPSec tunnel. As there is no exchange between the tunnel partners, Phase 1 can only be re-established if the partner kills its own Phase 1.

Attention:
Do not use the Hardkill Tunnel function unless it is absolutely necessary. In case of doubt, please contact Barracuda Networks Support to get assistance.

4.2 Status Tab

The Status tab provides information on all configured VPN connections on the given machine.

You can enable, disable or temporarily enable configured connections by right-clicking a license entry and selecting Enable Tunnel, Disable Tunnel, or Temporary Enable Tunnel. If selecting the latter, enter the period (in minutes) for which the tunnel should be enabled.

The Update List button refreshes the display.

The Show CRL button displays the certificate revocation list, wherein the lines containing blank first columns display status information about the last CRL fetch. This is also contained within the log.

The following columns can be seen:

- Tunnel
  Name of the tunnel.
- Name
  Name of the user.
- Type
  Tunnel type.
- Group
  VPN group the user is assigned to.
- Info
  Information concerning the current connection (e.g. Access Granted, Disconnect, etc.).
- State
  Status of the VPN connection (ACTIVE or Ready).
- Succ.
  Number of successful connections.
- Fail
  Number of failed connections.
- Last Access
  Time passed since the last access.
- Last Peer
  Client IP address of the last connection.
- Last Info
  Last information concerning the connection (e.g. Access Granted, Disconnect, etc.).
- Last Duration
  Duration of the last connection.
- Last Client
  Client (including version number) used for the last connection.
- Last OS
  Operating system (including kernel number) used by the last connection's client.

4.3 Access Tab

The Status list (upper part of the Access tab) displays the number of succeeded and aborted connections per license. A maximum of 512 entries is possible. The Update list button refreshes the list.

The following columns are listed:

- AID
  Access ID.
- Tunnel
  Either FW2FW (firewall to firewall tunnel) or PERS (personal license).
- Name
  Name of the user.
- Peer
  Client internet IP address.
- Info
  Either a person name (defined during configuration) and an IP address assigned by the license, separated by "@" (the "at" character), or the certificate subject.
- Last
  Passed-by time in seconds (s), minutes (m) and days (d) since the last connection attempt.
- Success
  Total number of successful connections.
- Fail
  Total number of unsuccessful connections.
- Last Status
  Status of the last connection or connection attempt.

Table 57 Possible "Last Connection" States

Status | Description
Granted | The connecting process was successful.
Already connected |
Access Denied (No License or invalid peer) | The connection was denied due to a missing license or a wrong client address.
Invalid Password |
Root certificate not valid |
Certificate did not verify | The Barracuda Networks certificate did not correspond to its counterpart on the server.
Certificate signature did not verify | The digital signature of the Barracuda Networks certificate did not correspond to its counterpart on the server.
Certificate is expired |
Certificate not yet valid | The Barracuda Networks certificate has not yet obtained validity.
Certificate does not belong to server | The Barracuda Networks certificate is valid for a different VPN server.
Certificate index exceeds number of licenses | More Barracuda Networks certificates have been issued than allowed by the licenses on the server.
Certificate issuer does not match | The personal license certificate issuer does not correspond with the issuer of the server certificate.
Certificate subject does not match | The subject of the personal license certificate does not correspond to the subject of the server certificate.
Unknown certificate error |
Mode not supported | An invalid decoding or compressing method was detected.
Invalid Peer | The client tunnel address does not correspond to the one entered on the server.
Requested Source IP does not match | The client address does not correspond to the one entered on the server.
No client IP address assigned | The client address could not be issued.
License or peer already in use |
Client IP address already in use |

- VPN Client Downloads (lower part of the Access tab)
  The VPN client downloads area allows making arbitrary software downloads available to VPN clients connecting to the VPN Server.
  Clicking the Upload button opens the uploading window. Use the Browse button within this window to select the desired installation file and click Upload to copy it onto the Barracuda NG Firewall system. The next time a Barracuda NG Network Access Clients VPN client connects to the VPN Server, it will be offered this installation file for download.

Fig. 553 Upload Dialog

If an already uploaded file has become obsolete, select it and click the Delete button to remove the file from the VPN client Downloads list.


5. Examples for VPN Tunnels

5.1 Fully Transparent Tunnel

The simplest possible tunnel configuration is a transparent connection of two networks with different address ranges. Being in effect, the tunnel configuration should not be noticeable by the connected networks. Fig. 554 illustrates such a fully transparent tunnel. In order to keep the example easily understandable, the routing configuration between the two VPN servers is not considered in the setup. Except for scenarios with overlapping addresses, the VPN tunnels will not interfere with the routing configuration.

Fig. 554 Fully Transparent Tunnel (figure: network 10.0.20.0/24 behind VPN server 1 at 192.168.3.1, secure encrypted tunnel to VPN server 2 (partner server) at 192.168.3.101, network 10.0.21.0/24 behind it)

Table 58 Fully Transparent Tunnel VPN Configuration on VPN server 1

Object | Configuration | Comment
Direction Mode | active or passive | Converse to the partner's configuration.
Timeout | 10 for intranet or 30 for internet-like connections |
Encryption Mode | AES (or whatever is needed) | May be unencrypted for intranet connections only aiming at routing assistance.
Transport Mode | UDP&TCP (or whatever is needed) |
Partner Server | 192.168.3.101 |
Partner Network | 10.0.21.0/24 |
Local Network | 10.0.20.0/24 |
Parameters | Dynamic | Only one IP address is assumed on the outside interface.

Table 59 Fully Transparent Tunnel VPN configuration on VPN server 2

Object | Configuration | Comment
Direction Mode | active or passive | Converse to the partner's configuration.
Timeout | 10 for intranet or 30 for internet-like connections |
Encryption Mode | [Same value as on the local side] |
Partner Server | 192.168.3.1 |
Partner Network | 10.0.20.0/24 |
Local Network | 10.0.21.0/24 |
Parameters | Dynamic | Only one IP address is assumed on the outside interface.

Firewall configuration on VPN server 1 and VPN server 2:

As the tunnel terminates at a point located before the firewall engine, rules have to be introduced allowing the local and partner networks to pass in both directions.

5.2 Stealth Tunnel

A further popular example for tunnelling is the so-called stealth mode or half-side transparent tunnel. This method involves a local network having been granted access to a partner network, but not vice versa. Moreover, the local network's internal IP structure is hidden from the partner network. In the example setup, only one IP address (10.0.35.32) is explicitly directed into the tunnel.

Note:
The stealth tunnel shown in figure 555 masks the network on the left side from the network on the right side. Thus, appropriate firewall settings become crucial for functioning.

Fig. 555 Stealth Tunnel (figure: network 10.0.20.0/24 behind VPN server 1 at 192.168.3.1, secure encrypted tunnel to VPN server 2 (partner server) at 192.168.3.101, network 10.0.21.0/24 behind it. FW rule on server 1: 10.0.20.0/24 to 10.0.21.0/24 with explicit 10.0.35.32, with either client connection type or proxying. FW rule on server 2: 10.0.35.32 to 10.0.21.0/24)

Table 510 Stealth Tunnel VPN Configuration on VPN Server 1

Object | Configuration | Comment
Direction Mode | active or passive | Converse to the partner's configuration.
Timeout | 10 for intranet or 30 for internet-like connections |
Encryption Mode | AES (or whatever is needed) | May be unencrypted for intranet connections only aiming at routing assistance.
Transport Mode | UDP&TCP (or whatever is needed) |
Partner Server | 192.168.3.101 |
Partner Network | 10.0.21.0/24 |
Local Network | 10.0.35.32 | Only this IP address is directed into the tunnel.
Parameters | Dynamic | Only one IP address is assumed on the outside interface.


Firewall configuration on VPN server 1:

Rules meant to redirect traffic into the tunnel must use the connection type Explicit: 10.0.35.32.

Table 511 Stealth Tunnel VPN configuration on VPN server 2

Object | Configuration | Comment
Direction Mode | active or passive | Converse to the partner's configuration.
Timeout | 10 for intranet or 30 for internet-like connections |
Encryption Mode | [Same value as on the local side] |
Partner Server | 192.168.3.1 |
Partner Network | 10.0.35.32 |
Local Network | 10.0.21.0/24 |
Parameters | Dynamic | Only one IP address is assumed on the outside interface.

Firewall configuration on VPN server 2:

As the tunnel terminates at a point located before the firewall engine, a rule has to be introduced allowing the IP address 10.0.35.32 to pass into the local network.

Further Remarks:

The proxy address may be chosen without restrictions.

Half-side transparent tunnelling is suited as an alternative to personal VPN access. The local network IP address then derives from the personal VPN networks. Anyway, stealth mode tunnels may as well be operated without personal access configuration. As they are not fully transparent, there is no need for setting up network routes, proxy ARPs, etc.

Optionally, a local IP, e.g. 10.0.21.156, may be defined as the right tunnel endpoint. In this case, the VPN server must be instructed to request traffic being directed to this address. This can be done by either introducing this IP address as a personal access network or by creating a standalone proxy ARP for it.

5.3 Star-shaped Topologies

Most real-world VPN topologies comprise a headquarters structure, which means many VPN tunnels terminate on one VPN server. Traffic between outposts is typically routed through the headquarters, thus reducing the number of tunnels to be managed.

Fig. 556 Star-Shaped Topology with One HQ and Two Outposts (figure: VPN server 1 at 192.168.3.1 with networks 10.0.20.0/24, 10.0.23.0/24, 10.0.24.0/24 and 10.5.0.0/24; VPN server 2 at 192.168.3.101 / 194.93.78.126 with network 10.0.21.0/24; VPN server 3 at 194.93.78.124 with network 10.0.22.0/24; secure encrypted tunnels from server 1 to servers 2 and 3)

In the star-shaped topology depicted in figure 556, a VPN connection could be established from 10.0.22.0/24 to 10.0.21.0/24 without the need of configuring a tunnel between VPN servers 2 and 3. The table below illustrates the relationship between local and partner networks:

Table 512 Relationship between Local and Partner Networks

Tunnel | VPN server | Local network | Partner network
Tunnel 1 - 2 | Server 1 | 10.0.0.0/8 | 10.0.21.0/24
Tunnel 1 - 2 | Server 2 | 10.0.21.0/24 | 10.0.0.0/8
Tunnel 1 - 3 | Server 1 | 10.0.0.0/8 | 10.0.22.0/24
Tunnel 1 - 3 | Server 3 | 10.0.22.0/24 | 10.0.0.0/8

Redirection of traffic for VPN networks to the VPN server engine is usually handled through a policy routing table introduced by the VPN server. However, this policy routing table will not work properly if the local network is part of the partner network, as shown in the example in figure 556. Traffic originating from the local network itself would in this case be rerouted incorrectly into the VPN engine. This condition can be circumvented by introducing a throw route, which explicitly excludes the local network from the policy routing table.
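To check the network relationships of 5.1 to 5.3 before a tunnel is configured, the following added Python example (not Barracuda code) classifies the local and partner network of each tunnel endpoint and lists the endpoints of Table 512 where the local network is part of the partner network, i.e. where a throw route is required. The function and result names are this example's own; the networks are those of the text.

```python
"""Tunnel network sanity check (added example, not Barracuda code).

Classifies the local/partner network pair of a site-to-site tunnel endpoint
so two caveats of this section can be verified up front: the star-topology
case where the local network lies inside the partner network (the VPN policy
routing table would capture the local network's own traffic; a throw route is
required) and the general warning that overlapping address ranges interfere
with routing.
"""
from ipaddress import ip_network
from typing import List, Sequence, Tuple


def classify_tunnel(local: str, partner: str) -> str:
    """Relationship between the two networks of one tunnel endpoint.

    Returns 'disjoint', 'identical', 'local_within_partner' or
    'partner_within_local'. Two CIDR blocks can only overlap by nesting,
    so these four cases are exhaustive.
    """
    loc = ip_network(local, strict=False)    # '10.0.35.32' becomes a /32 host network
    par = ip_network(partner, strict=False)
    if loc == par:
        return "identical"
    if loc.subnet_of(par):
        return "local_within_partner"        # throw route needed on this side
    if par.subnet_of(loc):
        return "partner_within_local"        # hub side: partner is a more specific prefix
    return "disjoint"


Entry = Tuple[str, str, str, str]   # (tunnel, server, local network, partner network)


def throw_routes_needed(entries: Sequence[Entry]) -> List[Tuple[str, str]]:
    """(tunnel, server) pairs whose local network is part of the partner network."""
    return [(tunnel, server) for tunnel, server, local, partner in entries
            if classify_tunnel(local, partner) == "local_within_partner"]


# Table 512 of the star-shaped topology, transcribed as sample input.
TABLE_512: List[Entry] = [
    ("Tunnel 1 - 2", "Server 1", "10.0.0.0/8",   "10.0.21.0/24"),
    ("Tunnel 1 - 2", "Server 2", "10.0.21.0/24", "10.0.0.0/8"),
    ("Tunnel 1 - 3", "Server 1", "10.0.0.0/8",   "10.0.22.0/24"),
    ("Tunnel 1 - 3", "Server 3", "10.0.22.0/24", "10.0.0.0/8"),
]

if __name__ == "__main__":
    print(classify_tunnel("10.0.20.0/24", "10.0.21.0/24"))  # fully transparent example: disjoint
    print(classify_tunnel("10.0.35.32", "10.0.21.0/24"))    # stealth example: disjoint
    for tunnel, server in throw_routes_needed(TABLE_512):
        print("throw route required:", tunnel, server)      # Server 2 and Server 3
```

Run against Table 512 the check flags the two outposts (server 2 and server 3), whose local /24 networks are contained in the 10.0.0.0/8 partner network they receive from the headquarters; the headquarters side is the reverse case and needs no throw route.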

5.4 Redundant VPN Tunnels

5.4.1 Overview

Redundant VPN tunnels maintain uninterrupted connectivity between Barracuda NG Firewall gateways (e.g. HQ and branch). They reduce the impact of hardware failures and interruptions of internet connections and are the most reliable way of operating VPN tunnels over the internet. In addition, they may eliminate the need for upgrading existing infrastructure (frame relay, dedicated line) when the load exceeds the limits but upgrading is out of the question due to high costs.
Barracuda NG Firewall decides which type of traffic is to be sent through which tunnel by a service object utilized within a firewall rule. This way, response-critical traffic (e.g. SSH, Telnet, Citrix, etc.) can be directed to the tunnel using the dedicated line/frame relay (usually offering shorter delay times), while bulk traffic (e.g. SQL server replication, Lotus Notes replication, etc.) can be directed to the internet tunnel. In any case, all traffic appears with the original source IP address, regardless of the tunnel and the direction used.

5.4.2 Configuring Redundant VPN Tunnels

Fig. 557 Configuring Redundant VPN Tunnels - Example Environment (figure: HQ with network 10.0.1.0/24, eth1: 212.86.0.1, eth2: 172.16.0.1; Branch with network 10.0.2.0/24, eth1: 212.86.0.2, eth2: 172.16.0.2)

Figure 557 illustrates a redundant VPN tunnel setup having two links on each side of the tunnel. This setup results in four possible ways to build up the tunnel enveloping connection.

The algorithm determining the succession of retries works as follows:

- First local IP to first peer IP
- First local IP to second peer IP
- Second local IP to first peer IP
- Second local IP to second peer IP

The order in which the local and peer IP addresses are entered therefore determines which pairing is preferred. If the preferred enveloping connection fails and the tunnel comes up over one of the alternatives, no measure is taken automatically to move it back: the tunnel must be terminated manually. It will then immediately be rebuilt following the described algorithm.

The example setup depicted in figure 557 relies upon the following settings:

Table 513 Redundant VPN Tunnel Example

Tunnel 1 - 2 | Peer IP Address | Local Bind IP Address
HQ | 212.86.0.2 | 212.86.0.1
HQ | 172.16.0.2 | 172.16.0.1
Branch | 212.86.0.1 | 212.86.0.2
Branch | 172.16.0.1 | 172.16.0.2

Note:
It is assumed that a VPN service has been introduced on both sides.

Step 1 Creating a New Firewall-to-Firewall Tunnel

In order to configure the example shown above, enter the VPN tunnel configuration (through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver) > Site to Site > TINA Tunnels tab).

Lock the configuration dialog and select New TINA tunnel from the context menu.

Step 2 Configuring the Tunnels

Configure the tunnels as described in 2.7 Configuring VPN Tunnel Settings, page 232.

The following values must be supplied for the example setup:

Table 514 Redundant VPN Tunnel Example Parameter Settings

Parameter | HQ | Branch
Tunnel Direction | passive | active
Peer IP | 172.16.0.2, 212.86.0.2 | 172.16.0.1, 212.86.0.1
Tunnel IP | 172.16.0.1, 212.86.0.1 | 172.16.0.2, 212.86.0.2
Partner Network | 10.0.2.0/24 | 10.0.1.0/24
Local Network | 10.0.1.0/24 | 10.0.2.0/24

Step 3 Configuring the Routing

The default routes for establishing the VPN tunnels are configured within the section Main Routing Table (Configuration Service 2.2.5 Network, page 61).

The following values must be supplied for the example setup:

Table 515 Redundant VPN Tunnel Direct Routes for VPN Server 1

Parameter | 1 | 2
Target Network Address | 212.86.0.0/24 | 172.16.0.0/24
Type | direct_route | direct_route
Interfacename | eth1 | eth2

Table 516 Redundant VPN Tunnel Direct Routes for VPN Server 2

Parameter | 1 | 2
Target Network Address | 212.86.0.0/24 | 172.16.0.0/24
Type | direct_route | direct_route
Interfacename | eth1 | eth2

As soon as one of the VPN tunnels has been established successfully, the network routes needed for communication through the tunnel are introduced by the system itself. These routes are displayed in the ROUTES section of the Control > Network tab.

Note:
In former versions of Barracuda NG Firewall, redundant VPN tunnels with intermediate networks were needed for traffic intelligence configuration. This configuration method has been replaced in Barracuda NG Firewall 3.4. Firewall Connection Objects may now be equipped with settings defining Traffic Intelligence (TI) behavior in the VPN Traffic Intelligence (TI) Settings section (see 2.7.1.2 Traffic Intelligence (TI), page 235). It is recommended to use this new method. Already existing redundant tunnel configurations will remain fully functional though and do not necessarily need to be replaced.
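The retry order and the manual-termination caveat of 5.4.2, reproduced as an added Python example (not Barracuda code). It uses the HQ addresses of Table 513 and a constructed reachability set; which link is the internet and which the dedicated line is an assumption taken from the address ranges in figure 557, and the class and function names are this example's own.

```python
"""Redundant VPN tunnel retry order and failover behaviour
(added example, not Barracuda code).

Reproduces the four-step retry sequence for two local and two peer
addresses and the documented caveat that a preferred enveloping connection
is not reclaimed automatically: the tunnel has to be terminated manually to
be rebuilt from the top of the list. Reachability is simulated with a
constructed set of (local, peer) pairs.
"""
from itertools import product
from typing import List, Optional, Sequence, Set, Tuple

Pair = Tuple[str, str]


def retry_order(local_ips: Sequence[str], peer_ips: Sequence[str]) -> List[Pair]:
    """First local to first peer, first local to second peer,
    second local to first peer, second local to second peer."""
    return list(product(local_ips, peer_ips))


class RedundantTunnel:
    """One side's enveloping connection of a redundant TINA tunnel."""

    def __init__(self, local_ips: Sequence[str], peer_ips: Sequence[str]):
        self.candidates = retry_order(local_ips, peer_ips)
        self.active: Optional[Pair] = None

    def bring_up(self, reachable: Set[Pair]) -> Optional[Pair]:
        """Walk the retry list and keep the first pair that connects."""
        for pair in self.candidates:
            if pair in reachable:
                self.active = pair
                return pair
        self.active = None
        return None

    def on_link_change(self, reachable: Set[Pair]) -> Optional[Pair]:
        """React to a change in link state.

        An established connection is kept as long as it works, even if a
        preferred pair has meanwhile become reachable again; only a dead
        connection triggers a rebuild (from the top of the list).
        """
        if self.active is not None and self.active in reachable:
            return self.active
        return self.bring_up(reachable)

    def terminate(self, reachable: Set[Pair]) -> Optional[Pair]:
        """Manual 'Terminate Tunnel': the tunnel is rebuilt immediately,
        again following the retry order, so the preferred pair wins."""
        self.active = None
        return self.bring_up(reachable)


# HQ side of Table 513. Assumption: 212.86.0.x is the internet link (eth1)
# and 172.16.0.x the dedicated line (eth2); the guide does not say so explicitly.
HQ_LOCAL = ["212.86.0.1", "172.16.0.1"]
HQ_PEERS = ["212.86.0.2", "172.16.0.2"]
# Constructed reachability: only pairs on the same medium can ever connect.
INTERNET = ("212.86.0.1", "212.86.0.2")
LEASED = ("172.16.0.1", "172.16.0.2")


def failover_story() -> List[Optional[Pair]]:
    """Active pair over time: internet link down at start, then it returns,
    then the administrator terminates the tunnel by hand."""
    t = RedundantTunnel(HQ_LOCAL, HQ_PEERS)
    states = [t.bring_up({LEASED})]                        # falls back to the leased line
    states.append(t.on_link_change({INTERNET, LEASED}))   # stays on the leased line
    states.append(t.terminate({INTERNET, LEASED}))        # rebuilt on the preferred pair
    return states


if __name__ == "__main__":
    print(retry_order(HQ_LOCAL, HQ_PEERS))
    print(failover_story())
```

The middle state is the one operators get caught by: after the internet link returns, the tunnel keeps running over the dedicated line until someone terminates it, at which point the retry list starts again from the first pairing.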


6. Configuring the Personal Firewall

6.1 General

The Personal Firewall Configuration determines the behavior of the Barracuda NG VPN client's Personal Firewall when connected via VPN. Barracuda NG Firewall gateway 4.2 supports the Barracuda NG VPN Client and Barracuda NG Personal Firewall clients, as well as the Barracuda NG VPN Client versions R6 and R7.

Note:
For further information on the personal firewall see the appropriate documentation named Barracuda NG Network Access Protection Administrator's Guide. It is contained on your Application & Documentation flash USB stick.

7. Barracuda NG VPN Client

7.1 Installation & Configuration

Note:
For further information on the Barracuda NG VPN Client see the appropriate documentation named Barracuda NG Network Access Protection Administrator's Guide. It is contained on your Application & Documentation flash USB stick.

7.2 Troubleshooting

In case you are facing problems with your copy of the Barracuda NG VPN Client within a Microsoft Windows environment, you should consider looking into the Windows event viewer log. All VPN client errors are logged there. The Windows event viewer can usually be found under:

Start > Control Panel > Administrative Tools > Event Viewer


Barracuda NG Firewall 4.2.10

6 Mail Gateway

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

2. Installation
2.1 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

3. Configuration
3.1 Service Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
3.2 MailGW Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
3.2.1 Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
3.2.2 Extended Domain Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
3.2.3 POP3 Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
3.2.4 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
3.2.5 Content Adaptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
3.2.6 Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
3.2.7 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

4. Spam Filtering
4.1 Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
4.2.1 Configuring the Spam Filter Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
4.2.2 Configuring the Spam Filter Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
4.2.3 Configuring the Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
4.2.4 Archiving and Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

5. Mail Gateway Operation


5.1 MailGW Operation via GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.2 General Characteristics of the Graphical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.2.1 Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.2.2 Title Bar(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.2.3 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.3 Mail Queue Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
5.3.1 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
5.4 Access Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
5.4.1 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
5.5 Spam Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
5.6 Processes Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
5.6.1 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
5.7 Attachments Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
5.7.1 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
5.8 Grey Listing Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
5.8.1 Grey List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
5.8.2 White List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
5.8.3 Context Menu Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
5.9 Logs, Statistics, Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
5.9.1 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
5.9.2 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
5.9.3 Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285


6. E-mail Synchronisation after HA Handover


6.1 Automatic Synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
6.2 Manual Synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285


1. Overview

1.1 General

With this service you can set up a powerful and secure mail gateway according to the SMTP (Simple Mail Transfer Protocol), RFC 2821.

Note:
For further details on this protocol see www.ietf.org/rfc/rfc2821.txt.

The Barracuda NG Firewall mail gateway service is, of course, completely maintainable via the management console Barracuda NG Admin. The service provides several features such as mail traffic control, spam filtering, statistics, event notification, and many more. The installation, configuration, and operation of this service are described in the following.

The mail gateway service generates three log files, which can be viewed in the Logs GUI (Log Viewer, page 305) of the graphical administration tool Barracuda NG Admin:

• servicename
  This file contains the general logging data of the mail gateway service.
• pop3
  This file belongs to the POP3 scanner and is only generated when POP3 scanning is enabled (Use POP3, page 265).
• qspool
  This file records transactions processed between the configuration and monitoring areas of the mail gateway service and the graphical administration tool Barracuda NG Admin.

2. Installation

2.1 Procedure

To install the Barracuda NG Firewall mail gateway service you need to have already installed a server on your box.

Choose Create Service in the context menu of the corresponding server and select a name for this service (for example mailgw).

Configure the service definition settings (Service Name, Description, Software Module) of the mail gateway service in the following window.

Select Mail-Gateway as software module. Click OK to create the service. Now you can activate the changes by clicking Activate, and your newly installed mail gateway service is ready for configuration.

3. Configuration

The config tree of your box provides all configuration options for your mail gateway service and contains the following entries (listed according to their sequence of usage):

• Service Properties
• MailGW Settings, page 262

3.1 Service Properties

To enter the configuration, select the Service Properties entry in the config tree.

General - section Service Definition:

The fields Service Name and Software Module are read-only fields displaying the settings made when the service was created.

Note:
Due to the software module Mail-Gateway the fields Bind Type and Explicit Bind IPs are not available.

Note:
If there is only one (or even no) bind IP configured in your server configuration, an error message Cannot bind to IP will be displayed in Logs (see 5.9 Logs, Statistics, Events, page 284).

It is strongly recommended that your official IP addresses are reverse DNS resolvable. You might otherwise experience problems concerning your mail gateway. For example, other mail servers might deny communicating with it.


Statistics and Notification:

These configuration options in the service configuration window do not have any effect on the actual behavior. Statistics and Event settings of the mail gateway are configured in the MailGW Settings (see 3.2.7 Reporting, page 272).

3.2 MailGW Settings

To enter the configuration, select the MailGW Settings entry in the config tree.

The MailGW Settings configuration window is divided into two organisational areas:

• a navigation bar on the left side and
• the configuration area in the main window.

Fig. 61 MailGW Settings configuration area

The following organisational segments are made available through the navigation bar:

Table 61 Items of the Navigation Bar's main element "Configuration"

View | Comment | described on
Basic Setup | For configuration of general settings of the Mail Gateway. | page 262
Extended Domain Setup | For settings applying to specific mail domains. This section is deactivated by default. If activated, Local Domain Settings in the Basic Setup are overwritten. | page 263
POP3 Setup | For handling of POP3 protocol processing. | page 265
Advanced Setup | For relaying, specific operational, and expert settings. | page 266
Content Adaptions | For the definition of mail specific content filters. | page 269
Limits | For the definition of mail processing limits. | page 271
Reporting | For reporting and eventing settings bound to e-mail traffic. | page 272

3.2.1 Basic Setup

Fig. 62 Mail gateway positioning in a network
[Figure: the internal company network company.com (Client PCs, Mail server) connects to the Internal Listen IP of the Barracuda NG Firewall; its External Listen IP faces external networks such as friendly.com (Client PC) and any other domain.]

Section Host Configuration

A mail gateway's fundamental configuration part are its Listen IP addresses. Listen IP addresses are addresses the server listens to on the standard SMTP port 25. A mail gateway operating in both directions has to listen to at least two IPs. The internal listen IP usually connects your LAN clients. The external listen IP connects your LAN to a foreign network.

For the following reasons it is essential to distinguish between these two listening IP types:

• The mail gateway determines the transportation direction by the e-mail's incoming IP address. Mail rules are only interpretable when internal and external listening IPs are configured properly (see Section Local Domain Settings, page 263 and Section Extended Domain Setup, page 263).
• Differentiation between inbound and outbound mail traffic in statistics collection is determined by the listening IP type.

If you are operating a mail server in your internal LAN, the mail gateway's internal listening IP address can be specified as mail relaying address. If a dedicated mail server does not exist, clients may specify the gateway's internal listening IP address as outgoing SMTP server address in the configuration of their e-mail client programs.


A listen IP is characterized by the following detail parameters:

List 61 MailGW Settings - Basic Setup section Host Configuration

External / Internal Listen Address (IPv4): Insert the respective external and internal listening IP addresses here. Either choose the First- or Second- (Server) IP from the pull-down menu, or select the checkbox Other to specify another IP address.
Note:
Listen IP addresses must be part of the server network configuration as well. If you choose option Other, do not forget to configure the inserted address(es) as server address(es) (Configuration Service - 3. Configuring a New Server, page 94).

Greeting Name: This is the SMTP "helo / ehlo" greeting name which is sent after the SMTP connection to a mail server has been established (see www.ietf.org/rfc/rfc2821.txt). This field can take letters from the Latin alphabet, digits, ".", "-", and "_"; special characters are not allowed.

Postmaster Mail-Address: Enter the e-mail address of the postmaster in this field. If an e-mail to the postmaster is sent, it will be re-written to the e-mail address specified here.

Section Local Domain Settings

Use this section to provide the mail gateway with information about trust relationships in your internal network, such as the mail server it should forward incoming mail to, and the local domains for which it should process mail traffic.

List 62 MailGW Settings - Basic Setup section Local Domain Settings

Internal Mail Server: Specify your internal mail server in this field. The mail gateway will redirect incoming mail to this server.

My Domains List: Domains defined as My Domains are treated as trusted internal domains by the mail gateway. It is vital to specify trusted domains, as the mail gateway will only accept mail relaying for these domains on its internal listening address (see External / Internal Listen Address).
Note:
The mail gateway will redirect incoming mail to the specified Internal Mail Server (see above). If you require another delivery policy setting, consider configuring your mail gateway through the Extended Domain Setup configuration options instead (see below).
Note:
Security restrictions applying to My Domains are identical to the formerly known Protection Profile internal (see Protection Profile, page 264). If higher protection from fake e-mail addresses is required, consider configuring your mail gateway through the Extended Domain Setup configuration options instead (see below).

  My Domains List (entry): Enter the name of the internal trusted domain in this place (for example, barracuda.com). Wildcards may be used as a supplement for the .tld ending to include multiple domains (for example, barracuda.*). Keep in mind, though, that a wildcard placed at the end of the domain name involves a potential security risk, as the top level domain might be interpreted as a sub-domain (for example, barracuda.anyname.net). Consider creating one entry per domain instead.

  Include Subdomains: Set to yes if subdomains of the specified domain should be treated as trusted mail domains as well (default: no).

Section Global Domain Parameters

List 63 MailGW Settings - Basic Setup section Global Domain Parameters

Default Recipient DB: This parameter holds the relative path and name of the default database for recipient verification (MailGW Settings section Extended Domain Setup Domains, page 264). Please see Recipient DB, page 265 for detailed information on the correct use of this parameter.
Note:
If the parameters Default Recipient DB and Default Recipients Lookup are in use at the same time, the recipient e-mail address has to match both databases.

Default Recipients: This parameter allows importing recipients into the Default Recipient DB specified in the field above. Please see Recipients, page 265 for detailed information on the correct use of this parameter.

Default Recipients Lookup: Select one of the phibs authentication schemes in the combo box to enable an online mail recipient lookup in a meta directory just in time when the mail arrives. Only authentication schemes of type MSAD or LDAP are allowed as recipient lookup scheme.
Note:
The recipient's e-mail address is checked against the meta directory attribute named mail.
Note:
If the parameters Default Recipient DB and Default Recipients Lookup are in use at the same time, the recipient e-mail address has to match both databases.
Note:
When this parameter is set to MSAD or LDAP the list Recipients Lookup req. Groups may be filled. If filled, the authentication scheme configuration (Group Attribute) has to be set accordingly.

Recipients Lookup req. Groups: Define here the group patterns the recipient has to match so that the recipient's e-mail address will be accepted.

Allow Relaying from: E-mails are only accepted for relaying on the internal listen address if they have been forwarded by one of the hosts specified here.

3.2.2 Extended Domain Setup

A freshly installed version of Barracuda NG Firewall 4.2 aims at the simplest possible configuration and expects domain specific configuration in the Section Local Domain Settings within the Basic Setup (see 3.2.1 Basic Setup). Thus, the Extended Domain Setup is disabled (set to no) by default. Enabling it deactivates and overwrites the settings configured in the Section Local Domain Settings.

Note:
The Extended Domain Setup section is utilized when migrating Mail Gateway settings from Barracuda NG Firewall version 3.2.

Section Extended Domain Setup

This is a complex and powerful rule feature. It protects your mail gateway from fake e-mail sender domains which could abuse it for relaying spam mail.

List 64 MailGW Settings section Extended Domain Setup

Enable Extended Domain Setup: Select Yes to enable.

Domains: see List 65.

Default Internal MX: You can specify a default DNS-resolvable mail exchange in this field. Incoming mail will be redirected to this default MX. Usable for load balancing via DNS Round Robin.


List 64 MailGW Settings section Extended Domain Setup (continued)

Default Internal Mail Server: You can specify one or more default internal mail servers in this field. Incoming mail will be redirected to this default mail server. If you specify several mail servers, the mail gateway will try them one after the other until delivery is successful (for example, if the first default mail server is unreachable). Enter the IP address and select Insert to add it to the list of default mail servers.

Domains:

Select Insert to insert a new trusted domain and enter the domain name into the Name field.

The following parameters are available for configuration:

List 65 MailGW Settings section Extended Domain Setup Domains

Additional Domain Pattern: If your trusted domain has additional patterns (for example several top level domains such as .com or .net) you can add the additional pattern to the list. For the additional pattern, it is also possible to enter wildcards such as * or ? (like sample.*).

Protection Profile: Protection profiles determine a mail domain's trust scope. Domains with the highest trust level may only be forwarded by a gateway's internal listen IP; domains with the lowest trust level may be used to communicate outside the company LAN only. Have a look at figure 62, page 262 to understand the impacts of protection profile configuration. The following trusted domain definitions apply:

  strictly_internal
  E-mail senders using a domain defined as strictly internal are only accepted from within the company network at the mail gateway's internal listen IP. This configuration offers the highest protection level against fake e-mail addresses, as it is not possible to forward e-mails through any external, Internet-accessible mail relay.

  internal
  E-mail senders using a domain defined as internal are accepted from within the company network at the mail gateway's internal listen IP and also from outside the company network at the mail gateway's external listen IP. This configuration is of interest for mobile workers wishing to send e-mails with official company addresses when they are connected to the Internet via any ISP.

  foreign
  E-mail senders using a domain defined as foreign are accepted at both listening interfaces. Foreign domains can be defined if some of your clients want to use an external mail account (like a web mail account) company-wide and from the Internet. As foreign domains are accepted as senders and recipients on both listening interfaces of the mail gateway, it makes sense to specify allowed clients explicitly (parameter Allow Relaying from > Explicit_ACL), so the foreign domain setting is only valid for these clients and not for the whole internal client network.

  strictly_foreign
  E-mail senders using a domain defined as strictly foreign are only allowed at the mail gateway's external listening interface.

  Rules controlling mail traffic:

  | strictly_internal | internal | foreign | strictly_foreign
  Allow as sender on internal | pass | pass | pass | DENY
  Allow as sender on external | DENY | pass | pass | pass
  Allow as recipient on internal | pass | pass | pass | pass
  Allow as recipient on external | pass | pass | DENY | DENY

Delivery Policy: This parameter determines the handling of incoming e-mails addressed to the specified recipient domain. The following setting options define the mail gateway's e-mail forwarding mechanism:

  MX (default)
  The mail gateway tries to resolve a DNS MX (mail exchange) record for the specific domain.

  Default_Internal
  The mail gateway redirects incoming mail for a trusted domain to the respective default mail server as outlined on page 264 (Default Internal Mail Server).

  Default_MX
  The mail gateway redirects incoming mail for a trusted domain to an MX-resolvable domain as outlined on page 263 (Default Internal MX).

  Explicit_Peer_IP
  Activates the field Delivery IPs where one or more IP addresses can be entered (parameter Delivery IPs, see below). The mail gateway redirects matching incoming mail to the specified IP address.

  Explicit_MX_Domain
  The mail gateway redirects responsibility for e-mail forwarding to another MX-resolvable domain. Enter the MX domain into the Delivery IPs field below. E-mail distribution to the final recipients will then be handled by the other domain's mail servers. This option can be used when multiple internal mail servers are in use.

Delivery IPs: This field only expects input if Delivery Policy has been set to Explicit_Peer_IP or Explicit_MX_Domain. If so, specify the delivery IP address(es) or MX domain(s) explicitly in this place.

Local Deliver IP: This parameter should be used when having multiple Listen IPs because it allows selecting one of the available IPs as the binding one.

Allow Relaying from: This setting specifies which peers are allowed to use the specified domain as sender domain. There are three different accept policies:

  Any_Peer
  The specified domain can be used by any peer.

  Basic_Relaying_Setup
  The specified domain can only be used by peers specified in the parameter Allow Relaying from.

  Explicit_ACL
  Activates the field ACL where ACL IPs can be entered. Specified domains can only be used by these peers.

ACL: Explicit access list (allowed peer IPs).

Recipient Lookup: This parameter allows verifying each mail recipient in a database. If the recipient cannot be found in the database the mail is dropped. The following options are available:

  Disabled (default)
  Deactivates the parameter, that is, no verification is carried out.

  Default_DB
  Uses the database configured in the parameter Default Recipient DB (see Section Global Domain Parameters, page 263).

  Explicit
  In case the sum of queried users in the Default_DB causes performance problems, it is sensible to specify an individual Recipient DB for each domain.
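The wildcard caveat from the My Domains entry and the "Rules controlling mail traffic" table above can be checked mechanically. The following is an added example, not code from the Barracuda NG Firewall or this guide: it models domain patterns with fnmatch (whose `*` also spans dots, which is exactly why `barracuda.*` matches `barracuda.anyname.net`) and looks verdicts up in the table by role and listen IP. The class and function names (DomainPolicy, decide, check_message) and the sample domain list are invented here; for domains that are not configured at all, the table says nothing, so the code reports "unconfigured" instead of guessing.

```python
"""Protection-profile check modelled on the Extended Domain Setup rules table.

Added example, not Barracuda NG Firewall code.  Names and sample data are
constructed for this illustration.
"""
from fnmatch import fnmatchcase

# Column order of the "Rules controlling mail traffic" table.
PROFILES = ("strictly_internal", "internal", "foreign", "strictly_foreign")

# Table rows: (role, listen IP) -> verdict per profile column.
RULES = {
    ("sender", "internal"):    ("pass", "pass", "pass", "DENY"),
    ("sender", "external"):    ("DENY", "pass", "pass", "pass"),
    ("recipient", "internal"): ("pass", "pass", "pass", "pass"),
    ("recipient", "external"): ("pass", "pass", "DENY", "DENY"),
}


class DomainPolicy:
    """Ordered list of (pattern, profile, include_subdomains) entries."""

    def __init__(self):
        self.entries = []

    def add(self, pattern, profile, include_subdomains=False):
        if profile not in PROFILES:
            raise ValueError(f"unknown protection profile {profile!r}")
        self.entries.append((pattern.lower(), profile, include_subdomains))

    def profile_of(self, domain):
        """First matching entry wins; None means the domain is not configured."""
        domain = domain.lower()
        for pattern, profile, subs in self.entries:
            # fnmatch '*' matches across dots, reproducing the guide's warning
            # that 'barracuda.*' also covers barracuda.anyname.net.
            if fnmatchcase(domain, pattern):
                return profile
            # Include Subdomains = yes: sales.company.com counts as company.com.
            if subs and domain.endswith("." + pattern):
                return profile
        return None

    def decide(self, address, role, listen_ip):
        """Verdict ('pass', 'DENY' or 'unconfigured') for one address."""
        if (role, listen_ip) not in RULES:
            raise ValueError(f"unknown role/listen IP {role!r}/{listen_ip!r}")
        domain = address.rsplit("@", 1)[-1]
        profile = self.profile_of(domain)
        if profile is None:
            return "unconfigured"
        return RULES[(role, listen_ip)][PROFILES.index(profile)]

    def check_message(self, sender, recipient, listen_ip):
        """Sender and recipient domain must both pass on the receiving IP."""
        verdicts = (self.decide(sender, "sender", listen_ip),
                    self.decide(recipient, "recipient", listen_ip))
        if "DENY" in verdicts:
            return "DENY"
        if "unconfigured" in verdicts:
            return "unconfigured"
        return "pass"


def demo_policy():
    """Constructed sample configuration with one risky wildcard entry."""
    pol = DomainPolicy()
    pol.add("barracuda.*", "strictly_internal")
    pol.add("company.com", "internal", include_subdomains=True)
    pol.add("webmail.example", "foreign")
    return pol


if __name__ == "__main__":
    pol = demo_policy()
    # Wildcard pitfall: the top level domain is read as a sub-domain.
    print(pol.profile_of("barracuda.anyname.net"))               # strictly_internal
    # A strictly internal sender is refused on the external listen IP.
    print(pol.decide("ceo@barracuda.com", "sender", "external"))  # DENY
    # A foreign domain may not be a recipient on the external listen IP.
    print(pol.check_message("a@company.com", "b@webmail.example", "external"))  # DENY
```

Replacing the `barracuda.*` entry with one entry per domain, as the guide recommends, makes `profile_of("barracuda.anyname.net")` return None.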


List 65 MailGW Settings section Extended Domain Setup Domains (continued)

Recipient DB: This field is only available when the parameter Recipient Lookup is set to Explicit. It holds the relative path and name of the explicit database for recipient verification.
A Recipient DB is always expected in /var/phion/spool/mgw/*server*_*service*/ or a folder below this one. You may specify an already existing database through this field. If the database does not yet exist, it will be created.
For a database that has been or is expected to be created in /var/phion/spool/mgw/*server*_*service*/ enter my_recipient.db into this field. For a database that has been or is expected to be created in /var/phion/spool/mgw/*server*_*service*/myfolder/ enter myfolder/my_recipient.db into this field.
Note:
If you wish to create a database in a subfolder of /var/phion/spool/mgw/*server*_*service*/ the subfolder already has to exist, as it will not be created by Barracuda NG Admin automatically.
Attention:
If specified, the mail gateway is always going to query the recipient DB before processing an e-mail. Thus, make sure to configure the contents of the Recipient DB immediately after creation, as an empty Recipient DB will block all e-mail traffic.

Recipients: This parameter allows importing recipients into the Recipient DB specified in the field above. The import routine takes a text file with e-mail addresses arranged one per line.
Attention:
Only use the import routine when you have specified an existing database in the parameter Recipient DB above.
Attention:
Do not use the import routine to update the Recipient DB with single users, as the content of the Recipient DB is deleted prior to the update.
Note:
If you need to update the Recipient DB at regular intervals, do so by using an always up-to-date text file containing all e-mail addresses in use.
Attention:
The content of the Recipient DB is not saved to the .par file when creating a backup of the box configuration. Thus, you should always keep the contents of your Recipient DB in a safe place in case restoring it becomes necessary.

Default Recipients Lookup: Phibs scheme for lookup of a recipient's e-mail address in a meta-directory.
Note:
Only MS-Active-Directory and LDAP schemes may be used.

Recipients Lookup req. Groups: Define Meta-Directory group patterns to restrict allowed e-mail addresses. Only persons which are assigned at least one of the groups defined here are allowed recipients. Patterns are allowed.

3.2.3 POP3 Setup

E-mail clients use the Post Office Protocol version 3 (POP3) to retrieve mail from a remote server over a TCP/IP connection. Especially in small companies which do not operate an internal mail server, mail traffic is sometimes limited to fetching and forwarding of e-mails to an externally hosted POP3 mail server.

For an enhanced measure of security when collecting e-mails from this mail server over the Internet, the Barracuda NG Firewall may be configured to scan data streams processed over POP3 for viruses and spam.

Fig. 63 POP3 scanning example setup
[Figure: E-mail client 10.0.8.1 connects to the Barracuda NG FW/MailGW/AV at 10.0.8.12, which connects to the external POP3 server 212.118.60.1:110.]

Note:
Do not mistake this configuration section for a POP3 mail server setup. The configuration options in this place are limited to scanning of traffic between an e-mail client and an external POP3 server.

The following conditions must be met to enable scanned POP3 data streams between e-mail client and POP3 server:

• Firewall configuration
  A rule has to be configured in the firewall settings allowing communication on the POP3 port (default: 110) (Firewall 2.2 Rule Set Configuration, page 140).
• Virus Scanner settings
  The AVIRA AntiVir virus scanner service has to be installed (Anti-Virus, page 389). The use of an external virus scanner is not possible.
• Mail scanning settings
  Mail Scanning (Anti-Virus 1.7.3 Mail Gateway Integration, page 396) has to be activated. Settings (Anti-Virus, page 389) apply to POP3 scanning.
• Spam Filter settings
  If SPAM checking is desired the Spam filter service has to be installed (4. Spam Filtering, page 273).
• E-mail client configuration
  User specific login data has to be entered into the e-mail client that collects mail from the POP3 server. This login data has to be adapted so that the e-mail client addresses the Barracuda NG Firewall instead of the POP3 server directly. According to the example scenario in figure 63, the data has to be entered in the following way:

Table 62 E-mail client configuration

Field | Value | Example
Username | username#POP3serverIP:port | cuda#212.118.60.1:110
Password | POP3 account password | *******
POP3 server | Listening IP of the POP3 scanning service (see Listen on, page 265) | 10.0.8.12

The following configuration options are available for POP3 scanning:

List 66 MailGW Settings - Pop3 Setup section POP3 Setup

Use POP3: Set to yes (default: no) to enable scanning of data processed over POP3. Activating this option automatically enables virus scanning.

Listen on: The mail gateway listens for POP3 requests on the IP address(es) specified here. Either choose the First- or Second- (Server) IP from the pull-down menu, or select the checkbox Other to specify another IP address. Multiple addresses may be entered in a comma separated list.
Note:
Listen IP addresses must be part of the server network configuration as well. If you choose option Other, do not forget to configure the inserted address(es) as server address(es) (Configuration Service - 3. Configuring a New Server, page 94).

Maximum Children: This is the maximum number of concurrent connections the mail gateway accepts for POP3 sessions (default: 10). Connection attempts exceeding this value will be dropped.
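The client-side part of the POP3 scanning setup (Table 62) is easy to get wrong: the real POP3 server moves into the user name, and the client's POP3 server field must point at the gateway's Listen on address, otherwise the client bypasses scanning. The following is an added example, not code from the Barracuda NG Firewall or this guide, that encodes and decodes the `username#POP3serverIP:port` form and lints a client configuration against the gateway's Listen on list. The function names are invented; the values 212.118.60.1:110, 10.0.8.12 and cuda come from Table 62 and Fig. 63, and the assumption that the last `#` separates account from server is this example's own.

```python
"""Helpers for the POP3-scanning login format username#POP3serverIP:port.

Added example, not Barracuda NG Firewall code.  Function names are invented;
sample values are those of Table 62 / Fig. 63.
"""
import ipaddress


def build_pop3_login(account, server_ip, port=110):
    """'cuda', '212.118.60.1', 110 -> 'cuda#212.118.60.1:110'."""
    ipaddress.IPv4Address(server_ip)            # raises ValueError if malformed
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{account}#{server_ip}:{port}"


def split_pop3_login(login):
    """Inverse of build_pop3_login.

    Assumption: the last '#' separates the account from the server part, so
    accounts containing '#' still decode; the IP:port part never contains one.
    """
    if "#" not in login:
        raise ValueError("login lacks the '#POP3serverIP:port' part")
    account, server = login.rsplit("#", 1)
    if ":" not in server:
        raise ValueError("server part lacks ':port'")
    host, port = server.rsplit(":", 1)
    ipaddress.IPv4Address(host)                 # validate the embedded server IP
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return account, host, port


def check_client_config(login, pop3_server_field, listen_on):
    """Return a list of problems with an e-mail client's POP3 settings.

    listen_on is the gateway's 'Listen on' value (comma separated list, as the
    guide allows).  An empty result means the client is set up as Table 62
    describes: server field = gateway listen IP, real server in the user name.
    """
    gateway_ips = {ip.strip() for ip in listen_on.split(",") if ip.strip()}
    try:
        _account, real_host, _port = split_pop3_login(login)
    except ValueError as e:
        return [f"user name: {e}"]
    problems = []
    if pop3_server_field not in gateway_ips:
        problems.append(f"POP3 server field {pop3_server_field} is not a gateway "
                        f"Listen on address {sorted(gateway_ips)}; the client "
                        "would talk to the server directly and bypass scanning")
    if real_host in gateway_ips:
        problems.append("user name embeds the gateway IP instead of the "
                        "external POP3 server")
    return problems


if __name__ == "__main__":
    login = build_pop3_login("cuda", "212.118.60.1", 110)
    print(login)                                             # cuda#212.118.60.1:110
    print(check_client_config(login, "10.0.8.12", "10.0.8.12"))            # []
    print(check_client_config(login, "212.118.60.1", "10.0.8.12"))         # 1 problem
```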


List 66 MailGW Settings - Pop3 Setup section POP3 Setup (continued)

Timeout (s): This is the time span after which the connection between e-mail client and mail gateway times out. This value is of importance because too long processing times caused by communication or connectivity problems between mail gateway and POP3 server can lead to connection loss between mail gateway and e-mail client. You may leave the default setting at 30 seconds if you are not experiencing any problems.

Check Spam: Set to yes (default: no) to activate spam checking of e-mails retrieved via POP3.
Note:
In order to perform a spam check the Spam filter service has to be installed (4. Spam Filtering, page 273).

Template: When the virus scanner finds a virus, it immediately drops the e-mail and attempts to forward an informational message to the e-mail's recipient instead of the original e-mail. Use the Template field to define a global template for these notifications. Variable parameters such as e-mail address, virus information and mail subject are inserted into the template when the notification is generated. Valid variable parameters are:
  %USERNAME% - name of the user
  %VIRUSNAME% - virus information
  %MAILFROM% - sender e-mail address
  %MAILTO% - recipient e-mail address
  %MAILDATE% - date of the e-mail
  %SUBJECT% - mail subject

Subject: This string is inserted into the alert e-mail's subject header (default value: [VIRUS found]).

Delete Infected Mails: Virus infected e-mails are immediately deleted and not stored on the Barracuda NG Firewall when this option is set to yes (default: no). Otherwise e-mails are saved to the path /var/phion/run/mailgw/<servername>_<servicename>/root/virus-rejected.

Use HTML Tag Removal: Set to yes (default: no) to enable HTML tag removal. For a short description of HTML tag removal see Section HTML Tag Removal (page 270).

3.2.4 Advanced Setup

The following parameters define the mail gateway's general behavior:

List 67 MailGW Settings - Advanced Setup section Operational Settings

Mail Transfer Agents (MTAs): Mail transfer agents are service processes that deliver mails received from a client to other mail servers (see 5.1 MailGW Operation via GUI, page 279). You can specify the maximum number of MTAs here (default: 5).
Attention:
This number must not be 0.
MTA processes are only started when the mail gateway system needs them for mail delivery. They are stopped again after delivery has succeeded.

MTAs for Urgent Mail: This parameter defines the number of MTAs that are reserved for mail classified as urgent (default: 1). The definition of what kind of mails have the scheduling priority urgent is made within the Section Expert Settings (use with care) (page 267).

Admin Connections: This is the maximum number of GUI connections allowed to the box where the mail gateway service is installed (default: 5).

DNS Query: With the option parallel (default), the local box firewall blocks DNS reply packets from slow DNS servers because the mail gateway has already received an answer from a fast DNS server. The option sequential causes the DNS servers to be queried one after the other.

Spool Queue Sync: This parameter activates/deactivates the synchronisation of mails between an HA pair. When activated, the active mail gateway sends mail bundles to the passive mail gateway for synchronisation every 10 seconds.
Note:
Enabling this parameter requires a restart of the mail gateway service due to the HA specific startup procedure. Disabling works without restart.
Attention:
Having this option activated may cause extensive load during synchronisation.

DSN Mails in MIME-Format: Select yes to send DSN messages in MIME format, according to RFC 1891 (SMTP Service Extension for Delivery Status Notifications; for details see www.ietf.org/rfc/rfc1891.txt).

MTA Retry Sequence: Due to a variety of reasons (for example a target server is unreachable), an e-mail might not be deliverable at once. If this is the case, the mail gateway service starts a further delivery attempt after a certain period specified through this field. Multiple retry attempts can be entered in a space separated list. The following characters may be used:
  Digits
  m = minute(s)
  h = hour(s)
  d = day(s)
Adding the character w to a time parameter in the list causes generation of DSN (Delivery Status Notification) messages addressed to the original e-mail's sender. As long as further retry attempts are still to follow, a delay message is generated. The last message of the retry sequence is a delivery failure notification.

Example messages for the MTA retry sequence '1m 5m 10m 1hw 1dw':

Delay message generated after 1 hour:
  Your Message to the following recipients <recipient@sample.com> (reason: [reason for delivery delay]) has been delayed.
  You do NOT need to resend your message!!!
  The mail server will keep trying to deliver your message and you will be notified if delivery is impossible.
  Received: from [IP] ([hostname]) by [mail gateway] id [JOB ID Number]; [Day Date Time]
  From: "Sender" <sender@sample.com>
  Subject: [Subject of mail message]

Delivery failure notification generated after 1 day:
  Your Message to the following recipients <recipient@sample.com> (reason: [reason for delivery failure]) - maximum retries reached - could not be delivered.
  Received: from [IP] ([hostname]) by [mail gateway] id [JOB ID Number]; [Day Date Time]
  From: "Sender" <sender@sample.com>
  Subject: [Subject of mail message]

Priority Switch after (minutes): The Barracuda NG Firewall mail gateway schedules all mail jobs received from the clients (for more information on the scheduling mechanism see 5.1 MailGW Operation via GUI, page 279). This setting specifies the period of time (default: 60 minutes) after which the mail gateway automatically changes the scheduling priority to the next higher level.
Note:
This setting has nothing to do with the priority flag you can set in your e-mail client software; that priority flag concerns the mail application only.

List 68 MailGW Settings - Advanced Setup section Allowed Relaying

Internal IP-Addresses: These internal IP addresses are allowed to forward mail traffic.
Attention:
Use this parameter with great care, as incorrect settings may cause a security violation.
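The MTA Retry Sequence syntax above (digits with m/h/d, optional trailing w) is compact enough to validate before it is saved, and the example sequence '1m 5m 10m 1hw 1dw' is easiest to understand as a timeline. The following is an added example, not code from the Barracuda NG Firewall or this guide: it parses a retry sequence, computes when each attempt would happen, classifies each w entry as a delay or a failure notification exactly as the guide describes, and renders the notification text in the shape of the examples shown. The function names are invented, and the assumption that each interval is counted from the previous attempt (so the elapsed times add up) is this example's own.

```python
"""MTA Retry Sequence parser and DSN scheduler.

Added example, not Barracuda NG Firewall code.  Function names are invented;
intervals are assumed to be relative to the previous delivery attempt.
"""
import re
from datetime import timedelta

UNIT = {"m": timedelta(minutes=1), "h": timedelta(hours=1), "d": timedelta(days=1)}
# digits, one unit letter, optional 'w' (generate a DSN at this step)
TOKEN = re.compile(r"^(\d+)([mhd])(w?)$")


def parse_retry_sequence(spec):
    """Turn '1m 5m 10m 1hw 1dw' into a list of retry steps.

    Each step is a dict with the raw 'token', the 'interval' waited since the
    previous attempt, the cumulative 'elapsed' time since the first attempt,
    and 'dsn': None, 'delay' (a w entry with more retries to follow) or
    'failure' (a w entry on the last retry of the sequence).
    """
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty retry sequence")
    steps, elapsed = [], timedelta(0)
    for i, tok in enumerate(tokens):
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad retry token {tok!r}: expected digits + m/h/d [+ w]")
        digits, unit, w = m.groups()
        interval = int(digits) * UNIT[unit]
        elapsed += interval
        dsn = None
        if w:
            dsn = "failure" if i == len(tokens) - 1 else "delay"
        steps.append({"token": tok, "interval": interval,
                      "elapsed": elapsed, "dsn": dsn})
    return steps


def is_valid_retry_sequence(spec):
    """True if the field value would be accepted by parse_retry_sequence."""
    try:
        parse_retry_sequence(spec)
        return True
    except ValueError:
        return False


def render_dsn(step, sender, recipient, subject, reason):
    """Notification text for one step, modelled on the guide's examples.

    Returns None for steps without a w flag (no DSN is generated there).
    """
    if step["dsn"] == "delay":
        body = (f"Your Message to the following recipients <{recipient}> "
                f"(reason: {reason}) has been delayed.\n"
                "You do NOT need to resend your message!!!\n"
                "The mail server will keep trying to deliver your message "
                "and you will be notified if delivery is impossible.")
    elif step["dsn"] == "failure":
        body = (f"Your Message to the following recipients <{recipient}> "
                f"(reason: {reason}) - maximum retries reached - "
                "could not be delivered.")
    else:
        return None
    return f'{body}\nFrom: "Sender" <{sender}>\nSubject: {subject}'


if __name__ == "__main__":
    for step in parse_retry_sequence("1m 5m 10m 1hw 1dw"):
        print(f"{step['token']:>4}  after {step['elapsed']}  dsn={step['dsn']}")
    # 1hw -> delay message after 1h16m, 1dw -> failure notification after 1d1h16m
```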


List 69 MailGW Settings - Advanced Setup section Cloning and Archiving
Parameter | Description
By means of the configuration options in the Cloning and Archiving section, e-mail addresses can be manipulated before a mail is forwarded to its recipient(s). E-mails can be duplicated (cloned) by inserting multiple recipients as a comma separated list into the recipient related rewrite field. They can thus be forwarded (archived) to an external e-mail archiving system.
Note:
Delivery classification options configured in the MailGW Settings section Extended Domain Setup Domains, List 65 (page 264), also apply to e-mail addresses that have been rewritten. For example, if the sending domain address of an e-mail, which has been accepted for delivery at the mail gateway's external listen address, is rewritten to a strictly internal sender domain, the mail will be discarded due to policy restrictions.
Enable Cloning and Archiving | Set to yes to activate Cloning and Archiving and click the Set button to open the following configuration window.
Archiving Settings | Sender addresses can be rewritten just like recipient addresses. Click the Insert button to add new rewriting patterns. Wildcards such as * or ? may be used in the Pattern columns.
Sender/Recipient - Full Address Manipulation (1): manipulate the full e-mail address
Sender/Recipient - Local Part Manipulation (1): manipulate the local part (string preceding '@')
Sender/Recipient - Domain Manipulation (1): manipulate the domain name (string following '@')

Section Expert Settings (use with care)

Attention:
Expert settings should be used with care. Do not use expert settings unless you know exactly what you are doing and/or have contacted Barracuda Networks Support.

By means of the configuration options that Expert Settings make available, rule settings may be added to the Barracuda NG Firewall mail gateway service manually. In the Pre Settings section, rules are configurable that are considered before other mail gateway settings; in the Post Settings section, rules are configurable that are considered after all other mail gateway settings have been processed. To enable the configuration options, set Enable Pre Settings or Enable Post Settings respectively to yes and then click the corresponding Edit button to open the configuration dialog.

Expert Settings can be added to all 5 levels of an SMTP mail transmission (refer to RFC 2821 for details):

Table 63 SMTP levels
Level | Type | Description
1 | Connect | This is the connection level of the mail gateway server (for example, a banned hosts rule will affect the connect level).
2 | Helo | This is the SMTP greeting level (SMTP "helo" or "ehlo" command).
3 | Sender | In this level the sender of a mail is announced (SMTP "mail from:" command; for example, a banned sender rule will affect the sender level).
4 | Recipient | The recipient of a mail is announced in this level (SMTP "rcpt to:" command; for example, a banned recipient or re-write recipient rule will affect the recipient level).
5 | Data | In the last level of an SMTP transmission the mail body (data) is transmitted; for example, the subject is part of the mail body (a banned subjects rule will therefore affect the data level).

Abstract Rule Language

Configuration of Expert Settings requires syntactical knowledge of the applicable abstract rule language.

General syntax
• // Comment line (comment lines are ignored by the abstract rule parser)
• Separate expressions with a space (for example, a double-slash // must be followed by a space)
• Quote string variable values ("string").
• Separate parameters with a comma sign (,).

Variables

Table 64 Variables used in the Expert Settings section
Variable | Type | Level | Description | Special value
result | integer | all | return code of rule parser |
peerip | string | connect | IP address of peer (client) |
peername | string | connect | hostname of peer (client) |
inbound | boolean | connect | 0=outbound; 1=inbound (that is, mail reception on the internal IP) |
helo | string | helo (2) | SMTP greeting name (ehlo/helo) |
from | string | sender (3) | sender e-mail address after re-writing | null
fromuser | string | sender (3) | sender e-mail address local part after re-writing |
fromdomain | string | sender (3) | sender e-mail address domain after re-writing |
to | string | rcpt (4) | recipient e-mail address after re-writing | postmaster
touser | string | rcpt (4) | recipient e-mail address local part after re-writing |
todomain | string | rcpt (4) | recipient e-mail address domain after re-writing |
orig_[] | string | sender (3), rcpt (4) | adding orig_ to an e-mail address variable (for example orig_fromdomain) reflects the e-mail address before re-writing |
subject | string | data (5) | subject of mail body |

Operators

Table 65 Operators used in the Expert Settings section
Operator | Description
= | Text Operator; Equality
<> | Text Operator; Inequality
"" | Numerical Operator
AND | Logical Operator
OR | Logical Operator

Usage:
<variable> <operator> <expression>

Example:
fromdomain <> "sample.com"

IF statements

Table 66 IF statements used in the Expert Settings section
Statement | Description
IF | Begin IF test block

Table 66 IF statements used in the Expert Settings section (continued)
Statement | Description
ELSE | Begin ELSE block
ELSEIF | Begin ELSEIF block
ENDIF | End IF block
THEN | THEN statement for IF tests

Usage:
IF (<test-expression(s)>) THEN
    <statement>;
ENDIF

Example:
IF (fromdomain = "sample.com") OR (fromuser = "spammer") THEN
    ACTION ("deny", "Banned Sender");
ENDIF

ACTION

This command is used to let the mail gateway service perform various actions.

Table 67 Actions used in the Expert Settings section
Action | Level | Parameter | Description
ruledebug | all | - | view rule debug messages in logs
smtpdebug | all | - | view SMTP debug messages in logs
deliverdirect | >2 | target IP address | when specified in level 3 it has an effect on the whole mail object, else on the current rcpt
Bind | >2 | extern, intern or bind IP [inbound-flag] | when specified in level 3 it has an effect on the whole mail object, else on the current rcpt. extern: use the first configured external bind IP; intern: use the first configured internal bind IP; bind IP: specify an explicit bind IP [inbound-flag is either 0 (default, outbound) or 1 (inbound)]
Quit | all | - | close connection
Deny | >2 | description | deny mail delivery of the current mail
Drop | 4 | - | drop the current recipient
rewrite / rewriteuser / rewritedomain | >2 | mailbox / localpart / domain | if specified in level 3 re-write the sender (-part), else re-write the current recipient (-part)
clone / cloneuser / clonedomain | 4 | list of mailboxes, local-parts or domains | clone the current recipient (-part)
Priority | >2 | priority | scheduling priority; allowed values: low, normal, high, urgent
Event | all | event-type, description | trigger an event; allowed values for event-type: 0=info, 1=notice, 2=error; description of event: will be displayed in Events if the event is triggered
None | all | - | do nothing

Usage:
ACTION ("<action>", "<parameter(s)>");

If no parameter is required (this is the case when the quit action is used), you need to enter the quotation marks anyway, for example ACTION ("quit", "");.

Example:
ACTION ("rewrite", "test@sample.com");
or
ACTION ("event", "1, Event has been triggered!");

RETURN

The return command exits the current level function, so subsequent instructions will no longer be performed.

Usage:
RETURN ;

Note:
Lines with ACTION and RETURN commands require a semicolon (;) at the end of the line; expressions with an ACTION/RETURN command are space separated (this is also valid for the semicolon after the RETURN command as shown above).

Examples for expert settings

Example 1
Mail delivery from mail servers that send "spam" as greeting name should be denied. Insert the following rule language code into the Helo field of Pre or Post Settings:
IF (helo = "spam") THEN
    ACTION ("quit", "");
    RETURN;
ENDIF

Example 2
The priority of e-mails arriving from a specific address should be changed to "high". Insert the following rule language code into the Sender field of Pre or Post Settings:
IF (from = "boss@company.com") THEN
    ACTION ("priority", "HIGH");
ENDIF

Example 3
E-mails arriving from a specific address should be cloned and distributed to multiple recipients. Insert the following rule language code into the Recipient field of Pre or Post Settings:
IF (from = "sender@company.com") THEN
    ACTION ("clone", "rcp1@company.com,rcp2@company.com,rcp3@company.com");
ENDIF

Example 4
Spam e-mails should be redirected. The following rule language code can be entered in any expert pre settings. The following syntax applies:
ACTION ("redirect", "<program>,[<optional_params>]");
A corresponding configuration entry could read as follows:
ACTION ("redirect", "/opt/phion/bin/spam_redirect.sh");
The script itself that is required for e-mail redirection (spam_redirect.sh in the example) could read as follows:

#!/bin/bash
# $1 ... path to mail files
# $2 ... spoolid
## this script redirects mails with "[SPAM]" within subject
# to an archive mail account

DSTMAILBOX=mailboxname
DSTDOMAIN=domainname
DSTIP=serverip
BODY_FILE="$1$2.body"
ENV_FILE="$1$2.env"
TMP_FILE="/tmp/$2.env"
# extract the Subject header and reduce it to the literal tag "[SPAM]" if present
# (grep -F matches the fixed string; an unescaped [SPAM] would be a bracket expression)
SUBJECT=$(formail -c -x subject < "$BODY_FILE" | grep -F "[SPAM]" | sed -e 's/.*\[SPAM\].*/[SPAM]/g')
if [ "_$SUBJECT" = "_[SPAM]" ]; then
    # redirect to spam mail box
    # 1. remove lines that start with "rcpt"
    # 2. insert infos for delivery to spam archive
    # (assumption: $DSTIP is an internal mail server)
    mv "$ENV_FILE" "$TMP_FILE"
    grep -v -e "^rcpt" -e "^recipient" -e "^numrcpts" "$TMP_FILE" > "$ENV_FILE"
    echo "numrcpts 1" >> "$ENV_FILE"
    echo "recipient" >> "$ENV_FILE"
    echo "rcpt id 0" >> "$ENV_FILE"
    echo "rcpt user $DSTMAILBOX" >> "$ENV_FILE"
    echo "rcpt domain $DSTDOMAIN" >> "$ENV_FILE"
    echo "rcpt status 0" >> "$ENV_FILE"
    echo "rcpt deliverdirect $DSTIP" >> "$ENV_FILE"
    echo "rcpt bindtype 1" >> "$ENV_FILE"
    echo "rcpt bind intern" >> "$ENV_FILE"
    rm -f "$TMP_FILE"
fi
echo "0"

Note:
The script has to be made executable. Enter chmod 777 /opt/phion/bin/spam_redirect.sh (in this example).

List 610 MailGW Settings - Content Filter - Attachment Stripping section Advanced Attachment Options (rows continued; the list begins in the Attachment Stripping section of 3.2.5 Content Adaptions below)
Parameter | Description
MIME-Type | This parameter causes all attachments belonging to a specific MIME-Type to be stripped. For MIME-Type specification, the following syntax applies (wildcards (*) are allowed): MIME-Type/MIME-Subtype (for example, */*, application/*, application/activemessage). For an authoritative listing of all MIME-Types, refer to http://www.iana.org/assignments/media-types/. Note: If wildcards are applicable, the MIME-Type Exceptions parameter below allows you to exclude specific subtypes from attachment stripping.
MIME-Type Exceptions | Specify MIME-Subtypes in this list that should be excluded from attachment stripping, in case the MIME-Type parameter above has been defined globally employing wildcards. For MIME-Subtype specification, the following syntax applies (wildcards (*) are allowed): MIME-Type/MIME-Subtype (for example application/pdf, image/*).
Automatically Detect MIME-Type | Setting to yes (default) triggers use of the UNIX file command to detect a file's MIME-Type automatically. If set to no, the MIME-Type propagated by the sender's e-mail client applies for determination of the attachment stripping conditions. It is recommended not to change the default setting.
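The Expert Settings rule language described above (Tables 63 to 67 and the examples) is evaluated inside the mail gateway; the manual does not ship a tool for checking rule text before activating it. The following Python evaluator is an added example, not Barracuda code and not the gateway's real parser: it tokenizes a rule block, honours // comment lines, IF/ELSEIF/ELSE/ENDIF, the = and <> text operators, AND/OR with parentheses, ACTION ("name", "params"); and RETURN ;, and reports which ACTIONs a level would request for a given set of session variables. The precedence (AND over OR), case-sensitive string comparison, and the treatment of unknown variables as "" are assumptions; the numerical operator of Table 65 is not implemented. The two rule blocks in the block are constructed from the manual's own examples.

```python
"""Evaluate mail gateway Expert Settings rule text offline (added example, not Barracuda code)."""
import re
from typing import Dict, List, Optional, Tuple

# Tokens: quoted strings (may contain spaces and commas), punctuation, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[();,]|[^\s();,"]+')


def tokenize(rule_text: str) -> List[str]:
    """Split rule text into tokens; lines starting with // are comment lines and are skipped."""
    tokens: List[str] = []
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        tokens.extend(TOKEN_RE.findall(stripped))
    return tokens


class RuleError(Exception):
    """Raised for rule text the evaluator cannot parse, e.g. the misquoted ACTION ("quit, "");"""


class RuleEvaluator:
    """Runs one level's rule block (Helo, Sender, ...) against that level's variables.

    Assumed semantics: = and <> compare strings case-sensitively, AND binds tighter
    than OR, unknown variables read as "", RETURN ends the level, and ACTIONs are
    collected in order instead of being executed.
    """

    BRANCH_END = ("ELSEIF", "ELSE", "ENDIF")

    def __init__(self, rule_text: str, variables: Dict[str, str]) -> None:
        self.toks = tokenize(rule_text)
        self.pos = 0
        self.vars = variables
        self.actions: List[Tuple[str, str]] = []  # (action, parameter) in execution order
        self.returned = False

    def peek(self) -> str:
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if expected is not None and tok.upper() != expected:
            raise RuleError(f"expected {expected}, got {tok!r} at token {self.pos}")
        self.pos += 1
        return tok

    # Conditions: condition := term (OR term)* ; term := factor (AND factor)*
    def condition(self) -> bool:
        result = self.term()
        while self.peek().upper() == "OR":
            self.take()
            result = self.term() or result  # always parse the right side, no short-circuit
        return result

    def term(self) -> bool:
        result = self.factor()
        while self.peek().upper() == "AND":
            self.take()
            result = self.factor() and result
        return result

    def factor(self) -> bool:
        if self.peek() == "(":
            self.take("(")
            value = self.condition()
            self.take(")")
            return value
        name, op, literal = self.take(), self.take(), self.take()
        if not (len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"'):
            raise RuleError(f"string values must be quoted: {literal!r}")
        actual, expected = self.vars.get(name, ""), literal[1:-1]
        if op == "=":
            return actual == expected
        if op == "<>":
            return actual != expected
        raise RuleError(f"unsupported operator {op!r}")

    # Statements
    def run(self) -> List[Tuple[str, str]]:
        self.block(())
        return self.actions

    def block(self, terminators: Tuple[str, ...]) -> None:
        """Execute statements until a terminator keyword (or end of input)."""
        while self.pos < len(self.toks) and self.peek().upper() not in terminators:
            kw = self.peek().upper()
            if kw == "IF":
                self.if_statement()
            elif kw == "ACTION":
                self.action_statement()
            elif kw == "RETURN":
                self.take("RETURN")
                self.take(";")
                self.returned = True
            else:
                raise RuleError(f"unexpected token {self.peek()!r}")
            if self.returned:  # RETURN: nothing after it in this level runs
                self.skip(terminators)
                return

    def skip(self, terminators: Tuple[str, ...]) -> None:
        """Consume tokens up to a terminator at nesting depth 0 without executing them."""
        depth = 0
        while self.pos < len(self.toks):
            kw = self.peek().upper()
            if depth == 0 and kw in terminators:
                return
            depth += (kw == "IF") - (kw == "ENDIF")
            self.pos += 1

    def if_statement(self) -> None:
        self.take("IF")
        done = self.branch(self.condition_then())
        while self.peek().upper() == "ELSEIF":
            self.take()
            done = self.branch(self.condition_then() and not done) or done
        if self.peek().upper() == "ELSE":
            self.take()
            self.branch(not done)
        self.take("ENDIF")

    def condition_then(self) -> bool:
        value = self.condition()
        self.take("THEN")
        return value

    def branch(self, execute: bool) -> bool:
        if execute:
            self.block(self.BRANCH_END)
        else:
            self.skip(self.BRANCH_END)
        return execute

    def action_statement(self) -> None:
        self.take("ACTION")
        self.take("(")
        name = self.take()
        self.take(",")
        param = self.take()
        self.take(")")
        self.take(";")
        for lit in (name, param):
            if not (len(lit) >= 2 and lit[0] == '"' and lit[-1] == '"'):
                raise RuleError(f"ACTION arguments must be quoted: {lit!r}")
        self.actions.append((name[1:-1].lower(), param[1:-1]))


def evaluate(rule_text: str, variables: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the ACTIONs one level's rule block would request for the given variables."""
    return RuleEvaluator(rule_text, variables).run()


# Constructed rule blocks built from the manual's Helo and Sender examples.
HELO_RULE = """
// reject servers that greet with "spam"; the trailing ruledebug never runs after RETURN
IF (helo = "spam") THEN
    ACTION ("quit", "");
    RETURN;
ENDIF
ACTION ("ruledebug", "");
"""
SENDER_RULE = """
IF (fromdomain = "sample.com") OR (fromuser = "spammer") THEN
    ACTION ("deny", "Banned Sender");
ELSEIF (from = "boss@company.com") THEN
    ACTION ("priority", "HIGH");
ELSE
    ACTION ("none", "");
ENDIF
"""

if __name__ == "__main__":
    print(evaluate(HELO_RULE, {"helo": "spam"}))
    print(evaluate(SENDER_RULE, {"from": "boss@company.com", "fromuser": "boss", "fromdomain": "company.com"}))
```

Feeding the manual's misquoted form ACTION ("quit, ""); to evaluate raises RuleError, which is the kind of mistake worth catching before the rule file is activated on the gateway (see the Bad Rulefile Loaded event in List 618).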
3.2.5 Content Adaptions

Section Spam Detection

Through this section the SPAM Filter client is configured. For detailed information about configuring it, see 4.2.1 Configuring the Spam Filter Client, page 274.

Section Virus Protection

This section is used for integrating the virus scanner into the mail gateway. See 1.7.3 Mail Gateway Integration, 1722 MailGWSettings - Virus Scanning section Virus Protection, page 396 for a description of the available configuration parameters and the integration into a mail gateway.

Section Attachment Stripping

This section allows configuring file attachments to be cut from e-mails before the e-mail is forwarded to its recipient. Filters can be set by sender and/or recipient addresses and domains, and by file type.

To access the configuration dialog, set Enable Attachment Stripping to yes (default: no) and then click the Set button to the right of the Advanced Attachments Options. The following parameters define attachment stripping behavior in detail:

List 610 MailGW Settings - Content Filter - Attachment Stripping section Advanced Attachment Options (the MIME-Type, MIME-Type Exceptions and Automatically Detect MIME-Type rows of this list appear above, after the Expert Settings examples)
Parameter | Description
Cut Whitelists - Sender/Recipient Whitelist | E-mail addresses and domain patterns inserted into this list are excluded from Attachment Stripping execution. Senders and recipients may either be inserted with their full addresses or wildcards may be used (like user@barracuda.com, @barracuda.com, barracuda.com). The Sender Whitelist is processed before the Recipient Whitelist. An incoming e-mail will thus first be scanned for its sender. If the sender is in the whitelist, the e-mail will be forwarded untrimmed. If the sender is not in the whitelist, the e-mail will be scanned for its recipient(s). If the e-mail is addressed to multiple recipients, it will only be forwarded untrimmed if all its recipients reside in the Recipient Whitelist. Attachments will otherwise be cut.
File Extension Filter | Determines files with a specific ending to be stripped off e-mails. If the desired file type is not in the list, select the checkbox Other and specify the ending explicitly.
Message to Recipient | Supply a message in this place informing the e-mail's recipient that file attachments have been cut from the original e-mail. This message is inserted into the e-mail before it is forwarded to the actual recipient.

Section Grey Listing

Grey listing is a feature allowing for the reduction of unsolicited SPAM e-mail. Grey listing works by rejecting the first arrival of a new message and telling the remote site to try again. Grey listing relies upon correctly configured legitimate mail transfer agents attempting at least one further delivery try. Non RFC conformant mail servers ignore error reports and do not try re-sending their mails. As spam is most frequently delivered through such servers, grey listing reduces the acceptance of unwanted e-mail messages.

When a new message, comprising an unknown sender-recipient pair, arrives, the grey lister rejects mail acceptance, passes a rejection notice to the sending mail server and places the sender-recipient pair into its grey list. This list is visualized in 5.8 Grey Listing Tab, page 283. If the mail has been delivered by a legitimate MTA, it will most likely be resent. The second delivery attempt is accepted by the grey lister and the e-mail is delivered.

Two side effects of grey listing are to be taken into account:
• Depending on the sending MTA's configuration, the e-mail sender might be issued a report about the initial delivery failure.
• As e-mails are temporarily rejected, they experience a slight delivery delay.
• Wanted e-mails might not be delivered due to incorrectly configured MTAs on the sender's side. This misconfiguration may be corrected through the White List Peers and Senders parameters (see below).

To access the configuration dialog, set Enable Grey Listing to yes (default: no) and then click the Edit button
to the right of the Advanced Grey Listing Options. The following parameters define grey listing behavior in detail:

List 611 MailGW Settings - Content Filter - Grey Listing section Advanced Grey Listing Options
Parameter | Description
Grey Listing Time (Min) | This is the time (in minutes) expected to have passed between the first and the second SMTP delivery attempt (default: 1). Higher values increase the message delivery delay.
White List Peers | Grey listing does not apply to the MTAs defined here. Use this parameter to exclude known peers from grey listing explicitly, in order not to interfere with immediate mail delivery. A peer may be defined with its full IP address or domain name. Wildcards may be used (like host.mailsrv.com, *.mailsrv.com, 172.16.1.*). Note: Do not enter network address ranges.
White List Senders | Grey listing does not apply to the sender addresses defined here. Use this parameter to exclude known senders from grey listing explicitly, in order not to interfere with immediate mail delivery. A sender may be defined with his full e-mail address. Wildcards may be used (like *@barracuda.com).
Auto White List (Senders) | When set to yes (default: no) a sender is automatically added to the sender's white list after a successful mail transfer. The sender-recipient pair is stored in the white list for a maximum number of days as configured through the parameter Remove from White List after (d) (see below) and is thereafter deleted. Manual deletion of white list entries is possible in the visualized list (see 5.8 Grey Listing Tab, page 283).
Remove from Grey List after (h) | Sender-recipient pairs which have been added to the Grey List (see 5.8 Grey Listing Tab, page 283) are automatically removed from the list after the number of hours specified here (default: 24).
Remove from White List after (d) | Sender-recipient pairs which have been added to the Auto White List (Senders) are automatically removed from the list after the number of days specified here (default: 30).
Daily Report Mail to | Specify a recipient for a daily report e-mail regarding grey listing utilisation in this place. By default, reports are sent to Postmaster (see Postmaster Mail-Address). With Nobody selected no report mails are generated. If any other report recipient is desired, select the checkbox Other and specify an e-mail address. Multiple recipients must be entered in a space separated list.

Section Blacklists

This section represents a sort of "emergency-off-button": the administrator of the mail gateway is able to block certain hosts, subjects, senders, or recipients explicitly and very fast (for example, on a virus warning, the known subjects of the virus may be entered in order to block it before even receiving it).

Note:
This is a very static way of defining the behavior of the mail gateway on certain mail. Therefore it should not be used as a spam filter in general but only for such "emergency-overrides" as mentioned above. If you want to configure a spam filter, have a look at 4. Spam Filtering, page 273.

To access the configuration dialog, set Enable Blacklist to yes (default: no) and then click the Edit button to the right of option Blacklists. The following parameters define blacklist behavior in detail:

Fig. 64 Blacklist configuration

List 612 MailGW Settings - Content Filter - Blacklists
Parameter | Description
Subject / Sender / Recipient Blacklist | Unwanted subjects / senders / recipients can be banned using these fields. The mail gateway will deny each e-mail matching one of the phrases specified.
Note:
To ban subjects that are composed of multiple items including space characters, consider the following case insensitive syntax rules to allow for correct interpretation of the banned subject:
? Use a question mark to identify a space.
* Use an asterisk to identify an arbitrary number of phrases. A space can be identified by an asterisk, too.
Use quotation marks to identify a complete phrase.
See below for a banned subjects interpretation example:
Phrase to be banned | Syntax of banned subject | Interpretation
your password | your password | The filter will be ignored, because there is no applicable rule.
your password | your?password | All e-mails with the exact subject your password will be blocked.
your password | *your?password* | All e-mails with your password being a part of the subject phrase will be blocked regardless of the other phrases' content(s).
your password | *your*password* | All e-mails with the words your and password in the given succession will be blocked regardless of other phrases' contents before, between, or behind these two words.
IP Blacklist | Mail delivery coming from the host(s) inserted here will be refused. Multiple IP addresses can be specified.

Section HTML Tag Removal

To protect your network from HTML e-mails with annoying or potentially dangerous content, such as hyperlinks leading to faked websites or images with objectionable content, the mail gateway may be configured to alter HTML tags in e-mails so that the tags lose their function. Links thus lose their link characteristic and images can no longer be loaded from the servers they are lying on. By this means users can be prevented from clicking on links unintentionally or thoughtlessly.
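The grey listing decision described in the Grey Listing section and parameterized in List 611 can be reproduced offline to see how the timers and white lists interact. The following Python class is an added example, not Barracuda code: its field names mirror the List 611 parameters, but the entry expiry, the treatment of an early retry as a further temporary rejection, and the shell-style wildcard matching of White List Peers and Senders are reconstructions from the parameter descriptions. Peer addresses, host names and mailboxes in the demonstration are constructed.

```python
"""Grey listing with peer/sender white lists as in List 611 (added example, not Barracuda code)."""
import fnmatch
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

Pair = Tuple[str, str]  # (sender, recipient), lower-cased


@dataclass
class GreyLister:
    """Decision logic for one sender-recipient pair per SMTP RCPT TO."""

    grey_listing_time_min: int = 1             # Grey Listing Time (Min)
    remove_from_grey_list_after_h: int = 24    # Remove from Grey List after (h)
    remove_from_white_list_after_d: int = 30   # Remove from White List after (d)
    auto_white_list_senders: bool = False      # Auto White List (Senders)
    white_list_peers: Iterable[str] = ()       # e.g. host.mailsrv.com, *.mailsrv.com, 172.16.1.*
    white_list_senders: Iterable[str] = ()     # e.g. *@barracuda.com
    grey: Dict[Pair, float] = field(default_factory=dict)   # pair -> first attempt (epoch seconds)
    white: Dict[Pair, float] = field(default_factory=dict)  # pair -> time of auto-white-listing

    @staticmethod
    def _matches(value: str, patterns: Iterable[str]) -> bool:
        """Case-insensitive shell-style wildcard match (assumed to be what the GUI accepts)."""
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

    def _expire(self, now: float) -> None:
        """Drop grey entries older than (h) hours and white entries older than (d) days."""
        grey_ttl = self.remove_from_grey_list_after_h * 3600
        white_ttl = self.remove_from_white_list_after_d * 86400
        self.grey = {p: t for p, t in self.grey.items() if now - t < grey_ttl}
        self.white = {p: t for p, t in self.white.items() if now - t < white_ttl}

    def decide(self, peer_ip: str, peer_name: str, sender: str, recipient: str,
               now: Optional[float] = None) -> str:
        """Return "accept" or "tempfail" (the SMTP 4xx 'try again later' answer)."""
        now = time.time() if now is None else now
        pair: Pair = (sender.lower(), recipient.lower())
        # Explicitly white-listed peers and senders are never grey listed.
        if self._matches(peer_ip, self.white_list_peers) or self._matches(peer_name, self.white_list_peers):
            return "accept"
        if self._matches(sender, self.white_list_senders):
            return "accept"
        self._expire(now)
        if pair in self.white:
            return "accept"
        first_seen = self.grey.get(pair)
        if first_seen is None:
            self.grey[pair] = now            # unknown pair: reject once and remember it
            return "tempfail"
        if now - first_seen < self.grey_listing_time_min * 60:
            return "tempfail"                # retried before the expected delay has passed
        if self.auto_white_list_senders:     # a successful transfer white-lists the pair
            self.white[pair] = now
        return "accept"


if __name__ == "__main__":
    gl = GreyLister(auto_white_list_senders=True,
                    white_list_peers=["172.16.1.*", "*.mailsrv.com"],
                    white_list_senders=["*@barracuda.com"])
    t0 = 1_000_000.0
    for offset in (0, 30, 120):  # first attempt, too-early retry, proper retry
        print(offset, gl.decide("198.51.100.7", "mx.example.net", "alice@example.net", "bob@corp.example", t0 + offset))
```

A retry that arrives before Grey Listing Time has elapsed is still rejected, which is why raising that value increases delivery delay for legitimate senders rather than improving filtering.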
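The Subject Blacklist syntax of List 612 (? for a space, * for an arbitrary run of phrases, quotation marks for a complete phrase, all case insensitive) is easy to get wrong, as the manual's own interpretation table shows. The following Python matcher is an added example, not Barracuda code: it translates one blacklist entry into a regular expression under the reading that ? is exactly one space, * matches any characters including spaces, a quoted entry is taken literally as the whole subject, and an unquoted entry containing a bare space has no applicable rule and is ignored. The subjects used in the demonstration are constructed.

```python
"""Banned-subject pattern syntax of List 612 (added example, not Barracuda code)."""
import re
from typing import Iterable, Optional


def compile_banned_subject(pattern: str) -> Optional[re.Pattern]:
    """Translate one Subject Blacklist entry into a case-insensitive regex, or None if unusable."""
    entry = pattern.strip()
    if len(entry) >= 2 and entry[0] == '"' and entry[-1] == '"':
        # quoted entry: a complete phrase, matched literally against the whole subject
        return re.compile(r"\A" + re.escape(entry[1:-1]) + r"\Z", re.IGNORECASE)
    if " " in entry:
        return None  # bare space: no applicable rule, the filter is ignored (see the table)
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")        # arbitrary number of phrases, spaces included
        elif ch == "?":
            parts.append(" ")         # a single space
        else:
            parts.append(re.escape(ch))
    return re.compile(r"\A" + "".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def matching_blacklist_entry(subject: str, entries: Iterable[str]) -> Optional[str]:
    """Return the first blacklist entry that bans the subject, or None if the mail passes."""
    for entry in entries:
        regex = compile_banned_subject(entry)
        if regex is not None and regex.search(subject):
            return entry
    return None


if __name__ == "__main__":
    blacklist = ["your password", "your?password", "*your*password*"]
    for subject in ("Your Password", "change your old password now", "password for your account"):
        print(repr(subject), "->", matching_blacklist_entry(subject, blacklist))
```

Checking a new entry this way before activating it shows immediately whether it will be ignored (bare space) or whether a leading and trailing * makes it broader than intended.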
Note:
Keep in mind that HTML tag removal applies to incoming and outgoing e-mails alike.

List 613 MailGW Settings - Content Filter - HTML-Tag Removal
Parameter | Description
Remove HTML Tags | Set to yes (default: no) to enable HTML tag altering.
Remove HTML Link Tag | When set to yes (as by default), link (a href) tags in HTML e-mails are altered so that the link loses its function. The string of the link itself, though, remains unchanged. The linked destination can be viewed by copying the link from the e-mail and pasting it into the address field of the browser.
Remove HTML Img Src Tag | When set to yes (default: no), image source (img src) tags in HTML e-mails are altered so that they lose their function. Linked images will no longer be loaded from the servers they are placed on. Keep in mind that this function destroys the design of HTML e-mails (like in newsletters), outgoing and incoming alike.

Section Misc

List 614 MailGW Settings - Content Filter - Misc
Parameter | Description
Strip Received Lines | Every SMTP server or relay registers itself within the mail header (Received lines). These entries typically reflect the company-internal mail infrastructure. Setting this parameter to yes (default: no) causes this internal and confidential information to be stripped from the mail header. The number of "received" lines in the header stays the same but the content is replaced by dummy entries and thus no longer contains security critical information. Note: Be aware that mail header modification makes mail loop detection less efficient.
Strip Received Lines Text | The text entered here replaces the original text stripped from the e-mail header.
Remove Barracuda Networks ID | When activated, this parameter removes the Barracuda Networks ID from the mail header of dispatched e-mails. The aim of this setting is security enhancement through mail gateway identity concealment and decreased software traceability.

3.2.6 Limits

This section allows for the configuration of various mail gateway service limits.

List 615 MailGW Settings - Limits section Mail Gateway Limits
Parameter | Description
Limit Mail Data Size | This option activates/deactivates the mail data (attachments) size limit (default setting: yes). The attachment size limit is specified in the Mail Data Size (MB) field below.
Mail Data Size (MB) | Enter a value > 0 (default: 20). If the mail size exceeds the specified value, the mail gateway refuses delivery and returns an error message to the sender. Note: This parameter reflects the actual mail body size because SMTP applies transfer encoding. The actual mail size may be greater than the physical size of the attachment. For example, if you add an attachment of about 5MB size, the total mail size could be up to about 6.5MB.
DSN for Max Data Size Excess | Set to yes (default: no) if you want the mail gateway to create an extended Delivery Status Notification (DSN) mail when an e-mail has exceeded the max. allowed size.
Maximum Number of Recipients | This setting reflects the maximum number of recipients of a mail. Since RFC 2821 requires at least 100 possible recipients of a mail, this setting cannot be smaller than the required value (default: 200).
DSN for Max Recipients Excess | Set to yes (default: no) if you want the mail gateway to create an extended Delivery Status Notification (DSN) mail when an e-mail has been forwarded to more recipients than allowed.
Refuse Empty Mail from | Defines whether e-mails with empty sender information are rejected. By default (no) the SMTP server accepts every incoming e-mail.
Accept Loose Domain Name | Domain names may only consist of the following characters: [-.0-9A-Za-z]. Via this parameter incorrect domain names may be accepted: no - an incorrect domain name causes the e-mail to be rejected; yes - domain names are not checked, that means e-mails with incorrect domain names will be delivered.
Max. Attachments | Defines the maximum number of to-be-scanned attachments per MIME e-mail.
Drop Mails over Attachment Limit | Defines whether e-mails containing too many attachments (as defined in parameter Max. Attachments) are rejected.
Drop Fragmented Mails | Defines whether malformed/damaged e-mails are rejected.
Max Age of crashed Mails (d) | A mail in the "crashed" directory stays for this number of days.
Max. SMTP Line Length | Enter the maximum line length. Barracuda Networks recommends, as the RFC defines, a maximum length of 1000 characters.

List 616 MailGW Settings - Limits section DoS Protection
Parameter | Description
Parallel Inbound / Outbound Connections | These fields specify how many parallel inbound or outbound connections for receiving mail to the server are allowed in total (default: 5). If your mail gateway has to handle a lot of mail traffic, you may need to increase this value. Note: This value must not be 0.
Parallel Inbound / Outbound Conn. per Peer | These fields specify how many parallel TCP connections from a single inbound or outbound source IP address are allowed (default: 25). This provides an effective protection against DoS (Denial of Service) attacks. Note: This value must not be 0. Note: The value of maximum parallel connections per peer may not be greater than the maximum number of parallel connections. Note: With parameter Parallel Connection Limit (see page 272) set to yes, the event Resource Limit Exceeded: Max connections (per Peer) [136] is triggered when the limit values are exceeded.

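The two content alterations above that touch message text rather than reject it, HTML tag altering (List 613) and Strip Received Lines (List 614), can both be illustrated on one constructed message. The following Python functions are an added example, not Barracuda code, and the manual does not say how the gateway alters the tags; the neutralization strategy here (renaming the href/src attribute so the visible text and the URL string survive but the link and image load no longer work) is an assumption, as is the replacement text for Received lines. The sample message, its hostnames and addresses are constructed.

```python
"""Header and HTML alterations of List 613 and List 614 (added example, not Barracuda code)."""
import re
from email import message_from_string

# Assumed neutralization: the href/src attribute is renamed so mail clients no longer treat
# it as a link or image source; the visible text and the URL string itself are kept, so a
# user can still copy the destination into a browser deliberately.
HREF_RE = re.compile(r"(<a\b[^>]*?)\bhref\s*=", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"(<img\b[^>]*?)\bsrc\s*=", re.IGNORECASE | re.DOTALL)


def neutralize_html(body: str, remove_link_tag: bool = True, remove_img_src_tag: bool = False) -> str:
    """Disable <a href> and/or <img src>, mirroring the Remove HTML Link Tag / Img Src Tag options."""
    if remove_link_tag:
        body = HREF_RE.sub(r"\1data-disabled-href=", body)
    if remove_img_src_tag:
        body = SRC_RE.sub(r"\1data-disabled-src=", body)
    return body


def strip_received_lines(raw_message: str, replacement_text: str = "internal hop removed") -> str:
    """Replace every Received header value with replacement_text, keeping the number of lines.

    Keeping the count is what lets hop-counting loop detection downstream keep working
    (less precisely, as the manual notes) even though hostnames and IPs are gone.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    del msg["Received"]  # removes all Received headers at once
    for _ in received:
        msg["Received"] = replacement_text
    return msg.as_string()


def received_count(raw_message: str) -> int:
    """Number of Received lines, i.e. the hop count a loop detector would see."""
    return len(message_from_string(raw_message).get_all("Received", []))


# Constructed sample message: two internal hops, one HTML link and one remote image.
SAMPLE = (
    "Received: from mail1.corp.internal (10.0.5.12) by mx.corp.internal; Mon, 1 Feb 2010 10:00:00 +0100\n"
    "Received: from 192.0.2.44 by mail1.corp.internal; Mon, 1 Feb 2010 09:59:58 +0100\n"
    "From: sender@example.net\n"
    "To: user@corp.example\n"
    "Subject: test\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Please <a href="http://example.invalid/login">log in</a> '
    '<img src="http://example.invalid/t.gif"></p>\n'
)


def process(raw_message: str) -> str:
    """Apply both alterations in the order the gateway sections list them."""
    stripped = strip_received_lines(raw_message)
    headers, body = stripped.split("\n\n", 1)
    return headers + "\n\n" + neutralize_html(body, remove_link_tag=True, remove_img_src_tag=True)


if __name__ == "__main__":
    print(process(SAMPLE))
```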

3.2.7 Reporting

Entries in Access Cache

List 617 MailGW Settings section Entries in Access Cache
Parameter | Description
Delivered / Undelivered Entries | Through these fields, a maximum number of Access Cache entries may be defined for successfully delivered (Delivered Entries) and undelivered e-mails (Undelivered Entries). For every mail job processed by the mail gateway a history entry is stored in a file. This history file is visualized in the Access Cache (see 5.1 MailGW Operation via GUI, page 279). The Access Cache reflects a FIFO (First In First Out) list. If the number of entries in the Access Cache gets greater than the value defined through these fields (each with default 100), the oldest entry is deleted according to its reception time.

Section Event Settings

If you would like your mail gateway service to generate event messages, you may specify those event types which should trigger events and event notification messages in this configuration area (for detailed information on eventing, see Eventing, page 321). Each event type has its unique event ID number.

The following options are available for configuration:

List 618 MailGW Settings - Event Settings
Parameter | Description
Admin Reception Commands | When set to yes (default: no) the event Mail Operation Changed: [user@peer] [4504] will be triggered when an e-mail is blocked or allowed manually through the admin commands Allow/Block Mail Reception (see 5.6 Processes Tab, 5.6.1 Context Menu Entries, page 282).
Admin Discard Mail Cmd | Administrators with special admin permissions are allowed to discard mails in the mail queue. When set to yes (default) the event Mail Data Discarded: ID [spool-ID Nr.] [4500] will be triggered when an e-mail is discarded with an admin command.
Mail Denied | The Barracuda NG Firewall mail gateway service provides special features for denying mail (SPAM Filter, see 3.2.5 Content Adaptions, page 269). When set to yes (default: no) the event Mail Relaying Denied: Deny [Rule] [4508] will be triggered when an incoming mail is denied according to the content filter configuration.
Recipient Dropped | If a mail recipient matches a banned recipient specified in the Blacklist configuration (see 3.2.5 Content Filter, page 231), delivery to this recipient will be refused; other recipients of the same mail are not affected by this action. When set to yes (default: no) the event Mail Delivery Refused: Drop recipient <[e-mail address of dropped recipient]> [4506] will be triggered when e-mail delivery to a banned recipient is refused. Note: Some e-mail client applications disconnect at once after a recipient has been dropped. The e-mail might therefore not be delivered to any of its addressees.
Parallel Connection Limit | When set to yes (default) the events Resource Limit Pending/Resource Limit Exceeded: Max connections (per Peer) [135/136] are triggered when the number of parallel connections allowed to the mail gateway reaches a critical value or exceeds the value specified in the limits configuration window (sections MailGW Settings - Limits section Mail Gateway Limits and MailGW Settings - Limits section DoS Protection, see 3.2.6 Limits, page 271).
Spooling Limit (activates parameter Number of Queued Mails; triggers event ID 136) | Incoming mail jobs are queued and thereafter delivered by the available MTAs (see 5.3 Mail Queue Tab, page 279). However, during times of heavy incoming mail traffic, the mail queue may start to grow. If Spooling Limit is set to yes (default), you can set a maximum limit for the length of the mail queue in the field below (Number of queued Mails = Max 10000 Mails). If the spool queue length reaches a critical value or exceeds the maximum limit, the events Resource Limit Pending/Resource Limit Exceeded: Spool Limit Exceeded [135/136] are triggered.
Mail Data Size Limit | When set to yes (default: no) the event Mail Size Limit Exceeded [140] is triggered when the size of an e-mail exceeds the value specified in the limits configuration window (Limit Mail Data Size, see 3.2.6 Limits, page 271).
User Defined Rule Event | It is also possible to define your own events by using the Expert Settings located in the Advanced Setup configuration area (page 267). Feasibility of user defined rule events is activated by default (default: yes). If no rule events have been defined, this setting is ignored. Personalized events trigger the events Mail Rule Notice [4512], Mail Rule Warning [4513], and Mail Rule Alert [4514].
Bad Rulefile Loaded | Section Global Domain Parameters, Section Local Domain Settings or Section Extended Domain Setup Settings respectively (see 3.2.1 Basic Setup and 3.2.2 Extended Domain Setup) are stored in a rule file. Although config changes are checked before activation, the mail gateway service may be unable to locate the rule file. This is a serious problem because mail reception is no longer possible. When set to yes (default: no) the event Flawed Configuration Data Activation [2380] is triggered when the rule file is missing or a corrupt rule file has been loaded.
Kill Worker Process | As soon as a connection to the mail gateway is established, the mail data receiving process starts. This process is called a worker. Worker processes can be killed with the admin command "Kill Process" (see 5.6 Processes Tab, page 282) if necessary (for example, if you want to abort the transmission of an e-mail with a large attachment). When set to yes (default: no) killing a worker process triggers the event Subprocess Kill Requested: Kill PROC_SMTP Worker [2054]. Note: Killing an SMTP worker process causes data loss.

Minimum configuration: You must specify at least an internal and an external bind IP (both IPs are to be configured as Server IPs) and a postmaster address to start the mail gateway service on your Barracuda NG Firewall box.

Section Statistic Settings

This section provides special settings for the statistics module. Select the statistics types that should be created. For information on the different types of statistics of the mail gateway service see 5.9 Logs, Statistics, Events, page 284; for general information see Statistics, page 311.

4. Spam Filtering

Barracuda NG Firewall provides spam filtering by placing the mail filter SpamAssassin at your disposal. SpamAssassin identifies spam by using mechanisms such as text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Note: The complete SpamAssassin documentation is available at www.spamassassin.org.

Spam filter settings are defined in two configuration areas:

• Spam Filter Client - see 4.2.1 Configuring the Spam Filter Client, page 274
• Spam Filter Service - see 4.2.2 Configuring the Spam Filter Server, page 275

Optionally, a training environment may be introduced to improve the filtering result (4.2.3 Configuring the Training, page 277).

Follow the instructions available in Configuration Service 4. Introducing a New Service, page 97 to set up the SPAM Filter service, and select SPAM Filter as Software Module.

SpamAssassin applies a variety of tests to determine the probability that an e-mail is spam: it examines the e-mail's header and body locally, runs through the configured rule set (list 623, page 277) and a Bayesian filter. Each single rule adds a value to the overall spam value of the e-mail. If the complete score exceeds a certain threshold (default: 5), the e-mail is regarded as spam.

Note: As a rule of thumb, the higher an e-mail's score is, the higher is the probability that it will be classified as spam. For detailed information concerning filtering mechanisms, please refer to http://spamassassin.apache.org/tests_3_1_x.html.

The SPAM Filter adds a tag to the mail header according to an e-mail's classification as SPAM or HAM (no SPAM):

• for SPAM mail: X-SPAM-STATUS: Yes and X-SPAM-FLAG: YES
• for HAM mail: X-SPAM-STATUS: No

Additionally, it adds the results of the triggered tests to the e-mail's body.

Fig. 66 Header of an e-mail identified as spam

Received: from mailsrv.spammersnest.com ([1.2.3.4) by smtp.spammersnest.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 24 Mar 2006 08:48:54 +0100
Received: from xxx ([x.x.x.x]) by xxx with xxx; 24 Mar 2006 08:48:09 -0100
Received: from xxx ([x.x.x.x]) by xxx with xxx; Fri, 24 Mar 2006 08:48:09 +0100
X-Message-Info: ZRCPB+dfk02+jvm+QG+760/7861938317196
Date: Fri, 24 Mar 2006 15:48:48 0800
Message-Id: <400357198482.74998@spamdomain.net>
From: "Geoff" <Geoff572@spamdomain.net>
To: <spam@this.com>
Subject: [SPAM] demehoqlola
MIME-Version: 1.0 (produced by diqybdoxifut 0.4)
Content-Type: multipart/alternative; boundary="----------090708090808030606080206"
X-phion-id: 20060324-084808-02011-00
X-Spam-Prev-Subject: demehoqlola
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on spamsrv.this.com
X-Spam-Level: **
X-Spam-Status: Yes, score=2.6 required=2.0 tests=ALL_TRUSTED,BAYES_00,DATE_IN_FUTURE_06_12,HTML_MIME_NO_HTML_TAG,INVALID_DATE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,X_MESSAGE_INFO autolearn=no version=3.0.4
X-Spam-Report: * 0.2 INVALID_DATE Invalid Date: header (not RFC 2822) * 4.2 X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found * 1.3 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date * -3.3 ALL_TRUSTED Did not pass through any untrusted hosts * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1 % * [score: 0.0042] * 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag * 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.3-25; AVE: 6.33.1.0; VDF: 6.33.1.1; host: spamsrv.this.com)
Return-Path: geoff572@spamdomain.net
X-OriginalArrivalTime: 24 Mar 2006 07:48:54.0566 (UTC) FILETIME=[664AD460:01C64F17]
X-TM-AS-Product-Ver: SMEX-7.0.0.1345-3.52.1006-14342.000
X-TM-AS-Result: No-3.150000-8.000000-31
X-UIDL: AAQMd8AAAAQwBNsx5nZbMWkZBBoOyqFh
TO: spam@this.com
CC:
BCC:

4.1 Theory

Generally, spam filtering involves the following procedures:

Fig. 65 Overview: Spam filtering process (flowchart: the Barracuda NG Firewall hosts the mail gateway with the SPAM Filter client and the SPAM Filter server; outside it are the e-mail client or mail server and the training environment; the numbered arrows 1 to 5 correspond to Steps 1 to 5 below)

Step 1 Mail gateway/SPAM Filter client to SPAM Filter server
The mail gateway service pipes all mail traffic to the SPAM Filter server. Here, the e-mails are processed through SpamAssassin. When the SPAM Filter is not available, e-mails are delivered without filtering.
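The tags shown in Fig. 66 can be checked mechanically. The following Python snippet is an added example, not code from this guide or from Barracuda: it parses the X-Spam-* headers of Fig. 66 (re-typed below as constructed input), recomputes the score from the X-Spam-Report entries and applies the Step 3 sorting rule of an e-mail client. The function names are this example's own, and the check that X-Spam-Level carries one asterisk per full point of score follows SpamAssassin's own convention.

```python
"""Parse and sanity-check the SpamAssassin tags the SPAM Filter adds to a mail header."""
import re
from email import message_from_string

# Constructed sample: the X-Spam-* headers of Fig. 66, re-typed for this example.
# Indented lines are RFC 2822 header continuations, as SpamAssassin folds long headers.
SAMPLE_HEADERS = (
    'From: "Geoff" <Geoff572@spamdomain.net>\n'
    "To: <spam@this.com>\n"
    "Subject: [SPAM] demehoqlola\n"
    "X-Spam-Prev-Subject: demehoqlola\n"
    "X-Spam-Flag: YES\n"
    "X-Spam-Level: **\n"
    "X-Spam-Status: Yes, score=2.6 required=2.0\n"
    "\ttests=ALL_TRUSTED,BAYES_00,DATE_IN_FUTURE_06_12,HTML_MIME_NO_HTML_TAG,"
    "INVALID_DATE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,X_MESSAGE_INFO\n"
    "\tautolearn=no version=3.0.4\n"
    "X-Spam-Report: * 0.2 INVALID_DATE Invalid Date: header (not RFC 2822)\n"
    "\t* 4.2 X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found\n"
    "\t* 1.3 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date\n"
    "\t* -3.3 ALL_TRUSTED Did not pass through any untrusted hosts\n"
    "\t* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1 %\n"
    "\t* [score: 0.0042]\n"
    "\t* 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts\n"
    "\t* 0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag\n"
    "\t* 2.4 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts\n"
    "\n"
    "(body)\n"
)

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No), score=(?P<score>-?\d+(?:\.\d+)?) "
    r"required=(?P<required>-?\d+(?:\.\d+)?)(?: tests=(?P<tests>\S+))?"
)
# one report entry: "* <score> <TEST_NAME> <description>"; "* [score: ...]" lines do not match
REPORT_RE = re.compile(r"\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)")


def unfold(value):
    """Collapse header folding (newline plus leading whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def parse_spam_headers(raw_message):
    """Return the classification the SPAM Filter wrote into the header, or tagged=False."""
    msg = message_from_string(raw_message)
    match = STATUS_RE.match(unfold(msg.get("X-Spam-Status")))
    if match is None:
        # no tag: spam analysis disabled, size/timeout exceeded, or the filter was unavailable
        return {"tagged": False}
    tests = match.group("tests").split(",") if match.group("tests") else []
    report = unfold(msg.get("X-Spam-Report"))
    return {
        "tagged": True,
        "is_spam": match.group("flag") == "Yes",
        "score": float(match.group("score")),
        "required": float(match.group("required")),
        "tests": tests,
        "contributions": {name: float(value) for value, name in REPORT_RE.findall(report)},
        "level": unfold(msg.get("X-Spam-Level")).count("*"),
        "flag_header": unfold(msg.get("X-Spam-Flag")).upper() == "YES",
    }


def report_score(parsed):
    """Sum of the per-test values listed in X-Spam-Report (each rounded to one decimal)."""
    return round(sum(parsed["contributions"].values()), 1)


def check_consistency(parsed):
    """Cross-check the tag fields against each other; an empty list means they agree."""
    problems = []
    if parsed["is_spam"] != (parsed["score"] >= parsed["required"]):
        problems.append("X-Spam-Status flag does not match score and required")
    if parsed["flag_header"] != parsed["is_spam"]:
        problems.append("X-Spam-Flag disagrees with X-Spam-Status")
    if parsed["level"] != max(int(parsed["score"]), 0):   # one '*' per full point of score
        problems.append("X-Spam-Level disagrees with score")
    if set(parsed["contributions"]) != set(parsed["tests"]):
        problems.append("tests in X-Spam-Status differ from X-Spam-Report")
    if abs(report_score(parsed) - parsed["score"]) > 0.05 * max(len(parsed["tests"]), 1):
        problems.append("report values do not add up to score")   # allow rounding per test
    return problems


def sort_folder(parsed):
    """Step 3: an e-mail client files tagged spam into a spam folder, everything else inbox."""
    return "Spam" if parsed.get("tagged") and parsed["is_spam"] else "Inbox"
```

For the Fig. 66 header the report values add up to 2.5 while X-Spam-Status says 2.6; the difference comes from the per-test rounding in the report, which is why the consistency check tolerates it.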


Step 2 Spam filter server to mail gateway
After the e-mail has been classified, it is returned to the mail gateway for further processing.

Step 3 Mail gateway to e-mail client/mail server
E-mail clients may utilize the content of the supplemented mail header to sort e-mails (like moving spam tagged e-mails to a spam directory automatically).

Attention: Moving spam tagged mails into the trash bin without checking is NO good idea (see Step 4).

Step 4 Improve spam filtering via training with the training environment
As spam filtering is merely based on statistics it may happen that e-mails are tagged wrongly. To minimize the risk of such incidents, training the SPAM Filter is highly recommended. Training means sorting out misclassified e-mails, re-sorting them into SPAM, HAM and FORGET mailboxes (list 626, page 277), and providing them to SpamAssassin for filter mechanisms improvement.

Step 5 Spam filter server update
SpamAssassin periodically fetches e-mails from the training environment and thus adapts its tests to improve future e-mail classification.

4.2 Configuration

4.2.1 Configuring the Spam Filter Client

The SPAM Filter client's work process involves the following:

Fig. 67 Flowchart - Spam filter client (decision sequence on the mail gateway: Spam analysis enabled? > Internal mail? > Analyse internal mails? > connecting process to the Spam filter server > Timeout exceeded? > Maximum Size exceeded?; an e-mail that fails one of these checks is passed on to the e-mail client/mail server with an unmodified mail header, all others are analysed by the Spam filter server)

Spam filter client configuration is done through section Spam Analysis within the MailGW Settings (see 3.2 MailGW Settings, Section Spam Detection, page 269).


Enable the SPAM Filter through setting Enable Spam Analysis to yes, and click the Set button to open the Advanced Spam Options configuration window:

Fig. 68 Spam Analysis configuration

Note: Only Barracuda NG Firewall SPAM-Filter services may be used as spam engines.

List 619 MailGW Settings - Spam Analysis

Spam Analyser IP: This IP address is the Bind IP of the SPAM Filter service (Bind or Additional IP, see 4.2.2 Configuring the Spam Filter Server, page 275). Optionally, you may enter a DNS-resolvable host name. The host name can be used to implement load balancing for high traffic scenarios.

Spam Analyser Port: This value (default: 783) must correspond with the port defined for the SPAM Filter service (Listening Port, see 4.2.2 Configuring the Spam Filter Server, page 275).

Max. Size (MB): This parameter defines the maximum size an e-mail may have to be processed by the SPAM Filter. If the e-mail exceeds this value (default: 1 MB) it will not traverse the filter mechanism and will be delivered to its recipient without header modification (spam tag) instead.

Timeout (sec): This parameter defines the maximum duration (default: 60 s) it may take to analyse an e-mail. If the value is exceeded, the e-mail is delivered to its recipient without header modification (spam tag).

Analyse Internal Mails: When set to yes (default: no) mail traffic generated by internal mail domains is also classified.
Note: Analysing of internal mail traffic may lead to high CPU load.

Deny Threshold: An e-mail is rejected when it exceeds the threshold configured here. The threshold is calculated from an e-mail's spam score (resulting from the testing sequences) multiplied by factor 100. To deactivate this parameter, enter a threshold of 0.

Enable Domain Check: This field allows for checking of sender domains. The following options are available:
None - sender domains are not checked for validity
MX - sender is only accepted if it is one of the domain's MX servers.
Host-Domain - sender is only accepted if it is within the mail domain. For example, if the sending e-mail address is e.example@foo.com then the sending host has to be within domain foo.com.
All-MX-Domains - sender has to be in a domain of the mail-domain MX servers. For example, if the sending e-mail address is e.example@foo.com and the MX servers of the domain foo.com are server1.foo.com and server1.backupfoo.com then the sending host has to be either in domain foo.com or backupfoo.com.
Domain check failure results in one of the actions configured through parameter Domain Action (see next entry).

Domain Action: This field only has to be configured if domain checking (see above) has been enabled. Domain check failure results in one of the following actions:
logging - the e-mail is delivered and a corresponding log entry is created
deny - the e-mail is not delivered and a corresponding log entry is created

Domain Whitelist: This field takes a list of trusted domains, which should be excluded from spam filtering. This list is consulted before the SPAM Filter is applied. Top-level and sub-domains may be defined (like barracuda.com and *.barracuda.com).

4.2.2 Configuring the Spam Filter Server

The SPAM Filter service's work sequence involves the following:

Fig. 69 Flowchart - Spam filter Server (decision sequence on the Spam filter server: IP allowed to connect? (Listening Port, ACL) > Filtering Sequence > Threshold exceeded?; if the threshold is exceeded the header for SPAM is added and the text is added to the subject, otherwise the header for HAM is added; a connection from an IP that is not allowed leaves the mail header unmodified; afterwards the e-mail returns to the mail gateway)

Step 1 Introducing the service
To introduce the service, follow the instructions in Configuration Service 4. Introducing a New Service, page 97 and select the software module SPAM Filter.


Step 2 Configuring the service
Service configuration takes place in the Spamfilter Settings within the introduced SPAM Filter service.

Fig. 610 Spam filter configuration dialog

4.2.2.1 General View

List 620 Spamfilter Config section Spamfilter Settings

Text To Insert Into Subject: In case the e-mail is classified as SPAM, the text inserted here is placed at the beginning of the e-mail subject. If this field is left empty, the subject field of the e-mail is left as it is.

SPAM Mail Modification: This setting determines the extent to which an e-mail should be modified if it is classified as SPAM. The following settings are applicable:
only_add_tags (default) - triggers adding of SPAM tags into the mail header but does not alter the mail body
as_attachment - triggers insertion of a verbose SPAM report into the mail body and appends the actual e-mail as attachment
as_attachment_text - triggers insertion of a verbose SPAM report into the mail body and appends the actual e-mail as text attachment

Report Language: This option determines the language of the SPAM report that is inserted into the e-mail body when as_attachment or as_attachment_text is applicable for parameter SPAM Mail Modification (default: English). The wording of the report is generated by SpamAssassin and is not customisable. Note that report translations are not yet available completely for all configurable languages.

Threshold: A mail is classified as SPAM when its score exceeds the configured threshold. Increasing the threshold will increase the amount of SPAM missed, but will reduce the risk of false positives (default: 5, medium: 7.5, high: 10, max.: 100).

Maximum Children: This parameter specifies the number of concurrent SPAM Filter servers. When the limit is reached, spam filtering is put on hold until a server is available.

Enable HA Sync: Ticking this checkbox activates SPAM Filter synchronisation between an HA pair. The synchronisation starts at 4:20 am. If this default setting is not acceptable, simply clear the check box and create a cronjob for the required time interval (Configuration Service 5.1.3 System Scheduler, page 102) using the following line:
/opt/phion/modules/server/spamfilter/bin/hacron.sh SERVER SERVICE
Attention: The SPAM Filter is deactivated while synchronisation is running.

List 621 Spamfilter Config section WHITE/BLACK LISTS

Note: Take into consideration that using white/blacklists adds a specific "list value" to the corresponding scan value. This means a valid black list entry adds spam value 10; a valid white list value lowers the spam value by 6. Both values (10, -6) can be overruled in the rules section (page 277).

Whitelist From: Mail from these senders will not be tagged as SPAM (regardless of an e-mail's score).
Whitelist To: Mail to these recipients will not be tagged as SPAM (regardless of an e-mail's score).
Blacklist From: Mail from these senders will always be tagged as SPAM.
Note: The whitelist is processed before the blacklist. Thus, it is possible to configure a specific sender user@domain.com in the parameter Whitelist From as allowed, and hence to block all further senders from the domain through entering the value *@domain.com in the parameter Blacklist From.

List 622 Spamfilter Config section ONLINE TESTS

This section serves to gain access to collaborative spam-tracking databases in the internet. The following services are available:
Note: For online tests to function, Internet access has to be enabled on specific ports.

Use DCC: Distributed Checksum Clearinghouse. Does not list domain names or IP addresses but detects bulk mail messages by creating checksums. These checksums include values that are constant across common variations in bulk messages, including personalisation. Internet access on UDP port 6277 has to be enabled for DCC to function. For more detailed information concerning DCC please check www.rhyolite.com/anti-spam/doc.

Use Razor V2: Razor detects spam by analysing statistical and randomized signatures that spot mutating spam content. Internet access on TCP port 2703 has to be enabled for Razor V2 to function.

Use Pyzor: Pyzor detects spam by calculating digests of e-mail parts and comparing these with other recipients' e-mails. Internet access on TCP port 80 and UDP port 24441 must be enabled for Pyzor to function properly. Pyzor tries to retrieve an up-to-date server list by accessing the link http://pyzor.sourceforge.net/cgi-bin/inform-servers-0-3-x. If it does not succeed, it uses its internal default server list.

Skip RBL-Tests: Realtime Blackhole List; a list containing server IPs that are responsible for spam or are known to be hijacked for spamming. Ticking this option results in deactivating the IP search in this list.

Use Black List Tests: Checks for domain names appearing in e-mails and compares them against online black lists, in order to detect messages sent by spammers.
Note: By enabling DNS blocklists (DNSBL) the SPAM-Filter service uses external servers to verify if specific IP addresses or URIs have already been used by spammers. The usage policy of the external service surbl.org guarantees free use for organizations that have fewer than 1,000 users or scan fewer than 250,000 messages per day. Please do not enable DNSBL checks if your organization exceeds either the number of email users or number of messages per day.
Note: To disable this function create a rule in section RULES, parameter Rules, with this contents: score URIBL_BLACK 0 (Rules, page 277).
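To make the decision order of the client and server flowcharts and the meaning of the list parameters concrete, here is an added Python model that is not Barracuda's code and not part of this guide: it reproduces the client gate (Fig. 67, List 619), the server-side ACL, white/black list values, rule overrides, threshold and subject tag (Fig. 69, Lists 620 to 623) and the Deny Threshold comparison. The settings and mail classes, the exact-string ACL match and the sample test hits are assumptions of this example.

```python
"""Model of the SPAM Filter decision sequence of Fig. 67, Fig. 69 and Lists 619 to 623."""
from dataclasses import dataclass
from fnmatch import fnmatch

LIST_VALUE_BLACK = 10.0   # List 621: a valid black list entry adds spam value 10
LIST_VALUE_WHITE = -6.0   # List 621: a valid white list entry lowers the spam value by 6


@dataclass
class ClientSettings:          # MailGW Settings - Spam Analysis (List 619); names are this example's
    enabled: bool = True       # Enable Spam Analysis
    max_size_mb: float = 1.0   # Max. Size (MB)
    timeout_sec: float = 60.0  # Timeout (sec)
    analyse_internal: bool = False
    deny_threshold: int = 0    # Deny Threshold; 0 deactivates it, compared with score * 100


@dataclass
class ServerSettings:          # Spamfilter Settings (Lists 620 to 623); names are this example's
    threshold: float = 5.0
    subject_text: str = "[SPAM]"   # Text To Insert Into Subject
    acl: tuple = ("127.0.0.1",)    # IPs Allowed To Connect, matched here as exact strings
    whitelist_from: tuple = ()
    whitelist_to: tuple = ()
    blacklist_from: tuple = ()
    rules: str = ""                # RULES section, one "score TEST value" per line


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    size_mb: float
    internal: bool
    hits: dict                     # SpamAssassin test name -> score it assigned


def client_gate(cfg, mail, scan_seconds):
    """Fig. 67: why the header stays unmodified, or None if the mail goes to the server."""
    if not cfg.enabled:
        return "spam analysis disabled"
    if mail.internal and not cfg.analyse_internal:
        return "internal mail not analysed"
    if mail.size_mb > cfg.max_size_mb:
        return "maximum size exceeded"
    if scan_seconds > cfg.timeout_sec:
        return "timeout exceeded"
    return None


def apply_rules(hits, rules_text):
    """List 623: a 'score TEST value' line overrides the score SpamAssassin gave TEST."""
    scores = dict(hits)
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "score" and parts[1] in scores:
            scores[parts[1]] = float(parts[2])
    return scores


def matches(address, patterns):
    """List entries may use wildcards such as *@domain.com (List 621)."""
    return any(fnmatch(address.lower(), p.lower()) for p in patterns)


def filter_sequence(client_cfg, server_cfg, mail, client_ip="127.0.0.1", scan_seconds=0.0):
    """Run one mail through the client gate, the server ACL and the filtering sequence."""
    reason = client_gate(client_cfg, mail, scan_seconds)
    if reason is None and client_ip not in server_cfg.acl:
        reason = "client IP not allowed to connect"
    if reason is not None:
        return {"scanned": False, "reason": reason, "headers": {}, "subject": mail.subject,
                "denied": False}
    score = sum(apply_rules(mail.hits, server_cfg.rules).values())
    # List 621: the whitelist is processed before the blacklist
    if matches(mail.sender, server_cfg.whitelist_from) or matches(mail.recipient, server_cfg.whitelist_to):
        score += LIST_VALUE_WHITE
        is_spam = False            # never tagged, regardless of the score
    elif matches(mail.sender, server_cfg.blacklist_from):
        score += LIST_VALUE_BLACK
        is_spam = True             # always tagged
    else:
        is_spam = score >= server_cfg.threshold   # SpamAssassin treats score == threshold as spam
    score = round(score, 1)
    # Fig. 69 with SPAM Mail Modification only_add_tags: tag the header, prefix the subject
    headers = {"X-Spam-Status": "Yes" if is_spam else "No"}   # the real header also carries the score
    subject = mail.subject
    if is_spam:
        headers["X-Spam-Flag"] = "YES"
        if server_cfg.subject_text:
            headers["X-Spam-Prev-Subject"] = mail.subject
            subject = f"{server_cfg.subject_text} {mail.subject}"
    # List 619: Deny Threshold is compared with the spam score multiplied by 100
    denied = client_cfg.deny_threshold > 0 and score * 100 > client_cfg.deny_threshold
    return {"scanned": True, "reason": None, "score": score, "is_spam": is_spam,
            "headers": headers, "subject": subject, "denied": denied}


# Constructed sample: three of the tests SpamAssassin reported for the mail in Fig. 66
FIG66_HITS = {"X_MESSAGE_INFO": 4.2, "BAYES_00": -2.6, "MIME_HTML_ONLY_MULTI": 2.4}
SAMPLE = Mail("Geoff572@spamdomain.net", "spam@this.com", "demehoqlola", 0.1, False, FIG66_HITS)
```

With the default threshold of 5 the sample scores 4.0 and stays HAM; the rule line score BAYES_00 0 lifts it to 6.6, which tags it and, with a Deny Threshold of 600, rejects it.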


List 623 Spamfilter Config section RULES

Rules: This section allows manual overriding of specific testing sequences. To disable a given test set its score to 0. Especially when a test is known to deliver "wrong" results, adapting the sequence options to one's needs is a vital measure.
Note: For a complete list of available rules, have a look at http://spamassassin.apache.org/tests_3_1_x.html.

List 624 Spamfilter Config section TRAINING OPTIONS

Parameter Description: see list 626, page 277

4.2.2.2 Advanced Network Settings View

List 625 Spamfilter Config - Advanced Network Settings

Listening Port: The value in this field specifies the port the service is listening on.

IPs Allowed To Connect (ACL): This field determines the SPAM Filter clients, which are allowed to connect to the SPAM Filter service. The default IP 127.0.0.1 specifies the internal loopback interface of the Barracuda NG Firewall. This interface has to be used when mail gateway and SPAM Filter reside on the same system.

4.2.3 Configuring the Training

Because spam filtering is merely based on an e-mail's classification according to specific iterative attributes, SpamAssassin will most possibly fail in detecting all SPAM, and eventually tag non-SPAM e-mails as SPAM. This efficiency factor is utterly normal. The filter has to be trained to improve filtering mechanisms.

Training is done by sorting out misclassified e-mails and providing them to SpamAssassin in SPAM, HAM and FORGET mailboxes for collection.

4.2.3.1 Setting up the Training Environment

Note: The SPAM Filter training environment has to be configured on the mail server, not on the Barracuda NG Firewall.

SpamAssassin modifies several ratings of the filter mechanisms in order to improve the chance of recognising spam e-mails.

SpamAssassin is based on statistical evaluations that are meant to react very stably to outliers. To guarantee such a behavior, SpamAssassin adapts its filter mechanisms in small steps. Therefore, each learned spam e-mail increases the chance of recognising this e-mail as SPAM, but does not guarantee that the e-mail is considered SPAM when re-sending it.

The configuration takes place in the Spamfilter Settings within the introduced SPAM Filter service. Ticking the check box Enable Training activates the training options.

List 626 Spamfilter Config section TRAINING OPTIONS

Enable Training: Ticking the checkbox activates SPAM Filter training.

Mailserver (IMAP): This parameter specifies the IP address/name of the external mail server.
Note: The mail server has to be capable of IMAP.

Account: In this field the user name/account name has to be entered.

Password: This field takes the mail account's password.
Note: Take into consideration to use English characters and digits only and to avoid blanks in the password. For security reasons this password must be entered twice (field Confirm).

Mailbox SPAM: SPAM mail that was delivered without being tagged as SPAM has to be put into this mailbox.

Mailbox HAM: HAM mail that was wrongly tagged as SPAM has to be put into this mailbox.

Mailbox FORGET: Mail, which should not be classified as either SPAM or HAM, has to be put into this mailbox.
Note: For the correct path for the three mail boxes please consult your mail server administrator. Depending on the directory structure it might be necessary to enter a name space (for example ~/mail/SPAM). By default, if the folder names are simply specified as SPAM, HAM and FORGET, the user's home directory (/home/<username>) will be queried.

Keep Mails In Mailbox: Select this checkbox, if for some reason (especially when using multiple SPAM Filter servers), it is necessary to keep the e-mails in the mailbox in order to provide something to learn for the other servers.
Note: The mail box's content, however, is trained only once. This means, when you add new e-mails to a bundle of e-mails in a mailbox, which have already been processed, only the added e-mails will be trained.

Time (h)/Time (min): Defines the time of day for SPAM Filter training. For example entering Time (h) 4 means 4 am, whereas 16 indicates 4 pm. At the set time the SPAM Filter collects mail from the SPAM, HAM, and FORGET mailboxes and processes the retrieved e-mails for training.

Attention: Create a separate mail account for testing. If you use a real mail account, it will be classified as a spamming one.

Note: Spam filter training can only be configured with a mail server capable of IMAP.

The training environment consists of an IMAP mail server and e-mail clients, which can directly access the mail server's folder structure (like Microsoft Outlook, Mozilla, Evolution, ...). All that has to be done is to create three mailboxes on the mail server (one each for HAM, SPAM, and FORGET e-mails), either for all mail server users in whole (if their judgement is reliable) or for each mail user separately.

Attention: Connectivity between IMAP server and Barracuda NG Firewall is stringently required. To test connectivity, enter the following commands at the command line interface:
telnet IMAPServer imap2 (tests the connection itself)
A001 CAPABILITY
A002 LOGIN username pwd (verifies the user and password)

Training environment suitable for RELIABLE users:



• All users have access to the "training area" on the mail server and file their mis-tagged mails into the corresponding directories.
Note: To maintain privacy on this "public" file structure, you may configure user access rights, so that each user only sees his own e-mails.
• Each user has his own HAM-SPAM-FORGET folder structure and sorts the mis-tagged mails accordingly. E-mails for training area update are collected from these folders with a script (figure 611, page 278).

Training environment suitable for UNRELIABLE users:
All users share a HAM-SPAM-FORGET folder structure, which is detached from the training environment, and sort their mis-tagged mails accordingly. The mail server administrator has to check the folder contents for correct classification before moving the e-mails to the training environment. This approach may be additional work for the administrator but it guarantees a "clean" training environment because poisoning of the database with incorrect entries can be avoided.

Fig. 611 Example script for e-mail collection

#!/bin/bash
# assumptions:
# HAM and SPAM live under /home/$USER/mail/
# TARGETDIR should not be /tmp/, but a more secure location
# no filelocking, etc
# 2003-12-18 j.radinger@barracudanetworks.com

TARGETDIR=/tmp/

# collect the SPAM and HAM mailbox files of all users
SPAM=$(find /home/*/mail/ -type f -name SPAM)
HAM=$(find /home/*/mail/ -type f -name HAM)

# remove the collection files left over from the previous run
for a in SPAM HAM; do
    if [ -f "$TARGETDIR/$a" ]; then
        rm -f "$TARGETDIR/$a"
    fi
done

# append every user's SPAM mailbox to the collected SPAM file
for a in $SPAM; do
    cat "$a" >> "$TARGETDIR/SPAM"
done

# append every user's HAM mailbox to the collected HAM file
for a in $HAM; do
    cat "$a" >> "$TARGETDIR/HAM"
done

4.2.4 Archiving and Updating

Because it may grow to a non-assessable size, the SpamAssassin database is not included in box PAR files. If desired, it has to be archived manually.

Note: Because of the highly dynamic behavior of SpamAssassin it is not recommended to restore the archived database, for example for crash recovery.

4.2.4.1 Archiving the Database on a Single Box

To archive the database, create a backup of the directory /var/phion/preserve/spamd/<server_servicename>/root.

The much more elegant and easier way of archiving and restoring is to create a backup of the training environment (the messages in the SPAM, HAM and FORGET folders). In a new setup, the SPAM Filter may then be re-trained with the original files. This method provides additional security because the service does not need to be stopped and restarted for archiving - the database takes care of the updating/restoring procedure.

4.2.4.2 Updating the Database on the HA Partner

For updating purposes copy the contents of the folder /var/phion/preserve/spamd/<server_servicename>/root from the primary box to the HA box.


5. Mail Gateway Operation

5.1 MailGW Operation via GUI

To administer operative processes on the mail gateway, log on to the box hosting the mail gateway service. Also on CC-administered boxes, log on to the box itself and not on to the Barracuda NG Control Center. Access the administration GUI by clicking MailGW in the box menu.

Note: The following mail gateway operation windows are only available after a minimum of values has been specified in the MailGW Settings configuration (Minimum configuration, Page 272).

The following tabs are available for operational purposes:

• Mail Queue Tab, see 5.3 Mail Queue Tab
• Access Tab, see 5.4 Access Tab
• Spam Tab, see 5.5 Spam Tab
• Processes Tab, see 5.6 Processes Tab
• Attachments Tab, see 5.7 Attachments Tab
• Grey Listing Tab, see 5.8 Grey Listing Tab

5.2 General Characteristics of the Graphical Interface

5.2.1 Filters

In each tab, e-mail entries are arranged in an ordered list. This list is topped by a filter section area. Filters may be applied to each available column to narrow down the view. By default, all columns are marked with an asterisk (*), which stands for a character string of any length. Press Enter or click the reload button to refresh the view after having defined a filter. As soon as a filter applies, the filtered value is displayed highlighted in yellow and the filter is flagged with an exclamation mark.

Fig. 612 Filter settings

5.2.2 Title Bar(s)

• Changing the column sequence
Information situated in the main window of each operational tab is captioned with a title bar. The data sets themselves are arranged in columns. The column sequence may be adjusted to personal needs either by using the standard context menu (see 4.2 Standard Context Menu, page 420) or by dragging and dropping the respective column to another place.
• Ordering data sets
Data sets may be arranged ascending or descending respectively by clicking into the column labelling of the respective title bar. The information may not only be sorted alphabetically, but also with regard to a specific status.

5.2.3 Context Menu Entries

• Right-clicking into any configuration area without a selected item makes the standard context menu available through the menu item Tools (see 4.2 Standard Context Menu, page 420).
• A menu item Show in Sections is included in most operational tabs. It allows switching between two views, the classical view, a continuous list, or a list combining groups of elements. In the section view, each section is topped by a section header.

5.3 Mail Queue Tab

This register displays pending mail jobs. In section view mail jobs are arranged according to their spam classification state. They are classified into the following categories:

• Spam State Unknown
• Spam
• No Spam

Note: If no SPAM Filter has been configured, all e-mails are categorized as Spam State Unknown, regardless of their content.

Information on currently queued jobs covers the following:

• Spam column
E-mails are flagged with an icon according to their spam classification. The following icons are in use: Spam State Unknown, Spam, No Spam.
• From column
Shows the sender address.
• To column
Shows the recipient(s) address(es).
• Subject column
Shows the mail object's subject.


• State column
Shows an icon displaying the current spool activity and a corresponding state description. The following icons are in use:
active pending - ready for delivery and pending until MTA is ready
active - delivery is performed right now
giveup - e-mail could not be delivered due to problems on the recipient's side and no further delivery attempts will be undertaken
crash - e-mail could not be delivered due to misconfiguration (for example missing MX record, unknown recipient domain, ...)
pause - delivery has been paused due to execution of the admin command Pause Delivery (see 5.3.1 Context Menu Entries, page 280)
• Prio column
Shows the priority of the mail object:
- low
- normal (default)
- high
- urgent
• APrio column
Shows the actual priority of the mail object. Due to high traffic a mail object can be ready for delivery but cannot be delivered yet. The object's priority continuously rises, until it can finally be sent. Effective priorities in the APrio column are the same as in the Prio column, except for priority urgent.
• Size column
Shows the size of the mail object.
• NumTo column
Shows the number of recipients for the mail object.
• Tries column
Shows the tries carried out for delivering the mail object.
• Last Status column
Shows the last try's status.
• Next Try column
Shows the waiting period until the next delivery try (hh:mm:ss).
• Last Try column
Shows the time passed since the last delivery try.
• Receive Time column
Shows the receiving time of the mail object.
• Scan State column
Shows an icon displaying the e-mail object's scan state. The following icons are in use:
e-mail scan has been completed successfully
e-mail scan could not be executed completely and has been aborted
• Spool ID column
Shows the ID of the mail object.

5.3.1 Context Menu Entries

Right-clicking a data set opens a context menu with commands assisting in figuring out why a mail could not be delivered and allowing influence on the execution of pending mail jobs.

Note: Execution of the commands made available through the context menu requires adequate permissions.

• Show Envelope
This command opens a window showing the mail envelope. The mail envelope contains information on the selected mail job, such as sender / recipient address, helo / ehlo name, mail size, scheduling priority, ...
• Show Log File
This command opens a window showing the mail job's log file. The log file contains information on MTA operation.
• Schedule Now
If an e-mail cannot be delivered at once, the mail gateway retries delivery according to the MTA Retry Sequence (see MTA Retry Sequence, page 266). To skip the MTA Retry Sequence select this option to start a new delivery attempt.
• Change Priority
With this option you can change the scheduling priority of the selected mail job. Default scheduling priority is normal. Jobs with high priority will be scheduled first; jobs with lower priorities will be scheduled thereafter. The following scheduling priorities exist:
- low
- normal (default)
- high
- urgent
• Change Priority and Schedule
This option combines the two scheduling options Change Priority and Schedule Now.
• Pause/Resume Delivery
Select Pause Delivery to halt delivery of a mail job. Select Resume Delivery to resume it.
• Discard Mail
Select this option to discard a mail job and to remove the mail object from the mail queue.
Note: Mails in active state cannot be discarded.


5.4 Access Tab

This register shows the Access Cache of the mail gateway service. The Access Cache contains completed mail jobs, which have been moved to it from the Mail Queue. The Access Cache thus represents the delivery history of the mail gateway. The maximum number of entries the Access Cache may contain is specified through the parameter sets MailGW Settings - Limits, section Mail Gateway Limits, and MailGW Settings - Limits, section DoS Protection (page 271).

Again, in section view, e-mails are arranged in groups disclosing their spam classification state. Mails are classified into the following categories:
• Spam State Unknown
• Spam
• No Spam

All columns, except the State column, can be interpreted in the same way as described in 5.3 Mail Queue Tab, page 279. As the Access tab represents a history, the State column only knows the following three states:
• State column
deliver - mail has been delivered successfully
giveup - mail could not be delivered, or the mail has been discarded by admin command
crash - an error has occurred during delivery or internal operation

Furthermore, the following column reflects the handling of suspicious and malicious attachments:
• Stripped column
A mail object is tagged with a pair of scissors if a suspicious or malicious (virus) attachment has been removed from it.
Note:
If an e-mail contains multiple attachments and only one of them is classified as suspicious because it cannot be scanned, all attachments are cut out of the e-mail. The virus scanner does not report which of the files is the suspicious one. If this is of interest, a manual scan is necessary after all attachments have been downloaded. For a definition of suspicious files, see Delete All Suspicious Attachments, page 283 below.

5.4.1 Context Menu Entries

Note:
Execution of the commands made available through the context menu requires adequate permissions.

Right-clicking a group title makes the following context menu entry available:
• Delete Items in Category
Deletes all access entries from the selected category Spam State Unknown, Spam or No Spam.
Note:
This action does not automatically delete attachments that may have been cut from these mails; they remain in the Attachments tab.

Right-clicking any data set makes the following context menu entries available:
• Show Logfile / Show Envelope
see 5.3.1 Context Menu Entries, page 280
• Remove Entry
Removes the selected data set (or multiple data sets if selected).
• Clear All
Deletes all objects from the Access tab, i.e. the complete delivery history.

Right-clicking a data set flagged with the scissors icon in the Attachment Stripped column makes the following additional option available:
• Show Stripped Attachments
Clicking this item redirects the administrator to the attachment(s) cut from the mail object, which are now located for analysis in the Attachments tab (see 5.7 Attachments Tab, page 282).

5.5 Spam Tab

This tab combines the Mail Queue and Access tabs and only displays e-mails tagged as spam. As this tab serves informational purposes only, the context menu has no tools for modification or deletion of entries. The only available actions from the context menu are:
• Show Envelope
opens a view containing basic information concerning the selected mail (for example mail size, peer IP address, sender, ...)
• Show Log File
opens a view containing all log files that were created by the selected mail

Note:
The columns building the spam list/spam tab can be interpreted in the same way as the ones used in the Mail Queue Tab (page 279) and Access Tab (page 281).


5.6 Processes Tab

The Processes register shows the active mail gateway processes. When a multitude of processes is running, use the filter options Delivery, Receiving, and Internal in the filter section area to limit the number of processes shown.

Note:
Internal processes are not shown by default. Adapt the filter setting for Internal to display them.

Information on currently active processes covers the following:
• PID column
Shows the Process IDentifier.
• State column
Processes can have the following states:
- pause (only available with type mgw_main)
- active
• Type column
The following process types exist:
mgw_main - This is the parent process of the Barracuda NG Firewall mail gateway service. It provides the SMTP listening sockets and handles the mail receiving processes (SMTP worker processes).
qspool_main - This process listens for incoming connections from a remote host running the Barracuda NG Firewall administration GUI Barracuda NG Admin.
qspool worker - This process is responsible for transferring the visualisation data (Mail Queue, Access Cache, Processes, Logs, Stats, ...) to the remote host running Barracuda NG Admin.
SMTP worker - This temporary process is activated when a client opens an SMTP connection to the gateway. The SMTP worker process is responsible for receiving mail data from the client. It terminates when the mail data transfer has ended.
spooler - The spooler process is responsible for scheduling mail jobs. When the worker process receives a mail job, its state temporarily changes to spool. While it is in this state, the mail job is visualized in the Mail Queue tab. The mail queue grows with every mail job that gets spooled. The sequence in which the spooled items are worked off is determined by the Spooling Priority.
mta (Mail Transfer Agent) - This process is responsible for mail delivery. When the MTA process receives a mail job from the spooler, it establishes a connection to the foreign target mail server (the recipient's mail server) and delivers the e-mail. After successful delivery, the mail job moves from the Mail Queue to the Access Cache.
ha (High Availability) - This process is needed for synchronising mail traffic between HA partners.
• Peer column
Shows the peer IP and port handled by an SMTP or qspool worker.
• Spool ID column
Shows the spool ID of the mail being processed by a Mail Transfer Agent (MTA).

5.6.1 Context Menu Entries

Note:
Execution of the commands made available through the context menu requires adequate permissions.

Right-clicking a data set makes the following context menu entries available:
• Kill Process
With administrative permissions, single worker processes can be killed. MTA processes are automatically created on demand until the configured maximum number of MTAs has been reached (see Mail Transfer Agents (MTAs), page 266).
Note:
Killing a worker process triggers the event Subprocess Kill Requested: Kill PROC_SMTP Worker [2054] when eventing is activated through the parameter Kill Worker Process (see page 272) (default: no).
• Allow Mail Reception
Used to resume mail operation after mail reception has been blocked.
• Block Mail Reception
Used to block mail reception by the mail gateway process. Use Allow Mail Reception to resume.

5.7 Attachments Tab

The Attachments tab assembles cut e-mail attachments. Its listing arranges mail objects sorted in ascending order by their Spool ID. Cut attachments are directly assigned to the mail object they have been cut from. Use this operative area to decide individually how to proceed with suspicious or malicious files.

Note:
File types meant to be cut from e-mails and not forwarded to their recipients are defined on the one hand through the virus scanner (Anti-Virus, page 389) and on the other hand explicitly through the mail gateway settings (see Section Attachment Stripping, page 269).

Available information is arranged in the following columns:
• Spool
This column shows the e-mail's spool ID followed, in brackets, by the number of attachments that have been cut from it. Click the + symbol to display detailed information regarding the attachments.
• From
Shows the sender address.
• To
Shows the recipient address(es).
• Subject
Shows the mail object's subject.
• Receive Time
Shows the time the message arrived at the mail gateway.


• Filename
Shows the name of the file which has been cut.
• Reason
Displays the reason why the file has been cut.

5.7.1 Context Menu Entries

Right-clicking any data set makes the following context menu entries available:
• Delete All Attachments
Deletes all attachments from all mail objects currently assembled in the listing, regardless of the reason why they have been cut.
• Delete All Normal Attachments
If the mail gateway has been configured to cut all file attachments regardless of their type (see Section Attachment Stripping, page 269), they will be contained in this tab. This action deletes all mail attachments that have been stripped according to the mail gateway settings.
• Delete All Suspicious Attachments
Deletes all file attachments that have been classified as suspicious by the virus scanner. Files are classified as suspicious when the virus scanner, for whatever reason, is not able to handle them properly. Amongst others, the following can be causes for this:
- The file attachment is larger than 1 MB and thus cannot be scanned completely.
- The file attachment is encrypted.
- The file attachment is an archive file exceeding the maximum allowed archive size.
• Delete All Virus Attachments
Deletes all malicious file attachments such as viruses.

Right-clicking a Spool ID header makes the following action available:
• Delete Attachments From This Mail
Deletes all attachments from the selected mail object.

Right-clicking a selected file object makes the following actions available:
• Get Attachment
Makes the cut attachment available for download. It is up to the respective administrator to download the file to his/her own hard disk, scan the file manually and thereafter possibly forward it to the original recipient. Treat a downloaded attachment as untrusted until that manual scan has cleared it.
• Delete Attachment
Deletes the selected file attachment.

5.8 Grey Listing Tab

Contents of the Grey Listing tab are associated with Grey Listing set to enabled in the Mail Gateway settings (Section Grey Listing, page 269). The list summarizes e-mail delivery attempts which have reached the gateway. The Grey Listing tab is subdivided into two areas, a Grey List and a White List.

5.8.1 Grey List

Data sets in the Grey List are arranged in sections disclosing the e-mails' arrival time. E-mails are classified into the following categories:
• Newer than 1 hour
• Between 1 and 12 hours
• Older than 12 hours

Objects in the first category, Newer than 1 hour, see the most movement: a sender-recipient pair is removed from the grey list with the next successful delivery attempt. E-mails that do not experience a second delivery attempt successively move to the lower categories.

The grey list can be used to:
• recognize peers exclusively delivering junk mail. When known, these hosts can be added to the IP Blacklist in the Block Filter configuration section (see Section Blacklists, IP Blacklist, page 270), thus further reducing unwanted e-mail traffic.
• recognize uncritical sender-recipient pairs whose e-mails could not be delivered because a misconfigured sender's mail server does not attempt a second delivery. When known, these senders and/or hosts can be added to the White List Peers and/or Senders fields in the Grey Listing configuration section (see Section Grey Listing, White List Peers/Senders, page 270), thus excluding the specific servers from Grey Listing.

Available information is arranged in the following columns:
• Sender
Shows the sender's e-mail address.
• Receiver
Shows the recipient's e-mail address.
• Peer IP
Shows the IP address of the sending mail server.
• Peer Hostname
Shows the delivering mail server's hostname, if its name is DNS resolvable. Otherwise the field contains the string unknown.
• Count
This is the number of counted delivery attempts. Multiple unsuccessful delivery attempts may occur when the sending mail server retries delivery before the Grey Listing Time has expired (see Grey Listing Time (Min)).
• First Try
This is the time of the first delivery attempt.
• Last Try
This is the time of the last delivery attempt.
• All Tries
This is the sum of all delivery attempts. Multiple delivery tries may occur if a subsequent delivery attempt falls short of the Grey Listing Time (Min) (page 270).

Grey Listing entries Older than 12 hours are automatically deleted after 1 day.
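How the grey list and the automatic sender White List described in this section behave over time, as an added example (Python; not part of the original guide and not Barracuda code). It keys entries on the sender-recipient pair as the tab describes, records the peer IP, answers a first delivery attempt with a temporary SMTP failure, and applies the parameters named on the page: Grey Listing Time (Min), Auto White List (Senders), White List Peers and Remove from White List after (d). The parameter values, the SMTP reply texts and all addresses and timestamps are constructed assumptions.

```python
"""Grey listing with automatic sender white list (added example, not Barracuda code)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

HOUR = 3600
DAY = 24 * HOUR
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"  # assumed reply text
ACCEPT = "250 OK"


@dataclass
class GreyEntry:
    sender: str
    receiver: str
    peer_ip: str
    first_try: int
    last_try: int
    count: int = 1       # Count column: attempts made while still within the grey listing time
    all_tries: int = 1   # All Tries column: every attempt seen for this pair


@dataclass
class GreyLister:
    grey_listing_time_min: int = 5              # Grey Listing Time (Min); assumed value
    auto_white_list_senders: bool = True        # Auto White List (Senders)
    remove_from_white_list_after_d: int = 30    # Remove from White List after (d); assumed value
    white_list_peers: set = field(default_factory=set)     # White List Peers (static)
    white_list_senders: set = field(default_factory=set)   # White List Senders (static)
    grey: Dict[Tuple[str, str], GreyEntry] = field(default_factory=dict)
    auto_white: Dict[str, int] = field(default_factory=dict)  # sender -> Listed Since

    def attempt(self, now: int, peer_ip: str, sender: str, receiver: str) -> str:
        """Decide the SMTP reply for one delivery attempt and update both lists."""
        if (peer_ip in self.white_list_peers or sender in self.white_list_senders
                or sender in self.auto_white):
            return ACCEPT
        key = (sender, receiver)
        entry = self.grey.get(key)
        if entry is None:
            self.grey[key] = GreyEntry(sender, receiver, peer_ip, now, now)
            return TEMPFAIL                      # first attempt is always deferred
        entry.last_try = now
        entry.all_tries += 1
        if now - entry.first_try < self.grey_listing_time_min * 60:
            entry.count += 1                     # retried too early: still deferred
            return TEMPFAIL
        del self.grey[key]                       # pair leaves the grey list
        if self.auto_white_list_senders:
            self.auto_white[sender] = now        # Listed Since
        return ACCEPT

    def category(self, now: int, key: Tuple[str, str]) -> str:
        """Section of the Grey List the entry is shown in."""
        age = now - self.grey[key].first_try
        if age < HOUR:
            return "Newer than 1 hour"
        if age < 12 * HOUR:
            return "Between 1 and 12 hours"
        return "Older than 12 hours"

    def expire(self, now: int) -> None:
        """Grey entries are deleted after 1 day; white list entries after the configured days."""
        self.grey = {k: e for k, e in self.grey.items() if now - e.first_try < DAY}
        self.auto_white = {s: t for s, t in self.auto_white.items()
                           if now - t < self.remove_from_white_list_after_d * DAY}


def demo() -> dict:
    """Constructed delivery attempts (times in seconds); returns the observable results."""
    gl = GreyLister(white_list_peers={"192.0.2.10"})
    r = {}
    r["first"] = gl.attempt(0, "198.51.100.7", "alice@example.org", "bob@example.com")
    r["early_retry"] = gl.attempt(120, "198.51.100.7", "alice@example.org", "bob@example.com")
    r["count_after_early_retry"] = gl.grey[("alice@example.org", "bob@example.com")].count
    r["late_retry"] = gl.attempt(400, "198.51.100.7", "alice@example.org", "bob@example.com")
    r["auto_whitelisted"] = "alice@example.org" in gl.auto_white
    r["other_recipient"] = gl.attempt(500, "198.51.100.7", "alice@example.org", "carol@example.com")
    r["whitelisted_peer"] = gl.attempt(600, "192.0.2.10", "spam@example.net", "bob@example.com")
    gl.attempt(700, "203.0.113.9", "junk@example.net", "bob@example.com")   # never retried
    r["junk_category_13h"] = gl.category(700 + 13 * HOUR, ("junk@example.net", "bob@example.com"))
    gl.expire(700 + DAY + 1)
    r["junk_expired"] = ("junk@example.net", "bob@example.com") not in gl.grey
    return r
```

The junk sender in the demo is what the page calls a peer delivering junk mail: it never retries, so its entry drifts through the three age sections and is purged after a day, while the legitimate sender is accepted on the retry and lands on the automatic White List.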


5.8.2 White List

Contents of the White List are associated with the parameter Auto White List (Senders) set to yes in the Mail Gateway settings (Section Grey Listing, page 269). The list contains all e-mail senders whose e-mails have been delivered successfully and which have therefore been added to the temporary White List automatically.

Available information is arranged in the following columns:
• Sender
Shows the sender's e-mail address.
• Listed Since
Shows the date when the e-mail address was added to the White List.

5.8.3 Context Menu Entries

Data sets in the White List are deleted automatically according to the interval defined through the parameter Remove from White List after (d) (page 270). Manual deletion is possible through the following context menu entries, available by right-clicking any data set:
• Remove
Deletes the selected entry from the list.
• Clear List
Deletes all entries from the list.

5.9 Logs, Statistics, Events

5.9.1 Logs

Note:
For general information on the Logs feature of Barracuda NG Admin see Log Viewer, page 305.

Select Logs on the Barracuda NG Admin toolbar and select the server your mail gateway service is installed on. Then double-click the mail gateway service name. Now you can access the logs of the mail gateway service.

5.9.2 Statistics

Note:
For general information on the Statistics feature of Barracuda NG Admin see Statistics, page 311.

Select Statistics on the Barracuda NG Admin toolbar and select the server your mail gateway service is installed on. Then double-click the mail gateway service name. Now you can choose between the various types of statistics that can be specified in Section Statistic Settings (page 272).

Fig. 6-13 Statistics tree

• Maildata
These statistics visualize only bulk mail data without the SMTP protocol overhead. There are three subtypes:
Inbound - successful inbound MTA delivery of a pair (sender, recipient)
Outbound - successful outbound MTA delivery of a pair (sender, recipient)
Fail - failed MTA delivery
• Traffic
These statistics visualize total mail traffic including the SMTP protocol overhead. There are several subtypes:
Receive-In - Inbound SMTP receive traffic (SMTP Worker Processes)
Receive-Out - Outbound SMTP receive traffic (SMTP Worker Processes)
Send-In - Inbound MTA traffic
Send-Out - Outbound MTA traffic
byte (Time) and conn (Time) reflect total mail traffic without separation by peer/sender/server.

5.9.2.1 Samples for Frequently Used Statistics

• How many mails have been sent out in total since ...?
Traffic > Send out > Conn (Time) > Top list for time interval > select the time interval you wish to be visualized
• How many mails have been received from outside in total since ...?
Traffic > Receive out > Conn (Time) > Top list for time interval > select the time interval you wish to be visualized
• Which of my users has sent the most mails?


Maildata > Outbound > Conn (Top Src) > select instances from top list

5.9.3 Events

Note:
For general information on the events feature of Barracuda NG Admin see Eventing, page 321.

Select Events on the Barracuda NG Admin toolbar. You may customize event notification by the mail gateway as outlined in Section Event Settings (page 272). Triggered events are shown in the Events window.

6. E-mail Synchronisation after HA Handover

6.1 Automatic Synchronisation

For a detailed description of the automatic synchronisation procedure see High Availability, page 399.

6.2 Manual Synchronisation

For a detailed description of the manual synchronisation procedure see High Availability, page 399.



7 DHCP

1. DHCP Enterprise
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
1.2 Working Principles & Process Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
1.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.1 Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.2 Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.3 Known Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
1.3.4 DHCP Option Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
1.3.5 Parameter Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
1.3.6 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.7 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.8 GUI as Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.9 Text Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.4 Realtime Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
1.5 Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

2. "Regular" DHCP
2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2.1 DHCP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2.2 Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.3 IP-Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.4 Special Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.5 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.3 Real Time Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

3. DHCP Relay Agent


3.1 DHCP Relay Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
3.1.1 Cascading DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303


1. DHCP Enterprise

1.1 Overview

The Dynamic Host Configuration Protocol is used for assigning IP addresses automatically. The DHCP server has a given amount of so-called leases. These leases are IP addresses that are available for being "lent" to an interface. After a predefined amount of time, the client sends a request to the server asking whether it may keep the lease or not.

Note:
DHCP and the DHCP Relay Agent have been implemented according to the following RFCs:
- RFC 1497 (RFC 951)
- RFC 2131
- RFC 2132
- RFC 3046

The work flow consists of the following steps:

Step 1 Discover
As soon as a client connects to the network, it broadcasts a discover message to contact any reachable DHCP server (source IP: 0.0.0.0; destination IP: 255.255.255.255). This message includes the MAC address of the client, so the server(s) know where the request is coming from.

Step 2 Offer
After receiving the discover message, the server(s) offer a lease to the client. A lease consists of:
• IP address
The client gets an IP address out of a defined available IP range. When the client's MAC address is defined within the class/known clients configuration, this explicit IP address is used.
• Options
These options define the subnet mask, the gateway, ...

Step 3 Selection & Request
The client checks the received lease offers and selects one.
Note:
The selection depends on the client configuration, but usually the lease received first is selected.
Now the client sends a request for the lease to the DHCP server that offered it.

Step 4 Acknowledgement
When the lease is still available, the DHCP server sends an ACK to the client and the client activates the settings of the lease.

1.2 Working Principles & Process Structure

The process structure of the new DHCPe server is presented in figure 7-1 Processes structure. In brief, five different processes are involved:
• Wrapper: Responsible for finding available services
• Services: Takes care of looking for the DHCP server
• DHCPe: Represents the DHCP enterprise server
• arp: Takes care of sending ARP requests every 10 seconds to all the clients reachable in the directly attached network
• sync: Responsible for the synchronisation among HA boxes

Fig. 7-1 Processes structure (figure: Wrapper, Services, DHCPe, arp and sync processes)

All these processes use one unique log file named server/serviceName, following the convention.

Note:
The DHCP Enterprise Service does not replace the former Barracuda Networks DHCP Service, although only one of them may run on the same box. New licenses are not required for the DHCP Service to be fully recognized.
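The four-step exchange above, worked through at packet level as an added example (Python; not the guide's or Barracuda's code). It encodes and decodes RFC 2131 messages with RFC 2132 options, offers a fixed address to a MAC listed in a constructed known-clients table and a pool address otherwise, and shows what the Server Is Authoritative setting described in the configuration tables below changes when a client requests an address from a foreign network: the authoritative server answers DHCPNAK, the non-authoritative one stays silent. The subnet, pool range, MAC addresses, transaction IDs and lease time are constructed; option 82 (RFC 3046) is only listed as a code point, since a relay agent, not the client, would insert it.

```python
"""DHCP Discover/Offer/Request/Ack at packet level (added example, not Barracuda code)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                          # RFC 2131 magic cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6    # option 53 message types
OPT_SUBNET, OPT_ROUTER, OPT_REQUESTED_IP, OPT_LEASE = 1, 3, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 53, 54, 82, 255  # 82: RFC 3046
BOOTREQUEST, BOOTREPLY = 1, 2


def build(op, xid, chaddr, yiaddr, options):
    """236-byte fixed header + magic cookie + TLV options + end marker."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                      b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Return (op, xid, chaddr, yiaddr, {option code: value}); rejects non-DHCP data."""
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                  # pad option carries no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return op, xid, chaddr, yiaddr, opts


class Server:
    """One subnet, one pool, a Known Clients table and the Server Is Authoritative flag."""

    def __init__(self, subnet, server_ip, first, last, known, authoritative):
        self.net = ipaddress.IPv4Network(subnet)
        self.server_ip = ipaddress.IPv4Address(server_ip)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.known = known             # MAC bytes -> fixed IP (Known Clients)
        self.authoritative = authoritative
        self.leases = {}               # MAC bytes -> offered/acknowledged IP

    def _opts(self, msg_type):
        return {OPT_MSG_TYPE: bytes([msg_type]), OPT_SERVER_ID: self.server_ip.packed,
                OPT_SUBNET: self.net.netmask.packed, OPT_ROUTER: self.server_ip.packed,
                OPT_LEASE: struct.pack("!I", 3600)}   # 1 h lease, assumed

    def handle(self, pkt):
        """Return the reply packet, or None where the server must stay silent."""
        _, xid, mac, _, opts = parse(pkt)
        mtype = opts[OPT_MSG_TYPE][0]
        if mtype == DISCOVER:
            free = (a for a in self.pool if a not in self.leases.values())
            ip = self.known.get(mac) or next(free, None)
            if ip is None:
                return None            # pool exhausted
            self.leases[mac] = ip
            return build(BOOTREPLY, xid, mac, ip, self._opts(OFFER))
        if mtype == REQUEST:
            if opts.get(OPT_SERVER_ID, self.server_ip.packed) != self.server_ip.packed:
                return None            # client accepted another server's offer
            wanted = str(ipaddress.IPv4Address(opts[OPT_REQUESTED_IP]))
            if wanted == self.leases.get(mac):
                return build(BOOTREPLY, xid, mac, wanted, self._opts(ACK))
            if self.authoritative and ipaddress.IPv4Address(wanted) not in self.net:
                # Address is not valid on this segment: an authoritative server NAKs
                return build(BOOTREPLY, xid, mac, "0.0.0.0",
                             {OPT_MSG_TYPE: bytes([NAK]), OPT_SERVER_ID: self.server_ip.packed})
            return None                # not authoritative: no DHCPNAK is sent
        return None


def demo():
    """Constructed exchange; returns what each step produced."""
    known_mac, new_mac = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
    srv = Server("192.0.2.0/24", "192.0.2.1", "192.0.2.100", "192.0.2.110",
                 known={known_mac: "192.0.2.50"}, authoritative=True)
    out = {}
    offer = parse(srv.handle(build(BOOTREQUEST, 0x1234, new_mac, "0.0.0.0",
                                   {OPT_MSG_TYPE: bytes([DISCOVER])})))
    out["unknown_offered"] = offer[3]                        # first free pool address
    ack = srv.handle(build(BOOTREQUEST, 0x1234, new_mac, "0.0.0.0", {
        OPT_MSG_TYPE: bytes([REQUEST]), OPT_SERVER_ID: srv.server_ip.packed,
        OPT_REQUESTED_IP: ipaddress.IPv4Address(offer[3]).packed}))
    out["ack_type"] = parse(ack)[4][OPT_MSG_TYPE][0]
    out["known_offered"] = parse(srv.handle(build(BOOTREQUEST, 0x5678, known_mac, "0.0.0.0",
                                                  {OPT_MSG_TYPE: bytes([DISCOVER])})))[3]
    foreign = build(BOOTREQUEST, 0x9999, new_mac, "0.0.0.0", {OPT_MSG_TYPE: bytes([REQUEST]),
                    OPT_REQUESTED_IP: ipaddress.IPv4Address("10.9.8.7").packed})
    out["foreign_request"] = parse(srv.handle(foreign))[4][OPT_MSG_TYPE][0]   # NAK
    srv.authoritative = False
    out["foreign_request_non_auth"] = srv.handle(foreign)                     # None
    return out
```

The silence of the non-authoritative server is the behaviour the Server Is Authoritative parameter description refers to: without complete knowledge of the segment, the server does not dare to NAK, so a client holding a stale lease from another network keeps it until it times out.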


1.3 Configuration

Configuring DHCP Enterprise on a Barracuda NG Firewall starts with introducing a corresponding DHCP service. Therefore select Config from the box menu and introduce the service by selecting Create Service from the context menu of Assigned Services.

Note:
Please see Configuration Service 4. Introducing a New Service, page 97, for detailed information concerning the procedure and available options.

After the service has been created, the following two configuration entries are available in the config tree:
• Dhcp Enterprise Configuration - see below
• Service Properties - settings made during the introduction of the service

Enter the configuration dialog via Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (dhcpe) > DHCP Enterprise Configuration.

1.3.1 Operational Setup

Fig. 7-2 DHCP Enterprise Configuration - Operational Setup

List 7-1 DHCP Enterprise Configuration - Operational Setup section Service Availability
Parameter | Description
UDP Listen Port | Note: This parameter is only available in Advanced View mode. It causes the DHCP server to listen for DHCP requests on the specified UDP port rather than on the default port 67.
DHCP Server Identifier | This parameter can be used to inform the client about the name of the server from which it is booting and should be the name that will be provided to the client.
Device Autodetection | Activates/deactivates the automatic detection of listening interfaces (default: yes). Setting the parameter to no activates the parameter Listen on Devices (see below).
Listen on Devices | This parameter is only available if the parameter Device Autodetection is set to no. It allows specifying the listening interfaces explicitly.
Server Is Authoritative | When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP protocol requires that the server determine whether the IP address is valid for the network to which the client is attached. If the address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP address. To make this determination for IP addresses on a particular network segment, the DHCP server must have complete configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured with complete information. Therefore, the DHCP server normally assumes that it does not have complete information, and thus is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.

List 7-2 DHCP Enterprise Configuration - Operational Setup section HA Synchronisation Setup
Parameter | Description
HA Synchronisation | Setting this parameter to yes causes the periodical synchronisation of the DHCP database between the HA pair (default: no).
Time Interval [s] | This parameter defines the period between synchronisation tasks (default: 300).

1.3.2 Address Pools

Fig. 7-3 DHCP Enterprise Configuration - Address Pools

List 7-3 DHCP Enterprise - Address Pool Configuration section Address Pool Configuration
Parameter | Description
Load Network Info | This parameter activates/deactivates the automatic search for local networks (default: yes).

List 7-4 DHCP Enterprise - Address Pool Configuration section Subnets
Parameter | Description
Description | Here a describing text concerning the subnet can be entered.
Shared Network Device | This parameter defines whether the subnet is a shared one (default: no). If an interface is to be shared (by setting this to yes), the parameter set DHCP Enterprise - Address Pool Configuration section Further Subnets (see below) is activated.
Shared Parameters | Here the parameters for the shared network can be chosen.
Shared DHCP Options | Here the DHCP options for the shared network can be chosen.


List 7-4 DHCP Enterprise - Address Pool Configuration section Subnets (continued)
Parameter | Description
Subnet Type | Defines the type of subnet. The following options are available: local (default) - activates the parameter Used Subnet for selecting the required subnet; relayed / explicit - activates the parameters Network Address and Netmask for entering the required network.
Used Subnet | Here the required subnet has to be selected.
Network Address | Here the network address has to be entered.
Netmask | Here the network mask has to be entered.
Server IP | This parameter can be used to define the value that is sent for a given scope. The value specified must be an IP address of the DHCP server and must be reachable by all clients served by that scope. The usual case where the Server IP needs to be sent is when a physical interface has more than one IP address, and the one being sent by default isn't appropriate for some or all clients served by that interface. Another common case is when an alias is defined for the purpose of having a consistent IP address for the DHCP server, and it is desired that the clients use this IP address when contacting the server.
Server Is Authoritative | Note: This parameter is only available in Advanced View mode. Same meaning as the parameter Server Is Authoritative in List 7-1, applied to this subnet.
Perform DDNS Updates | Note: This parameter is only available in Advanced View mode. This parameter offers the following options: true - activates DNS parameter updates for subnets (the parameter DNS Zone is activated); false - deactivates DNS parameter updates for subnets; not-set (default) - enforces the global DNS parameter to be used for subnets.
DNS Zone | Note: This parameter is only available in Advanced View mode. If the parameter Perform DDNS Updates is set to true, the DNS zones to be updated (configured within Dynamic DNS, see 1.3.7 Dynamic DNS, page 294) are defined here.
Subnet Parameters | Here the parameters for these subnets can be chosen. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).
Subnet DHCP Options | Here the options for these subnets can be chosen. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).
Address Pools | see List 7-6

List 7-5 DHCP Enterprise - Address Pool Configuration section Multi Subnet Configuration
Note: This parameter set is only available in Advanced View mode.
Parameter | Description
Shared Network Device | Set this to yes if the determination of subnets should be used. This way it is possible to have multiple subnets on one device.
Shared Parameters | Here the parameters for the shared network device can be chosen. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).
Shared DHCP Options | Here the options for the shared network device can be chosen. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).
Further Subnets | see List 7-7

List 7-6 DHCP Enterprise Configuration - SUBNETS tab section Address Pools
Parameter | Description
Pool description | Description of the pool.
Range DHCP Options | Defines the DHCP options available for the range.
IP Begin | Start IP of the range.
IP End | End IP of the range.
All Clients Policy [default: none] | Defines the policy that is to be used: none - no global policy is used; enforces usage of the policy defined in the parameters Known Clients, Unknown Clients, Allowed Classes, and Denied Classes; allow - all pool-matching policies are set to allow (valid for all clients, known and unknown); deny - all pool-matching policies are set to deny (valid for all clients, known and unknown).
Barracuda NG Network Access Clients Policy [default: none] | Defines the policy that is to be used: none - no Barracuda NG Network Access Clients Policy is used; enforces usage of the policy defined in the parameters Known Clients and Unknown Clients (see below); Barracuda NG Network Access Clients - the NAP clients receive an IP address from the pool; guests - NAP clients are excluded from this pool.
Allowed Classes | Defines the classes that are allowed to get leases from this pool; see 1.3.6 Classes, page 294.
Denied Classes | Defines the classes that are NOT allowed to get leases from this pool; see 1.3.6 Classes, page 294.
Known Clients [default: allow] | allow - known clients may obtain a lease from this pool; deny - known clients may NOT obtain a lease from this pool; not-set - deactivates the parameter.
Unknown Clients [default: deny] | allow - unknown clients may obtain a lease from this pool; deny - unknown clients may NOT obtain a lease from this pool; not-set - deactivates the parameter.
BOOTP Clients Policy [default: deny_dynamic] | Uses the dynamic-bootp flag to tell the DHCP server whether or not to dynamically assign addresses to BOOTP clients: allow_dynamic - dynamic BOOTP for IP addresses allowed; deny_dynamic - dynamic BOOTP for IP addresses denied; not-set - deactivates the parameter.

List 7-7 DHCP Enterprise - Address Pool Configuration section Further Subnets
This parameter set is only available if the parameter Shared Network Device (see above) is set to yes; it allows the definition of further subnets using this interface. This way it is possible to have multiple subnets on ONE interface.
Parameter | Description
Subnet Description | Description of the subnet.
Subnet Type [default: local] | Defines the type of subnet. The following options are available: local (default) - activates the parameter Used Subnet for selecting the required subnet; relayed / explicit - activates the parameters Network Address and Netmask for entering the required network.
Used Subnet | Here the required subnet has to be selected.
Network Address | Here the network address has to be entered.
Netmask [8-bit] | Here the network mask has to be entered.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



List 7-7 DHCP Enterprise - Address Pool Configuration section Further Subnets (continued)

Parameter Description

Server IP
  This parameter can be used to define the value that is sent for a given scope. The value specified must be an IP address for the DHCP server, and must be reachable by all clients served by a particular scope.
  The usual case where the Server IP needs to be sent is when a physical interface has more than one IP address, and the one being sent by default isn't appropriate for some or all clients served by that interface. Another common case is when an alias is defined for the purpose of having a consistent IP address for the DHCP server, and it is desired that the clients use this IP address when contacting the server.

Server Is Authoritative [yes]
  When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP protocol requires that the server determines whether the IP address is valid for the network to which the client is attached. If the address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP address.
  To make this determination for IP addresses on a particular network segment, the DHCP server must have complete configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured with complete information. Therefore, the DHCP server normally assumes that it does not have complete information, and thus is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.

Perform DDNS Updates [not-set]
  This parameter offers the following options:
  true - activates DNS parameter updates for subnets (parameter DNS Zone is activated)
  false - deactivates DNS parameter updates for subnets
  not-set (default) - enforces the global DNS parameter to be used for subnets

Subnet Parameters
  Here the parameters for these subnets can be chosen. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).

Subnet DHCP Options
  Here the options for these subnets can be chosen. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).

1.3.3 Known Clients

Fig. 7-4 DHCP Enterprise Configuration - Known Clients

List 7-8 DHCP Enterprise Configuration - Known Clients section Group Based Assignment

Parameter Description

Group Description
  May hold a further description concerning the group.
Group DHCP Options
  Defines the DHCP options that are available for this group.
Group Parameters
  Defines the DHCP parameters that are available for this group.
Automatic Hostname Assignment
  If this parameter is set to true (default: false), then for every host declaration of this group of known clients, the name provided for the host declaration will be supplied to the client as its hostname.
Known Clients
  see list 7-9

Section Client Group Members

List 7-9 DHCP Enterprise - Known Clients - Client Group Member section Client Description

Parameter Description

Client Description
  Description of the client.

List 7-10 DHCP Enterprise - Known Clients - Client Group Member section Client Match & Address Assignment

Parameter Description

DHCP Client Identifier
  Host declarations are matched to actual DHCP or BOOTP clients by matching the dhcp-client-identifier option specified in the host declaration to the one supplied by the client, or, if the host declaration or the client does not provide a DHCP Client Identifier option, by matching the hardware parameter in the host declaration to the network hardware address supplied by the client. BOOTP clients do not normally provide a dhcp-client-identifier, so the hardware address must be used for all clients that may boot using the BOOTP protocol.
  Be aware that only the DHCP Client Identifier option and the hardware address can be used to match a host declaration. For example, it is not possible to match a host declaration to a host-name option. This is because the host-name option cannot be guaranteed to be unique for any given client, whereas both the hardware address and the DHCP Client Identifier option are at least theoretically guaranteed to be unique to a given client.
MAC Address [ff:ff:ff:ff:ff:ff]
  Defines the MAC address of the client required for identification.
MAC Type [ethernet]
  Defines the type of network card requesting a lease (either ethernet or tokenring).
Fixed IP Address
  Defines, if required, a static IP address that is sent to the client.

List 7-11 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments

Parameter Description
Note: This parameter set is only available in Advanced View mode.

Client DHCP Options
  Defines the DHCP options available for the client.
Client Parameters
  Defines the DHCP parameters available for the client.
Allowed Broadcast Reply [not-set]
  The DHCP and BOOTP protocols both require DHCP and BOOTP clients to set the broadcast bit in the flags field of the BOOTP message header. Unfortunately, some DHCP and BOOTP clients do not do this, and therefore may not receive responses from the DHCP server. The DHCP server can be configured to always broadcast its responses to clients by setting this flag to yes for the relevant scope; relevant scopes would be inside a conditional statement, as a parameter for a class, or as a parameter for a host declaration. In order to avoid creating excessive broadcast traffic on your network, Barracuda Networks recommends restricting the use of this option to as few clients as possible.
Duplicates Policy [allow]
  Choose between one of the settings allow and deny in this place.
  Host declarations can match client messages based on the DHCP Client Identifier option or based on the client's network hardware type and MAC address. If the MAC address is used, the host declaration will match any client with that MAC address, even clients with different client identifiers. This doesn't normally happen, but is possible when one computer has more than one operating system installed on it, for example Microsoft Windows and NetBSD or Linux.
  This parameter tells the DHCP server that if a request is received from a client matching the MAC address of a host declaration, any other lease matching that MAC address should be discarded by the server, even if the UID is not the same. This is a violation of the DHCP protocol, but can prevent clients whose client identifiers change regularly from holding many leases at the same time.
Client Hostname
  If a name is entered, the statement within a host declaration will override the use of the name in the host declaration.


List 7-11 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments (continued)

Parameter Description

DDNS Hostname
  Defines the hostname that will be used in setting up the client's A and PTR records; if no DDNS hostname is specified, the server will derive the hostname automatically, using an algorithm that varies for each of the different update methods.

1.3.4 DHCP Option Templates

List 7-12 DHCP Enterprise - DHCP Option Templates section Template Description

Parameter Description

Description
  May hold a describing text.

List 7-13 DHCP Enterprise - DHCP Option Templates section Basic Options

Parameter Description

Subnetmask [1]
  Here the required subnet mask has to be selected (default: not-set).
Router [3]
  Here the address(es) of the default gateway(s) are to be entered.
DNS Servers [6]
  Here the IP address(es) of the DNS servers are to be entered.
Domain Name [15]
  Here the domain name is to be entered.

List 7-14 DHCP Enterprise - DHCP Option Templates section Barracuda NG Network Access Clients Access Control Service Options

Parameter Description

Access Control Service IPs/Names
  In order for a client to receive valid policy server information, either a vendor ID OR a policy server IP or a DNS-resolvable policy server name is to be entered here.
  This field only has effect if the Barracuda NG Network Access Clients Policy of an Address Pool has been set to Barracuda NG Network Access Clients- or guests.
  Note:
  If the Barracuda NG Network Access Clients Policy field is set to none, the Access Control Service IPs/Names will be ignored.
  Note:
  Setting both options is not valid. The client would not receive any policy server information. Only one of the two options must be set.

List 7-15 DHCP Enterprise - DHCP Option Templates section Extended Options

Parameter Description

Vendor [43]
  This parameter is used to exchange vendor-specific information. The definition of this information is vendor-specific.
  It is possible to either enter only one vendor ID or a semicolon-separated list of two or more vendor IDs.
Broadcast Address [28]
  Here the Broadcast Address can be entered.
NIS Domain Name [40]
  Enter the domain of the Network Information System in this field.
NIS Server [41]
  Here the IP address(es) of the NIS server(s) are entered.
NTP Server [42]
  To enable synchronized times, here the IP address(es) of the NTP server(s) are entered.
WINS Server [44]
  When using a WINS server, here the IP address(es) of the server(s) are entered.
NBDD Server [45]
  When using a NBDD server, here the IP address(es) of the server(s) are entered.
Netbios Node Type [46]
  Note:
  When using a Linux client, this parameter is obsolete and has to be left empty.
  This entry allows NetBIOS to configure TCP/IP clients. The following values are available (with their indication):
  not-set (default)
  b-node - broadcast: clients use broadcast for name registration/resolution
  p-node - point: the client registers itself at the NetBIOS server (point-to-point)
  m-node - multi: the client first uses b-node; if that fails, p-node is used
  Note:
  However, b- and m-nodes should not be used with large networks because the broadcasts use lots of bandwidth.
  h-node - hybrid: like m-node, but uses p-node first and then b-node (as a last resort)
Netbios Scope Id [47]
  Note:
  When using a Linux client, this parameter is obsolete and must be empty.
  When using NetBIOS Scope IDs (for example, for isolating NetBIOS traffic or for giving the same name to different computers), here this ID is to be entered.
  Note:
  The NetBIOS Scope ID is case-sensitive.
LPR Server [9]
  When using this printing protocol for Unix systems, here the IP address of the printer has to be entered.
Log Server [7]
  In case of a stand-alone log server, here the IP address of the server has to be entered.
Time Server [4]
  In case of a time server according to RFC868, here the IP address of this server has to be entered.
Time Offset [2]
  This field defines the client's time offset (in seconds) from UTC.
IEN Name Server [5]
  In case of an IEN name server, here the IP address of this server has to be entered.
Cookie Server [8]
  When using a stand-alone cookie server, here the IP address of this server has to be entered.
Swap Server [16]
  When using a separate swap server, here the IP address of this server has to be entered.
Local Subnets [27]
  In case of local subnets, they are selected in this field (default: not-set).
Impress Server [10]
  This field defines the IP address of an optional image impress server.
Resource Location Server [11]
  This option specifies a list of RFC 887 Resource Location servers available to the client. Servers should be listed in order of preference.
Perform Mask Discovery [29]
  Note:
  When using a Linux client, this parameter is not supported.
  This field defines whether a subnet mask discovery is carried out or not. The following settings are available:
  true - Client uses ICMP for subnet mask discovery
  false - No subnet mask discovery is to be performed
  not-set (default) - deactivates the parameter
Perform Router Discovery [31]
  Note:
  When using a Linux client, this parameter is not supported.
  This field defines whether a router discovery is carried out or not. The following settings are available:
  true - Client performs ICMP router discovery (according to RFC1256)
  false - No router discovery is to be performed
  not-set (default) - deactivates the parameter
Static Route Net [33]
  Specify a list of static routes that the client should install in its routing cache. If there are multiple routes to the same destination, you should list them in descending order of priority.
  The routes are made up of IP address pairs. The first address is the destination address; the second address is the router for the destination.
  The default route (0.0.0.0) is an illegal destination for a static route. Use the Router [3] parameter to specify the default route.
  The following options are available:
  Static Route Net [33]
  Static Route GW [33]
TFTP Server Name [66]
  Used to identify a TFTP server when the "sname" field in the DHCP header has been used for DHCP options.
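The Static Route entry above describes option 33 as a list of destination/router address pairs, with 0.0.0.0 barred as a destination. The following is an added example, not the product's code: it assumes the RFC 2132 wire layout of option 33 (option code, one-octet length, then IPv4 pairs), encodes a pair list into option bytes and decodes it back, enforcing the guide's 0.0.0.0 rule and the one-octet length limit. The addresses in the sample run are constructed.

```python
"""Encode and decode DHCP option 33 (Static Route), the wire form of the
Static Route Net / Static Route GW pairs in list 7-15.

Added example, not the product's code. ASSUMES the RFC 2132 layout:
code, length, then (destination, router) IPv4 pairs, 8 octets per route.
"""
import ipaddress
import struct

OPTION_STATIC_ROUTE = 33          # RFC 2132 section 5.8
MAX_ROUTES = 255 // 8             # one-octet option length => at most 31 pairs


def encode_static_routes(routes):
    """routes: list of (destination, router) dotted-quad strings, listed in
    descending order of priority. Returns the complete option bytes."""
    if not routes:
        raise ValueError("at least one route is required")
    if len(routes) > MAX_ROUTES:
        raise ValueError(f"too many routes for one option (max {MAX_ROUTES})")
    body = b""
    for dest, router in routes:
        d = ipaddress.IPv4Address(dest)      # rejects malformed addresses
        r = ipaddress.IPv4Address(router)
        if d == ipaddress.IPv4Address("0.0.0.0"):
            # The guide's rule: the default route must go into Router [3].
            raise ValueError("0.0.0.0 is not a legal static-route destination")
        body += d.packed + r.packed
    return struct.pack("BB", OPTION_STATIC_ROUTE, len(body)) + body


def decode_static_routes(data):
    """Inverse of encode_static_routes(); validates code, length and alignment."""
    if len(data) < 2:
        raise ValueError("option too short")
    code, length = struct.unpack("BB", data[:2])
    if code != OPTION_STATIC_ROUTE or length % 8 != 0 or len(data) != 2 + length:
        raise ValueError("malformed static route option")
    pairs = []
    for off in range(2, 2 + length, 8):
        dest = ipaddress.IPv4Address(data[off:off + 4])
        router = ipaddress.IPv4Address(data[off + 4:off + 8])
        pairs.append((str(dest), str(router)))
    return pairs


if __name__ == "__main__":
    # constructed sample: two routes, highest priority first
    raw = encode_static_routes([("10.0.4.0", "10.0.8.1"), ("192.0.2.0", "10.0.8.254")])
    print(raw.hex(), decode_static_routes(raw))
```

Because option 33 carries no netmask, each destination is interpreted classfully by the client; this is why modern deployments prefer the classless static route option, but it is the option this template exposes.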


List 7-15 DHCP Enterprise - DHCP Option Templates section Extended Options (continued)

Parameter Description

TFTP Server IP Address [150]
  TFTP Server IP Addresses for Cisco CallManager Devices. It is possible to enter a comma-separated list of IP addresses.
Boot File Name [67]
  Used to identify a boot file when the "file" field in the DHCP header has been used for DHCP options.

1.3.5 Parameter Templates

List 7-16 DHCP Enterprise - Parameter Templates section Template Description

Parameter Description

Description
  Holds describing text.

List 7-17 DHCP Enterprise - Parameter Templates section Lease Constraints

Parameter Description

Max Lease Time [s]
  Maximum length in seconds that will be assigned to a lease. The only exception to this is that Dynamic BOOTP lease lengths, which are not specified by the client, are not limited by this maximum.
Def Lease Time [s]
  Default length in seconds that will be assigned to a lease.
Min Lease Time [s]
  Minimum length in seconds that will be assigned to a lease.
Reply Delay [s]
  Minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request. The number of seconds is based on what the client reports, and the maximum value that the client can report is 255 seconds. Generally, setting this to one will result in the DHCP server not responding to the client's first request but always responding to its second request.
  This parameter can be used to set up a secondary DHCP server which never offers an address to a client until the primary server has been given a chance to do so. If the primary server is down, the client will bind to the secondary server, but otherwise clients should always bind to the primary.
  Note:
  This does not, by itself, permit a primary server and a secondary server to share a pool of dynamically-allocatable addresses.

List 7-18 DHCP Enterprise - Parameter Templates section Dynamic DNS Parameters

Parameter Description

Do Fwd Updates
  Instructs the DHCP server whether it should attempt to update a DHCP client's A record if the client acquires or renews a lease. This statement has no effect unless DNS updates are enabled and ddns-update is set to interim. If this statement is used to disable forward updates, the DHCP server will never attempt to update the client's A record, and will only ever attempt to update the client's PTR record if the client supplies an FQDN (Fully Qualified Domain Name) that should be placed in the PTR record using the fqdn option. If forward updates are enabled, the DHCP server will still honour the setting of the client-updates flag (default: not-set).
Optimized Updates
  If this parameter is false for a given client, the server will attempt a DNS update for that client each time the client renews its lease, rather than only attempting an update when it appears to be necessary. This will allow the DNS to heal from database inconsistencies more easily, but the cost is that the DHCP server must do many more DNS updates. If this parameter is true, the DHCP server will only update when the client information changes, the client gets a different lease, or the client's lease expires (default: false).
Update Static Leases
  If set to true, causes the DHCP server to do DNS updates for clients even if those clients are being assigned their IP address using a fixed-address statement, that is, the client is being given a static assignment. This can only work with the interim DNS update scheme. It is not recommended because the DHCP server has no way to tell that the update has been done, and therefore will not delete the record when it is not in use. Also, the server must attempt the update each time the client renews its lease, which could have a significant performance impact in environments that place heavy demands on the DHCP server (default: false).
DDNS Domainname
  Defines the domain name that will be appended to the client's hostname to form a FQDN (Fully Qualified Domain Name).
Rev DDNS Domainname
  Defines the domain name that will be appended to the client's reversed IP address to produce a name for use in the client's PTR record. By default, this is "in-addr.arpa.", but the default can be overridden here. The reversed IP address to which this domain name is appended is always the IP address of the client, in dotted quad notation, reversed; for example, if the IP address assigned to the client is 10.17.92.74, then the reversed IP address is 74.92.17.10. So a client with that IP address would, by default, be given a PTR record of 10.17.92.74.in-addr.arpa.
Dynamic BOOTP Lease Time [s]
  Used for setting the length of leases dynamically assigned to BOOTP clients. At some sites, it may be possible to assume that a lease is no longer in use if its holder has not used BOOTP or DHCP to get its address within a certain time period. The period is specified in length as a number of seconds. If a client reboots using BOOTP during the timeout period, the lease duration is reset to length, so a BOOTP client that boots frequently enough will never lose its lease. Needless to say, this parameter should be adjusted with extreme caution.
Boot File Server
  Specify the host address of the server from which the initial boot file (specified in the filename statement) is to be loaded. Boot File Server should be a numeric IP address. If no Boot File Server parameter applies to a given client, the DHCP server's IP address is used.
Boot File
  Used to optionally specify the name of the initial boot file which is to be loaded by a client. The filename should be a filename recognizable to whatever file transfer protocol the client can be expected to use to load the file.

List 7-19 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters

Parameter Description

Boot Unknown Clients
  true / not-set - clients without host declarations will be allowed to obtain IP addresses, as long as those addresses are not restricted by allow and deny statements within their pool declarations
  false - clients for whom there is no host declaration will not be allowed to obtain IP addresses
RFC1048 Conformance
  Some BOOTP clients expect RFC1048-style responses, but do not follow RFC1048 when sending their requests. You can tell that a client is having this problem if it is not getting the options you have configured for it and if you see in the server log the message "(non-rfc1048)" printed with each BOOTREQUEST that is logged.
  If you want to send RFC1048 options to such a client, you can set the always-reply-rfc1048 option in that client's host declaration, and the DHCP server will respond with an RFC-1048-style vendor options field. This flag can be set in any scope, and will affect all clients covered by that scope.
  true - response in RFC1048-style
  false - response NOT in RFC1048-style
  not-set (default) - deactivates the parameter
Hostname via Rev-DNS
  This parameter is used for telling DHCP whether or not to look up the domain name corresponding to the IP address of each address in the lease pool and use that name for the DHCP hostname option.
  true - lookup is done for all addresses in the current scope
  false - no lookups are done
  not-set (default) - deactivates the parameter
Ping Check
  If the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address. If a response is heard, the lease is abandoned, and the server does not respond to the client.
  This parameter introduces a default one-second delay in responding to DHCPDISCOVER messages, which can be a problem for some clients. The default delay of one second is configured using parameter Ping Timeout [s] (see below). The ping-check configuration parameter can be used to control checking: if its value is false or not-set (default), no ping check is done.
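The name derivation described under DDNS Domainname and Rev DDNS Domainname, carried out in code as an added example (not part of the guide and not the product's own code): the forward name is the hostname joined to DDNS Domainname, and the PTR owner name is the dotted quad reversed and joined to Rev DDNS Domainname, with trailing dots normalised. The code follows the reversal the entry itself gives (10.17.92.74 becomes 74.92.17.10), so the PTR name it yields for that address is 74.92.17.10.in-addr.arpa.; the hostname and domain values in the sample run are constructed.

```python
"""Names produced by the Dynamic DNS parameters of list 7-18 for one lease.

Added example, not the product's code. forward_fqdn() joins the hostname to
DDNS Domainname; ptr_name() reverses the dotted quad and appends
Rev DDNS Domainname (default "in-addr.arpa."), the reversal the guide describes.
"""
import ipaddress


def _absolute(name: str) -> str:
    """Normalise to an absolute DNS name with exactly one trailing dot."""
    name = name.strip().rstrip(".")
    if not name:
        raise ValueError("domain name must not be empty")
    return name + "."


def forward_fqdn(hostname: str, ddns_domainname: str) -> str:
    """A-record owner: <hostname>.<DDNS Domainname>."""
    label = hostname.strip().rstrip(".")
    if not label or "." in label:
        raise ValueError("hostname must be a single non-empty label")
    return f"{label}.{_absolute(ddns_domainname)}"


def ptr_name(ip: str, rev_ddns_domainname: str = "in-addr.arpa.") -> str:
    """PTR-record owner: reversed dotted quad + Rev DDNS Domainname."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a dotted quad
    reversed_quad = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_quad}.{_absolute(rev_ddns_domainname)}"


def ddns_records(hostname: str, ip: str, ddns_domainname: str,
                 rev_ddns_domainname: str = "in-addr.arpa.") -> dict:
    """The A and PTR pair the server maintains for one lease, as (owner, data)."""
    fqdn = forward_fqdn(hostname, ddns_domainname)
    return {"A": (fqdn, str(ipaddress.IPv4Address(ip))),
            "PTR": (ptr_name(ip, rev_ddns_domainname), fqdn)}


if __name__ == "__main__":
    # constructed sample values
    for rtype, (owner, data) in ddns_records("host1", "10.17.92.74", "example.test").items():
        print(f"{owner}  {rtype}  {data}")
```

The same pair of names is what a DNS zone must accept from the server's update key (list 7-22), so this is a convenient way to predict which records a given lease will touch before enabling updates.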


List 7-19 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters (continued)

Parameter Description

Ping Timeout [s]
  If the DHCP server determined that it should send an ICMP echo request (a ping) because the ping-check statement is true, this parameter allows configuring how many seconds the DHCP server should wait for an ICMP Echo response. If no ICMP Echo response has been received before the timeout expires, it assigns the address. If a response is heard, the lease is abandoned, and the server does not respond to the client.

1.3.6 Classes

Note:
This parameter set is only available in Advanced View mode.

List 7-20 DHCP Enterprise - Classes section Class Configuration

Parameter Description

Spawn Subclasses
  If there are spawn subclasses (default: no), they must be specified here.
Spawn Parameter
  In case of spawn subclasses (default: n), their parameters are configured via this parameter.
Lease Limit
  This parameter defines the maximum number of parallel active leases.
Match Parameter
  Match Parameter (default: dhcp-user-class)
  Match Type (default: exact) - defines the number of matching values; that means exact indicates ONE client, list allows multiple clients that must be entered in parameter Match Value List.
  Match Value - defines the value that has to match (for example, MAC, store agent ID, etc.)
  Match Value List
  Note:
  The way MAC addresses are entered depends on the used type of interface:
  ethernet requires a 1: prior to the MAC address (for example 1:00:01:f3:34:44:2g)
  tokenring requires a 6: prior to the MAC address (for example 6:00:01:f3:34:44:2g)

1.3.7 Dynamic DNS

Fig. 7-5 DHCP Enterprise - Dynamic DNS

Note:
This parameter set is only available in Advanced View mode.

List 7-21 DHCP Enterprise - Dynamic DNS section DNS Update Configuration

Parameter Description
Note: This parameter set is only available in Advanced View mode.

DNS Update Scheme
  Define the DNS Update Scheme with this parameter. Two options are available:
  none (default)
  interim
  The ddns-update-style statement is only meaningful in the outer scope: it is evaluated once after reading the dhcpd.conf file, rather than each time a client is assigned an IP address, so there is no way to use different DNS update styles for different clients.
Client Updates
  The first point to understand about the interim style of DNS update is that the DHCP server does not necessarily always update both the A and the PTR records. The FQDN (fully qualified domain name) option includes a flag which, when sent by the client, indicates that the client wishes to update its own A record. In that case, the server can be configured either to honour the client's intentions or ignore them. This is done with the statement allow client-updates; or the statement ignore client-updates. By default, client updates are ignored.

List 7-22 DHCP Enterprise - Dynamic DNS section DNS Authentication

Parameter Description

Zone Keys
  Here the HMAC-MD5 Key for the DNS zone has to be entered.
DNS Zones
  Zone Type - Choose between Forward (default), Reverse and Both.
  DNS Server IP - Enter the DNS Server IP here.
  Forward Zone Name - Holds the network of the forward lookup.
  Reverse Lookup Net - Holds the network of the reverse lookup.
  Reverse Lookup Netmask - Holds the netmask of the reverse lookup.
  Authentication Key - Used for selecting a preconfigured key, configured in Zone Keys.

1.3.8 GUI as Text

Note:
This parameter set is only available in Advanced View mode.

List 7-23 DHCP Enterprise - GUI as Text

Parameter Description

Show GUI as Text
  Activating this parameter causes the configuration file sent to the DHCP server to be displayed (default: no).
GUI Corresponding Text
  Displays the configuration file of the DHCP server as read-only.

1.3.9 Text Based Configuration

Note:
This parameter set is only available in Advanced View mode.

List 7-24 DHCP Enterprise - Text Based Configuration

Parameter Description

Use Free Format
  Activating this parameter enables manual configuration of the DHCP server (default: no).
  Attention:
  Setting this parameter to yes disables every setting made in the user interface. However, deactivating it makes the settings in the user interface valid again.


List 7-24 DHCP Enterprise - Text Based Configuration (continued)

Parameter Description

Free Format Text
  Here you can write the configuration file.

1.4 Realtime Information

The real time information for the configured DHCP server can be accessed via the box menu entry DHCP.

Fig. 7-6 Real Time Information - DHCP

By using the Delete button (top left corner) it is possible to delete inactive and relayed leases manually.

Attention:
When deleting relayed leases, it may occur that a lease is assigned twice, leading to duplicate IPs.

The refresh button (next to the Delete button) is used for refreshing the display.

The following columns are used for displaying lease status (upper frame):

- IP-Address - displays the assigned IP address; additionally, the status of the client is displayed by using the following icons:
  (icon) indicating that the client is up and running (ARPable)
  (icon) indicating that the client is relayed (not ARPable)
  (icon) indicating that no client is listening on this IP
- State - displays the state of the lease.
- Start - displays the time of lease assignment; used format: yyyy/mm/dd hh:mm:ss
- End - displays when the client has to renew its lease; used format: yyyy/mm/dd hh:mm:ss
- Hostname - if available, this column displays the configured hostname the client is assigned to
- Relay-ID - if available, this column provides the client's relaying interface
- Hardware-Address - displays the client's MAC address
- Hardware-Type - displays the client's interface type (ethernet or token ring)

The following columns are used for displaying RANGE status (lower frame):

- Range Start - displays the start IP address of the range; additionally, the lease consumption of the range is displayed by using the corresponding icon (from low to high)
- Range End - displays the end IP address of the range
- % Leased - displays the current lease consumption in this range (in percent)
- Nr. of Leases - displays the exact number of leases currently in use in this range

Note:
Take into consideration that known clients are displayed in the range status frame (indicated by identical start/end IP address and value 0 in columns % Leased and Nr. of Leases). However, this does not indicate that the lease is currently assigned, due to not-ARPable relayed clients.


1.5 Example

Create DHCP for 2 networks with 3 different IP pools.

- network 1 (10.0.8.0/24) - contains two address pools:
  one pool for unknown clients
  one pool for known clients (identified via their MAC addresses)
- network 2 (10.0.4.0/24) - contains one address pool for unknown clients and two known clients

Fig. 7-7 Example environment (diagram: the DHCP Enterprise service with eth0: 10.0.8.35 serving 10.0.8.0/24, which holds unknown clients and "testclass" clients, and eth1: 10.0.4.44 serving 10.0.4.0/24, which holds unknown clients, known client 1 and known client 2)

Step 1 Create a DHCP Enterprise server using FirstIP 10.0.8.35 and SecondIP 10.0.4.44.

Step 2 Create a DHCP Enterprise service using First+Second-IP for Bind Type.

Step 3 Define MAC addresses for "testclass" clients

Change to Advanced View mode, enter Classes view and add a new class called testclass.
Set parameter Match Type to MAC and enter our ethernet MAC addresses 00:01:f3:34:44:2g and 00:01:f3:34:44:2e to parameter Match Value List.

Note:
The way MAC addresses are entered depends on the used type of interface:
ethernet requires a 1: prior to the MAC address (for example 1:00:01:f3:34:44:2g)
tokenring requires a 6: prior to the MAC address (for example 6:00:01:f3:34:44:2g)

Fig. 7-8 Example Configuring CLASS Settings

Step 4 Create subnet and pools for 10.0.8.0/24

Enter the Address Pools section and create a new subnet called Subnet1.
Configure the subnet according to the following table:

Table 7-1 Example Configuration parameters for Subnet1

Parameter        Value
Subnet Type      explicit
Network Address  10.0.8.0
Netmask          8-bit

Fig. 7-9 Example Configuring Subnet settings for Subnet1

Now we can create the 2 required address pools for Subnet1. Therefore, simply add new datasets to parameter Address Pools using the following settings:

Address Pool 1: Unknown:

Table 7-2 Example Configuring Address Pool 1 for Subnet1

Parameter        Value      Description
IP Begin         10.0.8.10  Start and end IP address for our example environment is defined.
IP End           10.0.8.15
Denied Classes   testclass  These parameter settings guarantee that only unknown clients may receive IP addresses from this pool.
Known Clients    deny
Unknown Clients  allow

Address Pool 2: Classpool:

Table 7-3 Example Configuring Address Pool 2 for Subnet1

Parameter        Value      Description
IP Begin         10.0.8.20  Start and end IP address for our example environment is defined.
IP End           10.0.8.30


Table 73 Example Configuring Address Pool 2 for Subnet1

Parameter Value Description


Allowed Classes testclass These parameter settings
Known Clients not-set guarantee that only the allowed
class may receive IP addresses from
Unknown Clients this pool.
BOOTP Clients
Policy

Step 5 Create subnet and pool for 10.0.4.0/24

Enter the SUBNETS tab and create a new subnet called Subnet2. Configure the subnet according to the following table:

Table 74 Example Configuration parameters for Subnet2
Parameter | Value
Subnet Type | explicit
Network Address | 10.0.4.0
Netmask | 8-bit (255.255.255.0, the /24 of this step)

Now we can create the required address pool for Subnet2. Therefore, simply add a new dataset to parameter Address Pools using the following settings:

Address Pool 1: Unknown:

Table 75 Example Configuring Address Pool 1 for Subnet2
Parameter | Value | Description
IP Begin | 10.0.4.10 | Start and end IP address of the pool for our example environment.
IP End | 10.0.4.15 |
Known Clients | deny | These parameter settings guarantee that only unknown clients may receive IP addresses from this pool. A known client without a Fixed IP Address (Step 6) therefore receives no address in this subnet.
Unknown Clients | allow |

Step 6 Configure Known Clients

Enter the KNOWN CLIENTS tab and add a new group called Known1. Configure section Known Clients according to the following tables:

- Known Client One:

Table 76 Example Configuration parameters for Known Client 1
Parameter | Value
MAC Address | 00:01:f3:34:44:2g
Fixed IP Address | 10.0.4.31 (optional)

- Known Client Two:

Table 77 Example Configuration parameters for Known Client 2
Parameter | Value
MAC Address | 00:01:f3:34:44:2e
Fixed IP Address | 10.0.4.32 (optional)

Step 7 Send Changes and Activate the configuration

Click Send Changes and then Activate to commit the configuration; the DHCP service now runs with the settings above.
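The address selection that the class, pools and known clients of this example produce, written out as an added example (Python; not Barracuda code): it models Known Clients, Unknown Clients, Allowed/Denied Classes and Fixed IP Address the way Tables 72 to 77 use them and answers which address a given MAC receives in Subnet1 and Subnet2. Assumptions made for the illustration: Subnet1 is 10.0.8.0/24 (its definition precedes this page), a fixed address is tried before any pool, pools are tried in configured order, the hardware type prefix (1:) is dropped, and the unknown MAC 00:0c:29:12:34:56 is constructed.

```python
"""Pool selection for the Subnet1/Subnet2 example (added example, not Barracuda code).

Assumptions: Subnet1 is 10.0.8.0/24, a Fixed IP Address is tried before any
pool, pools are tried in configured order, MACs are compared without the
"1:" hardware-type prefix.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set


@dataclass
class Pool:
    name: str
    ip_begin: str
    ip_end: str
    known_clients: Optional[str] = None        # "allow", "deny" or None (= not-set)
    unknown_clients: Optional[str] = None
    allowed_classes: Set[str] = field(default_factory=set)
    denied_classes: Set[str] = field(default_factory=set)


@dataclass
class Subnet:
    network: IPv4Network
    pools: List[Pool]


@dataclass
class Config:
    classes: Dict[str, Set[str]]               # class name -> MACs of its Match Value List
    known_clients: Dict[str, Optional[str]]    # MAC -> Fixed IP Address (None if not set)
    subnets: List[Subnet]


def pool_admits(pool: Pool, is_known: bool, classes: Set[str]) -> bool:
    """Evaluate the pool's access parameters; any applicable deny wins."""
    if pool.denied_classes & classes:
        return False
    if pool.allowed_classes and not (pool.allowed_classes & classes):
        return False
    if is_known and pool.known_clients == "deny":
        return False
    if not is_known and pool.unknown_clients == "deny":
        return False
    return True


def select_address(cfg: Config, network: str, mac: str, in_use: Set[str]) -> Optional[str]:
    """Address the server hands to `mac` on `network`, or None if no pool admits it."""
    mac = mac.lower()
    net = IPv4Network(network)
    subnet = next(s for s in cfg.subnets if s.network == net)
    is_known = mac in cfg.known_clients
    fixed = cfg.known_clients.get(mac)
    if fixed and IPv4Address(fixed) in subnet.network:
        return fixed                            # known client with a Fixed IP Address here
    classes = {name for name, macs in cfg.classes.items() if mac in macs}
    for pool in subnet.pools:
        if not pool_admits(pool, is_known, classes):
            continue
        for n in range(int(IPv4Address(pool.ip_begin)), int(IPv4Address(pool.ip_end)) + 1):
            candidate = str(IPv4Address(n))
            if candidate not in in_use:
                return candidate
    return None


# The example configuration of Tables 72 to 77
EXAMPLE = Config(
    classes={"testclass": {"00:01:f3:34:44:2g", "00:01:f3:34:44:2e"}},
    known_clients={"00:01:f3:34:44:2g": "10.0.4.31", "00:01:f3:34:44:2e": "10.0.4.32"},
    subnets=[
        Subnet(IPv4Network("10.0.8.0/24"), [
            Pool("Unknown", "10.0.8.10", "10.0.8.15", known_clients="deny",
                 unknown_clients="allow", denied_classes={"testclass"}),
            Pool("Classpool", "10.0.8.20", "10.0.8.30", allowed_classes={"testclass"}),
        ]),
        Subnet(IPv4Network("10.0.4.0/24"), [
            Pool("Unknown", "10.0.4.10", "10.0.4.15", known_clients="deny", unknown_clients="allow"),
        ]),
    ],
)

if __name__ == "__main__":
    for net, mac in (("10.0.8.0/24", "00:01:f3:34:44:2e"), ("10.0.8.0/24", "00:0c:29:12:34:56"),
                     ("10.0.4.0/24", "00:01:f3:34:44:2e"), ("10.0.4.0/24", "00:0c:29:12:34:56")):
        print(net, mac, "->", select_address(EXAMPLE, net, mac, set()))
```

Running the model against the tables shows the intent of the configuration: a class member gets Classpool in Subnet1 and its fixed address in Subnet2, an unknown MAC gets the Unknown pool in both subnets, and a known client whose Fixed IP Address was left empty gets nothing in Subnet2 because its only pool denies known clients.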


2. "Regular" DHCP

2.1 Overview

Attention:
From Barracuda NG Firewall 3.6 on, "Regular DHCP" is not available when creating a new service. In multi-release environments formerly existing servers can still be administered, though. For compatibility reasons, using DHCP Enterprise (see 1. DHCP Enterprise, page 288) is highly recommended anyway.

The Dynamic Host Configuration Protocol is used for assigning IP addresses automatically.

The DHCP server has a given amount of so-called leases. These leases are IP addresses that are available for being "lent" to an interface. After a predefined amount of time, the client asks the server whether it may keep the lease.

Note:
DHCP and the DHCP Relay Agent were implemented according to the following RFCs:
- RFC 1497 (RFC 951)
- RFC 2131
- RFC 2132
- RFC 3046

The work flow consists of the following steps:

Step 1 Discover
As soon as a client connects to the network, it broadcasts a discover message to reach any DHCP server (source IP: 0.0.0.0; destination IP: 255.255.255.255). This message includes the MAC address of the client, so the server(s) know where the request is coming from.

Step 2 Offer
After receiving the discover message, the server(s) offer a lease to the client. The lease consists of:
- IP address
  - The client gets an IP address out of a defined available IP range (see 2.2.3 IP-Ranges, page 299).
  - When the client's MAC address is defined within the special client configuration (2.2.4 Special Clients, page 299), this explicit IP address is used instead.
- Options
  The options define the subnet mask, the gateway and so on (see 2.2.5 Options, page 299).

Step 3 Selection & Request
The client checks the received lease offers and selects one.

Note:
The selection depends on the client configuration, but usually the lease received first is selected.

Now the client sends a request for the lease to the DHCP server that offered it.

Step 4 Acknowledgement
If the lease is still available, the DHCP server sends an ACK to the client and the client activates the settings of the lease.

2.2 Configuration

As the regular DHCP service became obsolete in Barracuda NG Firewall 3.6, the regular DHCP service must already exist and have been migrated from a former Barracuda NG Firewall release.

The following two configuration entries exist in the configuration tree in Config > Assigned Services:
- Dhcp Server Settings - see 2.2.1 DHCP Server Settings, page 298
- Service Configuration - settings made during the introduction of the service

Note:
When configuring the service itself (Service Configuration), take into consideration that only the following settings are allowed for Bind Type:
- First-IP
- Second-IP
- Explicit (only if just one explicit IP is specified)
- First+Second-IP (only the First IP will be used)

Attention:
Currently the usage of only ONE subnet is supported. You may, however, define several IP ranges (see below) within this one subnet.

2.2.1 DHCP Server Settings

Fig. 710 DHCP Server Settings with pre-configured settings

The sections IP-RANGES, SPECIAL-CLIENTS, and OPTIONS are defined via datasets (consisting of multiple parameters). Therefore it is necessary to click Insert to get to the configuration dialog for a new data set. However, if you want to modify an already existing data set, select the entry and click Edit instead.


2.2.2 Global Settings

List 725 DHCP Server Settings section GLOBAL SETTINGS
Parameter | Description
Verbose | Setting this parameter to yes causes every action to be logged (Logs > <servername> > <servicename>). In addition to administrator-relevant data such as Error, Warning and Fatal entries, Info entries such as Requests and ACKs are then logged as well.
Leases Low / Leases Critical | The events Resource Limit Pending / Resource Limit Exceeded [135/136] are triggered when the percentage of assigned leases (in %) reaches the low value or exceeds the critical limit. Note: The bigger the available network, the smaller the gap between low and critical level may be.
Enable HA Sync | Setting this parameter to yes causes the periodical synchronisation of the DHCP database between the HA pair.
HA Sync Period [sec] | This parameter defines the minimum period of time between two synchronisations (default: 3600 s). This period applies as long as the server is idle (no traffic is handled). When the server has traffic, this minimum period may increase.

2.2.3 IP-Ranges

Fig. 711 Configuration - IP RANGES

List 726 DHCP Server Settings - section Option Section and IP RANGES
Parameter | Description
Option Section | This field defines which set of configured options (see 2.2.5 Options, page 299) is used within this IP range.
IP-Begin | This field indicates the beginning of the IP range; the address itself is included.
IP-End | This field indicates the end of the IP range; the address itself is included.

2.2.4 Special Clients

Fig. 712 Configuration - SPECIAL CLIENTS

List 727 DHCP Server Settings section SPECIAL CLIENTS
Parameter | Description
Option Section | This field defines which set of configured options (see 2.2.5 Options, page 299) is used for this client.
IP Address | This field indicates the IP address that is sent to the client.
MAC-Address | Through this field the unique MAC address is defined that identifies the client.

2.2.5 Options

Note:
The numeric values in square brackets indicate the option numbering defined in RFC 2132.

BASIC OPTIONS:

Fig. 713 Configuration - BASIC OPTIONS

List 728 DHCP Server Settings section BASIC OPTIONS
Parameter | Description
Subnetmask [1] | Here the correct subnet mask has to be entered.
Router [3] | Here the IP address(es) of the default gateway(s) are to be entered.
DNS Server [6] | Here the IP address(es) of the DNS server(s) are to be entered.
Domain Name [15] | Here the domain name is to be entered.
Lease Time [51] | This field defines the maximum period of time (in minutes) that an IP address may be leased.
Renew Time [58] | This field defines the period of time after which the client sends a request (unicast) to the server it got the lease from, in order to extend its lease. The default value for this field is 0.5 x Lease Time.
Rebind Time [59] | This field defines the period of time after which the client sends a request (broadcast) to ANY server to extend its lease. A reasonable value for this field is 0.875 x Lease Time.

Note:
When configuring the parameters Lease Time, Renew Time and Rebind Time use the following rule of thumb to determine the values: Lease Time > Rebind Time > Renew Time

EXTENDED OPTIONS:

List 729 DHCP Server Settings section EXTENDED OPTIONS
Parameter | Description
Broadcast Address [28] | Here the broadcast address can be entered.
NIS Domain Name [40] | Enter the domain of the Network Information System in this field.
NIS Server [41] | Here the IP address(es) of the NIS server(s) are entered.
Host Name [12] | Here the host name of the client can be entered.
NTP Server [42] | To enable synchronized times, here the IP address(es) of the NTP server(s) are entered.
WINS Server [44] | When using a WINS server, here the IP address(es) of the server(s) are entered.
NBDD Server [45] | When using a NBDD server, here the IP address(es) of the server(s) are entered.

List 729 DHCP Server Settings section EXTENDED OPTIONS (continued)
Parameter | Description
Netbios Node Type [46] | Note: When using a Linux client, this parameter is obsolete and has to be left empty. This entry allows NetBIOS to configure TCP/IP clients. The following values are available (with their meaning): 1 b-node - broadcast; clients use broadcast for name registration/resolution. 2 p-node - point; the client registers itself at the NetBIOS name server (point-to-point). 4 m-node - mixed; the client first uses b-node, if that fails p-node is used. 8 h-node - hybrid; like m-node, but uses p-node first and then b-node (as a last resort). Note: b- and m-nodes should not be used in large networks because the broadcasts use lots of bandwidth.
Netbios Scope Id [47] | Note: When using a Linux client, this parameter is obsolete and has to be left empty. When using NetBIOS Scope IDs (for example to isolate NetBIOS traffic or to give the same name to different computers), enter the ID here. Note: The NetBIOS Scope ID is case-sensitive.
LPR Server [9] | When using this printing protocol for Unix systems, here the IP address of the printer has to be entered.
Log Server [7] | In case of a stand-alone log server, here the IP address of the server has to be entered.
Time Server [4] | In case of a time server according to RFC 868, here the IP address of this server has to be entered.
Time Offset [2] | This field defines the client's time offset (in seconds) from UTC.
IEN Name Server [5] | In case of an IEN name server, here the IP address of this server has to be entered.
Cookie Server [8] | When using a stand-alone cookie server, here the IP address of this server has to be entered.
Swap Server [16] | When using a separate swap server, here the IP address of this server has to be entered.
Local Subnets [27] | In case of local subnets, they are entered in this field.
Impress Server [10] | This field defines the IP address of an optional Imagen Impress server.
Resource Location Server [11] | This field defines the IP address of an optional resource location server (according to RFC 887).
Perform Mask Discovery [29] | Note: When using a Linux client, this parameter is not supported. This field defines whether a subnet mask discovery is carried out or not. The following settings are available: 1 - Client uses ICMP for subnet mask discovery; 0 - No subnet mask discovery is to be performed.
Perform Router Discovery [31] | Note: When using a Linux client, this parameter is not supported. This field defines whether a router discovery is carried out or not. The following settings are available: 1 - Client performs ICMP router discovery (according to RFC 1256); 0 - No router discovery is to be performed.
Static Route [33] | This field is used for entering the static routes of the client. Note: When using a Windows client, this parameter is not supported.
TFTP Server Name [66] | Here a TFTP server may be defined.
Boot File Name [67] | This field allows entering a boot file name.

2.3 Real Time Information

The real time information for the configured DHCP server can be accessed via the box menu entry DHCP.

Fig. 714 Real Time Information - DHCP (the figure labels the number of total available leases, the Lease-O-meter and the number of used leases)

By using the Delete button (top left corner) it is possible to delete active leases manually.

Attention:
To avoid duplicate IPs after deleting a lease, the lease is not put back into the list of available IP addresses until the service is restarted.

The Refresh button (right of the Delete button) is used for refreshing the display.

The so-called Lease-O-meter in the middle of the user interface indicates the level of lease usage.

The columns of the lease list have the following meaning:

- MAC
  This column displays the client MAC address for each lease that is currently used.
- IP
  This column displays the corresponding client IP address.
- Leased or Offered
  The state of a lease is displayed in this column. Possible values are Leased and Offered:
  Leased - indicates used IP addresses
  Offered - indicates leases that are currently offered but not yet taken
- Lease Time
  Shows the amount of time until the lease expires.
- Online/Offline/Duplicated
  The DHCP service sends ARP requests throughout the network. Depending on the response, the following states are possible:
  Online - the IP address answers the ARP request
  Offline - the IP address does not answer the ARP request
  Duplicate - more than one host answers the ARP request for the IP address


- Range/Specific
  This column shows what kind of IP address is used in this lease:
  Range - The IP address is defined through the IP-Ranges field (see 2.2.3 IP-Ranges, page 299)
  Specific - The IP address is defined through the Special Clients field (see 2.2.4 Special Clients, page 299)
- Option
  This column shows the name of the option section used by this lease.
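The four-step exchange of 2.1, the Lease/Renew/Rebind timers of 2.2.5 and the Offered/Leased states of the real time view, carried out end to end as an added example (Python; not Barracuda code). The message layout follows RFC 2131 and the option TLVs RFC 2132; the server side is a toy model with one IP range, a special-clients table (MAC to fixed IP) and T1/T2 derived as 0.5 and 0.875 of the lease. The server address 10.0.8.1, the range and the client MACs are constructed; a renewing client (REQUEST with ciaddr set) and a client requesting an address held by someone else (NAK) are handled too.

```python
"""Discover/Offer/Request/Ack against a minimal DHCP server model.

Added example, not Barracuda code. Fixed header per RFC 2131, options per
RFC 2132. Server policy is a toy: one IP range, a special-clients table and
the Renew/Rebind defaults of 2.2.5. All addresses and MACs are constructed.
"""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                     # RFC 2131 option cookie
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
HDR = "!BBBBIHH4s4s4s4s16s64s128s"             # 236-byte fixed header


def build(mtype, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0", options=None):
    """Serialise a message: fixed header, cookie, option TLVs, END (0xff)."""
    op = 1 if mtype in (DISCOVER, REQUEST) else 2          # BOOTREQUEST / BOOTREPLY
    opts = {53: bytes([mtype]), **(options or {})}
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, IPv4Address(ciaddr).packed,
                      IPv4Address(yiaddr).packed, IPv4Address(siaddr).packed, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + b"\xff"


def parse(pkt):
    """Decode the fixed fields we need plus all options into a dict."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                                        # PAD
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:f[2]], "mtype": opts[53][0], "options": opts}


class Server:
    def __init__(self, ip, ip_begin, ip_end, special, lease_minutes, mask, router):
        self.ip, self.mask, self.router = ip, mask, router
        self.range = [str(IPv4Address(n))
                      for n in range(int(IPv4Address(ip_begin)), int(IPv4Address(ip_end)) + 1)]
        self.special = {m.lower(): a for m, a in special.items()}   # 2.2.4 Special Clients
        self.lease = lease_minutes * 60                             # option 51 is carried in seconds
        self.offered, self.leased = {}, {}                          # ip -> mac (the real time states)

    def _options(self):
        t1, t2 = self.lease // 2, int(self.lease * 0.875)          # Renew [58], Rebind [59]
        return {54: IPv4Address(self.ip).packed, 1: IPv4Address(self.mask).packed,
                3: IPv4Address(self.router).packed, 51: struct.pack("!I", self.lease),
                58: struct.pack("!I", t1), 59: struct.pack("!I", t2)}

    def _pick(self, mac):
        if mac in self.special:
            return self.special[mac]
        return next((ip for ip in self.range if ip not in self.offered and ip not in self.leased), None)

    def handle(self, pkt):
        """Return the reply packet, or None when the server stays silent."""
        m = parse(pkt)
        mac = m["chaddr"].hex(":")
        if m["mtype"] == DISCOVER:
            ip = self._pick(mac)
            if ip is None:
                return None                                         # range exhausted: no offer
            self.offered[ip] = mac
            return build(OFFER, m["xid"], m["chaddr"], yiaddr=ip, siaddr=self.ip, options=self._options())
        if m["mtype"] == REQUEST:
            sid = m["options"].get(54)
            if sid is not None and sid != IPv4Address(self.ip).packed:
                self.offered = {ip: h for ip, h in self.offered.items() if h != mac}  # another server won
                return None
            ip = str(IPv4Address(m["options"][50])) if 50 in m["options"] else m["ciaddr"]  # select / renew
            if self.offered.get(ip) != mac and self.leased.get(ip) != mac:
                return build(NAK, m["xid"], m["chaddr"], siaddr=self.ip, options={54: IPv4Address(self.ip).packed})
            self.offered.pop(ip, None)
            self.leased[ip] = mac
            return build(ACK, m["xid"], m["chaddr"], yiaddr=ip, siaddr=self.ip, options=self._options())
        return None


def dora(server, chaddr, xid=0x3903F326):
    """Client side of the four-step exchange; returns the decoded ACK/NAK or None."""
    reply = server.handle(build(DISCOVER, xid, chaddr))
    if reply is None:
        return None
    offer = parse(reply)
    request = build(REQUEST, xid, chaddr,
                    options={50: IPv4Address(offer["yiaddr"]).packed, 54: offer["options"][54]})
    return parse(server.handle(request))
```

A 60-minute lease yields 3600 s in option 51, 1800 s in option 58 and 3150 s in option 59, which satisfies the rule of thumb Lease Time > Rebind Time > Renew Time. An address moves from the server's offered table to its leased table only with the ACK, which is the Offered/Leased distinction of the real time view.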


3. DHCP Relay Agent

3.1 DHCP Relay Settings

Fig. 715 Example of use for a DHCP Relay Agent (Department LAN 1 with the DHCP clients on eth0, Department LAN 2 with the DHCP server behind a Barracuda NG Firewall on eth1; the DHCP Relay Agent runs on the Barracuda NG Firewall in between)

Fig. 716 DHCP Relay Settings

A DHCP relay agent has to be used when DHCP clients and server are located in different networks, both protected behind firewalls. DHCP relay agents communicate with the server via unicast instead of broadcast so that the messages may pass the firewalls.

The DHCP relay agent does not handle IP addresses itself, but instead passes DHCP messages between the DHCP clients and their server.

Introduce a DHCP relay on a Barracuda NG Firewall by selecting Config from the box menu, navigating through the configuration tree until the Assigned Services item is reached, and selecting Create Service from the context menu.

Note:
Please see Configuration Service 4. Introducing a New Service, page 97, for detailed information concerning procedure and available options for service creation.

Note:
DHCP relay and DHCP server cannot live together on the same box. Make sure to configure these services on self-contained systems. This restriction is valid for DHCP servers that have been delivered until 2.4.x. DHCP Enterprise (DHCPe) servers can live together with a DHCP relay, as long as these services do not use the same interface.

By introducing a DHCP relay, the following configuration items are added to the configuration tree:
- Dhcp Relay Settings - see 3.1 DHCP Relay Settings, page 302
- Service Properties - settings made during the introduction of the service

List 730 DHCP Relay Settings
Parameter | Description
UDP Port | This parameter defines the port the relay agent is listening on (default: 67).
Relay Interfaces | Define the network interfaces which the DHCP relay agent uses to connect to the networks the DHCP server and the clients are situated in (eth0 and eth1 in the example given in figure 715). Choose the interfaces from the physical network interfaces available in the list. Virtual interfaces are not included in the list. If you require a virtual interface, select the Other checkbox and insert the interface manually. Click the Insert button after each interface selection or manual specification to add the interface to the configuration. Note: When using Virtual LANs (Configuration Service 2.2.5.3 Virtual LANs, page 65), select the Other checkbox and enter the tagged VLAN interface (parameter Hosting Interface).
DHCP Server IPs | In this place, specify the IP address(es) of the DHCP server(s) the DHCP relay is relaying for.
Add Agent ID (AID) | Set to yes (default) if you want the DHCP relay agent to add an Agent ID (AID) to the transmitted packets. An AID indicates that the data has been relayed.
DHCP Packet Size [B] | This parameter defines the maximum DHCP packet size in bytes (default: 1400).
AID Relay Policy | This parameter defines how to deal with DHCP packets already flagged by an AID. The following options are available: Append (default) - Attaches my agent's ID to the existing one, leaving it intact. Replace - Replaces the existing AID with my agent's ID. Forward - Passes DHCP packets without any modification. Discard - Discards DHCP packets which are already flagged by another agent's ID.
Reply AID Mismatch Policy | The relay agent checks packets it receives from the DHCP server for its own agent ID before forwarding them to the client. If it finds the ID, it forwards the packet to the client. If it cannot find it, the relay acts on the directive defined by this parameter: Discard (default) - Discards the DHCP packet. Forward - Forwards the DHCP packet regardless. Note: The Reply AID Mismatch Policy parameter is of special importance when multiple relay agents serve the DHCP server.
Packet Hop Count | Limit the hop count (default: 10) with this parameter to avoid infinite packet loops.
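The forwarding decisions that List 730 parameterises (Relay Interfaces, DHCP Server IPs, Add Agent ID, AID Relay Policy, Reply AID Mismatch Policy, Packet Hop Count), as an added example (Python; not Barracuda code). It works on already decoded messages (dicts with op, hops, giaddr and options), so no wire parsing is involved. The agent ID travels in option 82 (Relay Agent Information, RFC 3046) as sub-option 1; that the server echoes option 82 in its reply and that the relay strips it before delivery are RFC 3046 rules, and reading the Reply AID Mismatch Policy as a check for the relay's own echoed ID is this example's interpretation of the text. Interface names, addresses and agent IDs are constructed.

```python
"""Forwarding rules of a DHCP relay agent as parameterised in List 730.

Added example, not Barracuda code. Messages are dicts with op, hops, giaddr
and options (option code -> bytes). Option 82 handling follows RFC 3046;
mapping the reply check onto "Reply AID Mismatch Policy" is an assumption.
"""
from copy import deepcopy

AGENT_INFO = 82       # option code: Relay Agent Information
CIRCUIT_ID = 1        # sub-option carrying the agent identifier


def aid_suboption(agent_id: bytes) -> bytes:
    return bytes([CIRCUIT_ID, len(agent_id)]) + agent_id


class RelayAgent:
    def __init__(self, interfaces, server_ips, agent_id, add_aid=True,
                 aid_relay_policy="append", reply_mismatch_policy="discard", hop_limit=10):
        self.interfaces = interfaces                  # Relay Interfaces: ifname -> relay's IP on it
        self.server_ips = list(server_ips)            # DHCP Server IPs
        self.aid = aid_suboption(agent_id)
        self.add_aid = add_aid                        # Add Agent ID (AID)
        self.policy = aid_relay_policy                # AID Relay Policy: append/replace/forward/discard
        self.reply_policy = reply_mismatch_policy     # Reply AID Mismatch Policy: discard/forward
        self.hop_limit = hop_limit                    # Packet Hop Count

    def to_server(self, msg, in_ifname):
        """Client -> server. Returns (unicast destinations, message) or (None, reason)."""
        if msg["op"] != 1:
            return None, "not a BOOTREQUEST"
        if msg["hops"] >= self.hop_limit:
            return None, "hop limit reached"
        out = deepcopy(msg)
        out["hops"] += 1
        if out["giaddr"] == "0.0.0.0":                # first relay on the path records its client-facing address
            out["giaddr"] = self.interfaces[in_ifname]
        if self.add_aid:
            existing = out["options"].get(AGENT_INFO)
            if existing is None:
                out["options"][AGENT_INFO] = self.aid
            elif self.policy == "append":
                out["options"][AGENT_INFO] = existing + self.aid
            elif self.policy == "replace":
                out["options"][AGENT_INFO] = self.aid
            elif self.policy == "discard":
                return None, "already relayed by another agent"
            # "forward": keep the foreign AID untouched
        return self.server_ips, out

    def to_client(self, msg):
        """Server -> client. Returns (client-facing interface, message) or (None, reason)."""
        if msg["op"] != 2:
            return None, "not a BOOTREPLY"
        if msg["giaddr"] not in self.interfaces.values():
            return None, "giaddr is not one of ours"
        if self.add_aid and self.aid not in msg["options"].get(AGENT_INFO, b"") \
                and self.reply_policy == "discard":
            return None, "reply does not carry our agent ID"
        out = deepcopy(msg)
        out["options"].pop(AGENT_INFO, None)          # never hand option 82 to the client
        ifname = next(n for n, ip in self.interfaces.items() if ip == msg["giaddr"])
        return ifname, out
```

The giaddr check on the reply path is what keeps a relay from injecting replies meant for another relay's clients, and the default discard on a missing agent ID is what protects against forged server replies reaching the client segment through the relay.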


3.1.1 Cascading DHCP Relay Agent

Note:
Actually, the DHCP Relay Agent is not designed for cascaded use. However, if there is demand to configure multiple relay agents in a cascaded environment, consider that you must not specify the server-side interface of the cascaded ("border") relay agent in the configuration, as this will lead to conflicts.

Attention:
Cascading DHCP relay agents are to be used only if a client subnet is connected to the server-side DHCP Relay Agent.

Fig. 717 Cascading DHCP Relay with interfaces to be configured (Department LAN segment behind a Barracuda NG Firewall with DHCP Clients, DHCP Relay Agent 1 with interfaces eth1 and eth2, DHCP Relay Agent 2 with interfaces eth3, eth4 and eth5, a Client Subnet with further DHCP Clients on eth4, and the Server LAN segment with the DHCP Server behind a Barracuda NG Firewall on eth5)

The configuration itself is done in the same way as the standard configuration depicted above, except for the definition of relay interfaces.

In the example (figure 717) two client subnets are connected to the two DHCP Relay Agents 1 and 2. The interfaces listening to broadcast requests from the clients must be specified as relay interfaces in the configuration (eth1 and eth4). The server-side interface of Relay Agent 2 (eth5), which is connected to the DHCP server, must NOT be specified.



Barracuda NG Firewall 4.2.10

8 Log Viewer

1. Overview
1.1 LogGUI ........ 306

2. Functional Elements of the LogGUI
2.1 Selection Segment ........ 307
2.2 Navigation Segment ........ 307
2.3 View Segment ........ 308
2.4 Types of Log Entries ........ 308
2.5 Event Log Message Structure ........ 308
2.6 Specialities ........ 308
2.6.1 Clock Skew ........ 308
2.6.2 Dirty Block ........ 310
2.6.3 Digression: logwrapd ........ 310


1. Overview

1.1 LogGUI

The Barracuda NG Firewall LogGUI is an additional tool for retrieving individual information for specific parts of a Barracuda NG Firewall system. The output is text-based and is written systematically after an event has taken place. The output can be tailored individually to the specific needs and preferences of the administrator by use of the LogGUI.

To access the log viewer, click Logs in the box menu.

Fig. 81 LogGUI (the upper part holds the selection and navigation segment, the lower part the view segment)


2. Functional Elements of the LogGUI

The LogGUI is divided into three segments, through which a selective presentation of a log protocol is made possible.

Fig. 82 Navigation section of the LogGUI (upper part: selection segment, see 2.1; lower part: navigation segment, see 2.2 Navigation Segment, page 307)

2.1 Selection Segment

The directory displayed in the Log-module menu is divided into five logically separated types of log files which constitute the first level in the tree hierarchy.

The file tree consists of the log files in the directory /var/phion/logs/, which can also be reached on the box level.

- Box
  All the events on the box level can be found in the column Box. Various box-specific daemons are included here. These types of log files are documented with the prefix box_.
- Misc
  The segment Misc deals with logs that do not fall into a specific column. They are neither categorized as box services nor as server support or reports and do not have a prefix on the box level.
- Reports
  These types of logs on the box level, documented with the prefix rep_, include entries that are produced in continuous intervals (cronjobs).
- Fatal
  All fatal errors that can occur on a Barracuda NG Firewall are, in addition to the original log file, collected in this section. The original log file is added to the fatal log message text as a prefix.
- Services
  This part deals with log file types that deal with server support. These log files are documented with the prefix srv_.

Within the Box branch the log files are grouped by operative themes; for example, Auth contains authentication log files.

For a detailed view of a specific log out of these categories select it by double-click.

In the selection segment it is possible to delete selected log entries. Therefore, select Delete Log in the context menu of the corresponding log entry. For deleting the log cache select Clear Log Cache. This way the database is built from the ground up.

Additionally, the view of the section being presented can be restricted by explicitly entering the log input type or by filtering for a character string. The pull-down menu in the Type section is for choosing the type of log input. The number of log entries to be presented is adjusted in the segment Lines.

You are also able to filter out normal descriptive log entries of the types info and internal by selecting All_But_Info.

The character string which is to be filtered for can be entered in the Filter section. By doing so, the bordering checkbox is automatically enabled. This signifies that the filter is enabled; clear the checkbox to deactivate the filter.

For a simple and clearly arranged overview and an analysis of the individual log entries, the different entries in the logs are assigned to types. This is further explained under 2.3 View Segment, page 308.

The button Refresh updates the log tree in the selection segment.

Ticking the checkbox new Tab creates a new tab for the new log view instead of replacing the "old" one.

2.2 Navigation Segment

The date fields enable you to enter the time and date for a particular segment of a log either directly, by use of the keyboard, or by using the pull-down menu to easily reach log entries across larger time intervals.

When the desired log is marked, it is possible to thumb through the log items by using the navigation arrows:

Table 81 Navigation arrows and their function
Icon | Description
(arrow) | Browse back from the value entered for time and date
(arrow) | Browse forward from the value entered for time and date
(arrow) | Browse back from current entry
(arrow) | Browse forward from current entry
(arrow) | Browse from beginning of log
(arrow) | Browse to end of log

The button Live Update enables an update of the view segment if the log file concerned got any new entries.

From case to case, long-lasting presentation options or long-running filtering tasks can be terminated by using the Abort button.


2.3 View Segment

After a log has been selected and the navigation options (which can be time, date, type, and filter) have been set, the log entries are displayed in the view segment after one of the navigation arrows has been pressed.

The view segment window is divided into the following columns:
- Time
  This is the time when an event has taken place. The time indicator marks individual log entries.
- Type
  Shows the type of the log entry.
- TZ
  This column displays the UTC time zone offset compared to the local box time.
- Message
  Short description of the entry.

2.4 Types of Log Entries

A certain symbol is given to every log entry depending on the type of the entry. Info and Internal describe normal events, which are not associated with a symbol. Table 82 summarizes the individual types and their respective symbols.

Table 82 Log Entry types
Type | Description
Warning | Uncritical event (for example login)
Error | Event error (for example system calls, clock skew)
Fatal | System critical events
Notice | Normal system events (for example reading a configuration file)
Security | Events relevant to security (for example authorisation, login)

Type Panic, which appears extremely rarely and is excluded from table 82, marks critical events compromising the system's functionality and stability.

The meaning of a symbol cannot be related to a single event. Instead it should be regarded in relation to the log type that has been marked.

2.5 Event Log Message Structure

At a glance, event logs look the same as any other log message. However, the message text holds very important information and therefore requires a deeper look.

The following example contains a mail event log message:

Table 83 Event Log Message Attributes
Date [yyyy mm dd]: 2005 07 18
Time [hh:mm:ss]: 15:40:41
Type: Info
TZ [hhmm]: +0200

Table 84 Event Log Message ID and text
Message ID: [1071065]
Message Text: Insert Event from 127.0.0.1:12631 - (D|2|mgwext_mail|3|Mailgw-Rule|4506|Drop Recipient <e.example@barracuda.com>|bart_111)

The event content (the message text portion enclosed in parentheses above) contains the following pipe-separated fields:

(Internal flag|Layer [1-3]|Layer description|Class ID [1-3]|Class description|Type (Event ID)|Event description|Full box name)

Layer and Class are hidden fields which have originally been part of the event specification. However, the two parameters have no particular meaning that could be used for filtering and extraction purposes by a security event management tool.

Layer description denotes the originator of the event on the Barracuda NG Firewall system. In the example above the event has been generated by a service named mgwext_mail.

Class description denotes a subcomponent of the originator; in the example above the event was triggered by a mail gateway rule having handled a particular mail.

Suitable filtering criteria are layer description, type identifier (event ID), class description, and full box name.

2.6 Specialities

2.6.1 Clock Skew

Clock skews are events that describe an inconsistency in the timed recording of sequences. For example, this can occur when the system time has been changed, through which the incremental record of the time stamps in the log is disturbed.

Fig. 83 Log Sequence Number in Relation to System Time (system time plotted against the log entry sequence numbers n, n+1; marked are a backward clock skew, log query start date A and the ambiguous log query start date B)

Figure 83 shows a clock skew event in the past.
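The message layout of 2.5 and the backward clock skew that figure 83 illustrates, in runnable form as an added example (Python; not Barracuda code): it splits a LogGUI line into date, time, type, TZ, message ID and text, breaks the event body at the pipes into the fields listed in 2.5, filters on the recommended criteria, and reports positions where the time stamp runs backwards although the sequence number advances. The first sample line is the manual's example from Tables 83 and 84; the other lines are constructed, and the assumption that every line carries a bracketed message ID is the example's.

```python
"""Parser for LogGUI lines and the event message structure of 2.5, plus the
backward clock skew check of 2.6.1.

Added example, not Barracuda code. Line layout (date, time, type, TZ,
[message ID], text) follows Tables 83 and 84; the event body is split at
the pipes into the fields of 2.5. First sample line is the manual's example,
the rest are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(\d{4} \d{2} \d{2}) (\d{2}:\d{2}:\d{2}) (\w+) ([+-]\d{4}) \[(\d+)\] (.*)$")
EVENT = re.compile(r"\((.*)\)\s*$")
FIELDS = ("internal_flag", "layer", "layer_description", "class_id",
          "class_description", "event_id", "event_description", "box")

SAMPLE = """\
2005 07 18 15:40:41 Info +0200 [1071065] Insert Event from 127.0.0.1:12631 - (D|2|mgwext_mail|3|Mailgw-Rule|4506|Drop Recipient <e.example@barracuda.com>|bart_111)
2005 07 18 15:40:42 Info +0200 [1071066] Insert Event from 127.0.0.1:12631 - (D|2|mgwext_mail|3|Mailgw-Rule|4506|Drop Recipient <f.example@barracuda.com>|bart_111)
2005 07 18 15:41:03 Notice +0200 [1071067] reading configuration file
2005 07 18 15:20:00 Info +0200 [1071068] Insert Event from 127.0.0.1:12631 - (D|2|mgwext_mail|3|Mailgw-Rule|4506|Drop Recipient <g.example@barracuda.com>|bart_111)
"""


def parse_line(line):
    """Split one LogGUI line into its attributes; None for lines of another shape."""
    m = LINE.match(line)
    if not m:
        return None
    date, clock, ltype, tz, msg_id, text = m.groups()
    sign = -1 if tz[0] == "-" else 1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    stamp = datetime.strptime(f"{date} {clock}", "%Y %m %d %H:%M:%S").replace(tzinfo=offset)
    record = {"timestamp": stamp, "type": ltype, "msg_id": int(msg_id), "text": text, "event": None}
    body = EVENT.search(text)
    if body:
        parts = body.group(1).split("|")
        if len(parts) == len(FIELDS):                  # accept only well-formed event bodies
            record["event"] = dict(zip(FIELDS, parts))
    return record


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def select(records, **criteria):
    """Filter on the event fields 2.5 recommends (layer_description, event_id, class_description, box)."""
    return [r for r in records
            if r["event"] and all(r["event"].get(k) == v for k, v in criteria.items())]


def clock_skews(records):
    """Positions where the time stamp runs backwards although the sequence number advances."""
    return [i for i in range(1, len(records)) if records[i]["timestamp"] < records[i - 1]["timestamp"]]
```

On the sample, the fourth line is the backward skew: its message ID is higher than the third line's, but its time stamp is earlier, which is exactly the situation that makes a log query start date ambiguous.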


The leap in system time (indicated as a red vertical bar) results in the recording of sequence pairs in the log file which show the same time stamp.

For this reason, if you start to browse the log from an inconsistent starting point (log query start date B, see the question mark in figure 83), it is ambiguous which starting point is meant.

Hence a popup window will appear that lets you choose the log query start date in order of the chronological occurrence of the clock skew entries in the corresponding log.

2.6.1.1 Analysing Clock Skew Entries in Log Files

This overview is meant to explain the cause of the most frequent clock skew entries produced by dstats/dstatm. Particular regard is paid to those messages generated in dirty situations.

Dstats and dstatm search for clock skews on every daily start-up of the service. The log file entries they produce relate to the following processes:
- clock skew detection
- synchronisation of the actively configured polling list and the database
- reasons for service start-up abortion
- synchronisation between the local copy of the HA database (which has been mirrored during the last HA sync) and the current database of the HA partner
- Furthermore, dstats searches for files which are outdated due to a clock skew and should have been deleted according to the configuration file. If the checking routine fails, manual action has to be taken (see 4.2.2 Manual Correction for Time Preference, page 319).

Some of the errors described below might produce an additional log file entry like "Comment / MAIN ADMIN action required!!!". The reason for such a message is that the main task is not running. Whenever you encounter it you might have to restart the task manually.

Some of the malfunctions described in the following might additionally produce an entry in the CC control > Stat Collect tab. In case the value of these entries is "INTERNAL ERROR" please contact your sales partner or Barracuda NG Firewall support.

2.6.1.2 Log File Entries related to Clock Skew Detection

Table 85 Log file entries related to clock skew detection
Log (Type/Message) | Corresponding content of BerkeleyDB header | Reason
"Info / MAIN no clock skew detection (initial)" | LastRun 0, LastStart 0 | A clock skew cannot be detected because it is assumed that dstatm is either running for the first time or it has never run successfully.
"Error / *** Unresolvable clock skew detected ***" | LastRun <timestamp>, today <timestamp> | HASync is active: the current system time is behind the time of the LastRun header field in the BerkeleyDB. Clock skew detection fails because of inconsistencies in time settings. HASync is not active: the current system time is either behind or more than two days ahead of the time of the LastRun header field in the BerkeleyDB. Clock skew detection fails because of inconsistencies in time settings.

2.6.1.3 Log File Entries related to Synchronisation of Polling List and Database

Table 86 Log file entries related to synchronisation of polling list and database
Log (Type/Message) | Reason
"Error / MAIN cannot sync box state with configuration: <specific error message>" | Eventually the configuration cannot be read. The configuration of the polling list cannot be synchronized with the database.
"Error / MAIN cannot save state db: <specific error message>" | The configuration of the polling list cannot be synchronized with the database.

2.6.1.4 Log File Entries related to Service Start-up Abortion

Table 87 Log file entries related to service start-up abortion
Log (Type/Message) | Reason
"Fatal / MAIN is disabled!"; "Comment / MAIN ADMIN action required!!!" | Main is in state DISABLED.
"Notice / MAIN trying to recover from <current_state> state" | Main is not in state CLEAN. If the field 'main task' has been set to STOPPED it will now be reset to IDLE. It is assumed that the problem has been solved and normal operation can be continued.

2.6.1.5 Log File Entries related to Synchronisation between HA Databases

Scenarios which will stop task MAIN:

These scenarios will produce an additional log file entry "Comment / MAIN ADMIN action required!!!". Checking the state of task MAIN is required.

Table 88 Log file entries related to synchronisation between HA databases - Scenarios which will stop task MAIN
Log (Type/Message) | Reason
"Error / MAIN sync state dirty!" | HASync is active but the sync state file is DIRTY.
"Warning / MAIN ha entry: activity state changed to disabled" | HASync is not active but the database entry for the HA partner has not been set to DISABLED.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



Table 88 Log file entries related to synchronisation between HA-databases - Scenarios which will stop task MAIN (continued)
Log (Type/Message) | Reason
"Info / MAIN ha state db not available, assuming initial" | HASync is active but the database of the HA-partner is not available. It is assumed that the HA-partner has never been active and thus has no "state" which it could have negotiated during the HASync. The database of the HA-partner will contain the comment entry "no state present, assuming initial".
"Error / MAIN cannot load HA state db: <specific error message>" | HASync is active but the database of the HA-partner, though available, is not readable.
"Error / MAIN HA state db out of date" | HASync is active and the database of the HA-partner is available. There are time inconsistencies in the LastStart header fields of the BerkeleyDBs though, which means the LastStart header field in the own BerkeleyDB is younger than the one in the HA-partner's DB. Furthermore, the DB header field LastRun does not reflect the current day. The database of the HA-partner is obsolete. A data inconsistency is most likely. As an automated troubleshooting is not possible in this case, a manual check has to be undertaken. Possible scenario: The active HA-partner has crashed during HA-synchronisation. The following log entry could be expected in this case (see next entry below):
"Info / MAIN HA state db out of date? Assuming block and restart scenario" | HASync is active but the ActivityState of the HA-Partner is DISABLED.
"Warning / MAIN HA sync enabled although HA box is disabled" | HASync is active but the ActivityState of the HA-Partner is DISABLED.
"Fatal / AIN HA takeover in inconsistent state!" | HaSync is active but the HA-partner is not in state CLEAN.
"Warning / MAIN ha entry: activity state changed to disabled" | HaSync is not active but the HA-partner state is not DISABLED.
"Error / MAIN session state unknown, going to stop!", "Error / MainLoop - main task UNKNOWN" | The state of MAIN could not be determined during start-up.
"Error / MAIN cannot sync poll state, going to stop!", "Error / MainLoop - main task poll_pending" | Synchronisation of configured polling list and database is not possible (compare to 2.6.1.3 Log File Entries related to Synchronisation of Polling List and Database).
"Error / MAIN internal error <error_num>", "Error / MainLoop - main task poll_pending" | A system related error has occurred during polling (for example missing system resources).

Scenarios which will not stop the task MAIN:

The errors described below will not stop task MAIN because there will be no indication that data on the (local) MAIN has been damaged. Take into consideration that on the other hand data on the HA-partner could be in an inconsistent mode.

In case the synchronisation is not successful, the current try is given up and the MAIN task is reset to 'sync_await'. When the maximum allowed number of retries is exceeded, the main status changes to 'await_daybreak'. The database will not be synchronized with the HA-partner. Manual action will be necessary to solve the problem.

Table 89 Log file entries related to synchronisation between HA-databases - Scenarios which will not stop task MAIN
Log (Type/Message) | Reason
"Error / MAIN local compression cooking done with error %d, going to stop!", "Error / MainLoop - main task cook_pending" | Cooking of statistics files could not be completed.
"Error / MAIN cannot write HA sync file", "Error / MainLoop - main task sync_pending" | The HA sync file could not be written. Check for a previously created HA sync file which possibly could not be overwritten. Check for HDD errors. Restart dstatm.
"Error / MAIN HA sync done with error <error_num>", "Comment / MAIN could not start sync process" | The sync-process cannot be started.
"Error / MAIN HA sync unsuccessful (try <retry_count>)" | The HA synchronisation has failed. Prior error messages are to be analyzed to solve this problem.

2.6.2 Dirty Block

It is possible that corrupt entries are taken to a log. "Corrupt" in this case means that the log entry does not conform with the expected log entry format. These entries are called dirty blocks.

There are different circumstances which can lead to dirty block entries. Examples could be unsuitable timestamp formats due to a wrong version of the network time protocol daemon (ntpd) or the recording of binary data, where a timestamp is completely missing. Such entries are indicated and shown as dirty blocks in the view segment area.

2.6.3 Digression: logwrapd

The directories relevant for recording events can be found in /var/phion/logs/ and /var/phion/logcache/ on the box level. In addition, there are directories for every segment (Range), named after the client number.

The files found in the directory /var/phion/logcache/ with the extension LAF (Log Access File) are structure authorities that are produced in a cycle and continually updated. They are used to raise log file interrogation performance.

The box daemon logwrapd is responsible for handling logs and LAF structures, just like log cycling, detection of clock skews, and dirty blocks.

Attention:
Logs and LAF-structures in the above mentioned directories are not to be renamed, erased or manipulated.
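The two checks on log data that the section above attributes to logwrapd, dirty block detection (2.6.2) and clock skew detection (2.6.1), as an added Python example. This is not code from the page or from Barracuda: the line format "<timestamp> <Type> / <Message>", the constructed sample log and the names scan_log, parse_line and clock_skew are assumptions made for the example; the skew rule itself (clock behind, or more than two days ahead of, the last recorded time) is the one stated in the clock skew table above.

```python
import re
from datetime import datetime, timedelta

# Assumed line format for this example (not the box's actual log format):
# "<YYYY-MM-DD HH:MM:SS> <Type> / <Message>", mirroring the "Type / Message"
# pairs quoted in the tables above.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) / (.*)$")

# Rule from the clock skew table: a clock that runs behind, or more than two
# days ahead of, the last recorded time counts as skewed.
MAX_AHEAD = timedelta(days=2)

# Constructed sample log. Lines 3 and 4 are dirty blocks (unsuitable timestamp
# format, binary data without timestamp); lines 6 and 7 show clock skews.
SAMPLE_LOG = (
    "2009-10-15 06:00:01 Info / MAIN starting daily run\n"
    "2009-10-15 06:00:02 Notice / MAIN trying to recover from STOPPED state\n"
    "Oct 15 06:00:03 Info / MAIN timestamp in an unsuitable format\n"
    "\x00\x01\x02 binary payload without any timestamp\n"
    "2009-10-15 06:00:04 Warning / MAIN ha entry: activity state changed to disabled\n"
    "2009-10-14 23:59:59 Info / MAIN written after the clock went backwards\n"
    "2009-10-18 07:00:00 Info / MAIN written after the clock jumped ahead\n"
)


def parse_line(line):
    """Return (timestamp, type, message), or None when the line is a dirty block."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:  # e.g. 2009-02-30 passes the regex but is not a real date
        return None
    return ts, m.group(2), m.group(3)


def clock_skew(previous, current):
    """Classify the step from the previous to the current timestamp:
    'behind' when the clock went backwards, 'ahead' when it jumped more than
    MAX_AHEAD forward, otherwise None (no skew)."""
    if current < previous:
        return "behind"
    if current - previous > MAX_AHEAD:
        return "ahead"
    return None


def scan_log(text):
    """Scan a log text; return the dirty blocks, the detected clock skews and
    the number of well-formed entries."""
    dirty, skew, entries = [], [], 0
    last_ts = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            dirty.append((lineno, line))
            continue
        ts, _type, _message = parsed
        entries += 1
        if last_ts is not None:
            kind = clock_skew(last_ts, ts)
            if kind:
                skew.append((lineno, kind))
        last_ts = ts
    return {"dirty": dirty, "skew": skew, "entries": entries}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for lineno, line in report["dirty"]:
        print(f"dirty block at line {lineno}: {line[:40]!r}")
    for lineno, kind in report["skew"]:
        print(f"clock skew ({kind}) detected at line {lineno}")
```

The skew check compares consecutive entries, which is what a viewer can do without access to the BerkeleyDB header fields the dstats check uses; a real check would compare against the stored LastRun value instead of the previous line.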


9 Statistics

1. Overview
1.1 Box Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
1.2 Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

2. Operation of the Statistics Module


2.1 Time Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
2.1.1 Control Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
2.1.2 Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
2.2 Top Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
2.2.1 Control Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
2.2.2 Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

3. Configuration
3.1 Service Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

4. Advanced Topics
4.1 Cooking of Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
4.2 Dealing with a Box in the "Future" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
4.2.1 Self-healing for Quantitative Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
4.2.2 Manual Correction for Time Preference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
4.2.3 Further Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320


1. Overview

The Barracuda NG Firewall statistics module raises a multitude of statistical data reflecting box and server processes, such as disk utilisation, processor load, and traffic generation.

The following services are responsible for handling of statistics data:

Table 91 Services responsible for statistics files handling
Service | Responsibility
cstatd | Collection of statistics files.
qstatd | Handling of statistics queries, like display of statistics files contents in the statistics viewer.
dstats (statcook daemon) | Validation and "cooking" (which means compression) of statistics files. Utility run by cron as daily job. Recognizes corrupted statistics files and prevents their collection by cstatd and dstatm. Available on both self-managed systems and Barracuda NG Control Centers.
dstatm | CC specific service. Collection of statistics files from CC-administered boxes (Barracuda NG Control Center, 9. CC Statistics, page 461).
qstatm | CC specific service. Handling of statistics queries, display of statistics files contents in the statistics viewer on the Barracuda NG Control Center (Barracuda NG Control Center, 9. CC Statistics, page 461).

To access the Statistics viewer, click Statistics in the box menu of the graphical administration tool Barracuda NG Admin.

Note:
Collection of statistics by cstatd is not included in all licenses. If statistics records are unavailable, check your license coverage.

Fig. 91 Statistics user interface (labels: Control field, Viewing field, Statistics file list)

As shown in figure 91, the statistics window user interface is divided into two areas, a Control and a Viewing field.

In the Control field, statistics file and various display options may be selected for display in the Viewing field. Double-click a folder to expand the statistics file list. Double-click a statistics file to select it for display.

Note:
Always click the Show button after having defined viewing options in order to display the statistics file analysis.

To delete statistics files, select a folder in the Statistics file list, then right-click and select Delete Statistics from the context menu.

Generally, data originates from two sources:
• System resources
• Operative service data

The statistical raw data is registered according to time, connection, or a combination of both. Statistical data containing time information is defined as time data (which means timed statistics), whereas connection based data is defined as top data or top statistic.

Fig. 92 Tree structure of the Statistics module

1.1 Box Statistics

The different box resources recorded are:
• cpu (Time)
The CPU load x 100 is displayed in the graphic. The CPU load is an equivalent and has no unit. For example, on a single processor machine CPU load 1 states that a given process utilizes the whole processor. The equivalent on a dual processor machine is CPU load 0.5, which means a given process utilizes half of the available CPUs.
• cputime
The amount of CPU time needed for running or completed processes is displayed. The unit is a millisecond per second.

• disk
Status of available disk space (filling degree) of the single partitions, available as byte and as percentage statistic.
• fdesc
Number of file descriptors per Barracuda NG Firewall box or server process
• mem
Main memory capacity in bytes per Barracuda NG Firewall box or server process
• net
Net transfer statistic (in/out) per network interface in bytes, packets and the number of errors of the configured network interface.
• proc
Number of current box and server processes
• sock
Number of open sockets per box or server process

1.2 Server Statistics

Server statistics are recorded as transfer capacity (byte statistic), the number of connections handled (conn statistic) and number of open connections (open-conn statistic). Which of these statistic types are actually recorded depends on the specific service type. Also, the detailed structure of the service statistic tree depends on the type of service.

The statistic types in detail:
• byte (Time for Dst)
Time statistic by means of bytes transferred for a certain destination address
• byte (Time for Src)
Time statistic by means of bytes transferred for a certain source address
• byte (Time)
Time statistic by means of bytes transferred
• byte (Top Dst)
Top statistic by means of bytes transferred for a certain destination address
• byte (Top Src-Dst / Dst-Src)
Top statistic by means of bytes transferred for a certain pair of source and destination address
• byte (Top Src)
Top statistic by means of bytes transferred for a certain source address
• conn (Time for Dst)
Time statistic of the number of connections to a specific destination
• conn (Time for Src)
Time statistic of the number of connections from a specific source
• conn (Time)
Time statistic of the number of connections
• conn (Top for Dst)
Top statistic of the number of connections to a specific destination
• conn (Top for Src)
Top statistic of the number of connections from a specific source
• conn (Top for Src-Dst / Dst-Src)
Top statistic of the number of connections for a specific pair of source and destination addresses
• open-conn (Time)
Number of open connections

2. Operation of the Statistics Module

2.1 Time Statistics

2.1.1 Control Field

The following values may be adjusted in the Control field related to viewing of statistics files of type Time:

Fig. 93 Control field for type Curve with time axis

List 91 Control field for type Curve with time axis, section Options
Parameter | Description
Statistics Type | Defines the display mode of the graph. Available selections are: Curve with time axis; Bars with time axis
Filter | Depending on the statistics type either a source or a destination address has to be specified. The format of these addresses depends on the Barracuda NG Firewall service type and is equivalent to the corresponding Top statistic.
Clear button | Clicking this button clears the Filter field.
Show | Checkboxes to the right of the Show label define display of minimum, maximum and/or average values. Min (minimum) - When selected, a green curve for the lowest value within the selected time interval is displayed. Max (maximum) - When selected, a red curve for the highest value within the selected time interval is displayed. Average - When selected, a black curve for the calculated average value within the selected time interval is displayed.

List 91 Control field for type Curve with time axis, section Options (continued)
Parameter | Description
Show button | Clicking this button generates the statistics analysis. To open the report in a new tab instead of overwriting currently displayed content, select the New tab checkbox prior to clicking the Show button.
History | Clicking this button opens the Statistics History window, which lists all analyses that have been executed during the current Barracuda NG Admin session. Double-click a report in the list to open it anew. Alternatively, browse through all available reports by clicking the arrow buttons to the right of the History button.

List 92 Control field for type Curve with time axis, section Time Interval - Curves (for Statistics Type: Curve with time axis)
Parameter | Description
From | Start time for the analysis on a specific day.
To | End time for the analysis on a specific day.
Day | Start and end date of the analysis.
Bin / Coarse | The Bin value represents the density of the graph. Select the Coarse checkbox to reduce density and to smoothen the curve. Lower graph density is suitable for survey of long observation periods.
Today | Sets the analysis period to the current date.
Same Day | Sets the analysis period to the selected start date.
Single Day | Sets the analysis period to the selected start date.
Arrow buttons | Shift the analysing period to an earlier or later time interval following the configured settings in the From, To and Day fields.

List 93 Control field for type Curve with time axis, section Time Interval - Bars (for Statistics Type: Bars with time axis)
Parameter | Description
Year / Month / Day | Checkbox selection and insertion of appropriate date values into the fields below sets the analysing period to the corresponding interval.
Today | Sets the analysis period to the current date.
Arrow buttons | Shift the analysing period to an earlier or later time interval following the configured settings in the From, To and Day fields.

2.1.2 Graphs

Time statistics analyses can be displayed as curves or bars with a time axis.

• Curve with time axis
To display statistics files as curves, select Curve with time axis from the Statistics Type list and click the Show button.

Fig. 94 Curve type

With appropriate selection (see Min, Max, Average checkboxes), three curves for minimum (green), maximum (red), and average (black) values will be displayed.

To detail a part of the analysis, left-click the starting point of the new interval, drag the cursor through the window and release the mouse button at the interval's end point.

Fig. 95 Time Interval selection

Right-click the selected area to open the related context menu and click Show selected interval to display the new time interval in detail.

In the newly opened view, right-click anywhere, then click Show next interval in the context menu to display the statistics details following the previously shown time interval. Note that clicking this option influences the time values in the Time Interval section within the Control field (see above).

• Bars with time axis

Fig. 96 Bar type

Bars with accumulated statistical data may be generated by day, month, or year. Again, with appropriate selection and availability of data (see Min, Max, Average checkboxes), bars will be divided into three parts for indication of minimum (green), maximum (red), and average (blue) values.


2.2 Top Statistics

Top statistics are always displayed as bars in the statistics module.

Top statistics show values (bytes or number of connections) and the corresponding connection information (source and/or destination address) in a sorted manner.

2.2.1 Control Field

Options for top file types can be set in this field.

The observation period is subdivided into the actual day (today), date of past day, week, and month. The existence of week and month instances depends on the configuration of the statistics daemon by means of the Barracuda NG Admin configuration module.

After an option has been changed, the Show button must always be clicked in order to activate the setting options.

Fig. 97 Control field (label: Display of corresponding URLs)

Section Options
• Statistics type
For the top file types, there is only the Top list statistic type.
• Src Filter
In this box, character strings can be entered, according to which IP address, port and protocol are to be filtered. Wildcards ? and * can be used.
• Clear
Button for resetting the Src filter.
• Show
There is no minimum, maximum or average for top statistics.
• Show button
The options that have been set are activated by a left mouse click.
• History
Via this button a dialog is opened containing the last statistics displays and their settings. By clicking on the arrow buttons, previously set options are displayed.

Section Top List
• instances
Options window for observation period. An individual instance can be selected by means of the left mouse button (day, month, or year). Several instances can be selected with STRG (Ctrl) + left mouse button or with shift + left mouse button.
• Maximum Number shown
Input box for determining the number of bars that are to be displayed.

2.2.2 Graphs

Fig. 98 Example for Top list statistics


3. Configuration

The range of statistics files that may be viewed in the Statistics viewer depends on settings for:
• Statistics generation by each service (Configuration Service, List 390 Service Configuration - Statistics, section Statistics Settings, page 97). Default settings provide that all services generate statistics.
• Configuration of the Statistics daemon (see 3.1 Service Configuration).

3.1 Service Configuration

Fig. 99 Configuration dialog - Statistics - Statistics Cooking

The statistics package represents an integral part of the Barracuda NG Firewall box infrastructure and consists of two box services (cstatd and qstatd) as well as a utility program (dstats), which is regularly invoked by cron.

The utility dstats coarsens the time resolution of accumulated statistical data according to configurable rules, and if specified eventually removes statistics files when they are no longer needed. In this latter regard it is related to the log file management utility logstor.

Note:
Both utilities need to be invoked. Default settings provide that both utilities are run as daily cronjobs by the cron daemon.

To open the Statistics Daemon Configuration, in the box menu click Config, and then double-click Statistics (accessible through Box > Infrastructure Services).

The following configuration options are available:

Statistics General view

List 94 Infrastructure Services - Statistics, General section, Global Settings
Parameter | Description
Corrupted Data Action | This option defines the action dstats executes when it recognizes a corrupted DB file. The following options are available: Delete - deletes the corresponding DB file (default). Archive - moves the DB file to a lost+found directory. Note: Recognising a corrupted data file always triggers the event Corrupted Data File [150]. Attention: Regardless of the configured action, a corrupted data file which prevents cstatd from actually collecting statistics is always removed. Beside the event Corrupted Data File [150] the following log file entries are written: Fatal "Watchdog: SIGSEGV detected"; Fatal "CSTAT: DoCleanup"; Fatal "Remove corrupt stat file: /var/phion/stat/_filename_"; Fatal "CSTAT: DoCleanup finished"
Disc Write | This option defines the statistics data types that should be recorded and written to the harddisk. The following options are available: On (default) - Box and Server statistics are written to disk; Off - No statistics are written to disk; Box_only - Only box statistics are written to disk; Server_only - Only server statistics are written to disk
Skip Null Stats | This parameter steers the behavior of cstat concerning 0 byte or 0 connection statistics. When set to yes (default: no), empty statistics files will be omitted when writing to the harddisk.
Query Process Priority | In case of high CPU load during statistical queries this parameter allows decreasing process priority (range 0 (highest) - 19 (lowest); default: 8).

Statistics Cooking view

List 95 Box Services - Statistics Cooking, section Statistic Cooking, section Cook Settings
Parameter | Description
In this section it may be defined how dstats should handle specific data types.
Settings for | In this field, select the software module to whose statistics data the settings below should apply. In the list, all software modules with appropriate default configuration are available that generate statistics data. Optionally, Pattern-Match may be selected to define a file pattern that should apply for cooking of statistics data. Selecting Pattern-Match enables the Directory Pattern field below, which expects insertion of an applicable file pattern.
Directory Pattern | Pattern-Match settings apply to statistics files available in sub-folders of /var/phion/stat. Patterns may be specified by either inserting full folder names or by using wildcards (? and *), in which the question mark wildcard (?) stands for a single character and the asterisk wildcard (*) stands for an arbitrary number of characters. Attention: Generally, there is no need to make use of directory patterns when specifying cooking settings, as the default settings suffice most needs. If you do use directory patterns, make sure that they do not interfere with the module settings configuration. For a specific data type always use EITHER module OR directory pattern settings. dstats works through the configured instances successively, and will omit directory patterns that apply to directories it has already processed. Additionally, for clearly arranged management, place directory patterns at the end of the configuration file. Example pattern: To include all statistics files starting with "conn" generated by the VPN services running on servers s1 and s2, insert the following pattern structure. Actual file structure: /var/phion/stat/0/server/s1/vpn/conn<xxx> and /var/phion/stat/0/server/s2/vpn/conn<xxx>. Directory pattern: */server/s?/vpn/conn*. Attention: Avoid too openly defined patterns spanning multiple folders, such as */server/*/*. If you do use patterns spanning multiple folders, be aware of their implication and always position them at the list bottom.

List 96 Statistic Cooking, section Type: Time
Parameter | Description
Note: Options in this section apply to Time statistics only (like byte (Time for Dst), conn (Time for Src), ...).


List 96 Statistic Cooking, section Type: Time (continued)
Parameter | Description
Resolution 1h after (Days) | Number of days after which the granularity of statistics data of type time should be increased to one hour. Data more recent than the inserted number of days will not be affected.
Resolution 1d after (Days) | Number of days after which the granularity of statistics data of type time should be increased to one day. Note: The period between cooking from hour to day granularity has to be 2 days minimum. If set to 1 day it will result in a summary offset for hourly granularity of 0 days per instance. This will lead to an error message in the dstat log file similar to the following: Cannot create, file byte.hour_tot<cookInstStartTS> exists already.
Delete Data after (Days) | Number of days after which statistics data of type time should be deleted.

List 97 Statistic Cooking, section Type: Top
Parameter | Description
Note: Options in this section apply to Top statistics only (for example byte (Top Dst), conn (Top Src), ...).
Condense Data after (Days) | Number of days after which statistics data of type top should be merged into larger temporal bins. Data more recent than the inserted number of days will not be affected.
Delete Data after (Days) | Number of days after which statistics data of type top should be deleted.
Resolution | Available resolutions are weekly and monthly. Settings trigger data rearrangement so as to be representative of an entire week or a month. Attention: It is recommendable to change this parameter only as long as the system is not productive. Thoughtless modifying may cause imprecise visualisation in the statistics viewer due to incomplete cook instances.

Statistic Transfer view

List 98 Statistic Transfer, Transfer Settings
Parameter | Description
Note: This section is only available if the box is CC-administered. Configuration is required in context with collection of statistics files by the CC Statistics Collector service (dstatm) running on the Barracuda NG Control Center. For a description of configuration options, see Barracuda NG Control Center, 9.4 Transfer Settings, page 465.

Calculation of cooking and deletion offsets:

Local compression cooking and deletion are configured separately for Time and Top statistics by providing the earliest point in time when an action (cooking or deletion) should be performed. These points in time are specified incrementally as number of days in the past.

Example:
On October 15, an offset of 5 means that file instances from an earlier date than October 9 through October 9 should be processed. File instances from October 10 through October 14 (which indicates an offset of 5 days) and additionally October 15 should remain uncooked.

Time statistics may be cooked in a 2-level approach: In the first level cooking granularity is increased to 1 hour, in the second to a full day. The second level can only be enabled if the first is enabled, too. It is intended for providing the data for long-term trends, for example data for disk utilisation. The number of days that will be stored within a single cook instance is calculated out of the specified offsets.

For Top statistics only a one-level approach is available, because the additionally attainable factor of compression is primarily data-dependent and cannot be estimated reliably. Cooking granularity may be either weekly or monthly.

Deletion of obsolete file instances is as well controlled by offset specification.

Note:
These offsets determine when statistics data is obsolete, and they are used for calculation of cooking parameters.

On the other hand, cooking offsets imply the offset when raw data files become obsolete and can be deleted. See figure 910 to understand the relationship between configuration parameters.

The length of a cooking instance can be calculated using the equation [(cook1 TS - cook2 TS)-1] * 2.

Fig. 910 Event chain of a cooking instance (figure; recoverable labels: raw daily files with time stamp TS, today = 29.10.; cook1 TS = today - 14 (parameter Resolution 1h after (Days)); cook2 TS = today - 30 (parameter Resolution 1d after); delete TS = today - 60 (parameter Delete Data after); delete raw data = cook1 TS - 2; cook1 instances 03.10.-14.10. (incomplete) and 18.09.-02.10. (complete); cook2 instance 20.08.-17.09. (complete); raw files shown: 29.08., 30.08., 28.09., 29.09., 12.10., 13.10., 14.10., 15.10., 29.10.)
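An added Python model of the cooking configuration described in List 95 and List 96 and in the offset calculation above; this is not Barracuda's code and not the dstats implementation. resolve_instances walks the configured cook instances in order and omits a later instance for directories an earlier one has already processed, which shows why a broad directory pattern belongs at the list bottom; CookSettings.state_on applies the offset rule from the October 15 example and the 2-day minimum between hour and day granularity. The directory tree, the module names, BROAD_SETTINGS and all function and class names are assumptions made for the example; the VPN_SETTINGS offsets are the values of figure 910; pattern matching uses Python's fnmatch with the ? and * semantics of List 95.

```python
from datetime import date
from fnmatch import fnmatchcase

STAT_ROOT = "/var/phion/stat"   # statistics tree named on the page


def pattern_matches(path, pattern):
    """Directory Pattern semantics of List 95: ? is one character, * any
    number of characters. Paths are given relative to STAT_ROOT."""
    return fnmatchcase(path, pattern)


class CookSettings:
    """Cooking and deletion offsets for Time statistics (List 96), in days in the past."""

    def __init__(self, res1h_after, res1d_after=None, delete_after=None):
        # List 96: the period between hour and day granularity has to be 2 days minimum
        if res1d_after is not None and res1d_after - res1h_after < 2:
            raise ValueError("Resolution 1d after must be at least 2 days beyond Resolution 1h after")
        self.res1h_after = res1h_after
        self.res1d_after = res1d_after
        self.delete_after = delete_after

    def state_on(self, today_iso, file_day_iso):
        """State of the daily file dated file_day when dstats runs on today:
        'deleted', 'day' (1-day bins), 'hour' (1-hour bins) or 'raw'.
        Rule taken from the page's example: an offset of N on day D processes
        files dated before D - N (October 15, offset 5: October 9 and earlier)."""
        age = (date.fromisoformat(today_iso) - date.fromisoformat(file_day_iso)).days
        if self.delete_after is not None and age > self.delete_after:
            return "deleted"
        if self.res1d_after is not None and age > self.res1d_after:
            return "day"
        if age > self.res1h_after:
            return "hour"
        return "raw"


def resolve_instances(instances, directories):
    """Walk the configured cook instances in order, as the page says dstats does.

    instances:   ordered list of ((kind, value), CookSettings) with kind
                 "module" (value = module name) or "pattern" (value = pattern)
    directories: list of (path relative to STAT_ROOT, producing module)
    Returns (applies, skipped): applies maps each directory to the index of
    the first instance that matched it; skipped lists (index, directory)
    pairs a later instance matched but had to omit because the directory
    was already processed."""
    applies, skipped = {}, []
    for idx, ((kind, value), _settings) in enumerate(instances):
        for path, module in directories:
            hit = module == value if kind == "module" else pattern_matches(path, value)
            if not hit:
                continue
            if path in applies:
                skipped.append((idx, path))
            else:
                applies[path] = idx
    return applies, skipped


# Constructed directory tree below STAT_ROOT; the module names are assumptions.
DIRECTORIES = [
    ("0/box/cpu", "box"),
    ("0/server/s1/vpn/conn_tot", "vpn"),
    ("0/server/s2/vpn/conn_tot", "vpn"),
    ("0/server/s1/fw/byte_tot", "firewall"),
]

VPN_SETTINGS = CookSettings(res1h_after=14, res1d_after=30, delete_after=60)  # figure 910 values
BROAD_SETTINGS = CookSettings(res1h_after=5, delete_after=20)                 # constructed


def pattern_last():
    """Recommended order: module settings first, the broad pattern at the list bottom."""
    return resolve_instances(
        [(("module", "vpn"), VPN_SETTINGS), (("pattern", "*/server/*/*"), BROAD_SETTINGS)],
        DIRECTORIES)


def pattern_first():
    """Discouraged order: the broad pattern claims the vpn directories first, so
    the module settings meant for them are never applied."""
    return resolve_instances(
        [(("pattern", "*/server/*/*"), BROAD_SETTINGS), (("module", "vpn"), VPN_SETTINGS)],
        DIRECTORIES)


if __name__ == "__main__":
    for label, (applies, skipped) in (("pattern last", pattern_last()), ("pattern first", pattern_first())):
        print(label, {f"{STAT_ROOT}/{p}": i for p, i in applies.items()}, "skipped:", skipped)
    for day in ("2009-10-09", "2009-10-10", "2009-10-15"):
        print(day, CookSettings(res1h_after=5).state_on("2009-10-15", day))
```

With the pattern first, both vpn directories end up with BROAD_SETTINGS and the vpn module instance is reported as skipped; with the pattern last, the vpn directories keep their module settings and the pattern only picks up the remaining server directories, which is the ordering the Attention note in List 95 asks for.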


4. Advanced Topics

4.1 Cooking of Statistics

The following chapter explains a feature that can only be understood with some deeper insight into the statistics module.

Figure 911 shows firewall connection time statistics, reaching from March 08 to March 16, with minimum and maximum values enabled. As we can see, there are no minimum and maximum values available for March 08 to 10. Querying the same time statistics starting with March 09 (figure 912) results in minimum and maximum values on March 09 and 10. This is not an error in the statistics module, but can be explained by examining the data instances used to satisfy a request. Furthermore, this scenario can only occur for transfer rates (bytes or connections per time unit).

Fig. 911 Timed connection statistics starting at 08.03.

Statistical data is stored in separate file instances. The collected data with the highest time resolution is stored in daily files containing one day per file (raw data). After some time the data may be compressed to a time resolution of one hour and stored in files that contain multiple days (cooked data). The number of days stored in a compressed (cooked) instance depends on the specific configuration settings. It is important to note that such a cooked instance does not contain minimum and maximum values, because at this resolution they are of no significance.

For the given firewall service, the full time resolution is only available for March 09 and later; before this date, time statistics are compressed. This is the reason for the divergence mentioned above. The query in figure 911 uses the cooked data for March 08 to 10 and covers the remaining days with raw data. Minimum and maximum values are available from the first raw data instance used, which is March 11. The statistics module can execute the query in figure 912 with raw data files only, and thus presents minimum and maximum values over the whole time interval.

Fig. 912 Timed connection statistics starting at 09.03.
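The offset rule from the cooking example above and the data-instance selection described in this section, as an added example that is not code from the Barracuda NG Firewall or its documentation. The dates and file sets are constructed; the raw-deletion rule follows the figure's "delete raw data = cook1 TS - 2", and the assumption that a chosen cooked instance serves all of its days that fall into a query is what reproduces the missing minimum/maximum values of figure 911:

```python
"""Cooking offsets and data-instance selection for a statistics query.

Added example; not part of the Barracuda NG Firewall documentation or code.
It models the rules stated on this page: an offset of N days means that on
the current day every daily raw file dated (today - N - 1) or earlier is
processed, while the last N days plus today stay raw; raw data is deleted two
days after it was cooked ("delete raw data = cook1 TS - 2"); a query is
answered from raw daily files where they exist and from the cooked instance
covering the day otherwise, and only raw instances carry minimum/maximum
values. Dates and file sets below are constructed; real file names are not
modelled.
"""
from datetime import date, timedelta

def day_of(month, day, year=2010):
    """Constructed calendar helper for the examples (the year is arbitrary)."""
    return date(year, month, day)

def cook_boundary(today, offset_days):
    """Latest file date that an offset of `offset_days` processes on `today`."""
    return today - timedelta(days=offset_days + 1)

def classify_raw_files(today, raw_days, cook_offset):
    """Split daily raw files into kept raw, cooked now, and raw copy deleted
    (deletion lags cooking by two days, as in the figure)."""
    cook_until = cook_boundary(today, cook_offset)
    delete_until = cook_boundary(today, cook_offset + 2)
    groups = {"keep": [], "cook": [], "delete": []}
    for day in sorted(raw_days):
        if day <= delete_until:
            groups["delete"].append(day)
        elif day <= cook_until:
            groups["cook"].append(day)
        else:
            groups["keep"].append(day)
    return groups

def plan_query(start, end, raw_days, cooked):
    """Return [(day, source, has_min_max)] for every day of a query.

    raw_days: set of dates that still have a raw (1-day, full resolution) file.
    cooked:   list of (first_day, last_day) ranges of cooked (1-hour) instances.
    A cooked instance, once chosen for a day without raw data, serves all of
    its days that fall into the query; that is why a query starting on a cooked
    day loses min/max even for days that still have a raw file.
    """
    plan, day = [], start
    while day <= end:
        if day in raw_days:
            plan.append((day, "raw", True))
            day += timedelta(days=1)
            continue
        inst = next(((a, b) for a, b in cooked if a <= day <= b), None)
        if inst is None:
            plan.append((day, "missing", False))
            day += timedelta(days=1)
            continue
        while day <= min(inst[1], end):
            plan.append((day, "cooked", False))
            day += timedelta(days=1)
    return plan

if __name__ == "__main__":
    # Figure example: on October 15 an offset of 5 processes October 9 and earlier.
    print(cook_boundary(day_of(10, 15), 5))            # 2010-10-09
    # Section 4.1: raw files exist from March 09 on, a cooked instance still
    # covers up to March 10, so a query from March 08 uses cooked data for 08-10.
    raw = {day_of(3, d) for d in range(9, 17)}
    cooked = [(day_of(3, 1), day_of(3, 10))]
    for day, src, mm in plan_query(day_of(3, 8), day_of(3, 16), raw, cooked):
        print(day, src, "min/max" if mm else "no min/max")
```

Running the module prints the March 08 query plan of figure 911 (three cooked days without min/max, then raw data from March 11) while plan_query() with a March 09 start returns raw data throughout, matching figure 912.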

4.2 Dealing with a Box in the "Future"

How to solve problems related to time drift on boxes

Incorrect time settings on a box will, amongst other effects, result in falsified statistics data. This falsification is of even more concern if the box is CC-administered.

Time settings on CC-administered boxes and on the CC itself must be synchronized to allow for correct operation of several functions described below. Usually NTP is used to guarantee this. A deviation in time settings can occur if the administrator changes date and time manually, or if the BIOS clock drifts while NTP is not available.

Box time running behind the actual time or behind CC time is a minor problem, because in this case the system's self-healing process will provide readjustment soon after the box time has been reset manually to the correct value (see 4.2.1 below).

Consequences of box time running ahead of the actual time or ahead of CC time are more time-consuming to repair. The bigger the drift, the higher the effort. Depending on whether you expect the statistics data to be correct on a quantity basis or correct on time entries, the following solutions are possible:


4.2.1 Self-healing for Quantitative Preference

cstatd checks at a day's changeover whether the current files are to be switched, using the file's date header. Files currently in active use will be transferred into a historical file with the corresponding date ending if their header date lies in the past.

Assuming box time settings are behind, the statistics files will be transferred to a historical file on the next day and "self-healing" will be completed. The statistics files will lack some time entries.

Assuming box time settings are ahead and you have corrected these time settings manually, cstatd comes upon a file containing a future date and will in an analogous manner leave it at this date, then continue using it for statistics writing until the header date is equal to the actual date. When the file is then switched, it will contain data with diverging time entries from more than one day. "Self-healing" is completed and a new day file is written.

Note:
Even on CC-administered boxes there is not necessarily a need for further manual corrections concerning the reorganisation of statistics files. After having adjusted the time settings on the box you may wait for the next dstats process. This will detect toSend files with a future time stamp in /var/phion/dstats/ which have not yet been delivered to the CC (which means that no masterAccept file is available). The dstats process will remove these files and create them afresh.

4.2.2 Manual Correction for Time Preference

When diverging time entries in statistics and logging files are to be avoided, the following steps must be undertaken for readjustment.

4.2.2.1 Required Actions on the Box

Step 1 Statistics
• Block cstat.
• Delete all sub-folders and files in /var/phion/stat/.
• Delete all files with a future timestamp in /var/phion/dstats/.
• Set the correct time on the box.
• Restart the NGFW Subsystem to assure that all sub-processes resume the correct time settings.

Step 2 Log cache
• Block logd.
• Delete sub-folders and files in /var/phion/logcache/.
• Set the correct time.

Step 3 Logs
• If possible, delete sub-folders and files in /var/phion/logs/.
• If deleting is not possible, move the contents of /var/phion/logs/ to another directory.
• If no action is taken, querying the statistics files with the Barracuda NG Admin GUI will continue to result in incorrectly displayed timeline events. Moreover, the cache files will continue to contain duplicate entries, even after the time settings have been adjusted.

Note:
If the box was running for one day with wrong time settings you should check the directory /var/phion/dstats.

Attention:
On CC-administered boxes do not delete statistics with time stamps smaller than or equal to the highest masterAccept time stamp. These statistics have already been collected by the CC, and they will be overwritten there with completely new files if these have a smaller time stamp.

4.2.2.2 In Addition to the Actions on the Box do the Following on the CC

Step 4 Main statistics
• Block dstatm.
• Delete files with a wrong time stamp in sub-folders of /var/phion/mainstat/.
• Delete toSend files with a wrong time stamp in /var/phion/dstats/.
• If present, delete the folder /var/phion/dstats/tmp/.
• Set the correct time.
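A dry run for the "delete all files with a future timestamp" steps above, as an added example that is neither a Barracuda tool nor taken from this guide. The guide does not document the file naming inside /var/phion/dstats/ or /var/phion/mainstat/, so the script takes the file modification time as the time stamp (an assumption) and works on any directory; it deletes nothing, and it applies the Attention note by keeping every file whose stamp is at or below the highest masterAccept stamp. A temporary directory with constructed files stands in for the real one:

```python
"""Dry run for "delete all files with a future timestamp" (Step 1 / Step 4).

Added example; not a Barracuda tool. The file modification time is taken as
the time stamp (assumption: the guide does not document the file naming).
Nothing is deleted: the function returns what it would delete and what it
keeps, honouring the Attention note above (files already collected by the
CC, i.e. stamped at or below the highest masterAccept stamp, stay).
"""
import os
import tempfile
from datetime import datetime, timedelta

def future_files(directory, now, highest_master_accept=None):
    """Return (delete, keep): names of files whose mtime is later than `now`.

    highest_master_accept: time stamp of the newest file already collected by
    the CC, or None on a self-managed box (every future file is then listed
    for deletion).
    """
    delete, keep = [], []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file():
            continue
        stamp = datetime.fromtimestamp(entry.stat().st_mtime)
        if stamp <= now:
            continue                                  # not in the future, leave it
        if highest_master_accept is not None and stamp <= highest_master_accept:
            keep.append(entry.name)                   # CC already has it: do not delete
        else:
            delete.append(entry.name)
    return delete, keep

def touch_at(path, when):
    """Create an empty file with its mtime set to `when` (constructed test data)."""
    with open(path, "w"):
        pass
    os.utime(path, (when.timestamp(), when.timestamp()))

def demo(now=None, master_accept_days=5):
    """Constructed dstats-like directory: the box ran ahead of real time and,
    when master_accept_days is not None, the CC already accepted files stamped
    up to now + master_accept_days."""
    now = now or datetime(2010, 10, 15, 12, 0)
    guard = None if master_accept_days is None else now + timedelta(days=master_accept_days)
    with tempfile.TemporaryDirectory() as d:
        touch_at(os.path.join(d, "plus03d"), now + timedelta(days=3))
        touch_at(os.path.join(d, "plus30d"), now + timedelta(days=30))
        touch_at(os.path.join(d, "yesterday"), now - timedelta(days=1))
        return future_files(d, now, highest_master_accept=guard)

if __name__ == "__main__":
    to_delete, to_keep = demo()
    print("would delete:", to_delete)                  # ['plus30d']
    print("keep, already collected by CC:", to_keep)   # ['plus03d']
```

Run it against the real directory only after the services named in the steps above are blocked, and compare the "keep" list with the masterAccept files present on the box before deleting anything.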


4.2.3 Further Issues

Especially on CC-administered boxes, time drift might cause some other problems as well. Below you will find a brief summary of known issues and instructions on how to correct them.

4.2.3.1 Licenses

Wrong time settings may lead to incorrect license handling. Licenses may not yet be valid though they should be, or they lose their validity too early. Licenses of CC-administered boxes cannot be validated correctly against the CC if the time difference between these two systems is too large.

Restarting the rangeconf service on the CC or the control service on the administered box is another source of error on incorrectly adjusted systems. The restart will involve a license validation, and if this fails, box licenses might get deactivated immediately.

• Move the file /opt/phion/preserve/licstamp on the administered box to another place.
Attention:
The services will be stopped by this action.
• Set the correct time.
• Restart the rangeconf service on the CC.
• Restart the control service on the box.

4.2.3.2 Time Restrictions defined by Firewall Rule Sets

With wrong time settings the restrictions will take effect untimely.
• Adjusting the box time is the only required action to solve this problem.

4.2.3.3 Dynamic Firewall Rules

With wrong time settings the defined firewall rules will be activated and deactivated untimely.
• Adjusting the box time is the only required action to solve this problem.

4.2.3.4 Access Cache

With wrong time settings the date and time entries in the Access Cache will be incorrect.
• Adjusting the box time will solve this problem.
• In addition to this adjustment, flush the Access Cache with the command acpfctrl cache flush all.

4.2.3.5 Cron Jobs

With wrong time settings Cron Jobs will be executed untimely.
• Adjusting the box time is the only required action to solve this problem.

4.2.3.6 Mail Gateway

Wrong time settings will lead to a divergence between the retrieval and the delivery time of e-mails.
• Adjusting the box time is the only required action to solve this problem.
• If there are still many e-mails in the queue which you wish to be stamped with the correct date and time, you may optionally delete the databases spool.db and history.db in the directory /phion0/spool/<server_servicename>. They will then be created afresh.

10 Eventing

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

2. Event Configuration
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
2.1.1 Events Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
2.1.2 Severity Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
2.1.3 Notification Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
2.1.4 Server Action Tab - Execute Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
2.1.5 Basic Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
2.2 Event Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
2.2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
2.2.2 Confirm Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
2.2.3 Delete Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
2.2.4 Alarm Types / Disable Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
2.2.5 Filter Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
2.2.6 Event Monitor - Live Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330


1. Overview

1.1 General

The event module displays current information about the Barracuda NG Firewall.

Whenever an event is generated, the counter for this event will be increased. If this counter reaches its (configurable) limit the system will go into alarm condition.

Via the so-called Notification type you are able to define actions that are carried out if a certain event is triggered (like mails, program executions, SNMP traps; see 2.1.3 Notification Tab, page 324).

Attention:
The event monitor should be used as a tool to get a quick overview of the system(s). In order to maintain the event monitor's usability it is recommended to delete older entries. The statistics and the log module are created to recall the past.

2. Event Configuration

2.1 General

The Event Configuration window allows for viewing of events that are generated on Barracuda NG Firewall systems and customising of event handling.

To open the Event Configuration window, double-click Eventing (accessible through Config > Box > Infrastructure Services).

Event processing is determined by customisable settings that can be configured in the following tabs:
• Basic tab
Use this tab to define general parameters for event propagation and default settings for alarm notifications (see 2.1.5 Basic Tab, page 327).
• Notification tab
Use this tab to customize existing or define additional notification types (see 2.1.3 Notification Tab, page 324).
• Severity tab
Use this tab to view severity categorisations and optionally to modify the notification types associated with them (see 2.1.2 Severity Tab, page 323).
• Events tab
Use the Events tab to view a listing of all available event types and optionally to customize event handling, Severity ID and Notification ID settings for each specific event (see 2.1.1 Events Tab, page 322).

Events are visualized in the Event Monitor. Access it by clicking the Events icon in the box menu (see 2.2 Event Monitoring, page 327). On a single box, the event monitor lists all events that have been generated on the box itself. On a Barracuda NG Control Center (that has been accessed using the CC-Address in the Barracuda NG Admin login screen), the event monitor lists events that have been generated by the CC services and events from the boxes the CC administers, if these events have been configured to be propagated to the CC.

Event propagation to a CC and notification settings are configurable in multiple places. The configured settings are processed in the following sequence:

Event propagation to a CC
• The parameter Send Event to CC in the Basic tab (see page 327) defines whether boxes propagate their events to the Barracuda NG Control Center at all. The checkbox is selected by default. If cleared, events are never propagated. The setting in the Basic tab overrules the settings defined in the other configuration areas.
• The parameter Propagate to CC in the Severity tab (see page 324) defines general propagation of events that are assigned a specific Severity ID. This setting may be overruled by customized settings for specific events in the Events tab. When the checkbox is cleared in the Severity tab, it is automatically cleared as well for all events that are associated with the corresponding severity category.
• The Propagate to CC checkbox in the Events tab (see page 323) overrules the setting specified in the Severity tab.

Generation of notifications
In the Severity tab a notification type is associated with each Severity ID. This assignment may be overruled by defining event-specific notification settings in the Events tab.

2.1.1 Events Tab

The Events tab contains a listing of all events that may be generated on self-managed Barracuda NG Firewalls and Barracuda NG Control Centers. For a complete list of all available events see System Information 5. List of Default Events, page 536.
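The precedence rules of 2.1 General resolved in code, as an added example that is not code from the Barracuda NG Firewall. It returns the effective Notification ID, Prop. and Drop values that the Events tab shows for an event, treating a Notification ID of 0 ("0 null", see the Events tab details) as inherit. The severity IDs follow the defaults of the Severity tab; the three sample events, the per-severity notification IDs and all field names are this example's own assumptions, not the product's configuration keys:

```python
"""Effective event handling resolved in the order described in 2.1 General.

Added example; not code from the Barracuda NG Firewall. Precedence: Send
Event to CC in the Basic tab decides whether anything is propagated at all;
Propagate to CC and Drop event in the Severity tab apply to all events of
that severity; an event's own Propagate to CC, Drop Event and Notification
ID in the Events tab override the severity defaults, a Notification ID of
0 ("0 null") meaning inherit. Severity IDs 1-6 follow the Severity tab
defaults; notification IDs and the sample events are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

INHERIT = 0  # Notification ID "0 null" in the Events tab: use the Severity tab's value

@dataclass
class Severity:
    severity_id: int
    description: str
    notification_id: int
    propagate_to_cc: bool = True
    drop: bool = False

@dataclass
class EventSetting:
    event_id: int
    severity_id: int
    notification_id: int = INHERIT
    propagate_to_cc: Optional[bool] = None   # None: not customised in the Events tab
    drop: Optional[bool] = None              # None: not customised in the Events tab

SEVERITIES = {                                # default descriptions; notification IDs assumed
    1: Severity(1, "Information", 1),
    2: Severity(2, "Warning", 2),
    3: Severity(3, "Error", 3),
    4: Severity(4, "Notice", 4),
    5: Severity(5, "Warning", 5),
    6: Severity(6, "Security", 6),
}

def resolve(event, severities, send_event_to_cc=True, cc_administered=True):
    """Return the effective (Notification ID, Prop., Drop) columns of the Events tab."""
    sev = severities[event.severity_id]
    notification = sev.notification_id if event.notification_id == INHERIT else event.notification_id
    drop = sev.drop if event.drop is None else event.drop
    # Events tab overrides the Severity tab. Clearing the severity checkbox in the
    # GUI also clears its events, which is the same as inheriting False here.
    propagate = sev.propagate_to_cc if event.propagate_to_cc is None else event.propagate_to_cc
    # Basic tab wins over everything; a dropped event reaches neither the local DB nor the CC.
    propagate = bool(cc_administered and send_event_to_cc and propagate and not drop)
    return notification, propagate, drop

def events_reaching_cc(events, severities, send_event_to_cc=True):
    """IDs of the events a CC would receive under the given settings."""
    return [e.event_id for e in events
            if resolve(e, severities, send_event_to_cc, cc_administered=True)[1]]

if __name__ == "__main__":
    sev = dict(SEVERITIES)
    sev[3] = Severity(3, "Error", 3, propagate_to_cc=False)    # Severity tab: Error not propagated
    sample = [
        EventSetting(10, 1),                                    # inherits everything
        EventSetting(20, 3, propagate_to_cc=True),              # Events tab re-enables propagation
        EventSetting(30, 6, notification_id=9, drop=True),      # custom notification, dropped
        EventSetting(40, 3),                                    # inherits the cleared severity
    ]
    for e in sample:
        print(e.event_id, resolve(e, sev))
    print("reaching CC:", events_reaching_cc(sample, sev))
    print("Send Event to CC cleared:", events_reaching_cc(sample, sev, send_event_to_cc=False))
```

The last line shows the Basic tab overriding every other setting: with Send Event to CC cleared, no event reaches the CC regardless of the Severity and Events tab values.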


The listing is divided into the following columns:

Table 101 Overview of events in the Events tab
Column: Description
ID: This is the Event-ID.
Description: This event description is written to the event monitor GUI and to logging facilities. The event description is sometimes extended by additional information in case the event may be triggered by multiple processes.
Severity ID: This is the severity level that has been assigned to the event.
Severity: This is the severity description. Severity categories range from informational events to security events.
Notification ID: This is the effective notification setting applying to the event.
Notification: This is the notification description.
Pers.: This is the effective persistency setting of the event. This setting is only of interest on CC-administered boxes (see Persistent checkbox, page 323).
Prop.: This is the effective setting for propagation of the event to a CC. This setting is only of interest on CC-administered boxes (see 2.1 General, page 322).
Drop: This is the effective setting for dropping of the event (see Drop Event checkbox, page 323).

The following functional elements are placed at the bottom of the listing:
• Lookup field
Insert the object ID of the element you are looking for here to find it quickly.
• Change button
Double-click or select a list entry and click the Change button to open the object for editing.

2.1.1.1 Change an Event Entry

To change the properties of an event, lock the configuration dialog, select the event, then open it by double-clicking. This makes the Detail window available.

Fig. 101 Event detail window

The following event details may be configured:

List 101 Events tab - Event details
Parameter: Description
Event ID: This is the unique Event-ID (read-only).
Description: This event description is written to the event monitor GUI and to logging facilities (read-only).
Severity ID: This is the severity level of the event. Severity levels reach from informational to security event generation. They determine the notification type that should be triggered when the event occurs. Note that the Notification ID setting below may override the notification assignment within the severity settings. For information on severity settings see 2.1.2 Severity Tab, page 323.
Notification ID: This is the notification setting applying to the event. The Notification ID determines the alarm actions that should be initiated when the event occurs (like e-mail generation, pop-up of alarm messages, ...). For information on notification settings see 2.1.3 Notification Tab, page 324. Setting it to "0 null" means that the notification settings are inherited from the configuration defined in the Severity tab (see 2.1.2 Severity Tab, page 323).
Comment: Optionally insert a customized event description into this field.
Persistent checkbox: This parameter is only of interest on CC-administered boxes. When selected (default) the event is only propagated to the CC once, even if it occurs frequently. Before it can be propagated anew, it has to be deleted on the CC. This measure may be taken to prevent excessive event propagation.
Propagate to CC checkbox: This parameter is only of interest on CC-administered boxes. When selected (default) generated box events are propagated to the CC.
Note: This setting overrides the equivalent setting in the Severity tab (see page 324). Refer to 2.1 General, page 322 to understand the processing logic.
Drop Event checkbox: Events that have been appointed for dropping (checkbox selected) are neither inserted into the local DB nor propagated to a CC.

• Click Send Changes and Activate to activate your changes.

2.1.1.2 Font Styles used in the Event Tab

The following font styles apply for event depiction:

Table 102 Font styles characterising event settings
Font style: Description
angle and weight regular: Settings for this event have not been customized. They are inherited from settings defined in the Severity tab.
angle regular / weight bold: The Notification ID for this event has been customized and thus overrides the ID defined in the Severity tab. Alternatively, this event has been appointed for dropping in the Severity tab but the setting has been revoked in the Events tab.
angle italic / weight regular: This event has been appointed for dropping through customisation of Severity ID settings in the Severity tab.
angle italic / weight bold: The event has been appointed for dropping in the Events tab, thus overriding the inherited setting configured in the Severity tab.

2.1.2 Severity Tab

Fig. 102 Severity tab


List 102 Severity tab - Column view
Column: Description
ID: Displays the severity ID. The following severity IDs with corresponding default descriptions are in use:
Operative Events
ID 1 - Information
ID 2 - Warning
ID 3 - Error
Security Events
ID 4 - Notice
ID 5 - Warning
ID 6 - Security
Note:
An event's severity ID is responsible for the colour visualisation coming into effect in the status map of the box (Getting Started 3.2.1 Start Screen, page 18) and, if the box is CC-administered and events are propagated to it, in the status map of the CC Control (Barracuda NG Control Center 5.2 Status Map Tab, page 421). The events generate the following colour depiction:
IDs 1 (Information) and 4 (Notice) > green
IDs 2 and 5 (Warning) > yellow
IDs 3 (Error) and 6 (Security) > red
Description: This severity description is written to the event monitor GUI and to logging facilities.
Prop.: This is the setting for propagation of the event to a CC. This setting is only of interest on CC-administered boxes. It may be overruled by customising settings in the Events tab (see 2.1.1 Events Tab, page 322).
Drop: This is the setting for dropping of the event (see Drop event below). It may be overruled by customising settings in the Events tab (see 2.1.1 Events Tab, page 322).
Notification ID: This is the notification setting applying to all events assigned with the given Severity ID. The notification setting may be overruled by customising settings in the Events tab (see 2.1.1 Events Tab, page 322).
Notification: This is the notification description.
Category: This is the category the event is assigned to. Categories are Operative and Security events.

2.1.2.1 Modification of the Severity

By double-clicking a severity entry the dialog for editing is opened:

List 103 Severity tab - Severity details
Parameter: Description
Severity ID: This is the unique Severity-ID (read-only).
Description: This is the customisable severity description.
Notification ID: This is the notification setting applying to all events assigned with the given Severity ID. The Notification ID determines the alarm actions that should be initiated when the event occurs (like e-mail generation, pop-up of alarm messages, ...). For information on notification settings see 2.1.3 Notification Tab, page 324. The notification setting may be overruled by customising settings in the Events tab (see 2.1.1 Events Tab, page 322).
Propagate to CC: This parameter is only of interest on CC-administered boxes. When selected (default) generated box events are propagated to the CC. Note that this setting may be overridden by the equivalent setting in the Events tab. Refer to 2.1 General, page 322 to understand the processing logic.
Drop event: Events that have been appointed for dropping (checkbox selected) are neither inserted into the local DB nor propagated to a CC.
Note: This setting may be overridden by the equivalent setting in the Events tab.

2.1.3 Notification Tab

Fig. 103 Notification tab

Attention:
An entry displayed in italic indicates that the notification is inactive and an alarm condition will never be reached.

The following buttons are available:
• Delete
Deletes the selected entry.
• New
Creates a new entry.
• Copy
Duplicates the selected entry.
• Change
Changes the selected entry.

Using the buttons New or Change, or simply double-clicking an entry, opens the Detail dialog.

Global settings

Note:
Be aware of the Notification ID. If the notification is displayed in bold font style, it indicates that the notification is in use either by an event or by a severity. If you must delete a notification or change its notification ID, first delete the notification settings at the respective events and severities that use this notification (referential integrity). Until this is done, the Notification ID cannot be changed or deleted.

List 104 Notification tab - Column view
Column: Description
Notification ID: When adding and/or copying, this value has to be unique.
Description: Description of the notification.
Event must be confirmed: If this checkbox is selected, the event stays in alarm status until the user confirms it. If this checkbox is cleared, the appropriate Server Action (if enabled) will be triggered every time the event appears.


2.1.3.1 Server Action Tab - Mail

By ticking the checkbox Enable and selecting the server action Mail (Type menu), events that are using this notification ID create a mail that is, for example, sent to the responsible administrator.

Fig. 104 Server Action tab - Type Mail

Note:
If the Basic tab (see 2.1.5 Basic Tab, page 327) is already configured, the set default values will be pre-entered.

The sender ID has to be entered into the field From. It is recommended to use the box name and its domain to have a clearly identifiable ID.
The field To holds the mail address where the event mail is sent to.
In the Mail Server field the IP address or resolvable name of the mail server to be used has to be entered.

If the global setting Event must be confirmed (see Global settings, page 324) is selected, the checkbox Repeat every is available. Activating this option unlocks the section below, where the specific repeat time interval is to be entered: simply enter the wanted time interval (numeric type) and select the time unit (seconds). The event will repeat sending mails until the user confirms the event in the event monitor.

2.1.4 Server Action Tab - Execute Program

By ticking the checkbox Enable and selecting the server action Execute Program (Type menu), events that are using this notification ID start a specific program.

Fig. 105 Server Action tab - Type Execute Program

Enter the path and the filename of the executable in the field Parameter. This can be any executable file on the Barracuda NG Firewall.

Note:
Enter the path name like /tmp/executable.

If the global setting Event must be confirmed (see Global settings, page 324) is selected, the checkbox Repeat every is available. Activating this option unlocks the section below, where the specific repeat time interval is to be entered: simply enter the wanted time interval (numeric type) and select the time unit (seconds). The event will repeat executing the program until the user confirms the event in the event monitor.

Note:
If the checkbox Repeat every is not activated, the selected Type of Server Action will only be triggered once, as long as the event is not acknowledged.

2.1.4.1 Server Action Tab - SNMP

By ticking the checkbox Enable and selecting the server action SNMP (Type menu), events that are using this notification ID send an SNMP trap to an external security event monitoring system.

Note:
It is recommended to create an explicit rule for SNMP traps in the local-out rule set (UDP, port 162) of your Barracuda NG Firewall and/or Barracuda NG Control Center.

Fig. 106 Server Action tab - Type SNMP

Note:
If the Basic tab (see 2.1.5 Basic Tab, page 327) is already configured, the set default values will be pre-entered.

List 105 Server Action tab - Type SNMP
Column: Description
Destination: IP address of the external monitoring system.
Spec Type: Via this field the specific Trap PDU type that is sent is configurable according to the needs of the monitoring system. Alternatively, the unique event ID can be used for this purpose (see below).
Note: If network management software like Tivoli NetView6000 or HP OpenView is to receive SNMP traps, set this parameter to 1.
Use Event ID checkbox: Ticking this checkbox causes the corresponding event ID to be used as the specific trap type.
Note: If network management software like Tivoli NetView6000 or HP OpenView is to receive SNMP traps, do NOT activate this checkbox.
Enterprise: This line displays the registered Barracuda Networks company OID (1.3.6.1.4.1.10704).
Community: This field is used for entering the SNMP community where the Barracuda NG Firewall is located, according to your community concept.
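What the SNMP server action puts on the wire, as an added example that is not Barracuda code: it BER-encodes an SNMPv1 Trap-PDU with the values of Table 103 (figure 107), decodes it again the way a trap receiver would, and splits the varbind value at "::" into the fields named in Table 103. The field order inside the Trap-PDU is the standard one from RFC 1157, the community "mit", agent address and event text are the sample values of Table 103, and the refusal to send without a community reflects the note in that table; everything else (function names, the check that the specific trap type equals the event ID) is this example's own. Keep in mind that SNMPv1 carries the community string in clear text over UDP, which is one reason for the explicit local-out rule recommended above.

```python
"""SNMPv1 trap as sent by the Server Action of type SNMP (List 105, Table 103).

Added example; not Barracuda code. Encodes a Trap-PDU with the values of
Table 103 (version 1 = 0 on the wire, community "mit", enterprise OID
1.3.6.1.4.1.10704, agent 10.0.3.90, generic trap enterpriseSpecific (6),
specific type = event ID 2420, uptime 77816100 ticks, one varbind under
1.3.6.1.4.1.10704.1), decodes it like a receiver and splits the value at "::".
Field order in the PDU follows RFC 1157; the sample text is the page's own.
"""
import ipaddress

ENTERPRISE_OID = "1.3.6.1.4.1.10704"       # registered Barracuda Networks OID
EVENT_OID = ENTERPRISE_OID + ".1"           # enterprise OID + sub-identifier 1
FIELD_NAMES = ["ID", "Description", "Type Description", "System date and time",
               "Layer Description", "Class Description", "Data"]
SAMPLE_TEXT = ("1::NGFW Subsystem Login Information::t::2004.10.02/04:12:49"
               "::event::Login::Login root from 10.0.3.66")     # value from Table 103

def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def _int(tag, value):
    """Non-negative INTEGER / TimeTicks in minimal two's-complement form."""
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def encode_trap(community, agent_ip, specific_type, uptime_ticks, text):
    """Build Message{version 0, community, Trap-PDU (context tag 0xA4)}."""
    if not community:
        raise ValueError("no Community set: no SNMP trap is sent")   # note in Table 103
    pdu = (_oid(ENTERPRISE_OID)
           + _tlv(0x40, ipaddress.IPv4Address(agent_ip).packed)  # agent-addr (IpAddress)
           + _int(0x02, 6)                                        # generic-trap enterpriseSpecific
           + _int(0x02, specific_type)                            # Spec Type or event ID
           + _int(0x43, uptime_ticks)                             # time-stamp (TimeTicks)
           + _tlv(0x30, _tlv(0x30, _oid(EVENT_OID) + _tlv(0x04, text.encode()))))
    return _tlv(0x30, _int(0x02, 0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_trap(msg):
    """Receiver side: return the Table 103 lines of one SNMPv1 trap message."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    tag, pdu, _ = _read_tlv(body, p)
    if tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):          # enterprise, agent-addr, generic, specific, ticks, varbind list
        _, item, p = _read_tlv(pdu, p)
        fields.append(item)
    ent, addr, gen, spec, ticks, varbinds = fields
    _, vb, _ = _read_tlv(varbinds, 0)
    _, oid, q = _read_tlv(vb, 0)
    _, val, _ = _read_tlv(vb, q)
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "enterprise": _decode_oid(ent), "agent": str(ipaddress.IPv4Address(addr)),
            "generic": int.from_bytes(gen, "big"), "specific": int.from_bytes(spec, "big"),
            "uptime": int.from_bytes(ticks, "big"), "oid": _decode_oid(oid), "value": val.decode()}

def split_event_value(value):
    """Split the '::'-separated event text into the fields listed in Table 103."""
    parts = value.split("::")
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    return dict(zip(FIELD_NAMES, parts))

if __name__ == "__main__":
    trap = decode_trap(encode_trap("mit", "10.0.3.90", 2420, 77816100, SAMPLE_TEXT))
    print(trap["specific"], split_event_value(trap["value"])["Data"])
```

A receiver that keys alerts on the specific trap type must know whether Use Event ID is set on the box: with the checkbox cleared the field carries the configured Spec Type (for example 1) instead of the event ID, and the event can then only be identified from the "::" fields of the value.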


Fig. 107 Example for a SNMP trap

The section Simple Network Management Protocol depicted in figure 107 provides the following information:

Table 103 SNMP Parameters
Line | Value | Description
Version | 1 (0) | used SNMP version
Community | mit | community as configured above
Note: If no Community is set, no SNMP trap will be sent.
PDU Type | TRAP-V1 (4) | used Trap PDU version
Enterprise | 1.3.6.1.4.1.10704 (iso.3.6.1.4.1.10704) | registered company OID
Agent address | 10.0.3.90 (10.0.3.90) | address of the transmitting system
Trap type | ENTERPRISE SPECIFIC (6) | used Trap type
Specific trap type | 2420 | in this case the event ID is available; if the checkbox Use Event ID is not selected, the configured parameter Spec Type is displayed here
Timestamp | 77816100 | system uptime in SNMP TimeTicks (hundredths of a second)
Object identifier | 1.3.6.1.4.1.10704.1 (iso.3.6.1.4.1.10704.1) | displays the enterprise OID and the sub-identifier (last digit, in this example 1). The MIB can be obtained from Barracuda Networks.
Value | 1::NGFW Subsystem Login Information::t::2004.10.02/04:12:49::event::Login::Login root from 10.0.3.66 | here the human-readable event text is displayed; the submitted data is separated by double colons (::) and listed as follows: ID::Description::Type Description::System date and time::Layer Description::Class Description::Data

If the global setting Event must be confirmed (see Global settings, page 324) is selected, the checkbox Repeat every is available. Activating this option unlocks the section below, where the specific repeat time interval is to be entered: simply enter the wanted time interval (numeric type) and select the time unit (seconds). The event will repeat sending SNMP traps until the user confirms the event in the event monitor. Take into consideration that the notification is sent only after confirming the event (using Send - Reset Alarm; see 2.2.1.1 Context Menu, page 328).

2.1.4.2 Client Action Tab

Note:
Client actions concern actions in Barracuda NG Admin (what happens at event monitoring).

To set actions, first select the Enable checkbox. Choose between two possibilities:
• Audio Alert
Plays a sound when an event with this notification occurs. The sound specified must fit into available physical memory and has to be playable by an installed waveform-audio device driver. The following directories are searched for sound files: the current directory (where Barracuda NG Admin is located), the Windows directory, the Windows system directory, the directories listed in the PATH environment variable, and the list of directories mapped in a network. For example, if the audio file chord.wav is in the same folder as Barracuda NG Admin.exe, type chord.wav in the input field Parameter, or enter an absolute path like c:\temp\chord.wav (enter the path for Windows systems).
• Popup
Opens a pop-up window displaying the notification message as soon as an event configured with this notification type occurs.

2.1.4.3 Thresholds (to Activate Notification) Tab

To limit the number of events that are generated, it is possible to determine when an event entry should be generated.

Note:
When the checkbox Activate Notification if any of these thresholds are reached is not selected, notification is NOT activated.

Example: an event occurs 5 times as follows:

Fig. 108 Example for occurring event and settings for Threshold tab (timeline 0, 5min, 15min, 1h (=60min); events)


The example shown in figure 108 results in the following notifications:

Table 104 SNMP Service notifications
After minutes | Event count | Activate notification at counter | Activate notification
5 | 2 | 3 | no
15 | 3 | 4 | no
60 | 5 | 5 | yes

With the settings above, a wrong password entered 5 times within 1 hour will generate one event entry, because of the configured threshold "5 during 1 hour".

Possible errors:
• To use actions (server action or client action), the Enable checkbox must be selected.
• Check the tab Thresholds for correct entries (increasing values) and that the checkbox Activate Notification if any of these thresholds are reached is selected.

The following two lists belong to the SNMP Service Notifications section of the Basic tab (see 2.1.5 Basic Tab, page 327):

List 107 SNMP Service Notifications section - Default SNMP
Parameter: Description
SNMP Community: This field is used for entering the community where the Barracuda NG Firewall is located, according to your community concept.

List 108 SNMP Service Notifications section - Default Mail
Parameter: Description
From: Sender ID. It is recommended to use the box name and its domain to have a clearly identifiable ID.
To: Holds the mail address where the event mail is sent to.
Mail Server: IP address or resolvable name of the mail server to be used.

Attention:
After modifying the parameters, be sure to click the Change button in order to set the changes active.
2.2.1 General
To open the event monitor, click Events in the box
2.1.5 Basic Tab menu of the graphical administration tool Barracuda NG
Admin.
Use this tab to define general parameters for event
Fig. 1010 Event monitor
propagation and default settings for alarm notifications.

Fig. 109 Basic tab

List 106 SNMP Service Notifications

Parameter Description
Send Event to When selected (default), CC-administered boxes
CC forward their events to the central eventing service
(mevent) on the Barracuda NG Control Center. Event
forwarding also applies to events that are generated on
the Barracuda NG Control Center itself.
Attention:
In the upper left of the dialog are three buttons:
This setting defines if boxes are to generally propagate
their events to the CC. If cleared, events are never
z All
propagated. The setting in the Basic tab overrules the Update all current events.
settings defined in the other configuration areas
(Severity tab, see 2.1.2 Severity Tab, page 323 and z Live
Events tab, see 2.1.1 Events Tab, page 322). Listens continuously for new events. This also enables
Silent Box Select this checkbox to disable event alarms and popup windows and sound; see 2.2.6 Event Monitor -
collect events only.
Live Mode, page 330.
Max Event This is the maximum number of event entries that are
Records to be displayed in the Event Monitoring GUI (default z (filter)
4000). Note that if this maximum has been reached
new events will not be recorded in the Monitoring GUI. Adapt a filter mechanism to all current events (see
It is recommended to delete events on a regular basis 2.2.5 Filter Settings, page 330).
and to refer to the Logs and Statistics Monitoring areas
to recall the past.
Note:
List 107 SNMP Service Notifications section Default SNMP Notification messages are only enabled in live mode.
Parameter Description
SNMP IP address of the external monitoring system.
Destination
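As an added illustration (not code from the Barracuda NG Firewall or this guide), the following Python parses the "::"-separated event records described for the Events tab and applies the threshold rows of Table 104 to a constructed series of failed root logins. It assumes the four Table 104 columns mean window length in minutes, occurrences required within the window, the counter value at which notification activates, and the Activate Notification checkbox; the timeline format follows the guide's sample record.

```python
"""Threshold evaluation over '::'-separated Barracuda NG Firewall event records.

Added example, not the product's code.  Assumed reading of the Table 104
columns: (after minutes, event count, activate notification at counter,
activate notification).  Record layout as described for the Events tab:
ID::Description::Type Description::Timeline::Layer::Class::Data
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TIMELINE_FORMAT = "%Y.%m.%d/%H:%M:%S"  # as in 2004.10.02/04:12:49


@dataclass(frozen=True)
class Event:
    event_id: int
    description: str
    type_desc: str
    time: datetime
    layer: str
    class_desc: str
    data: str


@dataclass(frozen=True)
class Threshold:
    window_minutes: int  # "After minutes"
    event_count: int     # occurrences needed inside the window
    notify_at: int       # counter value at which notification activates (assumed)
    notify: bool         # "Activate notification" checkbox


@dataclass(frozen=True)
class EventEntry:
    event_id: int
    window_minutes: int
    count: int
    fired_at: datetime
    notify: bool


# The three rows of Table 104.
TABLE_104 = (Threshold(5, 2, 3, False), Threshold(15, 3, 4, False), Threshold(60, 5, 5, True))


def parse_event(line: str) -> Event:
    """Split one record on '::'; the guide's example has exactly seven fields."""
    parts = line.strip().split("::")
    if len(parts) != 7:
        raise ValueError(f"expected 7 '::'-separated fields, got {len(parts)}: {line!r}")
    return Event(int(parts[0]), parts[1], parts[2],
                 datetime.strptime(parts[3], TIMELINE_FORMAT), parts[4], parts[5], parts[6])


def evaluate(events, thresholds=TABLE_104):
    """Aggregate raw occurrences into event entries, one per reached threshold.

    Per event ID and threshold row, occurrences are counted in a sliding window
    of window_minutes.  When event_count of them fall into the window a single
    entry is generated and counting restarts, so five failed logins within an
    hour yield exactly one entry for the 60-minute row.
    """
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev.event_id].append(ev)
    entries = []
    for event_id, occurrences in by_id.items():
        occurrences.sort(key=lambda e: e.time)
        for rule in thresholds:
            span = timedelta(minutes=rule.window_minutes)
            window = []  # timestamps still inside the current window
            for ev in occurrences:
                window = [t for t in window if ev.time - t < span]
                window.append(ev.time)
                if len(window) >= rule.event_count:
                    count = len(window)
                    entries.append(EventEntry(event_id, rule.window_minutes, count,
                                              ev.time, rule.notify and count >= rule.notify_at))
                    window = []
    return sorted(entries, key=lambda e: (e.fired_at, e.window_minutes))


# Constructed sample: the guide's example record plus four further failed root
# logins with the same event ID, spread over about 52 minutes.
SAMPLE_RECORDS = [
    "1::NGFW Subsystem Login Information::t::2004.10.02/04:12:49::event::Login::Login root from 10.0.3.66",
    "1::NGFW Subsystem Login Information::t::2004.10.02/04:20:00::event::Login::Login root from 10.0.3.66",
    "1::NGFW Subsystem Login Information::t::2004.10.02/04:35:00::event::Login::Login root from 10.0.3.66",
    "1::NGFW Subsystem Login Information::t::2004.10.02/04:50:10::event::Login::Login root from 10.0.3.66",
    "1::NGFW Subsystem Login Information::t::2004.10.02/05:05:00::event::Login::Login root from 10.0.3.66",
]


def sample_entries():
    """Entries Table 104 produces for SAMPLE_RECORDS (a single 60-minute entry)."""
    return evaluate(parse_event(line) for line in SAMPLE_RECORDS)


if __name__ == "__main__":
    for entry in sample_entries():
        print(f"event {entry.event_id}: {entry.count} occurrences within "
              f"{entry.window_minutes} min, fired {entry.fired_at}, notify={entry.notify}")
```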


- Delete Event
  Erases an event. It is recommended to delete older entries to keep a "compact" event monitor.
- Properties
  Displays details of a selected event.

Note:
The event monitor in normal mode can therefore be seen as a display of the current event system status.

Severity status column
This column contains the following icons (sorted ascending according to their priority):
- Information
- Warning
- Error
- Notice
- Security

Different font colors and highlightings are used to indicate event importance:
- black normal text: Uncritical or already confirmed event
- blue normal text: New, not yet read event
- black bold text: Alarm event; pay attention
- black italic: Alarm event temporarily disabled

2.2.1.1 Context Menu

To confirm an event, open the context menu by selecting the event and pressing the right mouse button. This opens the context menu shown in figure 1011.

Fig. 1011 Context menu

- Send - Acknowledgement
  Use this function to acknowledge events asking for confirmation. Acknowledging an event will terminate the alarm function, if the corresponding event has been configured with generation of warning notifications (playing of sound or generation of e-mail messages).
- Send - Reset Alarm
  This function has the same impact as event acknowledgement. In addition, it removes the warning icon from the task bar.
- Send - Mark as Read
  This function is only available for uncritical events not asking for confirmation. It has the same impact as simply marking an event in the list for three seconds. Marking an event as read adds access information to the event properties "Page 2 tab" (figure 1012, page 328).
- Temporary Disable
  Disables alarm conditions temporarily. Disabled events are displayed in italic.

Fig. 1012 Page 1 of the Properties dialog

List 109 Event Properties - Page 1 tab

Parameter Description
Box  IP address of the box that created the event
Layer  There are three layers. Layer 1 is boot-layer, layer 2 is box-layer and layer 3 is server/service-layer.
Class  Three types of classes can appear here. Class 1 is operative, Class 2 is resources and Class 3 is security.
Type  Event ID

Fig. 1013 Page 2 of the Properties dialog

List 1010 Event Properties - Page 2 tab section Confirmed

Parameter Description
Confirmed  - by Admin - Who has confirmed the event?
  - by Peer - IP address of the management workstation
  - Date - Date and time when the event has been marked as read, that means confirmed.

List 1011 Event Properties - Page 2 tab section Time

Parameter Description
Insert  Date and time when the event was inserted in the database
Box  Internal system information related to the insert time (please ignore this value).
Update  Date and time of status changes of this event (mark, read, acknowledge, ...)
Alarm  Date and time when the alarm had been sent
t. disabled  Date and time when the alarm was disabled temporarily


- Columns
  Shows/hides different table columns

Additionally, the context menu contains already well known selections like Export List to Clipboard, Export Selected to Clipboard, Print List, ...

2.2.1.2 Examples

- Event in Alarm Condition, Event must be Confirmed
  If an event is in alarm condition and the user has to confirm (not done yet), server action (box) will be enabled (send mail or others and repeat every n minutes).
  This box action will be repeated (if set in config) until the user explicitly confirms this event (Send - Acknowledgement); the user ID action at this event will be saved.
- Event in Alarm Condition, Event must NOT be Confirmed
  If an event is in alarm condition, a notification is displayed (a pop-up window) and the alarm is not stopped:
  No more notifications will come in the future; to enable notifications stop alarm.
  User action at this event will be saved.

2.2.2 Confirm Events

There are two types of event confirmation (this can be set in the Config section of Barracuda NG Admin):

Normal events do not require confirmation.
Mark the alarm in question and wait 3 seconds; the font will then change from bold or blue to black.
The second possibility is by selecting Send - Mark as Read from the context menu (right-mouse-button menu).

Alarms must be confirmed:
Mark the corresponding alarm, right-click and select Send - Acknowledgement.

Note:
The default mode of the event monitor is static, i.e. events are not updated continuously. After having made changes (for example, acknowledgements, alarm deletions, ...), click the All button to update the event list.

2.2.3 Delete Events

Deleting events is no particularly difficult task when the Barracuda NG Firewall is administered by a Barracuda NG Control Center. To guarantee consistence of the eventing on both systems, the following procedure takes place:

Step 1 Box: Event is considered to be deleted
Step 2 Box: Sends delete sequence to the CC
Step 3 CC: Deletes event from database
Step 4 CC: Sends acknowledgement to box
Step 5 Box: Deletes event from database

Note:
If this procedure fails due to connection problems, the event entry will NOT be deleted. Refresh the view by clicking the All button to verify whether the event has been deleted or not.

2.2.4 Alarm Types / Disable Alarm

If an alarm occurs, a yellow alert sign is displayed in the taskbar.
To see alert details, move the mouse over the icon. A left-mouse click opens the event monitor.
Alarm notifications can be configured in the Config section of Barracuda NG Admin.
The following alarm types are available:
- Playing of sound
  If the configured sound file is not available, a couple of bars from Beethoven ("Fuer Elise") is played.
- Warning pop-up window
  A window displaying the warning message pops up.

An alarm can be disabled as follows:
- Temporary Disable
  Mark the event in the list and open the context menu through clicking the right mouse button. Then select the entry Temporary Disable and enter the wanted time interval for which the alarm should be turned off. After entering the time and clicking OK, the event will be displayed italic.

Attention:
Temporarily disabled events will not use the alarm communication (pop-up window, sound) to the user for this time (if alarm options are set).

Note:
If an event has to be confirmed and is in alarm condition, deleting the alarm will also delete the request for acknowledgement.
If an alarm is stopped, repeating server actions (mail, executable on box, ...) will stop also.


2.2.5 Filter Settings

To narrow down the view in the listing, filter options can be applied. To open the Filter dialog, click the filter button.

The aim is only to display the following event types:
- Events with Layer ID 2
- Events with Class ID 3
- Events with Event ID 11
- Time restrictions are not to apply.

Fig. 1014 Filter dialog with values according to the example

To enter values click on (for example) the Layer ID button to open the Add Criterion dialog.

Fig. 1015 Add Criterion dialog

Enter the corresponding value into the pull-down field (for example, field Layer ID) and click Add. Clicking on OK closes the Add Criterion dialog and sets the value in the corresponding field of the Filter dialog.

2.2.6 Event Monitor - Live Mode

The live mode displays all newly created events, contrary to normal mode that does not display new events.
In live mode alarm messages like pop-up windows and sound (if it is configured) are also enabled.
To enable live mode click the Live button. This will change the top label "Current Event" to "Live Event" with green background.
A status bar in the lower right corner will also indicate this status. When an event occurs in the live mode, the background will blink green and red for a few seconds. The newly occurred event is indicated with a flag symbol.

Fig. 1016 Event monitor in live mode



11 DNS

1. Overview
1.1 Literature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

2. Installation
2.1 Create Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

3. Configuration
3.1 Service Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
3.2 DNS Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
3.3 Zone Independent DNS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
3.4 Zone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
3.4.1 Predefined Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
3.4.2 Add a New Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
3.4.3 Edit/Add a New Start of Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
3.4.4 Edit/Add a New Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
3.4.5 Add a New Host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
3.4.6 Add a New Mail-Exchanger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
3.4.7 Add a New Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
3.4.8 Add New Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
3.4.9 Reverse Lookup Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338


1. Overview
This chapter describes how to install and configure a
Barracuda NG Firewall DNS server.

1.1 Literature
The following reading is recommendable to get familiar
with DNS and BIND:
- DNS and BIND, 4th Edition
  written by Paul Albitz and Cricket Liu, published by O'Reilly & Associates
  ISBN 1-56592-512-2
- SuSE Linux 7.3 Netzwerk, 2. Auflage 2001
  published by SuSE GmbH (included in SuSE Linux 7.3 Professional Package)
- DNS-HOWTO
  en.tldp.org/HOWTO/DNS-HOWTO.html

2. Installation
A box server already has to exist, before a DNS service can
be created.

2.1 Create Service

To create a DNS service, select Create Service from the context menu of Config > Box > Virtual Servers > <servername> > Assigned Services and assign DNS as software module.
Click the Activate button to activate the changes. The newly installed DNS service is now ready for configuration.

Attention:
DNS service installation collides with a running
Forwarding/Caching DNS (bdns) (see Run Forwarding /
Caching DNS, page 55). The DNS service must run
exclusively. Do NOT install both services.


3. Configuration

3.1 Service Properties

To access the service configuration area, double-click Service Properties. For service configuration details, refer to Configuration Service 4. Introducing a New Service, page 97.

Fig. 111 File structure of the DNS service

3.2 DNS Server Configuration

The following configuration nodes are available in the DNS service:
- Hint Zone
  The Hint Zone contains information on the initial set of root servers (see 3.4.1 Predefined Zones, page 334).
- Template Zone
  The Template Zone may be used to build templates for creation of new zones (see 3.4.1 Predefined Zones, page 334 for detail information).
- DNS Config
  Double-clicking DNS Configuration directs to the Forward Lookup configuration area. Sub items of Forward Lookup are the already existing zones, including the Hint Zone and the Template Zone.
  To create a new zone, right-click Forward Lookup and select Add New Zone ... The newly created zone will initially inherit all settings made in the Template Zone. The inherited settings can freely be modified and supplemented with further settings. For a more detailed description of possible configuration options see 3.4.2 Add a New Zone, page 334.

Note:
The DNS configuration area can be accessed by double-clicking any of these configuration nodes. The triggered node determines the initial view in the DNS Configuration area. Note that the sub-items "." and "_template" are identical in all cases, though.

Note:
Before starting major configurations it is best to lock the complete branch of the configuration tree below Assigned Services > <servicename> (DNS-Service).

3.3 Zone Independent DNS Server Settings

Fig. 112 DNS configuration area

To configure zone independent DNS server settings, double-click DNS Configuration, then right-click the server name in the DNS Configuration area (DNSSrv in the example). After that select Properties from the context menu (figure 112).

Fig. 113 DNS server properties

List 111 DNS Server - Properties configuration section Interface

Parameter Description
The interface section lets you configure the forwarding behavior of the DNS service.
forward  This menu offers the following settings:
  <blank> - The default settings of BIND are used.
  first - The server forwards the DNS query first. Only in case no entry is found the local database is queried.
  only - The server forwards all DNS queries.
forwarders  Enter the DNS servers here to which DNS queries are forwarded. Separate multiple entries with a semicolon and space (like 10.0.0.53; 10.0.0.67).
recursion  Define the allowance of recursive queries. The following options are available:
  yes - The server allows recursive queries.
  no - The server does not allow recursive queries.
  <blank> - The default settings of BIND are used.
notify  Define whether the DNS server should actively notify its slaves about settings updates.


List 111 DNS Server - Properties configuration section Interface (continued)

Parameter Description
forward source-ip  This field offers various selections which IP address the DNS server should use for contacting other DNS servers.
  server-first - The DNS service uses the first server IP for connecting.
  server-second - The DNS service uses the second server IP for connecting.
  explicit - The DNS service uses an explicit IP address for connecting. This IP address must be configured as a server IP.
  <blank> - The default settings of BIND are used.

List 112 DNS Server - Properties configuration section Security

Parameter Description
The security section holds security options for the DNS service. In each pull-down field one of the following values can be filled in:
  none
  any (one or more IP addresses)
These entries can optionally be complemented with further IP addresses.
Note:
Separate multiple entries of IP addresses or address ranges (inverted CIDR notation has to be used (Getting Started 5. Inverted CIDR Notation, page 25)) with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10; 10.17.0.0/16).
allow notify  Lists the hosts that are allowed to notify the DNS server about zone changes.
allow query  Lists the hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server.
allow recursion  Specifies which hosts are allowed to make recursive queries on this server.
allow transfer  Lists the hosts that are allowed to fetch the DNS database from the DNS server.
blackhole  Specifies a list of addresses that the server will not accept queries from or use to resolve a query.

3.4 Zone Configuration

3.4.1 Predefined Zones

As described before, the Barracuda NG Admin DNS GUI contains two predefined zones:
- _template
  This zone contains the general template, which is used as model for all newly created zones. The procedure for creating and modifying template settings is identical to the procedure for creating and editing settings in another zone. Note that only template settings which have already existed before creating the zone will be inherited. Double-click on the entry (_template) to create or modify settings for SOA, Primary Server, Nameserver, ... Right-click into the main window to create new hosts, mail-exchangers, ... Every setting made here will be clearly arranged in a separate row within the main window and can be selected for further modification or deletion.
- .
  The initial set of root-servers is defined using a hint zone. When the server starts up it uses the hint zone file to find a root name server and get the most recent list of root name servers. The 'zone "."' is short for this root zone and means any zone for which there is no locally defined zone (slave or master) or cached answer.

Attention:
Do NOT modify the root server settings unless you exactly know what you are doing.

3.4.2 Add a New Zone

To introduce a new zone right-click on your DNS server and select Lock Server from the context menu. Optionally you may lock the DNS Server in the Config Tree already. The configuration may now be modified.
Select Add New Zone from the context menu and configure the following options:

List 113 DNS Server - Zone configuration section General

Parameter Description
Type  Set the needed zone type here
  Master  Every domain configuration change takes place on the master. From here the information is propagated to the secondary servers.
    A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record. Be sure to examine the security settings of the master zone, since a corrupt master zone can cause a lot of problems.
  Slave  A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone.
    DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings. Be sure to set a transfer-source-IP, otherwise the slave zone will not be accepted by the DNS server.
  Forward  A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement.
    A forward zone does not need a transfer-source-IP. Be sure to check the security settings.
  Hint  The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a pre-configured hint zone (Zone "."), so normally there is no need to introduce another hint zone.
  Note:
  Depending on the selected type the necessary settings may be slightly different. Such settings are marked with (optional) in the following.
Origin Domain Name  Enter the domain name you wish to create here (for example, barracuda.com).
Lookup  This section is used for defining whether the zone should serve forward or reverse lookup.
  DNS forward lookup provides IP addresses for known host names, while reverse lookup provides host names for known IP addresses.
  The Barracuda NG Firewall DNS server is able to provide DNS reverse lookup only for 8-bit networks (like 213.47.10.0/24).
Masters (optional)  This field is available when type Slave is selected. Enter the master IP addresses here.
Forwards (optional)  This field is available when type Forward is selected. Enter the forward IP addresses here.
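To show how the Interface and Security fields of Lists 111 and 112 map onto BIND, here is an added Python example that is not the firewall's own configuration generator. It assumes the blank-means-BIND-default, "first"/"only" and "; "-separated list semantics described above, and uses the address entries as typed, without converting the GUI's inverted CIDR notation.

```python
"""Render the Interface/Security settings of Lists 111 and 112 as a BIND
'options' block and flag risky values.  Added example, not the Barracuda NG
Firewall's own generator.  A blank field leaves BIND's default untouched,
'first'/'only' become 'forward first;'/'forward only;', and list fields hold
'; '-separated entries such as '10.0.0.53; 10.0.0.67'.  Assumption: address
entries are emitted as typed (inverted CIDR notation is not converted).
"""

# GUI field name -> BIND directive for the address-list fields of List 112
ADDRESS_LISTS = {
    "allow notify": "allow-notify",
    "allow query": "allow-query",
    "allow recursion": "allow-recursion",
    "allow transfer": "allow-transfer",
    "blackhole": "blackhole",
}


def split_entries(value: str) -> list:
    """'10.0.0.53; 10.0.0.67' -> ['10.0.0.53', '10.0.0.67']; blank -> []."""
    return [item.strip() for item in value.split(";") if item.strip()]


def braced(entries) -> str:
    """BIND address_match_list syntax: { a; b; }"""
    return "{ " + " ".join(f"{e};" for e in entries) + " }"


def render_options(settings: dict) -> str:
    """settings maps the GUI field names (lower case) to the typed value."""
    lines = ["options {"]

    forward = settings.get("forward", "")
    if forward not in ("", "first", "only"):
        raise ValueError(f"forward must be blank, 'first' or 'only', got {forward!r}")
    forwarders = split_entries(settings.get("forwarders", ""))
    if forward and not forwarders:
        raise ValueError(f"forward {forward} needs at least one forwarder")
    if forward:
        lines.append(f"    forward {forward};")
    if forwarders:
        lines.append(f"    forwarders {braced(forwarders)};")

    for key in ("recursion", "notify"):
        value = settings.get(key, "")
        if value not in ("", "yes", "no"):
            raise ValueError(f"{key} must be blank, 'yes' or 'no', got {value!r}")
        if value:
            lines.append(f"    {key} {value};")

    for field, directive in ADDRESS_LISTS.items():
        entries = split_entries(settings.get(field, ""))
        if entries:  # blank: BIND default, nothing emitted
            lines.append(f"    {directive} {braced(entries)};")

    lines.append("};")
    return "\n".join(lines)


def security_findings(settings: dict) -> list:
    """Defender's checks on the Security section; each finding is one string."""
    findings = []
    transfer = split_entries(settings.get("allow transfer", ""))
    if not transfer or transfer == ["any"]:
        findings.append("allow transfer: zone transfers are not restricted to the slave addresses")
    recursion_hosts = split_entries(settings.get("allow recursion", ""))
    if settings.get("recursion", "") == "yes" and (not recursion_hosts or recursion_hosts == ["any"]):
        findings.append("recursion yes without an allow recursion list: open recursive resolver")
    if split_entries(settings.get("allow query", "")) == ["none"]:
        findings.append("allow query none: no host can query this server")
    return findings


# Constructed sample: a resolver forwarding to two upstreams, recursion
# limited to the internal network, transfers limited to the slave.
SAMPLE_SETTINGS = {
    "forward": "first",
    "forwarders": "10.0.0.53; 10.0.0.67",
    "recursion": "yes",
    "allow recursion": "10.17.0.0/16; 192.168.0.10",
    "allow query": "any",
    "allow transfer": "10.0.0.67",
    "blackhole": "10.0.3.66",
}

if __name__ == "__main__":
    print(render_options(SAMPLE_SETTINGS))
    for finding in security_findings(SAMPLE_SETTINGS):
        print("finding:", finding)
```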


By clicking the advanced button a new window appears containing additional settings:

Fig. 114 DNS properties with open advanced window

Note:
Refer to the BIND documentation for detailed information about the advanced options.

List 114 DNS Server - Zone configuration - Advanced Settings section Interface

Parameter Description
notify  Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. Possible values for selection are yes/no/explicit. If explicit is selected enter the explicit IP in the also notify field below.
also notify  Here you may enter a list of hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server.
  Note:
  Separate multiple entries with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10).
transfer-source-ip  This field is only available for type Slave. It defines the IP address the slave has to use when contacting its master DNS server.
  The following options are available:
  service-default
  server-first
  server-second
  explicit
  Note:
  Slave zones must have transfer-source-ip to work.

List 115 DNS Server - Zone configuration - Advanced Settings section Security

Parameter Description
This section offers detailed security options for the DNS service. Each pull-down field can take one of the following values:
  none
  any
allow notify  This field is only available for type Slave. It defines if the Slave accepts notifications about updates from its master.
allow query  Lists the hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server.
allow update  Lists the hosts that are allowed to update the database of the DNS server.
allow transfer  Lists the hosts that are allowed to fetch the DNS database from the DNS server.

3.4.3 Edit/Add a New Start of Authority

At creation time of the Barracuda NG Firewall DNS Server a standard template is created which is automatically inherited by newly generated zones. This standard template may freely be deleted or modified. In case you have deleted it, and have thereafter created a new zone, proceed as follows to comprehend the following instructions:
Select the newly created domain lacking a Start of Authority (SOA) record in the tree view, right-click into the main window and choose Add a New Start of Authority (SOA) from the context menu.
If the SOA record already exists, double-click on one of the existing entries with type NS or SOA and select the properties tab Start of Authority (SOA).

Fig. 115 Configuring a new SOA

List 116 DNS Server - SOA configuration

Parameter Description
Serial  Enter a serial number here.
  Note:
  Clicking Update will increase the serial number by one. The serial number of the master has to be higher than the serial number saved on the slave, otherwise the slave will stop fetching information updates from its master.
Primary Server  Select the primary name server of the domain here.
  Note:
  By clicking Pickup already created entries can be selected.
Responsible person  Use this field to define a person responsible for this host/zone. The syntax that has to be used is username.domain (for example ernest.example.test.org)
  Note:
  By clicking Pickup already created entries can be selected.
Refresh after  This interval tells the slave how often it has to check whether its data is up to date.
Retry after  When the slave fails to reach the master server after the refresh period (Refresh after), then it starts trying again after this set time interval.
Expire after  When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.


List 116 DNS Server - SOA configuration (continued)

Parameter Description
Minimum TTL (standard)  This value sets the Time To Live of cached database entries of this zone.
  Note:
  The format for TTL is days:hours:minutes:seconds.
Expire (TTL)  This value sets the Time To Live of cached database entries of this zone until it is considered as expired.
  Note:
  The format for TTL is days:hours:minutes:seconds.

3.4.4 Edit/Add a New Name Server

To introduce a new NS (Name Server), press the right mouse button in the right part of the window and select New Name Server (NS) from the context menu.
If a nameserver has already been created, open an already existing entry with type SOA or NS and choose the tab Nameserver (NS).

Note:
A new nameserver can only be entered if the SOA has already been generated.

Fig. 116 Configuring a new name server

List 117 DNS Server - Name Server configuration

Parameter Description
Superordinate domain  This is a read-only field. It displays the name of the domain the nameserver will be responsible for.
Add / Modify / Delete buttons  Clicking the button Add opens a new window allowing you to add name servers.
  Servername  This is the name of the name server.
  IP Address  This is the IP address of the name server.
  Expire (TTL)  This is the globally defined length of life, future name server records are expected to have.
    Note:
    The format for the Time to Live (TTL) is days:hours:minutes:seconds.

Fig. 117 Adding a nameserver

3.4.5 Add a New Host

To introduce a new host, press the right mouse button in the main window and select New Host from the context menu.
Entries made in the individual tabs will be saved in separate rows of type A, TXT, HINFO and WKS within the main configuration window.
Select the checkbox Add corresponding reverse lookup entry (PTR) to automatically create a pointer record when creating the A-Record.

Note:
In order to function, the reverse zone already has to exist (see 3.4.9 Reverse Lookup Zones, page 338).

Fig. 118 Configuring a New Host

List 118 DNS Server - Adding a New Host Host (A) tab

Parameter Description
Superordinate domain  This is a read-only field. It displays the name of the domain where the new host is created in.
  Note:
  This field is also displayed in all other tabs of this window.
Host  Enter the name of the host here.
  Note:
  In all other tabs of this window this field is also displayed but read-only.


List 118 DNS Server - Adding a New Host Host (A) tab (continued)

Parameter Description
IP address  To enter a new host IP address click Add. To delete an existing address click Delete.
Expire (TTL)  The format for this field is days:hours:minutes:seconds.

List 119 DNS Server - Adding a New Host Host Information (HINFO) tab

Parameter Description
The fields of this tab (Hardware Type and Operating System) can be used to provide information on the hardware and operating system platform a host is running.

List 1110 DNS Server - Adding a New Host Text (TXT) tab

Parameter Description
Text  In this field any text can be entered, for example, for describing the system to simplify maintenance of the DNS database.
Expire (TTL)  The format for this field is days:hours:minutes:seconds.

List 1111 DNS Server - Adding a New Host Well-Known Services (WKS) tab

Parameter Description
Enter the IP address and the used protocol in the appropriate fields. The services need to be entered in plain text and separated with blanks (like telnet ssh smtp ftp).

3.4.6 Add a New Mail-Exchanger

To introduce a new mail exchanger, press the right mouse button in the main window and select New Mail-Exchanger from the context menu.

Fig. 119 Configuring a new mail exchanger

List 1112 DNS Server - Adding a New Mail-Exchanger Mail-Exchanger (MX) tab

Parameter Description
Superordinate domain  This is a read-only field. It displays the name of the domain the mail-exchanger handles mail-traffic for.
  Note:
  This field is also displayed in all other tabs of this window.
Host  Depending on the needs the following values are entered here:
  @ - mail-exchanger is responsible for @domain.com
  any_text - mail-exchanger is responsible for @any_text.domain.com
  Note:
  In all other tabs of this window this field is also displayed but read-only.
Mailserver (A)  Here the name of the mailserver has to be entered.
  Note:
  By clicking Pickup already created entries can be selected.
Mailserver priority  Use this field to set the mailserver priority.
Expire (TTL)  The format for this field is days:hours:minutes:seconds.

List 1113 DNS Server - Adding a New Mail-Exchanger Mailbox information (MINFO) tab

Parameter Description
Mailbox (MB)  Here the name of the mailbox has to be entered.
  Note:
  By clicking Pickup already created entries can be selected.
Error mailbox (MB)  Here the name of the error mailbox has to be entered.
  Note:
  By clicking Pickup already created entries can be selected.
Expire (TTL)  The format for this field is days:hours:minutes:seconds.

List 1114 DNS Server - Adding a New Mail-Exchanger Well-Known Services (WKS) tab

Parameter Description
Enter the IP address and the used protocol in the appropriate fields. The services need to be entered in plain text and separated with blanks (for example telnet ssh smtp ftp).

3.4.7 Add a New Domain

To introduce a new sub-domain, right-click in the main window and then select New Domain from the context menu.

Fig. 1110 Configuring a new sub-domain

Enter a name for the new sub-domain. After clicking OK the new sub-domain appears in the DNS tree. Within the new sub-domain you are able to perform the same operations as described above.

Note:
Completely set up new sub-domains before executing Send Changes > Activate. Unconfigured sub-domains will be deleted.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


338 | Configuration > Zone Configuration DNS

3.4.8 Add New Others

There are several other objects you can add to your DNS configuration.

Note:
Consult the BIND documentation to learn about the appropriate parameters and functions of these objects.

Note:
These objects can be introduced by right-clicking in the right part of the DNS config window and selecting New Others.

The following objects can be added to the DNS configuration:

Table 111 Supplementary DNS configuration objects overview
Object Description
A: New host
AAAA: IPv6 address
AFSDB: AFSDB records specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the preference value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name.
CNAME: CNAME specifies an alias or nickname for the official or canonical name. An alias should be the only record associated with the alias; all other resource records should be associated with the canonical name and not with the alias. Any resource records that include a zone name as their value (for example, NS or MX) must list the canonical name, not the alias. This resource record is especially useful when changing machine names.
HINFO: HINFO records contain host-specific data. They list the hardware and operating system that are running on the listed host. If you want to include a space in the machine name, you must quote the name. Host information is not specific to any address class, so ANY may be used for the address class. There should be one HINFO record for each host. For security reasons, many sites do not include the HINFO record, and no applications depend on this record.
ISDN: Representation of ISDN addresses.
MB: MB lists the machine where a user wants to receive mail. The "name" field is the user's login; the machine field denotes the machine to which mail is to be delivered. Mail box names should be unique to the zone.
MG: The mail group record (MG) lists members of a mail group.
MINFO: MINFO creates a mail group for a mailing list. This resource record is usually associated with a mail group, but it can be used with a mailbox record. The "name" specifies the name of the mailbox. The "requests" field is where mail, such as requests to be added to a mail group, should be sent. The "maintainer" is a mailbox that should receive error messages. This is particularly appropriate for mailing lists when errors in members' names should be reported to a person different to the sender.
MR: MR records list aliases for a user. The "name" field lists the alias for the name listed in the fourth field, which should have a corresponding MB record.
MX: MX records specify a list of hosts that are configured to receive mail sent to this domain name. Every host that receives mail should have an MX record, since if one is not found at the time the mail is delivered, an MX value will be imputed with a cost of 0 and a destination of the host itself.
NS: NS lists a name server responsible for a given zone. The first "name" field lists the zone that is serviced by the listed name server. There should be one NS record for each name server of the zone, and every zone should have at least two name servers, preferably on separate networks.
PTR: PTR allows special names to point to some other location in the domain. The following example of a PTR record is used in setting up reverse pointers for the special in-addr.arpa domain. This line is from the example mynet.rev file. In this record, the "name" field is the network number of the host in reverse order. You only need to specify enough octets to make the name unique.
RP: RP identifies the name (or group name) of the responsible person(s) for a host. This information is useful in troubleshooting problems over the network.
RT: Route-through binding for hosts that do not have their own direct wide area network addresses (experimental).
SVR: Information on well known network services (replaces WKS).
TXT: A TXT record contains free-form textual data. The syntax of the text depends on the domain in which it appears; several systems use TXT records to encode user databases and other administrative data.
WKS: WKS records describe the well-known services supported by a particular protocol at a specified address. The list of services and port numbers comes from the list of services specified in /etc/services. There should be only one WKS record per protocol and address. Because the WKS record is not widely used throughout the Internet, applications should not rely on the existence of this record to recognize the presence or absence of a service. Instead, the application should simply attempt to use the service.
X25: Representation of X.25 network addresses (experimental)

3.4.9 Reverse Lookup Zones

Each of the four available zones can be defined as reverse lookup zone.

To do so, switch the lookup box from forward to reverse when creating a new zone.

The input mask will change and you will be able to enter the address of the network you wish to create a reverse lookup zone for.

Fig. 1111 Create reverse lookup zone

An appropriate name for the reverse lookup zone will automatically be created from the network address. In our example, the network address is 10.0.0.0 which results in an automatically created reverse lookup zone named 0.0.10.in-addr.arpa.

By clicking the advanced button the advanced option window will pop up allowing you to define the same options as described in 3.4.2 Add a New Zone, page 334.
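The zone naming of 3.4.9 and the PTR rule from Table 111 ("only enough octets to make the name unique") can be worked through in a few lines. The following is an added example, not part of the guide and not the firewall's own code; it assumes octet-aligned prefixes (/8, /16, /24), under which the guide's 10.0.0.0 example corresponds to a /24 network, and the host names used are constructed:

```python
"""Added example (not from the Barracuda guide): deriving a reverse lookup
zone name from a network address, as section 3.4.9 does for
10.0.0.0 -> 0.0.10.in-addr.arpa, and the relative PTR owner name inside it.
Assumption: prefix lengths are octet-aligned (/8, /16, /24); the guide's
example corresponds to a /24."""

import ipaddress


def reverse_zone(network: str, prefix_len: int = 24) -> str:
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 network.

    Only the octets covered by the prefix are used, in reverse order,
    e.g. reverse_zone("10.0.0.0", 24) == "0.0.10.in-addr.arpa".
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("prefix length must be octet-aligned (8, 16 or 24)")
    # strict=True rejects a host address such as 10.0.0.17/24 as a network
    net = ipaddress.IPv4Network(f"{network}/{prefix_len}", strict=True)
    octets = str(net.network_address).split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address: str, zone: str) -> str:
    """Return the PTR owner name relative to `zone` for `address`.

    As Table 111 says for PTR, only the octets needed to make the name unique
    inside the zone are given: 10.0.0.17 in 0.0.10.in-addr.arpa is just "17".
    """
    full = ipaddress.IPv4Address(address).reverse_pointer  # 17.0.0.10.in-addr.arpa
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{address} is not inside zone {zone}")
    return full[: -len(suffix)]


def ptr_record(address: str, zone: str, hostname: str, ttl_seconds: int = 86400) -> str:
    """Render a zone-file style PTR line for the given host (constructed output)."""
    return f"{ptr_owner(address, zone)}\t{ttl_seconds}\tIN\tPTR\t{hostname}."


if __name__ == "__main__":
    zone = reverse_zone("10.0.0.0", 24)      # the guide's example network
    print(zone)                              # 0.0.10.in-addr.arpa
    print(ptr_record("10.0.0.17", zone, "host17.example.com"))
```

Addresses outside the zone are rejected rather than silently producing a wrong owner name, which is the mistake that most often leaves reverse lookups unanswered.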

12 Proxy

1. HTTP Proxy
1.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
1.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
1.2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.2 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.3 Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
1.2.4 Content Inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
1.2.5 Advanced. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
1.3 Transparent Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
1.4 Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
1.4.1 Example Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

2. Secure Web Proxy


2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
2.2 Technical Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
2.3 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
2.4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
2.4.1 Secure Web Proxy Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
2.5 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
2.5.1 Access Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
2.5.2 Tickets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
2.5.3 Certificates Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
2.5.4 RSS-Feeds Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
2.5.5 Webservices Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

3. URL Filter
3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
3.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.1 Configuring URL Filter Redirectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.2 Configuration of the URL Filter Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.3 Configuring of URL Filter - Redirector Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
3.3.4 Adapting the Local Firewall Rule Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4 Communication & Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4.1 Communication with External HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4.2 Proventia URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
3.5 Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
3.6 Load Sharing and High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367


1. HTTP Proxy

1.1 Installation

Note:
The proxy service integrated into Barracuda NG Firewall is based on the Squid Web Proxy Cache. The labelling of configuration parameters thus follows the labelling applying in the initial product. If you are not familiar with terms used for Squid proxy configuration, refer to the official Squid documentation available at www.squid-cache.org.

Note:
DNS Server IP and Box DNS Domain must be specified in the Box Settings file before creating the proxy service (Configuration Service 2.2.3.3 DNS, page 55). The proxy service will otherwise fail to start.

A box server already has to exist before an HTTP Proxy service can be created.

Note:
When two proxy instances are configured on one box (for example an HTTP Proxy and a Secure Web Proxy), they must be configured to use two different ports, even if they use separate bind-IPs.

To create an HTTP Proxy service, select Create Service from the context menu of Config > Box > Virtual Servers > <servername> > Assigned Services.

Fig. 121 Creating the HTTP Proxy service

Insert a name for the proxy service and assign HTTP Proxy as software module.

Fig. 122 Creating the HTTP Proxy service

Click the Activate button to activate the changes. The newly installed HTTP Proxy service is now ready for configuration.

For service configuration details, refer to Configuration Service 4. Introducing a New Service, page 97.

Note:
Regarding the proxy service, customized statistics settings are not configurable. By default, the service will always generate all available statistics types.

1.2 Configuration

To configure specific proxy service settings double-click HTTP Proxy Settings.

Fig. 123 HTTP Proxy Config node in the Configuration Tree


1.2.1 General

List 121 HTTP Proxy Service Parameters - General section Basic Settings
Parameter Description
Contact Mail: Mail address of administrative contact used for designation of user and error messages.
Visible Hostname: Host name displayed in error messages generated by the proxy service. Defining a host name is mandatory.
Note: Do not use special characters in the visible hostname.
Attention: If you are running a Forwarding/Caching DNS server (parameter see Run Forwarding / Caching DNS, page 55) the Visible Hostname MUST NOT be identical to the Box Hostname (parameter see Hostname, page 62).
Language of Error Pages: This parameter defines the language for Access Denied error messages. German and English are available for choice.
Disable FTP: If set to yes (as it is by default) the proxy server denies FTP requests. Set to no to enable FTP traffic.

List 122 HTTP Proxy Service Parameters - General section Log Settings
Parameter Description
Write Store-Log: The store log file records information about storage and deletion of cached objects. This information is essentially important for troubleshooting.
Write Cache-Log: The cache log file records debug and failure messages generated by squid during operating time. Amongst others, it includes information about service start and termination, and execution of ACLs.
Debug Level: The debug level defines the verbosity of the cache log file (default: normal).
normal - Setting to normal results in minimal logging. Errors will not be listed exhaustively; statistical information will not be generated.
verbose - Setting verbose generates statistical information and logs most errors.
debug - Setting to debug results in exhaustive logging of errors and statistical information.
Attention: Use option debug with care, as full logging claims high disk capacity.
Log via Syslog: This parameter determines handling of log files that are generated by the HTTP Proxy service. Setting to no triggers local log file generation. Setting to yes forwards logging data to the local Syslog-Proxy (Configuration Service 5.2.3 Syslog Streaming, page 116) where further data processing can be defined. Setting to Auto (default) queries the Syslog-Proxy configuration prior to log data processing. If a streaming profile for HTTP Proxy log files is defined, it will be used to stream log files to a syslog server and generates a local log file as well.
Note: Set to no if you encounter performance issues in conjunction with remote logging of busy servers.

List 123 HTTP Proxy Service Parameters - General section Misc. Settings
Parameter Description
This part of the configuration offers manual control of size and structure of the cache directories. Click Set to open the cache config.
Size in MB: Specifies the maximum size of the cache directory in MB. The cache is located in /var/phion/squid-cache_SERVERNAME_SERVICENAME. Using at least 100 MB is recommended.
Level1 Directories / Level2 Directories: These settings define the structural organisation of the proxy service's cache directory. The default values (16 / 256) are the recommended minimum values for Level1 and Level2 directories respectively. Define settings with deliberation, since high values result in a vast number of subdirectories.

List 124 HTTP Proxy Service Parameters - General section Fail Cache Settings
Parameter Description
Enable Fail Cache: Enables or disables the HTTP Proxy Fail Cache.
Keep Fail Cache Entries (d): Maximum number of entries of the HTTP Proxy Fail Cache.

1.2.2 Network

Fig. 124 HTTP Proxy Service Parameters - Network

List 125 HTTP Proxy Service Parameters - Network section Network Settings
Parameter Description
TCP Outgoing Address: The proxy server uses this IP address when executing HTTP requests. Available for selection are: First-IP, Second-IP, Dynamic, Other (which means an explicit IP address). With setting Dynamic a suitable address for request execution is chosen automatically from the available server address pool.
Note: Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
TCP Listening Port: The TCP Listening Port defines the port the proxy service is listening on for incoming TCP connections. (TCP Incoming is set as Bind Type in the service configuration window; see Configuration Service List 387 Service Configuration - General section Service Definition, page 97).
Note: The TCP Listening Port configured here is directly related to the Service Object "PROXY" which is configured in the Services tab of the Local Firewall. If you change the value of the TCP Listening Port to another value than the default 3128, remember to change the value of the Service Object "PROXY" as well because this one is used in the default HTTP proxy Local Firewall rule set. If port settings are not adapted in the Service Object, all HTTP traffic is blocked.
UDP Incoming Address: The proxy server uses this IP address when responding to ICP queries. Available for selection are: First-IP, Second-IP, None, Other (which is an explicit IP address).
Note: Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
UDP Outgoing Address: The proxy server uses this IP address when executing ICP and DNS queries. Available for selection are: First-IP, Second-IP, Other (which is an explicit IP address).
Note: Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
Note: Insert 255.255.255.255 into this field when accessing the Internet through a dynamically assigned IP address (like using an xDSL line).
ICP Port: This is the port through which the proxy service handles ICP (Internet Cache Protocol) connections with its neighbour caches (default: 3130). If not needed set to 0 to disable.
Neighbour: see Section Neighbour Settings
SNMP Settings: see SNMP Settings, page 342


Section Neighbour Settings

Use this section to configure this proxy server's behavior towards neighbouring proxies. Adjacent proxies can rank before or be coequal with the proxy, which means they can either be treated as parents or siblings. Click Insert to create a new neighbouring proxy and specify a Name for it.

Attention:
The name specified in this place is used as expression in the proxy server's ACL list. The same applies to the Name field specified for a new record in the ACL Entries section (see 1.2.3.4 Access Control - Section ACL Entries, page 345). To avoid conflicts, make sure these two names never match.

The following parameters are available for configuration.

List 126 HTTP Proxy Service Parameters - General - Neighbour Settings
Parameter Description
IP/Hostname: This field contains either IP address or hostname of the neighbouring proxy server.
Neighbour Type: This field defines the relationship to the neighbouring proxy server. Possible values are parent or sibling.
Attention: In a sibling relationship, a peer may only request objects already held in the cache. A sibling cannot forward cache misses on behalf of the peer.
Exclusive Parent: This parameter is only activated with Neighbour Type set to parent. When set to yes all requests are forwarded to the Exclusive Parent. This setting is recommended if the parent proxy is a virus scanning proxy server.
Proxy Port: Specifies the port on which the neighbour server listens for incoming HTTP requests (default: 3128).
ICP Port: Specifies the port on which the neighbour server listens for incoming ICP connections (default: 3130). To configure a neighbour cache not using ICP, enable the UDP echo port on it and specify 7 as ICP port value. For neighbours which do not support ICP queries, specify 0 as ICP port value and define no-query in the Options parameter (Section Option Settings) below.
Cache Priority: Setting a value for the Cache Priority is mandatory. Lower numbers mean higher priority. The neighbour cache with the highest priority number will be considered first. The priority may be set to any value if only one neighbour cache exists. It will then be ignored.
Attention: The Cache Priority may not be set to value 0.
Note: An example for cache priority weighing is described in 1.2.3.11 Cache Behavior Configuration Example.

List 127 HTTP Proxy Service Parameters - General - Neighbour Settings section Option Settings
Parameter Description
Authentication: This parameter specifies the authentication mechanism from the proxy to its neighbour. Possible values are NONE (default), noPASS and PASS.
Use PASS (=log in) if authenticating against an upstream proxy (parent). To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for one proxy login. USE WITH CAUTION, as this will expose your user's proxy password to the parent.
Use noPASS with a personal or workgroup proxy when the parent requires proxy authentication. In this case User and Password are set in the fields below.
User/Password: This is the login data needed with Authentication setting noPASS (see above).
Options: Additional options for the specified parent proxy can be inserted here. Amongst others, the following options can be used: proxy-only, weight=n, ttl=n, no-query, default, round-robin, multicast-responder, closest-only, no-digest, no-netdb-exchange, connect-timeout=nn, digest-url=url, allow-miss. Please consult the squid documentation for further information.

List 128 HTTP Proxy Service Parameters - General - Neighbour Settings section Cache Behavior
Parameter Description
Note: Activities related to the caching parameters are logged to the files <server_servicename>\proxy\store and access. These files can be viewed in the Barracuda NG Admin LogGUI (DHCP, page 287).
URL Fetching: This parameter takes complete URLs or a list of words, which if found in an URL cause the object to be handled directly by the proxy itself. Before communicating with any of the cache peers, squid first tries to fetch the requested URL directly from the server. If it cannot find it, it tries to establish a connection to the configured parent cache(s).
Note: URLs entered without protocol specification are applied on both possible protocols, HTTP and FTP (like www.barracuda.com, *barracuda*). Please consider the following characteristic when fetching FTP URLs with virus scanner and FTP scanning activated at the same time: If directly fetched FTP URLs ought to be virus scanned, specify their protocol as well (like ftp://www.barracuda.com, ftp://*barracuda*). The data stream will otherwise be forwarded without virus scanning.
Note: It is recommended to include dynamic pages into this tag (like jsp, asp, php, ...).
Attention: Though configured in context per neighbour cache, the value of the URL Fetching parameter is inherited by all neighbours in use. A specific domain, once configured for direct access in a single configuration section, will always be fetched directly, even if not inserted in other configuration sections.
Cache Direct Objects: This parameter is linked to parameter URL Fetching. Set to yes to enable caching of URLs with characteristics specified above. Set to no to disable caching.
Domain Restrictions: This parameter takes a list of explicit domains for which the neighbour caches are to be queried. The following syntax applies:
.domainame.tld
.subdomain.domainame.tld
*.domainname.tld
A domain name preceded by an exclamation mark means that all domains are to be requested from the cache except the specified one:
!.domainname.com
Cache hosts with no domain restrictions configured will be queried for all domains.
Cache Domain Objects: This parameter is linked to parameter Domain Restrictions. Set to yes to cache URLs fetched from the parent.
Cache Peer Access: This parameter takes a list of IP addresses/IP address ranges which is to be directed to a specific neighbour cache. If restrictions are not configured, the cache will be queried for all requests.
Cache IP Objects: Set to yes to cache requests originating from the IPs specified above.

SNMP Settings

The integrated Squid proxy server can handle statistics and status information transmitted through the Simple Network Management Protocol (SNMP). This is especially useful for management of non SNMP manageable network nodes. The SNMP Service daemon (snmpd) supports protocol versions SNMPv1 and SNMPv2c. It accepts and responds to SNMP Service messages that have been sent to the SNMP Service port.

For a general overview of SNMP Service features please see SNMP 1. Overview, page 514.

In a network management system, SNMP communication is processed over two components, the Network Management Station (NMS) and its managed agent. When the managed agent is not capable of SNMP, a Proxy SNMP Agent may take over the task of querying the Management Information Base (MIB) and forwarding the retrieved information to agent and network management station as queried.

The following scheme depicts the proxy server's position in an environment communicating through SNMP.

Fig. 125 SNMP Service message handling (the figure shows the Network Management Station (NMS) exchanging SNMP traffic and priority messages over the LAN with the Proxy SNMP Agent (SNMP Agent Protocol Engine), which in turn queries the MIB of the Real Agent, a non SNMP manageable network node)
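Since the Neighbour Settings above are named after Squid's own directives, it helps to see what Lists 126 to 128 turn into and which of the guide's constraints (Cache Priority never 0, ICP port 0 only together with no-query, noPASS needing User and Password, PASS exposing the user's credentials to the parent) can be checked before a line is written. The following is an added example and not the service's own squid.conf generator; the mapping of GUI fields to cache_peer, cache_peer_domain and cache_peer_access arguments, and the rule that a lower Cache Priority value is emitted first, are assumptions made for this example, and all addresses and credentials are constructed:

```python
"""Added example (not from the Barracuda guide and not the service's own
squid.conf generator): rendering Neighbour Settings (Lists 126 to 128) as the
Squid directives they are named after and checking the guide's constraints
first. Field-to-argument mapping is an assumption made for this example."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class Neighbour:
    name: str                      # Name given on Insert; also used as ACL expression
    host: str                      # IP/Hostname
    ntype: str                     # Neighbour Type: parent or sibling
    proxy_port: int = 3128         # Proxy Port (guide default)
    icp_port: int = 3130           # ICP Port: 0 = peer has no ICP, 7 = UDP echo
    priority: int = 1              # Cache Priority; 0 is not allowed
    authentication: str = "NONE"   # NONE, noPASS or PASS
    user: str = ""
    password: str = ""
    options: List[str] = field(default_factory=list)       # Options field
    domain_restrictions: List[str] = field(default_factory=list)
    peer_access: List[str] = field(default_factory=list)   # Cache Peer Access


def validate(n: Neighbour) -> List[str]:
    """Return the violations of the rules stated in Lists 126 and 127."""
    problems = []
    if n.ntype not in ("parent", "sibling"):
        problems.append(f"{n.name}: Neighbour Type must be parent or sibling")
    if n.priority == 0:
        problems.append(f"{n.name}: Cache Priority may not be 0")
    if n.icp_port == 0 and "no-query" not in n.options:
        problems.append(f"{n.name}: ICP port 0 requires no-query in Options")
    if n.authentication == "noPASS" and not (n.user and n.password):
        problems.append(f"{n.name}: noPASS needs User and Password")
    if n.authentication == "PASS" and n.ntype != "parent":
        problems.append(f"{n.name}: PASS is meant for an upstream parent")
    return problems


def cache_peer_line(n: Neighbour) -> str:
    """cache_peer <host> <type> <http-port> <icp-port> [options]"""
    opts = list(n.options)
    if n.authentication == "PASS":
        # Relays the client's own proxy credentials upstream: the guide's
        # USE WITH CAUTION case, since the parent then sees the user's password.
        opts.append("login=PASS")
    elif n.authentication == "noPASS":
        opts.append(f"login={n.user}:{n.password}")
    parts = ["cache_peer", n.host, n.ntype, str(n.proxy_port), str(n.icp_port)] + opts
    return " ".join(parts)


def render(neighbours: List[Neighbour]) -> str:
    """Render all neighbours, or raise if any rule is violated."""
    problems = [p for n in neighbours for p in validate(n)]
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    # Assumption for this example: the lower Cache Priority value is consulted
    # first, so neighbours are emitted in that order.
    for n in sorted(neighbours, key=lambda x: x.priority):
        lines.append(cache_peer_line(n))
        if n.domain_restrictions:   # Domain Restrictions; a leading "!" excludes a domain
            lines.append(f"cache_peer_domain {n.host} " + " ".join(n.domain_restrictions))
        if n.peer_access:           # Cache Peer Access: the ACL carries the neighbour's
            acl = f"{n.name}_src"   # name, which is why it must not clash with an ACL Entries name
            lines.append(f"acl {acl} src " + " ".join(n.peer_access))
            lines.append(f"cache_peer_access {n.host} allow {acl}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample configuration: a scanning parent and an ICP-less sibling
    peers = [
        Neighbour("scanner", "10.0.0.5", "parent", priority=1,
                  authentication="noPASS", user="proxyuser", password="secret",
                  domain_restrictions=[".example.com", "!.intranet.example.com"]),
        Neighbour("sib", "10.0.0.6", "sibling", icp_port=0, priority=2,
                  options=["no-query"], peer_access=["192.168.1.0/24"]),
    ]
    print(render(peers))
```

Validating before rendering mirrors what the GUI enforces (a zero priority is refused) and catches the combination the guide only describes in prose: a neighbour with ICP port 0 but without no-query, which Squid would keep querying.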

Click Set to configure the Proxy SNMP Service settings.

The following parameters are available for configuration:

List 129 HTTP Proxy Service Parameters - General section SNMP Service
Parameter Description
Enable SNMP: This option enables the Proxy SNMP agent. If set to No, the proxy will not listen for SNMP traffic.
SNMP Address: This parameter defines the address the Proxy SNMP listens on for SNMP traffic. The agent uses the defined SNMP address(es) to accept messages from SNMP agents and to return packets to them.
SNMP Port: Listening port for SNMP queries.
Attention: Do not use the default SNMP port if a SNMP Service is configured on this server.
IP/Mask: IP/Mask defines which hosts/networks are granted to query the SNMP Service. Access to the SNMP port is allowed for all peers with the source network addresses configured here. Squid checks all snmp_access ACL operators when it is queried by a SNMP management station.
Community: Defines the community name (acts as a sort of password) to identify membership of a community.

1.2.3 Access Control

1.2.3.1 Section Authentication

A user authentication scheme has to be configured if you want your users to authenticate themselves when using the proxy.

Note:
If an authentication scheme has been configured, all users will be asked to authenticate themselves by default. Defining ACLs in the Access Control - Section ACL Entries 1.2.3.4, page 345 revokes this default setting. From now on, ACLs making use of ACL Type proxyauthentication must be defined explicitly (see User Authentication, page 346).

Click the Set button to open the User Authentication configuration window:

Fig. 126 Config Section Dialog - Authentication Settings

Note:
The availability of the options depends on the set Authentication Scheme.

List 1210 HTTP Proxy Service Parameters - Authentication Settings
Parameter Description
Authentication Scheme General: Defines the authentication method applying:
Remote-MS-CHAP-Phibs: for Windows 2003 Server domains in native mode.
Note: To use MSCHAPv2 authentication method, it is required to integrate the Barracuda NG Firewall as a member into the Windows domain.
Note: Remote-MS-CHAP-Phibs replaces the option Native-NTLM from former versions.
PHIBS-Specific-Schemes: for non windows network environments.
Note: When using one of the first two methods, a fallback scheme has to be configured in the PHIBS Specific Authentication Scheme section to allow for authentication of non windows clients as well.
Attention: When using a Windows 2003 server domain with scheme Native-NTLM take the following into consideration: Domain has to be in Mixed-Mode (NOT Native) AND registry key HKLM/SYSTEM/CurrentControlSet/Services/lanmanserver/parameters/requiresecuritysignature has to be set to 0.
The following parameters are only available with Remote-MS-CHAP-Phibs selected as Authentication Scheme:
Authentication Text: This field contains the text that is displayed in the MS-CHAP authentication window of the client. Enter a significant text to let the user know which server requires authentication. Supplying an authentication text is mandatory.
Authentication Worker MS-CHAP: Number of workers started for authentication. The default value is 5.
Note: For proxy servers with great load this value may be set up to 48.
The following parameters are only available with Native-NTLM selected as Authentication Scheme:
Windows Domain Name: This is the name of the domain the authentication server resides in.


List 1210 HTTP Proxy Service Parameters - Authentication Settings (continued)
Domain Controller: This is the host name of the Windows domain controller providing the authentication operation. Enter the host name without its domain suffix. The name has to be DNS resolvable.
Attention: Do not enter IP addresses instead of host names.
No restrictions apply to the number of domain controllers in use. Multiple domain controllers improve performance because the load is balanced between them.
Note: Since Native-NTLM uses small time-out values, it may be necessary to add the parameters auth_param ntlm max_challenge_reuses and auth_param ntlm max_challenge_lifetime within the Generic squid.conf Entries (Section ADVANCED SQUID CONFIGURATION, page 351) for fine tuning.
Attention: Do not use Domain Controllers in conjunction with low speed connections, for example 10 MBit network connections or VPN tunnels.

List 1211 HTTP Proxy Service Parameters - Authentication Settings - PHIBS Specific Authentication Scheme
Note: This section has to be configured with either authentication method selected. It is either applied solely, or the settings represent a fallback scheme in case the other authentication methods are not applicable (see parameter Authentication Scheme General).
Authentication Text: This field contains the text that is displayed in the authentication window of the client. Enter a significant text to let the user know which server requires authentication.
Authentication Worker: Number of workers started for authentication. The default value is 5.
Note: For proxy servers with great load this value may be set up to 48.
PHIBS Authentication Scheme: A pull-down menu gives five different schemes to choose from: MSNT, MSAD, RADIUS, LDAP, RSAACE.
Note: The authentication schemes are activated and configured in the box configuration (Configuration Service 5.2.1 Authentication Service, page 111).
PHIBS Listen IP: Defines the IP address of the box on which the PHIBS authentication daemon is running.
PHIBS Timeout: Specifies the response timeout for the authentication server.
User List Policy: The option deny-explicit means that all domain users who are listed in the user list are not allowed to use the proxy service. The option allow-explicit means that only domain users listed in the user list are allowed to use the proxy service. Listed users still have to authenticate themselves in either case.
User List: List of usernames that the User List Policy is applied to.

1.2.3.2 Section Access Control - Proxy Access Handling Scheme
In the Access Control section, access control lists can be defined exhaustively. The sections ACL ENTRIES and ACTIONS make GUI helpers available for configuration. The sections ACL FILELIST and LEGACY allow integration of complete ACL files.
The parameter Access Configuration influences the configuration mode. With default selected, access control is managed through the ACL ENTRIES, ACTIONS, and ACL FILELIST sections. If set to legacy, all ACLs may be specified manually in the LEGACY section without using GUI helpers.
Note: When configuring Access Control in legacy mode or through an ACL FILELIST, ACLs must match squid.conf syntax exactly.
The value Default is related to the use of the default Access Configuration mode. It sets all ACLs which have not been set to allow explicitly to deny by default. Squid first looks for ACL files in the ACL FILELIST, then continues the workflow by processing the entries in the ACL ENTRIES and ACTIONS sections.

Fig. 127 Proxy Access Handling Scheme (flowchart; the decision sequence it depicts is the following)
1. Correct port? If not, Squid blocks the request (deny).
2. Authentication set? If yes: correctly authenticated? If not, the authenticator blocks the request (deny).
3. ACL Entries and Actions set? If not, the default behavior decides whether access is allowed or denied.
4. All actions for the ACL entries set to allow? A request matching one of the actions is allowed; a request matching none falls through to the default behavior.
5. All actions set to deny? A request matching one of the actions is denied; a request matching none falls through to the default behavior.
6. Allow and deny actions mixed? The actions are checked in priority order and the first matching action decides according to its type (allow or deny); a request matching none falls through to the default behavior.
7. Connection establishment.
Note: For each allow action a deny action with the logically inverse statement exists, and vice versa.
1.2.3.3 Access Control - Using Regular Expressions
In Barracuda NG Firewall, Perl-compatible regular expressions (PCRE) show to advantage, for example in the HTTP Proxy server ACL configuration section. Here they may be used in various configuration fields where the aim is to replace hard coded character strings with expressions that match in multiple cases. The table below summarizes those regular expressions which are most frequently applicable for this purpose.
Note: Abundant reading is available for an exhaustive instruction of how to use regular expressions. A handy quick syntax overview can be found at http://www.perl.com/doc/manual/html/pod/perlre.html.
Note: Regular expressions in the HTTP proxy server configuration are treated case insensitive.
Attention: In fields where both plain words AND regular expressions are applicable, take care not to use characters which are metacharacters in a regular expression without due care; an unescaped dot, for example, matches any single character and not only a literal dot.
Note: For lucidity reasons strive for formulating regular expressions as simple as possible.

Table 121 Short overview of metacharacters in regular expressions
Metacharacter: Description
. : Matches any single character (including space). For example, the regular expression b.g would match the strings big, bug, b g, but not blog.
$ : Matches the end of a line. For example, the regular expression mp3$ would match the end of the string "song.mp3" but not the string "mp3 download". The expression mp3$ may for example be used in an ACL entry with type urlextension or urlpathextension to exclude download of mp3 files where the string mp3 represents the URL ending.
^ : Matches the beginning of a line. For example, the regular expression ^mp3 would match the beginning of the string "mp3 player available for download" but would not match "get your free mp3 player".
* : Matches zero or more occurrences of the character immediately preceding. For example, the regular expression .* means match any number of any characters.
\ : This is the quoting character; use it to treat the succeeding character as an ordinary character. For example, \$ is used to match the dollar sign character ($) rather than the end of a line. Similarly, the expression \. is used to match the dot character rather than any single character. For example, the expression \.mp3 may be used in an ACL entry with type urlextension or urlpathextension to exclude access to links containing the file ending .mp3, where .mp3 does not necessarily have to represent the URL ending.
[] : Matches any one of the characters between the brackets. For example, the regular expression b[aiu]g matches bag, big, and bug, but not beg.
[0-9] [a-z] : Matches a range or multiple ranges of characters or digits between the brackets. For example, the regular expression [1-5] matches all digits from 1 to 5. The regular expression [a-cg-k] matches all letters from a to c and g to k.
[^1-5] [^a-k] : Use the caret as first character after an opening bracket to match any character except those in the range. For example, the regular expression [^1-3a-k] matches all characters except 1 to 3 and a to k.
? : Matches 0 or 1 occurrence of the character or regular expression immediately preceding. For example, the regular expression warez? matches both ware and warez. Note that z? on its own matches every string, since zero occurrences of z also count as a match; the optional character only restricts the match in combination with the characters preceding it.

1.2.3.4 Access Control - Section ACL Entries
This section allows defining ACL Types, which afterwards, when set together in the ACL ACTION section, build up an access control list. Click Insert to generate a new ACL and specify a significant Name for it. The following objects are available for configuration:

List 1212 HTTP Proxy Service Parameters - Authentication Settings - ACL Entries
ACL Type: In this place a pull-down menu displays all ACL Types available for configuration in the fields below. Choosing a type activates the corresponding fields' Edit and Clear buttons. After choosing the type, click Edit to open the succeeding parameter configuration dialog.
Time Restrictions (ACL Type: time): This parameter defines access during specific times.
  Name: timeconfig (predefined)
  Use Local Box Time: If checked, time restrictions apply according to box time zone settings.
  Time Zone: This parameter is only active if local box time settings do not apply. In this case, configure a time zone explicitly.
  Note: ACL entries regarding time settings are always converted to local box time in squid.conf. Only if you are using local box time is no conversion necessary, and the time in the ACL entries will exactly match box time. Do not let yourself be confused if ACL entries written to squid.conf do not seem to be what you have configured. Have a look at the configuration examples below (1.2.3.9 ACL Time Restrictions Configuration Examples).
  Time Settings: By default, the configuration is always active. Click the Always button to define the ACL's validity period explicitly. The button's label turns to Restricted! when time settings have changed. See 1.2.3.8 ACL Time Restrictions for a detailed description of Time Restrictions configuration.
Source IP (ACL Type = source): This parameter defines a connection's source IP.
  Name: sipconfig (predefined)
  IP Configuration: A pull-down menu makes configuration of IP Ranges or Single IPs available. The following menu entries exist: Singlemode, Rangemode. Inverted CIDR notation applies if activated.
  IP Ranges (from/to): Insert an IP range into these fields.
  Single IPs (Set IPs): Insert a single IP or multiple single IPs into this field.
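The difference between the two regular-expression ACL types used in the table above (urlextension, that is Squid url_regex over the whole URL, and urlpathextension, that is urlpath_regex over the part after the hostname) and the effect of an escaped versus an unescaped dot are easiest to see by running the patterns against a few URLs. The following Python script is an added example and not part of the original guide or of the Barracuda product; the sample URLs are constructed, and treating the query string as part of the path is an assumption made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs for this example (not taken from the original page).
SAMPLE_URLS = [
    "http://www.exampledomain.com/example/domain/index.htm",
    "http://downloads.example.net/music/song.mp3",
    "http://www.example.org/mp3-player/specs.html",
    "HTTP://CDN.EXAMPLE.NET/files/Track.MP3?session=abc",
]


def url_regex(pattern, url):
    """ACL type urlextension (Squid url_regex): the pattern is searched in the
    complete URL, protocol and hostname included. All entries are treated case
    insensitive, so the flag mirrors the proxy configuration."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def urlpath_regex(pattern, url):
    """ACL type urlpathextension (Squid urlpath_regex): protocol and hostname
    are skipped and only the part after the host is searched. The query string
    is kept together with the path here (assumption for this example)."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return re.search(pattern, path, re.IGNORECASE) is not None


def matching_urls(pattern, urls=SAMPLE_URLS, acl_type="urlextension"):
    """Return the subset of urls that the pattern would match for the given
    ACL type ("urlextension" or "urlpathextension")."""
    check = url_regex if acl_type == "urlextension" else urlpath_regex
    return [u for u in urls if check(pattern, u)]


if __name__ == "__main__":
    # "example" hits every host name with url_regex but only one path;
    # "mp3$" only matches a URL that really ends in mp3; ".mp3" (unescaped
    # dot) also matches "/mp3-player", r"\.mp3" does not.
    for pattern in ("example", "mp3$", r"\.mp3", ".mp3"):
        for acl_type in ("urlextension", "urlpathextension"):
            hits = matching_urls(pattern, acl_type=acl_type)
            print(f"{pattern!r:10} {acl_type:17} -> {hits}")
```

Running the script shows why the guide recommends \.mp3 over .mp3 when the intention is the file ending: the unescaped dot also matches the slash in /mp3-player, and mp3$ misses a download whose URL carries a query string after the file name.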

List 1212 HTTP Proxy Service Parameters - Authentication Settings - ACL Entries (continued)
Destination IP (ACL Type = destination): This parameter defines a connection's destination IP.
  IP Configuration: A pull-down menu makes configuration of IP Ranges or Single IPs available. The following menu entries exist: Singlemode, Rangemode. Inverted CIDR notation applies if activated.
  IP Ranges (from/to): Insert an IP range into these fields.
  Single IPs (Set IPs): Insert a single IP or multiple single IPs into this field.
Source Domain / Destination Domain (ACL Type = sourcedomain / destinationdomain): This parameter defines client domains. Processing delays may be caused when using domain names, as Squid needs to perform reverse DNS lookups (from client IP address to client domain name) before it can interpret the ACL.
  Domains: Insert domain names into this field.
  Note: Domain names are to be preceded by a dot. Example: .barracuda.com
User Authentication (ACL Type = proxyauthentication): Defines users authenticating themselves in an external authentication program. This ACL type can only be used with user authentication set.
  Required for All Users: Set to yes (default: no) if generally all users using the proxy should authenticate themselves. With the setting yes, the Users field below is deactivated. With the setting no, users must be defined explicitly.
  Note: An ACL with setting yes can only be created once. You will be warned when trying to create a further identical ACL.
  Users: Define user names for authentication. If authentication should apply, the ACL containing the user names has to be added to the ACL entry. Actions may be allowed or denied for the specified users after they have authenticated themselves.
Groups: Definition of meta directory group patterns.
  Interpret as RegEx: Set to Yes if the Groups list contains regular expressions.
  Note: The meta symbol * has to be preceded by a . (dot) if it is the only meta symbol or the first one in a RegEx.
  Partial Search: Enable if partial pattern matching should be possible. If matching should be possible for RegEx meta symbols, Interpret as RegEx needs to be enabled.
  Case insensitive: Enable if groups should be matched case insensitive.
  Note: If enabled, Interpret as RegEx will be disabled.
  Groups: Definition of meta directory group patterns.
  Note: Group names are the distinguished names of meta directories. Example for LDAP: CN=myname, OU=myOU, DC=com
URL (ACL Type = urlextension): This parameter defines URL extensions (url_regex) considering protocol and hostname.
  URL Path Extensions: This field takes regular expressions (see 1.2.3.3 Access Control - Using Regular Expressions, page 345) or simply words or word patterns. All entries are treated case insensitive. url_regex looks for the specified value in the URL path including protocol and hostname.
URL Path (ACL Type = urlpathextension): This parameter defines URL path regular expressions (urlpath_regex) matching the URL but skipping protocol and hostname.
  URL Path Extensions: This field takes regular expressions (see 1.2.3.3 Access Control - Using Regular Expressions, page 345) or simply words or word patterns. All entries are treated case insensitive. urlpath_regex looks for the specified value in the URL path following the hostname; that is, in the URL http://www.exampledomain.com/example/domain/index.htm the word "example" will only be looked for within the path "/example/domain/index.htm".
Maximum Connections (ACL Type = maxconnections): This parameter limits the maximum number of connections from a single client IP address.
  Define Maximum Connections: Insert a value for the maximum number of connections (default: 5). The value of the ACL is TRUE if the number of connections is larger than the specified one.
Protocol (ACL Type = protocol): This parameter specifies the transfer protocol.
  Define Transfer Protocol: Specify a transfer protocol, for example HTTP, FTP, ...
Requestmethod (ACL Type = method): This parameter specifies the request method.
  Define Request Method: Specify a request method, for example GET, POST, UPDATE, ...
TCP Port (ACL Type = destinationport): This parameter specifies the destination's port addresses.
  Specify Destination Port Address: Insert the destination server's port number.
Browser (ACL Type = browser): This parameter defines regular expression patterns or words matching the user-agent header transmitted during the request.
  Define Browser Access: This field takes regular expressions (see 1.2.3.3 Access Control - Using Regular Expressions, page 345) or words. If, for instance, the word Firefox is configured, it will be searched for in the user-agent header of an incoming request. Keep in mind that the user-agent header is set by the client and can be chosen freely, so a browser ACL is a convenience filter, not a security control.

Attention: Each ACL Entry may only consist of one ACL Type.
Attention: When deleting an ACL Entry, do not forget to manually delete the values configured for it in the ACTIONS section, parameter ACL Entries for this Action, as the conjoined actions are not deleted automatically. Actions with broken links to their parent will cause the proxy to fail.
1.2.3.5 Access Control - Section Actions
This section serves to construct an ACL list, which the proxy server works through one by one according to the actions' priority numbers. The Default parameter setting below the Actions section specifies the final measure to take after the workflow of the list has been completed.
Note: In an analogous manner to firewall rule handling, proxy settings are processed from top to bottom.
Click Insert to generate a new Action and specify a significant Name for it.
Attention: The name specified in this place is used as an expression in the proxy server's ACL list. The same applies to the Name field specified for a new record in the Section Neighbour Settings section (Access control section, see Section Neighbour Settings, page 342). To avoid conflicts, make sure these two names never match.
The following objects are available for configuration:

List 1213 HTTP Proxy Service Parameters - Authentication Settings - Actions
ACL Description: Describe briefly what this action should effect.
ACL Priority: Insert a value for this action's priority. Lower numbers mean higher priority. ACLs with higher priority are processed first.
ACL Entries for this Action: In this place a pull-down menu displays all configured ACL entries. Choose the ACL entries this action is to refer to and insert them into the field on the right side.
Note: A maximum of 6 ACL entries can be inserted into an action.
Attention: Remember to delete ACL entries from an action when deleting the value in the ACL ENTRIES section.
Action: This parameter sets the action to allow or deny.
Note: See 1.2.3.10 Access Control List (ACL) Interpretation, page 349 for a workflow description of ACL lists.

1.2.3.6 Access Control - Section ACL FileList
ACL FileLists may be used as a supplement to ACL Entries and Actions.
Note: The ACL FileList is processed before those entries configured through the ACL ENTRIES and ACTION sections.
Click the Insert button to define a new ACL List and specify a list Name. List Names may consist of digits only (max. length 12 digits). The number defined for an ACL Filelist is a direct marker for its priority. Lower numbers mean higher priority. ACL Filelists are processed one by one according to their priority.

List 1214 HTTP Proxy Service Parameters - Authentication Settings - ACL FileList
ACL Filelist Filename: All ACL Entries (see below) are stored in the specified Filename after clicking OK. The default location of the file is /var/phion/preserve/proxy/<servername>_<servicename>/root/. In addition, it is also possible to change the location by specifying an absolute path in front of the filename (not recommended). In this case, the destination directory must exist.
Note: Do not use Filenames such as squid.conf, ftpsquid.conf, ... This could lead to loss of configuration information. To avoid such situations, it is recommended to use the default location and .acl as the preferred filename extension (example: aclfile.acl).
ACL Entries: These are the entries which are written to the file defined through the parameter Filename. ACL Entries are processed line by line. A line must not exceed 1012 characters. If a greater length cannot be avoided, use "/" to section lines.
Attention: ACL Entries must exactly match the squid.conf syntax. They are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
Note: To include ACL entries specified in the ACL filelist, reference them in the Generic squid.conf Entries field (see the following syntax example).

ACL Filelist Usage Example
Step 1 Insert an ACL entry into the ACL filelist section
Open the Access Control tab, lock the data set, then click Insert in the ACL Filelist section to add a new ACL file.
List 1215 ACL Filelist Usage Example
Name: 1
Filename: prxacl.acl
ACL Entries: 10.0.8.20/255.255.255.255
Step 2 Include the ACL file into the configuration
Change to the Advanced tab and insert the following lines at the beginning of the file displayed in the Generic squid.conf Entries field:
acl STAFF src "prxacl.acl"
acl WORLD dst 0.0.0.0/0.0.0.0
http_access allow STAFF WORLD
The values STAFF and WORLD specify the ACL names. In the example, HTTP access to the Internet is allowed for the network client with the address 10.0.8.20. The quoted file name tells Squid to read the addresses of the src ACL from the file rather than from the configuration line itself, so the content of prxacl.acl must be valid for an src ACL (one address or network per line).
1.2.3.7 Access Control - Section Legacy
This section enables creation of an ACL file exactly matching squid.conf syntax.
This parameter set is only available if parameter Access Configuration is set to legacy.

List 1216 HTTP Proxy Service Parameters - Authentication Settings - Legacy
Name: aclconfexpert (predefined)
Access Control Entries: Insert the ACL Entries into this field.
Attention: ACL Entries must exactly match the squid.conf syntax. They are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
Note: This field either takes complete ACLs, but may as well include entries from the ACL filelist. Syntax usage as given in the example above applies.
Note: squid.conf can be located in the path /var/phion/preserve/proxy/<servername_servicename>/root/.
Note: A quick syntax check for squid.conf can be executed by entering the following command at the command line interface: squid -N -f /var/phion/preserve/proxy/<servername_servicename>/root/squid.conf. If commands have been misarranged, the row number containing the flawed configuration will be written to the output. Be aware that -N starts Squid in the foreground with the given file, so a file that parses cleanly actually starts a proxy process; squid -k parse -f <file> only parses the configuration without starting the proxy.

1.2.3.8 ACL Time Restrictions
ACL Time Restrictions are a configuration part of the Access Control - Section ACL Entries parameter Time Settings. Clicking the button Always opens the Time Interval configuration window. If a time restriction applies, the label of the button changes to Restricted!.
The granularity of time restriction is 1 hour on a weekly basis.
The time settings ACL entry is preset to always active by default, which means that all checkboxes in the Time Interval dialog window are unchecked. Checking a box deactivates the time interval for the given time.

List 1217 HTTP Proxy Service Parameters - Authentication Settings - Time Restriction configuration
Set allow: Select to clear selected checkboxes.
Set deny: Select to mark checkboxes as disallowed time intervals.
Set Invert: Select to configure allowed and disallowed time intervals simultaneously.
Continue if mismatch / Block if mismatch (default): Attention: Always leave the default setting Block if mismatch.

1.2.3.9 ACL Time Restrictions Configuration Examples
Example 1
Fig. 128 ACL Time Interval configuration - Example 1
In the example above, local box time applies to the time restriction settings.
In the time interval window, access has been activated for all times except Wednesday 03:00 to 05:00.
After saving and execution of Send Changes and Activate, the following ACL entries will be generated:
Note: In squid.conf the days of the week are stated as follows: M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday, S - Sunday.
acl mytime time M 00:00-24:00
acl mytime time T 00:00-24:00
acl mytime time W 00:00-03:00
acl mytime time W 05:00-24:00
acl mytime time H 00:00-24:00
acl mytime time F 00:00-24:00
acl mytime time A 00:00-24:00
acl mytime time S 00:00-24:00
Interpretation:
An ACL entry has been generated for each day of the week, spanning the whole day (except for Wednesday). Two ACL entries have been created for Wednesday, as there the time span has been interrupted between 03:00 and 05:00. Several acl lines with the same name are combined by Squid, so mytime is true whenever any one of the lines matches.
Inserted into the Actions section with policy allow and default policy denied, this ACL entry will allow proxy access on every day of the week except Wednesday between 03:00 and 05:00.
Example 2
Fig. 129 ACL Time Interval configuration - Example 2
In the example above, time zone Europe/London applies to the time restriction settings.
In the time interval window, access has been activated for all times except Wednesday 14:00 to 15:00.
After saving and execution of Send Changes and Activate, the following ACL entries will be generated:
acl mytime time M 01:00-24:00
acl mytime time T 00:00-01:00
acl mytime time T 01:00-24:00
acl mytime time W 00:00-01:00
acl mytime time W 01:00-13:00
acl mytime time W 16:00-24:00
acl mytime time H 00:00-01:00
acl mytime time H 01:00-24:00
acl mytime time F 00:00-01:00
acl mytime time F 01:00-24:00
acl mytime time A 00:00-01:00
acl mytime time A 01:00-24:00
acl mytime time S 00:00-01:00
acl mytime time S 01:00-24:00
acl mytime time M 00:00-01:00
Note: Multiple entries are generated for each day in squid.conf due to the time conversion.
Interpretation:
Two ACL entries have been generated for each day of the week, spanning the whole day (except for Wednesday). Three ACL entries have been created for Wednesday, as there the time span has been interrupted between 14:00 and 15:00. Note that the missing time span has been generated as a gap between 13:00 and 16:00, which is wider than the single configured hour; always compare the generated lines against the intended restriction.
Inserted into the Actions section with policy allow and default policy denied, this ACL entry will allow proxy access on every day of the week except Wednesday 14:00 to 15:00 Europe/London time, or 15:00 to 16:00 local box time respectively.
A user from London trying to access the proxy at 14:59 Europe/London time will be rejected, because this corresponds to 15:59 local box time and is still within the disallowed time span.

1.2.3.10 Access Control List (ACL) Interpretation
The following example configuration attempts to explain the logic of
- how to create ACL entries and put them together in an action,
- how actions are processed by the proxy server.
Fig. 1210 ACL Entries and Actions configuration example
Figure 1210 depicts an exemplary Access Control configuration, with the following ACL Entries and Actions configured in detail:
- ACL Entries
List 1218 ACL ENTRIES configuration
Name / ACL Type / Value
clientpc / source / 10.0.8.1
portftp / destinationport / 21
portwww / destinationport / 80
protocolftp / protocol / FTP
protocolwww / protocol / HTTP
timeftp / time / Access activated Mo, 09:00 - 13:00
timeweb / time / Access activated Mo-Fr, 08:00 - 17:00
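The conversion behind the two time examples of section 1.2.3.9 (a weekly grid with one-hour granularity, shifted into box time and split at box-time midnight, which is why the lines for Example 2 each start at 01:00 and a separate 00:00-01:00 line appears on the following day) can be reproduced with a few lines of Python. The script below is an added example, not code from the original guide or from the appliance; it assumes the box time zone is one hour ahead of Europe/London, as the generated lines of Example 2 imply, and it performs an hour-exact shift. Note that for Wednesday it therefore yields W 01:00-15:00, whereas the appliance wrote W 01:00-13:00 in Example 2, which is exactly the kind of difference the guide tells you to look for in the generated squid.conf.

```python
DAY_LETTERS = "MTWHFAS"  # squid.conf day codes, Monday first


def allowed_grid(blocked):
    """Weekly grid of 7 days x 24 one-hour slots in the configured time zone.
    blocked: iterable of (day_index, start_hour, end_hour), Monday = 0,
    end_hour exclusive, matching the one-hour granularity of the dialog."""
    grid = [[True] * 24 for _ in range(7)]
    for day, start, end in blocked:
        for hour in range(start, end):
            grid[day][hour] = False
    return grid


def shift_run(day, start, end, offset):
    """Move one allowed run by offset hours and split it at box-time midnight.
    Yields (day_index, start_hour, end_hour) segments in box time; the week
    wraps around, so a Sunday run may end up on Monday."""
    cur = day * 24 + start + offset
    stop = day * 24 + end + offset
    while cur < stop:
        day_start = (cur // 24) * 24
        seg_end = min(stop, day_start + 24)
        yield (cur // 24) % 7, cur - day_start, seg_end - day_start
        cur = seg_end


def time_acl_lines(name, blocked, offset_hours=0):
    """Generate the 'acl NAME time D HH:MM-HH:MM' lines that express the
    allowed hours in box time. offset_hours is box time minus configured-zone
    time in whole hours (0 for Example 1, +1 assumed for Example 2)."""
    grid = allowed_grid(blocked)
    lines = []
    for day in range(7):
        hour = 0
        while hour < 24:
            if not grid[day][hour]:
                hour += 1
                continue
            start = hour
            while hour < 24 and grid[day][hour]:
                hour += 1
            for d, s, e in shift_run(day, start, hour, offset_hours):
                lines.append(f"acl {name} time {DAY_LETTERS[d]} {s:02d}:00-{e:02d}:00")
    return lines


def box_time_allowed(lines, day_letter, hour):
    """True if any generated line covers the given box-time day and hour,
    i.e. the OR of all lines that share the acl name."""
    for line in lines:
        _, _, _, day, span = line.split()
        start, end = (int(t[:2]) for t in span.split("-"))
        if day == day_letter and start <= hour < end:
            return True
    return False


if __name__ == "__main__":
    print("\n".join(time_acl_lines("mytime", [(2, 3, 5)])))          # Example 1
    print("\n".join(time_acl_lines("mytime", [(2, 14, 15)], 1)))     # Example 2
```

With offset 0 the output is exactly the eight lines of Example 1. With offset +1 the first, second and last lines match Example 2 (M 01:00-24:00, T 00:00-01:00, and the wrapped M 00:00-01:00 at the end), and box_time_allowed confirms that 15:59 box time on Wednesday (the 14:59 London request of the guide) is denied.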
- Actions
Fig. 1211 Configuration of Action webaccess
Table 122 Actions configuration
ACL Description / ACL Priority / ACL Entries for this Action
webaccess / 1 / clientpc, portwww, protocolwww, timeweb
ftpaccess / 2 / clientpc, portftp, protocolftp, timeftp
- Default policy: denied
These actions are summarized to the following lines in squid.conf:
http_access allow clientpc portwww protocolwww timeweb
http_access allow clientpc portftp protocolftp timeftp
This is interpreted as follows:
Allow access if clientpc AND portwww AND protocolwww AND timeweb is TRUE
--- if TRUE, stop processing further rules ---
--- OR proceed to the next rule, if this is not the case ---
Allow access if clientpc AND portftp AND protocolftp AND timeftp is TRUE.
Let us consider the following scenarios:
It is Monday, 09:00. The user working at clientpc tries to access the Internet on port 80. His connection attempt will be matched by the rule http_access allow clientpc portwww protocolwww timeweb, access will be granted and no further rules are processed.
It is Monday, 14:00. The user working at clientpc tries to access an FTP server on port 21. On his connection attempt, the first rule will be processed and considered false, because portwww and protocolwww do not match (only clientpc and timeweb do). Subsequently the second rule http_access allow clientpc portftp protocolftp timeftp will be processed, and again it will be considered false, because the Access Entry timeftp (Monday 09:00 to 13:00) does not match. The connection attempt will be rejected, as none of the rules matches and the default policy denies it as well.

1.2.3.11 Cache Behavior Configuration Example
Correct Cache Behavior configuration becomes important when the proxy server is surrounded by multiple adjacent neighbour caches. In particular, Cache Priority settings have an immediate effect on the execution of Cache Peer Access and Domain Restrictions settings.
The following example is meant to point up the importance of correct configuration.
ProxySrv1 is surrounded by three neighbour caches ProxySrv2, ProxySrv3 and ProxySrv4, each of them configured as its parent.
The aim is to direct all requests with source IP 10.0.8.20 to ProxySrv2 and all requests with the destination exampledomain.com to ProxySrv3. All other requests are to be fetched from the cache of ProxySrv4.
Fig. 1212 Proxy neighbour cache configuration - Example setup (client 10.0.8.20 in network 10.0.8.0/8 as labelled; PrxSrv1 10.0.8.1; parents PrxSrv2 10.0.8.2 with priority 1, PrxSrv3 10.0.8.3 with priority 2, PrxSrv4 10.0.8.4 with priority 3)
A Cache Peer Access filter has to be set for ProxySrv2 and a Domain Restrictions filter has to be set for ProxySrv3. ProxySrv4 is set up without any filters, which means that all requests not matching the configured filters will be directed to it.
- Neighbour Configuration settings for ProxySrv2:
Name: ProxySrv2
IP/Hostname: 10.0.8.2
Neighbour Type: parent
Exclusive Parent: no
Cache Priority: 1
Cache Peer Access: 10.0.8.20
Cache IP Objects: no
- Neighbour Configuration settings for ProxySrv3:
Name: ProxySrv3
IP/Hostname: 10.0.8.3
Neighbour Type: parent
Exclusive Parent: no
Cache Priority: 2
Domain Restrictions: *.exampledomain.com
Cache Domain Objects: no
- Neighbour Configuration settings for ProxySrv4:
Name: ProxySrv4
IP/Hostname: 10.0.8.4
Neighbour Type: parent
Exclusive Parent: no
Cache Priority: 3
Note: ProxySrv4 is vital for the example setup to work. If it is not present, requests not matching the configured filters cannot be directed to any neighbour. ProxySrv1 cannot process the requests by itself without an appropriate directive.
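The first-match evaluation described in section 1.2.3.10 (all ACLs on one http_access line are AND-ed, the lines are tried in order, the first matching line wins, several acl lines with the same name are OR-ed, and the configured default policy decides when nothing matches; this is also the ACL ENTRIES / ACTIONS part of the flow in Fig. 127) can be checked with a small evaluator. The following Python script is an added example and not part of the original guide or of the product; the acl definition lines are written by hand from List 1218, the leading-"!" negation and the treatment of the time interval end as exclusive are assumptions of the example, and the explicit default argument stands in for the appliance's Default parameter.

```python
import ipaddress
import re

# The http_access lines of section 1.2.3.10 plus the acl definitions they rely
# on; the acl lines are constructed here from List 1218 (not from the page).
EXAMPLE_CONFIG = """
acl clientpc src 10.0.8.1
acl portftp port 21
acl portwww port 80
acl protocolftp proto FTP
acl protocolwww proto HTTP
acl timeftp time M 09:00-13:00
acl timeweb time MTWHF 08:00-17:00
http_access allow clientpc portwww protocolwww timeweb
http_access allow clientpc portftp protocolftp timeftp
"""


def parse_config(text):
    """Collect acl definitions (several lines with the same name are OR-ed)
    and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            known_type, lines = acls.setdefault(name, (acl_type, []))
            if known_type != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            lines.append(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def acl_matches(acl_type, lines, req):
    """True if any line of the acl matches the request."""
    for values in lines:
        if acl_type == "src":
            addr = ipaddress.ip_address(req["src"])
            if any(addr in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif acl_type == "port":
            if str(req["port"]) in values:
                return True
        elif acl_type in ("proto", "method"):
            if req[acl_type].upper() in (v.upper() for v in values):
                return True
        elif acl_type == "url_regex":
            if any(re.search(v, req["url"], re.IGNORECASE) for v in values):
                return True
        elif acl_type == "time":
            # "acl NAME time DAYS HH:MM-HH:MM"; the end is treated as exclusive
            days, span = values
            start, end = (_minutes(t) for t in span.split("-"))
            if req["day"] in days and start <= _minutes(req["time"]) < end:
                return True
        else:
            raise ValueError(f"acl type {acl_type} not supported in this example")
    return False


def evaluate(config_text, req, default="deny"):
    """First matching http_access line wins; all acls on a line must match
    (a leading '!' negates one acl). Returns (verdict, rule_index); the index
    is None when the configured default policy had to decide."""
    acls, rules = parse_config(config_text)
    for index, (verdict, names) in enumerate(rules):
        matched = True
        for name in names:
            negate = name.startswith("!")
            acl_type, lines = acls[name.lstrip("!")]
            if acl_matches(acl_type, lines, req) == negate:
                matched = False
                break
        if matched:
            return verdict, index
    return default, None


def request(src, port, proto, day, time, method="GET", url="http://www.example.com/"):
    """Build the request attributes the evaluator looks at."""
    return {"src": src, "port": port, "proto": proto, "day": day,
            "time": time, "method": method, "url": url}


if __name__ == "__main__":
    # The two scenarios of the guide: Monday 09:00 web, Monday 14:00 FTP.
    print(evaluate(EXAMPLE_CONFIG, request("10.0.8.1", 80, "HTTP", "M", "09:00")))
    print(evaluate(EXAMPLE_CONFIG, request("10.0.8.1", 21, "FTP", "M", "14:00")))
```

The first scenario returns ("allow", 0): the first rule matched and the second was never evaluated. The second returns ("deny", None): neither rule matched, so the default policy decided. Changing the FTP request to Monday 10:30 returns ("allow", 1), and a request from any other source address is denied by default regardless of time.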
1.2.4 Content Inspection

1.2.4.1 Section Virus Scanner
Via this section the integrated virus scanner is enabled/disabled. Due to the complexity please have a look at Anti-Virus, page 389.

1.2.4.2 Section Data Leak Prevention
List 1219 Proxy Service Parameters section Data Leak Prevention
DLP: Data Leak Prevention consists of disallowing HTTP POST requests. Set to Enable to enable Data Leak Prevention. Note that only the POST method is blocked; data carried in GET query strings or sent with other request methods is not covered by this setting.
DLP Exception URLs: Define here exceptions for Data Leak Prevention, that is HTTP POST requests to those URLs are allowed even if DLP was set to Enable. Patterns (* and ?) are allowed here.

1.2.4.3 Section Redirector Settings
This section has to be configured when the URL Filter or another external filter is implemented into the HTTP proxy server for URL filtering. See 3. URL Filter, page 360 for configuration details.

1.2.5 Advanced
Note: The section Optimizations is only available for the Secure Web Proxy.

List 1220 Proxy Service Parameters - Advanced view section Optimizations
Read Timeout (sec.): Define here the read timeout of the Secure Web Proxy in seconds.
Note: This timeout affects connections to the internet and to the ICAP server.

List 1221 Proxy Service Parameters - Advanced view section Advanced
Use Engine Version: Normal: squid version 2.5; NG: squid version 3.1
Generic squid.conf Entries: The whole configuration file of the proxy service is displayed. This field offers the possibility to edit the whole configuration file (except the access control part) manually. Use this section to configure a transparent proxy (see 1.3 Transparent Proxy, page 352) or reverse proxy (see 1.4 Reverse Proxy, page 352).
Attention: These entries must exactly match the squid.conf syntax. Entries are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
Note: A quick syntax check for squid.conf can be executed by entering the following command at the command line interface: squid -N -f /var/phion/preserve/proxy/<servername_servicename>/root/squid.conf. If commands have been misarranged, the row number containing the flawed configuration will be written to the output. Be aware that -N starts Squid in the foreground with the given file, so a file that parses cleanly actually starts a proxy process; squid -k parse -f <file> only parses the configuration without starting the proxy.

1.2.6 HTTP Proxy Fail Cache
The HTTP Proxy provides the user with a GUI that is accessible through Barracuda NG Admin.
This GUI displays the so-called Fail Cache, which is a useful aid in troubleshooting. It lists all HTTP replies with an HTTP status code of 400 and greater, except 407 (Proxy Authentication Required is the regular authentication challenge and is therefore not listed). Certain filters may be configured in order to customize the view.
Note: If the HTTP Proxy is not running with Engine Version NG activated, the button to view the proxy GUI within Barracuda NG Admin will be available, although it has no function then.
Note: In order to ensure the compatibility of the p-MGMT-PROXY firewall object with TCP port 880, Barracuda Networks recommends performing a Copy from Default on the local firewall ruleset after applying this patch. Do not forget to back up your local firewall rules first.
Fig. 1213 HTTP Proxy Fail Cache
The HTTP Proxy Fail Cache is available on gateways that are running an HTTP Proxy. phion's Secure Web Proxy does not provide the functionality of the Fail Cache.

1.2.6.1 HTTP Proxy Fail Cache Filters
The Fail Cache GUI provides several filter options that allow a selective view of all desired Fail Cache entries.

List 1222 HTTP Proxy Fail Cache Filter Options
Entries: Amount of listed Fail Cache entries.
From: Start time/date for Fail Cache entries.
To: End time/date for Fail Cache entries.
IP: IP address to filter.
User: User to filter.
URI: URI to filter.
Status: HTTP status code to filter.
1.3 Transparent Proxy
This mode allows the proxy to work transparently to the client. With a transparent proxy the clients do not need to be configured in a special way, whereas a firewall or a router must be configured to redirect proxy traffic (port 80) to the proxy listening on port 3128 (for example). Since clients are not configured to use a proxy, HTTP traffic will be sent to port 80. A firewall or a router then has to redirect this traffic to the proxy. The usage of a transparent proxy may be useful, for example in a migration scenario where multiple existing clients were not configured to use a proxy and reconfiguring them would be an unreasonably big effort.
To configure a proxy as a transparent one, the following configuration lines need to be entered into the generic squid configuration section (see 1.2 Configuration, Generic squid.conf Entries, page 351):
httpd_accel_host virtual        (IP address of the web server; use virtual for multiple servers)
httpd_accel_port 80             (port of the web server)
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
The httpd_accel_port directive defines the port the origin server is listening on (port 80). For virtual port support use 0 instead of 80. Squid does not need to know how requests arrive at its listening port (80). This has to be
Note: The httpd_accel_* directives shown here belong to the squid 2.5 configuration syntax (Engine Version Normal). Squid 3.x (Engine Version NG) expresses interception and acceleration as options of the http_port directive instead, so consult the squid.conf documentation of the engine version in use before pasting these lines.

1.4 Reverse Proxy
The Squid reverse proxy is designed for supplying static content, served by web servers placed behind it, from its own cache. This way, reverse proxy mode reduces the load on web servers and is thus also known as httpd-accelerator mode.
To configure a reverse proxy, add options assigned to the httpd_accel directive to the squid.conf file. Refer to the official squid.conf documentation for details. You may edit squid.conf in the generic squid configuration section (see 1.2 Configuration, Generic squid.conf Entries, page 351).
The following options are configurable:
- http_port 80
The reverse proxy listens for connections on this port. Normally this is set to port 80, since incoming requests will mostly be directed to the default HTTP port.
- httpd_accel_host <server_IP>/virtual
This option specifies the address of the actual web server. Specify an IP address if only a single web server serves web content. If the proxy is meant to supply cached content from multiple web servers, use httpd_accel_host virtual.
Note: HTTP 1.0 is not applicable with option
done by the firewall or router. httpd_accel_host virtual.

Note:
z httpd_accel_port 80
When using the NG HTTP Proxy Engine, to following The web server listens for connections on this port. As
lines are to be added into the Generic squid.conf instead, the web content will be served from a separate physical
to run the HTTP Proxy in transparent mode. machine, you may consider using the default listening
HTTP port 80. Optionally, switch the listening port to
http_port <proxyservice-IP>:<listenport> another value.
transparent
Note:
Squid sees a request for an URL and connects to port 80 Multiple web servers must provide content on one
(or virtual) of the server where the URL resides. Squid port uniformly.
does not have any control over the arriving request types.
z httpd_accel_single_host on/off
If Squid is listening on port 3128 it assumes that data
This option specifies whether to forward uncached
arrives using a protocol it can handle (HTTP, FTP over
requests to a single back end web server. If set to on,
HTTP). The packet type redirected to Squid is determined
requests will be forwarded regardless of what any
entirely by the hosts firewall (or an external router) and is
redirectors or host headers say.
out of Squid's control.
z httpd_accel_with_proxy on/off
Attention: This option specifies if Squid should act as both,
proxy_auth cannot be used in conjunction with a standard and reverse proxy or only as reverse proxy.
transparent proxy because it collides with any Note that generally better performance will be achieved
authentication done by origin servers. when this option is set to off.

Attention:
z httpd_accel_uses_host_header off
HTTP 1.0 must not be used in conjunction with a Requests in HTTP version 1.1 include a host header,
transparent proxy since the header of HTTP 1.0 does not specifying host name or IP address of the URL. This
contain the address of the destination server. The option should remain off in reverse proxy mode.
information gets lost, when the request is redirected to z hosts_file /etc/hosts
the firewall (or the router). This option defines the location of the hosts file. This
has to be specified, when requests to your back end
web servers are addressed to FQDNs and the proxy
server itself fetches DNS entries from external name
servers. In the hosts file, map the FQDNs of your web
sites to the actual IP the site is published on. Configure
mappings in Config > Box > Settings >

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Proxy Reverse Proxy < HTTP Proxy | 353

DNS section > Known Hosts (see 2.2.3.3 DNS, Table 123 Example: squid.conf file httpd_accel directive
page 55). Parameter IP address Domain
/etc/hosts 10.0.8.1 mySite1 mySite2 mySite3
www.myDomain.com sub.myDomain.com
1.4.1 Example Setup sub2.myDomain.com

Fig. 1214 Reverse proxy example configuration In the squid.conf file, the corresponding options must
be specified as follows:
Web Server Reverse Proxy Client
Table 124 Example: squid.conf file corresponding options
Option Setting
10.0.8.1:80 193.99.144.85:80 http_port 80
httpd_accel_host 10.0.8.1
httpd_accel_port 80
In the example setup, a web server is configured running httpd_accel_single_host on
three virtual hosts on an internal IP address 10.0.8.1. httpd_accel_with_proxy on/off (recommended)
Clients direct requests to these sites to httpd_accel_uses_host_header off
www.myDomain.com, sub.myDomain.com, and hosts_file /etc/hosts
sub2.myDomain.com. These names are resolvable to the IP
address 193.99.144.85, which is the official external
address of the reverse proxy server.
The reverse proxy forwards not yet cached requests to the
appropriate virtual host running on the IP address 10.0.8.1,
and otherwise serves the requested content from its
cache.
The following parameters determine settings in the
httpd_accel directive of the squid.conf file:
Table 123 Example: squid.conf file httpd_accel directive
Parameter IP address Domain
Web Server 10.0.8.1 www.myDomain.com
sub.myDomain.com
sub2.myDomain.com
DNS IN A 193.99.144.85 www.myDomain.com
sub.myDomain.com
sub2.myDomain.com
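The two routing rules described in 1.3 and 1.4 (destination recovered from the Host header in transparent mode; httpd_accel_single_host versus httpd_accel_host virtual with a hosts_file lookup in reverse proxy mode), as an added example in Python. This is not code from the Barracuda NG Firewall or from Squid but a model written for this guide: the requests, the hosts file content and the DNS table are constructed, the assumption that httpd_accel_host virtual routes on the Host header is this example's own, and so are all helper names.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for public DNS: as in Table 123, the site names
# resolve to the reverse proxy's external address, not to the web server.
PUBLIC_DNS: Dict[str, str] = {
    "www.myDomain.com": "193.99.144.85",
    "sub.myDomain.com": "193.99.144.85",
    "sub2.myDomain.com": "193.99.144.85",
}

Origin = Optional[Tuple[str, int]]


@dataclass
class AccelConfig:
    """The squid.conf options from 1.3/1.4 that decide where a request goes."""
    mode: str                                  # "transparent" or "reverse"
    proxy_ip: str                              # the proxy's own listening address
    accel_host: str = "virtual"                # httpd_accel_host: an IP or "virtual"
    accel_port: int = 80                       # httpd_accel_port (0 = virtual port)
    single_host: bool = False                  # httpd_accel_single_host
    uses_host_header: bool = True              # httpd_accel_uses_host_header
    hosts_file: Dict[str, str] = field(default_factory=dict)  # hosts_file entries


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (request-target, HTTP version, lower-cased headers) of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, version, headers


def select_origin(cfg: AccelConfig, raw: bytes) -> Tuple[Origin, str]:
    """Decide where an uncached request is forwarded.

    Returns ((host, port), reason), or (None, reason) when the request cannot
    be routed: the cases the Attention notes in 1.3 and 1.4 warn about.
    """
    _target, version, headers = parse_request(raw)

    if cfg.mode == "reverse" and cfg.accel_host != "virtual" and cfg.single_host:
        # httpd_accel_single_host on: one back end, Host header and redirectors ignored
        return (cfg.accel_host, cfg.accel_port), "httpd_accel_single_host"

    if cfg.mode == "transparent" and not cfg.uses_host_header:
        return None, "httpd_accel_uses_host_header off: intercepted requests cannot be routed"

    host = headers.get("host")
    if not host:
        # An intercepted request line carries only a path ("GET /index.html"); without
        # a Host header (HTTP 1.0) nothing in the request names the destination server.
        return None, f"{version} request without Host header: destination unknown"

    name, _, port_str = host.partition(":")
    port = int(port_str) if port_str else (cfg.accel_port or 80)
    if cfg.mode == "transparent":
        return (name, port), "Host header"

    # Reverse proxy with httpd_accel_host virtual (assumed here to route on the
    # Host header): hosts_file entries take precedence over DNS, as /etc/hosts does.
    if name in cfg.hosts_file:
        return (cfg.hosts_file[name], cfg.accel_port), "hosts_file"
    ip = PUBLIC_DNS.get(name)
    if ip is None:
        return None, f"cannot resolve {name}"
    if ip == cfg.proxy_ip:
        return None, f"{name} resolves to the proxy itself; add a hosts_file entry"
    return (ip, cfg.accel_port), "dns"


# Constructed requests, as the proxy would see them on the wire.
INTERCEPTED_11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
INTERCEPTED_10 = b"GET /index.html HTTP/1.0\r\n\r\n"
SITE_REQUEST = b"GET / HTTP/1.1\r\nHost: sub.myDomain.com\r\n\r\n"

TRANSPARENT = AccelConfig(mode="transparent", proxy_ip="10.0.0.1")
# Table 124: single back end, no Host header evaluation
SINGLE_HOST = AccelConfig(mode="reverse", proxy_ip="193.99.144.85", accel_host="10.0.8.1",
                          single_host=True, uses_host_header=False)
# several back ends: only www.myDomain.com has a hosts_file entry
VIRTUAL = AccelConfig(mode="reverse", proxy_ip="193.99.144.85", accel_host="virtual",
                      hosts_file={"www.myDomain.com": "10.0.8.1"})

if __name__ == "__main__":
    for cfg, req in [(TRANSPARENT, INTERCEPTED_11), (TRANSPARENT, INTERCEPTED_10),
                     (SINGLE_HOST, SITE_REQUEST), (VIRTUAL, SITE_REQUEST)]:
        print(cfg.mode, cfg.accel_host, "->", select_origin(cfg, req))
```

select_origin returns None for exactly the two situations the notes above warn about: an HTTP 1.0 request without a Host header that was redirected to a transparent proxy, and a site name that public DNS resolves to the proxy's own external address because the hosts_file entry is missing.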

2. Secure Web Proxy

2.1 Overview

The Secure Web Proxy ensures that SSL traffic doesn't pass unchecked through your network's HTTP proxy chain. Encrypted data sent and received by clients is decrypted transparently so that it can be inspected for viruses and other malicious content just like any other normal HTTP traffic.

That's not the only advantage. Many HTTPS servers aren't able to present a valid certificate signed by an official Certificate Authority (herein referred to as "CA"), thereby proving their authenticity. And the browser alerts displayed in that case don't always catch the attention of today's average user: not realising their possible consequences, they are often simply ignored. That's why Secure Web Proxy provides diverse options for "Certificate Verification". Depending on your security requirements, you can configure your certificate settings from low to very high.

Once it has been determined that a certificate is invalid, the client will be prohibited from communicating with the website, an incident ticket will be generated and its reference number will appear. This ticket helps the administrator determine the cause of the nonconformity and decide what further action should be taken. The questionable site can either be blacklisted permanently or added to the whitelist, which would allow the user to connect to the site despite any previous problems with its certificate. In addition, most CAs provide so-called "Certificate Revocation Lists" (CRLs), lists of revoked or no longer valid certificates (due to misuse or other reasons). Web browsers don't usually retrieve and update such lists themselves. Not so with Secure Web Proxy: revocation lists are kept up-to-date at all times.

2.2 Technical Details

A basic knowledge of SSL certificates, certificate signing and CAs is assumed in the following remarks.

The Secure Web Proxy effects transparent decryption by acting as the endpoint of the client's SSL connection and maintaining a cryptographically independent connection to the target web server. As a result, there are two separate SSL connections, between which the proxy forwards data on one logical channel: one between the client and the proxy and the other between the proxy and the target web server. This means that the actual payload is decrypted by the proxy on both sides and is inspected just like any other normal clear text traffic.

The client never sees the server's own certificate and is therefore not alerted to an invalid one: the proxy generates a certificate for the site on the fly, using the proper CommonName, and signs it with the proxy's root certificate. This root certificate must first be installed in the client's known CA database.

As mentioned above, the proxy checks a server's certificate for validity. There are numerous options for determining a certificate's validity; these are explained later. Only once a certificate has been validated will the proxy begin forwarding data to and from the client.

2.3 Installation

Attention:
Using the Secure Web Proxy requires additional software packages which are not part of the installation flash USB stick due to import/export regulations. Please contact your local Barracuda Networks Partner in order to request these specific packages.

A box server already has to exist before a Secure Web Proxy service can be created.

Note:
When using a HTTP proxy and a Secure Web Proxy on the same virtual server, it is mandatory to modify the listening port of the Secure Web Proxy, since both types of proxy use port 3128 as default listening port.

To create a Secure Web Proxy service, select Create Service from the context menu of Config > Box > Virtual Servers > <servername> > Assigned Services, select Secure Web Proxy as software module and configure the service's basic settings.
By clicking Activate, the new service is sent to the Barracuda NG Firewall and the newly installed Secure Web Proxy service is ready for configuration.
The Secure Web Proxy service will generate a number of log files. These can be viewed via the Log Viewer (Log Viewer, page 305).

Note:
Installation via PAR file requires this procedure:
- Install the box via PAR File
- Install the additional software package
- Perform a config dummy change and execute Send Changes > Activate

2.4 Configuration

If you have ever configured a "regular" proxy, many of the options will be familiar to you. In fact, with a few small differences, everything except the SSL-related options is the same. The SSL options are described in the following.

The Secure Web Proxy Service configuration area provides three configuration entities:
- URL Filter Config (see 3. URL Filter, page 360)
- Service Properties (Configuration Service 4. Introducing a New Service, page 97)
- Secure Web Proxy Settings (see below)

2.4.1 Secure Web Proxy Settings

Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (sslprx) > Secure Web Proxy Settings to access the configuration dialog.

Note:
The parameters listed in the following are SSL-related only. For a general description of the views General, Network, Access Control, Content Inspection and Advanced, please consult 1. HTTP Proxy, page 340.

However, note the following restrictions:

Note:
FTP is disabled by default. If enabled, FTP traffic will not be scanned for viruses.

- General view:
  There are no Log Settings. The system automatically logs access and cache.
- Network view:
  The most significant difference between a Secure Web Proxy and a normal proxy is that the Secure Web Proxy is configurable for one parent proxy only. If the setup has multiple parent proxies, the Secure Web Proxy is to be daisy-chained with a normal proxy, where the parents can be configured as usual.

2.4.1.1 SSL Settings

List 1223 Secure Web Proxy section SSL Settings

Parameter | Description
Enable SSL Decryption | Allows SSL decryption, the process of decrypting and inspecting data (default: Yes).
Enable Certificate Verification | Validates certificates (default: Yes). Attention: When this parameter is disabled, server certificates will not be validated. This means that clients will be able to communicate with malicious sites (like phishing sites) without realising there is a threat. It is recommended that this option only be disabled by someone who knows what they are doing.
Use Self-Signed Certificate | Defines whether a self-signed or an external certificate is used as the proxy's root certificate.
Root CA Private Key / Root CA Certificate | Generates the proxy's issuing root certificate. The Root CA Certificate should be exported and added to all client CA databases. Note: All SSL client connections will receive a temporarily created certificate signed by this configured CA instead of the real certificate when establishing a HTTPS connection. The certificate and the corresponding private key are used for SSL/TLS encryption and decryption. If this root certificate is not installed on the client computers, users will get certificate-error warnings from the browser on each new HTTPS connection. Keep the private key confidential: whoever holds it can issue certificates for any HTTPS site that these clients will trust.
External Root CA Private Key / External Root CA Certificate | Use these parameters to import an external root certificate. Instead of using a self-signed certificate (parameters above), one can import an external root certificate and its corresponding private key. Note: The root certificate must be signed by the private key. Note: The notes from the parameters above apply to these parameters too.
Notify User | Specifies whether or not the user should be notified whenever SSL connections are decrypted, logged or inspected (default: No). When enabled, a splash screen will appear in the user's browser at regular intervals (see Notify Again After (min)). Note: Setting this parameter to Yes will prevent HTTPS-based resources embedded in HTTP-based documents from being displayed as long as the notification for the HTTPS domain hasn't been confirmed. See also the more detailed problem description below this table.
Notify Again After (min) | When enabled, a notification will reappear after the specified amount of time. The default value is 60 minutes.

Fig. 1215 Secure Web Proxy User Notification and Confirmation Dialog

If Notify User is set to Yes, the notification dialog shown above will be displayed prior to delivering any data from any yet unconfirmed domain to the user's browser via HTTPS.

It may happen that certain embedded resources in a web site, such as images, media files, CSS stylesheets or JavaScript, fail to display or execute because their HTTPS source domain was not yet confirmed by the user. The reason for this is that the proxy delivers the notification HTML to the browser instead of the requested image, media or text data, and the notification HTML cannot be interpreted correctly by the browser at this point.
As this effect is likely to appear on widely used web sites such as Amazon, leaving users confused, Barracuda Networks recommends not activating this notification dialog.

The following screenshot demonstrates such a situation with the missing data highlighted. The header area in the screenshot's upper half shows a destroyed layout, suffering from missing JavaScript and CSS, while, in the main content area, two images are missing.

Fig. 1216 Missing Embedded Data on a Web Site

The screenshot hereafter shows the same web page after the proxy's notification has been confirmed. The header area is now properly rendered and the images in the main content area are accurately displayed.

Fig. 1217 Correct View of the Web Site from the Previous Figure

2.4.1.2 SSL Certificates

List 1224 Secure Web Proxy - SSL Certificates section Certificate Verification

Parameter | Description
Allow CommonName Wildcards | Accepts wildcards in the CommonName such as *.domain.com. Browsers such as IE or Firefox allow wildcards and/or regular expressions. Disabling this parameter provides more security (default: No, which means disabled).
Deny Expired Certificates | Determines whether or not expired certificates should be denied (default: Yes).
Allow Visit After Confirm | If a certificate is not valid, an information page will appear in the browser. If this parameter is disabled, an incident ticket will be generated and access to the site will be denied. When this parameter is enabled, the user can connect to the site by clicking Allow (default: No). Note: It is recommended that this parameter be disabled as it is, essentially, the same override mechanism provided by web browsers.

List 1225 Secure Web Proxy - SSL Certificates section Certificate Revocation

Parameter | Description
Enable Revocation Check | Checks every certificate against the revocation list of the issuing CA (provided one is available) (default: Yes).
Download CRLs at Hour (0..23) | Specifies when Certificate Revocation Lists (CRLs) should be retrieved from the CAs.
Use Real-Time Check (OCSP) | In addition to CRLs, it is possible to do a real-time check via OCSP (Online Certificate Status Protocol) (default: Yes). If a CA supports OCSP, a certificate's validity will be checked in real time and the result will be cached for one day.
Block Unknown State | When enabled, certificates will be denied if their revocation status is not determinable (either via CRLs or OCSP) (default: No). This parameter is usually enabled in high-security environments. However, it results in many incident reports.

List 1226 Secure Web Proxy - SSL Certificates section Client Certificates

This section discusses actions to be taken should a server request a client certificate - a seldom but, nevertheless, possible SSL transaction. Since the private key of the client certificate is known only to the client, the SSL proxy cannot complete the handshake on the client's behalf as it would with other SSL connections.

Parameter | Description
Client Certificate Action | Establishes the action to take when a client certificate is requested. The connection will either be tunnelled (without decryption) or denied (default).

2.4.1.3 SSL Exceptions

This section explains how to configure exceptions, which are made up of a server name (without the leading https://) or an IP address. There are three different types of exception lists:
- The Blacklist prohibits the client from accessing the listed servers or websites.
  Note:
  Restriction is based on the site's certificate rather than on the actual server name or IP address.
- The Whitelist allows clients to access the listed servers or websites, even should there be something wrong with their certificates.
- The Tunnellist specifies which servers or website connections should be tunnelled (neither intercepted nor decrypted, and therefore not inspected).

2.4.1.4 Advanced

List 1227 Secure Web Proxy - Advanced - section Optimizations

Parameter | Description
Read Timeout (sec.) | Define here the read timeout of the Secure Web Proxy in seconds. Note: This timeout affects connections to the internet and to the ICAP server.
Strip HTTP1.1 Enc. Header Lines | If set to yes, the Secure Web Proxy extracts HTTP1.1 specific lines of the HTTP1.1 header.

2.5 Operation

In addition to configuration, certain administrative actions can be taken in the Graphical User Interface (GUI). To access the GUI, select SSL Proxy in the box menu.
The following tabs are available:
- Access - view the accumulated real-time log.
- Tickets - manage incident tickets created when a user encounters an invalid certificate.
- Certificates - inspect and manage all known Root CAs.
- RSS-Feeds - inspect and manage all known RSS feeds.
- Webservices - inspect and manage all known webservices (including sub functions).

Note:
Each tab, except for Certificates, provides additional filter settings. The options in these filter settings are taken from the available entries and will become active as soon as the checkbox to the right of each entry is selected.

2.5.1 Access Tab

Fig. 1218 Secure Web Proxy GUI - Access tab

The following columns organize the Access tab of the Secure Web Proxy:
- Time - point in time when the connection was established. The content of this column may differ depending on the selected time "groups" and the UTC time flag (see 2.5.1.1 Access Context Menu, page 358).
- IP Address of the client who requested the connection.
- Method that is used for connecting (according to the Method Definitions in RFC 2616). Possible entries are: GET, HEAD, PUT, DELETE.
- Server name of the destination.
- Count shows the number of connections.
- Bytes from client / Bytes to client indicates the amount of data sent/received by the client.
- User Agent displays the signature of the client's browser.
- Content type displays the sort of sent/received data.
- Boxname provides the name of the server the Secure Web Proxy is running on.
- HTTP status as retrieved from the destination (according to the Status Code Definitions in RFC 2616).
- User / Group displays, if configured, the group of the authentication scheme the requesting client resides in.

2.5.1.1 Access Context Menu

- Show Details: opens an additional window providing detailed information concerning the selected entry (alternatively, this view is also available by double clicking on an entry).
- Flush Cache: removes either the selected entry (option Entry) or the complete access cache (option -ALL-).
- Ungroup: removes the sorting selected below.
- Group by: via this entry you may sort the entries by column.
- Show time in UTC: switches the time format within the Time columns.

2.5.2 Tickets Tab

In this tab incident tickets can be viewed or deleted, or their status can be changed.
By clicking Update List, all incident tickets will be retrieved from the server.
Clicking Lock activates a lock required for editing the database. Once all changes have been made, click the same button (which has now been renamed to Unlock) to release the lock.

2.5.2.1 Tickets Context Menu

- Show Details: opens an additional window providing detailed information concerning the selected ticket (alternatively, this view is also available by double clicking on a ticket).
- Ungroup: removes the sorting selected below.
- Group by: via this entry you may sort the tickets by ID, Server, Action or Type.
- Set Action: allows the user to modify the status of an incident ticket. The following commands are possible:
  - Blacklist/Whitelist/Tunnel: blacklist, whitelist or tunnel connections to a server. For more details, see 2.4.1.3 SSL Exceptions, page 356.
  - Block: has almost the same effect as Blacklist, except that the user can override the block when the parameter Allow Visit After Confirm is enabled (see 2.4.1.2 SSL Certificates, List 1224 Secure Web Proxy - SSL Certificates section Certificate Verification, page 356).
  - Delete: deletes the incident ticket.

Note:
It is possible to make exceptions to the configuration (see 2.4.1.3 SSL Exceptions, page 356). Exceptions are also listed with the incident tickets; however, unlike regular incident tickets, it is not possible to edit or delete them.
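The certificate checks of 2.4.1.2, the exception lists of 2.4.1.3 and the ticket actions above combine into one decision per HTTPS connection. The following Python model of that decision is an added example, not code from the Barracuda NG Firewall: the certificate record, the evaluation order (tunnel list and client-certificate handling first, then black and white lists, then the verification checks) and the sample host names are this example's assumptions, not a description of the product's internals.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Settings:
    """The relevant switches of 2.4.1.1 and 2.4.1.2 (defaults as documented)."""
    enable_decryption: bool = True
    enable_verification: bool = True
    allow_cn_wildcards: bool = False
    deny_expired: bool = True
    allow_visit_after_confirm: bool = False
    revocation_check: bool = True
    block_unknown_state: bool = False
    client_cert_action: str = "deny"            # or "tunnel"


@dataclass
class Exceptions:
    """The lists of 2.4.1.3 plus the hosts put under the ticket action Block."""
    blacklist: Set[str] = field(default_factory=set)
    whitelist: Set[str] = field(default_factory=set)
    tunnellist: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)


@dataclass
class ServerCert:
    """What the proxy learns about the server certificate (constructed record)."""
    common_name: str
    issuer_allowed: bool                        # issuing CA is set to Allow in the Certificates tab
    expired: bool = False
    revocation: str = "good"                    # "good", "revoked" or "unknown" (CRL/OCSP result)


@dataclass
class Decision:
    action: str                                 # "tunnel", "intercept", "confirm" or "deny"
    reasons: List[str] = field(default_factory=list)
    ticket: bool = False                        # an incident ticket is generated


def cn_matches(common_name: str, host: str, allow_wildcards: bool) -> bool:
    """Exact CommonName match, or a one-label wildcard (*.domain.com) when allowed."""
    if common_name.lower() == host.lower():
        return True
    if allow_wildcards and common_name.startswith("*."):
        suffix = common_name[1:].lower()        # ".domain.com"
        return host.lower().endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def evaluate(host: str, cert: ServerCert, client_cert_requested: bool,
             s: Settings, ex: Exceptions) -> Decision:
    """Decide what happens to one HTTPS connection to host presenting cert."""
    if host in ex.tunnellist or not s.enable_decryption:
        return Decision("tunnel", ["tunnellist or SSL decryption disabled"])
    if client_cert_requested:
        # the proxy lacks the client's private key, so it cannot complete this handshake
        return Decision(s.client_cert_action, ["server requested a client certificate"])
    # black and white list match on the certificate's name, not the requested host (2.4.1.3)
    if cert.common_name in ex.blacklist:
        return Decision("deny", ["blacklisted"], ticket=True)
    if cert.common_name in ex.whitelist:
        return Decision("intercept", ["whitelisted"])
    if not s.enable_verification:
        return Decision("intercept", ["certificate verification disabled"])
    problems: List[str] = []
    if not cn_matches(cert.common_name, host, s.allow_cn_wildcards):
        problems.append(f"CommonName {cert.common_name} does not match {host}")
    if cert.expired and s.deny_expired:
        problems.append("certificate expired")
    if not cert.issuer_allowed:
        problems.append("issuing CA not allowed")
    if s.revocation_check:
        if cert.revocation == "revoked":
            problems.append("certificate revoked")
        elif cert.revocation == "unknown" and s.block_unknown_state:
            problems.append("revocation status unknown")
    if cert.common_name in ex.blocked:
        problems.append("blocked by ticket action")
    if not problems:
        return Decision("intercept", ["certificate valid"])
    if s.allow_visit_after_confirm:
        return Decision("confirm", problems)    # information page with an Allow button
    return Decision("deny", problems, ticket=True)


if __name__ == "__main__":
    defaults, none = Settings(), Exceptions()
    wildcard = ServerCert("*.example.com", issuer_allowed=True)
    print(evaluate("www.example.com", wildcard, False, defaults, none))
    print(evaluate("www.example.com", wildcard, False, Settings(allow_cn_wildcards=True), none))
    print(evaluate("www.example.com", ServerCert("www.example.com", True, revocation="unknown"),
                   False, Settings(block_unknown_state=True), none))
```

The ticket action Block appears here as a list whose members always fail verification: with Allow Visit After Confirm disabled that is a hard deny with a ticket, with it enabled the user gets the confirmation page, which is exactly the difference between Block and Blacklist described above.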
Note:
User permission is required to edit incident tickets. For more information, see Barracuda NG Control Center 8. CC Admins, page 457.

Fig. 1219 Secure Web Proxy GUI - Tickets tab with detail info

View details of an incident ticket by double clicking on the entry. Make changes using the context menu.

2.5.3 Certificates Tab

All known CAs (or instances of trusted servers issuing valid certificates) are displayed in this tab. Certificates can be deleted, denied or unconditionally allowed, and certain attributes (like name, CRL URL and OCSP URL) can be changed.

Note:
As with incident tickets, a user must have permission in order to make any changes to the CA tree.

Fig. 1220 Secure Web Proxy GUI - Certificates tab

The Update List and Lock buttons work just the same as in the Tickets tab.
A green square in front of a CA signifies that any certificate issued by this CA will be allowed.
A red "X" in front of a CA signifies that any certificate issued by this CA will be denied.

2.5.3.1 Certificates Context Menu

The following commands are available over the context menu:
- Show certificate: retrieves a certificate from the server and displays it in a standard certificate dialog.
- Edit Name: alters a CA's name. The CA name is for purposes of this list only and is not used for any other purpose.
- Edit URICRL/URIOCSP: changes the URLs used for CRL downloads and OCSP queries. Usually it is not necessary to edit these attributes; they should already be correct.
- Set Allow/Set Deny: manually allows or denies a CA (see above).
- Delete CA: permanently removes a CA from the list. This action should only be taken by someone who knows exactly what he is doing.

Note:
New CAs will occasionally appear on this list as they become known to the system and are downloaded from the Internet. Initially, they will be denied. Therefore, it is recommended to check the CA tree regularly for new additions and, if necessary, change their status. Since Set Allow trusts every certificate the CA issues on behalf of all proxied clients, verify where a newly listed CA comes from before allowing it.

2.5.4 RSS-Feeds Tab

Here the handling of RSS feeds can be viewed (and edited).

2.5.4.1 RSS-Feeds Context Menu

The context menu is identical with the one described in 2.5.2.1 Tickets Context Menu, page 358.

2.5.5 Webservices Tab

The information provided in this tab is split into the following columns:
- URL displays the destination's URL.
- Action defines the global way the connection is handled (either Pass, Scan, Block, or Delete). By opening the detail information you may set the action that is to be taken for each webservice method. However, it is not possible to delete webservice methods.
- Subtype displays webservice type and version.
- Count displays the number of established connections.

2.5.5.1 Webservices Context Menu

The context menu is identical with the one described in 2.5.2.1 Tickets Context Menu, page 358.

3. URL Filter

3.1 General

The Proventia Web Filter, a content filtering utility, may optionally be implemented into the Barracuda NG Firewall HTTP Proxy, thus enabling access restriction to sites agreeable to the company policy.
When the filter is embedded, traffic is processed in the following succession:

Fig. 1221 Overview: URL filtering process (Browser -> Proxy -> Access OK? (Basic ACL): No -> Proxy Block HTTP; Yes -> URL Filter Web Filter Redirector -> URL Filter Web Filter Daemon -> Block HTTP or Connection allowed)

Step 1 Proxy - Basic ACL
The request committed by a client's browser is first processed by the HTTP Proxy, where it has to pass the Basic ACL configuration. If the Basic ACLs do not allow browsing the Internet, the request is dismissed by displaying the proxy server's internal block HTTP page.

Note:
For information on Basic ACLs, refer to 1.2 Configuration, Section Access Control - Proxy Access Handling Scheme, page 344.

Step 2 URL Filter Redirector
The redirector pipes the URL request into its internal checking routines (black lists, white lists, ...). If the requested URL matches one of these internal categories/lists, the decision (allow or block) is made locally; if not, the request is handed over to the URL Filter Daemon (cofsd).

Step 3 URL Filter Daemon
The cofs daemon first attempts to find the requested page in the local cache. If it cannot find it there, it establishes a connection to the URL Filter Database in order to retrieve the already assigned categorisation. It then hands either the local or the external search result back to the redirector.
The process responsible for this procedure can be viewed in the Processes tab of the Control section of Barracuda NG Admin and is named <servername>_cofsd.

Note:
A few requirements must be met to enable the URL Filter to query the Web Filter Database in the Internet. See 3.3.1 Configuring URL Filter Redirectors, page 362 for configuration details.

Step 4 URL Filter Redirector
The redirector processes the search result by matching the URL categorisation with its internal settings. Access to the URL is then granted or denied in compliance with the specified policy.

Figure 1222 illustrates the processes performed in Step 3 and Step 4 of the URL filtering process in detail:

Fig. 1222 Flowchart - URL Filter Redirector & Daemon (decision nodes of the flowchart: Browser -> Proxy, Access OK? (Basic ACL), No -> Block HTTP; URL Filter Redirector 1 .. n, Redirector Configuration 999999 (default) is activated by Config. Group/User?; Request in set time slot? No -> Block HTTP; Default Policy? deny-all-except / allow-all-except; URL in categories?; URL in black list? Yes -> Block HTTP; URL in white list? Yes -> Connection allowed; otherwise URL Filter Daemon: Category allowed? Deny/Allow; not categorized -> Default Policy? Deny/Allow; User limit exceeded? / time limit exceeded -> Limit Handling Deny/Allow; outcomes: Block HTTP (1) or Connection allowed (2))
3.2 Installation

To install the URL Filter, follow the instructions in Configuration Service 4. Introducing a New Service, page 97, and select URL Filter as Software Module.

Note:
The URL Filter service binds to localhost and thus cannot be equipped with an individual Bind Type.

3.3 Configuration

The configuration of the URL Filter is subdivided into the following three configuration areas:
- URL Filter Redirectors (see 3.3.1 Configuring URL Filter Redirectors, page 362)
- URL Filter Daemon (see 3.3.2 Configuration of the URL Filter Daemon, page 362)
- URL Filter - Redirector Parameters (see 3.3.3 Configuring of URL Filter - Redirector Parameters, page 363)

3.3.1 Configuring URL Filter Redirectors

Redirector configuration is part of the HTTP Proxy configuration (see 1.2.4.3 Section Redirector Settings, page 351).
Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (proxy) > HTTP Proxy Settings > Content Inspection view > Redirector Settings section to access the configuration area. The following values are available for configuration:

List 1228 Proxy Service Parameters - section Redirector Settings

Parameter | Description
Enable Redirector | Set to URL Filter (default: None) to enable the URL Filter. Optionally, select the Other checkbox and insert the name of an external redirector into the field to implement another URL filtering tool.
Firewall login | Set this parameter to Yes (default: No) if proxy-authenticated users additionally have to authenticate themselves on the firewall. The proxy server will then forward the user login to the firewall. Note: This option only works with a User Authentication Scheme (see 1.2.3.1 Section Authentication, page 343). Please review User Authentication, page 346 if you want to define ACL

3.3.2 Configuration of the URL Filter Daemon

The URL Filter Service configuration area defines general service settings and allows specifying login values if the Proventia Internet Databases are to be accessed through a proxy server.
Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (cofs) > URL Filter Service to access the configuration dialog. The following values are available for configuration:

3.3.2.1 General

List 1229 URL Filter Configuration - General section URL Filter General Settings

Parameter | Description
Max URL Filter processes | This parameter defines how many Proventia processes may be started simultaneously at a maximum (figure 1221, page 360).

List 1230 URL Filter Configuration - General section URL Filter Database Settings

Parameter | Description
Use local database | Select this checkbox to enable usage of a local categorisation database. This setting is recommended on boxes with poor network connectivity to the central ISS database servers or for installations serving more than 100 concurrent web users. Querying a local database improves the responsiveness of the filter. An initial database download is triggered when this option is enabled (approximate download size: 160 MB). Attention: On flash RAM based appliances the local database support cannot be used and has to be deactivated.
Upload Unknown URLs | Select this checkbox to activate the collection of unknown URLs and their successive upload to an ISS server. Using this feature may contribute to the evaluation of not yet categorized URLs. Note that the URLs your users request are thereby sent to an external party; check this against your data protection requirements before enabling it.

List 1231 URL Filter Configuration - General section URL Filter Support Options

Parameter | Description
Log Categories per URL | Selecting this checkbox extends the Proventia log files (see 3.5 Logging, Cofsd (created by the URL Filter daemon), page 366) by adding the category classification to each requested URL. This option should only be used to assist in case of problems. Check for sufficient disk capacity before enabling it.

3.3.2.2 Proxy

List 1232 URL Filter Configuration section URL Filter Proxy

Parameter | Description
Enable Proxy | Select this checkbox if the URL Filter has to access the Proventia Internet Databases through the local proxy server.
Entries using ACL Type "proxyauthentication" Note:
explicitly. See 3.3.4 Adapting the Local Firewall Rule Set,
page 365 for a summary of access demands.
Number of This parameter determines the number of
Redirectors simultaneously working redirectors (default: 5). The Proxy Host / Specify the authentication data requested by the local
value may be increased for high traffic processing. Port / User / proxy server in this place.
Password

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Proxy Configuration < URL Filter | 363

3.3.3 Configuring of URL Filter - Redirector Parameters

This section allows specification of the URL Filter's functional details, such as individual categorisation definitions, logging and statistics configuration.

Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (proxy) > URL Filter Config to access the configuration areas. The following values are available for configuration:

3.3.3.1 Filter Settings

List 1233 URL Filter Configuration - Filter Settings section URL Filter Settings

Timeout [s]
    This parameter specifies the maximum duration of a URL category research. If categorisation cannot be accomplished within this limit, the Default Policy (see below) determines whether a request is granted.

List 1234 URL Filter Configuration - Filter Settings section Configurations

This section allows creating data sets with self-contained settings for dedicated networks, user groups, or users. Data sets may be configured with explicit denial or allowance for strictly outlined time intervals. Each data set takes a number from 1 through 999998 as name. Data sets are processed in succession from lower to higher numbers, similar to a firewall rule set.

Note:
The data set 999999 comprises the default setting including the default policy deny-all-except. The profile may be changed to allow-all-except policy and be modified, but it may not be deleted. When deleted it will be restored with the initial default settings and changes that have been made to it will get lost.

Note:
The default data set applies to all Networks/Users/Groups accessing the URL Filter, although, as the corresponding configuration fields are left empty, this seems not to be configured. In all further data sets complementing the default set at least one of the fields Affected Networks/Affected Users/Affected Groups has to be specified, otherwise the data set will have no validity. If values have been specified for all three fields, they will be linked with OR, and access to a requested URL will be granted or denied according to the default policy and on the basis of the first value applying.

Default Policy
    The default policy defines the general proceeding with all following configuration values, which are defined within this data set. Available policies are:
    - allow-all-except
    - deny-all-except
    Note:
    Check the Timeout [s] parameter (see above) to find out about the effect this setting has in case of categorisation failure.

Categories
    This pull-down menu makes the category list provided by the URL Filter available. More than 60 million Web sites are part of the catalogue. Insert an arbitrary number of categories into the Value list by selecting a category and clicking the Insert button. Depending on the data set's Default Policy setting, access to the URLs contained in each category will be granted or denied.

White List
    The White List takes domain names to which access is always to be granted, notwithstanding the domain's categorisation. Sub-domains are not included into the list automatically, but must be specified explicitly instead. When the Find String checkbox is selected, the string inserted into the White List field is searched in any domain name.
    Note:
    Do not specify the protocol identifier in white list entries (for example, write www.domain.com instead of http://www.domain.com).

Black List
    The Black List takes domain names to which access is never to be granted, notwithstanding the domain's categorisation. Sub-domains are not included into the list automatically, but must be specified explicitly instead. When the Find String checkbox is selected, the string inserted into the Black List field is searched in any domain name.
    Note:
    Do not specify the protocol identifier in black list entries (for example, write www.domain.com instead of http://www.domain.com).

Affected Networks
    If settings within this data set should apply to specific networks accessing the proxy server, define these networks here.

Affected Groups / Users
    If settings within this data set should apply to specific users or user groups accessing the proxy server, define these users or user groups here. The syntax of the user/user group entries depends on the used authentication method (see 1.2 Configuration, Section Authentication, page 343). The usage of pattern matching (via wildcards * and ?) is supported.
    Note:
    Affected Groups and Affected Users may contain space characters. The inserted strings are treated case-insensitively (that means A-Z = a-z).
    Note:
    If you are using MSNT or RSAACE as authentication method, the parameter Affected Groups will have no impact, because these methods do not provide group names.
    Radius:
    Radius servers supply group names that have to be inserted exactly the way they are provided.
    LDAP, MSAD:
    Both methods supply so-called distinguished names that have to be entered exactly the way they are provided (for example CN=Group,OU=Unit,DC=Company,DC=com).
    Note:
    For information how to retrieve distinguished names, refer to Appendix 1.1 How to gather Group Information, page 544.
    Note:
    In case group conditions are not matched correctly using an LDAP authentication scheme, verify that you have specified the Group Attribute field correctly (see page 113).
    Note:
    If you encounter problems applying this filter due to incorrect user/group allocation, see Netbios Domain Name, page 112 for details on domain name assignment.

List 1235 URL Filter Configuration - Filter Settings section TIME SETTINGS

This section allows defining a number of time settings.

Use Local Time checkbox / Time Zone pull-down menu
    When the checkbox is selected, the data set's validity period is measured according to local box time settings. If you want another time zone to apply as calculation base, clear the checkbox and select the time zone from the pull-down menu.


List 1235 URL Filter Configuration - Filter Settings section TIME SETTINGS (continued)

Time Settings
    Clicking the Always button opens the Time Interval configuration window, allowing for temporary activation/deactivation of the URL Filter with 1-hour granularity on a weekly base. If time restriction applies to a profile, the label of the button changes to Restricted!.
    A profile is valid at all times by default, that means all checkboxes in the Time Interval dialog window are unchecked. Checking a box deactivates a profile for the given time.
    Set allow: Select to clear selected checkboxes.
    Set deny: Select to mark checkboxes as disallowed time intervals.
    Set Invert: Select to configure allowed and disallowed time intervals simultaneously.

Continue if mismatch
    Process the URL request even if the URL Filter is not available.

Block if mismatch (default)
    Block the URL request when the URL Filter is not available.

3.3.3.2 Deny Message

List 1236 URL Filter Configuration section URL Filter Deny Message

Message for Deny
    This parameter determines the message type displayed for connection denials. The message page can either be configured locally using a custom HTML text (Page) or be retrieved from an external HTTP server (URL). Depending on what has been chosen, either a Deny Page or a Deny URL has to be configured.

Deny URL
    This field takes the URL of an external HTTP server capable of CGI used for display of customized block-pages in case of connection rejection. The URL of the message server (for example msgsrv) has to be specified including server protocol and IP address. Port specification is optional (like http://msgsrv.com:80).
    Note:
    For information concerning the use of an external HTTP server, see 3.4.1 Communication with External HTTP Server, page 365.

Deny Page
    This field takes an HTML page that is displayed via the internal firewall authentication daemon (fwauthd) when a connection request is rejected.
    Note:
    The reason for connection denial is contained in the $$MESSAGE$$ variable. Use this variable in the custom block-page to inform users about the relevant security policy.
    Note:
    In case the URL Filter Daemon (cofsd) is not available, the user will still get informed why the connection was refused, if the URL request can be found in the internal categories/lists.

3.3.3.3 Exceptions

This tab allows configuring users who may bypass the URL Filter Redirector. Users may be identified either by their source IP address or by their user name.

List 1237 URL Filter Configuration section URL Filter Exceptions

Note:
Be sure to use the inverted CIDR notation, if activated, for the following two parameters (Getting Started 5. Inverted CIDR Notation, page 25).

Unrestricted IPs
    This parameter defines IP addresses whose URL requests are not going to be filtered.
    Note:
    The Unrestricted IPs involve IP addresses configured in the Access Control - Section ACL Entries 1.2.3.4 of the HTTP Proxy Server (ACL Type source, parameter Source IP (IP Ranges or Single IPs)).

Unrestricted Users
    Via this parameter you can enter users by using their proxy login. This is handy when your network works with DHCP.
    Note:
    The Unrestricted Users involve users configured in the Access Control - Section ACL Entries 1.2.3.4 of the HTTP Proxy Server (ACL Type proxyauthentication, parameter User Authentication (Users)).

3.3.3.4 Cascaded Redirector

For inclusion of additional scanning procedures with third party software products installed on the Barracuda NG Firewall (for example virus scanning), the redirector may optionally be cascaded.

Note:
Use this functionality on your own responsibility.

List 1238 URL Filter Configuration section URL Filter Cascaded Redirector

Cascaded is Primary checkbox
    Ticking this checkbox defines the cascaded redirector as primary component in the scanning chain. The URL request is then first routed through the additional scanner and then through the URL Filter.

Cascaded Redirector
    This parameter defines the location (full pathname) of the cascaded redirector in the Barracuda NG Firewall.

3.3.3.5 Logging

Note:
Use the following parameters with care as they may produce huge log files.

List 1239 URL Filter Configuration section URL Filter Logging Settings

Log Denied URLs
    Ticking this checkbox creates a log entry for each denied URL request.

Log Allowed URLs
    Ticking this checkbox creates a log entry for each allowed URL request.
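To make the data-set processing of 3.3.3.1 (List 1234) and the bypass rules of 3.3.3.3 (List 1237) concrete, the following Python model walks a request through the Exceptions first and then through the data sets in ascending number order, with the three Affected fields OR-linked, the White and Black Lists overriding categorisation, listed categories acting as the exceptions to the Default Policy, and the Default Policy alone deciding when categorisation timed out. This is example code added to this edition, not Barracuda's implementation; the data-set numbers, networks, groups and domains used are constructed, and consulting the White List before the Black List is an assumption the guide does not settle.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

DEFAULT_DATA_SET = 999999  # the undeletable default data set of List 1234


@dataclass
class DataSet:
    number: int                                   # 1..999998, or 999999 for the default
    default_policy: str = "deny-all-except"       # or "allow-all-except"
    categories: frozenset = frozenset()           # category numbers in the Value list
    networks: Tuple[str, ...] = ()                # Affected Networks (CIDR strings)
    users: Tuple[str, ...] = ()                   # Affected Users (* and ? wildcards)
    groups: Tuple[str, ...] = ()                  # Affected Groups (* and ? wildcards)
    white_list: Tuple[str, ...] = ()
    black_list: Tuple[str, ...] = ()
    find_string: bool = False                     # Find String checkbox


@dataclass
class Request:
    client_ip: str
    domain: str
    user: str = ""
    groups: Tuple[str, ...] = ()
    categories: Optional[frozenset] = frozenset()  # None models a Timeout [s] expiry


def _wildcard_match(value, patterns):
    # Affected Users/Groups are compared case-insensitively and support * and ?
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _in_networks(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def data_set_applies(ds, req):
    if ds.number == DEFAULT_DATA_SET:
        return True                      # 999999 applies to everyone
    if not (ds.networks or ds.users or ds.groups):
        return False                     # all three fields empty: data set has no validity
    # the three Affected fields are OR-linked
    return (_in_networks(req.client_ip, ds.networks)
            or (bool(req.user) and _wildcard_match(req.user, ds.users))
            or any(_wildcard_match(g, ds.groups) for g in req.groups))


def _list_hit(domain, entries, find_string):
    d = domain.lower()
    if find_string:
        return any(e.lower() in d for e in entries)
    return any(e.lower() == d for e in entries)   # sub-domains are never implied


def decide(ds, req):
    # Assumption: the White List is consulted before the Black List when both match
    if _list_hit(req.domain, ds.white_list, ds.find_string):
        return "allow"
    if _list_hit(req.domain, ds.black_list, ds.find_string):
        return "deny"
    base = "allow" if ds.default_policy == "allow-all-except" else "deny"
    if req.categories is None:
        return base                      # categorisation timed out: Default Policy decides
    if req.categories & ds.categories:
        return "deny" if base == "allow" else "allow"   # listed categories are the exceptions
    return base


def evaluate(req, data_sets, unrestricted_ips=(), unrestricted_users=()):
    """Return (verdict, source): Exceptions of 3.3.3.3 first, then data sets in number order."""
    if _in_networks(req.client_ip, unrestricted_ips):
        return "allow", "unrestricted-ip"
    if req.user and req.user.lower() in {u.lower() for u in unrestricted_users}:
        return "allow", "unrestricted-user"
    for ds in sorted(data_sets, key=lambda d: d.number):
        if data_set_applies(ds, req):
            return decide(ds, req), f"data-set-{ds.number}"
    return "deny", "no-data-set"         # unreachable while data set 999999 exists
```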


3.3.3.6 Statistics Tab

Section URL Filter Statistics Settings

Selecting a checkbox within this section creates corresponding statistics for:
- Unrestricted Users
- Unrestricted IPs
- Denied URLs per User
- Denied URLs per IP (selected by default)
- Allowed URLs per User
- Allowed URLs per IP

The generated statistics data pays regard to the following:
- URL distribution over the available categories.
- Usage distribution of categories per user.

3.3.3.7 Limit Handling

List 1240 URL Filter Configuration section URL Filter Limit Handling

Block If User Limit Exceeded
    When selected (default), the URL Filter blocks URL requests when the license dependent URL Filter user limit is exceeded.

3.3.4 Adapting the Local Firewall Rule Set

The URL Filter Database first attempts categorisation of URL requests through its local settings and cache. If the requested URL cannot be retrieved in these places, it attempts accessing the URL Filter Databases in the Internet. This access has to be enabled by meeting the following requirements:
- From the Barracuda NG Firewall the URL Filter Daemon is running on, check if the address license.cobion.com is DNS-resolvable. The daemon has to contact the license server for license verification through https://license.cobion.com. TCP port 443 has to be enabled on the firewall.
- Access to the Proventia Internet Databases for URL categorisation running on the IP addresses 195.127.173.135 and 195.127.173.136 has to be enabled on TCP port 6000.
- From the Barracuda NG Firewall the URL Filter Daemon is running on, the pointer (PTR) records of the addresses 195.127.173.135 and 195.127.173.136 must be recallable.

Introduce a rule in the Outbound-User tab of the local rule set with the following setting parameters:
- Source: ServerIPs
- Action: Pass
- Destination: World
- Service: Explicit with TCP, Port 443 and TCP, Port 6000

Fig. 1223 Local rule granting access from URL Filter to Proventia Internet Databases

Attention:
When using flash RAM based appliances, pay special attention to correct rule configuration in order to guarantee uninterrupted Internet connectivity. If the URL Filter Daemon is unable to access the license server it will attempt to write to disk, which might lead to hardware malfunctions. On flash RAM based appliances, configure Internet access before enabling the URL Filter Daemon.

3.4 Communication & Categories

3.4.1 Communication with External HTTP Server

Note:
The external HTTP server has to act as Common Gateway Interface (CGI).

The block-page on the external HTTP server has to be designed as HTML page, including a parameter line that is processed through the CGI with all parameters desired for explaining the reason for connection rejection.

The following parameters can be processed in a block-page:
- categories=[1-63], 99
  indicating the categories that caused the block; category 99 marks a not found one; see 3.4.2 Proventia URL Categories, page 366, for a list of available categories.
- other reasons
  urlfd_not_running: The URL Filter Daemon is not running
  urlfd_read_error: Could not read from URL Filter Daemon
  no_more_memory: Machine is running out of memory
  udp_not_received:


  Could not receive an answer for the requested URL. Please try later
  filter_timeout: Could not receive an answer for the requested URL. Please try later
  request_not_correct: The proxy has sent an incorrect request
  black_list: This site is on the BLACK LIST
  no_category: This domain is in no category
  timestamp_not_active: Sorry, but at this time the access is blocked
  user_limit_exeeded: Sorry, but the URL Filter user limit exceeded
- url=www.[url].com

A parameter line included in a custom block-page can look as follows (www.msgsrv.com is the external HTTP-server displaying the customized block-page):

www.msgsrv.com/block_page?filter_timeout&url=www.forbidden.com

www.msgsrv.com/block_page?categories=1,6,35&url=www.forbidden.com

3.4.2 Proventia URL Categories

Note:
The following list is provided by Proventia.

Table 125 URL categories overview

Category  Description
01        Pornography
02        Erotic/Sex
03        Swimwear/Lingerie
04        Online_Shopping
05        Auctions/Classified_Ads
06        Governmental_Organizations
07        Non_Governmental_Organizations
08        Cities/Regions/Countries
09        Education
10        Political_Parties
11        Religion
12        Sects
13        Illegal_Activities
14        Computer_Crime
15        Hate/Discrimination
16        Warez/Hacking/Illegal_Software
17        Extreme
18        Gambling
19        Computer_Games
20        Toys
21        Cinema/Television
22        Recreational_Facilities/Amusement/Theme_Parks
23        Art/Museums
24        Music
25        Literature/Books
26        Humour/Comics
27        General_News/Newspapers/Magazines
28        Web_Mail
29        Chat
30        Newsgroups/Bulletin_Boards/General_Discussion_Sites
31        SMS/Mobile_Phone_Accessories
32        Digital_Postcards
33        Search_Engines/Web_Catalogs/Portals
34        Software_and_Hardware_Vendors/Distributors
35        Web_Hosting/Broadband
36        IT-Security
37        Translation
38        Anonymous_Proxies
39        Illegal_Drugs
40        Alcohol
41        Tobacco
42        Self-Help/Addiction
43        Dating/Relationships
44        Restaurants/Bars
45        Travel
46        Fashion/Cosmetics/Jewelry
47        Sports
48        Building/Residence/Architecture/Furniture
49        Nature/Environment
50        Private_Homepages
51        Job_Search
52        Investment_Brokers/Stocks
53        Financial_Services/Investment
54        Banking/Home_Banking
55        Vehicles/Transportation
56        Weapons
57        Health/Recreation/Nutrition
58        Abortion
60        Spam_URLs
61        Malware
62        Phishing_URLs
63        Instant_Messaging

3.5 Logging

Activities which are processed through the URL Filter generate two log files. These log files can be viewed in the Log GUI of the graphical administration tool Barracuda NG Admin via Logs > <servername> > <servicename> >
- Cofsd (created by the URL Filter daemon)
- Fwauthd (created by the Barracuda NG Authentication Client processing the "block-page").
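As an added illustration of the block-page parameter line described in 3.4.1 (example code, not Barracuda's or Proventia's), the following Python CGI handler parses a request such as block_page?categories=1,6,35&url=www.forbidden.com or block_page?filter_timeout&url=www.forbidden.com, maps category numbers and reason codes to the texts listed above, and HTML-escapes the reflected url value before it is written into the page. CATEGORY_NAMES holds only a subset of Table 125, and the page layout and the function names are assumptions of this example.

```python
import html
import os
import sys
from urllib.parse import parse_qs

# Subset of Table 125; extend with the remaining rows as needed
CATEGORY_NAMES = {
    1: "Pornography", 6: "Governmental_Organizations", 13: "Illegal_Activities",
    14: "Computer_Crime", 16: "Warez/Hacking/Illegal_Software", 18: "Gambling",
    35: "Web_Hosting/Broadband", 38: "Anonymous_Proxies", 61: "Malware",
    62: "Phishing_URLs", 99: "not found (no category)",
}

# "other reasons" the redirector passes instead of, or next to, a category list (3.4.1)
REASON_TEXT = {
    "urlfd_not_running": "The URL Filter Daemon is not running",
    "urlfd_read_error": "Could not read from URL Filter Daemon",
    "no_more_memory": "Machine is running out of memory",
    "udp_not_received": "Could not receive an answer for the requested URL. Please try later",
    "filter_timeout": "Could not receive an answer for the requested URL. Please try later",
    "request_not_correct": "The proxy has sent an incorrect request",
    "black_list": "This site is on the BLACK LIST",
    "no_category": "This domain is in no category",
    "timestamp_not_active": "Sorry, but at this time the access is blocked",
    "user_limit_exeeded": "Sorry, but the URL Filter user limit exceeded",
}


def parse_block_request(query_string):
    """Split the parameter line into (url, valid category ids, known reason codes)."""
    params = parse_qs(query_string, keep_blank_values=True)  # keeps bare keys like filter_timeout
    url = params.get("url", [""])[0]
    categories = []
    for raw in params.get("categories", [""])[0].split(","):
        raw = raw.strip()
        if raw.isdigit() and (1 <= int(raw) <= 63 or int(raw) == 99):
            categories.append(int(raw))          # anything outside [1-63], 99 is ignored
    reasons = [key for key in params if key in REASON_TEXT]
    return url, categories, reasons


def explain_block(query_string):
    """Return (url, human-readable reason lines) for the block-page body."""
    url, categories, reasons = parse_block_request(query_string)
    lines = [f"{c:02d} {CATEGORY_NAMES.get(c, 'unknown category')}" for c in categories]
    lines += [REASON_TEXT[r] for r in reasons]
    return url, lines


def render_block_page(query_string):
    url, lines = explain_block(query_string)
    items = "".join(f"<li>{html.escape(line)}</li>" for line in lines)
    items = items or "<li>No reason supplied</li>"
    # The url value comes from the request and is reflected into HTML: escape it
    return (
        "<html><body><h1>Access denied</h1>"
        f"<p>The request to <code>{html.escape(url)}</code> was blocked.</p>"
        f"<ul>{items}</ul></body></html>"
    )


if __name__ == "__main__":
    # CGI entry point: the web server hands the parameter line over in QUERY_STRING
    sys.stdout.write("Content-Type: text/html\r\n\r\n")
    sys.stdout.write(render_block_page(os.environ.get("QUERY_STRING", "")))
```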


3.6 Load Sharing and High Availability

If an HA pair of Barracuda NG Firewalls is available it may be useful to install a second URL Filter on the second gateway to share the load and to take benefit of the available hardware. A second URL Filter license is required for this scenario.

Fig. 1224 Principle of Load Sharing
[Figure: URL requests / traffic are spread over Box HA-1 (Proxy 1: IP address 10.0.8.113; COFS 1: license for 100 users, IP address 127.0.0.1, listening on port 1830) and Box HA-2 (Proxy 2: IP address 10.0.8.114; COFS 2: license for 100 users, IP address 127.0.0.1, listening on port 1830).]

In case Box HA-2 is down (for example because of a hardware failure), Box HA-1 takes over the Proxy server and URL Filter server that were hosted by Box HA-2.

Fig. 1225 Principle of High Availability
[Figure: Box HA-1 now hosts Proxy 1 (active, IP address 10.0.8.113), Proxy 2 (active, IP address 10.0.8.114), COFS 1 (active, license for 100 users, IP address 127.0.0.1, listening on port 1830) and COFS 2 (idle, license for 100 users, IP address 127.0.0.1, listening on port 1830); Box HA-2 with its Proxy 2 and COFS 2 is down.]

Note:
Although both servers are displayed as active in the control view of Barracuda NG Admin, the second URL Filter server is idle. This inevitably happens because URL Filter servers bind to the localhost IP 127.0.0.1, and the second server will not be able to bind to an IP which is already in use by another server (a corresponding log entry will be created in the log file Cofsd, see 3.5 Logging, page 366).

This behavior is necessary to avoid fraud with multiple URL Filter servers using the same Proventia license. The anti-fraud procedure as well causes that still only 100 users (the number of users depends on the Proventia licenses installed on the now active box) are allowed at the same time.

Note:
Make sure that the parameter Block If User Limit Exceeded (page 365) is set properly.



13 FTP Gateway

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

2. Installation
2.1 Create Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

3. Configuration
3.1 Service Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
3.2 FTP-GW Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
3.2.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
3.2.2 User specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
3.2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372


1. Overview

1.1 General

The Barracuda NG Firewall FTP Gateway service is completely maintainable via the management console Barracuda NG Admin.

Note:
For detailed information on the file transfer protocol (FTP) see www.w3.org/protocols/rfc959.

2. Installation

An installed box server is a pre-requisite to the installation of the FTP Gateway service.

2.1 Create Service

Choose Create Service from the context menu of Config > Box > Virtual Servers > <servername> > Assigned Services and assign FTP Gateway as software module to create an FTP Gateway. Activate the changes by clicking Activate. Your newly installed FTP Gateway service is now ready for configuration.

3. Configuration

The configuration tree of the box provides all configuration options for the FTP Gateway service and contains the following items (listed according to their sequence of usage):
- Service Properties
- FTP-GW Settings, Page 370

Note:
Boxes maintained via a Barracuda NG Control Center (CC) can be configured locally only if an Emergency Override is performed (Configuration Service 2.2.1.1 Box Context Menu, page 51).

3.1 Service Properties

Select the Service Properties item in the config tree to enter the configuration dialog. Please consult Configuration Service 4. Introducing a New Service, page 97 for a review of the configuration options.

3.2 FTP-GW Settings

To enter the configuration, select the FTP-GW Settings entry in the configuration tree.

Fig. 131 FTP-GW Settings


3.2.1 Settings

List 131 FTP-GW Settings configuration section BEHAVIOR

Listening Port
    This parameter specifies the TCP port the gateway is listening on (default: 21).

Dataport range (min)
    Here the smallest possible allowed TCP port the gateway uses for data connections is defined (default: 30000).

Listen timeout (s)
    This timeout defines the maximum allowed duration for connection establishment (default: 15 seconds). If the timeout is exceeded the gateway terminates the attempt.

Bind policy
    Here the to-be-used Bind IP is defined. The available options are:
    ProxyDyn (default) - The bind IP is defined by the routing table.
    Server-First - The FTP gateway uses the first server IP for connections.
    Server-Second - The FTP gateway uses the second server IP for connections.
    Explicit - The FTP gateway uses an explicit IP for connections (to be defined below).

Explicit Bind IP
    Via this parameter the explicit IP to be used by the FTP gateway on connection has to be entered. Take into consideration that this parameter is only available if Explicit has been selected as parameter for Bind policy (see above).

Maximal allowed workers
    This parameter determines the number of processes that the gateway may fork (default: 255).

Deny active ftp-data transfer
    By setting this parameter to yes, any PORT command will be denied by the gateway (default: no). This way only passive data transfer is possible, which means that the server connects to the client.

Deny passive ftp data-transfer
    By setting this parameter to yes, any PASV command will be denied by the gateway (default: no). This way only active data transfer is possible, which means that the client connects to the server.

Deny additional ftp-commands
    Setting this parameter to no allows additional FTP commands that are not included in RFC 959 (like status display in percentage) (default: yes).

FTP-command/protocol check
    If active, this parameter (default: yes) parses the protocol and checks FTP commands for correctness.

Buffer-overflow protection
    The Set button opens a new window with several parameters for buffer-overflow protection configuration which can be activated or deactivated. Each of the parameters controls two input fields: the first one activates or deactivates a length restriction (possible values yes/no), the second one defines the length limitation if the first value has been set to yes. The following table displays the configured default settings:

    (Max.) Filename Length [default: yes / 255]
        This parameter affects the following commands: RETR, STOR, SMNT, APPE, RNFR, RNTO, DELE, RMD, MKD, LIST, NLST and STAT, due to the fact that all of those commands may contain a parameter with a file or directory name.
    (Max.) Username Length [yes / 255]
        Length limitation for username (USER).
    (Max.) Account Info Length [yes / 255]
        Length limitation for account (ACCT).
    (Max.) Password Length [yes / 255]
        Length limitation for password (PASS).
    (Max.) String Length [yes / 255]
        Limits the parameter length for commands REST, SITE and HELP.
    (Max.) Parameter Length [yes / 255]
        Limits the parameter length for all other FTP commands.

List 132 FTP-GW Settings configuration section Virus Scanning

Use local virus scanner
    Set to yes (default: no) to enable the virus scanning on files retrieved via FTP download. Virus scanning settings are configured in 1.7.4 FTP Gateway Integration, page 397.

List 133 FTP-GW Settings configuration section Logging

Click the Show button to start the configuration dialog for logging settings. The following actions are logged by default:
    Log download file
    Log upload file
    Log append file
    Log rename file
    Log delete file
    Log delete directory
    Log create directory
    Log other file-actions
    Log denied ftp-commands
    Log protocol denies
    Log logins
    Log succeeded local logins
    Log denied local logins
    Log destination denies
    Log file-upload denies
    Log file-download denies
    Log structure-mount denies
    Log delete file-denies
    Log rename-file denies
    Log change to upper dir denies
    Log extension denies
    Log create dir denies
    Log delete dir denies
    Log other ftp-commands

3.2.2 User specific

User specific

Define different user profiles for FTP access here.

List 134 FTP-GW Settings Configuration - User specific section Configuration Assignment

As a matter of fact the processing sequence goes from top to bottom (similar to the firewall rule set). The sequence is defined by specification of the profile name (a profile number).

Affected Groups
    Enter the groups here to which the profile and its restrictions apply.

Affected Users
    Enter the users here to which the profile and its restrictions apply.

Affected IPs for Anonymous
    Here you may assign IP addresses to the profile that need no authentication for accessing the FTP gateway (see 3.2.3 Authentication, page 372, parameter No local authorization needed, Page 372).

List 135 FTP-GW Settings Configuration - User specific section Special Destinations

Via the parameters of this section you are able to define restrictions for explicit FTP destinations (overruling the global configuration defined in FTP-GW Settings Configuration - User specific section Default User Specific, Page 372).

Destination
    Here the IP address or DNS-resolvable hostname of the FTP destination has to be entered.

Redirection
    This parameter allows connection redirection to another host.

Policy
    This parameter defines whether the destination is accessible for this user profile or not (default: allow).

Initial directory
    This parameter defines the "start" directory after login.

Top most directory
    This parameter defines the highest possible directory level.

Deny file-upload
    Set to yes (default: no) to prohibit file upload for this user profile.

Deny file-download
    Set to yes (default: no) to prohibit file download for this user profile.
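As an added example of the List 131 behaviour settings in 3.2.1 (example code written for this edition, not the FTP Gateway's own implementation), the following Python check applies the six buffer-overflow length limits with their defaults (yes / 255 characters), Deny active ftp-data transfer (PORT), Deny passive ftp data-transfer (PASV), Deny additional ftp-commands (anything outside RFC 959) and a simple FTP-command/protocol check to one raw control-channel line. The settings keys, the sample lines and the exact protocol checks are assumptions of this illustration.

```python
import re

# Buffer-overflow protection groups from List 131 (defaults: all enabled, 255 characters)
FILENAME_COMMANDS = {"RETR", "STOR", "SMNT", "APPE", "RNFR", "RNTO",
                     "DELE", "RMD", "MKD", "LIST", "NLST", "STAT"}
STRING_COMMANDS = {"REST", "SITE", "HELP"}

# The command set of RFC 959; anything else counts as an "additional ftp-command"
RFC959_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT", "PASV",
    "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO", "REST", "RNFR",
    "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST", "NLST", "SITE", "SYST",
    "STAT", "HELP", "NOOP",
}

# Assumed key names; the values mirror the defaults given in List 131
DEFAULT_SETTINGS = {
    "filename_length": 255,            # (Max.) Filename Length
    "username_length": 255,            # (Max.) Username Length
    "account_length": 255,             # (Max.) Account Info Length
    "password_length": 255,            # (Max.) Password Length
    "string_length": 255,              # (Max.) String Length
    "parameter_length": 255,           # (Max.) Parameter Length
    "deny_active_ftp_data": False,     # Deny active ftp-data transfer (PORT)
    "deny_passive_ftp_data": False,    # Deny passive ftp data-transfer (PASV)
    "deny_additional_commands": True,  # Deny additional ftp-commands
    "protocol_check": True,            # FTP-command/protocol check
}


def length_limit(command, settings):
    """Pick the length limit for a command's parameter; a value of None disables the check."""
    if command in FILENAME_COMMANDS:
        return settings["filename_length"]
    if command == "USER":
        return settings["username_length"]
    if command == "ACCT":
        return settings["account_length"]
    if command == "PASS":
        return settings["password_length"]
    if command in STRING_COMMANDS:
        return settings["string_length"]
    return settings["parameter_length"]      # all other FTP commands


def check_command(line, settings=DEFAULT_SETTINGS):
    """Return (allowed, reason) for one raw control-channel line as sent by the client."""
    if settings["protocol_check"] and not line.endswith("\r\n"):
        return False, "protocol check: command line not terminated by CRLF"
    body = line.rstrip("\r\n")
    command, _, argument = body.partition(" ")
    command = command.upper()
    if settings["protocol_check"] and not re.fullmatch(r"[A-Z]{3,4}", command):
        return False, "protocol check: malformed command verb"
    if settings["protocol_check"] and re.search(r"[\x00-\x1f\x7f]", argument):
        return False, "protocol check: control characters in parameter"
    if command not in RFC959_COMMANDS and settings["deny_additional_commands"]:
        return False, f"{command} is not an RFC 959 command"
    if command == "PORT" and settings["deny_active_ftp_data"]:
        return False, "active data transfer (PORT) denied"
    if command == "PASV" and settings["deny_passive_ftp_data"]:
        return False, "passive data transfer (PASV) denied"
    limit = length_limit(command, settings)
    if limit is not None and len(argument) > limit:
        return False, f"{command} parameter length {len(argument)} exceeds limit {limit}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic
    for sample in ("RETR report.pdf\r\n", "RETR " + "A" * 300 + "\r\n", "XPWD\r\n"):
        print(repr(sample[:20]), check_command(sample))
```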


List 13-5 FTP-GW Settings Configuration - User specific section Special Destinations (continued)
Deny file-delete: Set to yes (default: no) to prohibit file deletion for this user profile.
Deny file-rename: Set to yes (default: no) to prohibit renaming of a file for this user profile.
Deny structure mount: Set to yes (default: no) to prohibit a structure mount for this user profile.
Deny make dir: Set to yes (default: no) to prohibit directory creation for this user profile.
Deny delete dir: Set to yes (default: no) to prohibit directory deletion for this user profile.
Deny file-extensions: Define prohibited file extensions for this user profile. Enter only the extension itself without the leading dot. Separate multiple entries with a space (for example: mp3 exe doc).
Timeout (sec.): This parameter specifies the timeout after which an idle connection is terminated (default: 0).

List 13-6 FTP-GW Settings Configuration - User specific section Default User Specific
Via the parameters of this section you are able to define "global" restrictions for this user profile.
Destination: Here the IP address or DNS-resolvable hostname of the FTP destination has to be entered.
Policy: This parameter defines whether the FTP gateway is available to this user profile or not (default: allow).
Deny file-upload: Set to yes (default: no) to prohibit file upload for this user profile.
Deny file-download: Set to yes (default: no) to prohibit file download for this user profile.
Deny file-delete: Set to yes (default: no) to prohibit file deletion for this user profile.
Deny file-rename: Set to yes (default: no) to prohibit renaming of a file for this user profile.
Deny make dir: Set to yes (default: no) to prohibit directory creation for this user profile.
Deny delete dir: Set to yes (default: no) to prohibit directory deletion for this user profile.
Deny structure mount: Set to yes (default: no) to prohibit a structure mount for this user profile.
Deny file-extensions: Define prohibited file extensions for this user profile. Enter only the extension itself without the leading dot (for example mp3).
Timeout (sec.): This parameter specifies the timeout after which an idle connection is terminated (default: 0).

List 13-7 FTP-GW Settings Configuration - User specific section Time Restrictions
Use Local Time checkbox: Mark the checkbox to relate the time restriction settings to the system's time zone settings. If unchecked, the parameter Time Zone below is activated to allow a specific time zone configuration.
Time Zone: Choose from the pull-down menu the preconfigured time zone the time restriction settings are meant to relate to.
Time Settings: The default policy allows all possible actions, and by default these profile settings are always valid. Activate checkboxes in the Time Interval window for the periods in which a restriction should apply. During these periods the profile's settings lose their validity.

Default User specific

Via this section a profile is defined that is used if no other profile matches the request. The available parameters are nearly identical to the ones described above. An additional section TIME RESTRICTIONS allows limiting the default profile's validity period.

List 13-8 FTP-GW Settings Configuration - User specific - Default User Specific section Special Destinations
See list 13-5, page 371.

List 13-9 FTP-GW Settings Configuration - User specific - Default User Specific section Other Destinations
See list 13-6.

List 13-10 FTP-GW Settings Configuration - User specific - Default User Specific section Time Restrictions
The parameters Use Local Time checkbox, Time Zone and Time Settings are the same as in list 13-7; here they limit the validity period of the default profile.

3.2.3 Authentication

List 13-11 FTP-GW Settings Configuration section Local Authentication
Denied source-networks: This parameter holds networks from which users are not allowed to connect.
No local authorization needed: IP addresses/networks entered in this parameter do not need to authenticate when connecting. Because these sources bypass authentication entirely, restrict the entry to trusted, directly attached networks.
Welcome message: This parameter allows generation of welcome messages that are displayed when logging in. The configuration dialog is opened by clicking Edit.
Phibs settings: The parameters of this configuration dialog (opened via the Edit button) allow definition of details concerning authentication:
  PHIBS Authentication Scheme: This parameter defines what kind of authentication scheme is to be used. The following schemes are available: MSNT (default), RADIUS, LDAP, MSAD and RSAACE.
  Note: Authentication schemes MSNT and RSAACE do not provide group information.
  PHIBS Listen IP (default: 127.0.0.1)
  PHIBS Timeout (default: 10)
User List Policy: This parameter defines the policy for users that are entered in the user list (see below). The following settings are available: deny-explicit (default), allow-only.
User List: This section is used for entering the login names for which access is granted.
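The profile tables above list the knobs but not which FTP commands each one affects. The following is an added example written for this page, not Barracuda's code: it models a user profile with the deny flags, the parameter-length limit and a time restriction, and evaluates individual FTP command lines against it. The mapping from FTP commands (RFC 959 verbs such as STOR, RETR, DELE, RNFR/RNTO, SMNT, MKD, RMD) to the flag that must govern them is this example's assumption; the field names mirror the GUI labels.

```python
"""Added example, not Barracuda's code: a model of the per-profile deny flags,
parameter-length limit and time restriction of the FTP-GW user profiles above,
evaluated against single FTP command lines. Field names mirror the GUI labels;
the mapping from FTP commands (RFC 959) to the flag that governs them is this
example's assumption about what each flag has to block."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Set, Tuple

# FTP command -> profile flag governing it (assumed mapping, RFC 959 semantics)
COMMAND_FLAGS = {
    "STOR": "deny_file_upload", "STOU": "deny_file_upload", "APPE": "deny_file_upload",
    "RETR": "deny_file_download",
    "DELE": "deny_file_delete",
    "RNFR": "deny_file_rename", "RNTO": "deny_file_rename",
    "SMNT": "deny_structure_mount",
    "MKD": "deny_make_dir", "XMKD": "deny_make_dir",
    "RMD": "deny_delete_dir", "XRMD": "deny_delete_dir",
}
# Commands whose argument names a file and is therefore checked against the
# "Deny file-extensions" list.
FILE_ARG_COMMANDS = {"STOR", "STOU", "APPE", "RETR", "DELE", "RNFR", "RNTO"}


@dataclass
class UserProfile:
    policy: str = "allow"                 # Policy: "allow" or "deny"
    deny_file_upload: bool = False
    deny_file_download: bool = False
    deny_file_delete: bool = False
    deny_file_rename: bool = False
    deny_structure_mount: bool = False
    deny_make_dir: bool = False
    deny_delete_dir: bool = False
    deny_file_extensions: str = ""        # as typed in the GUI: "mp3 exe doc", no dots
    max_parameter_length: int = 255       # (Max.) Parameter Length
    # Time restriction: (weekday 0=Mon..6=Sun, hour) slots in which the profile is not valid
    restricted_hours: Set[Tuple[int, int]] = field(default_factory=set)

    def denied_extensions(self) -> Set[str]:
        # Tolerate a leading dot even though the GUI asks for none.
        return {e.lower().lstrip(".") for e in self.deny_file_extensions.split()}


def evaluate(profile: UserProfile, command_line: str, when: str) -> Tuple[bool, str]:
    """Decide one FTP command line under `profile` at ISO timestamp `when`.
    Returns (allowed, reason); the first failing check wins."""
    now = datetime.fromisoformat(when)
    if profile.policy != "allow":
        return False, "profile policy denies use of the FTP gateway"
    if (now.weekday(), now.hour) in profile.restricted_hours:
        return False, "profile is not valid in this time interval"
    verb, _, arg = command_line.strip().partition(" ")
    verb = verb.upper()
    if len(arg) > profile.max_parameter_length:
        return False, f"parameter exceeds {profile.max_parameter_length} characters"
    flag = COMMAND_FLAGS.get(verb)
    if flag and getattr(profile, flag):
        return False, f"{flag.replace('_', ' ')} is set for this profile"
    if verb in FILE_ARG_COMMANDS and "." in arg:
        ext = arg.rsplit(".", 1)[1].lower()
        if ext in profile.denied_extensions():
            return False, f"file extension '{ext}' is denied"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed profile: no uploads, no media/executables, no access on Saturdays.
    profile = UserProfile(deny_file_upload=True, deny_file_extensions="mp3 exe doc",
                          restricted_hours={(5, h) for h in range(24)})
    for cmd in ("RETR report.pdf", "RETR tool.exe", "STOR notes.txt", "MKD incoming"):
        print(f"{cmd:18} Monday   -> {evaluate(profile, cmd, '2010-02-01T10:00')}")
    print(f"{'RETR report.pdf':18} Saturday -> {evaluate(profile, 'RETR report.pdf', '2010-02-06T10:00')}")
```

Note that the extension check is case-insensitive and that a denied extension blocks the file for every file-argument command, including RNTO, so a client cannot upload "tool.bin" and rename it to "tool.exe" past the filter.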



14 Voice over IP

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

2. SCCP
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
2.2 Installing SCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

3. H.323 Neighbour Gatekeeper


3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
3.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

4. SIP
4.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2 SIP-related Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2.1 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2.2 Firewall Forwarding Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.3 Installing SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

5. Monitoring
5.1 Dynamic Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380




1. Overview

1.1 General

Currently Barracuda NG Firewalls (version 2.4.2 SP1 and higher) support three different types of Voice over Internet Protocols (VoIP):
- Skinny Client Control Protocol (also known as SCCP by Cisco)
- H.323
- SIP

2. SCCP

2.1 General

Cisco Skinny NAT and firewall traversal is implemented by a firewall plugin. The plugin monitors the Skinny signalling connection between the phone and the Cisco CallManager. The default signalling port for SCCP is TCP 2000. When the plugin intercepts a Skinny packet that establishes an RTP connection, such as an audio transmission for VoIP, a pinhole for the voice stream is opened in the firewall. A call release packet or the termination of the Skinny signalling connection closes the pinhole again.

2.2 Installing SCCP

Step 1 Create service objects for signalling and streaming purpose
For information concerning service objects, see Firewall - 2.2.5 Services Objects, page 151.

The Skinny plugin has two optional parameters which can be entered in the PlugIn field:
- natname is a reference to an Address Translation Map in the Connections tab of the firewall rule set (syntax: skinny natname=<natname>, figure 14-1) and handles the signalling (protocol: TCP, port: 2000).

Fig. 14-1 Provisioning the plugin in a service object for the SCCP signalling

Note:
If this option is not specified then the default value RTP:Skinny (see below) is used instead. No address translation is performed for the RTP media streams if there is no matching entry in Connections.




- srvname is a reference to a Dyn. Service label that fills a service object with the data stream of Skinny calls (syntax: skinny [srvname=<srvname>]; protocol: UDP). The service object can be referenced by a firewall rule in order to forward the media streams between the call participants. The default value of srvname is RTP:Skinny.

Fig. 14-2 RTP Stream service object with the default service name set to RTP:Skinny

Step 2 Create translation map (optional)
If network address translation is done between caller and callee, an address translation map has to be defined that translates the real IP addresses of the participants to virtual addresses that are routable for all nodes in the Voice over IP network (for information concerning translation maps, see Firewall - 2.2.6.3 Translation Map, page 157).

Fig. 14-3 VoIP infrastructure with 2 virtual subnets (figure labels: Virtual Subnet, Hub, IP phones, Barracuda NG Firewall, Callmanager)

The name of the map must match the value of the natname parameter of the Skinny firewall plugin configured above. The Original Address/Net is the physical IP subnet of a node, whereas the Translated Address/Net is the virtual address.

Fig. 14-4 Creating an Address Translation Map

In a call setup message the real address of the phone is translated to the virtual address. As soon as the other participant of the call receives the modified call setup message, it starts sending its voice stream to the virtual address of the peer. The firewall next to the receiver of the media stream re-translates the virtual IP address back to the real address of the participant.

The firewall rule required for proper address translation handling has to contain a reference to the service object with the RTP Dyn. Service label specified in the Skinny plugin (see above).

The mapping rule action controls how the address mapping is performed. To use the same address map that is used by the Skinny plugin, select the same map in the Redirection and Source Translation section.




If no address translation is required, the Pass firewall action is to be used.

Fig. 14-5 Skinny signal protocol firewall rule with Skinny firewall plugin

Fig. 14-6 RTP firewall rule with network address translation from the voipnat address translation map
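Section 2.1 describes the pinhole behaviour in two sentences; the following added example (written for this page, not Barracuda's plugin code) shows what a Skinny-aware firewall actually has to parse to get there. It reassembles SCCP frames from the TCP 2000 stream, learns the phone's RTP listener from OpenReceiveChannelAck and the peer's from StartMediaTransmission, opens the pinhole only once both halves are known, and closes it on CloseReceiveChannel, StopMediaTransmission or teardown of the signalling connection. Message IDs and field layouts follow the commonly documented SCCP wire format (as Wireshark dissects it); relying on that layout is this example's assumption, and the natname translation map is not modelled. The call in demo() is constructed.

```python
"""Added example, not Barracuda's plugin code: a minimal model of what a
Skinny-aware firewall must do to open and close RTP pinholes from the SCCP
signalling stream on TCP 2000, as section 2.1 describes. Message IDs and field
layouts follow the commonly documented SCCP wire format (as Wireshark dissects
it); relying on that layout is this example's assumption. The translation map
(natname) is not modelled; only the srvname-style media pinhole is."""
import socket
import struct

OPEN_RECEIVE_CHANNEL_ACK = 0x0022   # phone -> CallManager: my RTP listener is ip:port
START_MEDIA_TRANSMISSION = 0x008A   # CallManager -> phone: send RTP to the peer at ip:port
STOP_MEDIA_TRANSMISSION = 0x008B
CLOSE_RECEIVE_CHANNEL = 0x0106
HEADER = struct.Struct("<III")      # length, header version, message id (little endian)


def build(msg_id: int, payload: bytes) -> bytes:
    """Frame one SCCP message; 'length' covers the message id plus payload."""
    return HEADER.pack(4 + len(payload), 0, msg_id) + payload


def iter_messages(buf: bytearray):
    """Yield (msg_id, payload) for each complete frame in buf, consuming it."""
    while len(buf) >= HEADER.size:
        length, _, msg_id = HEADER.unpack_from(buf)
        if length < 4 or len(buf) < 8 + length:
            break                    # wait for the rest of the TCP segment
        yield msg_id, bytes(buf[HEADER.size:8 + length])
        del buf[:8 + length]


def addr_port(payload: bytes, offset: int):
    """IPv4 address in network order followed by a little-endian 32-bit port."""
    ip = socket.inet_ntoa(payload[offset:offset + 4])
    (port,) = struct.unpack_from("<I", payload, offset + 4)
    return ip, port


class SkinnyPinholeTracker:
    def __init__(self):
        self.buffers = {"phone": bytearray(), "cm": bytearray()}
        self.channels = {}   # passThruPartyID -> {"local": (ip, port), "remote": (ip, port)}

    def feed(self, sender: str, data: bytes):
        """Feed TCP payload seen from 'phone' or 'cm' (the CallManager)."""
        buf = self.buffers[sender]
        buf += data
        for msg_id, payload in iter_messages(buf):
            self.handle(msg_id, payload)

    def handle(self, msg_id: int, payload: bytes):
        if msg_id == OPEN_RECEIVE_CHANNEL_ACK and len(payload) >= 16:
            (party,) = struct.unpack_from("<I", payload, 12)          # status, ip, port, party
            self.channels.setdefault(party, {})["local"] = addr_port(payload, 4)
        elif msg_id == START_MEDIA_TRANSMISSION and len(payload) >= 16:
            (party,) = struct.unpack_from("<I", payload, 4)           # conf, party, ip, port
            self.channels.setdefault(party, {})["remote"] = addr_port(payload, 8)
        elif msg_id in (STOP_MEDIA_TRANSMISSION, CLOSE_RECEIVE_CHANNEL) and len(payload) >= 8:
            (party,) = struct.unpack_from("<I", payload, 4)
            self.channels.pop(party, None)                            # call release closes the pinhole

    def pinholes(self):
        """Endpoint pairs for which both halves of the negotiation were seen."""
        return [(c["local"], c["remote"]) for c in self.channels.values()
                if "local" in c and "remote" in c]

    def allows_udp(self, src, sport, dst, dport) -> bool:
        """Would a UDP datagram src:sport -> dst:dport be admitted right now?"""
        return any(((src, sport), (dst, dport)) in ((a, b), (b, a)) for a, b in self.pinholes())

    def signalling_closed(self):
        """Tearing down the TCP 2000 session drops every pinhole it opened."""
        self.channels.clear()
        for b in self.buffers.values():
            b.clear()


def demo():
    """Constructed call: phone 10.0.0.5:24000 <-> peer 10.0.1.7:26000, party id 77."""
    t = SkinnyPinholeTracker()
    ack = struct.pack("<I", 0) + socket.inet_aton("10.0.0.5") + struct.pack("<II", 24000, 77)
    t.feed("phone", build(OPEN_RECEIVE_CHANNEL_ACK, ack))
    half_open = t.allows_udp("10.0.1.7", 26000, "10.0.0.5", 24000)   # only one side known yet
    smt = struct.pack("<II", 1, 77) + socket.inet_aton("10.0.1.7") + struct.pack("<I", 26000)
    frame = build(START_MEDIA_TRANSMISSION, smt)
    t.feed("cm", frame[:7])                                            # split across two segments
    t.feed("cm", frame[7:])
    opened = t.allows_udp("10.0.1.7", 26000, "10.0.0.5", 24000)
    t.feed("cm", build(CLOSE_RECEIVE_CHANNEL, struct.pack("<II", 1, 77)))
    closed = t.allows_udp("10.0.0.5", 24000, "10.0.1.7", 26000)
    return half_open, opened, closed


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that the pinhole is exactly as wide as the 5-tuple the signalling advertised, and only for as long as the signalling session lives; a phone that never sends CloseReceiveChannel still loses its pinhole when the TCP 2000 connection goes away.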

3. H.323 Neighbour Gatekeeper

3.1 General

Barracuda NG Firewalls can be integrated as gatekeeper into an H.323 network. The media streams of the calls that are established by the firewall gatekeeper are redirected to a local address of the Barracuda NG Firewall and forwarded to the receiver of the stream. Special handling for network address translation or firewall traversal is not required.

The H.323 endpoints that are in direct contact with the gatekeeper can be registered with H.225 RAS, or can be provisioned in the firewall configuration. Several gatekeepers can be clustered together to handle calls for endpoints with the same prefix, which are distributed over several locations. This is called the neighbour configuration.

The following gatekeepers are allowed in neighbour configurations:
- Gnu Gatekeeper
- Cisco Gatekeeper
- Clarent Gatekeeper
- Glonet Gatekeeper




3.2 Configuration

H.323 is configured within the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > firewall).

Fig. 14-7 Firewall Forwarding Settings - H.323 Gatekeeper Configuration dialog

List 14-1 Firewall Forwarding Settings - H.323 Gatekeeper tab
Enable H.323 Gatekeeper: Starts the firewall gatekeeper if set to yes.
  Note: In order to allow communication of the H.323 equipment with the Barracuda NG Firewall gatekeeper you must add rules to the local firewall. We recommend allowing all incoming and outgoing UDP and TCP ports, but only from the networks with H.323 nodes that are directly communicating with the Barracuda NG Firewall gatekeeper; do not widen the source of these rules to other networks.
Gatekeeper Name: This is the H.323 alias name of the firewall gatekeeper.
Gatekeeper Bind IP: Determines whether the gatekeeper binds on the first or second IP of the server or if the gatekeeper should bind all local IPs of the host. An explicit IP can also be entered by ticking the Other checkbox.
Broadcast RAS: Enable the sending of H.225 broadcast gatekeeper discovery packets. This is useful for phones that autodetect the gatekeeper.
Gatekeeper Password: The password that must be specified by the neighbour gatekeepers to log on to the firewall gatekeeper for allowing neighbour cluster calls.
H.323 Neighbors: One entry per neighbour gatekeeper, with the following fields:
  Gatekeeper Name: The H.323 alias of the neighbour gatekeeper.
  Gatekeeper Type: The vendor of the neighbour gatekeeper (GnuGK, CiscoGK, ClarentGK, GlonetGK).
  Gatekeeper Hostname: This is the hostname or IP address of the neighbour gatekeeper.
  Gatekeeper Port: This is the H.225 port number of the neighbour gatekeeper.
  Gatekeeper Password: The specified password is used to log into the neighbour gatekeeper for neighbour clustering support.
Neighbor Timeout (sec.): The timeout of LRQ (Location Request) messages for browsing the neighbor cluster.
H.323 Endpoints: Endpoints that are permanently registered at the gatekeeper. This is useful for interfaces that do not support H.225 RAS.
  H.323 Alias: H.323 alias of the permanent endpoint.
  Gateway Hostname/IP: Hostname or IP address of the endpoint. Endpoints with dynamic IPs must use H.225 registration to connect to the firewall gatekeeper.
  Prefix: All calls with this number or prefix are routed to this endpoint.
Call Redirect:
  Original Prefix: All calls with this prefix are rerouted.
  New Prefix: The Original Prefix is removed from the dialled number and replaced with the new prefix.
RAS Authentication: The following options are available:
  None allows all H.225 RRQ (Registration Requests).
  Radius registers the username at a RADIUS server.
  Radius+CAT uses the Cisco Access Token in the RRQ message for registration at a RADIU server.
Radius Server: IP address or hostname of the RADIUS server. An optional port number may be specified after a colon: <hostname>[:<port>]
Radius Password: The shared secret of the RADIUS server.
Radius Server Timeout (millisec): If the server does not answer within the specified time period then the authentication fails.
Radius IDCache Timeout (millisec): Lifetime of the 8-bit request identifier cache entry. After the timeout expires the identifier of a request may be reused. If the timeout is too short, the RADIUS server may drop requests that reuse an identifier still in its own cache.
Radius Server Transmission: The number of tries of authentication requests that are sent to the RADIUS server. The Radius Server Timeout determines the time interval between the transmissions.
Radius with Terminal Alias: Include the Cisco h323-ivr-out attribute in the RADIUS request.
Fixed Radius User / Fixed Radius Password: If this option is used and RAS Authentication is set to Radius, all registration requests use the Fixed Radius User and Fixed Radius Password for registration at the RADIUS server. If the password field is left blank, the username is used as the password, which makes the RADIUS credential predictable; set an explicit password.




4. SIP

4.1 General

SIP firewall traversal and NAT is supported by the Barracuda NG Firewall service plugin. The firewall decodes the SIP packets and opens and closes firewall pinholes for the voice media connections. Due to the dynamic nature of this protocol, a table of all active calls is held in memory. This table contains the negotiated media connections, the SIP transactions for the call signalling, and the calls. When a SIP packet passes the firewall, the state of the table is altered accordingly.

The SIP plugin supports SIP signalling over UDP/IP packets. The default port for the SIP signalling connection is UDP port 5060.

Note:
For more information about the SIP protocol see RFC 3261, SIP: Session Initiation Protocol.

4.2 SIP-related Parameters

4.2.1 Firewall Settings

The size of the SIP call table is defined in the Config > Box > Infrastructure Services > General Firewall Configuration > Global Limits > Access Cache Settings section.

List 14-2 Box Firewall Settings - SIP Parameters section Access Cache Settings
Max. SIP Calls: The maximum number of SIP calls is the number of concurrent calls that can be handled by the firewall (min: 64; max: 8192; default: 512). A new call is created when a SIP request is received by the firewall which contains a previously unknown Call-ID. An existing call is discarded when all media connections of the call are closed or timed out and no SIP transactions are associated with the call.
Max. SIP Transaction: A SIP transaction is started with a SIP request packet. In reply to a SIP request a SIP response packet is generated and sent to the address that was specified in the request. The lifetime of a SIP transaction does not end with the reception of a response message. Instead a timer is started that allows the SIP signalling endpoints to handle retransmissions of any SIP packets. The SIP transaction can be discarded after the timer has expired (min: 64; max: 8192; default: 512).
Max. SIP Media: The SIP Media (min: 64; max: 16384; default: 1024) defines a voice connection through the firewall. Usually 2 different media connections are used by a voice call. One media connection describes the path of the actual RTP voice packets while the other connection describes the RTCP connection for quality feedback and RTP signalling. The inactivity timeout of media connections can be configured in a firewall rule by setting the "Balanced Timeout" in the "Service Entry Parameters" window.

4.2.2 Firewall Forwarding Settings

SIP transaction timeouts are defined in Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (firewall) > Firewall Forwarding Settings > SIP.

All timeout values are set in hundredths of seconds (csec).

List 14-3 Forwarding Firewall Settings - SIP Parameters
INVITE Timeout (csec): The invite timeout is the timeout of an "INVITE" transaction. If a reply to this request is received after the invite timeout has expired, the reply is discarded. This value can also be set in the SIP service object by the "toInvite" plugin parameter (default: 3200).
ACK Timeout (csec): The ACK timeout is the time a replied or acknowledged "INVITE" transaction is kept before the transaction is discarded. This value can also be set in the SIP service object by the "toAck" plugin parameter (default: 3200).
Reply Timeout (csec): The reply timeout defines how long the firewall will wait for a reply to a non-INVITE transaction. This value can also be set in the SIP service object by the "toReply" plugin parameter (default: 400).
Transaction Timeout (csec): The transaction timeout is the timeout of a replied non-INVITE transaction. This value can also be set in the SIP service object by the "toTrans" plugin parameter (default: 500).

4.3 Installing SIP

To enable the SIP firewall plugin, create a firewall rule with a SIP-enabled service object. When creating this service object set the Protocol to 017 UDP and the Port Range to 5060. When your equipment uses different ports for the SIP protocol, enter these ports instead.

Set the plugin field to sip to finish the Service Entry Parameters settings.

Here you can also set additional parameters for the SIP plugin by appending plugin parameters in a whitespace-separated list:
- toInvite, for example "sip toInvite=3200", sets the invite timeout to 32 seconds (see SIP Timeouts).
- toAck, for example "sip toAck=3200", sets the acknowledge timeout to 32 seconds (see SIP Timeouts).
- toReply, for example "sip toReply=400", sets the reply timeout to 4 seconds (see SIP Timeouts).
- toTrans, for example "sip toTrans=500", sets the transaction timeout to 5 seconds (see SIP Timeouts).




- nonat, for example "sip nonat=1", disables network address translation handling for the SIP plugin.
- srvname, for example "sip srvname=voip", sets the service name for the RTP rule lookup to "RTP:voip". The default value is "RTP:SIP".
- via, for example "sip via="SIP/2.0/UDP 172.31.10.5:5060"", sets the target address for the SIP reply message to 172.31.10.5, UDP port 5060. This parameter enables rewriting of the "Via" SIP header field in outgoing SIP request messages. The default is not to rewrite the "Via" header if no NAT is performed. In NAT configurations the default is to use the bind address of the connection slot for the "Via" header. Any "Via" header field tags of the original message persist. This is valuable when using NAT for the SIP firewall rule to force the receiving SIP peer to send SIP reply messages to the address defined in the "via" plugin parameter. In its reply message the firewall rewrites the "Via" header field back to the original field value from the request message. Usually the address in the "via" plugin parameter will point the SIP peer to a port on the firewall that is redirected to the internal SIP proxy. The value must be enclosed in double quotes.
- fwdcontact, for example "sip fwdcontact="<sip:proxy@gateway.extern>"", sets the contact address for SIP messages in the forward direction of the firewall rule. This parameter enables rewriting of the "Contact" SIP header field of packets that are leaving the firewall in the forward rule direction (from source to target). This is useful for NAT setups in the outgoing rule to tell the SIP peer the target address for its SIP request messages. Usually the address in the "fwdcontact" plugin parameter will point the SIP peer to a port on the firewall that is redirected to the internal SIP proxy. The value must be enclosed in double quotes. The default is not to rewrite the "Contact" header if no NAT is performed. In NAT configurations the default is to use the bind address of the connection slot for the "Contact" header.
- revcontact, for example "sip revcontact="<sip:proxy@gateway.extern>"", sets the contact address for SIP messages in the reverse direction of the firewall rule. This parameter enables rewriting of the "Contact" SIP header field of packets that are leaving the firewall in the reverse rule direction (from target to source). This is useful for NAT setups in the incoming rule to tell the SIP peer the target address for its SIP request messages. Usually the address in the "revcontact" plugin parameter will point the SIP peer to a port on the firewall that is redirected to the internal SIP proxy. The default is not to rewrite the "Contact" header if no NAT is performed. In NAT configurations the default is to use the destination address of the connection slot for the "Contact" header.

When the firewall plugin receives a complete SIP INVITE handshake negotiating an RTP media session, it makes a lookup in the firewall rule set. The lookup for the RTP rule is done for a dynamic service name of "RTP:SIP" or the value defined in the "srvname" SIP plugin parameter. No fixed ports are required for the RTP rule. The media timeout value in this rule is defined by the "Balanced Timeout" parameter in the "Service Entry Parameters" settings. Additional attributes like traffic shaping settings for the media connection can also be defined in this rule. If the matched rule allows the RTP connection, the call table is updated so that the media packets may pass.

The RTP rule should always have a connection type of "Client". NAT rewriting is based on the rule that matches the SIP signalling connection. If source or destination NAT is used in the SIP rule, the plugin ties the media session to the outgoing or incoming IP addresses of the firewall and rewrites the media portion of the SIP messages accordingly. The firewall then forwards the media packets to the endpoints of the call. The NAT rewriting behaviour can be disabled by setting the "nonat=1" plugin parameter.

When using NAT you define an incoming and an outgoing rule for the SIP messages. The outgoing rule performs the source NAT and should use the parameters "via" and "fwdcontact" to tell the outside peer the right contact address on the firewall.
Example: "sip via="SIP/2.0/UDP 172.31.10.5:5060" fwdcontact="<sip:proxy@firewall.extern>""

The incoming rule redirects SIP packets to the internal proxy and should use the "revcontact" plugin parameter to tell the outside peer the right contact address on the firewall.
Example: "sip revcontact="<sip:proxy@firewall.extern>""

Note:
The firewall has no registrar functionality. Setups using NAT must always use a SIP proxy in the net which gets translated. This proxy distributes incoming SIP messages to the appropriate SIP peers. The firewall rule set must be configured to forward SIP messages for peers in the translated net to the SIP proxy.

The state of the SIP signalling can be monitored in the firewall GUI in the Dynamic tab under SIP.

In network setups without NAT all SIP peers may communicate directly. Ports for the RTP media streams are opened dynamically by the firewall and passed to the participants of the call.

Fig. 14-8 Network setup without NAT (figure labels: Caller, Voice Box, User, Voice Mail, Callee; SIP/RTP between the parties)
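The plugin parameters above and the call-table description in 4.1 and 4.2.1 are easier to reason about with the message handling spelled out. The following added example is written for this page and is not the Barracuda plugin's code: it keys a call table by Call-ID and walks the Init/Setup/Established/Teardown/Terminated states the Dynamic tab shows, extracts the negotiated RTP and RTCP endpoints from the SDP of an INVITE and its 200 OK (the two media connections per call mentioned under Max. SIP Media; RTCP on port+1 is the RFC 3550 default and an assumption here), and rewrites the top Via and the Contact header of an outgoing request the way the "via" and "fwdcontact" parameters are described, keeping the branch and other Via parameters intact. SDP body rewriting for NAT is not modelled, and the SIP messages are constructed samples.

```python
"""Added example, not from the Barracuda guide or its plugin: a compact model of
the SIP handling described above. Call table keyed by Call-ID with the
Init/Setup/Established/Teardown/Terminated states, RTP/RTCP endpoints taken
from SDP (RTCP assumed on port+1 per RFC 3550), and 'via'/'fwdcontact' style
header rewriting that preserves the Via parameters. SDP rewriting for NAT is
not modelled. All SIP messages below are constructed samples."""
import re

def parse_sip(raw: str):
    """Return (start line, {lower-cased header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def sdp_media(body: str):
    """[(ip, rtp_port, rtcp_port)] for each m= line; c= supplies the address."""
    ip, media = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m="):
            port = int(line.split()[1])
            media.append((ip, port, port + 1))
    return media

class SipCallTable:
    def __init__(self):
        self.calls = {}            # Call-ID -> {"state": ..., "media": {...}}

    def observe(self, raw: str) -> str:
        """Update the table from one SIP message and return the call's state."""
        start, headers, body = parse_sip(raw)
        cseq = headers.get("cseq", [""])[0]
        call = self.calls.setdefault(headers["call-id"][0], {"state": "Init", "media": {}})
        if start.startswith("INVITE "):
            call["state"], call["media"]["caller"] = "Setup", sdp_media(body)
        elif start.startswith("SIP/2.0 200") and cseq.endswith("INVITE"):
            call["state"], call["media"]["callee"] = "Established", sdp_media(body)
        elif start.startswith("BYE "):
            call["state"] = "Teardown"
        elif start.startswith("SIP/2.0 200") and cseq.endswith("BYE"):
            call["state"] = "Terminated"
        return call["state"]

    def rtp_pinholes(self, call_id: str):
        """(caller_ip, caller_port, callee_ip, callee_port) for RTP and RTCP:
        what the RTP:SIP dynamic rule lookup has to admit for this call."""
        m = self.calls[call_id]["media"]
        if "caller" not in m or "callee" not in m:
            return []
        holes = []
        for (a_ip, a_rtp, a_rtcp), (b_ip, b_rtp, b_rtcp) in zip(m["caller"], m["callee"]):
            holes += [(a_ip, a_rtp, b_ip, b_rtp), (a_ip, a_rtcp, b_ip, b_rtcp)]
        return holes

# Top Via: replace transport + sent-by, keep everything after it (";branch=..." etc.).
VIA_RE = re.compile(r"^(Via:\s*)(SIP/2\.0/\w+\s+[^;\s]+)(.*)$", re.M | re.I)
CONTACT_RE = re.compile(r"^(Contact:\s*)(<[^>]*>|[^;\r\n]+)(.*)$", re.M | re.I)

def rewrite_outgoing(raw: str, via: str, fwdcontact: str) -> str:
    """Apply 'via' and 'fwdcontact' style rewriting to an outgoing request."""
    raw = VIA_RE.sub(lambda m: m.group(1) + via + m.group(3), raw, count=1)
    return CONTACT_RE.sub(lambda m: m.group(1) + fwdcontact + m.group(3), raw, count=1)

CALL_ID = "a84b4c76e66710@192.168.1.20"   # constructed

def _msg(start, cseq, contact, sdp_ip=None, sdp_port=None):
    hdrs = [start, "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
            "From: <sip:alice@example.org>;tag=1928301774", "To: <sip:bob@example.net>",
            f"Call-ID: {CALL_ID}", f"CSeq: {cseq}", f"Contact: {contact}"]
    body = "" if sdp_ip is None else (f"v=0\r\no=- 1 1 IN IP4 {sdp_ip}\r\ns=-\r\n"
                                      f"c=IN IP4 {sdp_ip}\r\nt=0 0\r\nm=audio {sdp_port} RTP/AVP 0\r\n")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body

INVITE = _msg("INVITE sip:bob@example.net SIP/2.0", "314159 INVITE",
              "<sip:alice@192.168.1.20:5060>", "192.168.1.20", 49170)
OK_INVITE = _msg("SIP/2.0 200 OK", "314159 INVITE", "<sip:bob@203.0.113.9:5060>", "203.0.113.9", 3456)
BYE = _msg("BYE sip:bob@203.0.113.9 SIP/2.0", "314160 BYE", "<sip:alice@192.168.1.20:5060>")
OK_BYE = _msg("SIP/2.0 200 OK", "314160 BYE", "<sip:bob@203.0.113.9:5060>")

def demo():
    table = SipCallTable()
    states = [table.observe(m) for m in (INVITE, OK_INVITE, BYE, OK_BYE)]
    holes = table.rtp_pinholes(CALL_ID)
    rewritten = rewrite_outgoing(INVITE, "SIP/2.0/UDP 172.31.10.5:5060", "<sip:proxy@firewall.extern>")
    return states, holes, rewritten

if __name__ == "__main__":
    states, holes, rewritten = demo()
    print(states, holes, sep="\n")
    print(rewritten.split("\r\n\r\n")[0])
```

Two things worth noticing: the pinholes are only computed once both the INVITE and its 200 OK have been seen, which is why the guide says the lookup happens on a complete INVITE handshake, and the Via rewrite leaves the branch parameter untouched, because the peer uses it to match the reply to the transaction; replacing it would break the very reply routing the "via" parameter is meant to fix.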




5. Monitoring

5.1 Dynamic Services


Monitoring takes place in the Dynamic Services tab of the
Firewall box menu entry (tab Dynamic).
Clicking Update List refreshes the displayed information.
The following columns are in use:
Table 14-1 SIP Monitoring parameters overview
Column Description
first row
The first row gives an overview of all calls that have
been executed. A call does not necessarily need to be a
standard call, between active caller and callee. A phone
registering with a central registrar will produce a call as
well. In other words, every action producing a new
Call-ID, which is then part of every SIP packet
transmitted through the SIP protocol, is defined as call.
Call-ID This ID is randomly generated through a caller's call.
Start This is the duration of the call.
Status The status column indicates the call's state. The
following markers exist:
Init - The call has just arrived.
Setup - Connection establishment is just taking
place.
Established - The call has been established.
Teardown - The call is about being terminated.
Terminated - The call has been terminated.
Note:
The call is not deleted from the table immediately after
termination. It stays visible until no further media
connections or SIP transactions related to it exist.
SrvName This is the name of the Dynamic Service, which is used
for RTP Rule lookup (default: RTP:SIP).
SYNC not available
second row
The second row gives an overview of all RTP Media
Connections (Audio/Video Data Streaming) and RTCP
Connections (Quality Feedback and Media Signalling).
Usage of RTCP is optional. If RTCP is not used during a
media connection, the entry for RTCP connections
vanishes after the Balanced Timeout of the service has
expired.
Medium and call are interconnected through the
Call-ID.
Call-ID This is the Call-ID belonging to this Media Connection.
The Call-ID constitutes a chaining to the call, which is
described through the first row.
Start This is the duration of the call.
Idle This is the idle time since the last data flow.
Src-Addr This is the source address before address rewriting.
Src-Port This is the source port before address rewriting.
Dst-Addr This is the destination address before address
rewriting.
Dst-Port This is the destination port before address rewriting.
Src-User This is the sender's account.
Dst-User This is the receiver's account.
Src-Addr-Used This is the source address after address rewriting.
Src-Port-Used This is the source port after address rewriting.
Dst-Addr-Used This is the destination address after address rewriting.
Dst-Port-Used This is the destination port after address rewriting.



15 Wireless LAN

1. WLAN Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382


1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
2.2 Network Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
2.3 WLAN Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.5 WLAN Access Point Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.6 Radius/EAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.7 Wireless Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
2.8 Advanced Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
2.9 WLAN Access Point GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384




1. WLAN Access Point

1.1 General

The Barracuda NG appliances F101, F103, F201, F203, F301 and F303 are capable of introducing and managing Wi-Fi networks compliant to the IEEE 802.11b/g standard with strong WPA and WPA2 encryption. Furthermore, they provide Super G channel bonding. Configuration and administration of the Wi-Fi network is fully integrated into the Barracuda Networks security concept.

Note:
Barracuda NG F101 and F103 appliances in default configuration are fanless devices. If ordered with the WLAN option and either the ISDN or the UMTS option, the appliances will be delivered with a low-noise regulated fan.

2. Configuration

2.1 Network Configuration

To be able to introduce the WLAN Access Point service on a Barracuda NG Firewall, the WLAN Access Point network module needs to be enabled and some basic configuration steps need to be done.

Fig. 15-1

Step 1 Enable WLAN
- Browse to Config > Network > WLAN.
- Set WLAN Enabled to yes.

Step 2 Regional Settings
- Choose the country you are residing in from the Location pull-down menu.

Step 3 Wi-Fi Operational Mode
- Select IEEE 802.11bg in the Operational Mode drop-down menu.

Step 4 Channel Selection
- According to the chosen regional settings, an appropriate channel can be selected in the Channel pull-down menu.

List 15-1
WLAN Enabled: Enables or disables the WiFi module.
Location: Geographical position of the WiFi equipment.
Operation Mode: Frequency according to the IEEE 802.11b or 802.11g standard.
Channel: Operating channel for the wireless network.
Transmission Power: Sets the transmission power of the wireless access point.
SuperG 108 MBit: Extension of IEEE 802.11g to achieve higher transfer rates. Note: Requires compatible client devices.
Extended Range Support: Method of processing 802.11 signals in such a way that their range and effectivity are extended.

2.2 Network Activation

After enabling the WLAN Access Point, a network activation needs to be performed to successfully introduce all necessary network routes.

Move to Control > Box.

If you are performing the network activation for the first time, then
- Click Activate New
- Choose Failsafe

If you are not performing the network activation for the first time and you changed anything within Control > Box > Configuration > WLAN, then
- Click Activate New
- Choose Force

If none of these conditions is fulfilled, then
- Click Activate New
- Choose Soft

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



2.3 WLAN Default Routes

Configure a default route for the WLAN by performing the following steps:
- Go to Box > Config > Network Routes and click Lock
- Click Insert and enter a name for the route
- Enter a target network address, e.g. 192.168.1.0/24
- Choose direct as route type
- Choose the interface name (athX)
- Perform a Soft Activate

2.4 Service Introduction

Barracuda NG Firewalls are capable of managing up to three independent WLAN Access Points. For each WLAN Access Point one service needs to be introduced.

Step 1 Select Virtual Server
- Browse to Config > Virtual Servers > <your server> > Assigned Services.
- Right click Assigned Services and select Create Service... within the context menu.

Step 2 Define a Service Name and Software Module
- Enter the Service Name and select WLAN AP in the Software Module pull-down menu.
  Note: If the configuration options described in step 2 are not available, select the Other checkbox and enter wlan manually.

Step 3 Select Bind IPs
- Choose one of the available Bind Types or enter an Explicit Bind IP.
- Click Finish to complete the service introduction.

2.5 WLAN Access Point Basic Configuration

For a successful introduction of wireless networks, a basic configuration for each network is necessary.

Fig. 15-2

Step 1 Service Set Identifier and Network Interface
- Enter the Network Name (SSID) that should be broadcast by the WLAN Access Point.
- Choose one of the three available Virtual Access Point Devices (VAP) that should host the wireless network.

Step 2 Wireless Security
- Select the encryption key management standard to be used to protect the wireless network.

List 15-2
WPA-PSK: Wi-Fi Protected Access with Pre-Shared Key authentication.
WPA-Radius/EAP: Wi-Fi Protected Access with Extensible Authentication Protocol via Radius server.
WPA-PSK+WPA-Radius/EAP: WPA-PSK as well as WPA-Radius/EAP authentication.

Step 3 Encryption Mode
- Select the encryption standard that should be applied.

List 15-3
AES: AES in counter mode with CBC-MAC (CCMP).
TKIP: Temporal Key Integrity Protocol.
AES+TKIP: Hybrid mode.

Step 4 Key Management

To enforce access control on network layer 2, access to wireless networks can be restricted by defining combinations of MAC address and Pre-Shared Key.
- Click Insert to create a new PSK-MAC combination.
- Enter the client's MAC address into the Associated MAC field.
- Enter a Pre-Shared Key for the above entered MAC address into the Preshared Key (PSK) field.
  Note: A Pre-Shared Key consists of at least 8 characters and is limited to a maximum of 64 characters.
  Note: To define one single PSK that is not restricted to one single MAC address, enter 00:00:00:00:00:00.

2.6 Radius/EAP Configuration

In large network environments, a comfortable way of handling user authentication is authentication via EAP and a Radius server.

To configure a WLAN Access Point to provide Radius/EAP authentication, open the Radius/EAP view of the WLAN AP Configuration.

List 15-4 Primary Radius Server
NAS-IP Address: Service IP address of the WLAN Access Point.




List 15-4 Primary Radius Server (continued)
Other NAS-IP: Alternative Service IP address of the WLAN Access Point.
NAS-Identifier: NAS identifier string for RADIUS messages, e.g. the fully qualified domain name.
Authentication Server IP: IP address of the Radius authentication server.
Authentication Port: Port of the Radius authentication server.
Authentication Password: Authentication password (the RADIUS shared secret) of the Radius authentication server.
Use Accounting: Enables RADIUS Accounting.
Accounting Server IP: IP address of the RADIUS Accounting server.
Accounting Port: IP port of the Accounting server.
Accounting Password: Password of the Accounting server.
Accounting Update Interval[s]: Time interval in seconds for obtaining Accounting updates [60 to 600 seconds].

List 15-5 Radius Fallback Options
Primary Retry Intervals: Retry interval in seconds for trying to return to the primary Radius server.
Secondary Radius Servers: Configuration of a secondary or fallback RADIUS server.

2.7 Wireless Network Security

To enhance wireless network security, WLAN Access Points offer several advanced parameters.

List 15-6 Security
Ignore SSID Broadcasts: If enabled, the WLAN Access Point broadcasts an empty SSID and will not reply to probe frames that do not contain the full SSID.
Enable IEEE802.11w: Enables or disables Management Frame Protection.
  Note: If enabled, be sure all wireless clients support IEEE802.11w.

List 15-7 EAP Tuning
EAPoL Protocol Version: Extensible Authentication Protocol over LAN version for 802.1X authentication.
EAPoL Protocol Version XP Key Workaround: When using MS Windows XP and broadcast keys.

List 15-8 WPA Tuning
GTK Rekey Interval[s]: Group Temporal Key rekeying interval in seconds.
Strict GTK Rekeying: Set to yes if rekeying should be enforced whenever a station leaves the group.
GMK Rekey Interval[s]: Group Master Key rekeying interval in seconds.
WPA2 Pre-Authentication: Enable to speed up authentication for roaming station hand-overs between Access Points.
Pre-Auth Interfaces: Interface that is used for the Pre-Authentication process.

2.8 Advanced Settings

List 15-9 Operational Tuning
Max Number of Stations: Defines the maximum number of clients that are allowed to connect to the WLAN Access Point.
Enable IEEE 802.11d: IEEE 802.11d advertises the set of allowed channels and transmit power levels based on regulatory limits.
Wi-Fi Multimedia (WMM): Enables the Wireless Multimedia Extension according to the 802.11e standard.
  Note: 802.11b will not be functional anymore if this option is enabled.

List 15-10 Logging Setup
Log level: Set the log level of the WLAN Access Point service.

2.9 WLAN Access Point GUI

To view and manage connected WLAN clients, the Barracuda NG Admin client provides a dedicated user interface where all clients connected to the access point are listed.

Note: Please perform a Copy From Default on the Host Firewall Rules to introduce the firewall rule that is necessary to access the WLAN Access Point GUI. Alternatively a rule can be introduced that allows connections on TCP port 888. The corresponding service object is p-MGMT-WLAN TCP 888.

Fig. 15-3

The WLAN Access Point GUI displays important information on all active wireless LANs and the connected clients.

- Global Wlan Settings
  Here the globally active settings valid for all active wireless LANs are shown.


16 SSH Gateway

1. SSH Proxy
1.1 Overview ... 386
1.2 Creating a SSH Proxy ... 386
1.3 Configuring a SSH Proxy ... 386
1.3.1 General ... 387
1.3.2 Authentication & Login ... 387
1.3.3 Default Permissions ... 388
1.3.4 Access Lists ... 388
1.3.5 Permission Profiles ... 388
1.3.6 User Authorization ... 388




1. SSH Proxy

1.1 Overview

The SSH Proxy allows regulating SSH connections.

Supported features:
- Based on openSSH 3.8p1 with proprietary modifications for the controlled termination of SSHv2 terminal access sessions
- No support for the termination of SSH protocol version 1
- No support for remote execution, secure copy or secure ftp
- No local user database required
- User authentication at the gateway via all configurable and meaningful authentication schemes (not OCSP) using a user/password combination
- Access configurable based on groups (deny, allow)
- Support for public key authentication at the target system due to configurable public key support and configurable agent forwarding
- Individual known_hosts files for each user
- Optional HA synchronisation of known_hosts files
- Optional session/activity tracing for certain users (console output cloning to file)
- Port is configurable
- DoS protection by configurable login grace time and maximum pending session limits
- Configurable client alive interval and interval count
- Configurable reverse DNS lookup behavior of the server for accessing clients
- Configurable login greeting text (banner text)
- Configurable server log level
- Compression on/off configurable
- Menu based user interface program for selection of IP address/hostname, user and port for accessing the target system
- Separate inactivity timeout for the user interface program
- Configurable number of maximum successive illegal inputs before the user interface program terminates
- Configurable client log level (ssh-client)
- Configurable server alive interval and interval count
- Configurable local source IP (to use policy routing) for accessing remote systems
- Configurable SSH protocol support for accessing target systems (v2-only, or v2 and v1)
- Configurable escape character

Note: Parts of this document/description are taken from the manual pages of openSSH 3.8p1.

1.2 Creating a SSH Proxy

The SSH Proxy service is created as described in Configuration Service, 4. Introducing a New Service, page 97, selecting SSH Proxy as service module.

1.3 Configuring a SSH Proxy

Configuration of a SSH Proxy takes place in the SSH Proxy configuration dialog (accessible through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (sshprx)).

Fig. 16-1 Configuration dialog - SSH Proxy




1.3.1 General

List 16-1 SSH Proxy configuration - General section - General Service Settings
Idle Mode: This parameter activates/deactivates SSH proxying (default: no - active).
TCP Listen Port: Here the port the SSH Proxy is listening on has to be entered (default: 22).
Allow Inbound Compression: States whether or not data compression is supported by the server for incoming client connections. Within LAN environments using compression can create a significant CPU overhead and is typically not advisable.
Support X11 Forwarding: States whether or not X11 forwarding is supported by the service. If set to no, X11 forwarding is not available regardless of any subsequent profile based settings.
Run as User: This parameter defines the user name that will be used when synchronising the log with the high availability partner system. By default this parameter is set to the system user sshprx. By ticking the checkbox Other (to the right) you may enter any other name.
User ID: Here the ID of the system user (parameter Run as User, see above) is defined.
  Note: The User ID is used as the HA sync port (default: 8099). If using a different User ID the local firewall rule set has to be changed.
  Attention: If multiple instances of the SSH proxy are run on the same box, you must choose a different user/user ID combination for each service.
HA Sync: Activating this parameter (default: no) enables synchronisation between HA partners (SSL based with user/key).
HA Sync Key: Defines the key required for HA sync tasks.
Server Log Level: This parameter defines the intensity of log file creation.

List 16-2 SSH Proxy configuration - General section - Service Identification
RSA Host Key: Here the RSA host key for the server is created/imported/exported.
DSA Host Key: Here the DSA host key for the server is created/imported/exported.
Forward X11 Connection: States whether or not the proxy will forward X11 sessions to the client (default: no). This setting applies to all users for whom no explicit profile has been assigned; an assigned profile takes precedence.
  Note: X11 forwarding will greatly reduce the usefulness of session tracing, which only applies to terminal based activities not using the X11 channel.

1.3.2 Authentication & Login

List 16-3 SSH Proxy configuration - Authentication & Login section - User Authentication
Authentication Scheme: This parameter defines the authentication scheme for login (user/password combination).
  Note: Authentication Scheme OCSP is NOT supported.
Use Group Policies: Setting this parameter to yes (default: no) enables the parameters Allowed User Groups and Blocked User Groups for defining access restrictions according to group information.
Allowed User Groups: Enter groups for which access is granted into this field and click Insert in order to add them to the listing on the right.
Blocked User Groups: Login names of users which are not allowed to use the proxy. This setting allows for more fine grained control of access refusal than a group based option. The user will not be refused access by the authentication subsystem but by the proxy engine itself. The user will receive an appropriate message instructing her/him that no valid authorization to use the service could be determined. Enter groups for which access is denied into this field and click Insert in order to add them to the listing on the right.
  Note: The policy enforcement parameters Allowed User Groups and Blocked User Groups have the following precedence: Blocked User Groups overrules Allowed User Groups (having a user in both groups causes a block); leaving both fields empty results in allow all.

List 16-4 SSH Proxy configuration - Authentication & Login section - User Session Handling
Login Greeting Text: Via this field you may define custom login messages that are displayed as soon as a user login was successful.
Login Grace Time [s]: This parameter defines the maximum amount of time a login attempt may last (default: 120 seconds).
Pending Session Limit: Here the maximum number of pending sessions (initiated but not established) is specified.
Client Alive Interval [s]: Sets a timeout interval in seconds after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.
Client Alive Max Count: Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, therefore terminating the session. It is important to note that the use of client alive messages is very different from KeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by KeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
DNS Reverse Lookup: Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.




1.3.3 Default Permissions

List 16-5 SSH Proxy configuration - Default Permissions section - Security Options
Max Illegal Inputs: This parameter defines how often an illegal option may be selected by the user until the connection is terminated.
Record Terminal Session: User terminal activity is recorded into a file.
Recorded Users: User login names for whom the recording will take place.
Blocked Users: These users have no access to any of the configured SSH destinations.
Inactivity Grace Time [s]: As soon as a SSH connection no longer carries traffic, this limit is waited until the connection is terminated (default: 120).
Supported SSH Protocol: This parameter defines the SSH protocol to be used (v2-only - default - or v2-and-v1) for connecting to remote targets.
  Attention: Since SSHv1 is considered to be insecure, Barracuda Networks highly recommends not to use option v2-and-v1.
Allow Outbound Compression: States whether or not data compression is supported by the proxy for outgoing client connections. Within LAN environments using compression can create a significant CPU overhead and is typically not advisable. When connecting to remote servers over low bandwidth links compression may appreciably improve the user experience. Note that when set to yes the user is prompted whether he/she would like to request compression when connecting to the target server.
Forward X11 connections: Allow X11 connections through the SSH proxy (transferring and displaying data used by a remote X11 application on your local workstation is permitted through the SSH tunnel).
Allow Public Keys: Specifies whether public key authentication is allowed by the server. Set this option to yes if you wish to allow connecting users to authenticate themselves at a target system with public key authentication. While authentication at the SSH proxy requires user/password authentication, it still supports this feature at a remote target via SSH agent forwarding.
Support Agent Forwarding: Specifies whether the connection to the authentication agent (if any) will be forwarded to the connecting user's machine or not. This is required when users are allowed to use cascaded agent forwarding. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the connecting host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
Client Log Level: This parameter defines the intensity of log file creation.
SSH Escape Character: Sets the SSH escape character (default: none). We strongly advise against the usage of an active escape character unless you completely trust your users, since the escape sequence gives the user access to the proxy's ssh client commands for the session.

List 16-6 SSH Proxy configuration - Default Permissions section - Access Options
Target Alive Interval [s]: Sets a timeout interval in seconds after which, if no data has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default is 15, indicating that these messages are sent every 15 seconds to the server. This option applies to protocol version 2 only.
Target Alive Max Count: Sets the number of server alive messages (see above) which may be sent without ssh receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
Static Source IP: Defines a static IP address, which is used as source IP address for the SSH connection.
Allow Local Access: Controls whether or not users may access local box addresses. We recommend to leave this turned off unless you limit access to the proxy to Barracuda NG Firewall administrators only.
Access Control Policy: Choose between By Network ACL Restriction and By Explicit Host Specification. Users are given access to certain destinations based on destination hosts which are configured in the Access Lists section and referenced by Permission Profiles.
Network ACL: Users who are not in the Blocked User Groups can be given additional access rights due to source network restrictions.
Allowed Hosts List: Choose an Access List (defined at 1.3.4 Access Lists, page 388).

1.3.4 Access Lists

List 16-7 SSH Proxy configuration - Access Lists section - Access List Configuration
Access Lists: Edit, Insert, or Delete an access list.

List 16-8 SSH Proxy configuration - Access Lists - Access List Configuration section - Access List Configuration
Allowed Hosts: Edit, Insert, or Delete an allowed host.

List 16-9 SSH Proxy configuration - Access Lists - Access List Configuration section - Allowed Host Configuration
User Visible Name: Name of the target host allowed to connect, as seen by the user (when connecting to the SSH proxy).
Target FQDN: Fully qualified domain name of the target host as defined in DNS.
Target IP Address: IP address of the target host allowed to connect, as seen by the user (when connecting to the SSH proxy).

1.3.5 Permission Profiles

This view allows creating pre-defined profiles for SSH permissions. A profile is nearly the same as the Default Permissions (List 16-5, page 388) but can be applied to users by way of assignments to login names, see 1.3.6 User Authorization. The parameters are the same as mentioned in List 16-5, page 388. The created profiles are available in the User Authorization view.

1.3.6 User Authorization

List 16-10 SSH Proxy configuration - User Authorization
Permission Profile: Here a pre-defined permission profile has to be selected.
User Names: Can be used to assign a permission profile to user login names. If there is no valid assignment for a particular user then the default permissions will apply.
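The access decision is spread over three places on this page: the group policy of List 16-3 (Blocked User Groups win over Allowed User Groups, both empty means allow all), the Blocked Users and Network ACL options of List 16-5 and 16-6, and the profile assignment of List 16-10 that falls back to the default permissions. The following is an added example, written for this edit and not Barracuda code, that puts those rules in one place so a configuration can be checked before it is activated. Class and field names are illustrative; the page does not say how the proxy evaluates the Network ACL, so treating it as "the profile's Allowed Hosts List is offered only from the listed source networks" is an assumption, as is the rule that a configured block list with no allow list still lets every other group in.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not Barracuda code: the order in which the SSH Proxy
# settings of 1.3.2 (group policies), 1.3.3 (Blocked Users, Network ACL,
# Allowed Hosts List) and 1.3.6 (profile by login name) take effect, as the
# page describes them. Names are illustrative; see the assumptions above.


@dataclass(frozen=True)
class Profile:
    name: str
    forward_x11: bool = False
    allow_public_keys: bool = False
    allowed_hosts: tuple = ()    # User Visible Names from the referenced Access List
    network_acl: tuple = ()      # source networks; empty = no source restriction


@dataclass
class SshProxyConfig:
    use_group_policies: bool = False
    allowed_user_groups: frozenset = frozenset()
    blocked_user_groups: frozenset = frozenset()
    blocked_users: frozenset = frozenset()            # Default Permissions > Blocked Users
    default_profile: Profile = field(default_factory=lambda: Profile("default"))
    user_profiles: dict = field(default_factory=dict)  # User Authorization: login -> Profile


def group_policy_allows(cfg: SshProxyConfig, groups) -> bool:
    """List 16-3: Blocked User Groups overrule Allowed User Groups; both empty = allow all."""
    if not cfg.use_group_policies:
        return True
    groups = frozenset(groups)
    if groups & cfg.blocked_user_groups:
        return False                      # a block wins even if the user is also allowed
    if not cfg.allowed_user_groups:
        return True                       # assumption: only a block list configured
    return bool(groups & cfg.allowed_user_groups)


def resolve_access(cfg: SshProxyConfig, login: str, groups, source_ip: str):
    """Returns (decision, profile, reachable target names):
    'deny'       - refused by the group policy before any profile applies
    'login-only' - authenticated, but no destination may be selected
    'allow'      - the menu offers the profile's Allowed Hosts List"""
    if not group_policy_allows(cfg, groups):
        return "deny", None, ()
    profile = cfg.user_profiles.get(login, cfg.default_profile)   # List 16-10 fallback
    if login in cfg.blocked_users:
        return "login-only", profile, ()
    if profile.network_acl:   # assumed Network ACL semantics: grant only from these sources
        src = ipaddress.ip_address(source_ip)
        if not any(src in ipaddress.ip_network(net) for net in profile.network_acl):
            return "login-only", profile, ()
    return "allow", profile, profile.allowed_hosts


if __name__ == "__main__":
    # Constructed sample configuration: ops may reach db1/web1 from 10/8 only,
    # contractors are blocked outright, "audit" may log in but reach nothing.
    cfg = SshProxyConfig(
        use_group_policies=True,
        allowed_user_groups=frozenset({"ops"}),
        blocked_user_groups=frozenset({"contractors"}),
        blocked_users=frozenset({"audit"}),
        default_profile=Profile("default", allowed_hosts=("bastion",)),
        user_profiles={"alice": Profile("ops-jump", allowed_hosts=("db1", "web1"),
                                        network_acl=("10.0.0.0/8",))},
    )
    for login, groups, src in (("alice", ["ops"], "10.1.2.3"),
                               ("alice", ["ops", "contractors"], "10.1.2.3"),
                               ("audit", ["ops"], "10.1.2.3")):
        print(login, src, resolve_access(cfg, login, groups, src)[0])
```

The order matters in practice: a login name listed under Blocked Users still authenticates (the refusal comes from the proxy engine, as the page notes for group blocks too), so it shows up in the login log as a success followed by an empty target menu, which is what to look for when a user reports "I can log in but cannot select a host".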



17 Anti-Virus

1. Overview
1.1 General ... 390
1.2 Basic Setup ... 390
1.3 Updates ... 390
1.4 Avira ... 391
1.5 ClamAV ... 392
1.6 Streaming Settings ... 393
1.7 Integration ... 393

2. Pattern Update Manipulation
2.1 Update / Disable ... 398




1. Overview

1.1 General

The Virus Scanner service is a tight integration of the AVIRA products into the Barracuda NG Firewall. In addition to AVIRA, the ClamAV virus scanning engine may be activated.

Attention: Although it is possible to activate both virus scanning engines at the same time, Barracuda Networks does not recommend doing so due to the probably resulting high CPU and memory load, leading to significant latencies in data throughput.

The integration allows for easy configuration of Virus Scanner parameters as well as simple integration with the Barracuda NG Firewall proxy and Barracuda NG Firewall mail gateway services.

Introduction of the Virus Scanner Service is a prerequisite for actually using virus scanning later on.

The squid-based proxy service communicates with the Virus Scanner Service by using the standardized ICAP protocol. Scanning of SMTP e-mails is based on standard SMTP communication between the Barracuda NG Firewall mail gateway and the Virus Scanner Service.

Note: Licenses for the Virus Scanner service (.lic file) and AVIRA products (.key file) are required for full virus scanner integration functionality. Import the .lic file into the Box Licenses container (Configuration Service, 5.1.4 Inventory, page 103). Import the .key file into the license fields provided within the Virus Scanner service. Further information on Avira Virus Scanner Licenses is available in Licensing, 2.3.3 Avira Virus Scanner Licenses, page 534.

To introduce the Virus Scanner Service, follow the instructions in Configuration Service, 4. Introducing a New Service, page 97, and select Virus Scanner as Software Module.

Note: Since the Virus Scanner Service always binds to loopback addresses, a Bind Type selection is not available.

Open the configuration dialog via Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (virscan) > Virus Scanner Settings.

Note: Files or archives exceeding the limits defined in Max. size, Max. file size, Max. nesting and Max. count will not be scanned for malicious code.

1.2 Basic Setup

Attention: Please take into consideration that virus patterns are not updated immediately when activating the service. The pattern update is carried out 1 minute after starting the service.

List 17-1 Virus Scanner Settings - Basic Setup section - Basic Setup
Max. file RAM usage (MB): Define here the maximal size of the RAM based file system which is used to speed up virus scanning (default: 32). If the limit is reached, files are moved from memory to disk to reduce memory usage.
Max. Num. Workers: Maximum number of workers that are launched to handle requests. Can be adjusted according to type/power of the hardware used (default: 30).
Enable Avira: Activates the AVIRA AntiVir virus scanning engine. Defaults to yes.
Enable ClamAV: Activates the additionally available ClamAV virus scanning engine. Defaults to no.

List 17-2 Virus Scanner Settings - Basic Setup section - Reporting
HTML Templates: Here the HTML template pages sent to the client browser in case a page is blocked can be defined.

List 17-3 Virus Scanner Settings - Basic Setup section - Advanced
Debug Log Level: Define here the level of debug output in the log.

1.3 Updates

This configuration module defines how the virus scanning engines handle their pattern database updates. Within the subsections, engine and data specific settings can be configured.

1.3.1 General Update Settings

List 17-4 Virus Scanner Settings - Updates section - General Update Settings
Disable Update: Setting to yes (default: no) permanently disables automated virus pattern update. See 2. Pattern Update Manipulation, page 398 for an instruction how to override this setting in individual cases and accomplish unscheduled pattern updates, or how to disable pattern updates temporarily only.
Update Every (min): This parameter is used for defining the virus pattern update frequency in minutes (default: 60). See 2. Pattern Update Manipulation, page 398 for an instruction how to accomplish unscheduled pattern updates.
Retries: Number of retries if the server does not respond.




1.3.2 Avira Update Settings

List 17-5 Virus Scanner Settings - Updates section - Avira Update Settings
Download Server: URL of the AVIRA pattern update service.
  Note: Barracuda Networks recommends not to change this URL, to avoid an out of date virus pattern database.

1.3.3 ClamAV Update Settings

List 17-6 Virus Scanner Settings - Updates section - ClamAV Update Settings
DNS Database Info: Use DNS to verify the virus database version. Contains the database verification domain. Defaults to current.cvd.clamav.net.
Database Mirror: Defaults to database.clamav.net.
Safe Browsing: Enables or disables support for Google Safe Browsing. Defaults to no.

1.3.4 Proxy

List 17-7 Virus Scanner Settings - Updates section - Proxy
Use HTTP Proxy: Since Virus Scanner pattern updates are done via HTTP, it is mandatory that the box has access to the Internet either directly or via a proxy. This section allows defining the configuration of the proxy server to update the virus patterns in case no direct network connection is available.
Host: Used for entering a resolvable hostname or host IP address.
Port: Specifies the port number on which the proxy server is available (default: 3128).
Requires Authentication: Enables usage of optional username and password to get access to the proxy server (default: no).
Username: Specifies the username for accessing the proxy.
Password: Specifies the password for accessing the proxy.

1.4 Avira

Settings concerning only the Avira AntiVir virus scanning engine.

1.4.1 Avira General

The settings within this section affect the general behavior of the Avira AntiVir virus scanning engine.

List 17-8 Virus Scanner Settings - Avira section - Avira General
AVIRA license: Import the AVIRA License Key (.key) into this field.
Contact Mail: The contact email address.
Quarantine Directory: Path of the directory where blocked files should be archived (default: /var/phion/run/virscan/blocked).
  Note: The quarantine directory is NOT emptied automatically. Thus it is recommended to have a look at it from time to time.

1.4.2 Avira Archive Scanning

Settings that define Avira's behavior regarding all kinds of archives, such as *.zip, *.rar or certain document files.

List 17-9 Virus Scanner Settings - Avira section - Avira Archive Scanning
Scan Archives: This parameter enables/disables scanning of archives (default: yes - enabled).
  Attention: Archives are NOT scanned for viruses/malicious software if this parameter is set to no.
Max. size (MB): This field allows entering the maximum size allowed for archives to be unpacked and scanned (default: 1024). If an archive exceeds the maximum size defined here, it will be blocked.
Max. nesting: This field allows entering the maximum recursion level allowed for archives to be unpacked and scanned (default: 20). The policy how archives exceeding this value are handled is defined via parameter Block on other error (see below).
Max. compression ratio: This parameter protects against so-called "mail bombs" that require an unexpected amount of disk space when unpacked. The value is entered in percent (default: 150). That means 100 % is the packed size and 150 % the allowed unpacked size.
Max. count: Defines the maximum number of files within an archive. Set to 0 (zero) for no limit.
Block encrypted archives: If this is set to yes (as it is by default), encrypted archives will be blocked by the virus scanner.
Block on other error: If this is set to yes (as it is by default), corrupted or unknown/unscannable archives will be blocked by the virus scanner. Furthermore, mail bombs with too high compression rates will be detected and blocked as well. The parameter may be set to no in order to let these archives pass through the scanner.
Block unsupported archives: If this is set to yes (as it is by default), unsupported archives will be blocked by the virus scanner.

1.4.3 Avira Non-Virus Detection

Avira can detect malware, spyware or bandwidth wasters as well. Within this section, settings regarding these threats are defined.

List 17-10 Virus Scanner Settings - Avira section - Avira Non-Virus Detection
Detect All Types: Enables/disables the detection of all non-virus threats or malware mentioned below.
Detect Dialers: Enables/disables detection of unwanted dialers; as soon as they are installed on the system such programs establish Internet connections via a premium rate number (area codes 0190 in Germany, 09x0 in Austria, Switzerland and, medium-term, Germany). Dialers sometimes are installed inconspicuously and/or fraudulently, which may result in horrendous phone bills.
Detect Jokes: Enables/disables detection of (often harmless) joke programs.
Detect Games: Enables/disables detection of games that may cause no harm but, nevertheless, are unwanted on company workstations.
Detect BDC: Enables/disables the detection of backdoor controller software.
Detect AdSpy: Enables/disables the detection of Adware/Spyware.
Detect HiddenExt: Enables/disables the detection of executable files with a manipulated file extension.
Detect Pck: Enables/disables the detection of files that are compressed in an unusual way.
Detect Phish: Enables/disables the detection of phishing websites.
Detect Spr Enables/disables the detection of programs that may
violate against system security or privacy policies.
Heuristic Macro enables/disables usage of heuristics for detecting
Detection malicious code in MS Office documents before a Macro
update is performed

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


392 | Overview > ClamAV Anti-Virus

List 1710 Virus Scanner Settings - Avira section Avira Non-Virus Detection (continued)
Parameter: Description
Heuristic Others Detection: Enables/disables detection of known or unknown malicious code in all types of files before an update is performed. The level of intensity ranges from 0 (disabled) to 3 (full intensity).

1.5 ClamAV

Settings concerning only the ClamAV virus scanning engine.

Note:
Exploits within key frames (ActiveX controls) will not be detected by the ClamAV virus scanning engine.

1.5.1 ClamAV General

The settings within this section affect the general behavior of the ClamAV virus scanning engine.

List 1711 Virus Scanner Settings - ClamAV section ClamAV General
Parameter: Description
Self Check: Perform a database check (sec.), defaults to 600.

1.5.2 ClamAV Archive Scanning

Settings that define ClamAV's behavior regarding all kinds of archives, such as *.zip, *.rar or certain document files.

List 1712 Virus Scanner Settings - ClamAV section ClamAV Archive Scanning
Parameter: Description
Scan Archives: Enables or disables scanning of archives. Defaults to yes.
Max. size (MB): Defines the maximum amount of data to be scanned for each input file. Archive and other container files are recursively extracted and scanned up to this value. A value of 0 disables the limit. Defaults to 1024.
Note: Disabling this limit or setting a too high value may result in severe damage to the system.
Max. file size (MB): Files larger than this limit will not be scanned. A value of 0 disables the limit. Defaults to 150.
Max. nesting: Nested archives are scanned recursively. This defines the maximum number of nesting levels. A value of 0 disables the limit. Defaults to 20.
Max. count: Maximum number of files to be scanned within any archive. A value of 0 disables the limit. Defaults to 10000.
Note: Disabling the limit or setting the value too high may result in severe damage to the system.
Block encrypted archives: Generally mark encrypted archives as viruses. Defaults to yes.
Note: If archives are nested deeper than with factor 1, the scan engine will currently not scan for malicious code.

1.5.3 ClamAV Possibly Unwanted Applications (PUA)

ClamAV can detect malware, spyware or bandwidth wasters as well. Within this section, settings regarding these threats are defined.

List 1713 Virus Scanner Settings - ClamAV section ClamAV Possibly Unwanted Applications (PUA)
Parameter: Description
Detect All PUAs: Defaults to yes.
Packed: Files that use some kind of runtime packer. Defaults to yes.
PwTool: Password tools are all kinds of tools that can be used to recover or decrypt passwords. Defaults to yes.
NetTool: Applications that can be used to sniff, filter, manipulate or scan network traffic or networks. Defaults to yes.
P2P: Peer-to-peer clients. Defaults to yes.
IRC: Internet Relay Chat clients. Defaults to yes.
RAT: Remote Access Tools, may be trojans, but also tools like VNC clients. Defaults to yes.
Tool: General system tools, like process killers or finders.
Spy: Keyloggers and spying tools. Defaults to yes.
Server: Server based badware like DistributedNet. Defaults to yes.
Script: Known problematic scripts written in Javascript, ActiveX or similar. Defaults to yes.

1.5.4 ClamAV Misc Scanning Options

List 1714 Virus Scanner Settings - ClamAV section ClamAV Misc Scanning Options
Parameter: Description
Algorithmic Detection: In some cases, ClamAV uses algorithms to detect malware. Defaults to yes.
Portable Executable: PE is an executable file format also used by self-unpacking archives. Defaults to yes.
Executable and Linking Format: ELF files are a UN*X standard. Defaults to yes.
Detect Broken Executables: With this option activated, ClamAV tries to detect broken PE and ELF files and mark them as broken. Defaults to no.
Scan OLE2: OLE files, such as MS Office and MSI. Defaults to yes.
Scan PDF: Adobe PDF files. Defaults to yes.
Heuristic Scan Precedence: Enables or disables heuristic scan precedence. Recommended for use. Defaults to yes.
Scan HTML: Enables or disables HTML normalisation and scanning of MS Script Encoder code. Defaults to yes.

Note:
If Heuristic Scan Precedence is enabled and the scan engine detects phishing signatures within archives or mails, scanning will be aborted and the affected files will be blocked.

1.5.5 ClamAV Mail Scanning Options

ClamAV can scan emails and recognize threats within them.

List 1715 Virus Scanner Settings - ClamAV section ClamAV Mail Scanning Options
Parameter: Description
Mail Follow URLs: Choose whether ClamAV follows download URLs within emails and scans the linked files. Defaults to no.
Scan Partial Messages: Scan RFC1341 messages split over multiple emails. Defaults to no.
Attention: This may open your system to a DoS attack. Don't use it on loaded servers.
Phishing Scan URLs: Use heuristics to detect phishing URLs in emails. Defaults to yes.
Anti-Virus Streaming Settings < Overview | 393

1.5.6 ClamAV Phishing Options

Phishing can optionally be recognized by ClamAV.

List 1716 Virus Scanner Settings - ClamAV section ClamAV Phishing Options
Parameter: Description
Use Phishing Signatures: ClamAV tries to detect phishing by using signatures. Defaults to no.
Always Block SSL Mismatch: Always block SSL mismatches in URLs, even if the URL is not in the database. Defaults to no.
Always Block Cloak: Always block cloaked URLs, even if the URL isn't in the database. Defaults to no.

1.5.7 ClamAV Data Loss Prevention (DLP)

Within this section, settings regarding threats targeting private data theft can be configured.

List 1717 Virus Scanner Settings - ClamAV section ClamAV Data Loss Prevention (DLP)
Parameter: Description
Structured Data Detection: Enables or disables the DLP module. Defaults to no.
Min. Credit Card Count: Defines the minimum number of credit card numbers that need to be found in a file to create a detection. Defaults to 3.
SSN Format: Defines whether the DLP module searches for valid social security numbers. Defaults to yes.
Min. SSN Count: Defines the minimum number of social security numbers to be found in a file for triggering a detection.

1.6 Streaming Settings

List 1718 Virus Scanner Settings - Streaming Settings
Parameter: Description
Scanning Exceptions: Domain: Define here the domains that are excepted from being scanned. Wildcards are possible.
Allowed MIME-Types: Define here MIME-types that are excluded from scanning (figure 171).
Note: To find out which MIME-type has been used, set the parameter Debug Log Level to 1 (Basic Setup, section Advanced; Virus Scanner Settings - Basic Setup section Advanced). Afterwards check the Logs for cas log files.

Fig. 171 Scanning exceptions

1.7 Integration

1.7.1 Proxy Integration

The squid-based proxy service communicates with the Virus Scanner WebGate by using the standardized ICAP protocol.

Fig. 172 Schematic overview of proxy integration

Step 1 Request is sent from source address to the Internet.
Step 2 Response is returned from the destination.
Step 3 Response is forwarded to the anti virus service via ICAP.
Step 4 If content is "infected" it is removed.
Step 5 Scanned response is returned to the Barracuda NG Firewall. In case of infected content, a corresponding block HTML is sent.
Step 6 Requested content is delivered to the source address. In case of infected content, a corresponding block HTML is displayed.

Integration of virus scanning on a HTTP proxy takes place by setting parameter Enable Virus Scanner to Yes (as it is by default). This parameter is located in HTTP Proxy Settings - General tab (Proxy 1. HTTP Proxy, page 340).
The following configuration options are available:

List 1719 HTTP Proxy Settings - Content Inspection section Virus Scanner
Parameter: Description
Enable Virus Scanner: This parameter enables/disables the virus scanner (default: yes - enabled).
Scanner Location: Define here where the Virus Scanner Service which should be used for virus scanning is located. Set to Local if the Virus Scanner Service is running on the same Barracuda NG Firewall box, Remote if the Virus Scanner Service is located at another Barracuda NG Firewall system. Ensure that the referenced Virus Scanner Service is existent.
Scanner IP: Define here the IP address of the remote Virus Scanner Service which is used for virus scanning. This option is available only if Scanner Location was set to Remote.
Enable Trickle Feature: Enables/disables the trickle feature (default: no - disabled). Trickle feature enabled means that the proxy starts to send trickle packets which are not download-related. Set the trickle feature parameters wisely, because if it is too slow or it happens too rarely the client might time out anyway.



394 | Overview > Integration Anti-Virus

List 1719 HTTP Proxy Settings - Content Inspection section Virus Scanner (continued)
Parameter: Description
Trickle Size Low Watermark (MB): There will be no trickle feature running for files smaller than this value (default: 50 MB).
Trickle Period (sec): Delay between trickle packets (default: 10 seconds).
Note: Keep the value for Trickle Period SMALLER than the value for Popup After to avoid problems with Progress Popup and trickling.
Trickle HTTP 1.0: This parameter enables/disables the trickle feature for HTTP 1.0 (default: no).
Advanced Trickle Settings:
  Enable Data Trickle Feature: Enables Data Trickling.
  Note: Data Trickling only works in NG operation mode.
  Note: Data Trickling causes unscanned data to be sent to the client.
  Initial Data Trickle Size (kB): Size of the first trickle packet.
  Data Trickle Size (bytes): Size of subsequent data trickle packets.
  Data Trickle Buffer Size (kB): Overall size of the trickle buffer.
  Note: A too high value causes high memory usage.
  Data Trickle Dest. Domains: Restrict Data Trickling to certain domains.
  Data Trickle URL Pattern: Restrict Data Trickling to certain domains defined by URL patterns. Example: Trickling of all PDF files of a domain: .pdf$
  Header Trickle Dest. Domains: Restrict Header Trickling to certain domains.
  Header Trickle Pattern: Restrict Header Trickling to certain domains defined by URL patterns. Example: Trickling of all PDF files of a domain: .pdf$
  Note: For additional information regarding Regular Expressions/Pattern-matching, see 1.2.3.3 Access Control - Using Regular Expressions, page 345.
Scan Exceptions: Domains: Define the domains that are excepted from being scanned.
  Raw: You may also enter raw squid configuration here (figure 173).
Progress Popup: Per default the proxy progress popup is disabled. Enabling the progress popup detects the following browsers per default:
  Mozilla Firefox 2 and 3
  Microsoft IE 6 and 7
  Opera
  Apple Safari
  The proxy progress popup is available for both HTTP proxy and Secure Web Proxy. The progress popup can only be displayed for unencrypted content (HTTP connections). This feature requires a running Virus Scanner service and is not available in conjunction with third-party Virus Scanner engines.
  See list 1720 for the parameter description.

Fig. 173 Scan exceptions

Note:
Scanning of FTP over HTTP requests is included in the HTTP Proxy Settings and configured in the AVIRA ANTIVIR WEBGATE tab. Scanning of mere FTP requests handled through settings of the FTP Gateway is configured in the AVIRA ANTIVIR FTP SCANNING tab.

Note:
If the data trickling feature is active and malware has been found within a scanned file by the virus scanning engine, the remaining portion of the file will not be transmitted. This will then result in a small, incomplete stub file at the user's download location.

Trickling of all destinations applies if no special restrictions are defined. The Data Trickling access control list (ACL) is processed prior to the Header Trickling ACL.
This feature is only available when Engine Version NG is activated. It is generally not available within the Secure Web Proxy.
Please see List 1719 HTTP Proxy Settings - Content Inspection section Virus Scanner, page 393 in order to get in-depth information about trickling and the necessary parameters and settings.

List 1720 Content Inspection section Virus Scanner Progress Popup
Parameter: Description
Enable Progress Popup: Set to Yes to enable the proxy progress bar.
Log Decisions: Set to Yes to enable more granular logging where the decisions why a progress bar is shown or not are written to the log.
Browsers Detection Regex: A regular expression which will be applied to the client request's HTTP header for browser evaluation.
Exception Regex: A regular expression which will be applied to the client request's HTTP header as contraindication for a popup. If e.g. a user right-clicks a URL and processes a "Save target as ..." command, no progress bar should be popped up. Most browsers send a slightly different request in such a case.
Show Save Button: Set to Yes if the download should not be fetched automatically but the button "Save file as ..." should be shown instead.



Anti-Virus Integration < Overview | 395

List 1720 Content Inspection section Virus Scanner Progress Popup (continued)
Parameter: Description
Mime-Types: Define here the mime-types for which a progress bar should be shown. The default settings already contain the most useful mime-types. Mime types which are not saved to disk but handed over to a plugin of the browser (e.g. application/pdf) usually should not be applied to a progress bar, because users expect such types to be opened automatically, which is not possible with a progress bar. Even worse, the browser and the plugin try to download the requested file, but the temporary link is just valid for one download and thus the second download request (from the plugin) will fail.
Popup After (sec): Define here after which amount of time a progress bar popup should be raised.
Note: Keep the value for Trickle Period SMALLER than the value for Popup After to avoid problems with Progress Popup and trickling.
No Popups If Less Than (sec): Define here for which download time (this value or less) a progress bar popup should be suppressed.
Excluded Domains: Define here a list of excluded domains (e.g. where automated downloads may come from). This setting overrules the settings from above, that is, if a download matches one of the entries in this list a download progress bar is never shown.
Note: The filter works only for domains and subdomains (that means until the first slash (/) appears in the path).
Excluded Sources: Define here an exception list of sources where a download progress bar is always suppressed. This setting overrules the settings from above, that is, if a download matches one of the entries in this list a download progress bar is never shown.
Progress Template: Define here a HTML template of your customized download progress popup.
Note: This setting may damage your progress bar popup seriously. Be sure what you are doing. Take the default template as a starting point of modification.
Unknown Downloads Template: Define here a HTML template of your customized "unknown download" template which is shown if someone tries to call a temporary URL which does not exist any more.
Note: This setting may damage your progress bar popup seriously. Be sure what you are doing. Take the default template as a starting point of modification.
Custom Template Logo: Import here a logo.
Note: To be able to display a logo in MS Internet Explorer, Bypass proxy server for local addresses has to be disabled in the MS Internet Explorer's proxy settings.

Note:
The Progress Popup does not work with HTTPS connections. Supported browsers are Mozilla Firefox 2 and 3, Microsoft Internet Explorer 6 and 7.

- Internet Explorer 6 mp3-files download procedure:

Fig. 174 Progress bar

  Right-click "Save target as"
  Select Save Target As from the context menu
  Browse to the desired folder and click Save
  Note: Parameter Show Save Button has to be set to Yes.
  Note: With some browsers and websites, the download bar process can not discriminate between a Save as... and a direct link click action on the specified link in the browser window (i.e., download areas at www.microsoft.com). This may lead to unexpected behavior without popup creation as a result of a "direct link click" action. In order to learn about a possible solution, see KB article 1500005.
- Internet Explorer 6 and 7 PDF-files download procedure: same download procedure as with mp3-files.
- If you want to define at Mime-Types a type text/plain, be sure to add an asterisk, otherwise it won't work (text/plain*).
- The download bar is not working with a transparent proxy, unless the <visible-hostname> is DNS-resolvable.

Note:
When a progress popup is opened the main window is set to blank for IE6/IE7. The user has to enter a new web address manually or use the back button to return to the previous page.
If IE8 or a Firefox browser is used, the main window automatically displays the page where the download was started. This is done by going back in the browser history by two steps. Stepping back two sites is important for download sites where the download is started via javascript or HTTP redirects. Otherwise the download would start in an endless loop. On the other hand it may happen that the main browser window is set to the last opened web site.

Note:
If Progress Popup is enabled, no header-trickling will be performed.
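As an added example (not code from the guide or the product), this Python function applies the List 1720 decision rules to one download: unencrypted HTTP only, Browsers Detection Regex and Exception Regex over the raw request header, the Mime-Types list with the text/plain* asterisk rule, Excluded Domains matched only up to the first slash, Excluded Sources, and No Popups If Less Than; it returns the kind of reason Log Decisions would record, and a second function checks the Trickle Period / Popup After constraint. The two request header blocks, the sample regexes and all parameter values are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class PopupSettings:
    """Parameters of List 1720 (plus Trickle Period from List 1719). All values are constructed
    samples chosen for this demonstration, not the product's defaults."""
    enable_progress_popup: bool = True
    # Applied to the raw request header block; matches the browsers named in the text.
    browsers_detection_regex: str = r"^User-Agent:.*(Firefox/[23]\.|MSIE [67]\.|Opera|Safari)"
    # Contraindication: the constructed "Save target as ..." request below sends a bare "Accept: */*".
    exception_regex: str = r"^Accept: \*/\*\r?$"
    mime_types: Tuple[str, ...] = ("application/zip", "application/x-msdownload", "text/plain*")
    popup_after_sec: int = 30
    no_popups_if_less_than_sec: int = 3
    excluded_domains: Tuple[str, ...] = ("updates.example.net",)
    excluded_sources: Tuple[str, ...] = ("10.0.0.0/24",)
    trickle_period_sec: int = 10          # List 1719; must stay SMALLER than popup_after_sec


def mime_matches(content_type: str, patterns) -> bool:
    """Exact match on the full Content-Type value unless the configured type ends in '*',
    which then also covers parameters such as '; charset=...' (assumed semantics; this is
    why the text asks for text/plain* rather than text/plain)."""
    value = content_type.strip().lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.endswith("*"):
            if value.startswith(pattern[:-1]):
                return True
        elif value == pattern:
            return True
    return False


def popup_decision(s: PopupSettings, url: str, client_ip: str, request_headers: str,
                   content_type: str, expected_seconds: float) -> Tuple[bool, str]:
    """Decide whether a progress popup is raised for one download; the reason string is what
    'Log Decisions' would write. The overriding exclusions are evaluated first."""
    if not s.enable_progress_popup:
        return False, "Enable Progress Popup is No"
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return False, "popup only works for unencrypted HTTP content"
    host = (parts.hostname or "").lower()          # nothing after the first slash is considered
    for domain in s.excluded_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return False, f"domain {host} is in Excluded Domains"
    ip = ipaddress.ip_address(client_ip)
    for source in s.excluded_sources:
        if ip in ipaddress.ip_network(source, strict=False):
            return False, f"source {client_ip} is in Excluded Sources"
    if not re.search(s.browsers_detection_regex, request_headers, re.MULTILINE):
        return False, "Browsers Detection Regex did not match"
    if re.search(s.exception_regex, request_headers, re.MULTILINE):
        return False, "Exception Regex matched (looks like 'Save target as ...')"
    if not mime_matches(content_type, s.mime_types):
        return False, f"mime type {content_type!r} not in Mime-Types"
    if expected_seconds <= s.no_popups_if_less_than_sec:
        return False, f"download time {expected_seconds} s is not above No Popups If Less Than"
    return True, f"popup raised after {s.popup_after_sec} s"


def config_warnings(s: PopupSettings) -> List[str]:
    """Cross-parameter checks the text calls out explicitly."""
    warnings = []
    if s.trickle_period_sec >= s.popup_after_sec:
        warnings.append("Trickle Period must be SMALLER than Popup After")
    if any(t.lower() == "text/plain" for t in s.mime_types):
        warnings.append("Mime-Types entry text/plain needs an asterisk (text/plain*)")
    return warnings


# Constructed sample request header blocks (CRLF line endings, as seen by the proxy).
FIREFOX_CLICK = ("GET /files/tool.zip HTTP/1.1\r\n"
                 "Host: downloads.example.com\r\n"
                 "User-Agent: Mozilla/5.0 (Windows; rv:1.9.0) Gecko/2009 Firefox/3.0\r\n"
                 "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
                 "Referer: http://downloads.example.com/\r\n")
IE_SAVE_TARGET_AS = ("GET /files/tool.zip HTTP/1.1\r\n"
                     "Host: downloads.example.com\r\n"
                     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
                     "Accept: */*\r\n")
```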



396 | Overview > Integration Anti-Virus

1.7.2 Data Leak Prevention (HTTP POST Scanning)

Data Leak Prevention allows scanning of HTTP POST requests for malicious code.

Note:
Data Leak Prevention is only available if HTTP Proxy Engine Version is set to NG and is only available for HTTP Proxy.

List 1721 HTTP Proxy Settings - Content Inspection
Parameter: Description
DLP: Enables or disables Data Leak Prevention.
DLP Exception URLs: URL list that should be excluded from DLP scanning.

1.7.3 Mail Gateway Integration

Scanning of SMTP e-mails is based on standard SMTP communication between the Barracuda NG Firewall mail gateway and Virus Scanner MailGate.

Step 1 Mail approaches mail gateway
Step 2 Mail is redirected to virus scanner
Step 3 (optional) Infected mail is deleted
Step 4 Mail is returned for delivery
Step 5 Mail is delivered

Integration of virus scanning on a Barracuda NG Firewall mail gateway takes place by setting parameter Enable virus scanning to yes (as it is by default). This parameter is located in MailGW Settings > Content Adaptions (Mail Gateway 3.2 MailGW Settings, page 262).

Fig. 175 Schematic overview of mail gateway integration

The following configuration options are available:

List 1722 MailGWSettings - Virus Scanning section Virus Protection
Parameter: Description
Enable Virus Detection: This entry allows enabling the scan engine. The following values are available:
  Yes - specifies an external virus scanner
  No - disables virus scanning
  external - uses an external Virus Scanner service
Advanced Virus Protection Option: see list 1723
External Scan Engine: see list 1727

List 1723 MailGWSettings - Advanced Virus Protection Option section Scanner Location
Parameter: Description
Scanner Location: Define here where the Virus Scanner Service which should be used for virus scanning is located. Set to Local if the Virus Scanner Service is running on the same box, Remote otherwise. Ensure that the referenced Virus Scanner Service is existent.
Scanner IP: This field takes the IP address(es) of SMTP scan engine(s). If multiple virus scanners have been supplied, the first available will be used for virus scanning. If the connection to the actively used virus scanner breaks, the next available virus scanner will be contacted.

List 1724 MailGWSettings - Advanced Virus Protection Option section Notification
Parameter: Description
Expose Sender Alerts: Warnings can be sent to the sender of e-mails containing viruses/malicious software. The following settings are available:
  NO - Warnings are never sent to the originator.
  YES - Warnings are always sent to the originator.
  LOCAL (default) - Warnings are sent only if the originator is a local domain user.
Note: Use the Extended Domain Setup of the Mail Gateway to configure local domains. Users belonging to domains defined as internal and strictly_internal through parameter Protection Profile are treated as local (Mail Gateway 3.2.2 Extended Domain Setup, page 263).
Expose Postmaster Alerts: Warnings concerning e-mails containing viruses/malicious software can be sent to the postmaster. The following settings are available: yes (default), no.
Silently Drop Phishing Mail: When set to yes (default: no), the virus scanner service does not generate a DSN delay message addressed to the e-mail's sender when it recognizes a phishing e-mail. The original phishing e-mail is automatically moved to the give-up folder and no further attempts are made to forward it.

List 1725 MailGWSettings - Advanced Virus Protection Option section Adaptions
Parameter: Description
Add Status in Body: Virus status is added to mail body (default: no).
Add X-Status in Header: Virus status is added to mail header (default: yes).
Add Body to Notice: The original body of the infected mail is appended to the postmaster notice mail (default: yes).

List 1726 MailGWSettings - Advanced Virus Protection Option section No Scan Exceptions
Parameter: Description
No Scan For (Recipients) / No Scan For (Sender): Allows defining recipients/senders whose e-mails are not scanned. The syntax is perl-compatible regular expression (for example ^virus@mydomain.com\.tld$).

List 1727 MailGWSettings - External Scan Engine
Parameter: Description
Scan Engine IPs: This field takes the IP address(es) of external SMTP scan engine(s). If multiple virus scanners have been supplied, the first available will be used for virus scanning. If the connection to the actively used virus scanner breaks, the next available virus scanner will be contacted.
Scan Engine Port: Here the ports used to contact the external SMTP scan engine are specified.



Anti-Virus Integration < Overview | 397

List 1727 MailGWSettings - External Scan Engine (continued)
Parameter: Description
Bind IP: Here the IP address the mail gateway service listens to and awaits virus scan engine replies from can be entered.
Note: The Bind IPs also need to be entered as part of the server configuration.

1.7.4 FTP Gateway Integration

Scanning of FTP requests is processed via internal service communication between the FTP gateway and the virus scanner service.

Fig. 176 Schematic overview of FTP gateway integration

Step 1 FTP request is sent from the client to the Internet passing the FTP gateway.
Step 2 Response is returned from the destination to the FTP gateway.
Step 3 Response is split into two information streams.
Per 4096 KB package, 1 KB is directly returned to the client without being scanned, to avoid that the connection between client and FTP gateway times out. The larger part of the data package is forwarded to the anti virus service.
Step 4 If content is "infected" it is removed.
The virus scanner returns error code and virus information to the FTP gateway, which causes termination of the client data connection. Furthermore, it returns a 505 error code containing the virus information. The FTP gateway forwards this information to the client (505 virus <virus_name> found in file).
The not scanned part of the data package, which has already been forwarded to the client, remains on it as a tiny file fragment. This fragment has to be deleted manually.
Step 5 If content is clean, the scanned response is returned to the FTP gateway.
Step 6 FTP gateway delivers the requested content to the source client.
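As an added example (not code from the guide or the mail gateway), the following Python shows how the perl-compatible No Scan For patterns of List 1726 behave when applied to envelope addresses: the guide's own example pattern is kept as written, a strict variant and a loose one are added, and a small lint reports the two mistakes that silently widen an exception (missing anchors, unescaped dots). The search semantics and the rule that every recipient must be excepted before a mail is skipped are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample patterns: the guide's own example, a strict variant and a loose one.
PAGE_EXAMPLE = r"^virus@mydomain.com\.tld$"
STRICT = r"^virus@mydomain\.com\.tld$"
LOOSE = r"virus@mydomain.com"


def first_no_scan_match(patterns: Iterable[str], address: str) -> Optional[str]:
    """Return the first No Scan For pattern matching `address`, or None if none does.
    Patterns are applied with search semantics like a perl regex, so anchoring is up to
    the pattern author (assumed behaviour, not verified against the product)."""
    for pattern in patterns:
        if re.search(pattern, address):
            return pattern
    return None


def should_scan(sender: str, recipients: List[str],
                no_scan_sender: List[str], no_scan_recipients: List[str]) -> bool:
    """A mail is left unscanned when its sender is excepted or when every recipient is
    (assumption: one scannable recipient keeps the whole mail in scanning)."""
    if first_no_scan_match(no_scan_sender, sender):
        return False
    if recipients and all(first_no_scan_match(no_scan_recipients, r) for r in recipients):
        return False
    return True


def audit_pattern(pattern: str) -> List[str]:
    """Lint one exception pattern for the two classic widening mistakes."""
    problems = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        problems.append("not anchored with ^ and $: matches as a substring")
    # An unescaped '.' that is not itself a quantified wildcard (.* .+ .? .{n}) matches any character.
    if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
        problems.append("unescaped '.' matches any character")
    return problems


if __name__ == "__main__":
    for candidate in (PAGE_EXAMPLE, STRICT, LOOSE):
        print(candidate, "->", audit_pattern(candidate) or ["ok"])
```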



398 | Pattern Update Manipulation > Update / Disable Anti-Virus

2. Pattern Update Manipulation

2.1 Update / Disable


The general virus pattern update logic of the Virus Scanner service is defined through the parameters Update Every (min), page 390 and Disable Update, page 390. Settings defined there can be overridden temporarily if manual interaction is desired.
To initiate unscheduled virus pattern updates or to disable the pattern update cycle, browse to the Control > Server tab and in the Service Status section of the window select the virus scanner service with a left-click. Then right-click to make the following additional context menu entries available:
- Update Pattern
  Selecting this item triggers an immediate virus scanner update.
- Disable Pattern Update
  Selecting this item opens an interactive dialog that allows customising the length of the pattern update blockage. The following specifications are available:

Fig. 177 Disabling virus pattern updates manually

  Disable permanently - Select this item to disable virus pattern updates permanently.
  hours/minutes/seconds - These fields allow defining a time span during which the general virus pattern update settings should be ignored.

Permanent and temporary virus pattern update deactivation change the context menu entry Disable Pattern Update to Enable Pattern Update. Select this item to revoke your modifications.
Blocked update states are appropriately visualized by an entry in the Info column appended to the service entry.

Note:
For security reasons access to this trigger is restricted to the administrator's role:
- On single boxes access is permitted for the Manager and Security roles (table 320, page 92).
- On Barracuda NG Control Centers access is permitted through the VIRSCAN MODULE section within the Administrators configuration (list 1912, page 438).



Barracuda NG Firewall 4.2.10
18

High Availability

1. Overview
1.1 Main Principle of High Availability Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2 Definitions and Notions in a High Availability system (HA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2.1 Primary Box / Secondary Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2.2 Primary Server / Secondary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

2. Setting up a HA System
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.2.1 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.3 Designing a HA System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.4 Configuring HA Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
2.4.1 Configuring a Stand-alone HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
2.4.2 Configuring a CC-administered HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
2.4.3 HA Sync Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
2.4.4 Emergency Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
2.4.5 Configuring Interception of Failure Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

3. Services with Additional HA Mechanisms


3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
3.2 Transparent Failover for a HA Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
3.2.1 Synchronising Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
3.2.2 Take-Over Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
3.2.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
3.2.4 Visualisation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
3.3 Mail Gateway with HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
3.3.1 Automatic E-mail Synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
3.3.2 Manual E-mail Synchronisation after HA Handover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408



1. Overview

1.1 Main Principle of High Availability Operations

The mechanism of High Availability (HA) works by exchanging alive packets with the HA partner; both partners inform each other about their status. Echo requests (pings) and ARP (Address Resolution Protocol) requests are exchanged as well. This is repeated every 10 seconds for the Box IP and the Server IPs. If there is no response from the active system/server, the following happens:

- Box IP does not respond: all servers are transferred to the HA partner.
- First Server IP does not respond: the corresponding server is transferred.

In either situation the state of the other system/server changes to "unknown" and the frequency of alive packets and pings is increased. If the primary responds, the cycle falls back to normal operation. If there is no response within 10 seconds, the inactive partner (normally the secondary box) performs an emergency server start. When the primary box becomes active again, it recognizes the active servers on the secondary box and goes into standby mode.

Note:
If the primary and secondary box activate their servers at the same time, the secondary box "wins" and the primary shuts down its servers immediately. This procedure makes sure that only one HA partner is in operational mode while the other one is in standby mode.

Note:
To have the HA mechanism for a single service, a separate server has to be created for this service on the Barracuda NG Firewall.

Table 18-1 State table with working communication

Primary Box | Secondary Box | Control Primary | Control Secondary | Comment
Active | Active | Primary / unknown | Secondary / unknown | Unstable: both boxes run their servers; for a short time duplicate IPs are detected, until the primary box stops its servers. Typical situation of a broken communication channel.
Active | Inactive | Primary / Standby | Standby / Primary | Normal operation mode
Active | Blocked | Primary / Block | Block / Primary | If the primary box fails, the HA partner is not available
Inactive | Active | Down / Secondary | Secondary / Down | Normal operation mode; the server is running on the secondary machine
Inactive | Inactive | Down / Unknown | Down / Unknown | Both boxes start their servers; if the primary starts first, it keeps the servers up and the secondary falls into standby mode (Active/Inactive)
Inactive | Blocked | Down / Block | Block / Down | The secondary box was active and the primary was in standby mode until the secondary was blocked
Blocked | Active | Block / Secondary | Secondary / Block | If the secondary box fails, the HA partner is not available
Blocked | Inactive | Block / Unknown | Down / Block | Situation after the server on the primary machine has been blocked and the secondary is not up yet
Blocked | Blocked | Block / Block | Block / Block | No active server is running

1.2 Definitions and Notions in a High Availability System (HA)

1.2.1 Primary Box / Secondary Box

- Primary box
  This is the box which runs all servers and services until a serious fault occurs or servers and services are shut down for system maintenance.
- Secondary box
  A box set up identically to the primary box, which runs in standby mode until the primary box is unreachable. In this case the secondary box starts its servers and services to minimize the failover time.
- Communication table
  There are various states in which the two boxes can be with respect to each other.

Table 18-2 Communication between HA partners; ARPs are independent of a HA system

Protocol | Active box | Inactive box
UDP 801 | 1 -> 2 | 2 -> 1
ICMP | 1 -> 2, plus the primary server IP |
ARP | 1 -> 2 | 1 -> 2

1.2.2 Primary Server / Secondary Server

- Primary Server
  This is the active server in the high-availability system. The position of the primary server within the HA system is irrelevant. In a system built of 5 HA partners, the VPN primary server might for example run on box 4 and its secondary partner on box 5.
- Secondary Server
  This is the backup server within the high-availability system, configured to take over services in case the services on the partner box become unavailable. Note that not only a box failure may result in activation of the secondary server, but also unavailability of network components the service relies upon.

Always make a clear distinction in the use of nomenclature. The names primary box and secondary box are always meant from the server's point of view. When speaking of primary server and secondary server, the service itself is meant, which has to be started on the HA partner as soon as one box, or the communication to a networking component the service relies upon, fails.

Using the HA configuration to balance the load between boxes is a very common and effective way to exploit all features of the Barracuda NG Firewall architecture. Figure 18-1 visualizes the behavior of HA partners in case of a service failure on the primary server.

Example:
Primary Server S1 on HA Box1 knows Secondary Server S1 on HA Box2 as HA-Partner Server.
Primary Server S2 on HA Box2 knows Secondary Server S2 on HA Box1 as HA-Partner Server.
While both boxes are active, the services FFW and VPN are processed on HA Box1 while the services Proxy and DNS are processed on HA Box2. If the state of HA Box1 changes to "unknown" due to fatal errors, either hardware- or software-sided, HA Box2 starts its Secondary Server S1 and activates the FFW and VPN services within a few seconds.

Fig. 18-1 Load Balancing with a HA system
(Three panels: "Normal Operation", "Operation without Box 1" and "Operation without Box 2". Box1 hosts Primary S1 (FFW, VPN) and Secondary S2 (PX, DNS); Box2 hosts Secondary S1 (FFW, VPN) and Primary S2 (PX, DNS).)
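The heartbeat and take-over logic of section 1.1 and three rows of the state table (primary box outage, simultaneous start, broken communication channel), modelled as an added example that is not Barracuda code. The 10 s alive interval, the 10 s take-over timeout and the rule that the secondary wins a tie are taken from the text; the 2 s probe interval once the partner is "unknown", the per-second tick model, the state names and all function names are assumptions of this model, and blocked servers are not modelled:

```python
from dataclasses import dataclass

ALIVE_INTERVAL = 10     # seconds between alive packets while the partner answers (1.1)
PROBE_INTERVAL = 2      # assumed shortened interval once the partner is "unknown"
TAKEOVER_TIMEOUT = 10   # seconds of silence before the emergency server start (1.1)


@dataclass
class Box:
    name: str
    primary: bool
    server: str = "standby"        # "active" | "standby" | "down"
    up: bool = True
    partner_seen: str = "unknown"  # server state last reported by the partner
    unknown_since: int = 0         # tick at which the partner became "unknown"
    next_probe: int = 0

    def boot(self, now):
        """A (re)booting box comes up in standby and probes its partner at once."""
        self.server = "standby"
        self.partner_seen = "unknown"
        self.unknown_since = now
        self.next_probe = now


def probe(box, partner, link_up, now):
    """Alive packet from box to partner; the answer carries the partner's server state."""
    if now < box.next_probe:
        return
    if partner.up and link_up:
        box.partner_seen = partner.server
        box.next_probe = now + ALIVE_INTERVAL
    else:
        if box.partner_seen != "unknown":
            box.unknown_since = now
        box.partner_seen = "unknown"
        box.next_probe = now + PROBE_INTERVAL   # frequency of alive packets is increased


def decide(box, now):
    """Server transition of one box, based on what it knows about its partner."""
    if box.server == "standby":
        if box.partner_seen == "standby":
            box.server = "active"   # nobody runs the servers: start them
        elif box.partner_seen == "unknown" and now - box.unknown_since >= TAKEOVER_TIMEOUT:
            box.server = "active"   # emergency server start
    elif box.server == "active" and box.partner_seen == "active" and box.primary:
        box.server = "standby"      # both active: the secondary wins, the primary stops


def simulate(schedule, duration, primary_initial="active"):
    """schedule(t) -> (primary_up, secondary_up, link_up) for second t.

    Returns (t, primary_server, secondary_server) for every tick at which a state changes.
    """
    p = Box("primary", True, server=primary_initial)
    s = Box("secondary", False)
    trace, last = [], None
    for t in range(duration):
        p_up, s_up, link = schedule(t)
        for box, is_up in ((p, p_up), (s, s_up)):
            if is_up and not box.up:
                box.boot(t)
            box.up = is_up
            if not is_up:
                box.server = "down"
        # all boxes probe first, reading the partner state as of this tick ...
        for box, partner in ((p, s), (s, p)):
            if box.up:
                probe(box, partner, link, t)
        # ... and act afterwards, so that simultaneous starts really collide
        for box in (p, s):
            if box.up:
                decide(box, t)
        if (p.server, s.server) != last:
            last = (p.server, s.server)
            trace.append((t, p.server, s.server))
    return trace


def primary_box_outage():
    """Primary box down from 30 s to 60 s: Active/Inactive -> Inactive/Active rows."""
    return simulate(lambda t: (not 30 <= t < 60, True, True), 80)


def simultaneous_start():
    """Both boxes start their servers at once: the secondary wins the tie."""
    return simulate(lambda t: (True, True, True), 30, primary_initial="standby")


def broken_heartbeat_link():
    """Heartbeat link down from 30 s to 50 s, both boxes alive: the Active/Active row."""
    return simulate(lambda t: (True, True, not 30 <= t < 50), 70)


if __name__ == "__main__":
    for title, run in (("primary box outage", primary_box_outage),
                       ("simultaneous start", simultaneous_start),
                       ("broken heartbeat link", broken_heartbeat_link)):
        print(title)
        for t, prim, sec in run():
            print(f"  t={t:3d}s  primary={prim:8s}  secondary={sec}")
```

Running the file prints the three traces. The first shows the secondary performing its emergency start 10 seconds after the primary stops answering and the recovered primary coming back in standby; the third shows the duplicate-IP window a broken heartbeat link opens: both boxes stay active until the primary's next probe over the restored link sees the secondary's active server.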



2. Setting up a HA System

2.1 General

Note:
It is important to configure switches and routers properly to work in conjunction with a HA system. Most important is the so-called ARP cache time or ARP timeout. When the secondary box starts its services, the IP addresses of the primary box are used (except the management IP) but with different MAC addresses. With an infinite timeout configured, the secondary box would never be reached. With a timeout of 300 seconds, the secondary box would not be reached for 5 minutes, and the HA concept would not fulfil its purpose. The recommended setting lies between 30 and 60 seconds. Disadvantage: the amount of ARP requests increases with a shorter timeout.

When setting up a Barracuda NG Firewall HA system there are typically three possible initial situations:

- A standalone Barracuda NG Firewall already exists which can be upgraded to HA mode.
- Two separate standalone Barracuda NG Firewalls exist which can be turned into a single HA pair.
- A HA pair has to be installed from scratch. In this case install a new single system first, then upgrade this system to HA mode (see the first scenario above).

2.2 Introduction

We assume that a successfully installed single box already exists (Getting Started, page 7). Thus the scenario explained below also applies when upgrading single box operation to HA operation mode. For the single system a so-called DHA (Dedicated High Availability) box is defined. The DHA box has the same configuration as its HA partner. This box is inactive as long as there is no serious fault on the other box and its services have not been shut down for system maintenance.

Fig. 18-2 HA monitoring without private uplink (HA state exchanged via the 10.0.8.0/24 network)
(Primary FW: eth0 10.0.8.112, eth1 0.0.0.0; Secondary FW: eth0 10.0.8.113; both on 10.0.8.0/24.)

Fig. 18-3 HA monitoring with private uplink
(Primary FW: eth0 10.0.8.112, eth1 0.0.0.0, eth2 192.168.0.1; Secondary FW: eth0 10.0.8.113, eth2 192.168.0.2; private uplink between the two eth2 interfaces.)

2.2.1 Modes of Operation

In a HA system with no private uplink, alive packets and status information are transferred over the network the management IP addresses belong to (figure 18-2).

Note:
When the switch "dies", the connection between the HA partners breaks too, and the secondary box starts its servers although the primary box is still alive. When the switch is re-activated, for around 1 second both boxes are up and duplicate IPs are online until the primary box stops its servers.

In a HA system with private uplink, one network interface is dedicated to HA purposes (figure 18-3). There are some routing specialities (host routes) to route the HA traffic via the private uplink. A failover route has to be configured too, to make sure that the boxes can reach each other via both routes. The private uplink should be a direct connection with a crossover cable, to be independent of a further hardware component (switch/hub); the subnet for the uplink should be a 2-bit network (/30).

2.3 Designing a HA System

Fig. 18-4 Designing a HA system
(10.0.8.0/24 with the Server IP 10.0.8.100 on eth0; Primary FW: A0 eth0 10.0.8.112, eth1 0.0.0.0, A1 eth2 192.168.0.1; Secondary FW: B0 eth0 10.0.8.113, B1 eth2 192.168.0.2; private uplink between A1 and B1.)


Used IP addresses

Table 18-3 Designing a HA system: used IP addresses

 | Primary box | Secondary box
Management IP | 10.0.8.112 / eth0 | 10.0.8.113 / eth0
FW Server IP | 10.0.8.100 (one server IP, used by whichever box runs the server) |
Further Network (Private Uplink) | 192.168.0.1/30 / eth2 | 192.168.0.2/30 / eth2

The path the heartbeat takes can be defined using one of two methods:

- Via the parameter group Translated HA IP (Config > Box > Infrastructure Services > Control). In our example we configure the heartbeat to use both the 10.0.8.0/24 network AND the private uplink.

Table 18-4 Designing a HA system: Translated HA IP

 | Translated HA IP | Alternative HA IP | Usage Policy
Primary FW | 10.0.8.113 | 192.168.0.2 | Use-Both
Secondary FW | 10.0.8.112 | 192.168.0.1 | Use-Both

- Alternatively you can use the routing (Config > Box > Network > Network Routes) instead.

Table 18-5 Designing a HA system: network routes

Route | Primary box | Secondary box | Comment
Direct route | 10.0.8.112 / eth0 | 10.0.8.113 / eth0 | Preference 200
Gateway route | 10.0.8.113 via 192.168.0.2 | 10.0.8.112 via 192.168.0.1 | Preference 100

All gateway routes must have a lower preference than the direct route to make sure that HA traffic is routed via the private uplink (preference 0). The explicit failover route via eth0 is required because the minimal scope algorithm would cause the kernel to use the HA link even if it is disabled (preference 65000).

Attention:
It is important to include the net of the private uplink in the box ACLs, since otherwise the control daemon would disable the gateway routes because the other machine does not answer.

According to the example above, the configuration looks as follows:

- Primary FW:
  Source IP A1 via gateway B1 to Destination IP B0 (Preference 100)
  B0 interface eth0 (Preference 200)
- Secondary FW:
  Source IP B1 via gateway A1 to Destination IP A0 (Preference 100)
  A0 interface eth0 (Preference 200)

2.4 Configuring HA Pairs

2.4.1 Configuring a Stand-alone HA Pair

There are several ways to reach HA. The first way starts with an existing Barracuda NG Firewall and a box which has to be installed as its HA partner. The installation of a stand-alone HA pair works as follows:

Step 1 Installation of the primary box

Step 2 Complete configuration of the primary box (server, services)

Step 3 Creation of the dedicated HA (DHA) box
After installation and configuration of the single box, create the DHA partner by right-clicking the box icon in the configuration tree and selecting Create DHA box from the context menu.

Fig. 18-5 Context menu of Box

A new menu item (HA Box) is created in the configuration tree of the box. The HA network settings tab has to contain the network interfaces, the management IP, routes,

Note:
From its first boot on, the DHA box has all information about the configuration and works in standby mode. Every change of the primary box configuration is transmitted to the secondary box instantly.

Step 4 Installation of the DHA box with the PAR file for the DHA box
After the HA box has been configured, a PAR file has to be created. To do so, select Create PAR file for HA box from the context menu. The procedure to set up a box with a PAR file is described in Getting Started, page 7.
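A consistency check over the design of section 2.3 (the used IP addresses, the Translated HA IP entries and the network routes), written here as an added example and not a function the box itself provides. The two boxes are described as plain dicts (the dict layout and the ACL notation are assumptions) and the check flags the mistakes the text warns about: a gateway route that is not preferred over the direct route, a missing failover route via eth0, Translated/Alternative HA IPs that do not point at the partner, an uplink that is not a shared /30, and a box ACL that does not cover the private uplink net:

```python
import ipaddress

PRIMARY = {
    "name": "Primary FW",
    "mgmt": "10.0.8.112",                 # A0 on eth0
    "uplink": "192.168.0.1/30",           # A1 on eth2
    "translated_ha_ip": "10.0.8.113",     # partner's management IP
    "alternative_ha_ip": "192.168.0.2",   # partner's uplink address
    "routes": [
        {"kind": "direct", "dst": "10.0.8.113", "dev": "eth0", "pref": 200},
        {"kind": "gateway", "dst": "10.0.8.113", "via": "192.168.0.2", "pref": 100},
    ],
    "acl": ["10.0.8.0/24", "192.168.0.0/30"],   # box ACL entries (assumed notation)
}
SECONDARY = {
    "name": "Secondary FW",
    "mgmt": "10.0.8.113",                 # B0 on eth0
    "uplink": "192.168.0.2/30",           # B1 on eth2
    "translated_ha_ip": "10.0.8.112",
    "alternative_ha_ip": "192.168.0.1",
    "routes": [
        {"kind": "direct", "dst": "10.0.8.112", "dev": "eth0", "pref": 200},
        {"kind": "gateway", "dst": "10.0.8.112", "via": "192.168.0.1", "pref": 100},
    ],
    "acl": ["10.0.8.0/24", "192.168.0.0/30"],
}


def variant(box, **overrides):
    """Copy of a box description with some keys replaced (for what-if checks)."""
    return {**box, **overrides}


def check_box(box, partner):
    """Problems in box's view of partner; an empty list means this side is consistent."""
    problems = []
    up = ipaddress.ip_interface(box["uplink"])
    pup = ipaddress.ip_interface(partner["uplink"])
    if up.network != pup.network or up.network.prefixlen != 30:
        problems.append("private uplink must be one /30 shared by both boxes")
    if up.ip == pup.ip:
        problems.append("both boxes use the same uplink address")
    if box["translated_ha_ip"] != partner["mgmt"]:
        problems.append("Translated HA IP must be the partner's management IP")
    if ipaddress.ip_address(box["alternative_ha_ip"]) != pup.ip:
        problems.append("Alternative HA IP must be the partner's uplink address")
    direct = [r for r in box["routes"]
              if r["kind"] == "direct" and r["dst"] == partner["mgmt"] and r["dev"] == "eth0"]
    gateway = [r for r in box["routes"]
               if r["kind"] == "gateway" and r["dst"] == partner["mgmt"]
               and ipaddress.ip_address(r["via"]) == pup.ip]
    if not direct:
        problems.append("missing explicit failover route to the partner via eth0")
    if not gateway:
        problems.append("missing gateway route to the partner via the private uplink")
    if direct and gateway and min(g["pref"] for g in gateway) >= min(d["pref"] for d in direct):
        problems.append("gateway route must have a lower preference value than the direct route")
    # the control daemon disables the gateway route when the partner cannot answer through the ACL
    if not any(pup.ip in ipaddress.ip_network(net) for net in box["acl"]):
        problems.append("box ACL does not cover the private uplink net")
    return problems


def check_pair(a, b):
    """Run the check in both directions, keyed by box name."""
    return {a["name"]: check_box(a, b), b["name"]: check_box(b, a)}


if __name__ == "__main__":
    print(check_pair(PRIMARY, SECONDARY))
    print(check_box(variant(PRIMARY, acl=["10.0.8.0/24"]), SECONDARY))
```

The two dicts reproduce the example design, so check_pair reports nothing; dropping the uplink net from the primary's ACL or swapping the two preference values yields the corresponding finding. Any real deployment would load the values from the box configuration instead of literals.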



Step 5 Introduction of the HA Box to the Managing Workstation
To avoid connecting to an unknown system, the box key should be imported into the local Barracuda NG Admin settings. The two machines share their keys, hence the public key can be imported from the primary one. It is found in the configuration file Identity. Since all later connections are checked against this imported key, make the export over a connection you trust.

Fig. 18-6 Exporting the public key to a file

This tab is used to manage the box keys and certificates; the function Ex/Import is needed to export the Box Public Key to a file. After you have selected a folder to save the public key, the key has to be imported into the Barracuda NG Admin settings (File > Settings or the settings icon). Open the Public Host Key tab, click the Import PEM button and select the public key that was exported above.

Fig. 18-7 Public Host Keys

2.4.2 Configuring a CC-administered HA Pair

The creation of CC-administered HA pairs works slightly differently, as the pairs are combined in the configuration section of the CC and not in the configuration section of the boxes themselves. Perform the following step to create a CC-administered HA pair (it is assumed that the boxes already exist):

Step 1 Creation of the server
Create a Server in the Cluster Servers interface of the CC. In this context choose the boxes which should operate together as HA partners.

Fig. 18-8 Creation of CC-administered HA partners - Step 1

Fig. 18-9 Creation of CC-administered HA partners - Step 2

The primary and secondary servers are automatically created and configured as HA partners on both boxes.

Note:
HA partners can only be created within one cluster.


2.4.3 HA Sync Status

Configuration changes on the primary box are transferred to the secondary box instantly. The sync status can be viewed via the Barracuda NG Admin configuration GUI. To do so, simply click HA Sync.

Fig. 18-10 Sync Status of two HA partners

- Do Update
  An incremental update will be performed.
- Do Complete Update
  A complete update will be performed.
- Discard Update
  Discards the changes; needed when the two HA partners are in an inconsistent state (for example when the primary box was down and configuration changes had to be made on the secondary box, which means the secondary box has been set to Emergency Override).
- Refresh
  Refreshes this window to show the actual changes (completion of the update).

Note:
If HA boxes are managed by a Barracuda NG Control Center, this button is deactivated when connecting to the box itself. HA Box synchronisation has to be triggered via the Barracuda NG Control Center.

2.4.4 Emergency Override

If the primary box fails, configuration changes must be made on the secondary box. In normal operation mode it is not possible to alter the configuration via the secondary box. If there is the need to do so, the DHA box has to be set to Emergency Override mode. After the primary box has been re-established, the synchronisation has to be started manually. Hence the procedure after a serious failure of the primary box is the following:

Step 1 Enable the Emergency Override mode
To enable the Emergency Override mode, open the Barracuda NG Admin configuration GUI and establish a connection to the secondary box. Open the context menu with a right-click on Box (Backup) and select Emergency Override.

Fig. 18-11 Emergency Override of a HA Box

Confirm the query that opens with Yes to enable the Emergency Override.

Fig. 18-12 Confirmation query for Emergency Override

The box icon is highlighted in yellow as soon as the Emergency Override is active.

Note:
The Emergency Override option belongs to one session only; it must be re-established in every new session.

Step 2 Change the configuration
After enabling the Emergency Override mode, the configuration file can be locked and edited. As soon as the files have been modified, the icon in the header changes and the buttons Send Changes and Reload become available.

Step 3 Send Changes and Activate
Note:
For detailed information on the functions of the buttons Send Changes and Activate, see Getting Started, page 7.

The Send Changes button sends the configuration changes to the server. The configuration changes are stored until they are activated. The Reload button loads the original file with the configuration data as it was before any changes were activated by clicking Activate.
To verify that the changes work, it is possible to check them before activation. For this purpose the Box tab (Control) contains the button Verify New. Clicking this button results in a detailed report about the changes. When the report is OK (no errors occurred), click Activate New to set the changes active.

Fig. 18-13 Example for test report

Step 4 Manual synchronisation with the re-established primary box
After having changed the configuration of the secondary box, and once the primary box is up and running again, the synchronisation of the two boxes has to be done manually.

- Of a standalone HA pair
  (it is assumed that services are still active on the secondary box)
  Open the Config tree on the secondary box and click the HA Sync button in the button bar on top of the window.
  Now enter the IPs of the HA partners into the IP address fields of the HA Box Synchronisation window:
  Insert the IP address of the primary box into the HA Partner IP field.
  Insert the IP address of the secondary box into the Sender IP to use field.
  Activate the Change Address checkboxes to the right of both fields.
  Transfer the configuration from the secondary box to the primary box by clicking the Do Update button and immediately thereafter the Do Complete Update button.
  Block the services on the secondary box so that the primary box can regain normal operation status.
- Of a HA Barracuda NG Control Center
  (it is assumed that services are still active on the secondary box)
  Open the Config tree on the CC and click the HA Sync button in the button bar at the top of the window.
  Now enter the IPs of the HA partners into the IP address fields of the HA Box Synchronisation window:
  Insert the IP address of the primary box into the HA Partner IP field.
  Insert the IP address of the secondary box into the Sender IP to use field.
  Activate the Change Address checkboxes to the right of both fields.
  Transfer the configuration from the secondary box to the primary box by clicking the Do Update button and immediately thereafter the Do Complete Update button.
  Block the services on the secondary box so that the primary box can regain normal operation status.

Note:
Only configuration changes on the primary box are transferred instantly to the secondary box. In Emergency Override situations the synchronisation from the secondary to the primary has to be done manually. It is recommended to perform a complete update, since updates are otherwise done incrementally.

2.4.5 Configuring Interception of Failure Conditions

To enable handling of failure conditions and to guarantee a quick take-over of services in case a box or networking component becomes unavailable, it is vital to configure monitoring of IP addresses and services. Monitoring configuration is done on Server level (see also Configuration Service 3. Configuring a New Server, page 94).


3. Services with Additional HA Mechanisms

3.1 General

Several services can be configured as HA systems, but some of them use distinct synchronisation mechanisms. Two of these services (HA Firewall Service, Mail Gateway with HA) are described below in more detail. Other available services are:

- DHCP:
  for Enterprise (Barracuda NG Firewall 3.2) see DHCP, page 287
  for Basic (Barracuda NG Firewall 2.4.2) see DHCP 2. "Regular" DHCP, page 298
- SSH (SSH Gateway, page 385)
- SPAM Filter (Mail Gateway 4. Spam Filtering, page 273)

3.2 Transparent Failover for a HA Firewall

We have seen that a HA system provides safety by taking over the configured servers and services in case one partner breaks down, and that a HA system can be used for load balancing to exploit all features available through the Barracuda NG Firewall architecture.
So far so good, but having a firewall server/service taken over by the second HA partner without the open sessions is not that good. The function Transparent Failover (activated per rule; active by default) synchronizes the forward packet sessions (TCP in- and outbound, UDP, ICMP-Echo and OTHER-IP-Protocols) of the Firewall server between the two HA partners.

Attention:
Take into consideration that the following session types are not synchronized:
- Local Sessions
- Stream Forwarding Sessions
- Sessions using a Box IP as Bind
- Sessions redirecting a Box IP
- Sessions explicitly classified as not to be synchronized within the advanced rule parameter of the affected rule

For a working Transparent Failover function it is mandatory to have an analogous network configuration on both HA partners. The NICs may differ, but the assignment of the interfaces has to be identical. That means if the ISP is connected on eth0 and the DMZ is on eth1, this assignment must be the same on the partner box.

3.2.1 Synchronising Procedure

Synchronisation can be carried out via the uplink connection or alternatively via the LAN connection (see 2. Setting up a HA System, page 402).
The synchronisation traffic is realized by sending UDP packets, so-called sync packets (port 689), with AES-128 encryption to prevent infiltration. The AES keys are created using the Box RSA keys and are changed every 60 seconds to maintain the high security level of the sync traffic.
Using the LAN connection for synchronising is only possible because of the small amount of synchronisation traffic required. This traffic is reduced by synchronising sessions and not each packet. Due to the characteristics of the TCP protocol (SYN, SYN-ACK, ...) only already established TCP connections are synchronized. When the synchronisation takes place during the TCP handshake, this handshake has to be repeated.

Fig. 18-14 Synchronising procedure
(The active box (FW, active sessions) sends a sync packet to the inactive box (FW, synchronized sessions), which answers with a sync ACK.)

The synchronising procedure takes place immediately (if possible). If synchronisation packets are lost, up to 70 sessions per second are synchronized.

Depending on the system availability, the behavior differs:

- Partner box is inactive/rebooted
  Sometimes the "backup" box is not available and therefore does not respond to the sync packets (for example for maintenance reasons). In this case the active box stops synchronising. As soon as the partner box re-appears, the active box checks whether the other one was rebooted or has an obsolete session state, and re-synchronizes all necessary sessions.
- Active box reboots without a take-over
  This happens when the OS Restart button is used, that means the acpf and the sockets are gone but the box is not rebooted physically. In this case the partner box recognizes that its session state is obsolete and removes all synchronized sessions.
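Which sessions leave the active box, and what the take-over described in 3.2.2 below leaves open, as an added example that is not Barracuda code. The session record and its field names are assumptions of this model; the exclusion list, the "established TCP only" rule and the fact that TCP sequence numbers are not part of the synchronized state are taken from the text. The 64 KiB acceptance window stands in for whatever window the real sequence check uses:

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class Session:
    sid: str
    proto: str                        # "tcp" | "udp" | "icmp-echo" | "other"
    established: bool = True          # TCP: three-way handshake completed
    local: bool = False               # local session, terminated on the box itself
    stream_forwarding: bool = False
    bind_is_box_ip: bool = False
    redirect_to_box_ip: bool = False
    rule_sync: bool = True            # Transparent Failover flag of the matching rule
    last_seq: Optional[int] = None    # TCP sequence state; never part of a sync packet


def not_synced_because(s):
    """Reason a session stays on the active box only, or None if it is synchronized."""
    if s.local:
        return "local session"
    if s.stream_forwarding:
        return "stream forwarding session"
    if s.bind_is_box_ip:
        return "bind address is a box IP"
    if s.redirect_to_box_ip:
        return "redirects to a box IP"
    if not s.rule_sync:
        return "Transparent Failover disabled in the rule"
    if s.proto == "tcp" and not s.established:
        return "TCP handshake not finished; it is repeated after the take-over"
    return None


def synchronize(active, partner):
    """Copy eligible sessions into the partner's table; sequence numbers stay behind."""
    for s in active.values():
        if not_synced_because(s) is None:
            partner[s.sid] = replace(s, last_seq=None)
    return partner


def accept_segment(s, seq, window=65535):
    """Forwarding decision for a TCP segment on the box that now owns the session.

    Right after a take-over last_seq is None: the first segment is accepted
    unchecked and its sequence number is learned; from then on the check is
    back in force.
    """
    if s.proto != "tcp":
        return True
    if s.last_seq is None:
        s.last_seq = seq
        return True
    if 0 <= seq - s.last_seq < window:
        s.last_seq = seq
        return True
    return False


def can_reset(s):
    """A clean TCP-RST needs a known sequence number; otherwise Terminate Session only drops."""
    return s.proto == "tcp" and s.last_seq is not None


def demo():
    """Constructed session table: what gets synchronized, and the window after a take-over."""
    active = {s.sid: s for s in (
        Session("web", "tcp", last_seq=1000),
        Session("dns", "udp"),
        Session("ping", "icmp-echo"),
        Session("mgmt-ssh", "tcp", local=True),
        Session("halfopen", "tcp", established=False),
        Session("nosync", "tcp", rule_sync=False),
    )}
    partner = synchronize(active, {})
    web = partner["web"]                     # the taken-over copy: no sequence state
    return {
        "synced": sorted(partner),
        "skipped": {sid: not_synced_because(s) for sid, s in active.items()
                    if not_synced_because(s)},
        "reset_before_traffic": can_reset(web),
        "first_segment_accepted": accept_segment(web, 424242),   # any value gets through
        "out_of_window_after": accept_segment(web, 1),           # check is back in force
        "reset_after_traffic": can_reset(web),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo shows the practical consequence of the missing sequence numbers: until a taken-over TCP session has carried one segment, the new owner forwards whatever sequence number it sees and cannot terminate the session with a RST; both recover from the first packet seen.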



3.2.2 Take-Over Procedure

As soon as the HA box where the firewall runs does not respond to the heartbeat (Control, UDP 801), the take-over is started (after a delay of 10 to 15 seconds). This delay is necessary due to potentially low network performance.

Note:
During this time NO service is available.

When the box stays inactive, the synchronized sessions on the second box are set active and all connections are available again.
Again, the TCP protocol has to be mentioned separately. The "backup" box does not have the current TCP sequence numbers. Hence, in case of a take-over, the sequence number is not checked for correctness; until then, segments for such a session are forwarded without a sequence number check. As soon as the connection carries traffic, the sequence number is known to the former "backup" box and the sequence number check can be performed again.
The missing sequence number on the "backup" box also means that TCP connections that were taken over but have had no traffic since then cannot be reset in a "clean" way. Terminating the session via the Terminate Session button removes the connection but does not send a TCP-RST (TCP Reset signal).

3.2.3 Configuration

Each firewall rule is equipped with a Transparent Failover active/inactive option that allows you to define whether sessions affected by this rule should be synchronized or not. See Firewall 2.3.4 Advanced Rule Parameters, page 162, Transparent Failover State Sync, page 164, for additional information.

3.2.4 Visualisation

The state of the sessions is visualized within the Status tab of the Firewall service. See Firewall 6.3 Real Time Status, page 178, for a detailed description of this tab.

3.3 Mail Gateway with HA

3.3.1 Automatic E-mail Synchronisation

The automatic mail traffic synchronisation is quite similar to the Transparent Failover that is available for the Forwarding Firewall (High Availability, page 399).
As soon as mails are spooled, they are synchronized to the HA partner after a maximum of 10 seconds. However, the synchronisation procedure itself is one-way only. That means changes made to the mail log and envelope on the partner box are lost when the primary box re-takes the mail gateway.
When an already synchronized mail has been delivered, it is deleted on the HA partner.
If a synchronisation attempt fails, it is stored in a transaction log for pending actions and is retried as soon as possible.

3.3.2 Manual E-mail Synchronisation after HA Handover

In case of HA handover, the mail gateway service on the secondary HA partner server starts and performs the mail delivery. After successful recovery of the primary HA box, the primary server takes over mail delivery again and the mail gateway running on the secondary box stops delivering.
If this HA handover happens during mail delivery, it is in certain cases possible that mails are left in the mail queue on the secondary HA server, so that the delivery is not finished because of the HA handover. In other words, a HA handover can be initiated while the spooling process of mails is active. This effect appears especially during heavy load, when lots of e-mails are processed by the mail gateway service.
In this case the administrator has to move the affected mails manually from the secondary box to the primary HA partner and initiate the delivery. Thus no mail is lost due to the HA handover.
The following description shows step by step what has to be done in such a case:

Attention:
While connected via SSH, avoid entering any commands unless you know exactly what you are doing.

Step 1 Connecting
Establish a connection to the secondary HA box using Barracuda NG Admin. Now select SSH from the box menu and log into the secondary HA box as root.
Change to the spool directory of the mail gateway by using the following command line:
cd /var/phion/spool/mgw/<server>_<service>/spool/
For <server>, type in the name of the server, and for <service> the name of the mail gateway service you configured when introducing the service.


High Availability Mail Gateway with HA < Services with Additional HA Mechanisms | 409

Step 2 Check for undelivered mails Now initiate the mail insertion and delivery of the copied
This check is done by listing the content of the spool mail in the input directory:
directory. Therefore enter the following command:
/bin/kill s SIGUSR2 <server>_<service>
ls -l
For <server> type in the name of the server, and for
If the result of this command is Total 0, there are no <service> type in the name of the mail gateway service
undelivered mails left and it is not needed to carry on. In which you have configured at the time you introduced the
this case, type exit to close your SSH session. service on the box.
However, if there are files with the extension .body and
Note:
.env, continue with the next step.
Mind the case sensitivity.
Step 3 Copy the spool directory This command inserts the imported mails from the input
Copy all files to the mail input directory of the active directory to spooling process of the active mail gateway,
(primary) mail gateway service. This is accomplished by and performs the delivery. Active mail jobs in the current
using the following command line: spooling queue are not affected by this action.
scp * <IP>:/var/phion/spool/mgw/<server>_ In order to verify whether the mails have really been
<service>/input/ inserted or not, check the mail gateway logs through
The parameter <IP> indicates the box management IP of the primary HA box, where the mail gateway service is active. You will be prompted to enter the root password of the primary box.

Step 4 Copy the vscan directory (optional)
If the virus scanning for mails is active, it is necessary to copy this directory too. Therefore change to the vscan directory of the mail gateway using the following command line:

cd ../vscan/

Now copy all files to the mail input directory of the active (primary) mail gateway service. This is accomplished by using the following command line:

scp * <IP>:/var/phion/spool/mgw/<server>_<service>/input/

Step 5 Initiating delivery manually
As soon as Step 3 and Step 4 (optionally) are completed, the manually initiated delivery can be started on the primary HA box. For this purpose you need a SSH session to the active box. This session is established by using the following command line:

ssh <IP>

For <IP> type in the box management IP of the primary HA box, where the mail gateway service is active. You will be prompted to enter the root password of the primary box. After that the prompt of the primary box appears.
Logs > <servername> > <servicename> mailgw). For each newly inserted mail, a log file entry, containing the text "SPOOLER new mail inserted (id=########-######-########)", is generated. After that, normal delivery of inserted mails is initiated, and can be checked via the operative mail gateway GUI ( MailGW).

Step 6 Removing the obsolete mails
After successful delivery, remove mails left in the /spool/ and /vscan/ directories of the inactive mail gateway on the secondary box to avoid duplicate delivery. To do so, terminate the SSH session to the primary box by entering exit. The system prompt of the secondary box now appears displaying the message Connection to <IP> closed.

Note:
If the bash prompt of the secondary box does not contain the path /var/phion/spool/mgw/<server>_<service>/spool, for example because you changed to a different directory, repeat Step 1.

Now remove all mails in the current directory using the following command within the /spool/ directory of the secondary box:

rm * -f

Attention:
Usage of this command removes all files in the current directory irrecoverably. Make sure that you have not changed to another directory before entering rm * -f.

Note:
If Step 4, page 409, was performed, it is necessary to remove obsolete mails also from the /vscan/ directory.

Step 7 Exit
Enter the command exit to terminate the SSH session.
This concludes the e-mail synchronisation after HA handover.
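The cleanup in Step 6 is the step of this procedure that cannot be undone: rm * -f acts on whatever the working directory happens to be, and nothing confirms that the scp of Step 3 and Step 4 actually completed before the originals are deleted. The shell functions below are an added example, not part of the Barracuda guide or its software. They wrap that step with two checks: the directory must be the /spool/ or /vscan/ directory of the given <server>_<service> below the mail gateway spool base (/var/phion/spool/mgw by default, following the guide's paths), and every file in it must appear, with matching cksum CRC and size, in a manifest produced in the target input directory. The function names, the manifest mechanism and the S1_mgw sample name are assumptions.

```shell
# Added example, not part of the Barracuda guide: a guarded replacement for the
# "rm * -f" step of the HA mail spool synchronisation. Deletion happens only if
# (a) DIR is the spool or vscan directory of SERVER_SERVICE below the mail
# gateway spool base and (b) every file in DIR is listed, with the same CRC and
# size, in a cksum manifest taken in the target input directory.
# Function and parameter names are assumptions; the paths follow the guide.

# is_mgw_spool_dir DIR SERVER_SERVICE [BASE]
# Succeeds only if DIR is BASE/SERVER_SERVICE/spool or BASE/SERVER_SERVICE/vscan.
is_mgw_spool_dir() {
    mgw_dir=$1
    mgw_svc=$2
    mgw_base=${3:-/var/phion/spool/mgw}
    case "$mgw_dir" in
        "$mgw_base/$mgw_svc/spool"|"$mgw_base/$mgw_svc/vscan") return 0 ;;
        *) return 1 ;;
    esac
}

# all_files_in_manifest SRC MANIFEST
# MANIFEST holds "crc size name" lines as printed by "cksum *" inside the
# target directory. Succeeds if every regular file in SRC has a matching line.
all_files_in_manifest() {
    mgw_src=$1
    mgw_manifest=$2
    for mgw_f in "$mgw_src"/*; do
        [ -e "$mgw_f" ] || continue          # empty directory: nothing to compare
        [ -f "$mgw_f" ] || return 1          # subdirectories are not expected here
        mgw_want=$(cksum "$mgw_f" | awk '{print $1, $2}')
        mgw_name=$(basename "$mgw_f")
        grep -qFx "$mgw_want $mgw_name" "$mgw_manifest" || return 1
    done
    return 0
}

# guarded_cleanup DIR SERVER_SERVICE MANIFEST [BASE]
# Deletes the files in DIR only if both checks above pass.
# Exit status: 0 files deleted, 2 wrong directory, 3 copy not confirmed.
guarded_cleanup() {
    gc_dir=$1
    gc_svc=$2
    gc_manifest=$3
    gc_base=$4
    if ! is_mgw_spool_dir "$gc_dir" "$gc_svc" "$gc_base"; then
        echo "refusing: $gc_dir is not a spool/vscan directory of $gc_svc" >&2
        return 2
    fi
    if ! all_files_in_manifest "$gc_dir" "$gc_manifest"; then
        echo "refusing: not every file in $gc_dir is confirmed in $gc_manifest" >&2
        return 3
    fi
    for gc_f in "$gc_dir"/*; do
        [ -e "$gc_f" ] && rm -f -- "$gc_f"
    done
    return 0
}
```

In the procedure above the manifest would be taken on the primary box in the input directory the files were copied to (for example with cksum * in that directory during the Step 5 session) and brought to the secondary box; the cleanup is then guarded_cleanup "$PWD" <server>_<service> <manifest file>, run in the /spool/ directory and again in the /vscan/ directory if Step 4 was performed.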

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


410 | Services with Additional HA Mechanisms > Mail Gateway with HA High Availability

19 Barracuda NG Control Center

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

2. Trust Center
2.1 Certificates and Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
2.2 CCs Trust Center Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

3. Installing a CC
3.1 Configuring the Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
3.2 Installing the Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

4. CC User Interface
4.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
4.2 Standard Context Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

5. CC Control
5.1 General Characteristics of the Graphical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
5.2 Status Map Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
5.3 Favourites Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
5.4 Configuration Updates Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
5.5 File Updates Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
5.6 Sessions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
5.6.2 Context Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
5.7 Statistics Collection Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
5.8 Box Execution Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
5.9 Scanner Versions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
5.10 Software Update Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
5.11 Update Tasks Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

6. CC Configuration Service
6.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
6.2 Multi-Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
6.3 Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
6.4 Range Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
6.5 Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
6.6 Box Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
6.7 Defining Node Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
6.8 Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
6.9 Multiple Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
6.10 Adding/Moving/Copying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall) . . . . . . . . . . . . . . . . . . . . 449
6.12 Supplement: Migration of a CC to a New Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

7. CC Database
7.1 Database User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.2 Range Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.3 Cluster Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.4 Box Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.5 Server Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.6 Service Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456


8. CC Admins
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
8.2 Concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
8.3 Admin User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

9. CC Statistics
9.1 Service Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
9.2 Data Collection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
9.3 Compression Cooking and Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
9.4 Transfer Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
9.5 Recovery and State Analysis of Poll Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

10. CC Eventing
10.1 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
10.2 Event User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
10.3 Event Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
10.4 Event Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

11. CC Syslog
11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
11.2 Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.3 Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.5 Supported Ciphers and Cipher Preference by the Stunnel-based Sub-processes. . . . . . . . . . . . . 478
11.6 Filtering Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
11.7 Example Configurations for Syslog Proxy and CC Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . 479

12. CC Firewall Audit Viewer


12.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
12.2 Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
12.3 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

13. CC PKI Service


13.1 Installing and Configuring PKI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
13.2 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
13.3 Working with PKI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486

14. CC Firewall
14.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

15. VPN GTI


15.1 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
15.2 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

16. Barracuda NG Earth


16.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
16.2 CC Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
16.3 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
16.4 Barracuda NG Earth Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
16.5 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
16.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

17. CC RCS
17.1 Activating / Configuring RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
17.2 Using RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
17.3 Retrieve Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502

18. CC VPN
18.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
18.2 CC Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
18.3 Gateway Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
18.4 Remote Management Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
18.5 Additional Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
18.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

19. Admin Workspaces


19.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
19.2 How to Create Admin Workspaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
19.3 Node Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
19.4 Admin Workspace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511


1. Overview

1.1 General

The Barracuda NG Control Center (CC) is designed to manage a number of Barracuda NG Firewall gateways.

Fig. 191 Schematic view of a Barracuda NG Firewall topology with a Barracuda NG Control Center
(figure: Barracuda NG Control Center and Admin PC managing Barracuda NG gateways in the network 10.0.0.0/24)

Fig. 192 Flowchart - How a Barracuda NG Firewall becomes a Barracuda NG Control Center
Barracuda NG Firewall
  Installing the CC file, see 3. Installing a CC, page 418
  Configuring the box, see 3.1 Configuring the Box, page 418
  Installing the license(s), see 3.2 Installing the Licenses, page 419
  Configuring the CC itself, see 6. CC Configuration Service, page 434
Barracuda NG Control Center

The CC itself uses the Barracuda NG Firewall platform as its basic layer. With the operative systems it shares the layer structure Box - Server - Service. On a CC several services are available/required:

Table 191 Barracuda NG Control Center services overview
Software Module                      | Annotation                                        | Comment
CC-Configuration-Service (rangeconf) | Configuration Module                              | necessary service
CC-Event-Service (mevent)            | Event Module                                      | recommended service, needed for centralized event collection
CC-VPN-Service (mastervpn)           | VPN Server for Remote Management                  | necessary service for remote managed systems (for example via internet)
CC-Statistics-Viewer (qstatm)        | Statistics Viewing Module                         | optional service, not available for the CC entry edition
CC-Statistics-Collector (dstatm)     | Statistics Collector Module                       | optional service, not available for the CC entry edition
PKI (pki)                            | Certificate Authority for creating X509 certificates | optional service, not available for the CC entry edition
CC-Syslog-Service (msyslog)          | CC Syslog Server                                  | optional service, not available for the CC entry edition
DNS (DNS-Service)                    | DNS Server                                        | the same service as on almost all Barracuda NG Firewall gateways
Firewall (firewall)                  | Forwarding Firewall Service                       | recommended service if you have remote managed systems (for example via internet)
CC-Audit-Service (fwaudit)           | Firewall Auditing Service                         | optional, allows central gateway debugging and information viewing


2. Management Trust Center

2.1 Certificates and Keys

X509 certificates and RSA Private/Public key pairs are used to obtain peer (IP address) and administrator authenticity. For private/public key encryption two possible encryption methods exist:

2.1.1 Private Encryption

Private Encryption is used for Signatures and Authentication Checks.

Fig. 193 Certificates and Keys Private Encryption
(figure: Unencrypted data -> Private Encryption with the Private Key -> Encrypted data -> Public Decryption with the Public Key)

The public key owner can check if the data was encrypted with the matching private key, which is a proof of authenticity.

2.1.2 Public Encryption

Public Encryption is used for challenge/response and privacy protection.

Fig. 194 Certificates and Keys Public Encryption
(figure: Unencrypted data -> Public Encryption with the Public Key -> Encrypted data -> Private Decryption with the Private Key)

Only the private key owner can successfully decrypt the data. This way data can be transferred safely without a third party watching. This method can also be used for a challenge/response authenticity check: Public encrypt a random character sequence; send it to your partner; if the partner is capable to send back the original sequence you may assume that he is in possession of the private key.

2.1.3 X509 Certificates

X509 Certificates are used to combine keys with additional credential information. They give information of the origin and the intended usage of the public key they contain. Furthermore X509 certificates can be chained together building a trust chain.

Fig. 195 Certificates and Keys X509 Certificates
(figure: a self-signed Root Certificate signs an X509 Certificate, which in turn signs a further X509 Certificate; each certificate carries Subject, Issuer, Public Key and Signature, and each signature is verified with the issuer's Public Key)
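The three mechanisms of 2.1 map onto standard public-key operations: "private encryption" of a hash is what a signature does, "public encryption" of a random value is the challenge/response, and 2.1.3 is a certificate chain verified from the leaf up to a trusted self-signed root. The following Python model is an added example written for this guide, not code from the Barracuda product; it uses textbook RSA with demonstration-sized keys and no padding (a real deployment uses a library with RSA-PSS for signatures and RSA-OAEP for encryption, plus real X.509 parsing), needs Python 3.8 or later for pow(e, -1, phi), and all function names and the certificate dictionary layout are assumptions.

```python
"""Added example (not code from the Barracuda guide): a minimal model of the
three mechanisms described in 2.1. Textbook RSA with demo-sized keys and no
padding; real deployments use RSA-PSS / RSA-OAEP from a library and real X.509.
Requires Python 3.8+ (pow with a negative exponent for the modular inverse)."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test, sufficient for building demonstration keys."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_keypair(bits=512, e=65537):
    """Return ((n, e), (n, d)). e is prime, so e not dividing phi gives gcd(e, phi) == 1."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    # SHA-256 as an integer; it is far below n (n has at least 510 bits here).
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# 2.1.1 "Private Encryption": the hash is transformed with the private key and
# anyone holding the public key can undo the transformation and compare.
def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data)


# 2.1.2 "Public Encryption" as challenge/response: the verifier keeps the random
# value and sends only its encryption; only the private key recovers it.
def make_challenge(public):
    n, e = public
    secret = secrets.randbelow(n)
    return secret, pow(secret, e, n)


def answer_challenge(private, challenge):
    n, d = private
    return pow(challenge, d, n)


# 2.1.3 X509-style certificates: subject, issuer and public key are bound
# together by the issuer's signature and chained up to a self-signed root.
def _tbs(subject, issuer, public):
    return f"{subject}|{issuer}|{public[0]}|{public[1]}".encode()


def issue_cert(subject, public, issuer, issuer_private):
    return {"subject": subject, "issuer": issuer, "public": public,
            "signature": sign(issuer_private, _tbs(subject, issuer, public))}


def verify_chain(chain, trusted_root):
    """chain is leaf first and ends with the root. Each certificate must be
    signed by the next one; the last must be the trusted, self-signed root."""
    if not chain or chain[-1] != trusted_root:
        return False
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        if cert["issuer"] != issuer["subject"]:
            return False
        tbs = _tbs(cert["subject"], cert["issuer"], cert["public"])
        if not verify(issuer["public"], tbs, cert["signature"]):
            return False
    return True
```

The chain check is the part that matters for the CC model in 2.2: a box certificate is accepted only if every link up to the stored master (root) certificate verifies, and substituting a certificate signed by a key outside that chain, or omitting the root, makes verify_chain return False.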


2.2 CCs Trust Center Model

Fig. 196 CC trust center
(figure: the MASTER side shows the Master Certificate, Master License, Master Key, Master Box Key, Box Keys, an Old Key Database and SSH Keys, with arrows labelled "signed by" from the Barracuda Key and the Master Key; the BOX side shows the Box Key and SSH Key; the Barracuda NG Admin side shows "verify" steps against the Barracuda Key, the Master Public Certificate, the Box Public Certificate and the Box Name & IP Address, and the Master SSH Key and Box SSH Keys "loaded from Master")


With the use of X509 certificates and private/public RSA keys the following security features are obtained:
• Secure Box - Master Communication
  Box and Master exchange their public keys which are used for all SSL communication between the two (Strong Peer Authentication).
• Secure Master Administration
  When using the Barracuda NG Admin, the master credentials can be checked to assure that the administrative tool is really communicating with the intended Barracuda NG Control Center.
• Secure Box Administration
  Once a secure connection to the Barracuda NG Control Center has been established and the master certificate has been stored, all communication to the managed boxes can be verified by means of a trust chain.
• Secure Box SSH Login
  The master holds a database with the box SSH public keys, which can be downloaded using the Barracuda NG Admin. This way trusted SSH login is achieved.

2.2.1 Authentication Levels for Master-box Communication

As stated above the master-box trust relationship is governed by private/public key technology. Hence in a working environment the master knows its boxes and the boxes recognize the master as their one and only reign.

The default level of authentication is that a box and its master identify themselves by their keys and IP addresses. That means that the master does not send any configuration data to untrusted boxes and no box accepts data from an untrusted master. If, however, the Barracuda NG Control Center does not have a valid license (and hence no master certificate) or major migrations are made, it may be necessary to soften the level of authenticity for a short time to establish a new trust relationship. Depending on which component is the untrusted one this has to be done either on the Barracuda NG Control Center (master Control window - Configuration Updates tab - Untrusted Update checkbox selected) or on the box itself to make it accept the incoming data.

Table 192 Possible settings of authentication levels on the box itself
Setting                  | Meaning and effect
No Authentication        | level -1: anything goes. The system allows any attempt to send or fetch configuration data. Note: Use only if necessary and change back as soon as possible.
Check IP address or key  | level 0: Login is accepted if either IP address or the key challenge is successful. Still quite insecure.
Check IP address         | level 1: Login is accepted if demanded IP address is at hand. Still quite insecure.
Check key                | level 2: Login is accepted if key challenge is successful.
Check IP address and key | level 3: This is the default setting and should remain as such if there is no need to lower the security level temporarily.

Fig. 197 Extract from the Box tab in the Box Control window where authentication level can be lowered to interaction-free authentication

Note:
Since the Barracuda NG Admin uses the same communication protocol as the master, this setting applies to any Barracuda NG Admin based login attempt with the user master.


3. Installing a CC

Selecting managementcenter/standard-hardware in the Box Type Settings when creating the kickstart disk via Barracuda NG Installer (Getting Started 2. Barracuda NG Installer, page 10) installs the CC automatically.

3.1 Configuring the Box

To configure the Barracuda NG Control Center services use the Barracuda NG Admin administration tool (available on the Application&Documentation CD) and login to the box config daemon.
Proceed as follows to set up the Barracuda NG Control Center services:

Step 1 Create a server
The actions required for creating a server are identical to the ones described in Configuration Service 3. Configuring a New Server, page 94. The Product Type field in Virtual Server Definition differs from the one in regular boxes though:

List 191 Server configuration - Virtual Server Definition on CC boxes section Virtual Server Definition
Parameter    | Description
Product Type | Each product type allocates a specific range of services (Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16). The product type chosen in this place determines which CC-services will be available for creation. Choose the product type matching your purchased license.

Step 2 Create the required services
To install the required services, simply follow the instructions given in Configuration Service 4. Introducing a New Service, page 97, and select the services described in 1. Overview, page 414, as Software Module. After finishing the configuration by clicking OK, the new configuration has to be activated by clicking Activate.

To verify the installation, select Control from the box menu and check whether the created services are running (figure 198).

Fig. 198 Control - Server tab with required/recommended CC services

You can also have a look at the log files of the modules that you just have introduced. The log entries for a typical service start-up look similar to the following example:

Table 193 Example - Log file of a System Startup
Time                | Type   | Message
2002 07 16 09:04:21 | Info   | ---------- Configd Startup type=3 version=2.2.5.7 --------
2002 07 16 09:04:24 | Notice | Server Configuration changed-------------
2002 07 16 09:04:24 | Notice | 1st Server IP: 10.0.8.35
2002 07 16 09:04:24 | Notice | 2nd Server IP:
2002 07 16 09:04:24 | Notice | -----------------------------------------
2002 07 16 09:04:24 | Notice | Service Configuration changed-------------
2002 07 16 09:04:24 | Notice | Service Bind: 10.0.8.35
2002 07 16 09:04:24 | Notice | ------------------------------------------
2002 07 16 09:04:24 | Notice | Box Configuration changed-------------
2002 07 16 09:04:24 | Notice | Box Bind IP: 10.0.8.111
2002 07 16 09:04:24 | Notice | --------------------------------------
2002 07 16 09:04:24 | Info   | Listen on 10.0.8.35:810
2002 07 16 09:04:24 | Info   | Listen on 10.0.8.111:810
2002 07 16 09:04:24 | Info   | Starting Process ConfigUpdate
2002 07 16 09:04:24 | Info   | Starting Process Status Daemon
2002 07 16 09:04:24 | Info   | Starting Process Exec Daemon

Depending on the configuration of your Barracuda NG Control Center, one, more or all of the following processes are running on your system (figure 198). To find out which processes are running, use the box menu entry Control and open the Processes tab. There, all running processes are listed.

Now the Barracuda NG Control Center has its basic setup and is ready to receive the licenses.
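The start-up log in Table 193 is worth checking for more than "the service came up": it records which addresses configd bound (Service Bind, Box Bind IP) and which endpoints it actually listens on, so a listener on an address that was never reported as bound is something an administrator would want flagged. The following Python is an added example, not code from the Barracuda guide or product: it parses lines in the Time / Type / Message layout of Table 193 and reports listeners that are not on a reported bind IP or not on the port shown there (810). The sample lines are constructed after the table; function names and the assumption that every listener must sit on a bind IP are the example's own.

```python
"""Added example (not code from the Barracuda guide): parse start-up log lines
laid out as in Table 193 and report listeners that do not match the bound IPs."""
import re

# Constructed sample, following the Time / Type / Message layout of Table 193.
SAMPLE_LOG = """\
2002 07 16 09:04:21 Info ---------- Configd Startup type=3 version=2.2.5.7 --------
2002 07 16 09:04:24 Notice Server Configuration changed-------------
2002 07 16 09:04:24 Notice 1st Server IP: 10.0.8.35
2002 07 16 09:04:24 Notice 2nd Server IP:
2002 07 16 09:04:24 Notice Service Bind: 10.0.8.35
2002 07 16 09:04:24 Notice Box Bind IP: 10.0.8.111
2002 07 16 09:04:24 Info Listen on 10.0.8.35:810
2002 07 16 09:04:24 Info Listen on 10.0.8.111:810
2002 07 16 09:04:24 Info Starting Process ConfigUpdate
2002 07 16 09:04:24 Info Starting Process Status Daemon
2002 07 16 09:04:24 Info Starting Process Exec Daemon
"""

# date (YYYY MM DD), time, type, free-text message
LINE_RE = re.compile(r"^(\d{4} \d{2} \d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
BIND_RE = re.compile(r"(?:Service Bind|Box Bind IP): (\S+)$")
LISTEN_RE = re.compile(r"Listen on (\S+):(\d+)$")
PROCESS_RE = re.compile(r"Starting Process (.+)$")


def parse_log(text):
    """Split each line into date, time, type and message; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append(dict(zip(("date", "time", "type", "message"), m.groups())))
    return entries


def startup_summary(entries):
    """Collect reported bind IPs, listening endpoints and started processes."""
    summary = {"bind_ips": set(), "listeners": set(), "processes": []}
    for entry in entries:
        msg = entry["message"]
        m = BIND_RE.match(msg)
        if m:
            summary["bind_ips"].add(m.group(1))
            continue
        m = LISTEN_RE.match(msg)
        if m:
            summary["listeners"].add((m.group(1), int(m.group(2))))
            continue
        m = PROCESS_RE.match(msg)
        if m:
            summary["processes"].append(m.group(1))
    return summary


def unexpected_listeners(entries, expected_port=810):
    """Listeners not on a reported bind IP or not on the expected port, for
    example a wildcard address that would accept connections on every interface."""
    summary = startup_summary(entries)
    return sorted((ip, port) for ip, port in summary["listeners"]
                  if ip not in summary["bind_ips"] or port != expected_port)
```

Run against the sample, unexpected_listeners returns an empty list; append a constructed line such as Listen on 0.0.0.0:810 and it is returned, which is the condition an administrator would follow up on in the Processes tab.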


3.2 Installing the Licenses

Before you can use your Barracuda NG Control Center in productive service, you first must install the obtained licenses on your system. Otherwise the software will remain in demo mode and will be open to anyone to manage it.
Installing licenses is done in the following steps:

Step 1 Install the Box License
Log into the Barracuda NG Control Center box (actuate Box button of the Barracuda NG Admin Login screen). To do so, enter the box IP address of the Barracuda NG Control Center box in the Address field and the correct password in the Password field.
To install the box license, simply select the Config entry from the box menu and enter Box > Box Licenses.

Fig. 199 Box Licenses configuration

Now lock the configuration window and click the Import button to select the import type (either Import from Clipboard or Import from File).
If the license is password protected, an additional dialog is opened where you need to enter the password.
After clicking Send Changes and Activate the box licenses are activated.

Step 2 Install the master license also known as master identity
Login into the Barracuda NG Control Center (activate CC button of the Barracuda NG Admin Login screen). Enter the management IP address of the Barracuda NG Control Center in the Address field and the correct password in the Password field.
When logging into the Barracuda NG Control Center for the very first time, the message shown in figure 1910 will appear, since the necessary CC licenses are not installed at this point. Click NO to continue the login procedure.

Fig. 1910 Barracuda NG Admin warning when logging in without licenses

To install the master identity, simply select the Config entry from the box menu and enter CC Identity ( Multi-Range > Global Settings).

Fig. 1911 Master License configuration

Now lock the configuration window and click the Import button belonging to the CC License field and select an import type (either Import from Clipboard or Import from File).
If the license is password protected, an additional dialog is opened where you are expected to enter the password.
After importing the license, you must perform additional setup steps to complete the Master ID configuration: Enter a company name and edit the information of the master certificate by clicking Edit in the Master Certificate section of this window. Furthermore it is necessary to generate or import a new Master Private Key and a Master SSH Key.
After clicking Send Changes and Activate the Master ID is activated.

Step 3 Install pool licenses
To install a pool license, simply select the Config entry from the box menu and enter Pool Licenses ( Multi-Range > Global Settings).
Now lock the configuration window and click the Import button to select the import type (either Import from Clipboard or Import from File).
If the license is password protected, an additional dialog is opened where you have to enter the password.
After clicking Send Changes and Activate the Master ID is activated.

Now your Barracuda NG Control Center is ready to operate and you can start to configure the Barracuda NG Firewall appliances to be centrally manageable.


4. CC User Interface

4.1 General

When logging into a Barracuda NG Control Center (by using the CC tab of the Barracuda NG Admin login screen), you will notice that the user interface slightly differs from the one of a Barracuda NG Firewall (Getting Started 3.2 User Interface, page 17).

Fig. 1912 CC user interface - Overview

As it can be seen in figure 1912, the differences are in the Menu bar and in the Box menu. However, the options that are available via these menus have the same effect.
• Control - see 5. CC Control, page 421
• Config - see 6. CC Configuration Service, page 434
• Database - see 7. CC Database, page 456
• Statistics - see 9. CC Statistics, page 461
• Event - see 10. CC Eventing, page 468
• PKI - see 13. CC PKI Service, page 485

4.2 Standard Context Menu

Right-clicking in any tab of the control center generally opens a context menu with the following entries:
• Search for Text
  Through this entry a window is started to define a search text that all entries of this certain view are searched for. The buttons Previous and Next allow you to navigate between the found entries. Clicking the button Close closes the dialog.
• Export List to Clipboard
  Via this entry all entries of the current list are copied to clipboard.
• Export Selected to Clipboard
  This command copies only the selected entries to clipboard.
• Print List
  Prints all entries of the current view.
• Print Preview List
  This entry starts a print preview from where the print process can be started.
• Print Selected List
  This entry prints only the selected entries.
• Print Preview Selected List
  This entry starts a print preview from where the print process can be started.

Note:
If another context menu is displayed, either additionally or exclusively, it will be described in the corresponding section of this Administrators Guide.


5. CC Control
The CC Control, amongst other things, provides real-time information about all Barracuda NG Firewall gateways the Barracuda NG Control Center administers. To access it, click Control in the box menu.
The following tabs are available for operational purposes:
• Status Map Tab, see 5.2 Status Map Tab, page 421
• Favourites Tab, see 5.3 Favourites Tab, page 422
• Configuration Updates Tab, see 5.4 Configuration Updates Tab, page 423
• Sessions Tab, see 5.6 Sessions Tab, page 424
• Context Menu, see 5.6.2 Context Menu, page 425
• Statistics Collection Tab, see 5.7 Statistics Collection Tab, page 425
• Box Execution Tab, see 5.8 Box Execution Tab, page 426
• Software Update Tab, see 5.10 Software Update Tab, page 429
• Update Tasks Tab, see 5.11 Update Tasks Tab, page 432

5.1 General Characteristics of the Graphical Interface
Especially for Barracuda NG Control Centers administering a huge number of boxes, it is desirable that data sets can be arranged in such a way that the most wanted information catches the eye. Giving consideration to these needs, the CC Control incorporates several sorting mechanisms.
To simplify matters, the main characteristics regarding arrangement and ordering of data in the various tabs are described together in this chapter. Characteristics exceeding the description in this place are positioned in the respective chapter itself.

5.1.1 Title Bar(s)
• Changing the column sequence
Information situated in the main window of each operational tab is captioned with a title bar. The data sets themselves are arranged in columns. The column sequence may be adjusted to personal needs either by using the standard context menu (see 4.2 Standard Context Menu, page 420) or by dragging and dropping the respective column to another place.
• Ordering data sets
Data sets may be arranged ascending or descending respectively by clicking into the column labelling of a title bar. The information may not only be sorted alphabetically, but also with regard to a specific status.

5.1.2 Context Menu Entries
• Right-clicking into any configuration area without a selected item makes the standard context menu available through the menu item Tools (see 4.2 Standard Context Menu, page 420).
• A menu item Arrange Icons By is included in every operational tab. This menu item always contains the column headings of each specific section as sub-items and allows ordering data sets by checking the corresponding label.
In some places the Arrange Icons By sub-menu contains further parameters allowing more differentiated ordering (for example Configuration Updates tab, see 5.4.3.1 Context Menu, page 424).
The Arrange Icons By menu sometimes contains an additional value Show in Groups that allows switching between two views: the classical view, a continuous list, or a list combining groups of elements.
Fig. 1913 Group view of elements in the Statistics Collection tab, sorted alphabetically by box name
• Some operational tabs provide "action" bars with buttons meant to execute specific actions (for example Configuration tab, see 5.4.2 "Action" Bars, page 423). If such action bars are present, their buttons are included in the context menu as well.
• If present, the information displayed in a tab can generally be refreshed by using the menu items Refresh, Update List or Update Lists.

5.1.3 Filter Settings
Some tabs are equipped with the option of setting filters to narrow down the view. Filters may be applied to each available column. By default, all columns are marked with an asterisk (*), which stands for a character string of any length. Press the Enter key or click the Update List button to refresh the view after having defined a filter. As soon as a filter applies, the filtered value is displayed highlighted in yellow and the filter is flagged with an exclamation point. Click the Reset button to remove filter settings.
A further filter option is positioned in the Configuration Updates Tab (see 5.4 Configuration Updates Tab, page 423).

5.2 Status Map Tab




The Status Map summarizes status information of all systems administered by the CC. It divides systems into the hierarchical structure range, cluster and box. Clicking a range entry uncovers all clusters belonging to the respective range. Clicking a cluster entry uncovers all boxes belonging to the respective cluster.
Fig. 1914 Status Map tab (Range section, Cluster section, Box section)
Colored icons depict the general state a structural entity is in. Color coding is triggered by the severity IDs of events that have been generated on the boxes (Eventing 2.1.2 Severity Tab, page 323). Color coding implies the following:
Table 194 Color coding of status icons
Icon Description
(green) The system is in normal state. Only informational and notice events have been generated.
(yellow) Warnings have been generated. A check is recommended.
(red) Security events and errors have been generated. A check is mandatory.
(grey) A server has been disabled.
(dark grey) The system is unavailable and has been disabled in the configuration.
The status summary in each case refers to specific system entities, which are depicted by icons in the title bars of each section. The following icons are available:
Table 195 Icons used in the title bars of range, cluster and box section
Icon Description
Disk usage (Control 2.4 Resources Tab, page 36)
Status of the processes (Control 2.3 Processes Tab, page 36)
Status of the operative-relevant event monitoring (Eventing 2.1.2 Severity Tab, page 323)
Status of the security-relevant event monitoring (Eventing 2.1.2 Severity Tab, page 323)
Status of the servers (Control 2.1 Server Tab, page 29)
Status of the network (Control 2.2 Network Tab, page 30)
Validity of certificates/licenses (Control 2.5 Licenses Tab, page 37)
Displays status of the box (Control 2.6 Box Tab, page 38)

5.2.1 Context Menus

5.2.1.1 Context Menu of Range/Cluster Section
For a description of the range and cluster section context menu, please see 5.1.2 Context Menu Entries, page 421.

5.2.1.2 Context Menu of Box Section
For a general description of the box section context menu, please see 5.1.2 Context Menu Entries, page 421.
Furthermore, in this place right-clicking a selected box makes further menu items available allowing you to jump directly to certain areas within the selected Barracuda NG Firewall.
Fig. 1915 Box section context menu
The following areas are thus straightforwardly accessible from the Status Map:
• Firewall Status
• VPN status
• SSH session
• Control
• Log
• Statistics
• Event Monitor
Yet another context menu entry offers the possibility to add the selected Barracuda NG Firewall to the Favourites tab (menu entry Add to Favourites, see 5.3 Favourites Tab, page 422).

5.3 Favourites Tab
The Favourites tab aims at providing fast access to frequently needed Barracuda NG Firewall gateways. It contains those gateways which have been declared as favourites in the Status Map tab (see 5.2.1.2 Context Menu of Box Section, page 422).




The used icons and color codes are identical with the ones used in the Status Map (see 5.2 Status Map Tab, page 421).
Fig. 1916 Example for a Favourites tab with wallpaper and small icons

5.3.1 Context Menus

5.3.1.1 Context Menu without selected Icon
Right-clicking in the Favourites tab without having an icon selected opens the general context menu providing the following entries:
• Small/Large icons
This entry allows changing the icon size from large (default) to small and vice versa.
• Zoom in 10 %
If a bitmap is loaded as background (via entry Choose Bitmap), this entry is available and allows zooming into the graphic in 10 % steps. As soon as such a zoom-in step is taken, the entries Zoom out and Zoom 10 % are available in order to reset the zoom level.
• Choose Bitmap
This entry enables you to load a bitmap file as wallpaper of the Favourites tab (for example a world map). This way the (for example geographical) location of Barracuda NG Firewall gateways can be depicted.
• Remove Bitmap
This entry is only available as long as a bitmap is loaded and allows removal of this wallpaper.
• Export/Import Map Positions
These entries allow you to export/import the positions of the icons. That means you can create a standard favourites view and send it to other administrators.

5.3.1.2 Context Menu with selected Icon
This menu provides about the same entries as described in 5.2.1.2 Context Menu of Box Section, page 422. Two further menu items exist in this place:
• Open CC Configuration
Selecting this item effects a direct jump to the box configuration area in the configuration tree of the CC.
• Remove from Favourites
This item removes the selected Barracuda NG Firewall from the Favourites tab.

5.4 Configuration Updates Tab
To become active, box configuration changes done on the CC must be sent to the Barracuda NG Firewall they are meant for. This is done through the Configuration Updates tab. This tab gives an update status overview of all available Barracuda NG Firewall gateways.
Fig. 1917 Configuration Updates tab
As shown in figure 1917, the display is built up of an update status listing of all Barracuda NG Firewall gateways managed by the Barracuda NG Control Center in the main window, and of two "action" bars on top and on bottom of it respectively.
The current status is indicated by an icon in the (Box Icon) column and by characters in the Flags column (see 5.4.3 Listing, Box / Cluster / Range ID columns and Flags column, page 424).

5.4.1 Filter Settings
• Selection (Disabled/Pending/Failed/Completed/Wild)
By default all filters except "Disabled" are set to yes. Setting a filter to no excludes the corresponding boxes from the view in the main window's listing. As soon as a filter applies, the filtered value is displayed highlighted in yellow and the filter is flagged with an exclamation point. Click the Reset button to remove filter settings.

5.4.2 "Action" Bars
The items in the upper "action" bar are applicable to all existing boxes in the main window's listing.
• Clicking Restart Processes restarts the update processes manually.
The items in the lower "action" bar are applicable to all selected boxes in the main window's listing. They have the following functions:




• Untrusted Update checkbox enables the update of boxes that are not known to the Barracuda NG Control Center. Untrusted updates can as well be used on boxes in case problems with authentication keys arise.
Attention:
Untrusted updates are very hazardous, since they work without strong authentication.
The Untrusted Update option only works on boxes that accept non-authenticated connections. On a Barracuda NG Firewall, such a situation could arise after disaster recovery using an old .par file or after installation from scratch.
• Update Now triggers immediate box update execution.
• Complete Update triggers sending of the entire box configuration to the box and not only of the modified part of it.
• Block Update disables the possibility to perform a box update.
• Unblock Update enables scheduling of updates.
• Delete removes updates which can no longer be applied, that means updates allotted to boxes which have been removed from the MC's configuration tree and have thus been marked as "wild".
• Force Delete deletes configuration updates of active boxes.

5.4.3 Listing
The listing in the main window displays the configuration status of all available boxes administered by the Barracuda NG Control Center.
The listing is divided into the following columns:
• Box / Cluster / Range ID columns
These data sets describe the membership of the Barracuda NG Firewall, that means its name and the names of cluster and range it belongs to.
• (Box Icon) column
A status icon follows the box labelling. Status icons have the following signification:
Table 196 Icons used in the Configuration Updates tab
Icon Description
Box updates have been disabled.
The box is in state pending, that means an update is actively performed.
At least the last update, possibly even multiple updates, have failed on this box.
The update process has completed successfully.
Updates no longer apply, because the box has been deleted from the MC's configuration tree. The update status has been set to wild. Wild updates can be deleted from the listing with the Delete button in the "Action" bar.
• Info column
This column displays the IP address and name of the Barracuda NG Firewall. The information (wild) flags update settings of nonexistent boxes.
• Flags column
The update status can be verified in the Flags column. The following flags exist:
Table 197 Update Status flags overview
Flag | Description | Comment
C | Complete Update | A full update with the complete configuration has been applied.
E | Update Error | Last update was not successful.
F | Force Update | The last update has been forced, therewith overriding the internal scheduler.
U | Untrusted Update | Box and CC have not exchanged authentication data, and thus have not approved trustworthiness.
T | Update Terminated | Update has terminated.
B | Update Blocked | Updates are blocked.
P | Update Pending | PAR file is ready to be sent.
S | Update Scheduled | Update has been scheduled.
A | Update Active | Update process is active.
• Last Success column
This column informs about date and time of the last successful configuration update (the used syntax is yyyy mm dd hh:mm:ss).
• Last Try column
This column informs about date and time of the last attempt to update a configuration (the used syntax is yyyy mm dd hh:mm:ss).
• Tries column
Here the number of attempts to update the configuration of a Barracuda NG Firewall is displayed.
• Reason column
Here the status message is shown (for example displaying the reason for a failed update).

5.4.3.1 Context Menu
For a general description of the context menu, please see 5.1.2 Context Menu Entries, page 421.

5.5 File Updates Tab
Note:
See documentation Barracuda NG Personal Firewall.

5.6 Sessions Tab
The Sessions tab lists open supervising sessions on the boxes it administers. The data displayed in this place is similar to the information shown in the Sessions tab available on each box itself (Control 2.7 Sessions Tab, page 40).
Note:
The Sessions tab does not show configuration sessions, which for example are produced by locking configuration nodes. To find out about active configuration sessions use the Sessions button in the Config section.
The following button is available in the upper "action" bar:




• Kill Session button
Clicking this button terminates the selected session.
The listing is divided into the following columns:
Table 198 Session types overview
Column Description
Box This is the name of the Barracuda NG Firewall.
Cluster This is the name of the cluster the box resides in.
Range ID This is the name of the range that cluster and box belong to.
Service Icon The icons describe the service responsible for the session: Firewall control session (Service firewall_); Login session; VPN session (Service VPN-Service_*vpn); Log viewer session (Service box_logd); Statistics viewer session (Service box_qstatd); Box control session (Service box_control); Barracuda NG Admin session (Service phiona). A further icon indicates a sync operation.
IP This is the IP address of the Barracuda NG Firewall.
Info This is the optional box description as inserted into the Description field of the Box Config file.
Service This is the name of the service that has been accessed.
Peer This is the IP address from where the session was started.
Admin This is the name of the administrative account that has logged in.
Start This is the period that has passed since the session has started.
PID This is the internal, unique Process ID.
Double-clicking an entry opens a detail window summarising all available information regarding the specific session.

5.6.1 Context Menu
For a general description of the context menu, please see 5.1.2 Context Menu Entries, page 421.

5.6.2 Context Menu
For a general description of the context menu, please see 5.1.2 Context Menu Entries, page 421.

5.7 Statistics Collection Tab
This tab provides information about collected statistics. Double-clicking an entry opens a detail window summarising all available information regarding the statistics collection of the specific box.
The listing is divided into the following columns:
Table 199 Data listed in the Stat Collect tab
Column Description
(Box Icon) This column shows the status of statistics collection based on the reason which has provoked this status. The icons depict the following states: Statistics collection works flawlessly; Statistics collection has been aborted; Statistics collection has been disabled.
Box This is the name of the Barracuda NG Firewall.
Cluster This is the name of the cluster the box resides in.
Range ID This is the name of the range that cluster and box belong to.
IP This is the IP address of the Barracuda NG Firewall.
State Shows whether the statistics transfer configuration is based on range settings (range) or cluster settings (cluster). If no statistics transfer configuration is defined, disabled is shown.
Sync Displays the status of the box synchronisation: clean - The synchronisation procedure has been executed correctly. dirty - The synchronisation procedure has failed or is still in progress. unknown - The synchronisation status cannot be determined.
Task Shows the currently running process (for example unknown, idle).
Last Success This column informs about date and time of the last successful synchronisation (the used syntax is yyyy mm dd hh:mm:ss).
Last Try This column informs about date and time of the last synchronisation try (the used syntax is yyyy mm dd hh:mm:ss).
Reason This column displays the status and/or error messages.




5.7.1 Context Menu
For a general description of the context menu, please see 5.1.2 Context Menu Entries, page 421.

5.8 Box Execution Tab
The Barracuda NG Control Center control facility allows remote execution of scripts and programs on selected Barracuda NG Firewalls. This feature can be used to execute nonrecurring tasks like removal of unwanted files or termination of processes on several boxes simultaneously in a single administrative step. It is thus not required to log on to each Barracuda NG Firewall separately.
To this end a collection of scripts is maintained at the Barracuda NG Control Center. These scripts can be edited, added and removed by the administrator. By selecting a particular script and a Barracuda NG Firewall, execution of the script can be triggered. During execution all output of the script is directed to a box log file which is held at the CC and can be reviewed by the administrator after execution. Consult these files for verbose output or error logging of the script.
As shown in figure 1918, the display is divided into four areas:
• An Action bar on top of the main window
• Task list, see 5.8.1 Task List, page 426
• Box list, see 5.8.3 Box List, page 427
• Script list, see 5.8.2 Script List, page 426
Fig. 1918 Box Execution tab (areas: Action bar, Task list, Box list, Script list)

5.8.1 Task List
This list displays the status of tasks. The listing is divided into the following columns:
Table 1910 Data listed in the Box Execution tab
Column Description
(Box Icon) This column depicts the status of an executed task.
Box This is the name of the Barracuda NG Firewall a task has been created for.
Cluster This is the name of the cluster the box resides in.
Range ID This is the name of the range that cluster and box belong to.
Script This is the name of the script that is currently executed.
Info This column lists additional information such as IP address and short name.
Flags Flags depict the current task state. The following states are available: F - SSH failed (SSH network connection or login failed); G - Script failed (script returned a non-zero value); D - Deleted (box was removed from the CC); U - Untrusted (peer authentication check is disabled).
Priority This is the assigned task priority. The following priorities are available: 0 - High priority; 1 - Normal priority; 2 - Low priority.
Execution Time This is the time the task is currently running.
First Attempt This column informs about date and time when the first execution attempt was started (the used syntax is yyyy mm dd hh:mm:ss).
Last Try This column informs about date and time when the last execution attempt was started (the used syntax is yyyy mm dd hh:mm:ss).
Tries This is the number of execution tries.
Reason This is the failure reason in case the last execution try has failed.

5.8.1.1 Context Menu
For a general description of the context menu, see 5.1.2 Context Menu Entries, page 421.
Additionally, the following further menu items exist in the Task List window:
• Reschedule
If remote execution fails (box is not reachable over the network, script fails or box is untrusted) a task can be rescheduled. When doing so, time schedule, priority settings and trust level can be re-chosen.
• Delete Task
Removes the selected tasks and terminates any running processes if necessary.

5.8.2 Script List
In this place, scripts provided for execution on boxes can be created, modified and deleted. Use the buttons from the action menu to perform the following operations:
• New
Click this button to create a new script. Choose a name for the script and enter a sequence of bash commands to be executed.
• Edit button
Select a script and click this button to modify it.




• Remove button
Discards a script stored on the Barracuda NG Control Center.
Note:
A script, which can be selected together with a box or a box group object, has to exist before a task can be created.

5.8.3 Box List
In the box list, boxes or groups of boxes can be selected for task execution. Two tabs with different functions are available to do so.

5.8.3.1 Objects Tab
In this tab, multiple boxes can be combined to form group objects. The so-called Barracuda NG Control Center Objects are a permanently grouped selection of boxes. They are intended to provide the administrator with a quick task creation opportunity.
Barracuda NG Control Center Objects are saved to the Microsoft Windows System Registry on the client PC. They can be exchanged between multiple client PCs by exporting and then again importing them.
Note:
Barracuda NG Control Center Objects created in the Box Execution tab may be used in the Software Updates tab as well and vice versa.
Click the New button in the action menu of the Objects tab in the box list to create a new Barracuda NG Control Center Object. This opens a new window enabling box selection.
Fig. 1919 Box List Edit Object
Fig. 1920 Creating a box group object
Enter a name for the new object in the Object Name field. Select all desired boxes by simultaneously pressing the Shift/CTRL key and clicking a box. Then, click the Save Object button to save the object.
When reopening the object after it has been saved, only the selected boxes are displayed in the configuration window.
Select the Show All Boxes checkbox to display a view showing all available boxes. The boxes belonging to a saved object are shown highlighted.
The following buttons in the Edit Object window allow further actions:
Note:
Whether buttons are activated for use or not depends on the selected view (checkbox Show All Boxes selected or not) and on whether the object has already been saved.
• Show Log
Displays a view of the box log file containing entries about the last executed task. Box log files are stored on the CC. Their view can as well be triggered by double-clicking a box entry in the list.
• Clear Log
Clears a box log file's contents. This should best be done before executing a new task.
• Remove Box
Removes the box from the saved object.
• Reload Object
Refreshes the view to display boxes saved in the object only.
• Create Copy
Creates a copy of an already saved Barracuda NG Control Center Object.

5.8.3.2 Boxes Tab
The Boxes tab displays a listing of all existing boxes on the Barracuda NG Control Center. A selected box is displayed highlighted. Multiple boxes can be selected by simultaneous pressing of the Shift/CTRL key and clicking on a box.
The following detail information is covered in the box list:
• Box / Cluster / Range ID columns
These data sets describe the membership of the Barracuda NG Firewall, that means its name and the names of cluster and range it belongs to.
• Info column
This column displays additional box information (IP address and short name).
• Version column
This is the version number of the Barracuda NG Firewall installed on the box.

5.8.3.3 "Action" Bars
The following action menu applies for both tabs in the box list:
• Create Task button
The Create Task button becomes active when a Box/Object/Script combination is chosen from the Scripts and Box lists. Task creation opens the Schedule Task window allowing for detailed specification when and how the task should




be executed. The following configuration values are made available:
Fig. 1921 Schedule Task window
List 192 Schedule Task configuration
Parameter Description
Box Authentication The following two modes are available for selection: Trusted (Validate Key) and Untrusted (Ignore Key). The untrusted mode enables the update of boxes that are not known to the Barracuda NG Control Center. Untrusted updates can as well be used on boxes in case problems with authentication keys arise. Otherwise, trusted mode should always be used.
Scheduling Mode By default, tasks are scheduled for Immediate Execution. The option Delayed Execution activates the parameter Scheduled Time below, where task execution time can be configured in detail.
Scheduled Time These two fields take a scheduling time for task execution.
Priority When multiple tasks are configured for execution, the priority setting determines the execution succession. The setting may be chosen from Low over Normal to High Priority.

The following action menu only applies for the Boxes tab:
• Show Log button
Displays a view of the box log file containing entries about the last executed task. Box log files are stored on the CC. Their view can as well be triggered by double-clicking a box entry in the list.
• Clear Log button
Clears the log files of all selected boxes. This should best be done before executing a new task.

The following action menu only applies for the Objects tab:
• Edit button
Clicking this button allows editing a selected object.
• New button
Creates a new object.
• Remove button
Removes the selected object.
• Import button
Imports a Barracuda NG Control Center Object into the Microsoft Windows System registry.
• Export button
Exports a Barracuda NG Control Center Object from the Microsoft Windows System registry. Box group objects are saved to Barracuda NG Control Center Object (*.mco) files.

5.8.4 Example
For easier understanding of the procedure when taking actions via the Box Execution tab, have a look at the following example: The aim is to clean up the /tmp directory on all Barracuda NG Firewalls.
Fig. 1922 Box Execution tab (areas: Action bar, Task list, Box list, Script list)

Step 1 Create a new script
Click the New button in the Script list window, enter cleantmp as script name and insert the command sequence shown in figure 1923.
Fig. 1923 Shell Script

Step 2 Select the boxes and the cleantmp script
Select all boxes on the Boxes tab in the Box list window and the cleantmp script in the Script list window simultaneously.

Step 3 Create the tasks
Click the Create Task button in the Box list window.

Step 4 Schedule the tasks
Schedule the tasks for Immediate Execution in the Schedule Task window.
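The command sequence of figure 1923 is not reproduced here; what follows is an added example of a cleantmp script for Step 1, written for this guide extract and not Barracuda's own script. It is shaped around two facts the tab gives you: everything the script prints lands in the box log file on the CC, and a non-zero exit status is what turns a task into flag G with a red indicator. The directory, the age limit and the restriction to direct children are assumptions so the sweep can be rehearsed on a scratch directory instead of the real /tmp.

```shell
#!/bin/sh
# Added example, not the command sequence of figure 1923: a "cleantmp" script
# as it could be stored in the Script list. Everything it prints ends up in the
# box log file kept on the CC, so it logs each removal; it exits non-zero when a
# removal fails, which the task list reports as flag G (script failed) and a
# red indicator instead of a silently "finished" task.
#
# Assumptions (not from the guide): only regular files directly below the
# target directory and older than a given number of days are removed, and the
# directory is a parameter so the sweep can be rehearsed on a scratch directory
# instead of the real /tmp.

set -u

# cleantmp <dir> <max_age_days>
# Removes stale regular files below <dir>, logs each one, and returns 0 only
# when every candidate could be removed (2 if <dir> is not a directory).
cleantmp() {
    dir=$1
    max_age_days=$2
    if [ ! -d "$dir" ]; then
        echo "cleantmp: $dir is not a directory" >&2
        return 2
    fi
    # -xdev keeps find on one filesystem so nothing mounted under <dir> is
    # touched; -mindepth/-maxdepth restrict the sweep to direct children;
    # -type f skips directories, sockets and symlinks.
    find "$dir" -xdev -mindepth 1 -maxdepth 1 -type f -mtime +"$max_age_days" -print |
    while IFS= read -r f; do
        if rm -f -- "$f"; then
            echo "cleantmp: removed $f"
        else
            echo "cleantmp: could not remove $f" >&2
            exit 1   # ends the loop subshell; the pipeline then returns 1
        fi
    done
}

# demo_cleantmp: builds a scratch directory (DEMO_DIR) holding one stale file,
# one fresh file and one stale file in a subdirectory, then sweeps it with a
# 7-day limit. Returns cleantmp's status.
demo_cleantmp() {
    DEMO_DIR=$(mktemp -d)
    printf 'stale\n' > "$DEMO_DIR/old.log"
    touch -t 201002010000 "$DEMO_DIR/old.log"      # 2010-02-01: far older than 7 days
    printf 'fresh\n' > "$DEMO_DIR/new.log"          # just created: must survive
    mkdir "$DEMO_DIR/sub"
    printf 'nested\n' > "$DEMO_DIR/sub/old.log"
    touch -t 201002010000 "$DEMO_DIR/sub/old.log"  # stale but nested: out of scope
    cleantmp "$DEMO_DIR" 7
}

demo_cleantmp
```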




Step 5 Watch the task list
The newly created tasks appear as entries with a green indicator (figure 1924) and disappear as soon as the task is finished.
Fig. 1924 Box Exec with tasks running
If a task fails, the according entry remains in the task list and is shown with a red indicator. Have a look at the Reason column for an explanation of the failure.

Step 6 Review the log files
Double-click the specific Barracuda NG Firewalls to view the log files and check if the desired actions have been taken.
Fig. 1925 Box log file view

Step 7 Reschedule or delete failed tasks
Fig. 1926 Rescheduling of a failed task

5.8.5 Popular Scripts
Table 1911 Popular Scripts
Name | Content | Function
wipeevent | rm -f /var/phion/event/eventd.db | clears all events from the selected Barracuda NG Firewall(s) at once
relcheck | /etc/phion/bin/phionRelCheck | performs a release check on freshly installed Barracuda NG Firewalls
redbutton | /opt/phion/bin/phionctrl shutdown | initiates an emergency stop on the selected Barracuda NG Firewall(s)

5.9 Scanner Versions Tab
The Barracuda NG Control Center provides a quick overview of active content scanner versions, especially in distributed environments.
The tab Scanner Versions displays detailed information about the currently active Virus Scanner engine and Virus Scanner patterns. Also, date and time of the last successful update are available.
Table 1912 Data listed in the columns of the Scanner Versions tab
Column Description
Box The name of the CC-administered box.
Cluster The name of the cluster the box resides in.
Range ID The range that the cluster and the box belong to.
Server The virtual server on the box.
Service The assigned service on the box.
Product Version The product version communicated by the box.
Engine Version The engine version communicated by the box.
Packlib Version The packlib version communicated by the box.
Pattern Version The Virus Scanner pattern version communicated by the box.
Last Update Date and time of the last update.

5.10 Software Update Tab
The Software Update tab is intended for execution of software updates on managed boxes. It is especially designed for administration of a huge number of Barracuda NG Firewalls with different release versions.
The handling of remote software updates is very similar to the remote execution facility described under 5.8 Box Execution Tab, page 426.
Note:
Valid software packages are RPM files for release
updates and service packs (SP) and zipped tar files
(*.tgz archives) for software hot fixes.




Table 1913 Data listed in the system list of the Software Update tab (continued; the first columns are listed under 5.10.1 System List)
Column Description
Last good status This is the time that has passed since the CC has fetched status information from a box successfully. Barracuda NG Firewalls 3.4.4 and later, and 3.6.1 and later propagate status information to the CC actively. Information that has been "pushed" to the CC by these systems is flagged with P in the column listing.
Last attempt successful This column indicates whether the last attempt to fetch status information from a box has been successful (yes/no).
Last attempt If the last attempt to fetch status information from a box has been unsuccessful, this column indicates the time that has passed since then.
Fail reason This column lists the reason for status information update failure.

Attention:
Only use RPMs provided by Barracuda Networks. If you are for some reason forced to install an arbitrary RPM, you yourself must make sure that the installed software is compatible with the Barracuda NG Firewall components present.
Hotfixes are zipped TAR files which include the package data and a script called doit. The activation procedure simply unpacks the TAR file in a temporary directory and then calls the doit script within this directory. The script then copies the package file to the proper location.
You can create your own hotfixes and use them to distribute files among your boxes.
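The hotfix layout just described, as an added example that is not Barracuda's packaging tool: a script that builds such a .tgz (package data plus doit) and then replays the activation procedure locally, unpacking into a temporary directory and calling doit there. It assumes that doit is called without arguments and that the install directory is passed in the HOTFIX_DEST variable (a choice made for this example so a rehearsal never touches real system paths); the SHA-256 manifest inside the archive is likewise an addition, so that doit refuses a payload that was altered after packaging.

```shell
#!/bin/sh
# Added example, not Barracuda's own tooling: build a hotfix archive in the
# layout the guide describes (package data plus a "doit" script in a .tgz) and
# replay the activation procedure: unpack into a temporary directory, run
# ./doit from there, clean up.
#
# Assumptions (not from the guide): doit is called without arguments and reads
# its install directory from $HOTFIX_DEST (default /tmp/hotfix-demo-dest).
# The SHA-256 manifest is an addition: doit installs nothing if a payload's
# digest no longer matches what the archive's author recorded.

set -eu

# build_hotfix <archive.tgz> <payload file> <install name>
# Packs the payload as <install name>, a manifest with its digest, and doit.
build_hotfix() {
    archive=$1; payload=$2; name=$3
    work=$(mktemp -d)
    cp "$payload" "$work/$name"
    (cd "$work" && sha256sum "$name" > MANIFEST.sha256)
    cat > "$work/doit" <<'EOF'
#!/bin/sh
# Executed from the directory the archive was unpacked into.
set -eu
dest=${HOTFIX_DEST:-/tmp/hotfix-demo-dest}
# Integrity gate: a tampered or truncated payload stops the hotfix here.
if ! sha256sum -c MANIFEST.sha256 >/dev/null 2>&1; then
    echo "doit: manifest check failed, nothing installed" >&2
    exit 1
fi
mkdir -p "$dest"
# Copy every file named in the manifest to its "proper location".
for f in $(cut -d' ' -f3- MANIFEST.sha256); do
    cp -p "$f" "$dest/$f"
    echo "doit: installed $f to $dest"
done
EOF
    chmod 755 "$work/doit"
    tar -czf "$archive" -C "$work" .
    rm -rf "$work"
}

# activate_hotfix <archive.tgz> <install dir>
# Mirrors the CC's activation: unpack into a temporary directory, run doit
# there with HOTFIX_DEST set, clean up. Returns doit's exit status.
activate_hotfix() {
    archive=$1; dest=$2
    tmp=$(mktemp -d)
    rc=0
    tar -xzf "$archive" -C "$tmp"
    (cd "$tmp" && HOTFIX_DEST="$dest" ./doit) || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# tamper_hotfix <good.tgz> <bad.tgz>
# Rebuilds the archive with a modified payload but the original manifest,
# which is exactly what doit's integrity check exists to catch.
tamper_hotfix() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp"
    echo "injected line" >> "$tmp/$(cut -d' ' -f3- "$tmp/MANIFEST.sha256")"
    tar -czf "$2" -C "$tmp" .
    rm -rf "$tmp"
}

# Demo on constructed data: one config file, a genuine and a tampered archive.
DEMO_DIR=$(mktemp -d)
printf 'greeting = hello from hotfix\n' > "$DEMO_DIR/example.conf"
build_hotfix "$DEMO_DIR/hotfix-demo.tgz" "$DEMO_DIR/example.conf" example.conf
tamper_hotfix "$DEMO_DIR/hotfix-demo.tgz" "$DEMO_DIR/hotfix-bad.tgz"
activate_hotfix "$DEMO_DIR/hotfix-demo.tgz" "$DEMO_DIR/dest-good"
activate_hotfix "$DEMO_DIR/hotfix-bad.tgz" "$DEMO_DIR/dest-bad" || echo "tampered archive rejected (exit $?)"
```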
The display of the Software Update tab is divided into four areas (figure 1927):
• Action bar
• System List, see 5.10.1 System List, page 430
• View/Filter List, see 5.10.2 View/Filter List, page 432
• Software List, see 5.10.3 Software List, page 432
Fig. 1927 Software Update tab - Groups view (areas: Action bar, System list, View/Filter list, Software list)

5.10.1 System List
In the system list, administrative entities may be arranged in views corresponding to the structure of the Barracuda NG Control Center configuration tree. Views are triggered by appropriate selection in the Current View list within the View/Filter list (see View/Filter List below).
Each view includes detailed information about every system the Barracuda NG Control Center administers. The detail information is arranged in the following columns. Note that not all columns are available in every view.
Table 1913 Data listed in the system list of the Software Update tab
Column Description
Name This is the name of the CC-administered box.
Cluster This is the name of the cluster the box resides in.
Range This is the name of the range that the cluster and the box belong to.
Group This is the name of the group the box has been assigned to.
Version This is the software version installed on the box.
IP This is the management IP address of the box.

5.10.1.1 Views
Note:
An Administrator only sees ranges, clusters, and boxes of his scope.
In the System list, CC-administered boxes may be arranged in one of the following views:
• Groups
Fig. 1928 Software Update tab - Groups view
The Groups view allows defining administrative groups of boxes, in order to facilitate installation of updates on boxes with similar configurations.
To access this view, select Groups in the Current View list within the View/Filter list.
Note:
Only a root Administrator is allowed to edit groups (create, delete and rename groups).
• To create a group:
  Click the Lock button in the Action bar.
  Right-click any item in the System list, select Create Group from the context menu and specify a group name (the characters <space> ' " and | are not allowed in group names; they will be replaced by an underscore (_)).
  Click the Save Groups button in the Action bar.
• To delete a group:
  Click the Lock button in the Action bar.
  Select the group in the System list, right-click and select Remove from the context menu. Note that the preconfigured group element !unassigned may not be deleted. When a group is deleted, boxes assigned to it are automatically moved to the group !unassigned.
  Click the Save Groups button in the Action bar.
• To assign a box to a group:
  Click the Lock button in the Action bar.
  Click a box, drag it to the group it should be assigned to and drop it.

  - Click the Save Groups button in the Action bar.

Note:
Boxes may only be assigned to one group.

Note:
Everybody can see all groups and move his ranges, clusters, and boxes into any group.

• Ranges

Fig. 19-29 Software Update tab - Ranges view

In the Ranges view, boxes are arranged in a tree structure as known from the configuration tree in the Config section of Barracuda NG Admin.

• Boxes

Fig. 19-30 Software Update tab - Boxes view

In the Boxes view, boxes are arranged ordered alphabetically by their name.

• Versions

Fig. 19-31 Software Update tab - Versions view

In the Versions view, boxes are summarized by the Barracuda NG Firewall software version they are currently installed with. Boxes that are unavailable are assigned to the version item unknown.

5.10.1.2 Context Menu

The context menus available in the System list are dependent on the view that has been defined in the View/Filter list.

In all views, right-clicking a box makes the following entries available:

• Trigger reload
  Click here to trigger the CC to fetch current status information from a box. Then click the Update List button to reload the view in Barracuda NG Admin.

  Note:
  Allow a few seconds before reloading the Barracuda NG Admin view.

  Note:
  Status information for boxes pushing content actively (flagged with P in the listing) is always reloaded when Trigger Reload is executed on any system.

• Check all
  Click here to select all systems displayed in the listing. For selected systems update tasks may be created (see 5.11.1 Example, page 433).

• Uncheck all
  Click here to unselect all systems.

• Collapse all
  Click here to collapse the complete configuration tree.

• Expand all
  Click here to expand the complete configuration tree.

In the Groups view, the following additional entries are available:

Note:
To enable group-related context menu items, lock the View/Filter list area by clicking the Lock button.

• Create Group
  Click here to create a new organisational group.

• Rename
  Select a group and click here to rename it. Note that the preconfigured group element !unassigned may not be renamed.

• Remove
  Select a group and click here to delete it. Note that the preconfigured group element !unassigned may not be deleted. When a group is deleted, boxes assigned to it are automatically moved to the group !unassigned.

5.10.1.3 Viewing Box Details

Fig. 19-32 Box Details window

To view detailed box information, double-click a box in the System list. This opens the Details window including the following information:

• Log tab
  This tab contains the log messages related to the last software update execution. Information may be reloaded from the CC by clicking the Reload button or cleared from the window by clicking the Clear button. Note that log entries are not cleared from the logfiles on the box itself.

• Versions tab
  This tab lists important modules installed on the box and their corresponding version numbers.

• RPMs tab
  This tab lists all RPMs installed on the box and indicates their status.
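The group rules described in 5.10.1 (editing requires the Lock button, a box belongs to exactly one group, the characters <space> ' " and | in a group name become underscores, and !unassigned can be neither deleted nor renamed and receives the boxes of a deleted group) can be checked against a small model. The following Python class is an added example written for this guide; it is not Barracuda code and not the CC's own implementation, and the box and group names used in it are constructed.

```python
import re

UNASSIGNED = "!unassigned"  # preconfigured group: cannot be deleted or renamed
# Characters the guide lists as not allowed in group names; the CC replaces them with "_".
_FORBIDDEN = re.compile(r"[ '\"|]")


def sanitize_group_name(name: str) -> str:
    """Apply the documented substitution: <space> ' " and | become underscores."""
    return _FORBIDDEN.sub("_", name)


class UpdateGroups:
    """Model of the Groups view (example only): every box belongs to exactly one group."""

    def __init__(self, boxes):
        self.groups = {UNASSIGNED: set(boxes)}  # all boxes start unassigned
        self.locked = False

    def lock(self) -> None:
        """Corresponds to clicking Lock in the Action bar."""
        self.locked = True

    def _require_lock(self) -> None:
        if not self.locked:
            raise PermissionError("lock the view before editing groups")

    def create_group(self, name: str) -> str:
        self._require_lock()
        name = sanitize_group_name(name)
        if not name or name in self.groups:
            raise ValueError(f"invalid or duplicate group name: {name!r}")
        self.groups[name] = set()
        return name

    def rename_group(self, old: str, new: str) -> str:
        self._require_lock()
        if old == UNASSIGNED:
            raise ValueError(f"{UNASSIGNED} cannot be renamed")
        if old not in self.groups:
            raise KeyError(old)
        new = self.create_group(new)          # sanitized and checked for duplicates
        self.groups[new] = self.groups.pop(old)
        return new

    def group_of(self, box: str) -> str:
        for name, members in self.groups.items():
            if box in members:
                return name
        raise KeyError(box)

    def assign(self, box: str, group: str) -> None:
        """Drag-and-drop: the box leaves its previous group, since it may only be in one."""
        self._require_lock()
        if group not in self.groups:
            raise KeyError(group)
        self.groups[self.group_of(box)].discard(box)
        self.groups[group].add(box)

    def remove_group(self, name: str) -> list:
        """Delete a group; its boxes move to !unassigned. Returns the moved boxes."""
        self._require_lock()
        if name == UNASSIGNED:
            raise ValueError(f"{UNASSIGNED} cannot be deleted")
        moved = self.groups.pop(name)
        self.groups[UNASSIGNED] |= moved
        return sorted(moved)
```

The model deliberately refuses every edit until lock() has been called, mirroring the Lock button, so a script built on it cannot silently reshuffle group membership.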

5.10.2 View/Filter List

Filtering options available in this section allow defining specific views in order to easily recognize systems with identical software versions. Based on this, boxes may then be selected and scheduled for update concurrently.

The following filtering options are available:

• Current View
  Options available in this list are described in detail in 5.10.1.1 Views, page 430.

• Filter / Known hotfixes/patches
  Combination of these filtering options allows including or excluding boxes in or from the view respectively. The Known hotfixes/patches field lists all patches that have already been installed on an arbitrary number of boxes and have been recognized by the CC.

  Note:
  Only hotfixes (all) and patches 3.6.x will be shown (since 4.0, patches are of type releases/packages). To change this, set the Current View to Versions. This will show the CC-managed boxes in sections with their current software version.

To define a filter based on a system's software version proceed as follows:

  - Click the Lock button in the View/Filter list.
  - Select an update listed in the Known hotfixes/patches field.
  - Select Installed on in the Filter list to include boxes that have been installed with the patch into the view in the System list, or select NOT installed on in the Filter list to exclude these boxes from the view.
  - Click the Reset button to remove filter settings.

5.10.3 Software List

Into the Software list, update packages to be installed on CC-administered boxes must be imported. From there they can then be selected in order to create corresponding update tasks for execution. Current update packages may be downloaded from the Barracuda Networks support homepage.

The following buttons are available in the action bar in order to execute one of the following operations:

• Import button
  Allows importing a software package into the CC.

• Show button
  Displays software package specific information. This information may be displayed as well by double-clicking a selected software package.

• Remove button
  Deletes an uploaded software package from the CC.

Note:
Uploaded software packages are stored in /opt/phion/rangetree/exec/rpms on the Barracuda NG Control Center. The partition this folder resides in is 2 GB in size. To prevent the CC running out of disk space, make sure to delete outdated update packages from the software list regularly.

5.11 Update Tasks Tab

Update tasks that are created in the Software Update tab are not executed immediately but instead are added to the listing in the Update Tasks tab. This list displays the status of tasks.

The listing is divided into the following columns:

Table 19-14 Data listed in the task list of the Software Update tab

Column | Description
Box | This is the name of the Barracuda NG Firewall.
Cluster | This is the name of the cluster the box resides in.
Range ID | This is the name of the range that cluster and box belong to.
(Box Icon) | This column depicts the status of an executed task. The icon indicates either that the task is executed successfully or that task execution has failed.
RPM | This is the name of the RPM that is currently executed.
Info | This column lists additional information such as IP address and short name.
Status | This is the assigned task status: 0 Pending Copy, 1 Failed Copy, 2 Completed Copy (ready for activation).
Time | This column informs about date and time when the update was started (the used syntax is yyyy mm dd hh:mm:ss).
Reason | This is the failure reason in case the last execution try has failed.

Consider the example below to understand the context between task creation in the Software Update tab and task execution in the Update Tasks tab.
5.11.1 Example

The example below describes how to create a software update task in the Software Update tab and add it to the Update Tasks tab.

Step 1 Import a package
Click the Import button in the Software list window, select a package and click Open to import it into the CC.

Step 2 Check the package content
Double-click the imported package in the package selection list and make sure that it contains the desired software.

Fig. 19-33 RPM information window

Step 3 Create the update tasks
In the Software list select the package, and in the System list check the Barracuda NG Firewall(s) that should be updated with the imported package. Then click the Create Task button in the View/Filter list window.

Step 4 Schedule the tasks
Schedule the tasks for Immediate Execution in the Schedule Task window.

Fig. 19-34 Scheduling a new task

Step 5 Watch the task list
For each created task an entry is added to the Update Tasks tab. Tasks are added with a green indicator and disappear as soon as they have been executed.

Step 6 Check the package transfer
Check the update task list for the status of the package transfer and wait until the task is in the Copy Completed state.

Note:
This may take some time.

Step 7 Activate the package
Access the Update Tasks tab, select the task and then select Perform Update from the context menu. Wait until the update task entry disappears from the list.

Step 8 Review the log files
In the Software Update tab, double-click the specific Barracuda NG Firewall to view the log files and check if the desired actions have been taken.

Step 9 Review the log files on the updated box
Log in to the box log facility and review the update log files for the installed package type (Logs > Box > Release).

Step 10 Reschedule or delete failed tasks

Fig. 19-35 Rescheduling of a failed task
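Step 2 asks you to check the package content before tasks are created. For self-made hotfixes (per 5.10, a zipped TAR containing the package data and a doit script that activation unpacks into a temporary directory and then executes), the following Python script is an added example, not Barracuda code: it builds small constructed hotfix archives, then inspects an archive for a top-level doit script, member paths that would escape the unpack directory, links pointing outside the archive and device nodes, and returns the doit script text for review. The archive names, file names, script content and target path in the samples are constructed placeholders.

```python
import io
import os
import tarfile
import tempfile
from dataclasses import dataclass, field


@dataclass
class HotfixReport:
    """Result of inspecting one hotfix archive."""
    members: list = field(default_factory=list)
    has_doit: bool = False
    doit_script: str = ""
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.has_doit and not self.problems


def build_sample_hotfix(path: str, members: dict) -> None:
    """Write a gzipped TAR from {member name: bytes}.

    Constructed test data for this example only; not a real Barracuda hotfix.
    """
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name == "doit" else 0o644
            tar.addfile(info, io.BytesIO(data))


def path_escapes(rel_path: str) -> bool:
    """True if a member path would leave the directory it is unpacked into."""
    norm = os.path.normpath(rel_path)
    return rel_path.startswith("/") or ".." in norm.split("/")


def inspect_hotfix(path: str) -> HotfixReport:
    """List the archive and flag anything that should stop activation."""
    report = HotfixReport()
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            report.members.append(m.name)
            # Activation unpacks into a temporary directory and runs doit there,
            # so a member path that escapes that directory is a red flag.
            if path_escapes(m.name):
                report.problems.append(f"{m.name}: escapes the unpack directory")
            if m.issym() or m.islnk():
                # hard links name another member; symlinks are relative to their own directory
                target = m.linkname if m.islnk() else os.path.join(os.path.dirname(m.name), m.linkname)
                if path_escapes(target):
                    report.problems.append(f"{m.name}: link to {m.linkname} points outside the archive")
            if m.isdev():
                report.problems.append(f"{m.name}: device node in archive")
            if os.path.normpath(m.name) == "doit":
                if m.isfile():
                    report.has_doit = True
                    report.doit_script = tar.extractfile(m).read().decode("utf-8", "replace")
                else:
                    report.problems.append("doit is not a regular file")
    if not report.has_doit:
        report.problems.append("no usable top-level doit script")
    return report


def run_demo() -> dict:
    """Build constructed archives in a temp dir and inspect each; returns name -> HotfixReport."""
    workdir = tempfile.mkdtemp(prefix="hotfix-demo-")
    samples = {  # constructed samples; /opt/example-target is a placeholder path
        "good": {"doit": b"#!/bin/sh\ncp pkg.rpm /opt/example-target/\n", "pkg.rpm": b"RPM"},
        "traversal": {"doit": b"#!/bin/sh\n", "../../etc/cron.d/job": b"x"},
        "nodoit": {"pkg.rpm": b"RPM"},
    }
    reports = {}
    for name, members in samples.items():
        archive = os.path.join(workdir, name + ".tgz")
        build_sample_hotfix(archive, members)
        reports[name] = inspect_hotfix(archive)
    return reports


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(name, "OK" if rep.ok else "REJECT", rep.problems)
```

The inspection only reads the archive (getmembers and extractfile); nothing is unpacked, so a malformed archive cannot write outside the working directory while you are still deciding whether to import it.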

6. CC Configuration Service

6.1 General

The Configuration Service of the Barracuda NG Control Center is accessible through the box menu item Config. It allows remote configuration of the CC and of the Barracuda NG Firewalls the CC administers.

Fig. 19-36 Barracuda NG Control Center (CC) Configuration Service

The main window consists of two frames. The left one shows the configuration tree, the right one shows in tabs:

• Open Nodes
  access to all opened configuration files
• Boxes
  access to the boxes' configuration files
• Server
  access to the virtual server configuration files
• Services
  access to the assigned services' configuration files

Note:
If there is no right frame on your screen, open it with your mouse from the right side of the main window.

To switch from the CC to a box, right-click the desired box and choose Launch Control for Box from the context menu.

Fig. 19-37 CC Config main window - launch control for box

Three administration entities are available:

• Range
• Cluster
• Box

Attention:
Barracuda NG Control Center 4.2 does not provide support for managing Barracuda NG Firewall 3.2 clusters. All clusters must be migrated to version 3.4 or higher before updating the CC to Barracuda NG Firewall 4.2 (see 6.9.3.1 Migrating a Cluster, page 447).

6.2 Multi-Range

The configuration node Multi-Range represents the highest level within the Barracuda NG Control Center configuration tree hierarchy. It contains all available ranges, clusters and boxes that are managed by the Barracuda NG Control Center.

6.2.1 Context Menu of Multi-Range

To access the Multi-Range context menu, right-click the configuration node Multi-Range. The context menu makes the following CC-specific items available beside the standard entries known from the single box configuration (configuration tree item Box, see Configuration Service 2.2.1.1 Box Context Menu, page 51):

• Create Range
  Clicking this entry allows creating a new range (see 6.4.1 Creating a New Range, page 441).

  Note:
  Immediately click Send Changes > Activate after having introduced a new range.

• Toggle Permission View
  Clicking this entry displays the configurable read (r) and write (w) permissions for each entry of the configuration tree. For information on how to configure permission settings, refer to 6.7 Defining Node Properties, page 445.

• Toggle Release View
  Clicking this entry displays the release version numbers of all boxes, servers and services included in the Multi-Range configuration. For details on Barracuda NG Firewall multi-release features, see 6.9 Multiple Releases, page 446.

• Restrict View to Range, Restrict View to Cluster
  These entries become available with selection of either a Range or a Cluster node. Clicking the respective entry restricts the view to the selected range or cluster accordingly.

• Show Full tree
  This entry becomes available when the configuration tree view is restricted to either range or cluster view (see above). Clicking it expands the configuration tree view to display all ranges and clusters.

• Migrate Clusters, Migrate Ranges, Migrate Complete Tree
  For a description of these context menu entries, refer to 6.9 Multiple Releases, page 446.

6.3 Global Settings

Global Settings are applicable for all ranges, clusters and boxes that the Barracuda NG Control Center administers. The following settings are available for configuration:

• Eventing
• Global Firewall Objects
• Pool Licenses, page 436
• CC Identity, page 436
• CC Parameters, page 437
• CC Access Notification, page 438
• Administrative Roles, page 438
• Statistics Cook Settings, page 439
• VPN GTI Editor (Global), page 439
• Box VIP Network Ranges, page 439

6.3.1 Global Settings - Eventing

Global eventing settings are effective for all events that CC-administered boxes propagate to the Barracuda NG Control Center. Global settings may be overridden by Range- or Cluster-specific event settings (see 6.4.2.2 Range-specific Event Settings, page 441, and 6.5.2.2 Cluster-specific Event Settings, page 444).

To access global eventing settings, select Eventing in the configuration tree (accessible through Config > Multi-Range > Global Settings).

The configuration procedure of global eventing settings is identical to the procedure on single boxes. For details, see Eventing 2. Event Configuration, page 322.

6.3.2 Global Settings - Global Firewall Objects

Global firewall objects are available to all firewall services that the Barracuda NG Control Center administers. Making use of global firewall objects in rule sets aims at ensuring implementation of consistent security policies.

To access the global firewall objects configuration area, select Global Firewall Objects in the configuration tree (accessible through Config > Multi-Range > Global Settings).

The following firewall objects may be defined globally:

• Networks
• Services
• User Groups
• Content Filter

Note:
In case global Firewall objects are renamed, this change has to be confirmed directly with Send Changes > Activate before editing further Firewall objects.

The configuration procedure of global objects is identical to the procedure on single boxes. For details, see Firewall 2.2 Rule Set Configuration, page 140.

6.3.2.1 Global Firewall Objects vs. Range/Cluster Firewall Objects

For a more granular definition of Firewall Objects, Global Firewall Objects can be overridden by Range Firewall Objects or Cluster Firewall Objects.

Range or Cluster Firewall Objects that should override those defined globally must have the same object name. If an identical Object is created in a Cluster or a Range, the following Information Message appears.

Fig. 19-38 Overriding Global Network Objects

An Object that overrides a globally defined object is indicated by an icon next to the object.

Note:
Global objects that are overridden by range or cluster objects are not visible within the host firewall or forwarding firewall rule editor on range or cluster level.

The override function is available for the following objects:

• Networks
• Services
• User Groups
• Content Filter

6.3.2.2 Global GTI Objects

When tunnel endpoints are created in the VPN GTI Editor (Global), corresponding dynamic network objects are created at the same time (Barracuda NG Control Center 15. VPN GTI, page 490). These objects are named <servername>_<clustername>_<rangeID> with a prefixed GTI-Server accordingly. Global GTI Objects are inherited as references by Local and Forwarding Firewall rule sets of each Firewall service related to the tunnel endpoint and may be used for rule specification. Every time a new tunnel endpoint is inserted into the Global VPN GTI Editor, the GTI Objects should be reloaded in the Global Firewall Objects window in order to become available in the configuration
dialogs (Firewall 2.2.3 Rules Configuration, page 143, parameter Reload GTI Objects).

Note:
As Global GTI Objects are created dynamically, they cannot be renamed or modified.

6.3.3 Global Settings - Pool Licenses

Barracuda NG Control Center licenses are attached to the hardware of the machine the Barracuda NG Control Center is running on. They enable the administrator to generate and activate the Main Identity of the Barracuda NG Control Center. This Main Identity will be used for all further communication between the CC and the Barracuda NG Firewalls.

To access the pool licenses configuration area, select Pool Licenses in the configuration tree (accessible through Config > Multi-Range > Global Settings).

Fig. 19-39 Pool Licenses - user interface

In the Pool Licenses configuration area, a listing of all installed licenses is displayed. Right-clicking the licenses list makes the standard context menu available (see 4.2 Standard Context Menu, page 420).

The following buttons are available for license administration:

• Edit
  To view full license information in the Certificate View window, select a license and click the Edit button (or double-click a selected license).

• Import menu
  To install a new license, click Import and then click Import from Clipboard or Import from File.
  To export license information, select a license, click Import and then click Export to Clipboard or Export to File.
  To add an optional license description to the list, select a license, click Import and then click Add Comment.

• Delete
  To delete one or multiple licenses, select the license(s) and click Delete. To select multiple licenses, hold the CTRL and/or SHIFT key and click the respective licenses in the listing.

6.3.4 Global Settings - CC Identity

The CC Identity configuration area allows configuring various CC-related settings (for example CC IP address(es), private keys, ...).

Note:
Make sure to configure the CC Identity section correctly before introducing boxes on the Barracuda NG Control Center. If not configured correctly, the boxes will not receive a valid box certificate and will not be able to establish a trust relationship to the CC.

Note:
Make sure to specify both the server and the box IP in the CC Identity settings of the Barracuda NG Control Center (see CC IP Address and Additional CC IP Addresses).

To access the CC Identity configuration area, select CC Identity in the configuration tree (accessible through Config > Multi-Range > Global Settings).

6.3.4.1 Identification

Fig. 19-40 CC Identity - Identification

The Identification view makes the following configuration items available:

List 19-3 CC Identity - Identification section CC Identification

Parameter | Description
Organisation | Into this field, insert the name of the company.
CC Identifier | Information displayed in this read-only field is extracted from the CC (Master) license.
CC Product License | Into this field, import the Master License file that has been issued by Barracuda Networks. To import the license file, click Import and select Import from Clipboard or Import from File. To view the imported license in the Certificate View window, click Show. To delete the currently installed master license, click Clear.

List 19-4 CC Identity - Identification section CC IP Addresses

Parameter | Description
CC IP Address | Into this field, insert the IP address that should be used for connections between CC and CC-administered boxes.
Additional CC IP Addresses | Into this field, insert the IP address(es) that should be used for logins to the CC on box level.
6.3.4.2 Trust Chain

List 19-5 CC Identity - Trust Chain Configuration section Trust Chain Configuration

Parameter | Description
CC Certificate | The CC Certificate is the Main Identity of the Barracuda NG Control Center. It is signed by the license key and distributed to CC-administered boxes for authentication purposes, thus ensuring trustable communication. To insert appropriate company information into the certificate, click Edit. To view certificate information, click Show. Note that the certificate's public hash (displayed to the right) changes when a new CC Private Key is generated (see below). Note: The certificate installation procedure on Barracuda NG Control Centers is described in detail in 3.2 Installing the Licenses, page 419.
CC SSL Certificate | In contrast to the CC Certificate (see above), the CC SSL Certificate is not signed by the license key but self-signed instead. The SSL certificate automatically changes when the CC Certificate changes. It is sent out to all managed boxes in a hidden conf file (masterpub.conf). The CC SSL Certificate is required for SSL-compatible peer authentication between a box transmitting data and the CC Syslog Service in context with SSL based log file streaming.
CC Private Key | Here the MC's private key is handled. The button New Key generates a new private key and hash (displayed to the right). The menu Ex/Import offers the following options: Export to Clipboard/File exports the master private key to the clipboard or to a file. Export to Clipboard/File (password protected) exports the master private key to the clipboard or to a file; however, it is necessary to define and confirm a password that has to be entered when importing the key. Export Public to Clipboard/File exports the public key to the clipboard or to a file. Import from Clipboard/File imports the master private key from the clipboard or from a file.
Preceding Private Key #1, #2, #3 | In this section former private keys are stored as soon as a new CC Private Key is generated. The menu Ex/Import offers the following option: Import from Clipboard/File imports the old private key from the clipboard or from a file.

List 19-6 CC Identity - Trust Chain Configuration section CC SSH Access Keys

Parameter | Description
CC SSH Key | Here the MC's SSH key is handled. The button New Key generates a new SSH key and hash (displayed to the right). The menu Ex/Import offers the following options: Export to Clipboard/File exports the master SSH key to the clipboard or to a file. Export to Clipboard/File (password protected) exports the master SSH key to the clipboard or to a file; however, it is necessary to define and confirm a password that has to be entered when importing the key. Export Public to Clipboard/File exports the public key to the clipboard or to a file. Import from Clipboard/File imports the master SSH key from the clipboard or from a file.
Preceding CC SSH Key | In this section former SSH keys are stored as soon as a new CC SSH Key is generated. The menu Ex/Import offers the following options: Export to Clipboard/File exports the old SSH key to the clipboard or to a file. Export to Clipboard/File (password protected) exports the old SSH key to the clipboard or to a file; however, it is necessary to define and confirm a password that has to be entered when importing the key. Export Public to Clipboard/File exports the public key to the clipboard or to a file. Import from Clipboard/File imports the old SSH key from the clipboard or from a file.

6.3.5 Global Settings - CC Parameters

These parameters describe the behavior of the Barracuda NG Control Center

• within the status map (Control > Status Map)
• when running a configuration update (Control > Configuration Updates)
• when running remote execution

To access the CC Parameters configuration area, select CC Parameters in the configuration tree (accessible through Config > Multi-Range > Global Settings).

6.3.5.1 Operational Setup

List 19-7 CC Parameters - Operational Setup section Status Map Setup

Parameter | Description
Total Poll Time | Defines the refresh rate of the status map in seconds.
Box Reachable Statistics | Set to yes to create statistics about the reachability of the included boxes (default: no).
Trace Unreachable Boxes | Set to yes to trace unreachable boxes (default: no).
External Boxes | Via this section it is possible to integrate external boxes that are not managed by this Barracuda NG Control Center into the status map. Note: Insert the CC box IP to embed the CC itself into the status map.

List 19-8 CC Parameters - Operational Setup section Configuration Update Setup

Parameter | Description
Max. Update Processes | This parameter defines the maximum number of simultaneous configuration updates.
HA Sync Timeout | Default 120 seconds. In case of HA synchronization problems increase this timeout.

List 19-9 CC Parameters - Operational Setup section Remote Execution Setup

Parameter | Description
Max. Exec Processes | This parameter defines the maximum number of simultaneous sessions.

List 19-10 CC Parameters - Operational Setup section Barracuda NG Earth Setup

Parameter | Description
Poll Box VPN Status | Choose yes when you are using Barracuda NG Earth. The CC will collect all relevant data that is necessary to be displayed in Barracuda NG Earth.

6.3.5.2 RCS Setup
For a description of the Revision Control System (RCS), refer to 17. CC RCS, page 499.

6.3.6 Global Settings - CC Access Notification

By means of the parameters available in this tab, the notification types which are induced by specific actions can be configured.

The user interface allows configuring the so-called Service Defaults that apply when no special notifications are set/required. The sections Type 1 Admin, Type 2 Admin, and Type 3 Admin allow defining notification settings for 3 types of administrators (configurable in Admins, see 8.3.1 Creating a New Admin Profile, Login Event menu, page 460).

In order to enter the access notification window, simply select the entry CC Access Notification from the configuration tree (Multi-Range > Global Settings).

Currently used types are:

• Silent (no event)
• Notice
• Warning
• Alert

The latter three may be used to modify the severity of a context dependent event type. A listing of generated events can be found in System Information 5. List of Default Events, page 536.

6.3.6.1 Barracuda NG Admin Authentication Success / Barracuda NG Admin Authentication Failure

The following objects are available for configuration:

• Configuration Center (Success) / Configuration Center (Failure)
  Login to CC Config
• Central Event (Success) / Central Event (Failure)
  Login to CC Event
• Central Statistics (Success) / Central Statistics (Failure)
  Login to CC Statistics
• Central PKI (Success) / Central PKI (Failure)
  Login to CC PKI Service

6.3.7 Global Settings - Administrative Roles

These global settings define the restrictions for administrative roles. They are needed when a new administrator is introduced (see 8.3.1 Creating a New Admin Profile, Roles, page 460).

To access the Administrative Roles configuration area, select Administrative Roles in the configuration tree (accessible through Config > Multi-Range > Global Settings).

The user interface consists of a listing displaying already existing profiles (columns display the corresponding settings) and three buttons for interaction.

• Edit button
  This button opens the configuration dialog with the settings of the selected role.
• Delete button
  The button removes the selected role from the listing.
• Insert button
  This button allows creating a new administrative role. The first window opened requires defining the role number. After confirming the number by clicking the OK button, the role configuration dialog is opened providing the following settings:

List 19-11 Administrative Roles - Role Setup Roles section Role Name

Parameter | Description
Name | This parameter takes a describing name for the administrator's role.

Note:
The checkboxes in the following section define whether the corresponding module can be accessed by the administrator (checkbox selected). When selected, the permissions can be set in detail by clicking the Edit or Set buttons.

List 19-12 Administrative Roles - Role Setup Roles section Module

Parameter | Permissions
CC Config Permissions | Kill Sessions; Change Permissions; Change Events; Show Admins; Manage Admins; Create/Remove Range; Create/Remove Cluster; Use RCS; Create/Remove Boxes; Create/Remove Server; Create/Remove Service; Create/Remove Repository; Manage HA Sync; Create PAR File; Allow Config View on Box; Allow Emergency Override
CC Control Permissions | Show Map; Show Config. Updates; Manage Config. Updates; Show Box REXEC; Manage Box REXEC; Show Box Software Updates; Manage Box Software Updates; Manage Box File Update
Access to CC PKI Service |
List 1912 Administrative Roles - Role Setup Roles section Module
Control Permissions: Start/Stop Server, Block Server, Start/Stop Service, Block Service, Delete Wild Route, Activate New Configuration, Restart Network Subsystem, Set or Sync Box Time, Restart NGFW Subsystem, Reboot System, Activate Kernel Update, Kill Sessions, Import License, Remove License, View License Data
Event Permissions: Silence Events, Stop Alarm, Mark as Read, Confirm Events, Delete Events
Log Permissions: Read Box Logfiles, Delete Box Logfiles, Read Service Logfiles, Delete Service Logfiles
Statistics Permissions: Read Box Statistics, Delete Box Statistics, Read Service Statistics, Delete Service Statistics
DHCP Server Permissions: Enable Commands
Access Control Service Permissions: Enable Commands
CC Access Control Service Permissions: Enable Commands, to modify or remove entries from the status and access cache; Block Box Sync., to disable authentication sync within a
Firewall Permissions: Terminate Connections, Modify Connections, Kill Handler Processes, Dynamic Rule Control, Toggle Trace, View Trace Output, Change Settings, View Rule Set, Manipulate Access Cache Entries
Note:
Selecting Toggle Trace together with View Trace Output and Change Settings enables the admin to run admintcpdump on the command line. See the documentation Command Line Interface for detailed information.
VPN Server Permissions: Terminate VPN Tunnels, Disable/Enable VPN Tunnels, View Configuration
Mail Router Permissions: Enable Commands, View Stripped Attachments, Retrieve Stripped Attachments, Delete Stripped Attachments
Virscan Service Permissions: Allow Block Virus Pattern Update, Allow Manual Virus Pattern Update
Secure-Web-Proxy Permissions: Access Cache Management (to manipulate access cache entries); Ticket Management (to process access request tickets); Cert. Authorities Management (to accept/deny a root CA, to modify CRL handling); XML Services Management (to modify settings for RSS feeds or web services: allow, scan, deny, delete)

6.3.8 Global Settings - Statistics Cook Settings

This section globally defines the compression of statistics files that have been collected by the Barracuda NG Control Center from its CC-administered boxes. For a detailed description of the configuration options see 9.3 Compression Cooking and Deletion, page 463.

6.3.9 Global Settings - VPN GTI Editor (Global)

Open the Global VPN GTI Editor to access the Barracuda NG Firewall VPN Graphical Tunnel Interface (GTI). For detailed information on this configuration section, see 15. VPN GTI, page 490.

6.3.10 Global Settings - Box VIP Network Ranges

Configuring this section is necessary to introduce so-called remote management tunnels or box tunnels. A box tunnel establishes encrypted communication between the Barracuda NG Control Center and a Barracuda NG Firewall whose management IP is not directly reachable (for example because of routing issues).

A common example is communication between a gateway at a remote location and the CC at headquarters, where the remote site is only reachable over an internet connection. In general the box management IP lies within the network address range of the remote site. Since it is neither recommended nor always possible to enable an external management IP that is directly accessible from the internet (for example when the internet provider assigns a dynamic external IP), another method is needed to establish a connection between box and CC.

Even if a VPN tunnel between the remote site and headquarters is established, it is recommended to use box tunnels. If the remote site becomes unreachable because of a misconfigured VPN tunnel or a blocked VPN service, the box tunnel nevertheless stays established.

VIP network ranges defined in this section are enabled as Proxy ARP entries on the Barracuda NG Control Center and must therefore not collide with IP addresses already in use in that network segment.
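As an added example (not part of the Barracuda guide and not a Barracuda API), the following Python snippet performs the checks an administrator should run on a planned Box VIP Network Range before entering it: the range must not overlap addresses already in use in the CC's segment (the CC answers Proxy ARP for the whole range, so an overlap would hijack traffic for a real host), it must not overlap another VIP range, and it must be covered by a route on the admin workstation, because Barracuda NG Admin reaches a tunnelled box via its VIP. The addresses, the in-use list and the admin routing table are constructed sample data; validate_vip_range and its arguments are this example's own names.

```python
"""Pre-flight checks for a planned Box VIP Network Range.

Added example, not code from the Barracuda guide. All addresses below are
constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List


def as_network(text: str, strict: bool = False) -> ipaddress.IPv4Network:
    """Accept '10.0.2.0/24', '10.0.2.0/255.255.255.0' (start IP plus netmask,
    as in the Insert dialog) or a bare host address (treated as /32)."""
    return ipaddress.IPv4Network(text, strict=strict)


def validate_vip_range(candidate: str,
                       in_use: Iterable[str],
                       existing_vip_ranges: Iterable[str],
                       admin_routes: Iterable[str]) -> List[str]:
    """Return the list of problems with a candidate VIP range.

    An empty list means the range is safe to enter.  The checks follow the
    guide's requirements:
      * the CC publishes the whole range via Proxy ARP, so it must not
        overlap any address or prefix already used in the CC's segment;
      * VIP ranges on one CC must not overlap each other;
      * NG Admin connects to a tunnelled box via its VIP, so the admin
        workstation needs a route that covers the range.
    strict=True on the candidate rejects a start IP with host bits set,
    the most common typo in a start-IP/netmask dialog (raises ValueError).
    """
    cand = as_network(candidate, strict=True)
    problems: List[str] = []

    for used in in_use:
        used_net = as_network(used)
        if cand.overlaps(used_net):
            problems.append(f"{cand} collides with in-use address(es) {used_net}")

    for other in existing_vip_ranges:
        other_net = as_network(other)
        if cand.overlaps(other_net):
            problems.append(f"{cand} overlaps existing VIP range {other_net}")

    if not any(cand.subnet_of(as_network(route)) for route in admin_routes):
        problems.append(f"admin workstation has no route covering {cand}")

    return problems


# Constructed sample environment (assumptions, not values from the guide):
# gateway, CC management IP and a DHCP pool in the CC's segment, one VIP
# range already configured, and the admin workstation's route towards the CC.
CC_SEGMENT_IN_USE = ["10.0.0.1", "10.0.0.2", "10.0.0.64/26"]
EXISTING_VIP_RANGES = ["10.0.1.0/24"]
ADMIN_ROUTES = ["10.0.0.0/16"]


def check_planned_ranges(planned: Iterable[str]) -> Dict[str, List[str]]:
    """Run the validation over several candidate ranges at once."""
    return {p: validate_vip_range(p, CC_SEGMENT_IN_USE, EXISTING_VIP_RANGES, ADMIN_ROUTES)
            for p in planned}


if __name__ == "__main__":
    candidates = ["10.0.2.0/24", "10.0.0.96/27", "10.0.1.128/25", "192.168.50.0/24"]
    for rng, issues in check_planned_ranges(candidates).items():
        print(rng, "OK" if not issues else "; ".join(issues))
```

Only the first candidate passes; the second overlaps the DHCP pool the CC would start answering ARP for, the third overlaps the existing VIP range, and the fourth has no route from the admin workstation, so NG Admin could never reach a box behind it.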

In addition to the definition of VIP networks, the use of a box tunnel requires configuration of the Remote Management section in the box network node.

Note:
Using remote management tunnels requires the introduction of an additional service 'mvpn' on the Barracuda NG Control Center itself.

A Barracuda NG Firewall that is managed through a box tunnel establishes an encrypted VPN connection to the Barracuda NG Control Center. All communication between Barracuda NG Control Center and gateway is processed through the box tunnel (TCP, port 692). Even communication between the admin workstation and the remote box is handled through the box tunnel. Barracuda NG Admin uses the Virtual IP (VIP) that is defined in the Box - Network Configuration - Remote Management section as box address (destination address) when establishing a connection to the CC. It is thus essential that VIP network ranges be routed from the admin workstation to the CC.

6.3.10.1 VIP Networks

To insert a Box VIP Network Range, select Box VIP Network Ranges from the configuration tree (accessible through Multi-Range > Global Settings).

The user interface consists of a listing displaying the already existing network ranges (columns display the corresponding settings) and three buttons for interaction:

• Edit button
This button opens the configuration dialog with the settings of the selected network range.

• Insert button
This button allows creating a new network range. The first window requires a name for the network range. After confirming the name with OK, the configuration dialog opens and provides the following settings:
Address Range Start IP address
Address Range Netmask

• Delete button
This button deletes the selected network range from the listing.

6.3.10.2 VPN Settings

List 1913 Box VIP Network Ranges VPN Settings
Pending Session Limitation [default Yes]: Session buildup is limited so that once a buildup of 5 sessions is detected, any further session request is dropped until one of the already initiated sessions is completed. This feature can be turned off with the VPN settings parameter Pending Session Limitation (see list 53, page 219).
Use Tunnels for Authentication [Yes]: Normally a tunnel registers itself at the firewall, causing an auth.db entry with the tunnel network and the tunnel credentials. This can be used to build firewall rules having the tunnel name or credentials as condition. This feature is rarely used (maybe not at all). With the VPN settings parameter Use Site to Site Tunnels for Authentication (see list 53, page 219) this functionality can be turned off, improving the startup speed dramatically.
Prebuild Cookies on Startup [No]: Normally cookies are built on demand. When many tunnels are built up simultaneously it is better to have the cookies already precalculated. This causes a slower VPN service startup but a faster tunnel buildup afterwards. This feature can be turned off with the VPN settings parameter Prebuild Cookies on Startup (see list 53, page 219).
Listen to Port 443 [Yes]: Defines whether incoming VPN connections on port 443 are accepted (default: Yes). In some cases you might want to stop using port 443 for incoming VPN connections, for example when connections arriving at port 443 should be redirected by the firewall service to another machine. With the VPN settings parameter Use port 443 (see list 53, page 219) this functionality can be turned off.

6.3.10.3 Rekey/Alive Rates

By default all limits configured here are enforced by the MVPN service on the Barracuda NG Control Center. If the remote box itself should enforce the limits, set the parameter Server enforces Limits to No.

List 1914 Box VIP Network Ranges Rekey/Alive Rates
Server enforces Limits: Decides whether the remote box itself or the MVPN service of the Barracuda NG Control Center enforces the limits.
Key Time Limit [Minutes]: Rekey period.
Key Byte Limit [Mbytes]: Rekey after the specified amount of Mbytes.
Tunnel Probing [Seconds]: Interval of the keep-alive packets sent to the remote tunnel end.
Tunnel Timeout [Seconds]: The tunnel is considered down if the vpnc process has received no answer after the specified time.
Note:
This should be a smaller value than the one used for Tunnel Probing.

6.4 Range Configuration

A range is the largest configuration entity, built up of one or multiple clusters. Ranges are meant to simplify central administration of huge networks. Within ranges, global settings spanning all existing clusters can be defined. Within clusters, in turn, global settings spanning all existing boxes can be configured. Beyond this, specific security implementations in the Cluster Services allow configuration of security settings not available for regular services (see 6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449).

Setups with configured ranges offer the following further benefits:

• Statistics
When the CC is configured to collect statistics, the statistics data gets range classified. This amongst others allows range-specific accounting.

• Administrative settings
Ranges can be allocated to administrative roles (see Range Name, page 441). This allows specific ranges to be administered only by explicitly assigned administrative roles.

6.4.1 Creating a New Range

Right-click Multi-Range and select Create Range from the context menu to create a new range. Enter a Range Name (Note: only numbers allowed) and confirm your entry by clicking the OK button. This opens the range configuration dialog (later accessible via Multi-Range > <rangename> > Range Properties).

Note:
Make sure to click Send Changes > Activate after having introduced a new range. Otherwise, boxes will not receive a valid box certificate and will not be able to establish a trust relationship to the CC.

Fig. 1941 Create Range - configuration dialog

List 1915 Creating a new range section Identification
Range Name: This read-only field displays the range number as entered in the creation dialog.
Description: Enter a meaningful range description into this field.

List 1916 Creating a new range section Contact Info
Full Name / Contact Person / Telephone Nr. / Email Address: To make the range administrator easy to reach, fill these fields with appropriate contact information.

List 1917 Creating a new range section Specific Settings
Disable Update: Enables/disables configuration updates for boxes of this range (default: no).
Collect Statistics: Setting to yes (default) triggers the Barracuda NG Control Center to collect statistics from the managed boxes within this range.
Own Cook Settings: If the range requires special cook settings for statistical data, set this parameter to yes (default: no). This introduces the file Statistics Cook Settings below Multi-Range > <rangename> > Range Settings, where the custom cook settings for the range may be defined. For the parameters available in this file, see 9.3.2 Range Specific Settings, page 464.
Own Event Settings: If the range requires special event settings, set this parameter to yes (default: no). This introduces the file Eventing below Multi-Range > <rangename> > Range Settings, where the custom event settings for the range may be defined. For the parameters available in this file, see 10.3.3 Cluster-specific Event Settings, page 470.
Own Firewall Objects: Setting to yes (default: no) enables range-specific firewall objects. It introduces the file Range Firewall Objects below Multi-Range > <rangename> > Range Settings, where range-specific network objects may be defined. For the characteristics and handling of network objects, see Firewall 2.2.4 Network Objects, page 148.
Own VPN GTI Editor: Setting to yes (default: no) enables a range-specific VPN GTI Editor. It introduces the file VPN GTI Editor (<rangename>) below Multi-Range > <rangename> > Range Settings. For the functionality of the VPN GTI Editor, see 15. VPN GTI, page 490.
Own Policy Server Objects: Setting to yes (default: no) enables range-specific policy server objects. It introduces the node Access Control Objects (containing the files Welcome Message, Personal Firewall Rules, Pictures and Registry Checks), just like the Access Control Service, below Multi-Range > <rangename> > Range Settings. For detailed information see Configuration Service Section Policy Based Routing, page 69.
Own Shaping Trees: Setting to yes (default: no) enables range-specific traffic shaping settings. It introduces the file Range Shaping Trees below Multi-Range > <rangename> > Range Settings. For detailed information see Configuration Service 2.2.6 Traffic Shaping, page 82.

6.4.2 Range-specific Settings

6.4.2.1 Range-specific Cook Settings

Range-specific cook settings are only available if the parameter Own Cook Settings (see 6.4.1 Creating a New Range) is set to yes. For the parameters available in this file, see 9.3.2 Range Specific Settings, page 464.

6.4.2.2 Range-specific Event Settings

Range-specific event settings are only available if the parameter Own Event Settings (see 6.4.1 Creating a New Range) is set to yes. For the parameters available in this file, see 10.3.2 Range-specific Event Settings, page 469.

6.5 Cluster Configuration

Attention:
Barracuda NG Control Center 4.2 does not support managing netfence 3.2 clusters. All clusters must be migrated to version 3.4 or higher before updating the CC to Barracuda NG Firewall 4.2 (see 6.9.3.1 Migrating a Cluster, page 447).

A cluster is a set of operative boxes. Within a cluster, cluster servers and cluster services may be defined:

• Cluster server
A cluster server provides similar functionality to the single box server, except that cluster services provide flexible high-availability functionality (cluster servers do not require a dedicated HA box; the HA partner can be reconfigured while running in operational mode). For information on how to create and configure a cluster server, see 6.5.1.1 Creating a Cluster Server.

• Cluster services
Cluster services are services that can run on multiple cluster servers. An example of a cluster service is the Distributed-Firewall service. The Distributed-Firewall (Cascaded Firewall) is a cluster firewall: the firewall service runs in operational mode on more than one box at the same time with the same configuration. This offers easy configuration and easy implementation of load sharing scenarios. For information on how to create and configure a cluster service, see 6.5.1.2 Creating a Shared Service, page 443.

In addition to the benefits mentioned above, clusters offer:

• Statistics
When the CC is configured to collect statistics, the statistics data gets cluster classified. This amongst others allows cluster-specific accounting.

• Administrative settings
Clusters can be allocated to administrative roles.

6.5.1 Creating a New Cluster

Right-click Multi-Range > <rangename> and select Create Cluster from the context menu to create a new cluster. Enter a Cluster Name and confirm your entry by clicking the OK button. This opens the cluster configuration dialog (later accessible via Multi-Range > <rangename> > <clustername> > Cluster Properties).

Note:
Immediately click Send Changes > Activate after having introduced a new cluster. Otherwise, boxes will not receive a valid box certificate and will not be able to establish a trust relationship to the CC.

Parameters and their settings are nearly identical to the range-specific settings described in 6.4.1 Creating a New Range, page 441. However, they only apply to the specific cluster and overrule superordinate settings.

List 1918 Creating a new cluster section Identification
Cluster Name: This read-only field displays the cluster name as entered in the creation dialog.
Description: Enter a meaningful cluster description into this field.
Software Release: A cluster is the smallest entity expecting consistent software versions of all CC-administered systems it contains. Thus, when a cluster is created, the Software Release version has to be specified so that configuration files can be adapted accordingly. Multi-release administration is available for netfence / Barracuda NG Firewall release versions 3.4, 3.6, 4.0 and 4.2. Multi-release support is described in detail in 6.9 Multiple Releases, page 446.

List 1919 Creating a new cluster section Contact Information
Full Name / Contact Person / Telephone Nr. / Email Address: To make the cluster administrator easy to reach, fill these fields with appropriate contact information.

List 1920 Creating a new cluster section Specific Settings
Disable Updates: Enables/disables configuration updates for boxes of this cluster (default: no).
Collect Statistics: Setting to yes triggers the Barracuda NG Control Center to collect statistics from the managed boxes within this cluster. The setting like-range (default) inherits the setting from the Range Config file (see Collect Statistics, page 441).
Own Cook Settings: If the cluster requires special cook settings for statistical data, set this parameter to yes (default: no). This introduces the file Statistics Cook Settings below Multi-Range > <rangename> > <clustername> > Cluster Settings, where the custom cook settings for the cluster may be defined. For the parameters available in this file, see 9.3.3 Cluster Specific Settings, page 464.
Own Event Settings: If the cluster requires special event settings, set this parameter to yes (default: no). This introduces the file Eventing below Multi-Range > <rangename> > <clustername> > Cluster Settings, where the custom event settings for the cluster may be defined. For the parameters available in this file, see 10.3.3 Cluster-specific Event Settings, page 470.
Own Firewall Objects: Setting to yes (default: no) enables cluster-specific firewall objects. It introduces the file Cluster Firewall Objects below Multi-Range > <rangename> > <clustername> > Cluster Settings, where cluster-specific network objects may be defined. For the characteristics and handling of network objects refer to Firewall 2.2.4 Network Objects, page 148.
Own VPN GTI Editor: Setting to yes (default: no) enables a cluster-specific VPN GTI Editor. It introduces the file VPN GTI Editor (<clustername>) below Multi-Range > <rangename> > <clustername> > Cluster Settings. For the functionality of the VPN GTI Editor see 15. VPN GTI, page 490.
Own Policy Server Objects: Setting to yes (default: no) enables cluster-specific policy server objects. It introduces the node Access Control Objects (containing the files Welcome Message, Personal Firewall Rules, Pictures and Registry Checks), just like the Access Control Service, below Multi-Range > <rangename> > <clustername> > Cluster Settings. For detailed information see Configuration Service Section Policy Based Routing, page 69.

List 1920 Creating a new cluster section Specific Settings
Own Shaping Trees: Setting to yes (default: no) enables cluster-specific traffic shaping settings. It introduces the file Range Shaping Trees below Multi-Range > <rangename> > <clustername> > Cluster Settings. For detailed information see Configuration Service 2.2.6 Traffic Shaping, page 82.

6.5.1.1 Creating a Cluster Server

To create a cluster server, open the context menu of the configuration tree item Virtual Servers and select Create Server. Enter the name of the cluster server in the dialog that opens and confirm by clicking the OK button, which opens the configuration dialog. The configuration of a cluster server is identical to the configuration of a server on a Barracuda NG Firewall (Configuration Service 3. Configuring a New Server, page 94), except that network objects may be referenced in the Server Address fields (Firewall 2.2.4 Network Objects, page 148).

Fig. 1942 Creating a cluster server with Server IP addresses referencing network objects

6.5.1.2 Creating a Shared Service

To create a shared service (also known as Cluster Service), open the context menu of the configuration tree entry <clustername> > Shared Services. Enter a cluster service name and confirm it by clicking the OK button. This opens the configuration dialog.

The configuration of a shared service is identical to the configuration of a service on a Barracuda NG Firewall (Configuration Service 4. Introducing a New Service, page 97). However, some differences need attention:

List 1921 Creating a Cluster Service section Service Definition
Software Module: For a cluster service only three software modules are available:
DNS (default), for configuration information see DNS, page 331
Firewall, for firewall configuration information see Firewall, page 131. For the firewall configuration specific to cluster services see 6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449 in this chapter.
SNMPd, for configuration information see SNMP, page 513

List 1922 Creating a Cluster Service section Admin Restrictions
Administered by: Specifies the administrators allowed to manage the cluster service. The default setting all-authorized permits management for every configured administrator. The second available setting is restricted-set; selecting it enables the parameter Privileged Admins.
Privileged Admins: Specifies the administrators explicitly allowed to manage the cluster service. Enter the Barracuda NG Admin login name of the corresponding administrator and click Insert to add it to the listing on the right. Via Change you may edit an existing name: select the entry, modify the spelling and click Change to add the new name to the listing. Selecting an entry and clicking Delete removes the admin from the list; after activating the changes, that admin is no longer able to administer the cluster service.

List 1923 Creating a Cluster Service section Access Notification
Beside the standard parameters Service Default (Success) and Service Default (Failure) (known from Barracuda NG Firewall service configuration, see Configuration Service 4. Introducing a New Service, page 97), the access notification offers success and failure parameters for each of the 3 possible admin-access-notification profiles.

6.5.1.3 Adding a Shared Service

Once a Shared Service has been created, it can be added to a Cluster Server. To add a Cluster Service to a Cluster Server, browse to Multi-Range > <rangename> > <clustername> > Virtual Servers > <servername>, right-click the server node and select Add Shared Service from the context menu. A new window pops up, allowing selection of the respective service. Mark the service and click the OK button.

Fig. 1943 Adding a Cluster Service

The Cluster Service is added to the Service node below the Cluster Server. <DNS_servername> (DNS-Service) and <SNMPd_servername> (snmp) service nodes are created as links to the unique Cluster Service below the Cluster Service node. The same applies to the global settings of the <cfirewall_name> (cfirewall) node. The Cascaded Firewall Specific node is the only object that has to be configured directly below the <servername> > Assigned Services node, as settings made there apply per server and not per cluster (see 6.11.4 The Local Rules Section and The Special Rules Section, page 451).

6.5.2 Cluster-specific Settings

6.5.2.1 Cluster-specific Cook Settings

Cluster-specific cook settings are only available if the parameter Own Cook Settings (see 6.5.1 Creating a New Cluster, page 442) is set to yes. For the parameters available in this configuration file, see 9.3.3 Cluster Specific Settings, page 464.

6.5.2.2 Cluster-specific Event Settings

Cluster-specific event settings are only available if the parameter Own Event Settings (see 6.5.1 Creating a New Cluster, page 442) is set to yes. For the parameters available in this configuration file, see 10.3.3 Cluster-specific Event Settings, page 470.

6.6 Box Configuration

The smallest configuration entity in the Barracuda NG Control Center configuration tree is the Box. A box is one operative Barracuda NG Firewall.

Note:
The configuration of a box in the Barracuda NG Control Center configuration tree affects only the respective box.

For configuration information see Configuration Service, page 41.

Default settings and the availability of services that can be installed and configured on each box are determined by the OS Platform, Product Type and Hardware Model settings (page 52) of the box. See Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16, for each type's typical characteristics.

6.6.1 Create Box Wizard

To create a new box you can right-click Boxes and select Create Box from the context menu (see Configuration Service 2.2.2 Box Properties, page 52), or you use the Create Box wizard:

• Right-click the range or the cluster where you want to introduce the new box.
• Select Create Box Wizard from the context menu.
• Lock the configuration.
• Click Run (F5).
• Follow the steps of the wizard and set all required parameters. For the description of the box parameters see Configuration Service 2.2 Setting up the Box, page 50. The wizard consists of the following steps:
Step 1 Start
Step 2 Product Selection
Step 3 Administrative Setup
Step 4 DNS Setup
Step 5 Time Setup
Step 6 Network Interfaces
Step 7 Network Basic
Step 8 Network Advanced
Step 9 Remote Access (xDSL, DHCP, ISDN, UMTS)
Step 10 Box Misc (MSAD Authentication, MSCHAP Authentication)
Step 11 Server Assignment

Fig. 1944 Box configuration wizard for creating a box

6.6.2 Launching a Box

To switch from the CC to a box, right-click the desired box and choose Launch Control for Box (<box IP address>) from the context menu.

Fig. 1945 Box configuration - launch control for box

6.7 Defining Node Properties

For additional access restriction, the CC offers the context menu entry Properties for each item of the configuration tree.

List 1924 Barracuda NG Control Center Node Properties
Name: purely informational; displays the name of the service's software module
Description: purely informational; displays a short description of the software module
Created: purely informational; displays date/time, admin and admin IP of the service creation
Last Modified: purely informational; displays date/time, admin and admin IP of the last modification
Release: Release version installed on the box (only netfence / Barracuda NG Firewall versions 3.4, 3.6, 4.0 and 4.2 are supported in multi-release environments).

List 1925 Barracuda NG Control Center Node Properties section Administrative Level
Your Level: purely informational; displays your administrative level.
Read: By entering the corresponding configuration level, the read permission is specified.
Note:
Any level lower than the set one has access (see 8.3.1 Creating a New Admin Profile, page 458).
Write: By entering the corresponding configuration level, the write permission is specified.
Note:
Any level lower than the set one has access (see 8.3.1 Creating a New Admin Profile, page 458).
Click Change to save the new configuration.
Modify Event: This menu specifies the type of event notification generated if the corresponding file is modified. Available notification types are:
No Event (default)
Normal Event (generates event Config Node Change Notice [2400])
Notice Event (generates event Config Node Change Warning [2401])
Alert Event (generates event Config Node Change Alert [2402])
History: States the configuration actions performed on this entity; administrator and peer IP are logged:
param: when changes to the read or write level were made
lock: when the conf entity was locked
unlock: when the conf entity was unlocked
change: when the conf entity was changed
add: when a server/service object was added to the conf tree

6.8 Repositories

For increased configuration comfort, configuration repositories can be defined. Configuration data that is used on more than one machine should be stored in a repository. This saves time and reduces configuration errors, since the information is entered only once and then linked from the corresponding repository. Three types of repositories exist:

• Cluster Repository
• Range Repository
• General Repository

Cluster repositories should be used for saving cluster-specific configuration data, while range repositories should contain configuration data for boxes of the whole range. The general repository can be used for saving configuration data that can be used on all boxes introduced by the Barracuda NG Control Center.

Fig. 1946 Different types of repositories (cluster repository, range repository, general repository)

Note:
For compatibility reasons, two nodes are structured differently in the box repository tree than in the configuration tree of a box within a range:
• Authentication Service is placed in Advanced Configuration and not in Infrastructure Services
• System Settings is placed in Box and not in Advanced Configuration

6.9 Multiple Releases

A Barracuda NG Control Center 4.2 is able to manage Barracuda NG Firewalls installed with release versions 3.4 and higher. Especially in huge network environments, where an ad hoc migration of all systems to the recent version cannot be accomplished simultaneously, this feature enables easy and up-to-date administration.

6.9.1 Administering Multiple Releases

The smallest administration entity demanding uniform software versions is a cluster. When creating a new cluster (see 6.5.1 Creating a New Cluster), the software release version has to be specified. Every box that is introduced to a cluster is then expected to work with the same release version.

To verify the version number bound to each configuration node, select Toggle Release View from the context menu available through right-clicking the configuration tree entry Multi-Range. The release information is then displayed to the right of each configuration node.

Fig. 1947 Configuration tree displayed in default view (left) and with toggled release view (right)

As only one repository can be created per configuration entity (global repository, range/cluster repository), repositories cannot be assigned version numbers as a whole. Thus, not the repositories themselves but the objects created in them carry version information (figure 1948).

Fig. 1948 Repository objects flagged with version information

Just like boxes, ranges and clusters, repository objects can be migrated to a newer version (see 6.9.3.4 Migrating a Repository Object).

When administering a multi-release environment, use the release view to identify system versions easily in order to
• install the correct hotfixes and updates through the Software Update Tab (see 5.10 Software Update Tab, page 429);
• prepare netfence 3.4/3.6/4.0 gateways for the update to the recent Barracuda NG Firewall version 4.2;
• verify object version numbers in the repositories.

6.9.2 Updating to the Recent Version

Before migrating the configuration, each gateway has to be updated to the recent software version. Execute the software update in the Software Update Tab (see 5.10 Software Update Tab, page 429).

Note:
Keep in mind that when updating Barracuda NG Firewalls to the recent version 4.2, the software update has to be accomplished per cluster. Once the decision for updating has been made, the software update has to be executed for all boxes within a cluster before the cluster can be migrated and again be managed by the Barracuda NG Control Center.

6.9.3 Migrating the Configuration

Note:
Migration can only be executed to the directly succeeding software release version (that means gateways installed with netfence 3.4 must be migrated to version 3.6 first, before they can be migrated to version 4.0 and then to version 4.2).

As the minimum administration entity in a multi-release environment is a cluster, migration has to be performed in one step for at least one whole cluster within a range. Migration can be initiated from various locations in the configuration tree:

• Migrate Cluster
in the right-click context menu of the locked node Multi-Range > <rangename> > <clustername>
• Migrate Range
in the right-click context menu of the locked node Multi-Range > <rangename>
• Migrate Clusters, Migrate Ranges, Migrate Complete Tree
in the right-click context menu of the node Multi-Range

Note:
Clicking Migrate Cluster(s), Range(s) or Complete Tree migrates the configuration but does not activate the new configuration on the spot. Instead, it flags all configuration nodes that the migration process is going to change. Click the Activate button to activate the new configuration (see example Migrating a Cluster).

6.9.3.1 Migrating a Cluster

Step 1 Lock the cluster and select Migrate Cluster from the context menu

Fig. 1949 Migrating a cluster - Step 1

Step 2 Choose the software version number as migration destination

Fig. 1950 Migrating a cluster - Step 2

Step 3 Review the future configuration

Fig. 1951 Example: Mail-Gateway configuration nodes prior to and after Migrate Cluster activation

As indicated in figure 1951, the MailGW Settings and the Service Configuration nodes will be changed during the migration process. You may open the nodes to have a look at the new configuration dialogs.

Step 4 Click Activate
Click the Activate button to activate the new configuration. Click the Undo button if you wish to withdraw from migrating.

6.9.3.2 Migrating a Range

Step 1 Lock the range and select Migrate Range from the context menu

Fig. 1952 Migrating a range - Step 1

Step 2 Choose the recent software version number as migration destination

Fig. 1953 Migrating a range - Step 2

Step 3 Click Activate
Click Activate to activate the new configuration.

6.9.3.3 Migrating Multiple Clusters/Ranges

Step 1 Select Migrate Clusters/Ranges from the context menu

Fig. 1954 Migrating multiple clusters/ranges - Step 1

Step 2 Select nodes to be migrated

Fig. 1955 Migrating multiple clusters/ranges - Step 2

Step 3 Click Activate
Click Activate to activate the new configuration.

6.9.3.4 Migrating a Repository Object

Step 1 Lock the object and select Migrate Node from the context menu

Fig. 1956 Migrating a repository object - Step 1

Step 2 Choose the recent software version number as migration destination

Fig. 1957 Migrating a repository object - Step 2

Step 3 Click Activate
Click Activate to activate the new configuration.

6.9.4 Preparing Repository Linked Box Configurations for Migration

In most cases box configuration details will at least partly have been linked to repositories for easier administration. When migrating a Barracuda NG Firewall release, special regard should be paid to these links in order to keep the future administration structure as simple as it was.

Similar to moving/copying managed boxes (see below), if a version 3.4 cluster accessing configuration files in 3.4 version repository objects is migrated, the links cannot be maintained. The contents of the object files will instead be written to a file.

If a repository object cannot be migrated because it is still in use by version 3.4 boxes, proceed as follows to maintain linked configurations:

Step 1 Create a version 4.2 repository object with the same configuration settings as the former object.

Step 2 Migrate the configuration.

Step 3 Delete the configuration files which have been created when migrating.

Step 4 Create new links from the configuration nodes to the up-to-date repository object.

Note:
Repository migration can only be executed to the applicable succeeding software release version (that means 3.4 version repositories are to be migrated to version 3.6 first, before they can be migrated to version 4.0 and then to version 4.2).

6.10 Adding/Moving/Copying

6.10.1 Adding Boxes

Proceed as follows to add a box to a CC:

6.10.1.1 Create Box

Use this method to prepare a new box for installation.

Step 1 Open the Boxes context menu of the CC range/cluster the box should live in and select Create Box

Step 2 Define a Box Name

Step 3 Configure the Box Config file
(see Configuration Service 2.2.2 Box Properties, page 52 for details).

Step 4 Configure the box
(see Configuration Service 2. Configuring a New System, page 48 for details). Confirm your settings by clicking the Activate button.
Step 5 Create a PAR file of the box
by selecting Create PAR file for box from the context menu

Step 6 Create a kickstart file with Barracuda NG Installer using the option Create Kickstart only (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10).

Step 7 Install the box using kickstart disk and PAR file (Getting Started 1.3 Installation with a Saved Configuration, page 8).

6.10.1.2 Import Box from PAR

This method assumes that a PAR file of the box which is going to be added exists. Use it when adding an already installed and configured box to the CC.

Step 1 Create a PAR file of the to-be-added box

Step 2 Select the CC range/cluster the box should live in

Step 3 Open the Boxes context menu and select Import Box from PAR

Step 4 Enter a new, UNIQUE name for the box (maximum 25 characters)

Step 5 Commit your selection via the OK button and have the box moved

Attention:
Box servers and services will only be added if NO name violation occurs. In case of already existing configuration entities with the same name, servers and services will not be added to the CC configuration.

6.10.2 Moving/Copying Managed Boxes, Servers and Services

Attention:
Due to the hierarchical structure of repositories, it may happen that configurations linked from a repository are written to a file and, thus, are no links anymore.

Table 1915 Moving/Copying Managed Boxes, Servers and Services
Repository | Move/copy to diff. range | Move/copy to diff. cluster
General    | Link remains             | Link remains
Range      | File is written          | Link remains
Cluster    | File is written          | File is written

Note:
The following describes moving a managed box within a CC. However, copying/moving servers and services works the same way as described in the following.

Note:
When moving or deleting a VPN service, perform the following instructions to prevent an inconsistency of the range/cluster VPN GTI Editor. Therefore, open the VPN GTI Editor:
• right-click the according VPN service (lower section) and choose Delete VPN Service from Group
• right-click the Group the service belongs to (upper section), and choose Delete VPN Service from GTI-Editor...

Step 1 Enter the CC's configuration tree and select the box you want to move

Step 2 Open the context menu and select Move Box

Step 3 Select the new box location from the displayed list and enter a new, UNIQUE name for the box (maximum 25 characters)

Step 4 Commit your selection via the OK button and have the box moved

6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall)

The Cascaded Firewall (Distributed-Firewall) is a so-called cluster service. It is a variant of the Barracuda NG Firewall specially designed to simplify firewall administration by multiple administrators. The Distributed-Firewall includes all features of the Barracuda NG Firewall. Unlike the common firewall service, though, the Distributed-Firewall is not only organized into one rule set, but can include up to three rule sets. As a result, the firewall rule set topology provides three organisational scopes:
• Global Rules (see 6.11.3 The Global Rules Section)
• Local Rules (see 6.11.4 The Local Rules Section)
• Special Rules (see 6.11.5 The Special Rules Section)

6.11.1 Hierarchical Structure of Rule Sets

Global Rules
The Global Rule set is the first rule set considered in the Distributed-Firewall configuration. It manages rules valid for all cfirewall services within a specific cluster.

Local and Special Rules are coequal, but both come after Global Rules. Local and Special Rules can only work with network objects that have been cascaded to them from the Global Rules section.

Fig. 1958 Cascading the localnet network object

Fig. 1959 Cascading the specialnet network object

The following scheme depicts the organisational structure of rule sets. Note that the workflow of rules in the Global Rules section is intercepted through cascading to either the Special or the Local Rules section. As a final step, the workflow is returned from there to the Global Rules section with a Cascade Back.

Fig. 1960 Workflow of rule set processing (Global Rules: Rule 1, Rule 2, Cascade, Rule 3, Cascade, Rule 4; Local Rules: Rule 1, Rule 2, Cascade Back; Special Rules: Rule 1, Rule 2, Cascade Back)

For further information on Cascaded Rules see Firewall 2.5 Cascaded Rule Sets, page 169.

6.11.2 Creating a Cascaded Firewall

For general information on how to create a Shared Service, please refer to 6.5.1.2 Creating a Shared Service, page 443. The creation of the Cascaded Firewall Cluster Service (cfirewall) itself takes place in the following steps:

Step 1 Creation of the Distributed-Firewall service

Fig. 1961 Configuration nodes of the Distributed-Firewall service - Global section

Beside the general Service Properties node (Configuration Service 4. Introducing a New Service, page 97), installation of the Distributed-Firewall service generates the following sub-nodes:
• Global-Rules (see Global-Rules Node)
• Localnet (see Localnet Node)

Step 2 Adding the Distributed-Firewall service to a server

For a description of how to add a Cluster Service to a server, please refer to 6.5.1.3 Adding a Shared Service, page 443. Adding the Distributed-Firewall service to a server generates the following sub-nodes below <servername> > Cluster Services:
• a link to the Cluster Service Configuration below the Cluster Services node
• the <cfirewall_name Specific> (cfirewall) node with the following sub-nodes:
  Cfirewall Forwarding Settings (Firewall 2.1.2 Firewall Forwarding Settings, page 139)
  Local-Rules (see The Local Rules Section)
  Special-Rules (see The Special Rules Section)
  Specialnet (see Specialnet Node)

Fig. 1962 Configuration nodes of the Distributed-Firewall service - Server section

6.11.3 The Global Rules Section

6.11.3.1 Global-Rules Node

In the Global Rules section, rules valid for all Distributed-Firewall services bound to a specific cluster service are managed. To simplify maintenance, the global rules node can be linked into a repository. A consistent rule set architecture can thus be set up and administered.

6.11.3.2 Localnet Node

The Localnet configuration area serves for specification of Trusted Local Networks. These trusted networks are determined for cluster-service-wide use. Every value entered in the Trusted Local Networks dialog results in an entry in the Network Object localnet in the Global Rules section.

Note:
The values entered into the Trusted Local Networks configuration window are not visible in the configuration dialog of the Network Object localnet.

Note:
To enable configuration of specific rules related to trusted networks, the localnet network object has to be cascaded to the Local Rules section (see 6.11.1 Hierarchical Structure of Rule Sets, page 450). Do not forget to cascade the object back (Cascade Back) if a return to the workflow of the Global Rule Set is desired.

6.11.4 The Local Rules Section

Local Rules are defined per server-service. They can again contain a complete rule set with full functionality. The Local Rules section is only applicable if the Global Rules section allows it, that means it has cascaded the localnet object to the Local Rules section (see above).

6.11.5 The Special Rules Section

Special Rules as well are defined per server-service. The Special Rules section is only applicable if the Global Rules section allows it, that means it has cascaded the specialnet object to the Special Rules section (see below).

6.11.5.1 Specialnet Node

The Specialnet configuration area serves for specification of Special Networks. Specialnet objects are configured below the Distributed-Firewall Specific node, thus they only have server-service-wide validity. Every value in the Special Networks dialog results in an entry in the Network Object specialnet in the Global Rules section. A specialnet usually consists of a selective range of IP addresses which are additionally needed to configure a subset of rules, but are not wanted in the localnet.

Note:
The values entered into the Special Networks configuration window are not visible in the configuration dialog of the Network Object specialnet.

Note:
To enable configuration of specific rules related to special networks, the specialnet network object has to be cascaded to the Special Rules section (6.11.1 Hierarchical Structure of Rule Sets, page 450). Do not forget to cascade the object back (Cascade Back) if a return to the workflow of the Global Rule Set is desired.

Note:
Localnet objects have cluster-service-wide validity. Specialnet objects have server-service-wide validity.

Note:
Use the Local Rules section to define rules which can generally be applied to servers within a cluster and should be maintained centrally. Use the Special Rules section to define rules which should only apply to specific server services or network segments.

Local and Special Rules sections are generally suited for administration by distinct administrators. When delegating rule set administration, make sure to set the appropriate user rights on the Global-, Special- and Local Rules nodes, and on the Localnet and Specialnet nodes.

Note:
Administration rights for distinct Cascaded Firewall administrators can be set through permissions on the firewall related nodes in the configuration tree. Disallowed configuration areas will be set to read-only respectively.

6.11.6 Cascaded Firewall (Distributed-Firewall) - Configuration Example

A Holding enterprise owns 10 companies, each of them disposing of 10 locations. Firewalls are installed in every location. Each company has its own IT department. The locations of each company communicate with one another.

6.11.6.1 Initial Situation

The holding's security policy demands the following general standards to apply:
• POP3 requests to the Internet should always be blocked.
• Internet communication processing is only allowed via gateways (proxies, mail gateways, ...).
• Communication between the Holding itself and its 10 companies (Company A-J) is only allowed to be handled through global security policies (for example only Lotus Notes is allowed).

On the basis of these demands, the Cascaded Firewall can be set up as follows:

Fig. 1963 Exemplary Distributed-Firewall setup (labels: Cluster-service-wide configuration (linked to Repository); Protected node; Server-service-wide configuration)

• 11 clusters are set up in a range (one cluster for the Holding company itself, the other 10 clusters for each of its companies).
• A cfirewall service is introduced in each cluster.
• The network addresses of Companies A-J and their respective locations are entered into the Trusted Networks of the Holding's Localnet object.
• In the Range Repository, a rule set compliant with the Holding's policy is set up in the Global Rules section.
• The Global Rules sections of the companies' Distributed-Firewalls are linked to this Global Rules object in the Range Repository.

Fig. 1964 Content of the Global Rule Set, which is saved in the Range Repository

• Permissions of the Cluster Service node and the nodes below are set to read-only, in order to prevent changes of the Localnet and of the link to the Global Rules object in the Range Repository by the IT administrators in the companies (figure 1963 - Protected node).
• The right to change settings in the Local Rules section is assigned to the IT administrators of the companies.

Note:
With the settings depicted in figure 1964, only the right to change company internal settings is assigned to the IT administrators, as only the destination object localnet is cascaded. Thus, as desired, the IT administrators will not be able to change settings for Internet access.

6.11.6.2 Special Request 1

Company B needs to open Port 5555 to the Internet for data processing. Data transfer is only needed from company B's headquarters; the software handling the transfer process is installed on two client PCs. On the basis of these demands, the following configuration is possible:
• The IP addresses of the two client PCs are added to the Trusted Networks in the Specialnet object.
• A new cascading rule set allowing connections to port 5555 is added to the Global Rules section.

Fig. 1965 Cascading of the specialnet network object

• A new rule set configuring the handling of connections over port 5555 is set up in the Special Rules section of Company B.
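The rule-set workflow of figure 1960 and the delegation model of this example, as an added Python model that is not part of the Barracuda documentation or product: the Global set is walked first, a cascade rule hands the packet to the Local or Special set, Cascade Back resumes the Global set after the cascade rule, and a Local/Special rule may only name objects cascaded to its section. All network objects, addresses and rule names are constructed, and treating the end of a set without a match as a block is an assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Network objects as (include, exclude) lists of networks: an address matches an object when it lies
# in one of the includes and in none of the excludes. All addresses are constructed sample values.
NET_OBJECTS = {
    "localnet":   (["10.20.0.0/16"], []),                    # Trusted Local Networks, cluster-service-wide
    "specialnet": (["10.20.1.10/32", "10.20.1.11/32"], []),  # Special Networks (the two client PCs)
    "holdingnet": (["10.0.0.0/16"], []),                     # the Holding's own network (constructed)
    "proxy":      (["10.0.0.80/32"], []),                    # the Holding's Internet gateway (constructed)
    "Internet":   (["0.0.0.0/0"], ["10.0.0.0/8"]),           # everything outside the private space
    "any":        (["0.0.0.0/0"], []),
}

def in_object(name: str, ip: str) -> bool:
    inc, exc = NET_OBJECTS[name]
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in inc) and not any(addr in ip_network(n) for n in exc)

@dataclass
class Rule:
    name: str
    action: str                                # "pass", "block", "cascade" or "cascade_back"
    src: str = "any"
    dst: str = "any"
    service: Optional[Tuple[str, int]] = None  # (protocol, port); None matches any service
    target: Optional[str] = None               # section a "cascade" rule hands over to

def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if rule.action == "cascade_back":          # Cascade Back is unconditional
        return True
    if not (in_object(rule.src, src) and in_object(rule.dst, dst)):
        return False
    return rule.service is None or rule.service == (proto, port)

def cascaded_objects(global_rules):
    """Objects a cascaded section may reference: only those named in the Global cascade rule(s)."""
    allowed = {}
    for r in global_rules:
        if r.action == "cascade":
            allowed.setdefault(r.target, set()).update({r.src, r.dst})
    return allowed

def validate(sections):
    """List (section, rule, object) triples where a Local/Special rule uses an object never cascaded to it."""
    allowed = cascaded_objects(sections["global"])
    problems = []
    for sec in ("local", "special"):
        for r in sections.get(sec, []):
            if r.action == "cascade_back":
                continue
            for obj in (r.src, r.dst):
                if obj not in allowed.get(sec, set()):
                    problems.append((sec, r.name, obj))
    return problems

def evaluate(sections, src: str, dst: str, proto: str, port: int):
    """Return (verdict, section, rule): walk the Global set; a cascade runs the target set, and
    Cascade Back resumes the Global set directly after the cascade rule (figure 1960)."""
    for g in sections["global"]:
        if not matches(g, src, dst, proto, port):
            continue
        if g.action in ("pass", "block"):
            return (g.action, "global", g.name)
        for r in sections.get(g.target, []):    # the Local or Special section
            if not matches(r, src, dst, proto, port):
                continue
            if r.action == "cascade_back":
                break
            return (r.action, g.target, r.name)
        else:
            return ("block", g.target, "end-of-section")  # assumption: no Cascade Back means deny
    return ("block", "global", "default")                 # assumption: implicit default deny

# Holding-wide Global Rules (kept in the Range Repository): localnet is cascaded to the Local section,
# specialnet to the Special section; the rule contents are constructed after the scenario above.
GLOBAL = [
    Rule("BLOCK-POP3", "block", "any", "Internet", ("tcp", 110)),
    Rule("HOLDING-LOTUS-NOTES", "pass", "localnet", "holdingnet", ("tcp", 1352)),
    Rule("CASCADE-SPECIAL-5555", "cascade", "specialnet", "Internet", ("tcp", 5555), target="special"),
    Rule("CASCADE-LOCAL", "cascade", "localnet", "localnet", target="local"),
    Rule("INTRA-COMPANY-HTTP", "pass", "localnet", "localnet", ("tcp", 80)),
    Rule("INTERNET-VIA-PROXY", "pass", "localnet", "proxy", ("tcp", 8080)),
]
# Company B's Local Rules (maintained by the company's IT) and Special Rules (the two client PCs)
LOCAL = [Rule("B-FILE-SHARING", "pass", "localnet", "localnet", ("tcp", 445)), Rule("BACK", "cascade_back")]
SPECIAL = [Rule("B-PORT-5555", "pass", "specialnet", "Internet", ("tcp", 5555)), Rule("BACK", "cascade_back")]
SECTIONS = {"global": GLOBAL, "local": LOCAL, "special": SPECIAL}

if __name__ == "__main__":
    for flow in [("10.20.1.10", "198.51.100.5", "tcp", 110), ("10.20.1.10", "198.51.100.5", "tcp", 5555),
                 ("10.20.2.7", "198.51.100.5", "tcp", 5555), ("10.20.2.7", "10.20.3.3", "tcp", 445),
                 ("10.20.2.7", "10.20.3.3", "tcp", 80)]:
        print(flow, "->", evaluate(SECTIONS, *flow))
    # A Local rule naming an object never cascaded to the Local section is reported, not applied:
    print(validate({**SECTIONS, "local": LOCAL + [Rule("B-OPEN", "pass", "localnet", "Internet")]}))
```

The third flow shows why only cascading localnet keeps Internet access out of the companies' hands: a non-specialnet host reaching for port 5555 never leaves the Global set and hits the default block.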

6.11.6.3 Special Request 2

Migration of the e-mail system from Lotus Notes to Exchange Server is planned Holding- and Company-wide. Thus, the rules regarding the companies' communication with the Holding enterprise are to be adapted. On the basis of these demands, the following configuration is applicable:
• The rule set handling Lotus Notes communication in the Global Rules section is changed. The Service setting is changed from Lotus Notes to MS Exchange Server.

Fig. 1966 Rule allowing communication over MS Exchange Server

6.12 Supplement: Migration of a CC to a New Segment

The task is to move a Barracuda NG Control Center to a new segment. In the example network, the Barracuda NG Control Center is to be moved from the net 10.0.8.0/24 to the net 10.0.82.0/24.

Note:
It is assumed that the external IP address of the HQ border firewall (eth1: 172.31.80.3) remains unaffected.

The following network diagrams give an overview of the initial and the planned network configuration.

Fig. 1967 Initial network situation (Barracuda NG: 10.0.8.110, VIP: 10.0.8.128/28, eth0: 10.0.8.34; network 10.0.8.0/24; FW: 10.0.8.112, eth0: 10.0.8.100, eth1: 172.31.80.3; Box: Man: 10.0.81.1, VIP: 10.0.8.129)

Fig. 1968 Network after CC migration (Barracuda NG: 10.0.8.110 and 10.0.82.110, VIP: 10.0.8.128/28 and 10.0.82.128/28, eth0: 10.0.8.34 and 10.0.82.34; networks 10.0.8.0/24 and 10.0.82.0/24; FW: 10.0.8.112 and 10.0.82.112, eth0: 10.0.8.100 and 10.0.82.100, eth1: 172.31.80.3; Box: Man: 10.0.81.1, VIP: 10.0.8.129 and 10.0.82.129)

6.12.1 Preparing the Network for CC Migration to a New Network

The following preliminary steps must be taken before the actual migration of the Barracuda NG Control Center (CC).

Note:
Always remember to acknowledge network configuration changes by clicking OK, and to confirm the settings by clicking Send Changes and Activate.

Step 1 Introduce a new Box IP on the CC
Log into the Barracuda NG Control Center on box level using the MIP address 10.0.8.110. Introduce an Additional Box IP via Config > Box > Network > Networks view > section Additional Local Networks. In the example the new IP introduced is the address 10.0.82.110.

Note:
When introducing the new IP make sure to set the parameter Management IP in the Additional Local Networks section to yes.

Fig. 1969 Further Networks configuration dialog

Step 2 Introduce a second server IP on the CC box (Server configuration)
Browse to Config > Box > Virtual Servers > <servername> > Server Properties > General view > section Virtual Server IP Addresses. Insert the IP address 10.0.82.34 into the Second-IP field.

Step 3 Activate the new network configuration
Browse to Control > Box tab and click the Activate New button.

Step 4 Introduce additional Management IPs
Log into the Barracuda NG Control Center on server level using the CC tab and the CC IP 10.0.8.34. Browse to Config > Multi-Range > Global Settings > CC Identity > General tab.
Insert the IP addresses 10.0.82.34 and 10.0.82.110 into the field Additional CC IP Addresses.

Step 5 Introduce new Box VIP ranges
While you are still logged on CC level, browse to Config > Multi-Range > Global Settings > Box VIP Network Ranges. Introduce the net 10.0.82.128/28 as new Network Range.

Fig. 1970 Box VIP Network Ranges

Step 6 Adapt Routing on FW
Open the network configuration of the corresponding firewall via the configuration tree of the CC and set the Standard Routing (Config) to the new LAN (for example manLAN: 10.0.82.0/24). Confirm the new settings by clicking Send changes and Activate.

Note:
If you are migrating a HA (High Availability) system, do not forget to apply the changes on the HA partner as well.

Step 7 Introduce the additional Server IP on the Firewall (FW)
On the Barracuda NG Firewall employing the firewall browse to Config > Box > Servers > <servername> > Server Properties > General view > section Virtual Server IP Addresses. Insert the IP address 10.0.82.100 into the Additional IP field.

Note:
If you are migrating a HA (High Availability) system, do not forget to apply the changes on the HA partner as well.

Step 8 Introduce additional FW rule sets on the HQ border firewall
Only rules concerning the redirection of the remote management tunnels need to be adapted. Clone the needed existing rule sets, and perform the necessary changes on the clones.

Step 9 Ensure correct routing from the remote boxes to the CC

Step 10 Ensure external management access
To maintain connectivity when changing the VIP or in case of a remote management settings misconfiguration, make sure to configure management accesses to all boxes that work independently of the management VPN tunnels (for example define external management IPs on all boxes of the branch offices).

Step 11 Activate the new network configuration
Log into the Barracuda NG Control Center on box level. Browse to Control > Box tab and click Activate New.

6.12.2 Migrating the CC to a New Network

Note:
Administration of boxes will not be possible until the following steps are thoroughly accomplished and the migration is completed.

To relocate the CC to its new environment proceed as follows:

Step 1 Check Configuration Updates for successful completion
Log into the Barracuda NG Control Center on server level using the CC tab and the new CC IP 10.0.82.34. Browse to Control > Configuration Updates tab and check the update status messages in the list for all boxes bound to the Barracuda NG Control Center. Do not proceed with the following steps unless all updates have been completed successfully.

Step 2 Reconfigure remote managed boxes
Browse to Config > Multi-Range > <rangename> > <clustername> > Boxes > Box > Network > Management Access view > Remote Management Tunnel section.
Change the following network parameters:
• Virtual IP (VIP): Switch the Virtual IP from 10.0.8.129 to 10.0.82.129.
• Tunnel Details: Switch the Target Networks from 10.0.8.0/24 to 10.0.82.0/24. Switch the Reachable IPs from Server IP 10.0.8.34 to 10.0.82.34 and MIP 10.0.8.110 to 10.0.82.110.

Step 3 Activate the new network configuration on the boxes
Browse to Control > Box Execution. Click New Script to generate a script for activation of the new network configuration on all boxes.

Fig. 1971 Shell script "boxactivate" for box network activation

Name the script for example boxactivate. Add the following lines to it:
#!/bin/bash
cp /opt/phion/config/configroot/boxnet.conf /opt/phion/config/active/boxnet.conf
/etc/phion/bin/activate

Execute the script by selecting it in the Scripts tab and simultaneously selecting the boxes where it is to be executed in the window left of the Scripts tab. While all needed objects are selected, click the Create Task button in the Selected Boxes section. The script is now executed.

Step 4 Check Configuration Updates for successful completion
Browse to Control > Configuration Updates tab and check the update status messages for successful completion of the box network activation.

Step 5 Set the new CC IPs
To ensure that the correct CC IP address is used for communication, interchange the Management IPs created above in Step 4 Introduce additional Management IPs (see above). Switch the CC IPs 10.0.8.34 and 10.0.8.110 with the additional CC IPs 10.0.82.34 and 10.0.82.110 respectively.

Step 6 Delete obsolete rule sets on the HQ border firewall
Delete the former rule sets on the HQ border firewall which have been replaced through the introduction of additional rule sets bound to the new IPs in "Step 8 Introduce additional FW rule sets on the HQ border firewall" (see above).

Step 7 Assert the new network configuration
Log into the Barracuda NG Control Center on box level using the Box tab and the MIP 10.0.82.110. Browse to Control > Box tab and click the Activate New button. Select Soft activation from the available options.

Step 8 Perform a complete update via the Barracuda NG Control Center
Log into the Barracuda NG Control Center on server level using the CC tab and the CC IP 10.0.82.34. Browse to Control > Configuration Updates tab. Click the Update Now button.
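A pre-flight check for the Remote Management Tunnel changes of Step 2, as an added Python example that is not part of the Barracuda documentation or product. It uses the page's example addresses; the three conditions it checks (the VIP must fall within a configured Box VIP Network Range, the Reachable IPs must lie inside the Target Networks, and both new CC IPs must be among the Reachable IPs) are assumptions of this example about what keeps a box manageable, not rules stated in the guide.

```python
from ipaddress import ip_address, ip_network

# Address plan of the page's example network (old -> new); eth1 172.31.80.3 of the border firewall
# stays unchanged and therefore does not appear here.
ADDRESS_MAP = {
    "10.0.8.34": "10.0.82.34",     # CC server IP
    "10.0.8.110": "10.0.82.110",   # CC box MIP
    "10.0.8.100": "10.0.82.100",   # FW server IP
    "10.0.8.112": "10.0.82.112",   # FW box IP
    "10.0.8.129": "10.0.82.129",   # VIP of the remote box
}
NETWORK_MAP = {"10.0.8.0/24": "10.0.82.0/24"}
VIP_RANGES_BEFORE_STEP5 = ["10.0.8.128/28"]                     # Box VIP Network Ranges before 6.12.1 Step 5
VIP_RANGES_AFTER_STEP5 = ["10.0.8.128/28", "10.0.82.128/28"]    # ... and after it
NEW_CC_IPS = ["10.0.82.34", "10.0.82.110"]                      # server IP and MIP the boxes must reach

# Constructed Remote Management Tunnel section of one remote box before migration
OLD_TUNNEL = {"vip": "10.0.8.129",
              "target_networks": ["10.0.8.0/24"],
              "reachable_ips": ["10.0.8.34", "10.0.8.110"]}

def rewrite_tunnel(tunnel):
    """Apply the three parameter changes of Step 2 (VIP, Target Networks, Reachable IPs) to one box."""
    return {
        "vip": ADDRESS_MAP.get(tunnel["vip"], tunnel["vip"]),
        "target_networks": [NETWORK_MAP.get(n, n) for n in tunnel["target_networks"]],
        "reachable_ips": [ADDRESS_MAP.get(ip, ip) for ip in tunnel["reachable_ips"]],
    }

def check_tunnel(tunnel, vip_ranges, cc_ips):
    """Return the problems that would leave the box unmanageable once the new tunnel settings are
    active. The three conditions are assumptions of this example, not rules stated in the guide."""
    problems = []
    vip = ip_address(tunnel["vip"])
    if not any(vip in ip_network(r) for r in vip_ranges):
        problems.append(f"VIP {vip} lies in no configured Box VIP Network Range")
    nets = [ip_network(n) for n in tunnel["target_networks"]]
    for ip in tunnel["reachable_ips"]:
        if not any(ip_address(ip) in n for n in nets):
            problems.append(f"reachable IP {ip} is outside the tunnel's Target Networks")
    missing = [ip for ip in cc_ips if ip not in tunnel["reachable_ips"]]
    if missing:
        problems.append(f"CC IPs {missing} are not among the Reachable IPs")
    return problems

if __name__ == "__main__":
    new = rewrite_tunnel(OLD_TUNNEL)
    print(new)
    print("Step 5 skipped:", check_tunnel(new, VIP_RANGES_BEFORE_STEP5, NEW_CC_IPS))
    print("Step 5 done:   ", check_tunnel(new, VIP_RANGES_AFTER_STEP5, NEW_CC_IPS))
```

Running the check against a half-edited section (Target Networks switched, Reachable IPs still old) reports every address that would be unreachable, which is the lock-out the note at the top of 6.12.2 warns about.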

7. CC Database

7.1 Database User Interface

To access the Database user interface, log in to the CC on server level and select Database from the box menu. The CC Database area gives an overview of all ranges, clusters, boxes, servers, and services the Barracuda NG Control Center administers. The view is purely informational. Double-clicking an entry in any tab listing opens the selected object in the configuration tree of the CC.

The following tabs are available for operational purposes:
• Range tab, see 7.2 Range Tab, page 456
• Cluster tab, see 7.3 Cluster Tab, page 456
• Box tab, see 7.4 Box Tab, page 456
• Server tab, see 7.5 Server Tab, page 456
• Service tab, see 7.6 Service Tab, page 456

Note:
The button bar on top of the window is void of any functionality and may be ignored.

7.2 Range Tab

This tab provides information concerning all ranges that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the ranges and is split into columns that are named according to the parameters of the Range Configuration (see 6.4 Range Configuration, page 440).

7.3 Cluster Tab

This tab provides information concerning all clusters that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the clusters and is split into columns that are named according to the parameters of the Cluster Configuration (see 6.5 Cluster Configuration, page 442).

7.4 Box Tab

This tab provides information concerning all boxes that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the boxes and is split into columns that are named according to the parameters of the Box Configuration (see 6.6 Box Configuration, page 444).

7.5 Server Tab

This tab provides information concerning all servers that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the servers and is split into columns that are named according to the parameters of the Server Configuration (Configuration Service 3. Configuring a New Server, page 94).

7.6 Service Tab

This tab provides information concerning all services that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the services and is split into columns that are named according to the parameters of the Service Configuration (Configuration Service 4. Introducing a New Service, page 97).

8. CC Admins

8.1 Introduction

Administrators are managed in the Admins part of the CC.
But before we can start to describe the user interface and its functions, there are some theoretical points that need our attention.
The NGFW Administration Concept (AC) distinguishes between a stand-alone system and a system within a Barracuda NG Control Center cluster with CC, and offers different services for each kind of system.
Every Barracuda NG Firewall system disposes of the user root, who has unlimited rights in the entire system. In addition, the support user is granted access to the system via the operating system only.
If you need to work on the Barracuda NG Admin management interface, you may introduce so-called root aliases. Within the management layer, the status of these users is on equal terms with the status of root. On the other hand, there are no root aliases on the operating system layer; on that layer, system access is granted to no users other than the system users root and support. root and root alias also differ in the authentication mode: for authenticating the alias either an RSA 1024-bit key or a password can be used, whereas root is only authenticated through a password.
As all these users are counted among system users, the default access notification scheme that is configured for each particular service automatically applies to them.

Table 1916 Default user rights overview
User | Access via Barracuda NG Admin | Console login | SSH | Characteristics
root | yes, password or key | RSA keys, password | yes, password |
support | no | password | password | default Linux user, UID=9999
root alias | yes, password or key | RSA keys, password | no | optional, deactivation possible

The MD5 password hashes of root and support [UID=9999, group support] are stored in /etc/shadow (operative instance for system access) and in /opt/phion/config/configroot[active]/boxadm.conf (global configurative instance, operative instance for system access). Any authentication data of the root aliases is stored in these two files.
libpwdb has been manipulated to disable password changes on the command line via passwd for all users. libpwdb is required by the PAM module pam_pwdb.so and is used by default if the method for password changes requiring authentication via the admin DB has not been implemented. The implemented procedure provides for configurational and operational coherence of the authentication data entities.
System access of the user support is recommended for serial access on the box, as it is only of restricted use.
In addition to the basic services described above, the scope and the performance of the pAC is significantly broadened and enhanced in combination with a multi-administrator CC. Administrators are managed in the Barracuda NG Control Center and are reported to the Barracuda NG Firewall systems within their executive scope.
For high availability purposes, the administrators master and ha, equivalent to root, are introduced:
• ha is used for data synchronisation of two HA partner systems (for example fw-sync).
• master is used for configuration updates, status updates,
The user does not directly dispose of these admins; however, their names may appear in the corresponding log files of the box configuration daemon.

8.2 Concept

The following flowchart gives an overview of the prerequisites to be met when creating administrators.

Fig. 1972 Workflow for establishing an administration concept
[Flowchart steps: Define an administration concept; Create Administrative Roles (6.3.7 Global Settings - Administrative Roles, page 438); Define Node Properties (6.7 Defining Node Properties, page 445); Create the required administrators to fit the concept]


8.3 Admin User Interface

To access the Admin User Interface, log in to the CC on server level and select Admins from the box menu.

Fig. 1973 Admins tab

The user interface is divided into two configurational areas: a button bar on top of the window, and the Admins tab in the main window.
The buttons have the following functions:
• Activate button
Clicking Activate applies configuration changes.
• Undo button
Clicking Undo revokes configuration changes that have not yet been activated.
• New Entry button
Clicking New Entry allows creating a new administrator profile (see 8.3.1 Creating a New Admin Profile, page 458).
• Refresh button
Clicking Refresh updates the view in the Admin tab.

In the Admin tab existing administrator profiles can be arranged as follows:
• Order By Administrators
Arranges administrator profiles alphabetically by name.
• Order By Hierarchy
Arranges administrative scopes by range and cluster.
• Order By Roles
Arranges administrator profiles by assigned roles.
• Order By Level
Arranges administrator profiles by assigned administrative level.

The icons indicate the following:

Table 1917 Administration scopes overview
Type | Scope | Characteristics
root [CC cluster] | Entire assembly without right restrictions | root [CC] is inherited from the CC as basic single system (box) of the carrier system. Note: The root administrator is not evident in the administrator list, since he is always present in the system and not parameterisable.
(icon) | Global administration rights | Not editable.
(icon) | Administration rights on dedicated ranges | Not editable.
(icon) | Administration rights on dedicated clusters | Not editable.
(icon) | Global administration rights (linked) | Editable.
(icon) | Administration rights on linked ranges | Editable.
(icon) | Administration rights on linked clusters | Editable.
(icon) | Link information (range) | For information purpose only.
(icon) | Link information (cluster) | For information purpose only.

Note:
Icons that are displayed partly transparent indicate inherited, that means linked, access permissions.

8.3.1 Creating a New Admin Profile

Note:
Create administrative roles (see 6.3.7 Global Settings - Administrative Roles, page 438) and define node properties (see 6.7 Defining Node Properties, page 445) before creating a new administrator profile.

Step 1 Locking the data set
Click the Lock button to enable content modification in the Admins tab. Then click the New Entry button to open the Administrator configuration window.

Fig. 1974 Administrator configuration dialog
[Dialog callouts: Step 2 Defining General information, page 458; Step 4 Defining the Administrative Scope, page 459; Step 5 Defining the Operative Settings, page 460]

Step 2 Defining General information
In the General section the following options are available:

List 1926 Creating a new administrator - Administrator tab section General
Parameter | Description
Login Name | Here the administrator's name for the Barracuda NG Admin login is to be defined. Note: A unique ID must be assigned to every administrator. The ID may be adapted to your needs, though the following names may not be used: root, bin, adm, daemon, lp, system, sync, shutdown, halt, mail, operator, nobody, support, uucp (they have a special meaning in the OS); ha, master (they are already reserved by the Barracuda NG Firewall system).
Full Name | This parameter can hold either the administrator's full name or a description.


List 1926 Creating a new administrator - Administrator tab section General (continued)
Parameter | Description
Password | Via this parameter the password for the Barracuda NG Admin login has to be specified. The password has to be verified by re-entering it in the field Confirm. For additional parameters concerning configuration of password/key handling, check the Details tab (see below).

In addition to the parameters mentioned above, the Basic Data section offers an additional option:
disable checkbox | By ticking this check box, the administrator's profile is deactivated for further usage. Attention: Please take into consideration that disabling affects the system only as soon as the modified admin configuration is activated.
External Authentication field | If external authentication is required, the corresponding method can be selected here. The following authentication schemes are available: msnt - see Configuration Service 5.2.1.7 MSNT Authentication, page 115; ldap - see Configuration Service 5.2.1.3 LDAP Authentication, page 113; radius - see Configuration Service 5.2.1.4 Radius Authentication, page 114; msad - see Configuration Service 5.2.1.1 MSAD Authentication, page 111; rsaace - see Configuration Service 5.2.1.5 RSA-ACE Authentication, page 114. Note: Since it is mandatory that the to-be-used authentication scheme is configured on both the CC box and the administered box, Barracuda Networks highly recommends configuring the authentication schemes via the repository and then setting appropriate references.
External login name field | Here the login name configured within the corresponding authentication scheme has to be entered.

Step 3 Details tab
The Details tab makes further options for password and key handling available.

Fig. 1975 Administrator Details configuration dialog

List 1927 Creating a new administrator - Details tab section Password Parameters
Parameter | Description
Last Password Change | This parameter serves only an informational purpose (as it is read-only) and displays the number of days since the last time the password was changed.
Force password change every | Here the time interval for mandatory password changes can be specified. The menu to the right of this parameter offers the entries Days and Weeks to define the duration. As soon as this period expires, the administrator is forced to change the password. Selecting the menu entry Never deactivates this and the following parameters of the Password Parameters section.
Warning period before expiration | Specifies the number of days before the password expiry date on which a request for password change is displayed.
Grace period after expiration | Specifies the number of days after the password expiry date on which the password is still accepted.
Password must differ on change | This checkbox defines whether the current password may be re-used on password change.
Assigned Range | This parameter defines the visibility of configuration sessions. By selecting a range, only administrators authorized to configure this range see active configuration sessions of this administrator.
Authentication Level | This parameter defines the authentication that is required to access a system. The following types of authentication are available: Password or Key (default), Password, Key, Password AND Key.
Public Key | This section of the configuration dialog serves for handling the public key. The button Export/Import offers import options.
Peer IP Restriction | Specifies IP addresses and/or subnets of administration workstations on which Barracuda NG Admin runs.

Step 4 Defining the Administrative Scope
By assigning elements like range or cluster, the scope implicitly defines those systems to which the admin basically has access rights. The default settings only provide for GUI-based access. Optionally, the administrator may receive access rights to the operating system layer (shell login), which widens the scope.
Additionally, every administrator is granted access to the central services of the CC, whereas his view on the system is restricted to his administrative scope.

Note:
Access to the system layer is only provided for the CC root.

Note:
Please take into consideration that these settings are sorts-of "global" settings. If it is necessary to define administrative settings for specific services (for example the VPN server or the Firewall), those settings are made in the Service Properties of the corresponding service.

The section Administrative Scope provides the following settings:

List 1928 Creating a new administrator - Administrator tab section Administrative Scope
Parameter | Description
Range menu | This menu is used for assigning existing ranges to the administrator's scope. Beside the entries -ALL- (maximising the scope to all existing ranges) and the currently available ranges, the menu provides an additional entry -Linked-Only-. Selecting this option activates the Links menus where the scope may be customized. Note: When using the option -Linked-Only-, be sure to click the Add button after selecting in order to add the selection to the profile. The Range menu also steers the available options of the Cluster menu (see below). The following table shows the interconnections between the selected Range-menu entry and the available Cluster-menu entries:
Range menu entry | Cluster menu entries
-ALL- | -ALL-
-Linked-Only- | -Linked-Only-
any range | -ALL-, -Linked-Only-, any cluster


List 1928 Creating a new administrator - Administrator tab section Administrative Scope (continued)
Parameter | Description
Cluster menu | This menu is used for assigning existing clusters to the administrator's scope. Beside the entries -ALL- (maximising the scope to all existing clusters) and the currently available clusters, the menu provides an additional entry -Linked-Only-. Selecting this option activates the Links menus where the scope may be customized. Note: When using the option -Linked-Only-, be sure to click the Add button after selecting in order to add the selection to the profile.

Step 5 Defining the Operative Settings
This section specifies the administrator's rights. The following options are available:

List 1929 Creating a new administrator - Administrator tab section Operative Settings
Parameter | Description
Configuration Level | Via this parameter the access to configuration nodes is defined (see 6.7 Defining Node Properties, page 445).
Shell Level | This menu provides options to control the shell access of the administrator. The following entries are available: No_Login prevents the administrator from accessing the shell. Standard_Login allows access to the system on OS layer via a default/standard user account (home directory: user/phion/home/username). Attention: Everything a user saves to his home directory is deleted when he logs out. Restricted_Login permits system access via a restricted shell (rbash). This type of shell has several restrictions, as its name already implies, such as specifying commands containing slashes, changing directories by entering cd, ... Such a login also restricts any writing operation to the user's home directory.
Roles | This menu provides the currently available administrative roles (see 6.3.7 Global Settings - Administrative Roles, page 438). Be sure to click Add in order to assign the selected role(s).
Login Event | This menu specifies the way a login is recorded. The menu entry Service Default (default) is a reference to the settings made within the Access Notification (see 6.3.6 Global Settings - CC Access Notification, page 438). The entry Silent suppresses any event notification.

8.3.2 Context Menu
Right-clicking on an entry opens the context menu containing the following entries:
• Edit
Clicking Edit opens the configuration dialog for editing an available administrator profile.
• Remove
Clicking Remove deletes the selected profile.
• New
Clicking New (corresponding to clicking the New Entry button, see 8.3 Admin User Interface, page 458) opens the configuration window for creating a new profile.


9. CC Statistics

9.1 Service Configuration

The services CC Statistics Collector (dstatm) and CC Statistics Viewer (qstatm) are responsible for collecting and viewing statistics files generated on CC-administered boxes. They have to be introduced on the Barracuda NG Control Center box.

Note:
To introduce the services using the graphical administration tool Barracuda NG Admin, make sure to log on via the Box-Address (Main Box IP) of the Barracuda NG Control Center.

For a description of how to introduce servers and services on a Barracuda NG Firewall, see 3.1 Configuring the Box, page 418, and Configuration Service 4. Introducing a New Service, page 97.

Note:
A license for Barracuda NG Control Center Statistics is not included in Barracuda NG Control Center Entry Edition. On systems running this software version, the services CC Statistics Collector (dstatm) and CC Statistics Viewer (qstatm) are not applicable.

9.1.1 Configuring the CC Statistics Collector Service (dstatm)

To configure dstatm, log on to the CC box, in the box menu click Config, and then double-click Master Statistic Collection (accessible through Box > Virtual Servers > <servername> > Assigned Services > <servicename> (dstatm)).

Fig. 1976 Master Statistic Collection Configuration dialog

The following configuration options are available:

List 1930 Master Statistic Collection Configuration
Parameter | Description
Parallel connections for collection | This option defines the number of parallel connections for collection of statistics data.
Start Data Collection (hour) | This option defines the beginning of statistics data collection. The field expects a time specification using the international time format; for example, the value 4 triggers data collection initiation at 04:00, and the value 13 triggers data collection initiation at 13:00.
HA Sync Mode | Specification of the HA Sync Mode is required when the CC that collects statistical data operates as a High Availability (HA) system. On a solitary system, leave the default setting inactive. On an HA system set the HA Sync Mode to rsync, in order to activate statistics data synchronisation between the two HA partners. Note: Statistics data synchronisation is triggered by the script file mirrorstat that is executed on a regular basis. Data is synchronized over an SSH connection; thus, prior to synchronisation, mirrorstat establishes an SSH connection between the HA partners. It therefore expects the DSA key fingerprint of the HA partner to be known on the primary system. If the fingerprint is not yet known, because an SSH connection has not yet been established between the two systems, it cannot be processed any further. Therefore, if you are unsure about the status of the DSA key fingerprint, initiate an SSH connection from the CC to its HA partner manually prior to the statistics data synchronisation launch, in order to make the DSA key fingerprint known. To establish an SSH connection, at the command line interface on the CC type:
# ssh -lroot <HA partner IP>
Sync Timeout (s) | Timeout until the connection termination for synchronization will be executed (default 100 seconds).
Number of HA retries | This option is only available when HA Sync Mode is set to rsync. It specifies the number of retries for synchronisation of stored data.
Read Timeout in seconds for data | This parameter specifies the timeout when polling the boxes for statistical data (default: 60).

9.1.2 Configuring the CC Statistics Viewer Service (qstatm)

To configure qstatm, in the box menu click Config, and then double-click Service Properties (accessible through Box > Virtual Servers > <servername> > Assigned Services > <servicename> (qstatm)).
For a description of service configuration options see Configuration Service 4. Introducing a New Service, page 97.


9.2 Data Collection Configuration

On a Barracuda NG Control Center, statistics collection settings may be defined by range and by cluster, in which case cluster specific settings override range specific settings. Provided that CC-administered boxes are configured to supply statistics data (see 9.4 Transfer Settings, page 465), statistics files may be collected from multiple systems.

Note:
Cluster and range specific statistics collection configuration is done on the Barracuda NG Control Center. Therefore, when connecting to the CC with the graphical administration tool Barracuda NG Admin, make sure to log on via the CC-Address of the Barracuda NG Control Center.

9.2.1 Range Specific Settings

To configure range specific collection settings, in the box menu click Config, and then double-click Range Properties (accessible through Multi-Range > <rangename>).

Fig. 1977 Range Configuration dialog

To enable statistics data collection for all boxes within a range, set parameter Collect Statistics to yes (default).
When enabled, data will be collected as specified in the Transfer Settings section of each box within the range (see 9.4 Transfer Settings, page 465).

9.2.2 Cluster Specific Settings

To configure cluster specific collection settings, in the box menu click Config, and then double-click Cluster Properties (accessible through Multi-Range > <rangename> > <clustername>).

Fig. 1978 Cluster Configuration dialog

To enable statistics data collection for all boxes within the cluster, set parameter Collect Statistics to yes (default).
To inherit data collection configuration settings of the superordinate range, set parameter Collect Statistics to like-range.
When enabled, data will be collected as specified in the Transfer Settings section of each box within the cluster (see 9.4 Transfer Settings, page 465).


9.3 Compression Cooking and Deletion

Statistics files from CC-administered boxes are collected by the Barracuda NG Control Center as raw data, regardless of local cooking settings on the corresponding boxes themselves.
On a Barracuda NG Control Center, cooking settings for collected statistics files may be defined globally, by range or by cluster, in which case cluster specific settings override range specific settings, and these again override global settings. Cooking is done directly on the Barracuda NG Control Center. When statistics files are configured for deletion, they are deleted from the pool of transferred files on the CC and not on the boxes themselves.
Globally defined cooking settings do not apply to cooking of statistics data generated by the Barracuda NG Control Center itself. Instead, analogous to self-managed Barracuda NG Firewalls, local cooking settings may be configured separately (Statistics 3.1 Service Configuration, page 316).

Example:
On a Barracuda NG Control Center, two ranges (Range 1 and Range 2) are configured. Range 1 contains two clusters (Cluster A and Cluster B).
By default, global statistics settings will be used for all CC-controlled Barracuda NG Firewalls.
If specific statistics settings are defined for Range 1, these settings will be used for data originating from this range.
If specific statistics settings are defined for Cluster A, these settings will be used for data originating from this cluster. Boxes within Cluster B will use the specific statistics settings from Range 1.
All boxes within Range 2 will use the global statistics settings.

Local cooking and deletion of statistics data are processed on the boxes themselves and without coherence to the processes running on the CC. Local cooking settings are configurable separately on each box (Statistics 3.1 Service Configuration, page 316).

9.3.1 Global Settings

To configure global collection settings, in the box menu click Config, and then double-click Statistics Cook Settings (accessible through Multi-Range > Global Settings).

Fig. 1979 Statistics Cook Settings

The dialog allows configuration of cooking use and corresponding cooking settings for each type of statistics data.

List 1931 Statistics Cook Settings section Global Settings
Parameter | Description
Corrupted Data Action | This option defines the action dstats executes when it recognizes a corrupted DB file. The following options are available: Delete - deletes the corresponding DB file (default). Archive - moves the DB file to a lost+found directory. Note: Recognising a corrupted data file always triggers the event Corrupted Data File [150].

Settings for all types of statistics data are already defined by default. However, they may be modified freely to suit specific needs.

Fig. 1980 Cook Settings configuration dialog

The following cooking settings options are available:

List 1932 Statistics Cook Settings - Statistics Cooking section Cook Settings
Parameter | Description
In this section, it may be defined how dstats should handle specific data types.


List 1932 Statistics Cook Settings - Statistics Cooking section Cook Settings (continued)
Parameter | Description
Settings for | In this field, select the software module to whose statistics data the settings below should apply. In the list, all software modules with appropriate default configuration are available that generate statistics data. Optionally, Pattern-Match may be selected to define a file pattern that should apply for cooking of statistics data. Selecting Pattern-Match enables the Directory Pattern field below, which expects insertion of an applicable file pattern.
Directory Pattern | Pattern-Match settings apply to statistics files available in sub-folders of /var/phion/mainstat. Patterns may be specified by either inserting full folder names or by using wildcards (? and *), in which the question mark wildcard (?) stands for a single character and the asterisk wildcard (*) stands for an arbitrary number of characters. Attention: Generally, there is no need to make use of directory patterns when specifying cooking settings, as the default settings suffice for most needs. If you do use directory patterns, make sure that they do not interfere with the module settings configuration. For a specific data type always use EITHER module OR directory pattern settings. dstats works through the configured instances successively, and will omit directory patterns that apply to directories it has already processed. Additionally, for clearly arranged management, place directory patterns at the end of the configuration file. Example pattern: To include all statistics files starting with "conn" generated by Firewall services running on all servers starting with "S" in ranges 1 and 2, insert the following pattern structure. Actual file structure: /var/phion/mainstat/1/S1/service/FW/conn<xxx>, /var/phion/mainstat/1/S2/service/FW/conn<xxx>, /var/phion/mainstat/2/S3/service/FW/conn<xxx>. Directory pattern: */S?/service/FW/conn*. Attention: Avoid too openly defined patterns spanning multiple folders, such as */service/*/*. If you do use patterns spanning multiple folders, be aware of their implication and always position them at the list bottom.

List 1933 Statistics Cook Settings - Statistics Cooking section Type: Time
Parameter | Description
Note: Options in this section apply to Time statistics only (for example byte (Time for Dst), conn (Time for Src), ...).
Resolution 1h after (days) | Number of days after which the granularity of statistics data of type time should be increased to one hour. Data more recent than the inserted number of days will not be affected.
Resolution 1d after (days) | Number of days after which the granularity of statistics data of type time should be increased to one day. Note: The period between cooking from hour to day granularity has to be 2 days minimum. If set to 1 day it will result in a summary offset for hourly granularity of 0 days per instance. This will lead to an error message in the dstat log file similar to the following: Cannot create, file byte.hour_tot<cookInstStartTS> exists already.
Delete Data after (days) | Number of days after which statistics data of type time should be deleted.

List 1934 Statistics Cook Settings - Statistics Cooking section Type: Top
Parameter | Description
Note: Options in this section apply to Top statistics only (for example byte (Top Dst), conn (Top Src), ...).
Condense after (days) | Number of days after which statistics data of type top should be merged into larger temporal bins. Data more recent than the inserted number of days will not be affected.
Delete Data after (days) | Number of days after which statistics data of type top should be deleted.
Resolution | Available resolutions are weekly and monthly. Settings trigger data rearrangement so as to be representative of an entire week or a month. Attention: It is recommendable only to change this parameter as long as the system is not productive. Thoughtless modification may cause imprecise visualisation in the statistics viewer due to incomplete cook instances.

9.3.2 Range Specific Settings

To configure range specific cook settings, in the box menu click Config, and then double-click Range Properties (accessible through Multi-Range > <rangename>).
To enable specific Cook Settings for all boxes within a range, set parameter Own Cook Settings to yes (default: no) (see 6.4.2 Range-specific Settings, page 441).
For a description of configuration options see 9.3.1 Global Settings, page 463.

9.3.3 Cluster Specific Settings

To configure cluster specific cook settings, in the box menu click Config, and then double-click Cluster Properties (accessible through Multi-Range > <rangename> > <clustername>).
To enable specific Cook Settings for all boxes within a cluster, set parameter Own Cook Settings to yes (default: no) (see 6.5.2 Cluster-specific Settings, page 444).
For a description of configuration options see 9.3.1 Global Settings, page 463.

9.3.4 Local Settings

Note:
Local cook settings only affect the way statistics data is processed on the Barracuda NG Firewall itself. They have no impact on how the Barracuda NG Control Center processes the statistical data.

To configure local cook settings of a Barracuda NG Firewall, in the box menu click Config, and then double-click Statistics (accessible through Multi-Range > <rangename> > <clustername> > Boxes > <boxname> > Box Services).
For a description of configuration options see Statistics 3.1 Service Configuration, page 316.
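The cluster-over-range-over-global precedence from the example in 9.3 and the 2-day minimum between the 1h and 1d cooking steps from List 1933, as an added Python model that is not Barracuda's or dstats' own code; the class and function names and all day values are this example's own, and the check that Delete Data after exceeds Resolution 1d after is an assumption the guide does not state.

```python
"""Added example, not Barracuda's code: a model of the CC cook-settings
hierarchy (cluster overrides range overrides global) together with the
constraint the guide states for Time statistics.  The class and function
names are this example's own; all numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TimeCookSettings:
    """Cook Settings for statistics of type Time (List 1933), in days."""
    resolution_1h_after: int
    resolution_1d_after: int
    delete_data_after: int


def check_time_cook_settings(s: TimeCookSettings) -> List[str]:
    """Return the problems to fix before activating these settings.

    The guide requires at least 2 days between the hour and the day cooking
    step: with a 1-day gap the hourly summary offset per instance becomes
    0 days and dstat logs "Cannot create, file byte.hour_tot<...> exists
    already".
    """
    problems: List[str] = []
    if min(s.resolution_1h_after, s.resolution_1d_after, s.delete_data_after) < 0:
        problems.append("day counts must not be negative")
    gap = s.resolution_1d_after - s.resolution_1h_after
    if gap < 2:
        problems.append(
            f"Resolution 1d after ({s.resolution_1d_after}) must be at least 2 days "
            f"after Resolution 1h after ({s.resolution_1h_after}); gap is {gap}"
        )
    # Assumption of this example, not stated in the guide: data deleted
    # before it reaches day granularity makes the 1d step pointless.
    if s.delete_data_after <= s.resolution_1d_after:
        problems.append("Delete Data after should exceed Resolution 1d after")
    return problems


@dataclass
class CookHierarchy:
    """Own Cook Settings per level.  range_settings and cluster_settings hold
    entries only for ranges/clusters whose Own Cook Settings is yes."""
    global_settings: TimeCookSettings
    range_settings: Dict[str, TimeCookSettings]
    cluster_settings: Dict[Tuple[str, str], TimeCookSettings]

    def resolve(self, range_name: str, cluster_name: str) -> Tuple[str, TimeCookSettings]:
        """Effective settings for a box and the level they come from."""
        key = (range_name, cluster_name)
        if key in self.cluster_settings:
            return "cluster", self.cluster_settings[key]
        if range_name in self.range_settings:
            return "range", self.range_settings[range_name]
        return "global", self.global_settings

    def audit(self) -> Dict[str, List[str]]:
        """Problems per configured level, keyed by level name."""
        report: Dict[str, List[str]] = {}
        levels = [("global", self.global_settings)]
        levels += [(f"range {r}", s) for r, s in self.range_settings.items()]
        levels += [(f"cluster {r}/{c}", s) for (r, c), s in self.cluster_settings.items()]
        for name, settings in levels:
            problems = check_time_cook_settings(settings)
            if problems:
                report[name] = problems
        return report


# Constructed to mirror the guide's example: Range 1 holds Cluster A and
# Cluster B; Range 1 and Cluster A have own settings, Range 2 does not.
HIERARCHY = CookHierarchy(
    global_settings=TimeCookSettings(7, 30, 365),
    range_settings={"1": TimeCookSettings(3, 14, 180)},
    cluster_settings={("1", "A"): TimeCookSettings(1, 2, 90)},  # 1-day gap: invalid
)


def effective_level(range_name: str, cluster_name: str) -> str:
    """Which level's settings apply to a box in the given range/cluster."""
    return HIERARCHY.resolve(range_name, cluster_name)[0]


if __name__ == "__main__":
    for box in [("1", "A"), ("1", "B"), ("2", "C")]:
        print(box, "->", effective_level(*box))
    print(HIERARCHY.audit())
```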


9.4 Transfer Settings List 1935 Statistics Cook Settings - Transfer Settings

Parameter Description
The Transfer Settings sections is only available on Directory Pattern-Match settings apply to statistics files
Pattern available in sub-folders of /var/phion/mainstat.
CC-administered Barracuda NG Firewalls. Configuration is Patterns may be specified by either inserting full folder
required in context with collection of statistics files by the names or by using wildcards (? and *), in which the
CC Statistics Collector service (dstatm) running on the question mark wildcard (?) stands for a single
character and the asterisk wildcard (*) stands for an
Barracuda NG Control Center. arbitrary number of characters.
In the Transfer Settings section, define the statistics files Attention:
When using directory patterns, make sure that they do
which should be transferred to the Barracuda NG Control not interfere with the module settings configuration.
Center. For a specific data type always use EITHER module OR
directory pattern settings. dstats works through the
To configure transfer settings for a Barracuda NG Firewall, configured instances successively, and will omit
directory patterns that apply to directories it has
in the box menu click Config, and then double-click already processed.
Statistics (accessible through Multi-Range > <rangename> > <clustername> > Boxes > <boxname> > Infrastructure Services).

Fig. 1981 Transfer Settings configuration dialog

List 1935 Statistics Cook Settings - Transfer Settings

Settings for Parameter: In this field, select the software module to whose statistics data the settings below should apply. The list offers all software modules that generate statistics data. Optionally, Pattern-Match may be selected to define a file pattern that applies to the cooking of statistics data. Selecting Pattern-Match enables the Directory Pattern field below, which expects an applicable file pattern. For clearly arranged management, place directory patterns at the end of the configuration file.
Example pattern: to include all statistics files starting with "conn" that are generated by Firewall services running on all servers starting with "S" in ranges 1 and 2, insert the following pattern.
Actual file structure:
/var/phion/mainstat/1/S1/service/FW/conn<xxx>
/var/phion/mainstat/1/S2/service/FW/conn<xxx>
/var/phion/mainstat/2/S3/service/FW/conn<xxx>
Directory pattern:
*/S?/service/FW/conn*
Attention:
Avoid too openly defined patterns spanning multiple folders, such as */service/*/*. If you do use patterns spanning multiple folders, be aware of their implications and always position them at the bottom of the list.

Data Types for Service: From this list, select the statistics type(s) that should be transferred to the Barracuda NG Control Center. Multiple selections are possible. Add each type by clicking the Insert button.

Included subservice directories: Into this field, insert the subservices that should be included in the statistics file transfer.
Note:
Subservices may only be specified for server modules.

Data Types for Subservice: From this list, select the subservice statistics type(s) that should be transferred to the Barracuda NG Control Center. Multiple selections are possible. Add each type by clicking the Insert button.

Cascading Included: When set to yes (default: no), all cascaded sub-folders (indicated by an icon) in an included subservice are transferred.

Parameter Resolution: When set to High (default: Standard), all sub-folders of an included subservice are transferred.
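The directory pattern above, applied in code. This is an added example and not part of the Barracuda documentation or product: the file list is constructed, and the first-match-wins ordering (the reason the guide wants broad patterns at the bottom of the list) is an assumption about the cook process made for illustration. Patterns are matched with shell-style globbing in which `*` may span `/`, which is exactly what makes `*/service/*/*` so broad.

```python
"""Ordered directory-pattern matching for statistics transfer settings.

Added example, not Barracuda documentation or product code. It shows how
shell-style directory patterns select statistics files below the main
statistics directory, and why a broad pattern placed above a specific one
shadows it. First-match-wins ordering is an assumption for illustration.
"""
from fnmatch import fnmatchcase

MAINSTAT = "/var/phion/mainstat/"   # base directory named in the guide

# Constructed sample files: <range>/<server>/service/<module>/<file>
SAMPLE_FILES = [
    "/var/phion/mainstat/1/S1/service/FW/conn001",
    "/var/phion/mainstat/1/S2/service/FW/conn002",
    "/var/phion/mainstat/2/S3/service/FW/conn003",
    "/var/phion/mainstat/2/S3/service/FW/top001",    # not a conn file
    "/var/phion/mainstat/1/S10/service/FW/conn004",  # 'S?' matches one char only
    "/var/phion/mainstat/1/S1/service/DHCP/leases",  # other service module
]

SPECIFIC = "*/S?/service/FW/conn*"   # the guide's example pattern
BROAD = "*/service/*/*"              # the kind of pattern the guide warns about


def relative(path):
    """Strip the mainstat prefix so patterns apply to range/server/... only."""
    if not path.startswith(MAINSTAT):
        raise ValueError("not below the statistics directory: " + path)
    return path[len(MAINSTAT):]


def first_match(path, patterns):
    """Return the first pattern in list order that matches, or None."""
    rel = relative(path)
    for pat in patterns:
        # fnmatchcase: '*' also crosses '/', as in the guide's own examples
        if fnmatchcase(rel, pat):
            return pat
    return None


def select_files(paths, patterns):
    """Group files by the pattern that claimed them (first match wins)."""
    claimed = {pat: [] for pat in patterns}
    for p in paths:
        pat = first_match(p, patterns)
        if pat is not None:
            claimed[pat].append(p)
    return claimed


if __name__ == "__main__":
    for order in ([SPECIFIC, BROAD], [BROAD, SPECIFIC]):
        counts = {pat: len(v) for pat, v in select_files(SAMPLE_FILES, order).items()}
        print("order", order, "->", counts)
```

With the conn pattern listed first it claims the three conn files and the broad pattern picks up the rest; with the broad pattern listed first it claims every file, including the DHCP and top files, and the conn pattern selects nothing.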

9.4.1 Examples for Transfer Settings

9.4.1.1 Transfer all Box and Server Files

Fig. 1982 Transfer Settings - box and server files

9.4.2 Partial Transfer

Fig. 1983 Transfer Settings - partial transfer

9.5 Recovery and State Analysis of Poll Sessions

Table 1918 Error analysis of poll sessions

Session state | Analysis of error scenarios | Necessary action | Box state
Idle | cannot connect to box | IGNORE | CLEAN
Connected | cannot receive transfer files ('toSend.timestamp') from box | IGNORE | CLEAN
State_Received | cannot perform calculation of statistic file list; received transfer files remain in the box-specific state directory and are ignored in subsequent poll sessions | IGNORE | CLEAN
State_Processed | a dist-operation fails; no problem, because these operations are transaction protected | IGNORE | CLEAN
Data_Received | data files are either successfully merged or stored within the temporary data directory; the box state is dirty because a synchronisation with the HA partner would result in inconsistent data (files in the temporary data path are not synced) | RECOVERY | DIRTY
Data_Processed | masterAccept file cannot be created, or masterAccept file cannot be sent | RESEND_ACK | DIRTY
State_Updated | cannot remove temporary data directory (because it is not empty); cannot remove obsoleted state files | INTERNAL | DIRTY

9.5.1 Get Statistic and Recover

In some cases statistic collection needs to be triggered on demand, or the statistic collection process has to be re-initiated after a malfunction. In the Statistic collection tab of a Barracuda NG Control Center GUI, each box that polls statistics to a Barracuda NG Control Center is listed.

- Right-click a box to open the context menu.
- Click Get Statistic to trigger statistic collection, or
- Click Recover to start a recovery process in case of a malfunction of statistic collection.

10. CC Eventing

Event forwarding is based on a 2-way communication between the Box event module running on the operative Barracuda NG Firewall (Box) and the CC Event Service module running on a Barracuda NG Control Center (CC).

10.1 Example

The following example illustrates how this communication process works.

Step 1 Box event
An event is generated on a Barracuda NG Firewall and introduced into the event system on the box.
Fig. 1984 Box event (Box: event generated; CC not yet involved)

Step 2 Event propagation
The event is propagated to the CC, and the CC confirms the reception by sending an acknowledgement (ACK) to the emitter of the event.
Note:
The emitter retransmits its event until it receives an ACK from the CC.
Fig. 1985 Box event propagation to CC (Box -> CC: event propagation; CC -> Box: acknowledgement)

Step 3 Event introduced to CC Event Service module
As soon as the event is transmitted to the CC, it is introduced into the CC Event Service module and can be viewed and modified within the CC Event Service monitor GUI.
Fig. 1986 CC: Box event occurred (Box; CC: box event)

Step 4 Alternative a: CC Event Service status changed
If the status of the event is modified on the CC, the status change is propagated from the CC to the Box, which confirms the changed status by sending an ACK.
Note:
The status change notification is retransmitted until the CC receives an ACK from the Box.
Fig. 1987 CC Event Service status changed (CC -> Box: event status changed; Box -> CC: acknowledgement)

Step 5 Alternative b: Box event status changed
If the event status is modified on the Box that generated the event, the status change is propagated to the CC Event Service, which confirms the new status by sending an ACK.
Note:
The status change notification is retransmitted until the Box receives an ACK from the CC.
Fig. 1988 Box: Event status changed (Box -> CC: event status changed; CC -> Box: acknowledgement)

Step 6 Alternative c: CC event deleted
If the event is deleted on the CC, the CC sends the deletion request to the Box. The Box deletes the event and returns an acknowledgement to the CC, where the event is then deleted as well.
Fig. 1989 CC: Delete Event (CC -> Box: delete event; Box -> CC: acknowledgement)

Step 7 Alternative d: Box event deleted
If the event is deleted directly on the Box, the procedure is the same as described above. The difference is that the Box sends the deletion request to the CC and awaits the acknowledgement before the event is finally deleted.
Fig. 1990 Box: Delete Event (Box -> CC: delete event; CC -> Box: acknowledgement)
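The exchange of Steps 1 to 7 as a small simulation. This is an added example and not Barracuda product code or documentation: message names, the retry bound (the guide only says a message is retransmitted until acknowledged), the lossy link and the event texts are assumptions for illustration. Both sides run the same logic, which is the point: a status change or deletion is only final on the emitter once the peer has acknowledged it.

```python
"""Box <-> CC event forwarding with acknowledgements.

Added example, not Barracuda product code or documentation: a minimal model of
the exchange in Steps 1 to 7, where each event, status change and deletion is
resent by its emitter until the peer acknowledges it. Message names, the retry
bound, the lossy link and the event ids are assumptions for illustration.
"""
from dataclasses import dataclass

MAX_RETRIES = 5   # assumption; the guide only says "retransmitted until ACK"


@dataclass
class Msg:
    kind: str          # "EVENT", "STATUS" or "DELETE"
    event_id: int
    status: str = ""   # carried by EVENT and STATUS


class LossyLink:
    """Constructed link that drops the first `drops` deliveries, then works."""

    def __init__(self, drops=0):
        self.drops = drops
        self.delivered = 0
        self.lost = 0

    def deliver(self, peer, msg):
        if self.drops > 0:
            self.drops -= 1
            self.lost += 1
            return None                 # message lost: no ACK comes back
        self.delivered += 1
        return peer.receive(msg)


class Node:
    """Box event module or CC Event Service; both sides run the same logic."""

    def __init__(self, name):
        self.name = name
        self.events = {}   # event_id -> status
        self.peer = None
        self.link = None

    def receive(self, msg):
        """Apply the peer's message to the local event store and return an ACK."""
        if msg.kind == "EVENT":
            self.events[msg.event_id] = msg.status
        elif msg.kind == "STATUS" and msg.event_id in self.events:
            self.events[msg.event_id] = msg.status
        elif msg.kind == "DELETE":
            self.events.pop(msg.event_id, None)
        return ("ACK", msg.kind, msg.event_id)

    def send_until_acked(self, msg):
        """Retransmit until the matching ACK arrives; returns the attempt count."""
        for attempt in range(1, MAX_RETRIES + 1):
            if self.link.deliver(self.peer, msg) == ("ACK", msg.kind, msg.event_id):
                return attempt
        raise RuntimeError(f"{self.name}: no ACK for {msg.kind} {msg.event_id}")

    def raise_event(self, event_id, status="new"):
        """Steps 1 and 2: introduce the event locally, then propagate it."""
        self.events[event_id] = status
        return self.send_until_acked(Msg("EVENT", event_id, status))

    def change_status(self, event_id, status):
        """Steps 4 and 5: status changed locally, notify the peer until ACKed."""
        self.events[event_id] = status
        return self.send_until_acked(Msg("STATUS", event_id, status))

    def delete_event(self, event_id):
        """Steps 6 and 7: the peer deletes first; the local copy goes after the ACK."""
        attempts = self.send_until_acked(Msg("DELETE", event_id))
        self.events.pop(event_id, None)
        return attempts


def connect(box, cc, drops=0):
    """Wire two nodes together over one shared (possibly lossy) link."""
    link = LossyLink(drops)
    box.peer, cc.peer = cc, box
    box.link = cc.link = link
    return link


def run_scenario(drops=2):
    """Walk through Steps 1 to 7 with the first `drops` deliveries lost."""
    box, cc = Node("box"), Node("cc")
    link = connect(box, cc, drops)
    box.raise_event(1)                   # Steps 1-3; retried while the link drops
    cc.change_status(1, "confirmed")     # alternative a
    box.change_status(1, "in progress")  # alternative b
    cc.delete_event(1)                   # alternative c
    box.raise_event(2)
    box.delete_event(2)                  # alternative d
    return box, cc, link


if __name__ == "__main__":
    b, c, l = run_scenario()
    print(f"lost={l.lost} delivered={l.delivered} box={b.events} cc={c.events}")
```

Running the scenario with two dropped deliveries shows the first event reaching the CC on the third attempt and both event stores empty at the end; raising the drop count to MAX_RETRIES leaves the event on the Box only, which is the state a stuck emitter is in until connectivity returns.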

10.2 Event User Interface

Note:
For a detailed introduction to the Event user interface, please consult Eventing, page 321. This document only states the differences between the CC Event Service GUI and the Box Event GUI.

The main difference between the two Event GUIs is that the CC Event Service user interface displays the events of all boxes that are managed by the CC, while the Box Event user interface displays the events of a specific box.

If an administrator has a limited administrative scope, the CC Event Service user interface shows only events of those boxes (Barracuda NG Firewalls) that are within his administrative scope (see 8.3.1 Creating a New Admin Profile, Step 4 Defining the Administrative Scope, page 459).

To open the CC Event Service user interface, log on to an existing Barracuda NG Control Center (using the CC tab in the Barracuda NG Admin login window) and click the Event button in the CC menu bar.

Attention:
The CC Event Service user interface only displays events created on CC-managed Barracuda NG Firewalls. To see events created by the CC box itself, log in to the CC box directly (by entering the box's IP address in the Box tab of the Barracuda NG Admin login dialog).

The CC Event Service user interface is handled in the same way as the Box Event GUI. Please consult Eventing 2.2 Event Monitoring, page 327 for further information.
For a complete list of all available events, see System Information 5. List of Default Events, page 536.

10.2.1 Context Menu

The context menu offers the same options as described in Eventing 2.2.1.1 Context Menu, page 328.

10.3 Event Configuration

Note:
This document only covers the special configuration options that are offered when using a Barracuda NG Control Center. For information on how to configure an event, please consult Eventing 2. Event Configuration, page 322.

With a Barracuda NG Control Center you are able to define different event configurations for specific ranges and specific clusters.

Note:
The propagation of an event has to be configured within the box configuration.

Due to the hierarchical structure of the CC, events can be configured on several levels, depending on the requirements of your security policy.

10.3.1 Global Event Settings

These settings affect all events that are propagated from the Barracuda NG Firewalls to the Barracuda NG Control Center unless you have defined range- or cluster-specific event settings.

To modify the global event settings, select Multi-Range > Global Settings > Eventing in the MC's configuration tree (see 6.3.1 Global Settings - Eventing, page 435).

Note:
After having made the required modifications, make sure to click Send Changes and Activate in order to activate the new configuration.

10.3.2 Range-specific Event Settings

Range-specific event settings are used if multiple ranges requiring individual event settings are defined in the CC configuration tree.

To configure range-specific event settings, first set the parameter Own Event Settings (Multi-Range > <rangename> > Range Properties) to yes. As soon as this is done, the node Multi-Range > <rangename> > Range Settings offers the entry Eventing, where the range-specific event settings are configured.
The configuration itself is the same as described under Eventing 2. Event Configuration, page 322.

Note:
After having made the required modifications, make sure to click Send Changes and Activate in order to activate the new configuration.



470 | CC Eventing > Event Propagation Barracuda NG Control Center

10.3.3 Cluster-specific Event Settings

Cluster-specific event settings are used if multiple clusters requiring individual event settings are defined in the CC configuration tree.
To configure cluster-specific event settings, first set the parameter Multi-Range > <rangename> > <clustername> > Cluster Properties > Own Event Settings to yes. As soon as this is done, the node Multi-Range > <rangename> > <clustername> > Cluster Settings offers the entry Eventing, where the cluster-specific event settings are configured.
The configuration itself is the same as described under Eventing 2. Event Configuration, page 322.

Note:
After having made the required modifications, make sure to click Send Changes and Activate in order to activate the new configuration.

10.3.4 Box-specific Event Settings

In contrast to the global event settings and the range/cluster-specific event settings, the box-specific settings only affect the way events are processed by the box's event system. Therefore the effect of these settings can only be seen if you are directly connected to the Event user interface of the corresponding Barracuda NG Firewall.
The configuration itself is the same as described under Eventing 2. Event Configuration, page 322.

Note:
After having made the required modifications, make sure to click the buttons Send Changes and Activate in order to activate the new configuration.

10.4 Event Propagation

Via the MC's eventing you are able to define whether a specific event or all events of a range/cluster/box should be propagated to the Barracuda NG Control Center.

10.4.1 No Propagation at all

To define that no events from a range/cluster/box should be propagated to the CC, open the range-/cluster-/box-specific event settings (as described above), open the Basic tab, and simply clear the option Send Event to CC.

Note:
When finished with the required modifications, make sure to click the buttons Send Changes and Activate in order to activate the new configuration.

10.4.2 Severity-sensitive Propagation

To define that events of a particular severity from a range/cluster/box should not be propagated to the CC, open the range-/cluster-/box-specific event settings (as described above), open the Severity tab, open the wanted severity and simply clear the option Propagate to Master. Events of that severity then remain visible only in the Event user interface of the box itself.

Note:
When finished with the required modifications, make sure to click the buttons Send Changes and Activate in order to activate the new configuration.

11. CC Syslog

11.1 Overview

Note:
Before starting to work with Syslog Proxy and CC Syslog, it is recommended to have read and understood Log Viewer, page 305.

This service is intended for collecting log messages from managed Barracuda NG Firewalls and streaming these log messages to an external log host or sending them to the HA partner.
Basically, syslog streaming consists of three major steps:

Step 1 Log reception
Step 2 Log processing
Step 3 Log delivery

11.1.1 Log Reception

Fig. 1991 Example for log reception via port 5144 and/or 5143
(Managed boxes send to the service IPs of the CC box. UDP/TCP 5144 goes directly to the syslog-engine. 5143 (SSL) is terminated by an stunnel server, which hands the plaintext to the syslog-engine on TCP 127.0.0.1:5143; its log files are created in <server>_<service>_csslsrv.)

Log reception via port 5144:
Since connections to the syslog-engine are unencrypted and unauthenticated, the firewall default settings restrict access to port 5144, for both TCP and UDP, to:
- managed boxes only
- access via VPN tunnel only.

Log reception via port 5143:
Using port 5143 for log reception enables managed boxes without management tunnels to connect to the CC box via an SSL connection. SSL provides both encryption and authentication of the CC box towards the connecting box (and, with client certificates, of the connecting box towards the CC; see 11.3.2 Trusted Data Reception).

11.1.2 Log Processing

The following flowchart offers a very basic overview of log processing:

Fig. 1992 Log processing flowchart
(Log messages are received. Write to local disk? Yes: log messages are saved to local disk. Stream to external loghost? Yes: log messages are filtered, then streamed to the external loghost. Relay to HA partner? Yes: log messages are relayed to the HA partner. Messages for which none of these apply are discarded.)

11.1.3 Log Delivery

11.1.3.1 Log Delivery to Local Disk

Fig. 1993 Example for message delivery to local disk
(Log messages -> log reception -> syslog-engine -> /var/phion/mlogs/ (default))

11.1.3.2 Log Delivery via Private Uplink (HA Sync)

Fig. 1994 Example for an HA sync via private uplink (using the override IPs is mandatory)
(Log messages -> log reception -> syslog-engine on HA1, which writes to /var/phion/mlogs/ (default) and forwards to the syslog-engine on HA2. By default the partners talk via their box IPs over the switch; with override IPs the additional uplink is used instead. The transfer itself runs over an SSH connection (port 5145) with local port forwarding, 127.0.0.1:5146 on HA1 and 127.0.0.1:5147 on HA2; both partners store to /var/phion/mlogs/ (default).)

11.1.3.3 Log Delivery by Relaying

When relaying log messages to an external log host, Barracuda NG Firewall provides three different methods to perform the task (SSL cipher used: AES-128):

- SSL active querying
This type describes relaying to an external log host that has permanent read access to the CC-box-internal FIFO module (figure 1995), that is, the syslog service is the SSL server.
Fig. 1995 Example for successful active SSL querying
(Log messages -> log reception -> syslog-engine -> FIFO on the CC box. An stunnel server (log files created in <server>_<service>_sslsrv) accepts the SSL connection from the external log host on port 5244; the log host establishes the connection and constantly reads from the FIFO, so data flows from the CC box to the log host.)
If this read access is not provided (for example because the log host is down), log messages cannot be transferred. Especially with an HA Barracuda NG Control Center this way of transferring is not recommended.

- SSL passive receiving
This type describes relaying to an external log host via loopback on the CC box (figure 1996), that is, the syslog service is the SSL client.
Fig. 1996 Example for passive SSL receiving
(Log messages -> log reception -> syslog-engine -> 127.0.0.1:5144 -> stunnel client on the CC box (log files created in <server>_<service>_sslclt) -> SSL connection -> external log host, which is listening. The CC box establishes the connection and data flows from the CC box to the log host.)
This way of transferring should be used for an HA Barracuda NG Control Center because the external log host does not need to know which partner is currently active.

- Plain passive receiving
This type describes standard syslog streaming without an SSL connection.

11.2 Installing

To install the CC Syslog Service, simply follow the instructions in Configuration Service 4. Introducing a New Service, page 97, and select CC Syslog Service as Software Module.

11.3 Configuring

Besides the standard Service Properties that each software module provides, configuring takes place in the CC Syslog Service of the CC box. Therefore, enter the Barracuda NG Control Center on box level and select Box > Virtual Servers > <servername> > Assigned Services > <servicename> (msyslog) > CC Syslog Service.

11.3.1 Basic Setup

List 1936 CC Syslog Server configuration section Operational Setup

Idle Mode: Syslogging is activated by default (setting no, that means not idle). When active, the service listens for incoming log messages from its managed boxes and processes them as configured through the following parameters. Even when idle (setting yes) it still listens for incoming messages, to avoid ICMP Port Unreachable messages being sent back to the connecting systems; it then simply discards the received messages.

List 1936 CC Syslog Server configuration section Operational Setup (continued)

Run as User: Note: This parameter is only available in Advanced View mode. This parameter defines the user name that is used when synchronising the log with the HA partner system. By default this parameter is set to the system user msyslog. By ticking the checkbox Other (to the right) you may enter any other name.
Attention: Once set, do not change.

User ID: Note: This parameter is only available in Advanced View mode. Here the ID of the system user (parameter Run as User, see above) is defined (default: 7999).

Service Key: This parameter is required for authentication against connecting clients using the SSL connections. To create a new 1024-bit SSL private key, simply click the New Key button. To the right of this line the hash of the certificate is displayed. By default, creating a new SSL private key results in a freshly generated Service Certificate (see below) that is automatically signed with the new private key.
Note: a 1024-bit RSA key is below current key-length recommendations; treat it as the weakest link of this trust chain and regenerate key and certificate together when the product offers a longer key.

Service Certificate: This certificate is required for SSL connections, regardless of whether they are passive or active ones. Via the button Show the certificate is displayed, and via the button Edit the certificate may be modified. Again, the hash is displayed to the right.
Attention: It is mandatory that both the SSL Private Key AND the SSL Certificate have the same hash.

Support Trusted Data Reception: If this parameter is set to yes (as it is by default), the service listens for incoming SSL connections on the configured IPs and the defined SSL Listen Port (port 5143; Trusted Data Reception view).
Note: This option is not needed when managed boxes deliver log content through a box management tunnel. Boxes without a management tunnel should use the SSL option for delivery. In this case do not set this option to no, and configure the affected boxes to use SSL for log delivery.

Store on Disk: Setting this parameter to yes (default: no) writes the incoming log messages to the specified logging path (customisable via parameter Local Log Directory, see 11.3.3 Local Storage, page 474). By default the logging path is /var/phion/mlogs.

Sync to HA Partner: This parameter enables the real-time transfer of log messages to the HA partner. It is only available if parameter Store on Disk is set to yes. Synchronising takes place via an SSHv2 tunnel between the HA partners. For the configuration of this synchronisation, see 11.3.4 HA Synchronization, page 474.

External Relaying: This parameter enables the optional transfer of log messages to external log hosts. By default this parameter is set to no. For the configuration of external relaying, see 11.3.5 Relaying Setup, page 475.

List 1937 CC Syslog Server configuration section Plain Data Reception

Note: This parameter set is only available in Advanced View mode.

Supported Protocols: Via this parameter you define what kind of sockets are available for incoming log messages. Available options are UDP&TCP (opens a UDP and a TCP socket; default), UDP (opens a UDP socket only) and TCP (opens a TCP socket only).

UDP Port: This parameter is only available as long as the parameter Supported Protocols contains a UDP option, and defines the port used for receiving log messages (default: 5144).
Attention: If you change this port assignment to another port (use a port higher than 1024), you need to adjust the local firewall rule set on the CC box.

TCP Port: This parameter is only available as long as the parameter Supported Protocols contains a TCP option, and defines the port used for receiving log messages (default: 5144).
Attention: If you change this port assignment to another port (use a port higher than 1024), you need to adjust the local firewall rule set on the CC box.

List 1938 CC Syslog Server configuration section Tuning Parameters

Note: This parameter set is only available in Advanced View mode.

Message Queue Size: Via this parameter you define the maximum size of the out-message queue used when messages are not immediately deliverable (default: 16384). The out-message queue is used when writing to disk, transferring to the HA partner or relaying logs to external log hosts.

Max TCP Connections: This parameter is only available as long as the parameter Supported Protocols contains a TCP option, and defines the maximum number of concurrent incoming TCP connections (default: 50). The limit protects the service against resource exhaustion by connection floods (DoS).

GC Idle Threshold: This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated when idle (that means no messages within 10 ms; default: 200).

GC Busy Threshold: This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated even when busy (default: 3000). If this limit is exceeded, messages will be lost.

11.3.2 Trusted Data Reception

Note:
This parameter set is only available with parameter Support Trusted Data Reception (Basic Setup view) set to yes.

List 1939 CC Syslog Server configuration - Trusted Data Reception

SSL Listen Port: Note: This parameter is only available in Advanced View mode. This parameter defines the listening port for SSL connections (default: 5143).

SSL Busy Timeout [s]: Note: Advanced View mode only. This timeout defines for how long (in seconds) an SSL connection may be in busy condition until it is terminated (default: 300).

SSL Close Timeout [s]: Note: Advanced View mode only. This timeout defines for how long (in seconds) an SSL connection may be in close condition until it is terminated (default: 60).

SSL Idle Timeout [s]: Note: Advanced View mode only. This timeout defines for how long (in seconds) an SSL connection may be in idle condition until it is terminated (default: 43200).

List 1940 CC Syslog Server configuration - Trusted Data Reception section SSL Client Authentication

Service Certificate: Via this menu the service certificate to be used is selected (default: Use_MC_SSL_Cert, that means the SSL certificate of the Barracuda NG Control Center is used for authentication, see 6.3.4.2 Trust Chain, page 437). When using option Use_MC_SSL_Cert it is highly recommended to use verify_peer_certificate as type of Client Authentication.
Attention: When updating (not newly installing) the system from any version prior to version 2.4.2 (all versions up to 2.4.1-x), the CC SSL Certificate is not yet present. To create the certificate, open the CC Identity file and make a dummy change followed by activation. Barracuda NG Firewall versions 2.4.2 and higher already contain the certificate, so this step is not needed.

Client Authentication: Here you define the way clients authenticate themselves (default: verify_peer_with_locally_installed_certificate).

Trusted Clients: This section is used for importing/exporting the client certificates required for authentication when using SSL-based log delivery to the CC.

11.3.3 Local Storage

This tab is used for configuring the local behaviour of the syslog service on the Barracuda NG Control Center box. This tab is only editable if parameter Store on Disk (see 11.3.1 Basic Setup, page 472) is set to yes.

List 1941 CC Syslog Server configuration - Local Storage Setup section Local Log Directory

Local Log Directory: Note: Advanced View mode only. This field holds the path where the logs of the syslog service are written to (default: /var/phion/mlogs). This directory belongs to the configured system user (parameter Run as User, see 11.3.1 Basic Setup, page 472).

Use Time Received: Note: Advanced View mode only; this parameter is only available if parameter Store on Disk is set to yes. Each log message carries a send-time stamp when it is written to disk (send_stamp log_message):
yes - send_stamp is rewritten using the local CC receive time
no (default) - send_stamp is not modified.

Prepend Received Time: Note: Advanced View mode only; this parameter is only available if parameter Store on Disk is set to yes. Each log message gets its own time stamp(s) when it is written to disk (receive_time_stamp showing the CC receiving time; send_stamp showing the Box sending time):
yes (default) - receive_time_stamp send_stamp log_message
no - send_stamp log_message

File Sync Frequency [lines]: Note: Advanced View mode only. This parameter defines the number of lines after which the synchronisation is started. The default value of 0 indicates that no delay is set.

Log Keep Duration: Via this parameter you define for how long the log files are kept on the local system. The following periods are available:
day - log file name: <logmessage>.$HOUR.log; after 23 h the log files created by syslog are overwritten.
week (default) - log file name: <logmessage>.$WEEKDAY.$HOUR.log; after one week the log files (mon, tue, wed, ...) created by syslog are overwritten.
no-limit - log file name: <logmessage>.log.
Note: This setting is a very specific one and, therefore, should be used by experts only (contacting Barracuda Networks Support is highly recommended).

11.3.4 HA Synchronization

Via this tab the log-message synchronisation between HA partners is configured.

List 1942 CC Syslog Server configuration - HA Synchronization section HA Synchronization Setup

SSH Authentication Key: Here the SSH key management is provided. By clicking New Key you may create a new key for the SSH connection. Alternatively, you may import already existing keys (either from clipboard or file) or export the newly generated key (either to clipboard or file, password protected or not, or the public key only). These import/export options are available within the menu Ex/Import. For information, the key's hash is displayed to the right of this line.

SSH Host Key: Here the SSH host key management is provided. By clicking New Key you may create a new SSH host key. Import and export work as for the SSH Authentication Key, via the Ex/Import menu. For information, the key's hash is displayed to the right of this line.

SSH Listen Port: Note: Advanced View mode only. This parameter defines the port used for establishing the SSH connection (default: 5145).

Use Compression: Here you may activate/deactivate data compression (standard gzip quality) for the SSH connection (default: yes).

Override SyncIP-Primary / Override SyncIP-Secondary: Note: Advanced View mode only. By default the HA sync is carried out between the box IPs of the HA partners. These override parameters allow using the IP addresses of the private uplink connection between the HA partners. Simply enter the proper IP addresses and the log-message transfer is done via the private uplink. This may come in handy if the synchronising load is high.

TCP Sync Frequency (lines): This parameter is only available if parameter Store on Disk (see 11.3.1 Bas Setup, page 472) is set to yes. It defines the number of log messages after which synchronisation is started. The default value of 0 means immediate synchronisation as soon as a log message is received.
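The two time-stamp options and the Log Keep Duration file-name schemes of the Local Storage tab, together with the delivery to local disk from 11.1.3.1, modelled in code. This is an added example and not Barracuda code: the ISO 8601 stamp format, the in-memory stand-in for the local log directory and the sample messages are assumptions for illustration. It makes visible what "after 23 h the log files are overwritten" means for the day scheme: the file name only carries the hour, so the same hour on the next day lands in the same file.

```python
"""Local storage of CC Syslog messages: time stamps and file naming.

Added example, not Barracuda code. It models the Use Time Received and
Prepend Received Time options and the Log Keep Duration file-name schemes from
the Local Storage tab. The ISO 8601 stamp format, the in-memory stand-in for
/var/phion/mlogs and the sample messages are assumptions for illustration.
"""
from datetime import datetime

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# Constructed receive time on the CC (2010-02-15 is a Monday)
SAMPLE_RECEIVED = datetime(2010, 2, 15, 10, 15, 3)


def stored_line(send_stamp, message, received_at,
                use_time_received=False, prepend_received_time=True):
    """Return the line written to disk for one received log message."""
    receive_stamp = received_at.isoformat(timespec="seconds")
    if use_time_received:          # yes: send_stamp rewritten with CC receive time
        send_stamp = receive_stamp
    line = f"{send_stamp} {message}"
    if prepend_received_time:      # yes (default): receive_time_stamp goes first
        line = f"{receive_stamp} {line}"
    return line


def log_file_name(instance, received_at, keep_duration="week"):
    """Map a log instance to its file name under the Log Keep Duration scheme."""
    hour = f"{received_at.hour:02d}"
    if keep_duration == "day":
        return f"{instance}.{hour}.log"
    if keep_duration == "week":
        return f"{instance}.{WEEKDAYS[received_at.weekday()]}.{hour}.log"
    if keep_duration == "no-limit":
        return f"{instance}.log"
    raise ValueError("unknown Log Keep Duration: " + keep_duration)


class LocalStore:
    """In-memory stand-in for the local log directory. A file name recurs once
    its period wraps (same hour next day, same weekday and hour next week) and
    the old content is then overwritten, which is what the scheme implies."""

    def __init__(self, keep_duration="week", **stamp_opts):
        self.keep_duration = keep_duration
        self.stamp_opts = stamp_opts
        self.files = {}      # file name -> lines currently in the file
        self.period = {}     # file name -> (date, hour) the file belongs to

    def write(self, instance, send_stamp, message, received_at):
        name = log_file_name(instance, received_at, self.keep_duration)
        key = None if self.keep_duration == "no-limit" else (received_at.date(), received_at.hour)
        if name in self.period and self.period[name] != key:
            self.files[name] = []            # period wrapped: overwrite
        self.period[name] = key
        self.files.setdefault(name, []).append(
            stored_line(send_stamp, message, received_at, **self.stamp_opts))
        return name


def demo():
    """Write constructed messages with the 'day' scheme and show the overwrite."""
    store = LocalStore("day")
    store.write("fatal", "2010-02-15T10:00:01", "first message", SAMPLE_RECEIVED)
    store.write("fatal", "2010-02-15T10:00:02", "second message",
                SAMPLE_RECEIVED.replace(second=30))
    store.write("fatal", "2010-02-16T10:00:01", "next day, same hour",
                SAMPLE_RECEIVED.replace(day=16))
    return store


if __name__ == "__main__":
    for name, lines in demo().files.items():
        print(name, lines)
```

The demo ends with fatal.10.log holding only the next-day line: with day retention the two messages from the previous day are gone, which is the trade-off to weigh against the week and no-limit schemes when the stored logs are needed for incident reconstruction.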

11.3.5 Relaying Setup

The following parameters are available for configuring relaying to an external host:

List 1943 CC Syslog Server configuration - Relaying Setup section Relaying Setup

TCP Retry Interval [s]: Here the time interval (in seconds) is defined at which a TCP retry is carried out if the connection breaks.

List 1944 CC Syslog Server configuration - Relaying Setup section SSL Delivery Setup

SSL Peer Authentication: This parameter defines whether authentication takes place when establishing the SSL connection. The following options are available:
no_peer_verification (default)
verify_peer_with_locally_installed_certificate - selecting this option requires manual import of a valid SSL certificate from the active connecting system to the active destination system.
Note: with no_peer_verification the stream is encrypted but the identity of the other end is not checked; for delivery to an external log host use verify_peer_with_locally_installed_certificate and import the log host's certificate.

SSL Busy Timeout [s]: This timeout defines for how long (in seconds) an SSL connection may be in busy condition until it is terminated (default: 300).

SSL Close Timeout [s]: This timeout defines for how long (in seconds) an SSL connection may be in close condition until it is terminated (default: 60).

SSL Idle Timeout [s]: This timeout defines for how long (in seconds) an SSL connection may be in idle condition until it is terminated (default: 43200).

11.3.6 Relay Filters

This view offers parameters for configuring profiles which define the log file types to be transferred/streamed. This section requires parameter External Relaying (11.3.1 Basic Setup, page 472) to be set to yes in order to become active.
For creating a new relay filter, click Insert and enter a name for the filter.

List 1945 CC Syslog Server configuration - Relay Filters section Data Origin

Filter Box Affiliation: This parameter specifies whether additional information (for example box, cluster, range) is transmitted with the log entries (default: yes). Setting this parameter to yes activates and requires the parameter group Originator Systems (see below).

Originator Systems: This parameter group is only available if parameter Filter Box Affiliation is set to yes. The configuration dialog for a new or existing entry provides the following parameters:
- Hierarchy Structure: This parameter defines the structure of the log entry. The following structure levels are available:
  Box-Only - adds only the box name to the log message
  Range-Only - adds only the range name to the log message
  Range-Cluster - adds both range and cluster name to the log message
  Range-Cluster-Box (default) - adds the complete structure to the log message
- Ranges: Only available if Hierarchy Structure is set to a value that contains the range structure (that means all except Box-Only); allows selecting specific ranges.
- Clusters: Only available if Hierarchy Structure is set to a value that contains the cluster structure; allows selecting specific clusters.
- Boxes: Only available if Hierarchy Structure is set to a value that contains the box structure; allows selecting specific boxes.

List 1946 CC Syslog Server configuration - Relay Filters section Data Selection

Special File Patterns: Due to the structure of a streamed log message (<range>/<cluster>/<box>/<filename>:<message>), it is possible to restrict log streaming to messages containing a certain pattern in their file names (for example the pattern fw for a file name like server1_fw) by using this parameter.

Top Level Logdata: The log files offered for selection here are superordinate log files built up of several instances of box and service levels. The following data can be selected:
Fatal_log: These are the log contents of the fatal log (log instance name: fatal).
Firewall_Audit_Log: These are the log contents of the firewall's machine-readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the Firewall Parameter Settings on box level (see SECTION AUDIT INFO GENERATION > Audit-Delivery: Syslog-Proxy). With Syslog-Proxy selected, the corresponding log instance name is trans7.
Note: When Log-File is selected in the firewall configuration, the data goes into a log file (Box > Firewall > audit; the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent selection then is category Firewall within the box selection portion of the filter.
Affected Box This parameter defines what kind of box logs are to be
Logfiles affected by the syslog daemon. The following options
are available: All (any kind of box log is affected), None
(default; none is affected) and Selection (activates
parameter group Box Log Patterns, see below).

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


476 | CC Syslog > Configuring Barracuda NG Control Center

List 1946 CC Syslog Server configuration - Relay Filters section Data Selection (continued)

Box Log Patterns: Take into consideration that this parameter group is only available if parameter Affected Box Logfiles is set to Selection. The following parameters are available for configuration:
  Log Groups: This menu offers every log group for selection that is available on a Barracuda NG Firewall (for example Control, Event, Firewall, ...).
  Log Message Filter: This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher. As you can see, the available options are "group selections". If one explicit log type is required, choose Selection and set the wanted type in parameter Selected Message Types, see below.
  Selected Message Types: This parameter allows you to set explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.
Affected Service Logfiles: This parameter defines what kind of logs created by services are to be affected by the syslog daemon. The following options are available: All (any kind of service log is affected), None (default; none is affected) and Selection (activates parameter group Service Log Patterns, see below).
Service Log Patterns: Take into consideration that this parameter group is only available if parameter Affected Service Logfiles is set to Selection.
  Log Server-Services: Here you define the server and service where log messages are streamed from.
  Log Message Filter: This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher.
  Selected Message Types: This parameter allows you to set explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

11.3.7 Relay Destinations

This view offers parameters for configuring profiles which define where logging ought to be transferred/streamed to. However, this section requires parameter External Relaying (11.3.1 Basic Setup, page 472) to be set to yes in order to become active.

For creating a new relay destination, click Insert and enter a name for the destination.

List 1947 CC Syslog Server configuration - Relay Destinations section Connection Type Setup

Connection Type: This menu provides different types for the destination connection:
  Active SSL connect by destination - if an external system requests logs actively via SSL
  Stream SSL to passive destination - for standard secure streaming from the CC box to an external system via SSL
  Stream plaintext to passive destination - for streaming without SSL connection (standard syslog stream)

List 1948 CC Syslog Server configuration - Relay Destinations section Connect by Destination SSL Setup

Local SSL Port: Note: This parameter is only available in Advanced View. This menu defines the port that will be used for establishing the SSL connection between CC box and external system. The available standard port range reaches from 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other. Attention: Make sure to use a port higher than 1024.
Destination SSL Certificate: This certificate is used when selecting Active SSL connect by destination as Connection Type. It holds the certificate of the connecting remote SSL client. This line consists of two buttons: the Show button for displaying the current SSL certificate and the Ex/Import button for certificate transfer purposes.

List 1949 CC Syslog Server configuration - Relay Destinations section Stream to Destination Setup

Destination IP: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to enter the explicit IP address of the log host.
Destination Port: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It holds the port that will be used on the log host when connecting.
Transmission Mode: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to choose the transmission protocol (TCP (default) or UDP). When selecting an SSL-capable destination type, this parameter is implicitly set to TCP.
Destination SSL Certificate: This certificate is used when Stream SSL to passive destination is selected as Connection Type. It holds the SSL certificate of the destination server. This line consists of two buttons: the Show button for displaying the current SSL certificate and the Ex/Import button for certificate transfer purposes.
Destination SSL IP: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It is used for entering the IP address of the external system the outgoing SSL tunnel should connect to (figure 1996, page 472).
Destination SSL Port: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It is used for entering the port on the external system the outgoing SSL tunnel should connect to (figure 1996, page 472).
Loopback SSL Port: This parameter is only available when Stream plaintext to passive destination is selected as Connection Type and defines the port to be used for the loopback interface (figure 1996, page 472). The available standard port range spans the ports 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other. Attention: Make sure to use a port higher than 1024.
Sender IP: Note: This parameter is only available in Advanced View. Depending on your policy routing you may need an explicit sender IP address for streaming log files. If so, this address ought to be entered here.

List 1950 CC Syslog Server configuration - Relay Destinations section Data Tag Policy

Keep Structural Info: The default setting no removes the structural information from streamed messages. When set to yes, the structure information as originally sent to the CC Syslog is preserved. In other words, with the default setting no, <range>/<cluster>/<box>/<filename>:<message> becomes <filename>:<message>.


11.3.8 Relay Streams


Configuring section Relay Streams concludes the
configuration of log streaming.
However, this section requires parameter External
Relaying (11.3.1 Basic Setup, page 472) to be set to yes in
order to become active.
For creating a new relay stream, click Insert and enter a
name for the relay stream.
List 1951 CC Syslog Server configuration - Relay Streams section Relay Streams

Name: Here the name of the stream is displayed.
Active: This parameter allows you to activate/deactivate the selected log stream profile. By default, that is when creating a new profile, this parameter is set to yes.
Log Destinations: Here the available log destinations (defined in 11.3.7 Relay Destinations, page 476) can be selected.
Log Filters: Here the available log filters (defined in 11.3.6 Relay Filters, page 475) can be selected.

11.4 Service process and log file structure

<moduledir> = /opt/phion/modules/server/msyslog

Fig. 1997 Log file structure of service processes overview

Process name | Executable | GUI log file name | Description

activate | <moduledir>/bin/activate | <server>_<service> | Configuration activation. On an optional CC HA partner the activation will also trigger the start of process <server>_<service>_sshd on both systems if HA synchronisation is configured as on.

<server>_<service> | <moduledir>/bin/msylogd | <server>_<service> | The actual service running on the active CC partner, which is in charge of starting, terminating and monitoring sub-processes.

<server>_<service>_slgd | /sbin/syslog-ng | <server>_<service> | The subprocess running on the active CC partner that corresponds to the actual syslog engine. This process is in charge of the actual log processing. Depending on the actual configuration settings it may write messages directly to the local disk on the active CC HA partner, or transfer all [HA sync] or a filtered subset of messages to external UDP/TCP sockets using the syslog protocol, to local TCP listening sockets on the loopback, or to named pipes (FIFOs) from where they are read by some of the various sub-processes below.

<server>_<service>_sshc | <moduledir>/ssh/sshc.msyslog | n/a | The subprocess running on the active CC partner that is in charge of transferring log messages to the HA partner via SSHv2 port forwarding (client end).

<server>_<service>_sshd | <moduledir>/ssh/sshd.msyslog | <server>_<service>_ssh | The subprocess running on both CC HA partners that is in charge of receiving log messages from the active CC HA partner via the SSHv2 protocol (server end) and forwarding them to the local syslogd process, which will in turn write the messages to the local disk on the passive CC HA partner.

<server>_<service>_csslsrv | /usr/sbin/stunnel | <server>_<service>_csslsrv | The subprocess running on the active CC HA partner responsible for the termination of received SSL encapsulated log messages and their forwarding to the syslog engine.

<server>_<service>_sslsrv | /usr/sbin/stunnel | <server>_<service>_sslsrv | The subprocess running on the active CC HA partner responsible for the termination of SSL connections (stunnel server) originating from external log hosts which seek to be fed relayed log messages. The subprocess will read from a named pipe (FIFO) upon successful connection by an external SSL client. Log messages are fed into the pipe by the syslog engine and reach the requestor via an SSL encapsulated log stream.

<server>_<service>_sslclt | /usr/sbin/stunnel | <server>_<service>_sslclt | The subprocess running on the active CC HA partner responsible for originating (stunnel client) SSL connections to external log hosts, which are subsequently fed relayed log messages through the SSL connection. The subprocess will listen on a separate TCP listening socket per destination on the loopback for messages sent by the syslog engine and forward the messages via SSL encapsulated log streams to the log hosts.


11.5 Supported Ciphers and Cipher Preference by the Stunnel-based Sub-processes

AES128-SHA:DES-CBC3-SHA:AES256-SHA:DH-RSA-AES128-SHA:DHE-RSA-AES128-SHA:IDEA-CBC-SHA:EDH-RSA-DES-CBC3-SHA

Note:
DES encryption is not supported due to its limited resistance against brute force attacks.

11.6 Filtering Policy

Structure of a syslog conformant log line as received by the syslog engine:

'<'PRI'>'<DATE/TIME> <HOSTNAME> <PROGRAM NAME>[ '['<PID>']' ]: <MESSAGE>\n

- '<'PRI'>' - two digit decimal number enclosed in angled brackets containing information on both syslog facility and log level
  Note:
  All logs sent by Barracuda NG Firewall systems conform to syslog facility user.
  Note:
  The log facility is a parameter that can be used when building filter conditions for log relaying.
- <DATE/TIME> - three letter English month abbreviation 'blank' day of month 'blank' 2-digit-hour[00-23]:2-digit-minute[00-59]:2-digit-second[00-59]; example: Jul 31 14:08:01
- <HOSTNAME> - hostname or IP address of the system the message originates from (possibly also the address of a relay host)
- <PROGRAM NAME>[ '['<PID>']' ] - typically the name of the application the log message originates from. Note that an appended process ID number enclosed by square brackets may be part of this so-called program name. A colon follows the program name. The colon is used as indicator that all remaining portions of text belong to the actual log message part.
- <MESSAGE> - the actual log message data

Barracuda NG Firewall gateways use the program name to add information as to the origin of a log message. To this end the actual log line is reconstructed before being sent to the gateway's syslog proxy service (bsyslog) for external delivery. The reconstruction entails replacing the original program name by the name of the log instance, that is the file the log message would go into in directory /var/phion/logs if it were solely written to disk. The original program name and message are simply moved further behind and now together form the new message part.

'<'PRI'>'<DATE/TIME> <HOSTNAME> <PROGRAM NAME>[ '['<PID>']' ]: <MESSAGE>\n

is changed to

'<'PRI'>'<DATE/TIME> <HOSTNAME> <LOG-INSTANCE-NAME>: <PROGRAM NAME>[ '['<PID>']' ]: <MESSAGE>\n

An example for a log instance name would be box_Firewall, referring to log file /var/phion/logs/box_Firewall.log.

The added <LOG-INSTANCE-NAME> is used by the Syslog Proxy service on a Barracuda NG Firewall to find out which received log messages are supposed to be sent to which destination.

On a per destination basis the program name field may be overwritten by the syslog proxy before sending the log message on to the destination. The intention behind this is that this information is extracted by the CC Syslog Server to determine the local file underneath /var/phion/mlogs into which the log message is written; additionally this information may again be used for filtering purposes when log relaying to external security management systems by the CC is intended.

The policy adopted by a Barracuda NG Firewall is as follows:

- CC-managed box

Table 1919 Filtering policy CC-managed box

Parameter | Value | Explicit node name | Explicit hierarchy info | Used program name
Add Range/Cluster Info | yes | | | <range>/<cluster>/<box name>/<LOG-INSTANCE-NAME>
Add Range/Cluster Info | no | | | <box name>/<LOG-INSTANCE-NAME>
Override Node Name | no | | |
Override Node Name | yes | <NAME> | Range | <range>/<NAME>
Override Node Name | yes | <NAME> | Range and Cluster | <range>/<cluster>/<NAME>
Override Node Name | yes | <NAME> | Range, Cluster and Box | <range>/<cluster>/<box name>/<NAME>
Override Node Name | yes | <NAME> | Box | <box name>/<NAME>

- self-managed box

Table 1920 Filtering policy self-managed box

Parameter | Value | Explicit node name | Explicit hierarchy info | Used program name
Override Node Name | no | | | <box name>/<LOG-INSTANCE-NAME>
Override Node Name | yes | <NAME> | none | <range>/<NAME>
Override Node Name | yes | <NAME> | Box | <box name>/<NAME>

The log messages received by the CC Syslog server thus contain additional information stored in the program name. First, this information is used by the CC syslog server to determine the file into which a particular log message is meant to be written, provided local disk storage is desired. The log file is simply equal to /var/phion/mlogs/<program name of log message>. From the table above it becomes clear that this mechanism allows for hierarchical depositing of log messages. If no override settings are used on the transmitting managed box, all streamed log instances of the box are simply replicated under /var/phion/mlogs/<range>/<cluster>/<box name>.
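The line rewriting and file placement policy described above, as an added Python model (example code written for this edit, not part of the Barracuda documentation or product): it parses a syslog line in the documented format, performs the gateway-side <LOG-INSTANCE-NAME> insertion, derives the program name the Syslog Proxy would send under the Add Range/Cluster Info and Override Node Name settings of Tables 1919 and 1920, maps it to a file below /var/phion/mlogs, and applies the Keep Structural Info and Special File Patterns rules of the relay configuration. Assumptions: all function names and the sample log line are constructed; the hierarchy value none is taken to yield the bare node name; the check that the derived path stays below /var/phion/mlogs is an added hardening step, not something the documentation describes.

```python
# Added example, not part of the Barracuda NG Firewall documentation or product:
# a Python model of the log line rewriting and CC-side file placement policy.
import posixpath
import re
from dataclasses import dataclass
from typing import Optional

MLOGS_BASE = "/var/phion/mlogs"

# '<'PRI'>'<DATE/TIME> <HOSTNAME> <PROGRAM NAME>[ '['<PID>']' ]: <MESSAGE>; the first ':' after the program name ends the header
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s][^:\[]*)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

@dataclass
class SyslogLine:
    pri: int          # facility * 8 + severity; Barracuda boxes use facility user (1)
    timestamp: str
    hostname: str
    program: str
    pid: Optional[int]
    message: str

def parse_syslog(line: str) -> SyslogLine:
    """Split a syslog conformant line into its fields."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a syslog conformant line: {line!r}")
    pid = m.group("pid")
    return SyslogLine(int(m.group("pri")), m.group("ts"), m.group("host"),
                      m.group("prog"), int(pid) if pid else None, m.group("msg"))

def tag_with_instance(line: str, log_instance: str) -> str:
    """Gateway-side reconstruction before the line reaches bsyslog: the log instance
    name becomes the program name; original program name (with PID) and message form the new message."""
    s = parse_syslog(line)
    prog = s.program + (f"[{s.pid}]" if s.pid is not None else "")
    return f"<{s.pri}>{s.timestamp} {s.hostname} {log_instance}: {prog}: {s.message}\n"

# Explicit hierarchy info -> path prefix (Tables 1919 and 1920). Treating
# "none" as "no prefix at all" is an assumption of this example.
HIERARCHY_PREFIX = {
    "none": "",
    "Range": "{range}/",
    "Range and Cluster": "{range}/{cluster}/",
    "Range, Cluster and Box": "{range}/{cluster}/{box}/",
    "Box": "{box}/",
}

def cc_program_name(log_instance: str, box: str, range_: Optional[str] = None,
                    cluster: Optional[str] = None, *, add_range_cluster_info: bool = True,
                    override_node_name: Optional[str] = None, explicit_hierarchy: str = "none") -> str:
    """Program name the Syslog Proxy sends towards the CC for one destination."""
    if override_node_name is not None:
        prefix = HIERARCHY_PREFIX[explicit_hierarchy]
        return prefix.format(range=range_, cluster=cluster, box=box) + override_node_name
    if add_range_cluster_info and range_ and cluster:
        return f"{range_}/{cluster}/{box}/{log_instance}"
    return f"{box}/{log_instance}"

def mlogs_file(program_name: str, base: str = MLOGS_BASE) -> str:
    """File the CC Syslog Server writes to: <base>/<program name>. The program
    name arrives from a remote box, so this added check refuses any value that
    would resolve outside the base directory."""
    if not program_name or program_name.startswith("/"):
        raise ValueError("program name must be a relative path")
    path = posixpath.normpath(posixpath.join(base, program_name))
    if not path.startswith(base + "/"):
        raise ValueError(f"program name escapes {base}: {program_name!r}")
    return path

def relay_program_name(program_name: str, keep_structural_info: bool) -> str:
    """Data Tag Policy of a relay destination: with Keep Structural Info = no,
    <range>/<cluster>/<box>/<filename> is reduced to <filename>."""
    return program_name if keep_structural_info else program_name.rsplit("/", 1)[-1]

def matches_special_file_pattern(program_name: str, pattern: str) -> bool:
    """Relay filter Special File Patterns: substring match on the filename part."""
    return pattern in program_name.rsplit("/", 1)[-1]

# Constructed sample line, as a box's firewall service might emit it locally.
SAMPLE = "<14>Jul 31 14:08:01 gw1 fwd[1234]: Block: 10.1.2.3:40001 -> 10.9.9.9:23\n"

def demo() -> dict:
    # Walk one line from the box through tagging, CC storage and relaying.
    cc_name = cc_program_name("box_Firewall", "gw1", "ra1", "cl1")
    bundled = cc_program_name("box_Firewall", "gw1", "ra1", "cl1",
                              override_node_name="allfirewall",
                              explicit_hierarchy="Range, Cluster and Box")
    return {
        "tagged": tag_with_instance(SAMPLE, "box_Firewall"),
        "cc_file": mlogs_file(cc_name),
        "relayed_as": relay_program_name(cc_name, keep_structural_info=False),
        "allfirewall_file": mlogs_file(bundled),
    }
```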


Yet it may sometimes be desirable to bundle together certain log contents that are located in different files on the box, either for central storage or relaying purposes.

A good example for this is the firewall log. From the box's point of view, firewall related log content goes into several files. On one hand there is the log output generated by the local firewall, and on the other hand there is the log output generated by the forwarding firewall service. In order to collect both outputs into a single file on the CC, you would define a filter on the streaming box comprising the aforementioned two logging components and a destination corresponding to the CC, where you now make use of the override node name option. Choosing for example "allfirewall" as an explicit node name, you have ascertained that a single file instance will be used on the CC. Depending on your exact intentions you may now adjust the explicit hierarchy information, that is the path information that is prepended to "allfirewall".

11.7 Example Configurations for Syslog Proxy and CC Syslog Server

In the following configuration examples, the essential settings required to be configured in the Syslog Proxy service (on the box) and on the CC Syslog Server (on box level of the CC) are described. For a detailed parameter description, please refer to 5.2.3 Syslog Streaming, page 116 and 11.3 Configuring, page 472 in this chapter.

The examples given consider the following scenarios:
- Log message streaming using TCP&UDP (non SSL)
- Log message streaming using SSL
- Relaying of log messages using SSL

11.7.1 Log Message Streaming using TCP&UDP (non SSL)

To configure log message streaming using TCP&UDP proceed as follows:

11.7.1.1 Configuration of Syslog Streaming

Enter Box > Infrastructure Services > Syslog Streaming on MCs box-level.

- Basic Setup view (with active Advanced View)
  Fig. 1998 Example 1: Syslog Proxy - Basic Setup
  Set parameter Idle Mode to no.
  Though not using an SSL certificate, leave parameter Use Box Certificate/Key set to yes. If the setting is changed to no, the parameters SSL Private Key and SSL Certificate become mandatory, as it is assumed that another certificate than the box certificate will be used. With all other parameters set properly, availability of a certificate will be ignored.
- Logdata Filters view
  In the sections Infrastructure Services - Syslog Streaming - Logdata Filters > Affected Box Logdata and Infrastructure Services - Syslog Streaming - Logdata Filters > Affected Service Logdata, specify the log file types to be sent to the CC Syslog Server.
- Logstream Destinations view
  Set parameter Remote Loghost to explicit-IP. This setting causes the log files to be streamed to the CC-Server IP.
  Leave parameter Loghost Port at the default setting 5144.
  Set parameter Use SSL Encapsulation to no.
  Set parameter Add Range/Cluster Info to yes to maintain the log file structure Range/Cluster/Box. If set to no, the log files are saved in a directory labelled with the box's name below the Local Log Directory defined on the CC Syslog server (see below).
- Logdata Streams view
  Define combinations of Logdata Filters and Logstream Destinations in this section. Generally, this feature is useful when log files are streamed to multiple destinations, or when streaming is not required continuously for all log file types.

  Note:
  Through setting parameter Active to no, streaming can be interrupted at all times.

11.7.1.2 Configuration of CC Syslog Service

Enter Box > Virtual Servers > <servername> > Assigned Services > <servicename> (msyslog) > CC Syslog Service on MCs box-level.

- Basic Setup view
  Set parameter Idle Mode to no.


  Create Service Key and Service Certificate. Creation is mandatory, though key and certificate are not used without SSL Encapsulation.
  Set parameter Support Trusted Data Reception to no.
  Set parameter Store on Disk to yes to enable saving of received log messages to hard disk.
- Local Storage view (with active Advanced View)
  Specify the Local Log Directory as saving location for received log messages. The default path is /var/phion/mlogs. You may leave the default settings.

11.7.2 Log Message Streaming using SSL

To configure log message streaming using SSL proceed as follows:

11.7.2.1 Configuration of Syslog Streaming

Enter Box > Infrastructure Services > Syslog Streaming on MCs box-level.

- Basic Setup view (with active Advanced View)
  Set parameter Idle Mode to no.
  Set parameter Use Box Certificate/Key to yes.
- Logdata Filters view
  In the sections Infrastructure Services - Syslog Streaming - Logdata Filters > Affected Box Logdata and Infrastructure Services - Syslog Streaming - Logdata Filters > Affected Service Logdata, specify the log file types to be sent to the CC Syslog Server.
- Logstream Destinations view
  Set parameter Remote Loghost to Barracuda CC Control. This setting causes the log files to be streamed to the CC-Server IP.

  Note:
  With Remote Loghost set to Barracuda CC Control, the Master Certificate of the CC is automatically used as Remote Certificate, that is Peer SSL Certificate. Importing the Master Certificate into the Peer SSL Certificate field is thus not necessary.

  Configure the parameter Loghost Port to match the value in parameter SSL Listen Port (Trusted Data Reception view) on the CC Syslog Server. By default, port 5143 is used for SSL connections.

  Attention:
  Do not use port 5144, as this setting only works when log messages are streamed without SSL Encapsulation. The log file data will arrive corrupt on the CC Syslog Server if port 5144 is used.

  Note:
  If you change the port assignment to another port than the default 5143, adjusting the local firewall rule set might become necessary.

  Set parameter Transmission Mode to TCP.
  Set parameter Add Range/Cluster Info to yes to maintain the log file structure Range/Cluster/Box. If set to no, the log files are saved in a directory labelled with the box's name below the Local Log Directory defined on the CC Syslog server.


- Logdata Streams view
  Define combinations of Logdata Filters and Logstream Destinations in this section. Generally, this feature is useful when log files are streamed to multiple destinations, or when streaming is not required continuously for all log file types.

  Note:
  Through setting parameter Active to no, streaming can be interrupted at all times.

11.7.2.2 Configuration of CC Syslog Service

Enter Box > Virtual Servers > <servername> > Assigned Services > <servicename> (msyslog) > CC Syslog Service on MCs box-level.

- Basic Setup view
  Set parameter Idle Mode to no.
  Create Service Key and Service Certificate.
  Set parameter Support Trusted Data Reception to yes.
  Set parameter Store on Disk to yes to enable saving of received log messages to hard disk.
- Support Trusted Data Reception view (with active Advanced View)
  Configure the parameter SSL Listen Port to match the value in parameter Loghost Port (Logstream Destinations view) on the Syslog Proxy. By default, port 5143 is used for SSL connections. Pay attention to the limitations concerning port choice as described above.
  Set parameter Service Certificate to USE_MC_SSL_Cert. With this setting, boxes can authenticate themselves at the CC Syslog Server using their box certificates.
  Set parameter Client Authentication to verify_peer_with_locally_installed_certificate. The setting causes the box certificate to be authenticated against the CC certificate.
  Import the box certificate of every box whose log messages are collected by the CC Syslog Server into the Trusted Clients field.
- Local Storage view (with active Advanced View)
  Specify the Local Log Directory as saving location for received log messages. The default path is /var/phion/mlogs. You may leave the default settings.

11.7.3 Relaying of Log Messages Using SSL

Relaying follows the streaming of log messages. Relaying can be configured with or without SSL encapsulation, regardless of encryption settings defined for streaming. Log messages can be relayed to an external host after they have been written to disk on the CC Syslog Server, or they can immediately be passed to the external host without this intermediate step. The following example settings can succeed both of the configurations described above.

To configure relaying using SSL proceed as follows.

11.7.3.1 Syslog Proxy Configuration

No further settings are required on the box where log messages are generated.

Note:
A configuration requirement exists, though, regarding the setting of the parameter Add Range/Cluster Info in the Log Data Tagging section, as it directly influences usage of the parameter Filter Box Affiliation in the Relay Filters view of the CC Syslog Server. See below for details.

11.7.3.2 CC Syslog Server Configuration

Enter Box > Virtual Servers > <servername> > Assigned Services > <servicename> (msyslog) > CC Syslog Service on MCs box-level.

- Basic Setup view
  Set parameter External Relaying to yes.
  Create Service Certificate and Service Key.
  Export the SSL Certificate to a file and make it available for the external host. The external host has to import the certificate in order to authenticate itself against the CC Syslog Server (see also parameter Destination SSL Certificate below with destination types using SSL).
- Relaying Setup view
  Set parameter SSL Peer Authentication to verify_peer_with_locally_installed_certificate.
- Relay Filters view
  Configuration options in the Relay Filters view have a similar function to the filtering options specified through the Logdata Filters view in the Syslog Proxy configuration (Configuration Service 5.2.3.2 Logdata Filters, page 116). Here they allow defining, by their type, the log messages which are to be relayed.
  The effect of parameter Filter Box Affiliation set to yes is directly dependent on the setting of parameter Add Range/Cluster Info in the Log Data Tagging section of the Syslog Proxy (see above). The reason for this is that, for example, relaying through a Range-Cluster-Box hierarchy structure can only work if Range-Cluster-Box information has originally been maintained during log file streaming.

  Note:
  Using Filter Box Affiliation demands specification of Originator Systems. This demand can only be satisfied if Range/Cluster/Box information has been maintained during log message streaming.

  Affected Box Logfiles / Affected Service Logfiles
  The all-embracing method, easiest to configure, is to relay Affected Box Logfiles and Affected Service Logfiles. If unfiltered relaying is not desired, choose Selection in the Affected Box/Service Logfiles parameters and select the log file types to be relayed. The parameter Special File Patterns allows setting relay filters in terms of filtering for character strings (for example box_Event).


- Relay Destinations view

  Note:
  The connection type Stream plaintext to passive destination is used when log messages are relayed without SSL Encapsulation.

  Using Destination Type Stream SSL to passive destination:
  Set parameter Connection Type to Stream SSL to passive destination if the destination the CC Syslog server is relaying to is passively awaiting log message delivery.
  Destination SSL Certificate: Connection types using SSL require certificate exchange with the external client/host messages are relayed to. Import the destination server's certificate in this place.
  Define the destination IP through the parameter Destination SSL IP.
  Define the connection port for relaying through the parameter Destination SSL Port. The standard port range for this purpose spans ports 5244 to 5253.
  Set the parameter Keep Structural Info to yes to maintain the original names of the relayed log files.

  Using Destination Type Active SSL connect by destination:
  Set parameter Connection Type to Active SSL connect by destination if the external host is actively querying for log messages.
  Specify a Local SSL Port (parameter requires Advanced View in order to be available). The connection between CC Syslog Server and destination system will be established on this port. The standard port range for this purpose spans ports 5244 to 5253.

  Note:
  In case the CC Syslog Server has been configured to Sync to HA Partner, do not specify the same port as is defined in the parameter SSH Listen Port in the HA Synchronization view.

  Destination SSL Certificate: Connection types using SSL require certificate exchange with the external client/host messages are relayed to. Import the remote SSL client's certificate in this place.
  Set the parameter Keep Structural Info to yes to maintain the original names of the relayed log files.

- Relay Streams view
  Define combinations of Relay Destinations and Relay Filters in this section. Generally, this feature is useful when log files are relayed to multiple destinations and/or relaying is not required continuously for all log file types.

  Note:
  Through setting parameter Active to no, relaying can be interrupted at all times.


12. CC Firewall Audit Viewer

12.1 General

Fig. 1999 CC FWAudit Viewer

This service allows debugging and traffic information viewing for multiple gateways in one central location, thus allowing to diagnose connection problems within complex network environments usually in a fraction of the time that would be required when diagnosing the problems from the logs or the access cache on every single gateway.

The collection and processing of audit log information is realized by a service on the Barracuda NG Control Center, the CC Audit Info Service.

For large environments or high performance environments, dedicated Barracuda NG Firewall boxes can be used to collect and retrieve Firewall Audit info, the so-called FW Audit Collector.

The CC Audit service receives structured firewall data from multiple Barracuda NG Firewall boxes and stores the firewall audit information in a relational database installed on the CC.

The firewall audit information provides all information related to firewall sessions in a machine-readable format. The information is similar to the already available Firewall Audit log, but additionally the relational database allows complex queries. In contrast to the Firewall Access Cache, the CC Audit Viewer does not automatically aggregate data but includes date and time just like all session-related information and allows filtering on these.

Filtering of FW Audit data supports the following criteria:
- Rule name
- Protocol
- Source IP Address (netmasks may be used)
- Destination IP Address (netmasks may be used)
- Interface name (either Source or Destination)
- Address, i.e. either Source or Destination IP matches (netmasks may be used)
- Port number and service name
- Source Interface name
- Destination Interface name

Additionally, the so-called Type Selection supports restriction based on the following criteria:




• Traffic Selection: Forwarding traffic, Local In traffic, Local Out traffic, Loopback traffic
• Event Selection: Allowed, Blocked, Dropped, Fail, ARP, IPS Hit, Removed

Similar to the Barracuda NG Admin Log Viewer, the Firewall Audit Info Viewer supports navigating to a dedicated date/time as well as browsing backward and forward. After a session has been removed, the FW Audit also contains the number of transferred bytes for this session. Through optional accumulation of FW Audit data a consolidated view similar to the access cache can be achieved. Additionally, the centralized FW Audit Viewer supports FW Audit queries across multiple boxes.

Fig. 20 Audit Info Viewer

Querying is possible by using the Barracuda NG Admin user interface connecting either to the CC management IP (box) or to the CC server IP (CC).

Note:
Which data will be collected depends on box settings in Config > Box > Infrastructure Services > General Firewall Configuration > Audit and Reporting > Audit Information Generation (see Firewall 2.1.1.5 Audit and Reporting, page 137, section Recorded Conditions list 413, page 138).

12.2 Activation

The Audit Info service is available for three different scenarios:

• local FW Audit Info viewer
Writing FW audit data locally on the Barracuda NG Firewall can be enabled within the configuration dialog Box > Infrastructure Services > General Firewall Configuration > Audit and Reporting > Audit Info Generation. In the Settings dialog select Local-File for Audit Delivery settings.
The firewall now generates appropriate entries for both local and forwarding traffic.
The FW Audit Info viewer is available by using Barracuda NG Admin to connect to the Firewall module and selecting the Audit tab.

Licensing
The local Audit Info viewer is available on every Barracuda NG Firewall where an FW audit logfile is generated, without the need for an additional license.

• CC Audit Info viewer
To enable the CC Audit Info Viewer you need to introduce the new service CC Audit Info Viewer on the CC box. The CC Audit Info viewer is now ready to retrieve audit information from boxes managed by this Barracuda NG Control Center.
The service uses TCP port 680 to receive FW Audit data. The host firewall ruleset of an updated CC box thus needs to be extended to allow access to port 680 on the management IPs and server IPs. If you have not modified the host firewall ruleset manually you could simply select "Copy from default" in the context menu.
Generation and forwarding of FW Audit data still needs to be enabled for the Barracuda NG Firewall boxes (see below).
Transport of FW Audit data is encrypted by using the CC and box RSA keys.
If an unmanaged Barracuda NG Firewall system should send Audit Info data to the introduced CC Audit Info service, the CC Audit Info service provides a configuration to manually import box keys.
To enable generation and forwarding of FW Audit data, connect to the CC configuration tree and open the configuration node Box > Infrastructure Services > General Firewall Configuration. Open the Settings dialog for Audit and Reporting > Audit Info Generation and change the Audit Delivery parameter to Forward-only or Local-File-and-Forward. The destination IP address and port can be left empty; in that case the FW Audit data is automatically forwarded to the CC IP address.

Licensing
The CC Audit Info viewer is available with Barracuda NG Control Center Global Edition or with Barracuda NG Control Center option pack 2.

• Audit Info collector (separate box)
Collecting FW Audit data on a separate Barracuda NG Firewall box is realized by the new service "Audit Info collector". You need to introduce the new service. For the configuration see CC Audit Info viewer. Due to performance issues the service should be run on a dedicated system.
Queries are done by first connecting to the box management IP.

Licensing
The Audit Info collector requires an extra license and is only available in conjunction with a Barracuda NG Control Center Global Edition or with a Barracuda NG Control Center option pack 2.

12.3 Limitations

Please note that writing or querying FW Audit data within the relational database is quite CPU and IO consuming. It is thus strongly recommended to enable transport of FW Audit data with care.
A Barracuda NG Firewall can handle several thousand session requests per second, which is already a limit for relational databases (transactions per second). The centralized FW Audit Log Service may get data from dozens of Barracuda NG Firewalls, thus overloading the relational database.
Barracuda Networks recommends to make use of the granular configuration options, which allow reducing




traffic by explicitly specifying which data should be forwarded to the FW Audit host.
The FW Audit Log Service does not synchronize audit data within a HA cluster, neither when running as server service (Audit collector) nor when running as local FW Audit Info viewer. For the CC Audit Info viewer and for the FW Audit Info collector, the service may run on the backup box to collect new data. In case of a failover to the backup box, new Audit data is stored on the backup box and querying of this data needs to be performed on the backup box.
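The filter criteria and the Type Selection described in 12.1 can be modelled directly. The following Go program is an added example and is not code from the manual or from the Barracuda product: it defines a simplified audit record, applies the viewer's criteria (rule, protocol, netmask-aware source, destination and either-side address, interface, port, traffic and event selection) over a constructed set of records, and accumulates transferred bytes per rule over Removed entries, the consolidated access-cache-like view mentioned above. The record layout, the rule names and the addresses (documentation ranges) are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
)

// AuditRecord models one FW Audit entry with the session-related fields the
// viewer filters on plus the two Type Selection dimensions. The layout is a
// constructed model for this example, not the product's record format.
type AuditRecord struct {
	Rule, Proto        string
	SrcIP, DstIP       net.IP
	SrcPort, DstPort   int
	Service            string
	SrcIface, DstIface string
	Traffic            string // Forwarding, LocalIn, LocalOut, Loopback
	Event              string // Allowed, Blocked, Dropped, Fail, ARP, IPSHit, Removed
	Bytes              int64  // transferred bytes, known once the session is Removed
}

// Filter holds optional criteria; a zero value in a field means "any".
type Filter struct {
	Rule, Proto, Service string
	Src, Dst, Addr       *net.IPNet      // netmask-aware; Addr matches either side
	Iface                string          // matches source or destination interface
	SrcIface, DstIface   string
	Port                 int             // matches source or destination port
	Traffic, Event       map[string]bool // Type Selection; nil means all
}

func inNet(n *net.IPNet, ip net.IP) bool { return n == nil || n.Contains(ip) }

// Match reports whether a record satisfies every criterion that is set.
func (f Filter) Match(r AuditRecord) bool {
	switch {
	case f.Rule != "" && r.Rule != f.Rule,
		f.Proto != "" && r.Proto != f.Proto,
		f.Service != "" && r.Service != f.Service,
		!inNet(f.Src, r.SrcIP),
		!inNet(f.Dst, r.DstIP),
		f.Addr != nil && !f.Addr.Contains(r.SrcIP) && !f.Addr.Contains(r.DstIP),
		f.Iface != "" && r.SrcIface != f.Iface && r.DstIface != f.Iface,
		f.SrcIface != "" && r.SrcIface != f.SrcIface,
		f.DstIface != "" && r.DstIface != f.DstIface,
		f.Port != 0 && r.SrcPort != f.Port && r.DstPort != f.Port,
		f.Traffic != nil && !f.Traffic[r.Traffic],
		f.Event != nil && !f.Event[r.Event]:
		return false
	}
	return true
}

// Query returns the records matching f in their original (time) order.
func Query(recs []AuditRecord, f Filter) []AuditRecord {
	var out []AuditRecord
	for _, r := range recs {
		if f.Match(r) {
			out = append(out, r)
		}
	}
	return out
}

// BytesByRule accumulates transferred bytes per rule over Removed entries,
// giving the consolidated, access-cache-like view the text mentions.
func BytesByRule(recs []AuditRecord) map[string]int64 {
	sum := map[string]int64{}
	for _, r := range Query(recs, Filter{Event: map[string]bool{"Removed": true}}) {
		sum[r.Rule] += r.Bytes
	}
	return sum
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func ip(s string) net.IP { return net.ParseIP(s) }

// SampleRecords is a constructed data set standing in for entries collected
// from several boxes (documentation address ranges, invented rule names).
// Field order: Rule, Proto, SrcIP, DstIP, SrcPort, DstPort, Service,
// SrcIface, DstIface, Traffic, Event, Bytes.
var SampleRecords = []AuditRecord{
	{"LAN-2-INTERNET", "TCP", ip("10.0.1.25"), ip("203.0.113.10"), 51000, 443, "HTTPS", "eth1", "eth0", "Forwarding", "Allowed", 0},
	{"BLOCKALL", "TCP", ip("198.51.100.7"), ip("10.0.1.25"), 40022, 22, "SSH", "eth0", "eth1", "Forwarding", "Blocked", 0},
	{"MGMT", "TCP", ip("10.0.1.30"), ip("10.0.1.1"), 38000, 680, "FWAUDIT", "eth1", "", "LocalIn", "Allowed", 0},
	{"LAN-2-INTERNET", "UDP", ip("10.0.2.5"), ip("192.0.2.53"), 53211, 53, "DNS", "eth1", "eth0", "Forwarding", "Allowed", 0},
	{"BLOCKALL", "ICMP", ip("198.51.100.9"), ip("10.0.1.1"), 0, 0, "PING", "eth0", "", "LocalIn", "Dropped", 0},
	{"LAN-2-INTERNET", "TCP", ip("10.0.1.25"), ip("203.0.113.10"), 51000, 443, "HTTPS", "eth1", "eth0", "Forwarding", "Removed", 98765},
}

func main() {
	// Everything blocked or dropped that involves the 198.51.100.0/24 range.
	hits := Query(SampleRecords, Filter{
		Addr:  mustCIDR("198.51.100.0/24"),
		Event: map[string]bool{"Blocked": true, "Dropped": true},
	})
	for _, r := range hits {
		fmt.Printf("%-8s %-4s %s -> %s:%d rule=%s\n", r.Event, r.Proto, r.SrcIP, r.DstIP, r.DstPort, r.Rule)
	}
	fmt.Println("bytes per rule:", BytesByRule(SampleRecords))
}
```

Filters that are not set are skipped, so a Filter with only Addr and Event set behaves like the viewer with two criteria chosen. The Address criterion deliberately matches either side of the session, which is what you want when looking for all traffic of one host regardless of who initiated it.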

13. CC PKI Service


The Barracuda NG Control Center PKI (Public Key Infrastructure) is a solution similar in scope and functionality to Microsoft's PKI delivered with Microsoft Windows 2000/2003 servers and uses ITU-T X.509v3 certificates.
A certificate with the V3 extension basicConstraints set to CA:true is handled as a CA. This CA can sign end user certificates or other CAs. An X.509v3 certificate contains the fully distinguished name and V3 extensions defining the range of application.
To mark a certificate as revoked, there are certificate revocation lists. Applications can fetch certificate revocation lists from LDAP or HTTP servers. These servers are specified in the certificate as V3 extension crlDistributionPoints.

Note:
For theory about certificates have a look at "Kryptografie und Public-Key-Infrastrukturen im Internet" by Klaus Schmeh (ISBN 3-932588-90-8).

Usage of Certificates
• SSL/TLS encryption and authentication of TCP-based protocols like HTTP, SMTP, POP, IMAP, LDAP, …
• S/MIME: Encryption and signature of e-mails
• IPSec, L2TP
• VPN connections

13.1 Installing and Configuring

Attention:
PKI has to be licensed separately.

Log on to the Barracuda NG Control Center on box level and create a new service using the software module CC PKI Service.
Enter the configuration dialog via Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (pki).

Fig. 191 Configuration dialog - PKI

List 1952 Public Key Infrastructure (PKI) Configuration Settings section General Settings
Parameter: Description
HA Sync Mode: This parameter enables/disables synchronisation with an optional HA partner.
Log Level: Here you specify the amount of logging. The following options are available:
  Silent - No logging except for fatal logs
  Normal - Regular logging
  Verbose - Regular logging including additional logs (for example for troubleshooting)

List 1953 Public Key Infrastructure (PKI) Configuration Settings section LDAP Server
Parameter: Description
Start LDAP Server: Ticking this checkbox starts an LDAP server on the CC PKI box. The service listens at the IPs defined in the PKI Service Properties. Listening ports are port 389 (ldap) and port 636 (ldaps).
Log Connections: Ticking this checkbox enables connection logging on the internal LDAP server.
External LDAP Server: If an external LDAP server ought to be used instead of the internal one, the server IP address or DNS-resolvable name needs to be entered here.
Base DN: This parameter specifies the Base Distinguished Name for inserting and searching CRLs on the LDAP server (for example dc=barracuda,dc=com).
Root DN: Here the distinguished name of the LDAP user for importing CRLs on the LDAP server is defined.
Root Password: This parameter holds the password for writing on the LDAP server.




13.2 User Interface

The PKI shows the certificates in a hierarchical tree view (accessible via box menu entry PKI, see figure 192). The top level shows all root certificates, which need to be certificate authorities. Additionally, there are the box certificates to get the information of all installed boxes managed by the CC. This information is generated automatically on the first start of the PKI. If changes apply to installed boxes, right-click Box Certificates and then select Update Box Certificates from the context menu.

Fig. 192 PKI - User Interface

Each CA node contains four subdirectories:
• Valid contains all valid and not expired certificates.
• Pending contains all unsigned certificate requests.
• Expired contains all certificates with exceeded finish dates.
• Revoked contains all certificates revoked by the administrator (for example an end-user has lost his/her USB stick holding the VPN certificate).

For viewing the details of a certificate, right-click on the certificate of interest and select View Certificate.
Instead of the common name, which is used by default, the certificates can be displayed with their full subject in the user interface's view. To change the view setting, select Show Full Subject in the context menu available by right-click on either top level of Root or Box Certificates.

13.3 Working with PKI

13.3.1 Creating a Certificate

For creating a certificate it is necessary to change from read-only to read-write mode by clicking Lock. Now the PKI is ready for creating a new certificate (via button Create Certificate).

Fig. 193 Configuration dialog - General Settings tab

List 1954 Public Key Infrastructure (PKI) - Certificate Creation
Parameter: Description
Signing CA: Via this parameter you specify the certificate authority which ought to sign the new certificate.
CA Sign Password: This field allows entering the password required for signature by the CA. If no password is entered only a certificate request will be created.
Template: Here you may select a pre-defined template (see 13.3.3 Editing Templates, page 487) in order to fill the parameters of this dialog with "default" values.

13.3.1.1 General Settings Tab

List 1955 Public Key Infrastructure (PKI) - Certificate Creation - General Settings tab
Parameter: Description
Keysize in Bits: Via this parameter the key size is defined. Normally the value ranges from 512 up to 4096 bits (default: 1024 bits). Due to modern CPU power, the size should be at least 1024 bits for end-user certificates. When the CA's lifetime is 10 years or longer, the key size should be at least 2048 bits (4096 bits recommended).
Duration of Validity: Defines the validity period of the certificate (in days; default 5000 days). For example this leads to 5475 days for a root certificate with 15 years validity (365 * 15).
Key Algorithm: Specifies the algorithm used for key creation (rsa - default; dsa).
Key Encryption: Specifies the algorithm used for key encryption (TripleDES - default; IDEA; DES).
Message Digest Algorithm: Specifies the hash algorithm (md2; md5; mdc2; sha1 - default).
Password: Defines the certificate password.
Validate Password: Validates the certificate password.




13.3.1.2 Subject Tab

List 1956 Public Key Infrastructure (PKI) - Certificate Creation - Subject tab
Parameter: Description
Common Name: Name of the certificate.
  Note: Do not use special characters and underscores in the common name.
Email Address: E-mail address of the certificate owner.
Country, State or Province, Locality, Organisation, Organisation Unit: Address and organisational information (for example name of the organisation, unit name, …).

13.3.1.3 V3 Extensions

Note:
Several parameters in this tab are, in addition to the regular active/inactive setting, equipped with a Critical checkbox. Ticking this checkbox forces the application to use V3 Extensions. Additionally, this causes that the certificate may not be used for any other purposes than the ones defined through the parameters keyUsage and extendedKeyUsage.

Note:
For additional information concerning V3 extensions, please have a look at 13.3.13 V3 Extensions (look at RFC 3280), page 489.

List 1957 Public Key Infrastructure (PKI) - Certificate Creation - V3 Extensions tab
Parameter: Description
basicConstraints: Defines whether the certificate is a CA (CA:true) or not (CA:false - default).
keyUsage: Defines the intended use for the certificate. The following types of usage are available: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly.
extendedKeyUsage: Extension to the intended use for the certificate. The following types of extended usage are available: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping, OCSPSigning, smarCardLogon, secureMail, msCodInd (MS Individual Code Signing), msCodeCom (MS Commercial Code Signing), msCTLSign (MS Trust List Signing), msSGC (MS Server Gated Cryptography), msEFS (MS Encrypted File System).
subjectKeyIdentifier: Hash of the subject.
authorityKeyIdentifier: The subject key identifier extension provides a means of identifying certificates that contain a particular public key. The following types of identifiers are available: keyid:always, keyid:copy, issuer:always, issuer:copy
authorityInfoAccess: The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services and CA policy data.
subjectAltName: The subject alternative names extension allows additional identities to be bound to the subject of the certificate. The following types are available: Email, DNS, URI, IP, MS Domain GUID, MS Domain User.
issuerAltName: This extension is used to associate Internet style identities with the certificate issuer.
crlDistributionPoints: Here the distribution points for the Certificate Revocation List (CRL) are defined.
DomainController: Microsoft-specific extension for entering DomainControllers.
nsComment: Allows entering a commentary.

13.3.2 Viewing Certificates

For viewing a certificate, select the wanted one, open the context menu and select View Certificate. This opens the View Certificate dialog with 3 tabs providing the complete information.

13.3.3 Editing Templates

Clicking Edit Templates opens the dialog for editing existing templates. It has almost the same functionality as the Create Certificate dialog (see 13.3.1 Creating a Certificate, page 486) except that there is neither a password field nor, of course, a CA selection option.
To edit a template, select it from the Select Template pull-down menu, make your changes, and save it by clicking Save Template.
To create a new template, select any existing template from the pull-down menu, make your changes, enter a new name in the Select Template field, and save it by clicking Save Template. The new template will promptly be available in the Template list of the Create Certificate dialog.

Attention:
Deleted predefined templates can only be restored if the PKI is deleted and newly established. Deletion of the PKI will cause deletion of all available certificates as well. Be careful not to delete predefined templates.

13.3.4 Create Request

If the password for the signing CA is omitted in the Create Certificate dialog, a certificate request is created instead of a certificate.

13.3.5 Revoke a Certificate

To revoke a still valid certificate, select it in the Valid folder, right-click on it and select Revoke Certificate from the context menu. You will be prompted to enter the parent CA's Sign Password. After doing so, the revoked certificate is moved to the Revoked folder.

13.3.6 Delete a Request

Go to a certificate request in the Pending directory and right-click on it. Select Delete Request and click the Yes button.




13.3.7 Approve a Request

Right-click on a certificate request and select Approve Request from the context menu. The corresponding dialog is opened displaying the values of the request. Enter the Sign Password of the CA to approve the request.

13.3.8 Import Certificates

Select a certificate for import and enter the certificate password. Afterwards click the Import button. If no problem arises, the certificate is imported. The PKI reloads the certificates automatically.
An end-user certificate will be added to the signing certificate, if existing. Otherwise the import will fail.

Fig. 194 Import Certificate dialog

13.3.9 Export Certificates

For exporting a certificate, mark it and select Export Certificate from the context menu. This opens the Export Certificate dialog for selecting the required format.

Fig. 195 Export Certificate dialog

13.3.10 Export Private Key

Select the required format and export the key to a file or to the clipboard.

Note:
For exporting to clipboard only PEM format is allowed, since DER is a binary format.

Fig. 196 Export Private Key dialog

13.3.11 Export a CRL

A Certificate Revocation List (CRL) is a list of client certificates that were revoked before they expired. To export a CRL, right-click on the Certification Authority and select Export CRL from the context menu. This opens the Export CRL dialog, where the password of the CA and the duration of validity are to be entered.

Fig. 197 Export CRL dialog

The CRL can either be exported as a file, to the clipboard or to distribution points. The distribution points are on the LDAP server as configured in the PKI service configuration and the local HTTP server of the CC box.
The CRL is accessible at
• ldap://mcip/cn=CommonName,dc=AsInConfig
• ldaps://mcip/cn=CommonName,dc=AsInConfig
• mcip/pki/CommonName.crl

Example:
192.168.10.10/pki/VPN-Root.crl
ldaps://192.168.10.10/cn=VPN-Root,dc=barracuda,dc=com

Note:
For accessing the local HTTP server a local redirect rule has to be added in the CC Firewall.




13.3.12 Search a Certificate

In order to search a certificate press CTRL+F or open the context menu of a certificate and select Search Certificate.
For example if you enter "lient" in the Common Name field, all certificates containing this string in the common name will be found, such as "Client", "Client1" or also "MILIENT".
With key F3 all found certificates can be stepped through.

13.3.13 V3 Extensions (look at RFC 3280)

Table 1921 Definition of V3 Extensions (RFC 3280)
Parameter: Description
basicConstraints: The cA boolean indicates whether the certified public key belongs to a CA. If the cA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted.
  OID = 2.5.29.19
  CANBECRIT=true
  Values: true, false
keyUsage: The key usage extension defines the purpose (for example, encipherment, signature, certificate signing) of the key contained in the certificate. The usage restriction might be employed when a key that could be used for more than one operation is to be restricted.
  OID = 2.5.29.15
  Values (BIT STRING): digitalSignature (0), nonRepudiation (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8)
  0) sign for entity authentication and data origin authentication with integrity, 1) sign with a non-repudiation service, 2) encrypt keys for transport using RSA like algorithms, 3) encrypt data, 4) exchange keys using D-H like algorithms, 5) sign certificates, 6) sign CRLs, 7) encrypt data using D-H like algorithms, and 8) decrypt data using D-H like algorithms.
extendedKeyUsage: This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.
  OID = 2.5.29.37
  CANBECRIT=true
subjectKeyIdentifier: The subject key identifier extension provides a means of identifying certificates that contain a particular public key.
  OID = 2.5.29.14
  CANBECRIT=false
  Values: hash
authorityKeyIdentifier:
  OID = 2.5.29.35
  CANBECRIT=false
  Values: keyid:always, keyid:copy, issuer:always, issuer:copy
authorityInfoAccess: The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in end entity or CA certificates, and it MUST be non-critical.
  OID = 1.3.6.1.5.5.5.7.1.1
  Values: a string, for example OCSP;URI:ocsp.my.host/ or caIssuers;URI:my.ca/ca.html
subjectAltName: The subject alternative names extension allows additional identities to be bound to the subject of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI).
  OID = 2.5.29.17
  CANBECRIT=true
  Values: Email - enter an e-mail address or "copy" for copying from subject; DNS; URI; IP; MS Domain GUID - for Smartcard Server; MS Domain User - for Smartcard User
issuerAltName: This extension is used to associate Internet style identities with the certificate issuer.
  OID = 2.5.29.18
  CANBECRIT=true
  Values: issuer:copy
crlDistributionPoints: This lists the distribution points for CRLs.
  OID = 2.5.29.31
  Example: ldap://some.ldap-test.eu/cn=rootcert,dc=ldap-test,dc=eu or some.ldap-test.eu/crl/rootcert.crl
DomainController: This is a Microsoft specific extension needed for smartcard logon.
  OID = 1.3.6.1.4.1.311.20.2
  Values: Machine for a machine; SmartCardLogon for a user (logon); SmartCardUser for a user (logon and e-mail)
nsComment: Just an extension to provide a possibility for a comment. This is an old Netscape extension.
  OID = 2.16.840.1.113730.1.13
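The extension rules in this table, together with the revocation flow of 13.3.5 and the CRL export of 13.3.11, can be exercised with Go's standard crypto/x509 package. The following program is an added example and is not code from the manual or from the Barracuda PKI: it builds a root CA with basicConstraints CA:true and keyUsage keyCertSign|cRLSign, signs a VPN client certificate carrying CA:false, keyUsage, extendedKeyUsage clientAuth, an e-mail subjectAltName and crlDistributionPoints in the two URL forms listed under 13.3.11, checks the RFC 3280 rule that keyCertSign must not be asserted without cA, issues a CRL for a revoked certificate with a chosen validity, and performs the relying-party check, verifying the CRL signature against the issuer before looking up a serial number. The names VPN-Root and vpn-client1, the address 192.0.2.10 and the base DN dc=example,dc=com are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PKI holds a root CA, its signing key and one end-entity certificate.
type PKI struct {
	CAKey    *rsa.PrivateKey
	CA, Leaf *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI builds a self-signed root (basicConstraints CA:true, keyUsage keyCertSign|cRLSign) and a
// VPN client certificate (CA:false, digitalSignature|keyEncipherment, clientAuth, SAN, CRL points).
func NewPKI() (*PKI, error) {
	caKey, errCA := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits, as the manual advises for CAs
	leafKey, errLeaf := rsa.GenerateKey(rand.Reader, 2048)
	if err := errors.Join(errCA, errLeaf); err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "VPN-Root"},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, 5475), // 15 years, the manual's worked value
		IsCA:                  true,
		BasicConstraintsValid: true, // basicConstraints CA:true, marked critical
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "vpn-client1"},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, 365),
		BasicConstraintsValid: true, // CA:false
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		EmailAddresses:        []string{"client1@example.com"}, // subjectAltName (Email)
		// crlDistributionPoints in the two forms the manual lists; address and base DN are assumed
		CRLDistributionPoints: []string{"ldap://192.0.2.10/cn=VPN-Root,dc=example,dc=com", "http://192.0.2.10/pki/VPN-Root.crl"},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &PKI{CAKey: caKey, CA: ca, Leaf: leaf}, nil
}

// CheckBasicConstraints applies the RFC 3280 rule quoted in the extensions table:
// if cA is not asserted, the keyCertSign bit MUST NOT be asserted.
func CheckBasicConstraints(c *x509.Certificate) error {
	if !c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0 {
		return errors.New("keyCertSign asserted on a certificate with CA:false")
	}
	return nil
}

// ExportCRL signs a DER CRL listing the revoked serials, valid for validDays (the two inputs
// the Export CRL dialog asks for besides the CA password).
func (p *PKI) ExportCRL(revoked []*x509.Certificate, validDays int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, validDays)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.CAKey)
}

// IsRevoked is the relying-party side: verify the CRL signature against its issuer before
// trusting its contents, then look up the serial number.
func IsRevoked(crlDER []byte, issuer, c *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

NewPKI stands in for what the Create Certificate dialog produces; the CA Sign Password the dialog asks for corresponds to the private key held in PKI.CAKey. IsRevoked rejects a CRL whose signature does not verify against the issuing CA before any entry is consulted, which is the check that matters when CRLs are fetched from the HTTP or LDAP distribution points listed above.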




14. CC Firewall

For remote managed Barracuda NG Firewalls a so-called box tunnel between CC and boxes can be used. These box tunnels are handled by the CC service CC VPN Service and require the configuration of Virtual Box IPs.

14.1 General

When using virtual management Box IPs (Box Management Tunnels) it is possible either to use the CC as a generic forwarder or to add additional protection using the CC Firewall.

Fig. 198 User Interface of a generic forwarder

A generic forwarder acts like a router and simply forwards traffic to the destination. Since each Barracuda NG Firewall applies access restrictions by using the configured box ACL, a basic security level is guaranteed.
However, if a higher security level is required, the Barracuda NG Control Center can be equipped with a forwarding firewall (CC Firewall).
The CC Firewall contains the same features as described in Firewall, page 131.
For introducing a CC Firewall it is necessary to have a valid firewall license for the Barracuda NG Control Center.
The CC Firewall service is created on box level of the CC as described in Configuration Service 4. Introducing a New Service, page 97, by selecting firewall as service module. The configuration of the CC Firewall is analogous to the forwarding firewall of a Barracuda NG Firewall.

15. VPN GTI

The Barracuda NG Firewall VPN Graphical Tunnel Interface (GTI) combines leading VPN technology with comfortable VPN tunnel creation and management.
VPN GTI functionality is also available per Range and per Cluster.

Main features:
• VPN tunnel creation by drag&drop functionality
• Global parameters for VPN compounds
• Individual overriding of global parameters per tunnel

15.1 User Interface

The GTI is accessible via:
• Config > Multi-Range > Global Settings > VPN GTI Editor (Global) for company wide VPN structures
• Config > Multi-Range > <rangename> > Range Settings > VPN GTI Editor for range wide VPN structures
  Note: Requires parameter Own VPN GTI Editor (Range Configuration) to be set to yes.
• Config > Multi-Range > <rangename> > Range Settings > Cluster > Cluster Settings > VPN GTI Editor for cluster wide VPN structures
  Note: Requires parameter Own VPN GTI Editor (Cluster Configuration) to be set to yes.

Fig. 199 User Interface (sections: Detail, Canvas)

As shown above, VPN GTI consists of two sections:
• Detail - providing information concerning the global tunnel settings of this compound (only in detailed view; see below):
  Group - Name of the VPN group and type-depending icon (star; hub; meshed)
  Services - No. of services that are part of this group
  Tunnels - Number of tunnels within the compound
  Type - Compound type
  Transport - Used transport protocol
  Encryption - Used/required encryption algorithm
  Authentication - Used/required authentication method
  Accepted Identification - Used/required identification method




• Canvas - here tunnels are created and VPN services are added; that means here your VPN compound is created. For creating a tunnel, simply left-click on the tunnel's designated start VPN service and move the cursor (keeping the left button pressed) to the designated end VPN service.

Note:
By default, tunnels created in VPN GTI are active-passive ones. In order to create active-active tunnels, simply overrule the parameter Direction (see 15.2.2.4 Defining Tunnel Properties, page 495) by setting it to active.

Note:
Creating tunnels between external VPN services is NOT possible.

15.1.1 User Interface - Detail Section

For adding/editing/deleting VPN groups simply right-click in the Detail section and select the desired action from the context menu:
• Edit Group - opens a dialog for editing already existing VPN groups; the dialog itself is identical to the one opened when a new group is added (see 15.2.2 Defining Global Settings for a VPN Group, page 492).
• Add Group - opens a dialog for adding new VPN groups (see 15.2.2 Defining Global Settings for a VPN Group, page 492).
• Delete Group - removes the existing VPN group
• Add VPN Service to GTI Editor - adds a VPN service to the selected VPN group
• Delete VPN Service from GTI Editor - removes a VPN service from the selected VPN group
• GTI Editor Defaults - opens a dialog for defining default values used when new VPN groups are created (see 15.2.1 Defining GTI Editor Defaults, page 492).
• Swap List View - toggles the group view between TINA and IPSec. The default preference is TINA.
• Views - provides several types of views for the Detail section (Tiles, Icons, List, Details).
• Tools - standard context menu (contains: Search for Text, Print options, …)

15.1.2 User Interface - Canvas Section

Fig. 1910 Example VPN group

The GTI canvas provides the following information:
• Name of the VPN service; used format for Barracuda NG Firewall VPN services: <servername> servicename/cluster/range
• Configured server IP addresses and, optionally, Explicit Bind IP addresses
• Tunnel and tunnel direction with an arrow to the designated tunnel end point using the following colors and line types:
  black - enabled tunnel
  grey - disabled tunnel
  solid line - TINA tunnel
  chain-dotted line - IPSec tunnel
  tunnels flagged with one arrow tip - active-passive tunnel (arrow tip points to the passive tunnel endpoint)
  tunnels flagged with arrow tips on both ends - active-active tunnel
• Tunnel Info node

Fig. 1911 Open Tunnel Info node

As depicted above, an information bubble is displayed when clicking on a Tunnel Info node. Clicking the link provided opens a dialog for viewing/editing tunnel settings.




In addition to the drag&drop functionality, the canvas section offers a context menu providing the following entries:
• <VPN service name> - opens a dialog window displaying the properties of the selected VPN service (see 15.2.2.3 Defining VPN Service Properties, page 494).
• Set Filter to <VPN service name> - hides every VPN service that is not endpoint of a tunnel initiated by the selected VPN service.

Fig. 1912 New filtered for <s0-Borde> vpn-bo/cluster1/10

Note:
For every tunnel endpoint introduced through the VPN GTI Editor (Global), dynamic Global GTI Objects are created. These network objects can be utilized when creating firewall rules (see Barracuda NG Control Center 6.3.2.2 Global GTI Objects, page 435 and Firewall 2.2.3 Rules Configuration, page 143, parameter Reload GTI Objects).

• Clear Filter - deletes the set filter
• Go to Config Tree - opens the configuration tree for the selected VPN service
• Go to Box <box name-box IP address> - starts the login procedure for the box the VPN service is configured on
• Add VPN Services to GTI Group - adds a VPN service to the VPN group
• Delete VPN Service from Group - removes a VPN service from the VPN group
• Edit Tunnel - opens a dialog for modifying settings of the selected tunnel
• Delete Tunnel - removes the selected tunnel
• Force Full Update - forces a complete update of all nodes within the VPN group
• Show Tunnel Names - adds the tunnel names to the canvas; reselecting this entry hides the tunnel names again
• Zoom out/in - decreases/increases the zoom level
• Fit to Screen - ticking this option causes the complete VPN group to be resized according to the available canvas size; however, when increasing the canvas size this entry has to be selected again in order to resize the view.
• Show Full Screen (F11) - switches the canvas into full screen mode; for leaving full screen mode, simply use either this entry again or hit F11.
• View as list - displays the VPN group structure in table format; since this view is read-only you'll need to change back to graphical display in order to make changes. This is done by using this entry again.

Fig. 1913 Example VPN group displayed as table

15.2 Configuration

15.2.1 Defining GTI Editor Defaults

Especially for lots of VPN groups sharing almost identical configurations it comes in handy to define your own default values. These customized values are set as default when creating new VPN groups.
The parameters are the same as above except for an additional Root Certificates tab allowing you to import root certificates for further usage.

15.2.2 Defining Global Settings for a VPN Group

The first step when creating a new VPN group is to configure global settings valid for every tunnel of this group.
After selecting Add Group from the Details section, the following parameters are available:

Note:
Take into consideration that these global settings are not fixed ones. Each one of the global parameters can be adapted to the individual needs of tunnels within the VPN group.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


15.2.2.1 TINA Tab

List 1958 VPN GTI Editor - Group Edit - TINA tab section General Settings

Name - This is a read-only field, displaying the group name as defined when creating the VPN group.
Transport - This setting defines the to-be-used transport protocol and offers the following options:
  UDP - Tunnel uses UDP port 691 to communicate. This connection type is best suited for response optimized tunnels.
  TCP - Tunnel uses a TCP connection on port 691 or 443 (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies.
  UDP&TCP - Tunnel uses TCP AND UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.
  ESP - Tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance optimized tunnels.
  Note:
  Do NOT use ESP if there are filtering or NAT interfaces in between.
  Routing - This transport type is only of interest in combination with Traffic Intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). Specifying routing as transport disables data payload encryption within the tunnel. This transport should only be used for uncritical bulk traffic.
  Transport type Routing activates parameter Routing Next-Hop in the tunnel configuration dialog, where the next-hop address for routed data packets has to be specified.
  Note:
  To enter a Routing Next-Hop address when the Direction is Passive follow these steps:
  Select Direction: Active
  Select Transport: Routing
  Enter the Routing Next-Hop address
  Select Direction: Passive
Encryption - Encryption mode the tunnel wants to establish as the active part. These tunnels work with various encryption algorithms. The initialising partner tries to establish the encrypted connection by offering ONE of the following methods.
  AES - Advanced Encryption Standard; default; capable of 128 / 256 bit key length
  3DES - Further developed DES encryption; three keys with each 56 bit length are used one after the other resulting in a key length of 168 bit.
  CAST - by Carlisle Adams and Stafford Tavares; algorithm similar to DES with a key length of 128 bit.
  Blowfish - works with a variable key length (up to 128 bit)
  DES - Digital Encryption Standard; since DES is only capable of a 56 bit key length, it cannot be considered as safe any longer.
  Attention:
  Do NOT use DES with high risk data.
Authentication - Defines the to-be-used algorithm for authentication. Available methods are:
  MD5 - Message Digest 5; hash length of 128 bit
  SHA - Secure Hash Algorithm; hash length of 160 bit
Root Certificate - In the pull-down menu available root certificates are offered for selection (as defined in the GTI Editor Defaults, see above).
Key Time Limit - This parameter defines the period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
Key Traffic Limit - This parameter defines the amount of traffic after which the re-keying process is started. Possible settings are: No Limit, 1 MB, 5 MB, 10 MB (default), 50 MB
Tunnel Probing - The probing parameter defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) is in charge. The available time settings (in seconds) for the probing parameter are: silent (no probes are sent; disables the parameter), 10 secs, 20 secs, 30 secs (default) and 60 secs.
Tunnel Timeout - If for some reason the enveloping connection breaks down the tunnel has to be re-initialized. This is extremely important for setups with redundant possibilities to build the enveloping connection. The timeout parameter defines the period of time after which the tunnel is terminated. The available settings (in seconds) for the timeout parameter are: 10 secs, 20 secs (default), 30 secs and 60 secs
  Note:
  The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet or connections over a dedicated line.
Accept Identification Type - Offers three types of identification: Public Key (default), X509 Certificate (CA signed) and X509 Certificate (explicit)
Hide in Barracuda NG Earth - Select the checkbox and the tunnel will not be visible in the Barracuda NG Earth software.
Meshed - Selecting this checkbox (at the bottom of the configuration window) automatically creates tunnels when adding a new VPN service to the group.
  Note:
  Take into consideration that the tunnels are NOT removed after deselecting this checkbox.

List 1959 VPN GTI Editor - Group Edit - TINA tab section Accepted Ciphers

Accepted Ciphers - Indicates what kind of ciphers are allowed for connecting to the VPN server for users of this group. Reset functionality is available as soon as a cipher setting was modified and restores default values.

List 1960 VPN GTI Editor - Group Edit - TINA tab section Bandwidth Protection

Bandwidth Protection settings are a part of Traffic Intelligence configuration. For a description of Traffic Intelligence please see VPN 2.7.1.2 Traffic Intelligence (TI), page 235. For a detailed parameter description please see VPN Bandwidth Protection, page 238.

List 1961 VPN GTI Editor - Group Edit - TINA tab section VPN Envelope Policy

VPN Envelope settings are a part of Traffic Intelligence configuration. For a description of Traffic Intelligence please see VPN 2.7.1.2 Traffic Intelligence (TI), page 235. For a detailed parameter description please see VPN VPN Envelope Policy, page 238.

15.2.2.2 IPSec Tab

This tab is used for defining parameters concerning both Phase 1 and Phase 2 of an IPSec connection:
• Phase 1 involves policy negotiation, key material exchange, and authentication.
• Phase 2 involves policy negotiation, session key material refresh or exchange, and establishment.

List 1962 VPN GTI Editor - Group Edit - IPSec tab section Phase 1 / Phase 2

Encryption - defines what kind of encryption is used. Available algorithms for Phase 1: 3DES (default), DES and CAST. Available algorithms for Phase 2 are: AES, 3DES (default), CAST, Blowfish and DES.
Hash Meth. - defines the used hash algorithm; available algorithms are MD5 (default for both phases) and SHA.
DH-Group - Diffie-Hellman Group defines the way of key exchange; available options for this parameter are Group1 (default for both phases; 768-bit modulus), Group2 (1024-bit modulus), and Group5 (1536-bit modulus).
Lifetime - defines rekeying time in seconds a server offers to the partner (default Phase 1: 28800; default Phase 2: 3600).
Min. Lifetime - defines minimum rekeying time in seconds a server accepts from its partner (default Phase 1: 25200; default Phase 2: 1200).
Max. Lifetime - defines maximum rekeying time in seconds a server accepts from its partner (default Phase 1: 32400; default Phase 2: 4800)

List 1963 VPN GTI Editor - Group Edit - IPSec tab section General Settings

Accepted Identification Type - offers three types of identification: Shared Passphrase (default), X509 Certificate (CA signed) and X509 Certificate (explicit). A passphrase is automatically generated when an IPSec tunnel is drawn.
Root Certificate - offers all available root certificates for selection (as defined in the GTI Editor Defaults, see above)

15.2.2.3 Defining VPN Service Properties

Fig. 1914 Adding a VPN Service to a VPN Group - Step 1

Fig. 1915 Adding a VPN Service to a VPN Group - Step 2

When adding a VPN service to the VPN group, you may define several specific parameters.

List 1964 VPN GTI Editor - Adding a VPN Service to a VPN Group section Server/Service

Server - displays server name; read-only
Service - displays service name; read-only
Info - displays an optional information text; read-only

List 1965 VPN GTI Editor - Adding a VPN Service to a VPN Group section Attributes

Color - defines the color in which the tunnels created from this VPN service to another one are displayed. Take into consideration that disabled tunnels are not affected by this parameter and are displayed grey regardless of the color set. Additionally, the color is used in conjunction with parameter Filled (see below) (default: black).
Thickness - defines the thickness of displayed tunnels created from this VPN service to another one (default: 1 pt)
Filled - ticking causes the background of the selected VPN service to be equipped with a solid circle in the color defined above (default: disabled)
Hub - ticking causes the selected VPN service to serve as a hub (default: disabled)
Show Name - enables/disables display of the selected VPN service name (default: enabled)
Fully Meshed - ticking causes automatic tunnel creation for the selected VPN service (default: disabled)

List 1966 VPN GTI Editor - Adding a VPN Service to a VPN Group section Tunnels

Displays every tunnel connection created from this VPN service to another one (including the set parameter values); the context menu offers the items Edit Tunnel (see 15.1.2 User Interface - Canvas Section, page 491), Delete Tunnel (see 15.1.2 User Interface - Canvas Section, page 491) and standard context menu entries.

List 1967 VPN GTI Editor - Adding a VPN Service to a VPN Group section In Groups

Purely informational; displays all groups the VPN service is part of.
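The TINA and IPSec tab settings above lend themselves to an automated check before a group is rolled out. The following audit is an added example, not code from Barracuda Networks or the product; it assumes the group settings have been exported into plain dictionaries (the layout, the function names and the keys nat_or_filter_in_path and link_type are assumptions of this example) and flags the choices the lists above warn about: Routing transport, ESP across NAT or filtering hops, DES, the 768-bit DH Group1, and an IPSec Lifetime outside the Min./Max. window.

```python
"""Audit of a VPN group's TINA tab (List 1958) and IPSec tab (List 1962) settings.

Added example, not part of the Barracuda NG Firewall product or its documentation.
The dictionary layout, the function names and the two extra keys
"nat_or_filter_in_path" and "link_type" are assumptions of this example; the
parameter names, option values and recommendations are those of the lists above.
"""
from dataclasses import dataclass
from typing import Dict, List

Settings = Dict[str, object]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    parameter: str
    message: str


# Tunnel Timeout values (seconds) recommended in List 1958 per link type.
RECOMMENDED_TIMEOUT = {"internet": 30, "intranet": 10}


def audit_tina(tina: Settings) -> List[Finding]:
    """Check the General Settings of the TINA tab."""
    findings: List[Finding] = []
    transport = tina.get("Transport")
    if transport == "Routing":
        findings.append(Finding("high", "Transport",
            "Routing disables payload encryption; only acceptable for uncritical bulk traffic"))
    # "nat_or_filter_in_path" is an assumed flag describing the path between the endpoints.
    if transport == "ESP" and tina.get("nat_or_filter_in_path"):
        findings.append(Finding("high", "Transport",
            "ESP (IP protocol 50) must not be used with filtering or NAT interfaces in between"))
    if tina.get("Encryption") == "DES":
        findings.append(Finding("high", "Encryption",
            "DES (56 bit key) is no longer considered safe; do not use it for high risk data"))
    if tina.get("Authentication") == "MD5":
        findings.append(Finding("info", "Authentication",
            "MD5 (128 bit) selected; SHA (160 bit) is the stronger of the two offered methods"))
    if tina.get("Tunnel Probing") == "silent":
        findings.append(Finding("info", "Tunnel Probing",
            "no probes are sent, so a dead enveloping connection is not detected by probing"))
    link = tina.get("link_type")   # assumed key: "internet" or "intranet"
    wanted = RECOMMENDED_TIMEOUT.get(link)
    if wanted is not None and tina.get("Tunnel Timeout") != wanted:
        findings.append(Finding("info", "Tunnel Timeout",
            f"{tina.get('Tunnel Timeout')} s set; {wanted} s is recommended for {link} connections"))
    return findings


def audit_ipsec_phase(name: str, phase: Settings) -> List[Finding]:
    """Check one IPSec phase: cipher, DH group and the lifetime window."""
    findings: List[Finding] = []
    if phase.get("Encryption") == "DES":
        findings.append(Finding("high", f"{name} Encryption",
            "DES selected; it cannot be considered safe any longer"))
    if phase.get("DH-Group") == "Group1":
        findings.append(Finding("medium", f"{name} DH-Group",
            "Group1 has a 768-bit modulus; Group2 (1024-bit) or Group5 (1536-bit) are offered"))
    lo, mid, hi = (phase.get(k) for k in ("Min. Lifetime", "Lifetime", "Max. Lifetime"))
    # The Lifetime offered must lie inside the window the server accepts from its partner.
    if None not in (lo, mid, hi) and not (lo <= mid <= hi):
        findings.append(Finding("medium", f"{name} Lifetime",
            f"offered lifetime {mid} s is outside the accepted window {lo}..{hi} s"))
    return findings


def audit_group(group: Dict[str, Settings]) -> List[Finding]:
    """Audit a whole VPN group: TINA tab plus IPSec Phase 1 and Phase 2."""
    findings = audit_tina(group.get("TINA", {}))
    findings += audit_ipsec_phase("Phase 1", group.get("IPSec Phase 1", {}))
    findings += audit_ipsec_phase("Phase 2", group.get("IPSec Phase 2", {}))
    return findings


# Constructed sample group: list defaults plus a few weak choices to exercise the checks.
SAMPLE_GROUP: Dict[str, Settings] = {
    "TINA": {"Transport": "ESP", "nat_or_filter_in_path": True,
             "Encryption": "AES", "Authentication": "SHA",
             "Tunnel Probing": 30, "Tunnel Timeout": 20, "link_type": "internet"},
    "IPSec Phase 1": {"Encryption": "3DES", "Hash Meth.": "MD5", "DH-Group": "Group1",
                      "Lifetime": 28800, "Min. Lifetime": 25200, "Max. Lifetime": 32400},
    "IPSec Phase 2": {"Encryption": "DES", "Hash Meth.": "SHA", "DH-Group": "Group2",
                      "Lifetime": 5000, "Min. Lifetime": 1200, "Max. Lifetime": 4800},
}

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP):
        print(f"[{finding.severity:6}] {finding.parameter}: {finding.message}")
```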
The tabs VPN GTI Settings and Server/Service Settings in the VPN Service window are read only areas. Their content is delivered through the VPN GTI Settings tab (VPN 2.4 Configuring VPN GTI Settings, page 221) and the Server Configuration tabs (Configuration Service 3. Configuring a New Server, page 94).

Note:
Networks needed to be reachable behind the tunnel endpoints must be entered into the Networks parameter of the Server Configuration area (see 3.3.2 GTI Networks, page 96).

15.2.2.4 Defining Tunnel Properties

As already mentioned above, Barracuda NG Firewall VPN GTI offers the possibility to tweak any tunnel parameter to your needs.
For tweaking tunnel parameters simply left-click the Tunnel Info node and open the configuration dialog via the link (displayed in blue).

Fig. 1916 Open Tunnel Info node and Tunnel configuration dialog

When editing a parameter the following visualisation effects are shown:
• Parameter name turns from black into blue and is displayed underlined (as shown in figure 1916)
• Parameter value changes from grey (indicating default values) into black

Note:
In order to reset the modification, simply click on the blue, underlined parameter name and select Reset to Group default value from the menu.

Note:
The information displayed is merged from the following configuration entities:
• Global VPN Settings - see 15.2.2 Defining Global Settings for a VPN Group, page 492
• Local VPN GTI Settings on the corresponding boxes - see VPN 2.4 Configuring VPN GTI Settings, page 221.

15.2.2.5 Configuring Traffic Intelligence Settings in the GTI VPN Editor

The GTI VPN Editor offers various configuration settings for Traffic Intelligence employment.

Note:
Functionality, characteristics and configuration parameters of Traffic Intelligence are described in detail in VPN 2.7.1.2 Traffic Intelligence (TI), page 235. Please read this chapter before proceeding. In this place, only the transport creation and modification process will be described.

As described in 15.1.1 User Interface - Detail Section, page 491, a tunnel is created by drawing a line from the tunnel's start to its end point. A left click on the Tunnel Info node and a click on the link with the tunnel name opens the tunnel configuration dialog (figure 1917).

Fig. 1917 Tunnel configuration dialog

The configuration dialog provides every parameter relevant for the selected tunnel.

Attention:
Tweaking tunnel parameters disables global settings.
TI-Classification and TI-ID for the transport can be assigned through the lists in the framed area. The first transport is by default equipped with the attributes Bulk 0. These values cannot be edited.
Drawing further lines between the same tunnel end points creates further transports. The configuration dialogs for these transports immediately open expecting specification of unique TI-Classification and TI-ID.
After having saved the settings, the Tunnel Info node displays links indicating the specific transports. Tunnels which have been configured with multiple transports are depicted by two parallel lines.

Fig. 1918 Tunnel Info node displaying links to transports

Transport specific TI Bandwidth Protection (VPN Bandwidth Protection, page 238) and VPN Envelope settings (VPN 2.7.1.2 Traffic Intelligence (TI), page 235) are configured through accordingly named tabs in the tunnel configuration window.

16. Barracuda NG Earth

16.1 General

Barracuda NG Earth is a graphical real time monitoring utility for your VPN site to site connection tunnels.
Usage is only possible with GTI VPN tunnels as the Barracuda NG Control Center needs to determine a relationship between both tunnel endpoints. In case of traditionally configured VPN tunnels a relationship between the endpoints cannot be determined due to NAT issues.

Note:
Barracuda NG Earth is only available in combination with the CC Global Edition and CC Enterprise Edition licenses.

16.2 CC Settings

• In the CC set the parameter Poll Box VPN Status to yes (Global Settings > CC Parameters > Barracuda NG Earth Setup) (see Barracuda NG Control Center 6.3.5 Global Settings - CC Parameters, page 437, list 1910)
• To define the position of the VPN connectors, insert the coordinates in parameter Global Position for all your boxes (Boxes > <boxname> > Box Properties > Operational > Barracuda NG Earth Settings) (see Configuration Service 2.2.2.2 Creating a Box - Operational Settings, page 53, list 33).

16.3 Requirements

• Processor: Intel Pentium IV, AMD Athlon 64 or better
• OS: Windows XP SP2 or Windows VISTA 32 / 64-bit
• Graphic card: DirectX 9 level graphics card or better
• Generic Network Adapter
• a CC and adequate licenses (see 16.1 General, page 497)
• usage of GTI VPN tunnels

16.4 Barracuda NG Earth Settings

Fig. 1919 Barracuda NG Earth settings

Note:
Please notice that for configuration settings, Administrative rights are required.

Define the settings best fitting to your video card, as the application is using DirectX 9. Check for the latest driver update at www.microsoft.com.

List 1968 Barracuda NG Earth section Graphics

Texture Quality - Move the slider to select the texture quality level. The higher the texture level the higher the CPU load.
  Low - world.200407.2048x1024.tga (6.145 KB)
  Medium - world.200407.8100x4050.tga (96.109 KB)
  High - world.200407.10800x5400.tga (170.860 KB)
World Texture from - Choose the world texture
Geometry Quality - Move the slider to select the geometry quality (number of polygons). This setting influences your performance substantially. Recommended value is medium.
  High - 124.416 polygons
  Medium - 31.104 polygons
  Low - 7.776 polygons
Bump Mapping - Choose Enabled or Disabled. This setting allows the video card to apply texture maps (bumps) to flat textures; this setting can affect performance.
Water is transparent - Choose Enabled or Disabled. Select the way the water will be presented; this setting can affect performance.
Graphical API - Choose DirectX or OpenGL. If your system does not support DirectX you can choose OpenGL as an alternative. Please notice that as the application starts with DirectX selection by default, a check on DirectX driver version will be performed.

List 1969 Barracuda NG Earth section Connection to CC

Demo Mode - When no configuration is selected the application will start in demo mode, representing virtual tunnels. If selected, choose between different demo regions or customize your own demo tunnels.
Server IP - Insert the IP address to connect to the CC
Server Port - Insert the server port to connect to the CC
User - Insert username to connect to the CC
Password - Insert password to connect to the CC.
  Attention:
  The password is encrypted and stored in the ini-file. Be aware that stored passwords even in encrypted form may be brute-force attacked.
  Note:
  Barracuda Networks strongly recommends that those responsible for the Barracuda NG Earth client ensure that the management workstation is operated in an environment which is free of malicious software (Trojan horses, ...).
  Additionally Barracuda Networks recommends to create a named administrator specifically for this purpose. The administrator should only be granted permissions for monitoring box states and tunnel status. For these permissions the admin requires the following roles on the Barracuda NG Control Center (Global Settings > Administrative Roles > Administrative Role Configuration > Role):
  In section CC Control Module: Access to CC Control selected
  In section CC Control Permissions: parameter Show Map enabled
  (6.3.7 Global Settings - Administrative Roles, page 438)
  Note:
  Please note that the rights from the selected user will be in place. So hierarchy rights on range/cluster/box have impact on the represented objects.
Update every - Scale updates from every 5 s to 300 s (5 minutes)
Show Last Update Time - Select the checkbox for an overlay stamp about last update time

16.5 User Interface

Fig. 1920 Barracuda NG Earth

16.5.1 Hotkeys

Table 1922 Barracuda NG Earth Hotkey

b - Bitmap bump map on/off
n - New 2D View. Open a new 2D window that can be moved on a different desktop (especially for dual head graphics cards)
s - Transparent sphere on/off
t - VPN Tunnel Mode on/off
r - Sphere automatic rotation ON
<F5> - Refresh data
<ALT> - open view context menu, options are:
  Box info - open box info context
  Missing GPS data - a list of all boxes that have no GPS data defined
  Boxes - open list of active boxes, click on one and the world will move to this box position. Press <CTRL> and select a box from the list to open a new 2D window focused on the selected box.
  Close - Exit the application
  ShowTunnels - Shows or hides tunnels according to their states: Down, Inactive, MISC or Up
<ALT>+<F4> - Exit the application

16.5.2 Mouse Functions

Table 1923 Barracuda NG Earth Mouse functions

Mouse Wheel - Zoom in/out
Right Mouse and Move - Move sphere
Left Mouse and Move - Rotate sphere
CTRL + Mouse click - Show Box / Tunnel Detail View; changing the value affects only demo mode. Get focus on the info window and press ESC to close it.
Click on box - If Barracuda NG Admin is connected to the CC, a click on a box will open the configuration of the selected box.

16.5.3 Status / Color Legend

Each tunnel / box is represented by a color depending on the status.

Table 1924 Barracuda NG Earth Color legend for box

Box Status - Box Color
Ready - blue
Warning - blinking green to red
Error - red

Table 1925 Barracuda NG Earth Color legend for tunnel

Tunnel Status - Tunnel Color
Active - green
Disabled - gray
Error - red
Multiple tunnel (not all are active) - yellow

16.6 Troubleshooting

If the desired boxes and/or VPN tunnels are not displayed on Barracuda NG Earth, please follow the following steps.

16.6.1 CC and Box Configuration

• CC: The parameter Poll Box VPN Status must be set to yes (Config > Multi-Range > Global Settings > CC Parameters > Barracuda NG Earth Setup).
• Corresponding Box: The parameter Poll VPN Tunnel Status must be set to yes (Config > Box > Box
Properties > Operational > Barracuda NG Earth Settings)
In addition, the coordinates of the box must be typed into the Global Position parameter.

16.6.2 VPN Tunnel Configuration

• Ensure that the VPN tunnel is defined using the GTI editor.
• If the VPN tunnels are generated with the Meshed option enabled, the VPN tunnel will only be displayed when there is traffic. Double-click the group in the VPN GTI Editor to check the Meshed checkbox (VPN GTI Editor accessibility see 15.1 User Interface, page 490).
• Ensure that the checkbox Hide in Barracuda NG Earth is not selected within the same dialog.
• Double-click the tunnel in the VPN GTI Editor and ensure that the checkbox Hide in Barracuda NG Earth is not selected within the VPN tunnel settings.

For further information about how to reach the Group Edit dialog and/or VPN tunnel settings see 15.1 User Interface, page 490.

16.6.3 Barracuda NG Earth Configuration

• Under Windows > start > All Programs > Barracuda Networks > Barracuda NG Earth > 3D Settings ensure that the CC server IP (not CC box IP) is typed into the Server IP parameter.

17. CC RCS

The Barracuda NG Control Center provides a Revision Control System (RCS) for auditing purposes. The RCS, as soon as activated, provides complete information on changes in the configuration of the Barracuda NG Control Center and its administered Barracuda NG Firewalls (in theory, back to the moment RCS was activated - depending on the amount of data).

Attention:
Please take into consideration that the DNS service is not supported by RCS.

17.1 Activating / Configuring RCS

Attention:
For activating RCS an explicit license is required. Otherwise, a fatal log entry is created.

Note:
Modifying the settings of these parameters (and restoring a freshly installed CC with a par file) requires a restart of module CC-Configuration-Service in order to get active. Depending on the size of the configuration tree, this restart may last several minutes because each configuration tree entry gets its version numbering. Barracuda Networks recommends looking at the log providing exact status information.
Additionally, it is necessary to make a session disconnect and reconnect, which enables the RCS pull-down menu in the upper right corner just like the context menu entries for RCS in the User Interface.

In order to activate RCS enter the Config > Multi-Range > Global Settings > CC Parameters > RCS Setup view.

Fig. 1921 Configuration dialog - RCS
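Example handler for the Report Processing Script parameter of the RCS Setup (List 1970 below), added here and not the product's own script. It assumes the field contains a one-line shell script that runs this file (for example python3 /root/rcs_report.py) so that the REPORT variable set by Rangeconf is inherited from the environment; host, user, key file, target directory and size limit are placeholders. Compared with the plain scp one-liner in the list, it validates the report file before sending, uses key-based batch authentication to an unprivileged account rather than root, and refuses unknown or changed host keys.

```python
"""Ship an RCS change report named by $REPORT over scp.

Added example, not part of the Barracuda NG Firewall product or its documentation.
It assumes the Report Processing Script field holds a one-line shell script that
runs this file (for example: python3 /root/rcs_report.py), so that the REPORT
variable Rangeconf sets is inherited from the environment. Host, user, key file,
target directory and size limit below are placeholders to be replaced.
"""
import os
import subprocess
from pathlib import Path
from typing import List, Mapping

DEST_HOST = "reports.example.invalid"      # placeholder collector host
DEST_USER = "rcs-reports"                  # placeholder: an unprivileged account, not root
DEST_DIR = "/var/rcs-reports"              # placeholder directory on the collector
KEY_FILE = "/root/.ssh/rcs_report_key"     # placeholder: key limited to scp on the collector
MAX_BYTES = 50 * 1024 * 1024               # placeholder upper bound for a single report


def report_path_from_env(env: Mapping[str, str]) -> Path:
    """Return the report file named by $REPORT, refusing anything unexpected."""
    value = env.get("REPORT")
    if not value:
        raise ValueError("REPORT is not set; Rangeconf hands the report name over in it")
    path = Path(value)
    if not path.is_file():
        raise FileNotFoundError(f"{path} does not exist or is not a regular file")
    if path.stat().st_size > MAX_BYTES:
        raise ValueError(f"{path} is larger than {MAX_BYTES} bytes")
    return path


def scp_command(report: Path) -> List[str]:
    """Build the scp argument vector.

    The arguments are passed as a list, so a report name containing spaces or
    shell metacharacters is never re-parsed by a shell (the equivalent of
    writing "$REPORT" in quotes in the documented one-liner).
    """
    return [
        "scp", "-q",
        "-i", KEY_FILE,
        "-o", "BatchMode=yes",              # never fall back to a password prompt
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-o", "ConnectTimeout=10",
        str(report),
        f"{DEST_USER}@{DEST_HOST}:{DEST_DIR}/",
    ]


def send_report(env: Mapping[str, str] = os.environ, runner=subprocess.run) -> int:
    """Validate $REPORT and copy it; returns the scp exit status (0 on success)."""
    report = report_path_from_env(env)
    result = runner(scp_command(report), check=False)
    return int(result.returncode)


if __name__ == "__main__":
    raise SystemExit(send_report())
```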

List 1970 CC Parameters - RCS Setup

Version Control System - This parameter activates/deactivates the RCS function.
Log Change Differences - This parameter activates/deactivates the RCS functionality to log all changes made to a configuration node (file name: servicename_changes).
Log Creation Differences - This parameter specifies how to log the change of a new configuration node. The following settings are available:
  Difference-to-Default - Only differences to the default settings are enlisted.
  Full-Info - Every setting is enlisted.
  None - Only changes are taken into account.
Log Removal Differences - This parameter specifies how to log file removals within a configuration node. The following settings are available:
  Difference-to-Default - Only differences to the default settings are enlisted.
  Full-Info - Every action is enlisted.
  None - Removal of files is skipped.
Report Processing Script - Use this field to configure automated transmission of change reports to other destinations. A shell script invoking Secure Copy (scp) or e-mail delivery can be entered here.
  Example scripts for report transmission might look as follows:
  Secure copy to an external server:
  scp "$REPORT" root@recipient.com:
  mailclt to an external server:
  /opt/phion/bin/mailclt -f sender@sender.com recipient@recipient.com -s "change" -m 192.168.0.1 -a "$REPORT"
  Attention:
  Make sure to use the variable $REPORT when using the tools scp and mailclt. The name of the report file is stored in $REPORT and is thus handed over by Rangeconf.
  Note:
  On Barracuda NG Firewall 4.2 mailclt is installed by default.
  Attention:
  The option -m expects the IP address of a reachable SMTP server to follow. As DNS resolution is not supported by RCS the mail server's IP address and not its MX-Record has to be specified at any rate.
Force Commit Message - If set to Yes, every RCS check-in will produce a one-line text window allowing to enter a comment. Defaults to No.
  Attention:
  Barracuda NG Admin versions prior to 4.2.5 can not be used anymore for configuration changes if the Commit Message has been activated.

17.2 Using RCS

17.2.1 RCS Versions Dialog

RCS is monitored in the RCS Versions window. This window may be opened either via the context menu of any item in the configuration tree below Global Settings or via the pull-down menu RCS within an explicit configuration file.

Fig. 1922 RCS Versions window

The RCS Versions window makes the following information available:

Table 1926 Columns available in the RCS Versions window

Version - This column displays the version numbers of the selected activated configuration node/file. As long as the configuration is only sent (by clicking Send Changes) the displayed version is session. If this configuration is activated (by clicking Activate) the corresponding (increased) version number is listed. Editing a linked file results in additional version information including the file version and the complete path of this link target.
Date - This is the date when a new or modified configuration has been activated. Data is arranged as follows: yyyy/mm/dd.
Time - This is the time when a new or modified configuration has been activated. Independent of box time settings, the effective time format is always UTC.
Admin - Displays the login name of the editing administrator.
Peer - Displays the peer address of the editing administrator.
Operation - Displays the type of operation performed by the editing administrator. The following entries are possible:
  CHANGE - Indicates a modification
  ADD - Indicates an added configuration entry (for example a newly introduced firewall rule)
  REMOVE - Indicates a removed configuration entry (for example removing a firewall rule)
  LINK - Indicates a link to a repository entry.
  UNLINK - Indicates that a link to a repository entry was removed.
Link Version - This column holds information only in conjunction with a LINK operation entry. This information consists of the version of the link target.
Link Path - This column holds information only in conjunction with a LINK operation entry and consists of the complete path of the link target.

17.2.1.1 Working with RCS Versions Window

Selection of versions for verification is done by using the left mouse button (that means combining SHIFT and left-click will not work):
• The first click sets the start version of interest.

• The second click sets the end version of interest.

Fig. 1923 Example for selecting versions of interest

The example shown in figure 1923 would result in a comparison of version 1.1 and linked version 1.3. Ticking the checkbox Full History (lower left corner) causes every version step in between the selected version gap to also be taken into consideration for displaying differences (see figure 1924).

Fig. 1924 Example for selecting versions of interest with selected Full History checkbox

By clicking Select All all available versions are taken into account.
After the wanted selection is done click the button Show Differences in order to open the RCS Report.

17.2.2 RCS Change Message

By setting the parameter RCS Setup - Force Commit Message to Yes, a one-line text box will pop up prior to every Activate process, prompting the user to leave some comment on his or her changes.

Fig. 1925 RCS Change Message Dialog

The given commentary text may later be retrieved separately for each configuration node through the Show RCS Versions dialog within the context menu.

Fig. 1926 RCS Change Message Text within RCS Versions Dialog

17.2.3 RCS Report Window

Fig. 1927 RCS Report window

This RCS Report window enlists every configuration change made according to the selected version files. It makes the following information available:

Table 1927 Columns available in the RCS Report window

Node - This column offers a tree view on the changes. In the example above, the first level specifies the name of the configuration entity, the second level provides the name of the data set, the third level holds the position in the configuration dialog, and the fourth level holds the object of editing.
Operation - This is the modification type. The following types are available:
  New
  Change
  Remove
  Move - this type indicates that the position of the configuration entry was moved in the hierarchy (for example moving a rule up or down in a rule set)
  * - this type indicates multiple changes to the configuration entry
New - This column shows the new value of the configuration entity.
Old - This column shows the old value of the configuration entity.
  Note:
  Columns New and Old may consist of multiple lines. For viewing the complete information, open the node in the Node column or simply select Details from the context menu (see below).
Version - Here the version number when editing is displayed. A displayed * indicates that there are multiple version numbers within this node.
Stamp - This is the time stamp indicating when a configuration has been modified. Independent of box time settings, the effective time format is always UTC. Date and time are arranged as follows: yyyy/mm/dd hh:mm:ss.
Admin - This is the administrator who has edited the configuration.
Peer - This is the IP address that is assigned to the administrator who has edited the configuration.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


502 | CC RCS > Retrieve Versions Barracuda NG Control Center

Note:
If the same IP address is entered multiple times within a firewall rule, the RCS Report window may show a wrong change history, although the change was correctly deployed.

17.2.3.1 Context Menu

The following entries are available:

• Details
This entry opens the dialog RCS Report Detail that presents the information in an easier to read view (recommended for multi-line entries).
• Expand (All)
The entries Expand and Expand All cause that either the currently selected node or all nodes are expanded.
• Collapse (All)
The entries Collapse and Collapse All cause that either the currently selected node or all nodes are collapsed.
• Print (Visible Only, Landscape/Portrait)
Selecting the print-visible option prints the display as is on the printer. Landscape and Portrait allow selecting the paper orientation. Landscape is recommended, though.
• Print (All, Landscape/Portrait)
Selecting the print-all option prints the expanded nodes (regardless whether they are currently expanded or not). Landscape and Portrait allow selecting the paper orientation. Landscape is recommended, though.

17.2.3.2 Working with the RCS Report

The "tool" bar in the lower part of the dialog offers the following functionalities:
• << Prev / Next >>
These buttons allow jumping back/forward in the version hierarchy using the defined version step (that means selecting 3 versions causes that the jump back/forward is also 3 versions, if possible).
• Search string
Here you may define the string you want to search for. Wildcards are not supported, though.
• << Find / Find >>
These buttons allow jumping back/forward in the search results.
• Import / Export
Via these buttons you may export the RCS results into a "*.prp" file for archiving purposes or import an archived prp file.

17.2.4 Creating Specific RCS Reports

The RCS function also allows generating RCS Reports of certain time periods and/or administrators/peer IP addresses. Therefore, select a configuration tree node, open the context menu and select Show RCS Report.

Fig. 1928 RCS Change Filter

List 1971 RCS Change Filter settings
Parameter: Description
Start Date / End Date: Defines the period of time that is to be displayed.
Admin: Here you may enter the login name of a specific administrator (optional).
Peer: Here you may enter an explicit IP address (optional).
Include Node Creation checkbox: Ticking this checkbox collects the complete available version information.
Attention: When using this option, be aware of the possible high amount of information.
No Difference Details checkbox: Ticking this checkbox collects only information about whether something has changed and NOT what was changed.
Show Detail for Linked Nodes checkbox: Ticking this checkbox collects the complete available change information and, additionally, takes the changes of the link target into account.
Attention: When using this option, be aware of the possible high amount of information.

17.3 Retrieve Versions

The RCS pull-down menu offers the option Retrieve Version. When retrieving a version the Send Changes button is inactive and the header displays the corresponding icon followed by the version number.

Attention:
The version-retrieving function does not work for the VPN server.

In order to accept the retrieved version, open the RCS pull-down menu again and select Accept Version. Answering the safety query with Yes reactivates Send Changes and allows sending and activating the old version of the configuration settings.

18. CC VPN

18.1 General

Barracuda NG Control Center is designed to manage a huge amount of Barracuda NG Firewalls all around the world within one single administration interface. Therefore all Barracuda NG Firewall gateways need to have a permanent, stable and secure connection to a Barracuda NG Control Center.
Barracuda NG Firewall gateways configured for remote management initiate a management VPN tunnel from the gateway to the Barracuda NG Control Center. So remote managed gateways can also be connected to the internet by dynamic IP assignment like xDSL, UMTS or DHCP.
At the Barracuda NG Control Center the CC VPN Service software module is responsible for tunnel termination and tunnel handling and needs to be introduced.

Fig. 1929 CC VPN Service Software Module

Note:
Due to migration issues the node Master VPN Settings may be accessible on a Barracuda NG Control Center on box-level. Settings in this node are ignored. On a CC, the appropriate settings must be done within Multi Range > Global Settings > Box VIP Network Ranges instead.
Only for a mastervpn offloader, these settings reside within the service node Master VPN Settings on box-level.

18.2 CC Configuration

Barracuda NG Firewalls that should be manageable by a Barracuda NG Control Center need to have a further IP address in addition to the already existing management IP. This additional virtual IP (VIP) is used to address a unidirectional communication from the Barracuda NG Control Center to the remote gateways.
To terminate the incoming management VPN tunnels at the Barracuda NG Control Center the CC VPN Service software module is necessary; it automatically introduces the Virtual IP addresses via Proxy ARP. Hence the Barracuda NG Control Center should have a direct connection to the network the Virtual IPs belong to.

Note:
Proxy ARPs will be introduced for the entire VIP network range including the network and broadcast address.

18.2.1 Box VIP Network Ranges

The virtual IPs for the remote managed gateways must be defined at the Barracuda NG Control Center. This is done in:
Multi-Range > Global Settings > Box VIP Network Ranges

Fig. 1930 Box VIP Network Range configuration node

List 1972 Network Address Configuration
Parameter: Description
Address Range Start: single host or network range
Address Range netmask: single host or an appropriate network mask

Note:
Virtual IPs or Virtual IP ranges must not be used anywhere else in the network. These addresses are exclusively reserved for remote management.

18.3 Gateway Configuration

The remaining configuration for remote management has to be done at the gateways themselves. Therefore open the network configuration node of the desired Barracuda NG Firewall.

Fig. 1931 Network Configuration Node

18.3.1 Additional Local Networks

To be able to establish a remote management tunnel from the gateway to the Barracuda NG Control Center, the managed gateway needs to have an external IP address from where the management tunnel will be initiated. This external IP address has to be configured as Networks inside the Management Network view.

Note:
If the gateway's external IP address is dynamically assigned via DHCP or xDSL, the IP address will be automatically assigned to the default settings at box level.

Fig. 1932 Network Configuration Node

Fig. 1933 Network Configuration Node

Note:
Network routes for local networks are automatically introduced by the system.

18.4 Remote Management Configuration

To enable remote management for a Barracuda NG Firewall open the Management Access tab, set Enable Tunnel to yes and enter the virtual IP that was defined at the Barracuda NG Control Center configuration.

Note:
Be sure that every remote managed Barracuda NG Firewall has its unique VIP. Otherwise tunnel establishment will fail.

Fig. 1934 Remote Management Tunnel

18.4.1 Management Tunnel Configuration

List 1973 Network Address Configuration
Parameter: Description
Used VPN Protocol: Protocol type of the remote management tunnel. VPN2 is recommended.
VPN Point of Entry: Target IP address the VPN tunnel will be established to. Usually this is the external IP address of the perimeter firewall that separates the CC from the internet.
VPN Port: Port of the remote management tunnel.
Remote Networks: Networks that should be reachable from the remote gateway. Management IP and server IP of the CC need to reside within these networks or ranges.
Type of Proxy: Supported proxy types: HTTPS, SOCKS4 and SOCKS5
Transport Protocol: Transport protocol the VPN tunnel is based on. TCP or UDP
Encryption Cipher: Encryption algorithm that is used to encrypt the VPN tunnel. Supported ciphers: AES, AES-256, CAST, Blowfish, DES and 3DES
VPN Local IP: Source IP address that is used to establish the management tunnel from the gateway to the Barracuda NG Control Center. If this field is left blank, the system determines the source IP via routing lookup.
VPN Interface: Source network interface that is used for tunnel establishment.
Proxy Server IP: IP address of the proxy server.
Proxy Server Port: Port of the proxy server.
Proxy User: User name for proxy authentication.
Proxy Password: Password for proxy authentication.
Reachable IPs: These IP addresses are used for monitoring of the VPN tunnel by sending ICMP requests over the VPN tunnel.
Key Time Limit [Minutes]: Time period for session rekeying.
Tunnel Probing [Seconds]: Time period for tunnel probing.
Tunnel Timeout [Seconds]: Time period for tunnel timeout.

18.5 Additional Configuration

Usually a Barracuda NG Control Center is separated from the internet by a perimeter firewall. In this case the perimeter firewall needs to redirect the VPN session to the Barracuda NG Control Center. Hence a Redirect Object rule has to be introduced at the perimeter firewall.

Fig. 1935 Redirect rule

Fig. 1936 Redirect rule

18.6 Troubleshooting

To check if all the configured remote management tunnels are up and running, the CC VPN Service module offers a powerful GUI for managing VPN tunnels and configuration lookup. Connect to the Barracuda NG Control Center on box-level and open the VPN tab in the Box Menu on the left side.
Successfully established management VPN tunnels are indicated by a green icon. For a detailed view of the tunnel configuration, double click the desired VPN tunnel.
19. Admin Workspaces

19.1 General

Admin Workspaces allow Barracuda NG Control Center administrators the creation of a customized view of commonly used configuration nodes. The elements within an Admin Workspace may be arranged manually and even grouped by using separators and sub nodes.

Note:
Changes to the configuration within workspace elements are reflected immediately within the configuration tree. The workspace view is just a new, differently structured view of the nodes from the configuration tree.

Each workspace can either be shared with all administrators or assigned to individual administrators.
The available Admin Workspaces are listed within the right-hand column of the Barracuda NG Admin main viewport. From there, it is easily possible to switch between different workspaces and the ordinary hierarchical tree.

19.2 How to Create Admin Workspaces

19.2.1 Permissions

A precondition for the successful creation of Admin Workspaces is that the CC administrator holds the according permissions.
An administrator who wants to assign Admin Workspaces needs at least the CC Config Permission Create Workspaces. If an administrator needs to have full permissions on Admin Workspaces (i.e. creation and manipulation of Admin Workspaces), Create Workspaces and Change Workspaces must be set.
In order to define the desired properties for a CC administrator, edit the appropriate parameters within Multi Range > Global Settings > Administrative Roles.
• Select the desired Role and click Edit...
• Click Edit... to edit CC Config Permissions

Fig. 1937 CC Config Permissions

List 1974 Workspace Permissions
Parameter: Description
Create Workspace: This permission allows a CC Administrator holding this role the creation of Admin Workspaces.
Change Workspace: This permission allows a CC Administrator holding this role the performance of Workspace operations. See 19.4 Admin Workspace Operations, page 511.

19.2.2 Creation of an Admin Workspace

Admin Workspaces are created at the root node of the CC Config Tree, the Multi-Range node. Therefore, right click on the Multi-Range node, open the context menu and click Create Workspace...

Fig. 1938 Workspace Creation
Fig. 1939 Workspace Settings

List 1975 Workspace Settings
Parameter: Description
Short Name: The internal name of the workspace.
Label: The visible name of the workspace.
Creator: Admin who created the workspace. This field will be set by the system.
Admins to use the workspace: Enter the administrators who are permitted to use this workspace as a comma or whitespace separated list.
Note: It is possible to use the wildcard characters "*" (asterisk) and "?" (question mark) in order to define ranges of matching administrator names.
Admins to change the workspace: Enter the administrators who are permitted to change this Admin Workspace as a comma or whitespace separated list.
Note: It is possible to use the wildcard characters "*" (asterisk) and "?" (question mark) in order to define ranges of matching administrator names.
Note: These administrators also need the permission Change Workspace, to be set within the Administrative Role Settings. See 19.2.1 Permissions, page 508.
Note: If this field is left blank, then the concerning workspace is only editable by its creator.
IP addresses/networks to use the workspace: Restrict access to a workspace by defining IP addresses and network ranges. Leave this field blank in order to allow ALL.

Successfully assigned workspaces will be listed within the Workspaces tab, placed within the right frame of the Barracuda NG Admin main window.

Fig. 1940 Workspace Settings

19.3 Node Operations

In order to change the nodes within an Admin Workspace, the desired workspace needs to be prepared for modifications.
Switch to the workspace, then open the context menu by right-clicking the workspace's root node.
• Click Lock Workspace for Modifications

Fig. 1941 Lock Workspace for Modifications

Note:
A locked workspace is indicated by a yellow background color.

19.3.1 Adding Nodes to an Admin Workspace

Nodes can only be added to an Admin Workspace if it is locked for modifications. If there is more than one workspace assigned at the Barracuda NG Control Center, then these workspaces may be locked for modification simultaneously.
• Open the CC Configuration Tree
• Right click a configuration node, then open the context menu
• Click Add Node to Workspace
• Select the desired workspace

Fig. 1942 Add Node to Workspace

Note:
It is unnecessary to lock configuration nodes of the config tree in order to add them to a workspace.

• Choose a Node Name and select whether to remain in the configuration tree view or to switch to the workspace.
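As an added example (not code from the manual or from Barracuda Networks), the following evaluates the access fields of List 1975 (Workspace Settings) for one administrator connecting from one source address. It encodes what the table states: admin lists are comma or whitespace separated; "*" and "?" are the wildcards that match administrator names; a blank "Admins to change the workspace" leaves the workspace editable by its creator only; a blank "IP addresses/networks to use the workspace" field allows ALL. Two points the table does not state are assumptions marked in the code: the creator keeps use and change rights when the fields are filled, and the role permission Change Workspace (19.2.1) is a separate check that is not modelled here. Names and addresses are constructed samples.

```python
"""
Added example: evaluate Admin Workspace access fields (List 1975) for one
administrator and source IP address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass
class WorkspaceSettings:
    short_name: str
    creator: str                   # set by the system in the real dialog
    admins_to_use: str = ""        # "Admins to use the workspace"
    admins_to_change: str = ""     # "Admins to change the workspace"
    ip_restriction: str = ""       # "IP addresses/networks to use the workspace"


def _split_list(field: str) -> List[str]:
    """Comma or whitespace separated list, as the dialog accepts it."""
    return [token for token in re.split(r"[,\s]+", field.strip()) if token]


def _wildcard_to_regex(pattern: str):
    # Only "*" and "?" are wildcards in the dialog; every other character is literal
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _name_matches(admin: str, field: str) -> bool:
    return any(_wildcard_to_regex(p).match(admin) for p in _split_list(field))


def _ip_allowed(src_ip: str, field: str) -> bool:
    entries = _split_list(field)
    if not entries:                # blank field allows ALL (as the table states)
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in entries)


def can_use(ws: WorkspaceSettings, admin: str, src_ip: str) -> bool:
    """May this admin switch to the workspace from this address?"""
    if not _ip_allowed(src_ip, ws.ip_restriction):
        return False
    if admin == ws.creator:        # assumption: the creator can always use the workspace
        return True
    return _name_matches(admin, ws.admins_to_use)


def can_change(ws: WorkspaceSettings, admin: str, src_ip: str) -> bool:
    """May this admin modify the workspace (lock it, add or move nodes)?"""
    if not _ip_allowed(src_ip, ws.ip_restriction):
        return False
    if admin == ws.creator:        # assumption: the creator always keeps change rights
        return True
    if not _split_list(ws.admins_to_change):   # blank field: editable by its creator only
        return False
    return _name_matches(admin, ws.admins_to_change)
```

The wildcard translation escapes the pattern first so that a dot or bracket in an administrator name stays literal; only the two characters the dialog documents become regular-expression metacharacters.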

• Now switch to the workspace, open the context menu and click Activate Workspace Changes in order to save the modifications.

Fig. 1943 Add Node to Workspace

19.3.2 Removing Nodes from an Admin Workspace

• Lock the desired workspace.
• Right-click the node to be removed.
• Click Remove Node.
• Now switch to the workspace, open the context menu and click Activate Workspace Changes in order to save the modifications.

Fig. 1944 Remove Node from Admin Workspace

19.3.3 Renaming of Admin Workspace Nodes

For a better usability, nodes of a workspace may be labelled individually.
• Lock the desired workspace.
• Right-click the node to be renamed.
• Select Rename Node from the context menu.

Fig. 1945 Rename Node within Admin Workspace

19.3.4 Moving of Admin Workspace Nodes

• Lock the desired workspace.
• Right-click the node to be moved.
• Click Mark Node for Move.
Nodes that are marked for moving are indicated by this icon: .

Fig. 1946 Move Node within Workspace

• Right-click another node, then click Move Node...after... or Move Node...before...

19.3.5 Creating Admin Workspace Directories

Within Admin Workspaces holding a huge amount of nodes, it is possible to create directories in order to improve the usability of the workspace.
• Lock the desired workspace.
• Right-click the workspace's root node.
• Click Create Directory...
• Enter a directory name.
Directories are indicated by an icon like this: .

Fig. 1947 Add node to Admin Workspace

Admin Workspace nodes may be moved into a workspace directory with the Mark Node for Move operation. For in-depth information about this, see also 19.3.4 Moving of Admin Workspace Nodes, page 510.

19.3.6 Creating Admin Workspace Labels

Labels can be used to partition an Admin Workspace into different sections.
• Lock the desired workspace.
• Right-click the root node of the workspace.
• Click Create Label...

Fig. 1948 Create Label

Workspace nodes may be moved above or below a workspace label using the Mark Node for Move operation. For more in-depth information, see 19.3.4 Moving of Admin Workspace Nodes, page 510.

19.4 Admin Workspace Operations

List 1976 Admin Workspace Operations
Parameter: Description
Show Workspaces: All available workspaces and the CC configuration tree are listed here for quick navigation between workspaces and the ordinary config tree.
Refresh Workspace: Reloads the currently active workspace.
Lock Workspace for Modifications: Locks the currently active workspace to enable the performance of operations on the workspace.
Unlock Workspace: Unlocks the currently active workspace.
Edit Workspace Properties...: Opens the workspace settings dialog.
Delete Workspace: Deletes the currently active workspace.
Save Workspace to File...: Saves the currently active workspace into a configuration file.
Load Workspace from File...: Loads a configuration file containing a saved workspace.
Note: Loading a workspace overwrites the currently active workspace.
Create Directory...: Creates a directory within the currently active workspace.
Create Label...: Creates a label within the currently active workspace.
Show this Workspace on Startup: When connecting to a Barracuda NG Control Center via Barracuda NG Admin client, the default view will be this workspace instead of the hierarchical config tree.
Show Tree on Startup: When connecting to a Barracuda NG Control Center via Barracuda NG Admin client, the default view will be the ordinary config tree.

20 SNMP

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

2. Configuration
2.1 Single Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
2.2 Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

1. Overview

1.1 General

The Simple Network Management Protocol (SNMP) is part of the Internet Standard Management Framework standardized by the IETF. The basic model of network management divides network nodes into the following categories:
• managed nodes: network nodes (for example routers, switches, firewalls, servers) providing information. A so-called SNMP agent runs on each managed node to gather and provide information.
• management nodes: are used to monitor and control managed nodes.

Due to changing requirements nowadays three versions of the SNMP protocol are standardized.

Note:
Barracuda NG Firewall only supports the most widespread versions 1 and 2c.

For details about SNMP please refer to the IETF website (www.ietf.org - section RFC).

In general, SNMP is used to access information from SNMP capable interfaces, set configurative values and to notify a management station in case of failures. The latter action is called "sending an SNMP trap" and could be performed by the Barracuda NG Firewall event daemon. Thus the configuration for sending SNMP traps is described in Eventing 2.1.3 Notification Tab, page 324.

SNMP over TCP/IP uses the (unreliable) UDP protocol. SNMP queries are sent on UDP port 161 while SNMP traps use UDP port 162.

In many cases the monitoring of larger network environments is performed by special network management tools (for example Tivoli NetView™ or HP OpenView™). To integrate a Barracuda NG Firewall into these monitored environments, Barracuda Networks delivers a configurable SNMP agent (in the following called snmpd or SNMP Service). Since SNMP security using SNMPv1 or SNMPv2 is generally considered low, the Barracuda NG Firewall SNMP Service only allows querying of a minimum set of information.

Management information is viewed as a collection of managed objects, residing in a virtual information store, called the Management Information Base (MIB). Collections of related objects are defined in MIB modules.

The Barracuda NG Firewall SNMP Service provides the following MIB modules:
• system information (for example configurable description, configurable contact information, configurable location, box name)
• interface information (for example available interfaces, interface media type, MAC addresses, interface statistics, IP addresses)
• address translation table, which permits mappings from network addresses (for example IP addresses) to physical addresses (for example MAC addresses)
• IP information (for example IP addresses and netmasks, routing table)

Note:
For an overview of MIBs implemented in Barracuda NG Firewall, refer to the file /usr/local/share/snmp/mibs/PHION-SNMP-MIB.txt that is available on every Barracuda NG Firewall system.

Since Barracuda NG Firewalls implement their own extended configuration management, it is prohibited to set system values using SNMP.

Both SNMPv1 and SNMPv2c define a community-based administrative framework allowing implementation of basic access restrictions. The community-based administrative framework allows restrictions to MIB modules where the community name acts as a form of "password".

Note that the SNMP protocol does not specify encryption and all data transferred is thus sent unencrypted. Barracuda Networks recommends to restrict the usage of the SNMP Service to trusted environments (for example within the corporate network). If the SNMP Service is activated on perimeter firewalls, Barracuda Networks strongly recommends to block external traffic to the SNMP Service by introducing a blocking rule in the local firewall rule set (UDP port 161).

References:
• RFC 3410 - Introduction and Applicability Statements for Internet-Standard Management Framework
• RFC 1157 - Simple Network Management Protocol - [SNMPv1]
• RFC 1901 - Introduction to Community-based SNMP - [SNMPv2c]
• RFC 1156 - Management Information Base for Network Management of TCP/IP based internets
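To make the chapter's point about the community string concrete, here is an added example (not code from the manual, from Barracuda Networks or from any SNMP library) that encodes an SNMPv1/v2c GetRequest by hand using the BER rules of RFC 1157 / RFC 1901 and parses such a message back. The community name is an ordinary OCTET STRING at the start of every message, so whoever can read UDP port 161 traffic on the path reads the "password" as well; the parser needs no secret. The OID 1.3.6.1.2.1.1.1.0 (sysDescr.0) belongs to the "system" module listed above; the community names and request IDs are constructed sample values.

```python
"""
Added example: hand-rolled BER encoder/decoder for SNMPv1 and SNMPv2c
GetRequest messages, showing the cleartext community string.
"""
from typing import Dict, List, Tuple

SNMP_V1, SNMP_V2C = 0, 1
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0  # context-specific, constructed, tag number 0


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short or long definite length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER (version, request-id, error fields)."""
    return _tlv(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(TAG_OID, bytes(body))


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oids: List[str], request_id: int = 1, version: int = SNMP_V2C) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbinds = b"".join(_tlv(TAG_SEQUENCE, _oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = _integer(request_id) + _integer(0) + _integer(0) + _tlv(TAG_SEQUENCE, varbinds)
    msg = _integer(version) + _tlv(TAG_OCTET_STRING, community.encode("ascii")) + _tlv(TAG_GET_REQUEST, pdu)
    return _tlv(TAG_SEQUENCE, msg)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_request(packet: bytes) -> Dict[str, object]:
    """Recover version, community, PDU type, request-id and requested OIDs from one UDP payload."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)    # plain OCTET STRING: readable by anyone on the path
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)            # error-status
    _, _, pos = _read_tlv(pdu, pos)            # error-index
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        _, name, _ = _read_tlv(varbind, 0)
        oids.append(_decode_oid(name))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "oids": oids}
```

A v1 request for sysDescr.0 with community "public" encodes to 40 bytes beginning `30 26 02 01 00 04 06 70 75 62 6c 69 63`, i.e. the six bytes "public" follow the version field directly. The same parser is all a monitoring sensor needs to log which community names and OIDs are being asked for on port 161.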

2. Configuration

2.1 Single Box

Configuring the SNMP Service on a Barracuda NG Firewall starts with introducing a corresponding SNMP Service. For installing simply follow the instructions mentioned in Configuration Service 4. Introducing a New Service, page 97, and select SNMPd as Software Module.

After the service has been created, the following two configuration entries are available in the configuration tree:
• Service Properties - settings made during the introduction of the service
• SNMP Service Settings - described in the following

Fig. 201 SNMP Service configuration dialog

The three entries on the top of the dialog, Description, Contact Info and Location, are used to specify administrative information which can be queried in the system information MIB module.
The field Enterprise ID contains the registered enterprise ID of Barracuda Networks (as assigned by IANA - www.iana.org) and is therefore read-only. It is used to identify the vendor of the SNMP agent and to enable the vendors to define their own private enterprise objects.

The section SNMP Access Groups allows defining (simple) access restrictions. By default access to the SNMP Service is not granted. To allow SNMP queries, a new access group has to be defined. The following parameters are available:

List 201 SNMP Configuration - section Access Groups
Parameter: Description
Peers: Here the defined peers for the current access group are enlisted. To add a new peer click Insert. Each peer is defined by an identifier (Name) and consists of an IP Address/Mask and a Community.
IP Address/Mask defines which hosts/networks are granted to query the SNMP Service.
Community defines the community name (acts as a sort of password) to identify membership of a community.
View allows restriction to specific MIB modules. Available entries are:
*-ALL-* allows access to all available MIB modules as described above
*system* restricts access to the MIB module "system"
*interfaces* restricts access to the MIB module "interfaces"
*at* restricts access to the MIB module "address translation table"
*ip* restricts access to the MIB module "ip"

Note:
There has to be a default Access Group. If not, the service will allow queries without restriction. With SNMP services created after installation/update of Barracuda NG Firewall 4.2 a default access group is being introduced prohibiting unintended queries in case of default configuration.

The SNMP Service of a Barracuda NG Firewall is available at the configured server IPs.

Note:
Please take into consideration that the local firewall rule set may block access to the SNMP Service. Thus, it might be necessary to insert a local inbound rule which allows access to UDP port 161. For details concerning the local firewall rule set, see Firewall, page 131.
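The following added example (not code from the manual or from Barracuda Networks) models the List 201 Access Group check for one incoming query: the source address must fall into a peer's IP Address/Mask, the community must match, and the requested OID must lie in the peer's View. The View names are mapped to the standard MIB-2 subtrees of the four modules the chapter says the service provides (system, interfaces, at, ip; OIDs from RFC 1156/1213), and "*-ALL-*" is taken to be the union of exactly those four, so a subtree the service does not serve is refused even for an "all" peer. With no matching peer the query is refused, which is the default the chapter describes for 4.2 configurations. Peer names, networks and community strings are constructed sample values, and the whole mapping is an assumption about how the product evaluates its groups, not its implementation.

```python
"""
Added example: evaluate an SNMP query against access-group style peers
(IP Address/Mask, Community, View) as described in List 201.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MIB2 = "1.3.6.1.2.1"
# Assumed mapping of the dialog's View names to standard MIB-2 subtrees
MODULES = {
    "*system*": [f"{MIB2}.1"],
    "*interfaces*": [f"{MIB2}.2"],
    "*at*": [f"{MIB2}.3"],
    "*ip*": [f"{MIB2}.4"],
}
MODULES["*-ALL-*"] = [prefix for subtrees in list(MODULES.values()) for prefix in subtrees]


@dataclass
class Peer:
    name: str
    ip_mask: str                 # "IP Address/Mask" column, e.g. "10.0.1.0/24" or "10.0.1.7"
    community: str
    view: str = "*-ALL-*"
    network: object = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(self.ip_mask, strict=False)
        if self.view not in MODULES:
            raise ValueError(f"unknown view {self.view!r}")


def _in_subtree(oid: str, prefix: str) -> bool:
    # The trailing dot keeps 1.3.6.1.2.1.10 from matching the "system" prefix 1.3.6.1.2.1.1
    return oid == prefix or oid.startswith(prefix + ".")


def authorize(src_ip: str, community: str, oid: str, peers: List[Peer]) -> Optional[str]:
    """Return the name of the first peer that grants the query, or None to refuse it."""
    addr = ipaddress.ip_address(src_ip)
    for peer in peers:
        if addr not in peer.network:
            continue
        # constant-time comparison so that response timing reveals nothing about the community
        if not hmac.compare_digest(peer.community.encode(), community.encode()):
            continue
        if any(_in_subtree(oid, prefix) for prefix in MODULES[peer.view]):
            return peer.name
    return None


# Constructed sample access group: a read-only NMS with the full view and a
# helpdesk network that may only read the "system" module.
SAMPLE_PEERS = [
    Peer("nms", "10.0.1.0/24", "nms-ro", "*-ALL-*"),
    Peer("helpdesk", "10.0.0.0/24", "hd-sys-only", "*system*"),
]

if __name__ == "__main__":
    for src, comm, oid in [("10.0.1.7", "nms-ro", f"{MIB2}.4.21.1.1.0"),
                           ("10.0.0.5", "hd-sys-only", f"{MIB2}.2.2.1.2.1"),
                           ("192.0.2.9", "nms-ro", f"{MIB2}.1.1.0")]:
        print(src, comm, oid, "->", authorize(src, comm, oid, SAMPLE_PEERS) or "refused")
```

This check is the second layer; the local firewall rule for UDP port 161 mentioned in the note above is the first and should already keep untrusted networks from reaching the service at all.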

2.2 Barracuda NG Control Center


The SNMP Service is also available as a so-called Cluster
Service (Barracuda NG Control Center 6.5 Cluster
Configuration, page 442). The introduction of the SNMP
cluster service simplifies the configuration as the cluster
service can be added to any of the servers within the
current cluster.
The configuration of such an SNMPd cluster service,
however, is the same as mentioned under 2.1 Single Box,
page 515.

21 OSPF and RIP

1. OSPF and RIP


1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
1.1.1 OSPF Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
1.1.2 RIP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
1.1.3 OSPF vs RIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
1.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
1.3.1 Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
1.3.2 OSPF Preferences. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
1.3.3 OSPF Router Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
1.3.4 OSPF Area Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
1.3.5 RIP Router Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
1.3.6 RIP Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
1.3.7 Network Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
1.3.8 Neighbour Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
1.3.9 Filter Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
1.3.10 GUI as Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
1.3.11 Text Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
1.4 Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
1.5 HA Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

2. Example for OSPF and RIP Configuration


2.1 Network Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
2.2 Configuration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
2.2.1 OSPF Basic Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
2.2.2 Redistribution of Connected Networks to OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
2.2.3 Injecting the Default Route to OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
2.2.4 OSPF Multipath Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
2.2.6 OSPF Route Summarisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
2.2.7 RIP Basic Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
2.2.8 Redistribution between RIP and OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

1. OSPF and RIP

1.1 Overview

Currently Barracuda NG Firewall supports the dynamic routing protocols Open Shortest Path First (OSPF) and Routing Information Protocol (RIP Version 1 and RIP Version 2). Both protocols are Interior Gateway Protocols (IGP) and distribute routing information within an autonomous system. Firewalls sometimes need to use a dynamic routing protocol when they segment large networks where multiple paths are possible and static routing is not practicable.

Since not all systems support OSPF, there is still a need for RIP, which is implemented in most common operating systems and small routers.

OSPF is defined in RFC 2328; the standard for RIPv2 is documented in RFC 2453.

A short description of both protocols is provided below.

1.1.1 OSPF Basics

OSPF is a link state protocol and uses the Dijkstra algorithm to calculate the shortest path tree. A router's interface is the "link". The "state" of this interface is summed up by its IP address, subnet mask, interface type and neighbour state. Every router keeps track of all connected interfaces and their states and sends this information by multicast to its neighbours. These packets are known as LSAs (Link State Advertisements).

The router builds its Link State Database with the information provided by the LSAs. Every time a network change occurs, LSAs containing the new information are sent, thus triggering every router to update its database. After having received all LSAs, the router calculates the loop-free topology. LSAs cannot be filtered within an area because all routers in an area must have the same Link State Database. If some information is missing, routing loops can occur.

OSPF is a hierarchical IGP; it uses Areas to achieve this. The top-level Area is known as the Backbone Area and the number of this Area always has to be 0 or 0.0.0.0; this is a must. All other Areas must be physically connected to this Backbone Area. A very important point within OSPF is that Areas must not be split. (If this cannot be avoided, a virtual link has to be used to expand Area 0 over any other area.)

Routers within an area are known as Area Routers. Routers connected to two or more areas are known as Area Border Routers (ABR) and routers connected to other Autonomous Systems are called Autonomous System Boundary Routers (ASBR). Routing information may be summarized on ABRs and ASBRs; it is not possible to summarize routing information within an area.

The metric used by OSPF is cost. Every link has an associated cost value, derived from the link bandwidth. The metric to a destination is calculated by adding up all costs. If there are several possible paths to a destination, the route with the lowest cost is chosen as the best route.

To advertise LSAs, the router has to be in an OSPF neighbourship with other routers. When this neighbourship is fully established, the interfaces begin sending the updates (LSAs). To build an adjacency, hello packets are continuously exchanged between neighbouring routers. This also keeps track of the existence of the connected OSPF neighbours.

To reduce the number of updates exchanged on a broadcast medium (for example Ethernet), LSAs are only sent to a so-called Designated Router (DR). This router advertises the information to all other routers on the shared medium. Without a DR, an any-to-any neighbourship between all OSPF routers on this segment would be needed. For backup reasons, a Backup DR (BDR) is elected. Each other router establishes neighbourship only with the DR and BDR.

Areas can be configured as stub areas, where external routes are not advertised by ABRs to the Area Routers. Instead, a default route is injected into the area. Area 0 cannot be a stub area.

Note:
OSPF is very CPU and memory intensive. Therefore, be careful when enabling OSPF on low-end interfaces in a large network.

1.1.2 RIP Basics

RIP is a distance-vector protocol. The expression "distance-vector" can be defined as follows: the vector is the direction to the destination (next hop); the distance is treated as a metric type. Example: Destination A is a distance of 3 hops away and the direction is via router AA. RIP uses hop count as metric. A maximum of 15 hops is possible; metric 16 means that a network is unreachable.

All RIP routers periodically send routing updates. Every update includes the whole routing table. The following techniques have been introduced to prevent routing loops:

• Split Horizon
When sending updates out of a particular interface, the routes learned from this interface are not included in the update.

• Split Horizon with Poison Reverse
This method is an extension to Split Horizon. The router includes learned routes in the update but marks these routes as unreachable.

• Counting to infinity
To recognize unreachable networks on link failures. Infinity in RIP is defined as 16 hops. Every time a routing update passes a router, the hop count is increased by 1. When the counter reaches 16, the network is considered unreachable.

RIPv1 is classful, which means that subnet information cannot be distributed. RIPv2, on the other hand, is classless, which means the subnet mask is included in the routing update.
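The three RIP loop-prevention techniques just listed, as a small simulation of two routers after a link failure. This is an added illustration, not Barracuda code; router names, interface names and the 10.1.0.0/24 prefix are constructed.

```python
"""RIP loop prevention: split horizon, split horizon with poisoned reverse,
and counting to infinity. Added illustration, not Barracuda code; router
names, interface names and the 10.1.0.0/24 prefix are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

RIP_INFINITY = 16          # metric 16 = unreachable; 15 hops is the usable maximum
NET = "10.1.0.0/24"        # constructed prefix behind router A


@dataclass
class Route:
    metric: int
    interface: str         # interface the route was learned on (next hop lies there)


def build_update(table: Dict[str, Route], out_iface: str,
                 split_horizon: bool = True,
                 poison_reverse: bool = False) -> Dict[str, int]:
    """Routes advertised out of out_iface. RIP sends the whole table; split
    horizon omits routes learned on out_iface, poisoned reverse keeps them
    but marks them unreachable (16)."""
    update: Dict[str, int] = {}
    for prefix, route in table.items():
        if split_horizon and route.interface == out_iface:
            if poison_reverse:
                update[prefix] = RIP_INFINITY
            continue
        update[prefix] = route.metric
    return update


def process_update(table: Dict[str, Route], in_iface: str,
                   update: Dict[str, int]) -> None:
    """Install received routes. Every hop adds 1 (capped at 16). A route is
    replaced when the new metric is better, or when it comes from the same
    interface as the installed route (the distance-vector rule that makes
    counting to infinity possible)."""
    for prefix, advertised in update.items():
        metric = min(advertised + 1, RIP_INFINITY)
        current = table.get(prefix)
        if current is None:
            if metric < RIP_INFINITY:
                table[prefix] = Route(metric, in_iface)
        elif metric < current.metric or (
                current.interface == in_iface and metric != current.metric):
            table[prefix] = Route(metric, in_iface)


def simulate_link_failure(split_horizon: bool, poison_reverse: bool = False,
                          max_rounds: int = 20) -> Optional[int]:
    """Router A has NET on its 'lan' interface and talks to B over 'link'.
    After B has learned NET, A's connected route times out (kept as metric
    16, see the Timeout Timer). Returns the number of update rounds (B->A,
    then A->B) until B also considers NET unreachable, or None if it never
    does within max_rounds."""
    a: Dict[str, Route] = {NET: Route(1, "lan")}
    b: Dict[str, Route] = {}
    process_update(b, "link", build_update(a, "link", split_horizon, poison_reverse))
    assert b[NET].metric == 2

    a[NET] = Route(RIP_INFINITY, "lan")    # link to NET failed, route invalidated
    for rnd in range(1, max_rounds + 1):
        process_update(a, "link", build_update(b, "link", split_horizon, poison_reverse))
        process_update(b, "link", build_update(a, "link", split_horizon, poison_reverse))
        if b[NET].metric >= RIP_INFINITY:
            return rnd
    return None


if __name__ == "__main__":
    print("no split horizon :", simulate_link_failure(False), "rounds")
    print("split horizon    :", simulate_link_failure(True), "round(s)")
    print("poisoned reverse :", simulate_link_failure(True, True), "round(s)")
```

Without split horizon, B's stale route bounces back to A and the metric climbs by two per round until it hits 16 after seven rounds; with split horizon or poisoned reverse, B only hears A's invalidated route and marks the network unreachable in the first round.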


1.1.3 OSPF vs RIP

The following table summarizes the feature differences between OSPF and RIP.

Table 211 Feature differences between OSPF and RIP
Attribute | OSPF | RIP
Convergence | Fast | Slow
Network size | For large and small networks | Only for small to medium networks, because the maximum metric is 15 hops
Need of device resources | Memory and CPU intensive | Much less memory and CPU intensive than OSPF
Need of network resources | Less than RIP; only small updates are sent | Bandwidth consuming; the whole routing table is sent (default: every 90 seconds)
Metric | Based on bandwidth | Based on hop count, no matter how fast the connections are
Design | Hierarchical network possible | Flat network
Troubleshooting | More complex | Less complex

1.2 Installation

To configure either OSPF or RIP on a Barracuda NG Firewall system, a new server service has to be introduced. Select Config from the box menu and introduce the Router service by choosing Create Service from the context menu of Assigned Services. Select OSPF/RIP Service as software module.

Note:
Please see Configuration Service 4. Introducing a New Service, page 97, for detailed information concerning the procedure and available options for service creation.

1.3 Configuration

To configure OSPF/RIP Settings, browse to OSPF/RIP Settings (accessible through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (ospf)) in the configuration tree.

1.3.1 Operational Setup

In this section, the general parameters of the dynamic routing protocols, such as enabling/disabling the protocol and handling of dynamic routes, are configured.

Note:
On a Barracuda NG Firewall, route selection depends directly on the metric of a route; routes with a lower metric are preferred to routes with a higher metric. Static routes have a metric of 1 by default. RIP routes can have a maximum metric of 15 hops and OSPF routes will mostly have a cost of more than 20. As it is desirable that OSPF routes be preferred to RIP routes, metrics can be increased artificially by defining administrative distances. The corresponding parameter Administrative Distance for RIP (see Administrative Distance, page 522) is by default set to 120. The corresponding parameter Admin Distance for OSPF (see Admin Distance, page 520) is by default left empty. The value specified for the administrative distance is added to every route learned through OSPF or RIP respectively.

List 211 OSPF/RIP Settings section Operational Setup
Parameter | Description
Idle Mode | If this parameter is set to yes, the OSPF/RIP wrapper is started by the control daemon but does not start up the actual OSPF and RIP routing service.
Run OSPF Router | By setting this value the OSPF routing functionality can be enabled or disabled.
Run RIP Router | By setting this value the RIP routing functionality can be enabled or disabled.
Hostname | Allows overriding the propagated hostname, which by default is the box hostname.
Operation Mode | The operation mode defines the handling of route learning and propagation. The following settings are possible: advertise-only (routes are only advertised); learn-only (networks are not propagated, except those networks living on the interfaces configured for OSPF or RIP themselves; learned routes from other systems are still advertised); advertise-learn (routes are learned and propagated).
Router ID | Every OSPF router is identified by its Router ID. This ID is defined by an IP address explicitly configured for this router. If the Router ID is not set, the system uses any IP address for it. For troubleshooting reasons, it is common to set this option manually.
Router ID Mask | Here the mask of the router is defined (default: 8-Bit).

1.3.2 OSPF Preferences

List 212 OSPF/RIP Settings - OSPF Preferences section OSPF Preferences Configuration
Parameter | Description
Log Level | Specifies the verbosity of the OSPF routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts.
Use Special Routing Table | By setting this parameter to yes and selecting a table name below, routes learned by the OSPF service are introduced into a separate routing table. Note that the routing table is not automatically introduced but has to be configured manually by introducing Policy Routes.

List 212 OSPF/RIP Settings - OSPF Preferences section OSPF Preferences Configuration (continued)
Parameter | Description
Table Names | A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling | ignore: multipath routes will be discarded. Attention: OSPF summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use setting "ignore" with caution. assign-internal-preferences: multipath routes will be translated to several routes with different metrics (preferences). accept-on-same-device: multipath routes will be introduced as multipath if all next hops are reachable on the same interface. accept-all (default): multipath routes will be introduced.

List 213 OSPF/RIP Settings - OSPF Preferences section RIP SETTINGS
Parameter | Description
Log Level | Specifies the verbosity of the RIP routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts.
Use Special Routing Tables | By setting this parameter to yes and selecting a table name below, routes learned by the RIP service are introduced into a separate routing table. Note that the routing table is not automatically introduced, but has to be configured manually by introducing Policy Routes.
Table Names | A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling | ignore: multipath routes will be discarded. Attention: RIP summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use setting "ignore" with caution. assign-internal-preferences: multipath routes will be translated to several routes with different metrics (preferences). accept-on-same-device: multipath routes will be introduced as multipath if all next hops are reachable on the same interface. accept-all (default): multipath routes will be introduced.

1.3.3 OSPF Router Setup

This tab only has to be configured when OSPF has been activated in the General tab by setting the Run OSPF Router parameter to yes.

The essential OSPF configuration, that is the specification of global parameters and the definition of networks used by OSPF to build neighbourship and advertise routes, is done in this place.

For tuning interface or area specific parameters, please use the Network Interfaces, page 523 and the OSPF Area Setup, page 521 respectively.

List 214 OSPF/RIP Settings - OSPF Router Setup section OSPF Router Configuration
Parameter | Description
ABR Type | Defines the Area Border Router (ABR) behavior of the OSPF routing daemon. The following types are available for selection: Not an ABR, Cisco Type, IBM Type, Standard RFC 2328 Type.
Terminal Password | Password to connect via telnet. The OSPF router is reachable on TCP port 2604 (loopback only).
Privileged Terminal Password | Password to enable configuration via telnet.
RFC1583 Compatibility | Defines RFC 1583 compatibility behavior.
Auto-Cost Ref Bwidth [MBit/s] | The OSPF metric is calculated as reference bandwidth divided by bandwidth. The default setting is 10000. Attention: This value is overwritten by explicit cost statements. Attention: This setting should be used equally on all OSPF routers in an autonomous system. Otherwise, the metric calculation will be incorrect.
Network Prefix | Defines the interfaces on which OSPF runs and the networks which are propagated as OSPF Intra-Area or Inter-Area routes.
Advanced Settings > Support Opaque LSA | Set to yes to enable Opaque LSA.
Advanced Settings > SPF Delay Timer | Specifies the amount of time (sec) to wait before running an SPF after receiving a database change.
Advanced Settings > SPF Hold Timer | Specifies the amount of time (sec) to wait between consecutive SPF runs.
Advanced Settings > Refresh Timer | Valid values from 10 to 1800.
Advanced Settings > Default Metric | Defines the default metric for the OSPF protocol. Use if other protocols are used for metric translation, too.
Advanced Settings > Admin Distance | To determine which routing protocol to use if two protocols provide routing information for the same destination, the administrative distance is used as the first criterion. Higher distance values imply lower trust ratings. The admin distance setting is used to increase the metric of routes introduced to the system. For instance, an externally learned RIP route with metric 2 and Administrative Distance 100 is introduced with metric 102. As a result, the OSPF route is favoured over the RIP route. Note: Remember that administrative distance is not advertised and thus only has local impact.

List 215 OSPF/RIP Settings - OSPF Router Setup section Router Distribution Configuration
Parameter | Description
Default Route Distribution | Click the Edit button to specify default route (ABR) distribution settings:
Default Route Distribution > OSPF Metric | Sets the metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost for each route. Routes with lower cost are preferred over routes with higher cost.
Default Route Distribution > OSPF External Metric | Sets the external metric type. Type1: Type1 external routes have a cost that is the sum of the cost of this external route plus the cost to reach the ASBR. Type2: The cost of Type2 external routes is defined like the cost of Type1 routes but without the cost to reach the ASBR.
Default Route Distribution > Originate Always | Enables the router to send the default route 0.0.0.0 to a neighbour. The neighbour can then use this route to reach the router if all other routes are not available.
Default Route Distribution > Route Maps | Filter definitions. References OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters in 1.3.9 Filter Setup.
Route Redistribution | Click the Insert button to specify individual route redistribution settings:
Route Redistribution > Route Types | Available route type settings are: connected, RIP.
Route Redistribution > OSPF Metric | See the OSPF Metric parameter description above.
Route Redistribution > OSPF External Metric | See the OSPF External Metric parameter description above. If no external metric setting is needed, the value NOT-SET can be defined in this place.
Route Redistribution > Route Maps | Filter definitions. References OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters in 1.3.9 Filter Setup.

1.3.4 OSPF Area Setup

In this section, area specific parameters are set.

List 216 OSPF/RIP Settings section OSPF Area Configuration
Parameter | Description
Enable Configuration | Set to no to disable this area configuration.
Area ID Format | Defines which area format is used: Integer (default), Quad-IP.
Area ID [IP] | Area ID as Quad-IP (for example 0.0.0.1).
Area ID [Int] | Area ID as number (for example 1).
Authentication Type | Defines authentication for the area (default: Digest-MD5).
Simple Authentication Key | Define here the OSPF area authentication credentials.
Digest Authentication Key | Define here the OSPF area authentication credentials.
Special Type | Stub areas do not import or originate external LSAs. NSSAs are "OSPF Not-So-Stubby Areas", where an ASBR can be located in a stub area (see RFC 3101) (default: NONE).
NSSA-ABR Translate Election | This setting option is defined by RFC 3101.
Disable Summary | Disables summary LSAs.
Virtual Link ID | Note: This parameter is only available in Advanced View mode. Sets the virtual link ID for this area.
Virtual Link Params | Note: This parameter is only available in Advanced View mode. Parameters for the virtual link. For a description see OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section OSPF Parameters, 1.3.7.3 Section Parameter Template Configuration.
Area Default Cost | The area default cost is the cost for the default route injected into an attached stub area.
Summary Range IP/Mask > Summary Range IP/Mask | Create summary ranges in the area to apply special actions on that range.
Summary Range IP/Mask > Range Action | Special action for a range (default: advertise): advertise (default), non-advertise, substitute.
Summary Range IP/Mask > Range Cost | Cost for a range.
Summary Range IP/Mask > Advertised Range | Advertise configured range to.
Area Export Filters | Set an export ACL.
Area Import Filters | Set an import ACL.
Area in Filters | Set an import prefix list.
Area out Filters | Set an export prefix list.

1.3.5 RIP Router Setup

This tab only has to be configured when RIP has been activated in the General tab by setting the Run RIP Router parameter to yes.

Specification of global RIP settings such as version, timers and authentication, and definition of interfaces on which the RIP process is to run, is done in this place.

For interface specific tuning please use the Network Interfaces, page 523.

List 217 OSPF/RIP Settings - RIP Router Setup section RIP Router Configuration
Parameter | Description
RIP Keychains > Key/Key String | To enable RIP authentication, so-called key chains must be introduced. A key chain can consist of several keys, where each key is identified by a number and a key string (password).
RIP Version | The Barracuda NG Firewall routing service allows usage of both standardized RIP versions, RIPv1 and RIPv2. The following values are thus available for selection: Version_1 (classful), Version_2 (classless).
RIP Terminal Password | Password to connect via telnet and query status information of the RIP router. The RIP router is reachable on TCP port 2604 (loopback only). This is mainly useful for debugging purposes. Note that remote connection to the RIP terminal is not possible.
Privileged RIP Terminal Password | Password to connect via telnet and change the configuration of the RIP router (not recommended, since changes made via the terminal are not persistent). Note that remote connection to the RIP terminal is not possible.
Networks > Network Prefix/Device | Defines the interfaces on which the RIP daemon runs.

List 217 OSPF/RIP Settings - RIP Router Setup section RIP Router Configuration (continued)
Parameter | Description
Advanced Settings > Update Timer | Specifies the time span (sec) between the unsolicited sending of response messages containing the routing table to all neighbours. Default: 30
Advanced Settings > Timeout Timer | Specifies the validity timeout (sec) of a route. After it expires, the route is retained in the routing tables but is no longer valid. Default: 180
Advanced Settings > Garbage Collect Timer | Specifies the time span (sec) after which an invalid route is removed from the routing table. Default: 120
Advanced Settings > Administrative Distance | To determine which routing protocol to use if two protocols provide routing information for the same destination, the administrative distance is used as the first criterion. Higher distance values imply lower trust ratings; the RIP default is 120. The administrative distance setting is used to increase the metric of routes introduced to the system. For instance, an externally learned RIP route with metric 2 and Administrative Distance 100 is introduced with metric 102. As a result, the OSPF route is favoured over the RIP route. Note: Remember that administrative distance is not advertised and thus only has local impact.
Advanced Settings > Default Metric | Defines the default metric for redistributed routes. Does not apply to connected routes. Default: 1
Advanced Settings > Interface Default | Default interface policy for RIP. Possible values are: passive (the network is only advertised; no RIP Hello packets are sent out from this interface), active (default).

List 218 OSPF/RIP Settings - RIP Router Setup section Router Distribution Configuration
Parameter | Description
Default Route Redistribution | Select the checkbox to redistribute default routes. A list of routes which should be redistributed can be specified.
Route Redistribution > Route Types | The route type can be either connected or OSPF. In the first case, Barracuda NG Firewall routes which have the flag Propagate via OSPF set to Yes are redistributed. In the latter case, routes learned via OSPF are redistributed. Note that direct routes on an active interface are always redistributed.
Route Redistribution > RIP Metric | Sets the metric for the selected type of routes.
Route Redistribution > Route Maps | Filter definitions. References route maps in the FILTER tab.
Route Update Filtering | Route Update Filtering is used to provide access control mechanisms and mechanisms to fine-tune RIP metrics.
Route Update Filtering > Metric Offsets (Update Direction, Enforced Metric, ACLs, Devices) | Configuring Metric Offsets adds an offset to incoming and outgoing metrics of routes learned via RIP.
Route Update Filtering > Route In/Out Filters (Update Direction, Object Type, ACLs, IP Prefix List, Devices) | Route Filters are used to control the advertising and learning of routes in routing updates. Filters with the parameter Update Direction set to "in" apply to routes processed in incoming routing updates. The filter is matched against the content of the update, not against the source or destination of the routing update packets.

1.3.6 RIP Preferences

List 219 OSPF/RIP Settings - RIP Preferences section RIP Preferences Configuration
Parameter | Description
Log Level | Specifies the verbosity of the RIP routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts.
Use Special Routing Table | By setting this parameter to yes and selecting a table name below, routes learned by the RIP service are introduced into a separate routing table. Note that the routing table is not automatically introduced, but has to be configured manually by introducing Policy Routes.
Table Names | A list of policy routing names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling | ignore: multipath routes will be discarded. Attention: RIP summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use setting "ignore" with caution. assign-internal-preferences: multipath routes will be translated to several routes with different metrics (preferences). accept-on-same-device: multipath routes will be introduced as multipath if all next hops are reachable on the same interface. accept-all (default): multipath routes will be introduced.

1.3.7 Network Interfaces

In this section, interface specific parameters of the routing protocols are configured. This applies to OSPF and RIP.

1.3.7.1 Section Network Interfaces Configuration

List 2110 OSPF/RIP Setting section Network Interface Configuration
Parameter | Description
Load Interface Info | If set to yes, the list of available interfaces is loaded after execution of Send Changes.
Interfaces | See list 2111.

List 2111 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section Shared Interface Configuration
Parameter | Description
Interface Description | Informational text field.
Apply to Interface | Specifies the network interface to which the following settings apply.
Activate Config for | Specifies the routing protocols for which the settings should be activated on this interface. Possible settings are OSPF, RIP or OSPF+RIP.
Passive Interface | On a passive interface the routing protocol does not send Hello packets. The network configured for this interface is still advertised. An interface is active by default (setting: No).
Parameter Template | References templates for this interface.

List 2112 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section OSPF Specific Parameters
Parameter | Description
Network Type | Type of network. Ethernet is normally broadcast. Sometimes there may be a need to use point-to-point for Ethernet links, for example when there is only a /30 subnet. Type non-broadcast is needed to propagate OSPF over a VPN tunnel.
Bandwidth [kBit/s] | Bandwidth of the interface. Configuration is highly recommended since this information cannot be determined automatically. This setting is used by OSPF to calculate the metric.
Interface Addresses > Interface Addresses | By specifying an Interface Address, the configuration only applies to a single OSPF network. This parameter can be useful in multinet environments. Otherwise the parameters apply to all OSPF networks on the given interface.
Interface Addresses > Parameter Template for Address | References templates for this interface.

List 2113 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section RIP Specific Parameters
Parameter | Description
Enable Split Horizon | Split Horizon is a mechanism used by RIP to reduce the possibility of routing loops. By enabling this parameter (default: yes), routes learned from a specific interface are not re-advertised on this interface.
Enable Poisoned Reverse | This technique is an extension to Split Horizon. By enabling this setting (default: no), routes learned from a specific interface are re-advertised on this interface but the metric is set to infinity (16).

1.3.7.2 Section Available Interfaces

List 2114 OSPF/RIP Settings - Network Interfaces Configuration - Available Interfaces section Available Interfaces
Displays a read-only list of the available network interfaces.

1.3.7.3 Section Parameter Template Configuration

List 2115 OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section OSPF Parameters
Parameter | Description
Authentication Type | Authentication for neighbours on the specified interface. Either no authentication (default: null), simple authentication as specified in RFC1583 or the cryptographic authentication digest-MD5 (RFC2328) can be used.
Simple Authentication Key | Password for simple authentication. This value only has to be specified with Authentication Type set to simple.
Digest Authentication Key | Password for digest authentication. This value only has to be specified with Authentication Type set to digest-MD5.
Message Digest Key ID | Key ID for digest authentication. This value only has to be specified with Authentication Type set to digest-MD5.
OSPF Priority | Set to a higher value, the router will be more eligible to become a Designated Router or a Backup Designated Router. Set to 0, the router is no longer eligible to become a Designated Router. Default: 1
OSPF Dead Interval | Seconds for the timer value used for Wait Timer and Inactivity Timer. This value must be the same for all routers attached to a common network.
OSPF Hello Interval | Time to wait between OSPF "hello" messages to neighbours (sec). This value must be the same for all routers attached to a common network.
OSPF Retransmit Interval | Minimum time waited between retransmissions (sec).
OSPF Transmit Delay | Sets the number of seconds for the InfTransDelay value. The InfTransDelay parameter defines the estimated time required to send a link-state update packet on the interface.

List 2116 OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section RIP Parameters
Parameter | Description
Authentication Type | Authentication for neighbours on the specified interface. Either no authentication (default: null), text authentication or the cryptographic authentication digest-MD5 (RFC2082) can be used.
RIP Key Chain | The pull-down menu displays the configured key chains (see 1.3.5 RIP Router Setup) and allows selection of a key chain which is used for authentication.
RIP Text Secret | Specifies the text secret used for authentication purposes. Note that the value specified here always takes precedence over the RIP Keychains settings.
Send Protocol | Configures protocol types for transmission. Possible values are Version_1, Version_2 or Version_1+2.
Receive Protocol | Configures protocol types for reception. Possible values are Version_1, Version_2 or Version_1+2.

1.3.8 Neighbour Setup

For connectivity issues it is sometimes recommended to set the neighbours statically. Do this in the following section.

List 2117 OSPF/RIP Settings - Neighbor Setup section Neighbors
Parameter | Description
Active | Set to no to disable this neighbour configuration.
Routing Protocols | Specifies which routing protocols should be exchanged with this neighbour. Possible values are OSPF, RIP or RIP+OSPF.
Neighbor IP | IP address of the neighbour to exchange routing information with.

List 2118 OSPF/RIP Settings - Neighbor Setup section OSPF Parameters
Parameter | Description
Neighbor Priority | The Neighbor Priority parameter influences the Designated Router election. Set to a higher value, the router will be more eligible to become a Designated Router. Set to 0, the router is no longer eligible to become a Designated Router or a Backup Designated Router. Default: 1
Dead Neighbor Poll Interval | Seconds between two neighbour probings.

1.3.9 Filter Setup

A filter is needed, for example, when redistributing routes from one protocol to another. Available filters are ACLs and prefix lists. Prefix lists are easier to use. See 1.3.9.1 Example for IP Prefix List Filter Usage for further information.

Route maps can be used to modify routing information. In route maps, the filter is applied to match the routes. Some set actions can be applied to the matching routes.

Example: The RIP learned route 10.0.0.0/24 with metric 4 hops should have metric 6 instead. The match condition in the route map must be a filter matching 10.0.0.0/24 and the set condition must be metric 6.

When applying route filters in the RIP or OSPF section, only ACLs or prefix lists but no route maps are needed.

Note:
This dialog is restricted to basic ACLs (1-99). Extended ACLs must be configured in the tab Text Based Configuration (page 525).

List 2119 OSPF/RIP Settings - Filter Setup section Access List Filters
This section allows the definition of filters which can be referenced within the 1.3.4 OSPF Area Setup and within the RIP Route Update Filtering section (list 217, page 521).
Parameter | Description
Name | This is the ACL name.
Description | A short description of the ACL.
Network Prefix | Network/Netmask. Note: Enter the address in Inverted CIDR Notation (Getting Started 5. Inverted CIDR Notation, page 25). The address will be converted to Cisco notation for the config file.
Type | Action for the prefix item: permit (default), deny.

List 2120 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters
Route maps are used to control and modify routing information that is exchanged between routing domains.
Parameter | Description
Name | This is the Route Map Name.

List 2121 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Configuration
Parameter | Description
Description | A short description of the route map.

List 2122 OSPF/RIP Settings - Filter Setup - Route Map Filters section OSPF Specific Conditions
Parameter | Description
Type | Action for route map: permit (default), deny.
Match Condition | The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP, Interface-Name.
ACL Name | Name of an ACL defined in the Access-Lists section above.
IP Prefix List | Name of an IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters, List 2124.
Gateway IP | IP of the next hop in the route.
Out Interface Name | See the Network Interfaces section for the available interface names.
Set Action | Defines the action to set: Metric, Metric-Type.
Set OSPF Metric | Set the metric for the route map.
Set OSPF External Metric | Set the external metric type for the route map.

List 2123 OSPF/RIP Settings - Filter Setup - Route Map Filters section RIP Specific Conditions
Parameter | Description
Sequence Number | Unique identifier for a route map entry.
Type | Action for route map: permit (default), deny.
Match Condition | The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP, Interface-Name, Metric.
ACL Name | Name of an ACL defined in the Access-Lists section above.
IP Prefix List | Name of an IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters, List 2124.
Gateway IP | IP of the next hop in the route.
Interface Name | See the Network Interfaces section for the available interface names.
Set Action | Defines the action to set: Next-Hop, Metric.
Set RIP Metric | Set the metric for the route map.
Set RIP Next-Hop IP | Set the next-hop IP address.

List 2124 OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters
Prefix lists are easier to understand for route filters than ACLs. See 1.3.9.1 Example for IP Prefix List Filter Usage below for information on prefix list usage.
Parameter | Description
Name | This is the name of the IP prefix list.

List 2125 OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Configuration
Parameter | Description
Description | A short description of the IP prefix list.
Specific Conditions
Sequence Unique identifier for a prefixlist item.
Parameter Description Number
Sequence Unique identifier for a route map entry. Network Prefix Network/Netmask
Number

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



List 2125 OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Configuration

Parameter  Description
Type  Action for prefixitem:
  permit
  deny
Extent Type  Matching condition:
  none (default)
  greater-than
  less-than
Prefix Length  Minimum or maximum prefix length to be matched.

1.3.9.1 Example for IP Prefix List Filter Usage

The following examples show how a prefix list can be used.

Table 212 Example for IP Prefix List Filter prefix list
(columns: Network Prefix, Type, Extent Type)
Deny default route 0.0.0.0/32: 0.0.0.0/32, deny, none
permit prefix 10.0.0.0/24: 10.0.0.0/24, permit, none

The following examples show how to specify a group of prefixes.

Table 213 Example for IP Prefix List Filter group of prefixes
(columns: Network Prefix, Type, Extent Type, Prefix Length)
accept a mask length of up to 24 bits in routes with the prefix 192.168/8: 192.168.0.0/24, permit, less-than, 24-Bit
deny mask lengths greater than 25 bits in routes with a prefix of 192/8: 192.168.0.0/24, deny, greater-than, 25-Bit
permit mask lengths from 8 to 24 bits in all address spaces: 0.0.0.0/32, permit, greater-than, 8-Bit
  and: 0.0.0.0/32, permit, less-than, 24-Bit
deny mask lengths greater than 25 bits in all address spaces: 0.0.0.0/32, deny, greater-than, 25-Bit
deny all mask lengths within the network 10/8: 10.0.0.0/24, deny, less-than, 32-Bit
deny all masks with a length greater than or equal to 25 bits within the network 192.168.1/24: 192.168.1.0/8, deny, greater-than, 25-Bit
permit all routes: 0.0.0.0/32, permit, less-than, 32-Bit

1.3.10 GUI as Text

Note:
This parameter set is only available in Advanced View mode.

The configuration done with the GUI is displayed here in quagga/Cisco commands.

List 2126 OSPF/RIP Settings - GUI as Text section Text Equivalent of GUI

Parameter  Description
Show as Text  Set this to yes to show created OSPF syntax configuration after Send Changes.
OSPF Text  Created OSPF syntax configuration. Shown, if Show as Text is set to yes.
RIP Text  Created RIP syntax configuration. Shown, if Show as Text is set to yes.

1.3.11 Text Based Configuration

Configure dynamic routing here, if you do not want to configure it with the GUI. Already done GUI configuration will be replaced. Syntax as used for quagga or Cisco applies.

List 2127 OSPF/RIP Settings - Text Based Configuration section Free Format OSPF Configuration / Free Format RIP Configuration

Parameter  Description
Use Free Format  Set this to yes to use free OSPF/RIP syntax configuration.
Free Format Text  OSPF/RIP syntax configuration. This field applies when parameter Use Free OSPF format is set to yes.

1.4 Routing Configuration

Attention:
Network routes which are required for an OSPF/RIP network prefix must NOT be a subset of another route (see below for an explanation).

Table 214 Configuration example
(columns: Configuration Entity, Values)
OSPF network prefix: 10.0.66.0/24
Server IP: 10.0.66.98
Box network route: 10.0.66.0/24 via dev eth1
Additional box network route: 10.0.0.0/8 via dev eth0

In the configuration example (table 214), the required box network route "10.0.66.0/24 via dev eth1" is completely included in the additional box network route (bold). This will lead to a mismatch in the OSPF configuration. OSPF will neither detect eth0 nor eth1 as OSPF enabled and therefore not work.

1.5 HA Operation

The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the partner while it is "passive", because the network routes required to do so are missing. The external routes HA information is thus stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Take over and startup of the OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed with the HA garbage collection after five minutes.
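The prefix-list entries of 1.3.9.1 above are evaluated in sequence order with a first-match rule, and the Extent Type / Prefix Length pair narrows the match to a range of mask lengths. The following evaluator is an added example, not code from the Barracuda guide or the Quagga project. It assumes, following the note in List 2119, that the Network Prefix is entered in Inverted CIDR Notation (the value after the slash counts host bits, so the standard prefix length is 32 minus that value), that Quagga's ge/le conditions are inclusive, and that a route matching no entry is denied (the implicit deny at the end of a Quagga prefix list). The entries are re-typed from Table 212 and Table 213; the sequence numbers are constructed.

```python
"""Evaluate GUI-style IP prefix lists (Table 212 / Table 213) against routes.

Added example, not from the Barracuda guide. Entries are given in the guide's
Inverted CIDR Notation (assumption: prefix length = 32 - value after the slash),
converted to standard CIDR, and matched first-match in Sequence Number order.
A route that matches no entry is denied (Quagga's implicit deny, assumed).
"""
from ipaddress import ip_network


def inverted_to_cidr(prefix):
    """'a.b.c.d/n' in Inverted CIDR Notation -> standard CIDR string."""
    addr, host_bits = prefix.split("/")
    return str(ip_network(f"{addr}/{32 - int(host_bits)}", strict=False))


class PrefixEntry:
    def __init__(self, seq, prefix, action, extent="none", length=None):
        self.seq = seq                                  # Sequence Number (List 2125)
        self.net = ip_network(inverted_to_cidr(prefix))  # Network Prefix, standard CIDR
        self.action = action                            # Type: "permit" or "deny"
        self.extent = extent                            # Extent Type: none / greater-than / less-than
        self.length = length                            # Prefix Length, inclusive like Quagga ge/le

    def matches(self, route):
        # The route must lie inside the entry's network; the extent then restricts its mask length.
        if route.version != self.net.version or not route.subnet_of(self.net):
            return False
        if self.extent == "none":
            return route.prefixlen == self.net.prefixlen   # exact prefix only
        if self.extent == "greater-than":
            return route.prefixlen >= self.length
        if self.extent == "less-than":
            return route.prefixlen <= self.length
        raise ValueError(f"unknown extent type {self.extent!r}")

    def quagga(self, name):
        """The Quagga line the GUI as Text view would show for this entry."""
        cond = {"none": "", "greater-than": f" ge {self.length}",
                "less-than": f" le {self.length}"}[self.extent]
        return f"ip prefix-list {name} seq {self.seq} {self.action} {self.net}{cond}"


def evaluate(entries, route):
    """Return (action, matching sequence number); (deny, None) when nothing matched."""
    r = ip_network(route, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(r):
            return entry.action, entry.seq
    return "deny", None


def to_quagga(entries, name):
    return [e.quagga(name) for e in sorted(entries, key=lambda e: e.seq)]


# Constructed list built from rows of Table 212 and Table 213 (inverted notation as on the page).
EXAMPLE_LIST = [
    PrefixEntry(5, "0.0.0.0/32", "deny", "none"),                    # deny the default route
    PrefixEntry(10, "192.168.0.0/24", "deny", "greater-than", 25),   # /25 and longer inside 192/8
    PrefixEntry(20, "192.168.0.0/24", "permit", "less-than", 24),    # up to /24 inside 192/8
    PrefixEntry(30, "10.0.0.0/24", "deny", "less-than", 32),         # all mask lengths inside 10/8
    PrefixEntry(40, "0.0.0.0/32", "permit", "less-than", 32),        # permit all routes
]

if __name__ == "__main__":
    for line in to_quagga(EXAMPLE_LIST, "EXAMPLE"):
        print(line)
    for route in ("0.0.0.0/0", "192.168.1.128/25", "192.168.10.0/23", "10.0.66.0/24", "62.99.0.0/24"):
        print(route, "->", evaluate(EXAMPLE_LIST, route))
```

Running the block prints the Quagga equivalent of the list and the verdict for a few routes; the two-row "8 to 24 bits" form of Table 213 shows why sequence order matters, since the first row already matches any route with a mask of 8 bits or longer.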


2. Example for OSPF and RIP Configuration

2.1 Network Setup

The following description is meant to point out a convenient way for OSPF and RIP configuration on a Barracuda NG Firewall. The example assumes that a Barracuda NG Firewall is added to a network already configured for OSPF.

Four routers are appointed to learn routes from OSPF and RIP "Clouds". Router 1 and router 2 are both attached to LAN segment 62.99.0.0/24 and belong to OSPF Area 0. Router 3 is attached to LAN segment 194.93.0.0/24 serving as OSPF router in OSPF Area 1 and as RIP router for RIP Cloud 2. Router 4 is a sole RIP router attached to LAN segment 194.93.0.0/24. Two further networks 192.168.10.0/24 and 192.168.11.0/24 live in RIP Cloud 2.

Fig. 211 Example setup for OSPF and RIP configuration
(figure labels: Internet; OSPF Cloud 1, routers 1 and 2, OSPF Area 0, 62.99.0.0/24, eth1; OSPF Cloud 2, router 3, OSPF Area 1, 194.93.0.0/24, 172.16.0.0/24, 10.0.8.0/24, eth2, eth3; RIP Cloud 2, router 4, 192.168.10.0/24, 192.168.11.0/24)

• Router 1
  OSPF learned networks from OSPF Cloud 1: 62.99.0.0/24
• Router 2
  OSPF learned networks from OSPF Cloud 1: 62.99.0.0/24
• Router 3
  RIP and OSPF learned networks from OSPF and RIP Cloud 2: 194.93.0.0/24, 192.168.10.0/24, 192.168.11.0/24
• Router 4
  RIP learned networks from RIP Cloud 2: 194.93.0.0/24

2.2 Configuration Steps

The instruction is broken down into the segments listed below:
• OSPF basic setup (see 2.2.1)
• Redistribution of connected networks to OSPF (see 2.2.2)
• Injecting the default route to OSPF (see 2.2.3)
• OSPF Multipath routing (see 2.2.4)
• OSPF Link Authentication (see 2.2.5)
• OSPF Route Summarisation (see 2.2.6)
• RIP basic setup (see 2.2.7)
• Redistribution between RIP and OSPF (see 2.2.8)

2.2.1 OSPF Basic Setup

The network is already configured for OSPF. Several destinations are reachable through multiple paths. The newly installed Barracuda NG Firewall should participate in the routing and load-sharing is to be used.

Step 1 Install the OSPF/RIP service
For a description how to install the service, see 1.2 Installation, page 519.


Step 2 Add the network interfaces speaking OSPF to the Server Properties
OSPF is spoken on two interfaces linking to the following networks: eth1 (62.99.0.0/24) and eth2 (194.93.0.0/24).

Fig. 212 Configuring of addresses in the Server Properties

Step 3 Configure OSPF Routing Settings
• Operational Setup
  The Barracuda NG Firewall is configured to operate as "normal" router. The operation mode is set to "active-passive" (that is advertise-learn). By this means, all routes are learned and forwarded. Setting a Router ID is mandatory. It is important for easily identifying LSAs during troubleshooting.

  Fig. 213 OSPF Routing Settings - Operational Setup

• OSPF Router Setup
  Specify a Terminal Password and a Privileged Terminal Password. These passwords are needed to access the routing engine directly via telnet. Setting Auto-Cost Ref Bandwidth to 10000 causes a more granular cost in LAN environments. The cost is calculated as ref-bandwidth divided by intf-bandwidth (MBit/s). In the example, a 1 GBit link would have a cost of 10 (10000/1000).

  Fig. 214 OSPF Routing Settings - OSPF Router Setup

  Specify the interfaces where OSPF should be enabled and where adjacencies should be built through the Network Prefix parameter. In the example, the Barracuda NG Firewall is made an Area Border Router (ABR) with interfaces in Area 0 and Area 1. The network 62.99.0.0/24 is part of Area 0; the network 194.93.0.0/24 is part of Area 1.

Step 4 Send Changes and Activate the configuration
The basic OSPF setup is complete. The routes learned through OSPF can now be viewed in the Barracuda NG Firewall's routing table.

Fig. 215 Routing table displaying routes learned through OSPF

A further way to see more detailed information regarding the OSPF service is to connect to the quagga engine itself with a telnet to localhost:2604 at the Command Line Interface. This mode can also be used for debugging purposes. If needed, see www.quagga.net for information about the Quagga Routing Suite.

Figure 216 shows the output of the commands sh ip ospf neigh and sh ip ospf route.

Fig. 216 Quagga engine output

[root@NF1:~]# telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is quagga (version 0.96.5).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
NF1> en
Password:
NF1# sh ip ospf neigh
Neighbor ID     Pri State       Dead Time Address        Interface          RXmtL RqstL DBsmL
192.168.254.3     1 Full/DR     00:00:35  194.93.0.254   eth2:194.93.0.105      0     0     0
192.168.254.2     1 Full/DR     00:00:33  62.99.0.253    eth1:62.99.0.105       0     0     0
192.168.254.1     1 Full/Backup 00:00:35  62.99.0.254    eth1:62.99.0.105       0     0     0
NF1# sh ip ospf route
============ OSPF network routing table ============
N    62.99.0.0/24          [1000] area: 0.0.0.0
                           directly attached to eth1
N    192.168.1.0/24        [1010] area: 0.0.0.0
                           via 62.99.0.253, eth1
D IA 192.168.10.0/23       Discard entry
N    192.168.10.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.11.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.12.0/24       [1010] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    192.168.254.1/32      [1001] area: 0.0.0.0
                           via 62.99.0.254, eth1
N    192.168.254.2/32      [1001] area: 0.0.0.0
                           via 62.99.0.253, eth1
N    192.168.254.3/32      [1001] area: 0.0.0.1
                           via 194.93.0.254, eth2
N    194.93.0.0/24         [1000] area: 0.0.0.1
                           directly attached to eth2

============ OSPF router routing table =============
R    192.168.254.1         [1000] area: 0.0.0.0, ABR, ASBR
                           via 62.99.0.254, eth1
R    192.168.254.2         [1000] area: 0.0.0.0, ABR
                           via 62.99.0.253, eth1
R    192.168.254.3         [1000] area: 0.0.0.1, ABR, ASBR
                           via 194.93.0.254, eth2

============ OSPF external routing table ===========
N E1 10.0.84.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 28.235.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 38.232.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 38.232.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 56.47.0.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 56.47.1.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 79.29.0.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 79.29.1.0/24          [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 123.43.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 123.43.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 134.46.0.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1
N E1 134.46.1.0/24         [1010] tag: 0
                           via 62.99.0.254, eth1

2.2.2 Redistribution of Connected Networks to OSPF

Proceed as follows to configure redistribution of connected networks:

Step 5 Activate OSPF advertising
Browse to Config > Box > Network > Networks and set parameter Advertise Route to yes.

Step 6 Configure Route Redistribution
Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the example, the following values are specified for the available parameters:

Fig. 217 Configuring Route Redistribution

With these configuration settings, all networks connected to the Barracuda NG Firewall will be redistributed to OSPF with a cost of 10 and Metric-type External 1.

2.2.3 Injecting the Default Route to OSPF

Step 7 Activate OSPF advertising
Static Routes as well are only advertised via OSPF when the Advertise Route option is set in the network configuration. If not already done, browse to Config > Box > Network > Networks and set parameter Advertise Route to yes.
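The neighbour table in Fig. 216 is what an operator would watch to confirm that adjacencies are in the expected state and that only known routers have paired with the firewall. The script below is an added example, not code from the Barracuda guide or from Quagga: it parses the sh ip ospf neigh output into records and reports neighbours that are not in Full state, neighbours whose Router ID is not in an expected set, and expected neighbours that are missing. The sample text is the table from Fig. 216 re-typed; the expected Router ID set is a constructed assumption that would come from the site's routing design.

```python
"""Check a Quagga 'show ip ospf neighbor' table for adjacency problems.

Added example, not from the Barracuda guide. Rows are parsed with a regular
expression matching the column layout printed by the quagga OSPF daemon
(telnet localhost:2604). EXPECTED_NEIGHBOURS is an assumed allow-list of
Router IDs; the sample output is the Fig. 216 table re-typed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the neighbour table of Fig. 216.
SAMPLE_OUTPUT = """\
Neighbor ID     Pri State       Dead Time Address        Interface          RXmtL RqstL DBsmL
192.168.254.3     1 Full/DR     00:00:35  194.93.0.254   eth2:194.93.0.105      0     0     0
192.168.254.2     1 Full/DR     00:00:33  62.99.0.253    eth1:62.99.0.105       0     0     0
192.168.254.1     1 Full/Backup 00:00:35  62.99.0.254    eth1:62.99.0.105       0     0     0
"""

# Assumption: the Router IDs of routers 1, 2 and 3 from the example setup.
EXPECTED_NEIGHBOURS = {"192.168.254.1", "192.168.254.2", "192.168.254.3"}

ROW_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<rxmtl>\d+)\s+(?P<rqstl>\d+)\s+(?P<dbsml>\d+)\s*$"
)


@dataclass
class Neighbour:
    router_id: str
    priority: int
    state: str        # adjacency state / DR role, e.g. "Full/DR"
    dead_time: str
    address: str      # neighbour's interface address
    interface: str    # local interface:address the adjacency was formed on


def parse_neighbours(text):
    """Return one Neighbour per table row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Neighbour(m["rid"], int(m["pri"]), m["state"],
                                  m["dead"], m["addr"], m["iface"]))
    return rows


def find_problems(neighbours, expected=EXPECTED_NEIGHBOURS):
    """List human-readable findings; an empty list means the table looks healthy."""
    problems = []
    seen = set()
    for n in neighbours:
        seen.add(n.router_id)
        adjacency = n.state.split("/")[0]          # "Full" in "Full/DR"
        if adjacency.lower() != "full":
            problems.append(f"{n.router_id} on {n.interface}: adjacency state {n.state}, not Full")
        if n.router_id not in expected:
            problems.append(f"{n.router_id} on {n.interface}: unexpected neighbour")
    for rid in sorted(expected - seen):
        problems.append(f"{rid}: expected neighbour missing")
    return problems


if __name__ == "__main__":
    for p in find_problems(parse_neighbours(SAMPLE_OUTPUT)) or ["all adjacencies healthy"]:
        print(p)
```

A stuck 2-Way or ExStart state on an interface is usually a parameter mismatch (area, timers, or the link authentication settings of 2.2.5), while an unexpected Router ID deserves a look at which device has joined the segment.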


Step 8 Configure Default Route Redistribution
Default Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the example, the following values are specified for the available parameters:

Fig. 218 Configuring Default Route Redistribution

With these configuration settings, the default route (if configured) will be redistributed to OSPF with a cost of 10 and Metric-type External 1. If a default route should always be distributed, whether configured or not, set parameter Originate Always to yes.

2.2.4 OSPF Multipath Routing

Multipath routing is configured in the OSPF Routing Settings OSPF Preferences view.

Three options are available for Multipath Handling:
• ignore
  No Multipath routing is used; learned Multipath routes are ignored.
• assign internal preferences
  The metric of every equal cost route is translated to different values; load-sharing is not used. Additional routes are only used as backup.
• accept on same device
  Multipath routing is enabled but it is only available when the routes are learned on the same interface.

The example configuration uses the setting accept on same device.

2.2.5 OSPF Link Authentication

Two methods for OSPF authentication exist:
• Authentication in an Area
• Authentication on a Link

Area authentication is configured within the OSPF Area Setup. For Link Authentication first a parameter template has to be created, and then a reference to this template has to be established. The example uses Link Authentication.

Authentication configuration is done in the Network Interfaces section of the OSPF Routing configuration. Proceed as follows to configure Link Authentication:

Step 9 Configure a parameter template
Open the Network Interfaces section and click the Insert button in the Parameter Template Configuration section to create a new parameter template. The following values are defined in the example: MD5 Authentication usage with key ID "1" and authentication key "Barracuda".

Fig. 219 Configuring a parameter template

Step 10 Create a reference to the parameter template
Click the Insert button in Network Interface > Interfaces (Network Interfaces view) to configure link authentication on an interface. The example defines the following values:

Fig. 2110 Creating a link to the parameter template

Note:
All other routers on this interface must have the same settings. Otherwise, adjacency cannot be established.

2.2.6 OSPF Route Summarisation

In large networks it is useful to summarize routes on Area or Autonomous system borders. In the example setup, two networks live in Area 1: 192.168.10.0/24 and 192.168.11.0/24. The aim is to summarize these two networks to 192.168.10.0/23.

The configuration for summarisation of areas is done in the OSPF Area Setup.

Click the Insert button to create new configuration settings for Area 1. Set the value for Area ID [Int] to "1". Create a new entry for parameter Summary Range IP/Mask by clicking Insert.


A new window opens allowing for configuration of the following values:

Fig. 2111 Configuring route summarisation

Range 192.168.10.0/23 is now going to be advertised as summary route with cost 10. A router in Area 0 is going to create an entry in its routing table like the following one:

Fig. 2112 Entry in routing table

SW2#sh ip route 192.168.10.0
Routing entry for 192.168.10.0/23, supernet
  Known via "ospf 1", distance 110, metric 1020, type inter area
  Last update from 62.99.0.105 on Vlan111, 00:03:46 ago
  Routing Descriptor Blocks:
  * 62.99.0.105, from 192.168.254.10, 00:03:46 ago, via Vlan111
      Route metric is 1020, traffic share count is 1

2.2.7 RIP Basic Setup

Basic RIP settings are to be configured within the Operational Setup, the RIP Preferences and the RIP Router Setup. In the example setup, RIP Version 2 is used and multipath routes are discarded. Therefore, the following configuration settings apply:
• Operational Setup
  RIP is activated by setting parameter Run RIP Router to yes.
• RIP Preferences
  Parameter Multipath Handling is set to ignore.
• RIP Router Setup
  RIP Version 2 is enabled on Network Device eth2 in the Networks section.
  Redistribution of connected networks to RIP is configured in the Route Redistribution section. In the example, all connected networks are redistributed to RIP with a hopcount of 2.

Fig. 2113 Configuring RIP settings - RIP Router Setup

2.2.8 Redistribution between RIP and OSPF

To implement redistribution between RIP and OSPF the following minimum settings must be configured:
• OSPF Router Setup
  To redistribute routes learned by RIP insert a new entry in the Route Redistribution Configuration section.

  Fig. 2114 Configuring route redistribution

• RIP Router Setup
  To redistribute routes learned by OSPF insert a new entry in the Route Redistribution Configuration section.

  Fig. 2115 Configuring route redistribution
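Two prefix calculations recur in this chapter: the Summary Range of 2.2.6 (the single prefix an ABR advertises for the networks of an area, 192.168.10.0/23 for 192.168.10.0/24 and 192.168.11.0/24) and the rule in the Attention of 1.4 that a box network route required for an OSPF/RIP network prefix must not be a subset of another box network route. The block below is an added example, not code from the Barracuda guide: summary_range() computes the smallest covering prefix and reports how many addresses the summary claims that belong to none of the member networks, and check_network_routes() applies the 1.4 rule to the routes of Table 214. Route tuples are a constructed representation of the box network routes.

```python
"""Summary range computation (2.2.6) and the subset-route check of 1.4.

Added example, not from the Barracuda guide. Networks are standard CIDR
strings; box routes are (prefix, device) tuples standing in for the
"prefix via dev device" entries of Table 214.
"""
from ipaddress import ip_network, collapse_addresses


def summary_range(prefixes):
    """Return (smallest single prefix covering all networks, addresses it covers that no member holds).

    A summary advertises reachability for its whole range, so the second value is the
    address space for which the ABR would attract traffic without a member network.
    """
    nets = [ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()           # widen by one bit until everything fits
    member_addresses = sum(n.num_addresses for n in collapse_addresses(nets))
    return str(summary), summary.num_addresses - member_addresses


def check_network_routes(ospf_prefixes, box_routes):
    """Return (required route, containing route) pairs violating the 1.4 rule.

    ospf_prefixes: network prefixes configured for OSPF/RIP.
    box_routes: (prefix, device) box network routes.
    The required route is the box route whose prefix equals an OSPF/RIP network
    prefix; it must not be a strict subset of any other box network route.
    """
    routes = [(ip_network(p, strict=False), dev) for p, dev in box_routes]
    violations = []
    for prefix in ospf_prefixes:
        needed = ip_network(prefix, strict=False)
        for net, dev in routes:
            if net != needed:
                continue
            for other, odev in routes:
                if other != net and net.subnet_of(other):
                    violations.append((f"{net} via dev {dev}", f"{other} via dev {odev}"))
    return violations


# Constructed inputs: the Area 1 networks of 2.2.6 and the routes of Table 214.
AREA1_NETWORKS = ["192.168.10.0/24", "192.168.11.0/24"]
TABLE_214_ROUTES = [("10.0.66.0/24", "eth1"), ("10.0.0.0/8", "eth0")]

if __name__ == "__main__":
    print(summary_range(AREA1_NETWORKS))
    for needed, containing in check_network_routes(["10.0.66.0/24"], TABLE_214_ROUTES):
        print(f"route {needed} is a subset of {containing}: OSPF will not enable either interface")
```

The second return value of summary_range() is worth checking before configuring a Summary Range: summarising 192.168.10.0/24 and 192.168.12.0/24 needs a /21 that also covers six unused /24 networks.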



22 System Information

1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532

2. Networking Layer
2.1 Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
2.2 Activation Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

3. Operative Layer
3.1 Directory Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
3.1.1 Static Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
3.1.2 Dynamic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

4. Ports
4.1 Ports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

5. List of Default Events


5.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
5.2 Operational Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
5.3 Security Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539


1. Overview

1.1 General
Attention:
The underlying Linux system is especially designed to
serve as a base for the Barracuda NG Firewall. Direct
interfering on the command line is not necessary for
normal operation. Such operations should be carried
out only by authorized personnel with excellent
knowledge of Linux systems and its special Barracuda
Networks implementation.

The Barracuda NG Firewall system basically consists of three parts:

Table 221 Basic overview of the NGFW OS Linux system and its licensing concepts.
(columns: Layer, Description, Licensing)
Basic Linux: Standard Linux system with the modified NGFW OS kernel, whose source is of course part of the distribution. Licensing: Except for the FW engine, mostly under GPL or other Open Source Licenses.
Barracuda NG networking: Handles all steps dealing with networking. Licensing: Barracuda Networks Public License. Can be used freely for all purposes except commercial redistribution.
Barracuda NG operative: Operative Barracuda Networks Software; consists of box services (logging, statistics, control) and server (for example VPN, mail gateway, DNS, ...). Licensing: Proprietary Barracuda Networks License.

This part of the documentation does not cover the administration of the Basic Linux layer. If you want to learn more about Linux systems in general, we want to refer to a number of excellent books and to a continually growing number of information sites on the internet. However, the NGFW OS Linux base does not serve as an operating system for general purpose. It does not include a number of packages which are necessary for most applications. We did not include those packages because of security reasons and we cannot give support for modifying the Linux system on the NGFW OS CD.


2. Networking Layer

The NGFW OS networking layer is installed by the phionetc_box package. It is called phionetc_box, because almost all relevant files live in the directory /etc/phion. The main purpose of the package is to control every part of the system which communicates over the network. Beside the Barracuda NG Firewall software modules there are other packages like openssh or ntp, which get their configuration and are started by specific scripts.

2.1 Configuration Files

There are three configuration files steering and controlling the networking behavior of the system:
• /etc/phion/options
• /etc/phion/boxadm.conf
• /etc/phion/boxnet.conf

The options file is the only one, which is not edited through the GUI Barracuda NG Admin.

Template of the options file:

Fig. 221 Example options file

#######
## Systemwide options
## File is sourced by several start scripts
##

# start networking at all?
BOX_NETWORK="Y"

# Number of retries to bring up all devices, sometimes useful for token ring devices
NET_RETRY=0

# should the NGFW Subsystem be started ?
PHION_START="Y"

#for some historical reason: should the NetDB subsystem be started?
#CAUTION: Activate only if you know very well what you are doing.
NETDB_START="N"

# for advanced Servers
START_ORA="N"    #Y/N start ORACLE on BOOT
START_ADABAS="N" #Y/N start ADABAS on BOOT

• BOX_NETWORK
  If set to N, literally nothing will happen when trying to start networking in the NGFW OS way.
• NET_RETRY
  Number of retries to establish a network link. This may be useful for unreliable token ring networks.
• PHION_START
  If set to N, the NGFW OS operative layer will not be started at all. Use this if you want to have a box without proprietary Barracuda Networks software running.
• NETDB_START
  Only of use if you have a box with a NetDB database system on it.
• START_ORA and START_ADABAS
  Only of use for a Master configuration server with an Oracle or ADABAS D database.

The boxadm.conf file holds all information, which does not need a network restart to be activated. Additionally it holds information for Barracuda NG Firewall box services, too.

An example of an operative configuration file:

Fig. 222 Example boxadm.conf file

ACLLIST[] = 10.0.0.8/29 10.0.0.231
ACTBOXSERVICES = y
DNSSERVER[] = 10.1.103.179 10.1.100.204
DOMAIN = m086
ENABLESHOSTS = y
MAINADMIN = n
MASTER[] = 10.1.17.42
RID = 86
RMASTER[] = 10.1.17.42
RPASSWD = $1$someMD5encryption
SPASSWD = $1$someMD5encryption
STARTNTP = y
STATISTICS = y
SYNC = y
TMASTER[] = 10.1.16.21
TZONE = Europe/Vienna
UTC = y

[boxtuning]
FILEMAX = 32768
IDETUNING = y
INODEMAX = 65536
SYSTUNING = n


For explanation of the parameters see Configuration Service 5.1 Box Settings Advanced Configuration, page 100.

Attention:
Be extremely cautious in changing these files on the command line.

The boxnet.conf file holds all information which deals with network connections. These are the hostname and the network interfaces, IP addresses and routing information.

Again, let us have a look on a sample file:

Fig. 223 Example boxnet.conf file

HOSTNAME = sega

[addnet_dmz]
BIND = n
CRIT = y
DEV = eth1
IP = 192.168.32.1
IPCHAINS = y
MASK = 8
PING = y

[addroute_default]
DEST = 195.23.11.6
DEV =
FOREIGN = y
MASK = 32
PREF =
REACHIP[] =
SRC =
TARGET = 0.0.0.0
TYPE = gw

[addroute_QA]
DEST = 10.0.0.244
DEV = eth0
FOREIGN = y
MASK = 8
SRC = 10.0.0.8
TARGET = 192.168.10.0
TYPE = gw

[boxnet]
DEV = eth0
IP = 10.0.0.8
MASK = 8

[cards_eepro]
MOD = eepro100.o
MODOPTIONS[] =
NUM = 1
TYPE = eth

[cards_realtek]
MOD = rtl18139.o
MODOPTIONS[] =

For explanation of the parameters see Configuration Service 5.1 Box Settings Advanced Configuration, page 100.

2.2 Activation Scripts

There are two scripts which are intended to be started from the command line:
• /etc/rc.d/init.d/phion (which is actually a link to /etc/phion/rc.d/phionrc)
• /etc/phion/bin/activate

All other scripts should not be started on the command line but are invoked by the 2 scripts above.

For more information see User Documentation Command Line Interface.
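boxadm.conf and boxnet.conf share one layout: a flat part of KEY = value lines, [section] blocks, and KEY[] = a b c for list values. The parser below is an added example, not code from the Barracuda guide or the phionetc_box package. It reads a file in that layout into a dictionary, derives the directly connected networks from the boxnet and addnet_* sections, and, for every addroute_* gateway route, reports which connected network the gateway lies in. It assumes that MASK values use the guide's Inverted CIDR Notation (prefix length = 32 minus MASK, so MASK = 8 with IP 10.0.0.8 is 10.0.0.0/24 and MASK = 32 with TARGET 0.0.0.0 is the default route). The sample text is Fig. 223 re-typed without the cards_* sections.

```python
"""Parser for the KEY = value / [section] / KEY[] = list layout of boxnet.conf and boxadm.conf.

Added example, not from the Barracuda guide. parse_box_conf() returns
{section: {key: value}} with the flat part under the key "" and list keys as
Python lists. connected_networks() and route_gateways() interpret the boxnet,
addnet_* and addroute_* sections; MASK is assumed to be Inverted CIDR.
"""
import re
from ipaddress import 	ip_address, ip_network

# Constructed sample: Fig. 223 re-typed (cards_* sections omitted).
SAMPLE_BOXNET = """\
HOSTNAME = sega

[addnet_dmz]
BIND = n
CRIT = y
DEV = eth1
IP = 192.168.32.1
IPCHAINS = y
MASK = 8
PING = y

[addroute_default]
DEST = 195.23.11.6
DEV =
FOREIGN = y
MASK = 32
PREF =
REACHIP[] =
SRC =
TARGET = 0.0.0.0
TYPE = gw

[addroute_QA]
DEST = 10.0.0.244
DEV = eth0
FOREIGN = y
MASK = 8
SRC = 10.0.0.8
TARGET = 192.168.10.0
TYPE = gw

[boxnet]
DEV = eth0
IP = 10.0.0.8
MASK = 8
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ASSIGN_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)(?P<islist>\[\])?\s*=\s*(?P<value>.*)$")


def parse_box_conf(text):
    conf = {"": {}}
    section = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            conf.setdefault(section, {})
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        value = m["value"].strip()
        conf[section][m["key"]] = value.split() if m["islist"] else value
    return conf


def inverted_to_network(ip, mask):
    """IP plus Inverted-CIDR MASK (assumption) -> containing network in standard notation."""
    return ip_network(f"{ip}/{32 - int(mask)}", strict=False)


def connected_networks(conf):
    """{section: (device, network)} for boxnet and every addnet_* section."""
    out = {}
    for name, sec in conf.items():
        if name == "boxnet" or name.startswith("addnet_"):
            out[name] = (sec["DEV"], inverted_to_network(sec["IP"], sec["MASK"]))
    return out


def route_gateways(conf):
    """{section: (target network, gateway, connected section holding the gateway or None)}."""
    nets = connected_networks(conf)
    out = {}
    for name, sec in conf.items():
        if not name.startswith("addroute_") or sec.get("TYPE") != "gw":
            continue
        target = inverted_to_network(sec["TARGET"], sec["MASK"])
        gateway = ip_address(sec["DEST"])
        via = next((n for n, (_, net) in nets.items() if gateway in net), None)
        out[name] = (str(target), str(gateway), via)
    return out


if __name__ == "__main__":
    conf = parse_box_conf(SAMPLE_BOXNET)
    print(conf[""]["HOSTNAME"], connected_networks(conf))
    for name, (target, gw, via) in route_gateways(conf).items():
        print(f"{name}: {target} via {gw} (gateway in: {via})")
```

Reading the files this way is a safe alternative to editing them: the Attention above applies to writing, and a read-only parse lets a support engineer compare the active configuration with what the GUI shows before any change is made.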


3. Operative Layer

3.1 Directory Structure

3.1.1 Static Data

The whole operative data resides in /opt/phion.

Note:
It is not recommended to change anything below this directory.

The full configuration of a Barracuda NG Firewall box is held under /opt/phion/config/active. The configuration files may be modified manually by a Barracuda Networks support engineer or by a specially trained system engineer. If you are not absolutely sure about what you are doing, do not change anything in this place.

3.1.2 Dynamic Data

Log files and statistics data reside in /var/phion.

This directory has the following substructure.
• /var/phion/logs
  All log files are stored here. You can read them with any editor.

  Attention:
  DO NOT write to it, DO NOT rename it, DO NOT put any files in here. Every manual action can result in strange behavior of the log GUI.

• /var/phion/stat
  Root directory for the statistics data structure. The data files are Berkeley DB files in binary form. They can be viewed with the showstat utility (/opt/phion/bin/).

  Attention:
  Again: Do NOT change anything in these directories manually.

• /var/phion/logcache
  Home of the Log Access Files (*.laf). These are Berkeley DB files for fast access to large log files.
• /var/phion/run/<module>
  Services may store operational data in these directories.

Intervention on command line is generally not intended on the NGFW OS operative layer. Nevertheless there is one powerful tool to steer the processes. It can be used to gather comprehensive information about system state, routing, servers, processes. Furthermore it is able to start / stop / block / disable servers and box processes. It is called phionctrl and resides in /opt/phion/bin. For more information see the User Documentation Command Line Interface.

4. Ports

The following table enlists the ports of a Barracuda NG Firewall that are required for communication.

4.1 Ports Overview

Table 222 Ports overview

Port             Protocol  Type     Daemon
22               TCP       service  sshd
691 and 443      TCP/UDP   service  vpn
680              TCP       service  FW-audit
688              TCP       service  firewall
692              TCP/UDP            VPN management tunnel
801              TCP       box      controld/status
801              UDP       box      controld/HA-heartbeat
802              TCP       box      phibsd Fail-Cache
803              TCP       box      logd
805              TCP       box      distd
806              TCP       service  qstatd
807              TCP       box      qstatd
807              UDP       box      cstatd
808              TCP/UDP   box      event
808              TCP/UDP   service  mevent
809              TCP       box      boxconfig
810              TCP       service  masterconfig
811              TCP       service  map/status
814              TCP       service  vpnserver
815              TCP       service  mailgw
816              TCP       service  DHCP
817              UDP       service  trans7
818              TCP       service  PKI
843              TCP       service  HTTPs Proxy GUI
844              TCP       service  policyserver
845              TCP       box      distd
880              TCP       service  HTTP Proxy
44000 and 44001  TCP       service  policyserver


5. List of Default Events

5.1 General

Events with identical Event-ID may be generated by multiple processes. Each process, which is responsible for event generation is characterized by an assigned Class and Layer-ID allowing for rough categorisation.

The following Class- and Layer-IDs apply for categorisation:

• Layer IDs:

Table 223 Layer-IDs overview

Layer-ID  Layer Title           Description
1         Boot Layer            Events that are generated during system boot-up
2         Box Layer             Events that are generated by a box service (controld, logd, ...)
3         Server/Service Layer  Events that are generated by a server/service process

• Class IDs:

Table 224 Class-IDs overview

Class-ID  Class Title  Description
1         Operative    Events that are related to the operative service of the system
2         Resources    Events that are related to system resources
3         Security     Events that are related to system security

Because Class- and Layer-IDs are not attributable to exactly one Class or Layer, Class and Layer descriptions are not included in the list below. They can be learned from the Event Monitor GUI.

The example below shows a snapshot from the Event Monitor GUI. Entries with identical Event-IDs are highlighted. Have a look at the corresponding different entries in the Layer Desc column.

Fig. 224 Event Monitor GUI

A double-click on the event entries framed in red discloses that the first entry with Layer Description conf has Layer-ID 3 and Class-ID 2 assigned, whereas the second entry with Layer Description log has Layer-ID 2 and Class-ID 2 assigned.

Fig. 225 Event Properties windows

The following events are defined on a Barracuda NG Firewall/Barracuda NG Control Center:

Note:
Events flagged with "not available" in the Relevance field of the following table are not utilized in Barracuda NG Firewall 4.2.


5.2 Operational Events


Table 225 Operational Events overview

Event-ID Description Relevance Severity Notification Persistent


10 Disk Space Low On at least one partition between 70 and 90 % of available disk space are Warning 1 yes
in use. Disk usage is graphically depicted in the Box Control > Resources Tab
(see page 36). Low disk space is characterized by a yellow status bar.
11 Disk Space Critical On at least one partition more than 90 % of available disk space are in use. Error 1 yes
Disk usage is graphically depicted in the Box Control > Resources Tab (see
page 36). Critical disk space is characterized by a red status bar.
20 Memory Low At least 70 or up to 90 % of available memory are in use. Memory usage is Warning 1 yes
graphically depicted in the Box Control > Processes Tab (see page 36). Low
memory availability is characterized by a yellow status bar.
21 Memory Critical More than 90 % of available memory are in use. Memory usage is Error 1 yes
graphically depicted in the Box Control > Processes Tab (see page 36).
Critical memory availability is characterized by a red status bar.
30 High System Load The "Warning" Infrastructure Services - Control - CPU-Load Monitoring Warning 1 yes
section CPU-Load Warning Thresholds have been exceeded. Thresholds
may be configured in Config > Box > Box Services > Control > CPU-LOAD tab
(page 119).
31 Excessive System Load The "Critical" Infrastructure Services - Control - CPU-Load Monitoring Error 1 yes
section CPU-Load Warning Thresholds have been exceeded. Thresholds
may be configured in Config > Box > Box Services > Control > CPU-LOAD tab
(page 119).
34 Critical System Condition The Watchdog repair binary could not be executed flawlessly (see 5.1.10 Error 1 yes
Watchdog, page 108, and parameter Run S.M.A.R.T, page 110).
48 Device Mismatch Error 1 no
49 Device Activation Failed A network interface could not be activated. Error 1 no
50 Device Down A network interface has been disabled. Error 1 yes
51 IP Address Added The control daemon has added a server IP to the network configuration (for Information 1 no
example after manual configuration changes, enabling a server, ).
52 IP Address Removed The control daemon has removed a hitherto existing server IP address from Information 1 no
the network configuration (for example after manual configuration
changes, blocking or disabling a server, ).
54 IP Property Change Failed not available Error 1 no
55 Assigned IP Address Changed An IP address, which has been assigned to the system by an DHCP server Information 1 no
has changed.
56 Duplicate DHCP IP An DHCP server assigned IP address living on the system has additionally Warning 1 no
been detected in the network.
57 Dyn DNS Update Succeeded Update of a configured DynDNS account (for example DHCP network or Information 1 no
58 Dyn DNS Update Failed ISDN network configuration) has succeeded/failed. Warning 1 no
60 Route Added A route has been added to the active network configuration, for example Information 1 no
because an xDLS connection has been activated or a gateway has become
available.
61 Route Deleted A route has been deleted from the system, for example because a gateway Information 1 no
has become unavailable.
62 Route Changed The state or a parameter of a route has changed. Information 1 no
63 Route Enabled A route has been activated, because for example a server IP has been Information 1 no
added to the configuration.
64 Route Disabled A route has been disabled, because for example a server IP has been Information 1 no
deleted from the configuration.
65 Route Reactivated See also Event-ID 66 Route Deactivated. A gateway route has been Information 1 no
reactivated because the initial state has been restored.
66 Route Deactivated A gateway route has been deactivated because a former gateway IP has Information 1 no
become a local IP on a Barracuda NG Firewall system. This event might
occur on secondary HA boxes, when the server IP of the primary box
(former gateway IP for the secondary box) changes to the secondary box
after HA takeover.
70 Flash RAM auto detection The Storage Architecture option available in the Box Configuration file Error 1 no
might have been misconfigured (see Storage Architecture, page 53).
90 Module Error Error 1 no
100 Missing Configuration File A server or service configuration file cannot be retrieved, that means it Error 1 no
might have been deleted.
110 Missing Sysctrl not available Error 1 yes
120 Missing Executable A binary needed at start-up could not be found (for example acpfctrl for Error 1 yes
setting parameters, ).
131 Resource Missing A resource needed for full system functionality is missing, for example a Error 1 no
configured network interface is not available.
135 Resource Limit Pending Less than 50 % of maximum command value remain (see 2.2.3.7 SMS Warning 1 yes
Control, Successive Command Maximum, page 58).

136 | Resource Limit Exceeded | The number of concurrent connections allowed to connect to a service, or a configured maximum limit, has reached a critical value or has been exceeded (for example, see Mail Gateway 3.2.7 Reporting, page 272, Parallel Connection Limit, page 272, Spooling Limit, page 272, and DHCP 2.2.2 Global Settings, page 299, Leases Low / Leases Critical, page 299). Also generated when the maximum command counter has been reached or exceeded (see 2.2.3.7 SMS Control, Successive Command Maximum, page 58). | Warning | 1 | yes
150 | Corrupted Data File | The utility dstats has identified a corrupt data file (Configuration Service 5.2.5 Statistics, page 119). | Error | 1 | no
400 | Time Discontinuity Detected | The statistics daemon has detected a time shift, that is, a deviation from former time settings (for example date/time settings have been changed manually, or hardware clock settings are wrong after reboot). | Warning | 1 | no
500 | Invalid License | The license that is installed on the system is invalid, for example the Hardware ID of the system does not match the ID the license has been issued for, or the validity period has been exceeded. | Error | 1 | yes
501 | No License Found | | Error | 1 | yes
505 | License Limit Exceeded | The license limit of IPs protected by the firewall has been exceeded (Firewall 6.6.2 Protected IPs, page 186). | Error | 1 | no
510 | Invalid Argument | The Watchdog repair binary could not be executed flawlessly (see 5.1.10 Watchdog, page 108). | Error | 1 | no
600 | HA Partner Unreachable | Connectivity between a Barracuda NG Firewall and its high availability partner is disrupted. | Error | 1 | yes
620 | Box Unreachable | Connectivity between the CC and one of its administered boxes is disrupted. This event is only generated on the CC. | Warning | 1 | yes
622 | Box Reachable Again | Connectivity between the CC and one of its administered boxes has been restored. This event is only generated on the CC. | Information | 1 | no
666 | Process Core Found | The core-search utility has found a core dump of a Barracuda NG Firewall process and has moved it to /var/phion/crash. | Warning | 1 | no
2000 | Start Server | A server has been started either by the system or manually. | Information | 1 | no
2001 | Start Service | A service has been started either by the system or manually. | Information | 1 | no
2002 | Start Box Service | A box service has been started either by the system or manually. | Information | 1 | no
2010 | Stop Server | A server has been stopped either by the system or manually. | Information | 1 | no
2011 | Stop Service | A service has been stopped either by the system or manually. | Information | 1 | no
2012 | Stop Box Service | A box service has been stopped either by the system or manually. | Information | 1 | no
2020 | Restart Server | A server has been restarted either by the system or manually. | Information | 1 | no
2021 | Restart Service | A service has been restarted either by the system or manually. | Information | 1 | no
2022 | Restart Box Service | A box service has been restarted either by the system or manually. | Information | 1 | no
2030 | Block Server | A server has been blocked manually. | Warning | 1 | no
2031 | Block Service | A service has been blocked manually. | Warning | 1 | no
2032 | Block Box Service | A box service has been blocked manually. | Warning | 1 | no
2040 | Deactivate Server | | Warning | 1 | no
2041 | Deactivate Service | | Warning | 1 | no
2042 | Deactivate Box Service | | Warning | 1 | no
2044 | No Valid License for Service | | Warning | 1 | yes
2045 | Entering GRACE Mode | A system with a formerly valid license has changed into grace mode, either because the host key the license has been issued for does not match the system's host key, or because the CC-administered box could not validate its license with the CC. | Warning | 1 | no
2046 | Entering DEMO Mode | The system has been installed without importing a valid license, or a valid box license has been removed from it. | Error | 1 | no
2047 | GRACE Mode Expired | Grace mode has expired and all services have been deactivated. | Error | 1 | no
2050 | Reactivate Server | | Warning | 1 | no
2051 | Reactivate Service | | Warning | 1 | no
2052 | Reactivate Box Service | | Warning | 1 | no
2054 | Subprocess Kill Requested | A sub-process has been killed manually. | Information | 1 | no
2056 | Connection Kill Requested | | Information | 1 | no
2058 | Session Kill Requested | | Information | 1 | no
2060 | Emergency Server Start | A server has started because the HA partner is not available. | Warning | 1 | no
2061 | Emergency Server Stop | A server has stopped because the HA partner server is in state active. | Warning | 1 | no
2070 | Daemon Startup Failed | A daemon's startup has failed. The daemon responsible for the event is included in the event message. Eventing notifications may be configured per daemon (for example NTPd, see page 57, SSH, see page 106). Events 2070 to 2073 are only generated for controlled startup/shutdown sequences and not for manual process terminations. | Warning | 1 | no
2071 | Daemon Startup Succeeded | A daemon's startup has succeeded (see Event-ID 2070). | Information | 1 | no
2072 | Daemon Shutdown Failed | A daemon's shutdown has failed (see Event-ID 2070). | Information | 1 | no
2073 | Daemon Shutdown Succeeded | A daemon's shutdown has succeeded (see Event-ID 2070). | Information | 1 | no
2080 | Time Synchronisation Failed | NTP sync with the configured NTP server has failed. NTP synchronisation settings are defined in the Config > Box > Settings > TIME/NTP tab (see page 56). | Warning | 1 | no
2081 | Time Synchronisation Succeeded | NTP sync with the configured NTP server has succeeded. NTP synchronisation settings are defined in the Config > Box > Settings > TIME/NTP tab (see page 56). | Information | 1 | no

2082 | Time Synchronisation Denied | NTP sync with the configured NTP server has been denied. NTP synchronisation settings are defined in the Config > Box > Settings > TIME/NTP tab (see page 56). | Error | 1 | no
2102 | Network Restart Requested | A network restart has been triggered manually using Barracuda NG Admin. | Information | 1 | no
2103 | Activate New Network Configuration | A new network configuration has been activated manually using Barracuda NG Admin. | Information | 1 | no
2104 | NGFW Subsystem Start | The NGFW Subsystem (network and NGFW OS processes) has been started. | Information | 1 | no
2105 | NGFW Subsystem Stop | The NGFW Subsystem (network and NGFW OS processes) has been stopped. | Information | 1 | no
2120 | Mail DSN Message Sent | A DSN (Delivery Status Notification) message has been generated and sent by the mail gateway (for example due to undeliverable mail). Further DSN generation conditions are configurable in the Limits configuration section of the mail gateway (Mail Gateway 3.2.6 Limits, page 271). | Information | 1 | no
2210 | Network Subsystem Restart | The network subsystem (routes, IP addresses, network interface drivers) has been restarted. | Information | 1 | no
2212 | Unclean Network Subsystem Activation | An error has occurred during network subsystem activation. | Warning | 1 | no
2220 | Network Subsystem Shutdown | The network subsystem (routes, IP addresses, network interface drivers) has been shut down. | Information | 1 | no
2222 | Unclean Network Subsystem Shutdown | An error has occurred during network subsystem shutdown. | Information | 1 | no
2230 | Network Subsystem Check | The network subsystem configuration has been checked for consistency. | Information | 1 | no
2232 | Network Subsystem Check | The network subsystem configuration has been checked for consistency. | Information | 1 | no
2234 | Network Subsystem Check Failed | An error has been discovered during the network subsystem configuration check. | Warning | 1 | no
2240 | Link Activation Failed | Activation of a dynamic link (for example xDSL, UMTS, DHCP) has failed. The reason for the activation failure is provided in the event message. | Error | 1 | no
2242 | Sublink Activation Failed | | Error | 1 | no
2250 | PCMCIA Bus Reset | The PCMCIA bus has been reset by power cycling it, to recover from a potential modem lockup. | Error | 1 | no
2380 | Flawed Configuration Data Activation | The rule file containing the domain settings of the mail gateway service is either missing or a corrupt rule file has been loaded. This event is only reported when parameter Bad Rulefile Loaded (see page 272) is set to yes. | Error | 1 | no
2500 | FW Forwarding Loop Suppressed | Events 2500 and 2502 are triggered when the firewall engine delivers a locally targeted session from the local firewall to the forwarding firewall (because of a non-existing local listening socket) and in the forwarding firewall a rule matches that does not perform DNAT. They are only generated when the parameter settings Local Redirection / Local Routing Loop (see page 138) are set to yes. | Information | 1 | yes
2502 | FW Local Redirection Suppressed | See Event-ID 2500. | Information | 1 | yes
2511 | FW Worker Limit Exceeded | | Error | 1 | yes
3000 | VPN Server Tunnel Terminated | A VPN tunnel has been terminated manually. | Information | 1 | no
3001 | VPN Alternative Tunnel Activated | A VPN alternative tunnel is activated when the active partner of the tunnel changes its Bind-IP address (for example after a provider failure). | Warning | 1 | no
3002 | VPN Server Tunnel Activated | A VPN Site-to-Site tunnel has been activated. | Information | 1 | no
3003 | activation of on-demand tunnel | An on-demand VPN Site-to-Site tunnel has been activated. | Notice | 1 | no
3004 | deactivation of on-demand tunnel | An on-demand VPN Site-to-Site tunnel has been deactivated. | Notice | 1 | no

5.3 Security Events

Table 226 Security Events overview

Event-ID | Description | Relevance | Severity | Notification | Persistent
53 | Duplicate IP Detected | An IP address living on the system has additionally been detected in the network. | Warning | 2 | yes
140 | Mail Size Limit Exceeded | The size of an e-mail has exceeded the configured limit (see parameter Mail Data Size Limit, page 272). This event is only reported when parameter Mail Data Size Limit (see page 272) is set to yes. | Notice | 2 | no
300 | User ID (UID) Invalid | | Security | 3 | no
304 | Reserved Login ID Used | | Security | 3 | no
2099 | CTRL-ALT-DEL | A system reboot has been triggered manually at the physical console by pressing the keys CTRL-ALT-DEL simultaneously. | Warning | 2 | no
2100 | Reboot Requested | A system reboot has been triggered manually using Barracuda NG Admin. | Warning | 2 | no
2101 | System Halt Requested | A system shutdown has been triggered manually. | Warning | 2 | no
2400 | Config Node Change Notice | A configuration file has been edited in the Barracuda NG Control Center configuration tree. "Config node change" events are only reported if event notification has been configured for configuration file changes (Barracuda NG Control Center 6.7 Defining Node Properties, page 445). The following events apply: Normal Event - Event-ID 2400; Notice Event - Event-ID 2401; Alert Event - Event-ID 2402. | Notice | 2 | no
2401 | Config Node Change Warning | See Event-ID 2400. | Warning | 2 | no
2402 | Config Node Change Alert | See Event-ID 2400. | Security | 3 | no
2420 | NGFW Subsystem Login Notice | An application has been granted administrative access to the system. Barracuda Networks applications generate "Barracuda Networks Subsystem Login" notifications every time a user has successfully logged into an application that interacts with the graphical administration tool Barracuda NG Admin (for example control, event, statistics, config). The severity level for notifications regarding access to box services is configurable in the Config > Box > Box Misc. > Access Notification tab, see page 105; notifications for other services may be customized per service (list 391, page 98). | Notice | 2 | no
2421 | NGFW Subsystem Login Warning | See Event-ID 2420. | Warning | 2 | no
2422 | NGFW Subsystem Login Alert | See Event-ID 2420. | Security | 3 | no
2510 | FW Global Connection Limit Exceeded | The number of total sessions allowed for a request has been exceeded (see Max. Session Slots, page 135). | Security | 3 | yes
2600 | DHCP Lease Deleted | not available | Notice | 2 | no
3011 | CRL Collection Failed | Collection of the Certificate Revocation List (CRL) has failed. Paths to CRLs are defined in the VPN settings > Root Certificates tab > Certificate Revocation tab (VPN 2.3.3 Root Certificates Tab, page 220). Polling for CRL retrieval is defined through parameter CRL Poll Time (see page 219). | Security | 3 | no
3012 | VPN Client Version | not available | Warning | 2 | no
3013 | Antivir Pattern Update Failed | Update to the recent Virus Scanner definitions has not succeeded. | Security | 3 | no
4000 | FW Port Scan Detected | The number of blocked requests has exceeded the Port Scan Threshold within the configured Port Scan Detection Interval. Limit values can be customized in the Firewall Settings > Reporting tab (see page 137). | Notice | 2 | no
4002 | FW Flood Ping Protection Activated | The Min Delay time for pinging defined in a Firewall Service Object (Firewall > Service Objects > Min Delay, see page 152) has been under-run and the connection has thus been blocked by the FW. | Warning | 2 | no
4004 | FW Activating Perimeter Defence (inbound mode) | The Inbound Threshold (%) value specified in the Local Firewall settings (see page 136) has been exceeded. This event is only reported when parameter Pending Accepts Critical (see page 138) is set to yes. | Security | 3 | no
4006 | FW Pending TCP Connection Limit Reached | The number of pending TCP sessions per source IP exceeds the allowed maximum. Requests initiating further pending sessions will be blocked. The threshold is configurable in the Firewall Forwarding Settings > Firewall tab (see page 139, parameter Max. Pending Forward Accepts/Src). This event is only reported when parameter Accept Limit Exceeded (see page 137) is set to yes. | Security | 3 | no
4008 | FW UDP Connection per Source Limit Exceeded | The maximum number of UDP sessions per source IP has been exceeded. The thresholds can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Local-In UDP/Src, see page 136) and in the Firewall Forwarding Settings > Firewall tab (parameter Max. Forwarding UDP/Src, see page 139). This event is only reported when parameter UDP/Src Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4009 | FW UDP Connection Limit Exceeded | The maximum number of UDP sessions has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max UDP (%), see page 135). This event is only reported when parameter UDP/Src Limit Exceeded (see page 137) is set to yes. | Security | 3 | no
4010 | FW Oversized SYN Packet Dumped | An oversized SYN packet has been dropped by the firewall (see Oversized SYN Packet, page 138). This event is only reported when parameter Oversized SYN Packet (see page 138) is set to yes. | Notice | 2 | no
4012 | FW Large ICMP Packet Dumped | An ICMP-ECHO packet larger than the configured Max Ping Size (see page 152) has been dropped by the firewall. This event is only reported when parameter Large ICMP Packet (see page 137) is set to yes. | Notice | 2 | no
4014 | FW IP Spoofing Attempt Detected | An IP spoofing attempt has been discovered. This event is only reported when parameter IP Spoofing (see page 138) is set to yes. | Notice | 2 | no
4015 | FW Potential IP Spoofing Attempt | A SYN flooding attack has been identified (see 2.3.4.3 Accept Policies, page 166). This event is only reported when parameter IP Spoofing (see page 138) is set to yes. | Notice | 2 | no
4016 | FW Rule Connection Limit Exceeded | The maximum number of concurrent connections allowed per rule has been exceeded. The maximum value is defined by parameter Max. Number of Sessions (see page 164). This event is only reported when parameter Rule Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4018 | FW Rule Connection per Source Limit Exceeded | The maximum number of concurrent connections allowed per rule and source has been exceeded. The maximum value is defined by parameter Max. Number of Sessions per Source (see page 164). This event is only reported when parameter Source/Rule Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4020 | FW Rule Notice | A firewall rule equipped with event generation has been processed. The severity level of the generated event is defined by the rule (see parameter Eventing, page 164). | Notice | 2 | no
4021 | FW Rule Warning | See Event-ID 4020. | Warning | 2 | no
4022 | FW Rule Alert | See Event-ID 4020. | Security | 3 | no
4024 | FW Global Connection per Source Limit Exceeded | The maximum number of concurrent connections allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Session/Src in the Local Firewall Settings (see page 135) and Max. Forwarding Session/Src in the Forwarding Firewall Settings (see page 139). This event is only reported when parameter Session/Src Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4026 | FW ICMP-ECHO Connection per Source Limit Exceeded | The maximum number of concurrent ICMP-ECHO connections allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Echo/Src in the Local Firewall Settings (see page 136) and Max. Forwarding Echo/Src in the Forwarding Firewall Settings (see page 139). This event is only reported when parameter Echo/Src Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no

4027 | FW ICMP-ECHO Connection Limit Exceeded | The maximum number of ICMP-ECHO connections has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Echo (%), see page 135). This event is only reported when parameter Echo Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4028 | FW OTHER-IP Connection per Source Limit Exceeded | The maximum number of concurrent OTHER-IP connections (all IP protocols except TCP, UDP and ICMP) allowed per source has been exceeded. The maximum value is defined by parameters Max Local-In Other/Src in the Local Firewall Settings (see page 136) and Max. Forwarding Other/Src in the Forwarding Firewall Settings (see page 139). This event is only reported when parameter Other/Src Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4029 | FW OTHER-IP Session Limit Exceeded | The maximum number of OTHER-IP sessions (all IP protocols except TCP, UDP and ICMP) has been exceeded. The threshold can be configured in the Local Firewall Settings > Session Limits tab (parameter Max Other (%), see page 135). This event is only reported when parameter Other Limit Exceeded (see page 137) is set to yes. | Warning | 2 | no
4050 | FW ARP MAC Address Changed | not available | Notice | 2 | no
4051 | FW ARP Ambiguous Duplicate Reply | not available | Notice | 2 | no
4052 | FW ARP Request Device Mismatch | not available | Notice | 2 | no
4053 | FW ARP Reverse Routing Interface Mismatch | not available | Notice | 2 | no
4100 | User Unknown | A system login has been attempted with an unknown login ID (see Config > Box > Box Misc. > Access Notification tab, page 105, and List 391 Service Configuration - Notification section Access Notification, page 98). | Warning | 2 | no
4110 | Authentication Failure Notice | A login attempt with a valid login ID has failed (see Config > Box > Box Misc. > Access Notification tab, page 105, and List 391 Service Configuration - Notification section Access Notification, page 98). | Notice | 2 | no
4111 | Authentication Failure Warning | A login attempt with a valid login ID has failed for the second time (see Config > Box > Box Misc. > Access Notification tab, page 105, and List 391 Service Configuration - Notification section Access Notification, page 98). Also generated when the ACL does not match (see 2.2.3.7 SMS Control, Allowed Phone Numbers, page 58). | Warning | 2 | no
4112 | Authentication Failure Alert | A login attempt with a valid login ID has failed at least three times (see Config > Box > Box Misc. > Access Notification tab, page 105, and List 391 Service Configuration - Notification section Access Notification, page 98). Also generated on password authentication failure and/or an unsuccessful command match (see 2.2.3.7 SMS Control, section Administrative Settings - SMS Control, section Command Codes, page 58). | Security | 3 | no
4120 | Session Opened Notice | | Notice | 2 | no
4121 | Session Opened Warning | A traced user has initiated an SSH connection (SSH Gateway 1. SSH Proxy, page 386, Recorded Users, page 388). | Warning | 2 | no
4122 | Session Opened Alert | | Security | 3 | no
4124 | Remote Command Execution Notice | Remote command execution has been triggered remotely by the Barracuda NG Control Center (in the CC Control > Box Execution tab) or by an authorized user. Note that copying files with SCP also generates this event. | Notice | 2 | no
4125 | Remote Command Execution Warning | See Event-ID 4124. | Warning | 2 | no
4126 | Remote Command Execution Alert | See Event-ID 4124. Also generated on successful authentication when the command is accepted (see 2.2.3.7 SMS Control, section Administrative Settings - SMS Control, section Command Codes, page 58). | Security | 3 | no
4130 | System Login Notice | Which of these event notifications is generated is determined by the settings made in the Config > Box > Box Misc. > Access Notification tab, see page 105. The following notifications apply with default settings: Notice (not assigned), Warning (successful SSH and remote SSH login), Alert (successful console login). Login failure triggers events 4110, 4111, and 4112 (see above). | Notice | 2 | no
4131 | System Login Warning | See Event-ID 4130. | Warning | 2 | no
4132 | System Login Alert | See Event-ID 4130. | Security | 3 | no
4160 | Log Data Deleted | | Notice | 2 | no
4162 | Statistics Data Deleted | | Notice | 2 | no
4163 | Statistics Collection Failed | | Notice | 2 | no
4200 | CTRL-ALT-DEL | | Warning | 2 | no
4202 | System Reboot | The system has been rebooted. A manual reboot triggers this event just like the Watchdog repair binary does (see 5.1.10 Watchdog, page 108). | Warning | 2 | no
4204 | System Shutdown | The system has been shut down. | Warning | 2 | no
4206 | Runlevel Changed | The runlevel of the operating system has changed. Runlevels change during system boot. | Notice | 2 | no
4210 | Single User Mode | The system has been booted in Single User mode using the boot option "single". | Warning | 2 | no
4212 | Problems During Bootup | | Warning | 2 | no
4214 | Incomplete Previous Boot | The previous system bootup could not be completed. | Warning | 2 | no
4220 | System Boot | The system is starting the bootup process. | Notice | 2 | no
4222 | Emergency System Boot | | Warning | 2 | no
4240 | Bootloader Configuration Change | | Notice | 2 | no
4242 | Two Phase Kernel Update | | Notice | 2 | no
4244 | Automatic Kernel Update | | Notice | 2 | no

4246 | Kernel Update Rejected | | Warning | 2 | no
4248 | Custom Bootloader or Kernel Update | | Notice | 2 | no
4250 | Bootloader Test Activation Failure | | Notice | 2 | no
4252 | Bootloader Activation Failed | | Warning | 2 | no
4254 | Bootloader Disaster Recovery | | Warning | 2 | no
4256 | Bootloader Reconfigured | | Notice | 2 | no
4258 | Kernel Update | | Warning | 2 | no
4260 | Pending Kernel Update | | Warning | 2 | no
4261 | Activate Pending Kernel Update | | Warning | 2 | no
4262 | Bootloader Reconfiguration Failed | | Warning | 2 | no
4264 | Kernel Update Failed | | Warning | 2 | no
4300 | Empty ACL Encountered | | Security | 3 | no
4302 | Overlong ACL Encountered | | Security | 3 | no
4304 | Password Update Failure | | Security | 3 | no
4306 | Password Updated | The password of the support user or of the user "root" has changed. | Warning | 2 | no
4307 | Key Updated | The root public RSA key has changed. | Warning | 2 | no
4400 | Release Update Triggered | A software update has been triggered manually. | Notice | 2 | no
4402 | Subsystem Release Update Succeeded | | Notice | 2 | no
4404 | Subsystem Release Update Cancelled | A software update has been cancelled. | Notice | 2 | no
4406 | Subsystem Release Update Aborted | | Warning | 2 | no
4408 | Release Update Failed | | Security | 3 | no
4410 | Release Inconsistencies Detected | Incorrect RPM packages have been installed, for example hotfixes intended for another Barracuda NG Firewall release version, or Barracuda Networks files have been modified, for example by manually editing a Barracuda Networks script. | Warning | 2 | no
4412 | Active Kernel not in RPM-DB | The Linux kernel in use has not been added to the RPM database. | Notice | 2 | no
4500 | Mail Data Discarded | An e-mail has been discarded from the mail queue (Mail Gateway 5.3 Mail Queue Tab, page 279, Discard Mail, page 280). This event is only reported when parameter Admin Reception Commands (see page 272) is set to yes. | Notice | 2 | no
4504 | Mail Operation Changed | An e-mail has been allowed or blocked manually (Mail Gateway 5.6 Processes Tab, page 282, Allow Mail Reception/Block Mail Reception, page 282). This event is only reported when parameter Admin Discard Mail Cmd (see page 272) is set to yes. | Notice | 2 | no
4506 | Mail Delivery Refused | E-mail delivery to a banned recipient has been refused. This event is only reported when parameter Recipient Dropped (see page 272) is set to yes. | Notice | 2 | no
4508 | Mail Relaying Denied | Relaying of an e-mail has been denied according to the content filter configuration. This event is only reported when parameter Mail Denied (see page 272) is set to yes. | Notice | 2 | no
4512 | Mail Rule Notice | Events 4512 to 4514 are customized events with corresponding customized descriptions, which are triggered when Action type Event (Mail Gateway 3.2.4 Advanced Setup, page 266, Expert Settings section, page 267) is used in the Expert Settings configuration area. In the rule, Event-ID 0 = Severity Notice, Event-ID 1 = Severity Warning, Event-ID 2 = Severity Security. These events will only be reported when parameter User Defined Rule Event (see page 272) is set to yes (default). | Notice | 2 | no
4513 | Mail Rule Warning | See Event-ID 4512. | Warning | 2 | no
4514 | Mail Rule Alert | See Event-ID 4512. | Security | 3 | no
4600 | Attempted Illegal Assignment | | Security | 3 | no
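The escalation scheme for login failures in Table 226 (Event-ID 4100 for an unknown login ID, 4110 for the first failure of a valid login ID, 4111 for the second and 4112 for the third and every further one) is easy to misread in a log. The following Python script, an added example and not Barracuda NG Firewall code, replays constructed login records through that scheme so the mapping from attempt count to Event-ID and severity can be checked offline. The log format, the names `LoginFailureTracker`, `process_log` and `parse_line`, and the set of known users are all constructed for this example; the manual does not state when the failure counter restarts, so resetting it on a successful login is an assumption of the example.

```python
"""Login-failure escalation as described for Event-IDs 4100, 4110, 4111 and
4112 in Table 226. Added example; not Barracuda NG Firewall code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Event-IDs and severities as listed in Table 226 (Security Events).
USER_UNKNOWN = 4100          # Warning:  login attempted with an unknown login ID
AUTH_FAILURE_NOTICE = 4110   # Notice:   first failure of a valid login ID
AUTH_FAILURE_WARNING = 4111  # Warning:  second failure
AUTH_FAILURE_ALERT = 4112    # Security: third and every further failure
SEVERITY = {4100: "Warning", 4110: "Notice", 4111: "Warning", 4112: "Security"}


@dataclass(frozen=True)
class Event:
    event_id: int
    severity: str
    login_id: str
    timestamp: str


class LoginFailureTracker:
    """Turns a stream of login results into the Event-IDs of Table 226.

    known_users is a constructed stand-in for the box's authentication
    backend. Clearing the failure count on a successful login is an
    assumption of this example; the manual does not say when the count restarts.
    """

    def __init__(self, known_users):
        self.known_users = set(known_users)
        self.failures = defaultdict(int)  # consecutive failures per login ID

    def observe(self, timestamp, login_id, success) -> Optional[Event]:
        if login_id not in self.known_users:
            return Event(USER_UNKNOWN, SEVERITY[USER_UNKNOWN], login_id, timestamp)
        if success:
            self.failures[login_id] = 0  # assumption: success clears the count
            return None
        self.failures[login_id] += 1
        count = self.failures[login_id]
        if count == 1:
            event_id = AUTH_FAILURE_NOTICE
        elif count == 2:
            event_id = AUTH_FAILURE_WARNING
        else:
            event_id = AUTH_FAILURE_ALERT
        return Event(event_id, SEVERITY[event_id], login_id, timestamp)


# Constructed log lines in a made-up format: "<timestamp> login <id> <ok|fail>".
SAMPLE_LOG = """\
2010-02-01T08:00:01 login admin fail
2010-02-01T08:00:05 login admin fail
2010-02-01T08:00:09 login admin fail
2010-02-01T08:00:12 login admin fail
2010-02-01T08:01:00 login guest fail
2010-02-01T08:02:00 login root ok
2010-02-01T08:02:30 login root fail
"""


def parse_line(line):
    """Return (timestamp, login_id, success) for one constructed log line."""
    timestamp, kind, login_id, result = line.split()
    if kind != "login" or result not in ("ok", "fail"):
        raise ValueError(f"unexpected log line: {line!r}")
    return timestamp, login_id, result == "ok"


def process_log(text, known_users):
    """Run the tracker over a log and return the events that would be raised."""
    tracker = LoginFailureTracker(known_users)
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = tracker.observe(*parse_line(line))
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in process_log(SAMPLE_LOG, {"admin", "root"}):
        print(f"{ev.timestamp} event {ev.event_id} ({ev.severity}) login_id={ev.login_id}")
```

On the constructed sample the four failures for admin produce 4110, 4111, 4112, 4112 in that order, the attempt with the unknown ID guest produces 4100, and the single failure for root after a successful login produces 4110 again. The third-and-further rule (4112 repeats rather than escalating further) is the point worth remembering when tuning notification for these events.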

23 Appendix

1. How to (page 544)
1.1 How to gather Group Information (page 544)
1.2 How to tune Barracuda NG Firewall for High Performance Environments (page 545)
1.3 How to set up for SCEP (page 546)
1.4 How to mount USB Flashdisk on Barracuda NG Firewall (page 547)

2. Barracuda NG Firewall Appliances Parameter Defaults (page 548)

3. Index of Dialog Sections (page 550)

4. Index of Dialog Tabs (page 554)

5. Parameter List Directory (page 557)

6. Index of Configuration Parameters (page 567)

7. Table Directory (page 591)

8. Figure Directory (page 595)

9. Glossary (page 604)

10. Barracuda Networks Warranty and Software License Agreement (v2.1) (page 611)
10.1 Barracuda Networks Limited Hardware Warranty (page 611)
10.2 Barracuda Networks Software License Agreement (page 611)
10.3 Barracuda Networks Energize Updates and Other Subscription Terms (page 613)


1. How to

1.1 How to gather Group Information

Group information is or may be required for the following services:
• FTP - see FTP Gateway, page 369
• URL Filter - see Proxy 3. URL Filter, page 360
• VPN - see VPN, page 211
• Firewall Authentication - see Firewall 10. Firewall Authentication, page 199

The distinguished name containing the group information is needed for external authentication using MSAD and LDAP.

1.1.1 MSAD
Open the management console by selecting > My Network Places > Search Active Directory. Select the domain to search. Enter the name of the user you are searching for and click the Find Now button.
After you have found the user, enable the X500 Distinguished Name column in the view. To do so, select View > Choose columns from the menu, select X500 Distinguished Name and click the Add >> button (figure 231).

Fig. 231 Adding a new column to the view

The search result now displays the Distinguished Name.

Fig. 232 Search result containing group information

1.1.2 LDAP
You may gather distinguished names for the authentication scheme LDAP with an arbitrary LDAP browser. Open this LDAP browser and connect to your domain controller to retrieve the distinguished name (figure 233).

Fig. 233 LDAP browser with marked distinguished name


1.2 How to tune Barracuda NG Firewall for High Performance Environments

1.2.1 General
In certain high load environments where
• over 50.000 concurrent sessions persist or
• more than 5000 new sessions are generated per second
• in combination with a multi gigabit forwarding traffic flow
some tuning may be necessary to achieve an optimal outcome.

Note:
For an optimal result, install Barracuda NG Firewall version 4.0.3 or higher.

1.2.2 Procedures

Note:
These settings should only be made by experts.

1.2.2.1 Interrupt Throttle Rate
If your hardware uses Intel Gigabit NICs, the interrupt rate should be throttled to 10.000 interrupts. Otherwise the kernel tries to fetch packets from the NIC too often, which slows down overall performance. This can be done using the module parameter:

InterruptThrottleRate=10000 for one NIC and
InterruptThrottleRate=10000,10000 for two NICs.

Add as many additional ,10000 parameters as needed to reflect the total number of Intel Gigabit NICs in your system.
Module parameters can be set in Box > Network > Interfaces > Network Interface Cards > Driver Options.

1.2.2.2 Processing Priority for "ksoftirqd"
Under heavy load, some packets cannot be handled via the hardware interrupt and are treated by the ksoftirqd daemon. The default priority is set in a way that other processes are treated with a higher priority than ksoftirqd. To avoid this, run the following command:

renice -19 -p $(ps ax | grep ksoftirqd | grep -v grep | awk '{print $1}')

This will set the priority to -19.
To make this configuration permanent, add the command to a box network Special Needs script (Box > Network > Special Needs) (Configuration Service 2.2.5.11 Special Needs, page 80).

1.2.2.3 NIC Receive Buffers
Increasing the number of receive buffers improves the performance when packet bursts occur.
The default value for Intel Gigabit NICs is 256. It can be shown and increased by running the following commands:

ethtool -g eth3 (Show settings)
ethtool -G eth3 rx 1024 (Set Value)

Note:
This is a per interface setting and has to be applied for each interface.
To make this configuration permanent, add the command to a box network Special Needs script (Box > Network > Special Needs) (Configuration Service 2.2.5.11 Special Needs, page 80).

1.2.2.4 NOATIME Mount
In a default Barracuda NG Firewall installation, file access times are tracked when a file is accessed. This issues a write command even if a file is opened for reading only, and so additional I/O load is created. To avoid this, mount the partitions with the mount option noatime.
Edit the file /etc/fstab and replace the value defaults in the 4th column with noatime for the /, the /boot and the /phion0 partition.

Note:
This modification will not be saved in the PAR file. After a new installation edit the fstab file again.

The partitions should then be defined like in this example:

LABEL=/ / ext3 noatime 1 1
LABEL=/boot /boot ext3 noatime 1 1

This is a permanent setting and will be preserved.

1.2.2.5 ACPF Kernel Timer Mode
This timer is an interruptible kernel thread. This way, for the case of many (more than 3000) concurrent sessions the timer handling is spread in smaller portions which may be interrupted by the packet handling soft-IRQs. The old timer model caused rather long (3 ms) blackout periods for soft-IRQs.
To check if you may take advantage of the new timer, look at the profiling information of the ACPF module:

# cat /proc/net/acpf_prof
Id CPU Usage [%] count time[nsec]
acpf_input 0.0 0 0
acpf_output 0.0 0 0
acpf_timer 0.0 10 6540

Packets In = 19
Bytes In = 18698
Packets Out = 36
Bytes Out = 37288
Drops = 0
Blocks = 0
Sessions = 2
SessionsNum = 9
creation load = 0
lo : 0
pqd0 : 0
tap0 : 0
tap1 : 0
tap2 : 0
tap3 : 0
eth0 : 0

The line acpf_timer displays the time consumed for the sessions to be handled in the time[nsec] column. If the time is longer than one millisecond (= 1000000 ns), you may gain higher performance when you switch to the new timer model.
Run the following commands to switch the timer model:

acpfctrl tune timermode 1 (new model)
acpfctrl tune timermode 0 (old model)

To make this configuration permanent, add the command to a box network Special Needs script (Box > Network > Special Needs) (Configuration Service 2.2.5.11 Special Needs, page 80).

1.2.2.6 Increasing the Routing Cache
If your Barracuda NG Firewall handles traffic from big networks with a large number of IPs on both sides of the forwarding firewall, increase the routing cache to gain higher performance.
Increase the number of Max Routing Cache Entries to 200.000 (Box > Advanced Configuration > System Settings > Routing Cache) (Configuration Service 5.1.1.3 Routing Cache, page 100).

Note:
200000 is a reference value. You may increase it if necessary.

1.2.2.7 Disable CPU Power Savings
To enable highest performance on modern server systems, the CPU power savings need to be turned off. Modify the server's BIOS settings accordingly.

1.2.3 Example
Example for a Special Needs script (Box > Network > Special Needs):

renice -19 -p $(ps ax | grep ksoftirqd | grep -v grep | awk '{print $1}')
ethtool -G port1 rx 1024
ethtool -G port2 rx 1024
ethtool -G port3 rx 1024
ethtool -G port4 rx 1024
acpfctrl tune timermode 1

1.3 How to set up for SCEP

Note:
This documentation covers the configuration and usage of the SCEP protocol within the Barracuda NG Firewall software. Although some configuration steps will be explained on the certificate authority side, the installation and operation of such a server is not part of this documentation.

The goal of SCEP (Simple Certificate Enrollment Protocol) is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible. The protocol supports the following operations:
• CA and RA public key distribution
• Certificate enrollment
• Certificate query
• CRL query

The X.509 certificates retrieved through SCEP can currently be used only for site-to-site VPN. TINA and IPSec both support the use of SCEP certificates.

Note:
More information about the SCEP protocol can be found at http://tools.ietf.org/html/draft-nourse-scep-17.

1.3.1 Configuring SCEP
The following steps are required in order to use SCEP on a Barracuda NG Firewall:
• Configuring the box administrative settings
• Configuring the VPN tunnel settings (with GTI)
• Configuring the VPN tunnel settings (without GTI)

1.3.1.1 Configuring the Box Administrative Settings
• Select Config > Box > Administrative Settings > SCEP > BOX SCEP Settings.
• Set the parameter Enable SCEP to yes.
• Enter the SCEP Settings by clicking on Set or Edit.

See Configuration Service 2.2.3.8 SCEP, page 58 for the description of the available parameters.


1.3.2 Configuring the VPN Tunnels
Once SCEP has been set up properly in the box administrative settings, the VPN tunnels can be configured to use the X.509 certificates retrieved by the SCEP protocol. The use of such certificates is no different from any other certificate. Each tunnel can be configured to use SCEP certificates as an authentication method. This is true for both TINA and IPSec VPN tunnels.

1.3.2.1 Using the GTI

Importing the Root Certificate
First, the root certificate used by the CA for signing the SCEP certificates must be imported into the GTI.
• Right-click the group window of the GTI and select GTI Editor Defaults
• Go to the Root Certificates tab, right-click the main window and import the root certificate(s) via Import PEM from File

Selecting the authentication method
Just like any other VPN tunnel setting, the SCEP authentication method can be set at the GTI level, at any GTI group level, or individually per tunnel, under Identification type.
• TINA tunnel:
  Click on the TINA tab
  Set parameter Accept Identification Type to Box SCEP Certificate (CA signed)
  Click OK
• IPSec tunnel:
  Click on the IPSec tab
  Set parameter Identification Type to Box SCEP Certificate (CA signed)
  Click OK

1.3.2.2 Using the Legacy Method

Importing the root certificate
First, the root certificate used by the CA for signing the SCEP certificates must be imported into the VPN service.
• Go to the desired VPN service in the configuration tree and open the VPN settings configuration window.
• Select the Root Certificates tab, right-click the main window and import the root certificate(s) via Import PEM from File

Selecting the authentication method
For each tunnel configured through the legacy method, the SCEP certificate can be used as authentication method:
• TINA tunnel:
  Click on the Identify tab
  Set parameter Identification Type to Box SCEP Certificate (CA signed)
  Click OK
• IPSec tunnel:
  Click on the Authentication tab
  Set parameter Identification Type to Box SCEP Certificate (CA signed)
  Click OK

1.3.3 Operating SCEP

1.3.3.1 Interactive Functions
Unless the SCEP password policy was set to Enter-Password-at-Box, no further intervention is required for successful operation after SCEP has been correctly configured.
However, Barracuda NG Admin offers a few options to interact with the SCEP subsystem in order to:
• Show SCEP status
• Re-initiate SCEP pending request
• Force SCEP update or retry
• Set the SCEP password

Box SCEP Status
The SCEP status and control menu are available via Control > Box, when connected to the desired Barracuda NG Firewall. For the description of the available commands see Control 2.6.6 Section BOX SCEP Status, page 40.

Files location
The files held by the SCEP subsystem are stored on the gateway in the directory /opt/phion/certs/scep-*

1.4 How to mount USB Flashdisk on Barracuda NG Firewall

1.4.1 Procedure
Enter the following commands:
• mkdir /mnt/usb
• mount /dev/sda1 /mnt/usb

Note:
Depending on the disk controller, the device name differs:
IDE, CCISS: /dev/sda1
SCSI, SAS, SATA, RAID: /dev/sdb1

Now the USB Flashdisk is ready for usage.
Before you remove the USB Flashdisk, enter the following command:
• umount /mnt/usb
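An added example for the tuning checks in 1.2.2.3 and 1.2.2.5 above (written for this edit, not code from the Barracuda guide): it parses ethtool -g output and the /proc/net/acpf_prof listing and prints the Special Needs commands that are still needed, using constructed sample data unless called with --live and interface names. The 1024-entry ring size and the one-millisecond timer threshold are the guide's values; the two-block layout assumed for ethtool's output is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Barracuda guide: audit two tuning points
# from section 1.2 (NIC receive ring size, ACPF timer mode) and print the
# Special Needs commands that are still missing. The script only recommends;
# it changes nothing. The sample inputs below are constructed.

# Target ring size (1.2.2.3) and timer threshold in ns (1.2.2.5), from the guide.
TARGET_RX=1024
ACPF_TIMER_THRESHOLD_NS=1000000

# Constructed sample of `ethtool -g eth3` output with the 256-entry default.
# The two-block layout (maximums, then current settings) is an assumption
# about ethtool's output format.
ETHTOOL_SAMPLE='Ring parameters for eth3:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'

# Constructed sample of /proc/net/acpf_prof with a busy timer (1.86 ms).
ACPF_PROF_SAMPLE='Id CPU Usage [%] count time[nsec]
acpf_input 0.0 0 0
acpf_output 0.0 0 0
acpf_timer 0.3 2200 1860000

Packets In = 19
Drops = 0'

# Read ethtool -g text on stdin, print "<current RX> <maximum RX>".
rx_ring_sizes() {
    awk '/^Pre-set maximums:/          { sect = "max" }
         /^Current hardware settings:/ { sect = "cur" }
         $1 == "RX:" && sect == "max"  { max = $2 }
         $1 == "RX:" && sect == "cur"  { cur = $2 }
         END { print cur + 0, max + 0 }'
}

# Usage: recommend_rx_ring IFNAME ETHTOOL_TEXT
# Prints the ethtool -G command when the ring is below the target, capped
# at the hardware maximum; prints nothing when the target is already met.
recommend_rx_ring() {
    ifname=$1
    set -- $(printf '%s\n' "$2" | rx_ring_sizes)
    cur=$1
    max=$2
    if [ "$max" -le 0 ]; then
        echo "no ring data for $ifname"
        return 0
    fi
    want=$TARGET_RX
    if [ "$want" -gt "$max" ]; then
        want=$max
    fi
    if [ "$cur" -lt "$want" ]; then
        echo "ethtool -G $ifname rx $want"
    fi
}

# Read acpf_prof text on stdin, print the time[nsec] column of the
# acpf_timer row, or -1 when the row is missing.
acpf_timer_ns() {
    awk '$1 == "acpf_timer" { print $4; found = 1 }
         END { if (!found) print -1 }'
}

# Usage: recommend_timer ACPF_PROF_TEXT
# Guide rule: switch to the new timer model when acpf_timer exceeds 1 ms.
recommend_timer() {
    ns=$(printf '%s\n' "$1" | acpf_timer_ns)
    if [ "$ns" -lt 0 ]; then
        echo "acpf_timer row not found"
    elif [ "$ns" -gt "$ACPF_TIMER_THRESHOLD_NS" ]; then
        echo "acpfctrl tune timermode 1"
    else
        echo "acpfctrl tune timermode 0"
    fi
}

# `--live IF...` reads the real data on the gateway; otherwise the samples run.
if [ "${1:-}" = "--live" ]; then
    shift
    for ifname in "$@"; do
        recommend_rx_ring "$ifname" "$(ethtool -g "$ifname" 2>/dev/null)"
    done
    if [ -r /proc/net/acpf_prof ]; then
        recommend_timer "$(cat /proc/net/acpf_prof)"
    fi
else
    recommend_rx_ring eth3 "$ETHTOOL_SAMPLE"
    recommend_timer "$ACPF_PROF_SAMPLE"
fi
```

Run it with `--live port1 port2 ...` on the gateway to get the commands for the box's own interfaces; the printed lines are what the 1.2.3 Special Needs script would contain.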


2. Barracuda NG Firewall Appliances Parameter Defaults

2.1 Barracuda NG Firewall F800

2.1.1 Box > Network

Table 231 Barracuda NG Firewall F800 - Box > Network
Config Node | Config Label | Config Entry | Value
General | Verification | CHECKLESS | 0 (Always)
Devices | Appliance Model | DEVMAP | Barracuda NG Firewall F800
Devices | Network cards > Activate Driver | ACTSTATE | y
Devices | Network cards > Fallback Module Name | AMOD | NONE
Devices | Network cards > Fallback Driver Options | AMODOPTS[] |
Devices | Network cards > Driver Type | BLTIN | module
Devices | Network cards > Fallback Enabled | IFAMOD | n
Devices | Network cards > Operation Mode | MOD | e1000e, ixgbe
Devices | Network cards > Driver Options | MODOPTS[] |
Devices | Network cards > Ethernet MTU | MTU1 | 1500
Devices | Network cards > Number of Devices | NUM |
Devices | Device Usage | [boxnet$zgendeu_OK] | OK

2.2 Barracuda NG Firewall F600

2.2.1 Box > Network

Table 232 Barracuda NG Firewall F600 - Box > Network
Config Node | Config Label | Config Entry | Value
General | Verification | CHECKLESS | 0 (Always)
Devices | Appliance Model | DEVMAP | Barracuda NG Firewall F600
Devices | Network cards > Activate Driver | ACTSTATE | y
Devices | Network cards > Fallback Module Name | AMOD | NONE
Devices | Network cards > Fallback Driver Options | AMODOPTS[] |
Devices | Network cards > Driver Type | BLTIN | module
Devices | Network cards > Fallback Enabled | IFAMOD | n
Devices | Network cards > Operation Mode | MOD | e1000e
Devices | Network cards > Driver Options | MODOPTS[] |
Devices | Network cards > Ethernet MTU | MTU1 | 1500
Devices | Network cards > Number of Devices | NUM |
Devices | Device Usage | [boxnet$zgendeu_OK] | OK
Networks | Devicename | [boxnet$zdev_eth0] | port10
Networks | Devicename | [boxnet$zdev_eth1] | port1
Networks | Devicename | [boxnet$zdev_eth2] | port2
Networks | Devicename | [boxnet$zdev_eth3] | port3
Networks | Devicename | [boxnet$zdev_eth4] | port4
Networks | Devicename | [boxnet$zdev_eth5] | port5
Networks | Devicename | [boxnet$zdev_eth6] | port6
Networks | Devicename | [boxnet$zdev_eth7] | port7
Networks | Devicename | [boxnet$zdev_eth8] | port8
Networks | Devicename | [boxnet$zdev_eth9] | port9

2.3 Barracuda NG Firewall F200

2.3.1 Box > Network

Table 233 Barracuda NG Firewall F200 - Box > Network
Config Node | Config Label | Config Entry | Value
General | Verification | CHECKLESS | 0 (Always)
Devices | Appliance Model | DEVMAP | Barracuda NG Firewall F200
Devices | Network cards > Activate Driver | ACTSTATE | y
Devices | Network cards > Fallback Module Name | AMOD | NONE
Devices | Network cards > Fallback Driver Options | AMODOPTS[] |
Devices | Network cards > Driver Type | BLTIN | module
Devices | Network cards > Fallback Enabled | IFAMOD | n
Devices | Network cards > Operation Mode | MOD | 8139too
Devices | Network cards > Driver Options | MODOPTS[] |
Devices | Network cards > Ethernet MTU | MTU1 | 1500
Devices | Network cards > Number of Devices | NUM |
Devices | Device Usage | [boxnet$zgendeu_OK] | OK
Networks | Devicename | [boxnet$zdev_eth0] | port4
Networks | Devicename | [boxnet$zdev_eth1] | port3
Networks | Devicename | [boxnet$zdev_eth2] | port2
Networks | Devicename | [boxnet$zdev_eth3] | port1

2.4 Barracuda NG Firewall F100

2.4.1 Box > Network

Table 234 Barracuda NG Firewall F100 - Box > Network
Config Node | Config Label | Config Entry | Value
General | Verification | CHECKLESS | 0 (Always)
Devices | Appliance Model | DEVMAP | Barracuda NG Firewall F100
Devices | Network cards > Activate Driver | ACTSTATE | y
Devices | Network cards > Fallback Module Name | AMOD | NONE
Devices | Network cards > Fallback Driver Options | AMODOPTS[] |
Devices | Network cards > Driver Type | BLTIN | module
Devices | Network cards > Fallback Enabled | IFAMOD | n
Devices | Network cards > Operation Mode | MOD | 8139too
Devices | Network cards > Driver Options | MODOPTS[] |
Devices | Network cards > Ethernet MTU | MTU1 | 1500
Devices | Network cards > Number of Devices | NUM |
Devices | Device Usage | [boxnet$zgendeu_OK] | OK
Networks | Devicename | [boxnet$zdev_eth0] | port4
Networks | Devicename | [boxnet$zdev_eth1] | port3
Networks | Devicename | [boxnet$zdev_eth2] | port2
Networks | Devicename | [boxnet$zdev_eth3] | port1


Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

3. Index of Dialog Sections


A
Accepted Ciphers . . . . . 228, 493
Access Cache Settings . . . . . 135
Access Control List . . . . . 54
Access List Configuration . . . . . 388
Access List Filters . . . . . 524
ACCESS NOTIFICATION . . . . . 98
Access Options . . . . . 388
Access Rights Query . . . . . 248
ACL . . . . . 229
ACL Entries . . . . . 345
ACL FileList . . . . . 347
ACTIONS . . . . . 347
ACTIVE LICENSES . . . . . 37
Additional Local Networks . . . . . 62
Address Pool Configuration . . . . . 289
Address Pools . . . . . 290
Admin Restrictions . . . . . 443
Administrative Scope . . . . . 459
Adminstrative Level . . . . . 445
Advanced . . . . . 14, 351, 390
Advanced Access Settings . . . . . 54
Advanced DNS Settings . . . . . 55
Affected Box Logdata . . . . . 116
Affected Service Logdata . . . . . 117
Allowed Host Configuration . . . . . 388
Allowed Relaying . . . . . 266
Application Access Authorization . . . . . 247
Application Tunneling Configuration . . . . . 247
ARP Settings . . . . . 100
Attachment Stripping . . . . . 269
Attributes . . . . . 494
Audit Info Transport . . . . . 138
Audit Information Generation . . . . . 137, 138
Authentication . . . . . 72, 75, 77, 343
Authentication Level . . . . . 39
Authentication Method . . . . . 201
Authentication Pattern . . . . . 201
Auto Logout Setup . . . . . 118
Available Interfaces . . . . . 523
Available Server IPs . . . . . 97
Avira Archive Scanning . . . . . 391
Avira General . . . . . 391
Avira Non-Virus Detection . . . . . 391
Avira Update Settings . . . . . 391

B
Band A . . . . . 89
Band B . . . . . 89
Band C . . . . . 89
Band D . . . . . 89
Band E . . . . . 89
Band F . . . . . 89
Band G . . . . . 89
Bandwidth Protection . . . . . 238
Basic . . . . . 112
Basic DNS Settings . . . . . 55
BASIC OPTIONS . . . . . 299
Basic Options . . . . . 292
Basic Settings . . . . . 341
Basic Setup . . . . . 390
BEHAVIOR . . . . . 371
Bind IPs . . . . . 97
Blacklists . . . . . 270
BOB Settings . . . . . 154
Box Certificate . . . . . 60
Box public key . . . . . 14
BOX SCEP Settings . . . . . 58
BOX SCEP Status . . . . . 40
Bridging . . . . . 149

C
Cache Behaviour . . . . . 342
Certificate . . . . . 220
Certificate Revocation . . . . . 356
Certificate Verification . . . . . 356
Channel Bonding Settings . . . . . 75
ClamAV Archive Scanning . . . . . 392
ClamAV Data Loss Prevention (DLP) . . . . . 393
ClamAV General . . . . . 392
ClamAV Mail Scanning Options . . . . . 392
ClamAV Misc Scanning Options . . . . . 392
ClamAV Phishing Options . . . . . 393
ClamAV Possibly Unwanted Applications (PUA) . . . . . 392
ClamAv Update Settings . . . . . 391
Class Configuration . . . . . 294
Client Description . . . . . 291
Client Group Members . . . . . 291
Client Match & Address Assignment . . . . . 291
Cloning and Archiving . . . . . 267
Common . . . . . 228
Common Settings . . . . . 104, 108, 222
Compression . . . . . 22, 75
Condition . . . . . 88
Configuration Assignment . . . . . 371
Configuration Settings . . . . . 22
Configuration Update Setup . . . . . 437
Confirmed . . . . . 328
Connect by Destination SSL Setup . . . . . 476
Connection Details . . . . . 59, 73, 74
Connection Monitoring . . . . . 67, 73, 74, 76, 78
Connection to MC . . . . . 498
Connection Tracing . . . . . 137, 139
Connection Type Setup . . . . . 476
Console Access . . . . . 106
Contact Info . . . . . 441
Contact Information . . . . . 442
Cook Settings . . . . . 316, 463
Corporate ID . . . . . 244
Counting / Eventing / Audit Trail . . . . . 164
CPU-Load Error Thresholds . . . . . 119
CPU-Load Warning Thresholds . . . . . 119
CRL error handling . . . . . 220
Cryptography . . . . . 22
Custom Ciphers . . . . . 220

D
Data Leak Prevention . . . . . 351
Data Origin . . . . . 475
Data Selection . . . . . 475
Data Tag Policy . . . . . 476
Data Transfer Setup . . . . . 117
Default Mail . . . . . 327
Default Server Certificate . . . . . 219
Default SNMP . . . . . 327
Default User Specific . . . . . 372
Desktop Background . . . . . 22
Destination Address . . . . . 117
Device Configuration . . . . . 220
Device Name . . . . . 62
DNS . . . . . 11, 73
DNS Authentication . . . . . 294
DNS Update Configuration . . . . . 294
DoS Protection . . . . . 271
Dynamic DNS Parameters . . . . . 293
Dynamic Firewall Rule Activation Authorization . . . . . 248
Dynamic Firewall Rules . . . . . 248
Dynamic Network Connections . . . . . 39


E
Encoding Parameters . . . . . 59
entegra Access Control Setup . . . . . 244
entegra Policy Service Options . . . . . 292
Entries in Access Cache . . . . . 272
Entry . . . . . 148, 150
Event Settings . . . . . 272
Eventing Settings . . . . . 137
Excluded Entry . . . . . 148, 150
Expert Settings (use with care) . . . . . 267
Extended Domain Setup . . . . . 264
EXTENDED OPTIONS . . . . . 299
Extended Options . . . . . 292
Extented . . . . . 112
External Group Condition . . . . . 231

F
Failover and Load Balancing . . . . . 154
File Specific Settings . . . . . 104
Flash Appliance Settings . . . . . 101
Free Format OSPF Configuration . . . . . 525
Free Format RIP Configuration . . . . . 525
FW Authentication Server . . . . . 199

G
Garbage Collection . . . . . 100
General . . . . . 152, 458
General IP Settings . . . . . 100
General Service Settings . . . . . 243, 387
General Settings . . . . . 106, 485, 493, 494
General Update Settings . . . . . 390
Generic Application Tunneling Authorization . . . . . 247, 248
Global Domain Parameters . . . . . 263
GLOBAL SETTINGS . . . . . 299
Global Settings . . . . . 316, 463
Graphics . . . . . 497
Grey Listing . . . . . 269
Group Based Assignment . . . . . 291
GUI AS TEXT . . . . . 525

K
Kernel Updates . . . . . 102

L
L2TP Settings . . . . . 223
LAN Rule Policy . . . . . 165
Layer2 Bridging . . . . . 194
LDAP . . . . . 113
LDAP Server . . . . . 485
Lease Contraints . . . . . 293
LEGACY . . . . . 348
License Configuration . . . . . 93
License Values . . . . . 37
Lifetime . . . . . 227
Limits and Operational Settings . . . . . 137
Local Authentication . . . . . 372
Local Domain Settings . . . . . 263
LOCAL PARAMETERS . . . . . 474
Log Configuration . . . . . 119
Log Cycling Actions . . . . . 104
Log Data Tagging . . . . . 117
Log File Rotation and Removal . . . . . 138
Log File Selection . . . . . 104
Log Settings . . . . . 101, 115, 341
Logging . . . . . 371
Login . . . . . 221
Lookup . . . . . 334

M
Mail Gateway Limits . . . . . 271
Mail Lookup . . . . . 112
Main Routing Table . . . . . 68
Management Network . . . . . 62
Management Traffic . . . . . 88
MC Identification . . . . . 436
MC IP Addresses . . . . . 436
MC SSH Access Keys . . . . . 437
Misc . . . . . 271
Misc. Settings . . . . . 341
Miscellaneous . . . . . 164
Miscellaneous Parameters . . . . . 293

H
Monitoring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
HA Monitoring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 118
Monitoring Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
HA Synchronization Setup. . . . . . . . . . . . . . . . . . . . . . . . . 474
Multi Subnet Configuration . . . . . . . . . . . . . . . . . . . . . . . . 290
Header Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Host Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 N
HOST IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
HTML Tag Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Neighbour Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
I Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Network Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
ICMP Echo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Network Interface Configuration . . . . . . . . . . . . . . . 63, 523
ICMP Gateway Monitoring Exemptions . . . . . . . . . . . . . . . 118
Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441, 442 Network Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
NETWORK SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Identification Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
IKE Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
In Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Inbound (traffic received by the device) . . . . . . . . . . . . . . 86
NTP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Installation Mode Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Installation scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Installation-script files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Integrity Check Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333, 335
Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
IP Address & Networking . . . . . . . . . . . . . . . . . . . . . . . . . . 225
IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
IP Prefix List Configuration . . . . . . . . . . . . . . . . . . . . . . . . 524
IP Prefix List Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
IP RANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
IPSec Phase I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
IPSec Phase II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
ISDN Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
ISS Proventia Cascaded Redirector . . . . . . . . . . . . . . . . . 364
ISS Proventia Database Settings . . . . . . . . . . . . . . . . . . . 362
ISS Proventia Deny Message. . . . . . . . . . . . . . . . . . . . . . . 364
ISS Proventia Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . 364
ISS Proventia General Settings. . . . . . . . . . . . . . . . . . . . . 362
ISS Proventia Logging Settings . . . . . . . . . . . . . . . . . . . . 364
ISS Proventia Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
ISS Proventia Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
ISS Proventia Statistics Settings . . . . . . . . . . . . . . . . . . . 365

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


552 | Index of Dialog Sections Appendix

Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

O
OCSP Server . . . . . . . . . . . . 221
OCSP Server Identification . . . . . . . . . . . . 221
ONCRPC Servers / DCERPC Servers . . . . . . . . . . . . 205
ONLINE TESTS . . . . . . . . . . . . 276
Operating System . . . . . . . . . . . . 39
Operation Mode . . . . . . . . . . . . 95
Operation Setup . . . . . . . . . . . . 519
Operational Settings . . . . . . . . . . . . 53, 266
Operational Setup . . . . . . . . . . . . 116, 472
Operative Settings . . . . . . . . . . . . 460
Optimizations . . . . . . . . . . . . 351, 356
Option Section . . . . . . . . . . . . 299
Option Settings . . . . . . . . . . . . 342
Options . . . . . . . . . . . . 313, 315
OSPF Area Configuration . . . . . . . . . . . . 521
OSPF Parameters . . . . . . . . . . . . 523, 524
OSPF Preferences Configuration . . . . . . . . . . . . 519
OSPF Router Configuration . . . . . . . . . . . . 520
OSPF Specific Conditions . . . . . . . . . . . . 524
OSPF Specific Parameters . . . . . . . . . . . . 523
OTHER DESTINATIONS . . . . . . . . . . . . 372
Outbound (traffic being sent over the device) . . . . . . . . . . . . 86
Outlook Web Access Authorization . . . . . . . . . . . . 246

P
Parameters . . . . . . . . . . . . 241
Partner Identification . . . . . . . . . . . . 241
Password and Peer Restriction . . . . . . . . . . . . 225
Password Parameters . . . . . . . . . . . . 459
Peer Condition . . . . . . . . . . . . 231
Performance . . . . . . . . . . . . 119
Phase 1 . . . . . . . . . . . . 240, 494
Phase 1 (default) . . . . . . . . . . . . 227
Phase 2 . . . . . . . . . . . . 227, 240
Phase2 . . . . . . . . . . . . 494
Phibs Authentication Settings . . . . . . . . . . . . 200
PHIBS Specific Authentication Scheme . . . . . . . . . . . . 344
Plain Data Reception . . . . . . . . . . . . 473
Policy Based Routing . . . . . . . . . . . . 69
Policy Definition . . . . . . . . . . . . 88
Policy Service . . . . . . . . . . . . 219
Policy Source Matching . . . . . . . . . . . . 70
Policy Table Contents . . . . . . . . . . . . 70
POP3 Setup . . . . . . . . . . . . 265
PPPOE Connection Details . . . . . . . . . . . . 72
PPTP Connection Details . . . . . . . . . . . . 71
PPTP Settings . . . . . . . . . . . . 223
Preauthentication . . . . . . . . . . . . 230
Protocol Version 1 Options . . . . . . . . . . . . 107
Protocol Version 2 Options . . . . . . . . . . . . 107
PROVENTIA LIMIT HANDLING . . . . . . . . . . . . 365
Proxy . . . . . . . . . . . . 221, 222, 391
PUBLIC KEYS . . . . . . . . . . . . 24

Q
Quarantine Bridging . . . . . . . . . . . . 195
Quarantine Class 1 Rule Policy . . . . . . . . . . . . 165
Quarantine Class 2 Rule Policy . . . . . . . . . . . . 165
Quarantine Class 3 Rule Policy . . . . . . . . . . . . 165
Quarantine Policy . . . . . . . . . . . . 165

R
RAM Partition . . . . . . . . . . . . 101
Recorded Conditions . . . . . . . . . . . . 138
Redirector Settings . . . . . . . . . . . . 351, 362
Registry Entry . . . . . . . . . . . . 232
Relay Streams . . . . . . . . . . . . 477
Relaying Setup . . . . . . . . . . . . 475
Release Check . . . . . . . . . . . . 108
Remote Execution Setup . . . . . . . . . . . . 437
Remote Management Tunnel . . . . . . . . . . . . 66
Reporting . . . . . . . . . . . . 390
Resource Protection . . . . . . . . . . . . 164
RIP Parameters . . . . . . . . . . . . 523
RIP Preferences Configuration . . . . . . . . . . . . 522
RIP Router Configuration . . . . . . . . . . . . 521
RIP SETTINGS . . . . . . . . . . . . 520
RIP Specific Conditions . . . . . . . . . . . . 524
RIP Specific Parameters . . . . . . . . . . . . 523
Role Name . . . . . . . . . . . . 438
Root Login . . . . . . . . . . . . 13
Root Password . . . . . . . . . . . . 54
Route Map Configuration . . . . . . . . . . . . 524
Route Map Filters . . . . . . . . . . . . 524
Router Distribution Configuration . . . . . . . . . . . . 521, 522
Routing . . . . . . . . . . . . 72, 74, 76, 78
Routing Cache Settings . . . . . . . . . . . . 100
RPC Settings . . . . . . . . . . . . 205
Rule Mismatch Policy . . . . . . . . . . . . 163
Rule Settings . . . . . . . . . . . . 165
RULES . . . . . . . . . . . . 277


S
Scanner Location . . . . . . . . . . . . 396
SCEP HTTP Proxy Settings . . . . . . . . . . . . 59
SCEP HTTP Server Authentication . . . . . . . . . . . . 59
SCEP Server . . . . . . . . . . . . 58
SCEP X509 Request . . . . . . . . . . . . 59
SCEP X509 Request Password . . . . . . . . . . . . 59
Security . . . . . . . . . . . . 334, 335
Security Options . . . . . . . . . . . . 388
Serial Access . . . . . . . . . . . . 54
Serial Console . . . . . . . . . . . . 67
Server . . . . . . . . . . . . 230
Server Configuration . . . . . . . . . . . . 219
Server Scripts . . . . . . . . . . . . 96
Server Specific Firewall Settings . . . . . . . . . . . . 139
SERVER STATUS . . . . . . . . . . . . 29
Server/Service . . . . . . . . . . . . 494
Service Availability . . . . . . . . . . . . 289
Service Definition . . . . . . . . . . . . 97
Service Identification . . . . . . . . . . . . 244, 387
Service Password . . . . . . . . . . . . 54
SERVICE STATUS . . . . . . . . . . . . 29
Session Limits and Memory Settings . . . . . . . . . . . . 135
Session Password Setup . . . . . . . . . . . . 119
Shared Interface Configuration . . . . . . . . . . . . 523
Show Short/Long Date . . . . . . . . . . . . 22
SNMP . . . . . . . . . . . . 343
Software Packages . . . . . . . . . . . . 13
Spam Detection . . . . . . . . . . . . 269
Spamfilter Settings . . . . . . . . . . . . 276
SPECIAL CLIENTS . . . . . . . . . . . . 299
SPECIAL DESTINATIONS . . . . . . . . . . . . 372
Special Destinations . . . . . . . . . . . . 371
Specific Settings . . . . . . . . . . . . 441, 442
SSH Colours . . . . . . . . . . . . 22
SSH KEYS . . . . . . . . . . . . 24
SSH Private Key . . . . . . . . . . . . 60
SSL Client Authentication . . . . . . . . . . . . 474
SSL Settings . . . . . . . . . . . . 355
SSL Tunnel Configuration . . . . . . . . . . . . 248
Statistic Cooking . . . . . . . . . . . . 316
Statistic Settings . . . . . . . . . . . . 272
Statistics Cooking . . . . . . . . . . . . 463
Statistics Settings . . . . . . . . . . . . 97
Status Map Setup . . . . . . . . . . . . 437
Stream Configuration . . . . . . . . . . . . 118
Stream to Destination Setup . . . . . . . . . . . . 476
Streaming Settings . . . . . . . . . . . . 393
SUBNET SETTINGS . . . . . . . . . . . . 289
System . . . . . . . . . . . . 22
System Identification & Authentication . . . . . . . . . . . . 116

T
TCP & UDP . . . . . . . . . . . . 152
TCP Policy . . . . . . . . . . . . 163
Template Description . . . . . . . . . . . . 292, 293
TEST CONNECTION . . . . . . . . . . . . 172
TEST RESULT . . . . . . . . . . . . 173
TI Traffic Prioritization . . . . . . . . . . . . 237
TI Transport Classification . . . . . . . . . . . . 236
TI Transport Selection . . . . . . . . . . . . 237
Time . . . . . . . . . . . . 328
Time Control . . . . . . . . . . . . 39
Time Interval . . . . . . . . . . . . 314
Time Restrictions . . . . . . . . . . . . 372
TIME SETTINGS . . . . . . . . . . . . 363
Time Settings . . . . . . . . . . . . 56
Timeout Settings . . . . . . . . . . . . 115
Timeouts . . . . . . . . . . . . 22
Top Level Logdata . . . . . . . . . . . . 116
Top List . . . . . . . . . . . . 315
TRAINING OPTIONS . . . . . . . . . . . . 277
Transparent Agent Access Authorization . . . . . . . . . . . . 245
Trust Chain Configuration . . . . . . . . . . . . 437
Tuning Parameters . . . . . . . . . . . . 473
Tunnel Configuration . . . . . . . . . . . . 79
Tunnel Details . . . . . . . . . . . . 67
Tunnels . . . . . . . . . . . . 494
Type Time . . . . . . . . . . . . 316, 464
Type Top . . . . . . . . . . . . 317, 464

U
UMTS (3G) Setup . . . . . . . . . . . . 77
UMTS Connection Details . . . . . . . . . . . . 77
URI . . . . . . . . . . . . 221
Usage . . . . . . . . . . . . 220
USER AUTHENTICATION . . . . . . . . . . . . 267
User Authentication . . . . . . . . . . . . 244, 387
User Scripts . . . . . . . . . . . . 80
User Session Handling . . . . . . . . . . . . 387

V
VERSION STATUS . . . . . . . . . . . . 37
Virtual LAN Configuration . . . . . . . . . . . . 65
Virtual Server Definition . . . . . . . . . . . . 95, 96
Virtual Server Identity . . . . . . . . . . . . 96
Virtual Server IP Addresses . . . . . . . . . . . . 95
Virtual Server/GTI Networks . . . . . . . . . . . . 96
Virus Protection . . . . . . . . . . . . 269, 396
Virus Scanner . . . . . . . . . . . . 351, 393
Virus Scanning . . . . . . . . . . . . 371
Volumes . . . . . . . . . . . . 12
VPN Envelope Policy . . . . . . . . . . . . 238, 493
VPN Traffic Intelligence (TI) Settings . . . . . . . . . . . . 154
VPN User Pattern . . . . . . . . . . . . 201
VPN World Settings . . . . . . . . . . . . 53
VPN World Setup . . . . . . . . . . . . 437

W
Watchdog Monitored Entities . . . . . . . . . . . . 111
Watchdog Operational Setup . . . . . . . . . . . . 110
Watchdog Repair Policy . . . . . . . . . . . . 110
Web Resource Access Authorization . . . . . . . . . . . . 246
Web Resource Configuration . . . . . . . . . . . . 246
WebDAV Resource Access Authorization . . . . . . . . . . . . 247
WebDAV Resource Configuration . . . . . . . . . . . . 247
WHITE/BLACK LISTS . . . . . . . . . . . . 276

X
X509 Certificate Conditions . . . . . . . . . . . . 231
X509 Certificate Pattern . . . . . . . . . . . . 201
X509 Client Security . . . . . . . . . . . . 229
xDSL Setup . . . . . . . . . . . . 70


4. Index of Dialog Tabs


A
Accepted Ciphers [Barracuda NG Control Center] . . . . . . . . . . . . 493
ACCESS [Configuration Service] . . . . . . . . . . . . 91
Access [Firewall] . . . . . . . . . . . . 182,
    [VPN] . . . . . . . . . . . . 253,
    [Mail Gateway] . . . . . . . . . . . . 281
Access Control [Proxy] . . . . . . . . . . . . 343,
    [Proxy] . . . . . . . . . . . . 344
Access Limitations [Configuration Service] . . . . . . . . . . . . 58
Access Lists [SSH Gateway] . . . . . . . . . . . . 388
Account Description [Configuration Service] . . . . . . . . . . . . 91
Active [VPN] . . . . . . . . . . . . 252
Active Certificate [VPN] . . . . . . . . . . . . 226
Additional Schemes [Configuration Service] . . . . . . . . . . . . 115
Admin & MC Settings [Getting Started] . . . . . . . . . . . . 23
Administrative Sessions [Configuration Service] . . . . . . . . . . . . 118
Administrator [Barracuda NG Control Center] . . . . . . . . . . . . 458
Administrator Access Control [Configuration Service] . . . . . . . . . . . . 92
Administrator Authorization [Configuration Service] . . . . . . . . . . . . 91
Admins [Barracuda NG Control Center] . . . . . . . . . . . . 458
Advanced [Proxy] . . . . . . . . . . . . 351,
    [Barracuda NG Control Center] . . . . . . . . . . . . 495
Advanced Setup [Mail Gateway] . . . . . . . . . . . . 266
Advanced System Access [Configuration Service] . . . . . . . . . . . . 54
AFS-Database (AFSDB) [DNS] . . . . . . . . . . . . 338
Alias (CNAME) [DNS] . . . . . . . . . . . . 338
Archive Scanning [Anti-Virus] . . . . . . . . . . . . 391
ARP Settings [Configuration Service] . . . . . . . . . . . . 100
ARPs [Control] . . . . . . . . . . . . 32
Attachments [Mail Gateway] . . . . . . . . . . . . 282
Audit and Reporting [Firewall] . . . . . . . . . . . . 137
Authentication [Firewall] . . . . . . . . . . . . 139,
    [VPN] . . . . . . . . . . . . 241,
    [FTP Gateway] . . . . . . . . . . . . 372
Authentication & Login [SSH Gateway] . . . . . . . . . . . . 387
AuthUser [Firewall] . . . . . . . . . . . . 185

B
Base configuration [VPN] . . . . . . . . . . . . 240
Basic [Eventing] . . . . . . . . . . . . 327
Basic Setup [Configuration Service] . . . . . . . . . . . . 116,
    [Mail Gateway] . . . . . . . . . . . . 262,
    [Anti-Virus] . . . . . . . . . . . . 390,
    [Barracuda NG Control Center] . . . . . . . . . . . . 472
Basics [Barracuda NG Control Center] . . . . . . . . . . . . 495
Box [Control] . . . . . . . . . . . . 38,
    [Barracuda NG Control Center] . . . . . . . . . . . . 456
Box Execution [Barracuda NG Control Center] . . . . . . . . . . . . 426
Boxes [Getting Started] . . . . . . . . . . . . 21,
    [Barracuda NG Control Center] . . . . . . . . . . . . 427
Bridging [Firewall] . . . . . . . . . . . . 139
Bridging ARPs [Firewall] . . . . . . . . . . . . 186

C
Cache Filter [Firewall] . . . . . . . . . . . . 183
Cache Selection [Firewall] . . . . . . . . . . . . 182
Cascaded Redirector [Proxy] . . . . . . . . . . . . 364
Certificate details [VPN] . . . . . . . . . . . . 220
Certificate revocation [VPN] . . . . . . . . . . . . 220
CERTIFICATES [Barracuda NG Control Center] . . . . . . . . . . . . 437
Certificates & Private Keys [Getting Started] . . . . . . . . . . . . 23
Classes [DHCP] . . . . . . . . . . . . 294
Client [Getting Started] . . . . . . . . . . . . 22
Client Action [Eventing] . . . . . . . . . . . . 326
Client to Site [VPN] . . . . . . . . . . . . 252
Cluster [Barracuda NG Control Center] . . . . . . . . . . . . 456
Command Codes [Configuration Service] . . . . . . . . . . . . 58
Common [VPN] . . . . . . . . . . . . 228
Configuration Updates [Barracuda NG Control Center] . . . . . . . . . . . . 423
Connections [Firewall] . . . . . . . . . . . . 153
Content Filter [Mail Gateway] . . . . . . . . . . . . 269
Content Inspection [Proxy] . . . . . . . . . . . . 351
CPU-Load Monitoring [Configuration Service] . . . . . . . . . . . . 119

D
Default Permissions [SSH Gateway] . . . . . . . . . . . . 388
Deny Message [Proxy] . . . . . . . . . . . . 364
Details [Barracuda NG Control Center] . . . . . . . . . . . . 459
DHCP Option Templates [DHCP] . . . . . . . . . . . . 292
DNS [Configuration Service] . . . . . . . . . . . . 55
Dynamic [Firewall] . . . . . . . . . . . . 185
Dynamic DNS [DHCP] . . . . . . . . . . . . 294
Dynamic Rules [Firewall] . . . . . . . . . . . . 185
Dynamic Services [Firewall] . . . . . . . . . . . . 186

E
Events [Eventing] . . . . . . . . . . . . 322
EXCEPTIONS [Proxy] . . . . . . . . . . . . 364
Explicit Groups [Configuration Service] . . . . . . . . . . . . 115
Extended Domain Setup [Mail Gateway] . . . . . . . . . . . . 263
External CA [VPN] . . . . . . . . . . . . 227

F
Favourites [Barracuda NG Control Center] . . . . . . . . . . . . 422
File Updates [Barracuda NG Control Center] . . . . . . . . . . . . 424
Filter Settings [Proxy] . . . . . . . . . . . . 363
Filter Setup [OSPF and RIP] . . . . . . . . . . . . 524
FILTERS [Configuration Service] . . . . . . . . . . . . 116
Firewall [Firewall] . . . . . . . . . . . . 139

G
GENERAL [Configuration Service] . . . . . . . . . . . . 105,
    [DHCP] . . . . . . . . . . . . 289,
    [Barracuda NG Control Center] . . . . . . . . . . . . 437,
    [Barracuda NG Control Center] . . . . . . . . . . . . 438
General [Configuration Service] . . . . . . . . . . . . 95,
    [VPN] . . . . . . . . . . . . 222,
    [DNS] . . . . . . . . . . . . 334,
    [Proxy] . . . . . . . . . . . . 341,
    [SSH Gateway] . . . . . . . . . . . . 387
General Settings [Barracuda NG Control Center] . . . . . . . . . . . . 486
Global Limits [Firewall] . . . . . . . . . . . . 134
Grey Listing [Mail Gateway] . . . . . . . . . . . . 283
GTI Networks [Configuration Service] . . . . . . . . . . . . 96
GUI as Text [DHCP] . . . . . . . . . . . . 294,
    [OSPF and RIP] . . . . . . . . . . . . 525

H
H.323 [Firewall] . . . . . . . . . . . . 139
HA Synchronization [Barracuda NG Control Center] . . . . . . . . . . . . 474
Host (A) [DNS] . . . . . . . . . . . . 336,
    [DNS] . . . . . . . . . . . . 338
Host Information (HINFO) [DNS] . . . . . . . . . . . . 337,
    [DNS] . . . . . . . . . . . . 338

I
I/O Settings [Configuration Service] . . . . . . . . . . . . 101
ICMP [Firewall] . . . . . . . . . . . . 167
Identification [Barracuda NG Control Center] . . . . . . . . . . . . 436
Identify [VPN] . . . . . . . . . . . . 234
IDENTITY [Configuration Service] . . . . . . . . . . . . 96
Inbound [Firewall] . . . . . . . . . . . . 171
Inbound-User [Firewall] . . . . . . . . . . . . 171
Interface Groups [Firewall] . . . . . . . . . . . . 158
Interface/IPs [Control] . . . . . . . . . . . . 30
Interfaces [Control] . . . . . . . . . . . . 31,
    [Configuration Service] . . . . . . . . . . . . 63
IP Tunneling [Configuration Service] . . . . . . . . . . . . 79
IPs [Control] . . . . . . . . . . . . 31
IPSec [VPN] . . . . . . . . . . . . 227,
    [Barracuda NG Control Center] . . . . . . . . . . . . 494
IPv4 Settings [Configuration Service] . . . . . . . . . . . . 100
IPv6-Host (AAAA) [DNS] . . . . . . . . . . . . 338
ISDN [DNS] . . . . . . . . . . . . 338

K
Known Clients [DHCP] . . . . . . . . . . . . 291

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Appendix Index of Dialog Tabs | 555

Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

L
L2TP/IPSEC [VPN] . . . . . . . . . . . . . . . . . . . 222
LDAP [Configuration Service] . . . . . . . . . . . . . . . . . . . 113
Licenses [Control] . . . . . . . . . . . . . . . . . . . 37
Limit Handling [Proxy] . . . . . . . . . . . . . . . . . . . 365
Limits [Mail Gateway] . . . . . . . . . . . . . . . . . . . 271
Local Networks [VPN] . . . . . . . . . . . . . . . . . . . 235
Local Storage [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 474
Logdata Streams [Configuration Service] . . . . . . . . . . . . . . . . . . . 118
Logging [Proxy] . . . . . . . . . . . . . . . . . . . 364
Logstream Destinations [Configuration Service] . . . . . . . . . . . . . . . . . . . 117
M
Mail Queue [Mail Gateway] . . . . . . . . . . . . . . . . . . . 279
Mail Rename (MR) [DNS] . . . . . . . . . . . . . . . . . . . 338
Mailbox (MB) [DNS] . . . . . . . . . . . . . . . . . . . 338
Mailbox information (MINFO) [DNS] . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . 338
Mail-Exchanger (MX) [DNS] . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . 338
Mailgroup (MG) [DNS] . . . . . . . . . . . . . . . . . . . 338
Main Rules [Firewall] . . . . . . . . . . . . . . . . . . . 170
Mainboard [Control] . . . . . . . . . . . . . . . . . . . 40
MC [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 420
Messages [VPN] . . . . . . . . . . . . . . . . . . . 232
Monitoring [Configuration Service] . . . . . . . . . . . . . . . . . . . 95
Monitoring Setup [Configuration Service] . . . . . . . . . . . . . . . . . . . 118
MSAD [Configuration Service] . . . . . . . . . . . . . . . . . . . 111
MS-CHAP [Configuration Service] . . . . . . . . . . . . . . . . . . . 112
MSNT [Configuration Service] . . . . . . . . . . . . . . . . . . . 115
N
Nameserver (NS) [DNS] . . . . . . . . . . . . . . . . . . . 336,
[DNS] . . . . . . . . . . . . . . . . . . . 338
Neighbor Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 523
Network [Control] . . . . . . . . . . . . . . . . . . . 30,
[Proxy] . . . . . . . . . . . . . . . . . . . 341
Network Interfaces [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 523
Network Routes [Configuration Service] . . . . . . . . . . . . . . . . . . . 68
Networks [Configuration Service] . . . . . . . . . . . . . . . . . . . 61,
[Firewall] . . . . . . . . . . . . . . . . . . . 148
Notification [Eventing] . . . . . . . . . . . . . . . . . . . 324
O
Objects [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 427
Obsolete Certificate [VPN] . . . . . . . . . . . . . . . . . . . 226
OCSP [Configuration Service] . . . . . . . . . . . . . . . . . . . 115,
[VPN] . . . . . . . . . . . . . . . . . . . 221
Offline FW [VPN] . . . . . . . . . . . . . . . . . . . 232
Operational [Firewall] . . . . . . . . . . . . . . . . . . . 136
Operational Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 519
OSPF [Control] . . . . . . . . . . . . . . . . . . . 32
OSPF Area Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 521
OSPF Preferences [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 519
OSPF Router Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 520
Outbound [Firewall] . . . . . . . . . . . . . . . . . . . 171
Outbound-User [Firewall] . . . . . . . . . . . . . . . . . . . 171
P
Page 1 [Eventing] . . . . . . . . . . . . . . . . . . . 328
Page 2 [Eventing] . . . . . . . . . . . . . . . . . . . 328
Parameter [VPN] . . . . . . . . . . . . . . . . . . . 235
Parameter Templates [VPN] . . . . . . . . . . . . . . . . . . . 235
Parameters [DHCP] . . . . . . . . . . . . . . . . . . . 293
Partner [VPN] . . . . . . . . . . . . . . . . . . . 234
Partner Networks [VPN] . . . . . . . . . . . . . . . . . . . 235
Permission Profiles [SSH Gateway] . . . . . . . . . . . . . . . . . . . 388
Personal Networks [VPN] . . . . . . . . . . . . . . . . . . . 218
Phibs [Firewall] . . . . . . . . . . . . . . . . . . . 139
Phion [VPN] . . . . . . . . . . . . . . . . . . . 228
Phion VPN CA [VPN] . . . . . . . . . . . . . . . . . . . 224
Pictures [VPN] . . . . . . . . . . . . . . . . . . . 232
Pointer (PTR) [DNS] . . . . . . . . . . . . . . . . . . . 338
Policy [VPN] . . . . . . . . . . . . . . . . . . . 229
Pool Licenses [VPN] . . . . . . . . . . . . . . . . . . . 224
POP3 Setup [Mail Gateway] . . . . . . . . . . . . . . . . . . . 265
PPTP [VPN] . . . . . . . . . . . . . . . . . . . 223
Processes [Control] . . . . . . . . . . . . . . . . . . . 36,
[Mail Gateway] . . . . . . . . . . . . . . . . . . . 282
Protected IPs [Firewall] . . . . . . . . . . . . . . . . . . . 186
Proxy ARPs [Control] . . . . . . . . . . . . . . . . . . . 32,
[Firewall] . . . . . . . . . . . . . . . . . . . 158
Public Host Keys [Getting Started] . . . . . . . . . . . . . . . . . . . 24
R
RADIUS [Configuration Service] . . . . . . . . . . . . . . . . . . . 114
Range [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 456
RCS Setup [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 437
Redirect Availability [Firewall] . . . . . . . . . . . . . . . . . . . 186
Registry [VPN] . . . . . . . . . . . . . . . . . . . 232
Relay Destinations [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 476
Relay Filters [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 475
Relay Streams [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 477
Relaying Setup [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 475
Reporting [Mail Gateway] . . . . . . . . . . . . . . . . . . . 272
Resources [Control] . . . . . . . . . . . . . . . . . . . 36
Responsible Person (RP) [DNS] . . . . . . . . . . . . . . . . . . . 338
RIP Preferences [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 522
RIP Router Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 521
Root Certificates [VPN] . . . . . . . . . . . . . . . . . . . 220,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 492
Route (RT) [DNS] . . . . . . . . . . . . . . . . . . . 338
Routing Cache [Configuration Service] . . . . . . . . . . . . . . . . . . . 100
RPC [Firewall] . . . . . . . . . . . . . . . . . . . 139
RSA-ACE [Configuration Service] . . . . . . . . . . . . . . . . . . . 114
Rule Tester [Firewall] . . . . . . . . . . . . . . . . . . . 172
Rules [Firewall] . . . . . . . . . . . . . . . . . . . 143,
[VPN] . . . . . . . . . . . . . . . . . . . 229
S
Scanner Versions [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 429
Scanning Options [Anti-Virus] . . . . . . . . . . . . . . . . . . . 391
SCEP [Configuration Service] . . . . . . . . . . . . . . . . . . . 58
Scripts [Configuration Service] . . . . . . . . . . . . . . . . . . . 96,
[VPN] . . . . . . . . . . . . . . . . . . . 235
Server [Control] . . . . . . . . . . . . . . . . . . . 29,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 456
Server Action [Eventing] . . . . . . . . . . . . . . . . . . . 325
Server Certificates [VPN] . . . . . . . . . . . . . . . . . . . 221
Server Key/Settings [VPN] . . . . . . . . . . . . . . . . . . . 219
Server/Service Settings [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 495
Service [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 456
Service or Server (SRV) [DNS] . . . . . . . . . . . . . . . . . . . 338
Services [Firewall] . . . . . . . . . . . . . . . . . . . 151
Session Limits [Firewall] . . . . . . . . . . . . . . . . . . . 135
Sessions [Control] . . . . . . . . . . . . . . . . . . . 40,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 424
Settings [FTP Gateway] . . . . . . . . . . . . . . . . . . . 371
Severity [Eventing] . . . . . . . . . . . . . . . . . . . 323
SIP [Firewall] . . . . . . . . . . . . . . . . . . . 139,
[Firewall] . . . . . . . . . . . . . . . . . . . 186
Site to Site [VPN] . . . . . . . . . . . . . . . . . . . 252
SMS Control [Configuration Service] . . . . . . . . . . . . . . . . . . . 57
SMS Control Settings [Configuration Service] . . . . . . . . . . . . . . . . . . . 58
Spam [Mail Gateway] . . . . . . . . . . . . . . . . . . . 281
Special Needs [Configuration Service] . . . . . . . . . . . . . . . . . . . 80
SSL [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 473
Start of authority (SOA) [DNS] . . . . . . . . . . . . . . . . . . . 335
STATISTICS [Proxy] . . . . . . . . . . . . . . . . . . . 365
Statistics [Control] . . . . . . . . . . . . . . . . . . . 32
Statistics Collection [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 425
Statistics Cooking [Statistics] . . . . . . . . . . . . . . . . . . . 316
Status [Firewall] . . . . . . . . . . . . . . . . . . . 178,
[VPN] . . . . . . . . . . . . . . . . . . . 252
Status Filter [Firewall] . . . . . . . . . . . . . . . . . . . 179,
[VPN] . . . . . . . . . . . . . . . . . . . 252
Status Map [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 421
Subject [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 487
SUBNETS [DHCP] . . . . . . . . . . . . . . . . . . . 289
System Access (Basic View) [Configuration Service] . . . . . . . . . . . . . . . . . . . 54

T
Templates [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Test Report [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Text (TXT) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Text Based Configuration [DHCP]. . . . . . . . . . . . . . . . . . . . . . 294,
[OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Thresholds [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
TI [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
TI - Bandwidth Protection [Barracuda NG Control Center] 495
TI - VPN Envelope Policy [Barracuda NG Control Center] . 495
Time Objects [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
TIME/NTP [Configuration Service] . . . . . . . . . . . . . . . . . . . . . 56
TINA [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 493
TINA Tunnels [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Traffic Selection [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Type 1 Admin [Barracuda NG Control Center] . . . . . . . . . . . 438
Type 3 Admin [Barracuda NG Control Center] . . . . . . . . . . . 438
TYPE1 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 438
TYPE2 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105
TYPE3 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105
U
UMTS [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . . 77
User Authorization [SSH Gateway] . . . . . . . . . . . . . . . . . . . . 388
User Groups [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
User List [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Userspecific [FTP Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
V
V3 Extensions [Barracuda NG Control Center] . . . . . . . . . . 487
Virtual LANs [Configuration Service]. . . . . . . . . . . . . . . . . . . 65
VPN FW [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
VPN GTI Settings [Barracuda NG Control Center] . . . . . . . . 495
VPN Selection [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
VPN Service [Barracuda NG Control Center] . . . . . . . . . . . . 494
VPN Settings [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
W
Well-Known Services (WKS) [DNS] . . . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
WWW [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
X
X25 (X25) [DNS]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
xDSL/ISDN/DHCP [Configuration Service] . . . . . . . . . . . . . . 70

Appendix Parameter List Directory | 557

5. Parameter List Directory


1 Getting Started
List 1-1 Configuring Installation Settings with Barracuda NG Installer . . . . . . . . . . . . . . . . . . . 10
List 1-2 Configuring System Settings with Barracuda NG Installer . . . . . . . . . . . . . . . . . . . 11
List 1-3 Configuring System Settings with Barracuda NG Installer section DNS . . . . . . . . . . . . . . . . . . . 11
List 1-4 Configuring System Settings with Barracuda NG Installer section Network Time Protocol . . . . . . . . . . . . . . . . . . . 11
List 1-5 Configuring Partition Settings with Barracuda NG Installer . . . . . . . . . . . . . . . . . . . 12
List 1-6 NIC Adapter configuration parameters . . . . . . . . . . . . . . . . . . . 13
List 1-7 Configuring Security Settings with Barracuda NG Installer . . . . . . . . . . . . . . . . . . . 13
List 1-8 Configuring Security Settings with Barracuda NG Installer section Root Login . . . . . . . . . . . . . . . . . . . 13
List 1-9 Configuring Security Settings with Barracuda NG Installer section Login . . . . . . . . . . . . . . . . . . . 13
List 1-10 Configuring Software Packages with Barracuda NG Installer section Software Packages . . . . . . . . . . . . . . . . . . . 13
List 1-12 Configuring Script Settings with Barracuda NG Installer section Installation scripts . . . . . . . . . . . . . . . . . . . 14
List 1-13 Configuring Script Settings with Barracuda NG Installer section Installation-script files . . . . . . . . . . . . . . . . . . . 14
List 1-14 Configuring Script Settings with Barracuda NG Installer section Box public key . . . . . . . . . . . . . . . . . . . 14
List 1-11 Configuring Software Packages with Barracuda NG Installer section Advanced . . . . . . . . . . . . . . . . . . . 14
List 1-15 Configuring USB Stick Settings with Barracuda NG Installer section Installation Mode Settings (1) . . . . . . . . . . . . . . . . . . . 14
List 1-16 Configuring USB Stick Settings with Barracuda NG Installer section Installation Mode Settings (2) . . . . . . . . . . . . . . . . . . . 15
List 1-17 Configuring Barracuda NG Admin settings - Client tab section Compression . . . . . . . . . . . . . . . . . . . 22
List 1-18 Configuring Barracuda NG Admin settings - Client tab section Cryptography . . . . . . . . . . . . . . . . . . . 22
List 1-19 Configuring Barracuda NG Admin settings - Client tab section Timeouts . . . . . . . . . . . . . . . . . . . 22
List 1-20 Configuring Barracuda NG Admin settings - Client tab section System . . . . . . . . . . . . . . . . . . . 22
List 1-21 Configuring Barracuda NG Admin settings - Client tab section Show Short/Long Date . . . . . . . . . . . . . . . . . . . 22
List 1-22 Configuring Barracuda NG Admin settings - Client tab section Configuration Settings . . . . . . . . . . . . . . . . . . . 22
List 1-23 Configuring Barracuda NG Admin settings - Client tab section Desktop Background . . . . . . . . . . . . . . . . . . . 22
List 1-24 Configuring Barracuda NG Admin settings - Client tab section SSH Colors . . . . . . . . . . . . . . . . . . . 22
List 1-25 Configuring Advanced Cryptographic API Settings . . . . . . . . . . . . . . . . . . . 23
List 1-26 Configuring Advanced Cryptographic API Settings section Store Parameters . . . . . . . . . . . . . . . . . . . 23

2 Control
List 2-1 Types of network activation . . . . . . . . . . . . . . . . . . . 38

3 Configuration Service
List 3-1 Box Config section Identification Settings . . . . . . . . . . . . . . . . . . . 52
List 3-2 Box Config section Operational Settings . . . . . . . . . . . . . . . . . . . 53
List 3-3 Box Config section Barracuda NG Earth Settings . . . . . . . . . . . . . . . . . . . 53
List 3-4 Administrative Settings - System Access section Root Password . . . . . . . . . . . . . . . . . . . 54
List 3-5 Administrative Settings - System Access section Service Password . . . . . . . . . . . . . . . . . . . 54
List 3-6 Administrative Settings - System Access section Access Control List . . . . . . . . . . . . . . . . . . . 54
List 3-7 Administrative Settings - System Access section Serial Access . . . . . . . . . . . . . . . . . . . 54
List 3-8 Administrative Settings section Advanced Access Settings . . . . . . . . . . . . . . . . . . . 54
List 3-9 Administrative Settings - DNS section Basic DNS Settings . . . . . . . . . . . . . . . . . . . 55
List 3-10 Administrative Settings - DNS section Advanced DNS Settings . . . . . . . . . . . . . . . . . . . 55
List 3-11 Administrative Settings - Caching DNS Service section Advanced DNS Settings . . . . . . . . . . . . . . . . . . . 55
List 3-12 Administrative Settings - TIME/NTPs section Time Settings . . . . . . . . . . . . . . . . . . . 56
List 3-13 Administrative Settings - TIME/NTPs section NTP Settings . . . . . . . . . . . . . . . . . . . 56
List 3-14 Administrative Settings - SMS Control section SMS Control Settings . . . . . . . . . . . . . . . . . . . 58
List 3-15 Administrative Settings - SMS Control section Access Limitations . . . . . . . . . . . . . . . . . . . 58
List 3-16 Administrative Settings - SMS Control section Command Codes . . . . . . . . . . . . . . . . . . . 58
List 3-17 Administrative Settings - SCEP section BOX SCEP Settings . . . . . . . . . . . . . . . . . . . 58
List 3-18 Administrative Settings - SCEP - SCEP Settings section SCEP Server . . . . . . . . . . . . . . . . . . . 58
List 3-19 Administrative Settings - SCEP - SCEP Settings section SCEP Server section SCEP HTTP Server Authentication . . . . . . . . . . . . . . . . . . . 59
List 3-20 Administrative Settings - SCEP - SCEP Settings section SCEP X509 Request . . . . . . . . . . . . . . . . . . . 59
List 3-21 Administrative Settings - SCEP - SCEP Settings section SCEP X509 Request Password . . . . . . . . . . . . . . . . . . . 59
List 3-22 Administrative Settings - SCEP - SCEP Settings section Connection Details . . . . . . . . . . . . . . . . . . . 59
List 3-23 Administrative Settings - SCEP - SCEP Settings section Connection Details section SCEP HTTP Proxy Settings . . . . . . . . . . . . . . . . . . . 59
List 3-24 Administrative Settings - SCEP - SCEP Settings section Encoding Parameters . . . . . . . . . . . . . . . . . . . 59
List 3-25 Identity section Box Certificate . . . . . . . . . . . . . . . . . . . 60
List 3-26 Identity section SSH Private Key . . . . . . . . . . . . . . . . . . . 60
List 3-27 Network - Management Network section Device Name . . . . . . . . . . . . . . . . . . . 62
List 3-28 Network - Management Network section Management Network . . . . . . . . . . . . . . . . . . . 62
List 3-29 Box Network section Network Interface Configuration . . . . . . . . . . . . . . . . . . . 63
List 3-30 Network - Virtual LANs Configuration section Virtual LAN Configuration . . . . . . . . . . . . . . . . . . . 65
List 3-31 Management Access section Remote Management Tunnel . . . . . . . . . . . . . . . . . . . 66
List 3-33 Remote Management Access Tunnel Details section Management Tunnel Configuration (CC-managed box) . . . . . . . . . . . . . . . . . . . 67
List 3-34 Remote Management Access Tunnel Details section Connection Monitoring . . . . . . . . . . . . . . . . . . . 67
List 3-32 Management Access section Serial Console . . . . . . . . . . . . . . . . . . . 67
List 3-35 Network section Main Routing Table . . . . . . . . . . . . . . . . . . . 69
List 3-36 Network Routes - Policy Routing section Policy Source Matching . . . . . . . . . . . . . . . . . . . 70

List 337 Network Routes - Policy Routing section Policy Table Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
List 338 Network - xDSL configuration section Link Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
List 339 Network - xDSL configuration section PPTP Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
List 340 Network - xDSL configuration section PPPOE Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
List 341 Network - xDSL configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
List 342 Network - xDSL configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
List 343 Network - xDSL configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 344 Networks - DHCP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 345 Networks - DHCP configuration section Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 346 Networks - DHCP configuration section DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 347 Networks - DHCP configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
List 348 Networks - DHCP configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
List 349 Networks - ISDN configuration section Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
List 350 Networks - ISDN configuration section Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
List 351 Networks - ISDN configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
List 352 Networks - ISDN configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
List 353 Networks - ISDN configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
List 354 Networks - UMTS configuration section UMTS (3G) Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
List 355 Networks - UMTS configuration section UMTS Connection Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
List 356 Networks - UMTS configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
List 357 Networks - UMTS configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
List 358 Networks - UMTS configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
List 359 Connection monitoring of dynamic links section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
List 360 Networks - IP Tunnels configuration section Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
List 361 Integrity Check configuration section Integrity Check Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
List 362 The monitoring executable openxdsl and its commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
List 363 Traffic Shaping configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
List 364 Traffic Shaping configuration section Outbound (traffic sent over the device) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
List 365 Traffic Shaping configuration section Inbound (traffic received by device) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
List 366 Device/Tunnel Tree Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 367 Traffic Shaping configuration Shaping connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 368 Shape Connector Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 369 Shape Connector Rule section Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List 370 Traffic Shaping configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List 371 Traffic Shaping configuration section Policy Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List 372 Traffic Shaping configuration section Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
List 373 Administrators configuration section Account Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
List 374 Administrators configuration section Administrator Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
List 375 Administrators configuration section Administrator Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
List 376 Administrators configuration section Administrator Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
List 377 Advanced Configuration section License Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
List 378 Server configuration - General settings on single boxes section Virtual Server Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
List 379 Server configuration - General settings on single boxes section Virtual Server IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
List 380 Server configuration (single box) - Monitoring settings section Operation Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
List 381 Server configuration (single box) - Monitoring settings section IP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
List 382 Server configuration (single box) - Monitoring settings section Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 383 Server configuration (single box) - Scripts configuration section Server Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 384 Server configuration (CC) - General configuration section Virtual Server Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 385 Server configuration - IDENTITY tab section Virtual Server Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 386 Server configuration - NETWORKS tab section Virtual Server/GTI Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 387 Service Configuration - General section Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 388 Service Configuration - General section Bind IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 389 Service Configuration - General section Available Server IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 390 Service Configuration - Statistics section Statistics Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 391 Service Configuration - Notification section Access Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
List 392 System Settings section General IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 393 System Settings section ARP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 394 System Settings - Routing Cache section Routing Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 395 System Settings - Routing Cache section Garbage Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 396 System Settings - I/O Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 397 Box Tuning - Flash Memory section RAM Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 398 Box Tuning - Flash Memory section Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 399 Box Tuning - Flash Memory section Flash Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 3100 Advanced Configuration - Bootloader section Kernel Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
List 3101 Advanced Configuration - Bootloader section Header Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
List 3102 Advanced Configuration - Log Cycling section Common Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3103 Log Cycling - File Specific Settings section Log File Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3104 Log Cycling - File Specific Settings section Log Cycling Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3105 Box Misc - Log Cycling - File Specific Settings section Log Cycling Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3106 Box Misc - Access Notification section Console Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
List 3107 Box Misc - SSH Basic Setup section General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
List 3108 Box Misc - SSH Advanced Setup section Protocol Version 2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
List 3109 Box Misc - SSH Advanced Setup section Protocol Version 1 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
List 3110 Advanced Configuration - Software Update section Common Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
List 3111 Advanced Configuration - Software Update section Release Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
List 3112 Advanced Configuration - Watchdog Basic Setup section Monitoring Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
List 3113 Advanced Configuration - Watchdog Basic Setup section Watchdog Repair Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
List 3114 Advanced Configuration - Watchdog Details section Watchdog Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
List 3115 Advanced Configuration - Watchdog Details section Watchdog Monitored Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
List 3116 MSAD Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
List 3117 MSAD Authentication Basic section Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
List 3118 MSAD Authentication Basic section Mail Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
List 3119 MSAD Authentication Basic section Extended . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
List 3120 Parameters for MS-CHAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
List 3121 Parameters for LDAP Authentication section LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
List 3122 Parameters for Radius Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
List 3123 Parameters for RSA-ACE Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
List 3124 Parameters for MSNT Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
List 3125 Parameters for MSNT Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3126 Parameters for OCSP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3127 Parameters for Explicit Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3128 Parameters for Timeouts and Logging section Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3129 Parameters for Timeouts and Logging section Timeout Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3130 Parameters for Timeouts and Logging section Expert Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
List 3131 Infrastructure Services - Syslog Streaming - Basic Setup section Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
List 3132 Infrastructure Services - Syslog Streaming - Basic Setup section System Identification & Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 116
List 3133 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Box Logdata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
List 3134 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Service Logdata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
List 3135 Infrastructure Services - Syslog Streaming - Logstream Destinations section Destination Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
List 3136 Infrastructure Services - Syslog Streaming - Logstream Destinations section Data Transfer Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
List 3137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
List 3138 Infrastructure Services - Syslog Streaming - Logdata Streams section Stream Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
List 3139 Infrastructure Services - Control - Monitoring Setup section Monitoring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
List 3140 Infrastructure Services - Control - Monitoring Setup section HA Monitoring Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
List 3141 Infrastructure Services - Control - Monitoring Setup section ICMP Gateway Monitoring Exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
List 3142 Infrastructure Services - Control - Administrative Sessions section Auto Logout Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
List 3143 Infrastructure Services - Control - Administrative Sessions section Session Password Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
List 3144 Infrastructure Services - Control - CPU-Load Monitoring section Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
List 3145 Infrastructure Services - Control - CPU-Load Monitoring section CPU-Load Warning Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
List 3146 Infrastructure Services - Control - CPU-Load Monitoring section CPU Load Error Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
List 3147 Infrastructure Services - Log Configuration section Log Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

4 Firewall
List 41 Box Services - General Firewall Configuration - Peer-to-Peer Detection and Protocol Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
List 42 Box Services - General Firewall Configuration - Peer-to-Peer Protocol Detection Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
List 43 General Firewall Configuration - Global Limits section Session Limits and Memory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
List 44 General Firewall Configuration - Global Limits section Access Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
List 45 General Firewall Configuration - Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
List 46 General Firewall Configuration - Operational . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
List 47 General Firewall Configuration - Audit and Reporting tab section Limits and Operational Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
List 48 General Firewall Configuration - Audit and Reporting tab section Eventing Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
List 49 General Firewall Configuration - Audit and Reporting tab section Audit Information Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
List 410 General Firewall Configuration - Audit and Reporting tab section Connection Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
List 411 General Firewall Configuration - Eventing Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
List 412 Audit Information Generation Settings section Audit Info Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
List 413 Audit Information Generation Settings section Recorded Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
List 414 Audit Information Generation Settings section Log File Rotation and Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
List 415 General Firewall Configuration - Connection Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
List 416 Firewall Forwarding Settings - Firewall section Server Specific Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
List 417 Items of the Navigation Bar's main element "Configuration" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
List 418 Subordinate elements of the item Information in the navigation bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
List 419 Firewall configuration - Rule Creation/Editing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
List 420 Firewall configuration - Action section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
List 421 Firewall configuration - Destination section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
List 422 Firewall configuration - Redirection section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
List 423 Firewall configuration - Connection section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
List 424 Firewall configuration - Time Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
List 425 Net Object configuration parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
List 426 Net Object configuration parameters section Excluded Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
List 427 Net Object configuration parameters section Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
List 428 Network Object - Type Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
List 429 Network Object - Type Hostname section Entry / Excluded Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
List 430 Firewall configuration - Service Objects parameters section TCP & UDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
List 431 Firewall configuration - Service Objects parameters section ICMP Echo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
List 432 Firewall configuration - Service Objects parameters section General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
List 433 Firewall configuration - Service Objects - General settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
List 434 Firewall configuration - Service Objects - General settings section Failover and Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

List 435 Firewall configuration - Service Objects - General settings section VPN Traffic Intelligence (TI) Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
List 436 Firewall configuration - Service Objects - General settings section BOB Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
List 437 Proxy ARP object configuration values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
List 438 Firewall configuration - Content Filter creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
List 439 Port Protocol Protection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
List 440 Port Protocol Protection Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
List 441 Firewall configuration - Advanced Rule Parameters section Rule Mismatch Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
List 442 Firewall configuration - Advanced Rule Parameters section TCP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
List 443 Firewall configuration - Advanced Rule Parameters section Resource Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
List 444 Firewall configuration - Advanced Rule Parameters section Counting / Eventing / Audit Trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
List 445 Firewall configuration - Advanced Rule Parameters section Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
List 446 Firewall configuration - Advanced Rule Parameters section Quarantine Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
List 447 Firewall configuration - Enhanced Advanced Rule Parameters section Rule Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
List 448 Firewall configuration - Time Restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
List 449 Firewall configuration - Accept Policy section Firewall configuration - Advanced Rule Parameters section Resource Protection . . . . . . 166
List 450 Firewall configuration - Accept Policy section Firewall configuration - Advanced Rule Parameters section TCP Policy . . . . . . . . . . . . . . 166
List 451 Firewall Forwarding Settings - Bridging section Layer2 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
List 452 Firewall Forwarding Settings - Bridging section Quarantine Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
List 453 Firewall Forwarding Settings - Bridging section Quarantine Bridging - Quarantine Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
List 454 Firewall configuration - Authentication parameters section FW Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
List 455 Firewall configuration - PHIBS settings section Phibs Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
List 456 Firewall configuration - Rules - User Groups section Authentication Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List 457 Firewall configuration - Rules - User Groups section Policy Roles Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List 458 Firewall configuration - Rules - User Groups section X509 Certificate Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List 459 Firewall configuration - Rules - User Groups section VPN User Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List 460 Firewall configuration - Rules - User Groups section Authentication Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List 461 Firewall configuration - Forwarding Firewall - RPC tab section RPC Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
List 462 Firewall configuration - Forwarding Firewall - RPC tab section ONCRPC Servers / DCERPC Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

5 VPN
List 5-1 VPN Configuration - Personal Network Network Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
List 5-2 VPN Configuration - Server Certificates - General Access Control Service Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
List 5-3 VPN Configuration - Server Certificates - General Server Configuration Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
List 5-4 VPN Configuration - Server Certificates - General Default Server Certificate Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
List 5-5 VPN configuration - Server Certificates - Advanced Device Configuration Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-6 VPN configuration - Server Certificates - Advanced section IKE Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-7 VPN configuration - Server Certificates - Advanced section Custom Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-8 VPN Configuration - Root Certificates - Certificate Details Tab Certificate Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-9 VPN Configuration - Root Certificates - Certificate Details Tab Usage Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-10 VPN configuration - Root Certificates - Certificate Details Tab CRL Error Handling Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
List 5-11 VPN Configuration - Root Certificates - Certificate Revocation Tab URI Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
List 5-12 VPN Configuration - Root Certificates - Certificate Revocation Tab Login Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
List 5-13 VPN Configuration - Root Certificates - Certificate Revocation Tab Proxy Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
List 5-14 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
List 5-15 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Identification Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
List 5-16 VPN Configuration - VPN GTI Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
List 5-17 VPN Configuration - VPN GTI Settings Proxy Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
List 5-18 VPN configuration - L2TP/PPTP Settings - General section Common Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
List 5-20 VPN Configuration - L2TP/PPTP Settings - PPTP PPTP Settings Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
List 5-19 VPN Configuration - L2TP/PPTP Settings - L2TP/IPSEC L2TP Settings Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
List 5-21 VPN Configuration - L2TP/PPTP Settings - User List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
List 5-22 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
List 5-23 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation IP Address & Networking Section . . . . . . . . . . . . . . . . . . . . . 225
List 5-24 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation Password and Peer Restriction Section . . . . . . . . . . . . . . . 225
List 5-25 VPN configuration - Client to Site - VPN CA Tab - Personal License Creation Active Certificate / Obsolete Certificate Section . . . . . . . . 226
List 5-26 VPN Configuration - Client to Site - VPN CA Tab - Template Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
List 5-27 VPN Configuration - Client to Site - External CA Tab > IPSec Tab Phase 1 (default) / Phase 2 Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
List 5-28 VPN Configuration - Client to Site - External CA Tab > IPSec Tab Lifetime Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
List 5-29 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Barracuda Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
List 5-30 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Accepted Ciphers Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
List 5-31 VPN Configuration - Client to Site - External CA Tab > Common Tab Common Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
List 5-32 VPN Configuration - Client to Site - External CA Tab > Common Tab Network Routes Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
List 5-33 VPN Configuration - Client to Site - External CA Tab > Common Tab ACL Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
List 5-34 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings X.509 Client Security Section . . . . . . . . . 229
List 5-37 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group VPN Settings > Preauthentication Details . . . . . . . . . . . . . . . . . 230
List 5-35 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings Server Section . . . . . . . . . . . . . . . . . . . . . . . 230
List 5-36 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings section Preauthentication . . . . . . . . . . . . . 230
List 5-38 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
List 5-39 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup > AD Lookup Advanced Settings 231
List 5-40 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
List 5-41 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition X509 Certificate Conditions Section . . . . . . 231
List 5-42 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition External Group Condition Section . . . . . . . . . 231
List 5-43 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition Peer Condition Section . . . . . . . . . . . . . . . . . . 231

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Appendix Parameter List Directory | 561

List 5-44 VPN Configuration - Client to Site - Registry Tab > New Registry Rule Set Registry Entry Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
List 5-45 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel General Tunnel Settings Section . . . . . . . . . . . . . . . . . . . . . . . . 233
List 5-46 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel TI Transport Classification Section . . . . . . . . . . . . . . . . . . . . . . 236
List 5-47 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Transport Selection Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
List 5-48 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Traffic Prioritisation Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
List 5-49 VPN configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab - Bandwidth Protection Section . . . . . . . . . . . . . . . . . . . 238
List 5-50 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy . . . . . . . . . . . . . . . . . . . . . 238
List 5-51 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab Transport (complement) Section . . . . . . . . . . . . . . . . . 239
List 5-52 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
List 5-53 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Phase 1 and Phase 2 Section . . . 240
List 5-54 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Networks Section . . . . . . . . . . . . . 240
List 5-55 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
List 5-56 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Partner Identification Section . . . . . . 241
List 5-57 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Parameters Section . . . . . . . . . . . . . . . 241
List 5-58 VPN configuration - SSL-VPN Basic Setup section General Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
List 5-59 VPN configuration - SSL-VPN Basic Setup section Service Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 5-60 VPN configuration - SSL-VPN Authentication & Login section User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 5-61 VPN configuration - SSL-VPN Authentication & Login section Corporate ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 5-62 VPN configuration - SSL-VPN Barracuda NG Network Access Client Access Control section Barracuda NG Network Access Client Access Control Setup . . . 244
List 5-63 VPN configuration - SSL-VPN Barracuda NG SSL-VPN Client section Barracuda NG SSL-VPN Client Setup . . . . . . . . . . . . . . . . . . . . . . . . 245
List 5-64 Barracuda NG SSL-VPN Client section Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
List 5-65 Barracuda NG SSL-VPN Client Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 5-66 Barracuda NG SSL-VPN Client Transport Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 5-67 VPN configuration - SSL-VPN Web Resources section Web Resource Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 5-68 Web Resources section Web Resource Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 5-69 VPN configuration - SSL-VPN Outlook Web Access section Outlook Web Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 5-70 VPN configuration - SSL-VPN WebDAV/Sharepoint section WebDAV Resource Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 5-71 WebDAV Resources section WebDAV Resource Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 5-72 VPN configuration - SSL-VPN Application Tunneling section Application Tunneling Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 5-73 Application Tunneling Configuration Service Configuration section Application Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 5-74 Application Tunneling Configuration Generic Application Tunneling section Generic Application Tunneling Authorization . . . . . . . . . . 247
List 5-76 VPN configuration - SSL-VPN Dynamic Firewall Rules section Dynamic Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 5-77 Firewall Rule Activation section Dynamic Firewall Rule Activation Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 5-78 VPN configuration - SSL-VPN Access Rights Query section Access Rights Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 5-75 Generic Application Tunneling Authorization SSL Tunnels section SSL Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

6 Mail Gateway
List 6-1 MailGW Settings - Basic Setup section Host Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 6-2 MailGW Settings - Basic Setup section Local Domain Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 6-3 MailGW Settings - Basic Setup section Global Domain Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 6-4 MailGW Settings section Extended Domain Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 6-5 MailGW Settings section Extended Domain Setup Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
List 6-6 MailGW Settings - Pop3 Setup section POP3 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
List 6-7 MailGW Settings - Advanced Setup section Operational Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
List 6-8 MailGW Settings - Advanced Setup section Allowed Relaying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
List 6-9 MailGW Settings - Advanced Setup section Cloning and Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
List 6-10 MailGW Settings - Content Filter - Attachment Stripping section Advanced Attachment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
List 6-11 MailGW Settings - Content Filter - Grey Listing section Advanced Grey Listing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
List 6-12 MailGW Settings - Content Filter - Blacklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
List 6-13 MailGW Settings - Content Filter - HTML-Tag Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 6-14 MailGW Settings - Content Filter - Misc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 6-15 MailGW Settings - Limits section Mail Gateway Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 6-16 MailGW Settings - Limits section DoS Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 6-17 MailGW Settings section Entries in Access Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
List 6-18 MailGW Settings - Event Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
List 6-19 MailGW Settings - Spam Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
List 6-20 Spamfilter Config section Spamfilter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 6-21 Spamfilter Config section WHITE/BLACK LISTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 6-22 Spamfilter Config section ONLINE TESTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 6-25 Spamfilter Config - Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 6-23 Spamfilter Config section RULES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 6-24 Spamfilter Config section TRAINING OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 6-26 Spamfilter Config section TRAINING OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

7 DHCP
List 7-1 DHCP Enterprise Configuration - Operational Setup section Service Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 7-2 DHCP Enterprise Configuration - Operational Setup section HA Synchronisation Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 7-3 DHCP Enterprise - Address Pool Configuration section Address Pool Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 7-4 DHCP Enterprise - Address Pool Configuration section Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 7-5 DHCP Enterprise - Address Pool Configuration section Multi Subnet Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
List 7-6 DHCP Enterprise Configuration - SUBNETS tab section Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290


List 77 DHCP Enterprise - Address Pool Configuration section Further Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
List 78 DHCP Enterprise Configuration - Known Clients section Group Based Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 79 DHCP Enterprise - Known Clients - Client Group Member section Client Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 710 DHCP Enterprise - Known Clients - Client Group Member section Client Match & Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 711 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 712 DHCP Enterprise - DHCP Option Templates section Template Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 713 DHCP Enterprise - DHCP Option Templates section Basic Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 714 DHCP Enterprise - DHCP Option Templates section Barracuda NG Network Access Clients Access Control Service Options . . . . . . . . . . 292
List 715 DHCP Enterprise - DHCP Option Templates section Extended Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 716 DHCP Enterprise - Parameter Templates section Template Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 717 DHCP Enterprise - Parameter Templates section Lease Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 718 DHCP Enterprise - Parameter Templates section Dynamic DNS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 719 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 720 DHCP Enterprise - Classes section Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 721 DHCP Enterprise - Dynamic DNS section DNS Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 722 DHCP Enterprise - Dynamic DNS section DNS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 723 DHCP Enterprise - GUI as Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 724 DHCP Enterprise - Text Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 725 DHCP Server Settings section GLOBAL SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 726 DHCP Server Settings - section Option Section and IP RANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 727 DHCP Server Settings section SPECIAL CLIENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 728 DHCP Server Settings section BASIC OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 729 DHCP Server Settings section EXTENDED OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 730 DHCP Relay Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

8 Log Viewer

9 Statistics
List 91 Control field for type Curve with time axis section Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
List 92 Control field for type Curve with time axis section Time Interval - Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
List 93 Control field for type Curve with time axis section Time Interval - Bars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
List 94 Infrastructure Services - Statistics General section Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 95 Box Services - Statistics Cooking section Statistic Cooking section Cook Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 96 Statistic Cooking section Type: Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 98 Statistic Transfer Transfer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
List 97 Statistic Cooking section Type: Top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

10 Eventing
List 101 Events tab - Event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
List 103 Severity tab - Severity details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 102 Severity tab - Column view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 104 Notification tab - Column view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 105 Server Action tab - Type SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
List 106 SNMP Service Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 107 SNMP Service Notifications section Default SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 108 SNMP Service Notifications section Default Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 109 Event Properties - Page 1 tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
List 1010 Event Properties - Page 2 tab section Confirmed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
List 1011 Event Properties - Page 2 tab section Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

11 DNS
List 111 DNS Server - Properties configuration section Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
List 11-2 DNS Server - Properties configuration section Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
List 11-3 DNS Server - Zone configuration section General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
List 11-4 DNS Server - Zone configuration - Advanced Settings section Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 11-5 DNS Server - Zone configuration - Advanced Settings section Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 11-6 DNS Server - SOA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 11-7 DNS Server - Name Server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
List 11-8 DNS Server - Adding a New Host - Host (A) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
List 11-9 DNS Server - Adding a New Host - Host Information (HINFO) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 11-10 DNS Server - Adding a New Host - Text (TXT) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 11-11 DNS Server - Adding a New Host - Well-Known Services (WKS) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 11-12 DNS Server - Adding a New Mail-Exchanger - Mail-Exchanger (MX) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 11-13 DNS Server - Adding a New Mail-Exchanger - Mailbox information (MINFO) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 11-14 DNS Server - Adding a New Mail-Exchanger - Well-Known Services (WKS) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

12 Proxy
List 12-1 HTTP Proxy Service Parameters - General section Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 12-2 HTTP Proxy Service Parameters - General section Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 12-3 HTTP Proxy Service Parameters - General section Misc. Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Appendix Parameter List Directory | 563

List 12-4 HTTP Proxy Service Parameters - General section Fail Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 12-5 HTTP Proxy Service Parameters - Network section Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 12-6 HTTP Proxy Service Parameters - General - Neighbour Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 12-7 HTTP Proxy Service Parameters - General - Neighbour Settings section Option Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 12-8 HTTP Proxy Service Parameters - General - Neighbour Settings section Cache Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 12-9 HTTP Proxy Service Parameters - General section SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
List 12-10 HTTP Proxy Service Parameters - Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
List 12-11 HTTP Proxy Service Parameters - Authentication Settings section PHIBS Specific Authentication Scheme . . . . . . . . . . . . . . . . . . . . . . . . . 344
List 12-12 HTTP Proxy Service Parameters - Authentication Settings - ACL Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
List 12-13 HTTP Proxy Service Parameters - Authentication Settings - Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
List 12-14 HTTP Proxy Service Parameters - Authentication Settings - ACL FileList . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
List 12-15 ACL Filelist Usage Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
List 12-16 HTTP Proxy Service Parameters - Authentication Settings - Legacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
List 12-17 HTTP Proxy Service Parameters - Authentication Settings - Time Restriction configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
List 12-18 ACL ENTRIES configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
List 12-19 Proxy Service Parameters section Data Leak Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
List 12-20 Proxy Service Parameters - Advanced view section Optimizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
List 12-21 Proxy Service Parameters - Advanced view section Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
List 12-22 HTTP Proxy Fail Cache Filter Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
List 12-23 Secure Web Proxy section SSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
List 12-24 Secure Web Proxy - SSL Certificates section Certificate Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
List 12-25 Secure Web Proxy - SSL Certificates section Certificate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
List 12-26 Secure Web Proxy - SSL Certificates section Client Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
List 12-27 Secure Web Proxy - Advanced section Optimizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
List 12-28 Proxy Service Parameters section Redirector Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
List 12-29 URL Filter Configuration - General section URL Filter General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
List 12-30 URL Filter Configuration - General section URL Filter Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
List 12-31 URL Filter Configuration - General section URL Filter Support Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
List 12-32 URL Filter Configuration section URL Filter Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
List 12-33 URL Filter Configuration - Filter Settings section URL Filter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
List 12-34 URL Filter Configuration - Filter Settings section Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
List 12-35 URL Filter Configuration - Filter Settings section TIME SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
List 12-36 URL Filter Configuration section URL Filter Deny Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
List 12-37 URL Filter Configuration section URL Filter Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
List 12-38 URL Filter Configuration section URL Filter Cascaded Redirector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
List 12-39 URL Filter Configuration section URL Filter Logging Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
List 12-40 URL Filter Configuration section URL Filter Limit Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

13 FTP Gateway
List 13-1 FTP-GW Settings configuration section BEHAVIOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
List 13-2 FTP-GW Settings configuration section Virus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
List 13-3 FTP-GW Settings configuration section Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
List 13-4 FTP-GW Settings Configuration - User specific section Configuration Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
List 13-5 FTP-GW Settings Configuration - User specific section Special Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
List 13-6 FTP-GW Settings Configuration - User specific section Default User Specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
List 13-7 FTP-GW Settings Configuration - User specific section Time Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
List 13-8 FTP-GW Settings Configuration - User specific - Default User Specific section SPECIAL DESTINATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
List 13-9 FTP-GW Settings Configuration - User specific - Default User Specific section OTHER DESTINATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
List 13-10 FTP-GW Settings Configuration - User specific - Default User Specific section Time Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
List 13-11 FTP-GW Settings Configuration section Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

14 Voice over IP
List 14-1 Firewall Forwarding Settings - H.323 Gatekeeper tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
List 14-2 Box Firewall Settings - SIP Parameters section Access Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
List 14-3 Forwarding Firewall Settings - SIP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

15 Wireless LAN
List 15-1 382
List 15-2 383
List 15-3 383
List 15-4 Primary Radius Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
List 15-5 Radius Fallback Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
List 15-6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
List 15-7 EAP Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
List 15-8 WPA Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
List 15-9 Operational Tuning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
List 15-10 Logging Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

16 SSH Gateway
List 16-1 SSH Proxy configuration - General section General Service Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387


List 16-2 SSH Proxy configuration - General section Service Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
List 16-3 SSH Proxy configuration - Authentication & Login section User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
List 16-4 SSH Proxy configuration - Authentication & Login section User Session Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
List 16-5 SSH Proxy configuration - Default Permissions section Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
List 16-6 SSH Proxy configuration - Default Permissions section Access Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
List 16-7 SSH Proxy configuration - Access Lists section Access List Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
List 16-8 SSH Proxy configuration - Access Lists - Access List Configuration section Access List Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
List 16-9 SSH Proxy configuration - Access Lists - Access List Configuration section Allowed Host Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
List 16-10 SSH Proxy configuration - User Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

17 Anti-Virus
List 17-1 Virus Scanner Settings - Basic Setup section Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
List 17-2 Virus Scanner Settings - Basic Setup section Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
List 17-3 Virus Scanner Settings - Basic Setup section Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
List 17-4 Virus Scanner Settings - Updates section General Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
List 17-5 Virus Scanner Settings - Updates section Avira Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-6 Virus Scanner Settings - Updates section ClamAV Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-7 Virus Scanner Settings - Updates section Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-8 Virus Scanner Settings - Avira section Avira General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-9 Virus Scanner Settings - Avira section Avira Archive Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-10 Virus Scanner Settings - Avira section Avira Non-Virus Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
List 17-11 Virus Scanner Settings - ClamAV section ClamAV General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
List 17-12 Virus Scanner Settings - ClamAV section ClamAV Archive Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
List 17-13 Virus Scanner Settings - ClamAV section ClamAV Possibly Unwanted Applications (PUA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
List 17-14 Virus Scanner Settings - ClamAV section ClamAV Misc Scanning Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
List 17-15 Virus Scanner Settings - ClamAV section ClamAV Mail Scanning Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
List 17-16 Virus Scanner Settings - ClamAV section ClamAV Phishing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
List 17-17 Virus Scanner Settings - ClamAV section ClamAV Data Loss Prevention (DLP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
List 17-18 Virus Scanner Settings - Streaming Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
List 17-19 HTTP Proxy Settings - Content Inspection section Virus Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
List 17-20 Content Inspection section Virus Scanner Progress Popup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
List 17-21 HTTP Proxy Settings - Content Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-22 MailGW Settings - Virus Scanning section Virus Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-23 MailGW Settings - Advanced Virus Protection Option section Scanner Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-24 MailGW Settings - Advanced Virus Protection Option section Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-25 MailGW Settings - Advanced Virus Protection Option section Adaptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-26 MailGW Settings - Advanced Virus Protection Option section No Scan Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
List 17-27 MailGW Settings - External Scan Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

18 High Availability

19 Barracuda NG Control Center


List 19-1 Server configuration - Virtual Server Definition on CC boxes section Virtual Server Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
List 19-2 Schedule Task configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
List 19-3 CC Identity - Identification section CC Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
List 19-4 CC Identity - Identification section CC IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
List 19-5 CC Identity - Trust Chain Configuration section Trust Chain Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-6 CC Identity - Trust Chain Configuration section CC SSH Access Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-7 CC Parameters - Operational Setup section Status Map Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-8 CC Parameters - Operational Setup section Configuration Update Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-9 CC Parameters - Operational Setup section Remote Execution Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-10 CC Parameters - Operational Setup section Barracuda NG Earth Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
List 19-11 Administrative Roles - Role Setup - Roles section Role Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
List 19-12 Administrative Roles - Role Setup - Roles section Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
List 19-13 Box VIP Network Ranges - VPN Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
List 19-14 Box VIP Network Ranges - Rekey/Alive Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
List 19-15 Creating a new range section Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
List 19-16 Creating a new range section Contact Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
List 19-17 Creating a new range section Specific Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
List 19-18 Creating a new cluster section Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
List 19-19 Creating a new cluster section Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
List 19-20 Creating a new cluster section Specific Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
List 19-21 Creating a Cluster Service section Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
List 19-22 Creating a Cluster Service section Admin Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
List 19-23 Creating a Cluster Service section Access Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
List 19-24 Barracuda NG Control Center Node Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
List 19-25 Barracuda NG Control Center Node Properties section Administrative Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
List 19-26 Creating a new administrator - Administrator tab section General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
List 19-27 Creating a new administrator - Details tab section Password Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
List 19-28 Creating a new administrator - Administrator tab section Administrative Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
List 19-29 Creating a new administrator - Administrator tab section Operative Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
List 19-30 Master Statistic Collection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

List 19-31 Statistics Cook Settings section Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
List 19-32 Statistics Cook Settings - Statistics Cooking section Cook Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
List 19-33 Statistics Cook Settings - Statistics Cooking section Type: Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
List 19-34 Statistics Cook Settings - Statistics Cooking section Type: Top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
List 19-35 Statistics Cook Settings - Transfer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
List 19-36 CC Syslog Server configuration section Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
List 19-37 CC Syslog Server configuration section Plain Data Reception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
List 19-38 CC Syslog Server configuration section Tuning Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
List 19-39 CC Syslog Server configuration - Trusted Data Reception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
List 19-40 CC Syslog Server configuration - Trusted Data Reception section SSL Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
List 19-41 CC Syslog Server configuration - Local Storage Setup section Local Log Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
List 19-42 CC Syslog Server configuration - HA Synchronization section HA Synchronization Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
List 19-43 CC Syslog Server configuration - Relaying Setup section Relaying Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
List 19-44 CC Syslog Server configuration - Relaying Setup section SSL Delivery Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
List 19-45 CC Syslog Server configuration - Relay Filters section Data Origin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
List 19-46 CC Syslog Server configuration - Relay Filters section Data Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
List 19-47 CC Syslog Server configuration - Relay Destinations section Connection Type Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
List 19-48 CC Syslog Server configuration - Relay Destinations section Connect by Destination SSL Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
List 19-49 CC Syslog Server configuration - Relay Destinations section Stream to Destination Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
List 19-50 CC Syslog Server configuration - Relay Destinations section Data Tag Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
List 19-51 CC Syslog Server configuration - Relay Streams section Relay Streams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
List 19-52 Public Key Infrastructure (PKI) Configuration Settings section General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
List 19-53 Public Key Infrastructure (PKI) Configuration Settings section LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
List 19-54 Public Key Infrastructure (PKI) - Certificate Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
List 19-55 Public Key Infrastructure (PKI) - Certificate Creation - General Settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
List 19-56 Public Key Infrastructure (PKI) - Certificate Creation - Subject tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
List 19-57 Public Key Infrastructure (PKI) - Certificate Creation - V3 Extensions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
List 19-58 VPN GTI Editor - Group Edit - TINA tab section General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
List 19-59 VPN GTI Editor - Group Edit - TINA tab section Accepted Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
List 19-60 VPN GTI Editor - Group Edit - TINA tab section Bandwidth Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
List 19-61 VPN GTI Editor - Group Edit - TINA tab section VPN Envelope Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
List 19-62 VPN GTI Editor - Group Edit - IPSec tab section Phase 1 / Phase 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 19-63 VPN GTI Editor - Group Edit - IPSec tab section General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 19-64 VPN GTI Editor - Adding a VPN Service to a VPN Group section Server/Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 19-65 VPN GTI Editor - Adding a VPN Service to a VPN Group section Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 19-66 VPN GTI Editor - Adding a VPN Service to a VPN Group section Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 1967 VPN GTI Editor - Adding a VPN Service to a VPN Group section In Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
List 1968 Barracuda NG Earth section Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
List 1969 Barracuda NG Earth section Connection to CC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
List 1970 CC Parameters - RCS Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
List 1971 RCS Change Filter settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
List 1972 Network Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
List 1973 Network Address Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
List 1974 Workspace Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
List 1975 Workspace Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
List 1976 Admin Workspace Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

20 SNMP
List 201 SNMP Configuration - section Access Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

21 OSPF and RIP


List 211 OSPF/RIP Settings section Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
List 212 OSPF/RIP Settings - OSPF Preferences section OSPF Preferences Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
List 213 OSPF/RIP Settings - OSPF Preferences section RIP SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
List 214 OSPF/RIP Settings - OSPF Router Setup section OSPF Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
List 216 OSPF/RIP Settings section OSPF Area Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
List 215 OSPF/RIP Settings - OSPF Router Setup section Router Distribution Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
List 217 OSPF/RIP Settings - RIP Router Setup section RIP Router Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
List 218 OSPF/RIP Settings - RIP Router Setup section Router Distribution Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
List 219 OSPF/RIP Settings - RIP Preferences section RIP Preferences Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
List 2110 OSPF/RIP Setting section Network Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2111 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section Shared Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2112 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section OSPF Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2113 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section RIP Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2114 OSPF/RIP Settings - Network Interfaces Configuration - Available Interfaces section Available Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2115 OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section OSPF Parameters . . . . . . . . . . . . . . 523
List 2116 OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section RIP Parameters . . . . . . . . . . . . . . . . 523
List 2117 OSPF/RIP Settings - Neighbor Setup section Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
List 2119 OSPF/RIP Settings - Filter Setup section Access List Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
List 2120 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
List 2121 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
List 2122 OSPF/RIP Settings - Filter Setup - Route Map Filters section OSPF Specific Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


566 | Parameter List Directory Appendix

List 21-23  OSPF/RIP Settings - Filter Setup - Route Map Filters section RIP Specific Conditions . . . . . . . . 524
List 21-24  OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters . . . . . . . . 524
List 21-25  OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Configuration . . . . . . . . 524
List 21-18  OSPF/RIP Settings - Neighbor Setup section OSPF Parameters . . . . . . . . 524
List 21-26  OSPF/RIP Settings - GUI as Text section Text Equivalent of GUI . . . . . . . . 525
List 21-27  OSPF/RIP Settings - Text Based Configuration section Free Format OSPF Configuration / Free Format RIP Configuration . . . . . . . . 525

22 System Information

23 Appendix

Appendix Index of Configuration Parameters | 567

Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

6. Index of Configuration Parameters


Numerics
2-Way  [Firewall] 144, 145, 158

A
ABR Type  [OSPF and RIP] 520
Accept Identification Type  [VPN] 222; [Barracuda NG Control Center] 493
Accept Limit Exceeded  [Firewall] 137
Accept Loose Domain Name  [Mail Gateway] 271
Accept Policy  [Firewall] 136
Accept Timeout (s)  [Firewall] 163
Accepted Ciphers  [VPN] 227; [Barracuda NG Control Center] 493
Accepted Identification Type  [Barracuda NG Control Center] 494
Access Cache Entry  [Firewall] 164
Access Cache Management  [Barracuda NG Control Center] 439
Access Concentrator  [Configuration Service] 72
Access Configuration  [Proxy] 344
Access Control Entries  [Proxy] 348
Access Control Policy  [SSH Gateway] 388
Access Lists  [SSH Gateway] 388
Access Password  [Configuration Service] 72, 73, 75, 77, 78
Access to MC PKI  [Barracuda NG Control Center] 438
Access Type  [Configuration Service] 54
Account  [Mail Gateway] 277
Account Info Length  [FTP Gateway] 371
ACK Timeout  [Voice over IP] 378
ACL  [Getting Started] 13; [Configuration Service] 54; [VPN] 229; [Mail Gateway] 264
ACL Description  [Proxy] 347
ACL Entries  [Proxy] 347
ACL Entries for this Action  [Proxy] 347
ACL Filelist  [Proxy] 347
ACL list  [VPN] 226
ACL Name  [OSPF and RIP] 524
ACL Priority  [Proxy] 347
ACL Type  [Proxy] 345
ACLs  [OSPF and RIP] 522
ACPF Allowed Msg Buffer  [Firewall] 138
ACPF Blocked Msg Buffer  [Firewall] 138
ACPF Dropped Msg Buffer  [Firewall] 138
ACPF Memory (MB)  [Firewall] 135
Action  [Configuration Service] 104; [Firewall] 160; [VPN] 220, 232; [Proxy] 347
Activate Config for  [OSPF and RIP] 523
Activate Driver  [Configuration Service] 63
Activate Kernel Update  [Barracuda NG Control Center] 439
Activate New Configuration  [Barracuda NG Control Center] 439
Activate Scheme  [Configuration Service] 112, 113, 114, 115
Activation Lag  [Configuration Service] 65
Active  [Configuration Service] 118; [Firewall] 187; [VPN] 244, 245, 246, 247, 248; [Barracuda NG Control Center] 477; [OSPF and RIP] 523
Active 2nd Channel  [Configuration Service] 77
Active Box  [Configuration Service] 95
Active Content Rewrite  [VPN] 246
Active directory searching user  [Configuration Service] 112
Active Sync (DOWN)  [Firewall] 181
Active Sync (UP)  [Firewall] 181
Active Zone  [Configuration Service] 56
AD searching user password  [Configuration Service] 112
Add Agent ID (AID)  [DHCP] 302
Add Body to Notice  [Anti-Virus] 396
Add Group  [Barracuda NG Control Center] 491
Add Status in Body  [Anti-Virus] 396
Add UTC Offset  [Configuration Service] 118
Add VPN Service to GTI Editor  [Barracuda NG Control Center] 491
Add VPN Services to GTI Group  [Barracuda NG Control Center] 492
Add X-Status in Header  [Anti-Virus] 396
Additional Addresses (NAT)  [Firewall] 205
Additional gateway route  [Getting Started] 13
Additional Interfaces  [Firewall] 159
Additional IP  [Configuration Service] 95
Additional IP Addresses  [Configuration Service] 62
Additional Mail Fields  [Configuration Service] 112
Additional MC IP Addresses  [Barracuda NG Control Center] 436
Additional Pattern  [Mail Gateway] 264
Address Control  [Configuration Service] 75
Address Pools  [DHCP] 290
Address Selection  [Firewall] 154
Admin  [Barracuda NG Control Center] 502
Admin Connections  [Mail Gateway] 266
Admin Discard Mail Cmd  [Mail Gateway] 272
Admin Distance  [OSPF and RIP] 520
Admin Reception Commands  [Mail Gateway] 272
Administered by  [Barracuda NG Control Center] 443
Administrative Distance  [OSPF and RIP] 522
Advanced Attachments Options  [Mail Gateway] 269
Advanced Cryptographic Settings  [Getting Started] 22
Advanced Grey Listing Options  [Mail Gateway] 270
Advanced IDE Options  [Configuration Service] 101
Advanced Mode Configuration  [Getting Started] 22
Advanced Options  [VPN] 245
Advanced RAW ISAKMP settings  [VPN] 241
Advanced Settings  [OSPF and RIP] 520, 522
Advanced Spam Options  [Mail Gateway] 275
Advanced Virus Protection Option  [Anti-Virus] 396
Advertise Route  [Configuration Service] 62, 69, 72, 74, 76,

    [Configuration Service] 78, 80; [VPN] 235
Advertise via OSPF  [VPN] 218
Advertised Range  [OSPF and RIP] 521
Affected Box Logfiles  [Barracuda NG Control Center] 475
Affected Groups  [Proxy] 363; [FTP Gateway] 371
Affected IPs for Anonymous  [FTP Gateway] 371
Affected Networks  [Proxy] 363
Affected Service Logfiles  [Barracuda NG Control Center] 476
Affected Users  [Proxy] 363; [FTP Gateway] 371
After Number of Days  [Firewall] 138
AID Relay Policy  [DHCP] 302
Alarm  [Eventing] 328
Alarm Period  [Configuration Service] 67
Algorithmic Detection  [Anti-Virus] 392
Aliases  [Configuration Service] 55
ALL  [SNMP] 515
All Clients Policy  [DHCP] 290
All Game Protocols  [Firewall] 134
All P2P Protocols  [Firewall] 134
All P2P/IM/Game Protocols  [Firewall] 134
All Stream Protocols  [Firewall] 134
All Tunnel Protocols  [Firewall] 134
All VOIP Protocols  [Firewall] 134
all-OR-all-present  [Configuration Service] 95
Allow Active-Active Mode  [Firewall] 136
Allow Block Virus Pattern Update  [Barracuda NG Control Center] 439
Allow Bulk Transports  [VPN] 237
Allow CommonName Wildcards  [Proxy] 356
Allow Compression  [Configuration Service] 77, 107
Allow Config View on Box  [Barracuda NG Control Center] 438
Allow Emergency Override  [Barracuda NG Control Center] 438
Allow Fallback Transports  [VPN] 237
Allow Inbound Compression  [SSH Gateway] 387, 388
Allow Local Access  [SSH Gateway] 388
Allow Manual Virus Pattern Update  [Barracuda NG Control Center] 439
allow notify  [DNS] 334, 335
Allow Public Keys  [SSH Gateway] 388
Allow Quality Transports  [VPN] 237
allow query  [DNS] 334, 335
allow recursion  [DNS] 334
Allow Relaying from  [Mail Gateway] 263, 264
Allow SSLv2  [VPN] 243
Allow TCP Forwarding  [Configuration Service] 107
allow transfer  [DNS] 334, 335
allow update  [DNS] 335
Allow Visit After Confirm  [Proxy] 356
Allowed Broadcast Reply  [DHCP] 291
Allowed Classes  [DHCP] 290
Allowed Hosts  [SSH Gateway] 388
Allowed Hosts List  [SSH Gateway] 388
Allowed Local Sessions  [Firewall] 138
Allowed MIME-Types  [Anti-Virus] 393
Allowed Networks  [Firewall] 194
Allowed Phone Numbers  [Configuration Service] 58
Allowed Sessions  [Firewall] 138
Allowed URLs per IP  [Proxy] 365
Allowed URLs per User  [Proxy] 365
Allowed User Groups  [VPN] 244, 245, 246, 247, 248; [SSH Gateway] 387
also notify  [DNS] 335
Alternative  [Firewall] 154
Alternative HA IP  [Configuration Service] 118
Alternative Name  [Configuration Service] 59
AltName  [Firewall] 201
Always Block Cloak  [Anti-Virus] 393
Always Block SSL Mismatch  [Anti-Virus] 393
Always Keep (File instances)  [Configuration Service] 104
Always use session password  [Getting Started] 22
Analyse Internal Mails  [Mail Gateway] 275
APN Name  [Configuration Service] 77
Appliance Model  [Configuration Service] 53, 63
Application Protocol  [VPN] 247
Application Server IP  [VPN] 247
Application TCP Port  [VPN] 247, 248
Apply to Device  [OSPF and RIP] 523
Architecture  [Getting Started] 13
Archiving Settings  [Mail Gateway] 267
Area Default Cost  [OSPF and RIP] 521
Area Export Filters  [OSPF and RIP] 521
Area ID Format  [OSPF and RIP] 521
Area Import Filters  [OSPF and RIP] 521
Area in Filters  [OSPF and RIP] 521
Area out Filters  [OSPF and RIP] 521
ARP Cache Size  [Configuration Service] 100
ARP Reverse Route Check  [Firewall] 136
ARP Src IP Announcement  [Configuration Service] 100
Assigned Network  [VPN] 229
Assigned Range  [Barracuda NG Control Center] 459
Assigned Source IP  [Configuration Service] 69
Assigned Virtual Tree  [Configuration Service] 87
Assigned VPN Group Policy  [VPN] 231
Associated Netmask  [Configuration Service] 62
Assumed Rate  [Configuration Service] 86
at  [SNMP] 515
Attachment Stripping  [Mail Gateway] 269
Audit Delivery  [Firewall] 138
Authenticated User  [Firewall] 165
Authentication  [Firewall] 164; [VPN] 234; [Proxy] 342; [Barracuda NG Control Center] 493
Authentication error page  [Firewall] 199
Authentication index page  [Firewall] 200
Authentication Level  [Configuration Service] 91; [Barracuda NG Control Center] 459
Authentication logout page  [Firewall] 200
Authentication Method  [Configuration Service] 72, 75, 77
Authentication Mode  [Getting Started] 13; [Configuration Service] 54
Authentication Scheme  [VPN] 230, 244; [SSH Gateway] 387
Authentication Scheme General  [Proxy] 343
Authentication success page  [Firewall] 199
Authentication Sync Zone  [Configuration Service] 53
Authentication Text  [Proxy] 344
Authentication Text MS-CHAP  [Proxy] 343
Authentication Type  [Configuration Service] 59; [OSPF and RIP] 521, 523
Authentication Worker  [Proxy] 344
Authentication Worker MS-CHAP  [Proxy] 343
authorityInfoAccess  [Barracuda NG Control Center] 487
authorityKeyIdentifier  [Barracuda NG Control Center] 487
Authorized Root Keys  [Configuration Service] 55
Auto white list (senders)  [Mail Gateway] 270
Auto-Cost Ref Bwidth  [OSPF and RIP] 520
Automatic Hostname Assignment  [DHCP] 291
Automatically Detect MIME-Type  [Mail Gateway] 269
Availability  [Configuration Service] 64
Average 1/5/15 Mins  [Configuration Service] 119
AVIRA license  [Anti-Virus] 391

B

Backup Box [Configuration Service] 95
Backup MX [Configuration Service] 72, 74, 75, 78
Bad Rulefile Loaded [Mail Gateway] 272
Balance Preferred and Second [VPN] 237
Balanced Timeout [Firewall] 152
Band [Firewall] 165
Band A-G [Configuration Service] 89
Band Policy [VPN] 239, 241
Bandwidth [Configuration Service] 89, [OSPF and RIP] 523
Bandwidth Policy [VPN] 238
Base DN [Configuration Service] 112, [Barracuda NG Control Center] 485
Basic [Configuration Service] 112
basicConstraints [Barracuda NG Control Center] 487
Bind IP [Anti-Virus] 397, [SSH Gateway] 387
Bind IPs [VPN] 243
Bind NTPd [Configuration Service] 62
Bind policy [FTP Gateway] 371
Bind To Authenticate [Configuration Service] 113
Bind Type [Configuration Service] 97
Bitmap [VPN] 226, 228
BK Colour [Getting Started] 22
Black List [Proxy] 363
blackhole [DNS] 334
Blacklist From [Mail Gateway] 276
Blacklists [Mail Gateway] 270
Block [Firewall] 144, 145, 146, 147, 168, 171
Block & Terminate [Firewall] 168
Block Box Sync [Barracuda NG Control Center] 439
Block encrypted archives [Anti-Virus] 391, 392
Block if mismatch [Firewall] 148, 166, [Proxy] 348
Block If User Limit Exceeded [Proxy] 365
Block on Mismatch [Firewall] 163
Block on other error [Anti-Virus] 391
Block Server [Barracuda NG Control Center] 439
Block Service [Barracuda NG Control Center] 439
Block Unknown State [Proxy] 356
Block unsupported archives [Anti-Virus] 391
Block Update [Barracuda NG Control Center] 424
Blocked Local Sessions [Firewall] 138
Blocked Sessions [Firewall] 138
Blocked User Groups [VPN] 244,
Blocked Users [SSH Gateway] 388
BOB Settings [Firewall] 154
Boot File [DHCP] 293
Boot File Name [DHCP] 293, 300
Boot File Server [DHCP] 293
Boot Loader Location [Configuration Service] 102
Boot Unknown Clients [DHCP] 293
BOOTP Clients Policy [DHCP] 290
Boottime Release Check [Configuration Service] 108
Box [Firewall] 201, [Eventing] 328
Box Authentication [Barracuda NG Control Center] 428
Box Certificate [Configuration Service] 60
Box DNS Domain [Configuration Service] 55
Box Inventory [Configuration Service] 103
Box Log Patterns [Barracuda NG Control Center] 476
Box Name [Configuration Service] 52
Box Private Key [Configuration Service] 60
Box Reachable Statistics [Barracuda NG Control Center] 437
Box Unique Name [Configuration Service] 52
Box->MC Access [Configuration Service] 53
Bridging Device [Firewall] 194
Bridging Group [Firewall] 194
Bridging TTL Policy [Firewall] 195
Broadcast Address [DHCP] 292, 299
Broadcast RAS [Voice over IP] 377
Broad-Multicast [Firewall] 145, 146, 147
Browse... [Getting Started] 22
Browser [Proxy] 346
Browser Cleanup [VPN] 244
Browsers [Anti-Virus] 394
BSD [Configuration Service] 75
Buffer-overflow protection [FTP Gateway] 371
Bump Mapping [Barracuda NG Control Center] 497
Transfer Rate Limit [Configuration Service] 75


C

CA Root [VPN] 221
CA Sign Password [Barracuda NG Control Center] 486
Cache Direct Objects [Proxy] 342
Cache Domain Objects [Proxy] 342
Cache IP Objects [Proxy] 342
Cache MSAD-groups [Configuration Service] 112
Cache Peer Access [Proxy] 342
Cache Priority [Proxy] 342
Cache Timeout (sec) [Configuration Service] 115
Call Redirect [Voice over IP] 377
Cascade [Firewall] 145, 146, 147
Cascade Back [Firewall] 145, 146, 147
Cascaded is Primary [Proxy] 364
Cascaded Redirector [Proxy] 364
Cascading Included [Barracuda NG Control Center] 465
Categories [Proxy] 363
CCP Control Protocol [Configuration Service] 75
Cert. Authorities Management [Barracuda NG Control Center] 439
Certificate Login Matching [VPN] 229
Certificate Mgmt... [VPN] 226
Certificate Policy [VPN] 231
Challenge Timeout (sec) [Configuration Service] 115
Change Events [Barracuda NG Control Center] 438
Change HW clock to UTC [Getting Started] 12
Change Permissions [Barracuda NG Control Center] 438
Change Personal Network [VPN] 218
Change Server Password... [VPN] 226
Change Settings [Barracuda NG Control Center] 439
Channel Bonding Settings [Configuration Service] 75
Check Interval [Configuration Service] 79, 110
Check Reachability [Configuration Service] 80
Check Spam [Mail Gateway] 266
Check System Load [Configuration Service] 111
Check User Home [Configuration Service] 107
Class [Eventing] 328
Clear [Getting Started] 22
Clear DF Bit [Firewall] 164
Clear Filter - deletes the set filter [Barracuda NG Control Center] 492
Clear Log [Barracuda NG Control Center] 427
Clear Log ... [Barracuda NG Control Center] 428
Clear on Failure [Configuration Service] 108
Clear on Success [Configuration Service] 108
Client [Firewall] 154, 171
Client Alive Interval [SSH Gateway] 387
Client Alive Max Count [SSH Gateway] 387
Client Authentication [Barracuda NG Control Center] 474
Client Certificate Action [Proxy] 356
Client Codepage [Configuration Service] 115
Client Description [DHCP] 291
Client DHCP Options [DHCP] 291
Client Hostname [DHCP] 291
Client Log Level [SSH Gateway] 388
Client Loopback TCP Port [VPN] 247, 248
Client Parameters [DHCP] 291
Client Port Used [Firewall] 152
Client Updates [DHCP] 294
Clone Routes [Configuration Service] 73, 74, 76, 78
Closing [Firewall] 178
Cluster [Barracuda NG Control Center] 460
Cluster Name [Barracuda NG Control Center] 442
Collect Statistics [Configuration Service] 53, [Barracuda NG Control Center] 441, 442
Color [Firewall] 164, [Barracuda NG Control Center] 494
Comment [VPN] 220, [Eventing] 323
Common Name [Configuration Service] 59, [Barracuda NG Control Center] 487
Community [Eventing] 325, [Proxy] 343, [SNMP] 515
Complete Update [Barracuda NG Control Center] 424
Completed [Barracuda NG Control Center] 423
Compression [Configuration Service] 104, [VPN] 236
Condense after (days) [Barracuda NG Control Center] 464
Condense Data after (Days) [Statistics] 317
Configuration Level [Barracuda NG Control Center] 460
Configuration Read [Getting Started] 22
Configurations [Proxy] 363
Confirm Events [Barracuda NG Control Center] 439
Confirmed [Eventing] 328
Connect Timeout [Configuration Service] 77
Connection Color [Firewall] 153
Connection Timeout [Firewall] 154
Connection Type [Configuration Service] 71, [Barracuda NG Control Center] 476
Connections [Firewall] 142
Consistency Verification [Configuration Service] 80
Console Max. Idle [Configuration Service] 118
Console(COM1)AndManagement [Configuration Service] 54
ConsoleOnly(COM1) [Configuration Service] 54
Contact Info [SNMP] 515
Contact Mail [Proxy] 341, [Anti-Virus] 390, 391, 392
Contact Person [Barracuda NG Control Center] 441, 442
Content [VPN] 231
Content Filter [Firewall] 142
Context Identifier [Configuration Service] 77
Continue if mismatch [Firewall] 148, 166
Continue on Mismatch [Firewall] 158, 163
Control Permissions [Barracuda NG Control Center] 439
Cookie Server [DHCP] 292, 300
Cookie Timeout (Min.) [VPN] 244
Copy to Obsolete [VPN] 226
Corrupted Data Action [Statistics] 316, [Barracuda NG Control Center] 463
Count Destination IP [Firewall] 164
Count Source IP [Firewall] 164
Country [Configuration Service] 59, [Barracuda NG Control Center] 487
Create Boxes [Barracuda NG Control Center] 438
Create Cluster [Barracuda NG Control Center] 438
Create Copy ... [Barracuda NG Control Center] 427
Create Default Route [Configuration Service] 72, 74, 76, 78
Create New Key [VPN] 226
Create PAR File [Barracuda NG Control Center] 438
Create Proxy ARP [Firewall] 145, 146, 154
Create Range [Barracuda NG Control Center] 438
Create Repository [Barracuda NG Control Center] 438
Create Server [Barracuda NG Control Center] 438
Create Service [Barracuda NG Control Center] 438
Create Task [Barracuda NG Control Center] 427
Create Time Interval for Rule [Firewall] 148
Created [Barracuda NG Control Center] 445
CRL Poll Time [VPN] 219
crlDistributionPoints [Barracuda NG Control Center] 487
Cryptographic Service Provider [Getting Started] 23
Cumulative Interval [Firewall] 137
Cumulative Maximum [Firewall] 137
Custom Template Logo [Anti-Virus] 395
Cut Whitelists [Mail Gateway] 269
Cycle [Firewall] 144


D

Daily Report Mail to [Mail Gateway] 270
Daily Schedule [Configuration Service] 103
Data Limit (kB) [Firewall] 139
Data Selection [Configuration Service] 116, 117
Data Selector [Configuration Service] 116, 117
Data Trickle Buffer Size [Anti-Virus] 394
Data Trickle Dest. Domains [Anti-Virus] 394
Data Trickle Size [Anti-Virus] 394
Data Trickle URL Pattern [Anti-Virus] 394
Data Types for Service [Barracuda NG Control Center] 465
Data Types for Subservice [Barracuda NG Control Center] 465
Database Mirror [Anti-Virus] 391
Dataport range [FTP Gateway] 371
DDNS Domainname [DHCP] 293
DDNS Hostname [DHCP] 292
Deactivation Lag [Configuration Service] 65
Dead Neighbor Poll Interval [OSPF and RIP] 524
Dead Peer Detection Interval (s) [VPN] 220
Debug Level [Proxy] 341
Debug Log Level [Anti-Virus] 390
Def Lease Time [DHCP] 293
Default [Proxy] 344, 347
Default HTTPS Certificate [Firewall] 200
Default HTTPS Private Key [Firewall] 200
Default Image Name [Configuration Service] 102
Default Internal Mail Server [Mail Gateway] 264
Default Internal MX [Mail Gateway] 263
Default Key [VPN] 219
Default Master DNS [Configuration Service] 56
Default Metric [OSPF and RIP] 520, 522
Default NIC [Getting Started] 13
Default Policy [Firewall] 164, [Proxy] 363
Default Poll Time (secs) [Firewall] 205
Default Recipient DB [Mail Gateway] 263
Default Recipients [Mail Gateway] 263
Default Recipients Lookup [Mail Gateway] 263, 265
Default Route Distribution [OSPF and RIP] 521
Default Route Redistribution [OSPF and RIP] 522
Default Store [Getting Started] 23
Default User specific [FTP Gateway] 372
Define Browser Access [Proxy] 346
Define Maximum Connections [Proxy] 346
Define Request Method [Proxy] 346
Define Transfer Protocol [Proxy] 346
Defined Connections [VPN] 231
Delay [VPN] 239
Delete [Barracuda NG Control Center] 424
Delete Box Logfiles [Barracuda NG Control Center] 439
Delete Box Statistics [Barracuda NG Control Center] 439
Delete Data after (Days) [Statistics] 317
Delete Data after (days) [Barracuda NG Control Center] 464
Delete Events [Barracuda NG Control Center] 439
Delete Group [Barracuda NG Control Center] 491
Delete Infected Mails [Mail Gateway] 266
Delete Service Logfiles [Barracuda NG Control Center] 439
Delete Stripped Attachments [Barracuda NG Control Center] 439
Delete Task [Barracuda NG Control Center] 426
Delete Tunnel [Barracuda NG Control Center] 492, 494
Delete VPN Service from Group [Barracuda NG Control Center] 492
Delete VPN Service from GTI Editor [Barracuda NG Control Center] 491
Delete Wild Route [Barracuda NG Control Center] 439
Delivered Entries [Mail Gateway] 272
Delivery IPs [Mail Gateway] 264
Delivery Policy [Mail Gateway] 264
Demo Mode [Barracuda NG Control Center] 498
Demo or Export Mode [Getting Started] 11
Denied Classes [DHCP] 290
Denied source-networks [FTP Gateway] 372
Denied URLs per IP [Proxy] 365
Denied URLs per User [Proxy] 365
Deny [Firewall] 144, 145, 146, 147, 171
Deny active ftp-data transfer [FTP Gateway] 371
Deny additional ftp-commands [FTP Gateway] 371
Deny delete dir [FTP Gateway] 372
Deny Expired Certificates [Proxy] 356
Deny file-delete [FTP Gateway] 372
Deny file-download [FTP Gateway] 371, 372
Deny file-extensions [FTP Gateway] 372
Deny file-rename [FTP Gateway] 372
Deny file-upload [FTP Gateway] 371, 372
Deny make dir [FTP Gateway] 372
Deny on Mismatch [Firewall] 163
Deny Page [Proxy] 364
Deny passive ftp data-transfer [FTP Gateway] 371
Deny structure mount [FTP Gateway] 372
Deny Threshold [Mail Gateway] 275
Deny URL [Proxy] 364
Description [Configuration Service] 97, 118
Dest. [Firewall] 183
Destination [Firewall] 163, [Eventing] 325, [FTP Gateway] 371, 372
Destination Address [Firewall] 187
Destination IP [Proxy] 346, [Barracuda NG Control Center] 476
Destination Port [Firewall] 187, [Barracuda NG Control Center] 476
Destination SSL Certificate [Barracuda NG Control Center] 476
Destination SSL IP [Barracuda NG Control Center] 476
Destination SSL Port [Barracuda NG Control Center] 476
Destination-specific SSL-Settings [Firewall] 200
Detect AdSpy [Anti-Virus] 391
Detect All PUA [Anti-Virus] 392
Detect All Types [Anti-Virus] 391
Detect Appl. Model Mismatch [Configuration Service] 53
Detect BDC [Anti-Virus] 391
Detect Broken Executables [Anti-Virus] 392
Detect Dialers [Anti-Virus] 391
Detect Games [Anti-Virus] 391
Detect HiddenExt [Anti-Virus] 391
Detect Jokes [Anti-Virus] 391
Detect Pck [Anti-Virus] 391
Detect Phish [Anti-Virus] 391
Detect Spr [Anti-Virus] 391
Detection Regex [Anti-Virus] 394
Device [Getting Started] 10, [Configuration Service] 89, [Firewall] 195
Device Addresses Reside [Firewall] 149
Device Autodetection [DHCP] 289
Device Index [VPN] 220, 240
Device IP Address [Firewall] 194
Device Name [Configuration Service] 86
Device Realm [Configuration Service] 80
Devices [Configuration Service] 89, [OSPF and RIP] 522
devmtu [Configuration Service] 73
DHCP Client Identifier [DHCP] 291
DHCP Connect Timeout [Configuration Service] 73
DHCP Enabled [Configuration Service] 73
DHCP Interface [Configuration Service] 73
DHCP Packet Size [DHCP] 302
DHCP Server Identifier [DHCP] 289
DHCP Server IPs [DHCP] 302
DHCP Server Permissions [Barracuda NG Control Center] 439
DH-Group [VPN] 227, 240, [Barracuda NG Control Center] 494
Dial Allowed From [Configuration Service] 75
Dial Allowed Until [Configuration Service] 75
Dial Mode [Configuration Service] 75
Dial Out Prefix [Configuration Service] 74
Digest Authentication Key [OSPF and RIP] 521, 523
Direction [Firewall] 160, [VPN] 233, 240
Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010
572 | Index of Configuration Parameters Appendix

Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

Directory Pattern [Statistics] 316, [Barracuda NG Control Center] 464, [Barracuda NG Control Center] 465
Disable [Firewall] 168
Disable & Terminate [Firewall] 168
Disable Assembler Ciphers [Firewall] 136
Disable Box [Configuration Service] 53
Disable Device Check [Firewall] 158
Disable Events System Tray [Getting Started] 22
Disable FTP [Proxy] 341
Disable Interface Check [Firewall] 158
Disable Nagle Algorithm (No Delayed ACK) [Firewall] 163
Disable Quarantine Group [Firewall] 195
Disable Service [Configuration Service] 97
Disable Session Passwords [Configuration Service] 119
Disable Smartcard / Token [Getting Started] 23
Disable Summary [OSPF and RIP] 521
Disable Update [Anti-Virus] 390, [Barracuda NG Control Center] 441
Disable Updates [Barracuda NG Control Center] 442
Disable/Enable VPN Tunnels [Barracuda NG Control Center] 439
Disabled [Configuration Service] 91, [VPN] 233, [Barracuda NG Control Center] 423
Disc Write [Statistics] 316
Disk [Getting Started] 12
DLP [Proxy] 351, [Anti-Virus] 396
DLP Exception URLs [Proxy] 351, [Anti-Virus] 396
DNS [VPN] 226, [VPN] 229
DNS Config [DNS] 333
DNS Database Info [Anti-Virus] 391
DNS Lifetime (Sec) [Firewall] 150
DNS Master IP [Configuration Service] 56
DNS Query [Mail Gateway] 266
DNS Query ACL [Configuration Service] 56
DNS Query Rotation [Configuration Service] 55
DNS Query Timeout [Configuration Service] 55
DNS Resolved IP [Configuration Service] 114
DNS Reverse Lookup [SSH Gateway] 387
DNS Search Domains [Configuration Service] 55
DNS Server [DHCP] 299
DNS Server IP [Configuration Service] 55, [DHCP] 294
DNS Servers [DHCP] 292
DNS Slave Zones [Configuration Service] 56
DNS Update Scheme [DHCP] 294
DNS Zone [DHCP] 290
DNS Zones [DHCP] 294
Do Fwd Updates [DHCP] 293
Domain [Configuration Service] 59, [VPN] 226, [VPN] 228, [Anti-Virus] 393
Domain Action [Mail Gateway] 275
Domain Config [Proxy] 346
Domain Controller [Configuration Service] 113, [Proxy] 344
Domain Controller IP [Configuration Service] 112, [Configuration Service] 115
Domain Controller Name [Configuration Service] 112, [Configuration Service] 115
Domain Manipulation [Mail Gateway] 267
Domain Name [Configuration Service] 115, [DHCP] 292, [DHCP] 299
Domain Realm [Configuration Service] 112
Domain Restrictions [Proxy] 342
Domain Suffix [Getting Started] 11
Domain Whitelist [Mail Gateway] 275
DomainController [Barracuda NG Control Center] 487
Domains [Mail Gateway] 264, [Proxy] 346, [Anti-Virus] 394
Download CRLs at Hour (0.23) [Proxy] 356
Download Server [Anti-Virus] 391
Driver Module Name [Configuration Service] 63
Driver Options [Configuration Service] 63
Driver Type [Configuration Service] 63
Drop Event [Eventing] 323
Drop event [Eventing] 324
Drop Fragmented Mails [Mail Gateway] 271
Drop Mails over Attachment Limit [Mail Gateway] 271
Drop prohibited Protocols [Firewall] 162
Dropped Packets [Firewall] 138
DSA Host Key [SSH Gateway] 387
DSN for Max Data Size Excess [Mail Gateway] 271
DSN for Max Recipients Excess [Mail Gateway] 271
DSN Mails in MIME-Format [Mail Gateway] 266
Dst Statistics [Configuration Service] 97
Dst Time-Statistics [Configuration Service] 97
Duplicates Policy [DHCP] 291
Duration of Validity [Barracuda NG Control Center] 486
Dyn. Service [Firewall] 152
Dyn. Service Name Entries [Firewall] 135
Dynamic Address Assignment [Configuration Service] 75
Dynamic BOOTP Lease Time [DHCP] 293
Dynamic DNS Params [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 78
Dynamic Rule Control [Barracuda NG Control Center] 439
Dynamic Rule Selector [VPN] 248
Dyndns Name [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 78

E
Echo Limit Exceeded [Firewall] 137
Echo/Src Limit Exceeded [Firewall] 137
Edit ... [Barracuda NG Control Center] 426, [Barracuda NG Control Center] 428
Edit Certificate... [VPN] 226
Edit Group [Barracuda NG Control Center] 491
Edit Tunnel [Barracuda NG Control Center] 492, [Barracuda NG Control Center] 494
EMail Address [Configuration Service] 59
Email Address [Barracuda NG Control Center] 441, [Barracuda NG Control Center] 442, [Barracuda NG Control Center] 487
ENA [VPN] 225, [VPN] 228
Enable [Firewall] 168
Enable Attachment Stripping [Mail Gateway] 269
Enable Autonegotiation [Configuration Service] 64
Enable Avira [Anti-Virus] 390
Enable Blacklist [Mail Gateway] 270
Enable Certificate Verification [Proxy] 355
Enable ClamAV [Anti-Virus] 390
Enable Cloning and Archiving [Mail Gateway] 267
Enable Commands [Barracuda NG Control Center] 439
Enable Compression [Getting Started] 22
Enable Configuration [OSPF and RIP] 521
Enable Data Trickle Feature [Anti-Virus] 394
Enable Domain Check [Mail Gateway] 275
Enable Fail Cache [Proxy] 341
Enable FW Compression [Firewall] 136
Enable Grey Listing [Mail Gateway] 269
Enable H.323 Gatekeeper [Voice over IP] 377
Enable HA Sync [Mail Gateway] 276, [DHCP] 299
Enable Inbound Shaping [Configuration Service] 89
Enable L2TP [VPN] 222
Enable Monitoring on Secondary [Configuration Service] 95
Enable Peer-To-Peer Detection [Firewall] 134
Enable Poisoned Reverse [OSPF and RIP] 523
Enable Post Settings [Mail Gateway] 267
Enable PPP Multilink [Configuration Service] 71
Enable Pre Settings [Mail Gateway] 267
Enable Progress Popup [Anti-Virus] 394
Enable Proxy [Proxy] 362
Enable Public Folder [VPN] 247
Enable Redirector [Proxy] 362
Enable Revocation Check [Proxy] 356
Enable SCEP [Configuration Service] 58
Enable serial console [Getting Started] 14
Enable SNMP [Proxy] 343
Enable Spam Analysis [Mail Gateway] 275
Enable Split Horizon [OSPF and RIP] 523
Enable SSL Decryption [Proxy] 355
Enable SSL-VPN [VPN] 243
Enable Traffic Shaping [Configuration Service] 88
Enable Training [Mail Gateway] 277
Enable Trickle Feature [Anti-Virus] 393
Enable Tunnel [Configuration Service] 66
Enable Virus Detection [Anti-Virus] 396
Enable Virus Scanner [Anti-Virus] 393
Encapsulation Mode [Configuration Service] 74, [Configuration Service] 79
Encryption [VPN] 227, [VPN] 234, [VPN] 240, [Barracuda NG Control Center] 493, [Barracuda NG Control Center] 494
Encryption Level [Configuration Service] 53, [Configuration Service] 95
End Date [Barracuda NG Control Center] 502
Ending Offset [Firewall] 160
Endpoint Descriptor [Configuration Service] 71
Enforced Metric [OSPF and RIP] 522
Enter in Registry [Getting Started] 14
Enterprise [Eventing] 325
Enterprise ID [SNMP] 515
Envelope Band Value [VPN] 239, [VPN] 241
Envelope TOS Value [VPN] 238, [VPN] 241
Error mailbox (MB) [DNS] 337
Established [Firewall] 178
Estimated Bandwidth [VPN] 238
Ethernet MTU [Configuration Service] 63
Ethernet Trunks [Configuration Service] 65
Event ID [Eventing] 323
Event must be confirmed [Eventing] 324
Event on NTPd [Configuration Service] 57
Event on SSH [Configuration Service] 106
Event Permissions [Barracuda NG Control Center] 439
Event Settings [Mail Gateway] 272
Eventing [Firewall] 164
Exceeding MBytes [Firewall] 138
Exception Regex [Anti-Virus] 394
Exchange Timeout (s) [VPN] 220
Exclude Networks [Firewall] 159
Excluded Domains [Anti-Virus] 395
Excluded Sources [Anti-Virus] 395
Exclusive Parent [Proxy] 342
Executable [Firewall] 138
Executable and Linking Format [Anti-Virus] 392
Execute [Firewall] 145, [Firewall] 146, [Firewall] 147
Expire (TTL) [DNS] 336, [DNS] 337
Expire after [DNS] 335
Expiry Grace Period [Configuration Service] 92
Explicit [Firewall] 145, [Firewall] 154, [Firewall] 171
Explicit Bind IP [FTP Gateway] 371
Explicit Bind IPs [Configuration Service] 97
Explicit Box IP [Configuration Service] 53
Explicit Groups [Configuration Service] 115
Explicit IP [Firewall] 154
Explicit Listen IPs [VPN] 245
Explicit MC IP [Configuration Service] 53
Explicit Node Name [Configuration Service] 117
Explicit X509 [VPN] 221
Explicitly Add Protocols [Firewall] 134
Explicitly Skip Protocols [Firewall] 134
Export ... [Barracuda NG Control Center] 428
Export Issuer Cert... [VPN] 226
Export Rulelist... [Firewall] 143
Export to Clipboard... [VPN] 226
Export to File... [VPN] 226
Expose Postmaster Alerts [Anti-Virus] 396
Expose Sender Alerts [Anti-Virus] 396
extendedKeyUsage [Barracuda NG Control Center] 487
Extent Type [OSPF and RIP] 525
External Authentication [Configuration Service] 91, [VPN] 229, [Barracuda NG Control Center] 459
External Boxes [Barracuda NG Control Center] 437
External DB Files [Configuration Service] 115
External LDAP Server [Barracuda NG Control Center] 485
External Listen Address [Mail Gateway] 263
External Login Name [Configuration Service] 92
External login name [Barracuda NG Control Center] 459
External Relaying [Barracuda NG Control Center] 473
External Root CA Certificate [Proxy] 355
External Root CA Private Key [Proxy] 355
External Scan Engine [Anti-Virus] 396
External-Signed Certificate [VPN] 244
External-Signed Private Key [VPN] 244

F
Failed [Barracuda NG Control Center] 423
Failed Local Sessions [Firewall] 138
Failed Sessions Termination [Firewall] 138
Failing [Firewall] 178
Failure Retry Intervals (Minutes) [Configuration Service] 59
Failure Standoff [Configuration Service] 67, [Configuration Service] 79
Fallback [Firewall] 144
Fallback Driver Options [Configuration Service] 63
Fallback Enabled [Configuration Service] 63
Fallback Module Name [Configuration Service] 63
File [Getting Started] 22
File Extension Filter [Mail Gateway] 269
File Limit [Firewall] 139
File Sync Frequency (lines) [Barracuda NG Control Center] 474
File system [Getting Started] 12
Filename [Proxy] 347
Filename Length [FTP Gateway] 371
Filled [Barracuda NG Control Center] 494
Filter [Firewall] 160, [Statistics] 313
Filter Box Affiliation [Barracuda NG Control Center] 475
Find String [Proxy] 363
Firewall Always ON [VPN] 228
Firewall login [Proxy] 362
Firewall Permissions [Barracuda NG Control Center] 439
Firewall Rule Activation [VPN] 248
First DNS [VPN] 222
First WINS [VPN] 222
First-IP (S1) [Configuration Service] 95
Fit to Screen [Barracuda NG Control Center] 492
Fixed IP Address [DHCP] 291
Fixed Radius Password [Voice over IP] 377
Fixed Radius User [Voice over IP] 377
Flags [Getting Started] 23
Flood Ping [Firewall] 138
Follow Referrals [Configuration Service] 112
Force Delete [Barracuda NG Control Center] 424
Force Flash [Configuration Service] 101
Force Full Update [Barracuda NG Control Center] 492
Force Key Authentication [Configuration Service] 107
Force MSS (Maximum Segment Size) [Firewall] 163
Force Non Flash [Configuration Service] 101
Force password change every [Barracuda NG Control Center] 459
Force re-authentication [Firewall] 199
foreign [Mail Gateway] 264
Foreign IP Sufficient [Configuration Service] 69
Forward [Firewall] 178, [DNS] 334
forward [DNS] 333
Forward Band [Firewall] 144
Forward Log Policy [Firewall] 137
forward source-ip [DNS] 334
Forward X11 Connection [SSH Gateway] 387
Forward X11 connections [SSH Gateway] 388
Forward Zone Name [DHCP] 294
forwarders [DNS] 333
Forwards [DNS] 334
Free Format Text [DHCP] 295, [OSPF and RIP] 525
FTP-command/protocol check [FTP Gateway] 371
Full Address Manipulation [Mail Gateway] 267
Full Name [Configuration Service] 55, [Configuration Service] 91, [Barracuda NG Control Center] 441, [Barracuda NG Control Center] 442, [Barracuda NG Control Center] 458
Fully Meshed [Barracuda NG Control Center] 494
Further Subnets [DHCP] 290
Further Tries Transport Selection Policy [VPN] 237

G
Garbage Collect Timer [OSPF and RIP] 522
Gatekeeper Bind IP [Voice over IP] 377
Gatekeeper Name [Voice over IP] 377
Gatekeeper Password [Voice over IP] 377
Gateway [Getting Started] 10, [Configuration Service] 69, [VPN] 218
Gateway Hostname [Voice over IP] 377
Gateway IP [Voice over IP] 377, [OSPF and RIP] 524
Gateway to Modem IP [Configuration Service] 72
GC Busy Threshold [Configuration Service] 116, [Barracuda NG Control Center] 473
GC Elasticity [Configuration Service] 100
GC Idle Threshold [Configuration Service] 116, [Barracuda NG Control Center] 473
GC Interval [Configuration Service] 101
GC Min Interval [Configuration Service] 101
GC Threshold [Configuration Service] 101
GC Timeout [Configuration Service] 101
Generate Audit Info [Firewall] 138
Generate Events [Firewall] 137
Generate Statistics [Configuration Service] 97
Generic Application Tunneling [VPN] 247
Generic Forwarded Networks [Firewall] 137
Generic OID [VPN] 231
Generic Schedule [Configuration Service] 103
Generic squid.conf Entries [Proxy] 351
Geometry Quality [Barracuda NG Control Center] 497
Global Append Option [Configuration Service] 102
Global Position [Configuration Service] 53
Global Replay Window Size [VPN] 219
Global Reverse Device Policy [Firewall] 136
Global TCP Delay Policy [Firewall] 136
Global TOS Copy [VPN] 219
Go to Box [Barracuda NG Control Center] 492
Go to Config Tree [Barracuda NG Control Center] 492
Grace period after expiration [Barracuda NG Control Center] 459
Graphical API [Barracuda NG Control Center] 497
GRE with Assigned IP [Configuration Service] 73, [Configuration Service] 74, [Configuration Service] 76, [Configuration Service] 78
Greeting Name [Mail Gateway] 263
Grey Listing Settings [Mail Gateway] 269
Grey Listing Time [Mail Gateway] 270
Group [VPN] 231
Group Attribute [Configuration Service] 113, [Configuration Service] 114
Group Attribute Delimiter [Configuration Service] 114
Group Attribute Usage [Configuration Service] 114
Group Description [DHCP] 291
Group DHCP Options [DHCP] 291
Group Name [Configuration Service] 115
Group Parameters [DHCP] 291
Group Pattern [VPN] 231
Group Patterns [Firewall] 201
Groups [Proxy] 346
grow [Getting Started] 12
GTI Editor Defaults [Barracuda NG Control Center] 491
GUI Corresponding Text [DHCP] 294


H
H.323 Alias [Voice over IP]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
H.323 Endpoints [Voice over IP] . . . . . . . . . . . . . . . . . . . . . . . 377
H.323 Neighbors [Voice over IP] . . . . . . . . . . . . . . . . . . . . . . . 377
HA Sync [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
HA Sync Key [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . 387
HA Sync Mode [Barracuda NG Control Center] . . . . . . . . . . 461,
[Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 485
HA Sync Period [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
HA Sync Timeout [Barracuda NG Control Center]. . . . . . . . 437
HA Synchronisation [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Halfside Close Timeout (s) [Firewall] . . . . . . . . . . . . . . . . . . . 163
Shared Network Device [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . . 289
Hash Meth. [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227,
[VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240,
[Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 494
Header Reordering [Configuration Service] . . . . . . . . . . . . . 66
Header Trickle Dest. Domains [Anti-Virus] . . . . . . . . . . . . . . 394
Header Trickle Pattern [Anti-Virus] . . . . . . . . . . . . . . . . . . . . 394
Help Text (html) [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Heuristic Macro Detection [Anti-Virus] . . . . . . . . . . . . . . . . . 391
Heuristic Others Detection [Anti-Virus]. . . . . . . . . . . . . . . . . 392
Heuristic Scan Precedence [Anti-Virus] . . . . . . . . . . . . . . . . 392
Hide in netfence VPN World [Barracuda NG Control Center] 493
Hint [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Hint Zone [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
History [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . 445
HMAC-MD5 Key [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Host [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337,
[Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Host IP [Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 55
Host Name [Configuration Service] . . . . . . . . . . . . . . . . . . . . 55,
[DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Host Name or IP Address [VPN] . . . . . . . . . . . . . . . . . . . . . . . 231
Hosting Interface [Configuration Service] . . . . . . . . . . . . . . 65
Hostname [Getting Started]. . . . . . . . . . . . . . . . . . . . . . . . . . . 11,
[Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 62,
[OSPF and RIP]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Hostname via Rev-DNS [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . 293
HTML Templates [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . 390
HTTP Authentication [Configuration Service] . . . . . . . . . . . 59
HTTP/1.1-Keep-Alive [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 199
HTTP/1.1-Keep-Alive timeout [Firewall] . . . . . . . . . . . . . . . . . 199
Hub [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . . . 494
HW Accel. [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
HW Acceleration [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234


I
I/O Tuning [Configuration Service] . . . . . 101
ICP Port [Proxy] . . . . . 341,
    [Proxy] . . . . . 342
ID [Configuration Service] . . . . . 87
IDE-DMA Support [Configuration Service] . . . . . 101
Identification Type [VPN] . . . . . 241
Idle Hangup Time [Configuration Service] . . . . . 75
Idle Mode [Configuration Service] . . . . . 116,
    [SSH Gateway] . . . . . 387,
    [Barracuda NG Control Center] . . . . . 472,
    [OSPF and RIP] . . . . . 519
Idle Timeout [VPN] . . . . . 223
IEN Name Server [DHCP] . . . . . 292,
    [DHCP] . . . . . 300
Image [Getting Started] . . . . . 15
Import ... [Barracuda NG Control Center] . . . . . 428,
    [Barracuda NG Control Center] . . . . . 432
Import Key... [VPN] . . . . . 226
Import License [Barracuda NG Control Center] . . . . . 439
Import Rulelist... [Firewall] . . . . . 143
Impress Server [DHCP] . . . . . 292,
    [DHCP] . . . . . 300
Inactive [Configuration Service] . . . . . 54,
    [Firewall] . . . . . 165
inactive [Firewall] . . . . . 144
Inactivity Grace Time [SSH Gateway] . . . . . 388
Inbound [Firewall] . . . . . 136,
    [Firewall] . . . . . 163,
    [Firewall] . . . . . 171
Inbound Bandwidth [Configuration Service] . . . . . 89
Inbound Rate [Configuration Service] . . . . . 87
Inbound SMS Handling [Configuration Service] . . . . . 77
Inbound Threshold (%) [Firewall] . . . . . 136
Inbound-User [Firewall] . . . . . 171
Include Node Creation [Barracuda NG Control Center] . . . . . 502
Include Server IPs [Configuration Service] . . . . . 80
Include Subdomains [Mail Gateway] . . . . . 263
Included subservice directories [Barracuda NG Control Center] . . . . . 465
Info [Barracuda NG Control Center] . . . . . 494
Initial Data Trickle Size [Anti-Virus] . . . . . 394
Initial directory [FTP Gateway] . . . . . 371
Initiation Timeout [VPN] . . . . . 223
Insert [Eventing] . . . . . 328
Insert new Personal Network [VPN] . . . . . 218
Install Utilities [Getting Started] . . . . . 13
Instances [Statistics] . . . . . 315
Area ID [OSPF and RIP] . . . . . 521
Interface [Firewall] . . . . . 154,
    [Firewall] . . . . . 183
Interface Addresses [OSPF and RIP] . . . . . 523
Interface Computation [Configuration Service] . . . . . 64
Interface Default [OSPF and RIP] . . . . . 522
Interface Description [OSPF and RIP] . . . . . 523
Interface Groups [Firewall] . . . . . 142
Interface Monitoring Policy [Configuration Service] . . . . . 96
Interface Name [Configuration Service] . . . . . 62,
    [Configuration Service] . . . . . 65,
    [Configuration Service] . . . . . 69,
    [Firewall] . . . . . 154,
    [OSPF and RIP] . . . . . 524
Interface Realm [Configuration Service] . . . . . 62,
    [Configuration Service] . . . . . 69,
    [Configuration Service] . . . . . 73,
    [Configuration Service] . . . . . 74,
    [Configuration Service] . . . . . 76,
    [Configuration Service] . . . . . 78
Interface Usage [Configuration Service] . . . . . 64
Interface/Tunnel Name [Configuration Service] . . . . . 87
Interfaces [OSPF and RIP] . . . . . 523
interfaces [SNMP] . . . . . 515
internal [Mail Gateway] . . . . . 264
Internal Interface Name [Configuration Service] . . . . . 63
Internal IP-Addresses [Mail Gateway] . . . . . 266
Internal Listen Address [Mail Gateway] . . . . . 263
Introduce Route on Device [Firewall] . . . . . 159
Introduce Routes [Firewall] . . . . . 149
Invalid ARPs [Firewall] . . . . . 138
Inventory [Configuration Service] . . . . . 103
INVITE Timeout [Voice over IP] . . . . . 378
Area ID [OSPF and RIP] . . . . . 521
IP [Getting Started] . . . . . 12
ip [SNMP] . . . . . 515
IP Address [Getting Started] . . . . . 10,
    [Configuration Service] . . . . . 62,
    [Firewall] . . . . . 195,
    [Firewall] . . . . . 205,
    [VPN] . . . . . 223,
    [DHCP] . . . . . 299,
    [DNS] . . . . . 336
IP address [DNS] . . . . . 337
IP Address or Device used for Tunnel Address [VPN] . . . . . 235
IP Address/Mask [SNMP] . . . . . 515
IP Addresses [VPN] . . . . . 219,
    [VPN] . . . . . 220
IP Begin [DHCP] . . . . . 290
IP Blacklist [Mail Gateway] . . . . . 270
IP Configuration [Proxy] . . . . . 345,
    [Proxy] . . . . . 346
IP Dyn Address [Configuration Service] . . . . . 100
IP End [DHCP] . . . . . 290
IP Monitoring Policy [Configuration Service] . . . . . 95
IP Netmask [Firewall] . . . . . 194
IP Prefix List [OSPF and RIP] . . . . . 522,
    [OSPF and RIP] . . . . . 524
IP Ranges [Proxy] . . . . . 345,
    [Proxy] . . . . . 346
IP Spoofing [Firewall] . . . . . 138
IP/Hostname [Proxy] . . . . . 342
IP/Mask [Proxy] . . . . . 343
IP-Begin [DHCP] . . . . . 299
IP-End [DHCP] . . . . . 299
IPs Allowed To Connect (ACL) [Mail Gateway] . . . . . 277
IPSec Client [VPN] . . . . . 231
IPSec Log Level [VPN] . . . . . 220
IPSec Personal [VPN] . . . . . 220
IPSec PSK [VPN] . . . . . 223
IPSec Site-to-Site [VPN] . . . . . 220
IRC [Anti-Virus] . . . . . 392
ISDN Card [Configuration Service] . . . . . 74
ISDN Enabled [Configuration Service] . . . . . 74
ISDN MSN [Configuration Service] . . . . . 74
ISDN on Standby [Configuration Service] . . . . . 74
ISDN Settings [Configuration Service] . . . . . 74
Issuer [Firewall] . . . . . 201,
    [VPN] . . . . . 219,
    [VPN] . . . . . 220
issuerAltName [Barracuda NG Control Center] . . . . . 487

K
Keep Fail Cache Entries (d) [Proxy] . . . . . 341
Keep Log Structure [Configuration Service] . . . . . 104
Keep Mails In Mailbox [Mail Gateway] . . . . . 277
Keep Structural Info [Barracuda NG Control Center] . . . . . 476
Kernel Parameter [Getting Started] . . . . . 14
Key Algorithm [Barracuda NG Control Center] . . . . . 486
Key Encryption [Barracuda NG Control Center] . . . . . 486
Key Length [Getting Started] . . . . . 23
Key Regeneration Period [Configuration Service] . . . . . 107
Key Time Limit [VPN] . . . . . 226,
    [VPN] . . . . . 228,
    [VPN] . . . . . 234,
    [Barracuda NG Control Center] . . . . . 493
Key Traffic Limit [VPN] . . . . . 226,
    [VPN] . . . . . 228,
    [VPN] . . . . . 234,
    [Barracuda NG Control Center] . . . . . 493
Key/Key String [OSPF and RIP] . . . . . 521
Keyboard Layout [Getting Started] . . . . . 11
Keysize in Bits [Barracuda NG Control Center] . . . . . 486
keyUsage [Barracuda NG Control Center] . . . . . 487
Kill Handler Processes [Barracuda NG Control Center] . . . . . 439
Kill Sessions [Barracuda NG Control Center] . . . . . 438,
    [Barracuda NG Control Center] . . . . . 439
Kill Worker Process [Mail Gateway] . . . . . 272
Kind of Application [VPN] . . . . . 247
Known Clients [DHCP] . . . . . 290,
    [DHCP] . . . . . 291
Known Hosts [Configuration Service] . . . . . 55


L
LACPDU Packet Rate [Configuration Service] . . . . . 65
LAN Interfaces [Firewall] . . . . . 195
Language on Error Pages [Proxy] . . . . . 341
Large ICMP Packet [Firewall] . . . . . 137
Last ACK Timeout (s) [Firewall] . . . . . 163
Last Modified [Barracuda NG Control Center] . . . . . 445
Last Password Change [Barracuda NG Control Center] . . . . . 459
Layer [Eventing] . . . . . 328
LCP Check Interval [Configuration Service] . . . . . 79
LCP Echo Failure [VPN] . . . . . 223
LCP Echo Interval [VPN] . . . . . 223
LDAP Admin DN [Configuration Service] . . . . . 113
LDAP Admin Password [Configuration Service] . . . . . 113
LDAP Alternative Login Name Field [VPN] . . . . . 230
LDAP Authentication Selector Field [VPN] . . . . . 230
LDAP Base DN [Configuration Service] . . . . . 113
LDAP Group Information [VPN] . . . . . 230
LDAP IP Attribute [VPN] . . . . . 230
LDAP Password Field [Configuration Service] . . . . . 113
LDAP Server [Configuration Service] . . . . . 113
LDAP Server Port [Configuration Service] . . . . . 113
LDAP User Field [Configuration Service] . . . . . 113
LDAP VPN Group Attribute [VPN] . . . . . 230
Lease Limit [DHCP] . . . . . 294
Lease Time [DHCP] . . . . . 299
Leases Critical [DHCP] . . . . . 299
Leases Low [DHCP] . . . . . 299
Level1 Directories [Proxy] . . . . . 341
Level2 Directories [Proxy] . . . . . 341
License [VPN] . . . . . 225
License is disabled [VPN] . . . . . 225
License Type [VPN] . . . . . 226
Licenses [Getting Started] . . . . . 13,
    [Configuration Service] . . . . . 93
Lifetime [VPN] . . . . . 240,
    [Barracuda NG Control Center] . . . . . 494
LILO linear [Getting Started] . . . . . 14
Limit Mail Data Size [Mail Gateway] . . . . . 271
Link Active [Configuration Service] . . . . . 71,
    [Configuration Service] . . . . . 73
Link Check [Configuration Service] . . . . . 65
Link Check Mode [Configuration Service] . . . . . 65
Link Description [VPN] . . . . . 246,
    [VPN] . . . . . 247,
    [VPN] . . . . . 248
Link Properties [Configuration Service] . . . . . 71
List of Critical Ports [Firewall] . . . . . 146
Listen on [Mail Gateway] . . . . . 265
Listen on Devices [DHCP] . . . . . 289
Listen timeout [FTP Gateway] . . . . . 371
Listen to Port 443 [Barracuda NG Control Center] . . . . . 440
Listening Port [Mail Gateway] . . . . . 277,
    [FTP Gateway] . . . . . 371
Load Interface Info [OSPF and RIP] . . . . . 523
Load Network Info [DHCP] . . . . . 289
Loader Delay [Configuration Service] . . . . . 102
Loader Password [Configuration Service] . . . . . 102
Local Address [Firewall] . . . . . 146,
    [VPN] . . . . . 240
Local Clock Stratum [Configuration Service] . . . . . 57
Local Deliver IP [Mail Gateway] . . . . . 264
Local End IP [Configuration Service] . . . . . 80
Local In [Firewall] . . . . . 178
Local IP [Configuration Service] . . . . . 71
Local IP Selection [Configuration Service] . . . . . 71
Local Log Directory [Barracuda NG Control Center] . . . . . 474
Local Networks [VPN] . . . . . 240
Local Out [Firewall] . . . . . 179
Local Part Manipulation [Mail Gateway] . . . . . 267
Local Redirect [Firewall] . . . . . 145,
    [Firewall] . . . . . 146,
    [Firewall] . . . . . 147
Local Redirect Object [Firewall] . . . . . 145,
    [Firewall] . . . . . 146,
    [Firewall] . . . . . 147
Local Redirection / Local Routing Loop [Firewall] . . . . . 138
Local SSL Port [Barracuda NG Control Center] . . . . . 476
Local Subnets [DHCP] . . . . . 292,
    [DHCP] . . . . . 300
Local Tunnel IP [VPN] . . . . . 223
Locality [Barracuda NG Control Center] . . . . . 487
Localnet [Barracuda NG Control Center] . . . . . 450
Location [Configuration Service] . . . . . 59,
    [SNMP] . . . . . 515
Log Add. Meta-directory Fields [Configuration Service] . . . . . 115
Log Allowed URLs [Proxy] . . . . . 364
Log append file [FTP Gateway] . . . . . 371
Log Categories per URL [Proxy] . . . . . 362
Log Change Differences [Barracuda NG Control Center] . . . . . 500
Log change to upper dir denies [FTP Gateway] . . . . . 371
Log Connections [Barracuda NG Control Center] . . . . . 485
Log create dir denies [FTP Gateway] . . . . . 371
Log create directory [FTP Gateway] . . . . . 371
Log Creation Differences [Barracuda NG Control Center] . . . . . 500
Log Decisions [Anti-Virus] . . . . . 394
Log delete dir denies [FTP Gateway] . . . . . 371
Log delete directory [FTP Gateway] . . . . . 371
Log delete file [FTP Gateway] . . . . . 371
Log delete file-denies [FTP Gateway] . . . . . 371
Log denied ftp-commands [FTP Gateway] . . . . . 371
Log denied local logins [FTP Gateway] . . . . . 371
Log Denied URLs [Proxy] . . . . . 364
Log destination denies [FTP Gateway] . . . . . 371
Log Destinations [Configuration Service] . . . . . 118,
    [Barracuda NG Control Center] . . . . . 477
Log DNS Queries [Configuration Service] . . . . . 56
Log download file [FTP Gateway] . . . . . 371
Log extension denies [FTP Gateway] . . . . . 371
Log File Entry [Firewall] . . . . . 164
Log file-download denies [FTP Gateway] . . . . . 371
Log file-upload denies [FTP Gateway] . . . . . 371
Log Filters [Configuration Service] . . . . . 118,
    [Barracuda NG Control Center] . . . . . 477
Log Groups [Configuration Service] . . . . . 115,
    [Configuration Service] . . . . . 117
Log Keep Duration [Barracuda NG Control Center] . . . . . 474
Log Level [Configuration Service] . . . . . 78,
    [Firewall] . . . . . 137,
    [Barracuda NG Control Center] . . . . . 485,
    [OSPF and RIP] . . . . . 519,
    [OSPF and RIP] . . . . . 520,
    [OSPF and RIP] . . . . . 522
Log Local Session Termination [Firewall] . . . . . 138
Log logins [FTP Gateway] . . . . . 371
Log Message Filter [Configuration Service] . . . . . 117
Log other file-actions [FTP Gateway] . . . . . 371
Log other ftp-commands [FTP Gateway] . . . . . 371
Log Permissions [Barracuda NG Control Center] . . . . . 439
Log protocol denies [FTP Gateway] . . . . . 371
Log Removal Differences [Barracuda NG Control Center] . . . . . 500
Log rename file [FTP Gateway] . . . . . 371
Log rename-file denies [FTP Gateway] . . . . . 371
Log Server [DHCP] . . . . . 292,
    [DHCP] . . . . . 300
Log Session State Change [Firewall] . . . . . 164
Log structure-mount denies [FTP Gateway] . . . . . 371
Log succeeded local logins [FTP Gateway] . . . . . 371
Log Synced Sessions [Firewall] . . . . . 136
Log to Disk [Configuration Service] . . . . . 119
Log upload file [FTP Gateway] . . . . . 371
Log via Syslog [Proxy] . . . . . 341
Logfile Name Patterns [Configuration Service] . . . . . 104
Loghost IP Address [Configuration Service] . . . . . 117
Loghost Port [Configuration Service] . . . . . 117
Login DN [VPN] . . . . . 231
Login Event [Configuration Service] . . . . . 92,
    [Barracuda NG Control Center] . . . . . 460
Login Grace Time [SSH Gateway] . . . . . 387
Login Greeting Text [VPN] . . . . . 244,
    [SSH Gateway] . . . . . 387
Login Name [Configuration Service] . . . . . 115,
    [Firewall] . . . . . 201,
    [Barracuda NG Control Center] . . . . . 458
Login Timeout [Configuration Service] . . . . . 107
Login+Password Authentication [Firewall] . . . . . 201
Logo [VPN] . . . . . 244
Logtick [Configuration Service] . . . . . 111
Loopback [Firewall] . . . . . 179
Loopback SSL Port [Barracuda NG Control Center] . . . . . 476
Low Priority Lower Limit [VPN] . . . . . 238
Low Priority Upper Limit [VPN] . . . . . 238
LPR Server [DHCP] . . . . . 292,
    [DHCP] . . . . . 300


M
Mac [Firewall] . . . . . 163
MAC Address [DHCP] . . . . . 291
MAC Change Allowed [Firewall] . . . . . 194
MAC Type [DHCP] . . . . . 291
MAC-Address [DHCP] . . . . . 299
Mail Data Size (MB) [Mail Gateway] . . . . . 271
Mail Data Size Limit [Mail Gateway] . . . . . 272
Mail Denied [Mail Gateway] . . . . . 272
Mail Follow URLs [Anti-Virus] . . . . . 392
Mail Queue [Mail Gateway] . . . . . 279
Mail Router Permissions [Barracuda NG Control Center] . . . . . 439
Mail Server [Eventing] . . . . . 327
Mail Transfer Agents (MTAs) [Mail Gateway] . . . . . 266
Mailbox (MB) [DNS] . . . . . 337
Mailbox FORGET [Mail Gateway] . . . . . 277
Mailbox HAM [Mail Gateway] . . . . . 277
Mailbox SPAM [Mail Gateway] . . . . . 277
Mailserver (A) [DNS] . . . . . 337
Mailserver (IMAP) [Mail Gateway] . . . . . 277
Mailserver priority [DNS] . . . . . 337
Manage Admins [Barracuda NG Control Center] . . . . . 438
Manage Box File Update [Barracuda NG Control Center] . . . . . 438
Manage Box REXEC [Barracuda NG Control Center] . . . . . 438
Manage Box Software Updates [Barracuda NG Control Center] . . . . . 438
Manage Config. Updates [Barracuda NG Control Center] . . . . . 438
Max. Dynamic Rules [Firewall] . . . . . 135
Max. Exec Processes [Barracuda NG Control Center] . . . . . 437
Max. Fail Entries [Firewall] . . . . . 135
Max. file RAM usage (MB) [Anti-Virus] . . . . . 390
Max. file size (MB) [Anti-Virus] . . . . . 392
Max. Forwarding Echo/Src [Firewall] . . . . . 139
Max. Forwarding Other/Src [Firewall] . . . . . 139
Max. Forwarding Session/Src [Firewall] . . . . . 139
Max. Forwarding UDP/Src [Firewall] . . . . . 139
Max. Hops for Referrals [Configuration Service] . . . . . 112
Max. Lifetime [VPN] . . . . . 240,
    [Barracuda NG Control Center] . . . . . 494
Max. Multiple Redirect IPs [Firewall] . . . . . 135
Max. nesting [Anti-Virus] . . . . . 391,
    [Anti-Virus] . . . . . 392
Max. Num. Workers [Anti-Virus] . . . . . 390
Max. Number of Sessions [Firewall] . . . . . 164
Max. Number of Sessions per Source [Firewall] . . . . . 164
Max. Pending Forward Accepts/Src [Firewall] . . . . . 139
Max. Pending Inbounds [Firewall] . . . . . 135
Max. phase 1 Lifetime (s) [VPN] . . . . . 223
Max. Plugins [Firewall] . . . . . 135
Max. Segment Size [Configuration Service] . . . . . 72
Max. Session Slots [Firewall] . . . . . 135
Max. SIP Calls [Firewall] . . . . . 135,
    [Voice over IP] . . . . . 378
Max. SIP Media [Firewall] . . . . . 135,
    [Voice over IP] . . . . . 378
Manage HA Sync [Barracuda NG Control Center] . . . . . . . 438 Max. SIP Transaction [Voice over IP] . . . . . . . . . . . . . . . . . . . 378
Management IP [Configuration Service] . . . . . . . . . . . . . . . 62 Max. SIP Transactions [Firewall] . . . . . . . . . . . . . . . . . . . . . . . 135
Management IP (MIP) [Configuration Service] . . . . . . . . . . 62 Max. Size (MB) [Mail Gateway]. . . . . . . . . . . . . . . . . . . . . . . . . 275
Management IP address / Subnet mask [Getting Started] 13 Max. size (MB) [Anti-Virus]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 391,
Management Traffic [Configuration Service] . . . . . . . . . . . 88 [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
ManagementOnly [Configuration Service] . . . . . . . . . . . . . 54 Max. SMTP Line Length [Mail Gateway]. . . . . . . . . . . . . . . . . 271
Mandatory Client Credentials [VPN]. . . . . . . . . . . . . . . . . . . 229 Max. Status Age [Configuration Service]. . . . . . . . . . . . . . . . 115
Manipulate Access Cache Entries [Barracuda NG Control Center] Max. Tunnels [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
439 Max. Update Processes [Barracuda NG Control Center] . . 437
Map [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145, Max. Validity Discrepancy [Configuration Service] . . . . . . . 115
[Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146, Maximal allowed workers [FTP Gateway] . . . . . . . . . . . . . . . 371
[Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147, Maximum [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
[Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Maximum Bytes [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Map to Network [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Maximum Children [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . 265,
Mark as Read [Barracuda NG Control Center] . . . . . . . . . . 439 [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Master [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Maximum Connections [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . 346
Master Device [Configuration Service] . . . . . . . . . . . . . . . . 65 Maximum Counts [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Masters [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Maximum Number of Recipients [Mail Gateway] . . . . . . . . . 271
Match Condition [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . 524 Maximum Number of Tunnels [VPN] . . . . . . . . . . . . . . . . . . . 219
Match Parameter [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Maximum Number shown [Statistics]. . . . . . . . . . . . . . . . . . . 315
Max Acceptors [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Maximum Receive Unit [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 222
Max Age of crashed Mails (d) [Mail Gateway] . . . . . . . . . . . 271 Maximum Transmission Unit [VPN] . . . . . . . . . . . . . . . . . . . . 222
Max Echo (%) [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Key Byte Limit [Barracuda NG Control Center] . . . . . . . . . . 440
Max Event Records [Eventing]. . . . . . . . . . . . . . . . . . . . . . . . 327 MC Activates Network Changes [Configuration Service] . . 53
Max files to cache [Firewall]. . . . . . . . . . . . . . . . . . . . . . . . . . 200 MC Certificate [Barracuda NG Control Center] . . . . . . . . . . 437
Max Illegal Inputs [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . 388 MC Config Permissions [Barracuda NG Control Center]. . . 438
Max Int TCP Conns [Configuration Service] . . . . . . . . . . . . 116 MC Control Permissions [Barracuda NG Control Center] . . 438
Max ISS Proventia Processes [Proxy]. . . . . . . . . . . . . . . . . . 362 MC Identifier [Barracuda NG Control Center]. . . . . . . . . . . . 436
Max Lease Time [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 MC IP Address [Barracuda NG Control Center] . . . . . . . . . . 436
Max Load (1-15 mins) [Configuration Service] . . . . . . . . . . . 111 MC License [Barracuda NG Control Center] . . . . . . . . . . . . . 436
Max Local-In Echo/Src [Firewall]. . . . . . . . . . . . . . . . . . . . . . 136 MC Policy Service Permissions [Barracuda NG Control Center]
Max Local-In Other/Src [Firewall] . . . . . . . . . . . . . . . . . . . . . 136 439
Max Local-In Session/Src [Firewall] . . . . . . . . . . . . . . . . . . . 135 MC Private Key [Barracuda NG Control Center] . . . . . . . . . 437
Max Local-In UDP/Src [Firewall] . . . . . . . . . . . . . . . . . . . . . . 136 MC SSH Key [Barracuda NG Control Center] . . . . . . . . . . . . 437
Max Memory Used [Configuration Service]. . . . . . . . . . . . . 111 MC SSL Certificate [Barracuda NG Control Center] . . . . . . 437
Max MTU/MRU Size [Configuration Service]. . . . . . . . . . . . 72 MC->Box Access [Configuration Service]. . . . . . . . . . . . . . . . 53
Max Other (%) [Firewall]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Meshed [Barracuda NG Control Center] . . . . . . . . . . . . . . . . 493
Max Pending Local Accepts/Src [Firewall] . . . . . . . . . . . . . 136 Message [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226,
Max Ping Size [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Max Queued Message [Configuration Service] . . . . . . . . . . 116 Message Digest Algorithm [Barracuda NG Control Center] 486
Max Routing Cache Entries [Configuration Service] . . . . . 100 Message Digest Key ID [OSPF and RIP] . . . . . . . . . . . . . . . . . 523
Max size of a file to cache (kb) [Firewall]. . . . . . . . . . . . . . . 200 Message for Deny [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Max Storage Time [Configuration Service] . . . . . . . . . . . . . 104 Message Queue Size [Barracuda NG Control Center] . . . . . 473
Max TCP Connections [Barracuda NG Control Center] . . . 473 Message to Recipient [Mail Gateway]. . . . . . . . . . . . . . . . . . . 269
Max UDP (%) [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Method [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . 112,
Max. Access Entries [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . 135 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 113,
Max. ARP Entries [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . 135 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 114,
Max. Attachments [Mail Gateway]. . . . . . . . . . . . . . . . . . . . . 271 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 115,
Max. Bandwidth [Configuration Service] . . . . . . . . . . . . . . . 89 [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Max. Block Entries [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 135 Metric Offsets [OSPF and RIP]. . . . . . . . . . . . . . . . . . . . . . . . . 522
Max. compression ratio [Anti-Virus] . . . . . . . . . . . . . . . . . . . 391 Mgmt Baud Rate [Configuration Service] . . . . . . . . . . . . . . . 54
Max. count [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391, Mgmt COM Port [Configuration Service] . . . . . . . . . . . . . . . . 54
[Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Migrate Cluster [Barracuda NG Control Center] . . . . . . . . . 446
Max. DNS Entries [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Migrate Clusters [Barracuda NG Control Center] . . . . . . . . 446
Max. Drop Entries [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Migrate Complete Tree [Barracuda NG Control Center]. . . 446

Barracuda NG Firewall 4.2.10 | Revision 3.5 © Barracuda Networks 2010

Appendix Index of Configuration Parameters | 579

Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

Migrate Node [Barracuda NG Control Center] . . . 448
Migrate Range [Barracuda NG Control Center] . . . 446
Migrate Ranges [Barracuda NG Control Center] . . . 446
MIME-Type [Mail Gateway] . . . 269
MIME-Type Exceptions [Mail Gateway] . . . 269
Mime-Types [Anti-Virus] . . . 395
Min Delay [Firewall] . . . 152
Min Lease Time [DHCP] . . . 293
Min. Credit Card Count [Anti-Virus] . . . 393
Min. Lifetime [VPN] . . . 240, [Barracuda NG Control Center] . . . 494
Min. phase 1 Lifetime (s) [VPN] . . . 223
Min. SSN Count [Anti-Virus] . . . 393
Minimum [VPN] . . . 227
Minimum TTL [DNS] . . . 336
Key Time Limit [Configuration Service] . . . 67, [Barracuda NG Control Center] . . . 440
Misc Settings [Mail Gateway] . . . 271
Modem Device [Configuration Service] . . . 72, 77
Modem IP [Configuration Service] . . . 71
Modify Connections [Barracuda NG Control Center] . . . 439
Modify Event [Barracuda NG Control Center] . . . 445
Module parameters [Getting Started] . . . 13
Monitor Devs I / II [Configuration Service] . . . 96
Monitor IPs I [Configuration Service] . . . 95
Monitor IPs I/ II [Configuration Service] . . . 95
Monitoring Method [Configuration Service] . . . 79
Monthly Schedule [Configuration Service] . . . 103
Move Files to Directory [Firewall] . . . 138
MPPE Encryption Strength [VPN] . . . 223
MTA Retry Sequence [Mail Gateway] . . . 266
MTAs for Urgent Mail [Mail Gateway] . . . 266
MTU [Configuration Service] . . . 62, 64, 66, 69, [VPN] . . . 220
Multicast Addresses [VPN] . . . 220
Multipath Gateway [Configuration Service] . . . 69
Multipath Handling [OSPF and RIP] . . . 520, 522
Must Be Healthy [VPN] . . . 245, 246, 247, 248
MX Record [Configuration Service] . . . 72, 73, 75, 78
My Domains List [Mail Gateway] . . . 263
My IP Explicit [VPN] . . . 222
My IP Type [VPN] . . . 222
My Peer IP Explicit [VPN] . . . 222
My Peer Type [VPN] . . . 222
N
Name [Configuration Service] . . . 65, 71, 73, 87, [Firewall] . . . 153, 205, [VPN] . . . 218, 220, 226, 228, 233, 240, [Proxy] . . . 342, [Barracuda NG Control Center] . . . 438, 445, 475, 476, 477, 493
Name of NIC [Configuration Service] . . . 64
Nameserver [Getting Started] . . . 10
NAS IP Address [Configuration Service] . . . 114
NAS IP Port [Configuration Service] . . . 114
NAS-ID [Configuration Service] . . . 114
NBDD Server [DHCP] . . . 292, 299
Neighbor IP [OSPF and RIP] . . . 523
Neighbor Priority [OSPF and RIP] . . . 524
Neighbor Timeout [Voice over IP] . . . 377
Neighbour Settings [Proxy] . . . 341
Neighbour Type [Proxy] . . . 342
Net Join Status [Configuration Service] . . . 113
Netbios Domain Name [Configuration Service] . . . 112
Netbios Node Type [DHCP] . . . 292, 300
Netbios Scope Id [DHCP] . . . 292, 300
netfence base system [Getting Started] . . . 13
Netmask [Firewall] . . . 154, [DHCP] . . . 290
NetTool [Anti-Virus] . . . 392
Network [VPN] . . . 225
Network ACL [SSH Gateway] . . . 388
Network Address [Firewall] . . . 159, [VPN] . . . 218, [DHCP] . . . 290
Network Device [OSPF and RIP] . . . 521
Network Interface Cards [Configuration Service] . . . 63
Network Mask [VPN] . . . 218
Network Prefix [OSPF and RIP] . . . 520, 521, 524
Network Routes [VPN] . . . 227, 229
Network Type [OSPF and RIP] . . . 523
Networks [Firewall] . . . 142, [OSPF and RIP] . . . 521
New ... [Barracuda NG Control Center] . . . 426, 428
New Domain Name [DNS] . . . 337
New Others [DNS] . . . 338
New Prefix [Voice over IP] . . . 377
New Root Passwd [Configuration Service] . . . 54
New Service Password [Configuration Service] . . . 54
Next Forced Change [Configuration Service] . . . 92
NIC Type [Configuration Service] . . . 63, 64
NIS Domain Name [DHCP] . . . 292, 299
NIS Server [DHCP] . . . 292, 299
No ACPI [Getting Started] . . . 14, [Configuration Service] . . . 102
No Difference Details [Barracuda NG Control Center] . . . 502
No graphic adapter available [Getting Started] . . . 14
NO ICMP AT ALL [Firewall] . . . 168
No Inline Authentication [Firewall] . . . 201
No local authorization needed [FTP Gateway] . . . 372
No Popups If Less Than (sec) [Anti-Virus] . . . 395
No Probing for Interfaces [Configuration Service] . . . 118
No Protocol Protection [Firewall] . . . 162
No Rule Update Time Range [Firewall] . . . 137
No Scan For (Recipients) [Anti-Virus] . . . 396
No Scan For (Sender) [Anti-Virus] . . . 396
No. of ICMP Probes [Configuration Service] . . . 67, 79
No. of LCP Checks [Configuration Service] . . . 79
no-monitoring [Configuration Service] . . . 95
None [Firewall] . . . 168
Notification ID [Eventing] . . . 323, 324
notify [DNS] . . . 333, 335
Notify Again After (min) [Proxy] . . . 355
Notify User [Proxy] . . . 355
Nr. [VPN] . . . 225
nsComment [Barracuda NG Control Center] . . . 487
NSSA-ABR Translate Election [OSPF and RIP] . . . 521
NTP Server [DHCP] . . . 292, 299
NTP sync on Startup [Configuration Service] . . . 56
Number of HA retries [Barracuda NG Control Center] . . . 461
Number of Interfaces [Configuration Service] . . . 63
Number of Processes [Configuration Service] . . . 112, 113, 114, 115
Number of Queued Mails [Mail Gateway] . . . 272
Number of Redirectors [Proxy] . . . 362
O
Object Filter [VPN] . . . 231
Object Name [Barracuda NG Control Center] . . . 427
Object Type [OSPF and RIP] . . . 522
Offline Rules [VPN] . . . 226, 228
Offline sync (every n min./hour) [Configuration Service] . . . 112
On Demand Transport Delay [VPN] . . . 239
On Demand Transport Timeout [VPN] . . . 239
one-AND-one-present [Configuration Service] . . . 95
Open Files [Configuration Service] . . . 101
Operation Mode [Configuration Service] . . . 65, 86, [OSPF and RIP] . . . 519
Optimised Updates [DHCP] . . . 293
Option Section [DHCP] . . . 299
Optional Bind IP [Firewall] . . . 205
Options [Proxy] . . . 342
Organisation [Barracuda NG Control Center] . . . 436, 487
Organisation Unit [Barracuda NG Control Center] . . . 487
Organization [Configuration Service] . . . 59
Origin [Firewall] . . . 201
Origin Domain Name [DNS] . . . 334
Original Prefix [Voice over IP] . . . 377
Originate Always [OSPF and RIP] . . . 521
Originator Systems [Barracuda NG Control Center] . . . 475
OS Platform [Configuration Service] . . . 52
OSPF Dead Interval [OSPF and RIP] . . . 523
OSPF External Metric [OSPF and RIP] . . . 521
OSPF Hello Interval [OSPF and RIP] . . . 523
OSPF Metric [OSPF and RIP] . . . 521
OSPF Priority [OSPF and RIP] . . . 523
OSPF Retransmit Interval [OSPF and RIP] . . . 523
OSPF Text [OSPF and RIP] . . . 525
OSPF Transmit Delay [OSPF and RIP] . . . 523
Other Limit Exceeded [Firewall] . . . 137
Other root [VPN] . . . 221
Other/Src Limit Exceeded [Firewall] . . . 137
Out Interface Name [OSPF and RIP] . . . 524
Outbound [Firewall] . . . 136, 163, 171
Outbound Bandwidth [Configuration Service] . . . 89
Outbound Rate [Configuration Service] . . . 87
Outbound-User [Firewall] . . . 171
Override Node Name [Configuration Service] . . . 117
Override SyncIP-Primary [Barracuda NG Control Center] . . . 474
Override SyncIP-Secondary [Barracuda NG Control Center] . . . 474
Oversized SYN Packet [Firewall] . . . 138
OWA URL [VPN] . . . 246
Own Cook Settings [Barracuda NG Control Center] . . . 441
Own Event Settings [Barracuda NG Control Center] . . . 441, 442
Own Firewall Objects [Barracuda NG Control Center] . . . 441, 442
Own IP [Control] . . . 39
Own Log File [Firewall] . . . 164
Own Policy Server Objects [Barracuda NG Control Center] . . . 441, 442
Own Routing Table [Configuration Service] . . . 72, 74, 76, 78
Own Shaping Trees [Barracuda NG Control Center] . . . 441, 443
Own VPN GTI Editor [Barracuda NG Control Center] . . . 441, 442


P [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 459,


[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 486,
P2P [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 498
Packer [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Password Length [FTP Gateway] . . . . . . . . . . . . . . . . . . . . . . 371
Packet Forwarding [Firewall]. . . . . . . . . . . . . . . . . . . . . . . . . . 163 Password must differ on change [Barracuda NG Control Center]
Packet Hop Count [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 459
Packet Load Balancing [Configuration Service]. . . . . . . . . . 69 Password Protection [Configuration Service] . . . . . . . . . . . 102
Paged Time Limit [VPN] 231
Parallel Connection Limit [Mail Gateway] 272
Parallel connections for collection [Barracuda NG Control Center] 461
Parallel Inbound Conn. per Peer [Mail Gateway] 271
Parallel Inbound Connections [Mail Gateway] 271
Parallel Outbound Conn. per Peer [Mail Gateway] 271
Parallel Outbound Connections [Mail Gateway] 271
Parameter Length [FTP Gateway] 371
Parameter Resolution [Barracuda NG Control Center] 465
Parameter Template [OSPF and RIP] 523
Parameter Template for Address [OSPF and RIP] 523
Parameters... [VPN] 225
Parent Network [Firewall] 149
Partner Networks [VPN] 235
Pass [Firewall] 144, 145, 146, 147, 171
Passive Interface [OSPF and RIP] 523
Passive Sync (DOWN) [Firewall] 181
Passive Sync (UP) [Firewall] 181
Password [Getting Started] 13; [Configuration Service] 54, 59, 92; [VPN] 221, 222, 223; [Mail Gateway] 277; [Proxy] 342; [Anti-Virus] 391
Path [VPN] 232
Pattern [Firewall] 160; [Mail Gateway] 267
PDP Context [Configuration Service] 77
PDP Type [Configuration Service] 77
Peer [Barracuda NG Control Center] 502
Peer Address/Network [VPN] 231
Peer IP Restriction [Configuration Service] 92; [Barracuda NG Control Center] 459
Peer SSL Certificate [Configuration Service] 117
Peers [SNMP] 515
Peer-To-Peer Bandwidth [Firewall] 134
Peer-To-Peer Policy [Firewall] 134
Peer-To-Peer Shape Connector [Firewall] 134
Pending [Firewall] 178; [Barracuda NG Control Center] 423
Pending Accepts Critical [Firewall] 138
Pending Session Limit [SSH Gateway] 387
Pending Session Limitation [VPN] 219; [Barracuda NG Control Center] 440
Perform DDNS Updates [DHCP] 290, 291
Perform Mask Discovery [DHCP] 292, 300
Perform Router Discovery [DHCP] 292, 300
Performance Statistics [Configuration Service] 119
Permission Profile [SSH Gateway] 388
Permit Root Login [Configuration Service] 107
Persistence [Firewall] 163
Persistent [Eventing] 323
Phase 1 Lifetime (s) [VPN] 223
PHIBS Authentication Scheme [Firewall] 200; [Proxy] 344; [FTP Gateway] 372
PHIBS Listen IP [Firewall] 200; [Proxy] 344; [FTP Gateway] 372
Phibs Scheme [VPN] 221
Phibs settings [FTP Gateway] 372
PHIBS Timeout [Firewall] 200; [Proxy] 344; [FTP Gateway] 372
Phion Archive Files [Getting Started] 15
Phion Client [VPN] 231
Phion Personal [VPN] 220
Phion Site-to-Site [VPN] 220
phiona Max. Idle [Configuration Service] 118
Phishing Scan URLs [Anti-Virus] 392
Phone Number [Configuration Service] 77
Physical Interfaces [Configuration Service] 64
Ping Check [DHCP] 293
Ping Timeout [DHCP] 294
PKCS7 Cipher [Configuration Service] 59
PKCS7 Hash [Configuration Service] 59
PKCS7 Replay Protection [Configuration Service] 59
Plugin [Firewall] 152
Policy [Configuration Service] 89; [Firewall] 154, 164,
582 | Index of Configuration Parameters Appendix


[Firewall] 201; [FTP Gateway] 371, 372
Policy Server IP [VPN] 244
Policy Service IPs/Names [DHCP] 292
Policy Service Permissions [Barracuda NG Control Center] 439
Poll Box VPN Status [Barracuda NG Control Center] 437
Poll VPN Tunnel Status [Configuration Service] 53
Polling Time (secs) [Firewall] 205
Pool description [DHCP] 290
Pool IP-Begin [VPN] 223
Pool Size [VPN] 223
Popup After (sec) [Anti-Virus] 395
Port [Firewall] 183; [VPN] 221, 231; [Anti-Virus] 391
Port Labelling [Configuration Service] 63
Port Range [Firewall] 152
Port Scan [Firewall] 138
Port Scan Detection Interval [Firewall] 137
Port Scan Threshold [Firewall] 137
Portable Executable [Anti-Virus] 392
Portmapper Port [Firewall] 205
Position [Getting Started] 22
Post Settings [Mail Gateway] 267
Postinstall-script [Getting Started] 14
Postmaster Mail-Address [Mail Gateway] 263
PPP Local IP [Configuration Service] 67
PPP Remote IP [Configuration Service] 67
PPTP Bind IP [VPN] 223
PPTP Enable [VPN] 223
Pre Settings [Mail Gateway] 267
Preauthentication Scheme [VPN] 230
Prebuild Cookies on Startup [VPN] 219; [Barracuda NG Control Center] 440
Preceding Private Key #1, #2, #3 [Barracuda NG Control Center] 437
Preceding SSH Key [Barracuda NG Control Center] 437
Prefer Routing over Bridging [Firewall] 164
Preferred Transport Class [VPN] 237
Preferred Transport ID [VPN] 237
Prefix [Voice over IP] 377
Prefix Length [OSPF and RIP] 525
Preinstall-script [Getting Started] 14
Prepend Hierarchy Info [Configuration Service] 118
Prepend Received Time [Barracuda NG Control Center] 474
Primary / Secondary [Getting Started] 11
Primary Box [Configuration Service] 96
Primary Link [Configuration Service] 71
Primary Network Interface [Firewall] 159
Primary Server [DNS] 335
Print Header [Getting Started] 22
Priority [Configuration Service] 87; [Barracuda NG Control Center] 428
Priority Adjustment [Configuration Service] 86
Priority Switch after (minutes) [Mail Gateway] 266
Priority Weights [Configuration Service] 86
Privileged Admins [Barracuda NG Control Center] 443
Privileged RIP Terminal Password [OSPF and RIP] 521
Privileged Terminal Password [OSPF and RIP] 520
Product Type [Configuration Service] 52, 95; [Barracuda NG Control Center] 418
Progress Popup [Anti-Virus] 394
Progress Template [Anti-Virus] 395
Propagate to MC [Eventing] 323, 324
Propagation List [Firewall] 198
Protection Profile [Mail Gateway] 264
Proto. [Firewall] 183
Protocol [VPN] 221; [Proxy] 346
Protocol Field [Configuration Service] 75
Protocol Type [VPN] 247
Provider Name [Configuration Service] 72, 75
Provider Phone Number [Configuration Service] 74
Proxy [VPN] 221
Proxy Address [VPN] 222
Proxy ARPs [Firewall] 142
Proxy Assigned [Firewall] 154
Proxy Authentication Type [Configuration Service] 59
Proxy Domain [Configuration Service] 59
Proxy Dynamic [Firewall] 154
Proxy First [Firewall] 154
Proxy Host [Proxy] 362
Proxy IP Address [Configuration Service] 59
Proxy Password [Configuration Service] 59, 67; [Proxy] 362
Proxy Port [Proxy] 342, 362
Proxy Port Number [Configuration Service] 59
Proxy Second [Firewall] 154
Proxy Server IP [Configuration Service] 67
Proxy Server Port [Configuration Service] 67
Proxy Settings [Configuration Service] 59
Proxy Type [VPN] 222, 235
Proxy User [Configuration Service] 67; [VPN] 222; [Proxy] 362
Proxy User Name [Configuration Service] 59
Proxydyn [Firewall] 171
Public Key [Barracuda NG Control Center] 459
Public RSA Key [Configuration Service] 54, 92
PwTool [Anti-Virus] 392

Q

Quarantine [VPN] 218
Quarantine Class 1 Interface [Firewall] 195
Quarantine Class 2 Interface [Firewall] 195
Quarantine Class 3 Interface [Firewall] 195
Quarantine Directory [Anti-Virus] 391
Quarantine Group [Firewall] 195
Query Process Priority [Statistics] 316
Query Source Address [Configuration Service] 56
Queue Size (Bytes) [Configuration Service] 86

R

Radio Preference [Configuration Service] 77
Radius IDCache Timeout [Voice over IP] 377
Radius Password [Voice over IP] 377
Radius Server [Voice over IP] 377
Radius Server Address [Configuration Service] 114
Radius Server Key [Configuration Service] 114
Radius Server Port [Configuration Service] 114
Radius Server Timeout [Voice over IP] 377
Radius Server Transmission [Voice over IP] 377
Radius with Terminal Alias [Voice over IP] 377
Range [Barracuda NG Control Center] 459
Range Action [OSPF and RIP] 521
Range Cost [OSPF and RIP] 521
Range DHCP Options [DHCP] 290
Range IDs [Configuration Service] 104
Range Name [Barracuda NG Control Center] 441
RAS Authentication [Voice over IP] 377
RAT [Anti-Virus] 392
Raw [Anti-Virus] 394
RDP Application Path [VPN] 247
Reachable IPs [Configuration Service] 67, 69, 79
Read [Barracuda NG Control Center] 445
Read Box Logfiles [Barracuda NG Control Center] 439
Read Box Statistics [Barracuda NG Control Center] 439
Read Only Colour [Getting Started] 22
Read Service Logfiles [Barracuda NG Control Center] 439
Read Timeout (sec.) [Proxy] 351
Read Timeout in seconds for data [Barracuda NG Control Center] 461
Read Timeout(sec.) [Proxy] 356
Real IP/Mask [Firewall] 146
Realtime Mode [Configuration Service] 110
Rebind Time [DHCP] 299
Reboot [Configuration Service] 58
Reboot System [Barracuda NG Control Center] 439
Rebuild Mgmt Tunnel [Configuration Service] 58
Receive Protocol [OSPF and RIP] 523
Recipient Blacklist [Mail Gateway] 270
Recipient DB [Mail Gateway] 265
Recipient Dropped [Mail Gateway] 272
Recipient Lookup [Mail Gateway] 264
Recipient Whitelist [Mail Gateway] 269
Recipients [Mail Gateway] 265
Recipients Lookup req. Groups [Mail Gateway] 263, 265
Reconnect Network [Configuration Service] 58
Record Terminal Session [SSH Gateway] 388
Recorded Users [SSH Gateway] 388
recursion [DNS] 333
Redirect [Firewall] 144, 145, 146, 147, 171
Redirect Object [Firewall] 144, 145, 146, 147
Redirected [Firewall] 145
Redirection [FTP Gateway] 371
Referenced Map [Firewall] 146
References [Configuration Service] 64
Refresh (% Lifetime) [Configuration Service] 59
Refresh after [DNS] 335
Refresh auth every ... min [Firewall] 200
Refresh auth tolerance ... min [Firewall] 200
Refresh Timer [OSPF and RIP] 520
Refuse Empty Mail from [Mail Gateway] 271
Register in Standby [Configuration Service] 77
Register Timeout [Configuration Service] 77
Registry [VPN] 228
Regular Poll Interval [Configuration Service] 118
Relay Interfaces [DHCP] 302
Release [Barracuda NG Control Center] 445
Reload Externals [Firewall] 143
Reload GTI Objects [Firewall] 143
Reload Object [Barracuda NG Control Center] 427
Remote Address [VPN] 240
Remote Control via SMS [Configuration Service] 58
Remote End IP [Configuration Service] 80
Remote Loghost [Configuration Service] 117
Remote Networks [VPN] 240
Remote Peer IP [Configuration Service] 78
Remove [Barracuda NG Control Center] 427, 428, 432
Remove Box [Barracuda NG Control Center] 427
Remove Boxes [Barracuda NG Control Center] 438
Remove Cluster [Barracuda NG Control Center] 438
Remove from Grey List after (h) [Mail Gateway] 270
Remove from White List after (d) [Mail Gateway] 270
Remove HTML Img Src Tag [Mail Gateway] 271
Remove HTML Link Tag [Mail Gateway] 271
Remove HTML Tags [Mail Gateway] 271
Remove License [Barracuda NG Control Center] 439
Remove Phion ID [Mail Gateway] 271
Remove Range [Barracuda NG Control Center] 438
Remove Repository [Barracuda NG Control Center] 438
Remove Server [Barracuda NG Control Center] 438
Remove Service [Barracuda NG Control Center] 438
Renew Time [DHCP] 299
Repair Attempts [Configuration Service] 110
Repair Mode [Configuration Service] 110
Replay Window Size [VPN] 239, 241
Reply AID Mismatch Policy [DHCP] 302
Reply Delay [DHCP] 293
Reply Timeout [Voice over IP] 378
Reply to Ping [Configuration Service] 95
Report Language [Mail Gateway] 276
Report Processing Script [Barracuda NG Control Center] 500
Report Prohibited Protocols [Firewall] 162
Request Timeout (sec) [Configuration Service] 115
Requestmethod [Proxy] 346
Require PAP [Configuration Service] 67
Required DHCP Link [Configuration Service] 71
Required for All Users [Proxy] 346
Requires Authentication [Anti-Virus] 391
Re-Reachable Command [Configuration Service] 69
Reschedule [Barracuda NG Control Center] 426
Reset Prohibited Protocols [Firewall] 162
Resolution [Statistics] 317; [Barracuda NG Control Center] 464
Resolution 1d after (Days) [Statistics] 317
Resolution 1d after (days) [Barracuda NG Control Center] 464
Resolution 1h after (Days) [Statistics] 317
Resolution 1h after (days) [Barracuda NG Control Center] 464
Resolve [Firewall] 150
Resolve Access Cache IPs [Firewall] 137
Resource Location Server [DHCP] 292, 300
Responds to Ping [Configuration Service] 62
Responsible person [DNS] 335
Restart Network Subsystem [Barracuda NG Control Center] 439
Restart phion Services [Configuration Service] 58
Restart Phion Subsystem [Barracuda NG Control Center] 439
Restart Processes [Barracuda NG Control Center] 423
Restrict PARP to Parent Network [Firewall] 149
Resume Delivery [Mail Gateway] 280
Retransmission Timeout (s) [Firewall] 163
Retries [Anti-Virus] 390
Retrieve Stripped Attachments [Barracuda NG Control Center] 439
Retry after [DNS] 335
Retry Time [Configuration Service] 74, 75, 78
Rev DDNS Domainname [DHCP] 293
Reverse [DNS] 334
Reverse Band [Firewall] 144
Reverse Interface [Firewall] 158
Reverse Lookup Net [Configuration Service] 56; [DHCP] 294
Reverse Lookup Netmask [Configuration Service] 56
Rewrite [Mail Gateway] 267
RFC1048 Conformance [DHCP] 293
RFC1583 Compatibility [OSPF and RIP] 520
RIP Key Chain [OSPF and RIP] 523
RIP Keychains [OSPF and RIP] 521
RIP Metric [OSPF and RIP] 522
RIP Terminal Password [OSPF and RIP] 521
RIP Text [OSPF and RIP] 525
RIP Text Secret [OSPF and RIP] 523
RIP Version [OSPF and RIP] 521
Roles [Configuration Service] 91; [Barracuda NG Control Center] 460
Root Aliases [Configuration Service] 54
Root CA Certificate [Proxy] 355
Root CA Private Key [Proxy] 355
Root Certificate [Barracuda NG Control Center] 493, 494
Root certificates [Firewall] 200
Root DN [Barracuda NG Control Center] 485
Root Password [Barracuda NG Control Center] 485
Root Public RSA Key [Configuration Service] 54
Root RSA Key [Getting Started] 13
Route In/Out Filters [OSPF and RIP] 522
Route Maps [OSPF and RIP] 521, 522
Route Preference Number [Configuration Service] 69, 73, 74, 76, 78, 80
Route Redistribution [OSPF and RIP] 521, 522
Route Type [Configuration Service] 69
Route Types [OSPF and RIP] 521, 522
Route Update Filtering [OSPF and RIP] 522
Router [DHCP] 292, 299
Router ID [OSPF and RIP] 519
Router ID Mask [OSPF and RIP] 519
Routes [Configuration Service] 70
Routing Next-Hop [VPN] 234; [Barracuda NG Control Center] 493
Routing Protocols [OSPF and RIP] 523
RSA Configuration File [Configuration Service] 114
RSA Host Key [SSH Gateway] 387
RSA Next Token Timeout (sec) [Configuration Service] 115
RSA Server IP [Configuration Service] 114
RSA Slave-Server IP [Configuration Service] 114
RSA Unique Name [Configuration Service] 114
Rule [Firewall] 187
Rule Change Behaviour [Firewall] 136
Rule Limit Exceeded [Firewall] 137
Rule Tester [Firewall] 142
Rules [Firewall] 142; [Mail Gateway] 277
Run as User [SSH Gateway] 387; [Barracuda NG Control Center] 473
Run Forwarding/Caching DNS [Configuration Service] 55
Run OSPF Router [OSPF and RIP] 519
Run Probes Every [Configuration Service] 67
Run RIP Router [OSPF and RIP] 519
Run S.M.A.R.T [Configuration Service] 110
Run Slave DNS [Configuration Service] 56
Run Watchdog [Configuration Service] 110
S
Minimum Slave Uptime [Configuration Service] . . . . . . . . . 75
Safe Browsing [Anti-Virus] . . . . . . . . . 391
Same Port [Firewall] . . . . . . . . . 154
Save Object [Barracuda NG Control Center] . . . . . . . . . 427
Save to [Getting Started] . . . . . . . . . 14
Save to Disk [Getting Started] . . . . . . . . . 14
Scan Archives [Anti-Virus] . . . . . . . . . 391,
[Anti-Virus] . . . . . . . . . 392
Scan Engine IPs [Anti-Virus] . . . . . . . . . 396
Scan Engine Port [Anti-Virus] . . . . . . . . . 396
Scan HTML [Anti-Virus] . . . . . . . . . 392
Scan OLE2 [Anti-Virus] . . . . . . . . . 392
Scan Partial Messages [Anti-Virus] . . . . . . . . . 392
Scanner IP [Anti-Virus] . . . . . . . . . 396
Scanner Location [Anti-Virus] . . . . . . . . . 393,
[Anti-Virus] . . . . . . . . . 396
Scanning Exceptions [Anti-Virus] . . . . . . . . . 393
SCEP HTTPS Client Cert. [Configuration Service] . . . . . . . . . 59
SCEP HTTPS Client Key [Configuration Service] . . . . . . . . . 59
SCEP Password [Configuration Service] . . . . . . . . . 59
SCEP Password Policy [Configuration Service] . . . . . . . . . 59
SCEP Password Search Pattern [Configuration Service] . . . . . . . . . 59
SCEP Password URL Path [Configuration Service] . . . . . . . . . 59
SCEP Server IP or Hostname [Configuration Service] . . . . . . . . . 58
SCEP server port number [Configuration Service] . . . . . . . . . 59
SCEP server protocol [Configuration Service] . . . . . . . . . 59
SCEP Settings [Configuration Service] . . . . . . . . . 58
SCEP URL path [Configuration Service] . . . . . . . . . 59
Scheduled Time [Barracuda NG Control Center] . . . . . . . . . 428
Scheduler Priority [Configuration Service] . . . . . . . . . 110
Scheduling Mode [Barracuda NG Control Center] . . . . . . . . . 428
Scheme [VPN] . . . . . . . . . 225
Script [Anti-Virus] . . . . . . . . . 392
Second DNS [VPN] . . . . . . . . . 222
Second Try Transport Class [VPN] . . . . . . . . . 237
Second Try Transport ID [VPN] . . . . . . . . . 237
Second WINS [VPN] . . . . . . . . . 222
Secondary Box [Configuration Service] . . . . . . . . . 96
Second-IP (S2) [Configuration Service] . . . . . . . . . 95
Tunnel Probing [Configuration Service] . . . . . . . . . 67,
[Barracuda NG Control Center] . . . . . . . . . 440
Tunnel Timeout [Configuration Service] . . . . . . . . . 67,
[Barracuda NG Control Center] . . . . . . . . . 440
Secure Client [VPN] . . . . . . . . . 228
Secure FTP Support [Configuration Service] . . . . . . . . . 107
Secure Update [Configuration Service] . . . . . . . . . 72,
[Configuration Service] . . . . . . . . . 73,
[Configuration Service] . . . . . . . . . 75,
[Configuration Service] . . . . . . . . . 78
Secure-Web-Proxy Permissions [Barracuda NG Control Center] . . . . . . . . . 439
Select Encryption Certificate [Configuration Service] . . . . . . . . . 59
Select Smartcard Reader [Getting Started] . . . . . . . . . 23
Selected Message Types [Configuration Service] . . . . . . . . . 117
Selection [Barracuda NG Control Center] . . . . . . . . . 423
Self Check [Anti-Virus] . . . . . . . . . 392
Self-Signed Certificate [VPN] . . . . . . . . . 244
Self-Signed Private Key [VPN] . . . . . . . . . 244
Send Event to MC [Eventing] . . . . . . . . . 327
Send Keepalives [Configuration Service] . . . . . . . . . 107
Send Protocol [OSPF and RIP] . . . . . . . . . 523
Send TCP RST for OOS Pkts. [Firewall] . . . . . . . . . 137
Send to IP Address [Firewall] . . . . . . . . . 138
Send to Port [Firewall] . . . . . . . . . 138
Send Unsolicited ARP [Firewall] . . . . . . . . . 159
Sender Blacklist [Mail Gateway] . . . . . . . . . 270
Sender IP [Configuration Service] . . . . . . . . . 117,
[Barracuda NG Control Center] . . . . . . . . . 476
Sender Whitelist [Mail Gateway] . . . . . . . . . 269
Sequence Number [OSPF and RIP] . . . . . . . . . 524
Serial [DNS] . . . . . . . . . 335
Serial Access / Serial Settings [Configuration Service] . . . . . . . . . 54
Serial Console [Getting Started] . . . . . . . . . 11,
[Configuration Service] . . . . . . . . . 102
Serial Number [Configuration Service] . . . . . . . . . 53
Serial Settings [Configuration Service] . . . . . . . . . 54
Server [Firewall] . . . . . . . . . 201,
[Anti-Virus] . . . . . . . . . 392,
[Barracuda NG Control Center] . . . . . . . . . 494
Server Address Labels [Configuration Service] . . . . . . . . . 97
Server Alive Interval [SSH Gateway] . . . . . . . . . 388
Server Certificate [Configuration Service] . . . . . . . . . 96,
[VPN] . . . . . . . . . 230
Server Default [Firewall] . . . . . . . . . 163
Server enforces Limits [Barracuda NG Control Center] . . . . . . . . . 440
Server IP [VPN] . . . . . . . . . 248,
[DHCP] . . . . . . . . . 290,
[DHCP] . . . . . . . . . 291,
[Barracuda NG Control Center] . . . . . . . . . 498
Server Is Authoritative [DHCP] . . . . . . . . . 289,
[DHCP] . . . . . . . . . 290,
[DHCP] . . . . . . . . . 291
Server Key [VPN] . . . . . . . . . 226
Server Key Length (Bits) [Configuration Service] . . . . . . . . . 107
Server Log Level [SSH Gateway] . . . . . . . . . 387
Server Name [Configuration Service] . . . . . . . . . 95
Server Port [Barracuda NG Control Center] . . . . . . . . . 498
Server Private Key [Configuration Service] . . . . . . . . . 96
Server Protocol Key [VPN] . . . . . . . . . 230
Server/GTI Networks [Configuration Service] . . . . . . . . . 96
Servername [DNS] . . . . . . . . . 336
Service [Firewall] . . . . . . . . . 163,
[Firewall] . . . . . . . . . 183,
[Firewall] . . . . . . . . . 201,
[Barracuda NG Control Center] . . . . . . . . . 494
Service Certificate [Barracuda NG Control Center] . . . . . . . . . 473,
[Barracuda NG Control Center] . . . . . . . . . 474
Service Configuration [VPN] . . . . . . . . . 247
Service Default (Failure) [Configuration Service] . . . . . . . . . 98
Service Default (Success) [Configuration Service] . . . . . . . . . 98
Service Key [Barracuda NG Control Center] . . . . . . . . . 473
Service Label [Firewall] . . . . . . . . . 152
Service Log Patterns [Configuration Service] . . . . . . . . . 117,
[Barracuda NG Control Center] . . . . . . . . . 476
Service Name [Configuration Service] . . . . . . . . . 72,
[Configuration Service] . . . . . . . . . 97
Service Statistics [Firewall] . . . . . . . . . 164
Service Type [Configuration Service] . . . . . . . . . 78
Services [Firewall] . . . . . . . . . 142
Session Duration Limit (s) [Firewall] . . . . . . . . . 164
Session Termination [Firewall] . . . . . . . . . 138
Session Timeout [Firewall] . . . . . . . . . 152
Session/Src Limit Exceeded [Firewall] . . . . . . . . . 137
Set Action [OSPF and RIP] . . . . . . . . . 524
Set allow [Firewall] . . . . . . . . . 147,
[Firewall] . . . . . . . . . 148,
[Firewall] . . . . . . . . . 166,
[Proxy] . . . . . . . . . 348,
[Proxy] . . . . . . . . . 364
Set HW Clock to UTC [Configuration Service] . . . . . . . . . 56
Set Multicast Flag [Configuration Service] . . . . . . . . . 79
Set or Sync Box Time [Barracuda NG Control Center] . . . . . . . . . 439
Set OSPF External Metric [OSPF and RIP] . . . . . . . . . 524
Set OSPF Metric [OSPF and RIP] . . . . . . . . . 524
Set RIP Metric [OSPF and RIP] . . . . . . . . . 524
Set RIP Next-Hop IP [OSPF and RIP] . . . . . . . . . 524
Set Timeout [Control] . . . . . . . . . 38
Set TOS Value [Firewall] . . . . . . . . . 164
Settings [Firewall] . . . . . . . . . 137,
[Firewall] . . . . . . . . . 199
Settings for [Statistics] . . . . . . . . . 316,
[Barracuda NG Control Center] . . . . . . . . . 464
settings for [Barracuda NG Control Center] . . . . . . . . . 465
Setup [Firewall] . . . . . . . . . 143
Severity ID [Eventing] . . . . . . . . . 323,
[Eventing] . . . . . . . . . 324
severity_tab_R.gif [Eventing] . . . . . . . . . 323
Shared DHCP Options [DHCP] . . . . . . . . . 289,
[DHCP] . . . . . . . . . 290
Shared Network Device [DHCP] . . . . . . . . . 290
Shared Parameters [DHCP] . . . . . . . . . 289,
[DHCP] . . . . . . . . . 290
Shell Level [Configuration Service] . . . . . . . . . 91,
[Barracuda NG Control Center] . . . . . . . . . 460
Show ... [Barracuda NG Control Center] . . . . . . . . . 432
Show Admins [Barracuda NG Control Center] . . . . . . . . . 438
Show as Text [OSPF and RIP] . . . . . . . . . 525
Show Box REXEC [Barracuda NG Control Center] . . . . . . . . . 438
Show Box Software Updates [Barracuda NG Control Center] . . . . . . . . . 438
Show Config. Updates [Barracuda NG Control Center] . . . . . . . . . 438
Show Detail for Linked Nodes [Barracuda NG Control Center] . . . . . . . . . 502
Show Full Screen (F11) [Barracuda NG Control Center] . . . . . . . . . 492
Show GUI as Text [DHCP] . . . . . . . . . 294
Show Last Update Time [Barracuda NG Control Center] . . . . . . . . . 498
Show Legacy Models [Configuration Service] . . . . . . . . . 53
Show Log ... [Barracuda NG Control Center] . . . . . . . . . 427,
[Barracuda NG Control Center] . . . . . . . . . 428
Show Map [Barracuda NG Control Center] . . . . . . . . . . . . . 438
Show Name [Barracuda NG Control Center] . . . . . . . . . . . . 494
Show Save Button [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . 394
Show Selected Object... [Firewall] . . . . . . . . . . . . . . . . . . . . . 169
Show Tunnel Names [Barracuda NG Control Center] . . . . 492
Signing CA [Barracuda NG Control Center]. . . . . . . . . . . . . 486
Silence Events [Barracuda NG Control Center] . . . . . . . . . 439
Silent Box [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Silently Drop Phishing Mail [Anti-Virus] . . . . . . . . . . . . . . . . 396
SIM PIN [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 77
Simple Authentication Key [OSPF and RIP] . . . . . . . . . . . . 521,
[OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Single IPs [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345,
[Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Size [Getting Started] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Size (%) [Configuration Service]. . . . . . . . . . . . . . . . . . . . . . 101
Size (MB) [Configuration Service] . . . . . . . . . . . . . . . . . . . . . 101
Size in MB [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Size Settings [Configuration Service]. . . . . . . . . . . . . . . . . . 101
Skip Null Stats [Statistics] . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Skip RBL-Tests [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . 276
Slave [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Slave Channel Policy [Configuration Service]. . . . . . . . . . . 75
Slave Devices [Configuration Service] . . . . . . . . . . . . . . . . . 65
SMB Path [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
SMP Kernel [Configuration Service] . . . . . . . . . . . . . . . . . . . 102
SNMP Access Groups [SNMP] . . . . . . . . . . . . . . . . . . . . . . . . 515
SNMP Address [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
SNMP Community [Eventing]. . . . . . . . . . . . . . . . . . . . . . . . . 327
SNMP Destination [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . 327
SNMP Port [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
SNMP Settings [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Socket Connect [Getting Started] . . . . . . . . . . . . . . . . . . . . . 22
Socks Port on 1st IP [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . 139
Socks Port on 2nd IP [Firewall] . . . . . . . . . . . . . . . . . . . . . . . 139
Software Module [Configuration Service] . . . . . . . . . . . . . . 97,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 443
Software Release [Barracuda NG Control Center]. . . . . . . 442
Source [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163,
[Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Source Address [Configuration Service] . . . . . . . . . . . . . . . 69,
[Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Source Address Restriction [Firewall] . . . . . . . . . . . . . . . . . 159
Source Interface [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Source IP [Configuration Service]. . . . . . . . . . . . . . . . . . . . . 79
Source IP Config [Proxy]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345,
[Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Source IP Type [Configuration Service]. . . . . . . . . . . . . . . . 79
Source Mask [Configuration Service] . . . . . . . . . . . . . . . . . . 79
Source Networks [Configuration Service] . . . . . . . . . . . . . . 70,
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 72,
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 74,
[Configuration Service] . . . . . . . . . 76,
[Configuration Service] . . . . . . . . . 78,
[Configuration Service] . . . . . . . . . 80
Source Port [Firewall] . . . . . . . . . 187
Source/Rule Limit Exceeded [Firewall] . . . . . . . . . 137
Spam Analyser IP [Mail Gateway] . . . . . . . . . 275
Spam Analyser Port [Mail Gateway] . . . . . . . . . 275
Spam Detection [Mail Gateway] . . . . . . . . . 269
SPAM Mail Modification [Mail Gateway] . . . . . . . . . 276
Spawn Parameter [DHCP] . . . . . . . . . 294
Spawn Subclasses [DHCP] . . . . . . . . . 294
Spec Type [Eventing] . . . . . . . . . 325
Special File Patterns [Barracuda NG Control Center] . . . . . . . . . 475
Special Networks [Barracuda NG Control Center] . . . . . . . . . 451
Special Type [OSPF and RIP] . . . . . . . . . 521
Specialnet [Barracuda NG Control Center] . . . . . . . . . 451
Specific Cook Settings [Barracuda NG Control Center] . . . . . . . . . 442
Specifies the provider type [Getting Started] . . . . . . . . . 23
Specify Destination Port Address [Proxy] . . . . . . . . . 346
Speed (baud) [Configuration Service] . . . . . . . . . 77
SPF Delay Timer [OSPF and RIP] . . . . . . . . . 520
SPF Hold Timer [OSPF and RIP] . . . . . . . . . 520
Spool ID [Mail Gateway] . . . . . . . . . 282
Spool Queue Sync [Mail Gateway] . . . . . . . . . 266
Spooling Limit [Mail Gateway] . . . . . . . . . 272
Spy [Anti-Virus] . . . . . . . . . 392
Src Filter [Statistics] . . . . . . . . . 315
Src Statistics [Configuration Service] . . . . . . . . . 97
Src Time-Statistics [Configuration Service] . . . . . . . . . 97
Src-Dst Statistics [Configuration Service] . . . . . . . . . 97
SSH Authentication Key [Barracuda NG Control Center] . . . . . . . . . 474
SSH Escape Character [SSH Gateway] . . . . . . . . . 388
SSH Host Key [Barracuda NG Control Center] . . . . . . . . . 474
SSH login [Configuration Service] . . . . . . . . . 106
SSH Private Key [Configuration Service] . . . . . . . . . 60
SSHd Port [Barracuda NG Control Center] . . . . . . . . . 474
SSHd rexec [Configuration Service] . . . . . . . . . 106
SSL Busy Timeout [Barracuda NG Control Center] . . . . . . . . . 473,
[Barracuda NG Control Center] . . . . . . . . . 475
SSL Certificate [Configuration Service] . . . . . . . . . 116
SSL Close Timeout [Barracuda NG Control Center] . . . . . . . . . 473,
[Barracuda NG Control Center] . . . . . . . . . 475
SSL Idle Timeout [Barracuda NG Control Center] . . . . . . . . . 473,
[Barracuda NG Control Center] . . . . . . . . . 475
SSL Listen Port [Barracuda NG Control Center] . . . . . . . . . 473
SSL Peer Authentication [Configuration Service] . . . . . . . . . 117,
[Barracuda NG Control Center] . . . . . . . . . 475
SSL Private Key [Configuration Service] . . . . . . . . . 116
SSL Tunnels [VPN] . . . . . . . . . 247
SSN Format [Anti-Virus] . . . . . . . . . 393
Standalone [Firewall] . . . . . . . . . 159
Standby Mode [Configuration Service] . . . . . . . . . 71,
[Configuration Service] . . . . . . . . . 73,
[Configuration Service] . . . . . . . . . 77
Start Data Collection (hour) [Barracuda NG Control Center] . . . . . . . . . 461
Start Date [Barracuda NG Control Center] . . . . . . . . . 502
Start LDAP Server [Barracuda NG Control Center] . . . . . . . . . 485
Start NTPd [Configuration Service] . . . . . . . . . 57
Start Script [Configuration Service] . . . . . . . . . 96
Start Server [Barracuda NG Control Center] . . . . . . . . . 439
Start Service [Barracuda NG Control Center] . . . . . . . . . 439
Startup Poll Interval [Configuration Service] . . . . . . . . . 118
Stat. Name [VPN] . . . . . . . . . 225
State [Configuration Service] . . . . . . . . . 59
State or Province [Barracuda NG Control Center] . . . . . . . . . 487
Static Bridge MAC [Firewall] . . . . . . . . . 195
Static Gateway IP [Configuration Service] . . . . . . . . . 75
Static IP/Mask [Configuration Service] . . . . . . . . . 75
Static Route [DHCP] . . . . . . . . . 300
Static Route Net [DHCP] . . . . . . . . . 292
Static Source IP [SSH Gateway] . . . . . . . . . 388
Statistic [Getting Started] . . . . . . . . . 22
Statistic Name [VPN] . . . . . . . . . 229
Statistics Entry [Firewall] . . . . . . . . . 164
Statistics for Local Firewall [Firewall] . . . . . . . . . 137
Statistics Permissions [Barracuda NG Control Center] . . . . . . . . . 439
Statistics Settings [Mail Gateway] . . . . . . . . . 272
Statistics Type [Statistics] . . . . . . . . . 313
Statistics type [Statistics] . . . . . . . . . 315
Stop Alarm [Barracuda NG Control Center] . . . . . . . . . 439
Stop Script [Configuration Service] . . . . . . . . . 96
Stop Server [Barracuda NG Control Center] . . . . . . . . . 439
Stop Service [Barracuda NG Control Center] . . . . . . . . . 439
Storage Architecture [Configuration Service] . . . . . . . . . 53
Storage Dir [Configuration Service] . . . . . . . . . 104
Storage Time [Configuration Service] . . . . . . . . . 104
Store on Disk [Barracuda NG Control Center] . . . . . . . . . 473
Stream Forwarding [Firewall] . . . . . . . . . 163
strictly internal [Mail Gateway] . . . . . . . . . 264
strictly_foreign [Mail Gateway] . . . . . . . . . 264
String Length [FTP Gateway] . . . . . . . . . 371
Strip HTTP1.1 Enc. Header Lines [Proxy] . . . . . . . . . 356
Strip Received Lines [Mail Gateway] . . . . . . . . . 271
Strip Received Lines Text [Mail Gateway] . . . . . . . . . 271
Structured Data Detection [Anti-Virus] . . . . . . . . . 393
Subject [Firewall] . . . . . . . . . 201,
[VPN] . . . . . . . . . 219,
[VPN] . . . . . . . . . 220,
[VPN] . . . . . . . . . 231,
[Mail Gateway] . . . . . . . . . 266
Subject Blacklist [Mail Gateway] . . . . . . . . . 270
subjectAltName [Barracuda NG Control Center] . . . . . . . . . 487
subjectKeyIdentifier [Barracuda NG Control Center] . . . . . . . . . 487
Subnet Description [DHCP] . . . . . . . . . 290
Subnet DHCP Options [DHCP] . . . . . . . . . 290,
[DHCP] . . . . . . . . . 291
Subnet mask [Getting Started] . . . . . . . . . 10
Subnet Parameters [DHCP] . . . . . . . . . 290,
[DHCP] . . . . . . . . . 291
Subnet Type [DHCP] . . . . . . . . . 290
Subnetmask [DHCP] . . . . . . . . . 292,
[DHCP] . . . . . . . . . 299
Successive Command Maximum [Configuration Service] . . . . . . . . . 58
Summary Range IP/Mask [OSPF and RIP] . . . . . . . . . 521
Superordinate domain [DNS] . . . . . . . . . 336,
[DNS] . . . . . . . . . 337
Support Agent Forwarding [SSH Gateway] . . . . . . . . . 388
Support Opaque LSA [OSPF and RIP] . . . . . . . . . 520
Support Trusted Data Reception [Barracuda NG Control Center] . . . . . . . . . 473
Support X11 Forwarding [SSH Gateway] . . . . . . . . . 387
Supported Protocols [Configuration Service] . . . . . . . . . 107,
[Barracuda NG Control Center] . . . . . . . . . 473
Supported SSH Protocol [SSH Gateway] . . . . . . . . . 388
Swap List View [Barracuda NG Control Center] . . . . . . . . . 491
Swap Server [DHCP] . . . . . . . . . 292,
[DHCP] . . . . . . . . . 300
SYN Cookie High Watermark (%) [Firewall] . . . . . . . . . 136
SYN Cookie Low Watermark (%) [Firewall] . . . . . . . . . 136
Syn Flood Protection (Forward) [Firewall] . . . . . . . . . 163
Syn Flood Protection (Reverse) [Firewall] . . . . . . . . . 163
Sync Authentication to Trustzone [VPN] . . . . . . . . . 219
Sync Timeout (s) [Barracuda NG Control Center] . . . . . . . . . 461
Sync to HA Partner [Barracuda NG Control Center] . . . . . . . . . 473
Synchronous PPP [Configuration Service] . . . . . . . . . 71
Sys-CMD (login) [Configuration Service] . . . . . . . . . 106
Sys-CMD (su) [Configuration Service] . . . . . . . . . 106
system [SNMP] . . . . . . . . . 515
T
t. disabled [Eventing] . . . . . . . . . 328
Table Names [OSPF and RIP] . . . . . . . . . 520,
[OSPF and RIP] . . . . . . . . . 522
Table Placement [Configuration Service] . . . . . . . . . 70,
[Configuration Service] . . . . . . . . . 80
TAC+ ID Port [Configuration Service] . . . . . . . . . 114
TAC+ IP Address [Configuration Service] . . . . . . . . . 114
TAC+ Key [Configuration Service] . . . . . . . . . 114
TAC+ Login Type [Configuration Service] . . . . . . . . . 114
TAC+ Server Port [Configuration Service] . . . . . . . . . 114
Target Alive Interval [SSH Gateway] . . . . . . . . . 388
Target Alive Max Count [SSH Gateway] . . . . . . . . . 388
Target FQDN [SSH Gateway] . . . . . . . . . 388
Target IP Address [SSH Gateway] . . . . . . . . . 388
Target List [Firewall] . . . . . . . . . 146
Target Network Address [Configuration Service] . . . . . . . . . 69
Target Networks [Configuration Service] . . . . . . . . . 67,
[Configuration Service] . . . . . . . . . 72,
[Configuration Service] . . . . . . . . . 74,
    [Configuration Service] 76, [Configuration Service] 78, [Configuration Service] 80
TCP ECN Active [Configuration Service] 100
TCP Listen Port [SSH Gateway] 387
TCP Listening Port [Proxy] 341
TCP Outgoing Address [Proxy] 341
TCP Port [Proxy] 346, [Barracuda NG Control Center] 473
TCP Retry Interval [Configuration Service] 116, [Barracuda NG Control Center] 475
TCP Sync Frequency (lines) [Barracuda NG Control Center] 474
Telephone Nr. [Barracuda NG Control Center] 441, [Barracuda NG Control Center] 442
Template [Mail Gateway] 266, [Barracuda NG Control Center] 486
Template Zone [DNS] 333
Terminal Password [OSPF and RIP] 520
Terminate Connections [Barracuda NG Control Center] 439
Terminate existing [Firewall] 148, [Firewall] 166
Terminate VPN Tunnels [Barracuda NG Control Center] 439
Test Report [Firewall] 142
Text [DNS] 337
Text To Insert Into Subject [Mail Gateway] 276
Texture Quality [Barracuda NG Control Center] 497
TFTP Server Name [DHCP] 292, [DHCP] 300
Thickness [Barracuda NG Control Center] 494
Threshold [Mail Gateway] 276, [Eventing] 328
TI Classification [VPN] 236
TI Learning Policy [VPN] 237
Ticket Management [Barracuda NG Control Center] 439
TI-ID [VPN] 236
Time [VPN] 227
Time (h) [Mail Gateway] 277
Time (min) [Mail Gateway] 277
Time Interval [DHCP] 289
Time Limit [VPN] 231
Time Object [Firewall] 165
Time Object Name [Firewall] 147
Time Offset [DHCP] 292, [DHCP] 300
Time Period [Configuration Service] 88
Time Restriction [Firewall] 164
Time Restrictions [Proxy] 345
Time Server [DHCP] 292, [DHCP] 300
Time Server IP [Configuration Service] 57
Time Settings [Proxy] 345, [Proxy] 364, [FTP Gateway] 372
Time Zone [Getting Started] 11, [Proxy] 345, [Proxy] 363, [FTP Gateway] 372
Timed [Firewall] 165, [Firewall] 168
timed [Firewall] 144
Timeout [VPN] 231, [Mail Gateway] 266, [Mail Gateway] 275, [Proxy] 363, [FTP Gateway] 372
Timeout (min.) [VPN] 220
Timeout Timer [OSPF and RIP] 522
Timezone [Configuration Service] 56
Toggle Release View [Barracuda NG Control Center] 446
Toggle Trace [Barracuda NG Control Center] 439
Tool [Anti-Virus] 392
Tools [Barracuda NG Control Center] 491
Top Level Logdata [Barracuda NG Control Center] 475
Top most directory [FTP Gateway] 371
TOS [Configuration Service] 88
TOS Policy [VPN] 238, [VPN] 241
Total Poll Time [Barracuda NG Control Center] 437
Trace Reachable Statistics [Barracuda NG Control Center] 437
Traffic Limit [Configuration Service] 88
Transaction ID Encoding [Configuration Service] 59
Transaction Timeout [Voice over IP] 378
Transfer Source Address [Configuration Service] 56
transfer-source-ip [DNS] 335
Translated HA IP [Configuration Service] 118
Transmission Mode [Configuration Service] 117, [Barracuda NG Control Center] 476
Transparent Failover State Sync [Firewall] 164
Transport [VPN] 234, [Barracuda NG Control Center] 493
Transport Protocol [Configuration Service] 67
Tree Name [Configuration Service] 86
Trickle HTTP 1.0 [Anti-Virus] 394
Trickle Period (sec) [Anti-Virus] 394
Trickle Size Low Watermark (MB) [Anti-Virus] 394
Trusted Clients [Barracuda NG Control Center] 474
Trusted Local Networks [Barracuda NG Control Center] 451
Tunnel Check Interval (s) [VPN] 220
Tunnel Client Application [VPN] 247
Tunnel Details [Configuration Service] 67
Tunnel HA Sync [VPN] 219
Tunnel Parameter Template [VPN] 235
Tunnel Probing [VPN] 226, [VPN] 228, [VPN] 234, [Barracuda NG Control Center] 493
Tunnel Timeout [VPN] 227, [VPN] 228, [VPN] 234, [Barracuda NG Control Center] 493
Tunnel TTL [Configuration Service] 79
Type [Firewall] 150, [Firewall] 154, [Firewall] 160, [VPN] 218, [DNS] 334, [OSPF and RIP] 524, [OSPF and RIP] 525
Type of Logfile [Configuration Service] 104
Type of Proxy [Configuration Service] 67


U
UDP Incoming Address [Proxy] 341
UDP Limit Exceeded [Firewall] 137
UDP Listen Port [DHCP] 289
UDP Outgoing Address [Proxy] 341
UDP Port [DHCP] 302, [Barracuda NG Control Center] 473
UDP/Src Limit Exceeded [Firewall] 137
UMTS Enabled [Configuration Service] 77
UMTS Modem Card [Configuration Service] 77
Unattended Installation [Getting Started] 14
Unblock Update [Barracuda NG Control Center] 424
Undelivered Entries [Mail Gateway] 272
Unit [Configuration Service] 59
Unknown Clients [DHCP] 290
Unknown Downloads Template [Anti-Virus] 395
Unreachable Command [Configuration Service] 69
Unrestricted IPs [Proxy] 364, [Proxy] 365
Unrestricted MACs [Firewall] 194
Unrestricted Users [Proxy] 364, [Proxy] 365
Unstructured Address [Configuration Service] 59
Unstructured Name [Configuration Service] 59
Untrusted Update [Barracuda NG Control Center] 424
Update [Eventing] 328
Update Direction [OSPF and RIP] 522
Update every [Barracuda NG Control Center] 498
Update Every (min) [Anti-Virus] 390
Update Now [Barracuda NG Control Center] 424
Update Policy [Configuration Service] 102
Update Static Leases [DHCP] 293
Update Timer [OSPF and RIP] 522
Upload Unknown URLs [Proxy] 362
URL [Getting Started] 10, [VPN] 246, [Proxy] 346
URL Extensions [Proxy] 346
URL Fetching [Proxy] 342
URL Path [Proxy] 346
URL Path Extensions [Proxy] 346
URL-Path [VPN] 221
Usage Policy [Configuration Service] 118
Usage pull-down [VPN] 226
USB Device on Box [Getting Started] 14
Use Assigned IP [Configuration Service] 74, [Configuration Service] 76, [Configuration Service] 78
Use Black List Tests [Mail Gateway] 276
Use Box Certificate/Key [Configuration Service] 116
Use Channel Bonding [Configuration Service] 75
Use Compression [Barracuda NG Control Center] 474
Use current AD connection [VPN] 231
Use DCC [Mail Gateway] 276
Use Dynamic DNS [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 77
Use Event ID [Eventing] 325
Use Forward Address [Firewall] 168
Use Free Format [DHCP] 294, [OSPF and RIP] 525
Use Group Policies [VPN] 244, [SSH Gateway] 387
Use HTML Tag Removal [Mail Gateway] 266
Use HTTP-Proxy [Anti-Virus] 391
Use IP BARP Entries [Firewall] 194
Use IPSec dynamic IP [VPN] 220
Use Kernel Ruleset [Firewall] 136
Use Linear Mode [Configuration Service] 102
Use Local Box Time [Proxy] 345
Use Local Database [Proxy] 362
Use Local Time [Proxy] 363, [FTP Gateway] 372
Use local virus scanner [FTP Gateway] 371
Use Max. Tunnels [VPN] 244
Use MSAD-groups with NTLM [Configuration Service] 112
Use NTP [Getting Started] 12
Use ospf [VPN] 222
Use Phishing Signatures [Anti-Virus] 393
Use Policy Routing [Configuration Service] 80
Use POP3 [Mail Gateway] 265
Use port 443 [VPN] 219
Use Provider DNS [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 77
Use Pyzor [Mail Gateway] 276
Use Razor V2 [Mail Gateway] 276
Use RCS [Barracuda NG Control Center] 438
Use Reverse Address [Firewall] 168
Use Self-Signed Certificate [VPN] 244, [Proxy] 355
Use Service Names for Statistics [Firewall] 137
Use Site to Site Tunnels for Authentication [VPN] 219
Use Special Routing Table [OSPF and RIP] 519, [OSPF and RIP] 522
Use Special Routing Tables [OSPF and RIP] 520
Use SSL [Configuration Service] 112, [Configuration Service] 113, [VPN] 221, [VPN] 231
Use SSL Encapsulation [Configuration Service] 117
Use Table [Configuration Service] 80
Use Target Address [Firewall] 168
Use Template [VPN] 225
Use Time Received [Barracuda NG Control Center] 474
Use Tunnels for Authentication [Barracuda NG Control Center] 440
Used by [VPN] 225
Used Driver [Configuration Service] 64
Used Root Certificates [VPN] 230
Used Subnet [DHCP] 290
Used VPN Protocol [Configuration Service] 67
User [Firewall] 163, [VPN] 221, [VPN] 231, [Proxy] 342, [Barracuda NG Control Center] 498
User Access ID [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 77, [Configuration Service] 78
User Access Sub-ID [Configuration Service] 72, [Configuration Service] 75, [Configuration Service] 77
User Authentication [VPN] 223, [Proxy] 346, [Proxy] 364
User Defined Rule Event [Mail Gateway] 272
User Groups [Firewall] 142, [VPN] 244
User ID [VPN] 225, [SSH Gateway] 387, [Barracuda NG Control Center] 473
User Info Helper Scheme [Configuration Service] 112, [Configuration Service] 113, [Configuration Service] 114, [Configuration Service] 115
User List [Firewall] 200, [Proxy] 344, [FTP Gateway] 372
User List Policy [Firewall] 200, [Proxy] 344, [FTP Gateway] 372
User Name [Configuration Service] 59
User Names [SSH Gateway] 388
User Real-Time Check (OCSP) [Proxy] 356
User specific [FTP Gateway] 371
User Visible Name [SSH Gateway] 388
Userlinks [VPN] 248
Username [VPN] 223, [VPN] 248, [Anti-Virus] 391
Username Length [FTP Gateway] 371
Users [Proxy] 346
Using Time Server [Control] 39

V
Validate Password [Barracuda NG Control Center] 486
Value [VPN] 232
Vendor [DHCP] 292
Verbose [DHCP] 299
Verbose Logging [Configuration Service] 104, [Configuration Service] 111
Version Control System [Barracuda NG Control Center] 500
View [SNMP] 515
View as list [Barracuda NG Control Center] 492
View Configuration [Barracuda NG Control Center] 439
View License Data [Barracuda NG Control Center] 439
View Rule Set [Barracuda NG Control Center] 439
View Stripped Attachments [Barracuda NG Control Center] 439
View Trace Output [Barracuda NG Control Center] 439
Views [Barracuda NG Control Center] 491
Virscan Service Permissions [Barracuda NG Control Center] 439
Virtual Device [Configuration Service] 88
Virtual IP (VIP) [Configuration Service] 67
Virtual Link ID (ABR) [OSPF and RIP] 521
Virtual Link Params [OSPF and RIP] 521
Virus Protection [Mail Gateway] 269
Visible Hostname [Proxy] 341
Visible Interface Name [Configuration Service] 63
Visible Name [VPN] 246, [VPN] 247, [VPN] 248
VJ Connection-ID [Configuration Service] 75
VJ TCP Header [Configuration Service] 75
VLAN Description [Configuration Service] 65
VLAN ID [Configuration Service] 65
VPN Device Index [VPN] 235, [VPN] 240
VPN Group [Firewall] 201
VPN HW Modules [Firewall] 136
VPN Interface [Configuration Service] 67
VPN Local IP [Configuration Service] 67
VPN Name [Firewall] 201
VPN Point of Entry [Configuration Service] 67
VPN Port [Configuration Service] 67
VPN Rate Limit [Firewall] 136
VPN Rules [VPN] 226, [VPN] 228
VPN Server Permissions [Barracuda NG Control Center] 439
VPN-Server Listen IPs [VPN] 245
VPN-Type [VPN] 226
W
Waiting Period [Configuration Service] 67
Waiting Period (s/probe) [Configuration Service] 79
Warning Period [Configuration Service] 92
Warning period before expiration [Barracuda NG Control Center] 459
Watch Control Daemon [Configuration Service] 111
Watch SSH Daemon [Configuration Service] 111
Water is transparent [Barracuda NG Control Center] 497
Web Resources [VPN] 246
WebDAV Address [VPN] 247
WebDAV Resources [VPN] 247
WebDAV Sharename [VPN] 247
Weekday/Hour [Configuration Service] 88
Weight [Firewall] 154
Weight Number [Configuration Service] 69
Welcome message [FTP Gateway] 372
Went Operational [Configuration Service] 53
When using BULK transports [VPN] 237
When using QUALITY transports [VPN] 237
White List [Proxy] 363
White List Peers [Mail Gateway] 270
White List Senders [Mail Gateway] 270
Whitelist From [Mail Gateway] 276
Whitelist To [Mail Gateway] 276
Wild [Barracuda NG Control Center] 423
Wildcard Support [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 78
Windows Domain Name [Proxy] 343
WINS [VPN] 226, [VPN] 229
WINS Server [Configuration Service] 113, [DHCP] 292, [DHCP] 299
Workgroup Name [Configuration Service] 112
World Texture from [Barracuda NG Control Center] 497
Write [Barracuda NG Control Center] 445
Write Cache-Log [Proxy] 341
Write Store-Log [Proxy] 341
Write USB stick [Getting Started] 14
WWW root [Firewall] 199
X
X509 Certificate [VPN] 229
X509 Certificate & Login+Password Authentication [Firewall] 201
X509 Certificate Authentication [Firewall] 201
X509 Key Usage [Configuration Service] 59
X509 Login Extraction Field [VPN] 230
xDSL Enabled [Configuration Service] 71
XML Services Management [Barracuda NG Control Center] 439
Y
Yearly Schedule [Configuration Service] 103
Your Level [Barracuda NG Control Center] 445
Z
Zone Keys [DHCP] 294
Zone Type [Configuration Service] 56, [DHCP] 294
Zoom out/in [Barracuda NG Control Center] 492


7. Table Directory
Table 01 Text conventions of the documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1 Getting Started
Table 11 USB stick Formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Table 12 Types of DEMO versions in Barracuda NG Firewall 4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Table 13 Availability of services on Appliance Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Table 14 Contents of the Overview segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 15 Comparison CIDR - inverted CIDR notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

2 Control
Table 2-1 Status icons flagging tabs in the Control window . . . . . 28
Table 2-2 Connection status icons . . . . . 28
Table 2-3 Server status and configuration . . . . . 29
Table 2-4 Icons for network interface types . . . . . 30
Table 2-5 Icons for network connection status . . . . . 31
Table 2-6 Example: Route handling, networks . . . . . 33
Table 2-7 Example: Route handling, corresponding direct route . . . . . 33
Table 2-8 Example: Route handling, no Source IP address . . . . . 33
Table 2-9 Example: Route handling, gateway routes . . . . . 34
Table 2-10 Example: Route handling, valid source IP address . . . . . 34
Table 2-11 Example configuration for router and firewall . . . . . 35
Table 2-12 Router configuration . . . . . 35
Table 2-13 Routing state on active firewall box . . . . . 35
Table 2-14 Routing state on backup firewall box . . . . . 35
Table 2-15 Routing state on both firewall boxes . . . . . 35
Table 2-16 Routing state on both firewall boxes . . . . . 35
Table 2-17 Tabular listing of the elements of the process status panel . . . . . 36
Table 2-18 Version Status - Properties . . . . . 37
Table 2-19 Possible authentication options . . . . . 39
Table 2-20 Box control BOX SCEP Status commands . . . . . 40
Table 2-21 Session types overview . . . . . 40

3 Configuration Service
Table 3-1 Required software modules sufficient for management and controlled low level operation of a box . . . . . 44
Table 3-2 Lock indicator icons . . . . . 45
Table 3-3 Box configuration window icons . . . . . 46
Table 3-4 Buttons of configuration window for session management and status retrieval . . . . . 47
Table 3-5 Box specific configuration items . . . . . 51
Table 3-6 Classification of the available sections . . . . . 61
Table 3-7 NICs supporting VLAN technology . . . . . 65
Table 3-8 Routing rules . . . . . 70
Table 3-9 Traffic Shaping Settings Virtual Tree commands . . . . . 85
Table 3-10 Traffic Shaping Settings Interface commands . . . . . 86
Table 3-11 Traffic Shaping Settings Shaping connector commands . . . . . 87
Table 3-12 Realtime Information Shaping . . . . . 88
Table 3-13 Realtime Information Shaping commands . . . . . 88
Table 3-14 Bandwidth calculation by ratio . . . . . 89
Table 3-15 Bandwidth calculation by total percentage . . . . . 89
Table 3-16 Example 1 Policy Definition configuration . . . . . 90
Table 3-17 Example 1 Interfaces configuration . . . . . 90
Table 3-18 Example 2 Policy Definition configuration . . . . . 91
Table 3-19 Example 2 Interfaces configuration . . . . . 91

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


592 | Table Directory Appendix

Table 3-20 Authorisations associated with administrator roles . . . . . 92
Table 3-21 Example Box configuration . . . . . 94
Table 3-22 Service configuration Statistics dependent or independent from the statistics settings . . . . . 98
Table 3-23 Overview of the five notification schemes on Barracuda NG Firewall systems . . . . . 105
Table 3-24 Overview of the checks watchdog runs . . . . . 109
Table 3-25 Listing of the four available error handling policies offered by the repair utility of the watchdog module . . . . . 109
Table 3-26 Error code to error origin assignment assumed by the repair utility . . . . . 109
Table 3-27 Support Call Parameters . . . . . 127
Table 3-28 Connection Status . . . . . 128
Table 3-29 Contents of System Reports . . . . . 129

4 Firewall
Table 4-1 Firewall notions . . . . . 133
Table 4-2 Audit events . . . . . 138
Table 4-3 Rule marks utilized in the rule overview window . . . . . 141
Table 4-4 Currently available modules . . . . . 152
Table 4-5 Example Setup 1 Rule configuration firewalls A and B . . . . . 155
Table 4-6 Example Setup 2 Rule configuration firewalls A and B . . . . . 155
Table 4-7 Recommendation for creation of Proxy ARPs . . . . . 158
Table 4-8 Forward policy comparison . . . . . 168
Table 4-9 Rule Tester Test Result icons . . . . . 173
Table 4-10 Exemplary LAN scenario . . . . . 174
Table 4-11 Exemplary rule configuration in comparison . . . . . 176
Table 4-12 Improved rule configuration . . . . . 177
Table 4-13 Status types and their origin . . . . . 180
Table 4-14 Overview of possible access cache entries . . . . . 181
Table 4-15 Reasons for connection denials . . . . . 184
Table 4-16 Reasons for connection blocks . . . . . 184
Table 4-17 Reasons for connection drops . . . . . 184
Table 4-18 Reasons for connection failures . . . . . 185
Table 4-19 Columns available in the upper section of the Dynamic Rules tab . . . . . 186
Table 4-20 Columns available in the lower section of the Dynamic Rules tab . . . . . 186
Table 4-21 Columns in the protected IPs tab . . . . . 186
Table 4-22 Rule state overview . . . . . 186
Table 4-23 Possible tracing conditions . . . . . 187
Table 4-24 Bridging characteristics in comparison . . . . . 191
Table 4-25 Structural breakdown of bridging units . . . . . 192
Table 4-26 Overview of bridging operational information in the Bridging ARPs tab . . . . . 197
Table 4-27 Broad-Multicast action type rule configuration . . . . . 198
Table 4-28 Monitoring parameters overview . . . . . 203
Table 4-29 RPC comparison passive / active . . . . . 204
Table 4-30 Monitoring parameters overview . . . . . 209

5 VPN
Table 5-1 Client-Server Communication Options . . . . . 212
Table 5-2 Comparison of Different Tunnel Transport Modes . . . . . 215
Table 5-3 VPN configuration - Introduce and Configure . . . . . 217
Table 5-4 Involved Objects within a VPN Framework . . . . . 233
Table 5-5 Example for TI Learning Policy . . . . . 237
Table 5-6 SSL tunnels . . . . . 250
Table 5-7 Possible "Last Connection" States . . . . . 253
Table 5-8 Fully Transparent Tunnel VPN Configuration on VPN server 1 . . . . . 254
Table 5-9 Fully Transparent Tunnel VPN configuration on VPN server 2 . . . . . 254
Table 5-10 Stealth Tunnel VPN Configuration on VPN Server 1 . . . . . 254
Table 5-11 Stealth Tunnel VPN configuration on VPN server 2 . . . . . 255
Table 5-12 Relationship between Local and Partner Networks . . . . . 255
Table 5-13 Redundant VPN Tunnel Example . . . . . 256
Table 5-14 Redundant VPN Tunnel Example Parameter Settings . . . . . 256
Table 5-15 Redundant VPN Tunnel Direct Routes for VPN Server 1 . . . . . 256
Table 5-16 Redundant VPN tunnel Direct Routes for VPN server 2 . . . . . 256

6 Mail Gateway
Table 6-1 Items of the Navigation Bar's main element "Configuration" . . . . . 262
Table 6-2 E-mail client configuration . . . . . 265

Table 6-3 SMTP levels . . . . . 267
Table 6-4 Variables used in the Expert Settings section . . . . . 267
Table 6-5 Operators used in the Expert Settings section . . . . . 267
Table 6-6 IF statements used in the Expert Settings section . . . . . 267
Table 6-7 Actions used in the Expert Settings section . . . . . 268

7 DHCP
Table 7-1 Example Configuration parameters for Subnet1 . . . . . 296
Table 7-2 Example Configuring Address Pool 1 for Subnet1 . . . . . 296
Table 7-3 Example Configuring Address Pool 2 for Subnet1 . . . . . 296
Table 7-4 Example Configuration parameters for Subnet2 . . . . . 297
Table 7-5 Example Configuring Address Pool 1 for Subnet2 . . . . . 297
Table 7-6 Example Configuration parameters for Known Clients 1 . . . . . 297
Table 7-7 Example Configuration parameters for Known Clients 2 . . . . . 297

8 Log Viewer
Table 8-1 Navigation arrows and their function . . . . . 307
Table 8-2 Log Entry types . . . . . 308
Table 8-3 Event Log Message Attributes . . . . . 308
Table 8-4 Event Log Message ID and text . . . . . 308
Table 8-5 Log file entries related to clock skew detection . . . . . 309
Table 8-6 Log file entries related to synchronisation of polling list and database . . . . . 309
Table 8-7 Log file entries related to synchronisation of polling list and database . . . . . 309
Table 8-8 Log file entries related to synchronisation between HA-databases - Scenarios which will stop task MAIN . . . . . 309
Table 8-9 Log file entries related to synchronisation between HA-databases - Scenarios which will not stop task MAIN . . . . . 310

9 Statistics
Table 9-1 Services responsible for statistics files handling . . . . . 312

10 Eventing
Table 10-1 Overview of events in the Events tab . . . . . 323
Table 10-2 Font styles characterising event settings . . . . . 323
Table 10-3 SNMP Parameters . . . . . 326
Table 10-4 SNMP Service notifications . . . . . 327

11 DNS
Table 11-1 Supplementary DNS configuration objects overview . . . . . 338

12 Proxy
Table 12-1 Short overview of metacharacters in regular expressions . . . . . 345
Table 12-2 Actions configuration . . . . . 350
Table 12-3 Example: squid.conf file httpd_accel directive . . . . . 353
Table 12-4 Example: squid.conf file corresponding options . . . . . 353
Table 12-5 URL categories overview . . . . . 366

13 FTP Gateway

14 Voice over IP
Table 14-1 SIP Monitoring parameters overview . . . . . 380

15 Wireless LAN

16 SSH Gateway

17 Anti-Virus

18 High Availability
Table 18-1 State table with working communication . . . . . 400
Table 18-2 Communication between HA partners; ARPs are independent from a HA system . . . . . 400
Table 18-3 Designing a HA System Used IP addresses . . . . . 403
Table 18-4 Designing a HA system Translated HA IP . . . . . 403
Table 18-5 Designing a HA system network routes . . . . . 403

19 Barracuda NG Control Center
Table 19-1 Barracuda NG Control Center services overview . . . . . 414
Table 19-2 Possible settings of authentication levels on the box itself . . . . . 417
Table 19-3 Example - Log file of a System Startup . . . . . 418
Table 19-4 Color coding of status icons . . . . . 422
Table 19-5 Icons used in the title bars of range, cluster and box section . . . . . 422
Table 19-6 Icons used in the Configuration Updates tab . . . . . 424
Table 19-7 Update Status flags overview . . . . . 424
Table 19-8 Session types overview . . . . . 425
Table 19-9 Data listed in the Stat Collect tab . . . . . 425
Table 19-10 Data listed in the Box Execution tab . . . . . 426
Table 19-11 Popular Scripts . . . . . 429
Table 19-12 Data listed in the columns of the Scanner Versions tab . . . . . 429
Table 19-13 Data listed in the system list of the Software Update tab . . . . . 430
Table 19-14 Data listed in the task list of the Software Update tab . . . . . 432
Table 19-15 Moving/Copying Managed Boxes, Servers and Services . . . . . 449
Table 19-16 Default user rights overview . . . . . 457
Table 19-17 Administration scopes overview . . . . . 458
Table 19-18 Error analysis of poll sessions . . . . . 467
Table 19-19 Filtering policy CC-managed box . . . . . 478
Table 19-20 Filtering policy self-managed box . . . . . 478
Table 19-21 Definition of V3 Extensions (RFC 3280) . . . . . 489
Table 19-22 Barracuda NG Earth Hotkey . . . . . 498
Table 19-23 Barracuda NG Earth Mouse functions . . . . . 498
Table 19-24 Barracuda NG Earth Color legend for box . . . . . 498
Table 19-25 Barracuda NG Earth Color legend for tunnel . . . . . 498
Table 19-26 Columns available in the RCS Versions window . . . . . 500
Table 19-27 Columns available in the RCS Report window . . . . . 501

20 SNMP

21 OSPF and RIP
Table 21-1 Feature differences between OSPF and RIP . . . . . 519
Table 21-2 Example for IP Prefix List Filter prefix list . . . . . 525
Table 21-3 Example for IP Prefix List Filter group of prefixes . . . . . 525
Table 21-4 Configuration example . . . . . 525

22 System Information
Table 22-1 Basic overview of the NGFW OS Linux system and its licensing concepts . . . . . 532
Table 22-2 Ports overview . . . . . 535
Table 22-3 Layer-IDs overview . . . . . 536
Table 22-4 Class-IDs overview . . . . . 536
Table 22-5 Operational Events overview . . . . . 537
Table 22-6 Security Events overview . . . . . 539

23 Appendix
Table 23-1 Barracuda NG Firewall F800 - Box > Network . . . . . 548
Table 23-2 Barracuda NG Firewall F600 - Box > Network . . . . . 548
Table 23-3 Barracuda NG Firewall F200 - Box > Network . . . . . 548
Table 23-4 Barracuda NG Firewall F100 - Box > Network . . . . . 548
Table 23-5 Glossary A . . . . . 604
Table 23-6 Glossary C . . . . . 604
Table 23-7 Glossary D . . . . . 605
Table 23-8 Glossary E . . . . . 605
Table 23-9 Glossary F . . . . . 606
Table 23-10 Glossary G . . . . . 606
Table 23-11 Glossary H . . . . . 606
Table 23-12 Glossary I . . . . . 606
Table 23-13 Glossary K . . . . . 606
Table 23-14 Glossary L . . . . . 607
Table 23-15 Glossary M . . . . . 607
Table 23-16 Glossary N . . . . . 607
Table 23-17 Glossary O . . . . . 607
Table 23-18 Glossary P . . . . . 607
Table 23-19 Glossary R . . . . . 608
Table 23-20 Glossary S . . . . . 609
Table 23-21 Glossary T . . . . . 609
Table 23-22 Glossary U . . . . . 609
Table 23-23 Glossary V . . . . . 609
Table 23-24 Glossary W . . . . . 609




8. Figure Directory
Figure 0-1 Example: Common Settings . . . . . 4
Figure 0-2 Example section Condition . . . . . 5

1 Getting Started
Figure 1-1 Window Box Licenses in read/write mode . . . . . 9
Figure 1-2 Defining Box Type Settings with Barracuda NG Installer . . . . . 11
Figure 1-3 Configuring System Settings with Barracuda NG Installer . . . . . 11
Figure 1-4 Configuring Partition Settings with Barracuda NG Installer . . . . . 12
Figure 1-5 NIC adapter configuration parameters . . . . . 13
Figure 1-6 Configuring USB stick settings with Barracuda NG Installer . . . . . 14
Figure 1-7 Box Type Settings window in Create Kickstart only mode . . . . . 15
Figure 1-8 rawwritewin.exe - Start screen . . . . . 15
Figure 1-9 Login dialog . . . . . 17
Figure 1-10 Barracuda NG Admin User Interface . . . . . 17
Figure 1-11 Start screen . . . . . 18
Figure 1-12 Dialog for customising the tool bar . . . . . 19
Figure 1-13 Tool bar . . . . . 20
Figure 1-14 Status bar . . . . . 20
Figure 1-15 Barracuda NG Admin Settings - Boxes . . . . . 21
Figure 1-16 Enter New Box dialog . . . . . 21
Figure 1-17 Barracuda NG Admin Settings - Client tab . . . . . 22
Figure 1-18 Configuring Advanced Cryptographic Settings . . . . . 23
Figure 1-19 Barracuda NG Admin Settings - Public Host Keys tab . . . . . 24

2 Control
Figure 2-1 Tabs in the Control window flagged by status icons . . . . . 28
Figure 2-2 Server Tab . . . . . 29
Figure 2-3 Network Tab . . . . . 30
Figure 2-4 Interface/IPs Tab . . . . . 30
Figure 2-5 Table section . . . . . 32
Figure 2-6 Network diagram illustrating the concept of a pending route . . . . . 33
Figure 2-7 Network diagram, pending direct routes and gateway routes . . . . . 34
Figure 2-8 Example for a screened host setup . . . . . 34
Figure 2-9 Sample process status view . . . . . 36
Figure 2-10 Sample Info Dialog window . . . . . 36
Figure 2-11 Sample Resources tab . . . . . 37
Figure 2-12 Box Control > Licenses Tab . . . . . 37
Figure 2-13 Network Activation dialog . . . . . 38
Figure 2-14 View of the box control window . . . . . 38
Figure 2-15 Box Domain Registration dialog . . . . . 39
Figure 2-16 Typical view of the CPU information panel . . . . . 40

3 Configuration Service
Figure 3-1 Interdependencies of the various basic configuration entities . . . . . 43
Figure 3-2 Box configuration window in compressed connection state . . . . . 45
Figure 3-3 Menu after pressing right mouse button on yet unlocked item . . . . . 45
Figure 3-4 Menu after pressing right mouse button on locked item from another session . . . . . 45
Figure 3-5 Configuration Sessions window . . . . . 46
Figure 3-6 Box configuration window detail . . . . . 46
Figure 3-7 User Interface . . . . . 48
Figure 3-8 Config tree - Emergency Override . . . . . 48
Figure 3-9 Example for an Edit / Insert / Delete mask . . . . . 48
Figure 3-10 Change / Insert / Delete mask . . . . . 49
Figure 3-11 Barracuda NG Admin Configuration list and part of Clipboard content after Copy to Clipboard . . . . . 49
Figure 3-12 Part of Clipboard content and Barracuda NG Admin Configuration list after Merge with Clipboard . . . . . 50
Figure 3-13 Structure of the config tree . . . . . 50
Figure 3-14 Creating a box on a CC . . . . . 52
Figure 3-15 Box config file on a CC-administered box . . . . . 53
Figure 3-16 Administrative Settings - System Access . . . . . 54
Figure 3-17 Administrative Settings - DNS . . . . . 55
Figure 3-18 Administrative Settings - TIME/NTP . . . . . 56
Figure 3-19 Administrative Settings - SMS Control . . . . . 57
Figure 3-20 Administrative Settings - SCEP . . . . . 58
Figure 3-21 Box Identity . . . . . 60
Figure 3-22 Certificate window . . . . . 60
Figure 3-23 Output of a certificate at the command line interface . . . . . 61
Figure 3-24 Box Network configuration . . . . . 61
Figure 3-25 Additional Local Networks configuration . . . . . 62
Figure 3-26 Virtual LAN configuration . . . . . 65
Figure 3-27 Direct route configuration for Virtual LAN . . . . . 66
Figure 3-28 Main Routing configuration . . . . . 69
Figure 3-29 Policy Routing configuration . . . . . 70
Figure 3-30 xDSL/ISDN/DHCP configuration . . . . . 70
Figure 3-31 IP Tunnels configuration . . . . . 79
Figure 3-32 Special Needs configuration . . . . . 80
Figure 3-33 Process list output for a link bundle . . . . . 81
Figure 3-34 Listing of /var/phion/run/boxnet/xDSL . . . . . 81
Figure 3-35 Listing of /var/phion/config/boxnet/xDSL . . . . . 82
Figure 3-36 Enterprise Shaping - Enforcement . . . . . 82
Figure 3-37 Enterprise Shaping - Firewall Rule Parameter . . . . . 83
Figure 3-38 Enterprise Shaping - Example 1: Simple traffic prioritisation . . . . . 84
Figure 3-39 Enterprise Shaping - Example 2: ISP customer bandwidth assignment . . . . . 84
Figure 3-40 Enterprise Shaping - Example 3: Advanced traffic shaping . . . . . 85
Figure 3-41 Traffic Shaping Settings - Virtual Shaping Trees . . . . . 85
Figure 3-42 Traffic Shaping Settings dialog box - Virtual Device . . . . . 86
Figure 3-43 Traffic Shaping Settings dialog box, new virtual interface . . . . . 86
Figure 3-44 Traffic Shaping Settings dialog box - Device/Tunnel Tree Mapping . . . . . 86
Figure 3-45 Traffic Shaping Settings dialog box - TINA Tunnel . . . . . 87
Figure 3-46 Traffic Shaping Settings - Shaping Connectors . . . . . 87
Figure 3-47 Traffic Shaping Settings dialog box - Shape connector . . . . . 87
Figure 3-48 Traffic Shaping Settings dialog box - Shape Connector Rule . . . . . 87
Figure 3-49 Realtime Information - Shaping . . . . . 88
Figure 3-50 Config Section - Traffic Shaping . . . . . 88
Figure 3-51 Traffic Shaping scenario 1 - Bandwidth configuration for inbound and outbound connections . . . . . 90
Figure 3-52 Traffic Shaping scenario 2 - Prioritisation of applications . . . . . 90
Figure 3-53 License Configuration . . . . . 93
Figure 3-54 Context menu of the Servers directory . . . . . 94
Figure 3-55 Server configuration (single box) - General . . . . . 95
Figure 3-56 Context menu of the Services directory . . . . . 97
Figure 3-57 Service directory . . . . . 98
Figure 3-58 Example: condensed excerpt from Paul Vixie's man page on crontab . . . . . 103
Figure 3-59 Log Cycling - section File Specific Settings . . . . . 104
Figure 3-60 Configuration Dialog - Messages . . . . . 105
Figure 3-61 Various configuration instances the notification model relies upon . . . . . 105
Figure 3-62 Configuration Dialog - Access Notification . . . . . 106
Figure 3-63 Configuration Dialog - Software update . . . . . 108
Figure 3-64 Scheme for external authentication provided by the Barracuda Networks infrastructure daemon . . . . . 111
Figure 3-65 Configuration Dialog - MSAD Authentication . . . . . 111
Figure 3-66 Configuration Dialog - Radius . . . . . 114
Figure 3-67 Configuration Dialog - RSA SECURID . . . . . 114
Figure 3-68 Configuration Dialog - TACACS+ . . . . . 114
Figure 3-69 Configuration Dialog - MSNT . . . . . 115
Figure 3-70 Configuration Dialog - OCSP . . . . . 115
Figure 3-71 Infrastructure Services - Syslog Streaming - Logdata Filters, section Top Level Logdata . . . . . 116
Figure 3-72 Creating a PAR file . . . . . 119
Figure 3-73 Way of Supplying a Box with a Repository . . . . . 121
Figure 3-74 Show History window . . . . . 121
Figure 375 Copy to Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 376 Select Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 377 Location in Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 378 Link from Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 379 Repository Node Containing Data to Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 380 Configuration Node Linked from Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Figure 381 Override Link Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 382 Override Link Data Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 383 Activating Override Entry on a Boolean Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 384 Now Locally Overridden Boolean Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 385 Repository Linked Text Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 386 Activating Override for the Text Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 387 Locally Overriding the Text Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 388 Activating Strict Override (Clear) on a List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 389 Locally Cleared List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 390 Entering Local Data into a List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Figure 391 Activating Strict Override (Copy) on a List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 392 List with Copied Data from the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 393 Copied and then Locally Modified List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 394 Activating Merge Override on a Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 395 Adding a Local Item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 396 Locally Stored Item and a Repository Stored Item within a Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 397 Unoverride Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Figure 398 Copying from Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Figure 399 initiate support calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Figure 3100 Support Call Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Figure 3101 initiate support calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 3102 Live Assist Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 3103 Barracuda NG Admin Live Assist support view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Figure 3104 Generating System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figure 3105 Choose the Contents of System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Figure 3106 System Report Progress Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

4 Firewall
Figure 4-1 Basic connection diagram describing the notions used throughout the firewall engine . . . 133
Figure 4-2 Tree locations of the general firewall settings . . . 134
Figure 4-3 Config Section - Eventing Settings . . . 137
Figure 4-4 Connection Tracing configuration . . . 139

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Appendix Figure Directory | 597

Figure 4-5 Config Section - Firewall Forwarding Settings - Firewall . . . 139


Figure 4-6 Schematic of terms involved in establishing a network connection through a Barracuda NG Firewall . . . 140
Figure 4-7 Rule set configuration interface . . . 142
Figure 4-8 Open navigation bar . . . 142
Figure 4-9 New Rule dialog . . . 143
Figure 4-10 Time Object configuration dialog . . . 147
Figure 4-11 Creating/editing a net object called allwebservers . . . 148
Figure 4-12 Firewall - Networks window - Listing of Network Objects . . . 149
Figure 4-13 Network Object - Type Hostname (DNS Resolved) . . . 150
Figure 4-14 Hostname Network Object configuration example . . . 150
Figure 4-15 Part of the predefined services for the Barracuda NG Firewall . . . 151
Figure 4-16 Service objects TCP-ALL and FTP . . . 151
Figure 4-17 Parameter section for TCP and UDP . . . 152
Figure 4-18 Connection situation for a UDP connection of tftp kind . . . 153
Figure 4-19 Connection situation for a SQL client connecting to an Oracle server . . . 153
Figure 4-20 Standard Connections - Edit / Create a Connection Object . . . 153
Figure 4-21 Standard Connections Example Setup 1 . . . 155
Figure 4-22 Standard Connections Example Setup 2 . . . 155
Figure 4-23 Simple redundancy through next hop detection . . . 156
Figure 4-24 Handling of assisted multipath routing . . . 156
Figure 4-25 Configuration example for Source Address Cycling . . . 156
Figure 4-26 Configuration example for multipath routing (Packet Load Balancing is set to "No") . . . 157
Figure 4-27 Configuration example for ACPF Assisted Multipath routing (Packet Load Balancing is set to "Yes") . . . 157
Figure 4-28 Address Translation Map configuration . . . 157
Figure 4-29 Proxy ARPs tab of the firewall configuration window . . . 159
Figure 4-30 Create a Proxy ARP Object dialog . . . 159
Figure 4-31 Firewall - Content Filter window . . . 160
Figure 4-32 Creating/editing a filter pattern . . . 160
Figure 4-33 Creating/editing a filter pattern . . . 160
Figure 4-34 Creating/Editing Filter Groups . . . 161
Figure 4-35 Assigning Peer to Peer Detection . . . 161
Figure 4-36 Port Protocol Protection . . . 162
Figure 4-37 Port Protocol Protection Example Policy . . . 162
Figure 4-38 Advanced Rule Parameters . . . 163
Figure 4-39 Advanced Rule Parameters - Multiple Rules Editing . . . 165
Figure 4-40 Time restriction dialog . . . 165
Figure 4-41 Building up a connection with outbound accept policy . . . 166
Figure 4-42 Simple SYN flooding attack with faked IP addresses on a firewall with outbound accept policy . . . 167
Figure 4-43 Building up a connection with inbound accept policy . . . 167
Figure 4-44 Simple SYN flooding attack with faked IP addresses on a firewall with inbound accept policy . . . 167
Figure 4-45 Forward Policy . . . 167
Figure 4-46 Reverse Policy . . . 167
Figure 4-47 Forward / Reverse / Target Address . . . 167
Figure 4-48 ICMP Handling parameters . . . 167
Figure 4-49 ICMP Handling Example . . . 168
Figure 4-50 Change Dynamic Rule dialog . . . 168
Figure 4-51 Warning dialog when trying to delete a referenced object . . . 169
Figure 4-52 Cascading of rules . . . 170
Figure 4-53 Rule for cascading into a rule-sublist . . . 170
Figure 4-54 Local rules . . . 171
Figure 4-55 Local Rule scheme . . . 171
Figure 4-56 Example for overlapping rules . . . 172
Figure 4-57 Rule tester window with all information on the consequences of the matching rule . . . 172
Figure 4-58 Example for firewall configuration . . . 174
Figure 4-59 Network situation for a typical LAN to Internet connection . . . 174
Figure 4-60 Network situation for an FTP connection to our FTP server . . . 175
Figure 4-61 Network situation for an FTP connection from our FTP server to another FTP server . . . 175
Figure 4-62 Network situation for a secure connection to the webmail server . . . 175
Figure 4-63 Network situation for a client connection to our webserver farm . . . 175
Figure 4-64 Network situation for remote web server support . . . 175
Figure 4-65 Network situation for sending a mail to the mail server . . . 175
Figure 4-66 Rule for redirection of mail traffic to the internal mailserver . . . 175
Figure 4-67 Rule which implements load balancing for the web server farm . . . 176
Figure 4-68 Rule which maps the FTP server to the internet . . . 176
Figure 4-69 Rule for LAN access to the whole world . . . 176
Figure 4-70 Network situation for a typical LAN to Internet connection . . . 177
Figure 4-71 Connection object dialog window for translation map . . . 177
Figure 4-72 Rule dialog for the news access rule via explicit source NAT . . . 177
Figure 4-73 Dashboard tab . . . 178
Figure 4-74 Status tab . . . 178
Figure 4-75 Traffic meter . . . 182
Figure 4-76 Access Cache . . . 182
Figure 4-77 Flat network structure before segmentation . . . 190
Figure 4-78 Network segmentation in a Transparent Layer2 bridged environment . . . 190
Figure 4-79 Network segmentation in a Routed Transparent Layer2 bridged environment . . . 191
Figure 4-80 Flat network structure . . . 191
Figure 4-81 Non Transparent Translational Bridging . . . 191
Figure 4-82 Destination MAC spoofing prevention . . . 192
Figure 4-83 Configuration of Transparent Layer2 Bridging . . . 195
Figure 4-84 Bridging Group Setup for Transparent Layer2 Bridging . . . 195
Figure 4-85 Configuration of Transparent Layer2 Bridging . . . 195
Figure 4-86 Bridging Group Setup for Routed Transparent Layer2 Bridging - Example 1 . . . 196
Figure 4-87 Configuration of Routed Transparent Layer2 Bridging . . . 196


Figure 4-88 Bridging Group Setup for Routed Transparent Layer2 Bridging . . . 196
Figure 4-89 Configuration of Non Transparent Translational Bridging . . . 196
Figure 4-90 Net Object creation for LAN2 PC . . . 197
Figure 4-91 Bridging Parameters configuration . . . 197
Figure 4-92 Proxy ARP Object - Bridging Parent Network . . . 197
Figure 4-93 Proxy ARP Object - Bridging Host Proxy ARP . . . 197
Figure 4-94 Firewall > Dynamic > Bridging ARPs tab . . . 197
Figure 4-95 Utilising action type Broad-Multicast for Bridging Groups . . . 198
Figure 4-96 Connection buildup using inline authentication . . . 199
Figure 4-97 Connection buildup using offline authentication . . . 199
Figure 4-98 Configuration dialogs - User Object & User Condition . . . 200
Figure 4-99 fwauthd redirection rule . . . 202
Figure 4-100 fwauthd user authentication rule . . . 202
Figure 4-101 Firewall Authentication login screen . . . 202
Figure 4-102 Firewall Authentication succeeded login screen . . . 202
Figure 4-103 General Service Object needed for creating a pass rule to enable passive ONCRPC . . . 204
Figure 4-104 Service Object needed for enabling nfs usage via a portmapper . . . 205
Figure 4-105 RPC Server information configuration dialog . . . 205
Figure 4-106 General Service Object needed for creating a pass rule to enable active ONCRPC . . . 205
Figure 4-107 Service Object needed for enabling nfs usage via a portmapper . . . 206
Figure 4-108 General Service Object needed for creating a pass rule to enable active&passive ONCRPC . . . 206
Figure 4-109 Service Object needed for enabling nfs usage via a portmapper . . . 206
Figure 4-110 General Service Object needed for creating a pass rule to enable passive DCERPC . . . 207
Figure 4-111 Service Object needed for enabling MS-File Replication Service usage via an end point mapper . . . 208
Figure 4-112 General Service Object needed for creating a pass rule to enable active DCERPC . . . 208

5 VPN
Figure 5-1 General Scheme of Remote Access VPN . . . . . . . . . . . . 212
Figure 5-2 Remote Access with the Client Placed Behind a Firewall . . . . . . . . . . . . 212
Figure 5-3 Remote Access with the Client Using a Proxy or SOCKS Server for Routing Assistance . . . . . . . . . . . . 213
Figure 5-4 Two Corporate Networks Linked Together via VPN Tunnel . . . . . . . . . . . . 213
Figure 5-5 Example for a VPN Constellation . . . . . . . . . . . . 214
Figure 5-6 Data Scheme for VPN Groups . . . . . . . . . . . . 214
Figure 5-7 ESP and NoHash . . . . . . . . . . . . 216
Figure 5-8 VPN Configuration Block Diagram . . . . . . . . . . . . 217
Figure 5-9 VPN Configuration - Introduce and Configure Block Diagram . . . . . . . . . . . . 217
Figure 5-10 VPN Configuration Block Diagram - Configure VPN server . . . . . . . . . . . . 218
Figure 5-11 Personal Network Configuration Dialog . . . . . . . . . . . . 218
Figure 5-12 VPN Configuration with Routed Network (Static Route; Virtual Network / DMZ) . . . . . . . . . . . . 218
Figure 5-13 VPN configuration with Local (Proxy ARP) . . . . . . . . . . . . 218
Figure 5-14 Server Certificates Configuration . . . . . . . . . . . . 219
Figure 5-15 Certificate Revocation Tab . . . . . . . . . . . . 220
Figure 5-16 Server Certificates with Open Context Menu . . . . . . . . . . . . 221
Figure 5-17 Configuration Dialog for L2TP . . . . . . . . . . . . 223
Figure 5-18 Configuration Dialog for Chap Secrets . . . . . . . . . . . . 223
Figure 5-19 VPN Configuration Block Diagram - Configure Personal VPN . . . . . . . . . . . . 223
Figure 5-20 Heredity of Barracuda Networks Certificates . . . . . . . . . . . . 224
Figure 5-21 Pool License Certificate . . . . . . . . . . . . 224
Figure 5-22 Pool License in Plain Text Format . . . . . . . . . . . . 225
Figure 5-23 Edit Personal License Information . . . . . . . . . . . . 225
Figure 5-24 Template Configuration . . . . . . . . . . . . 226
Figure 5-25 VPN Configuration Block Diagram - Configure Group VPN . . . . . . . . . . . . 227
Figure 5-26 New Barracuda NG Client Policy . . . . . . . . . . . . 228
Figure 5-27 New Common Common Settings . . . . . . . . . . . . 228
Figure 5-28 Configuration Dialog - New policy . . . . . . . . . . . . 229
Figure 5-29 Change Group Match Settings . . . . . . . . . . . . 229
Figure 5-30 Preauthentication Details . . . . . . . . . . . . 230
Figure 5-31 Configuration Dialog - Group Policy Condition . . . . . . . . . . . . 230
Figure 5-32 AD Lookup Dialog . . . . . . . . . . . . 231
Figure 5-33 Certificate Conditions Configuration . . . . . . . . . . . . 231
Figure 5-34 Configuration Dialog for Registry Rules . . . . . . . . . . . . 232
Figure 5-35 VPN Configuration Block Diagram - Configure VPN Tunnel . . . . . . . . . . . . 232
Figure 5-36 Scheme with the Basic Notations of VPN Tunnelling . . . . . . . . . . . . 233
Figure 5-37 Tunnel Configuration . . . . . . . . . . . . 233
Figure 5-38 Traffic Intelligence (TI) . . . . . . . . . . . . 235
Figure 5-39 Transport Selection Policy . . . . . . . . . . . . 236
Figure 5-40 TINA Tunnel with multiple transport modes added . . . . . . . . . . . . 236
Figure 5-41 TI Learning Policy Scheme . . . . . . . . . . . . 237
Figure 5-42 IPSec Tunnel Configuration - Base Configuration Tab . . . . . . . . . . . . 240
Figure 5-43 IPSec Tunnel Configuration > Authentication Tab . . . . . . . . . . . . 241
Figure 5-44 SSL-VPN login screen . . . . . . . . . . . . 243
Figure 5-45 SSL-VPN web portal . . . . . . . . . . . . 243
Figure 5-46 SSL-VPN configuration node . . . . . . . . . . . . 243
Figure 5-47 SSL-VPN web portal my Network . . . . . . . . . . . . 245
Figure 5-48 SSL-VPN web portal my Network . . . . . . . . . . . . 245
Figure 5-49 Barracuda NG SSL-VPN Client installation . . . . . . . . . . . . 245
Figure 5-50 Barracuda NG SSL-VPN Client login prompt . . . . . . . . . . . . 246
Figure 5-51 SSL-VPN web portal dynamic firewall rules . . . . . . . . . . . . 250
Figure 5-52 Java runtime version query . . . . . . . . . . . . 251
Figure 5-53 Upload Dialog . . . . . . . . . . . . 253
Figure 5-54 Fully Transparent Tunnel . . . . . . . . . . . . 254
Figure 5-55 Stealth Tunnel . . . . . . . . . . . . 254
Figure 5-56 Star-Shaped Topology with One HQ and Two Outposts . . . . . . . . . . . . 255
Figure 5-57 Configuring Redundant VPN Tunnels - Example Environment . . . . . . . . . . . . 256

6 Mail Gateway
Figure 6-1 MailGW Settings configuration area . . . . . . . . . . . . 262
Figure 6-2 Mail gateway positioning in a network . . . . . . . . . . . . 262
Figure 6-3 POP3 scanning example setup . . . . . . . . . . . . 265
Figure 6-4 Blacklist configuration . . . . . . . . . . . . 270
Figure 6-5 Overview: Spam filtering process . . . . . . . . . . . . 273
Figure 6-6 Header of an e-mail identified as spam . . . . . . . . . . . . 273
Figure 6-7 Flowchart - Spam filter client . . . . . . . . . . . . 274
Figure 6-8 Spam Analysis configuration . . . . . . . . . . . . 275
Figure 6-9 Flowchart - Spam filter Server . . . . . . . . . . . . 275
Figure 6-10 Spam filter configuration dialog . . . . . . . . . . . . 276
Figure 6-11 Example script for e-mail collection . . . . . . . . . . . . 278
Figure 6-12 Filter settings . . . . . . . . . . . . 279
Figure 6-13 Statistics tree . . . . . . . . . . . . 284

7 DHCP
Figure 7-1 Processes structure . . . . . . . . . . . . 288
Figure 7-2 DHCP Enterprise Configuration - Operational Setup . . . . . . . . . . . . 289
Figure 7-3 DHCP Enterprise Configuration - Address Pools . . . . . . . . . . . . 289
Figure 7-4 DHCP Enterprise Configuration - Known Clients . . . . . . . . . . . . 291
Figure 7-5 DHCP Enterprise - Dynamic DNS . . . . . . . . . . . . 294
Figure 7-6 Real Time Information - DHCP . . . . . . . . . . . . 295
Figure 7-7 Example environment . . . . . . . . . . . . 296
Figure 7-8 Example - Configuring CLASS Settings . . . . . . . . . . . . 296
Figure 7-9 Example - Configuring Subnet settings for Subnet1 . . . . . . . . . . . . 296
Figure 7-10 DHCP Server Settings with pre-configured settings . . . . . . . . . . . . 298
Figure 7-11 Configuration - IP RANGES . . . . . . . . . . . . 299
Figure 7-12 Configuration - SPECIAL CLIENTS . . . . . . . . . . . . 299
Figure 7-13 Configuration - BASIC OPTIONS . . . . . . . . . . . . 299
Figure 7-14 Real Time Information - DHCP . . . . . . . . . . . . 300
Figure 7-15 Example of use for a DHCP Relay Agent . . . . . . . . . . . . 302
Figure 7-16 DHCP Relay Settings . . . . . . . . . . . . 302
Figure 7-17 Cascading DHCP Relay with interfaces to be configured . . . . . . . . . . . . 303

8 Log Viewer
Figure 8-1 LogGUI . . . . . . . . . . . . 306
Figure 8-2 Navigation section of the LogGUI . . . . . . . . . . . . 307
Figure 8-3 Log Sequence Number in Relation to System Time . . . . . . . . . . . . 308

9 Statistics
Figure 9-1 Statistics user interface . . . . . . . . . . . . 312
Figure 9-2 Tree structure of the Statistics module . . . . . . . . . . . . 312
Figure 9-3 Control field for type Curve with time axis . . . . . . . . . . . . 313
Figure 9-4 Curve type . . . . . . . . . . . . 314
Figure 9-5 Time Interval selection . . . . . . . . . . . . 314
Figure 9-6 Bar type . . . . . . . . . . . . 314
Figure 9-7 Control field . . . . . . . . . . . . 315
Figure 9-8 Example for Top list statistics . . . . . . . . . . . . 315
Figure 9-9 Configuration dialog - Statistics - Statistics Cooking . . . . . . . . . . . . 316
Figure 9-10 Event chain of a cooking instance . . . . . . . . . . . . 317
Figure 9-11 Timed connection statistics starting at 08.03. . . . . . . . . . . . . 318
Figure 9-12 Timed connection statistics starting at 09.03. . . . . . . . . . . . . 318

10 Eventing
Figure 10-1 Event detail window . . . . . . . . . . . . 323
Figure 10-2 Severity tab . . . . . . . . . . . . 323
Figure 10-3 Notification tab . . . . . . . . . . . . 324
Figure 10-4 Server Action tab - Type Mail . . . . . . . . . . . . 325
Figure 10-5 Server Action tab - Type Execute Program . . . . . . . . . . . . 325
Figure 10-6 Server Action tab - Type SNMP . . . . . . . . . . . . 325
Figure 10-7 Example for a SNMP trap . . . . . . . . . . . . 326
Figure 10-8 Example for occurring event and settings for Threshold tab . . . . . . . . . . . . 326
Figure 10-9 Basic tab . . . . . . . . . . . . 327
Figure 10-10 Event monitor . . . . . . . . . . . . 327
Figure 10-11 Context menu . . . . . . . . . . . . 328
Figure 10-12 Page 1 of the Properties dialog . . . . . . . . . . . . 328
Figure 10-13 Page 2 of the Properties dialog . . . . . . . . . . . . 328
Figure 10-14 Filter dialog with values according to the example . . . . . . . . . . . . 330
Figure 10-15 Add Criterion dialog . . . . . . . . . . . . 330
Figure 10-16 Event monitor in live mode . . . . . . . . . . . . 330

11 DNS
Figure 111 File structure of the DNS service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 112 DNS configuration area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 113 DNS server properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Figure 114 DNS properties with open advanced window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Figure 115 Configuring a new SOA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Figure 116 Configuring a new name server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 117 Adding a nameserver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 118 Configuring a New Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Figure 119 Configuring a new mail exchanger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Figure 1110 Configuring a new sub-domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Figure 1111 Create reverse lookup zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

12 Proxy
Figure 12-1 Creating the HTTP Proxy service . . . . . . . . . . 340
Figure 12-2 Creating the HTTP Proxy service . . . . . . . . . . 340
Figure 12-3 HTTP Proxy Config node in the Configuration Tree . . . . . . . . . . 340
Figure 12-4 HTTP Proxy Service Parameters - Network . . . . . . . . . . 341
Figure 12-5 SNMP Service message handling . . . . . . . . . . 343
Figure 12-6 Config Section Dialog - Authentication Settings . . . . . . . . . . 343
Figure 12-7 Proxy Access Handling Scheme . . . . . . . . . . 344
Figure 12-8 ACL Time Interval configuration - Example 1 . . . . . . . . . . 348
Figure 12-9 ACL Time Interval configuration - Example 2 . . . . . . . . . . 349
Figure 12-10 ACL Entries and Actions configuration example . . . . . . . . . . 349
Figure 12-11 Configuration of Action webaccess . . . . . . . . . . 350
Figure 12-12 Proxy neighbour cache configuration - Example setup . . . . . . . . . . 350
Figure 12-13 HTTP Proxy Fail Cache . . . . . . . . . . 351
Figure 12-14 Reverse proxy example configuration . . . . . . . . . . 353
Figure 12-15 Secure Web Proxy User Notification and Confirmation Dialog . . . . . . . . . . 355
Figure 12-16 Missing Embedded Data on a Web Site . . . . . . . . . . 356
Figure 12-17 Correct View of the Web Site from the Previous Figure . . . . . . . . . . 356
Figure 12-18 Secure Web Proxy GUI - Access tab . . . . . . . . . . 357
Figure 12-19 Secure Web Proxy GUI - Tickets tab with detail info . . . . . . . . . . 358
Figure 12-20 Secure Web Proxy GUI - Certificates tab . . . . . . . . . . 358
Figure 12-21 Overview: URL filtering process . . . . . . . . . . 360
Figure 12-22 Flowchart - URL Filter Redirector & Daemon . . . . . . . . . . 361
Figure 12-23 Local rule granting access from URL Filter to Proventia Internet Databases . . . . . . . . . . 365
Figure 12-24 Principle of Load Sharing . . . . . . . . . . 367
Figure 12-25 Principle of High Availability . . . . . . . . . . 367

13 FTP Gateway
Figure 13-1 FTP-GW Settings . . . . . . . . . . 370

14 Voice over IP
Figure 14-1 Provisioning the plugin in a service object for the SCCP signalling . . . . . . . . . . 374
Figure 14-2 RTP Stream service object with the default service name set to RTP:Skinny . . . . . . . . . . 375
Figure 14-3 VoIP infrastructure with 2 virtual subnets . . . . . . . . . . 375
Figure 14-4 Creating an Address Translation Map . . . . . . . . . . 375
Figure 14-5 Skinny signal protocol firewall rule with Skinny firewall plugin . . . . . . . . . . 376
Figure 14-6 RTP firewall rule with network address translation from the voipnat address translation map . . . . . . . . . . 376
Figure 14-7 Firewall Forwarding Settings - H.323 Gatekeeper Configuration dialog . . . . . . . . . . 377
Figure 14-8 Network setup without NAT SIP/RTP . . . . . . . . . . 379

15 Wireless LAN
Figure 15-1 . . . . . . . . . . 382
Figure 15-2 . . . . . . . . . . 383
Figure 15-3 . . . . . . . . . . 384

16 SSH Gateway
Figure 16-1 Configuration dialog - SSH Proxy . . . . . . . . . . 386

17 Anti-Virus
Figure 17-1 Scanning exceptions . . . . . . . . . . 393
Figure 17-2 Schematic overview of proxy integration . . . . . . . . . . 393
Figure 17-3 Scan exceptions . . . . . . . . . . 394
Figure 17-4 Progress bar . . . . . . . . . . 395
Figure 17-5 Schematic overview of mail gateway integration . . . . . . . . . . 396
Figure 17-6 Schematic overview of FTP gateway integration . . . . . . . . . . 397
Figure 17-7 Disabling virus pattern updates manually . . . . . . . . . . 398

18 High Availability
Figure 18-1 Load Balancing with a HA system . . . . . . . . . . 401

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010


Appendix Figure Directory | 601

Figure 18-2 HA monitoring without private uplink (HA state exchanged via 10.0.8.0/24 network) . . . . . . . . . . 402
Figure 18-3 HA monitoring with private uplink . . . . . . . . . . 402
Figure 18-4 Designing a HA system . . . . . . . . . . 402
Figure 18-5 Context menu of Box . . . . . . . . . . 403
Figure 18-6 Exporting the public key to a file . . . . . . . . . . 404
Figure 18-7 Public Host Keys . . . . . . . . . . 404
Figure 18-8 Creation of CC-administered HA partners - Step 1 . . . . . . . . . . 404
Figure 18-9 Creation of CC-administered HA partners - Step 2 . . . . . . . . . . 404
Figure 18-10 Sync Status of two HA partners . . . . . . . . . . 405
Figure 18-11 Emergency Override of a HA Box . . . . . . . . . . 405
Figure 18-12 Confirmation query for Emergency Override . . . . . . . . . . 405
Figure 18-13 Example for test report . . . . . . . . . . 406
Figure 18-14 Synchronising procedure . . . . . . . . . . 407

19 Barracuda NG Control Center
Figure 19-1 Schematic view of a Barracuda NG Firewall topology with a Barracuda NG Control Center . . . . . . . . . . 414
Figure 19-2 Flowchart - How a Barracuda NG Firewall becomes a Barracuda NG Control Center . . . . . . . . . . 414
Figure 19-3 Certificates and Keys Private Encryption . . . . . . . . . . 415
Figure 19-4 Certificates and Keys Public Encryption . . . . . . . . . . 415
Figure 19-5 Certificates and Keys X509 Certificates . . . . . . . . . . 415
Figure 19-6 CC trust center . . . . . . . . . . 416
Figure 19-7 Extract from the Box tab in the Box Control window where authentication level can be lowered to interaction-free authentication . . . . . . . . . . 417
Figure 19-8 Control - Server tab with required/recommended CC services . . . . . . . . . . 418
Figure 19-9 Box Licenses configuration . . . . . . . . . . 419
Figure 19-10 Barracuda NG Admin warning when logging in without licenses . . . . . . . . . . 419
Figure 19-11 Master License configuration . . . . . . . . . . 419
Figure 19-12 CC user interface - Overview . . . . . . . . . . 420
Figure 19-13 Group view of elements in the Statistics Collection tab, sorted alphabetically by box name . . . . . . . . . . 421
Figure 19-14 Status Map tab . . . . . . . . . . 422
Figure 19-15 Box section context menu . . . . . . . . . . 422
Figure 19-16 Example for a Favourites tab with wallpaper and small icons . . . . . . . . . . 423
Figure 19-17 Configuration Updates tab . . . . . . . . . . 423
Figure 19-18 Box Execution tab . . . . . . . . . . 426
Figure 19-19 Box List Edit Object . . . . . . . . . . 427
Figure 19-20 Creating a box group object . . . . . . . . . . 427
Figure 19-21 Schedule Task window . . . . . . . . . . 428
Figure 19-22 Box Execution tab . . . . . . . . . . 428
Figure 19-23 Shell Script . . . . . . . . . . 428
Figure 19-24 Box Exec with tasks running . . . . . . . . . . 429
Figure 19-25 Box log file view . . . . . . . . . . 429
Figure 19-26 Rescheduling of a failed task . . . . . . . . . . 429
Figure 19-27 Software Update tab - Groups view . . . . . . . . . . 430
Figure 19-28 Software Update tab - Groups view . . . . . . . . . . 430
Figure 19-29 Software Update tab - Ranges view . . . . . . . . . . 431
Figure 19-30 Software Update tab - Boxes view . . . . . . . . . . 431
Figure 19-31 Software Update tab - Versions view . . . . . . . . . . 431
Figure 19-32 Box Details window . . . . . . . . . . 431
Figure 19-33 RPM information window . . . . . . . . . . 433
Figure 19-34 Scheduling a new task . . . . . . . . . . 433
Figure 19-35 Rescheduling of a failed task . . . . . . . . . . 433
Figure 19-36 Barracuda NG Control Center (CC) Configuration Service . . . . . . . . . . 434
Figure 19-37 CC Config main window launch control for box . . . . . . . . . . 434
Figure 19-38 Overriding Global Network Objects . . . . . . . . . . 435
Figure 19-39 Pool Licenses - user interface . . . . . . . . . . 436
Figure 19-40 CC Identity - Identification . . . . . . . . . . 436
Figure 19-41 Create Range - configuration dialog . . . . . . . . . . 441
Figure 19-42 Creating a cluster server with referencing Server IP addresses to network objects . . . . . . . . . . 443
Figure 19-43 Adding a Cluster Service . . . . . . . . . . 443
Figure 19-44 Box configuration wizard for creating a box . . . . . . . . . . 444
Figure 19-45 Box configuration launch control for box . . . . . . . . . . 445
Figure 19-46 Different types of repositories . . . . . . . . . . 445
Figure 19-47 Configuration tree displayed in default view (left) and with toggled release view (right) . . . . . . . . . . 446
Figure 19-48 Repository objects flagged with version information . . . . . . . . . . 446
Figure 19-49 Migrating a cluster - Step 1 . . . . . . . . . . 447
Figure 19-50 Migrating a cluster - Step 2 . . . . . . . . . . 447
Figure 19-51 Example: Mail-Gateway configuration nodes prior to and after Migrate Cluster activation . . . . . . . . . . 447
Figure 19-52 Migrating a range - Step 1 . . . . . . . . . . 447
Figure 19-53 Migrating a range - Step 2 . . . . . . . . . . 447
Figure 19-54 Migrating multiple clusters/ranges - Step 1 . . . . . . . . . . 447
Figure 19-55 Migrating multiple clusters/ranges - Step 2 . . . . . . . . . . 448
Figure 19-56 Migrating a repository object - Step 1 . . . . . . . . . . 448
Figure 19-57 Migrating a repository object - Step 2 . . . . . . . . . . 448
Figure 19-58 Cascading the localnet network object . . . . . . . . . . 450
Figure 19-59 Cascading the specialnet network object . . . . . . . . . . 450
Figure 19-60 Workflow of rule set processing . . . . . . . . . . 450
Figure 19-61 Configuration nodes of the Distributed-Firewall service - Global section . . . . . . . . . . 450
Figure 19-62 Configuration nodes of the Distributed-Firewall service - Server section . . . . . . . . . . 451
Figure 19-63 Exemplary Distributed-Firewall setup . . . . . . . . . . 452
Figure 19-64 Content of the Global Rule Set, which is saved in the Range Repository . . . . . . . . . . 452
Figure 19-65 Cascading of the specialnet network object . . . . . . . . . . 452
Figure 19-66 Rule allowing communication over MS Exchange Server . . . . . . . . . . 453
Figure 19-67 Initial network situation . . . . . . . . . . 453
Figure 19-68 Network after CC migration . . . . . . . . . . 453
Figure 19-69 Further Networks configuration dialog . . . . . . . . . . 454
Figure 19-70 Box VIP Network Ranges . . . . . . . . . . 454
Figure 19-71 Shell script "boxactivate" for box network activation . . . . . . . . . . 455
Figure 19-72 Workflow for establishing an administration concept . . . . . . . . . . 457
Figure 19-73 Admins tab . . . . . . . . . . 458
Figure 19-74 Administrator configuration dialog . . . . . . . . . . 458
Figure 19-75 Administrator Details configuration dialog . . . . . . . . . . 459
Figure 19-76 Master Statistic Collection Configuration dialog . . . . . . . . . . 461
Figure 19-77 Range Configuration dialog . . . . . . . . . . 462
Figure 19-78 Cluster Configuration dialog . . . . . . . . . . 462
Figure 19-79 Statistics Cook Settings . . . . . . . . . . 463
Figure 19-80 Cook Settings configuration dialog . . . . . . . . . . 463
Figure 19-81 Transfer Settings configuration dialog . . . . . . . . . . 465
Figure 19-82 Transfer Settings - box and server files . . . . . . . . . . 466
Figure 19-83 Transfer Settings - partial transfer . . . . . . . . . . 467
Figure 19-84 Box event . . . . . . . . . . 468
Figure 19-85 Box event propagation to CC . . . . . . . . . . 468
Figure 19-86 CC: Box event occurred . . . . . . . . . . 468
Figure 19-87 CC Event Service status changed . . . . . . . . . . 468
Figure 19-88 Box: Event status changed . . . . . . . . . . 468
Figure 19-89 CC: Delete Event . . . . . . . . . . 468
Figure 19-90 Box: Delete Event . . . . . . . . . . 468
Figure 19-91 Example for log reception via port 5144 and/or 5143 . . . . . . . . . . 471
Figure 19-92 Log processing flowchart . . . . . . . . . . 471
Figure 19-93 Example for message delivery to local disk . . . . . . . . . . 471
Figure 19-94 Example for a HA sync via private uplink (using the override IPs is mandatory) . . . . . . . . . . 472
Figure 19-95 Example for successful active SSL querying . . . . . . . . . . 472
Figure 19-96 Example for passive SSL receiving . . . . . . . . . . 472
Figure 19-97 Log file structure of service processes overview . . . . . . . . . . 477
Figure 19-98 Example 1: Syslog Proxy - Basic Setup . . . . . . . . . . 479
Figure 19-99 CC FWAudit Viewer . . . . . . . . . . 483
Figure 20 Audit Info Viewer . . . . . . . . . . 484
Figure 19-1 Configuration dialog - PKI . . . . . . . . . . 485
Figure 19-2 PKI - User Interface . . . . . . . . . . 486
Figure 193 Configuration dialog - General Settings tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Figure 194 Import Certificate dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Figure 195 Export Certificate dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Figure 196 Export Private Key dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Figure 197 Export CRL dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Figure 198 User Interface of a generic forwarder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Figure 199 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Figure 1910 Example VPN group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Figure 1911 Open Tunnel Info node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Figure 1912 New filtered for <s0-Borde> vpn-bo/cluster1/10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Figure 1913 Example VPN group displayed as table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Figure 1914 Adding a VPN Service to a VPN Group - Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Figure 1915 Adding a VPN Service to a VPN Group - Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Figure 1916 Open Tunnel Info node and Tunnel configuration dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Figure 1917 Tunnel configuration dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Figure 1918 Tunnel Info node displaying links to transports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Figure 1919 Barracuda NG Earth settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Figure 1920 Barracuda NG Earth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Figure 1921 Configuration dialog - RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Figure 1922 RCS Versions window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Figure 1923 Example for selecting versions of interest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 1924 Example for selecting versions of interest with selected Full History checkbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 1925 RCS Change Message Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 1926 RCS Change Message Text within RCS Versions Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 1927 RCS Report window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Figure 1928 RCS Change Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Figure 1929 CC VPN Service Software Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Figure 1930 Box VIP Network Range configuration node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Figure 1931 Network Configuration Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Figure 1932 Network Configuration Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Figure 1933 Network Configuration Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Figure 1934 Remote Management Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Figure 1935 Redirect rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Figure 1936 Redirect rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Figure 1937 CC Config Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Figure 1938 Workspace Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Figure 1940 Workspace Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Figure 1939 Workspace Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Figure 1941 Lock Workspace for Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Figure 1942 Add Node to Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Figure 1943 Add Node to Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Figure 1944 Remove Node from Adm in Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Figure 1945 Rename Node within Admin Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Figure 1946 Move Node within Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Figure 1947 Add node to Admin Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511


Figure 1948 Create Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

20 SNMP
Figure 201 SNMP Service configuration dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

21 OSPF and RIP


Figure 211 Example setup for OSPF and RIP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Figure 212 Configuring of addresses in the Server Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Figure 213 OSPF Routing Settings - Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Figure 214 OSPF Routing Settings - OSPF Router Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Figure 215 Routing table displaying routes learned through OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Figure 216 Quagga engine output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Figure 217 Configuring Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Figure 218 Configuring Default Route Redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Figure 219 Configuring a parameter template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Figure 2110 Creating a link to the parameter template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Figure 2111 Configuring route summarisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Figure 2112 Entry in routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Figure 2113 Configuring RIP settings - RIP Router Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Figure 2114 Configuring route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Figure 2115 Configuring route redistribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

22 System Information
Figure 221 Example options file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Figure 222 Example boxadm.conf file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Figure 223 Example boxnet.conf file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Figure 224 Event Monitor GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Figure 225 Event Properties windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536

23 Appendix
Figure 231 Adding a new column to the view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Figure 232 Search result containing group information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Figure 233 LDAP browser with marked distinguished name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544


9. Glossary

A
Table 235 Glossary A

Access Cache: History list of already performed firewall connections / mail jobs / VPN connections.
ACK: Third part of the Three-Way Handshake of a TCP connection (see also SYN/ACK, SYN, FIN, Flag, Handshake).
ACPF: Application Controlled Packet Forwarding.
ACL: Access control list. List of IP addresses which are allowed to manage a box.
Admin, Flower: An administrator account which is granted only read rights to a system (see also root).
Admin, Power: An administrator account which is granted full access to a system (see also root).
ADSL: Asymmetric Digital Subscriber Line, a technology to allow high speed internet connections over ordinary copper cables via the telephone network (see also Broadband).
Alive Packets: ICMP packets to check the system status (see also HA).
ANSI: ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States.
ARP: Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address (MAC address) that is recognized in the local network (see also IP address, MAC).
Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. It is also possible to use digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure (PKI); this is considered likely to become the standard way to perform authentication on the Internet (see also Certificate, PKI).

B
Glossary B

Bandwidth: Bandwidth (the width of a band of electromagnetic frequencies) is used for defining how fast data flows on a given transmission path (see also Broadband).
Bash: Bourne Again SHell, the standard Linux shell.
Bind IP: IP address of the firewall which is used for the further connection (see also Destination IP, Source IP, Connect IP).
Block: Firewall Rule Type: A TCP / UDP / ICMP connection attempt is denied due to a firewall rule match. If there is no firewall rule defined, all connections will be blocked (see also Pass, Redirect, Map).
Border Firewall: Firewall which has a direct connection to the internet and protects the interior part of a network.
Box Services: Infrastructure services that provide HA support, real time system monitoring, accounting (statistics) and logging.
Box: Lowest layer of the Barracuda NG architecture. Entities and processes belonging to the box layer exist independently of all server processes.
Break Lock: Attempt by another management session to break an existing lock on a configuration file which was made by another administrator.
Broadband: Links of high data rate are called broadband connections (see also Bandwidth).
Broadcast Domain: A network segment which is limited by a network-layer device (for example a router or a Barracuda NG Firewall).
Broadcast: Data is sent to all peers in a broadcast domain.

C
Table 236 Glossary C

Certificate: Barracuda NG Firewall boxes make use of X.509 conformant digital certificates. For a single box without a Barracuda Networks trust center being available, the certificate is basically identical to a mere RSA public key.
CGI: Common Gateway Interface is a standard for interfacing external applications with web servers.
Checksum: The sum of a group of data items, which is used for checking purposes. Note: A checksum is stored or transmitted with the group of data items and is calculated by treating the data items as numeric values. Checksums are used in error detection and correction. The value is computed on data to detect error or manipulation during transmission (see also HASH).


Symptoms:
When changing the configuration of an existing IPSec tunnel, the Barracuda NG Admin client suddenly disconnects the session. After reconnecting, the VPN Site to Site configuration node cannot be opened any more and existing IPSec tunnels disappear from the gateway's VPN Active tab.

Cause:
The Barracuda NG Admin client does not support management of Barracuda NG Firewalls that have a HIGHER version number than the Barracuda NG Admin client itself. This may lead to an inconsistent system configuration and can cause operative malfunctions. Of course the Barracuda NG Admin client is capable of managing Barracuda NG Firewalls that have a LOWER version number than the Barracuda NG Admin client itself.

Solution:
To solve this problem, a manual intervention on the configuration file responsible for VPN tunnel configuration is needed. If you are not familiar with the Vi text editor, please get in contact with your Barracuda Networks partner to avoid further impact on your current Barracuda NG Firewall configuration.

Proceed with the following steps:
Block the rangeconf-service (or boxconfig-service in case of a single box) to avoid simultaneous access to the affected configuration file.

On Barracuda NG Control Center boxes:
vi /opt/phion/maintree/configroot/<rangenumber>/<clustername>/clusterservers/<servername>/services/<servicename>/vpntunnel.conf

On single boxes:
vi /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf

Locate the string RAWIPSEC, change these sections as described below and save the file.
--------------------------
YOUR REPLACEMENT PATTERN HERE
--------------------------

Final step:
On Barracuda NG Control Centers: Start the rangeconf-service and trigger a complete update (Control->Configuration Updates) by right-clicking the affected Barracuda NG Firewall box and selecting "Complete Update" in the context menu.

On single boxes: Start the boxconfig-service and copy the modified file to the corresponding folder (overwrite the existing file):
cp /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf /opt/phion/config/active/servers/<servername>/services/<servicename>/vpntunnel.conf

Table 236 Glossary C (continued)

CIFS: The Common Internet File System is a further development of the SMB protocol and serves as an addition and improvement to the standard protocols FTP and HTTP.
Clock skew: Clock skews are events that describe an inconsistency in the timed recording of sequences. This can occur, for example, when the system time has been changed, which disturbs the incremental record of the time stamps in the log.
Cluster: Several boxes which belong together logically form a cluster; it is very useful to segment large networks into clusters.
Cluster Server: Server available for a whole cluster.
Cluster Service: Service of a cluster server available for the whole cluster.
Collision Domain: Network segment which is limited by a data-link layer device (for example a switch).
Connect IP: IP address to which the firewall connects (see also Bind IP, Destination IP, Source IP).
Connection type: UDP / TCP or ICMP connection type.
CPU: Central Processing Unit, another term for processor.

D
Table 237 Glossary D

Daemon: System process (control daemon, cstat daemon).
Decryption: Previously encrypted data has to be decrypted in order to be able to read the original data. The decryption algorithm must be the same as the algorithm used for encryption (see also Encryption).
Default Gateway: Refer to Route, Default.
Destination IP: IP address to which the source connects (see also Bind IP, Connect IP, Source IP).
DHCP: Dynamic Host Configuration Protocol; a DHCP server normally provides information like IP addresses, netmask, routes and DNS servers.
DMA: Direct Memory Access.
DMZ: Demilitarized Zone, a network in which all machines reachable from the internet are placed (for example mail, web or FTP servers).
DNS (BIND): Domain Name Service is used to resolve domain names to IP addresses; BIND is the Berkeley Internet Name Daemon (the most widely used DNS server).
DNS, Name Servers: The programs which store information about the domain name space are called name servers.
DNS, Zone Transfer: The transfer of zone information from a master to a slave is called zone transfer.
DNS, Zone: Name servers generally have complete information about some part of the name space, called a zone.
DNS, Zone, Forward: A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement.
DNS, Zone, Hint: The initial set of root nameservers is specified using a hint zone. When the server starts up, it uses the root hints to find a root nameserver and get the most recent list of root nameservers.
DNS, Zone, Master: The server has a master copy of the data for the zone and will be able to provide authoritative answers for it.
DNS, Zone, Reverse Lookup: To resolve IP addresses to host names (domains), a reverse lookup is performed.
DNS, Zone, Slave: A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone.
DST: Daylight Saving Time (see also UTC, Time Zone).

E
Table 238 Glossary E

EIDE: Refer to IDE.
Emergency Override: Usually, boxes maintained by a Barracuda NG Control Center (CC) can only be configured via the CC, unless an emergency override is performed. This enables configuration changes performed directly via the box configuration.


Table 238 Glossary E (continued)

ENA: Exclusive Network Access, a VPN option to enable exclusive network access to the Barracuda Networks VPN adapter (see also VPN).
Encryption: Data is changed according to a certain algorithm for security reasons; encrypted data cannot be read.
Ethernet Trunk: An Ethernet trunk may be used to bond several Ethernet interfaces together to form so-called bonding channels or Ethernet trunks.
Ethernet: Ethernet is the most widely installed local area network (LAN) technology. Specified in a standard, IEEE 802.3, Ethernet was originally developed by Xerox and then developed further by Xerox, DEC, and Intel. An Ethernet LAN typically uses coaxial cable or special grades of twisted pair wires. Ethernet is also used in wireless LANs. The most commonly installed Ethernet systems are called 10BASE-T and provide transmission speeds up to 10 Mbps. Interfaces are connected to the cable and compete for access using a Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol.
Ethernet, Fast: Fast Ethernet or 100BASE-T provides transmission speeds up to 100 megabits per second and is typically used for LAN backbone systems, supporting workstations with 10BASE-T cards. Gigabit Ethernet provides an even higher level of backbone support at 1000 megabits per second (1 gigabit or 1 billion bits per second). 10-Gigabit Ethernet provides up to 10 billion bits per second.

F
Table 239 Glossary F

FIN: The FIN flag ends a TCP connection (see also SYN, SYN/ACK, ACK, FIN, Flag, Handshake).
Firewall: A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks. Note: The term also implies the security policy that is used with the programs. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control what outside resources its own users have access to (see also Rule, Rule Set, Gateway).
Flag: Part of a TCP connection (see also SYN, SYN/ACK, ACK, FIN, Flag, Handshake).
Foreign Lock: A configuration file that has been locked by another administrator.
Forwarding, IP: IP forwarding is a mechanism to route IP packets from one network interface to another.
Forwarding, Port: Port forwarding works by mapping a local port on the client to a remote port on the server.
FQDN: Fully qualified domain name.
FTP: File Transfer Protocol (FTP), a standard Internet protocol, is the simplest way to exchange files between computers on the Internet. FTP is an application protocol that uses the Internet's TCP/IP protocols.
FDDI: Fibre Distributed Data Interface (FDDI); type of interface used for sending digital data over fibre optic cable. FDDI networks are token-passing networks with up to 100 Mbps used as backbones.

G
Table 2310 Glossary G

Gateway: A gateway is a network point that acts as an entrance to another network.
GUI: Graphical User Interface: an application which runs on a graphical desktop oriented operating system (such as

H
Table 2311 Glossary H

Handshake: A TCP connection involves some components called flags; to make a proper TCP connection, correctly set flags are needed, the so-called Three-Way Handshake (see also SYN, SYN/ACK, ACK, FIN, Flag).
HASH: 1. The result obtained by subjecting a set of data to an algorithm for purposes of checking the data at the time the algorithm is applied or for use at a later time such as after transmission or retrieval from storage. 2. A value computed on data to detect error or manipulation (see also Checksum).
Host Keys: Unique keys to verify a machine to a license, usually CPU IDs or MAC addresses (see also MAC, CPU).
Hot Fix: A hot fix repairs actual problems and could be provided within a short amount of time (see also Service Pack).
HTTP: The Hypertext Transfer Protocol (HTTP) is the set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.

I
Table 2312 Glossary I

ICMP: ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.
IDE: IDE (Integrated Drive Electronics) is a standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices. The IDE interface is based on the IBM PC Industry Standard Architecture (ISA) 16-bit bus standard, but it is also used in computers that use other bus standards. Most computers sold today use an enhanced version of IDE called Enhanced Integrated Drive Electronics (EIDE).
IEN: Internet Engineering Notes.
IMAP: Internet Message Access Protocol (IMAP) is a standard protocol for accessing email from your local server. IMAP (the latest version is IMAP4) is a client/server protocol in which email is received and held for you by your Internet server.
Inbound: The inbound/outbound policy is a very important parameter to protect servers from SYN flooding attacks on allowed connections. The firewall first tries to establish a connection to the requesting source and then establishes the connection between itself and the requested destination (see also Outbound).
IP address: A 32-bit (4 dot-separated bytes) number to address hosts/networks on the network layer. One byte represents the numbers 0 to 255.
IP Tunnel: Simple point-to-point tunnels using generic routing or plain IP in IP encapsulation. The box-based tunnels you may configure here offer neither peer authentication nor encryption support (see also Box, VPN).
IPsec: IPsec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication.

J

K
Table 2313 Glossary K

Kernel: The essential part of Unix or other operating systems, responsible for resource allocation, low-level hardware
Microsoft Windows). The GUI of Barracuda NG interfaces, security
Firewall software is Barracuda NG Admin. Kernel, SMP Symmetric Multiprocessor Kernel (see also Kernel,
Multi Processor)
H Kick-Start File File which contains information about hardware
configuration (partitions, keyboard, time-zone,
Table 2311 Glossary H language) and provides them at the installation routine,
Red Hat (r) proprietary
HA High availability on Barracuda NG Firewalls is done by
swapping the server from one box to the other. This
process is triggered by the control daemon.

Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010



L

Table 23-14 Glossary L

LDAP: LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and interfaces in a network, whether on the public Internet or on a corporate intranet.
Lease(s): Used for DHCP; consists of an IP address and corresponding options for lending to a client PC.
License, Evaluation: A freshly installed unlicensed single box runs in evaluation mode. This is a fully functional Barracuda NG Firewall box, without working box ACLs and with root and support user password f1r3wall (see also root, ACL).
License, Grace: A single box which was installed with wrong licenses enters the so-called grace period, during which the box is fully functional. The grace period is configurable; after this time the box changes to evaluation mode.
License, Personal: License to access a VPN network
License, System: License for Barracuda NG Firewall system processes
License, Valid: A single box with valid licenses.
LACPDU: Link Aggregation Control Protocol Data Unit
Linux: An open-source operating system which is the base of Barracuda NG Firewall software (not the GUI)
Load Balancing: Load (traffic) is split up among several servers in order to improve data rate and reliability
Lock: To avoid the situation that configuration files are edited by several administrators at the same time, a configuration file has to be locked

M

Table 23-15 Glossary M

MAC: Media Access Control addresses (see also ARP, Broadcast)
Mail Body: This is the actual content of the email. The mail body begins after the subject and ends at the end of the email. Attachments are also part of the mail body.
Mail Envelope: This is the SMTP part of email delivery. Like a real mail envelope it contains sender and recipient address.
Mail Exchange (MX): Official DNS host name of a mail server; an MX server usually contains mailboxes
Mail Header: To every email a mail header, which contains sender / recipient / reply-to address, date, email client version, MIME version etc., is added.
Mail Relay: Abuse of a mail gateway to distribute spam mail
Barracuda NG Control Center: Administrative "headquarters" to administer and configure a multi firewall architecture.
Management IP: The IP address that is used for managing the Barracuda NG Firewall. Use this IP address to connect with the Barracuda NG Admin administration GUI to the system.
Map: Extensive Destination NAT (of whole subnets) (see also NAT)
Masquerading: Masquerading is used to mask internal IP addresses with an official IP address (see also NAT)
MIME: Multipurpose Internet Mail Extension; MIME is used for adding mail extensions (for example picture attachments, which most email client applications display in the mail body).
Module: A kernel module is a special program that can be loaded into (become a part of) the Linux kernel on demand (see also Kernel).
MSAD: Authentication over a MS Active Directory Server
MSNT: Authentication over a MSNT Server
MTA: Mail Transfer Agent: Service process of the mail gateway service which is responsible for mail delivery to a foreign mail server
Multi Administrator: In an environment with a Barracuda NG Control Center and several firewalls it is possible that there is more than one administrator with different privileges (see also Admin, Flower, Admin, Power, root, Barracuda NG Control Center)
Multi Processor: A computer system which has two or more processors connected in the same cabinet, managed by one operating system, sharing the same memory, and having equal access to input/output interfaces. Application programs may run on any or all processors in the system; assignment of tasks is decided by the operating system.
Multicast: Data is sent to multiple peers

N

Table 23-16 Glossary N

NAS: Network Access Server
NAT: Network Address Translation is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
NBDD: NetBIOS Datagram Distribution
NetBIOS: Network Basic Input/Output System; very common protocol, supported on Ethernet and Token Ring. In NetBIOS, TCP and UDP communication are supported. It supports broadcasts and multicasting and three distinct services: Naming, Session, and Datagram.
Netmask: To separate network and host addresses the netmask is used.
NIC: Network Interface Card
NIS: Network Information System; network lookup service consisting of databases and processes to provide information that has to be known throughout a network (for example login names and passwords, host names and IP addresses)
NTP: The Network Time Protocol is a protocol that is used to synchronize computer clock times in a network of computers.

O

Table 23-17 Glossary O

Outbound: The inbound/outbound policy is a very important parameter to protect your servers from SYN flooding attacks on allowed connections. The firewall tries to establish a connection to the requested destination and then establishes the connection between itself and the client (see also Inbound).
OSPF: The Open Shortest Path First protocol is a hierarchical interior gateway protocol (IGP) for routing in Internet Protocol, using a link-state in the individual areas that make up the hierarchy. A computation based on Dijkstra's algorithm is used to calculate the shortest path tree inside each area. The current version, Version 3, defined in RFC 2740 (OSPFv3 1999), supports IPv6 only, while OSPF version 2 supports IPv4 (OSPFv2 1998). (see also RIP)

P

Table 23-18 Glossary P

PAP: Password Authentication Protocol
PAR: Portable Archive, Barracuda Networks standard to save configurations via so-called PAR files
Pass: A TCP / UDP / ICMP connection attempt is granted due to a firewall rule match
PAT: Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between hosts on a private network and hosts on a public network. It allows a single public IP address to be used by many hosts on the private network.
Peer IP: IP address of a foreign host which is source or destination of a connection
Barracuda NG Admin: Barracuda Networks administration tool (see also GUI)
Barracuda NG Installer: Barracuda Networks installation tool



phionctrl: Command line tool to take control of Barracuda NG processes
Inverted CIDR notation: The inverted CIDR notation is contrary to the CIDR notation (for example 255.255.255.255 - CIDR: 32, Inverted CIDR: 0). (Getting Started 5. Inverted CIDR Notation, page 25)
Ping: Command to send ICMP echo requests
PKI: A PKI (public key infrastructure) enables users of a basically insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organisation and directory services that can store and, when necessary, revoke the certificates.
Point of Entry: CC itself or array of IP addresses (points of entry or POE) which masquerade the CC.
POP3: POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving email. POP3 is a client/server protocol in which email is received and held for you by your Internet server.
Primary Box: In a HA environment the box which runs all servers and services until a serious fault occurs or the system has to be shut down for system maintenance, whereupon the secondary box will start servers and services (see also Secondary Box, HA)
Private Key: In cryptography, a private or secret key is an encryption/decryption key known only to the party or parties that exchange secret messages. In traditional secret key cryptography, a key would be shared by the communicators so that each could encrypt and decrypt messages. The risk in this system is that if either party loses the key or it is stolen, the system is broken. A more recent alternative is to use a combination of public and private keys. In this system, a public key is used together with a private key. See public key infrastructure (PKI) for more information (see also Public Key, PKI).
Processes: A process is a collection of operations which perform certain tasks
Protocol: In information technology, a protocol is the special set of rules that end points in a telecommunication connection use when they communicate. Protocols exist at several levels in a telecommunication connection. There are hardware telephone protocols. There are protocols between each of several functional layers and the corresponding layers at the other end of a communication. Both end points must recognize and observe a protocol. Protocols are often described in an industry or international standard.
Proxy: In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. (see also Masquerading, NAT)
Proxy ARP: IP addresses for which the firewall answers to ARP requests; these IP addresses do not "live" on this system
Public Key: In cryptography, a public key is a value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures. The use of combined public and private keys is known as asymmetric cryptography. A system for using public keys is called a public key infrastructure (PKI) (see also Private Key, PKI)

Q

R

Table 23-19 Glossary R

RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share.
Range: Several clusters which belong together logically form a range
RAS: Reliability, Availability, Serviceability. Remote Access Service
RDP: Remote Desktop Protocol
Redirect to exe: With firewall rules it is possible to redirect IP addresses to executable files
Redirect with cycling: A kind of load balancing
Redirect: With firewall rules it is possible to redirect IP addresses to other IP addresses.
Redundant: Redundant describes computer or network system components, such as fans, hard disk drives, servers, operating systems, switches, and telecommunication links that are installed to back up primary resources in case they fail.
Repository: Part of the config tree of a Barracuda NG Control Center (CC) maintained box where configuration settings can be stored.
RIP: The Routing Information Protocol allows network routers to adapt dynamically to changing network connections by swapping information about which networks each router can reach, and how far away those networks are. (see also OSPF)
root Alias: Aliases for the root administrator account
root: Administrator of Unix systems
Round Robin: In computer operation, one method of having different program processes take turns using the resources of the computer is to limit each process to a certain short time period, then suspending that process to give another process a turn (or "time-slice"). This is often described as round-robin process scheduling. This term is also used for a simple way of load balancing in a server farm.
Route: A route defines which way a packet has to be forwarded (see also Router)
Route, Default: All traffic for which no specific routing table entry exists is routed via the default gateway (see also Router)
Route, Direct: Traffic is routed over an interface
Route, Gateway: Traffic is routed over a gateway
Route, Pending: One of the advanced features of Barracuda NG Firewall boxes is that you may configure so-called pending direct routes, which stay hidden from the operating system until an appropriate source address becomes available. In the context of firewalling this allows you to configure a routing setup that becomes active only when the firewall is active. The advantage of this is that the box as such will never be directly accessible as a target for malicious activity.
Route, Wild: Barracuda Networks specific term for a route which is activated directly on a box instead of via the network configuration GUI
Router: On the Internet, a router is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded towards its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to. A router is located at any gateway (where one network meets another), including each Internet point-of-presence.
Routing, Policy: Policy routing is a means to implement more complex routing scenarios. Since the firewall configuration (on a per rule basis) allows you to specify the address with which an allowed connection is established, policy routing represents an extremely powerful instrument to manage firewalling in topologically complex environments.
RPM: The RedHat Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package like its version and a description. Barracuda Networks hot fixes and service packs are provided in RPM packages (see also Hot Fix, Service Pack)
Rule: A firewall rule defines in which way a request is handled (see also Block, Pass, Redirect)
Rule, Dynamic: A rule which is activated manually and stays active for a configurable amount of time
Rule, Time Dependent: A rule which is only active on determined hours of a day (e.g. private surfing only after 5 pm)



Rule Set: The entirety of all firewall rules of a box forms a rule set.
Rule Set, Cascaded: The Barracuda NG Firewall supports the unique feature of cascaded rule sets. For multi-administrator clusters access to parts of the rule set can be restricted for sub-administrators (see also Multi Administrator, Barracuda NG Control Center, Rule Set).

S

Table 23-20 Glossary S

SCSI: The Small Computer System Interface is a set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners faster and more flexibly than previous interfaces. (see also ANSI, IDE, EIDE)
Secondary Box: This box checks the primary box; if the primary is unreachable it starts its server and services (see also Primary Box, HA)
Send Changes: By clicking this button, configuration changes are sent from the GUI to the Barracuda NG Firewall. The changes are not yet activated.
Server: Collection of IP addresses under which the services are made available.
Service Pack: A service pack provides a bunch of updates; the database which holds the version numbers is updated (see also Hot Fix)
Service: Operational services that provide the actual functionality of the Barracuda NG Firewall
SMB: Server Message Block (protocol)
SMTP: Simple Mail Transport Protocol
SNMP: Simple Network Management Protocol; set of protocols for managing complex networks
Socks 4/5: A protocol for handling TCP traffic through a proxy server. It can be used with virtually any TCP application. There are two main versions of SOCKS - V4 and V5. V5 adds an authentication mechanism for additional security. There are many freeware implementations of both versions. One of the most common V5 implementations is SOCKS5 (see also Proxy, NAT)
Source IP: IP address of the connecting instance (see also Bind IP, Connect IP, Destination IP)
Spool: Service process of the mail gateway service which is responsible for scheduling incoming mail jobs
SSH: Secure Shell, an encrypted remote shell to administer a system; formerly telnet or rlogin was used, but without encryption they are senseless in a secure environment
SSL: Secure Socket Layer
SYN: First part of the Three-Way Handshake of a TCP connection (see also ACK, SYN/ACK, FIN, Flag, Handshake)
SYN/ACK: Second part of the Three-Way Handshake of a TCP connection (see also ACK, SYN, FIN, Flag, Handshake)

T

Table 23-21 Glossary T

TCP: Transmission Control Protocol
Time Server: To synchronize several machines to the same time a time server is needed (see also NTP)
Time Statistics: Type of statistics which reflect traffic / data / connections over a certain period of time.
Time Zone: Time zone where a box is geographically (for example GMT - Greenwich Mean Time)
Token Ring: A token ring network is a local area network in which all computers are connected in a ring or star topology and a binary digit or token-passing scheme is used in order to prevent the collision of data between two computers.
Top Statistics: Type of statistics which reflect traffic / data / connections from peers. Top statistics can be separated in Source and Destination statistics

U

Table 23-22 Glossary U

UDP: User Datagram Protocol
Undo: Click this button to perform a complete rollback of an altered configuration. This will only work before clicking the Commit button
Unicast: Data is sent to one peer only
UTC: Universal Time Coordinated or Greenwich Mean Time (GMT) (see also DST, Time Zone)

V

Table 23-23 Glossary V

Virtual LAN: A Virtual LAN is used to simulate several networks on one NIC, and one switch port behaves like several switches.
Virtual management IP: This becomes the primary management IP, where the box is administered by a Barracuda NG Control Center.
VNC: Virtual Network Computing
VPN: Virtual Private Network
VPN Tunnel Stealth: A second popular example for tunnelling is the so-called stealth mode or half-side transparent tunnel. In this case a local network is granted access to a partner network, but not the other way round. Moreover, it hides its internal IP structure from the partner network.
VPN Tunnel Transparent: The simplest configuration for tunnels is to connect two networks with different address ranges transparently. The effect should be that two networks are connected together just as if there were nothing but an open firewall in between.
VPN Tunnel, Star Shaped: Most real world VPN topologies include a headquarters structure. That means that many VPN tunnels terminate on one VPN server. Traffic between outposts is typically routed via the headquarters. This reduces the number of tunnels to manage.

W

Table 23-24 Glossary W

Watchdog: Barracuda Networks routine to control and repair system processes
WebDAV: Web-based Distributed Authoring and Versioning
Wild Cards: To simplify data input, certain characters stand for all other possible characters: "?" replaces a single character; '*' replaces a whole string; wildcards and other characters
WINS: Windows Internet Naming Service; is used for providing name resolution for computers with special arrangement (Server and Client must run MS Windows). Such a service uses an automatically updated database with the names of currently available PCs and IP addresses (see also DHCP).

X

Y

Z


10. Barracuda Networks Warranty and Software License Agreement (v2.1)

10.1 Barracuda Networks Limited Hardware Warranty

1. Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc., ("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks, Inc.), and continuing for a period of one (1) year: (a) its products (excluding any software) will be free from material defects in materials and workmanship under normal use; and (b) the software provided in connection with its products, including any software contained or embedded in such products will substantially conform to Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate the software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is non-transferable.

2. Exclusive Remedy. Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks or its service centers option and expense, the repair, replacement or refund of the purchase price of any products sold which do not comply with this warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks option. Barracuda Networks obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks then-current Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at Barracuda Networks discretion, and shall be furnished on an exchange basis. All parts removed for replacement will become the property of Barracuda Networks. In connection with warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT SHALL BARRACUDA NETWORKS LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION.

3. Exclusions and Restrictions. This limited warranty does not apply to Barracuda Networks products that are or have been (a) marked or identified as "sample" or "beta," (b) loaned or provided to you at no cost, (c) sold "as is," (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse, negligence or to an accident.

EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.

10.2 Barracuda Networks Software License Agreement

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING THE BARRACUDA NETWORKS SOFTWARE. BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU ARE A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN THE SOFTWARE LICENSE GRANTED UNDER THIS AGREEMENT IS EXPRESSLY CONDITIONED UPON ACCEPTANCE BY A PERSON WHO IS AUTHORIZED TO SIGN FOR AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL REFUND TO YOUR PLACE OF PURCHASE.

1. The software and documentation, whether on disk, in flash memory, in read only memory, or on any other media or in any other form (collectively "Barracuda Software") is licensed, not sold, to you by Barracuda Networks, Inc. ("Barracuda") for use only under the terms of this Agreement, and Barracuda reserves all rights not expressly granted to you. The rights granted are limited to Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent or intellectual property rights. You own the media on which the Software is recorded but Barracuda retains ownership of the Software itself. If you have not completed a purchase of the Software and made payment for the purchase, the Software may only be used for evaluation purposes and may not be used in any production capacity. Furthermore the Software, when used for evaluation, may not be secure and may use publically available passwords.

2. Permitted License Uses and Restrictions. If you have purchased a Barracuda Networks hardware product, this Agreement allows you to use the Software only on the single Barracuda labeled hardware device on which the software was delivered. You may not make copies of the Software. You may not make a backup copy of the Software. If you have purchased a Barracuda Networks Virtual Machine you may use the software only in the licensed number of instances of the licensed sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup copies of the Software. If you have purchased client software you may install the software only on the number of licensed clients. You may make a reasonable number of backup copies of the Software. For all purchases you may not modify or create derivative works of the Software except as provided by the Open Source Licenses included below. You may not make the Software available over a network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided in the documentation, your use of the Software shall be limited to use on a single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units as you may have paid Barracuda Networks the required license fee; and your use of the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e. users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your use of the Software shall also be limited by any other restrictions set forth in your purchase order or in Barracuda Networks' product catalog, user documentation or Web site for the Software. THE BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE SUPPORT MACHINES, OR OTHER EQUIPMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE NOT TO USE IT IN ANY OF THESE OPERATIONS.

3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so. YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS AND OBLIGATIONS UNDER THIS AGREEMENT. You agree that you will have no right and will not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii) sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time sharing basis or other remote access system whereby third parties other than you can use or benefit from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run the Software on more computers than you have purchased license to; (vi) operate the Software in a fashion that exceeds the capacity or capabilities that were purchased by you.

4. THIS AGREEMENT SHALL BE EFFECTIVE UPON INSTALLATION OF THE SOFTWARE OR PRODUCT AND SHALL TERMINATE UPON THE EARLIER OF: (A) YOUR FAILURE TO COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda Networks and your obligations shall survive any termination of this Agreement. Upon termination of this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all copies of the Software have been destroyed or deleted from any of your computer libraries, storage devices, or any other location.

5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE BARRACUDA SOFTWARE IS PROVIDED

prohibited; (vi) DR6 contains a security feature from Microsoft that will automatically reboot the system without warning after 24 hours of continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6 is subject to U.S. export jurisdiction.

10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use any such trademarks for any purpose.

11. Export Restrictions. You may not export or re-export the Software without:
"AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, (a) the prior written consent of Barracuda Networks, (b) complying with
AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES AND applicable export control laws, including, but not limited to, restrictions and
CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, regulations of the Department of Commerce or other United States agency or
EITHER EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT authority and the applicable EU directives, and (c) obtaining any necessary
NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF permits and licenses. In any event, you may not transfer or authorize the
MERCHANTIBILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR transfer of the Software to a prohibited territory or country or otherwise in
ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF violation of any applicable restrictions or regulations. If you are a United
THIRD PARTY RIGHTS. BARRACUDA DOES NOT WARRANT THE States Government agency the Software and documentation qualify as
CONTINUED OPERATION OF THE SOFTWARE, THAT THE "commercial items", as that term is defined at Federal Acquisition Regulation
PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE ("FAR") (48 C.F.R.) 2.101, consisting of "commercial computer software" and
FUNCTIONS WILL MEET YOUR REQUIREMENTS, THAT THE "commercial computer software documentation" as such terms are used in
OPERATION WILL BE ERROR FREE OR CONTINUOUS, THAT CURRENT FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1
OR FUTURE VERSIONS OF ANY OPERATING SYSTEM WILL BE through 227.7202-4, and notwithstanding any other FAR or other contractual
SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR clause to the contrary in any agreement into which this Agreement may be
WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED incorporated, Government end user will acquire the Software and
BARRACUDA REPRESENTATIVE SHALL CREATE A WARRANTY. documentation with only those rights set forth in this Agreement. Use of either
SHOULD THE BARRACUDA SOFTWARE PROVE DEFECTIVE, YOU the Software or documentation or both constitutes agreement by the
ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, Government that the Software and documentation are "commercial computer
OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS SHALL software" and "commercial computer software documentation", and
ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE constitutes acceptance of the rights and restrictions herein.
WHICH WERE CAUSED BY IMPROPER OPERATION, USE OF
UNSUITABLE RESOURCES, ABNORMAL OPERATING CONDITIONS (IN
12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE
PARTICULAR DEVIATIONS FROM THE INSTALLATION CONDITIONS) AS
STATE OF CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA
WELL AS BY TRANSPORTATION DAMAGE. IN ADDITION, DUE TO THE
COUNTY, CALIFORNIA, UNLESS YOUR HEADQUARTERS IS LOCATED
CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING
IN SWITZERLAND, THE EU, OR JAPAN. IF YOUR HEADQUARTERS IS
UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES
LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW SHALL BE
NOT WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM
USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR
OR NETWORK ON WHICH THE SOFTWARE IS USED WILL BE FREE OF
HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE
VULNERABILITY TO INTRUSION OR ATTACK. YOU EXPRESSLY
USED AND JURISDICTION SHALL BE INNSBRUCK. IF YOUR
ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED
HEADQUARTERS IS LOCATED IN JAPAN, JAPANESE LAW SHALL BE
PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY
USED AND JURISDICTION SHALL BE TOKYO. THIS AGREEMENT WILL
PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU
NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY
EITHER OWN OR CONTROL THAT ARE UTILIZED IN ANY BARRACUDA
JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE
PRODUCT.
U.N. CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES
OF GOODS. This Agreement is the entire agreement between You and
6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE Barracuda Networks regarding the subject matter herein and supersedes any
ABSOLUTE AND UNILATERAL RIGHT AT ITS SOLE DISCRETION TO other communications with respect to the Software. If any provision of this
DENY USE OF, OR ACCESS TO BARRACUDA SOFTWARE, IF YOU ARE Agreement is held invalid or unenforceable, the remainder of this Agreement
DEEMED BY BARRACUDA TO BE USING THE SOFTWARE IN A MANNER will continue in full force and effect. Failure to prosecute a party's rights with
NOT REASONABLY INTENDED BY BARRACUDA OR IN VIOLATION OF respect to a default hereunder will not constitute a waiver of the right to
ANY LAW. enforce rights with respect to the same or any other breach.

7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN 13. Assignability. You may not assign any rights or obligations hereunder
NO EVENT SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR without prior written consent from Barracuda Networks.
ANY INCIDENTAL SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES
WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
14. Billing Issues. You must notify Barracuda of any billing problems or
LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR
discrepancies within sixty (60) days after they first appear on the statement
ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF
you receive from your bank, Credit Card Company, other billing company or
OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE
Barracuda Networks. If you do not bring such problems or discrepancies to
BARRACUDA SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE
Barracuda Networks attention within the sixty (60) day period, you agree that
THEORY OF LIABILITY AND EVEN IF BARRACUDA HAS BEEN ADVISED
you waive the right to dispute such problems or discrepancies.
OF THE POSSIBILITY OF DAMAGES. In no event shall Barracuda's total
liability to you for all damages exceed the amount of one hundred dollars.
15. Collection of Data. You agree to allow Barracuda Networks to collect
information ("Statistics") from the Software in order to fight spam, virus, and
8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD
other threats as well as optimize and monitor the Software. Information will be
PARTY TO) COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT,
collected electronically and automatically. Statistics include, but are not
DISTRIBUTE, OR BURN TO CD (OR ANY OTHER MEDIUM) ANY
limited to, the number of messages processed, the number of messages that
COPYRIGHTED CONTENT THAT YOU ACCESS OR RECEIVE THROUGH
are categorized as spam, the number of virus and types, IP addresses of the
USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU ASSUME
largest spam senders, the number of emails classified for Bayesian analysis,
ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF
capacity and usage, and other statistics. Your data will be kept private and
COPYRIGHTED CONTENT. You agree not to publish any benchmarks,
will only be reported in aggregate by Barracuda Networks.
measurements, or reports on the product without Barracuda Networks
written express approval.
16. Subscriptions. Software updates and subscription information provided
by Barracuda Energize Updates or other services may be necessary for the
9. Third Party Software. Some Software which supports Bare Metal Disaster
continued operation of the Software. You acknowledge that such a
Recovery of Microsoft Windows Vista and Microsoft Windows 2008 Operating
subscription may be necessary. Furthermore some functionality may only be
Systems (DR6) contains and uses components of the Microsoft Windows
available with additional subscription purchases. Obtaining Software
Pre-Installation Environment (WINPE) with the following restrictions: (i) the
updates on systems where no valid subscription has been purchased or
WINPE components in the DR6 product are licensed and not sold and may
obtaining functionality where subscription has not been purchased is strictly
only be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda
forbidden and in violation of this Agreement. All initial subscriptions
and its suppliers reserve all rights not expressly granted; (iv) license to use
commence at the time of activation and all renewals commence at the
DR6 and the WINPE components is limited to use of the product as a
expiration of the previous valid subscription. Unless otherwise expressly
recovery utility program only and not for use as a general purpose operating
provided in the documentation, you shall use the Energize Updates Service
system; (v) Reverse engineering, decompiling or disassembly of the WINPE
and other subscriptions solely as embedded in, for execution on, or (where
components, except to the extent expressly permitted by applicable law, is
the applicable documentation permits installation on non-Barracuda
Barracuda Networks Inc. 2010
Barracuda Networks Warranty and Software License Agreement 613

Networks equipment) for communication with Barracuda Networks equipment make sure that they, too, receive or can get the source code. And you must
owned or leased by you. All subscriptions are non-transferrable. Barracuda show them these terms so they know their rights.
Networks makes no warranty that subscriptions will continue un-interrupted.
Subscription may be terminated without notice by Barracuda Networks for
lack of full payment. We protect your rights with two steps: (1) copyright the software, and (2) offer
you this license which gives you legal permission to copy, distribute and/or
modify the software.
17. Auto Renewals. If your Software purchase is a time based license,
includes software maintenance, or includes a subscription, you hereby agree
to automatically renew this purchase when it expires unless you notify Also, for each author's protection and ours, we want to make certain that
Barracuda 15 days before the renewal date. Barracuda Networks will everyone understands that there is no warranty for this free software. If the
automatically bill you or charge you unless notified 15 days before the software is modified by someone else and passed on, we want its recipients
renewal date. to know that what they have is not the original, so that any problems
introduced by others will not reflect on the original authors' reputations.

18. Time Base License. If your Software purchase is a time based license
you expressly acknowledge that the Software will stop functioning at the time Finally, any free program is threatened constantly by software patents. We
the license expires. You expressly indemnify and hold harmless Barracuda wish to avoid the danger that redistributors of a free program will individually
Networks for any and all damages that may occur because of this. obtain patent licenses, in effect making the program proprietary. To prevent
this, we have made it clear that any patent must be licensed for everyone's
free use or not licensed at all.
19. Support. Telephone, email and other forms of support will be provided to
you if you have purchased a product that includes support. The hours of
support vary based on country and the type of support purchased. Barracuda The precise terms and conditions for copying, distribution and modification
Networks Energize Updates typically include Basic support. follow.

20. Changes. Barracuda Networks reserves the right at any time not to TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND
release or to discontinue release of any Software or Subscription and to alter MODIFICATION
prices, features, specifications, capabilities, functions, licensing terms,
release dates, general availability or other characteristics of any future
0. This License applies to any program or other work which contains a notice
releases of the Software or Subscriptions.
placed by the copyright holder saying it may be distributed under the terms of
this General Public License. The "Program", below, refers to any such
21. Open Source Licensing. Barracuda Networks products may include program or work, and a "work based on the Program" means either the
programs that are covered by the GNU General Public License (GPL) or Program or any derivative work under copyright law: that is to say, a work
other Open Source license agreements, in particular the Linux operating containing the Program or a portion of it, either verbatim or with modifications
system. It is expressly put on record that the Software does not constitute an and/or translated into another language. (Hereinafter, translation is included
edited version or further development of the operating system. These without limitation in the term "modification".) Each licensee is addressed as
programs are copyrighted by their authors or other parties, and the authors "you".
and copyright holders disclaim any warranty for such programs. Other
programs are copyright by Barracuda Networks. Further details may be
Activities other than copying, distribution and modification are not covered by
provided in an appendix to this agreement where the licenses are re-printed.
this License; they are outside its scope. The act of running the Program is not
Barracuda Networks makes available the source code used to build
restricted, and the output from the Program is covered only if its contents
Barracuda products available at source.barracuda.com. This directory
constitute a work based on the Program (independent of having been made
includes all the programs that are distributed on the Barracuda products.
by running the Program). Whether that is true depends on what the Program
Obviously not all of these programs are utilized, but since they are distributed
does.
on the Barracuda product we are required to make the source code available.

1. You may copy and distribute verbatim copies of the Program's source code
as you receive it, in any medium, provided that you conspicuously and
10.3 Barracuda Networks Energize Updates appropriately publish on each copy an appropriate copyright notice and
and Other Subscription Terms disclaimer of warranty; keep intact all the notices that refer to this License and
to the absence of any warranty; and give any other recipients of the Program
a copy of this License along with the Program.
10.3.1 The GNU General Public License (GPL) Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
You may charge a fee for the physical act of transferring a copy, and you may
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA at your option offer warranty protection in exchange for a fee.

Everyone is permitted to copy and distribute verbatim copies of this license 2. You may modify your copy or copies of the Program or any portion of it,
document, but changing it is not allowed. thus forming a work based on the Program, and copy and distribute such
modifications or work under the terms of Section 1 above, provided that you
also meet all of these conditions:
Preamble

a) You must cause the modified files to carry prominent notices stating that
The licenses for most software are designed to take away your freedom to
you changed the files and the date of any change.
share and change it. By contrast, the GNU General Public License is
intended to guarantee your freedom to share and change free software--to
make sure the software is free for all its users. This General Public License b) You must cause any work that you distribute or publish, that in whole or in
applies to most of the Free Software Foundation's software and to any other part contains or is derived from the Program or any part thereof, to be
program whose authors commit to using it. (Some other Free Software licensed as a whole at no charge to all third parties under the terms of this
Foundation software is covered by the GNU Library General Public License License.
instead.) You can apply it to your programs, too.

c) If the modified program normally reads commands interactively when run,


When we speak of free software, we are referring to freedom, not price. Our you must cause it, when started running for such interactive use in the most
General Public Licenses are designed to make sure that you have the ordinary way, to print or display an announcement including an appropriate
freedom to distribute copies of free software (and charge for this service if copyright notice and a notice that there is no warranty (or else, saying that
you wish), that you receive source code or can get it if you want it, that you you provide a warranty) and that users may redistribute the program under
can change the software or use pieces of it in new free programs; and that these conditions, and telling the user how to view a copy of this License.
you know you can do these things. (Exception: if the Program itself is interactive but does not normally print such
an announcement, your work based on the Program is not required to print an
announcement.)
To protect your rights, we need to make restrictions that forbid anyone to
deny you these rights or to ask you to surrender the rights. These restrictions
translate to certain responsibilities for you if you distribute copies of the These requirements apply to the modified work as a whole. If identifiable
software, or if you modify it. sections of that work are not derived from the Program, and can be
reasonably considered independent and separate works in themselves, then
this License, and its terms, do not apply to those sections when you distribute
For example, if you distribute copies of such a program, whether gratis or for
them as separate works. But when you distribute the same sections as part of
a fee, you must give the recipients all the rights that you have. You must
a whole which is a work based on the Program, the distribution of the whole

Barracuda Networks Inc. 2010


614 Barracuda Networks Warranty and Software License Agreement

must be on the terms of this License, whose permissions for other licensees
extend to the entire whole, and thus to each and every part regardless of who If any portion of this section is held invalid or unenforceable under any
wrote it. particular circumstance, the balance of the section is intended to apply and
the section as a whole is intended to apply in other circumstances.
Thus, it is not the intent of this section to claim rights or contest your rights to
work written entirely by you; rather, the intent is to exercise the right to control It is not the purpose of this section to induce you to infringe any patents or
the distribution of derivative or collective works based on the Program. other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
In addition, mere aggregation of another work not based on the Program with distribution system, which is implemented by public license practices. Many
the Program (or with a work based on the Program) on a volume of a storage people have made generous contributions to the wide range of software
or distribution medium does not bring the other work under the scope of this distributed through that system in reliance on consistent application of that
License. system; it is up to the author/donor to decide if he or she is willing to distribute
software through any other system and a licensee cannot impose that choice.

3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 This section is intended to make thoroughly clear what is believed to be a
and 2 above provided that you also do one of the following: consequence of the rest of this License.

a) Accompany it with the complete corresponding machine-readable source 8. If the distribution and/or use of the Program is restricted in certain countries
code, which must be distributed under the terms of Sections 1 and 2 above either by patents or by copyrighted interfaces, the original copyright holder
on a medium customarily used for software interchange; or, who places the Program under this License may add an explicit geographical
distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this
b) Accompany it with a written offer, valid for at least three years, to give any License incorporates the limitation as if written in the body of this License.
third party, for a charge no more than your cost of physically performing
source distribution, a complete machine-readable copy of the corresponding
source code, to be distributed under the terms of Sections 1 and 2 above on a 9. The Free Software Foundation may publish revised and/or new versions of
medium customarily used for software interchange; or, the General Public License from time to time. Such new versions will be
similar in spirit to the present version, but may differ in detail to address new
problems or concerns.
c) Accompany it with the information you received as to the offer to distribute
corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object Each version is given a distinguishing version number. If the Program
code or executable form with such an offer, in accord with Subsection b specifies a version number of this License which applies to it and "any later
above.) version", you have the option of following the terms and conditions either of
that version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of this License,
The source code for a work means the preferred form of the work for making you may choose any version ever published by the Free Software
modifications to it. For an executable work, complete source code means all Foundation.
the source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation of
the executable. However, as a special exception, the source code distributed 10. If you wish to incorporate parts of the Program into other free programs
need not include anything that is normally distributed (in either source or whose distribution conditions are different, write to the author to ask for
binary form) with the major components (compiler, kernel, and so on) of the permission. For software which is copyrighted by the Free Software
operating system on which the executable runs, unless that component itself Foundation, write to the Free Software Foundation; we sometimes make
accompanies the executable. exceptions for this. Our decision will be guided by the two goals of preserving
the free status of all derivatives of our free software and of promoting the
sharing and reuse of software generally.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source
code from the same place counts as distribution of the source code, even NO WARRANTY
though third parties are not compelled to copy the source along with the
object code. 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE
IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED
4. You may not copy, modify, sublicense, or distribute the Program except as BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
expressly provided under this License. Any attempt otherwise to copy, WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
modify, sublicense or distribute the Program is void, and will automatically PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
terminate your rights under this License. However, parties who have received EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
copies, or rights, from you under this License will not have their licenses THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
terminated so long as such parties remain in full compliance. A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
5. You are not required to accept this License, since you have not signed it. NECESSARY SERVICING, REPAIR OR CORRECTION.
However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you do
not accept this License. Therefore, by modifying or distributing the Program 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR
(or any work based on the Program), you indicate your acceptance of this AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY
License to do so, and all its terms and conditions for copying, distributing or OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
modifying the Program or works based on it. PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
6. Each time you redistribute the Program (or any work based on the TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
Program), the recipient automatically receives a license from the original DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
licensor to copy, distribute or modify the Program subject to these terms and SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
conditions. You may not impose any further restrictions on the recipients' PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
exercise of the rights granted herein. You are not responsible for enforcing SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
compliance by third parties to this License. POSSIBILITY OF SUCH DAMAGES.

7. If, as a consequence of a court judgment or allegation of patent END OF GNU TERMS AND CONDITIONS
infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that
contradict the conditions of this License, they do not excuse you from the Barracuda Networks Products may contain programs that are copyright
conditions of this License. If you cannot distribute so as to satisfy (c)1995-2005 International Business Machines Corporation and others. All
simultaneously your obligations under this License and any other pertinent rights reserved. These programs are covered by the following License:
obligations, then as a consequence you may not distribute the Program at all. "Permission is hereby granted, free of charge, to any person obtaining a copy
For example, if a patent license would not permit royalty-free redistribution of of this software and associated documentation files (the "Software"), to deal
the Program by all those who receive copies directly or indirectly through you, in the Software without restriction, including without limitation the rights to
then the only way you could satisfy both it and this License would be to refrain use, copy, modify, merge, publish, distribute, and/or sell copies of the
entirely from distribution of the Program. Software, and to permit persons to whom the Software is furnished to do so,
provided that the above copyright notice(s) and this permission notice appear

Barracuda Networks Inc. 2010


Barracuda Networks Warranty and Software License Agreement 615

in all copies of the Software and that both the above copyright notice(s) and
this permission notice appear in supporting documentation."

Barracuda Networks Products may include programs that are covered by the 1. Definitions.
BSD License: "Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are
met: "License" shall mean the terms and conditions for use, reproduction, and
Redistributions of source code must retain the above copyright notice, this list distribution as defined by Sections 1 through 9 of this document.
of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this "Licensor" shall mean the copyright owner or entity authorized by the
list of conditions and the following disclaimer in the documentation and/or copyright owner that is granting the License.
other materials provided with the distribution.
The names of the authors may not be used to endorse or promote products "Legal Entity" shall mean the union of the acting entity and all other entities
derived from this software without specific prior written permission. that control, are controlled by, or are under common control with that entity.
THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS For the purposes of this definition, "control" means (i) the power, direct or
OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE indirect, to cause the direction or management of such entity, whether by
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
PARTICULAR PURPOSE." outstanding shares, or (iii) beneficial ownership of such entity.

Barracuda Networks Products may include the libspf library which is "You" (or "Your") shall mean an individual or Legal Entity exercising
Copyright (c) 2004 James Couzens & Sean Comeau, All rights reserved. It is permissions granted by this License.
covered by the following agreement: Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the
following conditions are met: 1. Redistributions of source code must retain the "Source" form shall mean the preferred form for making
above copyright notice, this list of conditions and the following disclaimer. 2. modifications,including but not limited to software source code,
Redistributions in binary form must reproduce the above copyright notice, this documentation source, and configuration files.
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution. THIS SOFTWARE IS
"Object" form shall mean any form resulting from mechanical transformation
PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
or translation of a Source form, including but not limited to compiled object
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
code, generated documentation, and conversions to other media types.
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF
THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, "Work" shall mean the work of authorship, whether in Source or Object form,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL made available under the License, as indicated by a copyright notice that is
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF included in or attached to the work (an example is provided in the Appendix
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR below).
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) "Derivative Works" shall mean any work, whether in Source or Object form,
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF that is based on (or derived from) the Work and for which the editorial
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. revisions, annotations, elaborations, or other modifications represent, as a
whole, an original work of authorship. For the purposes of this License,
Derivative Works shall not include works that remain separable from, or
Barracuda Networks Products may contain programs that are Copyright (c) merely link (or bind by name) to the interfaces of, the Work and Derivative
1998-2003 Carnegie Mellon University. All rights reserved. Redistribution and Works thereof.
use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: 1. Redistributions of source
code must retain the above copyright notice, this list of conditions and the "Contribution" shall mean any work of authorship, including the original
following disclaimer. 2. Redistributions in binary form must reproduce the version of the Work and any modifications or additions to that Work or
above copyright notice, this list of conditions and the following disclaimer in Derivative Works thereof, that is intentionally submitted to Licensor for
the documentation and/or other materials provided with the distribution. The inclusion in the Work by the copyright owner or by an individual or Legal
name "Carnegie Mellon University" must not be used to endorse or promote Entity authorized to submit on behalf of the copyright owner. For the
products derived from this software without prior written permission. For purposes of this definition, "submitted" means any form of electronic, verbal,
permission or any other legal details, please contact Office of Technology or written communication sent to the Licensor or its representatives, including
Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA but not limited to communication on electronic mailing lists, source code
15213-3890 (412) 268-4387, fax: (412) 268-7395, control systems, and issue tracking systems that are managed by, or on
tech-transfer@andrew.cmu.edu . Redistributions of any form whatsoever behalf of, the Licensor for the purpose of discussing and improving the Work,
must retain the following acknowledgment: "This product includes software but excluding communication that is conspicuously marked or otherwise
developed by Computing Services at Carnegie Mellon University designated in writing by the copyright owner as "Not a Contribution."
(http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND "Contributor" shall mean Licensor and any individual or Legal Entity on
FITNESS, AND IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY behalf of whom a Contribution has been received by Licensor and
BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL subsequently incorporated within the Work.
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
2. Grant of Copyright License. Subject to the terms and conditions of this
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
License, each Contributor hereby grants to You a perpetual, worldwide,
CONNECTION WITH THE USE OR PERFORMANCE OF THIS
non-exclusive, no-charge, royalty-free, irrevocable copyright license to
SOFTWARE.
reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or
Object form.
Barracuda Networks Software may include programs that are covered by the
Apache License or other Open Source license agreements. The Apache 3. Grant of Patent License. Subject to the terms and conditions of this
license is re-printed below for you reference. These programs are License, each Contributor hereby grants to You a perpetual, worldwide,
copyrighted by their authors or other parties, and the authors and copyright non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this
holders disclaim any warranty for such programs. Other programs are section) patent license to make, have made, use, offer to sell, sell, import,
copyright by Barracuda Networks. and otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily infringed by
10.3.2 Apache License their Contribution(s) alone or by combination of their Contribution(s) with the
Work to which such Contribution(s) was submitted. If You institute patent
Version 2.0, January 2004 litigation against any entity (including a cross-claim or counterclaim in a
http://www.apache.org/licenses/ lawsuit) alleging that the Work or a Contribution incorporated within the Work
constitutes direct or contributory patent infringement, then any patent
licenses granted to You under this License for that Work shall terminate as of
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND the date such litigation is filed.
DISTRIBUTION

Barracuda Networks Inc. 2010


616 Barracuda Networks Warranty and Software License Agreement

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

10.3.3 AdoDB - BSD Style-License

Barracuda Networks Products may contain programs and software that are copyright (c) 2000, 2001, 2002, 2003, 2004 John Lim All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the John Lim nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. DISCLAIMER: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JOHN LIM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.4 AMCC

Barracuda Networks Products may contain programs and software that are copyright protected by: AMCC
215 Moffet Park Drive, Sunnyvale California, CA-94089, USA
www.amcc.com. AMCC grants to you a non-exclusive, non-transferable, non-sublicensable license to use the Product.

LIMITS
You may not copy, modify, rent, sell, distribute, or transfer any part of the Software except as provided in this Agreement, and you agree to prevent unauthorized copying of the Software; (2) you may not reverse engineer, decompile, or disassemble the Software; and (3) you may not sublicense the Software.

OWNERSHIP OF SOFTWARE AND COPYRIGHTS
Title to all copies of the Software will remain with AMCC or its suppliers. The Software is copyrighted and protected by United States and Austrian copyright laws and international treaty provisions. You may not remove any copyright, patent, or other proprietary notices from the Software. AMCC and BARRACUDA NETWORKS or its suppliers may make changes to the Software, or to items referenced therein, at any time without notice, but is not obligated to support or update the Software. Except as otherwise expressly provided, AMCC grants no express or implied right under AMCC patents, copyrights, trademarks, or other intellectual property rights. You may transfer the Software only if the recipient agrees to be fully bound by these terms and if you retain no copies of the Software.

LIMITATION OF LIABILITY
IN NO EVENT SHALL AMCC AND BARRACUDA NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF AMCC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR LIMITATION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION.

TERMINATION
This agreement will be terminated at any time if you violate its terms. Upon termination, you will immediately destroy the software.

RESTRICTED RIGHTS LEGEND
The AMCC Software Products are Restricted Computer Software. If the Software Products are licensed for use by the United States or for use in the performance of a United States government prime contract or subcontract, Customer agrees that the Software Products are delivered as: (i) commercial computer software as defined in DFARS 252.227-7013, Rights in Technical Data Noncommercial Items; DFARS 252.227-7014, Rights In Noncommercial Computer Software and Noncommercial Computer Software Documentation; and DFARS 252.227-7015, Technical Data Commercial Items; (ii) as a commercial item as defined in FAR 2.101; or (iii) as restricted commercial software as defined in FAR 52.227-19, Commercial Computer Software Restricted Rights; whichever is applicable. The use, duplication, and disclosure of the Software Products by the Department of Defense shall be subject to the terms and conditions set forth in the accompanying license agreement as provided in DFARS 227.7202. All other use, duplication and disclosure of the Software Products and Documentation by the United States shall be subject to the terms and conditions set forth in the accompanying license agreement and the restrictions contained in subsection (c) of FAR 52.227-19, Commercial Computer Software


Restricted Rights, or FAR 52.227-14, Rights in Data. Contractor/licensor is AMCC, 6290 Sequence Drive, San Diego, CA 92121.

10.3.5 bind License

Barracuda Networks Products may contain programs and software that are copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. $Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

10.3.6 Broadcom Corporation

End User Agreement

Barracuda Networks Products may contain programs and software that are copyright Broadcom Corporation.
END USER AGREEMENT for usage of linux driver BCM9IPS500A / BCM9IPS1000 No Warranty. THE SOFTWARE IS OFFERED "AS IS", AND BROADCOM GRANTS AND LICENSEE RECEIVES NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR CONDUCT WITH LICENSEE, OR OTHERWISE. BROADCOM SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THE SOFTWARE OR ANY UPGRADES TO OR DOCUMENTATION FOR THE SOFTWARE. WITHOUT LIMITATION OF THE ABOVE, BROADCOM GRANTS NO WARRANTY THAT THE SOFTWARE IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION, AND GRANTS NO WARRANTY REGARDING USE OR THE RESULTS THEREFROM INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY.

10.3.7 DHCP Relay / DHCP Enterprise Server

Barracuda Networks Products may contain programs and software that are copyright (c) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (c) 1995-2003 Internet Software Consortium. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of ISC, ISC DHCP, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY INTERNET SYSTEMS CONSORTIUM AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ISC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.8 ISAKMP License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.9 JavaScript Virtual Keyboard

Barracuda Networks Products may contain programs and software that are covered by the License below.

The Code Project Open License (CPOL) 1.02
Preamble
This License governs Your use of the Work. This License is intended to allow developers to use the Source Code and Executable Files provided as part of the Work in any application in any form. The main points subject to the terms of the License are:

Source Code and Executable Files can be used in commercial applications;
Source Code and Executable Files can be redistributed; and
Source Code can be modified to create derivative works.
No claim of suitability, guarantee, or any warranty whatsoever is provided. The software is provided "as-is". The Article accompanying the Work may not be distributed or republished without the Author's consent. This License is entered between You, the individual or other entity reading or otherwise making use of the Work licensed pursuant to this License and the individual or other entity which offers the Work under the terms of this License ("Author").

License
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CODE PROJECT OPEN LICENSE ("LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HEREIN, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE AUTHOR GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO ACCEPT AND BE BOUND BY THE TERMS OF THIS LICENSE, YOU CANNOT MAKE ANY USE OF THE WORK.

1. Definitions.
a. "Articles" means, collectively, all articles written by Author which describes how the Source Code and Executable Files for the Work may be used by a user.
b. "Author" means the individual or entity that offers the Work under the terms of this License.
c. "Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works.
d. "Executable Files" refer to the executables, binary files, configuration and any required data files included in the Work.
e. "Publisher" means the provider of the website, magazine, CD-ROM, DVD or other medium from or by which the Work is obtained by You.
f. "Source Code" refers to the collection of source code and configuration files used to create the Executable Files.
g. "Standard Version" refers to such a Work if it has not been modified, or has been modified in accordance with the consent of the Author, such consent being in the full discretion of the Author.
h. "Work" refers to the collection of files distributed by the Publisher, including the Source Code, Executable Files, binaries, data files, documentation, whitepapers and the Articles.
i. "You" is you, an individual or entity wishing to use the Work and exercise your rights under this License.

2. Fair Use/Fair Use Rights. Nothing in this License is intended to reduce, limit, or restrict any rights arising from fair use, fair dealing, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws.

3. License Grant. Subject to the terms and conditions of this License, the Author hereby grants You a worldwide, royalty-free, non-exclusive, perpetual


(for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
a. You may use the standard version of the Source Code or Executable Files in Your own applications.
b. You may apply bug fixes, portability fixes and other modifications obtained from the Public Domain or from the Author. A Work modified in such a way shall still be considered the standard version and will be subject to this License.
c. You may otherwise modify Your copy of this Work (excluding the Articles) in any way to create a Derivative Work, provided that You insert a prominent notice in each changed file stating how, when and where You changed that file.
d. You may distribute the standard version of the Executable Files and Source Code or Derivative Work in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution.
e. The Articles discussing the Work published in any form by the author may not be distributed or republished without the Author's consent. The author retains copyright to any such Articles. You may use the Executable Files and Source Code pursuant to this License but you may not repost or republish or otherwise distribute or make available the Articles, without the prior written consent of the Author.
Any subroutines or modules supplied by You and linked into the Source Code or Executable Files this Work shall not be considered part of this Work and will not be subject to the terms of this License.

3. Patent License. Subject to the terms and conditions of this License, each Author hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, import, and otherwise transfer the Work.

4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
a. You agree not to remove any of the original copyright, patent, trademark, and attribution notices and associated disclaimers that may appear in the Source Code or Executable Files.
b. You agree not to advertise or in any way imply that this Work is a product of Your own.
c. The name of the Author may not be used to endorse or promote products derived from the Work without the prior written consent of the Author.

e. You agree not to sell, lease, or rent any part of the Work. This does not restrict you from including the Work or any part of the Work inside a larger software distribution that itself is being sold. The Work by itself, though, cannot be sold, leased or rented.

d. You may distribute the Executable Files and Source Code only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy of the Executable Files or Source Code You distribute and ensure that anyone receiving such Executable Files and Source Code agrees that the terms of this License apply to such Executable Files and/or Source Code. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute the Executable Files or Source Code with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License.
f. You agree not to use the Work for illegal, immoral or improper purposes, or on pages containing illegal, immoral or improper material. The Work is subject to applicable export laws. You agree to comply with all such laws and regulations that may apply to the Work after Your receipt of the Work.

6. Representations, Warranties and Disclaimer. THIS WORK IS PROVIDED "AS IS", "WHERE IS" AND "AS AVAILABLE", WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OR GUARANTEES. YOU, THE USER, ASSUME ALL RISK IN ITS USE, INCLUDING COPYRIGHT INFRINGEMENT, PATENT INFRINGEMENT, SUITABILITY, ETC. AUTHOR EXPRESSLY DISCLAIMS ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES OR CONDITIONS, INCLUDING WITHOUT LIMITATION, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, MERCHANTABLE QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY WARRANTY OF TITLE OR NON-INFRINGEMENT, OR THAT THE WORK (OR ANY PORTION THEREOF) IS CORRECT, USEFUL, BUG-FREE OR FREE OF VIRUSES. YOU MUST PASS THIS DISCLAIMER ON WHENEVER YOU DISTRIBUTE THE WORK OR DERIVATIVE WORKS.

7. Indemnity. You agree to defend, indemnify and hold harmless the Author

SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK OR OTHERWISE, EVEN IF THE AUTHOR OR THE PUBLISHER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. Termination.
a. This License and the rights granted hereunder will terminate automatically upon any breach by You of any term of this License. Individuals or entities who have received Derivative Works from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 6, 7, 8, 9, 10 and 11 will survive any termination of this License.
b. If You bring a copyright, trademark, patent or any other infringement claim against any contributor over infringements You claim are made by the Work, your License from such contributor to the Work ends automatically.
c. Subject to the above terms and conditions, this License is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, the Author reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.

10. Publisher. The parties hereby confirm that the Publisher shall not, under any circumstances, be responsible for and shall not have any liability in respect of the subject matter of this License. The Publisher makes no warranty whatsoever in connection with the Work and shall not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. The Publisher reserves the right to cease making the Work available to You at any time without notice.

11. Miscellaneous
This License shall be governed by the laws of the location of the head office of the Author or if the Author is an individual, the laws of location of the principal place of residence of the Author.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this License, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.

No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.

This License constitutes the entire agreement between the parties with respect to the Work licensed herein. There are no understandings, agreements or representations with respect to the Work not specified herein. The Author shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Author and You.

10.3.10 Microdasys

Barracuda Networks Products may contain programs and software that are covered by the License below.

1. GRANT OF LICENSE
a) BARRACUDA NETWORKS grants to you a non-exclusive, non-transferable, non-sublicensable license to use BARRACUDA NETWORKS SSLPRX service, the respective BARRACUDA NETWORKS software module.
b) BARRACUDA NETWORKS SSLPRX contains one or more of the following software modules; SCIP, XMLRay, and/or SX-Suite (the "Product" or the "Software"), in binary executable form, which are copyright protected by: Microdasys Inc.

Worldwide Headoffice
385 Pilot Road, Suite A
Las Vegas, NV 89119, USA

www.microdasys.com
Microdasys grants to you a non-exclusive, non-transferable, non-sublicensable license to use the Product.

2. PERMITTED USES
a) Subject to timely payment of license fees BARRACUDA NETWORKS
and the Publisher from and against any claims, suits, losses, damages,
shall grant you an exclusive right to install and use the programme on a data
liabilities, costs, and expenses (including reasonable legal or attorneys fees)
storage device from issuance of the license certificate for the licensed period
resulting from or relating to any use of the Work by You.
of time. The license exclusively concerns the use of the Product by you for
your own data processing processes. You shall not be entitled to grant third
8. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY parties access to the Product. You undertake to keep the Software safe so
APPLICABLE LAW, IN NO EVENT WILL THE AUTHOR OR THE that access and, thus, copying or using the Software by third parties is
PUBLISHER BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY prevented.

Barracuda Networks Inc. 2010


Barracuda Networks Warranty and Software License Agreement 619

b) This Software End User License Agreement ("Agreement") permits you to use one copy of the Product, as a server for up to a number of computers for which you have paid for this license (each, a "Seat"); as a special case you may have been granted a license for an unlimited number of users. A computer serves as a Seat when the user at the Seat accesses or utilizes, directly or indirectly, the Product. Use of software or hardware which reduces the number of computers directly accessing or utilizing the Product (also known as "pooling" or "multiplexing") will not be deemed to reduce the number of Seats. Each computer indirectly accessing or utilizing the Product is still considered a Seat. You are permitted to install the product on more than one server for load-balancing and High-Availability reasons, provided that the total number of licensed seats accessing either one of these servers is not exceeded.

3. TESTING

The Software is available for evaluation purposes by way of time limited evaluation licenses. The evaluation license required to test the software can be obtained free of charge. The Software must only be used in connection with an implementation of a BARRACUDA NETWORKS system. The scope of use of the Software will be partly restricted by those systems.

4. COPYRIGHT

a) All title and copyrights in and to the Product and any copies thereof are owned by Microdasys or its suppliers. The Product is protected by US and Austrian copyright laws, international treaty provisions and all other applicable national laws. The Product is licensed, not sold. All title and intellectual property rights in and to the content which may be accessed through use of the Product are the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This agreement grants you no rights to use such content. Therefore, you must treat the Product like any other copyrighted material (e.g. a book or musical recording) except that if the Product is not copy protected, you may make one copy of the Product solely for backup or archival purposes, provided any copy must contain all of the original Product's proprietary notices. You may not copy the Product manual(s), on-line documentation, or any written materials accompanying the Product. If you receive your first copy of the Product electronically, and a second copy on media, the second copy may be used for archival purposes only, and must contain the same proprietary notices which appear on and in the Product. This Agreement does not grant you any right to any enhancement or update.

b) You expressly acknowledge that Microdasys is the owner of all proprietary rights and rights to use the Product which result from copyright. In case you violate such rights and other mandatory copyright provisions, Microdasys shall be entitled to all legal remedies which are provided for under copyright law to defend copyrights protection.

5. RESTRICTIONS

a) You may not rent or lease the Product, and may not transfer your rights under this Agreement without obtaining the prior written consent of BARRACUDA NETWORKS. To the extent such restriction is allowable under law, and unless provided otherwise by mandatory statutory provisions, you shall not be entitled to translate the programme from object code into source code (e.g. by reverse engineering, disassembling or decompiling).

b) You shall not be entitled to crack or change the license key.

c) You shall not be entitled to modify or delete any notes regarding rights, trademarks or the like which are stated in the programme or on the media on which the programme is stored.

d) You may not distribute copies of the Product to third parties unless explicitly authorized to do so by an additional written agreement.

e) You may not integrate, incorporate or bundle the Product into any other software or include the Product in other software or hardware without receiving the prior written consent of BARRACUDA NETWORKS.

g) You acknowledge that the source code form of the Product remains a confidential trade secret of Microdasys and/or its suppliers. You must maintain all copyright notices on all copies of the Product.

h) The license may be linked to the hardware configuration via a license key. In the case of modifications of the hardware configuration BARRACUDA NETWORKS shall be free to issue another license key to you free of charge. You shall then lose the right to continue to use the first license key. BARRACUDA NETWORKS shall be entitled to request evidence thereof within fourteen days of receipt of the new license key.

6. TERM

The term of this Agreement is perpetual. However, you may terminate your license at any time by destroying all copies of the Product and Product documentation.

7. TERMINATION

Your license will terminate automatically if you fail to comply with the limitations described above. On termination, you must destroy all copies of the Product.

8. NOTE ON SSL SUPPORT

The Product contains support for encrypted programs using SSL. SSL technology is not fault tolerant and is not designed, manufactured, or intended for use or resale as on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems, in which the failure of SSL technology could lead directly to death, personal injury, or severe physical or environmental damage. Generally speaking, and regardless of the SSL support, the product is not intended for any uses in which the failure of the product could lead directly to death, personal injury, or severe physical or environmental damage. Furthermore, the Product does not provide complete protection against harmful applications.

YOU ARE EXPLICITLY WARNED THAT THE SECURITY ENHANCEMENT FEATURES OF THE PRODUCT DO NOT PROVIDE TOTAL PROTECTION AGAINST DAMAGING SOFTWARE ROUTINES.

9. LIMITED WARRANTY

Subject to payment of applicable license fees, Microdasys warrants that the Product will perform substantially in accordance with the accompanying Product manual(s) or on-line documentation for a period of 90 days from the date of fee payment. Any implied warranties on the Product are limited to 90 days. Microdasys does not warrant that the Product is error free. Microdasys's entire liability and your exclusive remedy under this warranty shall be, at Microdasys's option, either (a) return of the price paid or (b) repair or replacement of the Product that does not meet this limited warranty and which is returned to Microdasys with a copy of your receipt. This limited warranty is void if failure of the Product has resulted from accident, abuse, or misapplication. Any replacement Product will be warranted for the remainder of the original warranty period or 30 days, whichever is longer.

10. NO OTHER WARRANTIES

EXCEPT AS EXPLICITLY SET FORTH IN THIS AGREEMENT, THE PRODUCT IS PROVIDED "AS IS". NEITHER MICRODASYS NOR BARRACUDA NETWORKS WARRANT THAT THE PRODUCT IS ERROR-FREE. ADDITIONALLY, MICRODASYS AND BARRACUDA NETWORKS DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

11. NO LIABILITY FOR CONSEQUENTIAL DAMAGES

IN NO EVENT SHALL MICRODASYS AND BARRACUDA NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY CONSEQUENTIAL OR INDIRECT DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS MICRODASYS AND BARRACUDA NETWORKS, EVEN IF MICRODASYS AND BARRACUDA NETWORKS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION SHALL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST, OR THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS AGREEMENT GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO JURISDICTION.

12. EXPORT REGULATIONS

a) This software contains cryptography and is therefore subject to US government export control under the U.S. Export Administration Regulations (EAR). EAR Part 740.13(e) allows the export and reexport of publicly available encryption source code that is not subject to payment of license fee or royalty payment. Object code resulting from the compiling of such source code may also be exported and reexported under this provision if publicly available and not subject to a fee or payment other than reasonable and customary fees for reproduction and distribution. This kind of encryption source code and the corresponding object code may be exported or reexported without prior U.S. government export license authorization provided that the U.S. government is notified about the Internet location of the software. The open source software used in this product is publicly available without license fee or royalty payment, and all binary software is compiled from the open source code. The U.S. government has been notified about this software as explained above. Therefore, the source code and compiled object code may be downloaded and exported under U.S. export license exception (without a U.S. export license) except to the following destinations: Afghanistan (Taliban controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan and Syria. This list of countries is subject to change.

b) Products delivered by BARRACUDA NETWORKS are designed for being used within and for remaining in the EU. Re-export, be it separately or integrated into a system, shall be subject to export approval. You must comply with all applicable foreign trade legislation and US Export Regulations including valid ECCN numbers. Reselling to customers that operate,


manufacture, service or otherwise are involved with any nuclear material for any purpose, shall require special permits. BARRACUDA NETWORKS reserves the right to adjust the provisions on export and import at any time if national or international legislation so requires.

13. MISCELLANEOUS

a) This Agreement represents the complete agreement concerning the license between you and Microdasys and supersedes all prior agreements and representations between you and Microdasys.

b) It may be amended only by writing executed by you, Microdasys and BARRACUDA NETWORKS. If any provision of the Agreement is held to be unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable.

c) This Agreement is governed by the laws of the United States of America. Should you have any questions concerning this Agreement, or if you desire to contact BARRACUDA NETWORKS for any reason, please contact the BARRACUDA NETWORKS affiliate serving your country or write to: BARRACUDA NETWORKS, Inc., 385 Pilot Rd., Suite A, Las Vegas, NV, 89141

d) If individual provisions of this contract are or become ineffective, the remaining provisions of this contract shall not be affected. The contracting parties shall co-operate as partners in order to find a provision which comes as close as possible to the ineffective provisions.

14. RPA

All Certificate Authorities ("CA") have some sort of agreement in place (usually called Relying Party Agreement, "RPA"). We strongly recommend that you read these prior to using any of their services, including but not limited to Certificate Revocation List ("CRL") and Online Certificate Status Protocol ("OCSP") repositories. It is your sole responsibility to retrieve these agreements from each CA's respective website and decide whether or not to agree to the terms and conditions of the RPA of each CA. You may only use the Microdasys/ BARRACUDA NETWORKS SCIP CRL and OCSP and the Microdasys/ BARRACUDA NETWORKS SCIP Certificate Validation Engine for certificates of those CAs which RPA you have read, understood and agreed to. You are also responsible for re-visiting the websites of the CAs from time to time, to verify whether or not the content of the RPA has been amended. By installing and using the phi BARRACUDA NETWORKS on SCIP product and the Microdasys/ BARRACUDA NETWORKS CRL and OCSP Engine and Database, you declare that you have read and understood the above and accept its conditions.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

15. PURCHASE PRICE

Unless otherwise agreed in the course of distribution, the following regulation shall apply:

The purchase price for the Program including the license certificate shall be transferred to the company account of BARRACUDA NETWORKS within fourteen days of delivery of the license certificate without another invoice for the due purchase price being necessary. If you are in default of payment of the purchase price, BARRACUDA NETWORKS shall be entitled to charge default interest at a rate of 8 % p.a. above the three-months EURIBOR applicable from time to time.

16. ENHANCEMENTS OF PROGRAMMES (UPDATES) AND MODIFICATIONS OF PROGRAMMES

a) BY PURCHASING THE LICENSE CERTIFICATE YOU SHALL NOT ACQUIRE ANY RIGHT TO FURTHER SUPPORT BY BARRACUDA NETWORKS OR TO DELIVERY OF UPDATES OR PROGRAMME EXTENSIONS.

b) You expressly agree that data concerning you which becomes known to BARRACUDA NETWORKS within the scope of the business relationship with you shall be collected and processed by BARRACUDA NETWORKS for the purpose of information about the development of updates and new programme versions and for offering of maintenance contracts and for other offers.

c) You acknowledge and agree that your personal data be stored and processed by BARRACUDA NETWORKS for the purpose of internal data collection, data processing and for information about the development in connection with the delivered product and of updates and new programme versions. In accordance with Section 107 TKG [Austrian Telecommunications Act] you expressly agree to receipt of such information also by e-mail.

10.3.11 The OpenLDAP Public License

Barracuda Networks Products may include programs that are covered by the OpenLDAP

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain copyright statements and notices, Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

(eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]

10.3.12 OpenSSH License

Barracuda Networks Products may contain programs and software that are covered by the License below.

Licensed Software: This file is part of the OpenSSH software. The licenses which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD license, or a license more free than that.

OpenSSH contains no GPL code.

1. Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. All rights reserved.

As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".

[Tatu continues]

However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for


any purpose (the GNU license being the most restrictive); see below for details.

[However, none of that term is relevant at this point in time. All of these restrictively licensed software components which he talks about have been removed from OpenSSH, i.e.,

RSA is no longer included, found in the OpenSSL library
IDEA is no longer included, its use is deprecated
DES is now external, in the OpenSSL library
GMP is no longer used, and instead we call BN code from OpenSSL
Zlib is now external, in a library
The make-ssh-known-hosts script is no longer included
TSS has been removed
MD5 is now external, in the OpenSSL library
RC4 support has been replaced with ARC4 support from OpenSSL
Blowfish is now external, in the OpenSSL library

[The license continues]

Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".

The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGE ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

2. The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.

Cryptographic attack detector for ssh - source code

Copyright 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.

Ariel Futoransky

3. ssh-keygen was contributed by David Mazieres under a BSD-style license.

Copyright 1995, 1996 by David Mazieres.

Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.

4. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:

@version 3.0 (December 2000) Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen
@author Antoon Bosselaers
@author Paulo Barreto

This code is hereby placed in the public domain.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

5. One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code.

Copyright 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6. The progresssmeter code used by scp(1) and sftp(1) is copyright by the NetBSD Foundation.

Copyright 1997-2003 The NetBSD Foundation, Inc. All rights reserved.

This code is derived from software contributed to The NetBSD Foundation by Luke Mewburn.

This code is derived from software contributed to The NetBSD Foundation by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, NASA Ames Research Center.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors. 4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

7. Remaining components of the software are provided under a standard 2-term BSD license with the following names as copyright holders:

Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller

Barracuda Networks Inc. 2010


622 Barracuda Networks Warranty and Software License Agreement

Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.13 OpenSSL License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

==============================================

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)." The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)."

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]

10.3.14 The PHP License, version 3.0

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo". 4. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 5. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

10.3.15 PostgreSQL

Barracuda Networks Products may contain programs and software that are Copyright (c) 1996-2005, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies. IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE


POSSIBILITY OF SUCH DAMAGE. THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

10.3.16 PuTTY License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1997-2000 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SIMON TATHAM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

10.3.17 RipeMD160

Barracuda Networks Products may contain programs and software that are Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]

10.3.18 SHA2

Barracuda Networks Products may contain programs and software that are Copyright 2000 Aaron D. Gifford. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.19 SNMPD License

Barracuda Networks Products may contain programs and software that are covered by the License below.

The BARRACUDA NETWORKS SNMP daemon is based on the net snmp project. The following license conditions are valid for the original part of the software.

Various copyrights apply to this package, listed in 3 separate parts below. Please make sure to take note of all parts. Up until 2001, the project was based at UC Davis, and the first part covers all code written during this time. From 2001 onwards, the project has been based at SourceForge, and Networks Associates Technology, Inc hold the copyright on behalf of the wider Net-SNMP community, covering all derivative work done since then. An additional copyright section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd. to the project since 2001.

---- Part 1: CMU/UCD copyright notice: (BSD like) -----

Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) -----

Copyright (c) 2001, Networks Associates Technology, Inc All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) -----

Portions of this code are copyright (c) 2001, Cambridge Broadband Ltd. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the


following disclaimer in the documentation and/or other materials provided with the distribution. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.20 SpamAssassin (Artistic License)

Barracuda Networks Products may contain programs and software that are covered by the License below.

Preamble

The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.

Definitions:

"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.

"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder.

"Copyright Holder" is whoever is named in the copyright or copyrights for the package.

"You" is you, if you're thinking about copying or distributing this Package.

"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)

"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it.

1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.

2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version.

3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:

a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.

b) use the modified Package only within your corporation or organization.

c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:

a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.

b) accompany the distribution with the machine-readable source of the Package with your modifications.

c) accompany any non-standard executables with their corresponding Standard Version executables, giving the nonstandard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own.

6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package.

7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package.

8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

10.3.21 TUN/TAP driver for Mac OS X

Barracuda Networks Products may contain programs and software that are covered by the License below.

A part of this software uses the tun/tap driver for Mac OS X provided by Mattias Nissler. This driver comes along with following terms of license:

tun/tap driver for Mac OS X Copyright (c) 2004, 2005 Mattias Nissler <mattias.nissler@gmx.de>

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.22 Vortex and AXL

Barracuda Networks Products may contain programs and software that are copyright (C) 2007 Advanced Software Production Line, S.L. All rights reserved. The software includes source code from the following projects, which are covered by their own licenses: Vortex Library, fully available at http://www.aspl.es/vortex; AXL, fully available at http://www.aspl.es/axl

DISCLAIMER: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JOHN LIM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.23 WinPcap

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). Copyright (c) 2005 - 2008 CACE Technologies, Davis (California). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR


CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors. This product includes software developed by the Kungliga Tekniska Högskolan and its contributors. This product includes software developed by Yen Yen Lim and North Dakota State University.
--------------------------------------------------------------------------------

Portions Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors." 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
Portions Copyright (c) 1983 Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

--------------------------------------------------------------------------------
Portions Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the Kungliga Tekniska Högskolan and its contributors." 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
Portions Copyright (c) 1997 Yen Yen Lim and North Dakota State University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by Yen Yen Lim and North Dakota State University" 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
Portions Copyright (c) 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific, written prior permission. THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--------------------------------------------------------------------------------

Portions Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution. The name of Juniper Networks may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
--------------------------------------------------------------------------------
Portions Copyright (c) 2001 Daniel Hartmeier All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
Portions Copyright 1989 by Carnegie Mellon. Permission to use, copy, modify, and distribute this program for any purpose and without fee is hereby granted, provided that this copyright and permission notice appear on all copies and supporting documentation, the name of Carnegie Mellon not be used in advertising or publicity pertaining to distribution of the program without specific prior permission, and notice be given in supporting documentation that copying and distribution is by permission of Carnegie Mellon and Stanford University. Carnegie Mellon makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

10.3.24 WPA Supplicant

Barracuda Networks Products may contain programs and software that are copyright (c) 2003-2008, Jouni Malinen <j@w1.fi> and contributors. All Rights Reserved. This program is dual-licensed under both the GPL version 2 and BSD license. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name(s) of the above-listed copyright holder(s) nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

_____________________________________________________________

Software Package Listing and Licenses

Module License
________________________________________________
anaconda GPL
anaconda-help distributable
anaconda-runtime GPL
anacron GPL
apr Apache Software License
apr-util Apache Software License
arpwatch BSD
ash BSD
at GPL
atk LGPL
authconfig GPL
autoconf GPL
autoconf253 GPL
automake GPL
automake15 GPL
Basesystem public domain
Bash GPL
bash-doc GPL
bc GPL
bdflush Distributable
bind BSD-like
bind-chroot BSD-like
bind-devel BSD-like
bind-utils BSD-like
binutils GPL
bison GPL
bootparamd BSD
busybox GPL
busybox-anaconda GPL
byacc public domain
bzip2 BSD
bzip2-devel BSD
bzip2-libs BSD
cdecl distributable
chkconfig GPL
chkfontpath GPL
cipe GPL
compat-db BSDish
compat-egcs GPL
compat-glibc LGPL
compat-libstdc++ GPL
console-tools GPL
cpio GPL
cpp GPL
cproto Public Domain
cracklib Artistic
cracklib-dicts Artistic
crontabs Public Domain
ctags GPL
curl MIT/X derivate
curl MPL
cyrus-sasl Freely Distributable
cyrus-sasl-md5 Freely Distributable
DAVExplorer GPL
db1 BSD
db1-devel BSD
db4 GPL
db4-devel GPL
dbus AFL/GPL
dbus-glib AFL/GPL
dbus-python AFL/GPL
dcc BSD-like
dev GPL
dev86 GPL
dhcp BSD 3-Clause
dhcpcd GPL
dhcp-relay BSD 3-Clause
dhcp-server BSD 3-Clause
diag-ether GPL
dietlibc GPL
diffutils GPL
dmalloc public domain
dmidecode GPL
dosfstools GPL
dump BSD
e2fsprogs GPL
eject GPL
ethtool GPL
expat GPL
fbset GPL
fetchmail GPL
file distributable
filesystem Public Domain
fileutils GPL
findutils GPL
flex BSD
fonts-ISO8859-2 Freely distributable
fonts-ISO8859-2-75dpi Freely distributable
freeradius GPLv2+ and LGPLv2+
freetype GPL - see www.freetype.org
freetype-utils GPL
ftp BSD
fuse GPL
gawk GPL
gcc GPL
gcc-c++ GPL
gcc-objc GPL
gd GNU
gdb GPL
gdbm GPL
genromfs GPL
gettext GPL/LGPL
getty_ps Distributable-Copyright 1989,1990 by Paul Sutcliffe Jr.
glib10 LGPL
glib LGPL
glib2 LGPL
glib2-devel LGPL
glibc LGPL
glibc-common LGPL
glibc-debug LGPL
glibc-devel LGPL
glibc-kernheaders GPL
glibc-profile LGPL
glibc-utils LGPL
gmp LGPL
gnugk GPL
gnupg GPL
gpm GPL
grep GPL
groff GPL
groff-perl GPL
grub GPL
gtk-doc LGPL
gzip GPL
hdparm BSD
hotplug GPL
httpd Apache License, Version 2.0
hwbrowser GPL
hwcrypto GPL
hwdata GPL/MIT
hwtool GPL
ifenslave distributable
indent GPL
indexhtml distributable
info GPL
initscripts GPL
intltool GPL
iproute GNU GPL
iptables GPL
iptables-ipv6 GPL
iptraf GPL
iputils BSD
irda-utils GPL
isdn4k-utils GPL
isdncards GPL
jfsutils GPL
jta GPL
kernel GPL
kernel-BOOT GPL
kernel-doc GPL
kernel-source GPL
kon2 distributable
krb5 Copyright(C) 1985-2005 by the Massachusetts Institute of Technology
krb5-libs Copyright(C) 1985-2005 by the Massachusetts Institute of Technology
ksymoops GPL
kudzu GPL
kudzu-devel GPL
l2tpd GPL
lcd4linux GPL
less GPL
libaio LGPL
libao GPL
libcap BSD-like and LGPL
libcap-devel BSD-like and LGPL
libcurl4 MIT/X derivate
libelf distributable
libghttp LGPL
libglade LGPL
libglib-2.0_0 LGPL
libgmodule-2.0_0 LGPL
libgobject-2.0_0 LGPL
libgsasl LGPL
libgthread-2.0_0 LGPL
libjpeg GNU
libol GPL
libol-devel GPL
libole2 GPL
libpcap BSD
libpng-1.2.8 GPL
librsvg LGPL
libsigc++ LGPL
libstdc++ GPL
libstdc++-devel GPL
libtermcap LGPL
libtool GPL
libtool-libs13 GPL
libtool-libs GPL
libunicode LGPL
libusb LGPL
libuser LGPL
libvortex LGPL
libvortex-axl LGPL
libxml10 LGPL
libxml2_2 MIT
libxml2 MIT
libxml2-devel MIT
libxml2-python MIT
libxslt-python MIT
lilo MIT
lm_sensors GPL
locale_config GPL
lockdev LGPL
logrotate GPL
losetup distributable
lrzsz GPL
lslk Free
lsof Free
ltrace GPL
lvm GPL
lynx GPL
m2crypto BSD
m4 GPL
make GPL
MAKEDEV GPL
man GPL
man-pages distributable
mc GPL
memtest86+ GPL
mgetty GPL
mingetty GPL
minicom GPL
mkbootdisk GPL
mkinitrd GPL
mktemp BSD
mm Apache Software License
mod_ssl Apache License, Version 2.0
modutils GPL
mount distributable
mouseconfig distributable
ncftp distributable
ncompress distributable
ncurses4 distributable
ncurses distributable
ncurses-devel distributable
netdump GPL
net-tools GPL
newt LGPL
nfreporter Mixed (see LICENSE)
nss_db GPL
nss_db-compat GPL
ntp distributable
open GPL
openh323 MPL
openh323-devel MPL
openldap12 OpenLDAP
openldap OpenLDAP
openldap-clients OpenLDAP
openldap-servers OpenLDAP
openssh BSD
openssh38 Other License(s), see package
openssh-clients BSD
openssh-server BSD
openssl096b BSDish
openssl BSDish
p3pmail Strict
p3scan GPL
pam GPL or BSD
pam-devel GPL or BSD
parted GPL
passwd BSD
patch GPL
patchutils GPL
pciutils GPL
pciutils-devel GPL
pcre GPL
pcre-devel GPL
perl Artistic or GPL
perl-Archive-Tar Artistic
perl-Authen-NTLM Artistic or GPL
perl-Digest-HMAC distributable
perl-Digest-SHA1 GPL or Artistic
perl-HTML-Parser GPL or Artistic
perl-HTML-Tagset distributable
perl-IO-Zlib Artistic
perl-libwww-perl Artistic
perl-Net-DNS distributable
perl-Razor-Agent Artistic
perl-Time-HiRes distributable
perl-URI distributable
php The PHP license (see "LICENSE" file included in distribution)
phpPgAdmin GPL
pidentd Public domain
pinfo GPL
pkgconfig GPL
pmake BSD
popt GPL
portmap BSD
postgresql BSD
postgresql-libs BSD
ppp distributable
pptp GPL
pptpd GPL
procmail GPL or artistic
procps GPL
properJavaRDP GPL
psacct GPL
psmisc BSD/GPL
psutils distributable
pump MIT
pwdb GPL or BSD
pwlib MPL
pwlib-devel MPL
pxe BSD
python distributable
python24 PSF
python-clap GPL
python-devel distributable
python-docs distributable
python-popt GPL
python-tools distributable
python-xmlrpc BSDish
pyzor GPL
quagga GPL
quagga-contrib GPL
quagga-devel GPL
raidtools GPL
rcs GPL
readline2.2.1 GPL
readline GPL
readline-devel GPL
redhat-lsb GPL
reiserfs-utils GPL
rmt BSD
rootfiles public domain
rpm GPL
rpm-build GPL
rpm-devel GPL
rpm-python GPL
rp-pppoe GPL
rsync GPL
sac Freely Distributable
samba GNU GPL version 2
samba-client GNU GPL version 2
samba-common GNU GPL version 2
samba-doc GNU GPL version 2
sash GPL
sed GPL
setup public domain
sgml-common GPL
shadow-utils BSD
sh-utils GPL
slang GPL
slocate GPL
smartsuite GPL
smstools GPL v2
spamassassin Artistic
specspo GPL
sqlite Strict
squid GPL
sslprxsquid GPL
stat GPL
strace BSD
stunnel GPL
symlinks distributable
syslinux BSD
syslog-ng GPL
sysreport GPL
tar GPL
tcl BSD
tcpdump BSD
tcp_wrappers Distributable
tcsh distributable
telnet BSD
termcap Public Domain
texinfo GPL
textutils GPL
tightvnc GPL
time GPL
tmpwatch GPL
traceroute BSD
ttcp Public Domain
unzip BSD
usbutils GPL
usermode GPL
utempter MIT
util-linux distributable
vconfig distributable
vera_ttf GPL
vim-common freeware
vim-minimal freeware
vixie-cron distributable
watchdog GPL
wget GPL
which GPL
wireless-tools GPL
words freeware
xauth XFree86
xml-common GPL
zend-optimizer GPL
zlib BSD
zlib-devel BSD

Barracuda Networks Products may contain programs and software that are covered by the Lesser General Public License. The Lesser General Public License is reprinted below for your reference.

10.3.25 GNU Lesser General Public License

Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

Terms and Conditions for Copying, Distribution and Modification
0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License.
considered independent and separate works in themselves, then this Also, you must do one of these things:
License, and its terms, do not apply to those sections when you distribute
them as separate works. But when you distribute the same sections as part of a) Accompany the work with the complete corresponding machine-readable
a whole which is a work based on the Library, the distribution of the whole source code for the Library including whatever changes were used in the
must be on the terms of this License, whose permissions for other licensees work (which must be distributed under Sections 1 and 2 above); and, if the
extend to the entire whole, and thus to each and every part regardless of who work is an executable linked with the Library, with the complete
wrote it. machine-readable "work that uses the Library", as object code and/or source
code, so that the user can modify the Library and then relink to produce a
modified executable containing the modified Library. (It is understood that the
Thus, it is not the intent of this section to claim rights or contest your rights to user who changes the contents of definitions files in the Library will not
work written entirely by you; rather, the intent is to exercise the right to control necessarily be able to recompile the application to use the modified
the distribution of derivative or collective works based on the Library. definitions.)
b) Use a suitable shared library mechanism for linking with the Library. A
suitable mechanism is one that (1) uses at run time a copy of the library
In addition, mere aggregation of another work not based on the Library with
already present on the user's computer system, rather than copying library
the Library (or with a work based on the Library) on a volume of a storage or
functions into the executable, and (2) will operate properly with a modified
distribution medium does not bring the other work under the scope of this
version of the library, if the user installs one, as long as the modified version
License.
is interface-compatible with the version that the work was made with.
3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library. To do this, you
must alter all the notices that refer to this License, so that they refer to the c) Accompany the work with a written offer, valid for at least three years, to
ordinary GNU General Public License, version 2, instead of to this License. (If give the same user the materials specified in Subsection 6a, above, for a
a newer version than version 2 of the ordinary GNU General Public License charge no more than the cost of performing this distribution.
has appeared, then you can specify that version instead if you wish.) Do not d) If distribution of the work is made by offering access to copy from a
make any other change in these notices. designated place, offer equivalent access to copy the above specified
materials from the same place.

Barracuda Networks Inc. 2010


Barracuda Networks Warranty and Software License Agreement 631

e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Barracuda Networks Products may contain programs and software that are covered by the Artistic License. The Artistic License is reprinted below for your reference.

10.3.26 The "Artistic License"

Preamble

The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.

Definitions

"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.
"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder as specified below.
"Copyright Holder" is whoever is named in the copyright or copyrights for the package.
"You" is you, if you're thinking about copying or distributing this Package.
"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)
"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it.

Conditions

1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.


2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version.

3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:
a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.
b) use the modified Package only within your corporation or organization.
c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.
d) make other distribution arrangements with the Copyright Holder.

4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:
a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
b) accompany the distribution with the machine-readable source of the Package with your modifications.
c) give non-standard executables non-standard names, and clearly document the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.
d) make other distribution arrangements with the Copyright Holder.

5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. You may embed this Package's interpreter within an executable of yours (by linking); this shall be construed as a mere form of aggregation, provided that the complete Standard Version of the interpreter is so embedded.

6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whoever generated them, and may be sold commercially, and may be aggregated with this Package. If such scripts or library files are aggregated with this Package via the so-called "undump" or "unexec" methods of producing a binary executable image, then distribution of such an image shall neither be construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4, provided that you do not represent such an executable image as a Standard Version of this Package.

7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked into this Package in order to emulate subroutines and variables of the language defined by this Package shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided these sub-routines do not change the language in any way that would cause it to fail the regression tests for the language.

8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package's interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package.

9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.

10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The End

10.3.27 MIT-License

Barracuda Networks Products may contain programs and software that are covered by the MIT-License.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the names of the author(s) nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

Disclaimer

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

(Note: The above license is copied from the BSD license at: www.opensource.org/licenses/bsd-license.html, substituting the appropriate references in the template.) (end)

10.3.28 Mozilla Public License

Barracuda Networks Software may include programs that are covered by the Mozilla Public License Version 1.1.

1. Definitions.

1.0.1 "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.

1.1 "Contributor" means each entity that creates or contributes to the creation of Modifications.

1.2 "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor.

1.3 "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof.

1.4 "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.

1.5 "Executable" means Covered Code in any form other than Source Code.

1.6 "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.

1.7 "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.

1.8 "License" means this document.

1.9 "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.

1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License.

"Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor.

1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge.

1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50 %) of the outstanding shares or beneficial ownership of such entity.


2. Source Code License.

2.1 The Initial Developer Grant.

The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims:
(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or portions thereof).
(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.

2.2 Contributor Grant.

Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination).
(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.

3. Distribution Obligations.

3.1 Application of License.

The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the additional rights described in Section 3.5.

3.2 Availability of Source Code.

Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available; and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available, or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party.

3.3 Description of Modifications.

You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in which You describe the origin or ownership of the Covered Code.

If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained.

(b) Contributor APIs.

If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the LEGAL file.

(c) Representations

Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.

3.5 Required Notices.

You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear that any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.

3.6. Distribution of Executable Versions.

You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.

3.7. Larger Works.

You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code.

4. Inability to Comply Due to Statute or Regulation.

If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.

5. Application of this License.
This License applies to code to which the Initial Developer has attached the
notice in Exhibit A, and to related Covered Code.
3.4 Intellectual Property Matters
(a) Third Party Claims.
6. Versions of the License.

Barracuda Networks Inc. 2010


634 Barracuda Networks Warranty and Software License Agreement

6.1 New Versions.

Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a distinguishing version number.

6.2 Effect of New Versions.

Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. No one other than Netscape has the right to modify the terms applicable to Covered Code created under this License.

6.3 Derivative Works.

If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)

7. DISCLAIMER OF WARRANTY.

COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.

8. TERMINATION.

8.1 This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.

8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:

(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.

(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications made by that Participant.

8.3 If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.

8.4 In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or any distributor hereunder prior to termination shall survive termination.

9. LIMITATION OF LIABILITY.

UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.

10. U.S. GOVERNMENT END USERS.

The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.

11. MISCELLANEOUS.

This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License.

12. RESPONSIBILITY FOR CLAIMS.

As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability.

13. MULTIPLE-LICENSED CODE.

Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A.

EXHIBIT A - Mozilla Public License.

"The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/

Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.

The Original Code is ______________________________________.

The Initial Developer of the Original Code is ________________________.
Portions created by ______________________ are Copyright (C) _____________________________. All Rights Reserved.

Contributor(s): ______________________________________.

Alternatively, the contents of this file may be used under the terms of the _____ license (the "[___] License"), in which case the provisions of [______] License are applicable instead of those above. If you wish to allow use of your version of this file only under the terms of the [____] License and not to allow others to use your version of this file under the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the [___] License. If you do not delete the
provisions above, a recipient may use your version of this file under either the MPL or the [___] License."

[NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications.]

_____________________________________________________________

10.3.29 NTP License

Barracuda Networks Software may include programs that are covered by the NTP License.

This file is automatically generated from html/copyright.htm

Copyright Notice

[Dolly the sheep] "Clone me," says Dolly sheepishly

The following copyright notice applies to all files collectively called the Network Time Protocol Version 4 Distribution. Unless specifically declared otherwise in an individual file, this notice applies as if the text was explicitly included in the file.

/************************************************************************
*                                                                       *
* Copyright (c) David L. Mills 1992-2000                                *
*                                                                       *
* Permission to use, copy, modify, and distribute this software and its *
* documentation for any purpose and without fee is hereby granted,      *
* provided that the above copyright notice appears in all copies and    *
* that both the copyright notice and this permission notice appear in   *
* supporting documentation, and that the name University of Delaware    *
* not be used in advertising or publicity pertaining to distribution    *
* of the software without specific, written prior permission. The       *
* University of Delaware makes no representations about the suitability *
* this software for any purpose. It is provided "as is" without         *
* express or implied warranty.                                          *
*                                                                       *
************************************************************************/

The following individuals contributed in part to the Network Time Protocol Distribution Version 4 and are acknowledged as authors of this work.

1. [1]Mark Andrews <marka@syd.dms.csiro.au> Leitch atomic clock controller
2. [2]Viraj Bais <vbais@mailman1.intel.com> and [3]Clayton Kirkwood <kirkwood@striderfm.intel.com> port to WindowsNT 3.5
3. [4]Michael Barone <michael,barone@lmco.com> GPSVME fixes
4. [5]Karl Berry <karl@owl.HQ.ileaf.com> syslog to file option
5. [6]Greg Brackley <greg.brackley@bigfoot.com> Major rework of WINNT port. Clean up recvbuf and iosignal code into separate modules.
6. [7]Marc Brett <Marc.Brett@westgeo.com> Magnavox GPS clock driver
7. [8]Piete Brooks <Piete.Brooks@cl.cam.ac.uk> MSF clock driver, Trimble PARSE support
8. [9]Steve Clift <clift@ml.csiro.au> OMEGA clock driver
9. [10]Casey Crellin <casey@csc.co.za> vxWorks (Tornado) port and help with target configuration
10. [11]Sven Dietrich <sven_dietrich@trimble.com> Palisade reference clock driver, NT adj. residuals, integrated Greg's Winnt port.
11. [12]John A. Dundas III <dundas@salt.jpl.nasa.gov> Apple A/UX port
12. [13]Torsten Duwe <duwe@immd4.informatik.uni-erlangen.de> Linux port
13. [14]Dennis Ferguson <dennis@mrbill.canet.ca> foundation code for NTP Version 2 as specified in RFC-1119
14. [15]Glenn Hollinger <glenn@herald.usask.ca> GOES clock driver
15. [16]Mike Iglesias <iglesias@uci.edu> DEC Alpha port
16. [17]Jim Jagielski <jim@jagubox.gsfc.nasa.gov> A/UX port
17. [18]Jeff Johnson <jbj@chatham.usdesign.com> massive prototyping overhaul
18. [19]William L. Jones <jones@hermes.chpc.utexas.edu> RS/6000 AIX modifications, HPUX modifications
19. [20]Hans Lambermont <Hans.Lambermont@nl.origin-it.com> or [21]<H.Lambermont@chello.nl> ntpsweep
20. [22]Frank Kardel [23]<Frank.Kardel@informatik.uni-erlangen.de> PARSE <GENERIC> driver (14 reference clocks), STREAMS modules for PARSE, support scripts, syslog cleanup
21. [24]Dave Katz <dkatz@cisco.com> RS/6000 AIX port
22. [25]Craig Leres <leres@ee.lbl.gov> 4.4BSD port, ppsclock, Magnavox GPS clock driver
23. [26]George Lindholm <lindholm@ucs.ubc.ca> SunOS 5.1 port
24. [27]Louis A. Mamakos <louie@ni.umd.edu> MD5-based authentication
25. [28]Lars H. Mathiesen <thorinn@diku.dk> adaptation of foundation code for Version 3 as specified in RFC-1305
26. [29]David L. Mills <mills@udel.edu> Version 4 foundation: clock discipline, authentication, precision kernel; clock drivers: Spectracom, Austron, Arbiter, Heath, ATOM, ACTS, KSI/Odetics; audio clock drivers: CHU, WWV/H, IRIG
27. [30]Wolfgang Moeller <moeller@gwdgv1.dnet.gwdg.de> VMS port
28. [31]Jeffrey Mogul <mogul@pa.dec.com> ntptrace utility
29. [32]Tom Moore <tmoore@fievel.daytonoh.ncr.com> i386 svr4 port
30. [33]Kamal A Mostafa <kamal@whence.com> SCO OpenServer port
31. [34]Derek Mulcahy <derek@toybox.demon.co.uk> and [35]Damon Hart-Davis <d@hd.org> ARCRON MSF clock driver
32. [36]Rainer Pruy <Rainer.Pruy@informatik.uni-erlangen.de> monitoring/trap scripts, statistics file handling
33. [37]Dirce Richards <dirce@zk3.dec.com> Digital UNIX V4.0 port
34. [38]Wilfredo Sánchez <wsanchez@apple.com> added support for NetInfo
35. [39]Nick Sayer <mrapple@quack.kfu.com> SunOS streams modules
36. [40]Jack Sasportas <jack@innovativeinternet.com> Saved a Lot of space on the stuff in the html/pic/ subdirectory
37. [41]Ray Schnitzler <schnitz@unipress.com> Unixware1 port
38. [42]Michael Shields <shields@tembel.org> USNO clock driver
39. [43]Jeff Steinman <jss@pebbles.jpl.nasa.gov> Datum PTS clock driver
40. [44]Harlan Stenn <harlan@pfcs.com> GNU automake/autoconfigure makeover, various other bits (see the ChangeLog)
41. [45]Kenneth Stone <ken@sdd.hp.com> HP-UX port
42. [46]Ajit Thyagarajan <ajit@ee.udel.edu> IP multicast/anycast support
43. [47]Tomoaki TSURUOKA <tsuruoka@nc.fukuoka-u.ac.jp> TRAK clock driver
44. [48]Paul A Vixie <vixie@vix.com> TrueTime GPS driver, generic TrueTime clock driver
45. [49]Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> corrected and validated HTML documents according to the HTML DTD

[50]Home
[51]David L. Mills <mills@udel.edu>

References

1. mailto:marka@syd.dms.csiro.au
2. mailto:vbais@mailman1.intel.co
3. mailto:kirkwood@striderfm.intel.com
4. mailto:michael.barone@lmco.com
5. mailto:karl@owl.HQ.ileaf.com
6. mailto:greg.brackley@bigfoot.com
7. mailto:Marc.Brett@westgeo.com
8. mailto:Piete.Brooks@cl.cam.ac.uk
9. mailto:clift@ml.csiro.au
10. mailto:casey@csc.co.za
11. mailto:Sven_Dietrich@trimble.COM
12. mailto:dundas@salt.jpl.nasa.gov
13. mailto:duwe@immd4.informatik.uni-erlangen.de
14. mailto:dennis@mrbill.canet.ca
15. mailto:glenn@herald.usask.ca
16. mailto:iglesias@uci.edu
17. mailto:jagubox.gsfc.nasa.gov
18. mailto:jbj@chatham.usdesign.com
19. mailto:jones@hermes.chpc.utexas.edu
20. mailto:Hans.Lambermont@nl.origin-it.com
21. mailto:H.Lambermont@chello.nl
22. www4.informatik.uni-erlangen.de/~kardel
23. mailto:Frank.Kardel@informatik.uni-erlangen.de
24. mailto:dkatz@cisco.com
25. mailto:leres@ee.lbl.gov
26. mailto:lindholm@ucs.ubc.ca
27. mailto:louie@ni.umd.edu
28. mailto:thorinn@diku.dk
29. mailto:mills@udel.edu
30. mailto:moeller@gwdgv1.dnet.gwdg.de
31. mailto:mogul@pa.dec.com
32. mailto:tmoore@fievel.daytonoh.ncr.com
33. mailto:kamal@whence.com
34. mailto:derek@toybox.demon.co.uk
35. mailto:d@hd.org
36. mailto:Rainer.Pruy@informatik.uni-erlangen.de
37. mailto:dirce@zk3.dec.com
38. mailto:wsanchez@apple.com
39. mailto:mrapple@quack.kfu.com
40. mailto:jack@innovativeinternet.com
41. mailto:schnitz@unipress.com
42. mailto:shields@tembel.org
43. mailto:pebbles.jpl.nasa.gov
44. mailto:harlan@pfcs.com
45. mailto:ken@sdd.hp.com
46. mailto:ajit@ee.udel.edu
47. mailto:tsuruoka@nc.fukuoka-u.ac.jp
48. mailto:vixie@vix.com
49. mailto:Ulrich.Windl@rz.uni-regensburg.de
50. file://localhost/backroom/ntp4+/html/index.htm
51. mailto:mills@udel.edu

10.3.30 PSF Python Software Foundation License

Barracuda Networks Products may contain programs and software that are covered by the License below.

The Python Software Foundation (PSF) holds the copyright of Python 2.1 and newer versions.

PSF LICENSE AGREEMENT FOR PYTHON 2.4

1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 2.4 software in source or binary form and its associated documentation.

2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 2.4 alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004 Python Software Foundation; All Rights Reserved" are retained in Python 2.4 alone or in any derivative version prepared by Licensee.

3. In the event Licensee prepares a derivative work that is based on or incorporates Python 2.4 or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 2.4.

4. PSF is making Python 2.4 available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 2.4 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 2.4 FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 2.4, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.

7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.

8. By copying, installing or otherwise using Python 2.4, Licensee agrees to be bound by the terms and conditions of this License Agreement.

10.3.31 XFree86 Licenses

Version 1.1 of XFree86 Project License.

Barracuda Networks Products may contain programs and software that are Copyright (C) 1994-2004 The XFree86 Project, Inc. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution, and in the same place and form as other copyright, license and disclaimer information.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by The XFree86 Project, Inc (http://www.xfree86.org/) and its contributors", in the same place and form as other third-party acknowledgments. Alternately, this acknowledgment may appear in the software itself, in the same form and location as other such third-party acknowledgments.

4. Except as contained in this notice, the name of The XFree86 Project, Inc shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The XFree86 Project, Inc.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE XFREE86 PROJECT, INC OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Barracuda Networks makes available the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.
