Administrators Guide
Revision 3.5
Barracuda Networks
Barracuda NG Firewall 4.2.10
Contents
1 Getting Started, page 7
2 Control, page 27
3 Configuration Service, page 41
4 Firewall, page 131
5 VPN, page 211
6 Mail Gateway, page 259
7 DHCP, page 287
8 Log Viewer, page 305
9 Statistics, page 311
10 Eventing, page 321
11 DNS, page 331
12 Proxy, page 339
13 FTP Gateway, page 369
14 Voice over IP, page 373
15 Wireless LAN, page 381
16 SSH Gateway, page 385
17 Anti-Virus, page 389
18 High Availability, page 399
19 Barracuda NG Control Center, page 411
20 SNMP, page 513
21 OSPF and RIP, page 517
22 System Information, page 531
23 Appendix, page 543
Note:
Tables and parameter lists have their own range of numbers.

Directories:
- Parameter List Directory, page 557
- Table Directory, page 591
- Figure Directory, page 595
Getting Started
2. Barracuda NG Installer
2.1 General, page 10
2.2 Creating a "standard" Kickstart Disk, page 10
2.3 Creating a Disk in "Kickstart Only" Mode, page 15
2.4 Creating a Kickstart Disk for Installation via Network, page 15
2.5 Barracuda Networks Multi-Platform Product Support, page 16
3. Barracuda NG Admin
3.1 Logging in, page 17
3.2 User Interface, page 17
3.2.1 Start Screen, page 18
3.2.2 Menu Bar, page 18
3.2.3 Tool Bar, page 20
3.2.4 Box Menu, page 20
3.2.5 Main Window, page 20
3.2.6 Mini Map, page 20
3.2.7 Status Bar, page 20
4. Settings
4.1 Boxes, page 21
4.2 Client, page 22
4.3 Admin & CC Settings, page 23
4.4 Certificates & Private Keys, page 23
4.4.1 Using Keys on a Barracuda NG Firewall 4.2, page 24
4.5 Public Host Keys, page 24
Attention:
This method only works if identical hardware (CPU-ID, MAC addresses, motherboard ID) is used for recovery.

Step 7 Licensing
Obtain licenses for your system (gather necessary information first) and import them. For more information, see:
- Licensing, page 529
2. Barracuda NG Installer
Local administration rights are needed to install files on a USB stick.

Note:
For installation with USB stick, a supported and properly formatted USB stick is needed. One of the following formattings should be used:

Fig. 12 Defining Box Type Settings with Barracuda NG Installer

Here select the hardware type you are installing. Each hardware type comes with specific default settings and availability of services, again with typical default settings. Make the correct selection to achieve full profit from this feature.

Combine standard/standard-hardware if you are not using one of the listed appliance models. Barracuda NG Firewall default settings then apply for all services.

Combine controlcenter/standard-hardware if you are installing a Barracuda NG Control Center.

Each type's typical characteristics are listed at the end of this chapter (2.5 Barracuda Networks Multi-Platform Product Support, page 16). For a list of default values see 2. Barracuda NG Firewall Appliances Parameter Defaults, page 548.

Select the Demo or Export Mode checkbox if you are installing a system for testing purposes.

Note:
On unlicensed Barracuda NG Firewalls (DEMO Mode) encryption is restricted to DES. Stronger encryption is only available on systems without export flag.

Table 12 Types of DEMO versions in Barracuda NG Firewall 4.2
Version | Characteristics
DEMO | cryptographically weak (DES, RSA-512)
Testing License with export flag | cryptographically weak (DES, RSA-512)
Testing License without export flag | cryptographically strong

Note:
Box Type Settings defines the content of the configuration file Box Properties (Configuration Service 2.2.2 Box Properties, page 52).

Gateway | Enter a gateway's IP address here if it is needed.
Nameserver | You may optionally specify a DNS server here.
Device | Configure the network interface card here, which is active during installation (default: eth0).

Continue with Next.

Fig. 13 Configuring System Settings with Barracuda NG Installer

List 12 Configuring System Settings with Barracuda NG Installer
Parameter | Description
Hostname | Specify a name for the host you are installing without its domain suffix. In a hostname only characters (a-z, A-Z), numbers (0-9), and hyphens ("-") are allowed. The maximum length of this parameter is 25 characters. Later change of the hostname is possible (Configuration Service 2.2.3.1 System Access, page 54).
Note:
This is a mandatory field. Installation cannot continue without a hostname.
Time Zone menu | Select the proper time zone for the Barracuda NG Firewall.
Keyboard Layout | This menu allows you to select the required keyboard layout.
Note:
If the suggested keyboard layouts are insufficient, experienced users may select the appropriate setting by using the Advanced option.
Serial Console | Ticking this checkbox activates the interface for serial console.
Attention:
Make sure to activate a serial port in your server's BIOS when using this option.

List 13 Configuring System Settings with Barracuda NG Installer section DNS
Parameter | Description
Attention:
If the DNS servers are located in a different subnet than the box and the Barracuda NG Admin administration computer, routing has to be configured correspondingly in order to make these addresses accessible for the box (Configuration Service 2.2.5.5 Network Routes, page 68).
Primary / Secondary | These fields are used for defining DNS servers.
Domain Suffix | If the box is located in a DNS domain, the corresponding domain can be entered in this field.

List 14 Configuring System Settings with Barracuda NG Installer section Network Time Protocol
Parameter | Description
Attention:
If the NTP server is located in a different subnet than the box and the Barracuda NG Admin administration computer, the routing has to be configured correspondingly in order to make the address accessible for the box (Configuration Service 2.2.5.5 Network Routes, page 68).
List 14 Configuring System Settings with Barracuda NG Installer section Network Time Protocol (continued)
Parameter | Description
Use NTP | If a timeserver is available you can activate its use by ticking the checkbox Use NTP. This will activate the following parameters.
IP | This field holds the IP address of the NTP server.
Change HW clock to UTC | This checkbox can be used for changing the BIOS clock to universal time.
Note:
Using this option is highly recommended.

Continue with Next.

Step 5 Configuring Partition Settings

Select the Disk Type that suits your system. The following disk types are available for selection:
- IDE (default)
- SCSI
- CCISS
- RD

Thereafter insert the Fixed Disk Capacity and click Suggest. This will lead to an automatic partitioning suggestion, which will work for most systems. Of course you still have the option to edit each partition manually after the suggestion. Select the partition you want to modify (it is now highlighted in yellow) and edit the fields shown below the partition list.

The following parameters are available for editing the partition suggestion:

Fig. 14 Configuring Partition Settings with Barracuda NG Installer

List 15 Configuring Partition Settings with Barracuda NG Installer
Parameter | Value
Size | Assign disk space of your choice here.
Disk menu | Disk names are assigned according to the selected Disk Type:
Disk No. | IDE | SCSI | CCISS (Linux) | RD (Linux)
1 | hda | sda | cciss/c0d0 | rd/c0d0
2 | hdb | sdb | cciss/c0d1 | rd/c0d1
3 | hdc | sdc | cciss/c0d2 | rd/c0d2
4 | hdd | sdd | cciss/c0d3 | rd/c0d3
5 | hde | sde | cciss/c0d4 | rd/c0d4
Select the all checkbox to display all disk types in the Disk list. Select the change all checkbox to change the disk type for all partitions and not only for the selected one.
File system menu | The following file systems are available for selection:
ext2 - standard Linux file system
ext3 (default) - journal extension to ext2 on Linux; journaling can result in a massively reduced time spent recovering a file system after a crash, and therefore this is recommended for high demand environments, where high availability is important.
reiserfs - journaling file system
grow checkbox | By ticking this checkbox, the selected partition will grow to the maximum available size. This way you do not need to specify the exact size of your disk.
Note:
If you have selected a specific appliance model in the box type settings screen (see Step 3), partitioning settings will be suggested.

Continue with Next.

Step 6 Configuring your network interfaces

In the next step the appropriate network interface cards (NICs) are to be configured.

For adding a new NIC, click Add. This opens a NIC reseller list. Select a Reseller to display a list of available NICs. If you use more cards of a single model, you can enter the number of these cards in the upper right corner of this dialog (field Number).

Attention:
If you use multi-port cards, each port counts as one card (for example, a dual-port card counts as two cards).

Should the offered NICs not suit your system, click Advanced (lower left corner) where you can select a certain module that fits your NIC.

Note:
Linux does not have special drivers for every single model of network card but for a family of cards using the same network chip set. Again you can insert the number of cards you wish to use.

When you click OK the NIC is added to your configuration and is ready for adapting. Select the NIC (now highlighted in yellow) and either click Properties or simply double-click.

Fig. 15 NIC adapter configuration parameters

Step 7 Configuring Security Settings

This dialog offers several security-relevant parameters:

List 17 Configuring Security Settings with Barracuda NG Installer
Parameter | Description
Licenses list | This listing displays the available licenses. In order to import licenses, click Import License from File and select the corresponding .lic file.
Note:
If no license is imported here, your Barracuda NG Firewall will run in demo mode until a valid license is applied.
ACL list | The Access Control List (ACL) contains IP addresses/netmasks which have exclusive access to the management IP address. The ACL protects the box from Denial of Service (DoS) attacks.
Note:
In order to avoid unnecessary exposure of the Barracuda NG Firewall to DoS attacks, restrict the scope of the ACL to addresses from which access to the management IP address is to be granted.
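As an added example (not code from the guide or from Barracuda Networks), the following Python pre-flight check applies two of the installer rules above: the hostname rule from List 12 and the management ACL from List 17, evaluating which source addresses an ACL admits and flagging entries that are far wider than an admin workstation range. The ACL entries, the source addresses and the 65536-address threshold for the scope warning are constructed assumptions.

```python
import ipaddress
import re

# Hostname rule from List 12: letters, digits and hyphens only, no domain
# suffix, at most 25 characters, and the field is mandatory.
HOSTNAME_MAX_LEN = 25
HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9-]+")

# Threshold above which an ACL entry is reported as too broad for a
# management ACL (constructed assumption, not a value from the guide).
BROAD_ACL_ADDRESSES = 2 ** 16


def validate_hostname(hostname):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not hostname:
        problems.append("hostname is mandatory")
        return problems
    if len(hostname) > HOSTNAME_MAX_LEN:
        problems.append(f"longer than {HOSTNAME_MAX_LEN} characters")
    if "." in hostname:
        problems.append("must be given without its domain suffix")
    if not HOSTNAME_CHARS.fullmatch(hostname):
        problems.append("only a-z, A-Z, 0-9 and '-' are allowed")
    return problems


def parse_acl(entries):
    """Parse 'address' or 'address/netmask' strings; a bare address is a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def acl_admits(acl, source):
    """True if the source address falls into any ACL entry."""
    address = ipaddress.ip_address(source)
    return any(address in network for network in acl)


def acl_scope_warnings(acl):
    """Report entries that admit far more addresses than admin workstations need."""
    return [
        f"{network} admits {network.num_addresses} addresses; narrow the scope"
        for network in acl
        if network.num_addresses >= BROAD_ACL_ADDRESSES
    ]


def review_security_settings(hostname, acl_entries, attempts):
    """Combine the checks the way an installer pre-flight review would."""
    acl = parse_acl(acl_entries)
    return {
        "hostname_problems": validate_hostname(hostname),
        "acl_warnings": acl_scope_warnings(acl),
        "admitted": [src for src in attempts if acl_admits(acl, src)],
        "rejected": [src for src in attempts if not acl_admits(acl, src)],
    }


# Constructed sample input: two candidate ACLs and a few connection sources.
RESTRICTED_ACL = ["10.0.5.10", "10.0.5.0/28"]   # admin host plus admin subnet
OPEN_ACL = ["0.0.0.0/0"]                       # everything may reach the management IP
ATTEMPTS = ["10.0.5.10", "10.0.5.14", "10.0.5.16", "192.0.2.7"]

if __name__ == "__main__":
    for label, acl_entries in (("restricted", RESTRICTED_ACL), ("open", OPEN_ACL)):
        result = review_security_settings("ngfw-01", acl_entries, ATTEMPTS)
        print(label, result)
```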
List 111 Configuring Software Packages with Barracuda NG Installer section Advanced
Parameter | Description
Kernel Parameter field | This field allows you to enter kernel-related parameters.
Attention:
When using this field be absolutely sure to know what you are doing. Contact Barracuda Networks support before entering anything into this field.
Note:
This parameter takes no effect when parameter Kickstart only or Install mode > USB Stick has been selected.
LILO linear checkbox | Selecting this checkbox may be required by some controllers.
No graphic adapter available | Select this checkbox if your system does not employ a graphic adapter and you intend administering it via a serial console.
No ACPI | Select this checkbox if your system does not employ an Advanced Configuration and Power Interface (ACPI).
Note:
This parameter takes no effect when parameter Kickstart only or Install mode > USB Stick has been selected.

List 116 Configuring USB Stick Settings with Barracuda NG Installer section Installation Mode Settings (2)
Parameter | Description
Image | The pull-down menu of this parameter allows selecting the installation media:
Create from CD - creates an ISO image directly from a CD-ROM selected in the list
Copy ISO image - imports an already existing ISO image file to the USB stick
Attention:
Any selection starts the related process immediately without user interaction.
Portable Archive Files | If you are installing with USB stick you may add portable archive files (*.par) and compressed portable archive files (*.pgz) to the kickstart disk in order to take over complete box configurations when installing. If you have added more than one archive file you will be queried which one to apply during installation.
Note:
Only the settings stated above will be effective when installing the system. Effective settings included in the PAR file will NOT be overwritten.

Step 10 Configuring USB Stick Settings
(only available if parameter Write USB stick is set to yes)

This configuration dialog provides USB stick-relevant settings and additionally allows importing the ISO image.

Fig. 16 Configuring USB stick settings with Barracuda NG Installer

Fig. 17 Box Type Settings window in Create Kickstart only mode
Product | Module | standard | Barracuda NG Firewall F10
Firewall | Firewall | |
DHCP Relay | DHCP-Relay | |
VPN Server | VPN-Service | |
HTTP Proxy | HTTP-Proxy | | -
URL Filter | URL-Filter | | -
Mail Gateway | Mail-Gateway | | -
SPAM Filter | SPAM-Filter | | -
FTP Gateway | FTP-Gateway | | -
SSH Proxy | SSH-Proxy | | -
Virus Scanner | Virus-Scanner | | -
Secure Web Proxy | sslprx | | -
Access Control Server | Access-Control-Service | |
DNS Server | DNS-Service | | -
DHCP Enterprise Server | DHCP-Service | | -
SNMPd | snmp | |
OSPF/RIP Service | ospf | | -
3. Barracuda NG Admin
The program Barracuda NG Admin (available on your Application flash USB stick) is the tool to administer Barracuda NG Firewall.

Note:
It is highly recommended to use the Barracuda NG Admin delivered with the Application CD to ensure that all features of the Barracuda NG Firewall are available. If it is necessary to change the Barracuda NG Admin, please contact Barracuda Networks Support for detailed information on which version of Barracuda NG Admin should be used.

3.1 Logging in

Login is started by double-clicking the Barracuda NG Admin executable. This opens the login dialog (figure 19).

Fig. 19 Login dialog

The header of this dialog displays the version and build number of the Barracuda NG Admin tool:

- Buttons Box / CC
These two buttons define which kind of Barracuda NG Firewall system you are logging into. Especially when logging into a Barracuda NG Control Center (CC) a correct selection is required due to the different IP addresses that are used (Box - IP address of the Barracuda NG Firewall itself; CC - Management IP address).
- Box-Address / CC-Address line & menu
Enter the IP address or DNS-resolvable name to which you wish to connect. For enhanced comfort, the menu provides every IP address that was used for connection via Barracuda NG Admin before. At the same time, the selection Box or CC address (see above) is reassigned and does not need to be re-entered.
- Login line
Enter the login name of the administrator.
- Password line
Enter the password.

- Menu entry Lock
This command allows you to lock the Barracuda NG Admin user interface (for example when leaving the workplace). To unlock the Barracuda NG Admin, re-enter the correct user and password into the login screen, which is opened as soon as the Barracuda NG Admin is locked.
- Menu entry Settings
Due to its complexity please refer to the description of this menu item at 4. Settings, page 21.
- Menu entry Print Setup
The Barracuda NG Admin allows you to print log files, rule sets, and so on. Configure your printer by using this menu item.
- Menu entry Exit
This command closes the Barracuda NG Admin application.

3.2.2.3 Edit Menu

The items within this menu have the same meaning and function as known from MS Windows.

Note:
The service item order of the pull-down box menu does not match the order of the Barracuda NG Admin user interface box menu.

Currently, the following box menu entries are available:
- Config
Configuration Service, page 41
- Control
see chapter "Control"
- Firewall
Firewall, page 131
- Proxy
Proxy, page 339
- Reload Box Service
This command refreshes the service icons view in the box menu of the Barracuda NG Admin user interface. Apply it for instance after having created a service.

3.2.2.5 View Menu

- Menu item Toolbars
This item allows you to hide or to customize the tool bar.
- Menu item Status Bar
This item allows you to hide the Status Bar (figure 110, page 17).
- Menu item Mini Map
This item allows you to hide the Mini Map (figure 110, page 17).

Fig. 112 Dialog for customising the tool bar

3.2.2.6 Window Menu

The functions of this menu are the same as known from MS Windows. The menu item Windows manages views of currently open windows.

3.2.2.7 ? Menu

All buttons that are available in the tool bar are also accessible via the menu bar:
- Lock Barracuda NG Admin
see 3.2.2.2 File Menu, Menu entry Lock, page 19
- Login
see 3.2.2.2 File Menu, Menu entry Login, page 19
- Settings
see 3.2.2.2 File Menu, Menu entry Settings, page 19
- Window list
see 3.2.2.6 Window Menu, page 19
- About
see 3.2.2.7 ? Menu, page 19

Note:
The entries listed under 3.2.2.4 Box Menu, page 19 are also valid for the user interface box menu though the item order varies.

3.2.7 Status Bar

The status bar displays information about the SSL connection status (including the encryption algorithm used, if available), the certificate and the time zone specified in the box time settings (translated to the corresponding GMT time zone as used in Microsoft Windows operating systems). A few Linux-specific time zones exist which cannot be translated into GMT time zones. In this case, the system time of the client running Barracuda NG Admin will be displayed instead of the box time settings.

Fig. 114 Status bar (Connection info, SSL status, Certificate information)
4. Settings
Note:
As soon as you are logged into a box the short-cut of the box is also available in the group Active.

4.2 Client

Use this tab to configure your Barracuda NG Admin client.

Note:
All parameters set here affect only the currently used Barracuda NG Admin. They are not saved on the Barracuda NG Firewall, for example. You will need to repeat the configuration if you use another Barracuda NG Admin.

Fig. 117 Barracuda NG Admin Settings - Client tab

List 119 Configuring Barracuda NG Admin settings - Client tab section Timeouts
Parameter | Description
Configuration Read [sec.] | Specifies the duration a connection attempt (through utilisation of the Connect button) may last until, in case of failure, the attempt is stopped and a failure message is displayed (default: 30 seconds). Furthermore this setting determines the read timeout of the configuration file effective in the Box Control > Licenses tab view (see 2.5 Licenses Tab, page 37).
Note:
The read timeout also has an impact on PAR file creation of comprehensive configurations. Temporarily set it to 200 seconds or higher if necessary. See Configuration Service 5.3 Creating PAR Files, page 119 for details.
Statistic [sec.] | Defines how long (in seconds) a statistic-view attempt may last until the attempt is stopped and a message is displayed (default: 30 seconds). Increase this parameter if you expect large statistics files.

List 120 Configuring Barracuda NG Admin settings - Client tab section System
Parameter | Description
Disable Events System Tray | Clear this checkbox to disable the icon in the system tray which indicates an active event.
Always use session password | This setting triggers Barracuda NG Admin to always use the last known password when reconnecting to a box after a session has been disconnected. The session password loses its validity when Barracuda NG Admin is closed.
Print Header | Allows entering a custom header for prints. Especially when multiple administrators use one printer this feature becomes handy because it allows identifying the owner very easily.

List 121 Configuring Barracuda NG Admin settings - Client tab section Show
Parameter | Description
Short/Long Date | This setting determines the date format display which is used in various overview listings (for example CC Control).
Parameter | Description
Advanced Cryptographic | Opens the Advanced Crypto API Settings configuration window (figure 118, page 23).

List 119 Configuring Barracuda NG Admin settings - Client tab section Timeouts
Parameter | Description
Socket Connect [sec.] | Defines the duration a login attempt may last until, in case of failure, it is stopped and a failure message is displayed (default: 6 seconds).
Note:
The socket connect timeout also has an impact on PAR file creation of comprehensive configurations. Temporarily set it to 200 seconds or higher if necessary. See Configuration Service 5.3 Creating PAR Files, page 119 for details.

The following parameters are available for configuration in the Advanced Cryptographic Settings dialog:

Fig. 118 Configuring Advanced Cryptographic Settings

List 125 Configuring Advanced Cryptographic API Settings
Parameter | Description
Disable Smartcard/Token | Note: Selecting the checkbox Disable Smartcard / Token deactivates the complete configuration section.
Cryptographic Service Provider | Barracuda Networks supports all CSPs (Cryptographic Service Providers) using the Microsoft Crypto API. All CSPs installed on your local workstation are listed.
Key Length | The key length depends on the selected CSP. Minimum, maximum and default values for key lengths are displayed in the Cryptographic Service Provider menu.

List 126 Configuring Advanced Cryptographic API Settings section Store Parameters
Parameter | Description
Default Store | This parameter defines the default store for certificates (default: MY).
Specifies the provider type | This parameter allows defining where the certificate lives. The following options are available:
CERT_STORE_PROV_SYSTEM - certificate available in MS Management Console
CERT_STORE_PROV_PHYSICAL - certificate available on eToken/Smartcard
Flags | This parameter defines the availability of the certificate. Possible values are 'current user only' or 'local workstation' regardless of the logged-in user. Use one of the values below for configuring:
CERT_SYSTEM_STORE_CURRENT_USER - certificate is dedicated to this user only
CERT_SYSTEM_STORE_LOCAL_MACHINE - certificate is dedicated to the local workstation
Select Smartcard Reader | Allows selecting an available Smartcard Reader. If no Smartcard Reader is available on the system, this parameter is inactive.

Position | Align the wallpaper here. Available options are: Tile, Center, Stretch, and Bottom Right.

List 124 Configuring Barracuda NG Admin settings - Client tab section SSH Settings Colors
Parameter | Description
Define the layout of the SSH Login interface here.
Modify | Choose one of the modifiable options (Background, Bold Background, Cursor Text, Cursor Color) and change its color with Modify.

4.3 Admin & CC Settings

- Section CC Selection
This section allows you to view the certificates of Barracuda NG Control Center(s) you have logged into using this Barracuda NG Admin. To remove MCs from the view of Barracuda NG Admin click Remove Entry. Otherwise choose an available CC in the field CC and click Show Certificate to display a detailed view of the certificate.
Note:
After having removed a CC you have to accept the certificate again when logging into it the next time.
- Section Change Administrator Password
This section offers the opportunity to change passwords of Barracuda NG Control Center and single box local administrators.
To change a password of a Barracuda NG Control Center marked in the section CC Selection, select Change Admin Credentials for CC Admin from the pull-down menu, enter the administrator's login name, the current (old) password and the new password (twice, for security reasons). Click Change Password to activate the new settings.
To change the password of a single box local administrator, select Change Admin Credentials for Local Admin (Single Box) from the pull-down menu. A new field Box IP Address now appears to the right of the menu. Enter the box IP address and proceed as described above to change the password.
- Section Change Administrator Key
If, for a successful login procedure, key files are needed in addition to the password, this administration key is to be edited/assigned in this section.
To change an administrator key, enter the correct login name and password and import the proper key via Import. Change Admin Key activates the new settings.

4.4 Certificates & Private Keys

- This tab contains the private key administration. Login and authentication of the administrator on a Barracuda NG Firewall are processed using a 2-factor authentication technique. The authenticity of the admin workstation is verified with a challenge-response method. Beyond this the administrator has to authenticate himself with a personal password.
Note:
Despite the fact that it is not mentioned in the tab header, it is also possible to use eToken and smartcards. They are used in the same way.
- Creating a new Certificate
To generate a new certificate/key by using Microsoft Strong Cryptographic Provider v1.0 click Create New Certificate/Key. This opens a window where several values (for example Country, State, Name, Expiring date) are to be entered. After confirming your entry the new certificate is displayed in the list.
The columns in the main tab derive from the information entered while creating the certificate. However, two columns differ:
Control
1. Overview
1.1 Control Window, page 28
2. Control Tabs
2.1 Server Tab, page 29
2.1.1 Section Server Status, page 29
2.1.2 Section Service Status, page 29
2.2 Network Tab, page 30
2.2.1 Interface/IPs Tab, page 30
2.2.2 IPs Tab, page 31
2.2.3 Interfaces Tab, page 31
2.2.4 Proxy ARPs Tab, page 32
2.2.5 ARPs Tab, page 32
2.2.6 Statistics Tab, page 32
2.2.7 OSPF Tab, page 32
2.2.8 Tables, page 32
2.3 Processes Tab, page 36
2.4 Resources Tab, page 36
2.5 Licenses Tab, page 37
2.5.1 Section Version Status, page 37
2.5.2 Section Active Licenses, page 37
2.5.3 Section License Values, page 37
2.5.4 Section Host IDs, page 37
2.6 Box Tab, page 38
2.6.1 Section Network Configuration, page 38
2.6.2 Section Operating System, page 39
2.6.3 Section Time Control, page 39
2.6.4 Section Dynamic Network Connections, page 39
2.6.5 Section Authentication Level, page 39
2.6.6 Section BOX SCEP Status, page 40
2.7 Sessions Tab, page 40
2.8 Mainboard Tab, page 40
1. Overview
The Control window is an essential monitoring and administration tool that provides real-time information about the status of a system and makes a variety of fundamental administration tasks available. Important information it displays is related to the following:
z Server/Service and Network status
z Status of disk usage
z Status of currently active processes and sessions
z Hardware information
z License information (keys and status of installed licenses)
z Release information (version numbers and build-dates of installed Barracuda Networks software modules)
To access the Control window, click Control in the box menu.
Note:
The Control window may as well be accessed from the Status Map tab in the Barracuda NG Control Center (Barracuda NG Control Center 5.2 Status Map Tab, page 515).
1.1 Control Window
The contents of the Control window are arranged in eight tabs:
z Server tab - see 2.1 Server Tab, page 29
z Network tab - see 2.2 Network Tab, page 30
z Processes tab - see 2.3 Processes Tab, page 36
z Disks tab - see 2.4 Resources Tab, page 36
z Licenses tab - see 2.5 Licenses Tab, page 37
z Box tab - see 2.6 Box Tab, page 38
z Sessions tab - see 2.7 Sessions Tab, page 40
z Mainboard tab - see 2.8 Mainboard Tab, page 40
All tabs but the latter two are flagged by a status indicator icon, which indicates the current status of the respective box subsystem.
Table 21 Status icons flagging tabs in the Control window
Icon | Meaning | Comment
(icon) | OK | Normal operation
(icon) | Warning | Abnormal condition not affecting normal operation
(icon) | Critical condition | Seriously abnormal condition
(Further legend entries whose icons were lost in extraction: Activation, box, network, Control Center, Warning, Fault, Compressed connected, Not connected)
2. Control Tabs
(icon) Service is blocked
(icon) Service is stopped
(icon) Service is blocked, stopped or disabled (inherited property because the server has been blocked, stopped or disabled)
Note:
When evaluating a service status, make sure to evaluate the current server status.
z Num Proc column
This column displays the number of processes for each service.
z Num FD column
This column displays the number of file descriptors used by the service processes.
z Mem KB column
This column displays the total memory (exclusive and shared) used by the service processes.
z Module column
This column displays name and corresponding icon of the installed software module. This information is important regarding services running on user defined servers, as these may be named without indication to the service type.
Network tab sub-tabs (cross references): Interface/IPs Tab, page 146; IPs Tab, page 147; Interfaces Tab, page 147; Proxy ARPs Tab, page 148; ARPs Tab, page 148; Tables, page 148
2.2.1 Interface/IPs Tab
This tab contains all interfaces, their current state (visualized with an icon, see below) and the IP addresses that are assigned to the interface.
Fig. 24 Interface/IPs Tab
Table 24 Icons for network interface types
Icon | Description
(icon) | tap interface (internal interface for SYN proxying & VPN)
(icon) | Tunnel interface
The following icons indicating the network connection status are available:
Table 25 Icons for network connection status
Icon | Description
(icon) | up
2.2.2 IPs Tab
This tab contains the same information as given in the Interface/IPs Tab, but the content is sorted according to IP addresses instead of interfaces.
The State column shows the state of the IP address/netmask as does the icon in the IP column.
The Interface column is formatted as follows: Name of the interface used (for example, eth0, tr0, tap0, …) followed by a colon and the label of the interface. For a description of the label syntax, please have a look at 2.2.1 Interface/IPs Tab, Label column, page 147.
z Name column
This column shows the given name of the route.
controld reads out the currently active network configuration from file /opt/phion/config/active/boxnet.conf. One of the tasks of the controld daemon is to verify that the routes configured therein are actually valid. The basic logic goes as follows:
controld does not introduce IPs with a mask other than 0 (single IPs). By this means controld looks after server IPs and proxyARPs but not after networks local to the box. This does however not mean that controld will not mark networks as down. It will merely refuse to reintroduce deleted box IP addresses.
As far as routing is concerned controld will play a more lively role and will activate and deactivate routes depending on available configuration information and environmental conditions.
One of the features of Barracuda NG Firewall boxes is that you may configure what we call pending direct routes. These routes are special insofar as they point to a target network via an available interface to which no IP address has yet been assigned. As such the route cannot be introduced directly as no source IP address is available.
Fig. 26 Network diagram illustrating the concept of a pending route
(Diagram residue: BOX with eth0: 10.0.0.18/24 in 10.0.0.0/24, tr0: 10.11.22.33/24 in 10.11.22.0/24, eth1: 10.14.55.66/27 in 10.14.55.64/27, and eth2 without an address towards 1.2.3.0/29 and 1.2.3.1)
Now suppose you have already configured a corresponding direct route under section Section Main Routing Table (Configuration Service 2.2.5.5 Network Routes, page 184) of the network configuration dialog.
Table 28 Example: Route handling, no Source IP address
Target network | Source IP address | Table | on Interface
1.2.3.0/29 | - | main | eth2
Quite evidently this route cannot be introduced right away as no valid source IP address is available. However, since it has been configured it will be displayed as in state off (icon) by the control daemon.
We now assume that the following gateway routes have also been introduced:
Table 29 Example: Route handling, gateway routes
Target network | Gateway | Table | Preference
0.0.0.0/0 | 1.2.3.1 | default | 100
0.0.0.0/0 | 10.0.0.100 | default | 200
Note:
A route is automatically assigned to table default if and only if the target is equal to 0.0.0.0/0.
Clearly the preferred default route via gateway 1.2.3.1 cannot be activated as no active route to address 1.2.3.1 is available. The control daemon will thus display this route as in state off (icon). We refer to such gateway routes as pending gateway routes, as their introduction only takes place pending a prior successful introduction of a not yet available but configured direct route.
If gateway 10.0.0.100 is pingable and the address is not local to the box itself then this route will be active, which
The Network diagram in figure 27 illustrates the way in which pending direct routes and gateway routes depending on them are activated by firing up an IP address on the so far not configured interface eth2:
Fig. 27 Network diagram, pending direct routes and gateway routes
(Diagram residue: as in figure 26, with gateway 10.0.0.100 in 10.0.0.0/24 and the BOX Server IP address 1.2.3.2 now on eth2 towards 1.2.3.0/29 and 1.2.3.1)
Target network | Source IP address | Table | on Interface
1.2.3.0/24 | 1.2.3.2 | main | eth2
2.2.8.2 Interoperation with a Router
An interesting routing issue arises when the firewall box is meant to work together with a router in what is called a screened host setup commonly used to separate LAN segments from one another.
With help of a small transit LAN scenarios may be visualized in which a logical separation of LAN A and LAN B may even be achieved with a single NIC at the firewall. In order for this to work the firewall and a router or gateway exclusively share a small transit network (usually 2 to 3 bits).
The advantages of such a single homed setup are evident. If you've got to deal with various kinds of network traffic within a large WAN or LAN at the same time, for example SNA, IPX, and IP, you've got to let SNA and IPX traffic bypass the firewall. At the same time you would like to use the firewall to manage and monitor your IP traffic. This is not possible if the firewall is dual homed in the traditional sense since then everything has to run through the firewall. Thus it is better to resort to a dual homed setup in address space. The single firewall NIC is configured to have network addresses that make it part of LAN A and additional network addresses from a small transit network it shares exclusively with the router/gateway component. The router/gateway does not have a valid IP address within LAN A.
For all IP traffic the router will use one of the transit network IPs of the firewall box as its next hop for traffic from LAN B to LAN A. Within LAN A routing is configured in such a way that one of the firewall's addresses in LAN A is the default gateway for traffic into LAN B. The firewall passes on this traffic via the transit network to the router/gateway, which then knows where to send it further.
At the same time all non IP traffic passes unharmed from LAN A to LAN B via the router/gateway since a direct physical link is established and all IP routing information is ignored.
(Figure residue: Source, Destination, LAN B)
Below is an example configuration for the successful interplay of router and firewall (redundant scenario included) to create a single homed setup:
Table 211 Example configuration for router and firewall
Object | Address
LAN A | 10.x.y.0/24
LAN A default gateway | 10.x.y.100
Transit LAN | 10.255.128.0/29 (shared by firewall and router)
FW-box-IP | 10.x.y.108
FW2-box-IP | 10.x.y.109 (optional in case of a redundant setup)
FW-default GW | 10.255.128.1 (router's transit LAN address) when active; 10.x.y.100 when inactive
FW-Transit Netw.-IP | 10.255.128.2
FW2-Transit Netw.-IP | 10.255.128.3 (optional in case of a redundant setup)
Firewall service IP | 10.x.y.100 and 10.255.128.4
The two different router configurations needed for an active and inactive firewall, respectively:
Table 212 Router configuration
Firewall | Interface address | Additional routing table entries
active | transit LAN: 10.255.128.1 | static routes: 10.x.y.0/24 via 10.255.128.4 + OSPF propagation; 10.x.y.108 via 10.255.128.2; 10.x.y.109 via 10.255.128.3
not active | 10.x.y.100 | no transit LAN
As far as the routing setup for the firewall is concerned the firewall boxes must clearly have two default routes with different preferences configured. The preferred one will be the one corresponding to active firewall operation.
The following scenarios may occur:
z the router operates in its firewall configuration
Table 213 Routing state on active firewall box
Target network | Gateway | Table | Preference | Status
0.0.0.0/0 | 10.255.128.1 | default | 100 | up
0.0.0.0/0 | 10.x.y.100 | default | 200 | up
Note:
The backup default route is not up but off since 10.x.y.100 is pingable but also local to the currently active firewall.
Table 214 Routing state on backup firewall box
Target network | Gateway | Table | Preference | Status
0.0.0.0/0 | 10.255.128.1 | default | 100 | up
0.0.0.0/0 | 10.x.y.100 | default | 200 | up
Note:
Both default routes are up since 10.x.y.100 is pingable on the active firewall box.
z router operates in its non firewall configuration
Table 215 Routing state on both firewall boxes
Target network | Gateway | Table | Preference | Status
0.0.0.0/0 | 10.255.128.1 | default | 100 | dis
0.0.0.0/0 | 10.x.y.100 | default | 200 | up
Note that the preferred default route is not up but disabled since 10.255.128.1 is no longer pingable. In order to make sure that the box still has a valid default route the firewall IP 10.x.y.100 will be deactivated on the active firewall box.
Note:
This behavior is only triggered by specifying the router's transit LAN IP 128.255.128.1 to be pingable as a necessary prerequisite for firewall operation.
z router failure
If the router is down completely both default routes would be in state disabled.
Table 216 Routing state on both firewall boxes
Target network | Gateway | Table | Preference | Status
0.0.0.0/0 | 10.255.128.1 | default | 100 | dis
0.0.0.0/0 | 10.x.y.100 | default | 200 | dis
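The route-state rules from 2.2.8 (pending direct and pending gateway routes) and 2.2.8.2 (the transit-LAN scenarios of tables 213 to 216) can be checked against each other with a small simulation. The following Python block is an added example written for this page; it is not Barracuda's controld code and does not claim to reproduce its implementation. It assumes the rules as the text states them: a direct route is off until its interface carries an address inside the target network, a gateway route is off while no active route reaches the gateway or while the gateway is local to the box, dis when the gateway is reachable but not pingable, and up otherwise; the firewall service IP is withdrawn when its pingable prerequisite fails. Ping results are a constructed set, the guide's 10.x.y.0/24 is written as 10.1.2.0/24, and for the active box with the router in firewall configuration the simulation follows the note (backup route off) rather than the "up" printed in table 213.

```python
"""Route-state evaluation following the rules this guide gives for controld.

Added, constructed simulation for this page (not Barracuda's controld code).
States: 'up', 'off' (pending or gateway local to the box), 'dis' (gateway
reachable but not pingable).  Ping results are a constructed set, not ICMP;
10.x.y.0/24 from the router tables is written as 10.1.2.0/24 (placeholder).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class DirectRoute:
    target: str
    interface: str


@dataclass
class GatewayRoute:
    target: str
    gateway: str
    preference: int

    @property
    def table(self):
        # page rule: a route belongs to table 'default' iff its target is 0.0.0.0/0
        return "default" if ip_network(self.target).prefixlen == 0 else "main"


@dataclass
class Box:
    interfaces: dict                                # name -> ["10.0.0.18/24", ...]
    server_ips: dict = field(default_factory=dict)  # "1.2.3.2" -> interface it is raised on
    pingable_prerequisites: list = field(default_factory=list)

    def addresses(self, pingable):
        """Interface addresses plus the server IPs (single /32s) that are currently active."""
        addrs = {n: [ip_interface(a) for a in lst] for n, lst in self.interfaces.items()}
        # a service IP with a pingable prerequisite is withdrawn once a required address fails
        if all(ip_address(p) in pingable for p in self.pingable_prerequisites):
            for ip, iface in self.server_ips.items():
                addrs.setdefault(iface, []).append(ip_interface(ip + "/32"))
        return addrs


def evaluate(box, direct_routes, gateway_routes, pingable):
    """Return {route description: state}, state being 'up', 'off' or 'dis'."""
    pingable = {ip_address(p) for p in pingable}
    addrs = box.addresses(pingable)
    local_ips = {a.ip for lst in addrs.values() for a in lst}
    # networks reached without a gateway: the interface networks ...
    reachable = {a.network for lst in addrs.values() for a in lst if a.network.prefixlen < 32}
    states = {}
    for d in direct_routes:
        net = ip_network(d.target)
        src = next((a.ip for a in addrs.get(d.interface, []) if a.ip in net), None)
        states[f"{d.target} dev {d.interface}"] = "up" if src else "off"
        if src:
            reachable.add(net)      # ... plus every direct route that could be introduced
    for g in gateway_routes:
        gw = ip_address(g.gateway)
        if not any(gw in net for net in reachable) or gw in local_ips:
            state = "off"           # pending gateway route, or gateway local to the box
        elif gw not in pingable:
            state = "dis"
        else:
            state = "up"
        states[f"{g.target} via {g.gateway} ({g.table}, pref {g.preference})"] = state
    return states


def pending_route_example(server_ip_on_eth2=False):
    """Figures 26 and 27: direct route 1.2.3.0/29 via eth2 plus the two default routes."""
    box = Box({"eth0": ["10.0.0.18/24"], "tr0": ["10.11.22.33/24"],
               "eth1": ["10.14.55.66/27"], "eth2": []},
              server_ips={"1.2.3.2": "eth2"} if server_ip_on_eth2 else {})
    gateways = [GatewayRoute("0.0.0.0/0", "1.2.3.1", 100),
                GatewayRoute("0.0.0.0/0", "10.0.0.100", 200)]
    return evaluate(box, [DirectRoute("1.2.3.0/29", "eth2")], gateways,
                    pingable={"1.2.3.1", "10.0.0.100"})


def router_interop_example(active_box, router_pingable):
    """Tables 213 to 216: one NIC in LAN A plus transit LAN 10.255.128.0/29 shared with a router."""
    if active_box:
        box = Box({"eth0": ["10.1.2.108/24", "10.255.128.2/29"]},
                  server_ips={"10.1.2.100": "eth0", "10.255.128.4": "eth0"},
                  pingable_prerequisites=["10.255.128.1"])
    else:
        box = Box({"eth0": ["10.1.2.109/24", "10.255.128.3/29"]})
    gateways = [GatewayRoute("0.0.0.0/0", "10.255.128.1", 100),
                GatewayRoute("0.0.0.0/0", "10.1.2.100", 200)]
    return evaluate(box, [], gateways, pingable=router_pingable)


if __name__ == "__main__":
    scenarios = [("eth2 without address", pending_route_example()),
                 ("server IP 1.2.3.2 on eth2", pending_route_example(True)),
                 ("router in firewall config, active box",
                  router_interop_example(True, {"10.255.128.1", "10.1.2.100"})),
                 ("router in non-firewall config, active box",
                  router_interop_example(True, {"10.1.2.100"})),
                 ("router down", router_interop_example(True, set()))]
    for label, states in scenarios:
        print(label)
        for route, state in states.items():
            print(f"  {state:3} {route}")
```

Running the block prints the state of every route per scenario; the transition from figure 26 to figure 27 is reproduced by raising the server IP on eth2, and the router scenarios differ only in which addresses answer ping.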
2.3 Processes Tab
Table 217 Tabular listing of the elements of the process status panel.
In a Barracuda NG Firewall default installation, the following file systems should at least be present:
described in detail in a separate chapter (Licensing, page 615).
2.6 Box Tab
The Box tab of the control window is used for controlling key aspects of box operation. It consists of three sections and a report window.
opens a window with the following buttons and corresponding functions:
List 21 Types of network activation
Network activation type | Impact
Attention:
Authentication level changes are effective immediately. Use with due care.
2.6.6 Section BOX SCEP Status
Table 220 Box control BOX SCEP Status commands
Command | Description
Show Certificate Info | Shows information about the certificate retrieved by SCEP, or shows the reason of failure
Save Certificate to Clipboard | Exports the certificate to the Clipboard (PEM)
Save Certificate to File | Exports the certificate to a file (PEM)
Initiate Pending Request | Instructs the SCEP subsystem to initiate the enrollment process immediately
Force SCEP Update | Instructs the SCEP subsystem to initiate a SCEP update immediately
Set SCEP Debug ON / Set SCEP Debug OFF | Turns SCEP debugging ON or OFF. Additional debugging information will be included in the SCEP log (Box/Control/SCEP) when turned on.
Set SCEP Password | Prompt for the SCEP Password. This option is available only if the SCEP password policy is set to Enter-Password-At-Box
The Mainboard Tab shows some hard core information which is available about the system hardware including Mainboard and CPU information, PCI interfaces. Some vendors do not use DMI standard thus producing incomprehensible results. The aim of this view is purely informative.
Fig. 216 Typical view of the CPU information panel
Service session
Configuration Service
1. Overview
1.1 Barracuda NG Firewall Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.1.1 The Administrative Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
1.1.2 The Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.1.3 The Logical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.1.4 The Functional Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
1.2 Elements of the Configuration Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
6. Repository
6.1 Working with a Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
7. Troubleshooting
7.1 Live Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.2 Initiate Support Calls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.3 Barracuda NG Live Assist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.4 From Our Supports Point of View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
7.5 System Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
1. Overview
1.1 Barracuda NG Firewall Concept
functionality and system design. The module entity is thus on par with the service entity.
Fig. 31 Interdependencies of the various basic configuration entities
1.1.2 The Physical Layer
This layer contains a single entity named box. The box corresponds to a piece of hardware with an operating system and a number of Barracuda NG Firewall software modules required for the management of the box. The box acts as the basic platform for higher-level software functionality (for example firewalling, VPN Service, SMTP-gatewaying, …) provided by server/service combinations. The box contents itself with providing the required underlying networking functionality, basic administrative services, such as logging or accumulation of statistical data, and a daemon for remote configuration updates. Most notably it also hosts the control daemon which is in charge of watching and controlling the operation of all additional advanced software functionality just like advanced networking needs.
In a manner of speaking one could refer to the primary IP address of the box as a default server address under which all functionality required for the management of the box is made available. We refer to the services providing this functionality as box services, see also the section on the control, event, log, and statistics windows.
Each box service corresponds to a different software module. The following modules are available as box services:
Table 31 Required software modules sufficient for management and controlled low level operation of a box
Module name | Daemon | Task
bdns | bdns | Local DNS service
boxconfig | boxconfigd | Management of configuration updates
boxfw | boxfw | Local Firewall
bsms | bsms | Service for control via SMS
bsyslog | bsyslogd | Syslog streaming of log data to a remote log host
control | controld | Control of box and server/service operation
cstat | cstatd | Collection of statistics
dist | distd | Transfer daemon for High Availability and Barracuda NG Control Center
event | eventd | Configurable active notification via mail, SNMP traps or pop-up window
log | logd | Logging
logwrap | logwrapd | Log file rotation and indexing
phibs | phibsd | Authentication service facility
psyslog | psyslogd | Connectivity bridge to syslogd
qstat | qstatd | Handling of statistics queries
Note:
The box services (except for cstat which does require a license to write statistics to the disc) do not require a license to be active. They form, what we refer to as, the Barracuda NG Firewall box infrastructure.
Since the box represents the platform that hosts higher-level software functionality it may also operate completely independently. For this reason the box itself as a configuration object does not need to know anything about servers or services.
1.1.3 The Logical Layer
This layer contains a single entity named server. For NGFW OS operated systems the server in the main incorporates one or several IP addresses, which enables utilisation of higher-level software functionality. The functionality itself is not directly provided by the server but by software modules called services (see 1.1.4 The Functional Layer). In contrast to the traditional concept of a server as a piece of hardware providing some functionality, the Barracuda NG Firewall approach facilitates a separation into a physical server (box) and logical server(s) (server).
Note:
Since all software functionality is made available under the server's own IP addresses we may easily transfer functionality from one box to another by simply transferring the respective IP addresses. High availability is thus achieved by assigning a server to a primary and a secondary box, which both hold all relevant configuration data. Moreover it becomes quite simple to migrate a server from one box or from a pair of boxes to another box or a pair of boxes.
A server has to be assigned to at least one box to have any operational impact. Moreover a server can be assigned to a pair of boxes to achieve High Availability (High Availability, page 399).
1.1.4 The Functional Layer
The functional layer comprises two entities, service and module, as shown in figure 31, page 43.
Barracuda Networks ships all available software modules as part of the standard distribution. You will need an appropriate license key to activate a module's functionality beyond the trial period.
The service entity is basically the outer shell for a software module. Therefore a service provides the software functionality it inherits from an encapsulated software module. Moreover, a service carries all further information required to actually harness the software functionality. This includes the IP port under which the functionality is made available, just like other settings.
A service is explicitly assigned to a single server.
1.2 Elements of the Configuration Window
As soon as you establish a connection to the box configuration daemon (boxconfig) you are allotted your own private session. The ID of your session is shown in the window bar of the config dialog window.
Note:
The GCSID (Generic Configuration Session ID) contains the following elements: IP and source port of connecting client followed by the PID of the server process (daemon boxconfigd) handling the current connection.
Session based operation is a necessary prerequisite for two major reasons: Firstly, it forms the basis for simultaneous access of several administrators to non overlapping regions of configuration space. Secondly, changes are made to a copy of the configuration tree, thereby not affecting the momentary operational status. In case you wish to have changes made undone sessioning lets you carry out an undo. In order to commit your changes you need to click Activate, which requires a separate willful act.
Fig. 32 Box configuration window in compressed connection state
The box configuration window is divided into three main areas:
z The upper part is reserved for several control buttons and combo boxes used to retrieve tree, session, and update status information, change the view of the tree, and activate or undo configuration changes made during the current session.
z The left frame contains all configuration entities.
z The right frame shows all open configuration files
Note:
If you lock a directory or a whole branch of the tree, all
items belonging to this directory or branch will also be
locked.
Fig. 33 Menu after pressing right mouse button on yet unlocked item
Fig. 34 Menu after pressing right mouse button on locked item from another
session
right mouse button. Then, select Show Lock info from the menu.
You may break foreign locks if they belong to broken sessions older than 10 minutes. Locks belonging to intact or active sessions may not be broken. This is necessary in order to not interfere with other administrators' sessions.
However, you may kill the session that owns the lock. Your ability to do so depends on both, your range affiliation (principal range) and authorisation level.
Note:
An active session turns into a broken session when the associated client is suddenly disconnected and has not successfully reconnected.
Attention:
Killing a session means initiating a forced undo on the database. As a consequence the admin owning the session will lose all not yet activated configuration changes made to the tree.
The Configuration Sessions window is invoked by clicking on the Sessions button located in the upper part of the configuration window.
Fig. 35 Configuration Sessions window
The following states are available:
Table 33 Box configuration window icons
Icon | Description
(icon) | no changes in session
(icon) | node: changes in session but not yet sent
(icon) | global: changes not yet activated
(icon) | session locked (read-write mode)
(icon) | session locked by another administrator (read-only mode)
(icon) | RCS file imported but not yet accepted
(icon) | configuration file write protected
(icon) | linked configuration file
(icon) | configuration file is going to be deleted
Note:
Status changes of the tree (locks triggered by someone else) are not necessarily immediately visible to you as the management console only periodically retrieves tree status information. You may speed up the process by making use of the right mouse button menu item Refresh From Here / Refresh Complete Tree (right mouse button on the box itself).
It is advisable to unlock (again by holding down the right
mouse button) all locked configuration files before quitting
a session or temporarily quitting after another task. You
may find out about your own locks by making use of
Locks located in the upper part of the configuration
window.
An active session that gets terminated unexpectedly may
be resumed by simply reconnecting to the box. This
feature gives extra protection against loss of configuration
changes due to network hiccups. If you disconnect or
logout properly your session will be cleared (undo on database).
We strongly advise against indiscriminate killing of active foreign sessions. We recommend to make use of the Show Locks and Show Transactions buttons of the session window to retrieve detailed information on the current and past activities inside the targeted session.
Newly introduced elements are marked by the "new indicator" icon. Altered items such as edited files are marked with the "changed indicator" icon. Items to be deleted are marked with a "deleted indicator" icon.
Note:
You may not delete arbitrary items. Deletable items need to be deleted via the right mouse button menu. Currently only services, servers, and HA partner boxes are deletable.
All of these indicators apply to items inside your session.
The cumulative session status (upper part, figure 32, page 45) will automatically change from a "no modifications" state to a "some modifications" state if only a single item has been introduced, changed or marked for deletion.
Fig. 36 Box configuration window detail
Note that configuration dialog windows (for each item) are issued with a Lock and a Send Changes button. Thus after double-clicking a yet unlocked item you may also lock the item from within the respective configuration dialog.
Send Changes is of particular importance as all changes that have not been sent only reside within the GUI, but have not yet been added to your session. This means that further configuration changes depending on not yet sent changes will not be possible. Moreover, unsent configuration information will not be recoverable by a reconnect in case of unexpected connection termination. The notable difference here is introduction or deletion of either server or service, where invoking the action as such automatically involves a send changes operation. In order to actually activate the changes made within a session you need to activate them.
To this end the main configuration window features a button labelled Activate. Before activating you may investigate the effects your configuration changes will have on the various configuration entities and the tree.
z Clicking Send Changes only sends the changed configuration to the Barracuda NG Control Center (or Box configuration service if the changes are performed directly on a Barracuda NG Firewall) where it is associated with the current session ID. In this state the performed changes are neither sent to the gateway nor merged into the configuration tree at the Barracuda NG Control Center. The latter also means that the configuration changes are not visible to other administrators, as each configurative connection gets its own session ID assigned.
z Clicking Transactions opens a new window listing all pending changes associated with the current session ID (for example changes executed from the current Barracuda NG Admin window). As configuration changes may depend on each other (changing the bind IP in the Service Configuration section may require server IP changes in the Server Configuration section) configurative changes are not activated immediately. Activate pending changes by clicking Activate.
z When you click on Undo all pending transactions (configuration changes which have not been activated yet) are undone. Click Transactions to view currently pending configuration changes.
z HA Sync allows management of the configuration synchronisation between the boxes and visualizes the synchronisation status (in case of HA boxes or a HA Barracuda NG Control Center). The window contains the following elements:
Synchronisation Status - Status of the configuration synchronisation. If a HA sync is pending the appropriate information is displayed, otherwise the informational text will be "Nothing to synchronize".
Last Action - Displays details about the last HA sync, for example date and time when the last synchronisation sequence was performed or failure reasons if the last sync failed.
HA Partner IP - This field allows configuration on how synchronisation should be performed. The HA partner IP can either be the primary Box IP of a HA partner or in case of a dedicated HA link a management IP within the HA network. Selecting the checkbox on the left labelled Change Address enables read-write mode.
Use Sender IP - Here the sender IP for the HA synchronisation can be changed. In general this IP will be the primary Box IP. Selecting the checkbox on the left labelled Change Address enables read-write mode.
Do Update - If a HA sync is pending the synchronisation can be triggered immediately by clicking this button. If configuration has not changed since the last successful synchronisation procedure, nothing is done.
Do Complete Update - Synchronizes the complete configuration tree of the current box to the HA partner box.
Discard Update - Discards a pending configuration synchronisation.
Clear Dirty Status - If the primary box fails, configuration changes are to be performed on the secondary box. In normal operation it is not possible to alter configuration via the secondary box. If there is the need to do so, the HA box has to be switched to the Emergency Override mode. After re-establishing the primary box, the synchronisation has to be started manually. Previous versions of Barracuda NG Firewall required shell access with root permissions to manually restore a clean configuration state. Instead of using the command line Barracuda NG Firewall 4.2 allows restoring a clean configuration state by using the GUI. The administrative role "Manage HA Sync" grants this privilege even to non-root administrators.
Refresh - Refreshes the current window thus reflecting the new Synchronisation Status and displays up to date information in the "Last Action" field.
Close - Closes the HA Box synchronisation window.
Table 34 Buttons of configuration window for session management and status retrieval
Button | Description
Send Changes | Transfers changes from the management console to the session held at the CAS.
HA Sync | Displays update status in case of a HA reinforced installation.
Transactions | Displays transactions to be carried out to the tree by changes made during the session.
Undo | Undoes all not yet activated changes made during a session.
Activate | Activates changes made during the session on the configuration tree on the CAS.
Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010
Configuration Service Elements of the Configuration Window < Overview | 47
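The lock and session rules above (a lock on a directory covers its whole branch, foreign locks may only be broken when the owning session has been broken for more than 10 minutes, killing a session is a forced undo) and the Send Changes / Activate distinction from the button descriptions can be put into one small model. The following Python block is an added example for this page; it is not Barracuda's boxconfigd code. Only the 10-minute threshold and the state names come from the text; the tree paths, session ids (written in the page's "IP, port, PID" shape) and timestamps are constructed.

```python
"""Model of the session and lock rules described in 1.2.

Added, constructed example for this page; not Barracuda's boxconfigd code.
Tree paths, session ids and timestamps are made up; the 10-minute rule,
the unsent/sent/activated distinction and the forced undo follow the text.
"""
from dataclasses import dataclass, field
from typing import Optional

BREAK_AFTER_SECONDS = 10 * 60   # locks of sessions broken for longer than this may be broken


class LockError(Exception):
    pass


@dataclass
class Session:
    gcsid: str                                   # constructed "ip:port/pid" style id
    connected: bool = True
    broken_since: Optional[float] = None
    unsent: dict = field(default_factory=dict)   # edits that live only in the GUI
    sent: dict = field(default_factory=dict)     # edits added to the session on the box

    def send_changes(self):
        self.sent.update(self.unsent)
        self.unsent.clear()

    def disconnect(self, now):
        """Sudden disconnect: the session is broken and unsent GUI edits are lost."""
        self.connected, self.broken_since = False, now
        self.unsent.clear()

    def reconnect(self):
        """Reconnecting resumes the session; sent but not activated changes survive."""
        self.connected, self.broken_since = True, None


class ConfigTree:
    def __init__(self, paths):
        self.active = dict.fromkeys(paths)   # activated configuration, path -> value
        self.locks = {}                      # path -> gcsid of the locking session

    def _subtree(self, path):
        return [p for p in self.active if p == path or p.startswith(path + "/")]

    def lock(self, path, session):
        """A lock on a directory or branch covers every item below it."""
        for p in self._subtree(path):
            owner = self.locks.get(p)
            if owner not in (None, session.gcsid):
                raise LockError(f"{p} is locked by session {owner}")
        for p in self._subtree(path):
            self.locks[p] = session.gcsid

    def break_lock(self, path, owner, now):
        """Only locks of sessions broken for more than 10 minutes may be broken."""
        if owner.connected or now - owner.broken_since <= BREAK_AFTER_SECONDS:
            raise LockError("lock belongs to an intact or active session")
        for p in self._subtree(path):
            if self.locks.get(p) == owner.gcsid:
                del self.locks[p]

    def kill_session(self, session):
        """Forced undo: every not yet activated change of the session is lost."""
        session.sent.clear()
        session.unsent.clear()
        self.locks = {p: o for p, o in self.locks.items() if o != session.gcsid}

    def activate(self, session):
        self.active.update(session.sent)
        session.sent.clear()


def can_break_after(seconds):
    """Whether a lock of a session that broke `seconds` ago may be broken."""
    tree, s = ConfigTree(["box", "box/network"]), Session("10.0.0.7:40003/1236")
    tree.lock("box", s)
    s.disconnect(now=0.0)
    try:
        tree.break_lock("box", s, now=float(seconds))
    except LockError:
        return False
    return not tree.locks


def walkthrough():
    """Run the rules through one constructed sequence and report what happened."""
    tree = ConfigTree(["box", "box/network", "box/network/routes", "box/admin"])
    alice, bob = Session("10.0.0.5:40001/1234"), Session("10.0.0.6:40002/1235")
    seen = {}
    tree.lock("box/network", alice)                      # also locks box/network/routes
    seen["lock_inherited"] = tree.locks.get("box/network/routes") == alice.gcsid
    try:
        tree.lock("box/network/routes", bob)
        seen["bob_got_lock"] = True
    except LockError:
        seen["bob_got_lock"] = False
    alice.unsent["box/network/routes"] = "1.2.3.0/29 dev eth2"
    alice.send_changes()                                 # held in the session, not only the GUI
    alice.unsent["box/admin"] = "edited but never sent"
    alice.disconnect(now=1000.0)
    seen["unsent_lost"] = "box/admin" not in alice.unsent
    seen["sent_kept"] = "box/network/routes" in alice.sent
    alice.reconnect()
    tree.activate(alice)                                 # Activate commits the session's changes
    seen["activated_value"] = tree.active["box/network/routes"]
    tree.lock("box/admin", bob)
    bob.unsent["box/admin"] = "draft"
    bob.send_changes()
    tree.kill_session(bob)                               # forced undo by another administrator
    seen["killed_session_empty"] = bob.sent == {} and "box/admin" not in tree.locks
    return seen


if __name__ == "__main__":
    print(walkthrough())
    print("break after 5 min:", can_break_after(300), "after 10 min + 1 s:", can_break_after(601))
```

The walkthrough shows the two points the text stresses for configuration safety: edits that were never sent do not survive a disconnect, while sent edits are recovered by a reconnect; and a killed session loses everything it had not activated.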
2.1.1 Screenshots
The screenshots below are examples, hence some or all of
them may differ slightly from the current display of your
system. When configuring a Barracuda NG Firewall, the
parameter sequence described in this document has to be
adjusted to your settings.
2.1.2 User Interface

2.1.2.1 General Buttons

Fig. 37 User Interface

z Close button
This button closes the configuration dialog. When closing a modified dialog without sending changes, a pop-up with respective information will open. Choose the appropriate answer to confirm or cancel your action.

As soon as the box is in emergency override mode, the box icon changes. Please consider that any configuration change on a box in emergency override mode has to be repeated on the Barracuda NG Control Center.

yet been added to the list. Always be aware that only values appearing in the list will be added to the configuration.

Consider the following example for better understanding:

Fig. 310 Change / Insert / Delete mask content after Copy to Clipboard
Fig. 311 Barracuda NG Admin Configuration list and part of Clipboard
2.2 Setting up the Box

The box is a vital configuration entity which actually corresponds to a solid piece of hardware. The box as a whole is a rather complex configuration object. However, as far as the basic configuration is concerned, only very little information has to be supplied. The settings the box comes up with after installation will, however, not suffice to exploit the full potential of a Barracuda NG Firewall system.

Note:
The box is special insofar as it represents the hosting platform for a Barracuda NG Firewall system. It is essential that all relevant aspects of the basic box operations are individually adjustable. As a consequence of this, the tree belonging to an individual box contains a number of box specific configuration files. The configuration scope of a box borrows from all these elements.

In a first step of issuing a box with more advanced capabilities, it initially suffices to concentrate on the two principal configuration files named Administrative Settings and Network. We will thus start out with a discussion of these two. Next in line is Identity, which is security related and is used to set or change the identity with which the box advertises itself to the world.

Note:
The plus sign (+) is used to emphasize the importance of a file. Importance normally goes hand in hand with a certain inherent complexity. The networking configuration is always box specific as it contains the box's IP addresses and thus must not be shared.
List 31 Box Config section Identification Settings

Note:
The section Operational Settings is only available on CC-administered boxes.
2.2.3 Administrative Settings

The configuration file Administrative Settings contains information relevant for the proper operation of a Barracuda NG Firewall system, as does the file Network. Its nature is, however, such that per se it does not necessarily contain data specific to the exact location of a box within the network. Thus a single instance of this file may be shared amongst a number of boxes.

Open the configuration by double-clicking the Administrative Settings node.

2.2.3.1 System Access

Fig. 316 Administrative Settings - System Access

Note:
This parameter group is only available in Advanced View mode.

Parameter / Description
  Authentication Mode: Choose from Key-OR-Password, Password, Key or Key-AND-Password. Note that the usage of keys should always be favoured over the usage of passwords, as no security relevant information needs to be exchanged when authentication takes place via public-key cryptography (challenge-response approach).
  Root Public RSA Key: Allows you to import a public RSA key from a file or the clipboard. With an appropriate authentication mode the Barracuda NG Firewall box will authenticate an admin via public key cryptography. As a necessary prerequisite, Barracuda NG Admin needs to have loaded the matching private RSA key.
    Note: For security reasons you should not use unencrypted private keys.
    Note: The root public RSA key is only applicable for controlled Barracuda NG Admin logins. If a key for automated SSH login is required, use the Authorized Root Keys option instead (see below).
  Root Aliases: Note: Root Aliases are only available on CC-administered boxes. On single boxes multiple administrator roles may be created in Admins (accessible via Config > Box, see 2.2.7 Administrators, page 91).
    Click the Insert button to insert a new root alias name.
    Inactive: A newly introduced root alias is ready for use immediately after creation (default setting: no). Set to yes to disable its login temporarily.

List 34 Administrative Settings - System Access section Root Password
  New Root Passwd: The root password of the NGFW Subsystem and the Linux OS. Passwords with less than 5 characters are not permitted.

List 35 Administrative Settings - System Access section Service Password
  New Service Password: The password of an unprivileged Linux OS user for support purposes.
    Note: Passwords with less than 5 characters are not permitted.

List 36 Administrative Settings - System Access section Access Control List
  ACL: Access control list to protect the box from denial of service (DoS) attacks. Array of IP/mask pairs for which exclusive access to the administrative IP addresses of the box at TCP port 22 (secure shell) and TCP ports 800-820 is granted. TCP based access from all other addresses to these port/address combinations is administratively prohibited. By default, access is allowed from an arbitrary address.

List 37 Administrative Settings - System Access section Serial Access
  Serial Access / Serial Settings: Click the Edit button to enter the configuration dialog.
  Access Types:
    ConsoleOnly (COM1): This setting enables box access using a terminal emulation program such as HyperTerminal via the serial interface COM1 (terminal emulation: ansi; baud rate: 19200).
      Note: The parameters Mgmt COM Port and Mgmt Baud Rate are inactive when this option is set.
    ManagementOnly: With this setting the box can be accessed with the Barracuda NG Admin GUI via COM1 (therefore Mgmt COM Port is inactive; default Mgmt Baud Rate: 57600).
    Console(COM1) And Management: This option combines the two above (default Mgmt COM Port: COM1; default Mgmt Baud Rate: 57600).
  Mgmt COM Port: This option defines the serial port that is to be used.
  Mgmt Baud Rate: With this setting the Baud Rate is defined.
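The security-relevant point of the ACL in List 36 above is its default: an empty list means SSH and TCP 800-820 on the administrative IPs are reachable from any source, and the ACL says nothing about other ports, which are left to the firewall rule set. The following added example (not part of the original guide and not Barracuda code) models that decision logic and audits an ACL before activation. The administrative IP, the ACL entries and the connection attempts are constructed sample data; the "not-covered" outcome and the broad-entry thresholds in the audit are this example's assumptions.

```python
"""Model the box ACL of List 36: IP/mask pairs that alone may reach the
administrative IPs on TCP 22 and TCP 800-820."""
import ipaddress

PROTECTED_PORTS = frozenset({22} | set(range(800, 821)))   # ports named on the page


def parse_acl(entries):
    """Parse the ACL's "IP/mask" strings (dotted masks or prefix lengths).
    Returns a list of networks; an empty list is the factory default."""
    acl = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            acl.append(ipaddress.ip_network(entry, strict=False))
    return acl


def acl_audit(acl):
    """Findings a reviewer should see before the ACL is activated."""
    findings = []
    if not acl:
        findings.append("ACL empty: SSH and TCP 800-820 reachable from any address (default)")
    for net in acl:
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every address, ACL is ineffective")
        elif net.prefixlen < 16:                      # threshold is an assumption
            findings.append(f"{net}: very broad entry ({net.num_addresses} addresses)")
    return findings


def admin_access_decision(acl, admin_ips, src_ip, dst_ip, dst_port, proto="tcp"):
    """'allow' or 'deny' for connections the ACL governs; 'not-covered' for
    anything else (other ports, non-admin destinations, UDP), which the
    forwarding rule set has to decide."""
    if proto != "tcp" or dst_port not in PROTECTED_PORTS:
        return "not-covered"
    if ipaddress.ip_address(dst_ip) not in {ipaddress.ip_address(a) for a in admin_ips}:
        return "not-covered"
    if not acl:
        return "allow"                                # default: arbitrary address
    src = ipaddress.ip_address(src_ip)
    return "allow" if any(src in net for net in acl) else "deny"


def evaluate_attempts(acl, admin_ips, attempts):
    """Run (src, dst, port) tuples through the ACL; return a per-decision
    count and the denied sources for follow-up."""
    summary = {"allow": 0, "deny": 0, "not-covered": 0}
    denied = []
    for src, dst, port in attempts:
        decision = admin_access_decision(acl, admin_ips, src, dst, port)
        summary[decision] += 1
        if decision == "deny":
            denied.append(src)
    return summary, denied


# Constructed sample data for the demo (not from the guide).
ADMIN_IPS = ["10.0.0.1"]
ACL_ENTRIES = ["10.0.0.0/255.255.255.0", "192.168.50.10/32"]
ATTEMPTS = [
    ("10.0.0.77", "10.0.0.1", 22),       # admin LAN -> SSH: allowed
    ("192.168.50.10", "10.0.0.1", 801),  # jump host -> mgmt port: allowed
    ("203.0.113.9", "10.0.0.1", 22),     # Internet -> SSH: denied by ACL
    ("203.0.113.9", "10.0.0.1", 443),    # not an ACL port: rule set decides
    ("10.0.0.77", "10.0.0.2", 22),       # not an admin IP: rule set decides
]

if __name__ == "__main__":
    acl = parse_acl(ACL_ENTRIES)
    print(evaluate_attempts(acl, ADMIN_IPS, ATTEMPTS))
    print(acl_audit(parse_acl([])))
```

Run it once with an empty ACL (as shipped) and once with the intended entries: the audit output for the empty case is the reason to set the ACL before the box is exposed.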
List 38 Administrative Settings section Advanced Access Settings
  Authorized Root Keys: The Authorized Root Keys field may be used to insert public keys assigned to user root in OpenSSH format. Public keys apply for key-based authentication using SSH and can be employed, for example, to enable automated key based SSH logins for backup creation purposes.
    The inserted string is appended to the authorized_keys2 file assigned to user root, thus permitting login with an OpenSSH client disposing of the corresponding private key. Details on OpenSSH client configuration are available at http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-openssh-client-config.html.
    Note: Insert multiple keys one per line.
    Public keys available in a format other than the OpenSSH format may be converted using the ssh-keygen utility (refer to man ssh-keygen for details). On UNIX systems, the user's public keys are usually written to ~/.ssh/id_rsa.pub (for RSA based keys) or ~/.ssh/id_dsa.pub (for DSA based keys).
    Note: The Authorized Root Keys option is only required for automated logins by user root. Key-based SSH login (controlled and automated) for non-root users is configurable in the following places:
      On single boxes: Config > Box > Administrators > Public RSA Key (see 2.2.7 Administrators, page 91)
      On CC-administered boxes: Admins > Details tab > Public Key (Barracuda NG Control Center 8.3 Admin User Interface, page 458)

2.2.3.3 DNS

Fig. 317 Administrative Settings - DNS

List 39 Administrative Settings - DNS section Basic DNS Settings
  DNS Server IP: List of DNS server IP addresses serving the domain specified above.
    Note: Both Box DNS Domain and DNS Server IP have to be set when using a proxy service. Otherwise the proxy service cannot start.
    The resolver system layer does not monitor the /etc/resolv.conf file. Thus, services using this layer (in contrast to services using the Barracuda NG Firewall resolver) will not recognize changed DNS server settings automatically. Examples of services using the resolver layer are a number of phibs authenticators, proxy, snmp and dhcpe. Therefore, when changing DNS Server IP settings, Barracuda NG Firewall services should be restarted manually. Do so by clicking the OS Restart button (see OS Restart, page 39).

List 310 Administrative Settings - DNS section Advanced DNS Settings
  DNS Search Domains: Names of those domains which should automatically be appended to an alias name when performing a DNS query. Separate multiple domains with spaces.
  DNS Query Rotation: Note: This parameter is only available in Advanced View mode.
    When multiple DNS servers are used, this parameter defines whether DNS queries should regularly rotate between them. Set to yes (default: no) to activate rotation.
  DNS Query Timeout: Note: This parameter is only available in Advanced View mode.
    Defines the timeout [sec] for DNS queries. When a query exceeds the specified timeout, the next DNS server is queried.
  Known Hosts (Host Name/Host IP/Full Name/Aliases): Note: This parameter is only available in Advanced View mode.
    Use this section to add user-defined entries to the system's file /etc/hosts. This file will by default always be consulted first for name resolution. It is useful to specify address/name pairs of locally known hosts here, for which no name resolution via DNS is available. The name specified in the first column Name of this section will be used as alias as well.
    To open the Known Hosts configuration window, click Insert. As the bare minimum you have to supply the Host IP address. This address is associated with the name of the section instance. Optionally, you may specify a fully qualified domain name (dots as name space delimiter) and a whole list of additional Aliases (no dots).
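The Authorized Root Keys field of List 38 above takes OpenSSH-format lines, one per line, and appends them to root's authorized_keys2; anything in RFC 4716 ("SSH2") or PEM form has to go through ssh-keygen first. Because a pasted key grants automated root login, it is worth checking the lines before they reach the box. The following added example (not part of the original guide and not Barracuda code) parses authorized_keys lines, verifies that the base64 blob really carries the declared key type, rejects RFC 4716 input with the conversion hint, and merges new keys into an existing file text without duplicates. The sample keys are constructed with toy RSA parameters by the helper make_demo_rsa_key and are not usable keys; the function names are this example's own.

```python
"""Check OpenSSH public keys before pasting them into Authorized Root Keys:
one key per line, OpenSSH (not RFC 4716/PEM) format, a blob whose embedded
type matches the declared type, and no duplicates of keys already present."""
import base64
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def make_demo_rsa_key(e, n, comment):
    """Build a syntactically valid ssh-rsa line from toy integers. Constructed
    for this demo only; such a modulus is far too small for real use."""
    def mpint(x):
        # big-endian with a leading 0x00 byte whenever the top bit is set
        return x.to_bytes((x.bit_length() + 8) // 8, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(mpint(e)) + _ssh_string(mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_authorized_key(line):
    """Parse one authorized_keys line into {"type", "blob", "comment"}.
    Raises ValueError for blank/comment lines, RFC 4716 or PEM input, bad
    base64, and blobs whose embedded type string contradicts the prefix."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        raise ValueError("empty or comment line")
    if stripped.startswith("----"):
        raise ValueError("not OpenSSH format; convert first with: ssh-keygen -i -f <file>")
    tokens = stripped.split()
    if tokens[0] not in KEY_TYPES:
        tokens = tokens[1:]            # leading options field (e.g. no-pty), if any
    if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type or missing key data")
    key_type, b64 = tokens[0], tokens[1]
    comment = " ".join(tokens[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"key data is not valid base64: {exc}")
    embedded, _ = _read_ssh_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError(f"declared type {key_type} but blob says {embedded!r}")
    return {"type": key_type, "blob": blob, "comment": comment}


def merge_authorized_keys(existing, new_lines):
    """Append the keys in new_lines to the existing file text, one per line,
    skipping duplicates and rejecting malformed lines. Returns
    (merged_text, report); report says what happened to each new line."""
    seen, kept = set(), []
    for line in existing.splitlines():
        try:
            key = parse_authorized_key(line)
            seen.add((key["type"], key["blob"]))
            kept.append(line.strip())
        except ValueError:
            kept.append(line)          # comments and blank lines pass through
    report = []
    for line in new_lines.splitlines():
        if not line.strip():
            continue
        try:
            key = parse_authorized_key(line)
        except ValueError as exc:
            report.append(f"rejected: {exc}")
            continue
        ident = (key["type"], key["blob"])
        if ident in seen:
            report.append(f"duplicate: {key['comment'] or key['type']}")
            continue
        seen.add(ident)
        kept.append(line.strip())
        report.append(f"added: {key['comment'] or key['type']}")
    return "\n".join(kept) + "\n", report


# Constructed input: one key already present, one new key, an RFC 4716
# header line as exported by some clients, and a mislabelled blob.
BACKUP_KEY = make_demo_rsa_key(65537, 0xC3B7F1A5, "backup@mgmt")
EXISTING = "# root keys\n" + BACKUP_KEY + "\n"
NEW_KEYS = "\n".join([
    BACKUP_KEY,
    make_demo_rsa_key(65537, 0xD9E4B10F, "monitor@mgmt"),
    "---- BEGIN SSH2 PUBLIC KEY ----",
    "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-rsa") + b"\x00" * 8).decode("ascii") + " mislabelled",
])

if __name__ == "__main__":
    merged, report = merge_authorized_keys(EXISTING, NEW_KEYS)
    print(merged)
    print("\n".join(report))
```

The merge deliberately keeps the comment column as the only human-readable identity of a key, so use descriptive comments (purpose and owner) when generating keys for the box; a duplicate with a different comment is still reported as a duplicate because identity is the (type, blob) pair.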
List 311 Administrative Settings - Caching DNS Service section Advanced DNS Settings
  Run Slave DNS: This parameter activates/deactivates a local Slave DNS service (default no = deactivated). Setting it to yes activates the fields Default Master DNS and DNS Slave Zones (see below). The slave DNS service obtains its slave zone configuration from the entries specified through the DNS Slave Zones field and additionally fetches further zone configuration files from the servers specified in the Default Master DNS field.
  Query Source Address: This parameter allows specifying which IP address to use as source address when querying the DNS or Master DNS server(s). The following settings are possible:
    Wildcard (default) - IP selection is accounted for dynamically according to definitions in the routing table.
    VIP (on CC administered boxes only) - Uses the system's Virtual Management IP.
    MIP - Uses the system's management IP, which is the Main Box IP.
    Select checkbox Other to specify an IP address explicitly.
  DNS Query ACL: Here single IP addresses or netmasks can be defined that may access the DNS service via a local redirect firewall rule.
    Note: Do not forget to create this rule in the Forwarding Firewall Rule set.
  Log DNS Queries: If this parameter is set to yes (default: no) every DNS query will be logged.
  Default Master DNS: This parameter takes a single DNS server or a list of DNS servers which the local slave DNS service queries for zone files.
  DNS Slave Zones: Click the Insert button to create a new slave zone entry. Enter the fully qualified domain name of the zone into the Name field of the newly opened DNS Slave Zone window. The following parameters are then available for configuration:
    Active Zone: A newly created zone is active by default (setting: yes). The configuration can be deactivated temporarily by setting the parameter value to no.
    Zone Type: This value determines the DNS zone type (Forward (default), Reverse or Both). Setting to Reverse or Both activates the fields Reverse Lookup Net and Reverse Lookup Netmask below.
    DNS Master IP: This parameter takes a single DNS server or a list of DNS servers which the local slave DNS service queries for this zone. If specified, this setting overrides the globally defined Default Master DNS. If left empty, the field is ignored.
    Reverse Lookup Net / Reverse Lookup Netmask: These fields define the network and netmask the specified zone resides in.
    Transfer Source Address: This parameter allows specifying which IP address to use as source address when querying the Master DNS server(s), thus overriding the globally defined value. The following settings are possible:
      Wildcard (default) - IP selection is accounted for dynamically according to definitions in the routing table.
      Query Source - This setting uses the IP address of the client initiating the query.
      VIP (on CC administered boxes only) - Uses the system's Virtual Management IP.
      MIP - Uses the system's management IP (Main Box IP).
      Select checkbox Other to specify an IP address explicitly.

2.2.3.5 TIME/NTP Tab

Fig. 318 Administrative Settings - TIME/NTP

List 312 Administrative Settings - TIME/NTP section Time Settings
  Timezone: Select the desired time zone for your NGFW OS system. Note that changing the time zone later on is a rather momentous measure as far as its implications for data accounting, logging, and eventing are concerned.
    Note: Time zones available for configuration in the pull-down menu are stated in POSIX compliant style according to their derivation from a UNIX system. This means that in Etc/GMT time zones, hours preceded by a minus (-) are counted to the east of the Prime Meridian, and hours preceded by a plus (+) are counted to the west of the Prime Meridian. Conversion to daylight saving time (DST) is not considered in Etc/GMT time zones. To do so, time settings in Country/City format must be used. Accordingly, Etc/GMT-1 (GMT+1 without the preceding Etc on Microsoft Windows operating systems) specifies the time zone 1 hour to the east of Greenwich Mean Time without consideration of DST, and Europe/Berlin specifies the same time zone with consideration of DST conversion.
    Note: Please consider that daylight saving times are an unreliable factor in cross-national networks. If you are administering multiple systems situated in different time zones with an optional Barracuda NG Control Center, switching to UTC uniformly is recommended.
  Set HW Clock to UTC: Choose yes to set the hardware clock (aka CMOS or BIOS clock) to UTC (Universal Time, Coordinated) (default: no). Reference time will be your system time. Running the hardware clock with UTC will immunize your system against unexpected time lapses caused by changes from or to daylight saving time (DST). We recommend using this feature in combination with a prior synchronisation to an external reference clock (time server), as explained below.

List 313 Administrative Settings - TIME/NTP section NTP Settings
  NTP sync on Startup: If set to yes the box will try to obtain the correct time from an external reference clock whenever the network is restarted.
    Note: Continuous time synchronisation may be achieved by running an NTP daemon on the system.
    The box will use its primary box IP as source address when contacting a time server. Consequently, a Barracuda NG Firewall system placed at the border of your network will typically contact a time server belonging to the protected LAN side.
    Event-IDs 2080/2081/2082 may be generated in conjunction with parameter Start NTPd set to yes (System Information 5. List of Default Events, page 536).
    Note: Every synchronisation attempt with a time server will be brought to your attention by eventing once NTPd has been started. This is due to the fact that we consider maintaining an appropriate time standard on the system as a prerequisite for reliable system operation.
List 313 Administrative Settings - TIME/NTP section NTP Settings
  Time Server IP: Array of IP addresses of NTP protocol conform time servers. Try to specify as many independent server addresses as possible. These addresses will be contacted in turn during every restart of the network subsystem for the purpose of time synchronisation. The first successful synchronisation will suppress further synchronisation attempts until the next restart occurs. For continuous synchronisation you must run an NTP daemon on your system (see comment below) or run ntpdate from a cronjob every so often. Note that the latter approach may incur backwards time glitches causing the log and statistics daemons to complain about clock skews.
    Note: On a firewall system you may not bind to 0.0.0.0 and you will need to specify the source address to be used by ntpdate. You may do so by making use of our additional flag -A <IP>.
    Note that the network consistency check logic will also check whether or not these addresses are reachable (routes available) from the box with the box management IP as source address. If you run the system as a remote box (administration via a tunnel to a management instance) then the source address is the so-called virtual IP (VIP) instead.
    Note: If available, Barracuda Networks recommends using the Barracuda NG Control Center as time server.
  Start NTPd: If set to yes the system will continuously aim at keeping its time in sync with the external references specified above in order to improve the reliability of your time standard. Note that the trade-off here is increased UDP traffic from the box to those IPs. Your Barracuda NG Firewall system in turn also becomes an NTP time server that may be queried by clients on your LAN. The addresses under which this service is made available are the administrative IPs at UDP port 123.
    Attention: Be aware that running an NTP daemon on your Barracuda NG Firewall system makes the system vulnerable to NTP specific exploits and UDP based denial of service attacks. Never direct your Barracuda NG Firewall system to untrusted reference time servers or run a time server in a completely hostile environment.
  Local Clock Stratum: This setting configures the stratum value of the local clock for the NTP daemon. The time reference has a fixed stratum value n and each subsequent computer in the NTP chain has a stratum value n+1. The preconfigured default value 10 should be set to 9 on the CC box to make clear that the CC box is the preferred source.
  Event on NTPd: Only relevant when Start NTPd is set to yes. You may configure the NTPd related conditions that trigger event notification (Event-IDs 2070-2073). You may choose from 4 different settings:
    start-failure (default)
    +stop-failure
    ++start-success
    +++stop-success
    The list is additive, which means items further down the list automatically include all previous ones.
    Events will also be triggered when the NTP daemon is restarted via the Control > Box tab (Control 2.6 Box Tab, page 38):
      Restart NTP button: In this scenario the control daemon induces NTPd to restart.
      Sync button: Synchronisation processes are triggered through the script ctrltime. ctrltime stops NTPd and then executes ntpdate on port 123.
    Note: You will not be notified when NTPd is killed manually or just dies unexpectedly. The settings here only pertain to NTPd behavior during controlled start or stop sequences.

2.2.3.6 A small Digression into Linux Time Management

(excerpted from "Linux-Clock HOWTO", v2.1, Nov. 2000 by Ron Bean)

The Linux "system clock" actually just counts the number of seconds past Jan. 1, 1970, and is always in UTC. UTC does not change as DST (Daylight Savings Time) comes and goes; what changes is the conversion between UTC and local time. The translation to local time is done by library functions that are linked into the application programs.

This has two consequences: First, any application that needs to know the local time also needs to know what time zone you're in, and whether DST is in effect or not. Second, there is no provision in the kernel to change either the system clock or the RTC (real time clock) as DST comes and goes, because UTC doesn't change. Therefore, machines that only run Linux should have the RTC set to UTC, not local time. Unfortunately, there are no flags in the RTC or the CMOS RAM to indicate standard time vs. DST. This means that, if the RTC has been set to local time, the system must assume that the RTC always contains the correct local time.

If Linux is running when the seasonal time change occurs, the system clock is unaffected and applications will make the correct conversion. But if Linux has to be rebooted for any reason, the system clock will be set to the time in the RTC, which might be off by up to an hour since DST information is not stored in the RTC or CMOS RAM.

Some other documents have stated that setting the RTC to UTC allows Linux to take care of DST properly. This is not really wrong, but it doesn't tell the whole story: as long as you don't reboot, it does not matter which time is in the RTC (or even if the RTC's battery dies). Linux will maintain the correct time either way, until the next reboot. In theory, if you only reboot once a year (which is not unreasonable for Linux), DST could come and go and you'd never notice that the RTC had been wrong for several months, because the system clock would have stayed correct all along. But since you can't predict when you'll want to reboot, it's better to have the RTC set to UTC if you're not running another OS that requires local time.
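Two points from the Time Settings list and the digression above are easy to get wrong and matter for log and event correlation: the inverted sign of POSIX Etc/GMT zone names, and the one-hour error a box picks up at reboot when its hardware clock keeps local time across a DST change (the case Set HW Clock to UTC prevents). The following added example (not part of the original guide and not Barracuda code) makes both checkable: etc_gmt_offset parses the zone name with the POSIX sign convention, and clock_after_reboot models the RTC as described in the digression. The Country/City zone is modelled as a hard-coded rule (UTC+1 plus one hour of DST between the EU change instants of 2025), the dates of the scenario are constructed, and all function names are this example's own.

```python
"""Time pitfalls from the TIME/NTP section made checkable: the inverted sign
of Etc/GMT zone names and the boot error of a local-time hardware clock."""
import re
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)


def etc_gmt_offset(zone_name):
    """UTC offset of a POSIX 'Etc/GMT[+-]N' zone. The sign is inverted with
    respect to the familiar 'GMT+1' notation: Etc/GMT-1 is one hour EAST of
    Greenwich (UTC+1), Etc/GMT+5 is five hours WEST (UTC-5)."""
    m = re.fullmatch(r"Etc/GMT(?:([+-])(\d{1,2}))?", zone_name)
    if not m:
        raise ValueError(f"not an Etc/GMT zone name: {zone_name}")
    if m.group(1) is None:                       # plain Etc/GMT
        return timedelta(0)
    sign, hours = m.group(1), int(m.group(2))
    if hours > 14:
        raise ValueError(f"offset out of range: {zone_name}")
    return -hours * HOUR if sign == "+" else hours * HOUR


# A Country/City style zone is a rule, not a fixed offset. Assumption for the
# demo: standard offset UTC+1 with one hour of DST between the EU change
# instants of 2025 (01:00 UTC on 30 March and on 26 October).
DST_START = datetime(2025, 3, 30, 1, tzinfo=timezone.utc)
DST_END = datetime(2025, 10, 26, 1, tzinfo=timezone.utc)


def berlin_like_offset(utc_moment):
    """Offset of the rule-based zone at a given UTC instant."""
    return HOUR + (HOUR if DST_START <= utc_moment < DST_END else timedelta(0))


def clock_after_reboot(rtc_set_at, reboot_at, rtc_in_utc, zone=berlin_like_offset):
    """UTC time the kernel adopts when it boots at `reboot_at` and reads an
    RTC that was last written at `rtc_set_at` and has ticked correctly since.

    RTC in UTC: the reading is the current UTC time, whatever DST did.
    RTC in local time: the RTC was written as local time with the offset in
    force at `rtc_set_at`; it knows nothing about DST, so at boot it holds
    reboot_at + offset(rtc_set_at). The boot code cannot tell and converts
    the reading back with the offset in force now."""
    if rtc_in_utc:
        return reboot_at
    rtc_reading = reboot_at + zone(rtc_set_at)
    return rtc_reading - zone(reboot_at)


def boot_error(rtc_set_at, reboot_at, rtc_in_utc, zone=berlin_like_offset):
    """Signed error of the system clock right after the reboot."""
    return clock_after_reboot(rtc_set_at, reboot_at, rtc_in_utc, zone) - reboot_at


# Constructed scenario: the RTC was last written in January, the box then
# runs (system clock correct) until it is rebooted, once in February and
# once in June, i.e. after the March change.
RTC_WRITTEN = datetime(2025, 1, 15, 8, 0, tzinfo=timezone.utc)
REBOOT_WINTER = datetime(2025, 2, 10, 8, 0, tzinfo=timezone.utc)
REBOOT_SUMMER = datetime(2025, 6, 15, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("Etc/GMT-1 is UTC", etc_gmt_offset("Etc/GMT-1"))
    for mode in (False, True):
        err = boot_error(RTC_WRITTEN, REBOOT_SUMMER, rtc_in_utc=mode)
        print(f"RTC in {'UTC' if mode else 'local time'}: boot error {err}")
```

The local-time case comes out one hour behind after the summer reboot and correct after the winter one, which is exactly the intermittent symptom the digression describes; with the RTC in UTC the error is zero in both cases, and NTP sync on Startup then only has to correct drift.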
2.2.3.7 SMS Control

Fig. 319 Administrative Settings - SMS Control

For gateways that have been equipped with the UMTS extension and a UMTS modem card that is compatible with the adopted SMS implementation (see Inbound SMS Handling, page 77), remote execution of four restorative maintenance tasks is possible.

Use the SMS Control Settings to define how to deal with inbound SMS triggering command execution.

List 314 Administrative Settings - SMS Control section SMS Control Settings
  Remote Control via SMS: Set this to yes (default: no) to allow for SMS triggered command execution. This feature will only work if an appropriate GSM/UMTS card supporting it is installed. The following events are associated with this feature when it is activated:
    [135] Resource Limit Pending - Less than 50 % of the maximum command value remain.
    [136] Resource Limit Exceeded - The maximum command counter has been reached or has been exceeded.
    [4111] Authentication Failure Warning - The ACL does not match.
    [4112] Authentication Failure Alert - Password authentication failure and/or unsuccessful command match.
    [4126] Remote Command Execution Alert - Successful authentication and command is accepted.
    Note: The keyword needs to start with a lower case letter.
  Reboot: Send reboot in a SMS followed by this string to enforce a box reboot.
  Restart Services: Send restart in a SMS followed by this string to enforce a restart of the NGFW Subsystem.
  Reconnect Network: Send reconnect in a SMS followed by this string to enforce a restart of the network subsystem.
  Rebuild Mgmt Tunnel: Send rebuild in a SMS followed by this string to enforce a restart of the MGMT tunnel.
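List 314 describes three gates an inbound SMS passes before a command runs (sender ACL, keyword plus per-command string, command counter) and the event IDs raised at each. The following added example (not part of the original guide and not Barracuda's implementation) models that path so the event sequence can be reasoned about. The page does not say what the ACL matches on, whether a command at the limit is still executed, or how the counter is reset, so this model assumes a sender allow-list, refuses commands once the counter has reached the maximum, and never resets; the class and function names, the secrets and the phone numbers are constructed for the demo.

```python
"""Model of the SMS command path of List 314: sender ACL, keyword and
per-command string, and the command counter behind events 135 and 136."""
import hmac

EVENTS = {
    135: "Resource Limit Pending",
    136: "Resource Limit Exceeded",
    4111: "Authentication Failure Warning",
    4112: "Authentication Failure Alert",
    4126: "Remote Command Execution Alert",
}

# Keyword -> action, as listed on the page (keywords are lower case).
ACTIONS = {
    "reboot": "reboot the box",
    "restart": "restart the NGFW Subsystem",
    "reconnect": "restart the network subsystem",
    "rebuild": "restart the MGMT tunnel",
}


class SmsControl:
    def __init__(self, secrets, allowed_senders, max_commands):
        # secrets: keyword -> the string that must follow the keyword in the SMS
        unknown = set(secrets) - set(ACTIONS)
        if unknown:
            raise ValueError(f"no such command: {sorted(unknown)}")
        self.secrets = dict(secrets)
        self.allowed_senders = frozenset(allowed_senders)   # assumption: ACL of sender numbers
        self.max_commands = max_commands
        self.count = 0            # accepted commands so far
        self.events = []          # (event id, detail) in order of occurrence

    def _event(self, event_id, detail):
        self.events.append((event_id, f"{EVENTS[event_id]}: {detail}"))

    def handle(self, sender, text):
        """Return the action to execute, or None if the SMS is rejected."""
        if sender not in self.allowed_senders:
            self._event(4111, f"sender {sender} not in ACL")
            return None
        parts = text.strip().split(None, 1)
        if len(parts) != 2:
            self._event(4112, "malformed command")
            return None
        keyword, presented = parts
        # Exact, case-sensitive match: the keyword must be all lower case.
        secret = self.secrets.get(keyword) if keyword.islower() else None
        if secret is None:
            self._event(4112, f"unknown command {keyword!r}")
            return None
        # Constant-time comparison so the per-command string cannot be
        # probed byte by byte through timing differences.
        if not hmac.compare_digest(presented.encode(), secret.encode()):
            self._event(4112, f"bad password for {keyword}")
            return None
        if self.count >= self.max_commands:            # assumption: refuse at the limit
            self._event(136, f"{self.count}/{self.max_commands} used, command refused")
            return None
        self.count += 1
        remaining = self.max_commands - self.count
        if remaining < self.max_commands / 2:
            self._event(135, f"{remaining} of {self.max_commands} commands left")
        if self.count >= self.max_commands:
            self._event(136, f"{self.count}/{self.max_commands} used")
        self._event(4126, f"{keyword} accepted from {sender}")
        return ACTIONS[keyword]


if __name__ == "__main__":
    ctl = SmsControl({"reboot": "k7Qp-reboot"}, {"+43664000000"}, max_commands=4)
    print(ctl.handle("+49170000000", "reboot k7Qp-reboot"))   # None, event 4111
    print(ctl.handle("+43664000000", "reboot k7Qp-reboot"))   # "reboot the box"
    for event_id, detail in ctl.events:
        print(f"[{event_id}] {detail}")
```

Whatever the real implementation does at the limit, the model shows why the per-command strings deserve the same care as a password: a sender in the ACL who guesses one of them can reboot the gateway, and the 4112 events are the only trace of the attempts.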
2.2.3.8 SCEP

Note:
See Appendix 1.3 How to set up for SCEP, page 546 for more detailed information.

List 317 Administrative Settings SCEP section BOX SCEP Settings
  Enable SCEP: Setting to yes (default: no) activates SCEP and enables the corresponding configuration parameters below.
  SCEP Settings: Choose Set or Edit to set the SCEP parameters.

Fig. 320 Administrative Settings - SCEP

List 318 Administrative Settings SCEP SCEP Settings section SCEP Server
  SCEP Server IP or Hostname: The IP address or hostname of the SCEP server where the SCEP requests will be sent to. If a DNS hostname is used, make sure the DNS resolver of the gateway has been configured and is able to resolve it.
  SCEP server port number: The TCP port number where the SCEP server listens for requests. The default value is 80, which generally suits the HTTP protocol (see below).
  SCEP server protocol: Choose between http or https.
  SCEP URL path: The complete URL path on the SCEP server which must be used to send the requests.
  Refresh [% Lifetime]: The certificate will be refreshed after this percentage of the certificate lifetime is reached (between 10 % and 90 %).
  Failure Retry Intervals [Minutes]: The number of minutes to wait until the next retry.
  HTTP Authentication: Choose Set or Edit to set the HTTP authentication. Parameter description see List 319.

List 319 Administrative Settings SCEP SCEP Settings section SCEP Server section SCEP HTTP Server Authentication

List 321 Administrative Settings SCEP SCEP Settings section SCEP X509 Request Password
  SCEP Password Policy:
    No-Password - No challenge password will be included in the certificate request.
    Password-from-Configuration - The challenge password is statically configured on the CC and will be included in the certificate request.
    Enter-Password-at-Box - The challenge password will be prompted for at the box when the certificate request is created.
    Get-Password-From-Website - The challenge password is fetched from a web site (typically the CA itself).
  SCEP Password: Static challenge password, needed when the SCEP password policy option is set to Password-from-Configuration.
  SCEP Password URL Path / SCEP Password Search Pattern: The path and the text to look for on the CA's website when the SCEP password policy option is set to Get-Password-From-Website.

List 322 Administrative Settings SCEP SCEP Settings section Connection Details
  Proxy Settings: Choose Set or Edit to enter the configuration. Parameter description see List 323.
  SCEP HTTPS Client Key: Click Ex/Import to import a key.
  SCEP HTTPS Client Cert.: Click Show to view the certificate or click Ex/Import to import a certificate.

List 323 Administrative Settings SCEP SCEP Settings section Connection Details section SCEP HTTP Proxy Settings
the box has been signed by the cluster server and contains the management IP address it has been contacted under.

Fig. 323 Output of a certificate at the command line interface

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Validity
            Not Before: Jan 1 00:00:01 1970 GMT
            Not After : May 18 03:33:20 2033 GMT
        Subject: C=AT, O=Unknown, CN=Unknown, ST=Unknown, L=Unknown, OU=Unknown/Email=office@barracudanetworks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:95:46:c7:10:ee:a8:bf:06:8e:03:37:f1:e2:
NTE4MDMzMzIwWjCBiDELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1Vua25vd
BgNVBAMTB1Vua25vd24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB
d24xEDAOBgNVBAsTB1Vua25vd24xHzAdBgkqhkiG9w0BCQEWEG9mZmljZ
bi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL+VRscQ7qi/B
q9tWgDtpJjz3LmLGGEKzyglqCri3NvH9vyvX5DPnDk2jldHFCZ+ePZ+d/
Ime2+69MhN3o9R06YQ/4KAtwZR+yU1wob54Fm0VdavET3g8eCm0alR5dK
7tX+53P7/YZkq0P8pActB4YJAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAs
EpQijwqpFVC5CIECPY/zHx3fwkppX8uGXC5P2TMyUTr1KLTslpjWmxnXL
T0Gm8qCMRzu0mxr6zaI2aGaW+RI9K2oo8rDaVPJ403lJXQU+ZfEVx5NPv
dQPNtQLXkN1RLS8lE3hJ7m25HxfrfzcHvs8=
-----END CERTIFICATE-----

Note:
The shown certificate is generated by the box itself and is therefore self-signed (Issuer and Subject are both the box). In the absence of a Barracuda Networks trust center, the certificate is not signed by a trusted authority. Authentication thus relies on recognising the public key of the box. In this regard single-box authentication works in a similar fashion as SSH server authentication.

2.2.5 Network

To open the network configuration, double-click Network.

The following configuration entities are available:

Table 36 Classification of the available sections
  Tab / Entry / see
  Networks: mandatory, page 61
  Interfaces: mandatory, page 63
  Virtual LANs: optional, page 65
  Management Access: optional, page 66
  Network Routes: mandatory, page 68
  xDSL/ISDN/DHCP: optional, page 70

This section is special in several ways:
z Only one single mandatory instance exists.
z The specified IP address is pingable by default (ICMP echo).
z This IP is used as source address by the box services to contact an optional Barracuda NG Control Center, unless the box is classified as a remote box and has an assigned VIP (see below). Common activities concerned would be renewal of the license stamp, forwarding of events, and synchronisation with an NTP server.

Fig. 324 Box Network configuration
List 327 Network - Management Network section Device Name
  Hostname: Note: This parameter is only available in Advanced View mode.
    The maximum length of this parameter is 25 characters. This is the box hostname without domain suffix.
    Note: Entering a box hostname is obligatory (indicated by the icon). The hostname is inserted into the file /etc/hosts.

List 328 Network - Management Network section Management Network
  Management IP (MIP): The principal IP address of the box. Barracuda NG Firewall systems do not have dedicated administrative interfaces but rather use administrative IP addresses. The existence of this IP is required for access to the box via SSH and to the Barracuda NG Firewall system via the administration console.
    Note: Access to the MIP may be limited through specification in an ACL (at kernel level).
  Associated Netmask: The mask (or extent in bits) of the network the MIP is embedded in. You may choose the netmask from a pull-down menu, with 8 bits being the default.
    Note: A netmask smaller than 2 bits does not really make sense.
  Interface Name: For convenience a small pull-down menu containing the interfaces eth0, eth1, tr0, and tr1 is present. Select the check box labelled Other to declare another interface. Always remember that your choice is limited to interfaces on NICs for which you have requested driver support.
  Responds to Ping: Governs whether ICMP echo requests will be replied to or not for this address. The default setting is no.
  Bind NTPd: Value yes causes NTPd to bind to this address. The default setting is no.
    Note: NTPd has to be activated separately (see 2.2.3.5 TIME/NTP Tab, page 56).
  Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal (default), dmz, external.
  MTU: Here the MTU (Maximum Transmission Unit) can be set. Packets above this value are sent fragmented.
    Note: MTUs may also be set for NICs (list 329, page 63), virtual LANs (list 330, page 65), additional networks (Networks, page 61) and standard routing (2.2.5.5 Network Routes, page 68). The unwritten rule is that the maximum accepted MTU of the next hop will be used.
  Advertise Route: If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
  Additional IP Addresses: Note: This parameter is only available in Advanced View mode.
    Optionally you may specify additional addresses to be active within the primary box network. In general there is no need to make use of this option. Special circumstances may arise when doing so becomes desirable.
    Note: We consider this an advanced option which is prone to cause unexpected behavior when misused. Thus make sure you understand the implications of the individual options selected for the introduced additional IPs entirely.
    IP Address: The address must be valid and within the associated network. It will be introduced as a stand alone IP with mask 0.
    Responds to Ping: Governs whether ICMP echo requests will be replied to. The default setting is no.
    Management IP: To have box services bound to this IP choose yes (default: no). If yes is selected, the Additional IP becomes a Management IP supplementary to the Main Box IP.
    Bind NTPd: Value yes causes NTPd to bind to this address. The default setting is no.
      Note: NTPd has to be activated separately (see Administrative Settings, page 54).

Section Additional Local Networks

This section is used to specify additional network addresses of the box besides those in the primary box network. Transit networks, external networks, networks describing demilitarized zones (DMZ) or secure server networks (SSN) could be accounted for by such a section. IP addresses utilized in a private uplink network between HA partners must be inserted here as well (see 5.2.4.1 Monitoring Setup, page 118).

In general, it is not advantageous to have additional box IP addresses beyond the one required to administer the box. As an alternative strategy you could use a combination of pending direct routes and server IP addresses to grant the box access to additional networks. Barracuda Networks recommends this latter approach as it leads to increased system security, especially when connecting a system to an untrusted network.

Note:
A direct route is referred to as pending if it cannot be activated without the presence of a dynamically activated IP address (for example a server IP) (see Network Routes, page 68).

Like the primary box network, each additional network contains a subsection allowing the introduction of further isolated additional IPs within the network (see Networks, page 61).

To open the configuration dialog, click the Insert button.

Fig. 325 Additional Local Networks configuration
2.2.5.2 Interfaces

List 329 Box Network section Network Interface Configuration
Parameter: Description

Appliance Model: This pull-down menu contains all available pre-configured appliances. Selecting the corresponding appliance sets the Visible Interface Name to the name that is engraved on the front of the appliance.
Note:
Each appliance model forces its typical corresponding set of interface names (naming eth<n>, port<n>, LAN<n>, ...). This directly influences values shown below in parameter group Physical Interfaces (page 64).
Note:
Selecting the entry USER enables the section called Port Labelling.

Port Labelling
Internal Interface Name, Visible Interface Name:
Note:
This parameter is only available in Advanced View mode.
This configuration section allows defining alternative Visible Interface Names for each interface with a maximum of 5 alphanumeric characters. However, only eth interfaces may be renamed. Interfaces like tap, ppp*, dhcp, loopback are pre-defined and cannot be modified.
Note:
The interface names that are defined within this section should also be used for configuration purposes to avoid "messy" configurations.
Note:
Please consider that interfaces which have been renamed cannot be dynamically updated in the parameter group Physical Interfaces.

Network Interface Cards
NIC Type: Type of Network Interface Card; information required for logical consistency checks. In conjunction with the specified number of interfaces it becomes possible to check whether a particular interface may be referenced in some of the other sections. Available NICs are: Ethernet.

Driver Type: Informs the system whether the driver support is module or kernel based. Default is Loadable_Module. If module based driver support is not available select Compiled_In. This will automatically deactivate several consistency checking routines.
Note:
When selecting Compiled_In please check whether the system's current kernel provides the required support. Barracuda Networks considers this an advanced option whose utilisation requires a profound understanding of the Barracuda Networks adapted Linux OS.

Activate Driver: With this option the driver can be activated/deactivated (default: yes).

Driver Module Name: You have to instruct the system which driver to use for any given kind of interface card. The selection offered corresponds to those cards recommended by Barracuda Networks. Consult the list of supported NICs if you wish to use another card. In this case you will have to select the checkbox labelled Other and enter the module name manually.
Attention:
If you are using a Marvel network adapter that requires the module sk98lin_cb.o, pay attention that interface naming has to begin with eth1. Interface eth0 is NOT supported.

Driver Options:
Note:
This parameter is only available in Advanced View mode.
Used only in conjunction with module based driver support. Refer to the list of supported NICs for more information on this topic. Options are typically used to set the ring speed for token ring interfaces or to bypass media type auto negotiation for ethernet interfaces. Note that several interface specific option strings may be specified, formatted as key=value1 ... valueN, with N being the number of interfaces.

Number of Interfaces: The number of interfaces (integer) of the NIC or NICs that may be in simultaneous use.
Note:
The Number of Interfaces indicates the number of ports and NOT the number of cards of the particular type, for example one dual-port NIC counts as 2 interfaces, but 1 combo-type card with support for three different connectors (for example BNC, AUI, RJ45) counts as 1, because only one connection is active at one time.
You may set the number to zero. In this case the respective module will not be loaded.
If more than seven cards (ports) are present, select the checkbox Other and enter the number of cards manually.

Fallback Enabled:
Note:
This parameter is only available in Advanced View mode.
With this parameter it is possible to activate an alternative NIC driver that is defined via the entries Fallback Module Name and Fallback Driver Options, both mentioned below. This may be helpful during/after updating sequences. If the primary driver does not work, this fallback driver is used. In case the fallback driver does not work either, both drivers are loaded.

Fallback Module Name:
Note:
This parameter is only available in Advanced View mode.
See Driver Module Name, page 63.

Fallback Driver Options:
Note:
This parameter is only available in Advanced View mode.
See Driver Module Name, page 63.

Ethernet MTU: When using an ethernet NIC (NIC Type, page 64), it is possible to set the MTU size (Maximum Transmission Unit) through this field. Packets exceeding this value will be sent fragmented.
Note:
The MTU specified in this place is used as default value for all existing interfaces. It can be adapted individually per interface using parameter MTU in parameter group Physical Interfaces below (list 329).
Note:
MTUs may also be set for virtual LANs (2.2.5.3 Virtual LANs, page 65), box network (2.2.5.1 Networks, page 61), additional networks (Section Additional Local Networks, page 62) and standard routing (Section Main Routing Table, page 68). The rule of thumb is that the maximum accepted MTU of the next hop will be used.
Note:
Example 1: If you have a NIC with MTU size 1500 and a Standard Route with MTU size 2000, the valid MTU size will be 1500.
Example 2: If you have a NIC with MTU size 2000 and a Standard Route with MTU size 1500, the valid MTU size will be 1500.

Ethernet Trunks
Note:
The following parameters are only available in Advanced View mode.

Name: The name of the trunk is a read-only field (after introduction). It may contain up to 8 characters (digits, "-", the 26 characters from the English alphabet).

Virtual Interface: The name the trunking interface is referred to. Legitimate names are bond0 and bond1. When using a single trunk select bond0 as the name of the master interface. In the case of two trunks make sure that the first trunk uses bond0 and the second trunk uses bond1. Any other combination will cause the configuration to be rejected.

Trunked Interfaces: Select at least one ethernet interface (eth0, ..., eth7) from the list. Note that any meaningful configuration should rely on at least two (different) ethernet interfaces. Keep in mind that these interfaces are reserved for exclusive use by the trunking interface. Do not explicitly reference the selected slave interfaces anywhere else in the configuration. Use button Insert to apply the values to the list.

Operation Mode: The following trunking modes are available:
• Fallback (active backup policy): at least two interfaces are required, with only a single slave interface being active at any one time. A prolonged failure of the link check on the active interface will trigger the activation of a backup slave interface.
• Bundle (round-robin policy): as many configured slave interfaces as possible are activated. The kernel will distribute network traffic sent to the master interface to all slave interfaces involved. In a similar fashion inbound traffic to any of the slave interfaces is directed to the master interface.
• Broadcast: everything is transmitted on all slave interfaces.
• XOR: the same slaves are selected for each destination MAC address.
• LinkAggregation: if this option is selected, parameter LACPDU Packet Rate becomes configurable.

Interface Name:
Note:
This parameter is only available in Advanced View mode.
This is the name of the interface. Its labelling is triggered through Appliance Model selection (list 329, page 63).

2.2.5.3 Virtual LANs

Note:
Configuration of this section is only of avail in combination with a properly configured 802.1q capable switch.

With a Virtual LAN, several LANs on one network interface (but only one MAC address) can be simulated. The interface will behave as if it were several interfaces; the switch will behave as if it were multiple switches.

Virtual LANs are needed if too few slots for PCI interfaces exist on the machine. By using virtual LANs it would be possible to run a firewall with only one network interface.

Note:
On Barracuda NG Firewalls, only the following NICs supported by the listed drivers are capable of VLAN technology. Furthermore, Barracuda Networks recommends the usage of Intel NICs.

Table 37 NICs supporting VLAN technology
Supported NIC: Module
Intel 100 MBit Driver by Intel: e100.o
Intel 100 MBit Driver by Intel (certified by Compaq): e100compaq.o
Intel 100 MBit Driver: eepro100.o
Intel 1000 MBit Driver by Intel: e1000.o
Intel 1000 MBit Driver by Intel (certified by Compaq): e1000compaq.o
Broadcom 1000 MBit Driver by Broadcom: bcm57xx.o
Broadcom 1000 MBit Driver: tg3.o

To open the VLAN configuration dialog, click the Insert button:

Fig. 326 Virtual LAN configuration
List 330 Network - Virtual LANs Configuration section Virtual LAN Configuration
Parameter: Description

MTU: The Maximum Transmission Unit defines up to what size packets are sent directly. Packet sizes over this value are sent fragmented.
Note:
MTUs may also be set for NICs (2.2.5.1 Networks, page 61), box network (list 329, page 63), additional networks (Section Additional Local Networks, page 62) and standard routing (Section Main Routing Table, page 68).
The rule of thumb is that only MTUs smaller than the one of the supporting interface make sense.

Header Reordering: Ticking this checkbox causes tag reordering in the Ethernet header of VLAN tagged packets so that the VLAN interface appears as a common Ethernet interface. Header reordering might become necessary in rare cases if external software components connecting to the VLAN interface experience communication problems.
Note:
Header reordering is disabled by default. Do NOT change the default setting without explicit need.

Note:
The label of a network interface is put together by interface name, VLAN-ID and server name, separated from one another by punctuation marks. The label construct looks like the following: interfacename.vlanid:servername (for example eth0.99:foo). A label, including punctuation marks, must not be longer than 15 characters.

Configuring and activating VLANs

Proceed as follows to configure and activate a virtual LAN in the network configuration:

Step 1 Create the virtual interface in the VLANS tab
• Browse to Config > Box > Network > Virtual LANs.
• Specify the Hosting Interface. Therefore, either select the interface from the pull-down menu or select checkbox Other and enter the name of the interface the VLAN should live on manually (for example eth0).
• Specify the VLAN ID (for example 5).
• Optionally, adapt the MTU size.

Step 2 Create a direct route for the VLAN
• Browse to Config > Box > Network > Network Routes.
• Insert a route into the Section Main Routing Table field.
• Specify the address of the VLAN in the Target Network Address field (for example 192.168.8.10).
• Set the Route Type field to direct.
• Insert the name of the virtual interface into the Interface Name field. Therefore, select checkbox Other and enter the interface name manually (for example eth0.5).
• Specify a value for parameter Foreign IP Sufficient (page 69).

Fig. 327 Direct route configuration for Virtual LAN

Step 3 Confirm the changes
• Click the Send Changes and Activate buttons to confirm your configuration changes.

Step 4 Activate the new network configuration
• Browse to Control > Box tab.
• Click the Activate New button and choose Failsafe to activate the new network configuration.
• This action will introduce the VLAN interface and a pending direct route in the Control > Box tab (Control 2.2.8.1 Handling of Routes by the Control Daemon, page 33).

Step 5 Activate the VLAN
Depending on the intended use, introduce the VLAN's IP address either in:
• the Networks configuration area as Section Additional Local Networks (Box > Network > Networks, page 62).
• the Server configuration area as Server Address (see 3. Configuring a New Server, page 94; 3.2.1 General, page 95).
As soon as the VLAN's IP address has been introduced, the inserted direct route will be activated.

2.2.5.4 Management Access

Note:
This section is only available on CC-administered boxes. Configuration is recommended for systems that are managed over the Internet.

List 331 Management Access section Remote Management Tunnel
Parameter: Description

Enable Tunnel: Setting to yes (default: no) activates remote control options and enables the corresponding configuration parameters below.
List 331 Management Access section Remote Management Tunnel
Parameter: Description

Virtual IP (VIP): The Virtual IP (VIP) is used for management access to the Barracuda NG Firewall system. When specified, all communication between Barracuda NG Control Center (CC) and box is processed through the VIP. The VIP may as well be addressed as Box Login address by client workstations administering the systems. Therefore, the VIP must be defined uniquely and it must reside in a Box VIP Network Range (Barracuda NG Control Center 6.3.10 Global Settings - Box VIP Network Ranges, page 439).

Tunnel Details: Choose Set to set the Tunnel Details. For a description see list 333, page 67.

Note:
This parameter group is only available in Advanced View mode.

List 332 Management Access section Serial Console
Parameter: Description

Note:
See also 2.2.3.3 DNS, page 55.

To open the configuration dialog, click the Show button. To delete current settings, click the Clear button.

PPP Remote IP: This is the IP address connecting via the serial IP.

PPP Local IP: This is the Box Management IP. If this field is empty, the Box IP itself will be used.

Require PAP: With this option active the connecting client is required to authenticate itself to the Barracuda NG Firewall [possible users: root or support user].

Tunnel Details CC-managed box

List 333 Remote Management Access Tunnel Details section Management Tunnel Configuration (CC-managed box)
Parameter: Description

Used VPN Protocol: Choose the appropriate protocol: VPN2 (default) or legacy.

VPN Point of Entry: For establishing the remote management tunnel the box VPN client uses the Point of Entry IP as a destination IP. Thus the Point of Entry must be reachable by routing to successfully establish a remote management tunnel. In most cases the Point of Entry will be an external IP address (e.g. from an external firewall at the headquarters which redirects the VPN port to the CC server IP).
Note:
Keep in mind that when the remote management tunnel is established through a Proxy server, the VPN Point of Entry IP inherits the Proxy server's port information. To achieve correct mapping, a rule that translates port addresses in connection requests to the VPN Port (see below) has to be created in the forwarding firewall of the gateway presenting the VPN Point of Entry. For translation of port addresses, use action type Redirect.

VPN Port: The VPN Port defines the destination port used by the box VPN client to establish a remote management tunnel (default: 692).

Type of Proxy: This option allows configuring the server type, in case the management setup provides management tunnel establishment through a Proxy server. By default (setting: none), it is assumed that no Proxy server is used. Other Proxy server types are secure-http, socks5 and socks4.

Transport Protocol: Choose TCP or UDP for VPN transports.

Encryption Cipher: Ciphers used for encryption. Choose AES, AES-256, CAST, Blowfish, DES or 3DES.

VPN Local IP: If a special source IP is required (e.g. for policy routing purposes) the VPN local IP can be specified here. If this field is empty a source IP according to the routing table is used.

VPN Interface: Defines the interface that is to be used for VPN connections (default: tap3).

Proxy Server IP: In case the management setup provides a Proxy server, specify its IP address in this field.

Proxy Server Port: Enter the proxy server port here.

Proxy User: If using secure-http enter a user name for authentication on the proxy here.

Proxy Password: Enter the proxy user's password here.

Target Networks: Enter the destination addresses that should be reached by the local box via the tunnel.
Attention:
Minimum requirement: IP address of the Barracuda NG Control Center.

Reachable IPs: To check the availability of the remote management tunnel the box periodically sends ICMP echo request packets to the configured Reachable IPs. By default the Server IP of the Barracuda NG Control Center is used as reachable IP. If the destination host does not respond the box VPN client assumes that the remote management tunnel is broken and tries to re-establish the tunnel.

List 334 Remote Management Access Tunnel Details section Connection Monitoring
Parameter: Description

No. of ICMP Probes: Number of ICMP echo packets that are sent via the VPN tunnel (default: 2).

Waiting Period [s/probe]: Number of seconds per probe during which the answer to the ping is awaited (e.g. probes=3 and waiting period=2 results in 3x2 s waiting time; default: 1).

Run Probes Every [s]: This parameter defines the time period in seconds between ICMP probes (default: 15).

Failure Standoff [s]: If no connection is possible, this time period is waited prior to a retry (default: 45).

Alarm Period [s]: If this time limit is exceeded without establishing a connection successfully, an alarm is set off (default: 120).

Key Time Limit [Minutes]: Rekey period.

Tunnel Probing [Seconds]: Keep alive packets sent to the remote tunnel end.

Tunnel Timeout [Seconds]: The tunnel is considered down if no answer has been received by the vpnc process after the specified time. Should be a smaller value than the one used for Tunnel Probing.
2.2.5.5 Network Routes

Section Main Routing Table

Before discussing this section in detail a short digression is required to explain the way in which routing is handled by Barracuda NG Firewall boxes.

We distinguish between two basic types of routes:
• direct routes
• gateway routes

The latter comprises all routes which utilize a next hop address. By default each introduced network (primary network and all additional networks) automatically effects a corresponding direct route.

For example, if you have configured a network 10.0.0.8/24 on interface eth0 then the corresponding route will imply that network 10.0.0.0 with mask 255.255.255.0 (and broadcast 10.0.0.255) can be reached directly via interface eth0. Furthermore the box would use address 10.0.0.8 as its source address to which replies should be sent.

We thus realize that an active direct route is fully determined by four key parameters:
• Target network
• Target netmask
• Interface
• Source address

Direct routes state how addresses in directly attached networks may be reached. Each network (BOX NETWORK and each of the optional Additional Local Networks) corresponds to exactly one direct route.

What about stand alone direct routes?

Assume you know that network 10.255.0.0/24 may also be reached directly via interface eth0 but you do not wish to introduce this network on your box.

Since you have not introduced a network the issue arises as to which source address the direct route should adopt. The operating system would automatically assign an address from an already existing network on the same interface. If several networks already exist you even have a choice of source address. The route dialog then allows you to explicitly specify the desired source. Picking the right source address may be crucial under certain circumstances, as it can be the key factor whether traffic is routed back to the box or not.

In case no network has been introduced on an interface the Linux operating system would not allow you to introduce a direct route, since no valid source address is available. One of the advanced features of Barracuda NG Firewall boxes is that you may still configure so-called pending direct routes, which will be hidden from the operating system until an appropriate source address becomes available. In the context of firewalling this would allow you to configure a routing setup which only becomes active when the firewall is active. The advantage of this is that the box as such will never be directly accessible as a target for malicious activity.

Gateway routes now specify through which host within a directly attached network a particular remote network may be reached.

Note:
Direct routes are a necessary prerequisite for the successful introduction of gateway routes since in the first place you must be able to contact the next hop address.

We therefore realize that an active gateway route is determined by five key parameters:
• Target network
• Target netmask
• Next hop address
• Interface
• Source address

As far as its configuration is concerned only the first three parameters are mandatory, as interface and source address are inherited from the direct route leading up to the next hop or gateway address.

One of the advanced features of Barracuda NG Firewall boxes is that you may configure so-called pending gateway routes. Their next hop addresses are only reachable via a pending direct route. They will be hidden from the operating system until the underlying required direct route becomes available. Yet once configured, the status of both pending direct routes and pending gateway routes will always be visible from the control window.

To develop a better understanding consider the following example:

Box "Sega" is a border firewall using three ethernet interfaces:
eth0: 10.0.0.8/24 internal network
eth1: 192.168.0.1/24 DMZ
eth2: external connection

Assume that the box has been assigned a single internationally valid IP address 1.2.3.4 within the provider's network 1.2.4.0/27. Its default gateway has address 1.2.3.1.

We would now configure a pending direct route into the provider's net:
1.2.3.0/27 via dev eth2
and a corresponding pending gateway route (which means the default route):
0.0.0.0/0 via 1.2.3.1

At boot time none of these would be activated. If we assign the firewall module address 1.2.3.4 as one of its addresses, both routes will be activated by the control daemon as soon as the firewall module is activated. If the firewall is blocked both routes will be deactivated again and the box is no longer accessible from the Internet.
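The activation logic sketched for box "Sega" above, as an added Python simulation (not Barracuda code and not the control daemon's implementation): it models the four parameters of a direct route and the five of a gateway route, keeps a route pending while no usable source address exists on its interface, lets a gateway route inherit interface and source from the active direct route containing its next hop, and also shows the Foreign IP Sufficient option of the Main Routing Table (list 335) on the stand alone route 10.255.0.0/24 discussed earlier. Interfaces and addresses are the manual's; the data structures, function names and the tie-breaking by longest prefix are assumptions.

```python
"""Simulation (added example, not Barracuda code) of how pending direct and
gateway routes are activated from the addresses present on an interface."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class DirectRoute:
    target: IPv4Network                   # target network and netmask
    interface: str
    foreign_ip_sufficient: bool = True    # default of list 335 (assumed semantics)
    source: Optional[IPv4Address] = None  # explicitly chosen source address, if any


@dataclass
class GatewayRoute:
    target: IPv4Network
    next_hop: IPv4Address


@dataclass
class RouteState:
    active: bool
    interface: Optional[str] = None
    source: Optional[IPv4Address] = None


def activate_direct(route: DirectRoute, addresses: Dict[str, List[IPv4Address]]) -> RouteState:
    """A direct route needs a valid source address on its interface;
    without one it stays pending (hidden from the OS)."""
    candidates = addresses.get(route.interface, [])
    if route.source is not None:
        # explicit source: only valid once that exact address exists on the interface
        if route.source in candidates:
            return RouteState(True, route.interface, route.source)
        return RouteState(False)
    inside = [a for a in candidates if a in route.target]
    if inside:                            # best match: an address within the target net
        return RouteState(True, route.interface, inside[0])
    if route.foreign_ip_sufficient and candidates:
        return RouteState(True, route.interface, candidates[0])  # any IP on the interface will do
    return RouteState(False)


def activate_gateway(route: GatewayRoute, direct_routes, direct_states) -> RouteState:
    """A gateway route inherits interface and source from the active direct
    route that contains its next hop (longest prefix wins, an assumption)."""
    best = None
    for dr, st in zip(direct_routes, direct_states):
        if st.active and route.next_hop in dr.target:
            if best is None or dr.target.prefixlen > best[0].target.prefixlen:
                best = (dr, st)
    if best is None:
        return RouteState(False)          # pending until the direct route comes up
    return RouteState(True, best[1].interface, best[1].source)


def evaluate(addresses, direct_routes, gateway_routes):
    ds = [activate_direct(r, addresses) for r in direct_routes]
    gs = [activate_gateway(r, direct_routes, ds) for r in gateway_routes]
    return ds, gs


def sega_example(firewall_active: bool):
    """Box 'Sega' from the text; eth2 only carries 1.2.3.4 once the firewall module is active."""
    addresses = {"eth0": [IPv4Address("10.0.0.8")],
                 "eth1": [IPv4Address("192.168.0.1")],
                 "eth2": [IPv4Address("1.2.3.4")] if firewall_active else []}
    direct = [DirectRoute(IPv4Network("10.0.0.0/24"), "eth0"),
              DirectRoute(IPv4Network("192.168.0.0/24"), "eth1"),
              DirectRoute(IPv4Network("1.2.3.0/27"), "eth2")]          # pending direct route
    gateway = [GatewayRoute(IPv4Network("0.0.0.0/0"), IPv4Address("1.2.3.1"))]  # pending default route
    return evaluate(addresses, direct, gateway)


def standalone_example(foreign_ip_sufficient: bool) -> RouteState:
    """Stand alone direct route 10.255.0.0/24 on eth0, where only 10.0.0.8 exists."""
    addresses = {"eth0": [IPv4Address("10.0.0.8")]}
    route = DirectRoute(IPv4Network("10.255.0.0/24"), "eth0", foreign_ip_sufficient)
    return activate_direct(route, addresses)


if __name__ == "__main__":
    for state in (False, True):
        ds, gs = sega_example(state)
        print("firewall active" if state else "boot time",
              [d.active for d in ds], [g.active for g in gs])
```

Running the block prints the route states at boot time (the eth2 direct route and the default route pending) and after the firewall module has brought up 1.2.3.4 (both active, with eth2 and 1.2.3.4 inherited by the default route). With Foreign IP Sufficient set to no, the stand alone route stays pending because 10.0.0.8 lies outside 10.255.0.0/24.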
To open the configuration dialog, click the Insert button.

Fig. 328 Main Routing configuration

List 335 Network section Main Routing Table
Parameter: Description

Target Network Address: Network base address and netmask of the target network.

Route Type: Type of route. Set to direct for a direct route. For a gateway route choose gateway. For usage of multiple gateways choose multipath. If using multipath, further values under Multipath Gateway (see below) must be set.

Gateway: This field is only available with route type gateway and contains the address of the next hop or gateway. The gateway must be reachable by a direct route. This means the gateway address must be within the bounds of one of the target networks of the box direct routes.
Note:
The control daemon will disable the route for as long as the gateway is not reachable.

Multipath Gateway: This field is only available with route type multipath.
Multipath Gateway: Next hop IP address of the multipath route.
Weight Number: Weight number of path (valid range from 0 -10). Lower preference number means higher preference.
Assigned Source IP: Source address of traffic associated with the given multipath gateway.
Note:
If one of the gateways is no longer available, the metric is shifted automatically.
For further information and configuration examples with route type multipath see Firewall 2.2.6.2 Barracuda NG Firewall Multipath Routing, page 155.

Packet Load Balancing: Set to yes to activate packet based load balancing over multiple next hops.

Foreign IP Sufficient: Set to yes (default) to bring up a pending route when any IP becomes available on the interface, even if it does not belong to the target network. Set to no to activate a pending direct route only if a local IP belonging to the target network is or becomes available.
Note:
The control daemon will always try to select the best match by definition.

Interface Name: You need to specify an existing interface (list 329, page 63). When having VLANs, it is mandatory to add the VLAN ID (for example eth0.5; 2.2.5.3 Virtual LANs, page 65).

Source Address: Optional entry allowing you to specify the used source address manually. This address must have been configured in one of the preceding two sections.

Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). Only available with Route Type direct. The interface can be classified to one of the following: unspec (default), internal, dmz, external.

Route Preference Number: Direct routes do not generally need to be equipped with preference numbers. An exception worth mentioning is given if several routes to the same target network exist. Preference numbers may then be assigned to each direct route. Flag the preferred route with a lower preference number. In case the gateway becomes unreachable the route with the higher preference number will be used as a backup option.

MTU: Here the MTU (Maximum Transmission Unit) can be set. Packets over this value are sent fragmented.
Note:
MTUs may also be set for NICs (2.2.5.2 Interfaces, page 63), virtual LANs (list 330, page 65), box network (2.2.5.1 Networks, page 61) and additional local networks (Section Additional Local Networks, page 62). The rule of thumb is that the maximum accepted MTU of the next hop will be used.

Advertise Route: If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.

Reachable IPs:
Note:
This parameter is only available in Advanced View mode.
Insert the IP addresses of hosts into this field that should be reachable via this route.

Re-Reachable Command:
Note:
This parameter is only available in Advanced View mode.
Insert commands into this field that should be run when formerly unreachable IPs become accessible again.

Unreachable Command:
Note:
This parameter is only available in Advanced View mode.
Insert commands here that should be run when neither the gateway nor the IP addresses that have been defined as Reachable IPs (see above) are accessible.

Section Policy Based Routing

As stated at the end of the preceding section, policy routing is a way to implement more complex routing scenarios. The implementation provided by your Barracuda NG Firewall system only uses a subset of the functional scope of policy routing. We base the decision as to whether or not a certain routing table is consulted solely on the source address used to establish a connection.

Since the firewall configuration (on a per rule basis) allows you to specify the address with which an allowed connection is established, policy routing represents an extremely powerful instrument to manage firewalling in topologically complex environments. Virtual private networks (VPN) and IP tunnels in general will routinely need to make use of some sort of policy routing.

Policy routing is all about rules and routing tables. A rule assigns an IP address range (source addresses) to a named routing table. Rules are organized in an ordered list, which means each rule is associated with a preference number. A routing decision by the operating system now involves a walk through the rule set, starting from the rule with the lowest preference number, until a match based on source address is attained. In this case the routing table the rule points to is consulted. If a matching route to the destination address is found in the particular table it will be applied. Otherwise the remaining rules are consulted until a match is found or there are no more rules. In the latter case the destination is said to be unreachable.
When introducing a new policy routing section you create a table and at least one rule at the very same time. More precisely, the name of the table you create is the name of the section; for every source (IP/mask pair) you specify, a rule pointing to this table is created (all with the same preference).

On every Barracuda NG Firewall system at least the following routing rules are always present:

Table 38 Routing rules

Rule   Source     Table
0      0.0.0.0/0  local
1      VIP        vpn2mc
2      VIP        vpn2inet (prohibit)
3      0.0.0.0/0  vpnlocal
10000  0.0.0.0/0  main
32767  0.0.0.0/0  default

Table local will contain all routing information related to local addresses, directly attached networks (direct routes), and broadcast addresses. All routes introduced under Section Main Routing Table wind up in table main unless their target network is 0.0.0.0/0, in which case they are placed into table default.

Table vpn2mc is defined but empty unless the box becomes available via a VPN tunnel.

Table vpn2inet is used for blocking additional route lookups.

Consequently, it will usually make a marked difference whether a rule is inserted before or after the one pointing to table main (preference 10000). We have thus made provisions to specify, on a per-table basis, whether the table is inserted before or after table main. Thus the routing

List 336 Network Routes - Policy Routing section Policy Source Matching
Parameter Description
Source Networks: Array of source networks or single hosts for which this policy routing table is looked up. IP/mask notation is expected. For a single host, you must supply 0 as its netmask (Getting Started 5. Inverted CIDR Notation, page 25).
Table Placement: Governs placement of the table. You may choose between the default option postmain and the advanced option premain. Only seldom should you need to introduce a table positioned before the main table. You would use this option if you wished to create exceptions from the general routing framework (gateway routes) of table main for certain source addresses.
Note: Direct routes refer to routes to directly attached networks. Direct routes based on tunnel interfaces will clearly not fall into this category. In any case, direct routes automatically go into table local, thus being omnipresent.
A postmain placement makes sense if you wish to implement an alternative default route for certain source addresses. In the majority of all cases you will probably want to use postmain.

List 337 Network Routes - Policy Routing section Policy Table Contents
Parameter Description
Routes: Note: This parameter is only available in Advanced View mode.
Subsection containing the routing content of this table. Barracuda NG Firewall supports gateway routes only, since direct routes are already contained in table main. In appearance the corresponding dialog is essentially the same as the one for gateway routes within list 335, page 69, with all direct route specific options removed. The parameter Route Type contains the additional entry throw. This route type is special, as a match is not treated as a termination of the route lookup. Instead, only the route lookup in the current table is terminated and the lookup continues with the remainder of the structure.
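To make the lookup order described above concrete, the following is an added example (not Barracuda code) that simulates rule preferences, premain and postmain placement of policy tables, and the throw and prohibit route types of List 337. The table names and the fixed preferences 0, 10000 and 32767 come from Table 38; the preferences assumed for premain (5000) and postmain (20000) tables, the reading of inverted CIDR notation beyond the single-host case, and all addresses are constructed assumptions.

```python
"""Simulated policy route lookup: rules by preference, tables, and the
throw / prohibit route types.  Added example; not Barracuda code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def inverted_cidr(spec: str) -> ipaddress.IPv4Network:
    """Convert the inverted notation used for Source Networks to a standard
    network.  Assumption: the number after the slash counts host bits, which
    is consistent with the page's rule that a single host is written with 0
    as its netmask (10.0.0.7/0 -> 10.0.0.7/32)."""
    addr, _, hostbits = spec.partition("/")
    return ipaddress.ip_network(f"{addr}/{32 - int(hostbits or 0)}", strict=False)


@dataclass
class Route:
    target: ipaddress.IPv4Network
    kind: str = "gateway"        # gateway | direct | throw | prohibit
    via: Optional[str] = None    # next hop or interface, informational only


@dataclass
class Rule:
    preference: int
    source: ipaddress.IPv4Network
    table: str


class PolicyRouter:
    """Rules are walked in ascending preference; the first table that yields a
    usable match wins.  Table names and the preferences 0/10000/32767 are
    those of Table 38; vpn2mc/vpn2inet/vpnlocal are left out for brevity."""

    # Assumed preferences for policy tables: the page only states that premain
    # tables sit before main (10000) and postmain tables after it.
    PLACEMENT_PREF = {"premain": 5000, "postmain": 20000}

    def __init__(self) -> None:
        self.tables = {"local": [], "main": [], "default": []}
        self.rules = [Rule(0, ANY, "local"), Rule(10000, ANY, "main"),
                      Rule(32767, ANY, "default")]

    def add_policy_table(self, name, sources, routes, placement="postmain"):
        """Creating a policy routing section = one table plus one rule per
        source network, all rules sharing the same preference."""
        self.tables[name] = list(routes)
        for src in sources:
            self.rules.append(Rule(self.PLACEMENT_PREF[placement], src, name))
        self.rules.sort(key=lambda r: r.preference)   # stable sort keeps insertion order

    def lookup(self, src: str, dst: str):
        """Return (outcome, table, via); outcome is 'route', 'prohibit' or 'unreachable'."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if s not in rule.source:
                continue
            best = self._longest_match(self.tables[rule.table], d)
            if best is None:            # nothing in this table: try the next rule
                continue
            if best.kind == "throw":    # ends the lookup in this table only
                continue
            if best.kind == "prohibit":
                return ("prohibit", rule.table, None)
            return ("route", rule.table, best.via)
        return ("unreachable", None, None)

    @staticmethod
    def _longest_match(table, dst):
        hits = [r for r in table if dst in r.target]
        return max(hits, key=lambda r: r.target.prefixlen, default=None)


def build_demo_router() -> PolicyRouter:
    """Constructed sample configuration (documentation address ranges)."""
    net = ipaddress.ip_network
    pr = PolicyRouter()
    pr.tables["local"].append(Route(net("10.0.0.0/24"), "direct", "eth0"))
    pr.tables["main"].append(Route(net("172.16.0.0/16"), "gateway", "192.0.2.1"))
    pr.tables["default"].append(Route(net("0.0.0.0/0"), "gateway", "192.0.2.1"))
    # premain: exceptions for one host; throw hands one sub-range back to main
    pr.add_policy_table("vpnexc", [inverted_cidr("10.0.0.7/0")], [
        Route(net("172.16.0.0/16"), "gateway", "198.51.100.1"),
        Route(net("172.16.9.0/24"), "throw"),
        Route(net("172.16.99.0/24"), "prohibit"),
    ], placement="premain")
    # postmain: alternative default route for half of the LAN (10.0.0.0/25)
    pr.add_policy_table("dsl", [inverted_cidr("10.0.0.0/7")], [
        Route(net("0.0.0.0/0"), "gateway", "203.0.113.1"),
    ], placement="postmain")
    return pr


if __name__ == "__main__":
    r = build_demo_router()
    for src, dst in [("10.0.0.5", "10.0.0.9"), ("10.0.0.7", "172.16.1.1"),
                     ("10.0.0.7", "172.16.9.3"), ("10.0.0.7", "172.16.99.1"),
                     ("10.0.0.5", "198.18.0.1"), ("10.0.0.200", "198.18.0.1")]:
        print(src, "->", dst, r.lookup(src, dst))
```

Running it shows the two cases the page singles out: the premain table wins over main for host 10.0.0.7 except for 172.16.9.0/24, where the throw route ends the lookup in that table and main answers; and the postmain table supplies an alternative default route for 10.0.0.0/25 while every other source falls through to table default.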
provider by supplying a special username and password combination.

xDSL links are special as they involve a dynamic component. The IP address assigned to you by your xDSL provider will change every time the link is brought up. Consequently, an xDSL link to the internet would not be convenient for granting others access to parts of your network.

Note:
Alternatively, you might try to coax your provider into assigning you your own fixed IP address.

Moreover, telecom providers are known to be in the habit of disconnecting your xDSL modem from the network after a given period of time.

For this reason, the xDSL link management automatically introduces and deactivates routes, rules, and tables required by the xDSL link. It continuously monitors the link status and the reachability of certain configurable addresses. If required, the link will be brought down and subsequently re-established. This ensures that if there is a way to have the link up, it will be up.

By selecting yes for the entry xDSL Enabled the other configuration areas for xDSL connections will be activated.

The entry Standby Mode allows combining HA setups to achieve highly available xDSL connections. Setting this parameter to yes implements two different working steps:

- The involved routes are set to pending state, and it is not checked whether they are established.
- The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start: /etc/phion/dynconf/network/openxdsl start <name>
  connection stop: /etc/phion/dynconf/network/openxdsl stop <name>

This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is to be deactivated, the connection is stopped automatically. By doing so, it is possible to implement HA setups with broadband links.

Attention:
To avoid routing conflicts in multi-provider environments, be aware that every provider usually assigns the same gateway to a dynamically assigned IP address. Do not configure multiple xDSL links managed by the same provider, unless you are sure that the assigned addresses stem from distinct IP pools and use clearly distinguishable gateways.

To open the configuration dialog, set xDSL Enabled to yes and then click the Insert button.

List 338 Network - xDSL configuration section Link Properties
Parameter Description
Name: This is the name of the xDSL link. Note: Only digits and characters from the Latin character set excluding special characters are allowed in the link name.
Link Active: If set to yes the link is taken into account for link management, otherwise it is ignored.
Standby Mode: If set to no (default) the link is supposed to be activated and monitored as a consequence of a network activation. If set to yes, its activation and subsequent monitoring needs to be triggered externally. Note that for a PPP multilink bundle the setting of the respective primary link is adopted for all links.
Enable PPP Multilink: Note: This parameter is only available in Advanced View mode. If set to yes the two entries below are activated and the link will become part of a PPP multilink bundle (note that the ISP providing the links needs to explicitly support this feature).
Primary Link: Note: This parameter is only available in Advanced View mode. Selects the primary link of a PPP multilink bundle. A link becomes primary when its own name is selected here.
Endpoint Descriptor: Optional entry that may be used to describe the local system in a unique fashion. It sets the endpoint discriminator sent by the local machine to the peer during multilink negotiation to this value. The default is to use the MAC address of the first ethernet interface on the system, if any, otherwise the IPv4 address corresponding to the host name, if any, provided it is not in the multicast or locally-assigned IP address ranges, or the localhost address. The endpoint discriminator can be the string null or of the form type: value, where type is a decimal number or one of the strings local, IP, MAC, magic, or phone. The value is an IP address in dotted-decimal notation for the IP type, or a string of bytes in hexadecimal, separated by periods or colons, for the other types. For the MAC type, the value may also be the name of an ethernet or similar network interface.
Synchronous PPP: If set to yes, PPP and the transport protocol daemons (as determined by the parameter below) will initiate a connection in synchronous mode. This is usually of higher performance but requires appropriate support by the opposite server end.
Connection Type: Specifies the transport protocol for the PPP protocol. Note that in case of PPP multilink bundles all links must use the same connection type.

List 339 Network - xDSL configuration section PPTP Connection Details
Parameter Description
Modem IP: Address of the xDSL modem or PPTP server to which a PPTP connection is supposed to be established.
Local IP Selection: This parameter offers the following options:
  Static: the standard option, where the local address is specified.
  DHCP: the legacy option of obtaining the address from DHCP.
  Dynamic: the device will pick the address that routing provides to reach the PPTP server. This address is then reported to the firewall engine for GRE registration.
Required DHCP Link: This field is only active with Local IP via DHCP set to yes. Name of the DHCP section this xDSL link relies upon for providing a routing path to the configured Modem IP address.
Local IP: Only needed with PPTP selected. Determines the local IP address which is used to establish a connection with the Modem IP address. The local address must be an already configured local IP address. The specified address is used for local GRE protocol registration with the local firewall. Note: This option and the Local IP via DHCP option are mutually exclusive.
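The Endpoint Descriptor syntax in List 338 (null, or type: value with decimal or named types) is easy to get wrong in a configuration field, so here is an added example (not Barracuda or pppd code) that validates such a value and encodes it as the LCP option that is sent to the peer during multilink negotiation. The class numbers and the option layout are those of RFC 1990; the sample values are constructed.

```python
"""Parser and LCP encoder for the Endpoint Descriptor syntax described in
List 338 (null, or 'type: value').  Added example, not Barracuda or pppd code;
the class numbers and the option layout are those of RFC 1990."""
import ipaddress
import re
from typing import Optional, Tuple

# Endpoint Discriminator classes (RFC 1990, section 5.1.3)
CLASSES = {"null": 0, "local": 1, "ip": 2, "mac": 3, "magic": 4, "phone": 5}
LCP_OPTION_ENDPOINT_DISCRIMINATOR = 19

_HEX_BYTES = re.compile(r"^[0-9A-Fa-f]{1,2}(?:[.:][0-9A-Fa-f]{1,2})*$")


def parse_endpoint_descriptor(text: str) -> Tuple[int, Optional[bytes], Optional[str]]:
    """Return (class, address bytes, interface name).

    The interface name is set only for 'MAC: <ifname>', where the page says the
    value may also be the name of an ethernet interface; resolving that name to
    a MAC address needs the live system, so it is handed back unresolved here.
    Raises ValueError for anything outside the documented syntax."""
    text = text.strip()
    if text.lower() == "null":
        return (CLASSES["null"], b"", None)
    type_part, sep, value = text.partition(":")
    type_part, value = type_part.strip(), value.strip()
    if not sep or not value:
        raise ValueError("expected 'null' or 'type: value'")
    if type_part.isdigit():
        cls = int(type_part)
    elif type_part.lower() in CLASSES:
        cls = CLASSES[type_part.lower()]
    else:
        raise ValueError(f"unknown endpoint type {type_part!r}")
    if cls == CLASSES["ip"]:
        return (cls, ipaddress.IPv4Address(value).packed, None)   # dotted-decimal only
    if cls == CLASSES["mac"] and not _HEX_BYTES.match(value):
        return (cls, None, value)                                 # interface name, unresolved
    if not _HEX_BYTES.match(value):
        raise ValueError(f"value {value!r} is not hex bytes separated by '.' or ':'")
    address = bytes(int(b, 16) for b in re.split(r"[.:]", value))
    if cls == CLASSES["mac"] and len(address) != 6:
        raise ValueError("a MAC endpoint discriminator needs exactly 6 bytes")
    return (cls, address, None)


def lcp_endpoint_option(cls: int, address: bytes) -> bytes:
    """Encode the LCP Endpoint Discriminator option (type 19): type, length, class, address."""
    if not 0 <= cls <= 255:
        raise ValueError("class must fit in one byte")
    return bytes([LCP_OPTION_ENDPOINT_DISCRIMINATOR, 3 + len(address), cls]) + address


if __name__ == "__main__":
    for sample in ["null", "IP: 192.0.2.1", "MAC:00:11:22:33:44:55", "MAC: eth0",
                   "magic: de.ad.be.ef", "7: 01.02"]:
        print(sample, "->", parse_endpoint_descriptor(sample))
```

One caveat the parser inherits from the syntax itself: an interface name that happens to look like hex bytes (for example "ab") is read as a byte string, so interface names are safest when they contain a non-hex character.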
List 339 Network - xDSL configuration section PPTP Connection Details
Parameter Description
Gateway to Modem IP: Optional entry that may be used to handle scenarios where the xDSL modem or PPTP server is not directly attached to the gateway. Note that this option and the Local IP via DHCP option are mutually exclusive. Note: A gateway route will automatically be created for PPTP.
Max MTU/MRU Size: Default: 1492. Possible values from 60 to 1492.

List 340 Network - xDSL configuration section PPPOE Connection Details

List 341 Network - xDSL configuration section Authentication
Parameter Description
Wildcard Support: Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same).
MX Record: This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
List 342 Network - xDSL configuration section Routing
Parameter Description
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal, dmz, external (default).
Route Preference Number: Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your xDSL uplink as a backup connection (provider failover) to the internet, for example.
Clone Routes: Note: This parameter is only available in Advanced View mode. If set to yes all routes will be cloned from the table adslN to tables main or default (depending on the route target). This parameter is aimed at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
GRE with Assigned IP: Note: This parameter is only available in Advanced View mode. Set this parameter to yes to register the assigned IP for IP protocol 47.

List 343 Network - xDSL configuration section Connection Monitoring
Parameter Description
For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links, page 78.

Section DHCP Client Setup

The configuration allows the integration of a single cable connection (broadband or general assignment of addresses via a DHCP server). Cable connections are a very popular medium-performance alternative to leased lines.

Cable connections are special in so far as they involve a dynamic component. The IP address is assigned via DHCP and will change from time to time. The Barracuda Networks implementation will only accept IP and gateway addresses from the DHCP server. All other assigned parameters or any static routes are silently dropped.

Since certain pieces of information are unknown at configuration time, the system will only request filling in the interface that will serve for link establishment, as well as some routing information. An associated Barracuda Networks cable link management will automatically monitor the link and introduce routes, rules, and tables as soon as the missing information becomes available or changes. The system continuously monitors the link status and the reachability of a set of user-defined addresses. If required, the link will be brought down and up again. This ensures that if there is a way to have the link up, it will be up.

By selecting yes for the entry DHCP Enabled the configuration areas for DHCP connections are activated.

The entry Standby Mode allows having highly available DHCP/cable connections. Setting this parameter to yes implements two different working steps:

- The affected routes are set to pending state and it is not checked whether they are established.
- The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start: /etc/phion/dynconf/network/dhcprestart
  connection stop: /etc/phion/bin/wipecable

This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is shut down the connection is stopped automatically.

To open the configuration dialog, set DHCP Enabled to yes and then click the Insert button.

List 344 Networks - DHCP configuration
Parameter Description
Name: This is the name of the DHCP link. Note: Only numbers and characters from the Latin character set excluding special characters are allowed in the link name.
Link Active: If set to yes the link is taken into account for link management, otherwise it is ignored.
Standby Mode: If set to no (default) the link is supposed to be activated and monitored as a consequence of a network activation. If set to yes, its activation and subsequent monitoring needs to be triggered externally.
DHCP Connect Timeout: Timeout for connection attempts [s] from configured DHCP links to unreachable interfaces or networks.

List 345 Networks - DHCP configuration section Connection Details
Parameter Description
DHCP Interface: Name of the ethernet interface connected to the cable modem. This interface is reserved for exclusive use by the cable link. No further IP addresses or networks may reside on it. The interface is renamed to dhcp and will accordingly be displayed in the control window.
devmtu: MTU setting of the selected DHCP interface.

List 346 Networks - DHCP configuration section DNS
Parameter Description
Use Provider DNS: Set to yes (default: no) if you wish to use the DNS server(s) assigned by your provider.
Use Dynamic DNS: Setting to yes (default: no) activates Dynamic DNS and enables Dynamic DNS Params configuration. Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate, as the address needs to change once a month.
Dynamic DNS Params: This button provides the following parameters:
  Dyndns Name: Here the dyndns name that was registered at dyndns.org has to be entered.
  Secure Update: This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
  User Access ID: User ID for accessing the server as defined during registration at dyndns.org.
  Access Password: Password for accessing the server as defined during registration at dyndns.org.
  Wildcard Support: Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same).
  MX Record: This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
List 346 Networks - DHCP configuration section DNS
Parameter Description
  Backup MX: Setting this parameter to yes triggers that the configured MX Record works as a backup mail server. The registered Dyndns Name will be used as primary mail server. Setting the parameter to no induces that only the MX Record is used. Note: It is not recommended to use the MX parameters offered. If you nevertheless do so, then please consult www.dyndns.org for detailed information.
  Retry Time [mins]: Standoff time in minutes until a new update try is started if the preceding one has failed.

List 347 Networks - DHCP configuration section Routing
Parameter Description
Own Routing Table: Note: This parameter is only available in Advanced View mode. If set to yes policy routing will be activated. In the current context this means that a new table named dhcp is introduced after the main routing table. All routes involving the cable link (via interface dhcp) use these policy routes. Note: If this parameter is set to yes, the only available Monitoring Method will be LCP.
Use Assigned IP: Note: This parameter is only available in Advanced View mode. When set to yes the IP address dynamically assigned by your Internet provider is used as source network for policy routing. Initially, until the ISP has successfully assigned an address, the rule will have 0.0.0.0 as a source address. The field is only active when Own Routing Table is used.
Source Networks: Note: This parameter is only available in Advanced View mode. Array of source networks or single hosts which point to the policy routing table dhcp. IP/mask notation is expected. For a single host you supply "0" as its netmask (Getting Started 5. Inverted CIDR Notation, page 25).
Create Default Route: If set to yes (default) the default route assigned by the provider is automatically introduced. Attention: When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.
Target Networks: Target networks that are supposed to be reachable through this link.
Advertise Route: If set to yes (default: no) all routes will be advertised via routing protocols, provided an OSPF or RIP router service is active on the gateway.
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified as one of the following: unspec, internal, dmz, external (default).
Route Preference Number: Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your low-cost cable uplink as a backup connection (provider failover) to the internet, for example.
Clone Routes: Note: This parameter is only available in Advanced View mode. If set to yes all routes will be cloned from the table dhcp to tables main or default (depending on the route target). This parameter is aimed at setups where application based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
GRE with Assigned IP: Note: This parameter is only available in Advanced View mode. Set this parameter to yes to register the assigned IP for IP protocol 47.

List 348 Networks - DHCP configuration section Connection Monitoring
Parameter Description
For configuration details, see 2.2.5.8 Connection Monitoring of Dynamic Links, page 78.

Section ISDN Setup

With this section it is possible to integrate an ISDN connection.

By selecting yes for the entry ISDN Enabled the configuration areas for ISDN connections are activated.

The entry ISDN on Standby allows having highly available ISDN connections. Setting this parameter to yes implements two different working steps:

- The affected routes are set to pending state. It is not checked whether they are established.
- The configuration is completely run through but the connection is not yet established. Connecting is handled via a server-side script that is used for starting and stopping the connection with corresponding command lines:
  connection start: /etc/phion/dynconf/network/isdnrestart
  connection stop: /etc/phion/bin/wipeisdn

This way it is guaranteed that as soon as the server is up, the connection is established automatically, whereas when the server is shut down the connection is stopped automatically.

To open the configuration dialog, click the ISDN Settings > Set button.

List 349 Networks - ISDN configuration section Connection Details
Parameter Description
Provider Phone Number: Insert the phone number here that has been assigned to you by your provider for connection establishment.
Dial Out Prefix: If needed, insert a dial-out prefix here (optional).
ISDN MSN: Compared to a normal telephone connection, an ISDN connection can have more than one phone number; each of these numbers is called an MSN (Multiple Subscriber Number). If your provider has supplied you with an MSN, fill it into this field.
ISDN Modem Card: Select the name of the ISDN card you are using. Note: Please contact Barracuda Networks if you are using an unsupported ISDN card which is not in the list.
Encapsulation Mode: The following modes are available:
  SyncPPP (default): bit-oriented transfer protocol
  RawIP: no PPP; IP addresses are to be specified manually (attention: static)
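The Route Preference Number and the Attention on Create Default Route in Lists 342 and 347 above describe provider failover between dynamic links; the following added example (not Barracuda code) simulates that selection: routes cloned from a link's own table into main or default by target (Clone Routes), the lowest metric among links that are up winning the default route, and the ambiguity that arises when two links install a default route with the same metric. Link names, gateways and metrics are constructed.

```python
"""Provider failover between dynamic links: Route Preference Number as metric,
Clone Routes from a link's own table into main/default, and the conflict the
Attention on Create Default Route warns about.  Added example, not Barracuda
code; link names, gateways and metrics are constructed."""
import ipaddress
from dataclasses import dataclass

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class LinkRoute:
    target: ipaddress.IPv4Network
    gateway: str
    preference: int          # Route Preference Number (metric); the page's default is 0
    link: str


@dataclass
class DynamicLink:
    name: str                # e.g. "adsl1", "dhcp", "umts1" (the page's table names)
    gateway: str
    preference: int = 0
    targets: tuple = (DEFAULT,)
    state: str = "down"      # "up", "down" or "pending" (Standby Mode)


def clone_routes(link: DynamicLink):
    """Clone Routes: routes from table <link> land in table main, except the
    0.0.0.0/0 route, which lands in table default (as the page states)."""
    cloned = {"main": [], "default": []}
    for t in link.targets:
        table = "default" if t == DEFAULT else "main"
        cloned[table].append(LinkRoute(t, link.gateway, link.preference, link.name))
    return cloned


def active_default_route(links):
    """Among links that are up, the lowest metric in table default wins.
    Returns (link name, gateway) or None when nothing is up."""
    candidates = [r for l in links if l.state == "up" for r in clone_routes(l)["default"]]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r.preference)
    return (best.link, best.gateway)


def preference_conflicts(links):
    """Links that would install a default route with the same metric are
    ambiguous; this is why the page makes a Route Preference Number > 0
    mandatory when several dynamic links exist."""
    by_pref = {}
    for l in links:
        if DEFAULT in l.targets:
            by_pref.setdefault(l.preference, []).append(l.name)
    return [names for names in by_pref.values() if len(names) > 1]


def failover_trace(links, events):
    """Apply (link, state) events in order and record the active route after each."""
    by_name = {l.name: l for l in links}
    trace = []
    for name, state in events:
        by_name[name].state = state
        trace.append(active_default_route(links))
    return trace


def build_demo_links():
    """Constructed setup: cable link is primary (metric 0), xDSL is the backup
    (metric 100), a UMTS link with an extra target network stays down."""
    return [DynamicLink("dhcp", "198.51.100.1", preference=0),
            DynamicLink("adsl1", "203.0.113.1", preference=100),
            DynamicLink("umts1", "192.0.2.9", preference=200,
                        targets=(DEFAULT, ipaddress.ip_network("10.8.0.0/16")))]


if __name__ == "__main__":
    links = build_demo_links()
    print(failover_trace(links, [("dhcp", "up"), ("adsl1", "up"),
                                 ("dhcp", "down"), ("dhcp", "up")]))
    print(preference_conflicts([DynamicLink("dhcp", "198.51.100.1"),
                                DynamicLink("adsl1", "203.0.113.1")]))
```

The trace shows the cable link holding the default route while it is up, the xDSL link taking over when the cable link goes down, and the cable link winning it back; the second call reports the conflict that two links left at the default metric 0 would produce.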
List 349 Networks - ISDN configuration section Connection Details
Parameter Description
Dial Mode: Dialling can be handled in two ways:
  Dial-On-Demand: The ISDN subsystem connects itself to the provider only when there is traffic on the line. The connection is detached after an adjustable Idle Hangup Time. The advantage of automatic dialling is that on leased lines it may save money. The disadvantage, on the other hand, is that users connecting to systems externally (system administrators, for example) cannot rely on the line being up all the time. Note: Do not use Dial-On-Demand mode on boxes managed by a Barracuda NG Control Center. Box management requires the link to be up continuously.
  Always-On: The connection is initiated at startup of the box and is kept open all the time.
Idle Hangup Time: When the Dial Mode is set to Dial-On-Demand, this field is used to specify after how many seconds the line will be disconnected when idle.
Use Channel Bonding: If set to yes (default: no) the ISDN subsystem will open a second ISDN channel to the provider when the first line is saturated, therefore doubling the bandwidth. After some time, when the traffic falls below a certain rate, the second line will be closed again. Note: Your provider has to support channel bonding (=mppp).
Channel Bonding Settings: Use this section to adjust the way on-demand bandwidth allocation works.
  Transfer Rate Limit [Bytes/s]: Limit for bringing up the slave channel and, depending on the Slave Channel Policy, for bringing it down again. Values range from 4000 Bytes/s to 7999 Bytes/s.
  Slave Channel Policy: Stay-up policy for the slave channel; choose between Stay Only Up While Transfer Limit Exceeded and Stay Permanently Up Till Hangup Timeout Reached.
  Minimum Slave Uptime [s]: Minimum time the slave channel, once brought up, will unconditionally stay up. Values range from 1 s to 3600 s.
Dial Allowed From/Dial Allowed Until: Use these lists to specify a time interval within which an ISDN dial-in is permissible. One interval valid for all days of the week may be specified. Temporal granularity is limited to 30 minutes.
Dynamic Address Assignment: When set to yes (default) the IP address/mask pair and the gateway address will be provided by the ISP dynamically. In case you are equipped with static addresses, set the value to no and fill in a Static IP/Mask and Static Gateway IP below.
Static IP/Mask: If available, define a static IP address/mask here.
Static Gateway IP: If a static IP/Mask is used, define the gateway IP address here.

List 350 Networks - ISDN configuration section Compression
Parameter Description
In general you can leave all compression settings off, which is the default. The ippp daemon will negotiate these settings in accordance with the PPP partner's capabilities anyway.
VJ TCP Header: Negotiation of Van Jacobson style TCP/IP header compression.
VJ Connection-ID: When set to off, the connection-ID compression in Van Jacobson style TCP/IP header compression is disabled. ipppd will neither omit the connection-ID byte from Van Jacobson compressed TCP/IP headers, nor ask the peer to do so.
Address Control: Address/Control compression.
Protocol Field: Protocol field compression.
BSD: BSD-Compress scheme.
CCP Control Protocol: Point-to-point compression protocol. Built upon the LCP protocol (Link Control Protocol).

List 351 Networks - ISDN configuration section Authentication
Parameter Description
User Access Sub-ID: Insert an optional SUB-ID here if it has been assigned to you by your ISP. The User SUB-ID complements the User Access ID, separated from it by a hash (#). Insert the SUB-ID without the hash, as it will automatically be prefixed to it.
Access Password: Insert the password here that has been assigned to you by your ISP.
Provider Name: If required, insert the name of your ISP here, which is supposed to be appended to your User Access ID.
Authentication Method: Select the method for authentication here. Authentication protocols can be set to NONE, PAP, CHAP or PAP_or_CHAP.
Use Provider DNS: Set to yes (default: no) if you wish to use the DNS server(s) assigned by your provider.
Use Dynamic DNS: Setting to yes (default: no) activates Dynamic DNS and enables Dynamic DNS Params configuration. Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate, as the address needs to change once a month.
Dynamic DNS Params: Click the Set button to access the Dynamic DNS Params configuration section:
  Service Type: DynamicDNS (default), StaticDNS, CustomDNS. For additional information about available DynDNS Service Types visit http://www.dyndns.com/services/
  Dyndns Name: Here the dyndns name that was registered at dyndns.org has to be entered.
  Secure Update: This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
  User Access ID: User ID for accessing the server as defined during registration at dyndns.org.
  Access Password: Password for accessing the server as defined during registration at dyndns.org.
  Wildcard Support: Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same).
  MX Record: This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
  Backup MX: Setting this parameter to yes triggers that the configured MX Record works as a backup mail server. The registered Dyndns Name will be used as primary mail server. Setting the parameter to no induces that only the MX Record is used. Note: It is not recommended to use the MX parameters offered. If you nevertheless do so, then please consult www.dyndns.org for detailed information.
  Retry Time [mins]: Standoff time in minutes until a new update try is started if the preceding one has failed.

List 352 Networks - ISDN configuration section Routing

List 353 Networks - ISDN configuration section Connection Monitoring
2.2.5.7 UMTS

UMTS (Universal Mobile Telecommunications System) defines a mobile communication standard using the 3G specification in Europe. One UMTS card may be included into the network configuration of a Barracuda NG Firewall.

Note:
The UMTS extension is available only for appliances directly supported by Barracuda Networks.

List 354 Networks - UMTS configuration section UMTS (3G) Setup
Parameter Description
UMTS Enabled: Setting to yes (default: no) enables support for one UMTS card.
Standby Mode: If set to no (default) the link is supposed to be activated and monitored as a result of network activation. If set to yes, its activation and subsequent monitoring needs to be triggered externally.
Register in Standby: This option allows for the registration of the card in the provider network even when Standby Mode is selected. This allows for a faster dial-in process when the link is fully activated. Note: Setting Inbound SMS Handling (see below) to yes will also lead to an immediate registration in the network.

List 355 Networks - UMTS configuration section UMTS Connection Details
Parameter Description
UMTS Modem Card: Configure your UMTS card here.
Modem Interface: This parameter specifies the terminal interface associated with the UMTS card. Typically, this is noz0 for the card Option Globetrotter 3G+ - NZ and ttyUSB0 for the other cards. Select checkbox Other to define another value.
Active 2nd Channel: Select yes when you want to use the second modem channel.
Radio Preference: Choose the way the modem connects to the radio network: -- Not Applicable --, GPRS/EDGE Preferred, 3G/UMTS Preferred, GPRS/EDGE Only, 3G/UMTS Only.
Inbound SMS Handling: When set to yes (default: no) the modem card will be polled at regular intervals for inbound SMS messages. Depending on the settings in the SMS Control tab (see 2.2.3.7 SMS Control, page 57), the SMS is either deleted right away or further processed. The respective log output goes into the log file Auth > SMS.
Speed [baud]: This is the UMTS card's connection speed. Select a predefined default value from the pull-down menu or select the checkbox Other to define an individual value.
Connect Timeout: This value defines the period of time (in seconds) until a connection attempt is expected to have succeeded.
Register Timeout: The register timeout is the time in seconds that the box will wait for the network registration to be completed before actually dialling out. Note: Registration in standby avoids exactly this waiting period, thus speeding up the dial-out. Note: The waiting period only applies to the first dial-out after a network configuration activation, restart, or boot. Subsequent dial-outs will take place without a prior registration.
SIM PIN: This is the SIM card's Personal Identification Number (PIN), usually consisting of four digits.
APN Name: Insert the Access Point Name (APN) for GPRS into this field.
PDP Context: Click the Set button to access PDP Context configuration. This section allows for a more fine-grained specification of the Packet Data Protocol (PDP) that is used for accessing the provider network.
  Context Identifier: Specify the numeric "Context Identifier" (CID).
  PDP Type: Specify the PDP Type (IP or PPP).
  Usually the default values of 1 and IP, respectively, will suffice. If unsure, enquire with your provider.
Phone Number: This is the number the modem has to dial. Note: The dialled number always needs to end with a hash (#), but this hash must not be inserted into this field. Note: The last digit in the phone number is used to set the Context Identifier (see above). Note that when your provider does not assign you a number ending with "1", you'll need to adapt the setting in the PDP Context section accordingly.
Allow Compression: If set to yes the Barracuda NG Firewall box will agree to negotiate compression settings with the dial-in server. If set to no (default) compression is disabled.

List 356 Networks - UMTS configuration section Authentication
Parameter Description
Authentication Method: Select the method for authentication here. Authentication protocols can be set to PAP, CHAP (default), PAP_or_CHAP or NONE.
User Access ID: This is the principal account name (PPP user name) assigned by the provider.
User Access Sub-ID: Insert an optional SUB-ID here if it has been assigned to you by your ISP. The User SUB-ID complements the User Access ID, separated from it by a hash (#). Insert the SUB-ID without the hash, as it will automatically be prefixed to it.
Access Password: This is the PPP password assigned by the ISP.
Use Provider DNS: Set to yes if you wish to use the DNS server(s) assigned by your provider.
Use Dynamic DNS: This parameter activates (default setting: no) Dynamic DNS and enables the configuration of Dynamic DNS Params. Note: To use this feature it is necessary to register with www.dyndns.org. Check with your provider whether usage of dynamic DNS is advisable when using a static address or an address that rarely changes. Note that when using static or rarely changing addresses dynamic DNS might not be appropriate, as the address needs to change once a month.
List 356 Networks - UMTS configuration section Authentication
Parameter Description
Dynamic DNS Params: Click the Set button to access the Dynamic DNS Params configuration section:
Service Type: DynamicDNS (default), StaticDNS, CustomDNS. For additional information about available DynDNS Service Types visit http://www.dyndns.com/services/
Dyndns Name: Here the dyndns name that was registered at dyndns.org has to be entered.
Secure Update: This parameter defines whether HTTP (no) or HTTPS (default: yes) is used for updating.
User Access ID: User ID for accessing the server as defined during registration at dyndns.org.
Access Password: Password for accessing the server as defined during registration at dyndns.org.
Wildcard Support: Setting this parameter to yes (as it is per default) allows the resolution of sub-hostnames (regardless of the domain, the IP address pointed to is the same).
MX Record: This parameter specifies the mail handler (Mail eXchanger) for the given domain. MXs are used for directing mail to other servers than the one the hostname points to.
Backup MX: Setting this parameter to yes causes the configured MX Record to work as a backup mail server; the registered Dyndns Name will be used as primary mail server. Setting the parameter to no means that only the MX Record is used.
Note:
It is not recommended to use the MX parameters offered. If nevertheless used, please consult www.dyndns.org for detailed information.

List 357 Networks - UMTS configuration section Routing
Parameter Description
Create Default Route: If set to yes (default) the default route assigned by the provider is automatically introduced.
Attention:
When set to yes in an environment where multiple dynamic links are available, configuring a Route Preference Number (see below) is mandatory.
Target Networks: Target networks that are supposed to be reachable through this link.
Remote Peer IP: Use this override mechanism if your provider does not assign a remote gateway IP.
Advertise Route: If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified to one of the following: unspec, internal, dmz, external (default).
Route Preference Number: Preference number or metric assigned to the routes to the specified target networks. You will need to set this parameter to a value larger than 0 if you wish to use your UMTS uplink as a backup connection (provider-failover) to the internet, for example.
Clone Routes:
Note:
This parameter is only available in Advanced View mode.
If set to yes all routes will be cloned from the table umts1 to tables main or default (depending on the route target). This parameter is aimed at setups where application-based selection (explicit binding in a firewall rule) of a traffic path is supposed to coexist with link failover (proxy dynamic).
GRE with Assigned IP:
Note:
This parameter is only available in Advanced View mode.
Set this parameter to Yes to register the assigned IP for IP protocol 47.
List 358 Networks - UMTS configuration section Connection Monitoring
List 359 Connection monitoring of dynamic links section Connection Monitoring
Parameter Description
Monitoring Method: Selects the method adopted for link quality assessment. By selecting ICMP the reachable IP addresses (set in parameter Reachable IPs) are probed first. If there is no response the gateways are probed. If the Internet provider does not allow pings, the monitoring method has to be set to LCP. The Dial-In daemon is then probed directly. By selecting StrictLCP absolutely no ICMP probing occurs.
Note:
ICMP is not available when parameter Own Routing Table is set to yes.
Note:
LCP checks are automatically performed by the pppd according to the LCP parameterisation below.
Note:
The DHCP link monitoring method is ICMP by default and therefore not customisable.
Note:
Regardless of the monitoring method which is set, the monitoring of the gateway-IP is not affected (for example: if LCP is chosen as monitoring method it does not prevent the gateway-IP from being pinged).
Reachable IPs: Probing target IP addresses that are pinged in order to see whether the link is still functioning or not. At least one single IP address that is meant to be accessible only via the xDSL link has to be specified. Each of the specified IPs is pinged every 20 seconds (2 ICMP packets each). If none of the IPs responds the remote end of the PPP connection to the ISP is checked. In case of no response the link is dismantled and it is attempted to re-establish it.
LCP Check Interval: Time between two successive LCP echo checks.
No. of LCP Checks: Number of successive failed LCP echo checks before the PPP connection is terminated by the local pppd.
No. of ICMP Probes: Number of ICMP echo requests sent to each probing target IP address (maximum value: 9, default: 2).
Waiting Period [s/probe]: Number of seconds per probe that a reply is waited for.
Check Interval [s]: The time between two successive link state assessments.
Failure Standoff [s]: The time to wait immediately after a failed link establishment before trying to connect again. The idea here is that blunt retrying usually does not improve the situation but rather leads to vast amounts of unwanted log output.
Note:
For further information on monitoring mechanisms refer to 2.2.5.12 Further Reading: Probing Policies and Mechanisms, page 81.

2.2.5.9 IP Tunnelling

IP Tunnelling
Note:
The following parameters are only available in Advanced View mode.
This section allows the introduction of simple point-to-point tunnels using generic routing or plain IP in IP encapsulation.
Note:
If you wish to establish a secure tunnel between two firewalls you should rather make use of a VPN tunnel.
systems a VPN tunnel will offer significant benefits as it is attached to a server and not to a box. Moreover, if you wish to establish a tunnel hub (which means a box sustaining many tunnels, each with a different peer) a VPN server will turn out to be a much better choice.
To open the configuration dialog, click the Insert button.
Fig. 331 IP Tunnels configuration
List 360 Networks - IP Tunnels configuration section Tunnel Configuration
Parameter Description
Encapsulation Mode: Choose the type of encapsulation. Default setting is GRE(47) (Generic Routing Encapsulation). Alternatively there is support for plain IP in IP encapsulation (IPinIP(4)).
Tunnel TTL: This optional parameter allows setting the TTL for encapsulated tunnel traffic. Leaving this field blank corresponds to the hitherto standard behavior of TTL inherit and Nopmtudisc (no path MTU discovery).
Set Multicast Flag: If set to yes (default: no) the multicast flag will be set for the tunnel interface.
Source IP Type: Select the type of source IP here. Available values are ServerIP and BoxIP (default). If ServerIP is selected no source IP has to be specified as the IP will be provided by a server. If BoxIP is selected a local source IP address has to be specified (see below).
Note:
In absence of a local source IP the box itself cannot use the tunnel for local traffic.
Source IP: Specify a routable source address if the box itself is meant to use the tunnel. The IP is activated on the tunnel interface.
Source Mask: Enter the source IP's netmask here. A non-zero mask specifies a local network.
List 360 Networks - IP Tunnels configuration section Tunnel Configuration (continued)
Parameter Description
Route Preference Number: Preference number of this route. Use only when two routes to the same target exist. Assigning a route preference number only makes sense under the following premises: you do not wish to use policy routing for tunnelling, thus the respective tunnel routes go either into table main or default (in the case the target needs to be network 0.0.0.0/0); or you wish to use policy routing but plan to assign the routes to an already existing table. In both cases the preference will only have an effect if there exists another route to one of the specified target networks. As mentioned in the preceding section it is not sensible to introduce redundant routes to a target net with a direct route being the preferred path.
Remote End IP: IP address of the remote tunnel end. Guarantee that the routing setup allows accessing this address from the local tunnel end, which means with the source address as specified in Local End IP.
Check Reachability: If set to yes (as it is by default) a check is performed whether the remote tunnel end is directly reachable from the local end IP. If this check fails the tunnel is not introduced; if verification is already active, a Send Changes will fail. Setting this parameter to no disables this check. Select no when the remote tunnel end is only accessible via a VPN route.
Local End IP: IP address of the local tunnel end.
Note:
This address must already exist. In particular it must correspond to one of the addresses introduced in a network related section.
Interface Realm: This parameter determines what kind of IP address is to be counted by the firewall for traffic on this interface (Licensing 5.5 Policy No. 5: General Case, page 540). The interface can be classified to one of the following: unspec (default), internal, dmz, external.
Target Networks: Array of IP/mask pairs that are meant to be accessible through the tunnel. They are thus target networks of routes that rely on the existence of the tunnel interface. Each specified target will rely on a corresponding direct route.
Advertise Route: If set to yes (default: no) all routes will be advertised via Routing Protocols, provided an OSPF or RIP router service is active on the gateway.
Use Policy Routing: Select yes to activate a source filter for the tunnel routes. If set to yes the three policy routing related entries below will be activated.
Table Placement: Controls placement of the table. Choose between the default setting postmain, and the advanced options premain and existing. The latter allows referencing an already existing table. The rule preference of this table will be inherited.
Use Table:
Note:
Only enabled when Table Placement has been set to existing.
Allows you to specify an existing policy routing table to which the tunnel routes are added. For each source network defined an appropriate rule pointing to this very table (with the table's original preference) is also appended. Do not use the tables local, main or default in this parameter.
Source Networks: Array of source networks or single hosts for which a yet to be defined policy routing table is looked up.
Note:
By default the name of the table would be identical to the name of the tunnel section entry. You may however assign the routes to another already existing table.
IP/mask notation is expected. For a single host you will need to supply "0" as its netmask. (Getting Started 5. Inverted CIDR Notation, page 25)

2.2.5.10 Integrity Check

The Integrity check performs a logical test on the network configuration.
List 361 Integrity Check configuration section Integrity Check Settings
Parameter Description
Consistency Verification: Always (default), Box-Only, Never
Include Server IPs: yes (default), no

2.2.5.11 Special Needs

Note:
The following parameters are only available in Advanced View mode.

Section User Scripts
The Special Needs section is provided to satisfy rare network-related demands that are difficult to cover with standardized configuration settings. This part of the configuration clearly addresses the well-versed system administrator. Section instances of this type allow specifying bash2-conform user-defined commands. The integration of these command sections into the graphical user interface has several significant advantages. There is no need to alter any of the standard utilities required to bring up the networking subsystem, thus software updates are not an issue. Modifications to the way in which networking is brought up are kept track of and cannot easily be forgotten.
At the very same time such a user interface has the potential to wreak havoc on your system as all commands are run with super user privileges. Therefore use only with due care.
Note:
Barracuda Networks recommends entering only commands that have previously been tested on the command line and which are guaranteed to produce the desired results.
Please do not use this as a personal playground.
To open the configuration dialog, click the Insert button:
Fig. 332 Special Needs configuration
Note that the full path must be given (for example /usr/bin/, /sbin/, ).
In the section instance list the presence of a command will only be indicated by a string reading either -set- or -not set-. This is due to the potentially significant length of the individual commands.

2.2.5.12 Further Reading: Probing Policies and Mechanisms

- Monitoring Method: ICMP
Before probing actually commences, the existence of a meaningful address assignment on the associated ppp-interface (ppp1-4) is checked for. If no meaningful assignment is found the link is deemed dead and no further probing is required.
Only if the address assignment appears correct does the actual probing take place. If ICMP has been chosen as monitoring method the configured reachable IPs are probed first. If at least one reachable IP has been specified and an echo reply is received, then the link is deemed functional.
In case no reachable IPs have been specified (which is not smart) or none of the addresses specified have replied, the probing continues with the gateway address assigned by the ISP.
If then this gateway address replies to an ICMP echo request the link is deemed functional.
If the gateway address does not reply then the link is deemed inoperative and is shut down.
- Monitoring Method: LCP
For probing policy LCP the ICMP ISP gateway check (which is performed as final step with ICMP selected as monitoring method) is also carried out but its result is interpreted in a different way. If the gateway does not respond no further check is attempted and the current probing failure is ignored. However, if the gateway responds, further regular probing is carried out. Should one of these then fail in the future the link will be deemed inoperative and will be shut down.
- Monitoring Engine Changes
The executable used to start and monitor all ADSL connections is now called /epb/openxdsl.
The executable openxdsl has three distinctively different operation modes. These are called daemon, signal, and worker.

List 362 The monitoring executable openxdsl and its commands
Command Operation Mode Description
/epb/openxdsl (daemon): All configured links in non-standby mode are activated and monitored. The executable becomes a daemon and detaches from the controlling terminal. The daemon starts a separate worker process for each xDSL link or link bundle.
/epb/openxdsl void (daemon): Same as above but runs in the foreground, which means the daemon does not detach.
/epb/openxdsl stop/start/restart (signal): Instructs a running daemon process to stop (= block), start or restart all running worker processes (links or bundled links).
/epb/openxdsl stop/start/restart <names> (signal): Same as above but only stops/starts/restarts the links associated with the supplied section names.
Note:
Names of non-primary multilink members are no valid arguments. You may only stop, start or restart the link as a whole. Use the name of the primary link member to do so.
/epb/xdsl[1-4] -> /epb/openxdsl (worker): When invoked as xdsl[n] the same executable openxdsl behaves differently, for example as a worker starting up a particular link or link bundle. The integer n denotes the list position of the link in the list of xDSL section entries. Note that this index also determines the used ppp[n]-interface.

Beyond this an auxiliary cleanup utility called /epb/wipexdsl is provided.
A process list output for a link bundle with two pptp connections maintained by an xdsl1 worker:
Fig. 333 Process list output for a link bundle
|-openxdsl(29801)-+-sleep(30144)
|                 `-xdsl1(29829)-+-sleep(30137)
|                                |-xdsl1(29876)---xdsl1(29881)---pppd_xdsl1.0(29882)---pptp_xdsl1.0(29883) [link handler]
|                                `-xdsl1(30089)---xdsl1(30094)---pppd_xdsl1.1(30097)---pptp_xdsl1.1(30098) [link handler]
|-pptp_xdsl1.0(29885) [pptp call manager for primary link]
Note that each worker forks at least one link handler (with identical name) which in turn starts a pppd daemon. The individual pppd-processes and their forked pptp or pppoe transport handlers have distinct names which allow tracing them back to the worker and link handler.
- File Locations
The xDSL implementation writes all volatile temporary data (pid-files, state-files ) into /var/phion/run/boxnet/xDSL. Data-files required at runtime which only change as a consequence of a full network configuration activation are written into /var/phion/config/boxnet/xDSL. The idea behind this separation is to easily facilitate the migration to a flash-RAM-based appliance platform, where /var/phion/run may be linked against a directory in a RAM-disk.
Fig. 334 Listing of /var/phion/run/boxnet/xDSL
prw-r--r-- 1 root root  0 Aug 24 16:26 fifo_xdsl1.0
prw-r--r-- 1 root root  0 Aug 24 16:05 fifo_xdsl1.1
lrwxrwxrwx 1 root root 14 Aug 19 11:48 pppd_xdsl1.0 -> /usr/sbin/pppd
lrwxrwxrwx 1 root root 14 Aug 19 11:48 pptp_xdsl1.0 -> /usr/sbin/pptp
-rw-r--r-- 1 root root  4 Aug 24 16:26 xdsl1.0.state
-rw-r--r-- 1 root root  4 Aug 24 16:24 xdsl1.1.state
lrwxrwxrwx 1 root root 38 Aug 10 13:23 xdsl1_master -> /var/phion/run/boxnet/xDSL/xdsl1.0.pid
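The probing policies above can be exercised offline with a small simulation. The following Python program is an added example, not part of this manual or of the openxdsl implementation: it encodes the decision sequence of 2.2.5.12 (address check, Reachable IPs, ISP gateway, and the different reading of the gateway result under LCP) as a function whose probe results are injected through callbacks. The addresses, the pinger stand-in and the value 3 for No. of LCP Checks are constructed for the demonstration.

```python
"""Simulation of the link probing policy described in 2.2.5.12.

Added example for illustration; it is not part of the Barracuda NG Firewall
manual or of the openxdsl implementation. Probe results are injected through
callbacks so the decision logic can be exercised offline with constructed
data; a real monitor would send ICMP echo requests and read the outcome of
pppd's LCP echo checks instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

Pinger = Callable[[str], bool]   # ping(target) -> True when an echo reply arrived

METHODS = ("ICMP", "LCP", "StrictLCP")


@dataclass
class LinkConfig:
    """Subset of List 359 (Connection Monitoring) that drives the decision."""
    method: str                      # Monitoring Method
    reachable_ips: list[str]         # Reachable IPs
    no_of_icmp_probes: int = 2       # No. of ICMP Probes (default 2, maximum 9)
    no_of_lcp_checks: int = 3        # No. of LCP Checks; 3 is an assumed value

    def __post_init__(self) -> None:
        if self.method not in METHODS:
            raise ValueError(f"unknown monitoring method {self.method!r}")
        if not 1 <= self.no_of_icmp_probes <= 9:
            raise ValueError("No. of ICMP Probes must be between 1 and 9")


@dataclass
class LinkState:
    """Runtime view of one ppp[n] link."""
    local_ip: Optional[str]          # address assigned on the ppp interface, None if none
    gateway_ip: Optional[str]        # remote gateway assigned by the ISP
    lcp_failures: int = 0            # consecutive failed LCP echo checks


def _replied(ping: Pinger, target: str, probes: int) -> bool:
    """Send up to `probes` echo requests; a single reply marks the target reachable."""
    return any(ping(target) for _ in range(probes))


def assess(cfg: LinkConfig, state: LinkState, ping: Pinger,
           lcp_echo_ok: Optional[bool] = None) -> str:
    """Return the verdict of one link state assessment.

    "dead"        no meaningful address assignment, nothing is probed
    "functional"  link keeps running
    "inoperative" link is shut down and re-established
    "undecided"   LCP method: gateway did not answer, the failure is ignored
    """
    # Step 1: without an address on ppp[n] the link is dead, no probing needed.
    if not state.local_ip:
        return "dead"

    if cfg.method == "ICMP":
        # Step 2: reachable IPs first; one reply from any of them is enough.
        if any(_replied(ping, ip, cfg.no_of_icmp_probes) for ip in cfg.reachable_ips):
            return "functional"
        # Step 3: fall back to the ISP gateway (also used when no IPs are configured).
        if state.gateway_ip and _replied(ping, state.gateway_ip, cfg.no_of_icmp_probes):
            return "functional"
        return "inoperative"

    if cfg.method == "LCP":
        # The gateway is still pinged, but a miss only skips this assessment.
        if not (state.gateway_ip and _replied(ping, state.gateway_ip, cfg.no_of_icmp_probes)):
            return "undecided"
    # LCP and StrictLCP: liveness comes from pppd's LCP echo checks
    # (StrictLCP reaches this point without a single ICMP probe).
    if lcp_echo_ok is None:
        raise ValueError("LCP methods need the result of the pppd echo check")
    if lcp_echo_ok:
        state.lcp_failures = 0
        return "functional"
    state.lcp_failures += 1
    if state.lcp_failures >= cfg.no_of_lcp_checks:
        return "inoperative"
    return "functional"


def make_pinger(answering: set[str]) -> Pinger:
    """Constructed stand-in for ICMP: only hosts in `answering` reply."""
    return lambda target: target in answering


if __name__ == "__main__":
    # Constructed sample using documentation addresses; no real hosts involved.
    cfg = LinkConfig(method="ICMP", reachable_ips=["192.0.2.10", "192.0.2.11"])
    link = LinkState(local_ip="203.0.113.7", gateway_ip="198.51.100.1")
    print(assess(cfg, link, make_pinger({"198.51.100.1"})))   # functional (via gateway)
    print(assess(cfg, link, make_pinger(set())))              # inoperative
```

The value of separating the policy from the probe transport is that the failure modes described in the notes above (no pings allowed by the provider, a gateway that answers while the reachable IPs do not, the StrictLCP case that must never emit ICMP) can each be checked with a constructed pinger before the settings are applied to a production link.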
Fig. 335 Listing of /var/phion/config/boxnet/xDSL
-rwx------ 1 root root 1230 Aug 23 10:31 ip-up.xdsl1
lrwxrwxrwx 1 root root   44 Aug 23 10:31 xdsl1 -> /var/phion/config/boxnet/xDSL/xdsl_PPTP_ppp1
-rw------- 1 root root    0 Aug 23 10:31 xdsl1_reachips
-rw------- 1 root root    0 Aug 23 10:31 xdsl1_reachips.last
-rw------- 1 root root  100 Aug 23 10:31 xDSL.opconf
-rw------- 1 root root  100 Aug 23 10:31 xDSL.opconf.now
-rw------- 1 root root  504 Aug 24 16:23 xdsl_PPTP_ppp1

2.2.6 Traffic Shaping

Note:
Please have a look at the document HowTo: Traffic Shaping downloadable at the Myphion area at www.phion.com in order to acquire in-depth information on this feature.
Note:
Hardware based on i386 compatible CPUs does not provide the functions required for traffic shaping. Thus traffic shaping does not work on i386 kernels. Enter
rpm -q kernel --qf %{ARCH}\\n
on the command line to find out which kernel is present.

2.2.6.1 Enterprise Shaping

This design satisfies the requirements necessary for executing any of the following application schemes:
- Data Traffic Classification
Important traffic is distinguished from unimportant data traffic.
- Prioritisation
Important traffic is given preferential treatment (either more bandwidth and/or lower latency).
- Bandwidth Partition
Certain types of traffic are not allowed to exceed a bandwidth limit.
- Network Overflow Protection
Prohibits protocols not having a flow control mechanism from congesting the network.
- Dynamically Adjusted Shaping
Shaping is adjusted according to dynamic parameters like daytime or download volume.
- Shaping of VPN Transports
Shaping may not only be used for physical network interfaces but also for VPN transports.
When implementing traffic shaping, one distinguishes between traffic classification and shaping enforcement: the results of traffic classification are used as input for shaping enforcement in order to implement a shaping policy.
- Static Classification
Network traffic may be classified according to configurable conditions. Since the firewall rule set is already used to classify network traffic regarding security, we also use the rule set to classify network traffic for traffic shaping. It is therefore possible to treat network traffic for certain services (for example http, ftp, ) just like traffic originating from certain IP source/destination addresses differently.
- Dynamic Classification
Since the firewall rule set is only consulted during session initiation we call the above classification static classification. Once the session is initiated the classification performed by the rule set does not change. In order to also handle dynamic parameters like daytime or download volume, which vary during the session lifetime, we add an element called shaping connector to the concept. These shaping connectors (described in more detail later on) take the dynamic parameters of a network session into account and allow taking shaping decisions accordingly.
- Enforcement
Once traffic is classified, traffic shaping enforcement has to take place. The shaping enforcement is performed by processing network data before it is delivered to a network interface (outbound shaping) or after it is received by a network interface (inbound shaping). The enforcement is produced by delaying (queuing) or even discarding network traffic according to the present bandwidth utilisation status, using the results of traffic classification. To implement this enforcement we make use of a tree of virtual interfaces (virtual tree), which may be attached to network interfaces indicating that traffic shaping is intended.
Fig. 336 Enterprise Shaping Enforcement
- Virtual Interface
The active element of traffic shaping is called the Virtual Interface. As its name implies, the virtual interface involves a non-physical (abstract) network adapter. Data is transmitted over a virtual interface and, depending on the settings, is systematically transmitted onward.
The most important characteristics of a virtual interface are: a limiting bandwidth and a priority weighting (high, medium or low).
The bandwidth limit specifies the maximum data rate available for the virtual interface. If the virtual interface is congested (more data arrives than the bandwidth limit allows), the priority weighting determines how the available bandwidth will be partitioned according to individual priorities. Partitioning is never static. In other words, if all available traffic has a low priority, it will be assigned the whole bandwidth. The Weighted Random Early Drop (WRED) queue management algorithm is used for prioritisation.
- Virtual Tree
Virtual trees are constructed of a root virtual interface, which may be attached to a real network interface, and an arbitrary number of sub nodes forming a tree. The output of any number of virtual interfaces can be fed into the input of a superordinate virtual interface. Each and every virtual interface of a virtual tree can be configured individually. Virtual trees are built as templates and will only operatively perform traffic shaping when they are referred to by a physical network interface. This way the same virtual tree can be reused for several
reverse direction by traffic generated by the responder (server). As shown in figure 337 we have four different traffic types. For each type shaping may be enabled/disabled or configured differently.
Fig. 337 Enterprise Shaping Firewall Rule Parameter
Example 1: Simple traffic prioritisation
Fig. 338 Enterprise Shaping Example 1: Simple traffic prioritisation
to 4 customers, where one should get 40 MBits and the other three 20 bits each. The assigned bandwidth of each customer should not be exceeded even if the total bandwidth is not saturated.
- Multiprovider setup with a fallback ISDN line (bundled to 512 kbit). ISDN fallback is implemented with redundant network routes.
Fig. 340 Enterprise Shaping Example 3: Advanced traffic shaping
From this setup we expect the following:
- Low latency delivery for the VoIP application. This is achieved by feeding the VoIP traffic directly into the root node, whereas other traffic has to pass either the "B2B" or "Web" node first, where it is queued (delayed) if bandwidth saturation occurs. This way the VoIP traffic may even overtake the traffic waiting in the Web or B2B queues.
- A minimum of 40 % of the internet bandwidth for VPN traffic. By limiting the Web node to 60 % we guarantee that the B2B node will get at least 40 % of the available bandwidth (assuming that the amount of VoIP traffic is negligible).
- High priority treatment for Web access from the internet (Web Shop).
- Medium priority treatment for Web access from the internal network to the internet.
- Low priority treatment for downloads from the internal network which are larger than 10 MB.
- For ISDN Fallback operation (Provider Failure) deliver only the VPN and the VoIP application traffic. This is achieved by setting the Web node for the ISDN tree to operate in Drop Mode. This way the ISDN line is protected against unwanted web traffic.
Note:
TCP traffic
The TCP protocol uses a flow control mechanism to throttle the rate at which it is sending data. Since traffic shaping interferes with the packet delivery (packet delaying or discarding) it will affect the TCP flow control mechanism. Ideally, the TCP flow control will reduce its flow rate to an amount where the shaping mechanism is no longer forced to discard packets. This is only possible if the traffic shaping mechanism can delay packets long enough that the TCP flow control "detects" a smaller bandwidth by measuring longer RTTs (round trip times). A longer delay involves larger queue sizes that should be considered when configuring virtual interface nodes. Also, long delays result in larger latency values, which might be unwanted for other protocols. Therefore, in the case of mixed TCP and other protocol traffic, one might consider using separate traffic shaping nodes for TCP with different queue size settings.
It is also the TCP flow control mechanism which makes the priority weights approximate values. Assume we have 20 TCP sessions, where 10 are classified as high and 10 are classified as medium priority, all trying to get the maximum bandwidth possible. If we configured a ratio of 1:2 for the two priorities we will indeed observe this ratio when measuring the output for the two priorities. But if we change the setup to 1 high priority TCP session and 39 medium TCP sessions the result will change. In fact we will see that the single TCP session gets less bandwidth than we expected. The reason is simply that the flow control mechanism of the 39 TCP sessions generates more traffic while trying to find its optimum rate than the single high priority session. So if you know beforehand that you want to favour a small number of TCP sessions over a large number of unprivileged TCP sessions you should anticipate a larger ratio in order to get the wanted output ratio.
Traffic Shaping Configuration:
To configure virtual trees, go to the dialog Box > Traffic Shaping > Virtual Shaping Trees, lower window:
Fig. 341 Traffic Shaping Settings Virtual Shaping Trees
Table 39 Traffic Shaping Settings Virtual Tree commands
Command Description
Add new virtual tree: Create a new virtual tree.
Add new virtual interface: Create a new virtual interface for the selected virtual tree.
Copy virtual tree: Copy a selected virtual tree and give it another name.
Remove virtual tree: Delete a selected virtual tree.
Remove virtual interface: Delete a selected virtual interface.
The dialog box for creating a new virtual tree:
Fig. 342 Traffic Shaping Settings dialog box Virtual Device
List 363 Traffic Shaping configuration
Parameter Description
Tree Name: The name of the virtual tree.
Device Name: The name of the virtual interface.
List 364 Traffic Shaping configuration section Outbound (traffic sent over the device)
Parameter Description
Operation Mode: Choose the operational mode for the root virtual interface from the following possibilities:
Shape: The virtual interface limits traffic according to the settings.
Passthrough: Every packet received is immediately passed to the next tree node or to the associated network interface.
Drop: Every packet received is immediately discarded.
Priority: Every packet received is passed through the shaping tree without passing any queue.
Assumed Rate: This is the limiting bandwidth for the virtual interface. The rate is specified relatively in percent and becomes an absolute value as soon as a physical interface is assigned to a virtual tree.
Note:
Do not produce values lower than 512 kbit. With values lower than 512 kbit the shaping engine may not provide acceptable results.
Note:
The assignment uses effective interface rates rather than physical line speeds.
Note:
When using decimals be sure to use a period (.) as separator.
Priority Weights: The relative weight of the three priorities high (H), medium (M), low (L) or NoDelay. These weights specify the ratio of the traffic being propagated by a virtual node assuming that the input traffic is evenly distributed among the three priorities.
Priority Adjustment: When a datagram is passed to the next node in the tree its priority may be adjusted before processing is continued. This way packets may be treated with high priority in one node and with medium or even low priority in the next node.
Queue Size (Bytes): Size of the virtual interface's internal queue (in bytes). If set to '0', a suitable value is calculated for the virtual interface rate. If not using the default value note that small queue sizes imply low latencies and large queue sizes imply better TCP handling.
List 365 Traffic Shaping configuration section Inbound (traffic received by device)
Parameter Description
Operation Mode: Choose the operational mode from the following possibilities:
As-Outbound
Shape: The virtual interface limits traffic according to the settings.
Passthrough: Every packet received is immediately passed to the next tree node or to the associated network interface.
Drop: Every packet received is immediately discarded.
Assumed Rate: See section Outbound.
Priority Weights: See section Outbound.
Priority Adjustment: See section Outbound.
Queue Size (Bytes): See section Outbound.
A new virtual interface can be created on the subordinate level of an existing virtual interface. Choose an existing virtual interface (which means Virtual Tree Root Virtual Interface) and select Add new virtual interface.
The dialog box for creating a new virtual interface:
Fig. 343 Traffic Shaping Settings dialog box, new virtual interface
Note:
For the parameter description see list 363, page 86, list 364 and list 365.
To assign a virtual tree to a physical interface, go to the dialog Box > Traffic Shaping > Virtual Shaping Trees and open the context menu.
The following commands are available:
Table 310 Traffic Shaping Settings Interface commands
Command Description
Add new interface/tunnel: Assign a virtual tree to a physical interface.
Edit/Show: Change an existing physical interface assignment.
Remove Interface/Tunnel: Delete an existing physical interface assignment.
To configure a physical interface assignment, use the following dialog box:
Fig. 344 Traffic Shaping Settings dialog box Device/Tunnel Tree Mapping
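The Virtual Interface and Virtual Tree concepts of 2.2.6.1, the Example 3 tree (VoIP into the root, Web capped at 60 %, Web in Drop mode on the ISDN tree) and the Assumed Rate and Priority Weights parameters of lists 364 and 365 can be illustrated with the following simulation. It is an added example, not the manual's own code and not the shaping engine of the Barracuda NG Firewall: it computes the steady-state share each flow obtains when every node applies its relative rate limit and partitions its bandwidth by priority weight in a work-conserving way. Queueing, WRED, Priority Adjustment, the NoDelay class and TCP feedback are left out, and the flows, the rates (10000 kbit/s provider link, 512 kbit/s ISDN bundle) and the weights 4:2:1 are constructed values.

```python
"""Bandwidth partitioning in a virtual shaping tree, as a steady-state simulation.

Added example for illustration; it is not the manual's own code nor the shaping
engine of the Barracuda NG Firewall. It models the two characteristics of a
virtual interface described in 2.2.6.1: a limiting bandwidth (Assumed Rate,
relative to the parent node, absolute once the root is mapped to a physical
interface) and priority weights that partition the node's bandwidth without
ever leaving capacity unused. Flows, rates and the weights 4:2:1 are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PRIORITIES = ("high", "medium", "low")
DEFAULT_WEIGHTS = {"high": 4.0, "medium": 2.0, "low": 1.0}   # assumed ratio H:M:L


@dataclass
class Flow:
    name: str
    priority: str
    kbit: float          # rate offered (or, after shaping, granted) in kbit/s

    def __post_init__(self) -> None:
        if self.priority not in PRIORITIES:
            raise ValueError(f"unknown priority {self.priority!r}")


def weighted_share(demand: dict[str, float], weights: dict[str, float],
                   capacity: float) -> dict[str, float]:
    """Split `capacity` between priorities in proportion to `weights`.

    A priority never receives more than it demands; what it leaves is
    re-divided among the others, so partitioning is never static: if only
    low-priority traffic is present it gets the whole capacity.
    """
    alloc = {p: 0.0 for p in demand}
    active = {p for p, d in demand.items() if d > 0}
    remaining = capacity
    while active and remaining > 1e-9:
        total_w = sum(weights[p] for p in active)
        satisfied = set()
        for p in active:
            if demand[p] - alloc[p] <= remaining * weights[p] / total_w:
                alloc[p] = demand[p]        # fully served, drops out of the contest
                satisfied.add(p)
        if satisfied:
            active -= satisfied
            remaining = capacity - sum(alloc.values())
        else:                               # everybody wants more than its share
            for p in active:
                alloc[p] += remaining * weights[p] / total_w
            remaining = 0.0
    return alloc


@dataclass
class VirtualInterface:
    name: str
    rate_percent: float = 100.0                      # Assumed Rate, relative to the parent
    mode: str = "Shape"                              # Shape | Passthrough | Drop
    weights: dict[str, float] = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))
    children: list["VirtualInterface"] = field(default_factory=list)
    flows: list[Flow] = field(default_factory=list)  # traffic fed directly into this node

    def shape(self, parent_rate_kbit: float) -> list[Flow]:
        """Return the flows this node forwards to its parent (or to the wire)."""
        limit = parent_rate_kbit * self.rate_percent / 100.0
        incoming = list(self.flows)
        for child in self.children:              # sub nodes feed their output into us
            incoming.extend(child.shape(limit))
        if self.mode == "Drop":
            return []
        if self.mode == "Passthrough":
            return incoming
        if self.mode != "Shape":
            raise ValueError(f"unknown operation mode {self.mode!r}")
        demand = {p: sum(f.kbit for f in incoming if f.priority == p) for p in PRIORITIES}
        granted = weighted_share(demand, self.weights, limit)
        # Flows of one priority share their class allocation proportionally.
        return [Flow(f.name, f.priority, f.kbit * granted[f.priority] / demand[f.priority])
                for f in incoming if f.kbit > 0]


def example3_internet(rate_kbit: float = 10000.0) -> dict[str, int]:
    """Example 3 tree on the provider link: VoIP into the root, Web capped at 60 %."""
    web = VirtualInterface("Web", rate_percent=60.0)
    b2b = VirtualInterface("B2B")
    root = VirtualInterface("ISP", children=[b2b, web])
    root.flows.append(Flow("VoIP", "high", 500.0))
    b2b.flows.append(Flow("VPN", "medium", 8000.0))
    web.flows.append(Flow("HTTP", "medium", 9000.0))
    return {f.name: round(f.kbit) for f in root.shape(rate_kbit)}


def example3_isdn_fallback(rate_kbit: float = 512.0) -> dict[str, int]:
    """Same tree for the ISDN bundle, with the Web node in Drop mode."""
    web = VirtualInterface("Web", mode="Drop")
    b2b = VirtualInterface("B2B")
    root = VirtualInterface("ISDN", children=[b2b, web])
    root.flows.append(Flow("VoIP", "high", 64.0))
    b2b.flows.append(Flow("VPN", "medium", 600.0))
    web.flows.append(Flow("HTTP", "medium", 9000.0))
    return {f.name: round(f.kbit) for f in root.shape(rate_kbit)}


if __name__ == "__main__":
    print(example3_internet())        # {'VoIP': 500, 'VPN': 5429, 'HTTP': 4071}
    print(example3_isdn_fallback())   # {'VoIP': 64, 'VPN': 448}
```

With the provider link saturated, the Web node's 60 % cap lets at most 6000 kbit/s of HTTP reach the root, so the VPN flow from the B2B node keeps more than the 40 % the example promises, while the high-priority VoIP flow is served in full; on the ISDN tree the dropped Web node leaves the whole 512 kbit/s to VoIP and VPN. Compare such steady-state figures with the Realtime Information view of the firewall GUI to spot a node whose Assumed Rate or weights were mistyped.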
List 366 Device/Tunnel Tree Mapping
Parameter Description
Interface / Tunnel Name: Specify the name of the physical interface (for example eth1).
Assigned Virtual Tree: Specify the virtual tree which should be assigned to the network interface.
Outbound Rate: Specify the effective outbound rate of the physical interface.
Note:
This may differ from the rate the physical interface is capable of (Internet provider access using a 100 Mbit interface but only 10 Mbit are effectively available).
Inbound Rate: Specify the effective inbound rate of the physical interface.
For VPN transports, virtual trees are assigned in the TI settings of the VPN transport.
Fig. 345 Traffic Shaping Settings dialog box TINA Tunnel
To define and edit shaping connectors, choose dialog Box > Traffic Shaping > Shaping Connectors, upper window.
Fig. 346 Traffic Shaping Settings Shaping Connectors
The following commands are available:
Table 311 Traffic Shaping Settings Shaping connector commands
Command Description
Add new connector: Create a new shaping connector.
Remove connector: Delete an existing shaping connector and all its associated rules.
Append new connector rule: Add a new connector rule. The new rule will be appended at the bottom of the existing list of rules for the selected shaping connector.
Remove connector rule: Delete a connector rule from the list of rules for the selected shaping connector.
Move connector rule down: Move the selected connector rule back a position.
Move connector rule up: Move the selected connector rule forward a position.
Parameter Description
Priority: Defines the data packet's priority (high, medium, low) should the rule apply. This is the priority at which the packet will eventually be fed into the virtual interface.
List 368 Shape Connector Rule The traffic shaping file contains the configuration settings
Parameter Description for bandwidth management. Shaping is performed by
Virtual Device The name of the virtual interface into which the data classifying the traffic into one of the 8 available shaping
packet will be fed, should this rule apply. bands:
List 369 Shape Connector Rule section Condition z Band A to G
Parameter Description z System Traffic (Management Traffic)
A connector rule applies if all specified conditions
apply:
The firewall rules define to which band traffic is assigned.
TOS Indicates that the TOS in the IP header must match the
specified value.
The classification of the traffic can be monitored in the
Traffic Limit Indicates that network sessions must not exceed the
Status tab of the firewall service..
specified amount of data being sent.
Time Period Indicates an absolute time span during which this rule Attention:
applies. When planning the deployment of traffic shaping take
Weekday/Hour Defines the hours of the week during which this rule the CPU resources of the traffic shaping equipment into
applies. consideration. Especially on low-end machines the
shaping process on links with high utilisation can cause
Realtime Information
performance degradation, resulting in high CPU loads
Realtime information of the traffic shaping mechanism is and reduced network connectivity. Depending on the
shown in the operative firewall GUI (Shaping). The system configuration, Barracuda Networks recommends
provided information shows all physical interfaces or VPN a maximum interface shaping bandwidth of 10MBits/s on
transports with an assigned virtual tree. For each tree systems with a CPU clock of 800MHz or lower.
node traffic information is provided.
Fig. 350 Config Section - Traffic Shaping
Fig. 349 Realtime Information Shaping
List 371 Traffic Shaping configuration section Policy Definition
Parameter | Description
Band A to G | These seven bandwidth classes can be used to classify the network traffic of any given network individually. The classification can be done by the firewall rule set or manually in the "Status" tab of the firewall. The A-G traffic bands share their bandwidth in the relation of their bandwidth settings. A maximum setting may also be defined to limit the total traffic bandwidth of any band. The share that is not consumed by the A-G bands is available to the managed traffic until its maximum share limit is exhausted.
Bandwidth (%) | The bandwidth defines the share of the total traffic that is available to a band. When there is still bandwidth available after every band has claimed its share, additional resources can be used until the link is fully utilized.
Max. Bandwidth (%) | The maximum bandwidth defines an upper limit of traffic bandwidth that may be used by a band. No band is allowed to exceed its limit.

In the configuration dialog of the Policy Definition, bandwidth settings must be configured only for effective bands. Settings of ineffective bands will be ignored until those bands are activated in a rule set.

- Calculation of Traffic Shaping quotas:

Two variants exist for calculating Traffic Shaping quotas (in the example, an interface bandwidth of 1 Mbit/s is assumed):

1. Calculation by ratio
This calculation method is the easiest way to keep an overview of the configured settings. In Variant 1 a defined absolute share is first assigned to Management Traffic; the remaining interface bandwidth is then assumed to match 100 %. In the example, 10 % of the total available interface bandwidth is assigned to Management Traffic. The settings of the other bands (excluding the Management Traffic settings) are then configured to equal 100 %. The bandwidth calculation is thus based on a remaining total bandwidth of 900 kbit/s instead of 1 Mbit/s.

Table 314 Bandwidth calculation by ratio
Band | Ratio | Setting | Available Bandwidth | Interface Bandwidth
Management Traffic | 10 / 100 | 10 % of total interface bandwidth | 100 kbit/s | 1 Mbit/s
Band A | 40 / 100 | 40 % of total bandwidth remainder | 360 kbit/s | 900 kbit/s
Band B | 60 / 100 | 60 % of total bandwidth remainder | 540 kbit/s | 900 kbit/s

2. Calculation by total percentage
The settings in Variant 2 lead to the same result. The sum of all bandwidth settings is configured not to exceed 100 %. Keep in mind that the bandwidth setting for Management Traffic takes a special position, as it is calculated as an absolute share of the total available interface bandwidth. In the example, 10 % of the interface bandwidth is assigned to Management Traffic; 36 % and 54 % respectively are assigned to Bands A and B.

Table 315 Bandwidth calculation by total percentage
Band | Ratio | Setting | Available Bandwidth | Interface Bandwidth
Management Traffic | 10 / 100 | 10 % of total interface bandwidth | 100 kbit/s | 1 Mbit/s
Band A | 36 / 100 | 36 % of total bandwidth | 360 kbit/s | 1 Mbit/s
Band B | 54 / 100 | 54 % of total bandwidth | 540 kbit/s | 1 Mbit/s

List 372 Traffic Shaping configuration section Devices
Parameter | Description
The interfaces that are going to be used by the traffic queuing must be listed here. The total bandwidth that is available for the inbound and outbound traffic has to be entered here.
Device | This is the network interface that should be used for application of the shaping policy. Only static interfaces may be used (eth0, tr1, ...). Network interfaces that establish the network connection dynamically (for example, ppp0) may not be entered here. In these cases the symbolic names DYNAMIC_adsl should be used for ADSL connections and DYNAMIC_isdn should be used for ISDN connections.
Outbound Bandwidth (kbit) | The outbound bandwidth defines the maximum bandwidth in kbit that may be utilized by network traffic. This can also be used for setting a maximum egress traffic limit on the given interface.
Policy | The policy of the interface defines how the bands share the available network bandwidth.
Enable Inbound Shaping | If this option is set to yes, the shaping mechanism is also applied to inbound traffic. The same traffic policy which is used for outbound traffic is then also used for inbound traffic.
Inbound Bandwidth (kbit) | The inbound bandwidth defines the maximum inbound bandwidth in kbit that may be utilized by network traffic. This can also be used for setting a maximum ingress traffic limit on the given interface. If this field is left blank, the same bandwidth setting is used that was defined in the entry Outbound Bandwidth (kbit).

Calculation of Bandwidth Settings

The main purpose of traffic shaping is to confine the maximum available network bandwidth an application may utilize, in order to guarantee full functionality and availability of another application with higher priority. Moreover, traffic shaping can be used to limit the speed of network connections.

Bandwidth Calculation

Regarding the interaction between traffic shaping parameters, the following applies:

Note:
In setups where only one traffic-shaping interface is involved, both inbound and outbound bandwidth must be configured, as outbound traffic arrives at the gateway without prioritisation.

Step 1
On Barracuda NG Firewalls 1 and 2 configure Forwarding Firewall Rule Sets allowing connections to the desired application such as Internet, file sharing, terminal sessions and so on. Assign the same Band to all these rule sets in the Parameter Section of the Edit/Create Rule configuration window. In the example, usage of Band A is assumed.

Step 4
Define a shaping policy through parameter Policy Definition. The following policy would suit the needs:

Table 316 Example 1 Policy Definition configuration
Parameter | Description
Policy Name | dslconnection
Management Traffic | Ratio: bandwidth 0 % / maximum bandwidth 0 %
Band A | 70 / 100. Band A may use 70 % out of the available 2048 kbit/s downstream and 768 kbit/s upstream, that is 1433.6 kbit/s and 537.6 kbit/s, respectively. If Band B does not claim its share, it may use all available bandwidth up to 100 % of the total amount.
Band B | 30 / 100
Band C - Band G | 0/0
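The two quota variants (Tables 314 and 315) and the Example 1 figures worked through in code, as an added example that is not part of the guide or of the product. The band names, the 1000 kbit/s interface of the tables, the 2048/768 kbit/s link of Example 1 and the per-band demand values are assumptions made for illustration; the run-time distribution in allocate() is this example's reading of the Bandwidth (%) / Max. Bandwidth (%) semantics described above.

```python
"""Traffic shaping quota arithmetic from this section (added example, not
Barracuda code). All bandwidths are in kbit/s; 1 Mbit/s = 1000 kbit/s."""

MGMT = "Management Traffic"


def quotas_by_ratio(interface_kbit, mgmt_pct, band_ratios):
    """Variant 1 (calculation by ratio): Management Traffic takes an absolute
    share of the interface; the remainder counts as 100 % and is split among
    the bands in proportion to their ratio settings."""
    if not 0.0 <= mgmt_pct <= 100.0:
        raise ValueError("Management Traffic share must be a percentage")
    mgmt = interface_kbit * mgmt_pct / 100.0
    remainder = interface_kbit - mgmt          # 900 kbit/s in the guide's example
    total_ratio = sum(band_ratios.values())
    quotas = {MGMT: mgmt}
    for band, ratio in band_ratios.items():
        quotas[band] = remainder * ratio / total_ratio if total_ratio else 0.0
    return quotas


def quotas_by_total_percentage(interface_kbit, band_pct):
    """Variant 2 (calculation by total percentage): every setting, Management
    Traffic included, is a percentage of the full interface bandwidth, and
    the settings must not add up to more than 100 %."""
    total = sum(band_pct.values())
    if total > 100.0 + 1e-9:
        raise ValueError(f"band settings add up to {total:g} %, more than 100 %")
    return {band: interface_kbit * pct / 100.0 for band, pct in band_pct.items()}


def ratio_to_total_percentage(mgmt_pct, band_ratios):
    """Rewrite Variant 1 settings as the equivalent Variant 2 settings (the
    guide's 40 / 100 and 60 / 100 of a 90 % remainder become 36 % and 54 %)."""
    remainder_pct = 100.0 - mgmt_pct
    total_ratio = sum(band_ratios.values())
    settings = {MGMT: mgmt_pct}
    for band, ratio in band_ratios.items():
        settings[band] = remainder_pct * ratio / total_ratio
    return settings


def allocate(link_kbit, bandwidth_pct, max_pct, demand_kbit):
    """Distribute one direction of a link among bands at run time (assumed model).

    Each band first receives min(demand, its Bandwidth (%) share). Bandwidth
    left over is handed to bands that still have demand, never beyond their
    Max. Bandwidth (%) cap. Mirrors Example 1: Band A at 70 / 100 gets
    1433.6 kbit/s of a 2048 kbit/s downstream, and all of it if Band B is idle.
    """
    share = {b: link_kbit * bandwidth_pct[b] / 100.0 for b in bandwidth_pct}
    cap = {b: min(demand_kbit.get(b, 0.0), link_kbit * max_pct[b] / 100.0)
           for b in bandwidth_pct}
    alloc = {b: min(cap[b], share[b]) for b in bandwidth_pct}
    leftover = link_kbit - sum(alloc.values())
    # Water-fill the leftover in equal rounds; every round either exhausts the
    # leftover or saturates at least one band, so len(bands) rounds suffice.
    for _ in range(len(bandwidth_pct)):
        wanting = [b for b in bandwidth_pct if cap[b] - alloc[b] > 1e-9]
        if not wanting or leftover <= 1e-9:
            break
        portion = min(leftover / len(wanting),
                      min(cap[b] - alloc[b] for b in wanting))
        for b in wanting:
            alloc[b] += portion
            leftover -= portion
    return alloc


if __name__ == "__main__":
    print(quotas_by_ratio(1000, 10, {"Band A": 40, "Band B": 60}))
    print(allocate(2048, {"Band A": 70, "Band B": 30},
                   {"Band A": 100, "Band B": 100}, {"Band A": 2048, "Band B": 0}))
```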
Box menu Software item Manager Operator Mail Security Audit Cleanup
Antivir - - - -
Update Pattern - - - -
Disable/Enable Pattern Update - - - -
Config - - -
Create a DHA box - - - - -
Create a PAR file - - - - -
Create a repository - - - - -
Create a server - - - - -
Create a service - - - - -
Kill configuration sessions - - - - -
HA synchronisation - - - -
Control - - -
Activate new network configuration - - - -
Block a server - - - -
Block a service - - - -
Time control - - - - -
Delete Wild Route - - - -
Import license - - - - -
Kill sessions - - - -
OS Restart - - - -
Reboot Box - - - -
Remove license - - - - -
Restart network configuration - - - -
Show license - - - -
Start a server - - - -
Stop a server - - - -
DHCP - - - -
GUI commands - - - -
Events -
Confirm events - - -
Delete events - - - -
Mark events as read - - -
Set events to silent - - -
Stop alarm - - -
Firewall - -
Access to trace tab - - - -
Remove entries from cache - - - -
Terminate connections - - -
Create dynamic rules - - -
Kill a process - - -
Modify connections - - -
Modify traces - - - -
Toggle traces - - - -
View rules - - - -
Logs - -
Delete resource logs (box_) - - - -
Delete service logs - - - -
Read resource logs (box_) - -
Read service logs - -
Mail - - -
GUI commands - - - -
View Stripped Attachments - - -
Retrieve Stripped Attachments - - - -
Delete Stripped Attachments - - - -
Access Control Service
Enable Commands - - - -
Block Sync - - - -
SSL-Proxy
Access Cache Management - - - -
Ticket Management - - - -
Cert Authorities Management - - - -
XML Services Management - - - -
Statistics - -
Delete resource logs (box_) - - - -
Delete service logs - - - -
Read resource logs (box_) - -
Read service logs - -
VPN - -
Disable VPN connections - - -
Disconnect VPN connections - - -
View Configuration - - - -
2.2.8 Box Licenses

The configuration file Box Licenses is a container for all license data a system requires for non-demo mode operation. Purchased licenses may be imported from the clipboard or directly from the license file. Licenses are immediately active on the system after an activation change.

Note:
Importing licenses within the Box Licenses node has the same effect as making use of the license import facility of the control daemon. This means that licenses which are imported or deleted from the box control licenses view will be inserted into or removed from the configuration file Box Licenses. On a stand-alone system, both approaches may be used interchangeably.

List 377 Advanced Configuration section License Configuration
Parameter | Description
Licenses | To import a Barracuda Networks license (.lic), click the Import button and, depending on how the license file has been delivered, select a suitable context menu entry from the list.
Gather information about the following before introducing a server:
- How will the server be named?
- Which IP addresses will it employ?

The introduction of servers and services is the first action required after having installed a Barracuda NG Firewall system. Unless this is done, the box will stay without special functions.

Fig. 354 Context-menu of the Servers directory

- on CC-administered boxes (3.3 Server Configuration on CC-administered Boxes, page 96)

The differences between the configuration details are based on the interconnection between service availability and the platform the Barracuda NG Firewall system is installed on (Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16).

The opportunity to specify the Product Type when creating a server is given in order to avoid the possibility of creating services later on that will not be executable on the purchased system. The selection displayed in the product type field is determined and narrowed by the specifications appointed in the Box Properties (2.2.2 Box Properties, page 52).

Consider the following example for understanding: You have installed a single box using the installation tool Barracuda NG Installer (Getting Started 2.2 Creating a "standard" Kickstart Disk, page 10, and then Step 3 Defining Box Type settings) and have specified the following values for the box configuration:

Table 321 Example Box configuration
Parameter | Value
OS Platform | Barracuda NG Firewall
Product Type | sectorwall
Appliance Model | standard-hardware

server "box". Choose a significant name instead. Note that servers cannot be moved to boxes set up using another product type.

The data inserted into the server configuration dialog is stored in the Server Properties file, which is a standard component of each server branch of the tree.

Note:
Consult this instance to alter server/service configuration settings, such as IP addresses.
3.2 Server Configuration on Single Boxes

3.2.1 General

Fig. 355 Server configuration (single box) - General

List 378 Server configuration - General settings on single boxes section Virtual Server Definition
Parameter | Description
Server Name | The server name is created the moment the server is introduced and cannot be changed later on. The name may contain a maximum of eight characters (digits, "-", and characters from the Latin character set excluding special characters).
Description | Provide a brief but significant description of your server here.
Product Type | Each product type allocates a specific range of services (Getting Started 2.5 Barracuda Networks Multi-Platform Product Support, page 16). The product type chosen here determines which services will be available for creation. Choose the product type matching the box(es) you are creating the server for.
Active Box | The box on which the service is meant to run has to be specified as Active Box. In high availability (HA) setups, two boxes can run active servers alternately to achieve a load-balanced system (High Availability, page 399). When creating a server on a single box, the box itself has to be specified as active box. In HA setups, where the configuration is always done on the primary box, the HA partner has to be specified as active box if it should run the server actively. Note: When creating a server for the first time, the Active Box field cannot be edited. Nevertheless, the server will be allocated to it.
Backup Box | In HA setups (High Availability, page 399) this field expects definition of the HA partner.
Encryption Level | Set the encryption level to Full-Featured-Encryption when installing a fully licensed system. Otherwise, select Export-Restricted-Encryption when installing a DEMO mode or export-restricted gateway.

List 379 Server configuration - General settings on single boxes section Virtual Server IP Addresses
Parameter | Description
First-IP [S1] | This address is the primary address of the server. The IP entered here usually reflects the internal side, which means the primary box network.
Reply to Ping | Controls whether the primary address of the server will respond to an ICMP echo request (default: no).
Second-IP [S2] | This address is the secondary address of the server.
Reply to Ping | Controls whether the secondary address of the server will respond to an ICMP echo request (default: no).
Additional IP | Array of additional IPs that should be activated. Again the parameter Reply to Ping controls whether an address will respond to ICMP echo requests. Note: Maximum number of entries that do not reply to a ping: 256 (including First-IP and Second-IP).

3.2.2 Monitoring

List 380 Server configuration (single box) - Monitoring settings section Operation Mode
Parameter | Description
Enable Monitoring on Secondary | When Monitoring on Secondary is enabled (default setting: yes), the activated HA partner will also disable this server as soon as the monitored interfaces or IPs are no longer available from its own position. Set to no, the non-availability won't be noticed and the server will continue to run. Note: Even when the server is running on the secondary box, the probing conditions will be recognized. This setting only influences the behavior of the server if it is active on the secondary box and the probing conditions do not match.

List 381 Server configuration (single box) - Monitoring settings section IP Monitoring
Parameter | Description
IP Monitoring Policy | Here you may specify the monitoring policy. The following policies are available:
no-monitoring (default)
all-OR-all-present: Expects the IPs from at least one IP pool to be completely present. If you are monitoring multiple IPs in pool Monitor IPs I only, all these addresses must be available. If you are monitoring multiple IPs in both pools Monitor IPs I and Monitor IPs II, the IP addresses of at least one of these pools must be completely available.
one-AND-one-present: Expects one IP to be available from each pool used. If you are monitoring multiple IPs in the pool Monitor IPs I only, at least one IP from this pool has to be available. If you are monitoring multiple IPs in both pools Monitor IPs I and Monitor IPs II, at least one IP address has to be available in each pool.
Monitor IPs I / II | Here you may specify IP addresses that must be reachable via the ICMP protocol by the box hosting the server in order for the server to stay up. Reachability is checked at 10 s intervals. In case no answer is received, the IPs are probed every second for a 10 s period. Depending on the current monitoring settings, if either no response at all or no response from one of the IPs is received, the server is deactivated. The server is reactivated as soon as subsequent probes at 10 s intervals yield a positive result. The probing is carried out by the control daemon (a box service).
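The IP monitoring policies of List 381 and the probe schedule of Monitor IPs, replayed in code as an added example that is not part of the guide or of the control daemon; the same policy function applies unchanged to the interface monitoring pools Monitor Devs I / II below. The addresses, the outage and the rule that the server is deactivated only if the policy still fails at the end of the 10 s fast-probe period are assumptions of this example, not statements of the guide.

```python
"""Server IP/interface monitoring (added example, not Barracuda code): the two
policies from List 381 evaluated over the pools Monitor IPs I and II, plus the
probe schedule described for Monitor IPs (10 s cadence, 1 s probes for a 10 s
period after a miss, reactivation on a later 10 s probe). Assumption: the
server is deactivated only if the policy still fails at the end of the 10 s
fast-probe period; the guide does not spell this out."""


def policy_holds(policy, pool1, pool2):
    """pool1/pool2 map a monitored address (or interface) to True when the
    probe succeeded. An empty pool is treated as not in use."""
    pools = [p for p in (pool1, pool2) if p]
    if policy == "no-monitoring" or not pools:
        return True
    if policy == "all-OR-all-present":
        # at least one pool in use must be completely present
        return any(all(p.values()) for p in pools)
    if policy == "one-AND-one-present":
        # every pool in use must have at least one member present
        return all(any(p.values()) for p in pools)
    raise ValueError(f"unknown monitoring policy {policy!r}")


def simulate(policy, pool1, pool2, reachable, duration_s):
    """Replay the control daemon's probe schedule for duration_s seconds.

    reachable(t, name) -> bool stands in for the ICMP echo (a constructed
    probe result, no network I/O). Returns the list of (t, transition) events.
    """
    events, active, fast_until = [], True, None
    for t in range(duration_s + 1):
        regular = t % 10 == 0
        if not regular and fast_until is None:
            continue                      # nothing to probe this second
        ok = policy_holds(policy,
                          {a: reachable(t, a) for a in pool1},
                          {a: reachable(t, a) for a in pool2})
        if active:
            if ok:
                fast_until = None         # miss recovered, back to 10 s cadence
            elif fast_until is None:
                fast_until = t + 10       # probe every second for a 10 s period
            elif t >= fast_until:
                active, fast_until = False, None
                events.append((t, "deactivated"))
        elif regular and ok:              # only the 10 s probes reactivate
            active = True
            events.append((t, "reactivated"))
    return events


def outage(down, start, end):
    """Constructed probe function: `down` answers no echo for start <= t <= end."""
    return lambda t, name: not (name == down and start <= t <= end)


if __name__ == "__main__":
    pool = ["10.0.0.1", "10.0.0.2"]       # constructed Monitor IPs I
    for pol in ("all-OR-all-present", "one-AND-one-present"):
        print(pol, simulate(pol, pool, [], outage("10.0.0.2", 15, 45), 60))
```

With all-OR-all-present the single-pool setup drops the server at t=30 and brings it back at t=50, while one-AND-one-present never fails because 10.0.0.1 keeps answering.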
List 382 Server configuration (single box) - Monitoring settings section Interface Monitoring
Parameter | Description
Interface Monitoring Policy | Here you may specify the interface monitoring policy. The following policies are available:
no-monitoring (default)
all-OR-all-present: Expects the interfaces from at least one interface pool to be completely present. If you are monitoring multiple interfaces in pool Monitor Devs I only, all these interfaces need to be available. If you are monitoring multiple interfaces in both pools Monitor Devs I and Monitor Devs II, the interfaces of at least one of these pools must be completely available.
one-AND-one-present: Expects one interface to be available from each interface pool used. If you are monitoring multiple interfaces in the pool Monitor Devs I only, at least one interface from this pool has to be available. If you are monitoring multiple interfaces in both pools Monitor Devs I and Monitor Devs II, at least one interface has to be available in each pool.
Monitor Interfaces I / II | Here you may specify physical interfaces which must have a link in order for the server to stay up. The link status is checked on a regular basis. Depending on the current monitoring settings, if either no link at all or no link on one of the interfaces is recognized, the server is deactivated. The server is reactivated as soon as the link status of the monitored interface is up again. The probing is carried out by the control daemon (a box service).

3.2.3 Scripts

List 383 Server configuration (single box) - Scripts configuration section Server Scripts
Parameter | Description
Start Script | Free text area containing command sequences which are executed whenever the server is started up. Use 7-bit ASCII characters and standard BASH (Version 2 compliant) syntax.
Stop Script | Free text area containing command sequences which are executed whenever the server is shut down. Use 7-bit ASCII characters and standard BASH (Version 2 compliant) syntax.

Attention:
Using phionctrl in the Start and Stop Server fields might cause a deadlock. Do not use phionctrl in this place.

List 384 Server configuration (CC) - General configuration section Virtual Server Definition
Parameter | Description
Secondary Box | In HA setups (High Availability, page 399) this field expects definition of the HA partner.

3.3.1 Identity Tab

List 385 Server configuration - IDENTITY tab section Virtual Server Identity
Parameter | Description
Server Private Key | On CC-administered boxes a server's private key is automatically generated when a server is created. In conjunction with VPN this key is used to identify the VPN servers located at the tunnel's endpoints against one another. Click on the New Key button to generate a new 1024 bit long private RSA key. The key is automatically updated in the view of the VPN GTI Editor.
Server Certificate | This is the server's master-signed server certificate.

3.3.2 GTI Networks

This configuration section is relevant in conjunction with VPN GTI (Barracuda NG Control Center 15. VPN GTI, page 490).

List 386 Server configuration - NETWORKS tab section Virtual Server/GTI Networks
Parameter | Description
Server/GTI Networks | If VPN tunnels have been configured with the VPN GTI Editor, all networks which must be reachable behind the tunnel's endpoints need to be entered here. These reachable networks are displayed in read-only view in the Server/Service Settings tab of the VPN service configuration area (see 15.2.2.3 Defining VPN Service Properties, page 494).
A service name may contain a maximum of six characters and must be unique. Services are either server-services or box-services. Box services provide functionality required to run the Barracuda NG Firewall system. They are factory defined and cannot be removed or introduced manually. Administrators may only introduce server-services. Server-services are made available under an adjustable subset of IP addresses bound to the assigned server.

Note:
According to this structure, server deletion will automatically result in concurrent deletion of assigned services. Create backups of your configuration before changing server and service settings (5.3 Creating PAR Files, page 119).

4.1.1 General view

List 387 Service Configuration - General section Service Definition
Parameter | Description
Disable Service | This parameter allows deactivating the service. By default this parameter is set to no, which means the service will be active upon creation.
Service Name | The service's name supplied before. The name may contain up to 6 characters (digits, "-", and characters from the Latin character set excluding special characters). This is a read-only field, which means that an existing service cannot be renamed.
Description | Provide a brief but significant description of your service here.

List 389 Service Configuration - General section Available Server IPs
Parameter | Description
Server Address Labels | This list displays all IP addresses that are available in the Server Configuration file and may be used by the service. First and Second Server IP are flagged with the labels S1 and S2, respectively.

4.1.2 Statistics view

List 390 Service Configuration - Statistics section Statistics Settings
Parameter | Description
Generate Statistics | This flag defines whether to generate statistical data for the service (default: yes).
Src Statistics | This flag defines whether to generate IP source based statistical data for the service (default: yes). Only volume over time but no correlation with temporal evolution will be recorded.
Src Time-Statistics | This flag defines whether to generate IP source based statistical data for the service (default: yes). Both volume and correlation with temporal evolution will be recorded.
Dst Statistics | This flag defines whether to generate IP destination based statistical data for the service (default: yes). Only volume over time but no correlation with temporal evolution will be recorded.
Dst Time-Statistics | This flag defines whether to generate IP destination based statistical data for the service (default: yes). Both volume and correlation with temporal evolution will be recorded.
Src-Dst Statistics | This flag defines whether to generate IP source/destination pair based statistical data for the service (default: yes). Only volume over time but no correlation with temporal evolution will be recorded.

Note:
Depending on the service, some statistics will
- be collected as they have been set in the configuration, yes or no: symbol
- always be collected, even if they are set to no in the configuration: symbol +
- not be available: symbol

Table 322 Service configuration Statistics dependent or independent from the statistics settings
Service Generate Statistics Src Statistics Src Time Statistics Dst Statistics Dst Time Statistics Src Dst Statistics
DHCP Service
DHCP Relay
DNS
Firewall
FTP Gateway +
[a]
HTTP Proxy [a] [a] [a] [a] [a]
URL Filter
Mail-Gateway
OSPF/RIP Service
SNMPd +
SPAM Filter + + + + + +
SSH Proxy
Secure Web Proxy [a] [a] [a] [a] [a] [a]
Virus Scanner + + + + + +
VPN Service
Access Control Service +
4.1.3 Notification view

List 391 Service Configuration - Notification section Access Notification
Parameter | Description
In this section you may specify the service-specific default level at which event based notification takes place in case of an attempted system access.
Note: These settings are only meaningful for services that allow administrative access.
Service Default (Success) | Service-specific default notification type in case of successful administrative access to the service (if available). Barracuda NG Firewall applications generate "NGFW Subsystem Login" notifications every time a user has successfully logged into an application that interacts with the graphical administration tool Barracuda NG Admin (for example control, event, statistics, config). The default setting is Notice.
Value | Event type (ID)
Silent | no event
Notice | NGFW Subsystem Login Notice [2420]
Warning | NGFW Subsystem Login Warning [2421]
Alert | NGFW Subsystem Login Alert [2422]
Service Default (Failure) | Service-specific notification type in case of an unsuccessful administrative access attempt (unknown admin, insufficient authorisation, wrong authorisation token) to the service (if available). The default setting is Notice.
Value | Event type (ID)
Silent | no event
Notice | Authentication Failure Notice [4110] or User Unknown [4100]
Warning | Authentication Failure Warning [4111] or User Unknown [4100]
Alert | Authentication Failure Alert [4111] or User Unknown [4100]
Note: The event User Unknown is generated when the Admin ID is not known to the underlying Barracuda Networks authentication module. Event type Authentication Failure is used when password or key do not match or the admin is not authorized to access the service (multi-admin environment, only in conjunction with a Barracuda NG Control Center).

Fig. 357 Service directory

Beside other module-dependent configuration items, the file Service Properties will always be present upon creation of a service.
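A triage pass over the access events this section defines, as an added example that is not part of the guide or of the eventing subsystem. Only the event IDs (2420-2422, 4100, 4110, 4111) come from the guide; the record layout (epoch seconds, event ID, service, admin ID, peer address), the sample records, the threshold and the window are constructed for illustration, and silent_services() is this example's check for the blind spot a Service Default (Failure) of Silent creates.

```python
"""Triage of the administrative-access events of List 391 (added example, not
Barracuda code). Event IDs are the ones given in the guide; the record layout
and the sample records are constructed and do not reflect the real format."""
from collections import defaultdict, deque

SUBSYSTEM_LOGIN = {2420, 2421, 2422}   # NGFW Subsystem Login Notice/Warning/Alert
USER_UNKNOWN = {4100}                  # admin ID not known to the auth module
AUTH_FAILURE = {4110, 4111}            # known admin, wrong password/key or not authorized


def silent_services(failure_levels):
    """failure_levels: service name -> configured Service Default (Failure).
    A service set to Silent emits no event for failed access attempts, so the
    triage below cannot see anything that happens there."""
    return sorted(s for s, level in failure_levels.items() if level == "Silent")


def triage(records, window_s=300, threshold=5):
    """Flag a peer once it accumulates `threshold` failed admin logins inside
    `window_s` seconds, and any later successful login from such a peer.
    Unknown-admin and bad-credential failures are counted separately because
    the guide assigns them different events (4100 versus 4110/4111)."""
    failures = defaultdict(deque)      # peer -> deque of (ts, event_id)
    findings = []
    for ts, event_id, service, admin, peer in sorted(records):
        q = failures[peer]
        while q and ts - q[0][0] > window_s:
            q.popleft()                # drop failures that left the window
        if event_id in USER_UNKNOWN or event_id in AUTH_FAILURE:
            q.append((ts, event_id))
            if len(q) == threshold:    # report once, when the threshold is crossed
                unknown = sum(1 for _, e in q if e in USER_UNKNOWN)
                findings.append((ts, peer, service,
                                 f"{len(q)} failed admin logins in {window_s}s "
                                 f"({unknown} unknown admin IDs, "
                                 f"{len(q) - unknown} bad credentials)"))
        elif event_id in SUBSYSTEM_LOGIN and len(q) >= threshold:
            findings.append((ts, peer, service,
                             f"successful login as {admin!r} after "
                             f"{len(q)} recent failures"))
    return findings


# Constructed sample: one peer cycles through admin names (User Unknown), then
# fails twice on a real admin (Authentication Failure), then logs in; another
# peer logs in normally and has a single typo later.
SAMPLE = [
    (1000, 2420, "control", "root", "10.0.1.5"),
    (1100, 4100, "config", "admin1", "192.0.2.9"),
    (1110, 4100, "config", "admin2", "192.0.2.9"),
    (1120, 4100, "config", "operator", "192.0.2.9"),
    (1130, 4110, "config", "root", "192.0.2.9"),
    (1140, 4110, "config", "root", "192.0.2.9"),
    (1160, 2420, "config", "root", "192.0.2.9"),
    (1300, 4110, "statistics", "root", "10.0.1.5"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("blind services:", silent_services({"config": "Notice", "ssh": "Silent"}))
```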
5.1 Box Settings Advanced Configuration

5.1.1 System Settings

This configuration instance addresses the seasoned Linux expert. Normally there is no need to consult this file, as the default settings have been chosen so as to comply with standard Barracuda NG Firewall system requirements. If you wish to use the Barracuda NG Firewall system as a generic managed Linux platform you may come up against situations where modifications might be desirable. Most people will, however, simply use this file to get an overview as to what certain kernel relevant parameters are set to.

To open the system settings, double-click System Settings (Node Advanced Configuration).

5.1.1.1 IPv4 Settings

List 392 System Settings section General IP Settings
Parameter | Description
TCP ECN Active | With TCP ECN Active (Explicit Congestion Notification) set to Yes it is possible to reduce the TCP traffic when a router load is at a maximum and therefore packet loss is possible. Attention: Do not activate this parameter when using Barracuda NG Firewalls with Proxy or MailGW services configured. Non-Barracuda NG Firewall systems and some application filters may not be able to handle the ECN header options. When such external systems fetch the TCP header flags, a 2-bit mistake occurs because of the way the ECN options are implemented in the TCP header, and this causes the Barracuda NG Firewall not to establish the connection due to the incorrectly answered SYN. Note: For more detailed information concerning ECN have a look at RFC 3168.
IP Dyn Address | Only set this to yes if you are experiencing problems with network connections using dynamic IP address allocation (ADSL, cable modem). If the forwarding interface changes socket (and packet) along with this parameter set to yes, the source address while in SYN_SENT state gets rewritten ON RETRANSMISSIONS.
ARP Src IP Announcement | Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on an interface. This settings field uses the arp_announce parameter, whose values have been translated by Barracuda Networks to any (internal value = 0), best (internal value = 1) and primary (internal value = 2). Note the following excerpt from the kernel documentation:
any (internal value = 0) - Use any local address, configured on any interface.
best (internal value = 1, default) - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for setting primary.
primary (internal value = 2) - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce.
Note: Increasing the restriction level gives more chance for receiving an answer from the resolved target, while decreasing the level announces more valid sender's information and thus is prone to violate privacy requirements.
ARP Cache Size | Defines the maximum number of entries allowed in the ARP cache (default: 8192).

5.1.1.3 Routing Cache

Note:
Garbage Collection is done regularly by the kernel; the entries shown here provide full access to all relevant kernel parameters.

List 394 System Settings - Routing Cache section Routing Cache Settings
Parameter | Description
Max Routing Cache Entries | Specifies the maximum number of entries in the kernel's routing cache (min: 8192, max: limited by the available memory, default: 32768). On systems with a large number of sessions and routed IP addresses this value may need to be increased. Note: Increasing this parameter increases memory consumption marginally; on small appliances the value 8192 will most likely suffice.
List 395 System Settings - Routing Cache section Garbage Collection
Parameter | Description
GC Interval [s] | This parameter is used by the kernel's regular GC loop and defines the loop time in seconds between two regular GC events (min: 1, max: 120, default: 60).
GC Min Interval [s] | The minimum time in seconds between two garbage collections (min: 1, max: 120, default: 60). This parameter is provided since GC may either occur throughout a regular GC loop (see above) or may be triggered by a kernel event outside the regular loop. This parameter warrants that in the latter case GC is not run too frequently. Note: Both parameters above (GC Interval [s] and GC Min Interval [s]) may be decreased when the routing cache has a tendency of growing very quickly, thereby running the risk of a cache overflow. Frequent and unnecessary GC events will however decrease the system performance.
GC Threshold | A threshold value of cache entries which is used to determine the necessity of garbage collection and to which extent (that is, how radically) entries need to be removed (min: 1024, max: 65535, default: 8192). Note: This parameter should always be significantly smaller than the max number of cache entries.
GC Timeout [s] | Time in seconds after which an inactive routing cache entry is removed from the cache. Note that active entries may not be removed from the cache (min: 1, max: 300, default: 60). Note: Decreasing this value will help in keeping the routing cache smaller. If the same routing entry is typically needed again shortly afterwards a full routing lookup

5.1.1.5 Flash Memory

Note:
Flash settings will be ignored for all non-flash RAM-based appliances.

List 397 Box Tuning - Flash Memory section RAM Partition
Parameter | Description
Size (%) | This is the percentage size of the tmpfs RAM partition related to the total available RAM (default: 20). Clearing this field makes the Size (MB) field below available, allowing specification of the RAM partition size in MB.
Size (MB) | This is the size of the tmpfs RAM partition specified in MB. This field only becomes available if the Size (%) field above is cleared.

List 398 Box Tuning - Flash Memory section Log Settings
Parameter | Description
Size Settings | This configuration section allows specifying the size settings for all log file types.

List 399 Box Tuning - Flash Memory section Flash Appliance Settings
Parameter | Description
Force Non Flash | Setting to yes (default: No) causes the box not to start in flash RAM mode, regardless of the storage architecture the flash RAM auto detection recognizes. Attention: Enabling this feature may cause hardware damage. Use with due care.
needs to be performed instead of a quick cache lookup. Force Flash Setting to yes (default: No) causes the box to start in
flash RAM mode, regardless of the storage architecture
the flash RAM auto detection recognizes.
5.1.1.4 I/0 Settings
to use the settings reserved for custom/manual kernel updates.

No matter whether you have just changed the boot behavior or actually updated your kernel to a more recent version: it is necessary to reboot your system for the changes to have any noticeable effect. The Box view of the control window will always inform you of the current kernel/bootloader status.

To open, select Advanced Configuration > Bootloader and double-click.

List 3100 Advanced Configuration - Bootloader section Kernel Updates
Parameter | Description
Update Policy | Governs the way in which the system deals with a kernel update. The policies are: automatic (default) - a freshly installed kernel is automatically set as default boot kernel; noupdate - when installing new kernels the update process of the bootloader configuration is disabled, and reconfiguration of the bootloader has to be performed manually.
SMP Kernel | Set this parameter to yes (default: no) when multiprocessor systems are in use (used during updates to find out which kernel is to be used).

List 3101 Advanced Configuration - Bootloader section Header Settings
Parameter | Description
Global Append Option | Use this to enter different commands to the kernel. Attention: For experts only. The options will be written to /etc/lilo.conf at the end of the append dialog: append="console=tty0 console=ttyS0,19200n8r *your option*". Note: If a Barracuda NG Firewall has more than 768 MB RAM and ACPF memory parameters (see Firewall Parameters below) are increased, it could be necessary to increase the so-called 'vmalloc' kernel parameter. To increase the memory available for 'vmalloc' add "vmalloc=400M" here.
Default Image Name | By setting this value you can define a different default boot image for loading the Barracuda NG Firewall system. You are required to reference the name of the "Boot Images" defined in "/etc/lilo.conf". Note: If you do not know what a boot image is, read the online system manuals on LILO first.
No ACPI | Setting this option to yes will instruct the Linux kernel to disable ACPI when the box is booted. Use this when the interrupt routing in the ACPI table is wrong and you want to fall back to standard interrupt routing, or if ACPI functions in the BIOS cause problems.
To open, select Advanced Configuration > System Scheduler and double-click.

- Schedule Parameters
Section containing key/value definitions of environment variables. These variables are intended to be used in conjunction with jobs.
Three variables are already pre-defined:
LOGCONF set to /opt/phion/config/active/logstore.conf
MAILTO (left empty)
SHELL set to /bin/bash
These three are directly interpreted by crond.
Note:
Variables must be prepended with $ when referenced in a cronjob entry.

- Daily Schedule
Cronjobs which are run on an hourly and daily basis. When logstor is run by the cron daemon is specified exclusively here.

As far as generic jobs are concerned you may make use of almost the full extent of available crontab formatting options.

Fig. 358 Example: condensed excerpt from Paul Vixie's man page on crontab
Commands are executed by cron(8) when the minute, hour, and month of year fields match the current time, and when at least one of the two day fields (day of month, or day of week) match the current time.
The day of a command's execution can be specified by two fields -- day of month, and day of week. If both fields are restricted (ie, aren't *), the command will be run when either field matches the current time. For example ``30 4 1,15 * 5'' would cause a command to be run at 4:30 am on the 1st and 15th of each month, plus every Friday.
Note that this means that non-existent times, such as "missing hours" during daylight savings conversion, will never match, causing jobs scheduled during the "missing times" not to be run. Similarly, times that occur more than once (again, during daylight savings conversion) will cause matching jobs to be run twice.
cron(8) examines cron entries once every minute.
The time and date fields are:
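The following is an added example written for this page (not code from the appliance or from Vixie cron) that evaluates the five crontab time/date fields exactly as the excerpt describes: minute, hour and month must match, and when both day fields are restricted the entry fires if either one matches. It accepts lists, ranges and step values; the sample timestamps are constructed.

```python
"""Evaluate a crontab time/date specification the way the excerpt above
describes: minute, hour and month must match, and when BOTH day fields are
restricted the entry fires if either one matches. Added example written for
this page, not code from the appliance or from Vixie cron."""
from datetime import datetime

# (low, high) bounds per field, in crontab order:
# minute, hour, day of month, month, day of week (0 or 7 = Sunday)
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def parse_field(spec, lo, hi):
    """Expand one field to the set of values it matches, or None when the
    field is unrestricted ('*'). Lists, ranges and step values are accepted."""
    if spec == "*":
        return None
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError("field %r outside %d-%d" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    return values


def parse_entry(entry):
    """Return the five parsed fields of a crontab line (any command text
    after the fields is ignored)."""
    fields = entry.split()[:5]
    if len(fields) != 5:
        raise ValueError("expected five time/date fields")
    parsed = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    if parsed[4] is not None and 7 in parsed[4]:
        parsed[4] = (parsed[4] - {7}) | {0}   # cron treats 7 as Sunday too
    return parsed


def cron_matches(entry, when):
    """True if the entry would fire at the given datetime."""
    minute, hour, dom, month, dow = parse_entry(entry)
    cron_weekday = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    if minute is not None and when.minute not in minute:
        return False
    if hour is not None and when.hour not in hour:
        return False
    if month is not None and when.month not in month:
        return False
    dom_ok = dom is None or when.day in dom
    dow_ok = dow is None or cron_weekday in dow
    if dom is not None and dow is not None:
        return dom_ok or dow_ok     # both restricted: either field suffices
    return dom_ok and dow_ok        # at most one restricted: it must match


def matches_at(entry, iso_time):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return cron_matches(entry, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    # The man page's own example: 4:30 on the 1st and 15th, plus every Friday
    for stamp in ("2024-03-15T04:30", "2024-03-08T04:30", "2024-03-04T04:30"):
        print(stamp, matches_at("30 4 1,15 * 5", stamp))
```

Note that the either-field rule only applies when both day fields are restricted; "30 4 1,15 * *" fires on the 1st and 15th only, whatever the weekday. The daylight-saving caveat in the excerpt is not modelled here, since the function is given a wall-clock time and does not know whether that time occurred once, twice or not at all.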
List 3102 Advanced Configuration - Log Cycling section Common Settings
Parameter | Description
Verbose Logging | If set to yes the actions taken and the names of the affected files will be output to the specified log file. The default is no, to reduce the amount of logged information.

File Specific Settings
Array of sections that describe the way in which certain types of log files are meant to be processed. It is advisable to create a separate section instance for each individual log file category (for example box, server, misc). To open the configuration dialog, click the Insert button.

List 3103 Log Cycling - File Specific Settings section Log File Selection
Parameter | Description
Type of Logfile | Predefined categories are:
all - everything containing the string .log in its name
box - all logs whose names start with box_ and contain the string .log
boxfw - all logs whose names start with boxfw_ and contain the string .log
fatal - all logs containing fatal and panic
misc - all logs containing the string .log in their names but not starting with box_ or srv_
server - all logs whose names start with srv_ and contain the string .log
user - user defined pattern match (see below)
Logfile Name Patterns | Only enabled when type user has been selected. You may enter a list of wild card expressions. Still only files with the suffix .log will be affected. Note: Protect wildcards with single quotes.
Range IDs | Enter the desired ranges. An entry may either be a single number, an interval, or literally void to denote no range. Leave it empty if there are no ranges.

Log Cycling Actions
Variable number of subsections, each specifying a particular action to be taken. The action is only applied to log files of the specified type. To open the configuration dialog, click Insert.

List 3104 Log Cycling - File Specific Settings - section Log Cycling Actions
List 3105 Box Misc - Log Cycling - File Specific Settings - section Log Cycling Actions
Parameter | Description
Action | Predefined categories include rm (delete files), move (move files to an archiving directory), and purge (a more ruthless version of rm).
Storage Dir | Only enabled when action move has been selected. It determines the target directory for the move action.
Keep Log Structure | Only enabled when action move has been selected. It determines whether or not both the logs and the logcache subdirectories of /var/phion are replicated for the files to be moved. Leave set to the default of yes.
Compression | Only enabled when action move has been selected. If set to yes the files to be moved will be piped through gzip -6 and thus compressed. An extension ".gz" is automatically appended.
Storage Time (days) | Enabled for actions move and rm. Determines the keep time of a file (with respect to its modification date) before the specified action is applied to it.
Max Storage Time (days) | Enabled for action purge only. If a file is older (with respect to its modification date) than this number of days it will be removed regardless of whether or not it represents the sole file instance. This option is used for the removal of log files that are not maintained any longer.
Always Keep (File instances) | Enabled for actions move and rm only. The respective action is not taken if not at least this number of instances of this type of log file remain untouched. It thus overrules entry Storage Time.
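As an added example written for this page (not the appliance's own log cycling code), the following model applies the three actions with the parameters described above: Storage Time and Always Keep for rm and move, Max Storage Time for purge, Compression via gzip level 6 with a ".gz" suffix, and a simplified Keep Log Structure that replicates the path below the log directory. The demo directory, file names and file ages are constructed; the function names are assumptions.

```python
"""Model of the Log Cycling actions listed above: rm, move and purge, with
Storage Time, Max Storage Time, Always Keep, Keep Log Structure and
Compression applied as the parameter descriptions state. Added example
written for this page, not the appliance's own log cycling code; the demo
directory layout and file ages are constructed."""
import fnmatch
import gzip
import os
import shutil
import tempfile
import time

DAY = 86400


def select_logs(log_dir, pattern="*"):
    """Files below log_dir whose name matches pattern; only .log files are
    ever affected. Sorted newest first so that the 'Always Keep' instances
    are the head of the list."""
    hits = []
    for root, _dirs, names in os.walk(log_dir):
        for name in names:
            if name.endswith(".log") and fnmatch.fnmatch(name, pattern):
                hits.append(os.path.join(root, name))
    return sorted(hits, key=os.path.getmtime, reverse=True)


def cycle_logs(log_dir, action, pattern="*", storage_days=0, always_keep=0,
               max_storage_days=0, storage_dir=None, compression=False,
               keep_structure=True, now=None):
    """Apply one Log Cycling action; returns the paths acted on."""
    now = time.time() if now is None else now
    files = select_logs(log_dir, pattern)
    acted = []
    if action == "purge":
        # purge ignores Always Keep: age against Max Storage Time only
        for path in files:
            if now - os.path.getmtime(path) > max_storage_days * DAY:
                os.remove(path)
                acted.append(path)
        return acted
    if action not in ("rm", "move"):
        raise ValueError("unknown action %r" % action)
    # Always Keep overrules Storage Time: the newest N instances stay untouched
    for path in files[always_keep:]:
        if now - os.path.getmtime(path) <= storage_days * DAY:
            continue
        if action == "rm":
            os.remove(path)
        else:
            rel = os.path.relpath(path, log_dir) if keep_structure else os.path.basename(path)
            target = os.path.join(storage_dir, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if compression:  # same effect as piping through gzip -6
                with open(path, "rb") as src, gzip.open(target + ".gz", "wb", compresslevel=6) as dst:
                    shutil.copyfileobj(src, dst)
                os.remove(path)
            else:
                shutil.move(path, target)
        acted.append(path)
    return acted


def demo():
    """Constructed sample: box_0..box_4.log aged 0..4 days (box_4 in a
    subdirectory) plus one non-log file. Move with Storage Time 1 day and
    Always Keep 3, then purge with Max Storage Time 1 day."""
    base = tempfile.mkdtemp()
    logs, archive = os.path.join(base, "logs"), os.path.join(base, "archive")
    os.makedirs(os.path.join(logs, "sub"))
    now = time.time()
    for age in range(5):
        sub = "sub" if age == 4 else ""
        path = os.path.join(logs, sub, "box_%d.log" % age)
        with open(path, "w") as fh:
            fh.write("line %d\n" % age)
        os.utime(path, (now - age * DAY, now - age * DAY))
    with open(os.path.join(logs, "notes.txt"), "w") as fh:
        fh.write("not a log\n")
    moved = cycle_logs(logs, "move", pattern="box_*", storage_days=1, always_keep=3,
                       storage_dir=archive, compression=True, now=now + 1)
    archived = sorted(n for n in os.listdir(archive) if n != "sub")
    archived += sorted(os.listdir(os.path.join(archive, "sub")))
    purged = cycle_logs(logs, "purge", pattern="box_*", max_storage_days=1, now=now + 1)
    left = len(select_logs(logs))
    shutil.rmtree(base)
    return len(moved), len(purged), left, archived
```

In the demo, four files are older than the one-day Storage Time, but Always Keep 3 protects the three newest, so only box_3 and box_4 are moved (and compressed, with box_4 keeping its subdirectory). The subsequent purge ignores Always Keep and removes every remaining file older than Max Storage Time, which is why it is the more ruthless action.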
5.1.6 Message Board

In this section you can configure the messages which are displayed at login time via SSH, the Barracuda NG Admin GUI and on the console. Use only:
- Alphabetic characters
- Numerics
- #!_,.

Fig. 360 Configuration Dialog - Messages

As a consequence the Barracuda Networks model makes use of five notification schemes, which provide the ability to link an admin with a particular service-specific notification setting:

Table 323 Overview of the five notification schemes on Barracuda NG Firewall systems
Scheme | Description | Multi-admin option
service default | Default notification settings for all Barracuda Networks and system services capable of allowing access to the system. These settings are always in effect for user root. The same applies to all system-only users. | no
silent | Automatically assigned to invisible users "ha" and "master". The scheme suppresses notification in case of successful access. Unsuccessful attempts are treated according to scheme "service default". | no
type 1 | Multi-admin option, freely customisable | yes
type 2 | Multi-admin option, freely customisable | yes
type 3 | Multi-admin option, freely customisable | yes

Two simple scenarios may be distinguished:
- Login is attempted with an unknown login ID, thus triggering Event-ID 4100 User Unknown.
- The authentication process fails for some other reason, creating Event-ID 4110 Authentication Failure Notice. Authentication failure on the second login attempt generates Event-ID 4111 Authentication Failure Warning. Finally, if the maximum number of authentication attempts (usually 3) is exceeded, notifications with Event-ID 4112 Authentication Failure Alert are generated. Note that the latter will only be possible if an internal system error has occurred.

List 3107 Box Misc - SSH Basic Setup section General Settings
Parameter | Description
Event on SSH | You may configure the SSHd related conditions that trigger event notification (Events Daemon Startup Failed/Succeeded [2070/2071] and Daemon Shutdown Failed/Succeeded [2072/2073]). Choose from four different settings: start-failure (default), +stop-failure, ++start-success, +++stop-success. The list is additive, which means items further down the list automatically include all previous ones. Note: You will not be notified when SSHd is killed manually or just dies unexpectedly. The settings here only pertain to SSHd behavior during controlled start or stop sequences.

List 3109 Box Misc - SSH Advanced Setup section Protocol Version 1 Options

- On the UNIX client, browse to the RSA Key. Type the following at the command line interface:
# openssl pkcs12 -in private_key.pfx -nocerts -out priv.key

List 3110 Advanced Configuration - Software Update section Common Settings
Parameter | Description
Clear on Failure | Should delete the rpm-file (the update-file) on update failure (default: no).

List 3111 Advanced Configuration - Software Update section Release Check
procedure, so it does not have to rely on the availability of potentially critical system resources.

Note:
If the shutdown fails the system is hard-reset by the kernel. Since this is all about a software watchdog, the ability to reboot will always depend on the hardware state of the machine and its interrupts.

5.1.10.2 Tests and Monitored Resources

Watchdog performs the following checks:

Table 324 Overview of the checks watchdog runs
Check whether | Configurable | Parameterisation | Recovery
process table is full | no | none | immediate reboot
file table overflow occurred | no | none | repair policy dependent
enough free memory available | yes | as percentage of total RAM plus swap | repair policy dependent
load average exceeds a max value | yes | separately for 1, 5 and 15 min. averages | repair policy dependent
a given process is still running | yes | separate settings for control and SSH daemon | repair policy dependent

If any of these checks except for the process table check fails, watchdog will invoke the repair binary (/usr/sbin/repair). If the process table is full the repair binary cannot be executed, therefore an immediate soft reset is the only available consequence. Should any of these tests last longer than one minute the machine will be rebooted as well.

5.1.10.3 Repair Logic

A "last resort" repair system must remain sufficiently simple to accomplish its task. If the checks or repair routine try to be too smart, the decision process becomes error prone, with the effect that the appropriate reaction is delayed and the kernel will eventually force a hard-reset of the system. The odd premature yet smooth reboot represents a mere nuisance, whilst a single unnecessary hard reset can compromise system integrity. Still it is undesirable to have a system always reboot whenever the slightest resource limit infringement occurs. We thus provide the administrator with a choice of four repair policies by way of which watchdog's reaction to a problem may be influenced:

Table 325 Listing of the four available error handling policies offered by the repair utility of the watchdog module

Note:
The maximum number of repair attempts applies to each monitored entity separately. This means that file table overflow and memory shortage are each allotted a separate counter.

Note:
Negative error codes designate special errors generated by the check routines of watchdog. All other errors conform to the standard error coding scheme of Linux.
5.1.10.4 Repair Strategy

Depending on the passed type of error the repair binary will attempt to remedy the situation by appropriate countermeasures. To this end we have assumed the following simple assignment of handed-over error types to system problems:

Table 326 Error code to error origin assignment assumed by the repair utility
Error code | Assumed system problem
ENFILE (23) | Out of file descriptors (that is, file table overflow)
ENOMEM (12), EINVMEM (-7) | Low on memory
EMAXLOAD (-3), ENOLOAD (-5) | Maximum allowed system load average exceeded
ESRCH (3), ENOENT (2) | Monitored process has died or its pid-file is missing

- File table overflow
If a file table overflow occurs the repair binary will increase the number of available file descriptors by 10 %. If the error condition persists it will continue increasing the number of available file descriptors until the maximum number of repair attempts has been exhausted. The number of already undertaken repair
Note:
Increasing the number of available file descriptors will raise kernel memory consumption and may eventually lead to a memory shortage.

- Memory shortage
The NGFW Subsystem is shut down (/opt/phionctrl shutdown) and subsequently restarted (/opt/phionctrl startup). The number of such

- Maximum load exceeded
The NGFW Subsystem is shut down (/opt/phionctrl shutdown) and subsequently restarted (/opt/phionctrl startup). The number of such already undertaken repair attempts is written to file /var/run/watchdog.state.load.

Note:
The repair counters, just like the service indicator file, are automatically reset during a reboot, since all contents of /var/run are automatically purged by the system. Furthermore, all counter files, but not the service file, are deleted when watchdog is restarted, which also means whenever the configuration is changed.

- Process termination
Watchdog will at most monitor two daemon processes, the control daemon and the SSH daemon. It does so by checking whether the processes corresponding to the process ids given in /var/run/control.pid and /var/run/sshd.pid are still running, respectively. The strategy of the repair binary differs for the two daemons. If the control daemon is down it will first be stopped (/opt/phionctrl box stop control) and subsequently started (/opt/phionctrl box start control). Immediately afterwards a check is performed to determine whether or not the restart attempt has been successful. Only if the restart attempt has failed is the repair counter incremented and written to file /var/run/watchdog.state.pid. Finally, if the maximum number of repair attempts has been reached, a last attempt to recover from the failure condition is made by shutting down and restarting the whole NGFW Subsystem (/opt/phionctrl shutdown; /opt/phionctrl startup). If the error condition persists, which means controld is still not running, a reboot is requested.
If the SSH daemon is down an attempt to restart it is made by invoking /etc/rc.d/init.d/ssh condrestart. The repair counter is never incremented, thus allowing for an arbitrary number of restart attempts. The idea here is that repeated failures to activate SSHd are not deemed a sufficient condition to autonomously restart the system.

Note:
In order to facilitate system maintenance, for example for software updates which involve a temporary shutdown of either controld or sshd, the repair binary will ignore error code ESRCH if a file /var/run/watchdog.state.service exists. The Barracuda NG Firewall software update procedure will automatically create and remove this file. If you interact with the system on the command line make sure to touch and subsequently remove this file when shutting down or blocking controld. Alternatively, you may shutdown [restart] watchdog by invoking:
/etc/rc.d/init.d/watchdog stop [start]

Due to the fact that Barracuda NG Firewalls are operated as dedicated systems, resource problems are most likely caused by Barracuda NG Firewall service processes being under too heavy load for the size of the system. To be on the safe side, memory shortages or excessive loads are thus attributed to the operation of the NGFW Subsystem as a whole.

To block the watchdog repair routine it is necessary to start /etc/phion/bin/servicemode and enter the required time in minutes.

- Operational Events
Errors the repair binary generates related to system information are the events 34 [Critical System Condition], 510 [Invalid Argument], and 4202 [System Reboot] (see 5.2 Operational Events, page 537).

5.1.10.5 Watchdog GUI - Basic Setup

Select Advanced Configuration > Watchdog and double-click.

List 3112 Advanced Configuration - Watchdog Basic Setup section Monitoring Policy
Parameter | Description
Run S.M.A.R.T | This parameter (default: yes) creates an event if a critical condition occurs on a HD (Event-ID 34).
Run Watchdog | States whether or not watchdog is active. Default is no.

List 3113 Advanced Configuration - Watchdog Basic Setup section Watchdog Repair Policy
Parameter | Description
Repair Mode | Only active when RUN WATCHDOG is set to yes. Defines the way in which errors are dealt with by the repair utility. See explanation above. Default is Repair_or_Ignore.
Repair Attempts | Number of repair attempts per checked entity (default: 3). See explanation above.

5.1.10.6 Watchdog GUI - Watchdog Details

List 3114 Advanced Configuration - Watchdog Details section Watchdog Operational Setup
Parameter | Description
Realtime Mode | Set to yes (default) watchdog locks itself into memory, so it never gets swapped out. On a system under heavy load this setting minimizes the risk that the daemon process might not manage to write to the kernel device in due time (60 s).
Scheduler Priority | Sets the scheduler priority for operation in realtime mode. Leave this set to 1 unless you are a savvy Linux expert with deep operating system knowledge. Watchdog uses round-robin scheduling (SCHED_RR). The larger the number, the higher the priority of the process. Standard user-space processes are usually assigned priority 0.
Check Interval [sec] | The interval in seconds between two writes to the kernel device. The kernel driver expects a write at least once every 60 s. Each write is accompanied by a check on all monitored system entities.
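The repair strategy of 5.1.10.4 is a small state machine: one counter per monitored entity, the Repair Attempts parameter as its cap, a special case for the service indicator file, and SSHd restarts that are never counted. The following is an added model of that logic written for this page; it is not the appliance's /usr/sbin/repair binary. Commands are recorded in a list rather than executed, the starting file-table size is a constructed value, and the "raise file table" entry is a placeholder rather than a real command.

```python
"""Model of the repair strategy in 5.1.10.4: one repair counter per monitored
entity (mirroring /var/run/watchdog.state.*), the Repair Attempts parameter as
the cap, ESRCH ignored while the service indicator file exists, and SSHd
restarts never counted. Added illustration, not the appliance's
/usr/sbin/repair binary: commands are recorded, not executed."""
import errno

# Standard Linux codes from Table 326, exposed by name for callers
ENFILE, ENOMEM, ESRCH, ENOENT = errno.ENFILE, errno.ENOMEM, errno.ESRCH, errno.ENOENT
# Special negative codes produced by watchdog's own check routines (Table 326)
EINVMEM, EMAXLOAD, ENOLOAD = -7, -3, -5


class RepairModel:
    def __init__(self, repair_attempts=3, service_mode=False, fd_limit=8192):
        self.max_attempts = repair_attempts  # Repair Attempts (default: 3)
        self.service_mode = service_mode     # /var/run/watchdog.state.service present
        self.fd_limit = fd_limit             # constructed starting file-table size
        # separate counters per entity: watchdog.state.file / .mem / .load / .pid
        self.counters = {"file": 0, "mem": 0, "load": 0, "pid": 0}
        self.actions = []                    # what Box > Watchdog > Sysrepair would show

    def _run(self, cmd):
        self.actions.append(cmd)

    def _restart_subsystem(self):
        self._run("/opt/phionctrl shutdown")
        self._run("/opt/phionctrl startup")

    def reboot(self):
        """A reboot purges /var/run, so every counter starts from zero again."""
        self.counters = dict.fromkeys(self.counters, 0)

    def repair(self, code, entity="control", restart_ok=True, subsystem_restart_ok=True):
        """Handle one error code passed by watchdog. Returns 'repaired',
        'ignored', 'failed' (attempt failed, counter incremented),
        'exhausted' (cap reached; what follows depends on the Repair Mode
        policy) or 'reboot'."""
        if code == ENFILE:                               # file table overflow
            if self.counters["file"] >= self.max_attempts:
                return "exhausted"
            self.fd_limit += self.fd_limit // 10        # +10 % per attempt
            self.counters["file"] += 1
            self._run("raise file table to %d" % self.fd_limit)  # placeholder, not a real command
            return "repaired"
        if code in (ENOMEM, EINVMEM, EMAXLOAD, ENOLOAD):
            key = "mem" if code in (ENOMEM, EINVMEM) else "load"
            if self.counters[key] >= self.max_attempts:
                return "exhausted"
            self._restart_subsystem()
            self.counters[key] += 1
            return "repaired"
        if code in (ESRCH, ENOENT):                      # monitored daemon gone
            if code == ESRCH and self.service_mode:
                return "ignored"                         # planned maintenance window
            if entity == "sshd":
                self._run("/etc/rc.d/init.d/ssh condrestart")
                return "repaired"                        # counter never incremented
            self._run("/opt/phionctrl box stop control")
            self._run("/opt/phionctrl box start control")
            if restart_ok:
                return "repaired"
            self.counters["pid"] += 1
            if self.counters["pid"] < self.max_attempts:
                return "failed"
            self._restart_subsystem()                    # last attempt before a reboot
            return "repaired" if subsystem_restart_ok else "reboot"
        raise ValueError("unhandled error code %r" % (code,))
```

The model makes the two design points of the section visible: exhausting the file-table counter leaves the load counter untouched, and a controld restart only counts when it fails, whereas an sshd restart never does. Touching /var/run/watchdog.state.service (service_mode=True here) suppresses the ESRCH reaction but not ENOENT.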
Parameter | Description
Verbose Logging | Set to yes for verbose mode. This mode will log status information to syslogd with facility LOG_LPR. Syslogd will forward this log traffic to the syslog interface psyslogd, which in turn will redirect the log stream into log tree node Box > Watchdog > Monitor. Load average, monitored process (pid) status, memory usage, and alive time of watchdog are reported.
Logtick | Logtick allows adjustment of the number of intervals skipped before a verbose log message is written to syslogd. The default value of 3 already reduces log traffic and consequently disc space consumption by 66 %.

List 3115 Advanced Configuration - Watchdog Details section Watchdog Monitored Entities
Parameter | Description
Max Memory Used | Sets an upper bound for memory usage before the repair binary steps into action (default: 95 %). Note: Both RAM and swap space are taken into account.
Check System Load | Set to yes (default) in order to have watchdog monitor the average system load.
Max Load [1min] | Maximum 1 min average system load. Default is 24.
Max Load [5mins] | Maximum 5 mins average system load. Default is 18.
Max Load [15mins] | Maximum 15 mins average system load. Default is 12.
Watch Control Daemon | Set to yes to have watchdog monitor the process state of the control daemon. See the explanation above for details.
Watch SSH Daemon | Set to yes to have watchdog monitor the process state of the SSH daemon. See the explanation above for details.

Note:
Whenever the repair utility is invoked it will log the error passed to it by watchdog and all actions taken by it into log tree node Box > Watchdog > Sysrepair. Moreover you will be actively notified by the event notification mechanism.

5.2 Box Settings Infrastructure Services

5.2.1 Authentication Service

External user authentication for different services is provided by the Barracuda Networks infrastructure daemon (aka phibsd).

Fig. 364 Scheme for external authentication provided by the Barracuda Networks infrastructure daemon (diagram: User / Password - Authentication Scheme - RADIUS Server, MSAD Server, RSA ACE Server)

The internal mechanism is as follows:
Step 1 A service like vpn or proxy is configured to perform external user authentication. In its configuration it has to know a scheme to do that.
Step 2 It gives the authentication request together with the scheme name to the Barracuda Networks infrastructure daemon, which tries to authenticate the user according to the received scheme by itself.

To provide both referential integrity and flexibility, there are predefined schemes which can be referenced by all services. Due to their underlying authentication facility they are called:
- MSNT (see 5.2.1.7 MSNT Authentication)
- Active Directory (see 5.2.1.1 MSAD Authentication, page 111 and 5.2.1.2 MS-CHAP Authentication, page 112)
- LDAP (see 5.2.1.3 LDAP Authentication, page 113)
- RADIUS (see 5.2.1.4 Radius Authentication, page 114)
- RSA ACE (see 5.2.1.5 RSA-ACE Authentication, page 114)
- OCSP (Online Certificate Status Protocol; see 5.2.1.8 OCSP Authentication, page 115)
OCSP is not available for direct end user authentication but is used for online certificate verification by the VPN server.

Note:
For testing your authentication schemes without having/configuring proxy and VPN, Barracuda Networks provides a tool called phibstest (located in /opt/phion/bin). Use phibstest -h for additional information concerning the usage of this tool.

Furthermore, you can introduce more schemes to authenticate users, but you are not allowed to give them one of the names above. It is also forbidden to use the name local, since it is used by the services for internal authentication.

To open, select Infrastructure Services > Authentication Service and double-click.

5.2.1.1 MSAD Authentication

Fig. 365 Configuration Dialog - MSAD Authentication

Attention:
If the Active Directory of the Windows 2003 Server domain is running in Native mode, it is mandatory to deactivate Kerberos pre-authentication for each user.
List 3120 Parameters for MS-CHAP Authentication
Parameter | Description
Domain Controller | This is the IP address of the domain controller. Note: If you have additionally configured an MSAD authentication scheme (see 5.2.1.1 MSAD Authentication) utilising the option Use MSAD-groups with NTLM (see page 112), the Barracuda NG Firewall must be able to resolve the DNS name of the Domain Controller.
WINS Server | This is the IP address of the domain's Windows Internet Name Service (WINS) server. Note: If you have additionally configured an MSAD authentication scheme (see 5.2.1.1 MSAD Authentication) utilising the option Use MSAD-groups with NTLM (see page 112), the Barracuda NG Firewall must be able to resolve the DNS name of the WINS server.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the radius scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).
Net Join Status | This field is a read-only informational field showing the status of the join to the Windows domain.

5.2.1.3 LDAP Authentication

List 3121 Parameters for LDAP Authentication section LDAP
Parameter | Description
Activate Scheme | If set to yes (default: no) the corresponding authentication processes are started and the configuration section LDAP Base DN is available.
Method | Displays the selected method (read-only field).
LDAP Base DN | Distinguished name for user organisational unit.
LDAP Server | IP address the LDAP authenticator asks.
LDAP Server Port | Port of the LDAP server (default: 389).
LDAP User Field | Name of the User field in the LDAP directory.
LDAP Password Field | Name of the Password field in the LDAP directory.
LDAP Admin DN | Name of an administrator who is authorized to perform requests.
LDAP Admin Password | Password of an administrator who is authorized to perform requests.
Group Attribute | Name of the attribute field on the LDAP server containing group information. Note that attribute fields on LDAP servers are customisable. If you are unsure about the required field name, the LDAP server administrator will be able to provide the correct information. Note: Services that process group information (for example URL Filter, see Affected Groups / Users, page 363) require Group Attribute specification. They will not be able to match group conditions if the attribute field is not specified or is specified incorrectly.
Use SSL | When selected the authenticator uses SSL for connections to the authentication server.
Bind To Authenticate | When selected the authenticator directly logs on to the LDAP server for verification of user authentication data. Use this option when the LDAP server does not expose user passwords but instead hides them even from an administrator's view.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the radius scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).
Fig. 366 Configuration Dialog - Radius

List 3122 Parameters for Radius Authentication
Parameter | Value
Activate Scheme | If set to yes the corresponding authentication processes are started.
Method | Displays the selected method (read-only field).
Radius Server Address | IP address the RADIUS authenticator asks.
Radius Server Port | Port of the RADIUS server (default: 1812).
Radius Server Key | Pre-shared secret to authorize the request. Attention: Do not use backslashes in your key.
Group Attribute | Due to the structure of RADIUS and its implementation into Barracuda NG Firewall, the group information has to be entered into Login-LAT-Group (as defined in this read-only field) in order to be processed.
Group Attribute Delimiter | The delimiter divides groups and therefore allows you to use more than one group. The standard options are None (default) and Blank. By ticking the check box Other it is possible to enter any character that indicates a group info change.
Group Attribute Usage | Through this parameter you define the group information that is going to be used (for example, CN=, OU=, DC=). The available options are All (default), First and Last.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the radius scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
NAS-ID | This is the NAS identifier.
NAS IP Address | Some RADIUS servers require NAS credentials to be set. Define in this field the IP address.
NAS IP Port | Some RADIUS servers require NAS credentials to be set. Define in this field the IP port.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.5 RSA-ACE Authentication

Fig. 367 Configuration Dialog - RSA SECURID

Parameter | Description
Activate Scheme | If set to yes the corresponding authentication processes are started.
Method | Displays the selected method (read-only field).
RSA Unique Name | Displays the name of the RSA server (read-only field).
RSA Configuration File | This parameter serves to import/export the configuration file that is provided by the RSA SecurID server (sdconf.rec).
RSA Server IP | This IP address is the one of the RSA Server.
RSA Slave-Server IP | Optionally it is possible to enter a slave server in order to maintain connectivity.
DNS Resolved IP | This IP address indicates the one that is used to connect to the RSA server. If this IP address does not correspond to the client IP configured on the server, the connection will be refused.
User Info Helper Scheme | Select one of the authentication schemes in the combo box if users' group information should be gained from a different authentication scheme. For example, if the identity verification should use the radius scheme, but group information should be queried from an LDAP directory, then configure "LDAP" as User Info Helper Scheme in the RADIUS scheme and use the RADIUS scheme as authentication scheme, for example in the VPN configuration. Only authentication schemes of type MSAD or LDAP may be used as User Info Helper Scheme.
Number of Processes | Number of authentication processes that are launched to handle requests. Increase if you have slow authentication servers (default: 5).

5.2.1.6 TACACS+ Authentication

Fig. 368 Configuration Dialog - TACACS+

List 3124 Parameters for MSNT Authentication
Parameter | Description
Activate Scheme | Setting to yes (default: no) starts the corresponding authentication processes and makes the configuration section TAC+ IP Address available.
Method | This is the authentication method the scheme utilizes (read-only).
TAC+ IP Address | This is the host name of the system the authenticator asks. The host name has to be DNS-resolvable by the name server the Barracuda NG Firewall queries. Click the Insert button to enter the domain controller configuration dialog.
TAC+ IP Address | IP address of the TACACS+ server.
TAC+ ID Port | ID Port information. E.g.: tty10
TAC+ Server Port | TCP port of the TACACS+ server.
TAC+ Key | DES encryption key.
Timeout (s) | Authentication timeout in seconds.
TAC+ Login Type TACACS+ login type (inbound).
Parameter Description
Fig. 369 Configuration Dialog - MSNT
Number of Number of authentication processes that are launched
Processes to handle requests. Increase if you have slow
authentication servers (default: 5).
List 3129 Parameters for Timeouts and Logging section Timeout Settings
Parameter Description
Request Define here authentication timeout.
Timeout (sec)
Challenge Define here the NTLM/MS-CHAP challenge timeout.
Timeout (sec)
List 3126 Parameters for OCSP Authentication RSA Next Token RSA/ACE timeout reset period.
Timeout (sec)
Parameter Description
Cache Timeout Timeout for negative authentication in seconds. A
Activate If set to yes (default: no) the corresponding (sec) negative authentication will be cached for the defined
Scheme authentication processes are started. period, thus rapid retries will not block the
Method Displays the selected method (read-only field). authentication worker.
Max. Validity Defines the time gap between Barracuda NG Firewall
Discrepancy and the OCSP server (default: 300 seconds). If the time List 3130 Parameters for Timeouts and Logging section Expert Settings
(sec.) difference exceeds this limit, requests are counted as
Parameter Description
not valid.
Client Codepage Defines the translation of characters between systems
Max. Status Specifies the maximum status age of requests (default:
that are using different Codepages.
Age (sec.) -1 that is unlimited). OCSP servers hold files containing
the current status and attach this value to the info
section. As soon as this threshold is exceeded the
request is counted as not valid.
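The Group Attribute, Group Attribute Delimiter and Group Attribute Usage parameters of List 3122 describe how group information carried in the RADIUS Login-LAT-Group attribute is turned into group names. The following added example (our illustration, not Barracuda's implementation) decodes the attribute from a RADIUS reply body framed as in RFC 2865 (type 36 is Login-LAT-Group) and applies the three settings. It assumes that the delimiter splits one attribute value into several group strings and that Usage All/First/Last keeps all, the first or the last comma-separated component (CN=, OU=, DC=) of each group string; the sample reply is constructed.

```python
"""Added example (not Barracuda's code): decoding the RADIUS Login-LAT-Group
attribute and applying the Group Attribute Delimiter / Usage settings from
List 3122 to it.

Assumptions: attribute framing is RFC 2865 (type 36 = Login-LAT-Group);
the Usage options All/First/Last are read as keeping all, the first or the
last comma-separated component (CN=, OU=, DC=) of each group string. The
sample reply below is constructed for this example."""

from typing import Dict, List, Optional

LOGIN_LAT_GROUP = 36  # RFC 2865 attribute type that carries the group information


def parse_attributes(payload: bytes) -> Dict[int, List[bytes]]:
    """Decode the attribute TLVs of a RADIUS packet body. The length octet
    counts itself and the type octet, so a value below 3 or one that runs
    past the buffer is malformed and rejected instead of being guessed at."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 3 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Inverse of parse_attributes, used to build the constructed sample."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds the 253-byte RFC 2865 limit")
    return bytes([atype, len(value) + 2]) + value


def split_groups(raw: str, delimiter: Optional[str]) -> List[str]:
    """Group Attribute Delimiter: None keeps the whole value as one group,
    Blank (" ") or any Other character splits it into several groups."""
    if delimiter is None:
        return [raw] if raw else []
    return [g for g in (part.strip() for part in raw.split(delimiter)) if g]


def apply_usage(group: str, usage: str) -> str:
    """Group Attribute Usage: All (default), First or Last component."""
    parts = [p.strip() for p in group.split(",") if p.strip()]
    if not parts:
        return group
    if usage == "All":
        return ",".join(parts)
    if usage == "First":
        return parts[0]
    if usage == "Last":
        return parts[-1]
    raise ValueError(f"unknown usage {usage!r}")


def groups_from_reply(payload: bytes, delimiter: Optional[str] = None,
                      usage: str = "All") -> List[str]:
    """Return the group names a RADIUS reply body carries, in attribute order."""
    groups: List[str] = []
    for value in parse_attributes(payload).get(LOGIN_LAT_GROUP, []):
        for group in split_groups(value.decode("utf-8", "replace"), delimiter):
            groups.append(apply_usage(group, usage))
    return groups


# Constructed reply body: a Reply-Message (type 18) and one Login-LAT-Group
# carrying two groups separated by ';' (the "Other" delimiter choice).
SAMPLE_REPLY = (encode_attribute(18, b"welcome")
                + encode_attribute(LOGIN_LAT_GROUP, b"CN=vpnusers,OU=it;CN=admins,OU=it"))

if __name__ == "__main__":
    print(groups_from_reply(SAMPLE_REPLY, ";", "All"))
    print(groups_from_reply(SAMPLE_REPLY, ";", "First"))
```

The strict length checks in parse_attributes are the point worth copying: group information drives authorization decisions, so a reply that does not frame cleanly should be rejected rather than partially honoured.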
5.2.2 Host Firewall Rules

List 3132 Infrastructure Services - Syslog Streaming - Basic Setup section System Identification & Authentication

List 3133 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Box Logdata

Parameter Description
Data Selection: Take into consideration that this parameter group is only available if parameter Data Selector is set to Selection. The following parameters are available for configuration:
Log Groups: This menu offers every log group for selection that is available on a Barracuda NG Firewall (for example Control, Event, Firewall, ...).
Log Message Filter: This parameter is used for defining the affected log types:
- Selection (activates parameter Selected Message Types, see below)
- All (default)
- All-but-Internal
- Notice-and-Higher
- Warning-and-Higher
- Error-and-Higher
As can be seen, the available options are "group selections". If one explicit log type is required, choose Selection and set the wanted type in parameter Selected Message Types, see below.
Selected Message Types: This parameter allows setting explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

List 3134 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Service Logdata

Parameter Description
Data Selector: This parameter defines what kind of logs created by services are to be affected by the syslog daemon. The following options are available: All (any kind of service log is affected), None (none is affected) and Selection (default; activates parameter group Data Selection, see below).
Data Selection: Take into consideration that this parameter group is only available if parameter Data Selector is set to Selection.
Log Server-Services: Here you define the server and service where log messages are streamed from.
Log Message Filter: This parameter is used for defining the affected log types. The options are the same as in List 3133: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher and Error-and-Higher.
Selected Message Types: This parameter allows setting explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

5.2.3.3 Logstream Destinations

This section enables defining profiles specifying the transfer / streaming destination of log messages.

List 3135 Infrastructure Services - Syslog Streaming - Logstream Destinations section Destination Address

Parameter Description
Remote Loghost: Since a CC-administered box knows its corresponding MC's IP address, a predefined destination Barracuda NG Control Center can be selected. When an external log host is used, the setting explicit IP (default) activates the parameter Loghost IP Address (see below) where the destination IP has to be entered.
Loghost IP Address: This parameter is only available if Remote Loghost has been set to explicit IP. In this case, the destination IP address of an external log host has to be entered here.
Loghost Port: This parameter defines the destination port for delivering syslog messages. The Barracuda Networks CC syslog service listens on port TCP 5143 for SSL connections and on TCP and UDP port 5144 for unencrypted streaming. The default is to use encryption for delivery, therefore port 5143 is preconfigured.
Attention:
If you change the port assignment to another port, adjusting the local firewall rule set might become necessary.

List 3136 Infrastructure Services - Syslog Streaming - Logstream Destinations section Data Transfer Setup

Parameter Description
Transmission Mode: This parameter allows selecting the transmission protocol (TCP or UDP - default; for SSL connections TCP is automatically set).
Sender IP: Defines the IP address used for sending the log data.
Use SSL Encapsulation: This option may be turned off when the log stream is transmitted to the CC and the box has a management tunnel to the CC. For CC transmission without box tunnel activating this option is recommended. Note also that transmission to a non-Barracuda NG Firewall system should be SSL encapsulated for reasons of privacy.
Peer SSL Certificate: This parameter is only active if the destination system is not a Barracuda NG Control Center. The Peer SSL Certificate is needed when verify_peer_with_locally_installed_certificate has been defined at parameter SSL Peer Authentication and parameter Use SSL Encapsulation has been set to yes.
SSL Peer Authentication: Defines the way in which a destination system is authenticated when using SSL based authentication (authentication of the destination server by the box being a client). The list offers the following choices:
- verify_peer_with_locally_installed_certificate (default) - The destination system is verified against a locally stored certificate, either in the respective destination section or the MC's certificate. This setting is useful when log messages are delivered to a system outside the scope of Barracuda NG Control Centers.
Note:
For centrally administered Barracuda NG Firewalls this is the only applicable option.
- verify_peer_certificate - The destination system is verified against a locally stored CA certificate.
- no_peer_verification - The peer is considered as trusted without verification.
Attention:
For security reasons it is NOT recommended to use no_peer_verification.

List 3137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging

Parameter Description
Override Node Name: The log entities sent to an external log host contain the name and structural information (range/cluster) of the sending box and the name of the log file. With this parameter set to yes this information can be overridden (default: no).
Explicit Node Name: Only available if Override Node Name is set to yes. Setting this value an explicit node name can be set. This node name is inserted into each log entity sent to the external log host.
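The Log Message Filter options in the Logdata Filters lists are "group selections" over the eight log types, with Selection falling back to the explicit Selected Message Types list. The following added example (our code, not the box's syslog daemon) resolves a filter setting to the set of affected types and applies it, together with a Log Groups choice, to constructed log lines. It assumes the types rank in the order the manual lists them (Panic most severe, Internal least), so that "Notice-and-Higher" keeps Notice and everything listed above it; the '<log group> <log type> <message>' line layout is constructed for the example.

```python
"""Added example (not Barracuda's code): the "group selection" Log Message
Filter options and the Selected Message Types list from the Logdata Filters
section, run over constructed log lines.

Assumption: the eight log types rank in the order the manual lists them
(Panic most severe, Internal least), so "Notice-and-Higher" keeps Notice and
every type listed above it. The sample lines use a constructed
'<log group> <log type> <message>' layout."""

from typing import Iterable, List, Optional, Set, Tuple

LOG_TYPES = ["Panic", "Security", "Fatal", "Error", "Warning", "Notice", "Info", "Internal"]
RANK = {name: index for index, name in enumerate(LOG_TYPES)}   # lower = more severe


def _and_higher(threshold: str) -> Set[str]:
    return {t for t in LOG_TYPES if RANK[t] <= RANK[threshold]}


GROUP_SELECTIONS = {
    "All": set(LOG_TYPES),
    "All-but-Internal": set(LOG_TYPES) - {"Internal"},
    "Notice-and-Higher": _and_higher("Notice"),
    "Warning-and-Higher": _and_higher("Warning"),
    "Error-and-Higher": _and_higher("Error"),
}


def affected_types(log_message_filter: str,
                   selected_message_types: Optional[Iterable[str]] = None) -> Set[str]:
    """Resolve a Log Message Filter setting to the set of affected log types.
    Selection uses the explicit Selected Message Types; anything else is a
    group selection. Unknown names raise rather than silently match nothing."""
    if log_message_filter == "Selection":
        chosen = set(selected_message_types or ())
        unknown = chosen - set(LOG_TYPES)
        if unknown:
            raise ValueError(f"unknown log types in Selected Message Types: {sorted(unknown)}")
        return chosen
    if log_message_filter not in GROUP_SELECTIONS:
        raise ValueError(f"unknown Log Message Filter {log_message_filter!r}")
    return set(GROUP_SELECTIONS[log_message_filter])


def stream_filter(lines: Iterable[str], log_groups: Iterable[str], log_message_filter: str,
                  selected_message_types: Optional[Iterable[str]] = None
                  ) -> Tuple[List[str], List[str]]:
    """Split lines into (streamed, rejected). A line is streamed when its log
    group is selected and its type passes the filter; lines that do not fit
    the expected layout are returned separately instead of vanishing."""
    wanted_types = affected_types(log_message_filter, selected_message_types)
    wanted_groups = set(log_groups)
    streamed: List[str] = []
    rejected: List[str] = []
    for line in lines:
        fields = line.split(" ", 2)
        if len(fields) < 3 or fields[1] not in RANK:
            rejected.append(line)
            continue
        group, log_type, _ = fields
        if group in wanted_groups and log_type in wanted_types:
            streamed.append(line)
    return streamed, rejected


# Constructed sample lines (not real Barracuda NG Firewall output).
SAMPLE_LINES = [
    "Control Notice service started",
    "Firewall Warning rule LOCALIN blocked a packet",
    "Firewall Internal cache housekeeping done",
    "Event Error disk quota exceeded",
    "Firewall Info session established",
    "garbage line without a type",
]

if __name__ == "__main__":
    kept, bad = stream_filter(SAMPLE_LINES, ["Firewall"], "Warning-and-Higher")
    print(kept, bad)
```

Returning unparsable lines instead of discarding them matters when the stream feeds a SIEM: a filter that silently drops what it cannot classify hides exactly the anomalies a reviewer would want to see.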
List 3137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging (continued)

Parameter Description
Prepend Hierarchy Info: Only available if Override Node Name is set to yes. This parameter allows fine tuning of the prefix which is inserted into each log entity sent to the external log host.
Add UTC Offset: Log files generated on a box are stamped with the local box time. The UTC time offset compared to the local time is recorded though, and can be examined in the TZ column in the log viewer (Log Viewer 2.3 View Segment, page 308). The UTC time offset information is not included by default (setting: no) when log files are streamed to the Barracuda NG Control Center. Setting to yes adds the UTC time offset information to streamed log files, so that these files may be analyzed uniformly in case the CC collects log files from multiple boxes placed in various time zones.

5.2.3.4 Logdata Streams

By configuring this section, relations between log patterns and log destinations are established. Thus it is possible to make a combination of each log pattern (a sort of filter) and log destination to allow fine-grained target selection.

Note:
With Barracuda CC Control selected as Remote Loghost the streamed log files will be stored under /phion0/mlogs/range/cluster/box on the CC.

List 3138 Infrastructure Services - Syslog Streaming - Logdata Streams section Stream Configuration

Parameter Description
Active: This parameter allows you to activate/deactivate the selected log stream profile. By default, for example when creating a new profile, this parameter is set to yes.
Log Destinations: Here the available log destinations (defined in 5.2.3.3 Logstream Destinations, page 117) can be selected.
Log Filters: Here the available log patterns (defined in 5.2.3.2 Logdata Filters, page 116) can be selected.

List 3139 Infrastructure Services - Control - Monitoring Setup section Monitoring Parameters

Parameter Description
Regular Poll Interval [secs]: This parameter defines the amount of time between the HA heartbeats. The smaller the values are, the faster HA reaction can take place (default: 5 seconds). The default value prevents too fast HA take-overs. When you are using the Firewall with transparent failover feel free to set this parameter to 1 second. But take into consideration that the partner system then reacts instantly with a take-over during server starts/stops or network activation. In this case first block the server before doing anything else.
Note:
This parameter also affects the reaction time for activating/deactivating routes and servers (Monitor IPs).

List 3140 Infrastructure Services - Control - Monitoring Setup section HA Monitoring Parameters

Parameter Description
Translated HA IP (table columns: Translated HA IP, Alternative HA IP, Usage Policy, Description): For network setups providing a private uplink between two HA boxes, it is possible to define a translation table specifying the IP address to use for communication between the two HA partners. The Translated HA IP thereby identifies a box's primary Management IP as specified in the Box Network configuration dialog (Management IP (MIP), page 62). The Alternative HA IP is part of the private uplink network defined through Section Additional Local Networks, page 62. The parameter Usage allows specifying how to proceed if the alternative HA IP becomes unavailable.
Attention:
Take into consideration that the Alternative IP addresses must be added manually to the corresponding firewall rule (inbound).
Note:
See High Availability 2. Setting up a HA System, page 402 for a configuration example using Translated HA IPs in a private uplink network.
5.2.4 Control

Browse to Infrastructure Services > Control to open the configuration area. The configuration options in this place, amongst others, allow you to define the limits determining when the events High System Load (Event-ID 30) and Excessive System Load (Event-ID 31) are generated. They also allow you to customize the time interval after which idle Barracuda NG Admin and SSH sessions are automatically terminated.

List 3141 Infrastructure Services - Control - Monitoring Setup section ICMP Gateway Monitoring Exemptions

Parameter Description
No Probing for Interfaces: This parameter allows excluding gateways that are reachable via the offered interface items from regular ICMP-based probing. The following interfaces are available: UMTS-Link, xDSL-Link, DHCP-Link, ISDN-Link, SERIAL-Link.

List 3145 Infrastructure Services - Control - CPU-Load Monitoring section CPU-Load Warning Thresholds

Parameter Description
Average 1/5/15 Mins: These three parameters define threshold values for generation of Event-ID High System Load [30].

List 3146 Infrastructure Services - Control - CPU-Load Monitoring section CPU Load Error Thresholds

Parameter Description
Average 1/5/15 Mins: These three parameters define threshold values for generation of Event-ID Excessive System Load [31].

5.2.5 Statistics

5.2.6 Eventing

For a description of Eventing settings see Eventing, page 321.

5.2.7 General Firewall Configuration

For a description of Firewall Settings see Firewall 2.1.1 General Firewall Configuration, page 134.

PAR files are applicable for the following tasks:
- Restore box and Barracuda NG Control Center configurations (see 5.4 Restoring/Importing from PAR File)
- Re-install a system with kickstart disk and PAR file (Getting Started 1.3 Installation with a Saved Configuration, page 8)

PAR files may be created from the following places in the configuration tree:

Fig. 372 Creating a PAR file

On single boxes and on box level of Barracuda NG Control Centers:
- Right-click Box in the configuration tree and select Create PAR file from the context menu.
- Right-click Box (accessible through Multi-Range > <rangename> > <clustername> > Boxes) and select Create PAR file for box from the context menu. This action creates a PAR file of the specific box's configuration only.

PAR files may either be saved as regular .par or as compressed .pgz files.

Restoring Barracuda NG Control Center configurations
Execute this task when restoring the backup of a complete Barracuda NG Control Center tree.

Note:
If you are restoring the configuration of a CC that has been installed freshly after crash recovery, do not forget to restore the box configuration of the CC as well.

Note:
Box configurations may not be restored on CC level. To restore a functional backup of a misconfigured box, delete the box in the Barracuda NG Control Center tree and thereafter use Import Box from PAR instead (see below).
6. Repository

To the Barracuda NG Firewall box configuration tree, a further top level element may be added: the so-called Repository. Repositories are available for each configuration instance of the tree, for example Settings or Cron.

Fig. 373 Way of Supplying a Box with a Repository

This may be of particular interest in combination with the usage of root aliases.

A freshly installed Barracuda NG Firewall always contains a default box repository containing predefined data consisting of the most widely used settings. For instance, there is a default data set for appliances, and many more.

6.1 Working with a Repository

6.1.1 Creating a Repository

Click the Activate button in order to create a Repository tree element. With the creation of a repository, the options available for configuration nodes in the context menu will be augmented by entries named Copy to Repository and Copy From Repository. The new items become visible by locking the corresponding node. In order to obtain more information as to when or by whom a node was created, modified or locked, the context menu furthermore contains the Show History option.

Note:
Due to compatibility reasons, two nodes are structured in a different way in the box repository tree than within the box range tree configuration:
- Authentication Service is placed in Advanced Configuration and not in Infrastructure Services
- System Settings is placed in Box and not in Advanced Configuration

- Step 2:
Within the pop-up window, either select an existing destination file or create a new one in order to store the chosen node. Click OK when done:

Fig. 376 Select Destination

Note:
The destination file must only be locked if an existing archive file is to be overwritten. If the file does not exist yet, you may simply click on the directory in order to create an input field at the bottom of the dialog. There you may enter the new archive name for the node.

- Step 2:
Select the desired node within the repository and click OK:

6.1.4 Overriding Repository-Linked Configuration Settings

- Step 1:
Lock the desired configuration node.
- Step 2:
Right-click the node and select Override Link Data from the context menu:
- Step 3:
A dialog will open allowing you to browse the contents of the respective repository. Simply click on the file containing the data you wish to be written into the locked configuration instance. When done, click the OK button.
- The configuration settings data stored within the repository will now be written into the configuration node.

Once Override Entry has been activated, manipulation of the entry is not disabled anymore but may be freely toggled instead:

Fig. 384 Now Locally Overridden Boolean Entry

The other overriding mode, Strict Override (Copy), will copy the repository data back to the box into the local configuration.

Once Merge Override has been selected, the section entry becomes editable. In this example, a new configuration item is added:

Fig. 396 Locally Stored Item and a Repository Stored Item within a Section

- Unoverriding an Entry
You may switch back to the data linked from the repository by selecting Unoverride Entry. This works on all types of overridden entries.
7. Troubleshooting

The Barracuda NG Admin client is capable of sharing the currently displayed Barracuda NG Admin screen with Barracuda Networks support personnel. This feature facilitates quick and effective troubleshooting with the help of Barracuda Networks support without the need for a third party screen-sharing application like Webex or others.

Unless otherwise explicitly configured, the remote connection will be fully SSL encrypted and can be established through a proxy server.

Attention:
To achieve a maximum of privacy, Barracuda Networks support personnel is only able to view the current Barracuda NG Admin administration screen. Any other applications running at the client workstation will not be visible and usable to others. Also pop-up windows and the Windows task bar are hidden from Barracuda Networks support staff.

Parameter Description
Live Assist Entry Point: Host name of the Barracuda Networks support service.
Note:
This is automatically filled in.
SRQ: Number of the Support Request. This ticket number will be assigned by the Barracuda Networks support staff.
Block Remote Input (View Only): If this checkbox is enabled, Barracuda Networks support staff is only able to view the current Barracuda NG Admin screen. If disabled, Barracuda Networks support has full control of the client's input devices within your client application.
Enable File transfer: Enables the possibility to send or receive files to or from the Barracuda Networks support staff.
Use Proxy Server to connect: The connection to the Barracuda Networks support service can be forwarded by a HTTP proxy server.
User/password: User credentials to authenticate at the HTTP proxy server.
Proxy[:Port]: Network address and port of the HTTP proxy.
Full Barracuda NG Admin: Shares the full Barracuda NG Admin client with the Barracuda Networks support staff. The support personnel is capable of navigating through the complete Barracuda NG Admin client and its functions.
Box/CC only: Only the currently connected Barracuda NG Control Center or gateway will be visible to the Barracuda Networks support personnel. There is no possibility for Barracuda Networks to connect to other Barracuda NG Control Centers or gateways.
Screen Application Protection: Any other windows of the desktop will be transmitted too, but the content of these windows will not be visible to the Barracuda Networks support staff. See 7.4 From Our Support's Point of View, page 128.

7.2 Initiate Support Calls

A support call to the Barracuda Networks support personnel using Live Assist is initiated by clicking the Support button in the upper menu bar. The connection status of Barracuda Live Assist is indicated in the top-left corner.

Fig. 3102 Live Assist Connection Status

Remote desktop sharing is always a delicate matter regarding privacy and security. Therefore we want to provide our customers and partners a look behind the scenes of the Barracuda Networks support with the Barracuda NG Admin Live Assist tool.

The screenshot shows a distorted frame of a Windows application that is lying on top of the shared Barracuda NG Admin screen.

Before a System Report is generated, the Barracuda NG Firewall administrator has to select the contents of the report.

Fig. 3105 Choose the Contents of System Reports

When collection of all necessary data is finished, the Barracuda NG Admin client asks for a destination to save the System Report file. The System Report is saved in a *.tgz archive file and can so be easily transmitted to the Barracuda Networks support team via e-mail.
Firewall

1. Overview
1.1 Firewall Configuration 133
1.2 Firewall Notions 133
1.3 Firewall GUI 133

2. Firewall Configuration
2.1 Global Parameters and Default Settings 134
2.2 Rule Set Configuration 140
2.3 Advanced Options for Firewall Rules 159
2.4 Delete, Copy and Paste within the Firewall Configuration 169
2.5 Cascaded Rule Sets 169

3. Local Rules
3.1 General 171
3.2 Restrictions of Local Action and Connection Types 171

5. Example Configuration
5.1 General 174
5.2 Advanced Settings in the Example Setup 177

8. Log Files
8.1 Standard Log Files 188

9. Bridging
9.1 General 190
9.2 Bridging Goals and Benefits 190
9.3 Bridging Methods 190
9.4 Security 192
9.5 Implementation of Logical Entities 192
9.6 Bridging Configuration 194

11. RPC
11.1 General 204
11.2 ONCRPC 204
11.3 DCERPC 207
11.4 Monitoring 209
1. Overview

The heart of the available Barracuda NG Firewall software modules is the firewall module. This chapter deals with the configuration of the firewall module and with the tools which allow the administrator to define the firewall's behavior while it is active.

The chapter is basically divided into three parts:
- Overview
- Detailed description of the configuration (including a real-world example)
- Insights into the runtime steering of the firewall engine

The Barracuda NG Firewall module handles any IP traffic that is handled by the system. Basically it is divided into four different types of traffic:
- Loopback: Traffic where source AND destination are local addresses and processes
- Local In (Local rules - Inbound): Traffic with a local destination address and process
- Local Out (Local rules - Outbound): Traffic with a local source address and process

1.2 Firewall Notions

The firewall module is able to handle two types of transport mechanisms:
- stateful ACPF (Application Controlled Packet Forwarding)
- TAP (Transparent Application Proxying)

Step 3 Introduce a firewall service on your system

Note:
The forwarding firewall is only active either without any license key or with a valid license including the firewall module.

To create a new rule, lock the affected rule set (either Local Rule Set or Forwarding Rule Set) and click the context menu entry New.

Attention:
Rule names may contain a maximum of 50 characters and digits.

2. Firewall Configuration

2.1 Global Parameters and Default Settings

Beside the rule set there are several global parameters which steer the behavior of the firewall engine as a whole. Changing some of these parameters makes it necessary to restart the firewall service.

Attention:
All active connections will get lost during this procedure.

The settings are divided into two parts: the first part regarding the firewall engine as a whole (see 2.1.1 General Firewall Configuration, page 134), which is actually a box service, and the part which is only valid for the service layer and affects the forwarding and service infrastructure issues only (see 2.1.2 Firewall Forwarding Settings, page 139).

Fig. 42 Tree locations of the general firewall settings (General Firewall Configuration, page 134; Rule Set Configuration, page 140; Firewall Forwarding Settings, page 139)

The following global options are available:

List 41 Box Services - General Firewall Configuration - Peer-to-Peer Detection and Protocol Detection

Parameter Description
Enable Protocol Detection: Setting to yes (default: no) enables P2P-detection.
Peer-To-Peer Policy: From the list select the handling policy for detected P2P traffic.
- No-Detection
- Detect-Only: Detects and reports P2P traffic in the firewall access cache but takes no action.
- Limit-Bandwidth: Limits the bandwidth for detected P2P traffic considering the limit value specified below.
- Drop-Traffic: Blocks detected P2P traffic.
- Shape-Connectors: Assigns Peer-to-Peer traffic to a Shape Connector.
Peer-To-Peer Bandwidth (KBit/s): This option is enabled by setting the policy to Limit-Bandwidth. It specifies the maximum bandwidth that should be allowed for P2P traffic.
Peer-To-Peer Shape Connector: Assigns detected Peer-to-Peer traffic to a pre-defined Shape Connector.
All Game Protocols: Enables or disables the detection of all known game application protocols.
All VOIP Protocols: Enables or disables the detection of all known Voice over IP protocols.
All Tunnel Protocols: Enables or disables the detection of all known tunnelling protocols.
Explicitly Add Protocols: A set of known protocols can be defined for a more granular detection.
Explicitly Skip Protocols: A set of known protocols can be defined that should not be detected.

Note:
Changes regarding Peer-to-Peer Detection need a restart of the Barracuda NG Firewall ACPF.
2.1.1 General Firewall Configuration
Informations, how to restart ACPF, can be found in the
Barracuda Networks CLI Tools for Experts, chapter 3,
Note:
acpfctrl.
To activate changes made in this part of the
configuration, click button OS Restart (for further
information concerning effects of OS Restart see 2.6
2.1.1.2 Global Limits
Box Tab, page 38).
Note:
2.1.1.1 Protocol Detection After increasing Session Limits and Memory Settings
restarting the firewall service may fail if there is not
P2P-detection is assigned per firewall rule and can be used sufficient kernel address space available.
in the local just like in the forwarding firewall rule set. See
2.3.2 Peer to Peer Detection, page 161 for general information The default size of kernel address space that is reserved
and configuration details. for the firewall is 256 MB. The address space can be
extended by using the vmalloc kernel parameter. The
syntax of vmalloc is:
vmalloc=<Size>K|M|G List 44 General Firewall Configuration - Global Limits section Access Cache
Settings
<Size> is the new size of the kernel address space
reserved for storing the firewall data. Parameter Description
K, M or G is the unit of <Size> which is Kilobyte, Max. Drop min: 128; max: 8192; default: 2048
Entries
Megabyte or Gigabyte.
Max. Fail min: 128; max: 8192; default: 2048
Example: vmalloc=512M reserves 512 Megabytes for the Entries
firewall. Max. ARP min: 128; max: 8192; default: 2048
Entries
In order o increase the kernel address space, enter the Max. SIP Calls min: 64; max: 8192; default: 512; see 4. SIP, page 378
vmalloc parameter in Config > Box > Advanced for details
Max. SIP min: 64; max: 8192; default: 512; see 4. SIP, page 378
Configuration > Bootloader > Global Append Options. Transactions for details
Then activate the new settings and reboot the box. Max. SIP Media min: 64; max: 16384; default: 1024; see 4. SIP, page 378
for details
List 43 General Firewall Configuration - Global Limits section Session Limits
Max. DNS Maximum number of DNS queries triggered through
and Memory Settings
Entries creation of network objects of type Hostname (see
Parameter Description 2.2.4.1 Hostname (DNS Resolvable) Network Objects,
page 257) (default: 512).
ACPF Memory This parameter is read-only and displays the estimated 75 % of the configured value are reserved for use by
[MB] memory requirement according to the settings below. the forwarding, the remaining 25 % for use by the local
If the following settings are increased and the firewall rule set. The combination of maximum value
displayed read-only value exceeds 200 MB an and percentage determines the Index number of
additional bootloader parameter may be required. network objects that are visualized in the Firewall
Monitoring GUI (see 6.6 Dynamic Rules and Data,
On i686 boxes with more than 768MB RAM that require page 185).
additional vmalloc space to satisfy the increased
memory demand of non-default firewall settings we Attention:
recommend to increase the vmalloc area in steps of DNS queries will not be executed for network objects
128MB, starting at the 384MB. Reboot the box after exceeding the maximum values and consequently,
setting the parameter and wait if the firewall service firewall rules using these objects will never match.
successfully starts after the system boot. Do not use Note:
vmalloc areas bigger than 640MB. The vmalloc area is A network object that is used by forwarding and local
shared among several kernel subsystems. Therefore firewall at the same time will trigger two DNS queries
the exact size of the allocated vmalloc area that is and will be counted twice.
required to load the firewall cannot be predetermined.
List 4-5 General Firewall Configuration - Session Limits

Max Local-In UDP/Src: Maximum number of UDP sessions per source IP (min: 1; max: -; default: 512).
Note:
With eventing activated (parameter UDP/Src Limit Exceeded set to yes), the event FW UDP Connection per Source Limit Exceeded [4008] is generated when the limit is exceeded.

Max Local-In Echo/Src: Maximum number of ICMP Echo sessions per source IP (min: 1; max: -; default: 512).
Note:
With eventing activated (parameter Echo/Src Limit Exceeded set to yes), the event FW ICMP-ECHO Connection per Source Limit Exceeded [4026] is generated when the limit is exceeded.

Max Local-In Other/Src: Maximum number of sessions of any IP protocol (except TCP, UDP, ICMP) per source IP (min: 1; max: -; default: 128).
Note:
With eventing activated (parameter Other/Src Limit Exceeded set to yes), the event FW OTHER-IP Connection per Source Limit Exceeded [4028] is generated when the limit is exceeded.

Inbound Threshold (%): If the number of pending accepts exceeds the threshold, the firewall switches to inbound mode (min: 1; max: 100; default: 20).
Note:
With eventing activated (parameter Pending Accepts Critical set to yes), the event FW Activating Perimeter Defence (inbound mode) [4004] is generated when the limit is exceeded.

SYN Cookie High Watermark (%): Percentage (of maximum pending inbounds) of pending inbound accepts at which to switch to SYN cookie usage for enhanced SYN flooding protection (min: 0; max: 100; default: 20).

SYN Cookie Low Watermark (%): Percentage (of maximum pending inbounds) of pending inbound accepts at which to go back to ordinary SYN handling (min: 0; max: 100; default: 15).

Max Pending Local Accepts/Src: Maximum number of pending accepts per source IP (min: 5; max: 1024; default: 64).

Max TAP Worker: (min: 5; max: 1024; default: 100).

Max Socks Worker: (min: 5; max: 1024; default: 20).

2.1.1.4 Operational

List 4-6 General Firewall Configuration - Operational

Use Kernel Rule Set [default: no]: no: Kernel Rule Set not enabled; yes: Kernel Rule Set enabled; accelerated: Kernel Rule Set in accelerated mode enabled.
Setting to yes or accelerated transfers the forwarding firewall rule set into kernel space. Opting for rule matching directly within the operating system kernel improves the performance of the firewall's connection establishment rate. For achievable rates refer to the documentation data sheets.
As a rule of thumb, for about 1000 sessions/s the kernel rule set should be enabled for better firewall performance. Additionally, if many firewall objects (> 200) are used, the accelerated option is recommended.
Note:
Activating this parameter deactivates the option to use Tracing conditions (6.8.2 Tracing of Connections Matching Defined Conditions, page 187).

Global TCP Delay Policy: Decides if the Nagle algorithm is used by default. Can be overruled for single connection objects (default: NagleEnabled).

Accept Policy: Possible values are inbound or outbound. The value configured here is used as Server default value in the Accept Policy section of the rule creation/editing dialog (see 2.3.4.3 Accept Policies, page 166).

ARP Reverse Route Check: Setting this parameter to yes causes answers to ARP requests to be checked for whether Source IP and interface are correct.

Global Reverse Device Policy: The options of this parameter specify whether requests and replies must use the same (outgoing) interface to be accepted (device-fixed; default) or not (device-may-change).
(Figure: three firewall diagrams with outgoing interfaces, marked OK, OK and Denied.) The figure shows: Request (left) - Reply for setting device-fixed (middle) - Reply for setting device-may-change (right).
Attention:
This parameter specifies the global policy. You may change the policy per rule, though it is NOT recommended to do so.

Allow Active-Active Mode: Active-Active firewall operation mode is deactivated by default (setting: no). It has to be enabled in preparation for operation of multiple active firewalls on one box with a load balancer connected upstream.

Log Synced Sessions: This setting determines logging of access cache sessions which have been synchronized between HA partners (default: yes). Set to no to disable logging.

Enable FW Compression: The setting of this parameter determines whether firewall compression can be used in connection objects. Firewall compression is deactivated by default (default: No).
Note:
Firewall compression is only applicable between firewalls operating on Barracuda NG Firewall. When activated, the option Enable FW Compression MUST be set to yes on all systems participating in compressed traffic.
Attention:
Do not enable firewall compression on gateways situated at the rim of untrustworthy networks, in order to avoid DoS attacks based on bulk sending of compressed data packets. An attacker might forward IPCOMP packet copies originating from the compressed session to the firewall, thus forcing it to perform load-consuming decompression tasks. If compressed traffic is required at the perimeter, make use of compressed VPN traffic. Authentication mechanisms included in VPN technology prevent the DoS exploit stated above (see 2.7.1.2 Traffic Intelligence (TI), page 235).

Disable Assembler Ciphers: By default these Assembler Ciphers are enabled. Due to the assembler implementation for AES/SHA/MD5 the VPN performance has been increased significantly.

VPN Rate Limit (MBits/sec): Limits the rate at which VPN traffic is encrypted and decrypted respectively. The default value 0 does not impose any restriction.
Note:
If you experience excessive CPU load in an environment with many VPN tunnels, then change this value.
Attention:
If the value has been changed, a restart of the VPN service is necessary for it to take effect.

VPN HW Modules: If you have installed and intend to use a crypto hardware accelerator board for encryption load splitting with VPN, select the hardware module, which is required to load the corresponding functions. Currently Barracuda NG Firewalls support the Broadcom_582x module.
Note:
When operating a hardware accelerator card the encryption engine may be chosen per tunnel (TINA tunnels, see 2.7.1 Configuring TINA Tunnels (Firewall-to-Firewall Tunnels), page 233, and see 2.7.2 Configuring IPsec Tunnels, page 239).

Rule Change Behavior: Specifies whether an existing connection is terminated (Terminate-on-change; default) or not (Keep-on-change) if the rule set changes and the session is no longer allowed by the new rule set.
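The pending-accept limits of List 4-5 above (Inbound Threshold, the two SYN Cookie watermarks and Max Pending Local Accepts/Src) interact as a small state machine; the following Python model is an added example, not Barracuda code. It assumes a global capacity max_pending_inbounds (a value this page does not define), treats "exceeds" as strictly greater and the watermarks as inclusive, keeps inbound mode latched because the page states no exit condition, and raises event [4006] for the per-source limit as documented for Max. Pending Forward Accepts/Src in List 4-16.

```python
from collections import defaultdict


class PendingAcceptMonitor:
    """Model of the pending-accept limits from List 4-5 and List 4-16.

    Added example, not Barracuda code. Percentages are taken relative to
    max_pending_inbounds, an assumed capacity value this page does not define.
    """

    def __init__(self, max_pending_inbounds, inbound_threshold_pct=20,
                 syn_cookie_high_pct=20, syn_cookie_low_pct=15,
                 max_pending_per_src=64):
        if max_pending_inbounds <= 0:
            raise ValueError("max_pending_inbounds must be positive")
        if not 0 <= syn_cookie_low_pct <= syn_cookie_high_pct <= 100:
            raise ValueError("low watermark must not exceed high watermark")
        self.capacity = max_pending_inbounds
        self.inbound_threshold_pct = inbound_threshold_pct  # Inbound Threshold (%)
        self.high = syn_cookie_high_pct                     # SYN Cookie High Watermark (%)
        self.low = syn_cookie_low_pct                       # SYN Cookie Low Watermark (%)
        self.per_src_limit = max_pending_per_src            # Max Pending ... Accepts/Src
        self.pending = defaultdict(int)   # source IP -> pending accepts
        self.syn_cookies = False
        self.inbound_mode = False
        self.events = []                  # (source IP, event text), oldest first

    def total_pending(self):
        return sum(self.pending.values())

    def percent_pending(self):
        return 100.0 * self.total_pending() / self.capacity

    def syn_received(self, src):
        """A new connection attempt from src. Returns True if it is queued."""
        if self.pending[src] >= self.per_src_limit:
            # Per-source limit hit: event [4006] as documented in List 4-16.
            self.events.append((src, "FW Pending TCP Connection Limit Reached [4006]"))
            return False
        self.pending[src] += 1
        self._reevaluate(src)
        return True

    def handshake_finished(self, src):
        """The handshake completed or timed out; the accept is no longer pending."""
        if self.pending[src] > 0:
            self.pending[src] -= 1
        self._reevaluate(src)

    def _reevaluate(self, src):
        pct = self.percent_pending()
        # Inbound Threshold (%): inbound mode starts once the threshold is
        # exceeded. The page gives no exit condition, so the model latches it.
        if not self.inbound_mode and pct > self.inbound_threshold_pct:
            self.inbound_mode = True
            self.events.append((src, "FW Activating Perimeter Defence (inbound mode) [4004]"))
        # The two watermarks form a hysteresis band: SYN cookies switch on at
        # the high mark and off only when load has fallen to the low mark, so a
        # load hovering around one value does not toggle the mode constantly.
        if not self.syn_cookies and pct >= self.high:
            self.syn_cookies = True
        elif self.syn_cookies and pct <= self.low:
            self.syn_cookies = False


if __name__ == "__main__":
    # Constructed sample: 25 half-open connections from distinct sources, then a
    # single source exhausting its per-source allowance.
    monitor = PendingAcceptMonitor(max_pending_inbounds=100)
    for i in range(25):
        monitor.syn_received(f"203.0.113.{i + 1}")
    for _ in range(65):
        monitor.syn_received("198.51.100.7")
    print("syn cookies:", monitor.syn_cookies, "inbound mode:", monitor.inbound_mode)
    for src, event in monitor.events:
        print(src, event)
```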
List 4-6 General Firewall Configuration - Operational (continued)

Rule Change Behavior (continued):
Attention:
Local sessions are not reevaluated on rule change. This parameter only has an effect on forwarding sessions. Workflow for enforcing changed local rules: manually terminate local sessions in the Firewall Active tab.

Generic Forwarded Networks: Traffic between networks inserted into this field will be excluded from firewall monitoring and will be forwarded without source and destination differentiation, even if no forwarding firewall is installed.
Attention:
Only make use of this feature if you are operating your Barracuda NG Firewall system for routing and NOT for firewall purposes, as generic network forwarding might cause severe security issues.

No Rule Update Time Range: This option allows defining a time range during which firewall rules may not be updated. Use international time format; for example, to disallow rule updates from 14:00 through 22:00, insert 14-22.

Send TCP RST for OOS Pkts.: The firewall sends TCP RST packets to these networks if it detects packets not belonging to an active session. This is useful to avoid timeouts on certain servers.

List 4-10 General Firewall Configuration - Audit and Reporting tab section Connection Tracing

Settings: see list 4-14, page 138

Section Eventing Settings

Fig. 4-3 Config Section - Eventing Settings

List 4-11 General Firewall Configuration - Eventing Settings

Section Connection Tracing

To open the configuration dialog, click the Edit button.

Fig. 4-4 Connection Tracing configuration

List 4-15 General Firewall Configuration - Connection Tracing

Data Limit (kB): Max. size of trace per connection (min: 10; max: 4096; default: 256).

File Limit: Max. number of files (= traces) (min: 10; max: 1024; default: 512).

2.1.2 Firewall Forwarding Settings

2.1.2.1 Firewall

Fig. 4-5 Config Section - Firewall Forwarding Settings - Firewall

List 4-16 Firewall Forwarding Settings - Firewall section Server Specific Firewall Settings

Max. Forwarding Other/Src: Maximum number of sessions of any IP protocol (except TCP, UDP, ICMP) per source IP (min: 1; max: -; default: 128).
Note:
With eventing activated (parameter Other/Src Limit Exceeded set to yes, see page 246), the event FW OTHER-IP Connection per Source Limit Exceeded [4028] is generated when the limit is exceeded.

Max. Pending Forward Accepts/Src: Maximum number of pending accepts per source IP (min: 5; max: 1024; default: 64).
Note:
With eventing activated (parameter Accept Limit Exceeded set to yes), the event FW Pending TCP Connection Limit Reached [4006] is generated when this limit is exceeded.

2.1.2.2 RPC

This section is used in conjunction with RPC. For a detailed description, see 11.2.2.1 Configuring Active&Passive ONCRPC (recommended), page 206.

2.1.2.3 Bridging
2.2 Rule Set Configuration

There is a slight difference between managing a firewall rule set locally or on a Barracuda NG Control Center. On a locally administered system, the rule sets are edited either via the firewall GUI or the boxconfig GUI. Nevertheless it is the same rule set, whereas on the Barracuda NG Control Center the rules are part of the data tree which holds all configuration data of the boxes, servers and services. Therefore, rule administration via a Barracuda NG Control Center is strictly separated from the control and status overview of the firewall.

Nevertheless, the firewall configuration GUI of the configuration daemons is the same as the configuration part of the firewall GUI itself. Hence it is not described separately.

Firewall configuration uses a set of notions which it is necessary to know. Firewalls in general are confronted with a request of the following kind:

Source-IP:Source-Port wants to connect to Destination-IP:Destination-Port

The rule set of the firewall now decides what should happen with such a request. Generally, there are three ways to handle a request:

- it can be blocked
- it can be allowed
- it can be rewritten

Note:
Depending on what kind of rule set is currently created/modified, the following has to be taken into consideration:
Local FW: When introducing a new rule that blocks an established connection, the connection has to be terminated manually in order to set the new rule and its connection block active.
Forwarding FW: When introducing a new rule that blocks an established connection, it can be configured whether the active connection should be blocked.

Before describing the details of creating rules, we must look at the basics of establishing connections with a Barracuda NG Firewall.

Fig. 4-6 Schematic of terms involved in establishing a network connection through a Barracuda NG Firewall
Destination address: 192.168.99.120:80
Connection address: 172.31.1.110:80
Source address: 192.168.0.56:2305
Bind address: 192.168.0.56:2305

establish it, then transferring the packet or the data stream from the Source-Destination connection to the Bind-Connection link. We speak of different types of rules, for example pass, redirecting, mapping, source-nat, destination-nat, depending on how bind and connection address are related to source and destination address.

The real core of the firewall configuration is the rule set. It consists of an ordered set of rules, which interconnects a source-IP:source-port / destination-IP:destination-port quadruple to a bind-IP:bind-port / connection-IP:connection-port quadruple. The firewall engine uses the so-called first-match algorithm to decide which rule is to be applied. This means the action taken by the firewall engine is uniquely defined by source IP, destination IP and destination port.

The Barracuda NG Firewall rule set knows two basic entities to describe and fix the behavior of the firewall engine:

- Action types (see 2.2.3.3 Action Section, page 144): The action type first decides whether the firewall should do anything at all, then describes the relationship between destination and connection.
- Connection Elements (see 2.2.6 Connection Elements, page 153): The connection type describes the relation between source and bind address.

2.2.1 General Characteristics of the Firewall Graphical Interface

It is desirable that data sets can be arranged in such a way that the most wanted information catches the eye. Giving consideration to these needs, the Barracuda NG Firewall GUI incorporates several sorting mechanisms.

To simplify matters, the main characteristics regarding arrangement and ordering of data in the various windows will be described together in this chapter. Characteristics exceeding this description are positioned in the respective chapter itself.

2.2.1.1 Title Bar(s)

- Changing the column sequence: Information situated in the main window of each configuration window is captioned with a title bar. The data sets themselves are arranged in columns. The column sequence may be adjusted to personal needs, either by using the standard context menu (see 4.2 Standard Context Menu, page 420) or by dragging and dropping the respective column to another place.
- Ordering data sets: In most windows, data sets may be arranged ascending or descending respectively by clicking into the column labelling of the respective title bar.
- Right-clicking on a selected item in any configuration window makes the same menu items available as shown in the navigation bar of the respective section displayed on the left side. In each case, the items are valid for the specific section only.
- In some windows the context menu item Set Color allows flagging data sets with a user-specific color for the purpose of highlighting them.
- In some windows the context menu item Show in Groups allows switching between two views: the classical view, a continuous list, or a list combining groups of elements.

2.2.1.3 The Object Viewer

The Object Viewer is designed to assist in creating or modifying a rule set, by making distinct objects, such as network, service, connection, ICMP, and time objects, quickly available.

Open a rule by double-clicking it and select the checkbox Object Viewer in the rules navigation bar, or select Rules > Object Viewer from the Configuration navigation bar to open the Object Viewer.

When opened from the rule window the Object Viewer is opened sticking to the right of it. Grab the viewer and drag it to a place where it does not disturb other configuration windows. Adjust the viewer to stay on top permanently by sticking the blue needle.

When opened directly from the rule creation/modification dialog by ticking the checkbox Object Viewer in the navigation bar, a special function is available: selecting a specific tab in the viewer then immediately changes the navigation bar items in the rule window. Selecting an object hence activates the specific menu items related to it. It is thus not only possible to configure existing objects in the rule set; new objects can additionally be created by launching the object editing dialogs from the navigation bar. Furthermore, existing objects can be dragged from the object viewer into the rule set directly and dropped at a place where they fit.

2.2.1.4 Rule Markers

Table 4-3 Rule marks utilized in the rule overview window (Icon / Action / Indication)

Block: This icon is added to rule elements in the column display which have been configured to BLOCK on Mismatch in the Rule Mismatch Policy section of the Advanced settings dialog (see 2.3.4 Advanced Rule Parameters, page 162).
Deny: This icon is added to rule elements in the column display which have been configured to DENY on Mismatch in the Rule Mismatch Policy section of the Advanced settings dialog (see 2.3.4 Advanced Rule Parameters, page 162).
User authentication required: This icon is added to the Name column if the rule requires user authentication due to configuration of the Authentication parameter in the Advanced configuration dialog (see 2.2.3.8 Authenticated User Section, page 147).
Timed: This icon is added to the Name column if the rule has been configured as a dynamic rule (see 2.3.6 Dynamic Activation, page 168).
Time restricted: This icon is added to the Name column if a time restriction has been configured for the respective rule using a Time Object (see 2.2.3.10 Time Objects, page 147) or the Time Restriction parameter (see 2.3.4.2 Time Restriction, page 165) in the Advanced settings dialog.
2-way: This icon is added to the Name column if a rule has been configured to apply in both directions.
Content filter set: This icon is added to the Name column if a content filter has been configured in the rule through the parameter Content Filter in the Content/IPS configuration dialog (see 2.3.1 Content Filter (Intrusion Prevention), page 159).
Source IP exposed: This icon is added to the Action column if connection type Client is set, which causes the client's source IP to be exposed in a connection (see 2.2.6 Connection Elements, page 153).
Stream is forwarded: This icon is added to the Action column if Stream Forwarding is configured as data transfer Method in the TCP Policy section of the Advanced configuration dialog (see 2.3.4 Advanced Rule Parameters, page 162).
Source Interface is set to Continue on Mismatch: This icon is used when the Source Interface has been set to Continue on Mismatch (see 2.2.3.9 Source Interface Section / Reverse Interface Section, page 147).
Data flow is compressed: This icon is added to the Action column when the Connection Object the rule references has been configured with traffic compression in either direction (see 2.2.6 Connection Elements, page 153).
- the configuration area in the main window.

List 4-17 Items of the Navigation Bar's main element "Configuration"

Source Addresses
Destination Addresses
Service Addresses
Note:
The option Edit Multiple Rules is not available if the view is set to Show in Sections and a section is selected. Select real rules only.

- Edit Rulelist: This item allows the creation of subordinate rule lists, to which specific items from the main rule list can be cascaded (see 2.5.1 Cascaded Rule Lists, page 169 for a detailed description).
Note:
Forwarding Firewall: The actions New Rulelist and Remove Rulelist can be executed through the context menu on the tabs of the rulelist(s).
List 4-21 Firewall configuration - Destination section (Icon / Action / Destination / Additional parameters)

Local Redirect:
Note:
Advanced parameters and timeouts of this type behave like in the local firewall.
Additional parameter Create Proxy ARP: Activate if you want a Proxy ARP to be generated by the firewall. If the IP is already in the list, you do not need to activate it, but doing so does no harm either.
Attention:
Due to the fact that using Proxy ARPs is not without risk, please consult 2.2.9 Proxy ARPs, page 158, for further information.

Local Redirect Object: Traffic is redirected to a network object.
Note:
Advanced parameters and timeouts of this type behave like in the local firewall.

Broad-Multicast: Traffic is propagated to multiple interfaces (only needed with Bridging, see 9. Bridging, page 190).

Cascade / Cascade Back: No traffic is yet affected. It is a jump into other parts of the rule set (see 2.5 Cascaded Rule Sets, page 169).
Additional parameter Rule set list: Defines the rule set traffic is cascaded to.

Execute: Redirects traffic to an executable (std_in - incoming traffic; std_out - outgoing traffic).

2.2.3.5 Redirection Section

Depending on the relative properties of the redirected IP range and the target IP range, there are four types of redirecting:

- The target IP range is as large as the redirected range (for example 10.0.0.128/28 to 192.168.32.0/28). The IP addresses are mapped one to one.
- The target IP range is larger than the redirected range (for example 10.0.0.128/28 to 192.168.32.0/24). The "most fitting" IP address is taken, for example 10.0.0.130 to 192.168.32.130.
- The target IP range is smaller than the redirected range (for example 192.168.32.0/24 to 10.0.0.128/28). The larger range is mapped to the smaller range, for example 192.168.32.2 and 192.168.32.130 to 10.0.0.130, and 192.168.32.30 to 10.0.0.142.
- One IP is redirected to several other IPs (for example 192.168.32.3 to [10.0.0.23 10.0.0.68]). Depending on the chosen policy (Fallback or Cycle), requests are redirected to one of the target IPs.

Multiple Redirecting (Failover and/or Load Sharing)

- Failover: All IPs from the redirect list are tested, and IPs where no connection could be established are marked as unreachable. The process lists for how long the IP was unreachable (last time) and how often retries took place. As soon as the retry time is smaller than the last time, the IP is considered as reachable and a new connection attempt is started.
- Load Sharing: The principle is the same as for failover, except that the valid index for the connection establishment results from the SRC IPs.

The available settings of this section depend on the Action type:

List 4-22 Firewall configuration - Redirection section (Icon / Action / Parameter / Description)

Block: not available

Deny: not available

Pass: not available

Redirect:
Target List: List of targets that the clients should be redirected to (possible connection IPs). By entering a colon it is possible to define the port.
Attention:
When entering a specific port, be sure to have the correct service selected. Otherwise it will not work at all.
List of Critical Ports: By default, the available/unavailable policy considers all ports of the allowed rule services. If a connection to such a port fails, the target is marked unavailable and the rest of the targets are used as the new list. If there are entries in the critical ports list, only failed connections to these ports lead to a state change of the respective target from available to unavailable. Separate multiple critical port entries with a space.

Redirect Object:
Target List: List of targets that the clients should be redirected to (possible connection IPs). By entering a colon it is possible to define the port.
Attention:
When entering a specific port, be sure to have the correct service selected. Otherwise it will not work at all.
List of Critical Ports: By default, the available/unavailable policy considers all ports of the allowed rule services. If a connection to such a port fails, the target is marked unavailable and the rest of the targets are used as the new list. If there are entries in the critical ports list, only failed connections to these ports lead to a state change of the respective target from available to unavailable. Separate multiple critical port entries with a space.

Map:
Real IP/Mask: IP to be redirected (Destination IP).
Referenced Map: Instead of explicit mapping you can also refer to a pre-defined connection object of type translation map.

Local Redirect:
Local Address: Local address the request is redirected to.
Note:
Advanced parameters and timeouts of this type behave like in the local firewall.

Local Redirect Object:
Local Address: Local address the network object is redirected to.
Note:
Advanced parameters and timeouts of this type behave like in the local firewall.
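The four redirection types and the Fallback/Cycle target-list policy of 2.2.3.5 above can be checked against the page's own address examples; the following Python model is an added example, not the firewall's code. It assumes that all three range mappings follow one rule (the host bits that fit under the target range's prefix are kept, the network bits are replaced), and that the critical-ports rule of List 4-22 decides whether a failed connection marks a target unavailable; the names map_address, parse_target and RedirectTargetList are the example's own.

```python
from ipaddress import ip_address, ip_network


def map_address(src, redirected_range, target_range):
    """Map one address of the redirected range into the target range.

    Assumed rule (the page gives examples, not a formula): keep the host bits
    that fit under the target prefix, replace the network bits. This covers the
    equal-size, larger-target and smaller-target cases of 2.2.3.5 alike.
    """
    src = ip_address(src)
    redirected = ip_network(redirected_range)
    target = ip_network(target_range)
    if src not in redirected:
        raise ValueError(f"{src} is not inside the redirected range {redirected}")
    host_bits = int(src) & int(target.hostmask)
    return str(ip_address(int(target.network_address) | host_bits))


def parse_target(entry):
    """Parse a Target List entry typed as 'ip' or 'ip:port'."""
    if ":" in entry:
        ip, port = entry.rsplit(":", 1)
        return str(ip_address(ip)), int(port)
    return str(ip_address(entry)), None


class RedirectTargetList:
    """Target List of a Redirect / Redirect Object action.

    Selection follows the Fallback (first available) or Cycle (round robin)
    policy; failed connections mark a target unavailable, restricted to the
    List of Critical Ports when that list is non-empty.
    """

    def __init__(self, entries, policy="Fallback", critical_ports=()):
        if policy not in ("Fallback", "Cycle"):
            raise ValueError("policy must be Fallback or Cycle")
        self.targets = [parse_target(e) for e in entries]
        self.policy = policy
        self.critical_ports = set(critical_ports)
        self.unavailable = set()   # target IPs currently marked unavailable
        self._next = 0

    def available(self):
        """The 'new list' of targets still considered available."""
        return [t for t in self.targets if t[0] not in self.unavailable]

    def pick(self):
        """Choose the (ip, port) target for the next request, or None."""
        avail = self.available()
        if not avail:
            return None
        if self.policy == "Fallback":
            return avail[0]
        target = avail[self._next % len(avail)]
        self._next += 1
        return target

    def connection_failed(self, ip, port):
        """Record a failed connection; returns True if the state changed."""
        if self.critical_ports and port not in self.critical_ports:
            return False   # not a critical port: no state change
        self.unavailable.add(ip)
        return True

    def connection_succeeded(self, ip):
        """A retry succeeded: the target counts as available again."""
        self.unavailable.discard(ip)


if __name__ == "__main__":
    # The page's own examples, reproduced by the single mapping rule.
    print(map_address("10.0.0.130", "10.0.0.128/28", "192.168.32.0/24"))   # 192.168.32.130
    print(map_address("192.168.32.30", "192.168.32.0/24", "10.0.0.128/28"))  # 10.0.0.142
    rt = RedirectTargetList(["10.0.0.23", "10.0.0.68"], policy="Cycle")
    print([rt.pick()[0] for _ in range(3)])
```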
List 4-22 Firewall configuration - Redirection section (continued)

Broad-Multicast: not available

Cascade: not available

Cascade Back: not available

Execute: not available

2.2.3.6 Service Section

2.2.3.8 Authenticated User Section

This section is needed for Firewall Authentication (see 10. Firewall Authentication, page 199) and defines the user(s)/usergroup(s) affected by this rule. You may select an already existing user/usergroup from the menu or enter an explicit user/group.

The configuration dialog in this place is the same as described under 2.2.7 User Groups, page 158.

If the rule requires user authentication at the firewall, the rule is depicted with an icon in the Name column in the rule overview window.

Time Object Name: Specify a name for the time object.

Set allow: Select to clear selected checkboxes.
2.2.4 Network Objects

The Firewall - Networks window assorts network objects that have been assigned labels for easier recognition and handling. Network objects are designed to be used, for example, in the following way:

Instead of itemising single web servers running on the IPs 192.168.23.2, 192.168.23.21, 192.168.23.25, and 192.168.23.32, all servers can be summed up in a network object called allwebservers. This network object can be used to define actions applying to all servers. Again, if a further web server is created running on the IP address 192.168.23.34, there is no need to create further rules applying to it. The additional web server simply has to be added to the network object allwebservers. It will thus inherit all properties from the existing object.

Fig. 4-11 Creating/editing a net object called allwebservers

- In firewall rule sets that employ references to network objects instead of explicit IP addresses, rule configurations do not have to be edited when IP addresses within objects change.
- Network objects may be referenced in all generic configuration dialogs of the Barracuda NG Control Center configuration tree in places where IP addresses or networks are to be inserted (IP/network address field flagged with the icons), with the exception of DNS zone configuration, Personal Firewall configuration, CC administrator configuration, and the explicit tunnel override dialogs provided by the VPN GTI. Click the icon to open the Network Objects window from which the network object reference can be chosen. Click the icon to delete the reference. This feature protects you from adverse side effects that may arise from incomplete address changes throughout multiple configuration instances.

Note:
Creating references to network objects in generic configuration areas is only possible in the Barracuda NG Control Center configuration tree and not on CC-administered or single boxes.

Type:
Generic: Generic Network Objects may combine network addresses of all types. All network objects that are available on Barracuda NG Firewall systems by default are configured as generic network objects.
Single IP Address: Selecting this type allows inserting a single IP address into the IP / Ref list.
List of IP Addresses: Selecting this type allows inserting single IP addresses and/or references to other single IP address objects into the IP / Ref list.
Single Network Address: Selecting this type allows inserting a single network address into the IP / Ref list.
List of Network Addresses: Selecting this type allows inserting multiple network addresses (networks and IP addresses) and/or references to other network address objects into the IP / Ref list.
Hostname (DNS Resolved): Selecting this type allows specifying a DNS resolvable host name as network address.
Attention:
Network objects of type Hostname come along with a number of specialities and potential security issues when applied wrongly. Pay regard to their attributes with essential care. See 2.2.4.1 Hostname (DNS Resolvable) Network Objects, page 149 for a detailed description of configuration options.
Hostname network objects are available as from netfence 3.6.3. Always use the correct Barracuda NG Admin version when editing Hostname objects.
Attention:
Do not import rule sets containing Hostname network objects on Barracuda NG Firewalls with version numbers 3.6.3 or lower.

Firewall rule sets steer the processing of IP packets. As IP packets only know a destination IP address and not a host name, the allocation of host names to appropriate IP addresses must be managed through the firewall.

Network objects of type Hostname allow specifying DNS resolvable host names as network addresses, and in this way make the use of host names in firewall rules possible.

Note:
Only explicitly defined host names (for example www.barracudanetworks.com) but no comprehensive zone names may be used in network objects.

Note:
A DNS Server must be specified in the DNS Server IP field in the Box Settings file (2.2.3.3 DNS, page 55) in order to use network objects of type Hostname.
Barracuda NG Firewall 4.2.10 | Revision 3.5, Barracuda Networks 2010
Using DNS resolvable host names in firewall rule sets can cause problems because of the following:
• IP addresses that are allocated to DNS host names might change.
• A DNS record might contain multiple IP addresses.

Creating network objects of type Hostname
Hostname objects may be created in:
• the Local Firewall rule set
• the Forwarding Firewall rule set
• as Global, Range- or Cluster-specific firewall objects

Note:
Hostname objects may NOT be created as explicit source or destination objects in firewall rules.

To create a network object of type Hostname, select Hostname (DNS resolved) from the Type list in the Net Object window. Consider the following detail configuration options:

Fig. 413 Network Object - Type Hostname (DNS Resolved)

Parameter: Description
Type: The Type defines specific object characteristics. Network objects of type Hostname expect specification of an explicit DNS resolvable host name in the Name field below.
Note: Once the object has been created its type cannot be changed.
Name: Into this field insert the DNS resolvable name the object is to be created for.
Note: The specified name is the name of the network object at the same time. The object name may be changed retroactively.
Description: Into this field insert a significant object description.
Resolve: The functionality of this button is purely informational. Click it to execute a DNS query for the host name inserted into the Name field. The result of the query is displayed in the IP field in the Entry section. Note that the query is executed using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin and NOT using the DNS server(s) known to the Barracuda NG Firewall running the firewall service.

List 428 Network Object - Type Hostname
Parameter: Description
DNS Lifetime (Sec): The DNS Lifetime defines the interval after which to refresh DNS entries for network objects of type Hostname that are configured for use in currently effective firewall rules (default: 600 s). Setting to a lower value than 30 seconds might cause problems in network object lists containing a huge number of Hostname objects. DNS entries may also be refreshed manually in the Firewall Monitoring GUI > Dynamic tab > Dynamic Rules tab (6.6.1 Dynamic Rules, page 185).
Attention: The DNS Lifetime has no effect on actively established connections, even if the DNS resolution of a network object that is currently used in a firewall rule changes. In this case, to force a refresh, terminate the active session in order to enable new connection establishment using the updated DNS entry.

List 429 Network Object - Type Hostname section Entry / Excluded Entry
Parameter: Description
The fields in the Entry and Excluded Entry sections may be used to restrict a network object and to force a condition to match explicitly or to exclude it from being part of it. For example, if a DNS host name entry www.domain.com matches four DNS A-records pointing to the IP addresses 10.0.6.1, 10.0.8.1, 10.0.8.2 and 10.0.8.3, and it is wanted that connection requests must always point to addresses residing in the 10.0.8.0/24 network, but must never be addressed to the IP address 10.0.8.3, the following values need to be configured in the corresponding fields:
Section Entry: IP 10.0.8.0/24
Section Excluded Entry: IP 10.0.8.3

Using network objects of type Hostname
Hostname objects may be used as:
• Source/Destination in rules within the Forwarding Firewall
• Source/Destination in rules within the Local Firewall
• Reference in the Entry list of Generic Network Objects
• Hostname objects may NOT be used as reference in the Entry list of all other network object types.

Attention:
Hostname objects that cannot be resolved can never match in a rule. Consequently, when a non resolvable object is used in a rule, this rule cannot be processed correctly. Hostname objects will become non resolvable not only if they refer to a non existent host name, but also in case the DNS server the queries are addressed to is unavailable.

Attention:
Do NOT use Hostname network objects in rules with the policy block.

Note:
When the firewall is (re)started, it may take up to 10 seconds until DNS resolution is provided for all configured Hostname network objects. Because the firewall is already active, it might happen that before the actually desired rule becomes active another rule matches a request.

Note:
Active sessions are not re-evaluated when DNS resolution changes, but only when the rule itself is modified. Persistent sessions may have to be terminated manually in order to enable new connection establishment using the updated DNS entry.

Monitoring network objects of type Hostname
DNS queries addressed to the DNS server configured in the Box Settings are triggered as soon as a Hostname network object is created. The result of these queries is visualized in the following places:

Note:
In all views but the Dynamic Rules tab, DNS resolution is retrieved using the DNS server(s) known to the client running the graphical administration tool Barracuda NG Admin and NOT using the DNS server(s) known to the Barracuda NG Firewall running the firewall service.

• In the Entries column in the Network Object list (figure 412).
• In the Rule Object list when the Hostname object configured in the rule is used.
• In the Source/Destination window querying the Rule Object list when the Hostname object is currently used.
• In the Rule Tester.
• In the Dynamic Rules tab (see 6.6.1 Dynamic Rules, page 185) of the Firewall Monitoring GUI.

the succession of the individual sub-objects that build up a service object is important.

The default rule set of the Barracuda NG Firewall has a large list of predefined service objects. We will discuss the principal structure of a service object by dealing with the TCP-ALL example.

Fig. 415 Part of the predefined services for the Barracuda NG Firewall

The service object TCP-ALL (figure 415) consists of five elements, though one would think that TCP-ALL simply means what the fifth element is: all ports for a TCP connection. There are two reasons for this. Two of them (ftp and rcmd) have different settings in the parameter section than TCP * has. The presence of HTTP+S and SMTP has administrative functions only: if you want statistics, the firewall resolves the services it processes down to the lowest matching object. In this case this means that the statistics for a rule using TCP-ALL would resolve the traffic for the service objects FTP, RCMD, HTTP, HTTPS (because HTTP+S itself is a composite of HTTP and HTTPS), SMTP and the rest of TCP.

Fig. 416 Service objects TCP-ALL and FTP
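The Hostname object behaviour described above (the Entry / Excluded Entry restriction of List 429, the DNS Lifetime of List 428, and the rule that an unresolvable object never matches), as an added Python model that is not part of the guide; the resolver table, the class and its method names are constructed for this example:

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set

# Constructed answers standing in for the DNS server set in the Box Settings.
FAKE_DNS: Dict[str, List[str]] = {
    "www.domain.com": ["10.0.6.1", "10.0.8.1", "10.0.8.2", "10.0.8.3"],
}


@dataclass
class HostnameObject:
    """Network object of type Hostname, reduced to what the guide describes."""
    name: str                                   # the DNS resolvable name
    entry: List[str] = field(default_factory=list)     # Entry section (IP/network)
    excluded: List[str] = field(default_factory=list)  # Excluded Entry section
    dns_lifetime: int = 600                     # DNS Lifetime (Sec), guide default
    resolved: Set[str] = field(default_factory=set)
    last_refresh: Optional[float] = None

    def __post_init__(self) -> None:
        # A bare address such as 10.0.8.3 becomes a /32 network.
        self._entry = [IPv4Network(n) for n in self.entry]
        self._excluded = [IPv4Network(n) for n in self.excluded]

    def refresh(self, now: float, resolver: Dict[str, List[str]] = FAKE_DNS,
                force: bool = False) -> Set[str]:
        """Re-resolve only once the DNS Lifetime has elapsed (or when forced,
        as the Dynamic Rules tab allows). A failed lookup leaves an empty set,
        which is why an unresolvable object can never match a rule."""
        due = (self.last_refresh is None or force
               or now - self.last_refresh >= self.dns_lifetime)
        if not due:
            return self.resolved
        self.resolved = set()
        for ip_text in resolver.get(self.name, []):
            ip = IPv4Address(ip_text)
            in_entry = not self._entry or any(ip in n for n in self._entry)
            in_excluded = any(ip in n for n in self._excluded)
            if in_entry and not in_excluded:
                self.resolved.add(ip_text)
        self.last_refresh = now
        return self.resolved

    def matches(self, ip_text: str) -> bool:
        """Rule evaluation against the currently cached resolution."""
        return ip_text in self.resolved


def guide_example() -> Set[str]:
    """The List 429 case: four A-records, Entry 10.0.8.0/24, Excluded 10.0.8.3."""
    obj = HostnameObject("www.domain.com", entry=["10.0.8.0/24"], excluded=["10.0.8.3"])
    return obj.refresh(now=0.0)


if __name__ == "__main__":
    print(sorted(guide_example()))  # ['10.0.8.1', '10.0.8.2']
```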
2.2.5.1 Parameters of Services

Fig. 417 Parameter section for TCP and UDP

List 430 Firewall configuration - Service Objects parameters section TCP & UDP
Parameter: Description
Port Range: Port or port range the service is running on.
Dyn. Service: This parameter is required in conjunction with ONCRPC (see 11. RPC, page 204).
Service Label: Here you may enter certain labels. Leaving this parameter blank causes the well-known service names (available in /etc/services) to be used.
Attention: It is highly recommended to use this parameter only for defining service names that are not "well-known ones" (for example, Oracle521, ).
Client Port Used: Port range the firewall uses to build up the connection between itself and the destination. This port range is only used if a dynamic port allocation is required, as for example for the proxy dynamic connection type. Selecting Manual Entry enables the parameters From and To below, where you may enter a custom port range.
Note: This parameter does not state a condition for rule-evaluation.

List 431 Firewall configuration - Service Objects parameters section ICMP Echo
Parameter: Description
Max Ping Size: Defines the maximum allowed ping size.
Min Delay: Defines the minimum allowed delay for pinging.
Note: With eventing activated, the event FW Flood Ping Protection Activated [4002] is generated if this limit is under-run (see Flood Ping, page 246).

List 432 Firewall configuration - Service Objects parameters section General
Parameter: Description
Session Timeout: Time in seconds a session may remain idle until it is terminated by the firewall (default values: TCP: 86400; UDP: 60; ICMP: 20; all other protocols: 120). This timeout applies as the only value for all TCP connections, thereby counting the time that has passed in a session without traffic processing. Additionally, it applies as initial timeout for all session-like connections established through non-connection oriented protocols (for example, UDP or ICMP), thereby counting the time that has passed from the source's yet unanswered initial datagram. As soon as this datagram has been answered, the Balanced Timeout (see below) comes into effect.
Note: This parameter is only executable in the forwarding firewall. Setting this parameter in the local firewall takes no effect.
Balanced Timeout: Time in seconds a session-like connection established through a non-connection oriented protocol (all protocols except TCP) may remain idle until it is terminated by the firewall (default values: UDP: 30; ICMP: 10; all other protocols: 120). The balanced timeout comes into effect after the initial datagram sent by the source has been answered and the "session" has been established. Generally, the balanced timeout should be shorter than the session timeout, because it will otherwise be overridden by the session timeout and never come into effect. The balanced timeout allows for keeping non-connection oriented "sessions" short and minimising the amount of concurrent sessions. The larger initial session timeout guarantees that late replies to initial datagrams are not inevitably dropped.
Note: This parameter is only executable in the forwarding firewall. Setting this parameter in the local firewall takes no effect.
Plugin: Name and parameters of the used plug-in (see 2.2.5.2 Plugin Modules, page 152).

2.2.5.2 Plugin Modules

There are some applications which do not use just simple communication between two predefined IPs over one or a few well defined ports.

A well known example is FTP: After an initial control dialog over port 21, the client and the server use another random port from 1024 through 65535 to send and receive data. The firewall has two possibilities to handle this: either it opens all higher ports, which is not really suitable for a secure firewall, or it listens to the two FTP partners and opens the data channel just for this connection. In order to do this, you must use a so-called module.

Table 44 Currently available modules
Application/Protocol | Protocol family | Syntax with parameters | Description
FTP | TCP | ftp |
FTP | TCP | ftp samePort | Indicates that no PAT (Port Address Translation) is performed for ftp data sessions even if the firewall session is NATed. This way one can guarantee that the source port for an active FTP data session remains port 20.
RSH | TCP | rsh | Ensures that rsh works properly
ICA Browser | UDP | ica ip-address-1 ip-address-2 ip-address-3 ip-address-n | Used for the ICA browser application (mapping, redirecting). The pairs of IPs are mapped IP/real IP. If no NAT is involved, you must declare the IPs as pairs as well.
Oracle SQL*Net | TCP | ora hostname=ip-address | Needed when the Oracle SQL*Net application uses dynamic ports. Also used in the context of destination NAT (mapping, redirecting). The Oracle server usually uses domain name resolution. Hence you must give the IP/name pair to the module.
Trivial FTP | UDP | tftp | Attention: Inherently insecure. Read the explanation below.
ONCRPC | UDP & TCP | oncrpc | Use only with port 111 (RPC Port Mapper); in conjunction with 11. RPC, page 204.
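The interplay of Session Timeout and Balanced Timeout from List 432 above, as an added Python model that is not part of the guide; the SessionTable class, its method names and the sample addresses are constructed for this example (the defaults are the ones the list states):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default values from List 432 (Session Timeout / Balanced Timeout), in seconds.
SESSION_TIMEOUT: Dict[str, int] = {"TCP": 86400, "UDP": 60, "ICMP": 20, "OTHER": 120}
BALANCED_TIMEOUT: Dict[str, int] = {"UDP": 30, "ICMP": 10, "OTHER": 120}

Key = Tuple[str, str]  # (source address, destination address) of the initiator


@dataclass
class Session:
    proto: str
    last_seen: float
    answered: bool = False  # has the source's initial datagram been replied to?

    def idle_limit(self, session_timeout: int, balanced_timeout: Optional[int]) -> int:
        """TCP only ever uses the session timeout. For non-connection-oriented
        protocols the session timeout applies until the first answer arrives;
        afterwards the balanced timeout applies, but a balanced timeout larger
        than the session timeout is overridden by it and never takes effect."""
        if self.proto == "TCP" or not self.answered or balanced_timeout is None:
            return session_timeout
        return min(balanced_timeout, session_timeout)


class SessionTable:
    """Constructed model of the forwarding firewall's idle-timeout handling
    for one service object (one protocol)."""

    def __init__(self, proto: str, session_timeout: Optional[int] = None,
                 balanced_timeout: Optional[int] = None) -> None:
        self.proto = proto
        self.session_timeout = session_timeout or SESSION_TIMEOUT.get(proto, SESSION_TIMEOUT["OTHER"])
        if proto == "TCP":
            self.balanced_timeout: Optional[int] = None
        else:
            self.balanced_timeout = balanced_timeout or BALANCED_TIMEOUT.get(proto, BALANCED_TIMEOUT["OTHER"])
        self.sessions: Dict[Key, Session] = {}
        self.terminated: List[Tuple[Key, float]] = []  # (key, time of termination)

    def expire(self, now: float) -> None:
        """Terminate every session whose idle time has reached its limit."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen >= s.idle_limit(self.session_timeout, self.balanced_timeout):
                self.terminated.append((key, now))
                del self.sessions[key]

    def packet(self, now: float, src: str, dst: str) -> None:
        """Account one datagram; a reply to an open session marks it answered."""
        self.expire(now)
        if (src, dst) in self.sessions:
            self.sessions[(src, dst)].last_seen = now
        elif (dst, src) in self.sessions:
            s = self.sessions[(dst, src)]
            s.last_seen = now
            s.answered = True
        else:
            self.sessions[(src, dst)] = Session(self.proto, now)

    def is_active(self, now: float, src: str, dst: str) -> bool:
        self.expire(now)
        return (src, dst) in self.sessions

    def effective_idle_limit(self, src: str, dst: str) -> Optional[int]:
        s = self.sessions.get((src, dst))
        return None if s is None else s.idle_limit(self.session_timeout, self.balanced_timeout)


def late_reply_scenario() -> Tuple[bool, bool, bool]:
    """UDP defaults: a reply 50 s after the request is still accepted (session
    timeout 60 s), and from then on the 30 s balanced timeout governs."""
    t = SessionTable("UDP")
    t.packet(0.0, "10.0.0.2", "10.1.1.5")       # client's initial datagram
    accepted = t.is_active(50.0, "10.0.0.2", "10.1.1.5")
    t.packet(50.0, "10.1.1.5", "10.0.0.2")      # late server reply
    still_open = t.is_active(79.0, "10.0.0.2", "10.1.1.5")  # 29 s idle
    closed = not t.is_active(80.0, "10.0.0.2", "10.1.1.5")  # 30 s idle
    return accepted, still_open, closed


if __name__ == "__main__":
    print(late_reply_scenario())  # (True, True, True)
```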
Table 44 Currently available modules (continued)
Application/Protocol | Protocol family | Syntax with parameters | Description
DCERPC | UDP & TCP | dcerpc | Use only with port 135 (Endpoint Mapper); in conjunction with 11. RPC, page 204.
Skinny | TCP | --- | The plugin monitors the skinny signalling connection between phone and Cisco call manager; use only with port 2000 (default port for signalling); for configuration details see 2. SCCP, page 374.
SIP | UDP | sip | For details how to use the SIP plugin, see 4.3 Installing SIP, page 378

• Trivial FTP module
The trivial ftp module can be used for all UDP applications, which maintain their connection on a different port than their initial starting port; trivial FTP is the most common example.

Fig. 418 Connection situation for a UDP connection of tftp kind

Since TNS structures can operate with different servers and hostnames you can use patterns for the hostname. Since the communication also involves a port change the plugin has to be used in any case. The hostname2=hostname1 or hostname2=hostname1,IP1 part is mandatory and must not be omitted. If database farms are used, the hostname=IP or hostname2=hostname1,IP entries must be a space separated list.

Fig. 419 Connection situation for a SQL client connecting to an Oracle server (figure labels: SQL Client, Firewall, Oracle Server; connects to hostname1; hostname2; 172.16.0.22; 192.168.10.2)

In the situation shown in figure 419, the correct plug-in setting is ora hostname2=192.168.10.2.

2.2.6 Connection Elements

The connection element of a firewall rule defines the bind address. This address is used by the firewall to connect to the target computer.

There are essentially three ways of connecting the bind IP to the original Source IP.
• Client - Source IP = Bind IP
• Proxy - Fixed Bind IP for all Clients (also called Masquerading or Source NAT)

The following options are available for configuration of a standard connection object:

List 433 Firewall configuration - Service Objects - General settings
Parameter: Description
Name: Name of the connection object.
Description: Significant connection object description.
Connection Color: Choose a color, in which you want the connection object to be displayed in the Firewall - Connections window.
List 433 Firewall configuration - Service Objects - General settings (continued)
Parameter: Description
Connection Timeout: This general option for all connection types is the timeout for trying to establish a connection. The default value is 30 seconds. Increasing this value can be useful for very protracted connection partners. Decreasing this value can be useful for faster failover mechanisms.
Address Selection: This parameter specifies the Bind IP. The following options are available:
  Proxy Assigned: Reserved for future use to implement policy routing based on administrative scope (organisational unit a host belongs to).
  Proxy First: First IP address of server under which firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
  Proxy Second: Second IP address of server under which firewall service is operating. May be used to restrict the bind address or when policy routing is activated.
  Proxy Dynamic (default): Dynamically chosen according to firewall routing tables. This is a general purpose option.
  Client: IP Address of the Client. Source IP = Bind IP
  Explicit: Explicitly specified IP address. May be used to restrict the bind address to a specific address. Selecting Explicit activates further options below and in section Firewall configuration - Service Objects - General settings section Failover and Load Balancing:
    Same Port: Ticking this checkbox enforces use of the same client port when establishing the connection.
    Explicit IP: Here the specific IP address is to be entered.
    Create Proxy ARP: If the explicitly defined IP address does not exist locally, an appropriate ProxyARP entry may be created by selecting this checkbox.
  Interface: Explicitly specified interface. May be used to restrict the bind address to a specific interface. Selecting Interface activates further options below and in section Firewall configuration - Service Objects - General settings section Failover and Load Balancing:
    Interface Name: Here the name of the affected interface is to be entered.
  Map: Source NAT for a complete subnet. In order to avoid dramatic misconfiguration, the netmask is limited to up to 16 bits. Otherwise, a Proxy ARP with 10.0.0.0/8 would "blank out" the whole internal network, for example.
  Attention: If you define a map, you've got to make sure that the source range using this connection is equal to or smaller than the map range. If not, the firewall will wrap the larger source net into the smaller bind net.
    Map to Network: Here the specific mapping network is to be entered.
    Netmask: Here the corresponding netmask is to be entered.
    Proxy ARP: This parameter is needed by a router if the addresses live in its local network (see 2.2.9 Proxy ARPs, page 158).
Note: The section Failover and Load Balancing is only available with parameter Address Selection set to Explicit or Interface.

List 434 Firewall configuration - Service Objects - General settings section Failover and Load Balancing
Parameter: Description
Policy: This parameter allows you to specify what should happen if the connection cannot be established. Especially when having multiple providers and policy routing this parameter comes in handy because it allows you to specify which IP address/interface has to be used for backup reasons. Otherwise, connecting via the backup provider using the wrong IP address in conjunction with the backup provider would make routing back quite impossible. Available policies are:
  NONE (No Fallback or Source Address Cycling) [default setting]: Selecting this option deactivates the fallback feature.
  Fallback (Fallback to alternative Source Addresses): Causes use of the alternative IP addresses/interfaces specified below.
  SEQ (Sequentially Cycle Source Addresses): Causes cycling of the IP addresses/interfaces specified below.
  RAND (Randomize Source Addresses): Causes randomized usage of the IP addresses/interfaces specified below.
  Configuration examples related to multipath routing are described below in more detail (see 2.2.6.2 Barracuda NG Firewall Multipath Routing, page 155).
Alternative/Type: Here up to three Alternative IP addresses or interfaces can be configured for use with the selected policy.
Note: Usage of alternative interfaces is recommended when no permanently assigned IP address exists on an interface.
Weight: Assigns a weight number to the IP address or interface. Lower numbers mean higher priority.

List 435 Firewall configuration - Service Objects - General settings section VPN Traffic Intelligence (TI) Settings
Parameter: Description
Settings configured in this section only apply to Traffic Intelligence configuration in combination with TINA tunnel VPN technology. See Traffic Intelligence (TI), page 235 for details.

List 436 Firewall configuration - Service Objects - General settings section BOB Settings
Parameter: Description
BOB Settings: This setting specifies if traffic should be processed compressed or not and in which direction to utilize compression. To compress traffic, parameter Enable FW Compression has to be set to Yes (see page 244).
Note: Firewall compression is only applicable between firewalls operating on Barracuda NG Firewall. When activated, option Enable FW Compression (see page 244) MUST be set to yes on all systems participating in compressed traffic.
Attention: Do not enable firewall compression on gateways situated at the rim of untrustworthy networks in order to avoid DoS attacks based on bulk sending of compressed data packets. An attacker might forward IPCOMP packet copies originating from the compressed session to the firewall, thus forcing it to load consuming decompression tasks. If compressed traffic is required at the perimeter, make use of compressed VPN traffic. Authentication mechanisms included in VPN technology prevent the DoS exploit stated above (Traffic Intelligence (TI), page 235).
List 436 Firewall configuration - Service Objects - General settings section BOB Settings (continued)
Parameter: Description
BOB Settings (continuation):
Note: Traffic compression only applies in the span from firewall to firewall. The firewall automatically uncompresses the traffic before forwarding it to the actual destination.
Settings will be interpreted in the following way:
  No Compression: Traffic is always forwarded uncompressed (default).
  Compression in FORWARD Direction: Traffic is compressed in direction from source to destination address.
  Compression in REVERSE Direction: Traffic is compressed in direction from destination to source address. This compression mode thus only applies to traffic returned as response to a connection request.
Attention: Be careful when creating rules using the "2-way" option as this will only work when the destination address is a firewall as well.
Note: Have a look at the example setups below to understand the mode of action of compression configuration.

Fig. 421 Standard Connections Example Setup 1 (figure labels: Client 10.0.0.2, Firewall A, Firewall B, HTTP Server 10.1.1.5; Request, Answer)

Description:
Client requesting a connection to a web server. Firewall A is configured to compress traffic in forward direction, firewall B is configured to compress traffic in reverse direction. Data transmitted between client and HTTP server will thus always be compressed.

• Example Setup 2
The following situation does not require traffic compression from client to HTTP server but only vice versa, as the client rarely does anything else than requesting data. Compression is thus only needed in reverse direction.
The following rules must be introduced to achieve the wanted result:

Table 46 Example Setup 2 Rule configuration firewalls A and B
Rule configuration | Firewall A | Firewall B
Action | Pass | Pass
Source | 10.0.0.2 | 10.0.0.2
Destination | 10.1.1.5 | 10.1.1.5
Service | HTTP+S | HTTP+S
Connection | Client | Client
Compression | none | Reverse

Fig. 422 Standard Connections Example Setup 2 (figure labels: Client, Firewall A, Firewall B, HTTP Server; Request)

Additionally, the firewall rule set is extended to allow Source Address Cycling. This enables rules to be configured where the source IP for different sessions is cycled.

The capabilities of Barracuda NG Firewall multipath routing are noted below.

Linux Standard Multipath - How Linux Standard Multipath routing is handled
• Source IP based balancing between Next Hops. Once the source destination combination is in the routing cache this combination will stay on the selected next hop IP
• No dead next hop detection
• No per session packet balancing

Simple redundancy by next hop detection could be provided by adding multiple routing entries with different route preference numbers.

Fig. 423 Simple redundancy through next hop detection

Source Address Fallback and Cycling - Policy
• NONE - No fallback or source address cycling
• FALLBACK - Fallback to alternative source addresses
• SEQ - Sequentially cycle source addresses, for example, first session - Explicit IP, second session - Alternative #1; third session - Alternative #2; fourth session - Alternative #3; fifth session - Explicit IP, and so on.
• RAND - Randomize source addresses

(Figure residue omitted: network diagrams for next hop cycling and source address cycling with providers A to D in 82.2.3.0/24; labels "Next Hop Cycling", "Session Source IP Cycling", "Session 1: Src 82.2.3.2", "Session 2: Src 82.2.3.12", "Session 3: Src 82.2.3.32", "Session 4: Src 82.2.3.32")

Examples:
• Source Address Cycling
To create a new Connection Object change to the Connections tab and add a new standard connection object by clicking the New Standard button. Select Explicit IP Address and add the first IP. Alternative IP Addresses are specified in the section Source Address Fallback and Cycling.

Fig. 425 Configuration example for Source Address Cycling

ACPF Assisted Multipath - How ACPF Assisted Multipath routing is handled
• Per packet balancing between Next Hops
• Dead Next Hop Detection

(Figure residue omitted: multipath diagram with providers A to D and next hops in 82.2.3.0/24; labels "Dead Next Hop Detection", "Session 1: Src 82.2.3.2", "Assigned Source IP")

Fig. 426 Configuration example for multipath routing (Packet Load Balancing is set to "No")

Together with the described source address cycling the configuration shown above performs packet based load balancing by
a) Sequentially cycling the source addresses for each session so that the first session gets the source IP 82.2.3.2 assigned, etc.
b) ACPF Assisted Multipath routing performs packet based load balancing for each session, so that the first datagram of session one is routed via 82.2.3.1, the second datagram of session one is routed via 82.2.3.11 and so on.
c) The first packet of session two is routed via 82.2.3.1, the second packet via 82.2.3.11 and so on.
d) Furthermore ACPF Assisted Multipath routing performs dead Next Hop Detection by detecting missing ARP replies from the next hop IP address.

If for example the next hop with the IP address 82.2.3.21 does not respond to ARP requests anymore, further datagrams are cycled through the next hops 82.2.3.1, 82.2.3.11 and 82.2.3.31. The Source Address 82.2.3.22 is not used anymore for new session requests.
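The source address policies of List 434 (NONE, FALLBACK, SEQ, RAND) together with the ACPF assisted multipath behaviour a) to d) above, as an added Python model that is not part of the guide. The pairing of each source address with its next hop (82.2.3.2 with 82.2.3.1, 82.2.3.12 with 82.2.3.11, and so on) is inferred from the example; class and method names are constructed.

```python
import random
from dataclasses import dataclass
from typing import List


@dataclass
class Path:
    """One provider uplink: the bind (source) address the firewall uses and
    the next hop router it sends through. Lower weight means higher priority."""
    source: str
    next_hop: str
    weight: int = 0
    alive: bool = True


@dataclass
class Session:
    sid: int
    source: str
    packets_sent: int = 0


class AcpfMultipath:
    """Constructed model of Source Address Fallback and Cycling combined with
    ACPF assisted multipath: per-packet next hop cycling and dead next hop
    detection via missing ARP replies."""

    def __init__(self, explicit: Path, alternatives: List[Path],
                 policy: str = "NONE", seed: int = 0) -> None:
        self.explicit = explicit
        self.alternatives = sorted(alternatives, key=lambda p: p.weight)
        self.policy = policy.upper()
        self.rng = random.Random(seed)   # seeded so RAND is reproducible
        self.sessions_created = 0

    def live_paths(self) -> List[Path]:
        paths = [p for p in [self.explicit] + self.alternatives if p.alive]
        if not paths:
            raise RuntimeError("no usable next hop left")
        return paths

    def new_session(self, explicit_reachable: bool = True) -> Session:
        """Pick the source address for a new session according to the policy."""
        live = self.live_paths()
        if self.policy == "SEQ":
            path = live[self.sessions_created % len(live)]
        elif self.policy == "RAND":
            path = self.rng.choice(live)
        elif self.policy == "FALLBACK":
            if explicit_reachable and self.explicit.alive:
                path = self.explicit
            else:
                path = next((p for p in live if p is not self.explicit), None)
                if path is None:
                    raise RuntimeError("no alternative source address configured")
        else:  # NONE: the explicit address only, no fallback
            path = self.explicit
        self.sessions_created += 1
        return Session(self.sessions_created, path.source)

    def route_packet(self, session: Session) -> str:
        """Per-packet balancing: every session cycles through the live next
        hops, starting again at the first one (see a) to c) above)."""
        live = self.live_paths()
        hop = live[session.packets_sent % len(live)].next_hop
        session.packets_sent += 1
        return hop

    def arp_reply_missing(self, next_hop: str) -> None:
        """Dead next hop detection: a hop that stops answering ARP leaves the
        rotation, and its source address is no longer used for new sessions."""
        for p in [self.explicit] + self.alternatives:
            if p.next_hop == next_hop:
                p.alive = False


def guide_setup(policy: str) -> AcpfMultipath:
    """Source / next hop pairs as in the multipath example above."""
    return AcpfMultipath(
        Path("82.2.3.2", "82.2.3.1"),
        [Path("82.2.3.12", "82.2.3.11", 1),
         Path("82.2.3.22", "82.2.3.21", 2),
         Path("82.2.3.32", "82.2.3.31", 3)],
        policy,
    )


if __name__ == "__main__":
    mp = guide_setup("SEQ")
    print([mp.new_session().source for _ in range(5)])
    # ['82.2.3.2', '82.2.3.12', '82.2.3.22', '82.2.3.32', '82.2.3.2']
```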
The object created in figure 428 defines source NAT translation of the IP address 10.8.0.201 to 172.31.1.15 and of IP address 10.8.0.28 (from a 3-Bit network sub-class) to the address 172.31.1.8 (from a 3-Bit network sub-class).

As soon as this translation map is interpreted as destination NAT map it will be read in reverse order, thus a request to the IP address 172.31.1.15 will be redirected to the real destination address 10.8.0.201.

2.2.7 User Groups

This tab is used in conjunction with Firewall Authentication. For a detailed description, please have a look at 10.1.2.1 Firewall - User Window, page 200.

2.2.8 Interface Groups

Processing of a rule does not necessarily need to be invariantly associated with the physical network environment on a box, which is configured on box level. On machines equipped with multiple network interfaces, usage of a specific interface may be explicitly defined when a rule comes into action.

For each rule an interface may be assigned to origin and destination of the connection request. The Source Interface specifies the interface the source address is allowed to use. The Reverse Interface specifies the interface which the destination address is allowed to use. The latter is only available for passing and mapping actions with selected checkbox 2-Way.

The following predefined network interface objects are available for selection:
• Any
With this setting the first interface matching the request is utilized for the connection in accordance with routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface, if multiple interfaces capable of doing so are available. Not checking the physical source of packets might sometimes be needed in very special configurations with combinations of screened host and multi-homed topologies.
Attention:
For security reasons do not use this setting without explicit need.
• RAM, ADSL, DHCP, ISDN, SERIAL, UMTS
Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
• Continue on Mismatch checkbox
Select this checkbox, if you want rule processing to continue even if no matching interface can be found. The next rule in succession will then be "tried".
• Disable Interface Check checkbox
Select this checkbox, if you want to disable interface check (only available for rules applying both ways).
Attention:
Checkbox Disable Interface Check affects both sections, source AND reverse, and disables the settings of parameter Send TCP RST for OOS Pkts. (see 2.1.1.4 Operational).

2.2.9 Proxy ARPs

The Address Resolution Protocol (ARP) is primarily used to map IP addresses to MAC addresses. ARP takes an IP address as input, and by propagating this address it tries to retrieve the MAC address of the interface featuring it. ARP requests are broadcasted and can only be understood by hosts placed within the same subnet class.

Proxy ARP is a technique utilising the nature of the Address Resolution Protocol in order to connect two physically separated networks. The Barracuda NG Firewall may be configured to answer ARP requests on behalf of the requested interface itself, accept packets and thus take over responsibility for forwarding them to the actual destination correctly. This configuration is done via Proxy ARP objects. Proxy ARPs can thus be regarded as additional IP addresses the firewall responds to when it receives an ARP request.

Proxy ARP addresses may be utilized for redirecting and mapping in firewall rule sets, if they are in the same address space as the source of a connection request. Additionally, Proxy ARP objects are utilized in bridging setups (9. Bridging, page 190).

Note:
You may define up to 256 Proxy ARP entries per box. This limitation exists for the number of entries, not for the number of IP addresses.
Fig. 429 Proxy ARPs tab of the firewall configuration window

In most cases proxy ARPs will be created when the checkbox Proxy ARP/Create Proxy ARP has been selected next to a specific configuration parameter's properties in other configuration areas (rule configuration window, connection object dialog, ). These proxy ARPs may not exist without concurrent existence of the objects they have been created for, and will be deleted as soon as the object referring to them is deleted.

Attention:
If you are additionally using referenced proxy ARPs for another purpose than the one they have been created for, select the Standalone checkbox in the Proxy ARP object window. The proxy ARP object will then remain functional, even if the originally referring object is deleted.

Nonetheless, you might sometimes want to create proxy ARPs that are not dependent on rules or NAT tables, for example for "filling up" a net to prevent someone else from taking a local address. In this case make use of the

List 437 Proxy ARP object configuration values
Parameter: Description
Primary Network Interface pull-down menu: This field specifies the interface, which is going to be utilized when responding to an ARP request. The following predefined choices are available:
  match (default): ARP requests will be answered via the interface that hosts the network.
  any: ARP requests will be answered via any interface.
  noext: If an ARP request arrives from an external interface, it will not be answered.
  Alternatively, a specific network interface may be entered into the field (for example eth1).
Additional Interfaces field: Through this field additional interfaces may be specified, which should respond to ARP requests. Be careful only to specify interfaces, which cannot conflict with the primary network interface. Separate multiple entries with space.
Exclude Networks field: If a complete network has been specified in the Network Address field (see above), specific network addresses may now be excluded from proxy ARP creation. Separate multiple entries with space.
Source Address Restriction field: This field limits responding to an ARP request to the network addresses entered in this place. Separate multiple entries with space.
Introduce Route on Interface read-only field: This value is dependent on bridging configuration and only filled (read only) if a bridging interface route is created (9. Bridging, page 190).
Send Unsolicited ARP checkbox: Activating this checkbox causes the firewall not only to answer ARP requests but also to propagate the specified IP addresses through unsolicited ARPs (checkbox selected by default).
Note: Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The evaluation of the interface's IP address happens only on startup of the forwarding firewall, in case of a HA takeover or when the firewall rule set changes. No automatic evaluation is performed if the network interface changes into state "up" or if a pending route becomes active (example: in case of a newly introduced server-IP). In this case only the ProxyARP is introduced to answer incoming ARP requests.
Detected network attacks are logged in the <fw>_Content log file for later review. The source and destination address and the associated network interfaces or firewall rule actions are stored in the corresponding filter log (for example [sqlslammer]).

The content filter configuration sequence consists of 3 steps:

Step 1 Creating a filter
see 2.3.1.1 Creating/Editing Filters, page 160

Step 2 Creating a filter group
see 2.3.1.2 Creating/Editing Filter Groups, page 160

Fig. 433 Creating/editing a filter pattern

Parameter | Description
Name | Enter a filter name into this field.
Direction | This parameter defines whether the affected traffic/stream goes To Server (incoming) or To Client (outgoing).
Description | Enter a meaningful description of the content filter here.
Pattern | Via this field the search pattern is defined. What kind of pattern has to be entered depends on the object the stream is scanned for.
Type | This defines what kind of pattern is used. The following two types are available:
Binary Pattern: a list of hexadecimal digit pairs separated by a space. Figure 433 displays an example of a binary pattern (SQL slammer).
ASCII Pattern + Wildcards (*, ?, []):
* - represents a variable number of characters, including an empty string (space)
? - matches exactly one character
[] - matches only the characters that are enclosed within the brackets
Example pattern: [123]??attack*##
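The two pattern types above can be tried offline with the following added example. It is not Barracuda code: the filter names and the binary sample bytes are constructed, and the matcher implements only the wildcard semantics stated in the table.

```python
"""Added example (not Barracuda code): a matcher for the two content filter
pattern types, binary (hex digit pairs separated by spaces) and ASCII with
the *, ? and [] wildcards, applied per stream direction."""
import re

TO_SERVER, TO_CLIENT = "To Server", "To Client"   # the two Direction values


def parse_binary_pattern(pattern: str) -> bytes:
    """'04 01 01 01' -> b'\\x04\\x01\\x01\\x01'; every token must be one byte."""
    needle = bytearray()
    for token in pattern.split():
        if len(token) != 2 or not all(c in "0123456789abcdefABCDEF" for c in token):
            raise ValueError(f"not a hexadecimal digit pair: {token!r}")
        needle.append(int(token, 16))
    if not needle:
        raise ValueError("empty binary pattern")
    return bytes(needle)


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the ASCII pattern syntax into a regular expression:
    '*' any run of characters including the empty string, '?' exactly one
    character, '[...]' exactly one of the enclosed characters (taken
    literally), everything else a literal character."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end <= i + 1:
                raise ValueError("unterminated or empty [] in pattern")
            parts.append("[" + re.escape(pattern[i + 1:end]) + "]")
            i = end
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


class ContentFilter:
    """One filter as configured in the dialog of Fig. 433."""

    def __init__(self, name: str, direction: str, pattern_type: str, pattern: str):
        if direction not in (TO_SERVER, TO_CLIENT):
            raise ValueError(f"unknown direction {direction!r}")
        self.name, self.direction = name, direction
        self.needle = self.regex = None
        if pattern_type == "binary":
            self.needle = parse_binary_pattern(pattern)
        elif pattern_type == "ascii":
            self.regex = wildcard_to_regex(pattern)
        else:
            raise ValueError(f"unknown pattern type {pattern_type!r}")

    def matches(self, direction: str, data: bytes) -> bool:
        """Match anywhere in the stream chunk, but only in the configured direction."""
        if direction != self.direction:
            return False
        if self.needle is not None:
            return self.needle in data
        # latin-1 maps every byte to exactly one character, so binary streams
        # never fail to decode and '?' consumes exactly one byte
        return self.regex.search(data.decode("latin-1")) is not None


def scan(filters, direction: str, data: bytes):
    """Names of all filters hit, in configuration order (the entry that ends
    up in the <fw>_Content log, e.g. ['sqlslammer'])."""
    return [f.name for f in filters if f.matches(direction, data)]


# Constructed sample filters. The byte sequence is a placeholder and not the
# real SQL slammer pattern shown in Fig. 433.
SAMPLE_FILTERS = [
    ContentFilter("binary_probe", TO_SERVER, "binary", "04 01 01 01 01 01"),
    ContentFilter("ascii_attack", TO_SERVER, "ascii", "[123]??attack*##"),
]
```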
To delete an entry, select it from the list and click the Delete button.

Parameter | Description
Content Filter | List of all defined Filter Groups within the Content Filter section. See 2.3.1 Content Filter (Intrusion Prevention), page 159.

upcoming Barracuda NG Firewall release will allow more granulated rules for individual categories or applications.

List 439 Port Protocol Protection Policies

List 440 Port Protocol Protection Policies

Note:
Because of a limited set of known protocols, not all potentially unwanted protocols can be covered by a Port Protocol Protection Policy. In this case, select Block on (Source) Mismatch in the Rule Mismatch Policy section of the Advanced Rule Parameters window.
Clicking Advanced in the navigation bar of the rule window opens the following dialog:

Note:
The following icon is displayed in the rule view of the rule configuration window as soon as the default data has been modified. Changed values are highlighted in yellow.

Fig. 438 Advanced Rule Parameters

List 441 Firewall configuration - Advanced Rule Parameters section Rule Mismatch Policy

Parameter | Description
Source / Service / Destination / User / Mac | Defines the behavior on mismatch. The following options are available:
CONTINUE on Mismatch - processes the subsequent rule
BLOCK on Mismatch - see 2.2.3.3 Action Section, page 144
DENY on Mismatch - see 2.2.3.3 Action Section, page 144
Attention: The effect of these options is cumulative. If you check two options you blank out the remaining values for all subsequent rules. If you check all three options, this rule is the effective end of your rule set.
Persistence | If set to yes, the session is not re-evaluated when rule set or authentication settings change (default: No).

List 442 Firewall configuration - Advanced Rule Parameters section TCP Policy

Parameter | Description
Method | The firewall engine is capable of two TCP forwarding methods:
Packet Forwarding (Application Controlled Packet Forwarding)
Stream Forwarding (Transparent Application Proxying; yellow background)
If you want to avoid any direct TCP connection between two TCP partners traversing the firewall, use stream forwarding, which actually builds two distinct TCP connections; hence the destination will not get any packet which is not generated by the firewall TCP stack itself. Since the ACPF engine filters any malformed packet too, the security advantage of stream forwarding is not as important as it was years ago when the filtering engines were not that powerful.
Note: With Stream Forwarding the performance of the firewall is significantly reduced (400-500 MBit maximum). For detailed performance data contact Barracuda Networks support.
Note: The icon is added to the Action column of the rule set overview window if Stream Forwarding is configured as data transfer Method.
Syn Flood Protection (Forward) | Note: For a description of access policy handling see 2.3.4.3 Accept Policies, page 166.
Server Default: The value configured in 2.1.1.4 Operational, page 136 is used as default.
Outbound: The firewall immediately tries to establish a connection to the requested destination. If successful, it then establishes the connection between itself and the client.
Inbound: The firewall first tries to establish a connection to the requesting source and then establishes the connection between itself and the requested destination.
Syn Flood Protection (Reverse) | Only activated if option "2-way" has been chosen in section Action.
Note: For a description of access policy handling see 2.3.4.3 Accept Policies, page 166.
Outbound: Same as above. Policy applies for the reverse connection direction.
Inbound: Same as above. Policy applies for the reverse connection direction.
Accept Timeout (s) | Time the firewall waits until the destination has to answer. After this timeout the firewall sends a TCP RST packet to both partners (default: 10).
Last ACK Timeout (s) | Time the firewall waits after an ACK until the connection is terminated (default: 10).
Retransmission Timeout (s) | Time the firewall waits until the source has to retransmit packets before the firewall registers this as a hijacking attempt (default: 300).
Halfside Close Timeout (s) | Time the firewall waits after conscious termination of the connection until the socket is closed (default: 30).
Disable Nagle Algorithm (No Delayed ACK) | This parameter enables/disables the Nagle Algorithm. This option is only available when using Stream Forwarding.
Force MSS (Maximum Segment Size) | When setting a TCP MSS in a rule, the SYN and SYN-ACK packets are checked for an MSS larger than the configured one. If the MSS TCP attribute is smaller, the packet is rewritten with the configured MSS. Use the feature for VPN to force a TCP MSS that fits the MTU of the VPN tunnel device.
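As an added illustration of what Force MSS has to do on the wire (this is not the firewall's own implementation, which the guide does not publish), the following Python rewrites the MSS option of a SYN or SYN-ACK whose advertised MSS exceeds the configured value and patches the TCP checksum incrementally; the sample segment, ports and addresses are constructed.

```python
"""Added example (not Barracuda code): clamp the TCP MSS option of SYN and
SYN-ACK segments to a configured maximum, as a Force MSS rule setting does
for traffic that has to fit a VPN tunnel MTU."""
import struct
from typing import Optional, Tuple

TCP_FLAG_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# Constructed sample endpoints (only needed for the pseudo header checksum).
SAMPLE_SRC_IP = bytes([10, 0, 0, 1])
SAMPLE_DST_IP = bytes([192, 168, 1, 1])


def ones_complement_checksum(data: bytes) -> int:
    """Standard Internet checksum over data (odd length is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def find_mss_option(segment: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset of the MSS value, MSS) or None if the option is absent.
    The option list is walked strictly, so a malformed length raises instead
    of being skipped over."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad TCP option length")
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def force_mss(segment: bytes, configured_mss: int) -> Tuple[bytes, bool]:
    """Apply the policy to one TCP segment (header plus payload).
    Only segments with SYN set carry an MSS; an advertised MSS above
    configured_mss is lowered and the checksum patched in place."""
    if not 0 < configured_mss <= 0xFFFF:
        raise ValueError("configured MSS must fit in 16 bits")
    if not segment[13] & TCP_FLAG_SYN:
        return segment, False
    found = find_mss_option(segment)
    if found is None:
        return segment, False
    offset, mss = found
    if mss <= configured_mss:
        return segment, False
    patched = bytearray(segment)
    struct.pack_into("!H", patched, offset, configured_mss)
    old_csum = struct.unpack("!H", segment[16:18])[0]
    struct.pack_into("!H", patched, 16, checksum_update(old_csum, mss, configured_mss))
    return bytes(patched), True


def build_syn(mss: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Constructed sample: a SYN carrying MSS, two NOPs and SACK-permitted,
    with a valid checksum over the IPv4 pseudo header."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    hdr_len = 20 + len(options)
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (hdr_len // 4) << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + options
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, hdr_len)
    csum = ones_complement_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_valid(segment: bytes, src_ip: bytes, dst_ip: bytes) -> bool:
    """A segment verifies when the checksum over pseudo header and segment is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment) == 0
```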
List 443 Firewall configuration - Advanced Rule Parameters section Resource Protection

Parameter | Description
Max. Number of Sessions | Maximum accepted concurrent connections for this rule on a global basis.
Note: With eventing activated (parameter Rule Limit Exceeded, see page 245), the event FW Rule Connection Limit Exceeded [4016] is generated when the limit is exceeded.
Max. Number of Sessions per Source | Maximum accepted concurrent connections for this rule on a per source address basis (default: 0 = unlimited).
Attention: Choosing these values too small can have unexpected effects. Use these parameters only if you are a preferred victim of Denial of Service (DoS) attacks.
Note: With eventing activated (parameter Source/Rule Limit Exceeded), the event FW Rule Connection per Source Limit Exceeded [4018] is generated when the limit is exceeded.
Session Duration Limit (s) | Allows setting a maximum keep alive time for an established session. The value 0 means unlimited, that is, the session never dies.
Note: This parameter only takes effect in the forwarding firewall. Setting this parameter in the local firewall has no effect.

List 444 Firewall configuration - Advanced Rule Parameters section Counting / Eventing / Audit Trail

Defines whether such events should be logged, written to the access cache,

Parameter | Description
Access Cache Entry | Set to yes (default) to obtain access cache entries.
Log File Entry | Set to yes (default) to obtain log file entries.
Transparent Failover State Sync | Setting to yes (default) causes a session that is controlled by this rule to be synchronized on an HA system (see 1. Overview, page 400).
Statistics Entry | Set to yes (default) to obtain statistics files.
Note: Setting to no also causes that no global firewall statistics will be generated.
Log Session State Change | Set to yes (default: no) to log changes of session states.
Own Log File | If set to yes (default: no), all log events belonging to this rule are logged into an extra log file.
Service Statistics | Set to yes (default: no) to generate service statistics for this rule.
Eventing | Specify a severity level for generation of event log entries every time a request matches the rule. Possible settings generating the corresponding events are:
None (default) - no event generation
Normal - FW Rule Notice [4020]
Notice - FW Rule Warning [4021]
Alert - FW Rule Alert [4022]
Within the event settings (see 2. Event Configuration, page 322) each of these events can be assigned different actions.
Note: Local rules are not affected by the rule's advanced 'eventing' setting. The behavior is fixed to "none".

List 445 Firewall configuration - Advanced Rule Parameters section Miscellaneous

Parameter | Description
Authentication | Via this menu the required user authentication for HTTP and HTTPS connections (Inline Authentication) can be defined (see 10. Firewall Authentication, page 199). The following options are available:
No Inline Authentication (default)
Login+Password Authentication
X509 Certificate Authentication
X509 Certificate & Login+Password Authentication
Policy | Default Policy: This option is the default one and takes into consideration the interface realm settings that are assigned in the network configuration for the local networks and interface routes (see 2.2.5.5 Network Routes, page 68). Depending on the specified realm, the Source or Destination IP counts.
Count Source IP / Count Destination IP: These two parameters allow you to specify explicitly what type of IP address is counted (see 5.2 Policy No. 2: Rule Explicit, page 539).
Time Restriction | Note: Use this parameter to apply a time restriction to rules configured with a feature level lower than or equal to 3.2. For a description of the time restriction dialog see 2.3.4.2 Time Restriction, page 165 below.
Clear DF Bit | The DF (Don't Fragment) bit is a bit within an IP header that determines whether a packet may be fragmented or not (0 = fragmentation allowed, 1 = do not fragment). In networks where packet size is limited to a Maximum Transmission Unit (MTU), packet fragmentation may become vital when packets sent to this network exceed the MTU (for example, as may frequently occur with SAP applications).
This parameter determines if the original DF bit setting in an IP header may be overridden. When set to no (default) the packet's specification is observed. Normally, the sending clients determine if fragmentation is required. When the DF bit is set and the target network's MTU specification requires fragmentation, the firewall responds with an ICMP Destination Unreachable message (Code 4: Packet too large. Fragmentation required but DF bit in the IP header is set). As the firewall may not override the DF bit setting, fragmentation is up to the client. If the client for any reason does not understand the answer code, data transmission will fail and data loss might occur in network transports where packet sizes exceed the MTU of the network.
When set to yes, the DF bit will be cleared from the IP header and packets will be fragmented if necessary, regardless of the setting in the packet's IP header. Note that the fragmentation and packet reassembly process might lead to significant performance loss at high traffic rates.
Note: Appropriate handling of this parameter is essential in conjunction with VPN tunnels, as encapsulating packets reduces the available MTU size. The DF bit is automatically cleared from traffic which is forwarded towards a VPN interface.
Note: It is recommended only to change the default setting when experiencing transport problems clearly associated with packet size restrictions.
Set TOS Value | In networks the Type of Service (ToS) information may be utilized to define the handling of the datagram during transport. The TOS Value thus specifies how to deal with the ToS information in the packets' IP headers for all traffic forwarded by the particular rule. By default the value is set to 0 (TOS unchanged). Another fixed value may be specified instead, even if originally the ToS flag has not been set.
Prefer Routing over Bridging | This parameter controls the routing behavior of bridges that are configured as Routed Transparent Layer2 Bridges (see), and thus act as routers and bridges at the same time. When set to yes (default: no), traffic that by configuration would actually traverse the bridges is routed directly by the Barracuda NG Firewall. Use this setting in scenarios where an external router connects bridges that are configured on a Barracuda NG Firewall, and where it should be avoided that traffic is directed to the router. When directed to the external router first, traffic would attempt to pass the gateway twice and be rejected by the firewall. When activated, the routing functionality of the bridge itself is used.
Color | Allows defining a color in which the rule is displayed in the rule set overview window.
List 446 Firewall configuration - Advanced Rule Parameters section Quarantine Policy

Parameter | Description
LAN Rule Policy | Matching policy for a session to be evaluated that is destined to or originated from a non-Quarantine net.
Match: The rule matches
Block: The rule blocks the request
Deny: The rule denies the request
Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 1 Rule Policy | Matching policy for a session to be evaluated that is destined to or originated from a Quarantine class 1 net.
Match: The rule matches
Block: The rule blocks the request
Deny: The rule denies the request
Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 2 Rule Policy | Matching policy for a session to be evaluated that is destined to or originated from a Quarantine class 2 net.
Match: The rule matches
Block: The rule blocks the request
Deny: The rule denies the request
Continue: Rule evaluation continues with the next rule in the ruleset
Quarantine Class 3 Rule Policy | Matching policy for a session to be evaluated that is destined to or originated from a Quarantine class 3 net.
Match: The rule matches
Block: The rule blocks the request
Deny: The rule denies the request
Continue: Rule evaluation continues with the next rule in the ruleset

2.3.4.1 Multiple Rules Editing

When feature level 3.4.0, 3.6.0, 4.0.0 or 4.2.0 applies, it is possible to select multiple rules for editing. Select the rules you want to edit together and click Edit in the main navigation bar or Edit Multiple Rules in the right-click context menu to open the rules for modification.

Note:
The option Edit Multiple Rules is not available if the view is set to Show in Sections and a section is selected. Select real rules only.

The rule window opens displaying the advanced parameters view.

Note:
The register of available configuration parameters has been expanded compared to the one in single rule editing mode (see list 438, page 270). The following values have been added to the listing:

List 447 Firewall configuration - Enhanced Advanced Rule Parameters section Rule Settings

Parameter | Description
Timed | see 2.3.6 Dynamic Activation, page 168
Inactive | see inactive checkbox, page 252
Time Object | see 2.2.3.10 Time Objects, page 147
Band | see Forward Band, page 252
Authenticated User | see 2.2.3.8 Authenticated User Section, page 147

Again, modified default values are displayed highlighted in yellow when they have been changed uniformly. As soon as the parameter has been configured differently in each particular rule, it is highlighted in red, leaving the field with the parameter value empty.

Fig. 439 Advanced Rule Parameters - Multiple Rules Editing

Attention:
Use this feature with great care. Editing of multiple rules without the necessary wariness can cause severe misconfiguration.

Note:
Multiple rules editing also applies to Content Filter and ICMP Handling characteristics. Rules cannot be edited together in the rule view, though.

2.3.4.2 Time Restriction

Using the Always button in the Advanced rule parameters window, each rule configured within a feature level equal to or lower than 3.2 can be equipped with a time restriction.

Clicking the button opens the Time Interval configuration window. If a time restriction applies to a rule, the label of the button changes to Restricted!

The granularity of time restriction is 1 hour on a weekly basis.

Fig. 440 Time restriction dialog

A rule is allowed at all times by default, which means all checkboxes in the Time Interval dialog window are unchecked. Checking a box denies a rule for the given time. Figure 438 shows a time interval setting for a rule which has been set to disallowed on Monday and on Thursday from 08:00 to 16:00.

List 448 Firewall configuration - Time Restriction

Parameter | Description
Continue if mismatch (default) | Process rule set even if time restriction denies it.
Block if mismatch | Do not allow connection if time restriction denies it.
Terminate existing | If checked, an active session is terminated as soon as time restriction applies.
Set allow | Select to clear selected checkboxes.
Set deny | Select to select checkboxes as disallowed time intervals.
Set Invert | Select to configure allowed and disallowed time intervals simultaneously.

List 450 Firewall configuration - Accept Policy section

Parameter | Description
Syn Flood Protection (Forward) | see list 438, page 270
Syn Flood Protection (Reverse) |

The scenario depicted in the figures below explains how SYN flooding and protection by the Barracuda NG Firewall work:

Fig. 441 Building up a connection with outbound accept policy.
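The following added example (not Barracuda code) models the Time Interval dialog and the List 448 options as a 7 x 24 grid, so the effect of Continue if mismatch, Block if mismatch and Terminate existing can be checked for the Monday/Thursday 08:00-16:00 setting described above; weekday and hour values are passed in directly, and the one datetime helper is a convenience only.

```python
"""Added example (not Barracuda code): a weekly time restriction with one-hour
granularity. A checked box (True) denies the rule for that hour; an
unchecked grid means the rule is allowed at all times."""
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # index = datetime.weekday()


class TimeRestriction:
    """The Time Interval dialog plus the options of List 448."""

    def __init__(self, block_if_mismatch: bool = False, terminate_existing: bool = False):
        self.denied = [[False] * 24 for _ in DAYS]      # all unchecked = allowed always
        self.block_if_mismatch = block_if_mismatch      # False = Continue if mismatch (default)
        self.terminate_existing = terminate_existing    # Terminate existing

    def _mark(self, day: str, start_hour: int, end_hour: int, value: bool) -> None:
        if day not in DAYS or not 0 <= start_hour < end_hour <= 24:
            raise ValueError("interval must lie within one weekday, hours 0..24")
        row = self.denied[DAYS.index(day)]
        for hour in range(start_hour, end_hour):        # end exclusive: (8, 16) = 08:00-16:00
            row[hour] = value

    def set_deny(self, day: str, start_hour: int, end_hour: int) -> None:
        """Set deny: check the boxes, i.e. disallow the rule in that interval."""
        self._mark(day, start_hour, end_hour, True)

    def set_allow(self, day: str, start_hour: int, end_hour: int) -> None:
        """Set allow: clear the boxes again."""
        self._mark(day, start_hour, end_hour, False)

    def set_invert(self) -> None:
        """Set Invert: allowed and disallowed intervals change places."""
        self.denied = [[not hour for hour in row] for row in self.denied]

    def label(self) -> str:
        """Button label shown in the Advanced rule parameters window."""
        return "Restricted!" if any(any(row) for row in self.denied) else "Always"

    def allows(self, day: str, hour: int) -> bool:
        return not self.denied[DAYS.index(day)][hour]

    def evaluate(self, day: str, hour: int) -> str:
        """Outcome for a new connection hitting the rule: 'match' (the rule
        applies), 'continue' (rule skipped, the rule set goes on) or 'block'
        (connection refused) when the restriction denies the rule."""
        if self.allows(day, hour):
            return "match"
        return "block" if self.block_if_mismatch else "continue"

    def evaluate_at(self, when: datetime) -> str:
        return self.evaluate(DAYS[when.weekday()], when.hour)

    def terminates(self, start, now) -> bool:
        """True if a session set up at start=(day, hour) must be torn down at
        now=(day, hour) because the restriction began to apply in between."""
        return (self.terminate_existing
                and self.allows(*start) and not self.allows(*now))


def figure_438_restriction(block_if_mismatch: bool = False) -> TimeRestriction:
    """The setting described above: denied on Monday and Thursday 08:00-16:00."""
    tr = TimeRestriction(block_if_mismatch=block_if_mismatch, terminate_existing=True)
    tr.set_deny("Mon", 8, 16)
    tr.set_deny("Thu", 8, 16)
    return tr
```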
2.3.5.1 Theory

Fig. 442 Simple SYN flooding attack with faked IP addresses on a firewall with outbound accept policy

Fig. 444 Simple SYN flooding attack with faked IP addresses on a firewall with inbound accept policy
(figure labels: Client, Firewall, Server (not even noticing the attack); SYN (many))

2.3.5.2 Configuration

Note:
A SYN request matching a rule with inbound policy is neither logged nor appears in real time status nor in the access cache until it is validated as a real request. That means that SYN flooding attacks do not affect resources of the firewall system. As soon as a SYN flooding attack is detected, a cumulative log entry and the event FW Potential IP Spoofing Attempt [4015] are generated.

2.3.5.3 Example

ICMP handling policy is configurable per rule. The following options are available:

Fig. 448 ICMP Handling parameters

Note:
To configure a policy template select New ICMP Param Object in the ICMP tab of the Object Viewer.
2.4 Delete, Copy and Paste within the Firewall Configuration

Since the rule set is built up of objects which can refer to each other, the data transfer actions like copy, paste, and delete are not as simple as they usually are. Several actions are forbidden to maintain consistency of the rule set as a whole.

2.4.1 Deleting

It is not permitted to delete an object which is referenced by another object. Otherwise, the other object would become invalid. If you try to delete a referenced object, the following window will appear.

Fig. 451 Warning dialog when trying to delete a referenced object

2.5 Cascaded Rule Sets

The Barracuda NG Firewall comprises the unique feature of so-called cascaded rule sets. Usage of cascaded rule sets can contribute to improved rule management. The following two cascading methods exist:

- Cascaded Rule Lists
- Cascaded Rule Sets
- Cascaded Firewall

Cascaded rule lists are included in a rule set. They share the rule set's properties, such as network objects and service objects, and are stored in one file together with the rule set.

Cascaded rule sets, just like ordinary rule sets, are directly related to specific objects they own. Each cascaded rule set is saved to a separate file. To work together, these files are put together later on the operative system. Since cascaded rule sets are saved to distinct files, they can be assigned specific administrative rights. With repository technology it is furthermore possible to share parts of the rule set with multiple firewall services. For details of that concept consult 6.5.1.2 Creating a Shared Service, page 443 and 6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449.

There are two action types called Cascade and Cascade Back. The process of applying a cascaded rule set is the following: the firewall starts to go through the master rule set. If a rule with Cascade action matches, it hands the request over to the rule set the cascade rule points to. With the Cascade Back action it is just the other way around.

Attention:
Use cascading with diligence and caution. Cascading can simplify your rule set. If applied wrong it will mess it up.

Cascading of rules is allowed in the following places:

- Forwarding Firewall: in the main rule set between the main rule list and its sublists.
Note: Cascading is not allowed from one rule-sublist to another.
- in the Global Rule Set between the main rule list and its sublists.
- from the Global Rule Set to Local Rule Set and Special Rule Set (6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449).

2.5.2.1 View

The cascaded rule sets are shown by own top tabs in the firewall window next to the Main Rules tab. Here we have the master rule set with the three subsets called alpha, beta, and gamma.

Fig. 453 Rule for cascading into a rule-sublist
3. Local Rules

Fig. 454 Local rules

Many features of the forwarding rule set are not needed for local traffic or are not applicable at all. The most important restrictions regard the Action and Connection types.

Available action types (2.2.3.3 Action Section, page 144):

- Block
- Deny
- Pass

Note:
Test Reports are only saved temporarily. If you want to save them permanently, click Send Changes and Activate in the Test Report window.
5. Example Configuration

- Source address is the same as the bind address, whereas the destination address is translated to the internal IP of the FTP server.

Fig. 460 Network situation for an ftp connection to our FTP server.
Destination address: 105.8.23.66:21 | Connection address: FW 172.16.0.50:21
Source address: 202.32.15.48:2305 | Bind address: 202.32.15.48:2305

Fig. 468 Rule which maps the ftp server to the internet

Instead of defining the IPs explicitly in the rule dialog, we could have referred to a predefined connection object, a translation map.

Step 2 The rule for external support for the webservers is almost the same.

webservers via http, the internal destination is completely different (Service dependent NAT).

Fig. 464 Network situation for remote web server support
Destination address: 105.8.23.65:22 | Connection address: FW 172.16.0.2:22
Source address: 194.93.77.21:4568 | Bind address: 194.93.77.21:4568

Therefore, we will go on to the next interesting rule, the redirection of an external IP to the web server farm (figure 463, page 175).

Fig. 463 Network situation for a client connection to our webserver farm

HTTP access to one IP, namely 105.8.23.65, is redirected to four other IPs. The redirection algorithm is the following: the client address in binary form is divided by the number of redirection targets. The remainder decides to which target the client is redirected (0 to the first, 1 to the second, 2 to the third, ...). Since the IP address space is approximately equally distributed, this method provides almost perfect load balancing for all practical purposes.
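The redirection algorithm just described, as an added example that is not Barracuda code: the client address as an integer modulo the number of targets selects the server, and a second function measures how evenly a given client population is spread. The four internal web server addresses are constructed, since the page names only the public IP 105.8.23.65; the two client addresses used in the test are the ones from the figures above.

```python
"""Added example (not Barracuda code): address-modulo redirection as used for
the web server farm, plus a check of the resulting load distribution."""
import ipaddress
from collections import Counter

# Constructed internal addresses of the four web servers behind 105.8.23.65.
WEB_FARM = ["172.16.0.21", "172.16.0.22", "172.16.0.23", "172.16.0.24"]


def pick_target(client_ip: str, targets=WEB_FARM) -> str:
    """Remainder of the client address (as an integer) divided by the number
    of targets selects the target: 0 -> first, 1 -> second, and so on.
    ip_address() accepts IPv4 and IPv6, so the same rule covers both."""
    if not targets:
        raise ValueError("no redirection targets configured")
    n = int(ipaddress.ip_address(client_ip))
    return targets[n % len(targets)]


def distribution(network: str, targets=WEB_FARM) -> Counter:
    """How many host addresses of `network` land on each target, assuming
    every client in the prefix is equally active."""
    net = ipaddress.ip_network(network, strict=False)
    return Counter(pick_target(str(host), targets) for host in net.hosts())


def imbalance(network: str, targets=WEB_FARM) -> int:
    """Busiest minus least busy target for the clients in `network`; targets
    that receive nothing count as 0 so an unused server is not hidden."""
    counts = distribution(network, targets)
    return max(counts.values()) - min(counts.get(t, 0) for t in targets)
```

The mapping is a pure function of the client address, so a given client always lands on the same server; this keeps server-side session state working but also means one busy client cannot be spread across the farm.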
Introduce two rules of the following type:

Table 411 Exemplary rule configuration in comparison

Source | Service | Action | Connection type | Destination
World | ftp | Redirect | Client | 105.8.23.66 redirected to 172.16.0.50
172.16.0.50 | ftp | Pass | Proxy explicit: 105.8.23.66 | World

These two rules do not seem to have much in common. But if we have a look at figure 460 and figure 461, it becomes clear that the rules are just mirrors of each other. Since this is a frequent situation in networking life, the Barracuda NG Firewall has a single action to handle this - Map.

One key advantage of mapping is that it can be applied in both ways, just like in the case of the FTP server.

Fig. 467 Rule which implements load balancing for the web server farm

Step 3 The last rules to be created are the ones from LAN to DMZs and internet (figure 459, page 174). We use the action Pass, because the destination IP is identical to the connection IP.

Note:
Allowing access to the world includes access to the DMZs. If you want to give DMZ access to selected nodes only, then you must insert a rule which blocks access from the LAN to the DMZs. This rule has to be placed after the rules which allow access for the selected nodes and before allowing access to the world.

Fig. 469 Rule for LAN access to the whole world

In this map, we define which source IP should get which bind IP if the rule uses this connection object.

5.2 Advanced Settings in the Example Setup

Fig. 470 Network situation for a typical LAN to Internet connection

Fig. 472 Rule dialog for the news access rule via explicit source NAT
Note:
To activate the defined view it is necessary to click Update List.

- Local In: displays the incoming traffic on the box firewall
- Local Out: displays the outgoing traffic from the box firewall
- Loopback: traffic over the loopback interface
- Band: Traffic band (SYS, A, B, C, D, E, F, G)

Connection established (TCP) - Both way traffic (all other)
Connection could not be established
Closing connection

Status of active connections

Note:
Connections can be terminated by using Terminate Session from the right mouse-button context menu. Do not use this feature for fun.

The following status types exist:

Table 413 Status types and their origin

Status name | Origin | Description
FWD-NEW | TCP Packet Forwarding Outbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
FWD-FSYN-RCV | TCP Packet Forwarding Outbound | The initial SYN packet received from the session source was forwarded.
FWD-RSYN-RSV | TCP Packet Forwarding Outbound | The session destination answered the SYN with a SYN/ACK packet.
FWD-EST | TCP Packet Forwarding Outbound | The SYN/ACK packet was acknowledged by the session source. The TCP session is established.
FWD-RET | TCP Packet Forwarding Outbound | Either source or destination are retransmitting packets. The connection might be dysfunctional.
FWD-FFIN-RCV | TCP Packet Forwarding Outbound | The session source sent a FIN datagram indicating to terminate the session.
FWD-RLACK | TCP Packet Forwarding Outbound | The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-RFIN-RCV | TCP Packet Forwarding Outbound | The session destination sent a FIN datagram indicating to terminate the session.
FWD-FLACK | TCP Packet Forwarding Outbound | The session source answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
FWD-WAIT | TCP Packet Forwarding Outbound | The session was reset by one of the two participants by sending a RST packet. A wait period of 5 seconds will silently discard all packets belonging to that session.
FWD-TERM | TCP Packet Forwarding Outbound | The session is terminated and will shortly be removed from the session list.
IFWD-NEW | TCP Packet Forwarding Inbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
IFWD-SYN-SND | TCP Packet Forwarding Inbound | A SYN packet was sent to the destination initiating the session (note that the session with the source is already established).
IFWD-EST | TCP Packet Forwarding Inbound | The destination replied to the SYN with a SYN/ACK. The session is established.
IFWD-RET | TCP Packet Forwarding Inbound | Either source or destination are retransmitting packets. The connection might be dysfunctional.
IFWD-FFIN-RCV | TCP Packet Forwarding Inbound | The session source sent a FIN datagram indicating to terminate the session.
IFWD-RLACK | TCP Packet Forwarding Inbound | The session destination answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
IFWD-RFIN-RCV | TCP Packet Forwarding Inbound | The session destination sent a FIN datagram indicating to terminate the session.
IFWD-FLACK | TCP Packet Forwarding Inbound | The session source answered the FIN packet with a FIN reply and awaits the last acknowledgement for this packet.
IFWD-WAIT | TCP Packet Forwarding Inbound | The session was reset by one of the two participants by sending a RST packet. A wait period of 5 seconds will silently discard all packets belonging to that session.
IFWD-TERM | TCP Packet Forwarding Inbound | The session is terminated and will shortly be removed from the session list.
PXY-NEW | TCP Stream Forwarding Outbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
PXY-CONN | TCP Stream Forwarding Outbound | A socket connection to the destination is in the process of being established.
PXY-ACC | TCP Stream Forwarding Outbound | A socket connection to the source is in the process of being accepted.
PXY-EST | TCP Stream Forwarding Outbound | Two established TCP socket connections, to the source and to the destination, exist.
PXY-SRC-CLO | TCP Stream Forwarding Outbound | The socket to the source is closed or is in the closing process.
PXY-DST-CLO | TCP Stream Forwarding Outbound | The socket to the destination is closed or is in the closing process.
PXY-SD-CLO | TCP Stream Forwarding Outbound | The source and the destination socket are closed or in the closing process.
PXY-TERM | TCP Stream Forwarding Outbound | The session is terminated and will shortly be removed from the session list.
IPXY-NEW | TCP Stream Forwarding Inbound | Session is validated by the firewall rule set, no traffic was forwarded so far.
IPXY-ACC | TCP Stream Forwarding Inbound | A socket connection to the source is in the process of being accepted.
IPXY-CONN | TCP Stream Forwarding Inbound | A socket connection to the destination is in the process of being established.
IPXY-EST | TCP Stream Forwarding Inbound | Two established TCP socket connections, to the source and to the destination, exist.
IPXY-SRC-CLO | TCP Stream Forwarding Inbound | The socket to the source is closed or is in the closing process.
IPXY-DST-CLO | TCP Stream Forwarding Inbound | The socket to the destination is closed or is in the closing process.
IPXY-SD-CLO | TCP Stream Forwarding Inbound | The source and the destination socket are closed or in the closing process.
IPXY-TERM | TCP Stream Forwarding Inbound | The session is terminated and will shortly be removed from the session list.
UDP-NEW | UDP Forwarding | Session is validated by the firewall rule set, no traffic was forwarded so far.
UDP-RECV | UDP Forwarding | Traffic has been received from the source and was forwarded to the destination.
UDP-REPL | UDP Forwarding | The destination replied to the traffic sent by the source.
UDP-SENT | UDP Forwarding | The source transmitted further traffic after having received a reply from the destination.
UDP-FAIL | UDP Forwarding | The destination or a network component on the path to the destination sent an ICMP indicating that the desired request cannot be serviced.
ECHO-NEW | ECHO Forwarding | Session is validated by the firewall rule set, no traffic was forwarded so far.
- Policy: The following entries are possible:

Table 414 Overview of possible access cache entries

Entry | Description
NO_MATCH_IIF | Received packet (Forward Direction) must NOT match initial input interface
NO_MATCH_OIF | Received packet (Reverse Direction) must NOT match initial output interface
INBOUND | Session is set to accept policy Inbound (Firewall 2.3.4.3 Accept Policies, page 166)
FWD_FILTER | Content filter is applied for forward traffic
REV_FILTER | Content filter is applied for reverse traffic
TRACE | Session is being traced

The entry on the right of the Kill Selected button shows the status of the synchronisation in case of active Transparent Failover (High Availability, page 399) and consists of the following possible states:

- Active Sync (UP): shown on active HA partner; synchronisation works
- Active Sync (DOWN): shown on active HA partner; sync would work, but BoxFW is down
- Passive Sync (UP): shown on passive HA partner; synchronisation works
- Passive Sync (DOWN): shown on passive HA partner; sync would work, but BoxFW is down

The access cache is the most powerful tool for troubleshooting.
The window provides the following information about the processes:

- PID: System process ID
- Connections: Number of connections handled by worker
- bps: bytes per second (during the last second)
- Heartbeat: Time in seconds the process stopped to answer; should never be more than 2.
- PID: System process ID; allows view on PID and full extended description column
- Description: Role description of worker

6.3.4 Traffic Meter

In the lower right of the Status tab a traffic meter is integrated.

The firewall engine samples the amount of traffic over 10 seconds and the traffic meter shows it either based on bands (SYS, A to G) or on traffic origin (Forward, Loopback, Local, Total).

Both views are available as Bytes/sec or Packets/sec.

Fig. 476 Access Cache

6.4.1 Available Filter Options

6.4.1.1 Global Viewing Options

The area on the top left side of the Access Cache tab is used to define viewing preferences.

Use the pull-down menu on the top to set the maximum number of cache entries to be shown.

Activate the checkbox Show Hostnames if you want source and destination IPs to be translated to hostnames as far as possible.

Note:
IP addresses will only be resolved to hostnames if this function has been enabled in the firewall settings (see Resolve Access Cache IPs, page 137).

Note:
Click Update List to activate any newly defined view.
... displays all connections matching the Fail Reasons, page 185.
z ARP
displays all ARP requests
z Scan
displays all SCAN tasks

6.4.1.3 Cache Filter
The tab Cache Filter allows you to constrain the view to very specific properties.
z Rule
allows setting a filter for a specific rule
z Proto.
allows setting a filter for a specific protocol
z Source
allows setting a filter for a specific source IP address/range
z Dest.
allows setting a filter for a specific destination IP address/range
z Interface
allows setting a filter for a specific interface (for example eth0)
z Addr.
allows setting a filter for a specific IP address
z Srv.
allows setting a filter for a specific service
z Port
allows setting a filter for a specific port
z Src-Interface
allows setting a filter for a specific source interface
z Dest-Interface
allows setting a filter for a specific destination interface
By ticking the corresponding checkboxes it is possible to combine multiple fields in order to improve the filter sequence.
Note:
All fields except the pull-down menu Proto. allow the use of the * and ? wild cards.
The size of the caches is configured in the Firewall Settings and requires a service restart.

6.4.2 Access Cache List
Note:
Double-clicking an entry opens a window called Details that contains all information concerning the entry in one view.
The list itself consists of the following columns:
z AID
Access ID including an icon for blocked connections, an icon for established connections and consecutive numbering for both blocked and established connections. The AID also contains the letter B to indicate a blocked connection.
z Org (Origin)
LIN: Local In; incoming traffic on the box firewall
LOUT: Local Out; outgoing traffic from the box firewall
LB: Loopback; traffic via the loopback interface
FWD: Forwarding; outbound traffic via the forwarding firewall
IFWD: Inbound Forwarding; inbound traffic to the firewall
PXY: Proxy; outbound traffic via the proxy
IPXY: Inbound Proxy; inbound traffic via the proxy
TAP: Transparent Application Proxying; traffic via virtual interface
LRD: Local Redirect; redirect traffic configured in forwarding rule set
z Interface
Incoming interface
z Source
Source IP of the requesting client
z Destination
IP of the requested destination
z Proto
Used protocol; for example TCP, UDP, ICMP
z Port
Port of the requested destination
z Service
Assigned (dynamic) service
z Count
Number of tries
z Last
Time passed since last try
z Rule
Name of the matching rule
z Info
Reason why things happen (see 6.4.3 Reasons, page 184).
Note:
Entry TF-sync means that the session is synced (shows up on the backup machine where the firewall service is on standby).
z MAC
MAC address of the interface
z Bind
Bind address
z Conn
IP of the connection address
z Out-IF
Outgoing interface; tunnel and transport is visualized.
z OutRoute
unicast or local
z Next Hop
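The Cache Filter fields and the AID, Org and Info columns above are easiest to understand by running a filter over a few entries. The following Python script is an added illustration written for this page, not code from the Barracuda NG Firewall or from this guide: it builds constructed sample rows shaped like the Access Cache columns (the values are invented), implements the * and ? wildcard matching with the Proto field treated as an exact pull-down match, ANDs the ticked fields, and counts blocked entries (AID carrying the letter B) per rule. The field names used as keyword arguments, the sample rows and the helper functions are assumptions of the example.

```python
import re

# Constructed sample rows in the shape of the Access Cache list columns
# (AID, Org, Interface, Source, Destination, Proto, Port, Service, Rule, Info).
# The values are made up for this example, not taken from a real box.
SAMPLE_CACHE = [
    {"AID": "1",  "Org": "FWD",  "Interface": "eth1", "Source": "10.0.8.10",
     "Destination": "172.31.1.25",  "Proto": "TCP",  "Port": 443, "Service": "HTTPS",
     "Rule": "LAN1-to-LAN2", "Info": "Normal Operation"},
    {"AID": "B2", "Org": "FWD",  "Interface": "eth1", "Source": "10.0.8.12",
     "Destination": "172.31.1.25",  "Proto": "TCP",  "Port": 23,  "Service": "TELNET",
     "Rule": "BLOCKALL",     "Info": "Block by Rule"},
    {"AID": "3",  "Org": "LIN",  "Interface": "eth0", "Source": "10.0.8.31",
     "Destination": "10.0.8.1",     "Proto": "UDP",  "Port": 53,  "Service": "DNS",
     "Rule": "BOX-DNS",      "Info": "Normal Operation"},
    {"AID": "B4", "Org": "IFWD", "Interface": "eth2", "Source": "192.0.2.77",
     "Destination": "10.0.8.10",    "Proto": "TCP",  "Port": 22,  "Service": "SSH",
     "Rule": "BLOCKALL",     "Info": "Block by Rule"},
    {"AID": "5",  "Org": "FWD",  "Interface": "eth1", "Source": "10.0.8.10",
     "Destination": "198.51.100.9", "Proto": "ICMP", "Port": 0,   "Service": "PING",
     "Rule": "LAN1-out",     "Info": "Normal Operation"},
]


def wildcard_to_regex(pattern):
    """Translate a Cache Filter pattern that may use only * and ? into an anchored
    regex. Every other character is matched literally, so '10.0.8.*' does not
    match '10a0b8c1'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def cache_filter(entries, **criteria):
    """Keep the entries that satisfy every given field, mirroring ticked
    checkboxes being combined (AND). Proto is an exact, case-insensitive match
    like the pull-down menu; all other fields accept the * and ? wildcards."""
    tests = []
    for field, pattern in criteria.items():
        if field == "Proto":
            tests.append((field, lambda v, p=str(pattern).upper(): str(v).upper() == p))
        else:
            rx = wildcard_to_regex(str(pattern))
            tests.append((field, lambda v, rx=rx: rx.match(str(v)) is not None))
    return [e for e in entries if all(test(e[field]) for field, test in tests)]


def is_blocked(entry):
    """The AID column carries the letter B for blocked connections."""
    return "B" in entry["AID"]


def blocked_by_rule(entries):
    """Count blocked entries per matching rule: a quick view of which rules are
    doing the blocking before drilling into the Info (reason) column."""
    counts = {}
    for e in entries:
        if is_blocked(e):
            counts[e["Rule"]] = counts.get(e["Rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in cache_filter(SAMPLE_CACHE, Source="10.0.8.1?", Proto="tcp"):
        print(e["AID"], e["Source"], "->", e["Destination"], e["Info"])
    print(blocked_by_rule(SAMPLE_CACHE))
```

The wildcard translation deliberately escapes every character other than * and ?, so a dot in an IP pattern stays a literal dot; a pattern passed for Proto is compared as a whole, which is why "TC*" matches nothing there while it would match in any other field.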
Data regarding use of dynamic rules is arranged in the following columns in the upper section of the tab:
Table 419 Columns available in the upper section of the Dynamic Rules tab
Column Description
Rule Icon visualising the rule status (inactive; active) and the name of the dynamic rule.
Status Current state of the rule (Disabled - inactive; Enabled - active).
Expires Interval until the current state expires.
Expire Action Action that is taken as soon as the dynamic activation expires.

Data regarding Hostname network objects is arranged in the following columns in the lower section of the tab:
Table 420 Columns available in the lower section of the Dynamic Rules tab
Column Description
Index Progressional ID number of the Hostname network object. The Index number is determined by the combination of the Max. DNS Entries value (page 135) and the percental breakdown of DNS queries allowed for network objects in use by the local and forwarding firewall rule sets. Index numbers start with 0 for network objects used by the forwarding firewall. The initial index number for network objects used in the local firewall is 75 % of the Max. DNS Entries value, that is 384 with the default of 512 Max. DNS Entries configured.
Note:
Keep in mind that CC-administered boxes inherit global, cluster- and range-specific Hostname objects. These objects are automatically added to the memory space of the forwarding firewall rule set.
DNS Name DNS resolvable host name configured in the network object.
Status Current state of the network object. The following states are available: New, Pending, Resolved.
Addresses Result of the DNS query.
Last Update Time that has passed since the currently active DNS entry was last retrieved by the Barracuda NG Firewall.
Lifetime Lifetime that is configured in the network object.
Note:
To update the DNS resolution of currently used network objects manually, select one or multiple list entries, then right-click and then click Refresh selected DNS entries in the context menu.

Clicking the Update List button reloads the display.
To the right of the Update List button, general info concerning the license of your Barracuda NG Firewall is shown.
The following columns are available:
Table 421 Columns in the protected IPs tab
Column Description
ID Icon visualising the protected IP status (obsolete; licensed) and a progressional ID number.
Status Status of each protected IP address (licensed or obsolete).
Last Expired time since the IP address was counted the last time.
Address Address of the protected IP.

6.6.3 Dynamic Services
This tab provides information concerning protected IPs and is used in conjunction with ONCRPC (see 11. RPC, page 204 and 11.4 Monitoring, page 209).

6.6.4 Redirect Availability
Redirecting an address to many others on a cycle or fallback policy is a dynamic process. The firewall decides on the fly what to do if one or more target addresses are not available.
The state of such rules is displayed here and uses the following columns:
Table 422 Rule state overview
Column Description
Rule Name of the rule.
Address Target Address.
Used Number of connection requests re-directed to target address.
Unreach Since Time since the target is unavailable.
Last Retry Time since last retry.
Count Retry Number of retries since target was marked unavailable.
Bad Port Unreachable port; important when the rule is sensitive on more than one critical port.
z A current connection may be selected in the Status tab of the firewall monitoring GUI and monitored from the moment tracing is activated.
z Tracing conditions may be defined in the Conditions section within the Trace tab of the firewall monitoring GUI and monitored from the moment a corresponding connection is initiated.
In the Status tab of the firewall control window you can select a set of active connections and press the right mouse button and select Toggle Trace. From that moment on the selected connections are traced and you will be able to see all data transferred within these connections in the trace view.
The traced connections get an additional -Trace entry in the Org column.
To stop tracing simply select the traced connections and press the right mouse button and select Toggle Trace again.

6.8.2 Tracing of Connections Matching Defined Conditions
In the upper left part of the trace view window precise conditions can be defined under which a connection will be traced.
Attention:
If you choose the tracing conditions too general, you will suffer a decrease in performance. Furthermore, it will be very difficult to find the connection you actually need to trace.
Note:
Tracing conditions are only evaluated if the so-called User space rule set is used. Thus tracing conditions are only available if the parameter Use Kernel Rule Set is set to no (see 2.1.1.4 Operational, page 136).

Destination Port Port of the destination address.
Maximum Counts Only the first n packets are recorded. 0 is the service default, which can be set in the firewall service parameters. The default is 512.
Maximum Bytes Only the first n kilobytes are recorded. 0 is the service default, which can be set in the firewall service parameters. The default is 256 KB.
Active You can keep a list of predefined trace conditions and switch them on/off by setting this flag.

On the left side is the list of all available tracing sessions. The naming convention is rule_sourceIP_sourcePORT_destIP_destPORT.dbg. The corresponding files are located in /var/phion/debug/trans.
The maximum number of recorded tracing sessions can be set in the firewall basic configuration. The default is 512.
Double-clicking on a trace session opens the session on the right hand side. The connection traffic is depicted in the following style:
z Green: Data sent by source
z Blue: Data sent by destination
z Yellow: Messages from firewall (closing of connections)
The following checkboxes are used for filtering the view:
z Binary
Show traffic in binary notation
z Text
Show traffic in text notation
z Source
Show traffic generated by source
z Destination
Show traffic generated by destination
z Header
Show traffic header
z Header Info
Note:
The depicted time stamp is that of the firewall system time in the time zone of the Barracuda NG Admin computer. If, for example, the firewall is on UTC and your workstation is on Central European Summer Time you will get the system time of the firewall +2 hours.
8. Log Files
The firewall service generates several log files in /var/phion/logs.
As the firewall engine operates as a box service, it logs into the box part of the log tree. This is the main log file.
In addition, it logs all forwarding traffic related entries into a service specific log file.
All standard logs are in the main log file. Additionally administrative logs and logs regarding changes of the rule set are logged twice in separate log files.

8.1 Standard Log Files
z box_Firewall.log
Main log file. All log entries are in this file. Information about tunnel and transport is only visualized on active kernel rule set.
z srv_servername_servicename.log
Service log file. All forwarding rules related entries are in this file.
z srv_servicename_rulename.log
9. Bridging
The Barracuda NG Firewall bridging concept particularly aims at easy setup and configuration. One of its demands is to achieve stealth mode, that means nodes should not be aware of any active bridging involved.
The following are the main benefits of Barracuda NG Firewall bridging:
z Bridging allows for physical segmentation of network nodes within a logical network.
z There is no need for client configuration change.
z Full network transparency (down to Layer 2) can be achieved.
z Firewalling can be implemented between LAN segments.

Transparent Layer2 Bridging has the following characteristics:
z All network traffic is delivered using Layer 2 lookups.
z Bridging is Layer 2 transparent, which means that the source MAC is propagated in connection requests.
z The bridged network nodes cannot locally communicate with the interface.
z A Transparent Layer2 Bridge requires a separate interface making it accessible for configuration.
Fig. 478 Network segmentation in a Transparent Layer2 bridged environment
(Figure labels: Logical Network 10.0.8.0/24; Default Gateway 10.0.8.1; Bridge; LAN 1 with 10.0.8.10 and 10.0.8.12; LAN 2 with 10.0.8.31 and Router 172.31.1.1; LAN 3)
The configuration example is described in detail at the end of this chapter (see 9.6.2.1 Using Transparent Layer2 Bridging, page 195).

Routed Transparent Layer2 Bridging has the following characteristics:
z Bridging is Layer 2 transparent, which means that the source MAC is propagated in connection requests.
z Unknown destinations are actively "ARPed".
z Traffic between routed and bridged destinations is forwarded.
z Bridged network nodes may (if allowed) locally communicate with the interface, which means that beside bridging other Barracuda NG Firewall services may be utilized simultaneously.
(Figure labels: 10.0.8.0/24; LAN 2 with 10.0.8.31 and 172.31.1.1)
The configuration example is described in detail at the end of this chapter (see 9.6.2.3 Using Routed Transparent Layer2 Bridging - Example 2, page 196).

9.3.3 Layer3 Bridging
Figure 480 shows a common situation in which implementation of Non Transparent Translational Bridging would be appropriate.
Fig. 480 Flat network structure
(Figure labels: LAN PC, LAN PC, LAN PC, LAN PC; 10.0.8.0/24)
... implementation full security can be provided even in a flat network architecture, with only the need to change network settings on the client, which is to be separated.
Fig. 481 Non Transparent Translational Bridging
(Figure labels: LAN2 PC; Bridge with Routing Functionality; LAN PC, LAN PC, LAN PC)
Table 424 Bridging characteristics in comparison (columns: Transparent Layer2 Bridging, Routed Transparent Layer2 Bridging, Layer3 Bridging; rows: Broad-Multicast Propagation, High Availability, VLAN capable)

Bridging heavily depends on broadcasts for the purpose of establishing connectivity. This behavior leads to a few weak points to be considered carefully in order to implement bridging in a secure manner.
Apart from the factor that broadcasts in huge environments consume a lot of bandwidth, regard must be paid to the aspect that bridging is inherently insecure and therefore requires a trusted environment.
Barracuda NG Firewall offers methods which allow fending off the most common attacks.

9.4.1 IP or ARP Spoofing
Network nodes may for example use IP addresses of fake ARP responses in order to fake network traffic with arbitrary IP addresses. Since the firewall security enforcement is performed on layer 3 this would equal bypassing of the security policy. These issues can be solved by taking the following measures:
z Segment Access Control Lists (Bridging Interface ACLs)
Specify allowed IP addresses on a segment explicitly.

... MAC addresses for a session are then fixed upon session creation and enforced until session end.
Fig. 482 Destination MAC spoofing prevention
(Figure labels: LAN 1 with 10.0.8.20; Bridge; LAN 2 with 10.0.8.12; LAN 3 with 10.0.8.10; MAC-A; MAC-B; Second Packet: Dest. MAC: MAC-B, Dest. IP: 10.0.8.10)
In the situation depicted in figure 482, a client from LAN 1 tries to enforce a connection grant to a client in LAN 3. To do so, it sends a first packet to the client in LAN 2 using MAC-A as destination MAC and the IP address 10.0.8.10 as destination IP. After the session has been granted through the bridge and communication has been allowed, it sends a second packet to the client in LAN 3 using MAC-B as destination MAC and again IP address 10.0.8.10 as destination IP. It thus tries to spoof the destination MAC of its connection request. If MAC enforcement is configured, the communication to the client in LAN 3 will not be granted.

9.5 Implementation of Logical Entities
Table 425 Structural breakdown of bridging units (columns: Bridging Groups, Bridging Interfaces, Bridging ARPs)
Note:
A bridging interface can only be member of one bridging group.
A bridging ARP entry (BARP) stores the information on which bridge interface a certain MAC address resides. Additionally, associated IP addresses are stored along with the BARP entry.
Note:
The IP address is only used for visualisation purposes.
Dynamic BARPs are built up during run time by analysing network traffic. Whenever a packet is received on an interface, dynamic BARPs are generated or updated. This way the firewall "learns" which MAC address resides on which bridging interface. When analysing ARP packets the Layer 3 IP information is added to the BARP entry by adding the IP address.
Dynamic BARPs are characterized by the following activities:
z MAC-Interface relationship learned by any IP traffic
z MAC-Interface-IP relationship learned by ARP traffic

... Servers > Assigned Services > Firewall > Firewall Forwarding Settings > Bridging tab
z On CC administered boxes in the MC's respective repository.

Use IP BARP Entries This parameter controls generation of IP entries for all bridging ARP entries within a Bridging Group. When set to yes (default), the Barracuda NG Firewall does not only learn the allocation of MAC addresses to ports from processed IP and ARP traffic, but also records IP addresses that are assigned to a specific MAC address in a separate table. Set to no, if a huge number of IP addresses within a specific network segment might cause an ARP table overrun.
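To make the Destination MAC spoofing scenario of figure 482 and the BARP learning rules above concrete, here is an added Python model written for this page; it is not code from the Barracuda NG Firewall. A BridgingGroup class learns dynamic BARPs (the MAC/interface relationship from any IP packet, the IP only from ARP, and only while Use IP BARP Entries is yes), honours Static Bridge MAC entries, and fixes the destination MAC of a session at creation so that a later packet for the same session carrying a different destination MAC is refused. The class and method names, the MAC-A/MAC-B labels, the session key and the reason strings are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Barp:
    """One bridging ARP entry: the bridging interface a MAC resides on, plus the
    IPs recorded for that MAC (used for visualisation and the static check)."""
    interface: str
    ips: set = field(default_factory=set)
    static: bool = False


class BridgingGroup:
    def __init__(self, static_entries=(), use_ip_barp_entries=True):
        # static_entries: (Static Bridge MAC, Device, IP Address) triples,
        # mirroring the Static Bridge MAC configuration area.
        self.barps = {}
        for mac, device, ip in static_entries:
            self.barps[mac] = Barp(device, {ip}, static=True)
        self.use_ip_barp_entries = use_ip_barp_entries
        # session key -> destination MAC fixed when the session was created
        self.sessions = {}

    def learn(self, src_mac, interface, src_ip=None, is_arp=False):
        """Dynamic BARP learning: MAC/interface comes from any IP traffic, the IP
        is added only from ARP traffic and only while Use IP BARP Entries is yes.
        Static entries are never overwritten by learned data."""
        entry = self.barps.get(src_mac)
        if entry is None:
            entry = self.barps[src_mac] = Barp(interface)
        elif not entry.static:
            entry.interface = interface
        if is_arp and src_ip and self.use_ip_barp_entries:
            entry.ips.add(src_ip)
        return entry

    def forward(self, src_ip, src_port, dst_ip, dst_port, dst_mac):
        """Decide whether a packet may pass the bridge. Returns (allowed, reason)."""
        # Static Bridge MAC: an IP bound statically to a MAC may only be reached
        # through that MAC, whatever the packet claims.
        for mac, entry in self.barps.items():
            if entry.static and dst_ip in entry.ips and mac != dst_mac:
                return False, "static MAC mismatch"
        key = (src_ip, src_port, dst_ip, dst_port)
        bound = self.sessions.get(key)
        if bound is None:
            self.sessions[key] = dst_mac   # MAC fixed for the session's lifetime
            return True, "session created"
        if bound != dst_mac:
            # Figure 482: same session, same destination IP, different MAC
            return False, "destination MAC spoofing attempt"
        return True, "session match"


if __name__ == "__main__":
    g = BridgingGroup()
    print(g.forward("10.0.8.20", 40000, "10.0.8.10", 80, "MAC-A"))  # first packet
    print(g.forward("10.0.8.20", 40000, "10.0.8.10", 80, "MAC-B"))  # second packet
```

A session keyed on addresses and ports alone, as in the first packet, is exactly what the attack in figure 482 relies on; pinning the destination MAC to that key at creation time is the enforcement the text describes, and a static entry closes the window before the session even exists.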
List 451 Firewall Forwarding Settings - Bridging section Layer2 Bridging
Parameter Description
Static Bridge MAC This configuration area may be used for static MAC/IP address combinations to minimize the risk of IP/ARP or Destination MAC Spoofing (see above).
Static Bridge MAC The expected MAC address of the external interface is set here.
Device This is the name of the bridging interface through which the connection request is expected to be handled.
IP Address This is the IP address of the external interface bound to the Static Bridge MAC specified before.
Comment Entering a comment is optional but useful for quicker orientation when many static entries are in use.
Bridging TTL Policy This parameter controls the bridge's handling of the TTL field in the header of an IP packet. The following options are available:
Decrease-TTL (default)
The TTL value is decreased by 1 every time a packet arrives anew. When the TTL value reaches 0, the packet is dropped.
Do-NOT-Decrease-TTL
The TTL value remains unchanged.

List 452 Firewall Forwarding Settings - Bridging section Quarantine Bridging
Parameter Description
Quarantine Group To edit an already existing entry, select it and click Edit. To create a new entry, click Insert. To remove an existing entry, select it and click Delete. See list 453 for parameter description.

List 453 Firewall Forwarding Settings - Bridging section Quarantine Bridging - Quarantine Group
Parameter Description
Disable Quarantine Group Disables this quarantine group. Use this to quickly deactivate a fully configured quarantine group.
Quarantine Class 1 Interface Specifies one interface, where all quarantine class 1 clients will be located. This interface must not already be member of any other quarantine group.
Quarantine Class 2 Interface Specifies one interface, where all quarantine class 2 clients will be located. This interface must not already be member of any other quarantine group.
Quarantine Class 3 Interface Specifies one interface, where all quarantine class 3 clients will be located. This interface must not already be member of any other quarantine group.
LAN Interfaces A list of interfaces where clients live. These clients may change their state to a quarantine class which is located on one of the above quarantine class interfaces.

The realisation of Transparent Layer2 Bridging as depicted in the example above requires the following configuration settings:
In Firewall Forwarding Settings > Bridging:
Fig. 484 Bridging Group Setup for Transparent Layer2 Bridging
z Define a Bridging Group.
z Add the Bridging Devices eth1, eth2, and eth3 to the Bridging Group.
z Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
z Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
z Add the default gateway 10.0.8.1 to the Allowed Networks parameter of Bridging Device eth3.
z If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
z The Device IP Address of the Bridging Group is not to be configured, as an external router (Default Gateway 10.0.8.1) already exists.
(Figure labels: LAN 2 with 10.0.8.31 and 172.31.1.1)
In figure 485 a similar network setup has been created like in figure 483, page 195 with one main difference, though - the bridge has been set up with routing functionality. Clients in LAN1 and LAN2 may now profit from being able to locally communicate with the bridging devices.
The realisation of Routed Transparent Layer2 Bridging as depicted in the example above requires the following configuration settings:
Fig. 486 Bridging Group Setup for Routed Transparent Layer2 Bridging - Example 1
z Define a Bridging Group.
z Add the Bridging Devices eth1 and eth2 to the Bridging Group.
z Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
z Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
z If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
z Configure the Default Gateway address 10.0.8.1 as Device IP Address of the Bridging Group.

9.6.2.3 Using Routed Transparent Layer2 Bridging - Example 2
Fig. 487 Configuration of Routed Transparent Layer2 Bridging
(Figure labels: Logical Network 10.0.8.0/24; Bridge with Routing Functionality; Default Gateway 10.0.8.1; LAN 1 with 10.0.8.10 and 10.0.8.12; LAN 2 with 10.0.8.31 and 172.31.1.1)
In the configuration example depicted in figure 487 introduction of a Device IP address is a must as no further router exists. The realisation of the setup requires the following configuration settings:
In Firewall Forwarding Settings > Bridging:
Fig. 488 Bridging Group Setup for Routed Transparent Layer2 Bridging
z Add network 10.0.8.0/24 or the two clients 10.0.8.10 and 10.0.8.12 individually to the Allowed Networks parameter of Bridging Device eth1.
z Add network 10.0.8.0/24 or the client 10.0.8.20 individually to the Allowed Networks parameter of Bridging Device eth2.
z If you desire the client 172.31.1.25 to be reachable from clients in LAN1, add it to the Allowed Networks parameter of Bridging Device eth2. No further configuration is necessary to guarantee reachability between the clients 10.0.8.20 and 172.31.1.25.
z Add the default gateway 10.0.8.2 to the Allowed Networks parameter of Bridging Device eth3.
z Configure the Default Gateway address 10.0.8.1 as Device IP Address of the Bridging Group.

9.6.2.4 Using Layer3 Bridging
Fig. 489 Configuration of Non Transparent Translational Bridging
(Figure labels: LAN2 PC 10.0.8.162 on eth1; Bridge with Routing Functionality; eth0: 10.0.8.0/24; LAN PC, LAN PC, LAN PC)
The realisation of non transparent translational bridging as depicted in the example above requires the following configuration settings:
In the Networks tab of the Rules configuration area of the Forwarding Firewall:
z Create a new Net Object for LAN2 PC. Enter LAN2 PC's IP address 10.0.8.162 into the IP/Ref field of this Net Object.
z Set parameter Bridging to Bridging ENABLED (Advanced Settings).
Note:
See List 425 Net Object configuration parameters, section Bridging, page 149 for parameter configuration details.

... viewed in the Proxy ARPs tab of the Rules configuration area:
Fig. 492 Proxy ARP Object - Bridging Parent Network
For further information on Proxy ARP Objects see 2.2.9 Proxy ARPs, page 158.

9.6.3 Visualisation
Fig. 494 Firewall > Dynamic > Bridging ARPs tab
Table 426 Overview of bridging operational information in the Bridging ARPs tab
Column Description
MAC This column displays the MAC address of the external interface which has established a connection to the bridging interface.
Interface This is the bridging interface through which the connection has been established.
Group This is the name of the Bridging Group the interface belongs to.
IPs The IPs recorded here belong to the MAC address displayed in the first column.
Type The IPs bound to a MAC address are dynamic if they have been learned dynamically through proxy ARPing. The type is static, if the MAC/IP combination documented through the other columns has been configured statically through the parameter Static Bridge MAC (list 451, page 194).
Timer This is the time interval, which has passed, since the connection establishment has been recorded.
Clicking the label in the title row of each column sorts the entries ascending or descending by name.
Right-clicking a selected entry makes the following actions available in a context menu:
z Remove Selected MACs
Deletes the selected MAC address(es) from the list.
z Remove IPs from Selected MAC
Deletes IP addresses from a specific MAC, which have been saved during a bridged connection establishment, without removing the MAC address itself from the list.

9.6.4 Configuring Broadcast and Multicast Propagation over Bridging Interfaces
Fig. 495 Utilising action type Broad-Multicast for Bridging Groups
Propagation of, for example, shared network interfaces is achieved through distribution of broadcast messages. If interface sharing is needed in bridged network setups, a rule allowing for this has to be introduced. Use the firewall action type Broad-Multicast to enable propagation of broadcast and multicast messages. Configure values in the following way:
Table 427 Broad-Multicast action type rule configuration
Field Description
Source the network the shared interface resides in
Destination the source network's broadcast address
Propagation List the name of the bridging group responsible for bridge traffic forwarding (phbr-<group_name>)
... each condition is fulfilled. Since the firewall engine can only process IP addresses, a user - IP address mapping is being performed.
Attention:
Due to the user - IP address mapping it is mandatory to have unique IP addresses for all users, which ought to be authenticated by the firewall.
Barracuda Networks offers two types of firewall authentication:
z Inline Authentication
works only in conjunction with HTTP and HTTPS. This way of authentication injects the authentication request into the data stream. The authentication is done via a pop-up window in the client's browser. The firewall redirects the HTTP/S request to an internal authentication server. This server generates the authentication request within the browser window by sending a HTTP 401 status code (Server Auth) to the client's browser.
Step 1: HTTP+S connection request and verification of authentication data
(Figure labels: Browser; Client; fwauthd (firewall authentication daemon); Firewall; Authentication Server; Server; HTTP+S)
Step 2: Authentication data OK and connection establishment
(Figure labels: Browser; Client; fwauthd (firewall authentication daemon); Firewall; Server; POP3)

10.1 Configuring Firewall Authentication
The fwauth daemon (required for Offline Authentication, see above) is configured via the following parts of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>).
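The user - IP address mapping described above, together with the Refresh auth every min and Refresh auth tolerance min parameters of List 454 (defaults 5 and 1 minutes), can be modelled in a few lines. The Python below is an added example written for this page, not code from the Barracuda NG Firewall: a UserIpTable maps a source IP to an authenticated user, reports a conflict when a second user logs in from an IP that is still mapped to someone else (the reason unique IPs are mandatory), silently refreshes a mapping that is re-used within the tolerance window, and drops it afterwards. The class, its method names, the "conflict" policy and the reading of the refresh window as "valid up to every, silently refreshed up to every + tolerance, expired beyond" are assumptions of the example.

```python
from dataclasses import dataclass

# Defaults of the List 454 parameters "Refresh auth every min" and
# "Refresh auth tolerance min"; the window semantics below are an assumption.
REFRESH_EVERY_MIN = 5
REFRESH_TOLERANCE_MIN = 1


@dataclass
class Mapping:
    user: str
    last_refresh: float   # simulated clock, in minutes


class UserIpTable:
    """Hypothetical user - IP address mapping as the firewall needs it to apply
    user-specific rules: the rule engine itself only sees IP addresses."""

    def __init__(self, every=REFRESH_EVERY_MIN, tolerance=REFRESH_TOLERANCE_MIN):
        self.every = every
        self.tolerance = tolerance
        self.by_ip = {}

    def state(self, ip, now):
        """valid: inside the refresh interval; refresh: inside the tolerance window
        (refreshed without prompting on reconnect); expired: must log in again."""
        m = self.by_ip.get(ip)
        if m is None:
            return "unknown"
        elapsed = now - m.last_refresh
        if elapsed <= self.every:
            return "valid"
        if elapsed <= self.every + self.tolerance:
            return "refresh"
        return "expired"

    def login(self, ip, user, now):
        """Record a successful authentication. A live mapping of another user on
        the same IP is a conflict: two users behind one address (for example a
        NAT device) cannot be told apart by the rule engine."""
        current = self.by_ip.get(ip)
        if current is not None and current.user != user and self.state(ip, now) != "expired":
            return "conflict"
        self.by_ip[ip] = Mapping(user, now)
        return "authenticated"

    def lookup(self, ip, now):
        """Resolve the user for a packet's source IP, applying refresh and expiry."""
        st = self.state(ip, now)
        if st in ("valid", "refresh"):
            if st == "refresh":
                self.by_ip[ip].last_refresh = now   # silent refresh
            return self.by_ip[ip].user
        self.by_ip.pop(ip, None)   # expired or unknown: no user for this IP
        return None


if __name__ == "__main__":
    t = UserIpTable()
    print(t.login("10.0.8.10", "alice", 0.0))
    print(t.lookup("10.0.8.10", 4.0), t.lookup("10.0.8.10", 5.5), t.lookup("10.0.8.10", 20.0))
```

The conflict branch is the practical consequence of the Attention note: once a second identity is accepted for an address, every later lookup on that address silently attributes traffic to the wrong user, so refusing the login is the safer failure.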
List 454 Firewall configuration - Authentication parameters section FW 10.1.1.3 WWW tab
Authentication Server
Parameter Description This tab acts as a kind of simple upload tool for the
Authentication The HTML page specified here is integrated Barracuda NG Firewall web server that is used
logout page shown after a successful firewall
[logout.html] authentication logout. Take into during Offline Authentication, for either HTML code or
consideration that is relative to binaries.
WWW root (see above).
Authentication The HTML page specified here is A possible task would be to place the proxy.pac in the
index page used as login page. Take into configured root directory (parameter WWW root, see
[index.html] consideration that is relative to 10.1.1.1 Authentication, page 199) of the integrated web
WWW root (see above).
server.
Max size of a Files that exceed this value will not
file to cache be cached but loaded from disk.
(kb) Note:
[2048] Do not customize default html files (see list 454,
Max files to Here the maximum number of files page 199).
cache is specified that are cached
[20] simultaneously. Consequences of customization:
Refresh auth This parameter defines after how z Dirty Release status (see Control 2.5.1 Section
every min long (in minutes) authentication is
[5] refreshed. If the authentication Version Status, page 37).
information cannot be retrieved (for
example because of a closed z The customized files will potentially be overwritten
authentication browser window) the when installing patches or updates.
connection is terminated.
Refresh auth The authentication is automatically
tolerance min refreshed (without prompting) if
[1] peer reconnects after <Refresh 10.1.2 Introducing User-specific Rules
auth every min + Refresh
auth tolerance min>.
For this purpose the Create Rule dialog provides the
Root Here the root certificate for verification of browser
certificates peer certificates is handled.
Authenticated User Section, where you can select an
Default HTTPS The default key generated/imported here will be used
existing user object (see 10.1.2.1 Firewall - User Window) or
Private Key / for offline authentication via SSL connections (see 10. set an user explicitly. The available parameters for user
Default HTTPS Certificate: (... Default HTTPS Firewall Authentication, page 199). Take into consideration that default certificate AND default key must match for successful connection establishment.
Destination-specific SSL-Settings: Via this field you may define certain certificates and keys that are used for SSL connections to explicit IP addresses.

10.1.1.2 Phibs

The following parameters are available for specifying Phibs behavior:

List 455 Firewall configuration - PHIBS settings section Phibs Authentication Settings

PHIBS Authentication Scheme: A pull-down menu gives five different schemes to choose from: MSNT, RADIUS, LDAP, MSAD, RSAACE.
Note: The authentication schemes are activated and configured in the box configuration (Configuration Service 5.2.1 Authentication Service, page 111).
PHIBS Listen IP: Defines the IP address of the box on which the PHIBS authentication daemon is running.
PHIBS Timeout: Specifies the response timeout (in minutes) for the authentication server.
User List Policy: The option deny-explicit means that all domain users who are listed in the user list are not allowed to use the proxy service. The option allow-explicit means that only domain users listed in the user list are allowed to use the proxy service. This does not mean that they do not require authentication.
User List: List of usernames that are used for the User List Policy.

... configuration are the same for both ways of configuring.

10.1.2.1 Firewall - User Window

This window is used for defining user-specific rules. Such rules are required when using the Firewall Authentication feature. To open the configuration dialog for a new user/user group, click New in the Edit User navigation bar of the Firewall - User Groups window of the Rules tab.

Now enter a name for this user/user group data set and, optionally, a describing text. By clicking New, the next configuration dialog for defining the user conditions is opened. This dialog provides the following parameters:

Note:
Take into consideration that combining fields is also possible, for example to enforce a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).

Fig. 498 Configuration dialogs - User Object & User Condition
List 456 Firewall configuration - Rules - User Groups section Authentication Pattern

Login Name: This parameter serves for defining the required login name. Take into consideration that using wildcards (? and *) is also possible (?* requires at least one character as login name).
Group Patterns: This field allows specifying the required group assignment(s) according to the affected external authentication scheme (MSAD, LDAP or RADIUS). The following buttons are available:
Add - adding a new entry
Edit - modifying an existing entry
Delete - removing a marked entry
Note: Take into consideration that combining fields is also possible, for example to enforce a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).
For information concerning how to gather such group patterns, have a look at Appendix 1.1 How to gather Group Information, page 544.

List 457 Firewall configuration - Rules - User Groups section Policy Roles Patterns

Selector: This field allows specifying the required group assignment(s) according to the affected external authentication scheme (MSAD, LDAP or RADIUS). The following buttons are available:
Add - adding a new entry
Edit - modifying an existing entry
Delete - removing a marked entry

List 458 Firewall configuration - Rules - User Groups section X509 Certificate Pattern

Subject: Here the subject of the affected X.509 certificate is to be entered. By clicking Edit the dialog Certificate Condition is opened, where the required subject has to be configured. If multiple subject parts (key value pairs) are required, separate them with / (for example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2).
Note: Take into consideration that combining fields is also possible, for example to enforce a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).
Using wildcards (?, *) is possible.
Attention: Take into consideration that order is mandatory.
Issuer: Here the issuer of the affected X.509 certificate is to be entered. By clicking Edit the dialog Certificate Condition is opened, where the required issuing instance has to be configured. If multiple subject parts (key value pairs) are required, separate them with / (for example, if OU=test1 and OU=test2 are required, select OU and enter test1/test2).
Note: Take into consideration that combining fields is also possible, for example to enforce a VPN connection (by entering required VPN User Patterns) AND a matching X.509 certificate installed in the browser application (by entering required X509 Certificate Patterns).
Using wildcards (?, *) is possible.
Attention: Take into consideration that order is mandatory.
Policy: Here the ISO number according to the used X.509 certificate may be entered.
AltName: Here the SubjectAltName according to the used X.509 certificate may be entered.

List 459 Firewall configuration - Rules - User Groups section VPN User Pattern

VPN Name / VPN Group: Parameter VPN Name holds the required VPN login name. Parameter VPN Group holds the required VPN group policy the user has to be assigned to.
Note: When using Offline Authentication, ensure that user-specific rules are sequenced after the fwauth rule (see 10.1.4 Activate Offline Firewall Authentication).

List 460 Firewall configuration - Rules - User Groups section Authentication Method

Origin: This parameter is used for defining the type of originator. The following originators are available:
VPNP (PersonalVPN)
VPNG (GroupVPN)
VPNT (Tunnel)
HTTP (Browser login)
Proxy (Login via proxy)
Server / Service / Box: These parameters allow enforcing authentication on a certain server/service/box.

10.1.3 Activate Inline Firewall Authentication

In order to activate Inline Firewall Authentication, simply enter the Advanced Rule Parameters dialog of the affected rule and set the parameter Authentication to the required authentication mode. The following modes are available:
- No Inline Authentication (default)
- Login+Password Authentication
- X509 Certificate Authentication
- X509 Certificate & Login+Password Authentication

10.1.4 Activate Offline Firewall Authentication

10.1.4.1 Introducing Redirect Rule for fwauthd

fwauthd listens on the following ports of the local loopback (127.0.0.1) adapter:
- 443 - listening for HTTPS connections (authentication via user & pw)
- 444 - listening for connections using X.509 certificates for authentication
- 445 - listening for connections using X.509 certificates and user/pw for authentication
- 80 - listening for HTTP connections (authentication via user & pw)

To introduce a redirect rule for fwauthd, it is necessary to redirect the IP address where the users connect to for authentication.

Attention:
Correlation between the used authentication method and the used port is mandatory for authentication success.
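As an added illustration that is not part of the guide, the following Python code evaluates the pattern rules of Lists 456 and 458 above: the ?/* wildcards (so that ?* demands at least one character), '/'-separated required values for one selected attribute type, the mandatory order, and the AND-combination of fields described in the Notes. The positional reading of "order is mandatory" (the k-th required value must match the k-th attribute of the selected type), the tolerance of additional attributes, and the sample names are assumptions constructed for the example.

```python
"""Added example (not from the Barracuda NG guide): evaluating the Login Name
and Certificate Condition patterns of Lists 456 and 458 against a session.

Assumptions, not stated on the page: 'order is mandatory' is read positionally
(the k-th required value must match the k-th attribute of the selected type),
attributes of that type beyond the required ones are tolerated, and the
certificate names are parsed from constructed 'TYPE=value,...' strings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An X.509 name as an ordered list of (attribute type, value) pairs.
Name = List[Tuple[str, str]]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the guide's wildcards into an anchored regex.

    '?' matches exactly one character, '*' any run; everything else is
    literal, so a '.' in a CN or an e-mail address cannot widen the match.
    '?*' therefore requires at least one character, as the guide states.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def login_name_matches(pattern: str, login: str) -> bool:
    """Login Name condition: the whole login name must match the pattern."""
    return wildcard_to_regex(pattern).match(login) is not None


def parse_name(text: str) -> Name:
    """Parse a constructed 'CN=x,OU=y,...' string into ordered pairs.

    A real deployment takes the parsed name from the TLS library instead;
    this parser exists only to build sample input for the example.
    """
    pairs: Name = []
    for rdn in text.split(","):
        typ, sep, val = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def certificate_condition(name: Name, selected_type: str, required: str) -> bool:
    """Certificate Condition for one selected attribute type (Subject or Issuer).

    `required` is the dialog value, e.g. 'test1/test2' for 'OU=test1 and
    OU=test2'. Each '/'-separated part may use ?/* wildcards and must match
    the attribute of the selected type at the same position (order matters).
    """
    wanted = required.split("/")
    present = [value for typ, value in name if typ == selected_type.upper()]
    if len(present) < len(wanted):
        return False  # fewer attributes of this type than required
    return all(
        wildcard_to_regex(w).match(p) is not None for w, p in zip(wanted, present)
    )


@dataclass
class UserCondition:
    """The fields of one User Condition that this example evaluates."""
    login_name: Optional[str] = None                 # Login Name pattern
    subject: Optional[Tuple[str, str]] = None        # (selected type, required values)
    issuer: Optional[Tuple[str, str]] = None         # (selected type, required values)


def user_condition_matches(cond: UserCondition, login: str,
                           subject: Name, issuer: Name) -> bool:
    """Combining fields is an AND: every configured field must match."""
    if cond.login_name is not None and not login_name_matches(cond.login_name, login):
        return False
    if cond.subject is not None and not certificate_condition(subject, *cond.subject):
        return False
    if cond.issuer is not None and not certificate_condition(issuer, *cond.issuer):
        return False
    return True
```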
Step 1 Create a fwauth rule
Step 2 Action: Select Local Redirect
Step 3 Destination: Enter the IP address to be accessed by users in order to authenticate themselves

Note:
After introducing it, ensure that the just created fwauth rule is on top of the user-specific rules.

When firewall authentication has been configured, the user authenticates himself using a browser. In the example below the firewall authentication login screen is opened on http://10.0.8.112 using Microsoft Internet Explorer.

Fig. 4101 Firewall Authentication login screen

Note:
Having logged in, do not close the browser window until firewall authentication is no longer needed. Closing the browser window terminates the active firewall authentication session.

Note:
The Barracuda NG Authentication Client is available to automate and facilitate the firewall authentication procedure (10.2 Barracuda NG Authentication Client, page 202).
... handling of Offline Firewall Authentication. The client is an optional tool which can be installed if it is desirable to avoid cumbersome browser window operation.

Only one parameter has to be provided explicitly during installation:

- Home Page
This is the URL of the firewall authentication login interface. With regard to the example described in 10.1.4 Activate Offline Firewall Authentication, the homepage would be entered as http://10.0.8.112.

Note:
The homepage URL can always be changed later in the configuration options of the tool itself.

Note:
During installation the Barracuda NG Authentication Client adopts the connection settings provided in the Internet Explorer settings. If proxy settings are to be adjusted for Barracuda NG Authentication Client usage, settings always must be changed directly in Internet Explorer and not in the tool itself.

The Barracuda NG Authentication Client is automatically started with Microsoft Windows (Registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phionauth.exe).

You may manually start the client from the Start menu by browsing to Start > Barracuda Networks > Barracuda NG Firewall Authentication > Barracuda NG Authentication Client.

A browser-like window opens asking for the specific login data. Enter the user information you have been supplied with and log in to the firewall.

You may now close the window again. The client withdraws to an icon in the status bar. It may be opened from the status bar, either to log out from the firewall or to be closed.

Note:
Exiting from the client leads to a timeout on the firewall and thus terminates an active firewall authentication connection.

10.3 Monitoring

Monitoring takes place in the AuthUser tab of the Firewall box menu entry.

The button Update List on top of this tab allows starting the updating sequence manually.

The following columns are used for displaying all necessary information:

Table 428 Monitoring parameters overview

Peer: This column contains the IP address used to establish the connection and an icon for each auth-connection type:
VPNT - VPN Tunnel
VPNP - Personal VPN
VPNG - Group VPN
HTTP - via browser
Timeout: Displays the time until authentication expires.
Origin: Displays the type of connection for authentication. The following entries are possible:
VPNT - VPN Tunnel
VPNP - Personal VPN
VPNG - Group VPN
HTTP - via browser
Server / Service / Box: Displays the server/service/box that was used for authentication purposes.
User: Shows the login name.
Groups: Displays the authentication group the user is assigned to.
VPN Name: Shows the name of the VPN tunnel.
VPN Group: Displays the group policy the user is assigned to.
X509 Subject / X509 Issuer / X509 Policy / X509 AltName: These columns show information obtained from the X.509 certificate that was used for authentication.
11. RPC
Step 2 Creating a rule for the required service (for example NFS)

Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (which means servicename:serviceID; in our example this would be ONCRPC:100003, see figure 4104).

Fig. 4104 Service Object needed for enabling nfs usage via a portmapper

Step 3 Checking rule set hierarchy

For successful usage of dynamic services it is mandatory to have the general rule (created during Step 1, page 204) situated above the service rules (created during Step 2, page 205).

11.2.2 Configuring Active ONCRPC

Step 1 Configuring the RPC server information

The following parameters are available for configuration:

List 461 Firewall configuration - Forwarding Firewall - RPC tab section RPC Settings

Default Poll Time (secs) [default: 300]: Here the interval for requesting RPC information from the RPC server is defined.

List 462 Firewall configuration - Forwarding Firewall - RPC tab section ONCRPC Servers / DCERPC Servers

Name: This is the describing name of the ONCRPC Server specified at creation time.
IP Address: Here the IP address of the considered RPC server is to be entered.
Portmapper Port [111]: This parameter defines the port the portmapper is listening on.
Attention: Take into consideration that the service object for the portmapper rule (created in Step 2, page 205) has to match this port.
Optional Bind IP [0.0.0.0]: This parameter allows you to define an explicit IP address that is used when connecting to the RPC server. This comes in handy as soon as you are using policy routing. The default value of 0.0.0.0 deactivates this parameter, and the correct Bind IP address will be determined via the routing table.
Polling Time (secs) [300]: Here the interval for requesting RPC information from the RPC server is defined.
Additional Addresses (NAT): If you want to use NAT, enter the corresponding addresses in this section.

Step 2 Enabling access to the portmapper

Create a pass rule for portmapper access using a corresponding service object. When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 111 (see figure 4106).
... section of the Service Entry Parameters dialog (see figure 4108).

Fig. 4108 General Service Object needed for creating a pass rule to enable active&passive ONCRPC

Step 3 Creating a rule for the required service (for example NFS)

Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (servicename:serviceID; in our example this would be nfs:100003, see figure 4107).

Fig. 4107 Service Object needed for enabling nfs usage via a portmapper

Note:
The parameter Dyn. Service can be configured to utilize all available services by just entering DCERPC into the Dyn. Service field.

Note:
In addition to explicit creation of new Service Objects you may as well make use of the already existing predefined Service Objects (for example, Service Objects bound to Microsoft Exchange usage). Please consider, though, that you might possibly need to adapt the preconfigured objects due to potential requirement changes of the software.

11.3 DCERPC

The OSF Distributed Computing Environment (DCE) is a protocol standardized by the Open Group (www.opengroup.org/dce). Analogous to the ONCRPC protocol (see 11.2 ONCRPC, page 204), DCERPC allows services to register on a server which then provides these services on dynamic TCP/UDP ports.

The most widespread application depending on DCERPC is possibly Microsoft Exchange. Besides other Microsoft products, DCERPC is for example also used by HP OpenView.

Since the so-called end point mapper knows which service requires which port and protocol, the client application first sends a request to the end point mapper to determine the dynamically assigned ports.

The endpoint mapper listens on TCP/UDP port 135.

What's the difference to ONCRPC?

- Portmapper is called Endpoint Mapper and uses TCP/UDP port 135 instead of UDP/TCP 111
- Service identification via UUID instead of program numbers
- Multiple services per port possible
  Having multiple services on one TCP port, a "pre-validation" by the firewall is required. This pre-validation checks whether at least one service offered by this port is granted by the rule set:
  NO: block
  YES: the session is granted using the service name DCERPC:ANY and is subsequently analyzed further. As soon as the service is selected, the rule set is checked again whether exactly this service is permitted or not. If granted, the service name changes to the now-known name and the session is active (first matching rule is used). If the service is not permitted, the session is terminated.
- One service can be offered on multiple ports
- Using UDP, DCERPC offers an additional function in order to avoid arbitrary spoofed requests to the RPC server
- Service can change within a session

11.3.1 Configuring DCERPC

Note:
Please consider the following configuration options regarding the parameter Dyn. Service when reading the guidance below, as they apply to all available methods:

- The parameter Dyn. Service can be configured to utilize all available services by just entering DCERPC into the Dyn. Service field.
- In addition to explicit creation of new Service Objects you may as well make use of the already existing predefined Service Objects (for example, Service Objects bound to Microsoft Exchange usage). Please consider, though, that you might possibly need to adapt the preconfigured objects due to potential requirement changes of the software.

11.3.1.1 Configuring Passive DCERPC

Note:
For the advantages and disadvantages of passive and active configuration see 11.1 General, page 204.

Step 1 Enabling access to the end point mapper

Create a pass rule for end point mapper access using a corresponding service object (default service object: DCERPC135). When configuring the service entry, select either UDP or TCP as protocol and set the parameter Port Range to port 135. Last but not least, you need to enter the PlugIn DCERPC in the General section of the Service Entry Parameters dialog (see figure 4110).

Fig. 4110 General Service Object needed for creating a pass rule to enable passive DCERPC
Step 2 Creating a rule for the required service (for example MS Exchange)

Again, as mentioned in Step 1, the settings for the service object are of interest. Select the required protocol (either UDP or TCP) and use the parameter Dyn. Service for defining the service information (servicename:UUID; see figure 4111).

Fig. 4111 Service Object needed for enabling MS-File Replication Service usage via an end point mapper

11.3.1.2 Configuring Active DCERPC

Note:
For the advantages and disadvantages of passive and active configuration see 11.1 General, page 204.

Step 1 Configuring the RPC server information

The RPC server information is configured via the RPC tab of the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename>). The configuration is analogous to the one mentioned under 11.2.2 Configuring Active ONCRPC, Step 1, page 205, except that port 135 has to be entered (instead of port 111).

Fig. 4112 General Service Object needed for creating a pass rule to enable active DCERPC

Note:
If you have specified an alternative port in the server configuration, do not forget to define this alternative port instead of the default port here.

Note:
Do not fill in the PlugIn field when configuring Active DCERPC.
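The two-stage DCERPC pre-validation described in 11.3 above, modelled as an added Python example that is not part of the guide or the product: a first-matching-rule lookup, the provisional service name DCERPC:ANY, the re-check once the client selects a concrete service (which may happen again because a service can change within a session), and the bare Dyn. Service value DCERPC covering all services. Source/destination matching is simplified to exact strings, and the endpoint table and UUIDs are constructed placeholders.

```python
"""Added example (not from the guide or the product): a model of the two-stage
DCERPC pre-validation described in 11.3.

Rules are checked in order and the first matching rule decides, as the text
says. Source and destination are compared as plain strings here (real rules
use network objects), and the endpoint table and UUIDs are constructed
placeholders, not real interface identifiers."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str   # Dyn. Service value: "DCERPC:<uuid>", or just "DCERPC" for all services
    action: str    # "pass" or "block"


def rule_covers_service(rule: Rule, service: str) -> bool:
    """Entering only DCERPC into Dyn. Service covers every DCERPC service."""
    if rule.service == "DCERPC":
        return service.startswith("DCERPC:")
    return rule.service == service


def first_matching_rule(rules: List[Rule], src: str, dst: str,
                        service: str) -> Optional[Rule]:
    """First matching rule is used; None means nothing matched (implicit block)."""
    for rule in rules:
        if rule.src == src and rule.dst == dst and rule_covers_service(rule, service):
            return rule
    return None


def service_granted(rules: List[Rule], src: str, dst: str, service: str) -> bool:
    rule = first_matching_rule(rules, src, dst, service)
    return rule is not None and rule.action == "pass"


class DcerpcSession:
    """One session to a dynamic DCERPC port, walked through both stages."""

    def __init__(self, rules: List[Rule], endpoints: Dict[int, Set[str]],
                 src: str, dst: str, port: int) -> None:
        self.rules = rules
        # UUIDs the end point mapper announced for this port (several per port).
        self.offered = endpoints.get(port, set())
        self.src, self.dst = src, dst
        self.service: Optional[str] = None
        self.state = "new"

    def prevalidate(self) -> bool:
        """Stage 1: at least one service offered on the port must be granted.

        On success the session runs provisionally as DCERPC:ANY.
        """
        if any(service_granted(self.rules, self.src, self.dst, "DCERPC:" + u)
               for u in self.offered):
            self.service, self.state = "DCERPC:ANY", "prevalidated"
            return True
        self.state = "blocked"
        return False

    def select_service(self, uuid: str) -> bool:
        """Stage 2: the client binds a concrete interface; re-check exactly it.

        Because a service can change within a session, this may run again on
        an active session; a denied service terminates the session.
        """
        if self.state not in ("prevalidated", "active"):
            return False
        name = "DCERPC:" + uuid
        if service_granted(self.rules, self.src, self.dst, name):
            self.service, self.state = name, "active"
            return True
        self.service, self.state = None, "terminated"
        return False


# Constructed sample data: placeholder UUIDs and a port table for the example.
UUID_A = "11111111-1111-1111-1111-111111111111"
UUID_B = "22222222-2222-2222-2222-222222222222"
UUID_C = "33333333-3333-3333-3333-333333333333"
ENDPOINTS: Dict[int, Set[str]] = {1025: {UUID_A, UUID_B}, 1026: {UUID_C}}
RULES = [
    Rule("allow-service-A", "10.0.0.10", "10.0.0.50", "DCERPC:" + UUID_A, "pass"),
    Rule("block-other-dcerpc", "10.0.0.10", "10.0.0.50", "DCERPC", "block"),
]


def run_scenario(port: int, bind_uuid: str) -> Tuple[bool, bool, str, Optional[str]]:
    """Drive one session: (prevalidated, bound, final state, final service name)."""
    session = DcerpcSession(RULES, ENDPOINTS, "10.0.0.10", "10.0.0.50", port)
    prevalidated = session.prevalidate()
    bound = session.select_service(bind_uuid) if prevalidated else False
    return prevalidated, bound, session.state, session.service
```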
VPN

1. Overview
1.1 Client Remote Access ... 212
1.2 Site to Site VPN ... 213
1.3 Certificate Authority ... 213
1.4 Authentication, GroupVPN, Encryption and Transport ... 213
3. SSL-VPN
3.1 General ... 243
3.2 Parameters ... 243
3.3 Setup Examples ... 248
3.4 Hints ... 251
4. Monitoring
4.1 Active Tab ... 252
4.2 Status Tab ... 252
4.3 Access Tab ... 253
1. Overview

Virtual Private Networks offer an efficient and cost-saving way to use the internet as a transport alternative to dedicated lines or dial-up RAS, overcoming the security risks of internet communications.

There are two well-established technologies for data encryption: IPSec and SSL (Secure Socket Layer). Most VPN implementations rely solely on IPSec, which has several disadvantages (for example problems with NAT, NAPT, filtering interfaces, etc.) in modern network topologies. Barracuda NG Firewall VPN has incorporated both technology standards, hence it substantially improves VPN connectivity.

1.1 Client Remote Access

Mobile workers often need secure access to corporate information resources. This may either be achieved by using dial-up Remote Access Servers (RAS) or by using VPN technologies. RAS implementations suffer from several limitations, such as bandwidth, scalability, and manageability. Due to the spreading availability of broadband access via cable and xDSL, VPN provides a superior solution for the remote access challenge.

Client-server communications may be established in three archetypical ways:

- Direct Connection (1.1.1 Direct Connection, page 212)
- Connection through a firewall with or without NAT (1.1.2 Connection through a Firewall, page 212)
- Connections via proxy or SOCKS server (1.1.3 Connections via Proxy / SOCKS Server, page 213)

Conditions and solutions (the first two columns are the conditions, the last three the solutions):

Client IP routed through Internet | Server IP routed through client network | Transparent transport without source NAT | Transparent transport with source NAT | HTTPS proxy / SOCKS 4-5
yes | yes | yes | yes | yes
no  | yes | no  | yes | yes
yes | no  | no  | no  | yes
no  | no  | no  | no  | yes

1.1.1 Direct Connection

Fig. 51 General Scheme of Remote Access VPN (corporate network with VPN server, corporate internet link, secure encrypted tunnel to the remote VPN client via the local ISP - POP)

A necessary condition in order to get working direct connections is routing the client IP just like the server IP throughout the whole connection. For security and flexibility reasons, most corporate networks use private addresses (often called RFC1918 addresses). These addresses are not routed within the internet itself. Moreover, some corporate networks do not route other IP addresses than their own. This leads to severe problems in VPN client deployment. Raw IPSec protocol based VPNs cannot provide a proper solution for such situations.

The client simply connects itself to the VPN server on port 691.

Optionally, the client could also use port 443.

1.1.2 Connection through a Firewall

Fig. 52 Remote Access with the Client Placed Behind a Firewall

As the client does not use IPSec-ESP or another non-TCP protocol as transport facility, the firewall administr ator must provide access to the connection:

- client: (client-port) -> VPN Server: port 691
or
- client: (client-port) -> VPN Server: port 443

Whether the firewall performs NAT (destination or source) does not have any impact on the VPN connection's functionality.
Connecting two corporate locations using VPN can be an even more dramatic cost saving than remote access. Saving costs for bandwidth-limited dedicated lines, you can easily connect as many locations as necessary into one large corporate network without losing performance and manageability or weakening cost control.

The Barracuda NG Firewall establishes strongly encrypted (using DES, 3DES, AES-128, AES-256, etc.) VPN tunnels between two Barracuda NG Firewalls. It supports active and passive tunnel initiation and provides maximum flexibility.

Furthermore it is capable of establishing VPN connections to IPSec based systems.

Fig. 54 Two Corporate Networks Linked Together via VPN Tunnel (two corporate networks, each with a VPN server, joined by a secure encrypted tunnel over their corporate internet links)

The Barracuda Networks VPN implementation supports a range of authentication, encryption, and transport methods. The default settings fit for most practical purposes. However, there is a number of special situations in today's networking reality that need special solutions.

1.4.2 Authentication

1.4.2.1 Client to Site VPN

There are several different possible ways of authentication for VPN connections:

- phion x.509 Certificate
  A phion x.509 certificate and the corresponding private/public key pair is provided within a password protected file.
- User and Password
  For this authentication method, the user has to enter username and password. It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.
- External x.509 Certificate
  This method requires only an external (third-party), root-signed x.509 certificate from a CA (PKI). It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.
- External x.509 Certificate with User and Password Request
  This authentication method consists of an external (third-party), root-signed x.509 certificate from a CA (PKI) and requires manual username and password entry. It is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.
- External x.509 Certificate with Password Request
  This method consists of an external (third-party), root-signed x.509 certificate from a CA (PKI) and requires manual user and password entry. The username must match the one contained within the x.509 certificate. The method is capable of VPN groups. For more information see 1.4.3 VPN Groups, page 214.

Note:
For authentication methods requiring an x.509 certificate, the certificate and the private/public key pair may be provided on a smart card. This offers increased security since the private key is not extractable.

... This method is used if no CA/PKI (Public Key Infrastructure) is available.

1.4.3 VPN Groups

When having lots of VPN clients, it can become very annoying to configure every client one after another. In order to make configuration work more comfortable and faster, some authentication methods provide the possibility of working with so-called VPN groups.

These groups are not necessarily identical with the ones used for LDAP authentication, for example. This fact implies a 1-to-n mapping.

[Figure: VPN groups illustration - HQ LAN, Policy 1, User 1, User 2, VPN]

1.4.2.3 VPN Site-to-Site
The Barracuda Networks VPN server uses the built-in certificate authority and / or external root certificates to guarantee the authenticity of both communication partners. After exchanging the certificates, the communication uses RSA 1024 bit encryption to build up a secure connection to exchange session keys. The connection then is strongly encrypted with a key renewed every 30 minutes.

The following encryption algorithms are available for VPN connections:

- DES
  Digital Encryption Standard
- 3DES
  Triple DES
- AES-128
  Advanced Encryption Standard with up to 128 bit encryption
- AES-256
  Advanced Encryption Standard with up to 256 bit encryption
- Blowfish
  by Bruce Schneier
- CAST
  by Carlisle Adams and Stafford Tavares
- Null
  Not encrypted

Attention:
It is highly recommended not to use DES or Null encryption for VPN connections, since these algorithms are unsafe.

1.4.5 Transport

There are four different transport modes available for Barracuda Networks VPN connections:

- UDP
  Tunnel uses UDP port 691. This connection type fits best for response optimized tunnels.
- TCP
  Tunnel uses TCP connections on port 691 or 443 (if HTTP proxies are used). This mode is necessary for connections through SOCKS 4 or HTTP proxies.
- UDP & TCP
  Tunnel uses both TCP and UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP and ICMP based applications.
- ESP
  Tunnel uses ESP (IP protocol 50). This connection type fits best for performance optimized tunnels.

Note:
DO NOT use ESP if there are filtering or NAT interfaces in between.

Table 52 Comparison of Different Tunnel Transport Modes

Transport Mode | Proxy/SOCKS Compatibility | NAT Compatibility | Response Time | Transport Reliability
UDP     | no  | yes | fast   | normal
TCP     | yes | yes | normal | complete
UDP&TCP | no  | yes | fast   | complete
ESP     | no  | no  | fast   | normal

1.4.5.2 Tunnel Connections

The Barracuda Networks VPN servers need to exchange their respective public keys in order to build up the trusted relationship. After exchanging public RSA keys, the communication uses RSA 1024 bit encryption for the secure connection. This connection is then strongly encrypted with a session key renewed every 10 minutes. The time between the key renewals is configurable and can also be made dependent on the amount of traffic being encrypted with the same key.

For details see the book "Kryptografie" by Klaus Schmeh, ISBN 3-932588-90-8 (German).

1.4.6 Excursion: Description of VPN NoHash Security Issues

Standard ESP

The ESP protocol provides packet authentication and packet encryption. Packet authentication is performed using a hashing algorithm (MD5, SHA, etc.) which is used to hash the packet spanning the ESP header, the encrypted ESP payload (the tunnelled IP packet) and the payload padding (see figure 57, page 216). Packet encryption only spans the encrypted ESP payload and the payload padding and not the ESP header.

An ESP packet is only valid if the following checks are passed (the order is important):

1. Is the authentication using the hashing algorithm correct?
2. Is the sequence number larger than all sequence numbers of all received valid ESP packets (replay protection)?
3. Is the decryption of the ESP payload successful (verified by a padding check)?

This method was already used 10 years ago, when hashing algorithms were much faster than encryption algorithms. The intention was to authenticate the packet prior to decryption in order to avoid an expensive decryption for unauthentic packets. With AES, this assumption is no longer true. In fact, AES is even faster than SHA.

The NoHash method is based on the following consideration:

Encryption may be used as authentication since only the VPN partner holding the same encryption session key may construct an ESP packet which will then be correctly decrypted. The only problem appearing after simply turning off the authentication would be that packets might be replayed using old (captured) ESP packets in a way that
Fig. 510 VPN Configuration Block Diagram - Configure VPN server (flow: requirements for personal remote access met? No: introduce & configure Box, Server, Firewall, VPN Service. Yes: configure VPN server (install keys/server & root certificates, configure personal networks); configure personal VPN; VPN groups required? Yes: get group names (DC, OU, ...), configure VPN group policies, configure VPN group settings. No: configure VPN tunnel settings; VPN is ready to use)

Normally, the Barracuda NG Firewall is delivered with one personal and unlimited firewall-to-firewall VPN licenses. All other licenses must be ordered from Barracuda Networks separately. For more detailed information about license activation see Licensing, page 529.

Additional personal licenses must be available as a file (*.lic files) on floppy, hard disk, or as e-mail.

Configuring the server settings is done by clicking VPN Settings (accessible through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver)) within the VPN configuration tree.

Configure Personal Networks

In order to create a VPN Personal network, lock the configuration dialog, open the context menu and select New VPN Network ... This will open the following configuration dialog.

Fig. 511 Personal Network Configuration Dialog

Note:
The maximum number of personal networks is 256.

The corresponding gateway routes for the configured personal network (both local and routed) are assigned to the VPN client automatically when connecting.

List 51 VPN Configuration - Personal Network Network Section

Advertise via OSPF: When activated, the personal network is advertised via OSPF.
Name: The network name.
Network Address: The network address.
Network Mask: Use inverted CIDR notation (Getting Started 5. Inverted CIDR Notation, page 25).
Gateway: The client's gateway address.
Type: Type of VPN network used. Available types are:
routed (Static Route) (virtual network/DMZ) - For an illustrated example see figure 512. A separate net is offered. A static route leads to the local network via the VPN server. VPN client addresses can be distributed through DHCP as fixed or dynamic addresses.
local (Proxy ARP) - For an illustrated example see figure 513, page 218. A part of the local network is offered via VPN. The defined addresses are entered as Proxy ARP on the VPN Server (see figure 512). VPN client addresses can be distributed through DHCP as fixed or dynamic ones. The following two values are to be defined additionally:
IP Range Base - defines the starting point of the offered addresses from the local network
IP Range Mask - defines the scope of the offered addresses
Quarantine: Quarantine networks may be defined in order to sort clients accessing a VPN tunnel into separate network classes. This configuration parameter has been introduced in preparation for Barracuda NG VPN Client. It will not work with the current VPN client release R7 or older versions. The recommended setting for all Barracuda NG Firewall versions is to leave the setting at the default value Regular Personal Network when creating a new Personal Network. Quarantine Network Classes will at this time not be effective.

Fig. 512 VPN Configuration with Routed Network (Static Route; Virtual Network / DMZ): the VPN client 192.168.6.123 reaches the local network (10.0.0.0/24) through a secure encrypted tunnel to the VPN server; a static route via the VPN server leads to the local DMZ 10.0.0.0/24 behind the FW server.
2.3.2 Server Key/Settings Tab

configuration dialog.

2.3.2.1 Server Certificates

To open the Server Certificates window, click the Click here for Server Settings link on top of the Server Key/Settings tab:

Fig. 514 Server Certificates Configuration

Tab General:

List 52 VPN Configuration - Server Certificates - General Access Control Service Section
Parameter | Description
IP Addresses | IP address of the Access Control Service to use.
Sync Authentication to | Set to yes if authentication information should be propagated to the other boxes in the same . Set to no to disable authentication synchronisation.

List 53 VPN Configuration - Server Certificates - General Server Configuration Section
Parameter | Description
CRL Poll Time | Time interval (in minutes) for fetching the Certificate Revocation List. Note: Setting this parameter to 0 results in a poll time of 15 minutes.
Global TOS Copy [Off] | Globally defines the ToS (Type of Service) flag for Site to Site tunnels. Global employment of the ToS flag is disabled by default (setting: Off). Effects of ToS settings are described in detail in VPN Envelope Policy (applying to TINA Tunnels, page 238) and list 557, page 241 (applying to IPSec Tunnels, page 241). Individual tunnel ToS policies override the global policy settings.
Global Replay Window Size [0] | The Replay Window Size is designed for sequence integrity assurance and avoidance of IP packet "replaying", if due to ToS policies assigned to VPN tunnels and/or transports packets are not forwarded instantly according to their sequence number. The window size specifies a maximum number of IP packets that may be on hold, until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings (see Replay Window Size, page 239) are configurable per tunnel and transport, overriding the global policy settings. Setting this to 0 (default) defines that these tunnel/transport specific settings should be used. ToS details are described in VPN Envelope Policy, page 238. The effective Replay Window Size is visualized in the Transport Details window (Attribute: transport_replayWindow), which can be accessed by double-clicking the tunnel in the VPN Monitoring GUI > Active tab (see 4. Monitoring, page 252).
Use Site to Site Tunnels for Authentication [Yes] | Typically, a tunnel registers itself at the firewall causing an auth.db entry with the tunnel network and the tunnel credentials. This can be used to build a firewall rule having the tunnel name or credentials as condition. This feature is rarely used (maybe not at all).
Pending Session Limitation [Yes] | Session buildup is limited so that, once a buildup of 5 sessions is detected, any further session request will be dropped until one of the already initiated sessions is completed.
Prebuild Cookies on Startup [No] | Typically, cookies are built on demand. For many tunnels building up simultaneously it is better to have the cookie already precalculated. This causes a slower VPN service startup but a faster tunnel buildup afterward.
Tunnel HA Sync | In case of a HA takeover, the initialisation of all VPN tunnels/transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels/transports are terminated, this initialisation happens very fast and does not decrease overall system performance. Due to realtime synchronisation to the HA partner box, the system load during a takeover can be decreased, hence providing faster tunnel reestablishment. Note: Synchronisation is only provided for TINA tunnels/transports using either UDP or ESP. Synchronisation of hybrid, TCP or IPSec tunnels is not available. Note: The default setting for this function is off. It may be activated using Tunnel HA Sync through the VPN Server Settings. Barracuda Networks recommends to activate this setting only when using more than 200 ESP or UDP TINA tunnels.
Maximum Number of Tunnels | Sum of concurrent client-to-site and site-to-site tunnels accepted by the VPN service. Note: Barracuda Networks recommends to keep this value below 8192 to avoid high system load produced by the VPN service.
Note: L2TP/IPSEC require server certificates with SubAltNames.
Default Key | If the VPN server demands a key but the key is not stated explicitly, it may be generated by clicking the Ex/Import button and selecting a suitable option.
Note: It is mandatory to define a default server certificate for a successful client-to-site connection.
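The replay window that the Global Replay Window Size parameter sizes, modelled as an added example (this is not code from the guide or from the Barracuda VPN service): a sliding window whose size is the number of late packets that may still be on hold; the ReplayWindow class, simulate() and the packet sequences are constructed for illustration.

```python
"""Added example, not Barracuda code: a sliding anti-replay window of the kind
the Replay Window Size parameter sizes. Packets that arrive late because ToS
policies reordered them are accepted while they fall inside the window;
duplicates and packets behind the window are reported as replays."""
from dataclasses import dataclass, field


@dataclass
class ReplayWindow:
    size: int                 # effective window size (global value or per-transport override)
    highest: int = 0          # highest sequence number accepted so far
    seen: set = field(default_factory=set)  # accepted sequence numbers still inside the window

    def check(self, seq: int) -> str:
        """Classify one packet by sequence number and update the window.

        Returns 'accept', 'replay' (duplicate inside the window) or
        'behind-window' (older than the window allows; treated as a replay)."""
        if seq > self.highest:
            # In-order packet: slide the window forward and forget what drops out of it.
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.size}
            self.seen.add(seq)
            return "accept"
        if seq <= self.highest - self.size:
            return "behind-window"
        if seq in self.seen:
            return "replay"
        # Late but still inside the window: reordering caused by ToS is tolerated.
        self.seen.add(seq)
        return "accept"


def simulate(size: int, sequence: list) -> list:
    """Run a constructed sequence of packet numbers through a window of the given size."""
    window = ReplayWindow(size)
    return [window.check(seq) for seq in sequence]


if __name__ == "__main__":
    # Constructed stream: packet 4 is delayed behind 5, then replayed, then 1 arrives far too late.
    stream = [1, 2, 3, 5, 4, 4, 6, 1]
    for size in (1, 4):
        print(f"window {size}:", list(zip(stream, simulate(size, stream))))
```

With a window of 4 the delayed packet 4 is still accepted and only its duplicate is flagged; with a window of 1 the same delayed packet is already behind the window.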
List 56 VPN configuration - Server Certificates - Advanced section IKE Parameters
Parameter | Description
The IKE (Internet Key Exchange) Parameters section is globally applicable to all configured IPSEC tunnels.
Exchange Timeout (s) | This value defines the maximum period to wait until the request for IPsec tunnel connection establishment has to be approved by the remote peer (default: 30 seconds).
Tunnel Check Interval (s) | This value defines the interval in which to query if a valid exchange is assignable to an IPsec tunnel (default: 5 seconds). In case a tunnel configured with direction assignment Active has been terminated, it will be re-established automatically as soon as the check interval has expired. In case a tunnel configured with direction assignment Passive has been terminated, a corresponding status message will be triggered causing a GUI update in the VPN monitoring view (4. Monitoring, page 252).
Dead Peer Detection Interval (s) | This value defines the interval in which to execute keep alive checks on the remote peer (default: 5 seconds).
Use IPSec dynamic IP | Set to Yes if the service is connected to the internet via dynamic link (dynamic IP address). In this case the server IP address is not yet known at configuration time and IKE then listens to all local IP addresses.
IPSec Log Level | Defines the debug log level of IKE. Note: Debug log may be very noisy. Avoid a log level greater than 0 if not required for solving an issue.

Parameter | Description
This section defines actions to be taken in case a certificate referred within the Certificate Revocation List (CRL) is unavailable.
Timeout (min.) | If all URIs of the root certificate fail, then the fetching process is started again after this time period. If the CRL is still not available, the fetching process is stopped and parameter Action (see below) is activated.
Action | The following actions are available if CRL fetching is not possible:
Terminate all sessions - Every VPN session relating to this root certificate is terminated.
Do not allow new sessions - New VPN sessions relating to this root certificate are not allowed.
Ignore - This option creates a log entry, but does not have any effect on VPN connections relating to this root certificate.

2.3.3.2 Certificate Revocation Tab

Fig. 515 Certificate Revocation Tab
If a CRL is already included within the certificate, import the CRL URI by clicking the Load paths from certificate button.

To add a CRL URI manually, insert the CRL details into the fields available in the URI, Login and Proxy sections and then click the Add button.

List 511 VPN Configuration - Root Certificates - Certificate Revocation Tab URI Section
Parameter | Description
Protocol | From this list, select the needed connection protocol. The following protocols are available:
Protocol | Default port | Comment
LDAP | 389 | DNS resolvable
LDAPS | 636 |
HTTP | 80 |
HTTPS | 443 |
Note: In LDAP directories, valid CRL file types are restricted to .pem and .crt files.
Host | DNS resolvable host name or IP address of the server that makes the CRL available.
URL-Path | Path to the Certificate Revocation List (CRL) (for example cn=vpnroot,ou=country,ou=company,dc=com?cn=*). Note: When the CRL is made available through SSL encrypted LDAP (LDAPS) take the following into consideration: To enable connection establishment, the CRL has to be referred to by using the fully qualified domain name (that is the resolvable host name) in the CN subject. For example, if a server's host name is server.domain.com it has to be stated in the URL-path as follows: cn=vpnroot,ou=country,ou=company,dc=com,cn=server.domain.com.

Note:
The A-Trust LDAP server requires that a CRL distribution point referring to it MUST terminate with a CN subject. Therefore, as from Barracuda NG Firewall 3.6.3 when loading the CRL from a certificate, the search string "?cn=*" will automatically be appended, if the CRL is referring to an LDAP server and if a search string (CN subject) is not available in the search path by default. Note that existing configurations will remain unchanged and that the wildcard CN subject does not conflict with other LDAP servers.

List 514 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Tab
Parameter | Description
Phibs Scheme | Allows selection of an OCSP scheme (default: ocsp).

List 515 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Identification Tab
Parameter | Description
CA Root | Specifies how the OCSP server is verified. The following options are available:
This root certificate - The OCSP server certificate signing the OCSP answer was issued by this root certificate.
Other root certificate - The OCSP server certificate signing the OCSP answer was issued by another root certificate. This other root certificate has to be imported via parameter Other root (see below).
Note: Take into consideration that the extended certificate usage is set to OCSP signing in the OCSP-server certificate when using This root certificate or Other root certificate.
Explicit Server certificate - The OCSP server certificate signing the OCSP answer may be self-signed or another certificate. This X.509 certificate has to be imported via parameter Explicit X.509 (see below).
Other root | If CA Root is set to Other root certificate, this certificate has to be imported via the Ex/Import button (either in PEM or PKCS12 format).
Explicit X509 | If CA Root parameter is set to Explicit Server certificate, this certificate has to be imported via the Ex/Import button (either in PEM or PKCS12 format).

2.3.4 Server Certificates Tab

This tab displays the available server certificates.

Fig. 516 Server Certificates with Open Context Menu
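The two LDAP rules the Certificate Revocation tab describes (the wildcard "?cn=*" search string appended to an LDAP CRL path that has none, and the FQDN that an LDAPS path must carry as a CN subject), applied to CRL distribution point URIs as an added example; this is not code from the guide or the product, the URIs and function names are constructed, and DEFAULT_PORTS only restates the Protocol table above.

```python
"""Added example, not Barracuda code: apply the LDAP rules the Certificate
Revocation tab describes to CRL distribution point URIs. All URIs below are
constructed samples."""
from urllib.parse import urlsplit

# Default ports from the Protocol table of the URI section.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "http": 80, "https": 443}


def crl_uri_fields(uri: str) -> dict:
    """Split a CRL URI into the Protocol / Host / URL-Path fields of the tab,
    filling in the protocol's default port when the URI names none."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported CRL protocol: {parts.scheme!r}")
    path = parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    return {
        "protocol": scheme.upper(),
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "path": path,
    }


def normalize_crl_uri(uri: str) -> str:
    """Append the wildcard search string '?cn=*' to an LDAP or LDAPS CRL path
    that carries no search string (the behaviour the guide describes for CRLs
    loaded from a certificate as of release 3.6.3). Other protocols and paths
    that already have a search string are returned unchanged."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("ldap", "ldaps") or parts.query:
        return uri
    return uri + "?cn=*"


def ldaps_cn_check(uri: str) -> bool:
    """For LDAPS the CRL path must name the server's fully qualified host name
    in a CN subject, e.g. ...,dc=com,cn=server.domain.com. Returns True when the
    path does (or when the protocol is not LDAPS). Assumes RDN values contain
    no escaped commas."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ldaps":
        return True
    host = (parts.hostname or "").lower()
    rdns = [rdn.strip().lower() for rdn in parts.path.lstrip("/").split(",")]
    return f"cn={host}" in rdns


if __name__ == "__main__":
    samples = [
        "ldap://crl.example.com/cn=vpnroot,ou=country,ou=company,dc=com",
        "ldaps://server.domain.com/cn=vpnroot,ou=country,ou=company,dc=com,cn=server.domain.com",
        "http://crl.example.com/vpnroot.crl",
    ]
    for s in samples:
        print(crl_uri_fields(normalize_crl_uri(s)), "ldaps cn ok:", ldaps_cn_check(s))
```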
Tunnel Interface (GTI) is described in Barracuda NG Control Center 15. VPN GTI, page 490.

Note:
Merging of local VPN GTI Settings (as configured through the parameters below on each box) and global VPN Settings (applying for a specific VPN group, see 15.2.2 Defining Global Settings for a VPN Group,

List 517 VPN Configuration - VPN GTI Settings Proxy Section
Parameter | Description
Accept Identification Type | Defines the identification type required for VPN access. The following authentication methods may be used: Public Key; X509 Certificate (CA signed); X509 Certificate (explicit); Box SCEP Certificate (CA signed).

Fig. 517 Configuration Dialog for L2TP

List 520 VPN Configuration - L2TP/PPTP Settings - PPTP PPTP Settings Section
Parameter | Description
Idle Timeout | If this value (in seconds; default: 300) is exceeded without having traffic over the VPN tunnel, the connection is terminated.
User Authentication | Choose a user authentication: Local-use-database or Remote MS-CHAP-v2.

Note:
PPTP is not enabled by default. Set PPTP Enable to yes

Timeout [s] | 10). A rule of thumb: the faster the connection, the shorter this timeout can be set.
Local Tunnel IP | Server-side IP address of the tunnel.
Pool IP-Begin | Starting IP address for the IP-address pool available to clients.
Failure / Echo Interval | LCP lost echoes and the time period an echo reply may last (default for both parameters: 0).

[Figure: flowchart. "Requirements for personal remote access met?" If No: "Introduce & configure: Box, Server, Firewall, VPN Service". "VPN groups required?" If Yes: "Get group_name (DC, OU, ...)"; if No, continue.]
The Client to Site item (accessible through Config > Virtual Servers > Assigned Services > <servicename> (vpnserver)) is used for configuring remote VPN connections between a Barracuda NG Firewall and the Barracuda NG VPN Client with usage of Barracuda Networks certificates and private-public key pairs (no groups) (see 1.4.2.1 Client to Site VPN, phion x.509 Certificate, page 213).

[Figure: pool licensing diagram with the elements Password (******), Personal license certificate, Pool license, Public key pool and VPN server license.]

Note:
VPN pool licenses must be imported into the Personal VPN section of the VPN server. Do not treat VPN pool licenses like box licenses and do not import them into the pool license section of the global CC Identity settings.

To install a VPN pool license, right-click into the main window of the Pool Licenses tab and select whether to import from file or from clipboard.

If the Pool license has been delivered to you in a .lic file, import it by selecting Insert License from File from the context menu.

The Pool License Certificate appears after submission and confirmation of the password defined at purchase.

Fig. 521 Pool License Certificate
Fig. 522 Pool License in Plain Text Format

Note:
The plain text certificate may be transformed into a Barracuda Networks license (.lic) file, by saving its content to a text file and changing the file ending to .lic.

As soon as pool licenses have been installed and herewith activated, personal licenses can be distributed.

To create a personal VPN license, mark the responsible pool license, right-click into the bottom part of the Pool Licenses tab main window and select New personal license from the context menu.

The following personal licenses configuration window opens:

List 522 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation
Parameter | Description
License is disabled checkbox | Sets either the license to disabled state or not.
License field | Name of the license - read-only; used syntax: poollicensename-IndexNo
Used by field | Name of the user the license is assigned to.
Stat. Name field | Name of the license to be shown in statistics. Note: In case multiple licenses exist, it might sometimes be useful to create cumulative statistics.

List 523 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation IP Address & Networking Section
Parameter | Description
Network pull-down menu | Personal VPN network (defined in the server settings Personal Networks Tab, page 218).
Nr. pull-down menu | IP, taken out of the VPN pool, to be assigned to the client. Setting this value to dyn allows dynamic allocation.
Use Template pull-down menu | Template, if templates are in use. Otherwise click on Parameters.
Parameters button | Network settings, if no templates are used (figure 524, page 226).
ENA pull-down menu | Defines whether ENA (Exclusive Network Access) is activated for this license. Active ENA disables any access to other networks the client is connected to.

List 524 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation Password and Peer Restriction Section
Parameter | Description
Scheme pull-down menu | Authentication scheme used for user authentication.
User ID field | User name required for authentication.
VPN-Type | Select the appropriate option: Personal + SSL, Personal Only or SSL Only. Note: This parameter takes effect when connecting via SSL-VPN and the authentication scheme Local is selected.
Change Server Password button | Password needed for connection to the VPN server.
ACL list | Access control list for VPN connections. The client is only allowed to connect to the VPN server from one of these IP addresses or address ranges.

List 525 VPN configuration - Client to Site - VPN CA Tab - Personal License Creation Active Certificate / Obsolete Certificate Section
Parameter | Description
Note: The Usage listing to the right defines whether only the active key is permitted or both active AND obsolete key.
License Type pull-down menu | Type of license; File or Certificate Store based.
Server Key pull-down menu | Pre-defined server private key.
Edit Certificate button | Information within the VPN certificate.
Create New Key button | New user private key.
Import Key button | Import a user private key either from clipboard or from file.
Copy to Obsolete button | Copy the current certificate to obsolete. This way it is possible to create a new certificate without losing the information of the old one.
Usage pull-down menu | Selects whether the user can only log in with the active certificate or also with a certificate that is set to obsolete status.
Export to Clipboard button | Export the certificate to the clipboard. Clicking the button opens a dialog where you can additionally protect the certificate with a password.
Export to File button | Export the certificate to a file. You've got to choose whether you want to protect the certificate with a password or not.
Export Issuer Cert button | Exports the issuer certificate to a .cer-file.
Certificate Mgmt button | Opens the Crypto Provider Frame.

2.6.1.2 Templates Tab

This tab lists all templates that have been introduced on this VPN server.

Templates contain sets of parameters (DNS server IP, WINS server IP, ...) needed for personal VPN access. Define templates with pre filled-in frequently used data content, to facilitate VPN client profile administration.

In order to create a new template, lock the dialog, and click New Template within the context menu.

Fig. 524 Template Configuration

List 526 VPN Configuration - Client to Site - VPN CA Tab - Template Creation
Parameter | Description
Name | Name of the template (for example, the name of the user the template will be assigned to).
DNS | IP address of the DNS server assigned to the client.
WINS | IP address of the WINS server assigned to the client.
Domain | DNS domain assigned to the client.
VPN Rules | From this list, a rule set may be selected and therewith assigned to a VPN client's Barracuda NG Personal Firewall during an active VPN connection (6. Configuring the Personal Firewall, page 257).
Offline Rules | From this list, a rule set may be selected and therewith assigned to a VPN client's Barracuda NG Personal Firewall. The offline rule set is applicable while the client is not connected to a VPN server. Note that the Offline Rule Set overwrites a possibly existing user customized local rule set defined in the Barracuda NG Personal Firewall on the client itself (6. Configuring the Personal Firewall, page 257).
Message | From this list, a predefined welcome message (see 2.6.3 Messages Tab, page 232) may be selected and therewith assigned to a VPN client.
Bitmap | From this list, a predefined bitmap (see 2.6.4 Pictures Tab, page 232) may be selected and therewith assigned to a VPN client.
Key Time Limit | Defines the period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
Key Traffic Limit | Defines the amount of traffic after which the re-keying process is started. Possible settings are: No Limit, 50 MB, 10 MB (default), 5 MB, 1 MB.
Tunnel Probing | Defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) will be in charge. Available pre-defined time values (in seconds) are:
- silent (no probes are sent; disables the parameter)
- 10 secs
- 20 secs
- 30 secs (default)
- 60 secs
List 526 VPN Configuration - Client to Site - VPN CA Tab - Template Creation (continued)
Parameter | Description
Tunnel Timeout | If, for any reason whatsoever, the enveloping connection breaks down, the tunnel needs to be re-initialized. This is extremely important for setups with redundant possibilities in order to build the enveloping connection. The parameter defines the period of time after which the tunnel is terminated. The pre-defined available values (in seconds) are:
- 10 secs
- 20 secs (default)
- 30 secs
- 60 secs
Note: The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet connections or connections over a dedicated line.
Network Routes | Routes assigned to the client when connecting to the VPN server. Note: Up to 63 network routes may be defined.
Accepted Ciphers | Encryption method allowed for users of this template when connecting to the VPN server.

2.6.2 External CA Tab

2.6.2.2 Gathering Group Names

In order to have a working group VPN, you've got to know the proper group names. The corresponding group names can be obtained from your assigned administrator.

Note:
If MSAD or LDAP is used, the distinguished names are used for group_name; please have a look at Appendix 1.1 How to gather Group Information, page 544.

2.6.2.3 Configure VPN Group Policies

In order to create VPN policies, enter the External CA tab, lock the configuration dialog and enter the required information into the tabs described in the following.

Note:
As the configurations of Rules and Policies are interdependent on settings configured within the other tabs Common, Barracuda and IPSec, the following configuration sections are described right-to-left beginning with a description of tab IPSec.
2.6.2.5 Barracuda Tab

List 529 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Barracuda Section
Parameter | Description
Name field | Name of the dataset. By ticking the checkbox Disabled, the settings are disabled.

List 530 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Accepted Ciphers Section
Parameter | Description
This section specifies the encryption algorithm(s) to be accepted from the client at connection time. If the client tries to establish a tunnel using a cipher type not specified here, then it will not be able to connect.

List 531 VPN Configuration - Client to Site - External CA Tab > Common Tab Common Section
Parameter | Description
Statistic Name field | Name to be displayed within the statistics.
Assigned Network pull-down menu | The defined networks (see 2.3.1 Personal Networks Tab, page 218) are available for selection here.
DNS field | IP address of an optional DNS server.
WINS field | IP address of an optional WINS server.

List 532 VPN Configuration - Client to Site - External CA Tab > Common Tab Network Routes Section
Parameter | Description
This section is used to define network routes. Enter an IP address and click Add to add the entry to the listing on the right side.
Note: You may define up to 63 network routes.

List 533 VPN Configuration - Client to Site - External CA Tab > Common Tab ACL Section
Parameter | Description
This section is used to define the ACL (Access Control List). Enter an IP address and click Add in order to add the entry to the listing on the right side.

2.6.2.8 Configure VPN Group Rules

The VPN group rules specify the global settings for VPN personal tunnels using an external x.509 certificate and group configurations, such as which kind of certificate is to be used, or the type of authentication scheme.

The configuration consists of two separate instances:
- General settings, available via the link on top of the tab (alternately, the context menu entry Group Match Settings ...)
- Group policy conditions, available via the context menu entry New Rule

Note:
Take into consideration that it might be necessary to move the available group policies up and down in the list due to the sequential processing order. This movement is done by first selecting a policy item and then using the context menu entries Up or Down.
2.6.2.7 Policy Tab

If settings at the tabs Common, Barracuda and IPSec have not yet been configured and therefore can't be selected within the corresponding tabs as described here, then you may generate a new data set using the New button. Furthermore, an existing data set may be modified by selecting it and subsequently clicking Edit.

2.6.2.9 Change Group VPN Settings

Fig. 529 Change Group Match Settings

List 534 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings X.509 Client Security Section
Parameter | Description
Mandatory Client Credentials | Specifies the certificate to be used: X.509 Certificate - enforces authentication via certificate. External Authentication - enforces authentication via username / password. Concurrent activation of both options forces both, certificate AND username / password authentication.
Certificate Login Matching | Specifies whether the alternative name in the certificate has to match the user login for successful authentication. Therefore, subjectAltName must contain an email type value and the user part of the e-mail address must match the login name (see 1.4.2 Authentication, External x.509 Certificate with Password Request, page 214, and/or, if not selected, External x.509 Certificate with User and Password Request, page 213).

List 535 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings Server Section
Parameter | Description
Authentication Scheme | Authentication scheme to be used. The following values are available: ldap, msnt, msad, radius, rsaace
Server Certificate | All available server certificates (see 2.3.4 Server Certificates Tab, page 221). When selecting -Use-Default-, the default server certificate is used (see 2.3.3 Root Certificates Tab, page 220).
Server Protocol Key | The key to be used. The entry -From-Server-Cert- causes the server certificate key to be used. Alternatively, any readily configured key that had been created within the VPN Server Settings (see 2.3.2 Server Key/Settings Tab, page 219) may be activated.
Used Root Certificates | The root certificate to be used to verify this VPN partner. The entry -Use-All-Known- allows all available root certificates to be used for the partner verification process. Alternatively, an explicit root certificate may be selected.
LDAP IP Attribute | Name of the attribute containing the IP address to be assigned to a VPN user. Only IP addresses from one of the personal networks configured within the VPN settings are allowed.
LDAP VPN Group Attribute | Name of the attribute containing the name of the group policy to be assigned to a VPN user. The rules within the assigned policy overrule other existing group policy rules. There will be no connection possible if this attribute contains a nonexistent policy name.
X509 Login Extraction Field | Name of the attribute within the certificate containing the username. The VPN server requires a username of the VPN user for successful pre-authentication. If authentication takes place only using x.509 certificates, the VPN server needs to extract the username out of the x.509 certificate. Available fields: CN (Common Name), altName (Alternative Name), emailAddress (EmailAddress).

List 536 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings section Preauthentication
Parameter | Description
Pre-authentication Scheme | Pre-authentication scheme to be used. The following values are available: ldap, msad, tacplus

Preauthentication Details:

List 537 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group VPN Settings > Preauthentication Details
Parameter | Description
LDAP Authentication Selector Field | Name of the attribute within the LDAP compatible directory service / MSAD wherein the name of the authentication scheme is enclosed. Therewith, it is possible to assign a different authentication scheme to every user. The identifiers are the same as in the authentication service, e.g. MSAD. If there is an additional MSAD authentication scheme configured, the identifiers are user-specific, e.g. MSAD-HQ, RADIUS, etc. The values of the attribute can be transformed by right-clicking into the field beneath. For the attribute authScheme, e.g., enter the value pattern HQ and the scheme name msad2. The authentication service msad2 will then be used for the final authentication. Note: The authentication scheme defined within the Group VPN Settings will be deactivated as soon as this field is used.
LDAP Alternative Login Name Field | Name of the attribute containing an alternative login name. If users need to use different login names for authentication at the authentication server, these different login names may be defined on the pre-authentication server.
LDAP Group Information | Defines whether the group information of the pre-authentication server or the one of the authentication server will be assigned to VPN users.

Group Policy Condition:

This section displays all configured VPN group policies.

Right-click into the tab's main window and select New Rule from the context menu in order to create a new group policy or mark an existing policy. Subsequently, select Show/Edit to view or edit the settings.

Fig. 531 Configuration Dialog - Group Policy Condition
If an LDAP compliant directory server has been chosen to List 539 VPN Configuration - Client to Site - External CA Tab > Rules Tab >
Group Policy Condition > AD Lookup > AD Lookup Advanced Settings
be used for external authentication, clicking the Lookup
button within External Group Condition (from external Parameter Description
authentication) will open a dialog window allowing for Timeout Number of seconds the client will wait for the server to
return the result.
more specified condition filtering within user or group data
Login DN Authentication characteristics of the defined directory
received from the MSAD: server.
Port Port of the directory server.
Fig. 532 AD Lookup Dialog
Use SSL Selects whether to use Secure Socket Layer or not.
Group Applies the match pattern defined within Object Filter
to group data.
User Applies the match pattern defined within Object Filter
to user data.
Object Filter Pattern string to be validated for matching.
2.6.2.10 Security
List 540 VPN Configuration - Client to Site - External CA Tab > Rules Tab >
Group Policy Condition
Parameter Description
Assigned VPN This list contains the available VPN group policies (see
Group Policy 2.6.2.3 Configure VPN Group Policies, page 227).
List 541 VPN Configuration - Client to Site - External CA Tab > Rules Tab >
Group Policy Condition X509 Certificate Conditions Section
Parameter Description
Choose whether to use the current AD connection by checking or unchecking the Use Current AD connection checkbox. If unchecked, connection details may be set within the Connection section of the dialog.
The Advanced... button leads to another dialog with advanced settings, allowing the definition of certain timeout values.
The Object Filter field below accepts the entry of a string pattern needed for a match. Either Group or User data will be used as matching criteria by selecting the appropriate radio button.
The lower half of the dialog, titled Lookup Results, allows for querying the AD and testing match patterns as a help while assembling the object filter pattern.

List 538 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup
Parameter Description
Use Current AD connection - Selects whether to use the current connection or not. If this checkbox is active, the values defined within Connection will not be used.
Defined Connections - Dropdown to select a predefined connection.
Host Name or IP Address - The directory server's URI.
Login DN - Authentication characteristics of the defined directory server.
Port - Port of the directory server.
Use SSL - Selects whether to use Secure Socket Layer or not.
Group - Applies the match pattern defined within Object Filter to group data.
User - Applies the match pattern defined within Object Filter to user data.
Object Filter - Pattern string to be validated for matching.

List 539 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup > AD Lookup Advanced Settings
Parameter Description
Time Limit - Number of seconds the server waits for a search to complete.
Paged Time Limit - Number of seconds the server should wait for a page of search results.

Subject - Type of group information to be taken into consideration. Clicking Edit/Show will open the Certificate Condition dialog (figure 533). This field uses pattern matching. If e.g. multiple OUs are required, they need to be separated using the / (slash) character. E.g., entering FOO*/COMPANY will result in a match for all subjects containing OU=FOO* just like OU=COMPANY.
Note:
For in-depth details about group information within MSAD or LDAP authentication schemes, see Appendix 1.1 How to gather Group Information, page 544.
Certificate Policy - Required value of the certificate policy field (e.g. OID: 2.5.29.32).
Generic OID - v3-extension field per OID number.
Content - Required content/value of the Generic OID field.

Fig. 533 Certificate Conditions Configuration

List 542 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition External Group Condition Section
Parameter Description
Group Pattern - Pattern to match (case insensitive) for groups from an external authentication method (e.g. OU=Department1*).

List 543 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition Peer Condition Section
Parameter Description
Barracuda Client / IPSec Client - Methods to be used by the VPN partners to allow the VPN tunnel establishment.
Peer Address / Network - ACL containing networks (address/mask) defining the allowed peer IPs. By clicking Add, a value is entered into the list to the left of this field. By selecting an entry in the list and clicking Delete, the entry in question can be removed.
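The Subject condition above describes slash-separated alternatives with wildcards (FOO*/COMPANY). The following is an added example, not Barracuda code: it evaluates such a pattern against the OU attributes of certificate subjects so that an administrator can test a pattern before committing it to a rule. The pattern grammar (alternatives split on "/", shell-style wildcards, case-sensitive matching) is an assumption derived from the one example on the page, and the subjects are constructed sample data.

```python
"""Evaluate a Subject OU pattern such as "FOO*/COMPANY" against certificate
subjects.  Added example, not Barracuda code: the VPN server's real matching
rules are not published on this page, so the grammar below is an assumption."""
from fnmatch import fnmatchcase


def parse_subject(subject):
    """Split an RFC 2253-style subject into (ATTRIBUTE, value) pairs.
    Assumes values contain no escaped commas (true for the constructed data)."""
    pairs = []
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def ou_matches(subject, pattern):
    """True if any OU of the subject matches any "/"-separated alternative.
    An empty pattern matches nothing, so a blank rule never grants a policy."""
    alternatives = [alt for alt in pattern.split("/") if alt]
    ous = [value for attr, value in parse_subject(subject) if attr == "OU"]
    return any(fnmatchcase(ou, alt) for ou in ous for alt in alternatives)


def matching_subjects(subjects, pattern):
    """Filter a list of subjects down to those the pattern would accept."""
    return [s for s in subjects if ou_matches(s, pattern)]


# Constructed sample subjects (not taken from any real deployment).
SAMPLE_SUBJECTS = [
    "CN=alice,OU=FOOBAR,O=Example Corp,C=AT",
    "CN=bob,OU=COMPANY,O=Example Corp,C=AT",
    "CN=carol,OU=SALES,O=Example Corp,C=AT",
    "CN=dave,OU=FOO,OU=SALES,O=Example Corp,C=AT",
]

if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(ou_matches(subject, "FOO*/COMPANY"), subject)
```

Because a wildcard such as FOO* also accepts FOOBAR, it is worth running the intended pattern over the subjects actually issued by the CA before relying on it for policy assignment.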
2.6.5.1 Security

List 544 VPN Configuration - Client to Site - Registry Tab > New Registry Rule Set Registry Entry Section
Parameter Description
Path - Enter the path to the registry entry that is to be checked.
Value - Enter the value for the required readout.
Action - Specify the action to take on value mismatch. Possible actions are termination of the connection (default) or generation of a warning message.

Note:
You may define up to 2048 VPN tunnels (sum of client-to-site and site-to-site tunnels).

In order to access the configuration dialogs, double-click Site to Site (accessible through Config > Virtual Servers > Assigned Services > <servicename> (vpnserver)).

The main task in building a Virtual Private Network is the creation of IP tunnels. The basics of IP tunnelling are rather simple. The goal is to get a transparent connection from a host within a local network to another host within a partner network.

Note:
Barracuda Networks provides a tool called vpnadminclt (/opt/phion/bin/) for direct access on the VPN server for the "root" user.
Usage of this tool:
/opt/phion/bin/vpnadminclt <server>_<service> <protocol command>
Available commands:
• kill <name> (example: kill FW2FW-2hq1) - terminates a Site-To-Site tunnel
• ipsechardkill <name> - terminates IPsec site-to-site tunnels
• init <name> (example: init FW2FW-2hq1) - establishes a tunnel
• disable <num> <name> (example: disable 0 FW2FW-hq1) - disables (num is 0) or enables a tunnel permanently (num is -1), or enables a tunnel with a time limit of x seconds (num is greater than 0)

Fig. 536 Scheme with the Basic Notations of VPN Tunnelling (labels: Local network, Partner network, VPN server 1, VPN server 2 (Partner server), Secure encrypted IP tunnel, IP used for tunnel, Peer IP, VPN is ready to use)

2.7.1 Configuring TINA Tunnels (Firewall-to-Firewall Tunnels)

Step 1 Enter config tree entry Site to Site > TINA Tunnels tab and lock the configuration dialog

Step 2 Create a new tunnel object
Access the tunnel configuration dialog via the context menu entry New TINA tunnel

Step 3 Set the general tunnel settings
Fig. 537 Tunnel Configuration (Tunnel parameters)

2.7.1.1 Security

List 545 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel General Tunnel Settings Section
Parameter Description
Name - Tunnel name, needed for informational and partner identification purposes.
Note:
The maximum length of this parameter is 64 characters.
Disabled checkbox - Disables the tunnel manually.
Direction - Operational mode of the tunnel. Each tunnel may be operated in one of the following modes:
  Active: An active VPN server accepts tunnel requests and it tries to initiate the tunnel connection. When the tunnel is down for a defined time (see Tunnel Timeout, page 234), it will clean its state to accept retries from its partner. Furthermore, it will try to initiate the connection by itself.
  Passive: A passive VPN server does not build up the tunnel, it merely accepts requests from its partner. If the tunnel is down for a defined time (see Tunnel Timeout, page 234), it will clean its state to accept retries from its partner.
  Note:
  Do not try to establish a tunnel between two passive VPN servers as both would wait for the other to initiate the tunnel.
  OnDemand: This direction type is only of interest in combination with traffic intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). A VPN server set to direction mode OnDemand will actively build up a connection and will then terminate it again as soon as the connection times out. This timeout is configured through the On Demand Transport Timeout (page 239) parameter.
  Note:
  It is possible to set both VPN servers to OnDemand in the GTI editor (Barracuda NG Control Center 15.2.2.4 Defining Tunnel Properties, page 495).
List 545 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel General Tunnel Settings Section (continued)
Parameter Description
Transport - Transport mode of the tunnel; only accessible if Direction is set to active. Four options are available:
  UDP: Tunnel uses UDP port 691 to communicate. This connection type is suited best for response optimized tunnels.
  TCP: Tunnel uses TCP connection on port 691 or 443 (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies.
  UDP&TCP: Tunnel uses TCP AND UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.
  ESP: Tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance optimized tunnels.
  Note:
  Do not use ESP if there are filtering or NAT interfaces in between.
  Routing:
  Attention:
  Unencrypted data.
  This transport type is only of interest in combination with traffic intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). Specifying routing as transport disables data payload encryption within the tunnel. This transport method should only be used for uncritical bulk traffic. Transport type Routing activates parameter Routing Next-Hop within the VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel TI Transport Classification Section List 546 (page 236), where the next-hop address for the routed data packets is to be specified.
Encryption - Encryption mode the tunnel wants to establish as the active part. Tunnels work by utilising various encryption algorithms. The initialising partner tries to establish the encrypted connection by offering only one of the following methods.
  AES: Advanced Encryption Standard; default; capable of 128/256 bit key length
  3DES: Further developed DES encryption; three keys with each 56 bit length are used one after the other resulting in a key length of 168 bit.
  CAST: by Carlisle Adams and Stafford Tavares; algorithm similar to DES with a key length of 128 bit.
  Blowfish: works with a variable key length (up to 128 bit)
  DES: Data Encryption Standard; since DES is only capable of a 56 bit key length, it cannot be considered as safe any longer.
  Attention:
  Never use DES with strictly confidential data.
Key Time Limit - Period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
HW Acceleration - Selects the preferred encryption engine, that is the CPU or a hardware accelerator if present. This allows for load balancing between CPU and an optional crypto card with more than one tunnel in use.
  Use Acceleration Card (if present) (default): To be used if a crypto accelerator hardware board is in use. Note that the corresponding module supporting the card has to be loaded within the local firewall settings (see VPN HW Modules, page 136).
  Use CPU: Use CPU acceleration.
Tunnel Probing - The probing parameter defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) is in charge. Available time values (in seconds): silent (send no probes; this disables the parameter), 10 secs, 20 secs, 30 secs (default), 60 secs.
Tunnel Timeout - If, for some reason, the enveloping connection breaks down, the tunnel has to be re-initialized. This is extremely important within setups with redundant possibilities to build the enveloping connection. The parameter defines the period of time after which the tunnel is terminated. Available time values (in seconds): 10 secs, 20 secs (default), 30 secs, 60 secs.
  Note:
  The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet connections or connections over a dedicated line.
Authentication - Algorithm used for authentication. Available methods:
  MD5: Message Digest 5. Hash length is 128 bit.
  SHA: Secure Hash Algorithm. Hash length is 160 bit.
  NOHASH: See 1.4.6 Excursion: Description of VPN NoHash Security Issues, page 215.
  RIPEMD160: RACE Integrity Primitives Evaluation Message Digest. Hash length is 160 bit.
  SHA256: Secure Hash Algorithm. Hash length is 256 bit.
  SHA512: Secure Hash Algorithm. Hash length is 512 bit.
Key Traffic Limit - Amount of traffic after which the re-keying process is started. Available values: No Limit, 50 MB, 10 MB (default), 5 MB, 1 MB.

Step 4 Set the tunnel parameters
The tunnel parameters section is split into the following tabs:
• Identify tab
This defines the identification type (Public Key, X509 Certificate (CA signed) or X509 Certificate (explicit), Box SCEP Certificate (CA signed)).
• Partner tab
Depending on whether the tunnel direction is passive or active, the partner server may be a whole subnet (passive mode) or needs to be defined by single IPs (active and bi-directional mode). The usage of more IPs for redundant tunnel enveloping connections is described in 5.4 Redundant VPN Tunnels, page 255.
Import the public key of the tunnel partner via clipboard or file. Principally, the public key is not needed. However, it is strongly recommended to use strong authentication to build up the tunnel enveloping connection.
If you have two different tunnel connections configured between the same two peers, the keys are mandatory.
The Accepted Ciphers section is used for defining the accepted encryption methods [...] Intelligence (TI)). See the TI tab description below (page 238).
• Partner Networks tab
The VPN tunnel makes partner networks accessible through the assigned VPN interfaces. Insert the address(es) of the partner network(s) into the Addr/Mask list.
The tunnel is fed through vpn0 by default. You may use another VPN interface by adjusting the VPN Device Index.
Note:
You have to create indexed VPN interfaces first if you want to use this option (2.3.2 Server Key/Settings Tab, Device Index, page 220).
Select the Advertise Route checkbox to propagate routes to the partner networks using OSPF/RIP.
• Local Networks tab
The local networks that should be able to reach the partner networks. This may be a list of networks or single IP addresses. Since this setting is typically shared by several tunnels, it may be defined within the menu item Local Networks and referenced within the single tunnel configurations.
• Parameter tab
Use this tab to define the connection type.

2.7.1.2 Traffic Intelligence (TI)

The aim of VPN traffic intelligence employment is to offer a multi-transport construct within a VPN tunnel allowing for reliable and failsafe network connectivity. The multi-transport TI implementation within the Barracuda NG Firewall accommodates the following needs:
• Transports can be identified and classified. Transport classes are broken down into Quality, Bulk and Fallback traffic.
• Multiple transport methods (TCP, UDP, ESP, IP addresses, Cipher, Hash, Compression, ...) may be used in one tunnel at the same time.
• Transports may either be used simultaneously or on demand.
• Transport selection policies may be defined to steer network traffic.
• Standard routing may be used for uncritical traffic.
The diagram below shows the usage of different lines for different transport classes, e.g. provider lines for bulk transport (top), a frame relay for quality transport (middle), and UMTS (bottom) for fallback transport:
Fig. 538 Traffic Intelligence (TI)
See figure 539 to understand the mechanism of transport selection policy:
Fig. 539 Transport Selection Policy (axes: Cheap to Expensive; rows: TI exclusion, TI class (Bulk, Quality, Fallback), TI status, TI ID 0-7 per class; markers: Secondary transport, Preferred transport; Transport selection policy: First try cheaper then try expensive)

Multiple transport classes have been created for a TINA tunnel. As shown in figure 539, the following transports are available: Quality transport (TI-IDs 0, 2, 3, 5, 7), Bulk transport (TI-IDs 0, 1, 3, 7), Fallback transport (TI-IDs 0, 1, 3, 5, 6).
A connection object has been configured to use Quality transport with TI-ID 5 (Q5) as preferred transport and Bulk transport with TI-ID 3 (B3) as secondary transport. If both transport mechanisms fail, at first the cheaper, subsequently the more expensive transport is to be used. This policy will have the following effect, if a firewall rule refers to the connection object:
• Q5 will be tried first.
• If the line is not available, then B3 will be tried next.
• If this line is also not available, then the next transport class with TI-ID smaller than the preferred transport's will be tried. For this example, this is Q3. The succession to the cheaper end would now proceed towards Q2, Q0, B7, B3, B1, and B0.
• If none of these lines are available, tries will proceed towards the more expensive direction, resulting in trying the next higher class to the preferred transport, Q7. The succession would afterwards reach further from F0, F1, F3, ...
Note:
Transport classification is a prerequisite to traffic classification. See below for a detailed description of available configuration values.

First of all, the values in list 546 must be defined:

List 546 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel TI Transport Classification Section
Parameter Description
TI Classification - This setting divides the transport rating into Bulk, Quality and Fallback traffic. Each transport inherits the identification type from its parent. Thus, keys and certificates may be shared among multiple transports. Transports may be equipped with unique keys and certificates though.
TI-ID - A Traffic Intelligence ID must be assigned to each added transport class in order to determine the transport selection policy succession. The values 0-7 are available, whereas lower numbers mean lower cost. The primarily created tunnel, being the first tunnel transport, is automatically regarded as Bulk transport with TI-ID 0. Each combination of transport classification and ID is unique in order to guarantee a consistent routing rule set. See figure 539 for a description of transport quality handling.
Compression - Compression support may be provided by the VPN engine for VPN client connections using Barracuda NG VPN Client. Generally, compression can be requested by the user. The server may or may not accept to serve the request depending on both its configuration and the license type assigned to the VPN client. Client compression is only available to those clients with a secure connector license assigned. The following settings are available:
  No (default): Denies VPN client compression requests.
  Packet Compression (Low Latency): This setting may be used for compression of all transport types.
  Stream Compression (Large Latency): This setting may only be used for compression of TCP based data streams. The attainable compression rate will be higher than can be achieved with packet compression.
  Note:
  The gateway hosting the VPN server must have a valid BOB license to use this feature. Refer to the product guide for license details. Whether your system is licensed for compression usage can be verified in the License Values field within the Control > Licenses tab (Control 2.5 Licenses Tab, page 37).
  Note:
  In order to activate compression operability, the VPN service has to be restarted after BOB license installation.
Routing Next-Hop - This parameter is only available when Routing is selected as Transport type (page 234). The direction must be set to Active to enable modification of the transport type. If the Transport type has been set to Routing, then you may change the direction to Passive again. Enter the next-hop address for forwarding of unencrypted data payload. Note that a next-hop IP address must be configured for both the active and the passive VPN partner.
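The figure 539 walk-through above lists the succession Q5, B3, Q3, Q2, Q0, B7, B3, B1, B0, Q7, F0, F1, F3, ... without stating the rule that produces it. The following is an added example, not Barracuda code: it reproduces that succession under the assumption that cost is ordered first by class (Bulk cheapest, then Quality, then Fallback) and then by TI-ID within the class, and it also covers the other Further Tries policies from List 547 so an administrator can see what a given connection object would actually try. The transport set is constructed from the figure 539 example.

```python
"""Transport selection succession for a TINA tunnel using Traffic Intelligence.
Added example, not Barracuda code.  Assumption: a transport's cost is its
class rank (Bulk < Quality < Fallback) followed by its TI-ID (0-7)."""

CLASS_RANK = {"B": 0, "Q": 1, "F": 2}   # Bulk cheapest, Fallback most expensive


def cost(transport):
    """Rank a transport label such as "Q5": class first, then TI-ID."""
    cls, tid = transport[0], int(transport[1:])
    if cls not in CLASS_RANK or not 0 <= tid <= 7:
        raise ValueError("invalid transport %r" % transport)
    return CLASS_RANK[cls] * 8 + tid


def selection_order(available, preferred, secondary=None,
                    policy="cheaper_then_expensive"):
    """Return the order in which transports are tried for one connection.

    available : configured transports of the tunnel, e.g. {"Q5", "B3", ...}
    preferred : Preferred Transport Class/ID of the connection object
    secondary : Second Try Transport Class/ID, or None for "None (Not Used)"
    policy    : Further Tries setting (names assumed, mirroring List 547)
    """
    avail = sorted(set(available), key=cost)
    pivot = cost(preferred)
    # Cheaper transports are tried nearest-first (Q3 before Q2 ...), the
    # more expensive ones likewise (Q7 before F0 ...), as in the example.
    cheaper = [t for t in reversed(avail) if cost(t) < pivot]
    expensive = [t for t in avail if cost(t) > pivot]
    further = {
        "cheaper_then_expensive": cheaper + expensive,
        "only_cheaper": cheaper,
        "expensive_then_cheaper": expensive + cheaper,
        "only_expensive": expensive,
        "stay": [],
    }
    if policy not in further:
        raise ValueError("unknown policy %r" % policy)
    order = [preferred] + ([secondary] if secondary else [])
    # The page's own succession lists the secondary transport (B3) a second
    # time once the further tries reach it, so no de-duplication is done.
    return order + further[policy]


# Constructed from the figure 539 example: transports present on the tunnel.
EXAMPLE_TRANSPORTS = (
    ["Q%d" % i for i in (0, 2, 3, 5, 7)]
    + ["B%d" % i for i in (0, 1, 3, 7)]
    + ["F%d" % i for i in (0, 1, 3, 5, 6)]
)

if __name__ == "__main__":
    print(" -> ".join(selection_order(EXAMPLE_TRANSPORTS, "Q5", "B3")))
```

The "only_cheaper" and "stay" orders are the ones that keep low-value traffic off expensive Fallback lines, which is the protective effect the Further Tries description attributes to a correctly configured policy.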
Step 5 Configure Transport Classification
A new transport mode is initially added to a tunnel through selecting the tunnel in the TINA Tunnels tab and choosing Add Transport from the context menu. This opens the TINA Tunnel configuration window with the Partner tab (see above) pre-selected.
Note:
For each transport, general tunnel settings and tunnel parameters may as well be specified individually.
Confirming the changed settings by clicking the OK button at the bottom of the configuration window will then insert a new data set into the TINA Tunnel tab.
TI transport modes of a TINA tunnel are flagged with an icon within the listing. Additionally, the specified transport mode and TI-ID are displayed within the Enabled column, whereas B stands for Bulk, Q for Quality and F for Fallback transport.
Note:
It is not possible to modify the TI classification setting retroactively.
Before proceeding to traffic classification in the TINA tunnel transport classes themselves, let us have a look at the configuration of connection objects.

Step 6 Configure Connection Objects for use with Traffic Intelligence
For transport and traffic classifications to become effective, connection objects defining utilisation of transport and traffic mechanisms must be inserted into rule sets. Connection objects are described in detail in Firewall 2.2.6 Connection Elements, page 153. Values of interest for TI are the VPN Traffic Intelligence (TI) Settings described below. Click Edit/Show to open the TI Settings window:

List 547 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Transport Selection Section
Parameter Description
Preferred Transport Class/ID - These multiple parameters define the first transport class and ID to use when the connection object is processed in a rule set. Available transport classes are Bulk, Quality and Fallback (On Demand), wherein each transport class may have a transport ID ranging from 0-7.
Second Try Transport Class/ID - These multiple parameters define the second transport class and ID to use when the connection object is processed in a rule set in case the first transport fails. Again, available transport classes are Bulk, Quality and Fallback (On Demand), each with transport ID from 0-7 possible. If no further transport attempt is desired, None (Not Used) can be chosen as configuration value. If only one transport is in use (B0), you may leave the default values here.
Further Tries Transport Selection Policy - This section defines further transport attempts in case the first and the second transport class fail. Configurable values are:
  First try Cheaper then try Expensive
  Only try Cheaper
  First try Expensive then try Cheaper
  Only try Expensive
  Stay on Transport (No further tries)
  Configuring this section is important because it allows an exact specification of when to abort the transport. Correctly configured, it protects from processing less important traffic over expensive lines (see figure 539, page 236, for better understanding).
Balance Preferred and Second - Select Yes or No.
  Note:
  Session-based load balancing does not balance packets from one single connection but instead dispatches multiple connections to one of the defined transports.
TI Learning Policy - This parameter setting determines general VPN tunnel endpoint firewall behavior this connection object is utilized in. Generally, it is reasonable to configure connection objects on both firewalls synchronously. TI Learning Policy Settings apply per connection session. The following configuration options are offered:
  Slave (learn TI settings from partner): This way, the connection object adapts settings from the partner connection object when answering a request.
  Master (propagate TI settings to partner): This way, the connection object propagates TI settings to the partner, thus forcing it to override its own configuration when answering a request.
  Note:
  Set these values with deliberation. Both partner objects set to Master might lead to unwanted transport effects; both set to Slave will miss information trim. Have a look at the process workflow in the Example for TI Learning Policy below.
Allow Bulk/Quality/Fallback Transports - Generally enables or disables transport classes for this connection object. By excluding expensive transports, this feature offers protection from unwanted transport utilisation.

List 548 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Traffic Prioritisation Section
Parameter Description
When using BULK / When using QUALITY - Only relevant if VPN transport is bandwidth protected. Sets traffic priority assignment.
  Note:
  For this to work, the Bandwidth Protection settings are to be configured within the TI tab (see Step 7 below) of the corresponding transport.

Example for TI Learning Policy:
Fig. 541 TI Learning Policy Scheme (FW1 (Master) - VPN1 - VPN2 - FW2 (Slave); transports Q1 and B0)

Table 55 Example for TI Learning Policy
Setting | Connection Object1 | Connection Object2
Preferred Transport Class/ID | B0 | Q1
Secondary Transport Class/ID | Q1 | B0
TI Learning Policy | Master | Slave

In the setup displayed in figure 541 firewall rules have been introduced allowing traffic from VPN1 to VPN2 and vice versa. Connection objects on both tunnel endpoints have initially been configured identically, but now the master connection object on FW1 has changed and been configured with B0 as preferred transport class / ID and Q1 as secondary transport class / ID. Traffic processing is now attempted from master to slave. The master propagates its settings to the slave. The slave adapts the information and
answers the connection request on B0, though this is not its own preferred transport.

Note:
The TI Settings window can be accessed from the Status tab in the Firewall Operative GUI (Firewall 6.3.2 Status List, page 179) through right-clicking an active transport session and selecting Change TI Settings from the context menu. Changes apply for the active session only.

Step 7 Configure Traffic Classification
In addition to classification of transports, traffic may be categorized to enable individual handling for specific purposes.
To configure traffic classification settings for a transport, open the corresponding data set in the TINA Tunnel window and select the TI tab in the tunnel parameters section.
Differentiated traffic classification options are available in the following:

Bandwidth Protection

List 549 VPN configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab - Bandwidth Protection Section
Parameter Description
Note:
Bandwidth protection within a transport relies upon a connection object being classified as low or high priority traffic. Configure this in the connection object itself (list 548, page 237).
Bandwidth Policy - These settings specify how much of the available bandwidth traffic may "grab" within a transport. The following settings are available:
  Best Effort (No Protection): In this mode, all traffic is processed through the transport with equal rights. An object's classification into low or high priority traffic is ignored. Full transport capacity might lead to bad response times and data loss.
  Dynamic Bandwidth (TCP Transport only): This setting is only available with parameter transport set to TCP, as this is the only transport mode allowing for dynamical bandwidth assignment.
  Note:
  When using TCP, this is the recommended policy. Nonetheless, limits for Low Priority traffic must be specified, as it is otherwise going to be discarded completely when it cannot allocate any bandwidth at traffic peak times. Default values are 60 % for the Upper Limit and 20 % for the Lower Limit. See below for a description of how limits are calculated.
  Attention:
  Undercutting the lower limit of 20 % will cause the discarding of low priority traffic.
  Fixed Bandwidth: A fixed bandwidth must be specified for all non-TCP transports, as for these, the bandwidth needs cannot be calculated dynamically. A disadvantage of this method is the initial bandwidth already being subject to a limitation. A rule of thumb is required to set the value correctly. The fixed bandwidth (in kbit/s) needs to be defined through the Estimated Bandwidth parameter. Again, values for Low Priority Upper and Lower Limit must be specified. See below for a description of how limits are calculated.
  Attention:
  Undercutting the lower limit of 20 % will cause the discarding of low priority traffic.

The fixed bandwidth method operates using a static maximum for the available bandwidth according to the value specified within the Estimated Bandwidth parameter.
In the default setting, 60 % of the maximum bandwidth are assigned as Low Priority Upper Limit and 20 % as Low Priority Lower Limit. This means:
• Low priority traffic may utilize up to 60 % of the bandwidth as long as high priority traffic does not claim any bandwidth.
• The Low Priority Lower Limit of 20 % applies as soon as the sum of high and low priority traffic rises above the Low Priority Upper Limit of 60 %. Low priority traffic won't be processed any further if it already consumes 20 % of the bandwidth. It will be discarded even if more bandwidth still would be available.
The available bandwidth may be consumed by up to 80 % high and 20 % low priority traffic. When high priority traffic requires capacity beyond this point, then low priority traffic is held back because high priority traffic is always privileged. Therefore, it might happen in the worst case that, at times, low priority traffic is discarded completely.
Note:
The Low Priority Lower Limit setting does not imply a guaranteed bandwidth reservation. It can rather be looked upon as a measure to prevent immediate low priority traffic discarding at peak traffic times.

VPN Envelope Policy

List 550 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy
Parameter Description
TOS Policy - Policy defining how to deal with the Type of Service (ToS) information within a packet's IP header. In networks, the ToS may be utilized to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. The following settings are available:
  Copy TOS From Payload to Envelope:
  Note:
  This setting can only be used with non TCP transports.
  In this mode, the packet's original ToS information is copied to the envelope. Thus, it remains available for utilisation.
  Fixed Envelope TOS: In this mode, ToS information is masked by enveloping it without consideration. This setting activates the parameter Envelope TOS Value (default: 0) where a fixed ToS value must be specified. All packets will then be assigned the same ToS information.
List 550 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy (continued)
Parameter Description
Band Policy -
  Note:
  Traffic shaping (Configuration Service 2.2.6 Traffic Shaping, page 82) must be configured for band policy settings to apply. Band policy settings work independently from bandwidth protection settings (see above).
  Band policy settings rely on connection objects being allotted to Bands in firewall rule sets. These settings specify the assignment of bandwidth to transports as a whole. Multiple transports may share a single band when processed through the same interface. The following settings determine the behavior:
  Use Band According to Rule Set: This setting uses the band from the firewall rule allowing traffic between the tunnel endpoints.
  Copy Band From Payload To Envelope: This setting uses the band from the firewall rule redirecting traffic to the VPN tunnel entry point. The band setting for the rule configuring traffic between the tunnel endpoints is then ignored.
  Fixed Envelope Band: This setting specifies a band statically. It activates the Envelope Band Value parameter below, where one of the available bands (System or Band A to Band G) must be selected.
Replay Window Size - The Replay Window Size is designed to assure sequence integrity and to avoid IP packet "replaying" in cases where, due to ToS policies assigned to VPN tunnels and/or transports, packets are not forwarded instantly according to their sequence number. The window size specifies a maximum number of IP packets that may be on hold until it is assumed that packets have been sent repeatedly and therefore sequence integrity has been violated. This value may also be defined globally (see Global Replay Window Size, page 219). If it is not set, and also no global value had been defined, then the default value of 32 packets is used. If a global value is set, then the global value is used.
  The effective replay window size is visualized within the Transport Details window (attribute: transport_replayWindow). This may be accessed by double-clicking the tunnel within the VPN monitoring GUI > Active tab (see 4. Monitoring, page 252).

List 551 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab Transport (complement) Section
Parameter Description
On Demand Transport Timeout - Only available with Direction mode OnDemand (page 233). It specifies the period of inactivity after which to terminate the tunnel (default: 60 seconds).
Delay - Only available with Direction mode OnDemand (page 233). When set, traffic is not processed the moment it arrives. Instead, it is delayed for the specified time span until more traffic has accumulated (default: 0 seconds, no delay).

2.7.2.1 Overview

... confidentiality and replay protection are transparent to any application operating on a higher layer than IP.
Note:
For general information concerning IPsec, see www.netbsd.org/Documentation/network/ipsec/
IPsec consists of three standards, namely:
• ESP (Encapsulating Security Payload)
  Note:
  Since ESP provides everything AH is capable of, but also provides data confidentiality and limited traffic flow confidentiality, we do not support AH yet.
• AH (Authentication Header)
• ISAKMP (Internet Security Association and Key Management Protocol), which consists of two steps:
  - Phase 1 (Main-Mode)
  - Phase 2 (Quick-Mode)

Establishing an IPsec Tunnel usually consists of the following steps:
Step 1 The "active" IPsec peer establishes a UDP port 500 connection to the "passive" one. After that, both peers negotiate a main mode security association using their pre-shared secret. This is done in order to verify data integrity and confidentiality.
Step 2 Various quick-mode security associations are established on top of the existing phase 1 (main mode) security association. These provide keying and configuration material for the next step.
Step 3 Any IP packet matching a security association established prior to it will be encrypted and authenticated using the keying and configuration material found in the corresponding phase 2 security association.
Note:
For further information concerning the configuration of IPsec with Barracuda NG Firewall and for third-party appliances have a look at the documentation phion netfence IPsec Configuration.
2.7.2.1 Overview
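The Replay Window Size parameter described above (for TINA transports here, and again for IPsec tunnels further down) is easiest to understand by running packets through a window. The following is an added example and not code from the Barracuda NG Firewall; it models the sliding-bitmap window that IPsec ESP implementations commonly use, which is an assumption about the appliance's internal layout. The arrival order is constructed: packet 4 is held back behind packets 6 to 9, the kind of reordering a ToS policy on the transport can cause.

```python
"""Sliding anti-replay window, modelled on the Replay Window Size behaviour described above.

Added illustration; not code from the Barracuda NG Firewall. The bitmap layout is the
classic one used by IPsec ESP implementations (assumption: the appliance's internal
layout is not documented here).
"""


class ReplayWindow:
    """Track received sequence numbers; reject replays and packets that fell out of the window."""

    def __init__(self, size=32):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size      # how many sequence numbers the receiver remembers
        self.highest = 0      # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # bit i set <=> sequence number (highest - i) was received

    def check(self, seq):
        """Return 'accept', 'replay' or 'stale' for one incoming sequence number and update state."""
        if seq <= 0:
            return "stale"                      # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # jumped past the whole window: only this packet is known
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "stale"                      # older than the window remembers: dropped
        if self.bitmap & (1 << offset):
            return "replay"                     # already seen inside the window
        self.bitmap |= 1 << offset
        return "accept"                         # late but legitimate reordering


def simulate(size, sequence_numbers):
    """Run one arrival order through a window of the given size; return the verdict per packet."""
    window = ReplayWindow(size)
    return [window.check(seq) for seq in sequence_numbers]


# Constructed arrival order: packet 4 is delayed behind 6..9 (e.g. by a ToS policy on the transport).
REORDERED = [1, 2, 3, 6, 7, 8, 9, 4]

if __name__ == "__main__":
    for size in (4, 8):
        print(size, list(zip(REORDERED, simulate(size, REORDERED))))
```

With a window of 4 the late packet 4 is dropped as stale even though it is genuine; with a window of 8 it is accepted, while a second copy of any sequence number is still rejected as a replay. That is the trade-off the parameter controls: a larger window tolerates more reordering but remembers fewer packets per sequence number.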
2.7.2.2 Configuring

List 552 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab
Parameter Description
Name: Tunnel name, needed for informational and partner identification purposes.
Note:
IPsec tunnel names may contain a maximum of 26 characters.
Local Address: Local IP address.
Note:
Use 0.0.0.0/0 as local address when working with dynamic IPs.
Remote Address: Remote IP address.
Direction: Defines whether the tunnel is Active or Passive (default is Passive).
Note:
Direction Active implies accepting (Passive), too.

List 553 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Phase 1 and Phase 2 Section
Parameter Description
Encryption: Type of encryption to use.
Available algorithms for Phase 1 are: 3DES (default), DES and CAST.
Available algorithms for Phase 2 are: AES, 3DES (default), CAST, Blowfish and DES.
Hash Meth.: Hash algorithm to use. Available algorithms are MD5 (default) and SHA.
DH-Group: The Diffie-Hellman Group parameter defines the type of key exchange. Available options for this parameter are Group1 (default; 768-bit modulus), Group2 (1024-bit modulus), and Group5 (1536-bit modulus).

List 554 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Networks Section
Parameter Description
Local Networks: The local networks.
Remote Networks: The remote networks.
Note:
For successful parameter negotiation, the parameters for phase 1 and phase 2 must meet the requirements of the remote peer.
The IPSec specification allows two possible values for the Local Networks and Remote Networks parameters if the local or the remote network consists of only a single IP address. Most of the IPsec implementations Barracuda Networks is currently aware of represent a single IP address as a network address in combination with a subnet mask (255.255.255.255).
The IKE protocol is difficult to debug. Therefore, Barracuda NG Admin displays a warning message if IPsec networks contain single IP addresses.
It may happen that an IPSec connection cannot be established and the following error is shown:
no compatible proposals chosen
In this case, you should first verify whether both IPSec peers are using the same IPSec parameters (e.g. encryption, hash method, lifetime periods, Diffie-Hellman Group, etc.). If all parameters are identical, but the tunnel still fails to establish, you may try to use network addresses (using netmask 255.255.255.252) for local and remote network parameters. If the tunnel can properly be established then, the involved IPSec implementations are not compatible for the use of single IP addresses. In this case it is required to reserve a whole network range for the IPSec tunnel.
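The "no compatible proposals chosen" checklist above can be done offline before touching the tunnel. The following is an added example, not part of the firewall or its documentation: it compares the phase 1 / phase 2 parameters of two peers field by field, validates them against the algorithm names List 553 offers in this version, and reproduces the Barracuda NG Admin single-IP warning together with the /30 (255.255.255.252) workaround from the text. The peer parameter sets are constructed sample data; flagging DES, MD5 and Group1 as legacy choices is the editor's added judgement, not a statement of the manual.

```python
"""Offline consistency check of the IPsec phase 1 / phase 2 parameters of two peers.

Added illustration, not part of the Barracuda NG Firewall or its documentation. The
algorithm names are the ones List 553 lists for this firewall version; the peer
parameter sets are constructed sample data. WEAK_CHOICES is the editor's judgement.
"""
import ipaddress
from dataclasses import dataclass

PHASE1_ENCRYPTION = {"3DES", "DES", "CAST"}
PHASE2_ENCRYPTION = {"AES", "3DES", "CAST", "Blowfish", "DES"}
HASH_METHODS = {"MD5", "SHA"}
DH_GROUPS = {"Group1", "Group2", "Group5"}
WEAK_CHOICES = {"DES", "MD5", "Group1"}   # legacy options still selectable in this version


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash_method: str
    dh_group: str
    lifetime: int          # seconds


def validate_proposal(proposal, phase):
    """Return the settings that this firewall version would not offer for the given phase."""
    allowed = PHASE1_ENCRYPTION if phase == 1 else PHASE2_ENCRYPTION
    problems = []
    if proposal.encryption not in allowed:
        problems.append(f"phase {phase}: encryption {proposal.encryption} not available")
    if proposal.hash_method not in HASH_METHODS:
        problems.append(f"phase {phase}: hash {proposal.hash_method} not available")
    if proposal.dh_group not in DH_GROUPS:
        problems.append(f"phase {phase}: DH group {proposal.dh_group} not available")
    return problems


def compare_peers(local, remote):
    """List every field in which the two peers differ: the usual cause of
    'no compatible proposals chosen'."""
    mismatches = []
    for field in ("encryption", "hash_method", "dh_group", "lifetime"):
        mine, theirs = getattr(local, field), getattr(remote, field)
        if mine != theirs:
            mismatches.append((field, mine, theirs))
    return mismatches


def weak_choices(proposal):
    """Legacy algorithm choices worth replacing even when both peers agree on them."""
    return sorted({proposal.encryption, proposal.hash_method, proposal.dh_group} & WEAK_CHOICES)


def single_host_warnings(networks):
    """Mimic the Barracuda NG Admin warning for single IP addresses and suggest the
    netmask 255.255.255.252 (/30) workaround from the text."""
    warnings = []
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        if network.num_addresses == 1:
            fallback = network.supernet(new_prefix=30)
            warnings.append(f"{network} is a single IP address; if negotiation fails, try {fallback}")
    return warnings


if __name__ == "__main__":
    hq = Proposal("3DES", "SHA", "Group2", 28800)        # constructed sample values
    branch = Proposal("3DES", "MD5", "Group1", 28800)
    print(compare_peers(hq, branch))
    print(weak_choices(branch))
    print(single_host_warnings(["10.0.1.5/32", "10.0.2.0/24"]))
```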
Fig. 543 IPSec Tunnel Configuration > Authentication Tab

List 555 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab
Parameter Description
Identification Type: The following identification types are available for configuration:
Shared Passphrase
X509 Certificate (CA signed)
X509 Certificate (explicit)
Box SCEP Certificate (CA signed)

List 556 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Partner Identification Section
Parameter Description
Depending on the configured identification type, different fields will become unlocked within the Partner Identification section (see 1.4.2 Authentication, page 213).

List 557 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Parameters Section
Parameter Description
TOS Policy: This policy setting specifies the way to deal with the Type of Service (ToS) information contained within a packet's IP header. In networks, the ToS may be utilized to define the handling of the datagram during transport. If the ToS is enveloped, this information is lost. The following settings are available:
Copy TOS From Payload to Envelope
Note:
This setting can only be used with non-TCP transports.
The packet's original ToS information will be copied onto the envelope; this way, it stays available for utilisation.
Fixed Envelope TOS
ToS information is masked by enveloping it without consideration. This setting activates the parameter Envelope TOS Value (default: 0), wherein a fixed ToS value must be specified. The same ToS information will then be assigned to all packets.
Band Policy:
Note:
Traffic shaping (Configuration Service 2.2.6 Traffic Shaping, page 82) must be configured for band policy settings to apply. Band policy settings work independently from bandwidth protection settings (see above).
Band Policy settings rely on connection objects being allotted to bands in firewall rule sets. These settings specify bandwidth assignment to transports as a whole. Multiple transports may share a single band if they are processed by the same interface. The following settings determine the behavior:
Use Band According to Rule Set
Use the band from the firewall rule allowing traffic between the tunnel endpoints.
Copy Band From Payload To Envelope
Use the band from the firewall rule redirecting traffic to the VPN tunnel entry point. The band setting for the rule that configures traffic between the tunnel endpoints will be ignored if this is activated.
Fixed Envelope Band
Specifies a static band. This activates the parameter Envelope Band Value below, wherein one of the available bands (System, Band A to Band G) must be selected.
Replay Window Size: The Replay Window Size is designed to assure sequence integrity and to avoid IP packet "replaying" in cases where, due to ToS policies assigned to VPN tunnels and/or transports, packets are not forwarded instantly according to their sequence number. The window size specifies a maximum number of IP packets that may be on hold until it is assumed that packets have been sent repeatedly and therefore sequence integrity has been violated. This value may also be defined globally (see Global Replay Window Size, page 219). If it is not set here and no global value has been defined either, the default value of 32 packets is used. If a global value is set, the global value is used.
The effective replay window size is visualized within the Transport Details window (attribute: transport_replayWindow). This may be accessed by double-clicking the tunnel within the VPN monitoring GUI > Active tab (see 4. Monitoring, page 252).
Advanced RAW ISAKMP settings: Additional, optional parameters for establishing IPsec tunnels. When appending such an additional parameter, start out by entering the section the parameter is assigned to. The next line then contains the new parameter itself (one single value per line!).
Example:
[Section]
key=value
Sections defined here are added to the end of the isakmpd.conf file. New parameters, however, are added on top of the according section.
Note:
For detailed information concerning the syntax to be used within this field, please consult www.openbsd.org/cgi-bin/man.cgi (man page: isakmpd.conf).
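The merge rule for the Advanced RAW ISAKMP settings field (new sections appended at the end of isakmpd.conf, new parameters placed at the top of an existing section) is the kind of thing worth checking before it reaches a production tunnel. The following is an added example and not the firewall's own code: it parses the "[Section]" / "key=value" layout the field expects and applies exactly that rule to an existing configuration. It assumes a plain INI-like file as described in the OpenBSD isakmpd.conf man page; the section and key names in the sample data are constructed for the demonstration, only the ordering rule is taken from the text.

```python
"""Merge 'Advanced RAW ISAKMP settings' into an isakmpd.conf-style file.

Added illustration of the merge rule stated in the parameter description above; this is
not the firewall's own code. It assumes a plain INI-like file ([Section] headers,
key=value lines). Section and key names in the sample data are constructed.
"""


def parse_sections(text):
    """Parse '[Section]' headers followed by one key=value per line into an ordered list
    of (section_name, [(key, value), ...]). Blank lines and '#' comments are ignored."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1].append((key.strip(), value.strip()))
        else:
            raise ValueError(f"line is outside a section or not key=value: {raw!r}")
    return sections


def render_sections(sections):
    """Serialize back to text with one blank line between sections."""
    chunks = []
    for name, params in sections:
        body = "\n".join(f"{key}={value}" for key, value in params)
        chunks.append(f"[{name}]\n{body}\n" if body else f"[{name}]\n")
    return "\n".join(chunks)


def merge_raw_settings(conf_text, raw_text):
    """Apply the documented rule: sections not yet present are appended at the end of the
    file; parameters for an existing section are inserted at the top of that section."""
    sections = parse_sections(conf_text)
    by_name = {name: params for name, params in sections}
    for name, params in parse_sections(raw_text):
        if name in by_name:
            by_name[name][0:0] = params        # prepend, keeping the order the admin typed
        else:
            new_section = (name, list(params))
            sections.append(new_section)
            by_name[name] = new_section[1]
    return render_sections(sections)


# Constructed sample: an existing configuration and the contents of the RAW field.
EXISTING_CONF = """[General]
Retransmits=5

[Phase 1]
Default=peer-hq
"""

RAW_FIELD = """[General]
Exchange-max-time=120

[Example-Section]
key=value
"""

if __name__ == "__main__":
    print(merge_raw_settings(EXISTING_CONF, RAW_FIELD))
```

The parser raises on a key=value line that precedes any section header, which is the mistake the "(one single value per line!)" remark in the parameter description is warning about.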
3. SSL-VPN

Note:
The Bind IPs need to be defined at the virtual server. SSL-VPN service and VPN service must use different Bind IPs and port 443 has to be idle, otherwise the SSL-VPN service is not able to start.

Fig. 545 SSL-VPN web portal
3.2.1.2 Service Identification

List 559 VPN configuration - SSL-VPN Basic Setup section Service Identification
Parameter Description
Use Self-Signed Certificate: yes for self-signed certificate. no for external-signed certificate.
Self-Signed Private Key: Create or export a self-signed private key.
Self-Signed Certificate: Edit to create a new self-signed certificate. Show to view an existing self-signed certificate.
External-Signed Private Key: Create or export an external-signed private key.
External-Signed Certificate: Edit to create a new external-signed certificate. Show to view an existing external-signed certificate.
Note:
When using self-signed certificates, be aware that the client browser shows a warning page that the certificate is not issued by a trusted certificate authority.

3.2.2 Authentication & Login

3.2.2.1 User Authentication

List 560 VPN configuration - SSL-VPN Authentication & Login section User Authentication
Parameter Description
Authentication Scheme: Scheme that is used by the SSL-VPN service to authenticate users:
MSNT
MS_ACTIVE_DIRECTORY
LDAP
RADIUS
RSA_SECUREID
Use Group Policies: Enables or disables the usage of Allowed User Groups and Blocked User Groups.
Allowed User Groups: List of user groups that have access to the SSL-VPN service. Group information is gained via authentication at directory services, for example Radius, MS Active Directory, ...
Note:
If local authentication and external authentication are used, the usernames of local users comply with group names of external authentication. Therefore those usernames have to be entered into Allowed User Groups to get access to the SSL-VPN.
Blocked User Groups: List of user groups that have NO access to the SSL-VPN service.
Note:
Allowed User Groups and Blocked User Groups have the following precedences:
Blocked User Groups overrules Allowed User Groups
Having a user in both groups causes a block
Leaving both fields empty results in an allow all
Use Max. Tunnels: Enables or disables the usage of Max. Tunnels.
Max. Tunnels: Maximum number of concurrent SSL tunnels.
Cookie Timeout (Min.): Validity period of the session cookie. Range: 5 to 180 minutes. After expiration of the validity period, the client will be redirected to the SSL-VPN login page.
Browser Cleanup: Set to yes if the browser should be cleaned up after the SSL-VPN session has been terminated with the Sign Out button.
Browser Cleanup with Mozilla Firefox:
All global history pages of the SSL-VPN client
Downloaded files in the download manager
All cache entries
Cookies of the SSL-VPN
Form history (search bar)
Passwords of the SSL-VPN
Note:
Cleanup process will be initiated after agreeing to a browser enquiry.
Browser Cleanup with MS Internet Explorer:
All (!) entries in the browser history
All (!) passwords
Navigation
Internet cache
Registry history
Note:
Cleanup process will be initiated after agreeing to a browser enquiry.
Note:
Browser cleanup is available for the following web browsers:
- Microsoft Internet Explorer 6 and 7 (ActiveX must be enabled; needs an internet connection)
- Mozilla Firefox 2 and 3
Barracuda Networks recommends the usage of Mozilla Firefox because of the less aggressive browser cleanup function.

3.2.2.2 Corporate ID

List 561 VPN configuration - SSL-VPN Authentication & Login section Corporate ID
Parameter Description
Logo: Export or import of the greeting logo (recommended resolution is 200*66 pixel).
Login Message: This text is displayed after a successful login.
Help Text (html): HTML help text that is provided to the logged in users.

3.2.3 Barracuda NG Network Access Client Access Control

3.2.3.1 Barracuda NG Network Access Client Access Control Setup

List 562 VPN configuration - SSL-VPN Barracuda NG Network Access Client Access Control section Barracuda NG Network Access Client Access Control Setup
Parameter Description
Active: Activates the client health check.
Policy Server IP: IP address of the policy server.
User Groups: User groups that need a health check to get access to the SSL-VPN.
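The precedence rules for Allowed User Groups and Blocked User Groups in List 560 (blocked overrules allowed; a user in both is blocked; both empty means allow all) are small enough to write down as a decision function. The following is an added example, not the firewall's own access-control logic. It assumes that group names and X.509 subject attributes are handed over as plain strings and that "*" is the only wildcard, as in the manual's own patterns (CN=sales*, emailAddress=). The manual does not say what happens when Allowed User Groups is empty but Blocked User Groups is not; this example denies in that case, which is an assumption. The sample identities are constructed.

```python
"""Decide SSL-VPN access from Allowed User Groups and Blocked User Groups.

Added illustration of the precedence rules in List 560; not the firewall's own logic.
Assumes plain-string identities and '*' as the only wildcard. The case 'allowed empty,
blocked set, user not blocked' is not covered by the manual and is treated as deny here.
"""
import re


def wildcard_to_regex(pattern):
    """Translate a pattern with '*' wildcards into an anchored regular expression."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def matches_any(patterns, identities):
    """True if any configured pattern matches any of the user's group or certificate strings."""
    compiled = [wildcard_to_regex(p.strip()) for p in patterns if p.strip()]
    return any(rx.match(identity) for rx in compiled for identity in identities)


def decide_access(identities, allowed_groups, blocked_groups):
    """Return (granted, reason) in the documented order: blocked overrules allowed,
    both lists empty means allow all."""
    allowed = [g for g in allowed_groups if g.strip()]
    blocked = [g for g in blocked_groups if g.strip()]
    if matches_any(blocked, identities):
        return False, "member of a Blocked User Group"
    if not allowed and not blocked:
        return True, "no group restriction configured"
    if matches_any(allowed, identities):
        return True, "member of an Allowed User Group"
    return False, "not in any Allowed User Group"   # assumption: deny when nothing matches


# Constructed sample identities, as a directory service or certificate would present them.
SALES_USER = ["CN=sales,OU=staff,DC=example,DC=com", "emailAddress=bob@example.com"]
CONTRACTOR = ["CN=sales,OU=staff,DC=example,DC=com", "CN=contractors,OU=external,DC=example,DC=com"]

if __name__ == "__main__":
    print(decide_access(SALES_USER, ["CN=sales*"], ["CN=contractors*"]))
    print(decide_access(CONTRACTOR, ["CN=sales*"], ["CN=contractors*"]))
    print(decide_access(SALES_USER, ["emailAddress=*@example.com"], []))
```

The contractor is a member of sales as well, yet is denied: that is the "having a user in both groups causes a block" rule, and it is why a blocked-group entry is the safer place to express an exception than a narrower allowed pattern.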
3.2.4 Barracuda NG SSL-VPN Client

Barracuda NG SSL-VPN Client is a powerful VPN client that offers the opportunity to establish transparent network access (Layer 3) to internal company network infrastructures. The client is fully integrated into the SSL-VPN Portal and can be executed by starting the my Network JAVA applet.
Barracuda NG SSL-VPN Client supports the following authentication schemes:
- X.509 certificate
- user/password
- X.509 certificate & user/password
- license file

List 564 Barracuda NG SSL-VPN Client section Access Authorization
Parameter Description
Active: Enables the my Network link inside the SSL-VPN Web-Portal, to get fully transparent network access. This feature uses the Barracuda NG SSL-VPN Client applet to establish a Client to Site connection to a Barracuda Networks VPN service, using the SSL-VPN Web-Portal. This requires a configured and running VPN service and Client to Site access.
VPN-Server Listen IPs:
default: uses the configured listen IP address of the VPN service, defined in the Bind Type field of the VPN Service Properties.
First-IP: Uses the configured First IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
Second-IP: Uses the configured Second IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
First+Second: Uses the configured First IP or Second IP address of the VPN Service, defined in the Bind Type field of the VPN Service Properties.
explicit: Uses the IP address(es) defined in the Explicit Listen IPs field.
Explicit Listen IPs: List of IP addresses the VPN-Server is listening on.
Advanced Options: If needed, advanced options can be entered.
Connection Type: Choose between External CA (provides single sign-on to SSL-VPN users) or VPN CA as Client to Site connection type.
Must Be Healthy: When this checkbox is enabled, the connected user has to perform a health-check before the transparent network access is granted.
Allowed User Groups: Allowed User Groups act as an Access Control List, to restrict transparent network access to defined user groups only.
Note:
If the Barracuda NG SSL-VPN Client network access is to be realized in combination with Barracuda NG Group VPN, be aware that the Group Policy Condition also includes the Barracuda NG SSL-VPN Client as Peer Condition, otherwise the VPN policy will not be assigned to the SSL-VPN user.

Fig. 547 SSL-VPN web portal my Network

Fig. 548 SSL-VPN web portal my Network

The first time a user accesses my Network, the Barracuda NG SSL-VPN Client VPN client binary will be downloaded and installed on the client computer.
Note:
For installation and removal of the Barracuda NG SSL-VPN Client client software, administrative rights on the client operating system are needed. Once the client is installed, users do not need to have administrative rights to run the VPN client application.

Fig. 549 Barracuda NG SSL-VPN Client installation

3.2.4.3 Running the Barracuda NG SSL-VPN Client

Once the Barracuda NG SSL-VPN Client has been installed successfully and a user tries to access the my Network area to establish a connection to a company network infrastructure, the Barracuda NG SSL-VPN Client will
3.2.4.4 Barracuda NG SSL-VPN Client Login Mask

If a connection to the configured VPN server fails or no single sign-on functionality should be used, the Barracuda NG SSL-VPN Client will automatically open the client to site login screen and the user will be prompted to insert the user credentials to establish a connection.

Fig. 550 Barracuda NG SSL-VPN Client login prompt

List 566 Barracuda NG SSL-VPN Client Transport Properties
Parameter Description
Tunnel Mode: Transport mode for the client to site VPN Tunnel.
Optimized(Hybrid)
Reliability(TCP)
Response(UDP)
Use a proxy server to connect: Enable this checkbox if the connection will be established over a proxy server.
User/Password: User credentials for the proxy server.
Proxy[:port]: IP address and port of the proxy server.
Simulate SSL: Simulates an SSL connection to the web proxy.

3.2.4.6 X.509 Form Based Authentication

The X.509 certificate subject string (inclusive wildcards) stated in a X.509 certificate can be used in the Allowed User Group sections to regulate link visibility for each authenticated SSL-VPN user.
Note:
In order to match the e-mail pattern of a X.509 certificate, type emailAddress= in the Allowed User Groups sections.

3.2.6 Outlook Web Access

3.2.6.1 Outlook Web Access Authorization

List 569 VPN configuration - SSL-VPN Outlook Web Access section Outlook Web Access Authorization
Parameter Description
Active: Enables or disables the link shown in the web portal.
Visible Name: Visible link name of the Outlook Web Access resource.
OWA URL: Enter the Outlook Web Access URL, e.g.: https://<ip>/exchange/
Enable Public Folder: In order to view configured public folders on MS Windows Exchange 2003, this checkbox has to be activated. With MS Windows Exchange 2007 activation is not necessary.
Note:
Public Folders on MS Windows Exchange 2007 can only be viewed with MS Internet Explorer.
Must Be Healthy: Access to the Outlook Web Access is only granted after a positive Barracuda NG Access Monitor check.
Allowed User Groups: List of user groups that have access to Outlook Web Access.
Note:
Forms-Based Authentication and SSL encryption need to be activated at the MS Exchange server.

3.2.7 WebDAV / Sharepoint

3.2.7.1 WebDAV Resource Configuration

List 570 VPN configuration - SSL-VPN WebDAV/Sharepoint section WebDAV Resource Configuration
Parameter Description
WebDAV Resources: Insert to create a new WebDAV/Sharepoint resource. Delete to remove an existing WebDAV/Sharepoint resource. Edit to modify an existing WebDAV/Sharepoint resource.

List 571 WebDAV Resources section WebDAV Resource Access Authorization
Parameter Description
Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the WebDAV resource.
Link Description: Description text of the WebDAV resource.
WebDAV Address: IP address of the WebDAV resource.
WebDAV Sharename: Name of the desired share.
Must Be Healthy: Access to the WebDAV share is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the WebDAV shares.

3.2.8 Application Tunneling

3.2.8.1 Application Tunneling Configuration

List 572 VPN configuration - SSL-VPN Application Tunneling section Application Tunneling Configuration
Parameter Description
Service Configuration: Insert to create a new application tunneling resource. Delete to remove an existing application tunneling resource. Edit to modify an existing application tunneling resource.
Generic Application Tunneling: Insert to create a new generic application tunneling resource. Delete to remove an existing generic application tunneling resource. Edit to modify an existing generic application tunneling resource.

List 573 Application Tunneling Configuration Service Configuration section Application Access Authorization
Parameter Description
Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the resource.
Link Description: Description text of the application tunnel resource.
Application Server IP: IP address of the application server.
Application Protocol: Protocol type of the tunnelled application. Choose between: RDP, VNC, SSH, Telnet, SMTP, POP3, IMAP4, SMB
Note:
When using VNC, make sure that VNC does not require MS Logon for authentication.
Application TCP Port: Connection port of the application server.
RDP Application Path: Path to the application that should be launched by the RDP applet. This applet is used if only a single application should be provided to the user.
Note:
This parameter is only enabled if Application Protocol > RDP is specified. When using this option no client program is possible.
SMB Path: Path to a Samba share.
Note:
This parameter is only enabled if Application Protocol > SMB is specified.
Tunnel Client Application: This parameter activates an additional link to a port forwarding applet. This applet opens a listening socket on the loopback address at the client that listens for incoming connections at a specific port.
Note:
This parameter is only enabled if RDP, VNC, SSH, Telnet or SMB is configured at Application Protocol. For SMTP, POP3 or IMAP4 this parameter is disabled and set to yes.
Client Loopback TCP Port: Listening port of the port forwarding applet.
Must Be Healthy: Access to the application tunnel resource is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the application tunnel.

List 574 Application Tunneling Configuration Generic Application Tunneling section Generic Application Tunneling Authorization
Parameter Description
Active: Enables or disables the link shown in the SSL-VPN portal.
Visible Name: Visible link name of the resource.
Link Description: Description text of the generic application tunnel resource.
Kind of Application: Other, Mail or Web.
Protocol Type: HTTP or HTTPS. Only active if Kind of Application is set to Mail or Web.
SSL Tunnels: Insert to create a new SSL tunnel. Delete to remove an existing SSL tunnel. Edit to modify an existing SSL tunnel.
Must Be Healthy: Access to the generic application tunnel resource is only granted after a positive health check.
Allowed User Groups: List of user groups that have access to the generic application tunnel.

List 575 Generic Application Tunneling Authorization SSL Tunnels section SSL Tunnel Configuration
Parameter Description
Server IP: Server IP address of the tunneled application.
Client Loopback TCP Port: Listening port of the port forwarding applet.
Application TCP Port: Listening port of the server application.

3.2.9 Dynamic Firewall Rules

Note:
A user group query is not possible if RADIUS is used as external directory service.

3.3 Setup Examples

To realize the following example setups, SSL-VPN needs some basic configuration steps.
Note:
A running VPN service is needed to provide the functionality of the SSL-VPN service.

3.3.1 Basic Setup

3.3.1.1 General Service Settings

- Set Enable SSL-VPN to Yes
- Define the Bind IPs for the SSL-VPN service
Note:
Be sure not to use a bind IP of the VPN service. Otherwise the SSL-VPN service can not be started.
To test if SSL-VPN is running, open https://<bind IP>/ in your web browser.

3.3.2.2 Corporate ID

It is possible to customize the SSL-VPN point-of-entry (see Corporate ID, page 244) with the following parameters:
- Logo
- Login Message
- Help Text (html)

3.3.3 Barracuda NG Network Access Clients Access Control

Barracuda NG Network Access Clients Access Control can determine the health state of a SSL-VPN client. Based on the health state, client access to sensitive resources is granted or not.
- Set Active to Yes
- Enter the Policy Server IP
- In User Groups, enter the groups that should be checked
Note:
Configurations according to Barracuda NG Network Access Client Access Control must be done inside the policy server.

3.3.4 Example 1: Web Resources

In this example, access to an internal web resource with the SSL-VPN will be realized.
- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Web Resources
- Service Configuration: click Insert and assign the name Company web server
- Active: select this checkbox to enable the link
- Visible Name: Our internal website
Note:
Every resource has a Name (see parameter Web Resources) and a Visible Name. The name of the resource should differ from the name that the user knows (for example, the server name is sales-portal and the users know it as intranet).
- Link Description: This is the internal website of our company
- URL: URL of the web resource
- Active Content Rewrite: selected by default (For parameter description see parameter Active Content Rewrite, page 246.)
- Allowed User Groups: to enable access for all users, leave the default asterisk (*)

3.3.5 Example 2: WebDAV / Sharepoint

In this example, a connection to the company file server will be created. To minimize the risk of virus infiltration, the usage of the Barracuda NG Access Monitor health check is recommended.
- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > WebDAV/Sharepoint
- Service Configuration: click Insert and assign the name WebDAV share
- Active: mark this checkbox to enable this link
- Link Description: Company file server
- WebDAV Address: enter the address of the WebDAV share
- WebDAV Sharename: enter the WebDAV share name
- Must Be Healthy: select this checkbox to initiate a health check on the client
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name. For example CN=sales*

3.3.6 Example 3: Application Tunneling

3.3.6.1 Windows Terminal Service

- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Application Tunneling
- Service Configuration: click Insert and assign the name Windows terminal service
- Active: select this checkbox to enable the link
- Visible Name: Windows RDP
- Link Description: Company terminal server
- Application Server IP: enter the address of the Windows terminal server
- Application Protocol: select RDP
- Application TCP Port: no changes are necessary if port 3389 is configured at the terminal server. If not, select Other and enter the appropriate port number
- RDP Application Path: leave empty
- Tunnel Client Application: select yes because port forwarding should be used
- Client Loopback TCP Port: 3390
- Allowed User Groups: delete the asterisk (*) and enter the assigned MSAD group name. For example CN=accounting*

3.3.6.2 SAP Application

We want to establish SSL-VPN access for all sales staff members to the SAP application at the sales terminal server. It should only be possible to execute the SAP application.
- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Application Tunneling
- Service Configuration: click Insert and assign the name terminalsales
- Active: select this checkbox to enable the link
- Visible Name: SAP
- Link Description: This is the SAP application of the Sales Department
- Application Server IP: 192.168.10.10
- Application Protocol: select RDP
- RDP Application Path: enter C:/SAP/sap.exe or C://SAP//sap.exe
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name of the Sales Department, for example CN=sales*
Note:
- Directory names must not contain spaces.
- Only *.exe files can be executed.
- Directories must be separated by a slash or double slash ( / or //). Backslash (\) is not allowed.
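Example 3.3.6.1 above relies on the Tunnel Client Application port-forwarding applet (List 573): the applet listens on a loopback port at the client (3390 in the example) and relays each connection to the application server's port (3389). The following is an added example in Python, not the Barracuda NG SSL-VPN Client applet itself, showing the same mechanism. It assumes a plain TCP connection to the upstream server in place of the SSL-VPN leg (a simplification); the upper-casing echo server standing in for the application server, and the OS-chosen ports, are constructed for the demonstration. Note the bind to 127.0.0.1: a forwarder that bound to 0.0.0.0 would expose the tunneled application to the client's whole network.

```python
"""Loopback port forwarder in the spirit of the 'Tunnel Client Application' applet.

Added illustration, not the Barracuda NG SSL-VPN Client applet. The SSL-VPN leg is
replaced by a plain TCP connection to the upstream address (simplification). The echo
server and the ports are constructed for the demonstration.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then propagate the EOF to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackForwarder:
    """Listen on 127.0.0.1:<loopback_port> and relay each connection to the upstream server."""

    def __init__(self, upstream_host, upstream_port, loopback_port=0):
        self.upstream = (upstream_host, upstream_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", loopback_port))   # loopback only, never 0.0.0.0
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]          # 0 above -> OS-chosen port
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                                       # listener was closed
            try:
                upstream = socket.create_connection(self.upstream, timeout=5)
            except OSError:
                client.close()                               # server unreachable: refuse cleanly
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_upper_echo_server():
    """Constructed stand-in for the application server: answers one request in upper case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def roundtrip_through_forwarder(payload):
    """Send payload to the loopback port and return what the application server answered."""
    server = start_upper_echo_server()
    forwarder = LoopbackForwarder("127.0.0.1", server.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", forwarder.port), timeout=5) as client:
            client.sendall(payload)
            return client.recv(4096)
    finally:
        forwarder.close()
        server.close()


if __name__ == "__main__":
    print(roundtrip_through_forwarder(b"hello through the loopback tunnel"))
```

In the manual's setup the client software (an RDP client here) is then pointed at 127.0.0.1:3390, exactly as the last step of the Citrix example below says: "configure the connections of the client software to the loopback address".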
Due to the fact that application browsing is based on UDP, this task can not be solved only with SSL-VPN. So, the applications must be configured.
- Open Config > Box > Virtual Servers > <server> > Assigned Services > <service> (vpnserver) > SSL_VPN > Generic Application Tunneling
- Generic Application Tunneling: click Insert and assign the name Citrix
- Active: select this checkbox to enable the link
- Visible Name: Company Citrix server
- Link Description: enter an appropriate description for your users
- SSL Tunnels: insert the required connections, in this example all TCP ports. Click Insert and assign the following SSL tunnels.

Table 56 SSL tunnels
Name | Server IP | Application TCP Port | Client Loopback TCP Port
ICA | 10.0.0.112 | 1494 | 1494
IMA | 10.0.0.112 | 2512 | 2512
SSL | 10.0.0.112 | 443 | 443
STA(ISS) | 10.0.0.112 | 80 | 80
Citrix License Management Console | 10.0.0.112 | 8082 | 8082
Presentation Server Licensing | 10.0.0.112 | 27000 | 27000
ICA session w/ Session Reliability enabled | 10.0.0.112 | 2598 | 2598
Access Gateway Standard and Advanced Editions | 10.0.0.112 | 9001, 9002, 9005 | 9001, 9002, 9005
Manager service daemon server | 10.0.0.112 | 2897 | 2897

- Must Be Healthy: select this checkbox to initiate a health check on the clients
- Allowed User Groups: leave the asterisk (*) so all staff members have access
- Configure the connections of the client software to the loopback address

- intranet address: 172.0.0.0

3.3.8.1 Required Settings

- Create a dynamic rule in the forwarding firewall and call it ftp-dynamic
Source: 172.0.0.0
Service: FTP (TCP 21 ftp)
Destination: 0.0.0.0
- Browse in the SSL-VPN settings to the Dynamic Firewall Rules
- Firewall Rule Activation: click Insert and assign the name FTP
- Active: select this checkbox to enable the link
- Visible Name: Company FTP server
- Link Description: enter an appropriate description for your users, for example Here you can activate the dynamic firewall rule ftp-dynamic
- Dynamic Rule Selector: delete the asterisk (*) and enter ftp-dynamic
- Allowed User Groups: delete the asterisk (*) and enter the MSAD group name of the Administrators, for example CN=admins*

Fig. 551 SSL-VPN web portal dynamic firewall rules

Note:
When enabling a dynamic firewall rule for a specific time period in the SSL-VPN Web-GUI, be sure to enter numeric values in minutes. If the firewall rule should be permanently active, leave this field empty.
4. Monitoring

Last information concerning the connection (e.g. Access Granted, Disconnect, etc.).
Status Description
Granted: The connecting process was successful.
Already connected
Access Denied (No License or invalid peer): The connection was denied due to a missing license or a wrong client address.
Invalid Password
Root certificate not valid
Certificate did not verify: The Barracuda Networks certificate did not correspond to its counterpart on the server.
Certificate signature did not verify: The digital Barracuda Networks certificate shelf mark did not correspond to its counterpart on the server.
Certificate not yet valid: The Barracuda Networks certificate has not yet obtained validity.

If an already uploaded file has become obsolete, select it and click the Delete button to remove the file from the VPN client Downloads list.

Fig. 555 Stealth Tunnel (10.0.20.0/24 behind VPN server 1 at 192.168.3.1; secure encrypted tunnel; VPN server 2 (partner server) at 192.168.3.101 in front of 10.0.21.0/24)
Note:
The stealth tunnel shown in figure 555 masks the network on the left side from the network on the right side. Thus, appropriate firewall settings become crucial for functioning.
Firewall configuration on VPN server 1:
Rules meant to redirect traffic into the tunnel must use the connection type Explicit: 10.0.35.32.

routed through the headquarters, thus reducing the number of tunnels to be managed.

Fig. 556 Star-Shaped Topology with One HQ and Two Outposts
5.4.1 Overview
Redundant VPN tunnels contribute to the maintenance of
non-intermittent connectivity between Barracuda NG
Firewall gateways (e.g. HQ and branch). They help
minimising the menaces of hardware crashes and
interruptions of internet connections. They are the ne plus
ultra when it comes to reliability and stability of VPN
tunnels over the internet. In addition, they might eliminate
the need for upgrading existing infrastructure (frame
relay, dedicated line) when the load exceeds the limits but
upgrading is out of question due to high costs.
The Barracuda NG Firewall decides which type of traffic is sent through which tunnel by means of a service object used within a firewall rule. This way, response-critical traffic (e.g. SSH, Telnet, Citrix) can be directed to the tunnel over the dedicated line/frame relay (usually offering shorter delay times), while bulk traffic (e.g. SQL server replication, Lotus Notes replication) can be directed to the Internet tunnel. In either case the aim is to have all traffic appear with its original source IP address, regardless of the tunnel and the direction used.

5.4.2 Configuring Redundant VPN Tunnels

Fig. 557 Configuring Redundant VPN Tunnels - Example Environment
HQ: local network 10.0.1.0/24, eth1: 212.86.0.1, eth2: 172.16.0.1
Branch: local network 10.0.2.0/24, eth1: 212.86.0.2, eth2: 172.16.0.2

Figure 557 illustrates a redundant VPN tunnel setup having two links on each side of the tunnel. This setup results in four possible ways to build up the tunnel's enveloping connection.

The algorithm determining the succession of retries works as follows:
- First local IP to first peer IP
- First local IP to second peer IP
- Second local IP to first peer IP
- Second local IP to second peer IP

In order to configure the example shown above, enter the VPN tunnel configuration (through Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver) > Site to Site > TINA Tunnels tab). Lock the configuration dialog and select New TINA tunnel from the context menu.

Step 2 Configuring the Tunnels
Configure the tunnels as described in 2.7 Configuring VPN Tunnel Settings, page 232. The following values must be supplied for the example setup:

Table 514 Redundant VPN Tunnel Example Parameter Settings
Parameter | HQ | Branch
Tunnel Direction | passive | active
Peer IP | 172.16.0.2, 212.86.0.2 | 172.16.0.1, 212.86.0.1
Tunnel IP | 172.16.0.1, 212.86.0.1 | 172.16.0.2, 212.86.0.2
Partner Network | 10.0.2.0/24 | 10.0.1.0/24
Local Network | 10.0.1.0/24 | 10.0.2.0/24

Step 3 Configuring the Routing
The default routes for establishing the VPN tunnels are configured within the Section Main Routing Table (Configuration Service 2.2.5 Network, page 61). The following values must be supplied for the example setup:

Table 515 Redundant VPN Tunnel Direct Routes for VPN Server 1
Parameter | 1 | 2
Target Network Address | 212.86.0.0/24 | 172.16.0.0/24
Type | direct_route | direct_route
Interfacename | eth1 | eth2

Table 516 Redundant VPN Tunnel Direct Routes for VPN Server 2
Parameter | 1 | 2
Target Network Address | 212.86.0.0/24 | 172.16.0.0/24
Type | direct_route | direct_route
Interfacename | eth1 | eth2
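The retry order described in 5.4.2 and its failover behaviour, as an added example that is not part of the original guide and not Barracuda code. The address values are the Branch side of Table 514 (the active side initiates the tunnel); the reachability model and the link-failure scenarios are constructed for the example.

```python
"""Retry order and failover of a redundant TINA tunnel, as an added example
(not Barracuda's code). The gateway tries local/peer address pairs in the
order given in 5.4.2 (first local to first peer, first local to second peer,
second local to first peer, second local to second peer). The address values
are the Branch side of Table 514 (the active side initiates); the
reachability model and the link-failure scenarios are constructed."""
from itertools import product
from typing import Callable, Iterable, List, Optional, Set, Tuple

Pair = Tuple[str, str]

# Branch side of Table 514: Tunnel IP (local) and Peer IP, in configured order.
# First entry of each list is the dedicated line, second the Internet link.
BRANCH_LOCAL_IPS = ["172.16.0.2", "212.86.0.2"]
BRANCH_PEER_IPS = ["172.16.0.1", "212.86.0.1"]


def retry_sequence(local_ips: List[str], peer_ips: List[str]) -> List[Pair]:
    """Enumerate (local, peer) attempts in the gateway's retry order.
    product() varies its last argument fastest, which yields exactly
    'first local to first peer, first local to second peer, second local ...'."""
    return list(product(local_ips, peer_ips))


def establish(local_ips: List[str], peer_ips: List[str],
              reachable: Callable[[str, str], bool]) -> Optional[Pair]:
    """Return the first pair for which the enveloping connection comes up,
    or None when all combinations fail (the tunnel stays down)."""
    for local, peer in retry_sequence(local_ips, peer_ips):
        if reachable(local, peer):
            return (local, peer)
    return None


def link_reachability(down_addresses: Iterable[str]) -> Callable[[str, str], bool]:
    """Constructed model of Fig. 557: an attempt only succeeds when both
    addresses sit on the same transport (172.16.0.0/24 dedicated line or
    212.86.0.0/24 Internet) and neither side of that link has failed."""
    down: Set[str] = set(down_addresses)

    def reachable(local: str, peer: str) -> bool:
        same_transport = local.rsplit(".", 1)[0] == peer.rsplit(".", 1)[0]
        return same_transport and local not in down and peer not in down

    return reachable


def failover_report(down_addresses: Iterable[str]) -> str:
    """Which pair the Branch ends up using for a given set of failed addresses."""
    chosen = establish(BRANCH_LOCAL_IPS, BRANCH_PEER_IPS, link_reachability(down_addresses))
    return "tunnel down" if chosen is None else f"{chosen[0]} -> {chosen[1]}"


if __name__ == "__main__":
    for scenario in ([], ["172.16.0.2"], ["172.16.0.1"], ["172.16.0.1", "212.86.0.2"]):
        print(f"failed addresses {scenario or 'none'}: {failover_report(scenario)}")
```

Note that a failure of the dedicated line on either side (local 172.16.0.2 or peer 172.16.0.1) costs three failed attempts before the Internet pair is tried, which is why the order of the Tunnel IP and Peer IP lists should put the link that is expected to be up most often first.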
6.1 General
The Personal Firewall Configuration determines the behavior of the Barracuda NG VPN client's Personal Firewall when connected via VPN. Barracuda NG Firewall gateway 4.2 supports the Barracuda NG VPN Client and Barracuda NG Personal Firewall clients, just like the Barracuda NG VPN Client versions R6 and R7.

Note:
For further information on the personal firewall see the appropriate documentation named Barracuda NG Network Access Protection Administrators Guide. It is contained on your Application & Documentation flash USB stick.
Mail Gateway
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
2. Installation
2.1 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
3. Configuration
3.1 Service Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
3.2 MailGW Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
3.2.1 Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
3.2.2 Extended Domain Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
3.2.3 POP3 Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
3.2.4 Advanced Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
3.2.5 Content Adaptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
3.2.6 Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
3.2.7 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
4. Spam Filtering
4.1 Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
4.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
4.2.1 Configuring the Spam Filter Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
4.2.2 Configuring the Spam Filter Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
4.2.3 Configuring the Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
4.2.4 Archiving and Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
1. Overview
The mail gateway service generates three log files, which can be viewed in the Logs GUI (Log Viewer, page 305) of the graphical administration tool Barracuda NG Admin:
- servicename: This file contains the general logging data of the mail gateway service.
- pop3: This file belongs to the POP3 scanner and is only generated when POP3 scanning is set to enabled (Use POP3, page 265).
- qspool: This file records transactions processed between the configuration and monitoring areas of the mail gateway service and the graphical administration tool Barracuda NG Admin.

2. Installation
2.1 Procedure
To install the Barracuda NG Firewall mail gateway service you already need to have installed a server on your box. Choose Create Service in the context menu of the corresponding server and select a name for this service (for example mailgw). Configure the service definition settings (Service Name, Description, Software Module) of the mail gateway service in the following window. Select Mail-Gateway as software module. Click OK to create the service. Now you can activate the changes by clicking Activate, and your newly installed mail gateway service is ready for configuration.
3. Configuration
The config tree of your box provides all configuration options for your mail gateway service and contains the following entries (listed according to their sequence of usage):
- Service Properties
- MailGW Settings, page 262

3.1 Service Properties
To enter the configuration, select the Service Properties entry in the config tree.

General - section Service Definition:
The fields Service Name and Software Module are read-only fields displaying the settings made when the service was created.

Note:
Due to the software module Mail-Gateway the fields Bind Type and Explicit Bind IPs are not available.

Note:
If there is only one (or even no) bind IP configured in your server configuration, an error message Cannot bind to IP will be displayed in Logs (see 5.9 Logs, Statistics, Events, page 284).

It is strongly recommended that your official IP addresses are reverse DNS resolvable. You might otherwise experience problems with your mail gateway; for example, other mail servers might refuse to communicate with it.
List 64 MailGW Settings section Extended Domain Setup
Parameter | Description
Default Internal Mail Server | You can specify one or more default internal mail servers in this field. Incoming mail will be redirected to this default mail server. If you specify more than one mail server, the mail gateway will try them in turn until delivery is successful (for example, if the first default mail server is unreachable). Enter the IP address and select Insert to add it to the list of default mail servers.

Domains:
Select Insert to insert a new trusted domain and enter the domain name into the Name field.
The following parameters are available for configuration:

List 65 MailGW Settings section Extended Domain Setup Domains
Parameter | Description
Additional Domain Pattern | If your trusted domain has additional patterns (for example several top level domains such as .com or .net) you can add the additional pattern to the list. For the additional pattern, it is also possible to enter wild cards such as * or ? (like sample.*).
Protection Profile | Protection profiles determine a mail domain's trust scope. Domains with the highest trust level may only be forwarded via the gateway's internal listen IP; domains with the lowest trust level may only be used to communicate outside the company LAN. Have a look at figure 62, page 262 to understand the impacts of protection profile configuration. The following trusted domain definitions apply:
strictly_internal: E-mail senders using a domain defined as strictly internal are only accepted from within the company network at the mail gateway's internal listen IP. This configuration offers the highest protection level against fake e-mail addresses, as it is not possible to forward e-mails through any external, Internet-accessible mail relay.
internal: E-mail senders using a domain defined as internal are accepted from within the company network at the mail gateway's internal listen IP as well as from outside the company network at the mail gateway's external listen IP. This configuration is of interest for mobile workers wishing to send e-mails with official company addresses when they are connected to the Internet via any ISP.
foreign: E-mail senders using a domain defined as foreign are accepted at both listening interfaces. Foreign domains can be defined if some of your clients want to use an external mail account (like a web mail account) company-wide and from the Internet. As foreign domains are accepted as senders and recipients on both listening interfaces of the mail gateway, it makes sense to specify allowed clients explicitly (parameter Allow Relaying from > Explicit_ACL), so the foreign domain setting is only valid for these clients and not for the whole internal client network.
strictly_foreign: E-mail senders using a domain defined as strictly foreign are only allowed at the mail gateway's external listening interface.
Delivery Policy | This parameter determines the handling of incoming e-mails addressed to the specified recipient domain. The following setting options define the mail gateway's e-mail forwarding mechanism:
MX (default): The mail gateway tries to resolve a DNS MX (mail exchange) record for the specific domain.
Default_Internal: The mail gateway redirects incoming mail for a trusted domain to the respective default mail server as outlined on page 264 (Default Internal Mail Server).
Default_MX: The mail gateway redirects incoming mail for a trusted domain to an MX-resolvable domain as outlined on page 263 (Default Internal MX).
Explicit_Peer_IP: Activates the field Delivery IPs where one or more IP addresses can be entered (parameter Delivery IPs, see below). The mail gateway redirects matching incoming mail to the specified IP address.
Explicit_MX_Domain: The mail gateway hands responsibility for e-mail forwarding to another MX-resolvable domain. Enter the MX domain into the Delivery IPs field below. E-mail distribution to the final recipients will then be handled by the other domain's mail servers. This option can be used when multiple internal mail servers are in use.
Delivery IPs | This field only expects input if Delivery Policy has been set to Explicit_Peer_IP or Explicit_MX_Domain. In that case specify the delivery IP address(es) or MX domain(s) explicitly in this place.
Local Deliver IP | This parameter should be used when having multiple Listen IPs because it allows selecting one of the available IPs as the binding one.
Allow Relaying from | This setting specifies which peers are allowed to use the specified domain as sender domain. There are three different accept policies:
Any_Peer: The specified domain can be used by any peer.
Basic_Relaying_Setup: The specified domain can only be used by peers specified in parameter Allow Relaying from.
Explicit_ACL: Activates the field ACL where ACL IPs can be entered. The specified domain can only be used by these peers.
ACL | Explicit access list (allowed peer IPs).
Recipient Lookup | This parameter allows verifying each mail recipient in a database. If the recipient cannot be found in the database the mail is dropped. The following options are available:
Disabled (default): Deactivates the parameter, that means no verification is carried out.
Default_DB: Uses the database configured in parameter Default Recipient DB (see Section Global Domain Parameters, page 263).
Explicit: In case the sum of queried users in the Default_DB causes performance problems, it is sensible to specify an individual Recipient DB for each domain.
Rules controlling mail traffic (pass = accepted, DENY = rejected)
Role on listener | strictly_internal | internal | foreign | strictly_foreign
Allow as sender on internal | pass | pass | pass | DENY
Allow as sender on external | DENY | pass | pass | pass
Allow as recipient on internal | pass | pass | pass | pass
Allow as recipient on external | pass | pass | DENY | DENY
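The protection-profile matrix above together with the Allow Relaying from policies of List 65, as an added example that is not part of the original guide and not Barracuda code. It lets a proposed domain table be checked before activation. The sample domains and peer addresses are constructed; that Basic_Relaying_Setup draws on the Allowed Relaying > Internal IP-Addresses list (List 68) is this example's assumption.

```python
"""Protection-profile decision matrix of the mail gateway's Extended Domain
Setup, as an added example (not Barracuda's code). It encodes the table
"Rules controlling mail traffic" and the Allow Relaying from policies
(Any_Peer, Basic_Relaying_Setup, Explicit_ACL). Assumption: the peers that
Basic_Relaying_Setup refers to are the Allowed Relaying > Internal
IP-Addresses of List 68. Sample domains and peer addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

PROFILES = ("strictly_internal", "internal", "foreign", "strictly_foreign")

# (role, listener) -> verdict per profile, copied from the table above.
RULES = {
    ("sender", "internal"):    dict(zip(PROFILES, ("pass", "pass", "pass", "DENY"))),
    ("sender", "external"):    dict(zip(PROFILES, ("DENY", "pass", "pass", "pass"))),
    ("recipient", "internal"): dict(zip(PROFILES, ("pass", "pass", "pass", "pass"))),
    ("recipient", "external"): dict(zip(PROFILES, ("pass", "pass", "DENY", "DENY"))),
}


@dataclass
class TrustedDomain:
    name: str
    profile: str
    allow_relaying: str = "Any_Peer"      # Any_Peer, Basic_Relaying_Setup, Explicit_ACL
    acl: List[str] = field(default_factory=list)   # ACL field, used with Explicit_ACL


def profile_allows(profile: str, role: str, listener: str) -> bool:
    """Verdict of the protection-profile matrix alone."""
    return RULES[(role, listener)][profile] == "pass"


def peer_may_use_domain(domain: TrustedDomain, peer_ip: str,
                        internal_relay_peers: List[str]) -> bool:
    """Allow Relaying from: may this peer use the domain as sender domain?"""
    if domain.allow_relaying == "Any_Peer":
        return True
    if domain.allow_relaying == "Basic_Relaying_Setup":
        allowed = internal_relay_peers          # assumption: List 68 entries
    elif domain.allow_relaying == "Explicit_ACL":
        allowed = domain.acl
    else:
        raise ValueError(f"unknown relaying policy {domain.allow_relaying!r}")
    addr = ip_address(peer_ip)
    # entries may be single addresses or networks; a bare address is a /32
    return any(addr in ip_network(entry, strict=False) for entry in allowed)


def accept_sender(domain: TrustedDomain, listener: str, peer_ip: str,
                  internal_relay_peers: List[str]) -> bool:
    """A MAIL FROM in this domain is accepted only if both the profile matrix
    and the relaying policy pass for the listener the peer connected to."""
    return (profile_allows(domain.profile, "sender", listener)
            and peer_may_use_domain(domain, peer_ip, internal_relay_peers))


def audit(domains: List[TrustedDomain]) -> List[str]:
    """Flag settings the Extended Domain Setup text warns about."""
    findings = []
    for d in domains:
        if d.profile not in PROFILES:
            findings.append(f"{d.name}: unknown protection profile {d.profile!r}")
        if d.profile == "foreign" and d.allow_relaying == "Any_Peer":
            findings.append(f"{d.name}: foreign domain usable by any peer; restrict with Explicit_ACL")
        if d.allow_relaying == "Explicit_ACL" and not d.acl:
            findings.append(f"{d.name}: Explicit_ACL with empty ACL blocks every sender")
    return findings
```

The audit reproduces the page's own advice for foreign domains: without an Explicit_ACL, any host that can reach either listener may send with that domain, which is the usual path by which a gateway ends up relaying for the whole Internet.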
List 66 MailGW Settings - Pop3 Setup section POP3 Setup
Parameter | Description
Timeout (s) | This is the time span after which the connection between e-mail client and mail gateway times out. This value is of importance because overly long processing times caused by communication or connectivity problems between mail gateway and POP3 server can lead to connection loss between mail gateway and e-mail client. You may leave the default setting at 30 seconds if you are not experiencing any problems.
Check Spam | Set to yes (default: no) to activate spam checking of e-mails retrieved via POP3. Note: In order to perform a spam check the Spam filter service has to be installed (4. Spam Filtering, page 273).
Template | When the virus scanner finds a virus, it immediately drops the e-mail and attempts to forward an informational message to the e-mail's recipient instead of the original e-mail. Use the Template field to define a global template for these notifications. Variable parameters such as e-mail address, virus information and mail subject are inserted into the template when the notification is generated. Valid variable parameters are:
%USERNAME% - name of the user
%VIRUSNAME% - virus information
%MAILFROM% - sender e-mail address
%MAILTO% - recipient e-mail address
%MAILDATE% - date of the e-mail
%SUBJECT% - mail subject
Subject | This string is inserted into the alert e-mail's subject header (default value: [VIRUS found]).
Delete Infected Mails | Virus infected e-mails are immediately deleted and not stored on the Barracuda NG Firewall when this option is set to yes (default: no). Otherwise the e-mails are saved to the path /var/phion/run/mailgw/<servername>_<servicename>/root/virus-rejected.
Use HTML Tag Removal | Set to yes (default: no) to enable HTML tag removal. For a short description of HTML tag removal see Section HTML Tag Removal (page 270).

3.2.4 Advanced Setup
The following parameters define the mail gateway's general behavior:

List 67 MailGW Settings - Advanced Setup section Operational Settings
Parameter | Description
Mail Transfer Agents (MTAs) | Mail transfer agents are service processes that deliver mails received from a client to other mail servers (see 5.1 MailGW Operation via GUI, page 279). You can specify the maximum number of MTAs here (default: 5). Attention: This number must not be 0. MTA processes are only started when the mail gateway system needs them for mail delivery and are terminated again after delivery has succeeded.
MTAs for Urgent Mail | This parameter defines the number of MTAs that are reserved for mail classified as urgent (default: 1). The definition of what kind of mails have the scheduling priority urgent is made within the Section Expert Settings (use with care) (page 267).
Admin Connections | This is the maximum number of GUI connections allowed to the box where the mail gateway service is installed (default: 5).
DNS Query | With the option parallel (default) all configured DNS servers are queried at once; the local box firewall then blocks the DNS reply packets of slow DNS servers because the mail gateway has already received an answer from a faster DNS server. The option sequential causes the DNS servers to be queried one after the other.
Spool Queue Sync | This parameter activates/deactivates the synchronisation of mails between an HA pair. When activated, the active mail gateway sends mail bundles to the passive mail gateway for synchronisation every 10 seconds. Note: Enabling this parameter requires a restart of the mail gateway service due to the HA specific startup procedure. Disabling works without restart. Attention: Having this option activated may cause extensive load during synchronisation.
DSN Mails in MIME-Format | Select yes to send DSN messages in MIME format, according to RFC 1891 (SMTP Service Extension for Delivery Status Notifications; for details see www.ietf.org/rfc/rfc1891.txt).
MTA Retry Sequence | For a variety of reasons (for example a target server is unreachable), an e-mail might not be deliverable at once. If this is the case, the mail gateway service starts a further delivery attempt after a certain period specified through this field. Multiple retry attempts can be entered in a space separated list. The following characters may be used: digits, m = minute(s), h = hour(s), d = day(s). Adding the character w to a time parameter in the list causes generation of DSN (Delivery Status Notification) messages addressed to the original e-mail's sender. As long as further retry attempts are still to follow, a delay message is generated. The last message of the retry sequence is a delivery failure notification.
Example messages for the MTA retry sequence '1m 5m 10m 1hw 1dw':
Delay message generated after 1 hour:
Your Message to the following recipients <recipient@sample.com> (reason: [reason for delivery delay]) has been delayed.
You do NOT need to resend your message!!!
The mail server will keep trying to deliver your message and you will be notified if delivery is impossible.
Received: from [IP] ([hostname]) by [mail gateway] id [JOB ID Number]; [Day Date Time]
From: "Sender" <sender@sample.com>
Subject: [Subject of mail message]
Delivery failure notification generated after 1 day:
Your Message to the following recipients <recipient@sample.com> (reason: [reason for delivery failure]) - maximum retries reached - could not be delivered.
Received: from [IP] ([hostname]) by [mail gateway] id [JOB ID Number]; [Day Date Time]
From: "Sender" <sender@sample.com>
Subject: [Subject of mail message]
Priority Switch after (minutes) | The Barracuda NG Firewall mail gateway schedules all mail jobs received from the clients (for more information on the scheduling mechanism see 5.1 MailGW Operation via GUI, page 279). This setting specifies the period of time (default: 60 minutes) after which the mail gateway automatically changes the scheduling priority to the next higher level. Note: This setting has nothing to do with the priority flag you can set in your e-mail client software; that priority flag concerns the mail application only.

List 68 MailGW Settings - Advanced Setup section Allowed Relaying
Parameter | Description
Internal IP-Addresses | These internal IP addresses are allowed to forward mail traffic. Attention: Use this parame­ter with great care, as incorrect settings may cause security violations: an over-broad list turns the gateway into an open relay.
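A parser for the MTA Retry Sequence field described in List 67, as an added example that is not part of the original guide and not Barracuda code. It computes when each retry and each DSN falls due for the page's sample sequence '1m 5m 10m 1hw 1dw'; the data structure, the cumulative-time computation and the validation rules are this example's own.

```python
"""Parser for the MTA Retry Sequence field, as an added example (not
Barracuda's code). Each entry is <digits><m|h|d> with an optional trailing
'w' that requests a DSN to the original sender: a 'w' on the last entry
yields the delivery failure notification, a 'w' on an earlier entry a delay
notice. Cumulative times and the validation are this example's own; the
sample sequence '1m 5m 10m 1hw 1dw' is the page's."""
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List

_ENTRY = re.compile(r"^(\d+)([mhd])(w?)$")
_UNIT = {"m": timedelta(minutes=1), "h": timedelta(hours=1), "d": timedelta(days=1)}


@dataclass(frozen=True)
class Retry:
    attempt: int          # 1-based retry number
    delay: timedelta      # wait before this attempt
    due: timedelta        # cumulative time since the first failed delivery
    dsn: str              # "", "delay" or "failure"


def parse_retry_sequence(spec: str) -> List[Retry]:
    """Turn '1m 5m 10m 1hw 1dw' into a schedule. Malformed or zero-length
    tokens raise ValueError so a typo in the field is caught before
    activation instead of silently producing a different schedule."""
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty retry sequence")
    schedule, elapsed = [], timedelta(0)
    for i, tok in enumerate(tokens, start=1):
        m = _ENTRY.match(tok)
        if not m:
            raise ValueError(f"invalid retry entry {tok!r}")
        amount, unit, warn = int(m.group(1)), m.group(2), m.group(3)
        if amount == 0:
            raise ValueError(f"zero-length retry entry {tok!r}")
        delay = amount * _UNIT[unit]
        elapsed += delay
        dsn = ""
        if warn:
            dsn = "failure" if i == len(tokens) else "delay"
        schedule.append(Retry(i, delay, elapsed, dsn))
    return schedule


def dsn_points(spec: str) -> List[str]:
    """When the original sender will hear something, as readable strings."""
    return [f"{r.dsn} DSN after {r.due}" for r in parse_retry_sequence(spec) if r.dsn]


def sender_notified_of_failure(spec: str) -> bool:
    """True only if the final entry carries 'w'; otherwise the sender never
    learns that the message was given up on."""
    return parse_retry_sequence(spec)[-1].dsn == "failure"


if __name__ == "__main__":
    for r in parse_retry_sequence("1m 5m 10m 1hw 1dw"):
        print(f"retry {r.attempt}: after {r.delay} (cumulative {r.due}) {r.dsn or '-'}")
```

For the page's sequence the delay DSN is generated 1 hour 16 minutes after the first attempt and the failure DSN 1 day later, so the "after 1 hour" and "after 1 day" in the example messages are the individual waits, not the elapsed time.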
Usage: RETURN
IF (<test-expression(s)>) THEN The return command exits the current level function, so
<statement>;
ENDIF subsequent instructions will no longer be performed.
Usage: RETURN ;
Example:
Note:
IF (fromdomain = "sample.com") OR
(fromuser = "spammer") THEN Lines with ACTION and RETURN commands require a
ACTION ("deny", "Banned Sender"); semicolon (;) at the end of the line; expressions with
ENDIF
ACTION/RETURN command are space separated (this is
also valid for the semicolon after the RETURN command
ACTION
as shown above).
This command is used to let the mail gateway service
perform various actions. Examples for expert settings
Example 1
Table 67 Actions used in the Expert Settings section
Mail delivery from mail servers that send "spam" as
Action Level Parameter Description
greeting name should be denied. Insert the following rule
ruledebug all view rule debug messages in
logs
language code into the Helo field of Pre or Post Settings:
smtpdebug all view SMTP debug messages in IF (helo = "spam") THEN
logs ACTION ("quit", "");
RETURN;
deliverdirect >2 target IP when specified in level 3 it has ENDIF
address an effect on the whole mail
objects, else on current rcpt
Bind >2 extern when specified in level 3 it has Example 2
intern an effect on the whole mail Priority of e-mails arriving from a specific address should
bind IP objects, else on current rcpt
[inbound-flag] extern: use first configured be changed to "high". Insert the following rule language
external bind IP code into the Sender field of Pre or Post Settings:
intern: use first configured
internal bind IP IF (from = "boss@company.com") THEN
ACTION ("priority", "HIGH");
specify an explicit bind IP
ENDIF
[inbound-flag is either 0
(default, outbound) or 1
(inbound)] Example 3
Quit all close connection
E-mails arriving from a specific address should be cloned
Deny >2 description deny mail delivery of current
mail and distributed to multiple recipients. Insert the following
Drop 4 drop current recipient rule language code into the Recipient field of Pre or Post
rewrite >2 mailbox if specified in level 3 re-write Settings:
rewriteuser localparts sender (-part), else re-write IF (from = "sender@company.com") THEN
rewritedomain domains current recipient (-part) ACTION ("clone", "rcp1@company.com,
clone 4 list of clone current recipient (-part) rcp2@company.com,rcp3@company.com");
ENDIF
cloneuser mailboxes,
clonedomain local-parts or
domains
Example 4
Priority >2 priority scheduling priority; allowed
values: low, normal, high, Spam e-mails should be redirected. The following rule
urgent language code can be entered in any expert pre settings.
Event all event-type, trigger an event The following syntax applies:
description allowed values: 0=info,
1=notice, 2=error ACTION ("redirect", "<program>,[<optional_params>]");
description of event: will be
displayed in Events if event
triggered A corresponding configuration entry could read as follows:
None all do nothing ACTION ("redirect", "/opt/phion/bin/spam_redirect.sh");
Usage:
The script itself that is required for e-mail redirection
ACTION ("<action>", "<parameter(s)>");
(spam_redirect.sh in the example) could read as
follows:
If there is no parameter required (this is the case when #!/bin/bash
quit action is used), you need to enter the quotation # $1 ... path to mail files
# $2 ... spoolid
marks anyway, like for example ACTION ("quit, "");. ## this script redirects mails with "[SPAM]" within subject
# to an archive mail account
DSTMAILBOX=mailboxname
DSTDOMAIN=domainname
DSTIP=serverip
BODY_FILE=$1$2".body"
ENV_FILE=$1$2".env"
TMP_FILE="/tmp/"$2".env" List 610 MailGW Settings - Content Filter - Attachment Stripping section
SUBJECT=`cat $BODY_FILE | formail -c -x subject | grep "[SPAM]" | Advanced Attachment Options
sed -e 's/.*\[SPAM\].*/[SPAM]/g'`
Parameter Description
if [ "_$SUBJECT" = "_[SPAM]" ]; then
# redirect to spam mail box MIME-Type This parameter determines to strip all attachments
# 1. remove lines that start with "rcpt" belonging to a specific MIME-Type. For MIME-Type
# 2. insert infos for delivery to spam archive specification, the following syntax applies (wildcards (*)
# (assumption: $DSTIP is an internalmailserver) are allowed) : MIME-Type/MIME-Subtype (for example,
mv $ENV_FILE $TMP_FILE */*, application/*, application/activemessage). For
cat $TMP_FILE | grep -v -e "^rcpt" -e"^recipient" -e"^numrcpts" >
$ENV_FILE
an authoritative listing of all MIME-Types, refer to
echo "numrcpts 1" >> $ENV_FILE http://www.iana.org/assignments/media-typ
echo "recipient" >> $ENV_FILE es/.
echo "rcpt id 0" >> $ENV_FILE Note:
echo "rcpt user $DSTMAILBOX" >> $ENV_FILE
echo "rcpt domain $DSTDOMAIN" >> $ENV_FILE
If wildcards are applicable the MIME-Type Exceptions
echo "rcpt status 0" >> $ENV_FILE parameter below allows you to exclude specific
echo "rcpt deliverdirect $DSTIP" >> $ENV_FILE subtypes from attachment stripping.
echo "rcpt bindtype 1" >> $ENV_FILE MIME-Type Specify MIME-Subtypes in this list that should be
echo "rcpt bind intern" >> $ENV_FILE
rm -f $TMP_FILE
Exceptions excluded from attachment stripping, in case the
fi MIME-Type parameter above has been defined globally
echo "0" employing wildcards.
For MIME-Subtype specification, the following syntax
applies (wildcards (*) are allowed):
Note:
MIME-Type/MIME-Subtype (for example
The script has to be made executable. Enter application/pdf, image/*).
chmod 777 /opt/phion/bin/spam_redirect.sh Automatically Setting to yes (default) triggers use of the UNIX file
in this example) Detect command to detect a file's MIME-Type automatically. If
MIME-Type set to no, the MIME-Type propagated by the sender's
e-mail client applies for determination of attachment
stripping conditions. It is recommended not to change
3.2.5 Content Adaptions the default setting.
File Extension Determines files with a specific ending to be stripped
Filter off e-mails. If the desired file type is not in the list,
Section Spam Detection select checkbox Other and specify the ending
explicitly.
Through this section the SPAM Filter client is configured.
Message to Supply a message in this place informing the e-mails
For detailed information about configuring see 4.2.1 Recipient recipient that file attachments have been cut from the
Configuring the Spam Filter Client, page 274. original e-mail. This message is inserted into the e-mail
before it is forwarded to the actual recipient.
Section Virus Protection
Section Grey Listing
This section is used for integrating the virus scanner into
the mail gateway. See 1.7.3 Mail Gateway Integration, List is a feature allowing for reduction of unsolicited
Grey listing
1722 MailGWSettings - Virus Scanning section Virus SPAM e-mail. Grey listing works by rejecting the first
Protection, page 396 for a description of the available arrival of a new message and telling the remote site to try
configuration parameters and integration into a mail again. Grey listing relies upon correctly configured
gateway. legitimate mail transfer agents, attempting at least one
further delivery try. Non RFC conformant mail servers
Section Attachment Stripping
ignore error reports and do not try re-sending their mails.
This section allows configuring file attachments to be cut As spam is most frequently delivered through such
from e-mails before forwarding the e-mail to its recipient. servers, grey listing reduces acceptance of unwanted
Filters can be set by senders and/or recipients e-mail messages.
addresses and domains, and by file type.
When a new message, comprising an unknown
To access the configuration dialog, set Enable sender-recipient pair, arrives, the grey lister rejects mail
Attachment Stripping to yes (default: no) and then click acceptance, passes a rejection notice to the sending mail
the Set button to the right of the Advanced Attachments server and places the sender-recipient pair into its grey
Options. The following parameters define attachment list. This list is visualized in 5.8 Grey Listing Tab, page 283.
stripping behavior in detail: If the mail has been delivered by a legitimate MTA, it will be
resent most likely. The second delivery attempt is
List 610 MailGW Settings - Content Filter - Attachment Stripping section
Advanced Attachment Options accepted by the grey lister and the e-mail is delivered.
Parameter Description Two side effects of grey listing are to be taken into
Cut Whitelists Sender/Re E-mail addresses and domain patterns account:
cipient inserted into this list are excluded from
Whitelist Attachment Stripping execution. Senders z Depending on the sending MTAs configuration, the
and recipients may either be inserted e-mail sender might be issued a report about the initial
with their full addresses or wildcards may
be used (like user@barracuda.com, delivery failure.
@barracuda.com, barracuda.com).
The Sender Whitelist is processed before z As e-mails are temporarily rejected, they experience a
the Recipient Whitelist. An incoming slight delivery delay.
e-mail will thus first be scanned for its
sender. If the sender is in the whitelist, z Wanted e-mails might not be delivered due to
the e-mail will be forwarded untrimmed. incorrectly configured MTAs on the sender's side. This
If the sender is not in the whitelist, the
e-mail will be scanned for its recipient(s). misconfiguration may be corrected through the White
If the e-mail is addressed to multiple List Peers and Senders parameters (see below).
recipients, it will only be forwarded
untrimmed, if all its recipients reside in
the Recipient Whitelist. Attachments will To access the configuration dialog, set Enable Grey
otherwise be cut. Listing to yes (default: no) and then click the Edit button
to the right of the Advanced Grey Listing Options. The of option Blacklists. The following parameters define
following parameters define grey listing behavior in detail: blacklist behavior in detail:
List 611 MailGW Settings - Content Filter - Grey Listing section Advanced Grey Fig. 64 Blacklist configuration
Listing Options
Parameter Description
Grey Listing This is the time (in minutes) expected to have passed
Time (Min) between the first and the second SMTP delivery
attempt (default: 1). Higher values increase message
delivery delay.
White List Grey listing does not apply to the MTAs defined here.
Peers Use this parameter to exclude known peers from grey
listing explicitly, in order not to interfere with
immediate mail delivery. A peer may be defined with its
full IP address or domain name. Wildcards may be used
(like host.mailsrv.com, *.mailsrv.com, 172.16.1.*).
Note:
Do not enter network address ranges.

White List Senders
Grey listing does not apply to the sender addresses defined here. Use this parameter to exclude known senders from grey listing explicitly, so that their mail is delivered without delay. A sender may be defined by the full e-mail address; wildcards may be used (like *@barracuda.com).

Auto White List (Senders)
When set to yes (default: no), a sender is automatically added to the sender white list after a successful mail transfer. The sender-recipient pair is stored in the white list for at most the number of days configured through parameter Remove from White List after (d) (see below) and is deleted thereafter. White list entries can also be deleted manually in the visualised list (see 5.8 Grey Listing Tab, page 283).

Remove from Grey List after (h)
Sender-recipient pairs that have been added to the Grey List (see 5.8 Grey Listing Tab, page 283) are automatically removed from the list after the number of hours specified here (default: 24).

Remove from White List after (d)
Sender-recipient pairs that have been added through Auto White List (Senders) are automatically removed from the list after the number of days specified here (default: 30).

Daily Report Mail to
Specify the recipient of a daily report e-mail on grey listing utilisation. By default, reports are sent to the Postmaster (see Postmaster Mail-Address). With Nobody selected, no report mails are generated. For any other recipient, select the checkbox Other and specify an e-mail address. Multiple recipients must be entered as a space separated list.

Section Blacklists

This section represents a sort of "emergency off button": the administrator of the mail gateway can block certain hosts, subjects, senders or recipients explicitly and very quickly (for example, on a virus warning the subjects known to be used by the virus may be entered in order to block the mails before they are even received).

Note:
This is a very static way of defining the behaviour of the mail gateway for certain mail. It should therefore not be used as a spam filter in general, but only for "emergency overrides" as mentioned above. If you want to configure a spam filter, see 4. Spam Filtering, page 273.

To access the configuration dialog, set Enable Blacklist to yes (default: no) and then click the Edit button to the right.

List 612 MailGW Settings - Content Filter - Blacklists

Subject / Sender / Recipient Blacklist
Unwanted subjects, senders or recipients can be banned using these fields. The mail gateway denies every e-mail matching one of the phrases specified.
Note:
To ban subjects that are composed of multiple items including space characters, observe the following (case insensitive) syntax rules so that the banned subject is interpreted correctly:
?   A question mark stands for a space.
*   An asterisk stands for an arbitrary sequence of characters. A space can be matched by an asterisk, too.
"   Quotation marks enclose a complete phrase.
See below for an interpretation example of banned subjects:

Phrase to be banned    Syntax of banned subject    Interpretation
your password          your password               The filter is ignored, because no rule applies.
                       your?password               All e-mails with the exact subject "your password" are blocked.
                       *your?password*             All e-mails containing "your password" anywhere in the subject are blocked, regardless of the other content.
                       *your*password*             All e-mails containing the words "your" and "password" in that order are blocked, regardless of the content before, between or behind these two words.

IP Blacklist
Mail delivery from the host(s) entered here is refused. Multiple IP addresses can be specified.
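An added example (my code, not the guide's and not Barracuda's implementation) of a matcher for the wildcard syntax above. The same rules serve the sender white list of grey listing (entries like *@barracuda.com) and the Subject / Sender / Recipient blacklist, so one matcher covers both; it is run over the four rows of the interpretation table. Treating a question mark as exactly one space and quotation marks as a literal phrase is my reading of the rules, which the guide does not illustrate for quotes; the sample subjects are constructed.

```python
import re


def compile_ban(pattern):
    """Translate one blacklist entry into an anchored, case-insensitive regex.

    ?      one space character
    *      any sequence of characters, spaces included
    "..."  a complete phrase, taken literally (my interpretation of the rule)

    An unquoted space has no rule, so the entry is not applicable: None is
    returned and the entry is ignored, as in the first row of the table.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '"':
            end = pattern.find('"', i + 1)
            if end == -1:
                return None                     # unbalanced quote: not applicable
            parts.append(re.escape(pattern[i + 1:end]))
            i = end + 1
            continue
        if c == "?":
            parts.append(" ")
        elif c == "*":
            parts.append(".*")
        elif c == " ":
            return None                         # unquoted space: no applicable rule
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches_any(value, entries):
    """True when value (a subject, sender or recipient) matches one applicable entry."""
    for entry in entries:
        rx = compile_ban(entry)
        if rx is not None and rx.match(value):
            return True
    return False


def greylist_exempt(sender, white_list):
    """Sender white list of grey listing: a matching sender is delivered immediately."""
    return matches_any(sender, white_list)


# Constructed subjects used to walk through the interpretation table.
SUBJECTS = [
    "your password",
    "Reset your password now",
    "Change your own password today",
    "password for your account",
]


def blocked_subjects(entry):
    """Which of the sample subjects a single blacklist entry blocks."""
    return [s for s in SUBJECTS if matches_any(s, [entry])]


if __name__ == "__main__":
    for entry in ["your password", "your?password", "*your?password*", "*your*password*"]:
        print(f"{entry!r:20} blocks {blocked_subjects(entry)}")
    print(greylist_exempt("alice@barracuda.com", ["*@barracuda.com"]))
```

Note that both lists match on the sender address as presented by the peer, which SMTP does not authenticate: a wildcard such as *@barracuda.com also exempts anyone spoofing that domain from grey listing, and a blacklisted sender can simply change its address. Keep the static white list to senders whose mail you cannot afford to delay and let the auto white list, which only learns pairs after a successful transfer, handle the rest.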
Section HTML Tag Removal

To protect your network from HTML e-mails with annoying or potentially dangerous content, such as hyperlinks leading to faked websites or images with objectionable content, the mail gateway may be configured to alter HTML tags in e-mails so that the tags lose their function. Links thus lose their link characteristic and images can no longer be loaded from the servers they are hosted on. This prevents users from clicking on links unintentionally or thoughtlessly.

Note:
Keep in mind that HTML tag removal applies to incoming and outgoing e-mails alike.

List 613 MailGW Settings - Content Filter - HTML-Tag Removal

Remove HTML Tags
Set to yes (default: no) to enable HTML tag altering.

Remove HTML Link Tag
When set to yes (the default), link (a href) tags in HTML e-mails are altered so that the link loses its function. The link text itself remains unchanged. The linked destination can still be viewed by copying the link from the e-mail and pasting it into the address field of the browser.

Remove HTML Img Src Tag
When set to yes (default: no), image source (img src) tags in HTML e-mails are altered so that they lose their function. Linked images are no longer loaded from the servers they are placed on. Keep in mind that this function destroys the design of HTML e-mails (such as newsletters), outgoing and incoming alike.

Section Misc

List 614 MailGW Settings - Content Filter - Misc

Strip Received Lines
Every SMTP server or relay registers itself in the mail header (Received lines). These entries typically reveal the company-internal mail infrastructure. Setting this parameter to yes (default: no) strips this internal and confidential information from the mail header. The number of Received lines in the header stays the same, but their content is replaced by dummy entries and thus no longer contains security-critical information.
Note:
Be aware that modifying mail headers makes mail loop detection less effective.

Strip Received Lines Text
The text entered here replaces the original text stripped from the e-mail header.

Remove Barracuda Networks ID
When activated, this parameter removes the Barracuda Networks ID from the mail header of dispatched e-mails. The aim of this setting is to conceal the identity of the mail gateway and to make the software harder to fingerprint.

3.2.6 Limits

This section allows for configuration of various mail gateway service limits.

List 615 MailGW Settings - Limits section Mail Gateway Limits

Limit Mail Data Size
Activates/deactivates the mail data (attachment) size limit (default: yes). The size limit is specified in the Mail Data Size (MB) field below.

Mail Data Size (MB)
Enter a value > 0 (default: 20). If the mail size exceeds the specified value, the mail gateway refuses delivery and returns an error message to the sender.
Note:
This parameter reflects the actual mail body size, because SMTP applies a transfer encoding. The actual mail size may therefore be greater than the physical size of the attachment. For example, if you add an attachment of about 5 MB, the total mail size could be up to about 6.5 MB.

DSN for Max Data Size Excess
Set to yes (default: no) if you want the mail gateway to create an extended Delivery Status Notification (DSN) mail when an e-mail has exceeded the maximum allowed size.

Maximum Number of Recipients
The maximum number of recipients of a mail. Since RFC 2821 requires that at least 100 recipients per mail are accepted, this setting cannot be smaller than 100 (default: 200).

DSN for Max Recipients Excess
Set to yes (default: no) if you want the mail gateway to create an extended Delivery Status Notification (DSN) mail when an e-mail has been addressed to more recipients than allowed.

Refuse Empty Mail from
Defines whether e-mails with empty sender information are rejected. By default (no) the SMTP server accepts every incoming e-mail. Note that the empty reverse path (MAIL FROM:<>) is what bounces and delivery status notifications are sent with, so rejecting it also drops those.

Accept Loose Domain Name
Domain names may only consist of the characters [-.0-9A-Za-z]. Via this parameter, incorrect domain names may be accepted:
no - an incorrect domain name causes the e-mail to be rejected
yes - domain names are not checked, that is, e-mails with incorrect domain names are delivered

Max. Attachments
Defines the maximum number of attachments per MIME e-mail that are scanned.

Drop Mails over Attachment Limit
Defines whether e-mails containing more attachments than defined in parameter Max. Attachments are rejected.

Drop Fragmented Mails
Defines whether malformed/damaged e-mails are rejected.

Max Age of crashed Mails (d)
A mail in the "crashed" directory is kept for this number of days.

Max. SMTP Line Length
Enter the maximum line length. Barracuda Networks recommends, as the RFC defines, a maximum length of 1000 characters.

List 616 MailGW Settings - Limits section DoS Protection

Parallel Inbound / Outbound Connections
These fields specify how many parallel inbound or outbound connections for receiving mail are allowed in total (default: 5). If your mail gateway has to handle a lot of mail traffic, you may need to increase this value.
Note:
This value must not be 0.

Parallel Inbound / Outbound Conn. per Peer
These fields specify how many parallel TCP connections from a single inbound or outbound source IP address are allowed (default: 25). This provides effective protection against DoS (Denial of Service) attacks.
Note:
This value must not be 0.
Note:
The maximum number of parallel connections per peer may not be greater than the maximum number of parallel connections.
Note:
With parameter Parallel Connection Limit (see page 272) set to yes, the event Resource Limit Exceeded: Max connections (per Peer) [136] is triggered when the limit values are exceeded.
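To make the content filter actions of Lists 613 and 614 and the size note of List 615 concrete, here is an added Python example; it is my code, not the guide's and not how the Barracuda mail gateway implements these settings. It replaces the content of every Received: header with a replacement text while keeping their number, renames the href/src attributes of links and images so that they lose their function while the visible text stays readable, and estimates how large an attachment becomes on the wire after base64 transfer encoding. The message is constructed for the example; renaming the attributes and the replacement text are my choices, since the guide does not say how the gateway alters the tags.

```python
import email
import re
from email import policy

# Constructed sample message (not a captured mail): two Received lines that
# reveal internal hosts, and an HTML body with a link and a tracking image.
SAMPLE = b"""Received: from mx1.corp.example (10.0.0.5) by gw.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from pc23.corp.example (10.0.1.23) by mx1.corp.example; Mon, 1 Jan 2024 09:59:59 +0000
From: alice@example.com
To: bob@example.org
Subject: Newsletter
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://login.example.net/reset">log in</a> now.</p>
<img src="http://track.example.net/p.gif" width="1" height="1">
</body></html>
"""

# Tag name, any attributes before href/src, then the attribute name itself.
HREF = re.compile(r'(<a\b[^>]*?)\bhref\s*=', re.IGNORECASE)
IMG_SRC = re.compile(r'(<img\b[^>]*?)\bsrc\s*=', re.IGNORECASE)


def strip_received_lines(msg, replacement="stripped by mail gateway"):
    """List 614, Strip Received Lines: replace the content of every Received:
    header with the replacement text. The number of headers is preserved, which
    matters because MTAs use the count of Received lines as a hop count for
    loop detection. Returns the number of headers rewritten."""
    count = len(msg.get_all("Received", []))
    del msg["Received"]            # removes all occurrences
    for _ in range(count):
        msg["Received"] = replacement
    return count


def defang_html(html, remove_links=True, remove_images=False):
    """List 613: rename the href/src attribute so the browser no longer treats
    it as a link or image source. The link text and the URL string stay in the
    mail, so the destination can still be copied into a browser by hand."""
    if remove_links:
        html = HREF.sub(r"\1x-removed-href=", html)
    if remove_images:
        html = IMG_SRC.sub(r"\1x-removed-src=", html)
    return html


def filter_message(raw, strip_received=True, remove_links=True, remove_images=True):
    """Apply the content filters to a raw message and return the parsed result."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if strip_received:
        strip_received_lines(msg)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(defang_html(part.get_content(), remove_links, remove_images),
                             subtype="html")
    return msg


def encoded_size(attachment_bytes, line_length=76):
    """List 615, Mail Data Size: bytes an attachment occupies on the wire after
    base64 transfer encoding (4 output bytes per 3 input bytes, plus CRLF after
    every 76 characters). This is why the limit is hit before the raw file size."""
    b64 = -(-attachment_bytes // 3) * 4            # ceiling division
    lines = -(-b64 // line_length)
    return b64 + 2 * lines


if __name__ == "__main__":
    print(filter_message(SAMPLE).as_string())
    print("5 MB attachment on the wire:", encoded_size(5_000_000), "bytes")
```

The base64 overhead alone is a third, so a 5,000,000 byte attachment occupies about 6.8 MB on the wire, consistent with the order of magnitude the note gives. The attribute regexes are enough for this demonstration; a production filter should parse the HTML rather than pattern-match it.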
4. Spam Filtering

Barracuda NG Firewall provides spam filtering by making the mail filter SpamAssassin available. SpamAssassin identifies spam by using mechanisms such as text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

Note:
The complete SpamAssassin documentation is available at www.spamassassin.org.

Spam filter settings are defined in two configuration areas:

z Spam Filter Client - see 4.2.1 Configuring the Spam Filter Client, page 274
z Spam Filter Service - see 4.2.2 Configuring the Spam Filter Server, page 275

Optionally, a training environment may be introduced to improve the filtering result (4.2.3 Configuring the Training, page 277).

Follow the instructions in Configuration Service 4. Introducing a New Service, page 97 to set up the SPAM Filter service, and select SPAM Filter as Software Module.

SpamAssassin applies a variety of tests to determine the probability that an e-mail is spam: it examines the e-mail's header and body locally, runs through the configured rule set (list 623, page 277) and a Bayesian filter. Each rule that matches adds its value to the overall spam score of the e-mail. If the complete score reaches a certain threshold (default: 5), the e-mail is regarded as spam.

Note:
As a rule of thumb, the higher an e-mail's score, the higher the probability that it is spam. For detailed information on the filtering mechanisms, please refer to http://spamassassin.apache.org/tests_3_1_x.html.

The SPAM Filter adds a tag to the mail header according to the e-mail's classification as SPAM or HAM (not SPAM):

z for SPAM mail: X-SPAM-STATUS: Yes and X-SPAM-FLAG: YES
z for HAM mail: X-SPAM-STATUS: No

Additionally, it adds the results of the triggered tests to the e-mail's body.
Figure (flowchart): mail flow with spam analysis. Stations: Mail Client, Mail gateway, Mail Server, Training Environment. Decisions: Spam analysis enabled? Internal mail? Analyse internal mails? Timeout exceeded? Maximum Size exceeded? Step 5: Spam filter server update.

As spam filtering is based purely on statistics, e-mails may be tagged wrongly. To minimise the risk of such incidents, training the SPAM Filter is highly recommended.

Training means sorting out misclassified e-mails, re-sorting them into SPAM, HAM and FORGET mailboxes (list 626, page 277), and providing them to SpamAssassin to improve its filter mechanisms.

SpamAssassin periodically fetches e-mails from the training environment and thus adapts its tests to improve future e-mail classification.
Enable the SPAM Filter by setting Enable Spam Analysis to yes, and click the Set button to open the Advanced Spam Options configuration window:

Fig. 68 Spam Analysis configuration

List 619 MailGW Settings - Spam Analysis

Domain Action
This field only has to be configured if domain checking (see above) has been enabled. A domain check failure results in one of the following actions:
logging - the e-mail is delivered and a corresponding log entry is created
deny - the e-mail is not delivered and a corresponding log entry is created

Domain Whitelist
This field takes a list of trusted domains that are to be excluded from spam filtering. The list is consulted before the SPAM Filter is applied. Top-level and sub-domains may be defined (like barracuda.com and *.barracuda.com). A domain entered here is trusted on the strength of the address alone, which SMTP does not authenticate, so keep the list short.
Step 2 Configuring the service

List 621 Spamfilter Config section WHITE/BLACK LISTS

List 623 Spamfilter Config section RULES

Rules
This section allows manual overriding of specific tests. To disable a given test, set its score to 0. Adapting the test scores to your needs is a vital measure especially when a test is known to deliver "wrong" results.
Note:
For a complete list of available rules, see http://spamassassin.apache.org/tests_3_1_x.html.

List 624 Spamfilter Config section TRAINING OPTIONS

see list 626, page 277

4.2.2.2 Advanced Network Settings View

List 625 Spamfilter Config - Advanced Network Settings

Listening Port
The port the service is listening on.

IPs Allowed To Connect (ACL)
Determines the SPAM Filter clients that are allowed to connect to the SPAM Filter service. The default IP 127.0.0.1 is the internal loopback interface of the Barracuda NG Firewall. This interface has to be used when mail gateway and SPAM Filter reside on the same system.

Ticking the checkbox Enable Training activates the training options.

List 626 Spamfilter Config section TRAINING OPTIONS

Enable Training
Ticking the checkbox activates SPAM Filter training.

Mailserver (IMAP)
The IP address/name of the external mail server.
Note:
The mail server has to be capable of IMAP.

Account
The user name/account name.

Password
The mail account's password.
Note:
Use English characters and digits only and avoid blanks in the password. The password must be entered twice (field Confirm).

Mailbox SPAM
SPAM mail that was delivered without being tagged as SPAM has to be put into this mailbox.

Mailbox HAM
HAM mail that was wrongly tagged as SPAM has to be put into this mailbox.

Mailbox FORGET
Mail that should be classified as neither SPAM nor HAM has to be put into this mailbox.
Note:
For the correct path of the three mailboxes please consult your mail server administrator. Depending on the directory structure it might be necessary to enter a namespace (for example ~/mail/SPAM). By default, if the folder names are simply specified as SPAM, HAM and FORGET, the user's home directory (/home/<username>) is queried.

Keep Mails In Mailbox
Select this checkbox if for some reason (especially when using multiple SPAM Filter servers) it is necessary to keep the e-mails in the mailbox, in order to provide something to learn for the other servers.
Note:
The mailbox's content, however, is trained only once. When you add new e-mails to a bundle of e-mails in a mailbox that have already been processed, only the added e-mails are trained.

Time (h) / Time (min)
Defines the time of day for SPAM Filter training. For example, entering Time (h) 4 means 4 am, whereas 16 indicates 4 pm. At the set time the SPAM Filter collects mail from the SPAM, HAM and FORGET mailboxes and processes the retrieved e-mails for training.
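The following added Python example (my code; neither the guide's nor SpamAssassin's implementation) shows the scoring described in 4. Spam Filtering and the score override of List 623 on two constructed messages: each matching rule adds its score, a message whose total reaches the threshold (5 by default) is tagged with X-SPAM-STATUS: Yes and X-SPAM-FLAG: YES, any other with X-SPAM-STATUS: No, and the triggered tests are appended to the body. The rule names are in the style of SpamAssassin's tests, but the patterns and scores are invented for the example; setting a rule's score to 0 in the overrides disables it, as List 623 describes.

```python
import re

# Illustrative rule set: name -> (score, part of the mail tested, pattern, ignore case).
# Names follow SpamAssassin's style; the patterns and scores are made up here.
RULES = {
    "DEAR_FRIEND":   (2.4, "body",   r"\bdear friend\b",               True),
    "FREE_MONEY":    (2.0, "body",   r"\bfree money\b",                True),
    "ACT_NOW":       (1.2, "body",   r"\bact now\b",                   True),
    "MANY_EXCLAIM":  (0.8, "body",   r"!{3,}",                         False),
    "SUBJ_ALL_CAPS": (1.5, "header", r"^Subject: [A-Z0-9 !$%]{10,}$",  False),
}

DEFAULT_THRESHOLD = 5.0   # the guide's default spam threshold


def score_message(raw, rules=RULES, overrides=None, threshold=DEFAULT_THRESHOLD):
    """Return (total score, names of triggered tests, is_spam).

    overrides maps rule name -> score and models the Rules section of List 623:
    a score of 0 disables the test entirely."""
    overrides = overrides or {}
    header, _, body = raw.partition("\n\n")
    total, hits = 0.0, []
    for name, (score, where, pattern, ignore_case) in rules.items():
        score = overrides.get(name, score)
        if score == 0:
            continue
        flags = re.MULTILINE | (re.IGNORECASE if ignore_case else 0)
        if re.search(pattern, header if where == "header" else body, flags):
            hits.append(name)
            total += score
    return total, hits, total >= threshold


def tag_message(raw, rules=RULES, overrides=None, threshold=DEFAULT_THRESHOLD):
    """Add the X-SPAM-STATUS / X-SPAM-FLAG headers and append the test report to the body."""
    total, hits, is_spam = score_message(raw, rules, overrides, threshold)
    header, sep, body = raw.partition("\n\n")
    header += f"\nX-SPAM-STATUS: {'Yes' if is_spam else 'No'}, score={total:.1f} required={threshold:.1f}"
    if is_spam:
        header += "\nX-SPAM-FLAG: YES"
    report = "\n\n--- spam analysis: score {:.1f} ({}) ---\n".format(
        total, ", ".join(hits) or "no tests triggered")
    return header + sep + body + report


# Constructed messages for the walk-through (not real mail).
SPAM_MAIL = """From: promo@example.net
To: bob@example.org
Subject: FREE MONEY FOR YOU!!!

Dear friend,
Act now to claim your free money!!!
"""

HAM_MAIL = """From: alice@example.com
To: bob@example.org
Subject: Lunch on Friday?

Hi Bob, are you free for lunch on Friday? Alice
"""

if __name__ == "__main__":
    print(tag_message(SPAM_MAIL))
    print(tag_message(HAM_MAIL))
    # Disabling two tests (List 623) drops the same mail below the threshold.
    print(tag_message(SPAM_MAIL, overrides={"DEAR_FRIEND": 0, "FREE_MONEY": 0}))
```

The override run illustrates the warning in List 623: zeroing tests that misfire on your legitimate mail also lowers the score of real spam, so check what the remaining tests still catch before disabling a rule.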
4.2.3 Configuring the Training

Because spam filtering is based purely on the statistical classification of e-mails according to specific attributes, SpamAssassin will most probably fail to detect all SPAM, and will occasionally tag non-SPAM e-mails as SPAM. This is normal. The filter has to be trained to improve its filtering mechanisms.

Training is done by sorting out misclassified e-mails and providing them to SpamAssassin in SPAM, HAM and FORGET mailboxes for collection.

4.2.3.1 Setting up the Training Environment

Note:
The SPAM Filter training environment has to be configured on the mail server, not on the Barracuda NG Firewall.

SpamAssassin modifies several ratings of its filter mechanisms in order to improve the chance of recognising spam e-mails.

SpamAssassin is based on statistical evaluations that are designed to react very stably to outliers. To guarantee such behaviour, SpamAssassin adapts its filter mechanisms in small steps. Therefore, each learned spam e-mail increases the chance of recognising this e-mail as SPAM, but does not guarantee that the e-mail is considered SPAM when it is re-sent.

The configuration takes place in the Spamfilter Settings within the introduced SPAM Filter service.

Attention:
Create a separate mail account for testing. If you use a real mail account, it will be classified as a spamming one.

Note:
Spam filter training can only be configured with a mail server capable of IMAP.

The training environment consists of an IMAP mail server and e-mail clients that can directly access the mail server's folder structure (like Microsoft Outlook, Mozilla, Evolution, ...). All that has to be done is to create three mailboxes on the mail server (one each for HAM, SPAM and FORGET e-mails), either for all mail server users together (if their judgement is reliable) or for each mail user separately.

Attention:
Connectivity between IMAP server and Barracuda NG Firewall is strictly required. To test connectivity, enter the following commands at the command line interface:

telnet IMAPServer imap2          (tests the connection itself)
A001 CAPABILITY
A002 LOGIN username pwd          (verifies the user and password)

Note:
The LOGIN command sends the password in clear text over the telnet session. Use the dedicated training account for this test and never a real user's credentials.
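The telnet sequence above can be scripted. Here is an added Python example (mine, not from the guide) that performs the same checks with the standard library's imaplib: confirm that the server announces IMAP4rev1, verify the account credentials, and verify that the SPAM, HAM and FORGET mailboxes used by the training options (List 626) can be selected. A small stub server object, constructed for the example, lets it run without a network; the mailbox names and the trainer/pw credentials are placeholders.

```python
import imaplib

# Adjust when the server needs a namespace, e.g. "~/mail/SPAM" (List 626 note).
TRAINING_MAILBOXES = ("SPAM", "HAM", "FORGET")


def check_training_account(conn, user, password, mailboxes=TRAINING_MAILBOXES):
    """conn is an imaplib.IMAP4-compatible, already connected object.

    Returns (server_supports_imap4rev1, list of mailboxes that could not be selected).
    Raises imaplib.IMAP4.error when the LOGIN is rejected (wrong account or password)."""
    _, caps = conn.capability()                    # "A001 CAPABILITY"
    supports = b"IMAP4REV1" in b" ".join(caps).upper()
    conn.login(user, password)                     # "A002 LOGIN username pwd"
    missing = []
    for name in mailboxes:
        typ, _ = conn.select(name, readonly=True)  # read-only: never flags or expunges training mail
        if typ != "OK":
            missing.append(name)
    conn.logout()
    return supports, missing


def check_live(host, user, password, port=143):
    """Run the check against a real server. Port 143 is the imap2 service of the
    telnet test; LOGIN on it sends the password in clear text, so prefer
    imaplib.IMAP4_SSL(host, 993) where the server offers it."""
    return check_training_account(imaplib.IMAP4(host, port), user, password)


class StubIMAP:
    """Minimal stand-in for imaplib.IMAP4 so the example runs offline (constructed)."""

    def __init__(self, existing_mailboxes, user="trainer", password="pw"):
        self.existing = set(existing_mailboxes)
        self.credentials = (user, password)

    def capability(self):
        return "OK", [b"IMAP4rev1 AUTH=PLAIN"]

    def login(self, user, password):
        if (user, password) != self.credentials:
            raise imaplib.IMAP4.error("LOGIN failed")
        return "OK", [b"LOGIN completed"]

    def select(self, mailbox, readonly=False):
        if mailbox in self.existing:
            return "OK", [b"0"]
        return "NO", [b"no such mailbox"]

    def logout(self):
        return "BYE", [b"logging out"]


def demo():
    """Server on which only SPAM and HAM were created: FORGET is reported as missing."""
    return check_training_account(StubIMAP(["SPAM", "HAM"]), "trainer", "pw")


def demo_bad_password():
    """Wrong password: the login step fails before any mailbox is checked."""
    try:
        check_training_account(StubIMAP(TRAINING_MAILBOXES), "trainer", "wrong")
    except imaplib.IMAP4.error:
        return "login rejected"
    return "login accepted"


if __name__ == "__main__":
    print(demo(), demo_bad_password())
```

Selecting the folders read-only matters for the real run: a SELECT that is not read-only can set the \Seen flag on the training mail and, with some servers, expunge messages the SPAM Filter has not collected yet.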
z All users have access to the "training area" on the mail server and file their mis-tagged mails into the corresponding directories.
Note:
To maintain privacy on this "public" folder structure, you may configure user access rights so that each user only sees his own e-mails.
z Each user has his own HAM-SPAM-FORGET folder structure and sorts the mis-tagged mails accordingly. E-mails for the training area update are collected from these folders with a script (figure 611, page 278).

Training environment suitable for UNRELIABLE users:
All users share a HAM-SPAM-FORGET folder structure, which is detached from the training environment, and sort their mis-tagged mails accordingly. The mail server administrator has to check the folder contents for correct classification before moving the e-mails to the training environment.

This approach means additional work for the administrator, but it guarantees a "clean" training environment, because poisoning of the database with incorrect entries is avoided.

#!/bin/sh
# Collect the mis-tagged mails of the HAM-SPAM-FORGET folders into one file each.
# SPAM and HAM must expand to the message files to collect; the defaults below
# follow the ~/mail namespace example of list 626 (an assumption), adapt them.
SPAM=${SPAM:-"$HOME/mail/SPAM/*"}
HAM=${HAM:-"$HOME/mail/HAM/*"}
# /tmp/ is world-readable; in production use a directory only the training account can read.
TARGETDIR=/tmp/
mkdir -p "$TARGETDIR"
for a in $SPAM; do
cat "$a" >> "$TARGETDIR/SPAM"
done
for a in $HAM; do
cat "$a" >> "$TARGETDIR/HAM"
done

because the service does not need to be stopped and restarted for archiving - the database takes care of the updating/restoring procedure.

Note:
Because of the highly dynamic behaviour of SpamAssassin it is not recommended to restore the archived database, for example for crash recovery.

4.2.4.2 Updating the Database on the HA Partner

For updating purposes copy the contents of the folder /var/phion/preserve/spamd/<server_servicename>/root from the primary box to the HA box.
5.1 MailGW Operation via GUI

To administer operative processes on the mail gateway, log on to the box hosting the mail gateway service. For CC-administered boxes as well, log on to the box itself and not to the Barracuda NG Control Center. Access the administration GUI by clicking MailGW in the box menu.

Note:
The following mail gateway operation windows are only available after a minimum of values has been specified in the MailGW Settings configuration (Minimum configuration, page 272).

The following tabs are available for operational purposes:

z Mail Queue Tab, see 5.3 Mail Queue Tab
z Access Tab, see 5.4 Access Tab
z Spam Tab, see 5.5 Spam Tab
z Processes Tab, see 5.6 Processes Tab
z Attachments Tab, see 5.7 Attachments Tab
z Grey Listing Tab, see 5.8 Grey Listing Tab

using the standard context menu (see 4.2 Standard Context Menu, page 420) or by dragging and dropping the respective column to another place.

z Ordering data sets
Data sets may be arranged in ascending or descending order by clicking the column label in the respective title bar. The information may not only be sorted alphabetically, but also with regard to a specific status.

5.2.3 Context Menu Entries

z Right-clicking into any configuration area without a selected item makes the standard context menu available through the menu item Tools (see 4.2 Standard Context Menu, page 420).
z A menu item Show in Sections is included in most operational tabs. It allows switching between two views: the classical view, a continuous list, or a list combining groups of elements. In the section view, each section is topped by a section header.

Note:
The columns of the spam list/spam tab can be interpreted in the same way as the ones used in the Mail Queue Tab (page 279) and Access Tab (page 281).

z Peer column
Shows the peer IP and port handled by an SMTP or qspool worker.
z Spool ID column
Shows the spool ID of the mail being processed by a Mail Transfer Agent (MTA).
z To
Shows the recipient address(es).
z Subject
Shows the mail object's subject.
z Receive Time
Shows the time the message arrived at the mail gateway.

5.9 Logs, Statistics, Events

5.9.1 Logs

Note:
For general information on the Logs feature of Barracuda NG Admin see Log Viewer, page 305.

Select Logs on the Barracuda NG Admin toolbar and select the server your mail gateway service is installed on. Then double-click the mail gateway service name. Now you can access the logs of the mail gateway service.

z Maildata
These statistics visualise only bulk mail data without the SMTP protocol overhead. There are three subtypes:
Inbound - successful inbound MTA delivery of a pair (sender, recipient)
Outbound - successful outbound MTA delivery of a pair (sender, recipient)
Fail - failed MTA delivery
z Traffic
These statistics visualise total mail traffic including the SMTP protocol overhead. There are several subtypes:
Receive-In - inbound SMTP receive traffic (SMTP worker processes)
Receive-Out - outbound SMTP receive traffic (SMTP worker processes)
Send-In - inbound MTA traffic
Send-Out - outbound MTA traffic
byte (Time) and conn (Time) reflect total mail traffic without separation by peer/sender/server.

Maildata > Outbound > Conn (Top Src) > select instances from top list

outlined in Section Event Settings (page 272). Triggered events are shown in the Events window.

5.9.3 Events

Note:
For general information on the events feature of Barracuda NG Admin see Eventing, page 321.
DHCP
1. DHCP Enterprise
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
1.2 Working Principles & Process Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
1.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.1 Operational Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.2 Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
1.3.3 Known Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
1.3.4 DHCP Option Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
1.3.5 Parameter Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
1.3.6 Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.7 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.8 GUI as Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.3.9 Text Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
1.4 Realtime Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
1.5 Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
2. "Regular" DHCP
2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2.1 DHCP Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
2.2.2 Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.3 IP-Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.4 Special Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.2.5 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
2.3 Real Time Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
1. DHCP Enterprise
Note:
The selection depends on the client configuration, but
usually the lease received first is selected.
Now the client sends a request for the lease to the DHCP
server that offered it.
Step 4 Acknowledgement
When the lease is still available the DHCP server sends an
ACK to the client and the client activates the settings of
the lease.
1.3 Configuration

Configuring DHCP Enterprise on a Barracuda NG Firewall starts with introducing a corresponding DHCP service. Therefore select Config from the box menu and introduce the service by selecting Create Service from the context menu of Assigned Services.

Note:
Please see Configuration Service 4. Introducing a New Service, page 97, for detailed information concerning the procedure and available options.

After the service has been created, the following two configuration entries are available in the config tree:

z Dhcp Enterprise Configuration - see below
z Service Properties - settings made during the introduction of the service

Enter the configuration dialog via Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (dhcpe) > DHCP Enterprise Configuration.

List 71 DHCP Enterprise Configuration - Operational Setup section Service Availability

Server Is Authoritative
When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP protocol requires that the server determines whether the IP address is valid for the network to which the client is attached. If the address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP address.
To make this determination for IP addresses on a particular network segment, the DHCP server must have complete configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured with complete information. Therefore, the DHCP server normally assumes that it does not have complete information, and thus is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.
Note:
On a segment where this server is the only DHCP server, leaving it non-authoritative means that clients holding a stale lease, or one handed out by a rogue server, keep using it, because no DHCPNAK is ever sent.

List 72 DHCP Enterprise Configuration - Operational Setup section HA Synchronisation Setup

HA Synchronisation
Setting this parameter to yes causes the periodic synchronisation of the DHCP database between the HA pair (default: no).

Time Interval [s]
Defines the period between synchronisation tasks (default: 300).
List 74 DHCP Enterprise - Address Pool Configuration section Subnets

Subnet Type
Defines the type of subnet. The following options are available:
local (default) - activates parameter Used Subnet for selecting the required subnet
relayed / explicit - activates parameters Network Address and Netmask for entering the required network

Used Subnet
Here the required subnet has to be selected.

Network Address
Here the network address has to be entered.

Netmask
Here the network mask has to be entered.

Server IP
This parameter can be used to define the server identifier sent for a given scope. The value specified must be an IP address of the DHCP server and must be reachable by all clients served by that scope.
The usual case where the Server IP needs to be sent is when a physical interface has more than one IP address and the one sent by default is not appropriate for some or all clients served by that interface. Another common case is when an alias is defined for the purpose of having a consistent IP address for the DHCP server, and the clients are to use this IP address when contacting the server.

Server Is Authoritative
Note:
This parameter is only available in Advanced View mode.
When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP protocol requires that the server determines whether the IP address is valid for the network to which the client is attached. If the address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP address.
To make this determination for IP addresses on a particular network segment, the DHCP server must have complete configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured with complete information. Therefore, the DHCP server normally assumes that it does not have complete information, and thus is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.

Perform DDNS Updates
Note:
This parameter is only available in Advanced View mode.
This parameter offers the following options:
true - activates DNS parameter updates for subnets (parameter DNS Zone is activated)
false - deactivates DNS parameter updates for subnets
not-set (default) - enforces the global DNS parameter to be used for subnets

DNS Zone
Note:
This parameter is only available in Advanced View mode.
If parameter Perform DDNS Updates is set to true, the DNS zones to be updated (configured within Dynamic DNS, see 1.3.7 Dynamic DNS, page 294) are defined here.

Subnet Parameters
Here the parameters for these subnets can be chosen. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).

Subnet DHCP Options
Here the options for these subnets can be chosen. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).

Address Pools
see list 76

List 75 DHCP Enterprise - Address Pool Configuration section Multi Subnet Configuration

Note:
This parameter set is only available in Advanced View mode.

Shared Network Device
Set this to yes if the determination of subnets should be used. This way it is possible to have multiple subnets on one device.

Shared Parameters
Here the parameters for the shared network device can be chosen. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).

Shared DHCP Options
Here the options for the shared network device can be chosen. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).

Further Subnets
see list 77

List 76 DHCP Enterprise Configuration - SUBNETS tab section Address Pools

Pool description
Description of the pool.

Range DHCP Options
Defines the DHCP options available for the range.

IP Begin
Start IP of the range.

IP End
End IP of the range.

All Clients Policy [default: none]
Defines the policy that is to be used:
none - no global policy is used; the policy defined in parameters Known Clients, Unknown Clients, Allowed Classes and Denied Classes applies
allow - all pool-matching policies are set to allow (valid for all clients, known and unknown)
deny - all pool-matching policies are set to deny (valid for all clients, known and unknown)

Barracuda NG Network Access Clients Policy [none]
Defines the policy that is to be used; enforces usage of the policy defined in parameters Known Clients and Unknown Clients (see below):
none - no Barracuda NG Network Access Clients policy is used
Barracuda NG Network Access Clients - the NAP clients receive an IP address from the pool
guests - NAP clients are excluded from this pool

Allowed Classes
Defines the classes that are allowed to get leases from this pool; see 1.3.6 Classes, page 294.

Denied Classes
Defines the classes that are NOT allowed to get leases from this pool; see 1.3.6 Classes, page 294.

Known Clients [allow]
allow - known clients may obtain a lease from this pool
deny - known clients may NOT obtain a lease from this pool
not-set - deactivates the parameter

Unknown Clients [deny]
allow - unknown clients may obtain a lease from this pool
deny - unknown clients may NOT obtain a lease from this pool
not-set - deactivates the parameter

BOOTP Clients Policy [deny_dynamic]
Use the dynamic-bootp flag to tell the DHCP server whether to dynamically assign addresses to BOOTP clients:
allow_dynamic - dynamic BOOTP for IP addresses allowed
deny_dynamic - dynamic BOOTP for IP addresses denied
not-set - deactivates the parameter

List 77 DHCP Enterprise - Address Pool Configuration section Further Subnets

This parameter set is only available if parameter Shared Network Device (see above) is set to yes; it allows the determination of subnets using this interface. This way it is possible to have multiple subnets on ONE interface.

Subnet Description
Description of the subnet.

Subnet Type [default: local]
Defines the type of subnet. The following options are available:
local (default) - activates parameter Used Subnet for selecting the required subnet
relayed / explicit - activates parameters Network Address and Netmask for entering the required network

Used Subnet
Here the required subnet has to be selected.

Network Address
Here the network address has to be entered.

Netmask [8-bit]
Here the network mask has to be entered.
List 77 DHCP Enterprise - Address Pool Configuration section Further Subnets (continued)

Server IP
    This parameter can be used to define the server identifier value that is sent for a given scope. The value specified must be an IP address of the DHCP server, and must be reachable by all clients served by that scope.
    The usual case where the Server IP needs to be sent is when a physical interface has more than one IP address, and the one being sent by default isn't appropriate for some or all clients served by that interface. Another common case is when an alias is defined for the purpose of having a consistent IP address for the DHCP server, and it is desired that the clients use this IP address when contacting the server.

Server Is Authoritative [yes]
    When the DHCP server receives a DHCPREQUEST message from a DHCP client requesting a specific IP address, the DHCP protocol requires that the server determines whether the IP address is valid for the network to which the client is attached. If the address is not valid, the DHCP server should respond with a DHCPNAK message, forcing the client to acquire a new IP address.
    To make this determination for IP addresses on a particular network segment, the DHCP server must have complete configuration information for that network segment. Unfortunately, it is not safe to assume that DHCP servers are configured with complete information. Therefore, the DHCP server normally assumes that it does not have complete information, and thus is not sufficiently authoritative to safely send DHCPNAK messages as required by the protocol.
    With the default yes, this server sends DHCPNAK to clients that request an address which is not valid for its subnets. Set it to no only on segments where another DHCP server is the authority; otherwise clients of that server may be forced to drop their addresses.

Perform DDNS Updates [not-set]
    This parameter offers the following options:
    true - activates DNS parameter updates for the subnets (parameter DNS Zone is activated)
    false - deactivates DNS parameter updates for the subnets
    not-set (default) - the global DNS parameters are used for the subnets

Subnet Parameters
    The parameters for these subnets are chosen here. The available parameters are configured within Parameter Templates (see 1.3.5 Parameter Templates, page 293).

Subnet DHCP Options
    The options for these subnets are chosen here. The available options are configured within DHCP Option Templates (see 1.3.4 DHCP Option Templates, page 292).

1.3.3 Known Clients

Fig. 74 DHCP Enterprise Configuration - Known Clients

List 78 DHCP Enterprise Configuration - Known Clients section Group Based Assignment

Group Description
    May hold a further description concerning the group.

Group DHCP Options
    Defines the DHCP options that are available for this group.

Group Parameters
    Defines the DHCP parameters that are available for this group.

Automatic Hostname Assignment
    If this parameter is set to true (default: false), then for every host declaration of this group of known clients the name provided in the host declaration will be supplied to the client as its hostname.

Known Clients
    see list 79

Section Client Group Members

List 79 DHCP Enterprise - Known Clients - Client Group Member section Client Description

Client Description
    Description of the client.

List 710 DHCP Enterprise - Known Clients - Client Group Member section Client Match & Address Assignment

DHCP Client Identifier
    Host declarations are matched to actual DHCP or BOOTP clients by matching the dhcp-client-identifier option specified in the host declaration to the one supplied by the client, or, if the host declaration or the client does not provide a DHCP Client Identifier option, by matching the hardware parameter in the host declaration to the network hardware address supplied by the client. BOOTP clients do not normally provide a dhcp-client-identifier, so the hardware address must be used for all clients that may boot using the BOOTP protocol.
    Be aware that only the DHCP Client Identifier option and the hardware address can be used to match a host declaration. For example, it is not possible to match a host declaration to a host-name option. This is because the host-name option cannot be guaranteed to be unique for any given client, whereas both the hardware address and the DHCP Client Identifier option are at least theoretically guaranteed to be unique to a given client.

MAC Address [ff:ff:ff:ff:ff:ff]
    Defines the MAC address of the client, required for identification.

MAC Type [ethernet]
    Defines the type of network card requesting a lease (either ethernet or tokenring).

Fixed IP Address
    Defines, if required, a static IP address that is sent to the client.

List 711 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments

Note: This parameter set is only available in Advanced View mode.

Client DHCP Options
    Defines the DHCP options available for the client.

Client Parameters
    Defines the DHCP parameters available for the client.

Allowed Broadcast Reply [not-set]
    The DHCP and BOOTP protocols both require DHCP and BOOTP clients to set the broadcast bit in the flags field of the BOOTP message header. Unfortunately, some DHCP and BOOTP clients do not do this, and therefore may not receive responses from the DHCP server. The DHCP server can be configured to always broadcast its responses to clients by setting this flag to yes for the relevant scope; relevant scopes would be inside a conditional statement, as a parameter for a class, or as a parameter for a host declaration. In order to avoid creating excessive broadcast traffic on your network, Barracuda Networks recommends restricting the use of this option to as few clients as possible.

Duplicates Policy [allow]
    Choose between the settings allow and deny.
    Host declarations can match client messages based on the DHCP Client Identifier option or based on the client's network hardware type and MAC address. If the MAC address is used, the host declaration will match any client with that MAC address, even clients with different client identifiers. This doesn't normally happen, but is possible when one computer has more than one operating system installed on it, for example Microsoft Windows and NetBSD or Linux.
    Setting this parameter to deny tells the DHCP server that if a request is received from a client matching the MAC address of a host declaration, any other lease matching that MAC address should be discarded by the server, even if the UID is not the same. This is a violation of the DHCP protocol, but can prevent clients whose client identifiers change regularly from holding many leases at the same time.

Client Hostname
    If a name is entered, it overrides the use of the name of the host declaration as the client's hostname.
List 711 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments (continued)

DDNS Hostname [not-set]
    Defines the hostname that will be used in setting up the client's A and PTR records; if no DDNS hostname is specified, the server will derive the hostname automatically, using an algorithm that varies for each of the different update methods.

1.3.4 DHCP Option Templates

List 712 DHCP Enterprise - DHCP Option Templates section Template Description

Description
    May hold a describing text.

List 713 DHCP Enterprise - DHCP Option Templates section Basic Options

Subnetmask [1]
    The required subnet mask has to be selected here (default: not-set).

Router [3]
    The address(es) of the default gateway(s) are to be entered here.

DNS Servers [6]
    The IP address(es) of the DNS servers are to be entered here.

Domain Name [15]
    The domain name is to be entered here.

List 714 DHCP Enterprise - DHCP Option Templates section Barracuda NG Network Access Clients Access Control Service Options

Access Control Service IPs/Names
    In order for a client to receive valid policy server information, either a vendor ID OR a policy server IP or a DNS-resolvable policy server name is to be entered here.
    This field only has effect if the Barracuda NG Network Access Clients Policy of an Address Pool has been set to Barracuda NG Network Access Clients or guests.
    Note: If the Barracuda NG Network Access Clients Policy field is set to none, the Access Control Service IPs/Names will be ignored.
    Note: Setting both options is not valid. The client would not receive any policy server information. Exactly one of the two options must be set.

List 715 DHCP Enterprise - DHCP Option Templates section Extended Options

Vendor [43]
    This parameter is used to exchange vendor-specific information. The definition of this information is vendor-specific. It is possible to either enter only one vendor ID or a semicolon-separated list of two or more vendor IDs.

Broadcast Address [28]
    The broadcast address can be entered here.

NIS Domain Name [40]
    Enter the domain of the Network Information System in this field.

NIS Server [41]
    The IP address(es) of the NIS server(s) are entered here.

NTP Server [42]
    To enable synchronized times, the IP address(es) of the NTP server(s) are entered here.

WINS Server [44]
    When using a WINS server, the IP address(es) of the server(s) are entered here.

NBDD Server [45]
    When using an NBDD server, the IP address(es) of the server(s) are entered here.

Netbios Node Type [46]
    Note: When using a Linux client, this parameter is obsolete and has to be left empty.
    This entry allows NetBIOS to configure TCP/IP clients. The following values are available (with their indication):
    b-node - broadcast; clients use broadcast for name registration/resolution
    p-node - point; the client registers itself at the NetBIOS server (point-to-point)
    m-node - multi; the client first uses b-node and, if that fails, p-node
    h-node - hybrid; like m-node, but uses p-node first and then b-node (as a last resort)
    Note: b- and m-nodes should not be used in large networks because the broadcasts use a lot of bandwidth.

Netbios Scope Id [47]
    Note: When using a Linux client, this parameter is obsolete and must be left empty.
    When using NetBIOS Scope IDs (for example, for isolating NetBIOS traffic or for giving the same name to different computers), the ID is to be entered here.
    Note: The NetBIOS Scope ID is case-sensitive.

LPR Server [9]
    When using this printing protocol for Unix systems, the IP address of the printer has to be entered here.

Log Server [7]
    In case of a stand-alone log server, the IP address of the server has to be entered here.

Time Server [4]
    In case of a time server according to RFC 868, the IP address of this server has to be entered here.

Time Offset [2]
    This field defines the client's time offset (in seconds) from UTC.

IEN Name Server [5]
    In case of an IEN name server, the IP address of this server has to be entered here.

Cookie Server [8]
    When using a stand-alone cookie server, the IP address of this server has to be entered here.

Swap Server [16]
    When using a separate swap server, the IP address of this server has to be entered here.

Local Subnets [27]
    In case of local subnets, they are selected in this field (default: not-set).

Impress Server [10]
    This field defines the IP address of an optional Impress server.

Resource Location Server [11]
    This option specifies a list of RFC 887 Resource Location servers available to the client. Servers should be listed in order of preference.

Perform Mask Discovery [29]
    Note: When using a Linux client, this parameter is not supported.
    This field defines whether a subnet mask discovery is carried out or not. The following settings are available:
    true - the client uses ICMP for subnet mask discovery
    false - no subnet mask discovery is to be performed
    not-set (default) - deactivates the parameter

Perform Router Discovery [31]
    Note: When using a Linux client, this parameter is not supported.
    This field defines whether a router discovery is carried out or not. The following settings are available:
    true - the client performs ICMP router discovery (according to RFC 1256)
    false - no router discovery is to be performed
    not-set (default) - deactivates the parameter

Static Route Net [33]
    Specify a list of static routes that the client should install in its routing cache. If there are multiple routes to the same destination, you should list them in descending order of priority.
    The routes are made up of IP address pairs. The first address is the destination address; the second address is the router for the destination.
    The default route (0.0.0.0) is an illegal destination for a static route. Use the Router [3] parameter to specify the default route.
    The following options are available:
    Static Route Net [33]
    Static Route GW [33]

TFTP Server Name [66]
    Used to identify a TFTP server when the "sname" field in the DHCP header has been used for DHCP options.
List 715 DHCP Enterprise - DHCP Option Templates section Extended Options (continued)

TFTP Server IP Address [150]
    TFTP server IP addresses for Cisco CallManager devices. It is possible to enter a comma-separated list of IP addresses.

Boot File Name [67]
    Used to identify a boot file when the "file" field in the DHCP header has been used for DHCP options.

1.3.5 Parameter Templates

List 716 DHCP Enterprise - Parameter Templates section Template Description

Description
    Holds describing text.

List 717 DHCP Enterprise - Parameter Templates section Lease Constraints

Max Lease Time [s]
    Maximum length in seconds that will be assigned to a lease. The only exception to this is that dynamic BOOTP lease lengths, which are not specified by the client, are not limited by this maximum.

Def Lease Time [s]
    Default length in seconds that will be assigned to a lease.

Min Lease Time [s]
    Minimum length in seconds that will be assigned to a lease.

Reply Delay [s]
    Minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request. The number of seconds is based on what the client reports, and the maximum value that the client can report is 255 seconds. Generally, setting this to one will result in the DHCP server not responding to the client's first request but always responding to its second request.
    This parameter can be used to set up a secondary DHCP server which never offers an address to a client until the primary server has been given a chance to do so. If the primary server is down, the client will bind to the secondary server, but otherwise clients should always bind to the primary.
    Note: This does not, by itself, permit a primary server and a secondary server to share a pool of dynamically-allocatable addresses.

List 718 DHCP Enterprise - Parameter Templates section Dynamic DNS Parameters

Do Fwd Updates
    Instructs the DHCP server whether it should attempt to update a DHCP client's A record if the client acquires or renews a lease. This statement has no effect unless DNS updates are enabled and the DNS Update Scheme is set to interim. If this statement is used to disable forward updates, the DHCP server will never attempt to update the client's A record, and will only ever attempt to update the client's PTR record if the client supplies an FQDN (Fully Qualified Domain Name) that should be placed in the PTR record using the fqdn option. If forward updates are enabled, the DHCP server will still honour the setting of the client-updates flag (default: not-set).

Optimized Updates
    If this parameter is false for a given client, the server will attempt a DNS update for that client each time the client renews its lease, rather than only attempting an update when it appears to be necessary. This will allow the DNS to heal from database inconsistencies more easily, but the cost is that the DHCP server must do many more DNS updates. If this parameter is true, the DHCP server will only update when the client information changes, the client gets a different lease, or the client's lease expires (default: false).

Update Static Leases
    If set to true, causes the DHCP server to do DNS updates for clients even if those clients are being assigned their IP address using a fixed-address statement, that is, the client is being given a static assignment. This can only work with the interim DNS update scheme. It is not recommended because the DHCP server has no way to tell that the update has been done, and therefore will not delete the record when it is not in use. Also, the server must attempt the update each time the client renews its lease, which could have a significant performance impact in environments that place heavy demands on the DHCP server (default: false).

DDNS Domainname
    Defines the domain name that will be appended to the client's hostname to form a FQDN (Fully Qualified Domain Name).

Rev DDNS Domainname
    Defines the domain name that will be appended to the client's reversed IP address to produce a name for use in the client's PTR record. By default, this is "in-addr.arpa.", but the default can be overridden here.
    The reversed IP address to which this domain name is appended is always the IP address of the client, in dotted quad notation, reversed. For example, if the IP address assigned to the client is 10.17.92.74, then the reversed IP address is 74.92.17.10. So a client with that IP address would, by default, be given a PTR record of 74.92.17.10.in-addr.arpa.

Dynamic BOOTP Lease Time [s]
    Used for setting the length of leases dynamically assigned to BOOTP clients. At some sites, it may be possible to assume that a lease is no longer in use if its holder has not used BOOTP or DHCP to get its address within a certain time period. The period is specified as a number of seconds. If a client reboots using BOOTP during the timeout period, the lease duration is reset to this length, so a BOOTP client that boots frequently enough will never lose its lease. Needless to say, this parameter should be adjusted with extreme caution.

Boot File Server
    Specify the host address of the server from which the initial boot file (specified in the Boot File parameter) is to be loaded. Boot File Server should be a numeric IP address. If no Boot File Server parameter applies to a given client, the DHCP server's IP address is used.

Boot File
    Used to optionally specify the name of the initial boot file which is to be loaded by a client. The filename should be a filename recognizable to whatever file transfer protocol the client can be expected to use to load the file.

List 719 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters

Boot Unknown Clients
    true / not-set - clients without host declarations will be allowed to obtain IP addresses, as long as those addresses are not restricted by allow and deny statements within their pool declarations
    false - clients for whom there is no host declaration will not be allowed to obtain IP addresses

RFC1048 Conformance
    Some BOOTP clients expect RFC1048-style responses, but do not follow RFC1048 when sending their requests. You can tell that a client is having this problem if it is not getting the options you have configured for it and if you see in the server log the message "(non-rfc1048)" printed with each BOOTREQUEST that is logged.
    If you want to send RFC1048 options to such a client, you can set the always-reply-rfc1048 option in that client's host declaration, and the DHCP server will respond with an RFC1048-style vendor options field. This flag can be set in any scope, and will affect all clients covered by that scope.
    true - response in RFC1048 style
    false - response NOT in RFC1048 style
    not-set (default) - deactivates the parameter

Hostname via Rev-DNS
    This parameter is used for telling DHCP whether or not to look up the domain name corresponding to each IP address in the lease pool and use that name for the DHCP hostname option.
    true - the lookup is done for all addresses in the current scope
    false - no lookups are done
    not-set (default) - deactivates the parameter

Ping Check
    If the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address. If a response is heard, the lease is abandoned, and the server does not respond to the client.
    This parameter introduces a default one-second delay in responding to DHCPDISCOVER messages, which can be a problem for some clients. The default delay of one second is configured using parameter Ping Timeout [s] (see below). The ping-check configuration parameter can be used to control checking: if its value is false or not-set (default), no ping check is done.
List 719 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters (continued)

Ping Timeout [s]
    If the DHCP server determined that it should send an ICMP Echo request (a ping) because the ping-check statement is true, this parameter allows configuring how many seconds the DHCP server should wait for an ICMP Echo response. If no ICMP Echo response has been received before the timeout expires, it assigns the address. If a response is heard, the lease is abandoned, and the server does not respond to the client.

1.3.6 Classes

Note: This parameter set is only available in Advanced View mode.

List 720 DHCP Enterprise - Classes section Class Configuration

Spawn Subclasses
    If there are spawn subclasses (default: no), they must be specified here.

Spawn Parameter
    In case of spawn subclasses (default: no), their parameters are configured via this parameter.

Lease Limit
    This parameter defines the maximum number of parallel active leases.

Match Parameter
    Match Parameter (default: dhcp-user-class)
    Match Type (default: exact) - defines the number of matching values; exact indicates ONE client, list allows multiple clients, which must be entered in parameter Match Value List.
    Match Value - defines the value that has to match (for example, MAC, store agent ID, ...)
    Match Value List
    Note: The way MAC addresses are entered depends on the type of interface used:
    ethernet requires a 1: prior to the MAC address (for example 1:00:01:f3:34:44:2f)
    tokenring requires a 6: prior to the MAC address (for example 6:00:01:f3:34:44:2f)
    The prefix is the hardware type of the interface; the remaining digits must be hexadecimal.

1.3.7 Dynamic DNS

List 721 DHCP Enterprise - Dynamic DNS section DNS Update Configuration

Note: This parameter set is only available in Advanced View mode.

DNS Update Scheme
    Define the DNS Update Scheme with this parameter. Two options are available:
    none (default)
    interim
    The ddns-update-style statement is only meaningful in the outer scope: it is evaluated once after reading the dhcpd.conf file, rather than each time a client is assigned an IP address, so there is no way to use different DNS update styles for different clients.

Client Updates
    The first point to understand about the interim style of DNS update is that the DHCP server does not necessarily always update both the A and the PTR records. The FQDN (fully qualified domain name) option includes a flag which, when sent by the client, indicates that the client wishes to update its own A record. In that case, the server can be configured either to honour the client's intentions or to ignore them. This is done with the statement allow client-updates; or the statement ignore client-updates. By default, client updates are ignored.

List 722 DHCP Enterprise - Dynamic DNS section DNS Authentication

Zone Keys
    The HMAC-MD5 key for the DNS zone has to be entered here. This is the TSIG key shared with the DNS server; anyone who holds it can submit updates for the zone, so it has to be treated as a secret.

DNS Zones
    Zone Type - Choose between Forward (default), Reverse and Both.
    DNS Server IP - Enter the DNS server IP here.
    Forward Zone Name - Holds the zone name of the forward lookup.
    Reverse Lookup Net - Holds the network of the reverse lookup.
    Reverse Lookup Netmask - Holds the netmask of the reverse lookup.
    Authentication Key - Used for selecting a key preconfigured in parameter Zone Keys.
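The settings in lists 75 to 77 (address pools), 78 to 711 (known clients), 713 (basic options), 717 to 719 (parameter templates), 720 (classes) and 721 to 722 (dynamic DNS) correspond to statements of an ISC-dhcpd-style text configuration, which is also the form in which the Text Based Configuration section below shows or lets you write the file sent to the DHCP server. The following is an added illustration of that correspondence, not a configuration taken from the guide or generated by Barracuda NG Firewall; the interface name, addresses, MAC addresses, class and host names and the key are assumed values, and the exact text the appliance generates may differ.

```conf
# Added example: ISC-dhcpd-style text for the GUI settings described above.
# All names, addresses and the key are assumed values, not from the guide.

ddns-update-style interim;        # List 721: DNS Update Scheme = interim
ignore client-updates;            # List 721: Client Updates ignored (default)
authoritative;                    # List 77:  Server Is Authoritative = yes
ping-check true;                  # List 719: Ping Check
ping-timeout 1;                   # List 719: Ping Timeout [s]
min-lease-time 600;               # List 717: Min Lease Time [s]
default-lease-time 3600;          # List 717: Def Lease Time [s]
max-lease-time 86400;             # List 717: Max Lease Time [s]
min-secs 1;                       # List 717: Reply Delay [s] (secondary server)

key zone-key {                    # List 722: Zone Keys (TSIG, shared with the DNS server)
    algorithm hmac-md5;
    secret "<base64 secret>";     # placeholder: generate your own secret
}
zone example.test. {              # List 722: DNS Zones, Zone Type = Both gives one
    primary 10.0.4.2;             #   forward and one reverse zone statement
    key zone-key;
}
zone 4.0.10.in-addr.arpa. {
    primary 10.0.4.2;
    key zone-key;
}

class "voip-phones" {             # List 720: Match Parameter = hardware, Match Type = list
    match hardware;
}
subclass "voip-phones" 1:00:01:f3:34:44:2e;   # "1:" = ethernet hardware type
subclass "voip-phones" 1:00:01:f3:34:44:2f;   # ("6:" would be token ring)

shared-network eth0 {                          # List 75: Shared Network Device = yes
    subnet 10.0.4.0 netmask 255.255.255.0 {    # List 77: Further Subnet, type explicit
        option routers 10.0.4.1;               # List 713: Router [3]
        option domain-name-servers 10.0.4.2;   # List 713: DNS Servers [6]
        option domain-name "example.test";     # List 713: Domain Name [15]
        server-identifier 10.0.4.1;            # List 77: Server IP
        pool {                                 # List 76: Address Pool
            range 10.0.4.100 10.0.4.199;
            allow known-clients;               # Known Clients = allow
            deny unknown-clients;              # Unknown Clients = deny
            deny dynamic bootp clients;        # BOOTP Clients Policy = deny_dynamic
            allow members of "voip-phones";    # Allowed Classes
        }
    }
    subnet 10.0.5.0 netmask 255.255.255.0 {    # second Further Subnet on ONE interface
        option routers 10.0.5.1;
        pool {
            range 10.0.5.100 10.0.5.199;
            allow unknown-clients;             # pool for clients without host declaration
            deny members of "voip-phones";     # Denied Classes
        }
    }
}

group {                                        # List 78: one group of known clients
    use-host-decl-names on;                    # Automatic Hostname Assignment = true
    host printer-01 {                          # Lists 79-711: one client group member
        hardware ethernet 00:01:f3:34:44:2e;   # MAC Type / MAC Address
        fixed-address 10.0.4.32;               # Fixed IP Address
        always-broadcast off;                  # Allowed Broadcast Reply
        deny duplicates;                       # Duplicates Policy = deny
        ddns-hostname "printer-01";            # DDNS Hostname
    }
}
```

Two points are easy to miss when reading such a file: the pool permit lines decide only who receives an address, and "known" means nothing more than a matching MAC address or client identifier (both chosen by the client); and the TSIG secret in the key statement authorises DNS updates on its own, so the text view of the configuration (GUI Corresponding Text, below) contains that secret and must be handled accordingly.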
Text Based Configuration

Note: This parameter set is only available in Advanced View mode.

Show GUI as Text
    Activating this parameter causes the configuration file sent to the DHCP server to be displayed (default: no).

GUI Corresponding Text
    Displays the configuration file of the DHCP server as read-only.

Note: This parameter set is only available in Advanced View mode.

Use Free Format
    Activating this parameter enables manual configuration of the DHCP server (default: no).
    Attention: Setting this parameter to yes disables every setting made in the user interface. Deactivating it makes the settings in the user interface valid again. While free format is active, the running configuration is exactly the text entered below and nothing else, so review it before activating it.

List 724 DHCP Enterprise - Text Based Configuration

Free Format Text
    Here you can write the configuration file.

1.4 Realtime Information

The real time information for the configured DHCP server can be accessed via the box menu entry DHCP.

Fig. 76 Real Time Information - DHCP

The following columns are displayed:
- IP-Address - displays the assigned IP address; additionally the status of the client is displayed by one of the following icons: client is up and running (ARPable); client is relayed (not ARPable); no client is listening on this IP
- State - displays the state of the lease
- Start - displays the time of lease assignment; format used: yyyy/mm/dd hh:mm:ss
- End - displays when the client has to renew its lease; format used: yyyy/mm/dd hh:mm:ss
- Hostname - if available, this column displays the configured hostname the client is assigned to
- Relay-ID - if available, this column provides the client's relaying interface
- Hardware-Address - displays the client's MAC address
- Hardware-Type - displays the client's interface type (ethernet or token ring)
Example values for a Further Subnet:
    Subnet Type        explicit
    Network Address    10.0.4.0
    Netmask            8-bit

Example values for the first Known Client:
    MAC Address        00:01:f3:34:44:2f
    Fixed IP Address   10.0.4.31 (optional)

Example values for the second Known Client:
    MAC Address        00:01:f3:34:44:2e
    Fixed IP Address   10.0.4.32 (optional)
2. "Regular" DHCP

Note: DHCP and the DHCP Relay Agent were implemented according to the following RFCs:
- RFC 1497 (RFC 951)
- RFC 2131
- RFC 2132
- RFC 3046

The work flow consists of the following steps:

Step 1 Discover
As soon as a client connects to the network, it broadcasts a message to contact any reachable DHCP server (source IP: 0.0.0.0; destination IP: 255.255.255.255). This message includes the MAC address of the client, so the server(s) know where the request is coming from.

Step 2 Offer
After receiving the discover message, the server(s) offer a lease to the client. The lease consists of:
- IP address
  - The client gets an IP address out of a defined available IP range (see 2.2.3 IP-Ranges, page 299).
  - When the client's MAC address is defined within the special client configuration (2.2.4 Special Clients, page 299), this explicit IP address will be used.
- Options
  The options define the subnet mask, the gateway, and so on (see 2.2.5 Options, page 299).

Note: The selection depends on the client configuration, but usually the lease received first is selected.

Now the client sends a request for the lease to the DHCP server that offered it.

- Service Configuration - settings made during the introduction of the service

Note: When configuring the Service itself (Service Configuration), take into consideration that only certain settings are allowed:
Bind Type: First-IP, or Second-IP, or Explicit (only if just one explicit IP is specified), or First+Second-IP (only the First IP will be used)

Attention: Currently the usage of only ONE subnet is supported. But you may define several IP ranges (see below) within this one subnet.

2.2.1 DHCP Server Settings

Fig. 710 DHCP Server Settings with pre-configured settings

Note: The sections IP-RANGES, SPECIAL-CLIENTS, and OPTIONS are defined via datasets (consisting of multiple parameters). Therefore it is necessary to click Insert to get to the configuration dialog for a new data set. However, if you want to modify an already existing data set, select the entry and click Edit instead.
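The Discover/Offer/Request exchange described in section 2, together with the server-side decisions explained in the enterprise lists above (host matching by DHCP Client Identifier or MAC address in List 710, Allowed Broadcast Reply in List 711, Server Is Authoritative in List 77) and the lease, renew and rebind timers of the Options section, can be made concrete with a small RFC 2131/2132 message codec. The following is an added example, not code from the guide or from the Barracuda NG Firewall DHCP service: the server address, subnet, IP range, known-client table and every message built in it are constructed for illustration, and it implements only the few decisions named above.

```python
"""Added example (not from the guide): a minimal RFC 2131/2132 DHCP codec plus
the server decisions described in section 2 and in lists 77, 710 and 711.
All addresses, MAC addresses and the known-client table are constructed."""
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed BOOTP header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"                # RFC 2132 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values
BROADCAST = 0x8000                         # RFC 2131 flags field, broadcast bit

# Constructed server configuration (cf. 2.2.1 to 2.2.5).
SERVER_IP = ipaddress.IPv4Address("10.0.4.1")
SUBNET = ipaddress.ip_network("10.0.4.0/24")
POOL = ["10.0.4.100", "10.0.4.101"]        # IP-Range for clients without a declaration
LEASE = 3600                               # Lease Time, in seconds on the wire
KNOWN = [                                  # host declarations (List 710 / Special Clients)
    {"mac": "00:01:f3:34:44:2e", "fixed": "10.0.4.32"},
    {"mac": "00:01:f3:34:44:2f", "client_id": b"\x00kiosk-7", "fixed": "10.0.4.31"},
]


def build(op, xid, mac, flags, options, yiaddr="0.0.0.0", ciaddr="0.0.0.0"):
    """Serialise a BOOTP/DHCP message; options is {code: value bytes}."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags,
                      ipaddress.IPv4Address(ciaddr).packed,
                      ipaddress.IPv4Address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC + body + b"\xff"          # 0xff = end option


def parse(pkt):
    """Decode the fixed header and the TLV option field of a DHCP message."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6],
            "ciaddr": str(ipaddress.IPv4Address(f[7])),
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "mac": f[11][:6].hex(":"), "options": opts}


def match_known(msg):
    """List 710: match on the DHCP Client Identifier (option 61) when both the
    host declaration and the client have one, otherwise on the MAC address."""
    cid = msg["options"].get(61)
    for host in KNOWN:
        if cid is not None and "client_id" in host:
            if host["client_id"] == cid:
                return host
        elif host["mac"] == msg["mac"]:
            return host
    return None


def lease_options(msg_type):
    """Option 53 plus server identifier, mask and the three timers of 2.2.5."""
    return {53: bytes([msg_type]), 54: SERVER_IP.packed, 1: SUBNET.netmask.packed,
            51: struct.pack("!I", LEASE),                 # Lease Time
            58: struct.pack("!I", LEASE // 2),            # Renew Time  = 0.5 x lease
            59: struct.pack("!I", int(LEASE * 0.875))}    # Rebind Time = 0.875 x lease


def reply_flags(msg, always_broadcast=False):
    """List 711 Allowed Broadcast Reply: broadcast if the client set the broadcast
    bit or the scope forces it, otherwise the reply is unicast."""
    return BROADCAST if (msg["flags"] & BROADCAST) or always_broadcast else 0


def serve(pkt, leases, authoritative=True):
    """Return the BOOTREPLY for a DISCOVER or REQUEST, or None if the server stays silent."""
    msg = parse(pkt)
    host = match_known(msg)
    kind = msg["options"][53][0]
    if kind == DISCOVER:                               # Step 1/2: Discover -> Offer
        ip = host["fixed"] if host else POOL[0]        # known -> fixed IP, else IP range
        return build(BOOTREPLY, msg["xid"], msg["mac"], reply_flags(msg),
                     lease_options(OFFER), yiaddr=ip)
    if kind == REQUEST:                                # Request -> Ack or Nak
        raw = msg["options"].get(50, ipaddress.IPv4Address(msg["ciaddr"]).packed)
        wanted = ipaddress.IPv4Address(raw)
        entitled = [host["fixed"]] if host else POOL
        if wanted not in SUBNET or str(wanted) not in entitled:
            # List 77 Server Is Authoritative: only an authoritative server sends
            # DHCPNAK for an address that is not valid here; otherwise stay silent.
            if not authoritative:
                return None
            return build(BOOTREPLY, msg["xid"], msg["mac"], BROADCAST,
                         {53: bytes([NAK]), 54: SERVER_IP.packed})
        leases[msg["mac"]] = str(wanted)
        return build(BOOTREPLY, msg["xid"], msg["mac"], reply_flags(msg),
                     lease_options(ACK), yiaddr=str(wanted))
    return None
```

Note what the known-client lookup does not do: a request carrying the right MAC address or the right client identifier is "known", whichever host actually sent it, which is why the guide's Known Clients and Unknown Clients policies are allocation controls rather than authentication. The authoritative branch shows the other side of List 77: a non-authoritative server keeps quiet about a foreign address, so a stale or wrong address is only corrected by a server that is configured as the authority for the segment.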
2.2.3 IP-Ranges

Fig. 711 Configuration - IP RANGES

List 726 DHCP Server Settings - section Option Section and IP RANGES

Option Section
    This field defines which set of configured options (see 2.2.5 Options, page 299) should be used within this IP range.

IP-Begin
    This field indicates the beginning of the IP range, including this IP address.

IP-End
    This field indicates the end of the IP range, including this IP address.

2.2.4 Special Clients

Fig. 712 Configuration - SPECIAL CLIENTS

Host Name [12]
    The host name of the client can be entered here.

2.2.5 Options

Router [3]
    The IP address(es) of the default gateway(s) are to be entered here.

DNS Server [6]
    The IP address(es) of the DNS server(s) are to be entered here.

Domain Name [15]
    The domain name is to be entered here.

Lease Time [51]
    This field is used for defining the maximum period of time (in minutes) that an IP address may be leased. (On the wire, option 51 carries the lease time in seconds.)

Renew Time [58]
    This field is used for defining the period of time after which the client sends a request (unicast) to the server it got the lease from, in order to extend its lease. The default value for this field is 0.5 x Lease Time.

Rebind Time [59]
    This field is used for defining the period of time after which the client sends a request (broadcast) to ANY server to extend its lease. A reasonable value for this field is 0.875 x Lease Time.

Note: When configuring the parameters Lease Time, Renew Time and Rebind Time, use the following rule of thumb to determine the values:
Lease Time > Rebind Time > Renew Time

List 729 DHCP Server Settings section EXTENDED OPTIONS

Broadcast Address [28]
    The broadcast address can be entered here.

NIS Domain Name [40]
    Enter the domain of the Network Information System in this field.

NIS Server [41]
    The IP address(es) of the NIS server(s) are entered here.

NTP Server [42]
    To enable synchronized times, the IP address(es) of the NTP server(s) are entered here.

WINS Server [44]
    When using a WINS server, the IP address(es) of the server(s) are entered here.

NBDD Server [45]
    When using an NBDD server, the IP address(es) of the server(s) are entered here.
List 729 DHCP Server Settings section EXTENDED OPTIONS 2.3 Real Time Information
Parameter Description
Netbios Node Note: The real time information for the configured DHCP server
Type [46] When using a Linux client, this parameter is obsolete
and has to be left empty. can be accessed via the box menu entry DHCP.
This entry allows NetBIOS to configure TCP/IP clients.
The following values are available (with their Fig. 714 Real Time Information - DHCP
indication):
1 b-node - broadcast; which means clients use Number of total available
broadcast for name registration/resolution leases
2 p-node - point; which means client registers itself at Lease-O-meter
the netbios server (point-to-point)
4 m-node - multi; which means client first uses b-node,
if it fails p-node is used.
Note:
Number of
However, b- and m-nodes should not be used with large used leases
networks because the broadcasts use lots of
bandwidth.
8 h-nodehybrid; which means like m-node, but uses
p-node first and then b-node (as a last resort)
Netbios Scope Note:
Id [47] When using a Linux client, this parameter is obsolete
and has to be left empty.
When using NetBIOS Scope IDs (like to isolate NetBIOS
traffic or to give the same name to different
computers), here this ID is to be entered. By using the Delete button (top left corner) it is possible to
Note: delete active leases manually.
The NetBIOS Scope ID is case-sensitive.
LPR Server [9] When using this printing protocol for Unix systems, Attention:
here the IP address of the printer has to be entered. To avoid duplicate IPs after deleting a lease, the lease is
Log Server [7] In case of a stand-alone log server, here the IP address not put back into the list of available IP addresses until
of the server has to be entered.
the service is restarted.
Time Server [4] In case of a time server according to RFC868, here the
IP address of this server has to be entered. The Refresh button (right to Delete button) is used for
Time Offset [2] This field defines the clients time offset (in seconds) refreshing the display.
from UTC.
IEN Name In case of a IEN name server, here the IP address of this The so-called Lease-O-meter in the middle of the user
Server [5] server has to be entered. interface indicates the level of lease usage.
Cookie Server When using a stand-alone cookie server, here the IP
[8] address of this server has to be entered. z MAC
Swap Server When using a separate swap server, here the IP address This column displays the client MAC address for each
[16] of this server has to be entered. lease that is currently used.
Local Subnets In case of local subnets, they are entered in this field.
[27] z IP
Impress Server This field defines the IP address of an optional Imagen This column displays corresponding client IP address.
[10] Impress server.
Resource This field defines the IP address of an optional resource z Leased or Offered
Location Server location server (according to RFC887). The state of a lease is displayed in this column. Possible
[11] values are Leased and Offered:
Perform Mask Note:
Discovery [29] When using a Linux client, this parameter is not Leased - indicates used IP addresses
supported. Offered - indicates leases that are currently offered
This field defines whether a subnet mask discovery is but not yet taken
carried out or not. The following settings are available:
1 - Client uses ICMP for subnet mask discovery z Lease Time
0 - No subnet mask discovery is to be performed
Shows the amount time until the lease expires.
Perform Router Note:
Discovery [31] When using a Linux client, this parameter is not z Online/Offline/Duplicated
supported.
The DHCP sends ARP requests throughout the network.
This field defines whether a router discovery is carried
out or not. The following settings are available: Depending on the response, the following states are
1 - Client performs ICMP router discovery (according to possible:
RFC1256)
0 - No router discovery is to be performed Online - the IP address answers the ARP request
Static Route This field is used for entering the static routes of the Offline - the IP address does not answer the ARP
[33] client. request
Note:
When using a Windows client, this parameter is not
Duplicate - multiple IP addresses answer the ARP
supported. request
TFTP Server Here a TFTP server may be defined.
Name [66]
Boot File Name This field allows entering a boot file name.
[67]
z Range/Specific
This column shows what kind of IP address is used in
this lease:
Range - The IP address is defined through the
IP-Ranges field (see 2.2.3 IP-Ranges, page 299)
Specific - The IP address is defined through the
Special Clients field (see 2.2.4 Special Clients,
page 299)
z Option
This column shows the name of the options used by this
lease.
long as these services do not use the same interface.
By introducing a DHCP relay, the following configuration items are added to the configuration tree:
• Dhcp Relay Settings - see 3.1 DHCP Relay Settings, page 302
• Service Properties - settings made during the introduction of the service
Parameter - Description
AID Relay Policy: This parameter defines how to deal with DHCP packets already flagged by an AID. The following options are available:
Append (default) - Attaches my agent's ID to the existing one, leaving it intact.
Replace - Replaces the existing AID with my agent's ID.
Forward - Passes DHCP packets without any modification.
Discard - Discards DHCP packets which are already flagged by another agent's ID.
Reply AID Mismatch Policy: The relay agent scans packets it receives from the DHCP server for the server's IP address before forwarding them to the client. If it finds the IP address in the header, it forwards the packet to the client. If it cannot find it, the relay acts on the directive defined by this parameter:
Discard (default) - Discards the DHCP packet.
Forward - Forwards the DHCP packet regardless.
Note:
The Reply AID Mismatch Policy parameter is of special importance when multiple relay agents serve the DHCP server.
Packet Hop Count: Limit the hop count (default: 10) with this parameter to avoid infinite packet loops.
Note:
Actually, the DHCP Relay Agent is not designed for cascaded use. However, if there is demand to configure multiple relay agents in a cascaded environment, consider that you must not specify the server-side interface of the cascaded ("border") relay agent in the configuration, as this will lead to conflicts.
Attention:
Cascading DHCP relay agents are to be used only if a client subnet is connected to the server-side DHCP Relay Agent.
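The three relay parameters above, modelled as an added example (not Barracuda code): a packet is a small dataclass carrying a hop counter and the list of agent IDs already attached, and a chain of relays can be simulated to show what the cascading note means. The exact hop comparison (drop once the limit is reached) and the dhcp_server attribute used for the reply check are assumptions of this illustration.

```python
"""Model of the DHCP relay agent policies (AID Relay Policy, Reply AID
Mismatch Policy, Packet Hop Count).  Added illustration, not Barracuda
code: agent IDs are plain strings in a list, the hop check and the
`dhcp_server` attribute are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DhcpPacket:
    hops: int = 0                                   # relay hop counter
    aids: List[str] = field(default_factory=list)   # agent IDs already attached
    header_server_ip: str = ""                      # server IP seen in a reply header


@dataclass
class RelayAgent:
    my_aid: str
    dhcp_server: str                                # assumption: server this relay serves
    aid_relay_policy: str = "Append"                # Append | Replace | Forward | Discard
    reply_aid_mismatch_policy: str = "Discard"      # Discard | Forward
    packet_hop_count: int = 10

    def relay_request(self, pkt: DhcpPacket) -> Optional[DhcpPacket]:
        """Client -> server direction.  Returns the packet to forward, or
        None when the relay drops it (hop limit or AID Relay Policy)."""
        if pkt.hops >= self.packet_hop_count:
            return None                 # loop protection: Packet Hop Count reached
        pkt.hops += 1
        if not pkt.aids:                # not flagged yet: attach our own ID
            pkt.aids = [self.my_aid]
            return pkt
        policy = self.aid_relay_policy
        if policy == "Append":          # keep the existing AID(s), add ours
            pkt.aids = pkt.aids + [self.my_aid]
        elif policy == "Replace":       # overwrite with our AID only
            pkt.aids = [self.my_aid]
        elif policy == "Forward":       # pass the packet unmodified
            pass
        elif policy == "Discard":       # already flagged by another agent: drop
            return None
        else:
            raise ValueError(f"unknown AID Relay Policy: {policy!r}")
        return pkt

    def relay_reply(self, pkt: DhcpPacket) -> Optional[DhcpPacket]:
        """Server -> client direction.  Forward when the header carries the
        server's IP address, otherwise apply Reply AID Mismatch Policy."""
        if pkt.header_server_ip == self.dhcp_server:
            return pkt
        if self.reply_aid_mismatch_policy == "Forward":
            return pkt
        if self.reply_aid_mismatch_policy == "Discard":
            return None
        raise ValueError(
            f"unknown Reply AID Mismatch Policy: {self.reply_aid_mismatch_policy!r}")


def simulate_cascade(agents: List[RelayAgent], pkt: DhcpPacket) -> Optional[DhcpPacket]:
    """Pass a client packet through cascaded relays, client-side agent first.
    With the default Append policy every agent's ID ends up in the packet;
    a border relay set to Discard drops everything the inner relay flagged."""
    for agent in agents:
        pkt = agent.relay_request(pkt)
        if pkt is None:
            return None
    return pkt
```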
Log Viewer
1. Overview
1.1 LogGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
1. Overview
Fig. 81 LogGUI
• Services
This part deals with log file types that deal with server support. These log file types are documented with the prefix srv_.
Within the Box branch the log files are grouped by operative themes; for example, Auth contains authentication log files.
For a detailed view of a specific log out of these categories select it by double-click.
In the selection segment it is possible to delete selected log entries. To do so, select Delete Log in the context menu of the corresponding log entry. For deleting the log cache select Clear Log Cache. This way the database is built from the ground up.
2.3 View Segment
After a log has been selected and the navigation options (which can be time, date, type, and filter) have been set, the log entries are displayed in the view segment after having pressed one of the navigation arrows.
The view segment window is divided into three categories:
• Time
This is the time when an event has taken place. The time indicator marks individual log entries.
• Type
Shows the type of log entry
• TZ
This column displays the UTC time zone offset compared to the local box time.
• Message
Short description of the entry
2.4 Types of Log Entries
A certain symbol is given to every log entry depending on the type of the entry. Info and Internal describe normal events, which are not associated with a symbol. Table 82 summarizes the individual types and their respective symbols.
Table 82 Log Entry types
Icon - Type - Description
Warning - Uncritical event (for example login)
The button Live Update enables an update of the view segment if the log file concerned got any new entries. From case to case, long lasting presentation options or long processing filtering tasks can be terminated by using the Abort button.
Event content (bold message text portion above) enclosed in brackets, ( and ), contains the following pipe | separated fields:
The log message text arranged as follows
(D|2|mgwext_mail|3|Mailgw-Rule|4506|Drop Recipient<e.example@barracuda.com>|bart_111)
is built up of the following elements:
(Internal flag|Layer[1-3]|Layer description|Class ID [1-3]|Class description|Type (Event ID)|Layer Description|Full box name)
Layer and Class are hidden fields, which have originally been part of the event specification. However, the two parameters have no particular meaning which could be used for filtering and extraction purposes by a security event management tool.
Layer description denotes the originator of the event on the Barracuda NG Firewall system. In the example above the event has been generated by a service named mgwext_mail.
Class description denotes a subcomponent of the originator; in the example above the event was triggered due to a mail gateway rule having handled a particular mail.
Suitable filtering criteria are layer description, type identifier, class description, and full box name.
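A parser for the bracketed event content just described, with the filtering criteria the text recommends, as an added example that is not part of the original guide. The log line prefix in the sample lines is constructed; only the bracketed part follows the documented field order. The seventh field is documented as "Layer Description" above; it is named event_text here because in the documented example it carries the message text (a naming assumption).

```python
"""Parse the pipe-separated event content of Barracuda NG log messages and
filter by the documented criteria.  Added example, not Barracuda code;
sample lines are constructed."""
import re
from typing import Dict, Iterable, List, Optional

FIELD_NAMES = (
    "internal_flag",      # e.g. D
    "layer",              # Layer [1-3], hidden field
    "layer_description",  # originator of the event, e.g. mgwext_mail
    "class_id",           # Class ID [1-3], hidden field
    "class_description",  # subcomponent of the originator, e.g. Mailgw-Rule
    "type_id",            # Type (Event ID), e.g. 4506
    "event_text",         # message text portion (naming assumption, see lead-in)
    "full_box_name",      # e.g. bart_111
)

# The event content is one bracketed group containing pipes; it has no
# nested parentheses, so matching on [^()] is sufficient.
EVENT_RE = re.compile(r"\(([^()]*\|[^()]*)\)")

# Constructed sample lines (the "Info"/"Warning" prefix is made up; the
# first bracketed part is the example from the text).
SAMPLE_LINES = [
    "Info (D|2|mgwext_mail|3|Mailgw-Rule|4506|"
    "Drop Recipient<e.example@barracuda.com>|bart_111)",
    "Info (D|1|firewall|2|Rule|2001|Block: pipe | inside text|bart_111)",
    "Warning plain text without event content",
    "Info (D|x|broken|3|Rule|12|text|box)",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the eight documented fields, or None when the line carries no
    well-formed event content (such lines belong to the dirty-block view)."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    # The six leading fields never contain '|'; split them off first, then
    # peel the box name off the end so a '|' inside the message text survives.
    head = m.group(1).split("|", 6)
    if len(head) != 7:
        return None
    tail = head[6].rsplit("|", 1)
    if len(tail) != 2:
        return None
    values = head[:6] + tail
    # Layer, Class ID and Type (Event ID) are numeric by specification.
    if not all(values[i].isdigit() for i in (1, 3, 5)):
        return None
    return dict(zip(FIELD_NAMES, values))


def filter_events(lines: Iterable[str], **criteria: str) -> List[Dict[str, str]]:
    """Keep the events whose fields equal every given criterion, e.g.
    layer_description="mgwext_mail" or full_box_name="bart_111"."""
    unknown = set(criteria) - set(FIELD_NAMES)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    events = (parse_event(line) for line in lines)
    return [ev for ev in events
            if ev is not None and all(ev[k] == v for k, v in criteria.items())]
```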
recording of sequence pairs in the log file, which show the same time stamp.
For this reason, if you start to browse the log from an inconsistent starting point (log query start date B, see the question mark in figure 83) it is ambiguous which starting point is meant.
Hence a popup window will appear that lets you decide to choose the log query start date in order of the chronological occurrence of the clock skew entries in the corresponding log.
2.6.1.1 Analysing Clock Skew Entries in Log Files
This overview is meant to explain the cause of the most frequent clock skew entries produced by dstats/dstatm. Particular regard is paid to those messages generated in dirty situations.
Dstats and dstatm search for clock skews on every daily start-up of the service. The log file entries they produce will be related to the following processes:
• clock skew detection
• synchronisation of actively configured polling list and database
2.6.1.2 Log File Entries related to Clock Skew Detection
Table 85 Log file entries related to clock skew detection
Log (Type/Message) | Corresponding content of BerkeleyDB-Header | Reason
"Info / MAIN no clock skew detection (initial)" | LastRun 0, LastStart 0 | A clock skew cannot be detected because it is assumed that dstatm is either running for the first time or it has never run successfully.
"Error / *** Unresolvable clock skew detected ***" | LastRun <timestamp>, today <timestamp> | HASync is active. The current system time is behind the time of the LastRun header field in the BerkeleyDB. A clock skew detection fails because of inconsistencies in time settings.
(same entry) | (same header content) | HASync is not active. The current system time is either behind or more than two days ahead of the time of the LastRun header field in the BerkeleyDB. A clock skew detection fails because of inconsistencies in time settings.
2.6.1.3 Log File Entries related to Synchronisation of Polling List and Database
Table 86 Log file entries related to synchronisation of polling list and database
Table 88 Log file entries related to synchronisation between HA-databases - Scenarios which will stop task MAIN
Log (Type/Message) | Reason
"Info / MAIN ha state db not available, assuming initial" | HASync is active but the database of the HA-partner is not available. It is assumed that the HA-partner has never been active and thus has no "state", which it could have negotiated during the HASync. The database of the HA-partner will contain the comment entry "no state present, assuming initial".
"Error / MAIN cannot load HA state db: <specific error message>" | HASync is active but the database of the HA-partner, though available, is not readable.
"Error / MAIN HA state db out of date" | HASync is active and the database of the HA-partner is available. There are time inconsistencies in the LastStart header fields of the BerkeleyDBs though, which means the LastStart header field in the own BerkeleyDB is younger than the one in the HA-partner's DB. Furthermore the DB header field LastRun does not reflect the current day. The database of the HA-partner is obsolete. A data inconsistency is most likely. As an automated troubleshooting is not possible in this case, a manual check has to be undertaken. Possible scenario: The active HA-partner has crashed during HA-synchronisation. The following log entry could be expected in this case (see next entry below):
"Info / MAIN HA state db out of date? Assuming block and restart scenario" | HASync is active but the ActivityState of the HA-Partner is DISABLED.
"Warning / MAIN HA sync enabled although HA box is disabled" | HASync is active but the ActivityState of the HA-Partner is DISABLED.
"Fatal / AIN HA takeover in inconsistent state!" | HaSync is active but the HA-partner is not in state CLEAN.
"Warning / MAIN ha entry: activity state changed to disabled" | HaSync is not active but the HA-partner state is not DISABLED.
"Error / MAIN session state unknown, going to stop!", "Error / MainLoop - main task UNKNOWN" | The state of MAIN could not be determined during start-up.
"Error / MAIN cannot sync poll state, going to stop!", "Error / MainLoop - main task poll_pending" | Synchronisation of configured polling list and database is not possible (compare to 2.6.1.3 Log File Entries related to Synchronisation of Polling List and Database).
"Error / MAIN internal error <error_num>", "Error / MainLoop - main task poll_pending" | A system related error has occurred during polling (for example missing system resources).
Scenarios which will not stop the task MAIN
The errors described below will not stop task MAIN because there will be no indication that data on the (local) MAIN has been damaged. Take into consideration that on the other hand data on the HA-partner could be in an inconsistent mode.
In case the synchronisation is not successful, the current try is given up and the MAIN task is reset to 'sync_await'. When the maximum allowed number of retries is exceeded, the main status changes to 'await_daybreak'. The database will not be synchronized with the HA-partner. Manual action will be necessary to solve the problem.
Table 89 Log file entries related to synchronisation between HA-databases - Scenarios which will not stop task MAIN
Log (Type/Message) | Reason
"Error / MAIN local compression cooking done with error %d, going to stop!", "Error / MainLoop - main task cook_pending" | Cooking of statistics files could not be completed.
"Error / MAIN cannot write HA sync file", "Error / MainLoop - main task sync_pending" | The HA sync file could not be written. Check for a previously created HA sync file which possibly could not be overwritten. Check for HDD errors. Restart dstatm.
"Error / MAIN HA sync done with error <error_num>", "Comment / MAIN could not start sync process" | The sync-process cannot be started.
"Error / MAIN HA sync unsuccessful (try <retry_count>)" | The HA synchronisation has failed. Prior error messages are to be analyzed to solve this problem.
2.6.2 Dirty Block
It is possible that corrupt entries are taken to a log. "Corrupt" in this case means that the log entry does not conform with the expected log entry format. These entries are called dirty blocks.
There are different circumstances which can lead to dirty block entries. Examples could be unsuitable timestamp formats due to a wrong version of the network time protocol daemon (ntpd) or the recording of binary data, where a timestamp is completely missing. Such entries are indicated and shown as dirty blocks in the view segment area.
2.6.3 Digression: logwrapd
The directories relevant for recording events can be found in /var/phion/logs/ and /var/phion/logcache/ on the box level. In addition, there are directories for every segment (Range), named after the client number.
The files found in the directory /var/phion/logcache/ with the extension LAF (Log Access File) are structure authorities that are produced in a cycle and continually updated. They are used to raise log file interrogation performance.
The box daemon logwrapd is responsible for handling logs and LAF structures, such as log cycling, detection of clock skews, and dirty blocks.
Attention:
Logs and LAF-structures in the above mentioned directories are not to be renamed, erased or manipulated.
Statistics
1. Overview
1.1 Box Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
1.2 Server Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
3. Configuration
3.1 Service Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
4. Advanced Topics
4.1 Cooking of Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
4.2 Dealing with a Box in the "Future" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
4.2.1 Self-healing for Quantitative Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
4.2.2 Manual Correction for Time Preference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
4.2.3 Further Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
1. Overview
The Barracuda NG Firewall statistics module raises a multitude of statistical data reflecting box and server processes, such as disk utilisation, processor load, and traffic generation.
The following services are responsible for handling of statistics data:
Table 91 Services responsible for statistics files handling
Service - Responsibility
cstatd: Collection of statistics files.
qstatd: Handling of statistics queries, like display of statistics files contents in the statistics viewer.
dstats (statcook daemon): Validation and "cooking" (which means compression) of statistics files. Utility run by cron as daily job. Recognizes corrupted statistics files and prevents their collection by cstatd and dstatm. Available on both self-managed systems and Barracuda NG Control Centers.
dstatm: CC specific service. Collection of statistics files from CC-administered boxes (Barracuda NG Control Center 9. CC Statistics, page 461).
qstatm: CC specific service. Handling of statistics queries, display of statistics files contents in the statistics viewer on the Barracuda NG Control Center (Barracuda NG Control Center 9. CC Statistics, page 461).
To access the Statistics viewer, click Statistics in the box menu of the graphical administration tool Barracuda NG Admin.
Note:
Collection of statistics by cstatd is not included in all licenses. If statistics records are unavailable, check your license coverage.
As shown in figure 91, the statistics window user interface is divided into two areas, a Control and a Viewing field.
In the Control field, statistics file and various display options may be selected for display in the Viewing field. Double-click a folder to expand the statistics file list. Double-click a statistics file to select it for display.
Note:
Always click the Show button after having defined viewing options in order to display the statistics file analysis.
To delete statistics files, select a folder in the Statistics file list, then right-click and select Delete Statistics from the context menu.
Generally, data originates from two sources:
• System resources
• Operative service data
The statistical raw data is registered according to time, connection, or a combination of both. Statistical data containing time information is defined as time data (which means timed statistics), whereas connection based data is defined as top data or top statistic.
Fig. 92 Tree structure of the Statistics module
2.1 Time Statistics
2.1.1 Control Field
The following values may be adjusted in the Control field related to viewing of statistics files of type Time:
Fig. 93 Control field for type Curve with time axis
List 91 Control field for type Curve with time axis section Options
Parameter - Description
Statistics Type: Defines the display mode of the graph. Available selections are:
Curve with time axis
Bars with time axis
Filter: Depending on the statistics type either a source or a destination address has to be specified. The format of these addresses depends on the Barracuda NG Firewall service type and is equivalent to the corresponding Top statistic.
Clear button: Clicking this button clears the Filter field.
Show: Checkboxes to the right of the Show label define display of minimum, maximum and/or average values.
Min (minimum) - When selected, a green curve for the lowest value within the selected time interval is displayed.
Max (maximum) - When selected, a red curve for the highest value within the selected time interval is displayed.
Average - When selected, a black curve for the calculated average value within the selected time interval is displayed.
Show button: Clicking this button generates the statistics analysis. To open the report in a new tab instead of overwriting currently displayed content, select the New tab checkbox prior to clicking the Show button.
History: Clicking this button opens the Statistics History window, which lists all analyses that have been executed during the current Barracuda NG Admin session. Double-click a report in the list to open it anew. Alternatively, browse through all available reports by clicking the arrows to the right of the History button.
List 92 Control field for type Curve with time axis section Time Interval - Curves (for Statistics Type: Curve with time axis)
Parameter - Description
From: Start time for the analysis on a specific day.
To: End time for the analysis on a specific day.
Day: Start and end date of the analysis.
Bin / Coarse: The Bin value represents the density of the graph. Select the Coarse checkbox to reduce density and to smoothen the curve. Lower graph density is suitable for survey of long observation periods.
Today: Sets the analysis period to the current date.
Same Day: Sets the analysis period to the selected start date.
Single Day: Sets the analysis period to the selected start date.
(arrow buttons): Shift the analysing period to an earlier or later time interval following the configured settings in the From, To and Day fields.
List 93 Control field for type Curve with time axis section Time Interval - Bars (for Statistics Type: Bars with time axis)
Parameter - Description
Year / Month / Day: Checkbox selection and insertion of appropriate date values into the fields below sets the analysing period to the corresponding interval.
Today: Sets the analysis period to the current date.
(arrow buttons): Shift the analysing period to an earlier or later time interval following the configured settings in the From, To and Day fields.
With appropriate selection (see Min, Max, Average checkboxes), three curves for minimum (green), maximum (red), and average (black) values will be displayed.
To detail a part of the analysis, left-click the starting point of the new interval, drag the cursor through the window and release the mouse button at the interval's end point.
Fig. 95 Time Interval selection
Right-click the selected area to open the related context menu and click Show selected interval to display the new time interval in detail.
In the newly opened view, right-click anywhere, then click Show next interval in the context menu to display the statistics details following the previously shown time interval. Note that clicking this option influences the time values in the Time Interval section within the Control field (see above).
• Bars with time axis
Section Options
• Statistics type
For the top file types, there is only the Top list statistic type
• Src Filter
In this box, character strings can be entered, according to which IP address, port and protocol are to be filtered. Wildcards ? and * can be used.
• Clear
Button for resetting the Src filter
• Show
There is no minimum, maximum or average for top statistics.
• Show button
The options that have been set are activated by a left mouse click
• History
Via this button a dialog is opened containing the last statistics displays and their settings. By clicking on the arrows, previously set options are displayed.
3. Configuration
The range of statistics files that may be viewed in the Statistics viewer depends on settings for:
• Statistics generation by each service (Configuration Service List 390 Service Configuration - Statistics section Statistics Settings, page 97). Default settings provide that all services generate statistics.
• Configuration of the Statistics daemon (see 3.1 Service Configuration).
3.1 Service Configuration
Fig. 99 Configuration dialog - Statistics - Statistics Cooking
List 94 Infrastructure Services - Statistics General section Global Settings
Parameter - Description
Disc Write: This option defines the statistics data types that should be recorded and written to the harddisk. The following options are available:
On (default) - Box and Server statistics are written to disk
Off - No statistics are written to disk
Box_only - Only box statistics are written to disk
Server_only - Only server statistics are written to disk
Skip Null Stats: This parameter steers the behavior of cstat concerning 0 byte or 0 connection statistics. When set to yes (default: no) empty statistics files will be omitted when writing to the harddisk.
Query Process Priority: In case of high CPU load during statistical queries this parameter allows decreasing process priority (range 0 (highest) - 19 (lowest); default: 8).
List 96 Statistic Cooking section Type: Time
Parameter - Description
Resolution 1h after (Days): Number of days after which the granularity of statistics data of type time should be increased to one hour. Data more recent than the inserted number of days will not be affected.
Resolution 1d after (Days): Number of days after which the granularity of statistics data of type time should be increased to one day.
Note:
The period between cooking from hour to day granularity has to be 2 days minimum. If set to 1 day it will result in a summary offset for hourly granularity of 0 days per instance. This will lead to an error message in the dstat log file similar to the following: Cannot create, file byte.hour_tot<cookInstStartTS> exists already.
Delete Data after (Days): Number of days after which statistics data of type time should be deleted.
List 97 Statistic Cooking section Type: Top
Parameter - Description
Note:
Options in this section apply to Top statistics only (for example byte (Top Dst), conn (Top Src), ...).
Condense Data after (Days): Number of days after which statistics data of type top should be merged into larger temporal bins. Data more recent than the inserted number of days will not be affected.
Delete Data after (Days): Number of days after which statistics data of type top should be deleted.
Resolution: Available resolutions are weekly and monthly. Settings trigger data rearrangement so as to be representative of an entire week or a month.
Attention:
It is recommendable only to change this parameter as long as the system is not productive. Thoughtless modifying may cause imprecise visualisation in the statistics viewer due to incomplete cook instances.
Statistic Transfer view
List 98 Statistic Transfer section Transfer Settings
Note:
This section is only available if the box is CC-administered. Configuration is required in context with collection of statistics files by the CC Statistics Collector service (dstatm) running on the Barracuda NG Control Center. For a description of configuration options, see Barracuda NG Control Center 9.4 Transfer Settings, page 465.
Time statistics may be cooked in a 2-level approach: In the first level cooking granularity is increased to 1 hour, in the second to a full day. The second level can only be enabled if the first is enabled, too. It is intended for providing the data for long-term trends, for example data for disk utilisation. The number of days that will be stored within a single cook instance is calculated out of the specified offsets.
For Top statistics only a one-level approach is available, because the additionally attainable factor of compression is primarily data-dependent and cannot be estimated reliably. Cooking granularity may be either weekly or monthly.
Deletion of obsolete file instances is as well controlled by offset specification.
Note:
These offsets determine when statistics data is obsolete, and they are used for calculation of cooking parameters. On the other hand cooking offsets imply the offset when raw data files become obsolete and can be deleted. See figure 910 to understand the relationship between configuration parameters.
The length of a cooking instance can be calculated using the equation [(cook1 TS - cook2 TS)-1] * 2.
Fig. 910 Event chain of a cooking instance (TS = time stamp): raw daily files are kept up to today (29.10. in the figure); cook1 TS = today - 14 (parameter Resolution 1h after (Days)), with cook1 instances 18.09.-02.10. (complete) and 03.10.-14.10. (incomplete); cook2 TS = today - 30 (parameter Resolution 1d after), with cook2 instance 20.08.-17.09. (complete); delete TS = today - 60 (parameter Delete Data after); delete raw data = cook1 TS - 2.
Calculation of cooking and deletion offsets:
Local compression cooking and deletion are configured separately for Time and Top statistics by providing the earliest point in time when an action (cooking or deletion) should be performed. These points in time are specified incrementally as number of days in the past.
Example:
On October 15, an offset of 5 means that file instances from an earlier date than October 9 through October 9 should be processed. File instances from October 10 through October 14 (which indicates an offset of 5 days) and additionally October 15 should remain uncooked.
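The offset arithmetic of the Time cooking parameters (List 96, figure 910 and the October 15 example), worked through as an added example that is not part of the guide. Dates are handled as ISO strings (the year is arbitrary and constructed); the stage names raw/hourly/daily/deleted and the check that the delete offset lies beyond both cooking offsets are assumptions of this illustration.

```python
"""Cooking and deletion offsets for statistics of type Time.  Added
example, not Barracuda code.  Dates are ISO strings so they compare in
calendar order; the year used in the tests is constructed."""
from datetime import date, timedelta
from typing import Dict, Optional


def _shift(iso_day: str, days_back: int) -> str:
    return (date.fromisoformat(iso_day) - timedelta(days=days_back)).isoformat()


def offset_boundary(today: str, offset_days: int) -> str:
    """Newest file date an offset selects for processing.  Per the worked
    example, on October 15 an offset of 5 covers October 9 and earlier,
    i.e. the boundary is today - offset - 1."""
    return _shift(today, offset_days + 1)


def cooking_timestamps(today: str, res_1h_after: int, res_1d_after: int,
                       delete_after: int) -> Dict[str, str]:
    """Time stamps of figure 910: cook1 TS = today - Resolution 1h after,
    cook2 TS = today - Resolution 1d after, delete TS = today - Delete Data
    after, and raw daily files are deleted from cook1 TS - 2 on."""
    cook1 = _shift(today, res_1h_after)
    return {
        "cook1_ts": cook1,
        "cook2_ts": _shift(today, res_1d_after),
        "delete_ts": _shift(today, delete_after),
        "delete_raw_ts": _shift(cook1, 2),
    }


def cook_instance_days(res_1h_after: int, res_1d_after: int) -> int:
    """Length of a cooking instance, [(cook1 TS - cook2 TS) - 1] * 2, with the
    difference of the two time stamps expressed in days."""
    return ((res_1d_after - res_1h_after) - 1) * 2


def validate_time_cooking(res_1h_after: int, res_1d_after: int,
                          delete_after: int) -> Optional[str]:
    """Return a problem description, or None when the offsets are usable."""
    if res_1d_after - res_1h_after < 2:
        # Note in List 96: only 1 day between hour and day granularity gives
        # a summary offset of 0 days per instance and dstat cannot create
        # the hourly file.
        return ("Resolution 1d after must exceed Resolution 1h after by at "
                "least 2 days (instance length would be "
                f"{cook_instance_days(res_1h_after, res_1d_after)} days)")
    if delete_after <= res_1d_after:   # assumption: never delete before cooking
        return "Delete Data after must lie beyond Resolution 1d after"
    return None


def file_stage(file_date: str, today: str, res_1h_after: int,
               res_1d_after: int, delete_after: int) -> str:
    """Storage stage a daily file instance has reached on `today`."""
    if file_date <= offset_boundary(today, delete_after):
        return "deleted"
    if file_date <= offset_boundary(today, res_1d_after):
        return "daily"      # second cooking level, one value per day
    if file_date <= offset_boundary(today, res_1h_after):
        return "hourly"     # first cooking level, one value per hour
    return "raw"            # untouched daily file
```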
4. Advanced Topics
4.1 Cooking of Statistics
The following chapter explains a feature that can only be understood with some deeper insight into the statistics module.
Figure 911 shows firewall connection time statistics, reaching from March 08 to March 16, with minimum and maximum values enabled. As we can see there are no minimum and maximum values available for March 08 to 10. Querying the same time statistics starting with March 09 (figure 912) results in minimum and maximum values on March 09 and 10. This is not an error in the statistics module, but can rather be explained by examining the data instances used to satisfy a request. Furthermore, this scenario may only occur for transfer rates (bytes or connections per time unit).
Fig. 911 Timed connection statistics starting at 08.03.
Statistical data is stored in separate file instances. The collected data with the highest time resolution is stored in daily files containing one day per file (raw data). After some time the data may be compressed to a time resolution of one hour and stored in files that contain multiple days (cooked data). The number of days stored in a compressed (cooked) instance depends on the specific configuration settings. It is important to state that such a cooked instance does not contain minimum and maximum values, because here they are of no significance.
For the given firewall service, the full time resolution is only available for March 09 and earlier. Before this date, time statistics are compressed. This is the reason for the above mentioned divergence. The query in figure 911 uses the cooked data for March 8 to 10 and covers the analysis of the remaining days with raw data. Minimum and maximum values are available with the first raw data instance used, which is March 11. The statistics module can execute the query in figure 912 with raw data files only, and thus presents minimum and maximum values over the whole time interval.
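The offset rule and the raw/cooked instance selection above, as an added Python model that is not part of the original manual and not Barracuda code; the instance layout, the selection rule in plan_query and the sample store for March are assumptions modelled on figures 911 and 912 as described:

```python
from dataclasses import dataclass
from datetime import date, timedelta


def d(iso: str) -> date:
    """Shorthand for building dates: d('2009-03-08')."""
    return date.fromisoformat(iso)


@dataclass(frozen=True)
class RawInstance:
    """One raw file: a single day at full resolution, min/max included."""
    day: date


@dataclass(frozen=True)
class CookedInstance:
    """One cooked file: several days at 1h resolution, no min/max values."""
    first_day: date
    last_day: date


def action_cutoff(today: date, offset_days: int) -> date:
    """Latest day whose instances an action (cooking or deletion) with the
    given offset may touch.  Offset 5 on October 15 gives October 9: the
    5 days October 10 to 14 plus today (October 15) stay untouched."""
    return today - timedelta(days=offset_days + 1)


def instances_to_cook(today: date, offset_days: int, raw):
    """Raw instances that a cooking run with this offset processes."""
    cutoff = action_cutoff(today, offset_days)
    return sorted(r.day for r in raw if r.day <= cutoff)


def plan_query(start: date, end: date, raw, cooked):
    """Map each day of a time-statistics query to the instance serving it:
    ('cooked', False) or ('raw', True); the bool says whether minimum and
    maximum values are available for that day.

    Assumed selection rule (the chapter only shows the outcome): a cooked
    instance serves the days it covers when the query starts at or before
    the instance's first day; otherwise the daily raw files serve the query,
    so min/max are available from the first raw day used."""
    raw_days = {r.day for r in raw}
    plan = {}
    day = start
    while day <= end:
        served = None
        for c in cooked:
            if start <= c.first_day and c.first_day <= day <= c.last_day:
                served = ("cooked", False)
                break
        if served is None and day in raw_days:
            served = ("raw", True)
        plan[day] = served          # None: no instance covers this day
        day += timedelta(days=1)
    return plan


def days_with_min_max(plan):
    """Days for which the query can present minimum and maximum values."""
    return sorted(day for day, served in plan.items() if served and served[1])


# Constructed sample store modelled on figures 911/912: one cooked instance
# for March 8 to 10 and raw daily files from March 9 to 16 (year arbitrary).
COOKED = [CookedInstance(d("2009-03-08"), d("2009-03-10"))]
RAW = [RawInstance(d("2009-03-%02d" % n)) for n in range(9, 17)]


if __name__ == "__main__":
    fig911 = plan_query(d("2009-03-08"), d("2009-03-16"), RAW, COOKED)
    fig912 = plan_query(d("2009-03-09"), d("2009-03-16"), RAW, COOKED)
    print("query from March 8, first day with min/max:", days_with_min_max(fig911)[0])
    print("query from March 9, first day with min/max:", days_with_min_max(fig912)[0])
    print("cooking cutoff for offset 5 on October 15:", action_cutoff(d("2009-10-15"), 5))
```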
- Delete all sub-folders and files in /var/phion/stat/.
- Set the correct time.
4.2.3 Further Issues
Especially on CC-administered boxes time drift might cause some other problems as well. Below you will find a brief summary of known issues and instructions on how to correct them.
Wrong time settings may lead to incorrect license handling. Licenses may not yet be valid though they should be, or they lose their validity too early. Licenses of CC-administered boxes cannot be validated correctly against the CC if the time difference between these two systems is too large.
Restarting the rangeconf service on the CC or the control service on the administered box is another source of error on incorrectly adjusted systems. The restart will involve a license validation and if this fails box licenses might get deactivated immediately.
- Move the file /opt/phion/preserve/licstamp on the administered box to another place.
Attention:
The services will be stopped by this action.
- Set the correct time.
- Restart the rangeconf service on the CC.
- Restart the control service on the box.
With wrong time settings the date and time entries in the Access Cache will be incorrect.
- Adjusting the box time will solve this problem.
- In addition to this adjustment flush the Access cache with the command acpfctrl cache flush all.
With wrong time settings Cron Jobs will be executed untimely.
- Adjusting the box time is the only required action to solve this problem.
4.2.3.6 Mail Gateway
Wrong time settings will lead to a divergence between the retrieving and the delivery time of e-mails.
- Adjusting the box time is the only required action to solve this problem.
- If there are still many e-mails in the queue which you wish to be stamped with the correct date and time, you may optionally delete the databases spool.db and history.db in the directory /phion0/spool/<server_servicename>. They will then be created freshly.
Eventing
1. Overview
1.1 General, page 322
2. Event Configuration
2.1 General, page 322
2.1.1 Events Tab, page 322
2.1.2 Severity Tab, page 323
2.1.3 Notification Tab, page 324
2.1.4 Server Action Tab - Execute Program, page 325
2.1.5 Basic Tab, page 327
2.2 Event Monitoring, page 327
2.2.1 General, page 327
2.2.2 Confirm Events, page 329
2.2.3 Delete Events, page 329
2.2.4 Alarm Types / Disable Alarm, page 329
2.2.5 Filter Settings, page 330
2.2.6 Event Monitor - Live Mode, page 330
1. Overview
1.1 General
The event module displays current information about the Barracuda NG Firewall.
Whenever an event is generated, the counting device for this event will be increased. If this counter reaches its (configurable) limit the system will go into alarm condition.
Via the so-called Notification type you are able to define actions that are carried out if a certain event is triggered (like mails, program executions, SNMP traps; see 2.1.3 Notification Tab, page 324).
Attention:
The event monitor should be used as a tool to get a quick overview of the system(s). In order to maintain the event monitor's usability it is recommended to delete older entries. The statistics and the log module are created to recall the past.
2. Event Configuration
The listing is divided into the following columns:
Table 101 Overview of events in the Events tab
ID: This is the Event-ID.
Description: This event description is written to the event monitor GUI and to logging facilities. The event description is sometimes extended by additional information in case the event may be triggered by multiple processes.
Severity ID: This is the severity level that has been assigned to the event.
Severity: This is the severity description. Severity categories range from informational events to security events.
Notification ID: This is the effective notification setting applying to the event.
Notification: This is the notification description.
Pers.: This is the effective persistency setting of the event. This setting is only of interest on CC-administered boxes (see Persistent checkbox, page 323).
Prop.: This is the effective setting for propagation of the event to a CC. This setting is only of interest on CC-administered boxes (see 2.1 General, page 322).
Drop: This is the effective setting for dropping of the event (see Drop Event checkbox, page 323).
The following functional elements are placed at the bottom of the listing:
- Lookup field: Insert the object ID of the element you are looking for here to find it quickly.
- Change button: Double-click or select a list entry and click the Change button to open the object for editing.
2.1.1.1 Change an Event Entry
To change the properties of an event, lock the configuration dialog, select the event, then open it by double-clicking. This makes available the Detail window.
Fig. 101 Event detail window
List 101 Events tab - Event details
Notification ID: This is the notification setting applying to the event. The Notification ID determines alarm actions that should be initiated when the event occurs (like e-mail generation, pop-up of alarm messages, ...). For information on notification settings see 2.1.3 Notification Tab, page 324. Setting to "0 null" means that notification settings are to be inherited from the configuration defined in the Severity tab (see 2.1.2 Severity Tab, page 323).
Comment: Optionally insert a customized event description into this field.
Persistent checkbox: This parameter is only of interest on CC-administered boxes. When selected (default) the event is only propagated to the CC once, even if occurring frequently. Before it can be propagated anew, it has to be deleted on the CC. This measure may be taken to prevent excessive event propagation.
Propagate to CC checkbox: This parameter is only of interest on CC-administered boxes. When selected (default) generated box events are propagated to the CC. Note: This setting overrides the equivalent setting in the Severity tab (see page 324). Refer to 2.1 General, page 322 to understand the processing logic.
Drop Event checkbox: Events that have been appointed for dropping (checkbox selected) are neither inserted into the local DB nor are they propagated to a CC.
- Click Send Changes and Activate to activate your changes.
2.1.1.2 Font Styles used in the Event Tab
The following font styles apply for event depiction:
Table 102 Font styles characterising event settings
angle and weight regular: Settings for this event have not been customized. They are inherited from settings defined in the Severity tab.
angle regular/weight bold: The Notification ID for this event has been customized and thus overrides the ID defined in the Severity tab. This event has been appointed for dropping in the Severity tab but the setting has been revoked in the Event tab.
angle italic/weight regular: This event has been appointed for dropping through customisation of Severity ID settings in the Severity tab.
angle italic/weight bold: The event has been appointed for dropping in the Event tab thus overriding the inherited setting configured in the Severity tab.
2.1.2.1 Modification of the Severity
By double-clicking a severity entry the dialog for editing is opened. Using the buttons New, Change or simply double-clicking on an entry opens the Detail dialog.
Global settings
If the global setting Event must be confirmed (see Global settings, page 324) is selected, the checkbox Repeat every is available. Activating this option unlocks the section below, where the specific repeat time interval is to be entered. Therefore, simply enter the wanted time interval (numeric type) and select the time unit (seconds). The event will repeat executing the program until the user confirms the event in the event monitor.
Note:
If the checkbox Repeat Every is not activated, the selected Type of Server Action will only be triggered once, as long as the Event is not acknowledged.
2.1.3.1 Server Action Tab - Mail
By ticking the checkbox Enable and selecting the server action Mail (Type menu), events that are using this notification ID create a mail that is, for example, sent to the corresponding administrator.
Fig. 104 Server Action tab - Type Mail
Note:
If the basic tab (see 2.1.5 Basic Tab, page 327) is already configured, the set default values will be pre-entered.
2.1.4 Server Action Tab - Execute Program
By ticking the checkbox Enable and selecting the server action Execute Program (Type menu), events that are using this notification ID start a specific program.
Fig. 105 Server Action tab - Type Execute Program
Enter the path and the filename of the executable in the field Parameter. This can be any executable file on the Barracuda NG Firewall.
Note:
Enter the path name like /tmp/executable.
List 105 Server Action tab - Type SNMP
Destination: IP address of the external monitoring system.
Spec Type: Via this field the sent specific Trap PDU type is configurable according to the needs of the monitoring system. Alternatively, the unique event ID can be used for this purpose (see below). Note: If network management software like Tivoli NetView6000 or HP Open View is to receive SNMP traps, set this parameter to 1.
Use Event ID checkbox: Ticking this checkbox causes the usage of the corresponding event ID as specific trap type. Note: If network management software like Tivoli NetView6000 or HP Open View is to receive SNMP traps, do NOT activate this checkbox.
Enterprise: This line displays the registered Barracuda Networks company OID (1.3.6.1.4.1.10704).
Community: This field is used for entering the SNMP community the Barracuda NG Firewall is located in, according to your community concept.
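What the monitoring system receives from the SNMP server action above, as an added example written for this chapter and not Barracuda code: a BER encoder and decoder for the SNMPv1 Trap-PDU of RFC 1157 carrying the Barracuda enterprise OID, with the configured Spec Type or the event ID as specific-trap. The community, agent address and event ID are constructed values, and generic-trap 6 (enterpriseSpecific) is an assumption.

```python
ENTERPRISE_OID = "1.3.6.1.4.1.10704"   # registered Barracuda Networks OID (List 105)
ENTERPRISE_SPECIFIC = 6                # assumed RFC 1157 generic-trap for vendor traps

TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x06, 0x30
TAG_IPADDR, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def _encode_int(value: int, tag: int = TAG_INT) -> bytes:
    """Minimal two's-complement INTEGER (also used for TimeTicks)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(tag, value.to_bytes(n, "big", signed=True))


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_trap(community: str, agent_ip: str, specific_trap: int,
               uptime_ticks: int = 0) -> bytes:
    """SNMPv1 Message { version 0, community, Trap-PDU } without varbinds."""
    pdu = b"".join([
        _encode_oid(ENTERPRISE_OID),
        _tlv(TAG_IPADDR, bytes(int(o) for o in agent_ip.split("."))),
        _encode_int(ENTERPRISE_SPECIFIC),
        _encode_int(specific_trap),            # Spec Type, or the event ID
        _encode_int(uptime_ticks, TAG_TIMETICKS),
        _tlv(TAG_SEQ, b""),                    # empty variable-bindings
    ])
    body = _encode_int(0) + _tlv(TAG_OCTETS, community.encode()) + _tlv(TAG_TRAP_PDU, pdu)
    return _tlv(TAG_SEQ, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(payload: bytes) -> str:
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_trap(packet: bytes) -> dict:
    """Fields a trap receiver needs to map a trap back to a box event."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQ:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if int.from_bytes(version, "big") != 0 or tag != TAG_TRAP_PDU:
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, pos = [], 0
    while pos < len(pdu):
        _, payload, pos = _read_tlv(pdu, pos)
        fields.append(payload)

    def as_int(raw: bytes) -> int:
        return int.from_bytes(raw, "big", signed=True)

    return {
        "version": 0,
        "community": community.decode(),
        "enterprise": _decode_oid(fields[0]),
        "agent": ".".join(str(b) for b in fields[1]),
        "generic_trap": as_int(fields[2]),
        "specific_trap": as_int(fields[3]),
        "uptime_ticks": as_int(fields[4]),
    }


if __name__ == "__main__":
    # Constructed: event ID 4000 sent with the 'Use Event ID' checkbox ticked.
    print(parse_trap(build_trap("public", "10.0.0.1", 4000, 123456)))
```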
Fig. 107 Example for a SNMP trap
The example shown in figure 108 results in the following notifications:
Table 104 SNMP Service notifications
Event count | After minutes | Activate notification at counter | Activate notification
5 | 2 | 3 | no
15 | 3 | 4 | no
60 | 5 | 5 | yes
Assuming the settings above means that a wrong password is entered 5 times within 1 hour. This will
Possible errors:
To use actions (server action or client action) select the Enable checkbox.
Check the tab Thresholds for correct entries (increasing values) and the checkbox Activate Notification if any of these thresholds are reached.
2.1.4.2 Client Action Tab
Note:
Client actions concern actions in Barracuda NG Admin (what happens at event monitoring).
2.1.5 Basic Tab
Use this tab to define general parameters for event propagation and default settings for alarm notifications.
Send Event to CC: When selected (default), CC-administered boxes forward their events to the central eventing service (mevent) on the Barracuda NG Control Center. Event forwarding also applies to events that are generated on the Barracuda NG Control Center itself. Attention: This setting defines if boxes are to generally propagate their events to the CC. If cleared, events are never propagated. The setting in the Basic tab overrules the settings defined in the other configuration areas (Severity tab, see 2.1.2 Severity Tab, page 323 and Events tab, see 2.1.1 Events Tab, page 322).
Silent Box: Select this checkbox to disable event alarms and collect events only.
Max Event Records: This is the maximum number of event entries that are to be displayed in the Event Monitoring GUI (default 4000). Note that if this maximum has been reached new events will not be recorded in the Monitoring GUI. It is recommended to delete events on a regular basis and to refer to the Logs and Statistics Monitoring areas to recall the past.
List 107 SNMP Service Notifications section Default SNMP
SNMP Destination: IP address of the external monitoring system.
SNMP Community: This field is used for entering the community the Barracuda NG Firewall is located in, according to your community concept.
List 108 SNMP Service Notifications section Default Mail
From: Sender ID. It is recommended to use the box name and its domain to have a clearly identifiable ID.
To: Holds the mail address where the event mail is sent to.
Mail Server: IP address or resolvable name of the affected mail server.
2.2 Event Monitoring
2.2.1 General
To open the event monitor, click Events in the box menu of the graphical administration tool Barracuda NG Admin.
Fig. 1010 Event monitor
In the upper left of the dialog are three buttons:
- All: Update all current events.
- Live: Listens continuously for new events. This also enables popup windows and sound; see 2.2.6 Event Monitor - Live Mode, page 330.
- (filter): Adapt a filter mechanism to all current events (see 2.2.5 Filter Settings, page 330).
Note:
Notification messages are only enabled in live mode. Hence the event monitor in normal mode can be seen as a display of the current event system status.
Severity status column
This column contains the following icons (sorted ascending according to their priority):
- Information
- Warning
- Error
- Notice
- Security
- Delete Event: Erases an event. It is recommended to delete older entries to keep a "compact" event monitor.
- Properties: Displays details of a selected event.
Fig. 1012 Page 1 of the Properties dialog
- Send - Acknowledgement: Use this function to acknowledge events asking for confirmation. Acknowledging an event will terminate the alarm function, if the corresponding event has been configured with generation of warning notifications (playing of sound or generation of e-mail messages).
- Send - Reset Alarm: This function has the same impact as event acknowledgement. In addition, it removes the warning icon from the task bar.
- Send - Mark as Read: This function is only available for uncritical events not asking for confirmation. It has the same impact as simply marking an event in the list for three seconds. Marking an event as read adds access information to the event properties "Page 2 tab" (figure 1012, page 328).
- Temporary Disable: Disables alarm conditions temporarily. Disabled events are displayed in italic.
Attention:
Temporarily disabled events will not use the alarm communication (pop-up window, sound) to the user for this time (if alarm options are set).
Note:
If an event has to be confirmed and is in alarm condition, deleting the alarm will also delete the request for acknowledgement.
If an alarm is stopped, repeating server actions (mail, executable on box, ...) will stop also.
List 1010 Event Properties - Page 2 tab section Confirmed
Confirmed:
- by Admin: Who has confirmed the event?
- by Peer: IP address of the management workstation.
- Date: Date and time when the event has been marked as read, that means confirmed.
List 1011 Event Properties - Page 2 tab section Time
Insert: Date and time when the event was inserted in the database.
Box: Internal system information related to the insert time (please ignore this value).
Update: Date and time of status changes of this event (mark, read, acknowledge, ...).
Alarm: Date and time when the alarm had been sent.
t. disabled: Date and time when the alarm was disabled temporarily.
2.2.5 Filter Settings
To narrow down the view in the listing, filter options can be applied. To open the Filter dialog, click the filter button. Enter the corresponding value into the pull-down field (for example, field Layer ID) and click Add. Clicking on OK closes the Add Criterion dialog and sets the value in the corresponding field of the Filter dialog.
- Time restrictions are not to apply.
Fig. 1014 Filter dialog with values according to the example
2.2.6 Event Monitor - Live Mode
In live mode alarm messages like pop-up windows and sound (if it is configured) are also enabled.
To enable live mode click the Live button. This will change the top label "Current Event" to "Live Event" with green background.
A status bar in the lower right corner will also indicate this status. When an event occurs in the live mode, the background will blink green and red for a few seconds. The newly occurred event is indicated with a flag symbol.
DNS
1. Overview
1.1 Literature, page 332
2. Installation
2.1 Create Service, page 332
3. Configuration
3.1 Service Properties, page 333
3.2 DNS Server Configuration, page 333
3.3 Zone Independent DNS Server Settings, page 333
3.4 Zone Configuration, page 334
3.4.1 Predefined Zones, page 334
3.4.2 Add a New Zone, page 334
3.4.3 Edit/Add a New Start of Authority, page 335
3.4.4 Edit/Add a New Name Server, page 336
3.4.5 Add a New Host, page 336
3.4.6 Add a New Mail-Exchanger, page 337
3.4.7 Add a New Domain, page 337
3.4.8 Add New Others, page 338
3.4.9 Reverse Lookup Zones, page 338
1. Overview
This chapter describes how to install and configure a
Barracuda NG Firewall DNS server.
1.1 Literature
The following reading is recommended to get familiar with DNS and BIND:
z DNS and BIND, 4th Edition
written by Paul Albitz and Cricket Liu, published by
O'Reilly & Associates
ISBN 1-56592-512-2
z SuSE Linux 7.3 Netzwerk, 2. Auflage 2001
published by SuSE GmbH (included in SuSE Linux 7.3
Professional Package)
z DNS-HOWTO
en.tldp.org/HOWTO/DNS-HOWTO.html
2. Installation
A box server already has to exist before a DNS service can be created.
Attention:
DNS service installation collides with a running
Forwarding/Caching DNS (bdns) (see Run Forwarding /
Caching DNS, page 55). The DNS service must run
exclusively. Do NOT install both services.
3. Configuration
List 111 DNS Server - Properties configuration section Interface
forward source-ip: This field offers various selections which IP address the DNS server should use for contacting other DNS servers.
server-first - The DNS service uses the first server IP for connecting.
server-second - The DNS service uses the second server IP for connecting.
explicit - The DNS service uses an explicit IP address for connecting. This IP address must be configured as a server IP.
<blank> - The default settings of BIND are used.
List 112 DNS Server - Properties configuration section Security
The security section holds security options for the DNS service. In each pull-down field one of the following values can be filled in:
none
any (one or more IP addresses)
These entries can optionally be complemented with further IP addresses.
Note:
Separate multiple entries of IP addresses or address ranges (inverted CIDR notation has to be used (Getting Started 5. Inverted CIDR Notation, page 25)) with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10; 10.17.0.0/16).
allow notify: Lists the hosts that are allowed to notify the DNS server about zone changes.
allow query: Lists the hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server.
allow recursion: Specifies which hosts are allowed to make recursive queries on this server.
allow transfer: Lists the hosts that are allowed to fetch the DNS database from the DNS server.
blackhole: Specifies a list of addresses that the server will not accept queries from or use to resolve a query.
3.4 Zone Configuration
3.4.1 Predefined Zones
As described before the Barracuda NG Admin DNS GUI contains two predefined zones:
- _template
This zone contains the general template, which is used as model for all newly created zones. The procedure for creating and modifying template settings is identical to the procedure for creating and editing settings in another zone. Note that only template settings which have already existed before creating the zone will be inherited. Double-click on the entry (_template) to create or modify settings for SOA, Primary Server, Nameserver, ... Right-click into the main window to create new hosts, mail-exchangers, ... Every setting made here will be clearly arranged in a separate row within the main window and can be selected for further modification or deletion.
- .
The initial set of root-servers is defined using a hint zone. When the server starts up it uses the hint zone file to find a root name server and get the most recent list of root name servers. The 'zone "."' is short for this root zone and means any zone for which there is no locally defined zone (slave or master) or cached answer.
Attention:
Do NOT modify the root server settings unless you exactly know what you are doing.
3.4.2 Add a New Zone
To introduce a new zone right-click on your DNS server and select Lock Server from the context menu. Optionally you may lock the DNS Server in the Config Tree already. The configuration may now be modified.
Select Add New Zone from the context menu and configure the following options:
List 113 DNS Server - Zone configuration section General
Type: Set the needed zone type here.
Master - Every domain configuration change takes place on the master. From here the information is propagated to the secondary servers. A master zone requires at least a Start of Authority (SOA) record and a Name Server (NS) record. Be sure to examine the security settings of the master zone, since a corrupt master zone can cause a lot of problems.
Slave - A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. DNS slave zones do not require much configuration; just enter the IP addresses of the master server (or servers) and examine the security settings. Be sure to set a transfer-source-IP, otherwise the slave zone will not be accepted by the DNS server.
Forward - A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement. A forward zone does not need a transfer-source-IP. Be sure to check the security settings.
Hint - The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. The Barracuda NG Firewall DNS server already has a pre-configured hint zone (Zone "."), so normally there is no need to introduce another hint zone.
Note:
Depending on the selected types the necessary settings may be slightly different. Such settings are marked with (optional) in the following.
Origin Domain Name: Enter the domain name you wish to create here (for example, barracuda.com).
Lookup: This section is used for defining whether the zone should Forward or Reverse lookup. DNS forward lookup provides IP addresses for known host names, while reverse lookup provides host names for known IP addresses. The Barracuda NG Firewall DNS server is able to provide DNS reverse lookup only for 8-bit networks (like 213.47.10.0/24).
Masters (optional): This field is available when type Slave is selected. Enter the master IP addresses here.
Forwards (optional): This field is available when type Forward is selected. Enter the forward IP addresses here.
By clicking the advanced button a new window appears containing additional settings:
Fig. 114 DNS properties with open advanced window
List 114 DNS Server - Zone configuration - Advanced Settings section Interface
notify: Allows the administrator to select whether the DNS server should notify slave DNS servers about zone changes. Possible values for selection are yes/no/explicit. If explicit is selected enter the explicit IP in the also notify field below.
also notify: Here you may enter a list of hosts that should be notified about zone changes although these machines are not registered slaves of the DNS server. Note: Separate multiple entries with a semicolon and space (like 10.0.0.53; 10.0.0.67; 192.168.0.10).
transfer-source-ip: This field is only available for type Slave. It defines the IP address the slave has to use when contacting its master DNS server. The following options are available: service-default, server-first, server-second, explicit. Note: Slave zones must have transfer-source-ip to work.
List 115 DNS Server - Zone configuration - Advanced Settings section Security
This section offers detailed security options for the DNS service. Each pull-down field can take one of the following values: none, any.
allow notify: This field is only available for type Slave. It defines if the Slave accepts notifications about updates from its master.
allow query: Lists the hosts that are allowed to query the DNS server. By default all hosts are allowed to query the DNS server.
allow update: Lists the hosts that are allowed to update the database of the DNS server.
allow transfer: Lists the hosts that are allowed to fetch the DNS database from the DNS server.
3.4.3 Edit/Add a New Start of Authority
At creation time of the Barracuda NG Firewall DNS Server a standard template is created which is automatically inherited by newly generated zones. This standard template may freely be deleted or modified. In case you have deleted it, and have thereafter created a new zone, proceed as follows to comprehend the following instructions:
Select the newly created domain lacking a Start of Authority (SOA) record in the tree view, right-click into the main window and choose Add a New Start of Authority (SOA) from the context menu.
If the SOA record already exists, double-click on one of the existing entries with type NS or SOA and select the properties tab Start of Authority (SOA).
List 116 DNS Server - SOA configuration
Serial: Enter a serial number here. Note: Clicking Update will increase the serial number by one. The serial number of the master has to be higher than the serial number saved on the slave, otherwise the slave will stop fetching information updates from its master.
Primary Server: Select the primary name server of the domain here. Note: By clicking Pickup already created entries can be selected.
Responsible person: Use this field to define a person responsible for this host/zone. The syntax that has to be used is username.domain (for example ernestexample.test.org). Note: By clicking Pickup already created entries can be selected.
Refresh after: This interval tells the slave how often it has to check whether its data is up to date.
Retry after: When the slave fails to reach the master server after the refresh period (Refresh after), then it starts trying again after this set time interval.
Expire after: When the slave fails to contact the master server for the expire period, the slave expires its data. Expiring means that the slave stops giving out answers about the data because the data is too old to be useful.
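The zone rules from List 112 through List 116 (required records per zone type, transfer-source-ip for slaves, /24-only reverse lookup, '; '-separated security lists, serial comparison between master and slave) collected into one pre-activation check, as an added example written for this chapter and not Barracuda code; the zone dictionary keys and all sample values are assumptions.

```python
import ipaddress

# Security fields that take 'none', 'any' or a '; '-separated address list.
SECURITY_FIELDS = ("allow_notify", "allow_query", "allow_recursion",
                   "allow_update", "allow_transfer", "blackhole", "also_notify")
TRANSFER_SOURCE_OPTIONS = ("service-default", "server-first", "server-second", "explicit")


def parse_address_list(value: str) -> list:
    """Split a security field on the documented '; ' separator.  'none' and
    'any' pass through; every other entry must be an IPv4 address with an
    optional /n suffix (the inverted CIDR notation of page 25 is checked for
    shape only, not interpreted)."""
    value = value.strip()
    if value in ("none", "any"):
        return [value]
    entries = [e.strip() for e in value.split(";") if e.strip()]
    for entry in entries:
        addr, _, suffix = entry.partition("/")
        ipaddress.IPv4Address(addr)                 # raises ValueError on a bad address
        if suffix and not 0 <= int(suffix) <= 32:
            raise ValueError("bad network suffix in %r" % entry)
    return entries


def validate_zone(zone: dict) -> list:
    """Return the list of problems found; an empty list means the zone passes.
    Assumed keys: type, lookup, network, records, masters, forwards,
    transfer_source_ip and the SECURITY_FIELDS above."""
    problems = []
    ztype = zone.get("type")
    records = {r.get("type") for r in zone.get("records", [])}
    if ztype == "master":
        for needed in ("SOA", "NS"):      # List 113: master needs SOA and NS
            if needed not in records:
                problems.append("master zone needs a %s record" % needed)
    elif ztype == "slave":
        if not zone.get("masters"):
            problems.append("slave zone needs at least one master IP")
        if zone.get("transfer_source_ip") not in TRANSFER_SOURCE_OPTIONS:
            problems.append("slave zone needs a transfer-source-ip")
    elif ztype == "forward":
        if not zone.get("forwards"):
            problems.append("forward zone needs at least one forward IP")
    elif ztype != "hint":
        problems.append("unknown zone type %r" % ztype)
    if zone.get("lookup") == "reverse":   # only 8-bit networks are supported
        try:
            net = ipaddress.IPv4Network(zone.get("network", ""), strict=False)
            if net.prefixlen != 24:
                problems.append("reverse lookup is only available for /24 networks")
        except ValueError:
            problems.append("reverse lookup zone needs a network like 213.47.10.0/24")
    for field in SECURITY_FIELDS:
        if field in zone:
            try:
                parse_address_list(zone[field])
            except ValueError as exc:
                problems.append("%s: %s" % (field, exc))
    return problems


def slave_fetches_update(master_serial: int, slave_serial: int) -> bool:
    """List 116: the slave keeps pulling only while the master's serial is higher."""
    return master_serial > slave_serial


if __name__ == "__main__":
    # Constructed master zone with the address list from List 112.
    sample = {"type": "master", "lookup": "forward",
              "records": [{"type": "SOA"}, {"type": "NS"}],
              "allow_query": "any",
              "allow_transfer": "10.0.0.53; 10.0.0.67; 192.168.0.10; 10.17.0.0/16"}
    print("problems:", validate_zone(sample))
    print("slave pulls:", slave_fetches_update(2009031102, 2009031101))
```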
List 116 DNS Server - SOA configuration List 117 DNS Server - Name Server configuration
Note:
In order to function, the reverse zone already has to
exist (see 3.4.9 Reverse Lookup Zones, page 338).
List 118 DNS Server - Adding a New Host Host (A) tab
Parameter Description
Superordinate domain: This is a read-only field. It displays the name of the domain where the new host is created in.
Note:
This field is also displayed in all other tabs of this window.
Host: Enter the name of the host here.
Note:
In all other tabs of this window this field is also displayed but read-only.
IP address: To enter a new host IP address click Add. To delete an existing address click Delete.
Expire (TTL): The format for this field is days:hours:minutes:seconds.
List 119 DNS Server - Adding a New Host Host Information (HINFO) tab
Parameter Description
The fields of this tab (Hardware Type and Operating System) can be used to provide information on the hardware and operating system platform a host is running.
List 1110 DNS Server - Adding a New Host Text (TXT) tab
Parameter Description
Text: In this field any text can be entered, for example, for describing the system to simplify maintenance of the DNS database.
Expire (TTL): The format for this field is days:hours:minutes:seconds.
List 1111 DNS Server - Adding a New Host Well-Known Services (WKS) tab
Parameter Description
Enter the IP address and the used protocol in the appropriate fields. The services need to be entered in plain text and separated with blanks (like telnet ssh smtp ftp).
3.4.6 Add a New Mail-Exchanger
To introduce a new mail exchanger, press the right mouse button in the main window and select New Mail-Exchanger from the context menu.
Fig. 119 Configuring a new mail exchanger
List 1112 DNS Server - Adding a New Mail-Exchanger Mail-Exchanger (MX) tab
Parameter Description
Mailserver (A): Here the name of the mailserver has to be entered.
Note:
By clicking Pickup already created entries can be selected.
Mailserver priority: Use this field to set the mailserver priority.
Expire (TTL): The format for this field is days:hours:minutes:seconds.
List 1113 DNS Server - Adding a New Mail-Exchanger Mailbox information (MINFO) tab
Parameter Description
Mailbox (MB): Here the name of the mailbox has to be entered.
Note:
By clicking Pickup already created entries can be selected.
Error mailbox (MB): Here the name of the error mailbox has to be entered.
Note:
By clicking Pickup already created entries can be selected.
Expire (TTL): The format for this field is days:hours:minutes:seconds.
List 1114 DNS Server - Adding a New Mail-Exchanger Well-Known Services (WKS) tab
Parameter Description
Enter the IP address and the used protocol in the appropriate fields. The services need to be entered in plain text and separated with blanks (for example telnet ssh smtp ftp).
3.4.7 Add a New Domain
To introduce a new sub-domain, right-click in the main window and then select New Domain from the context menu.
Note:
Completely set up new sub-domains before executing Send Changes > Activate. Unconfigured sub-domains will be deleted.
3.4.8 Add New Others
There are several other objects you can add to your DNS configuration.
Note:
Consult the BIND documentation to learn about the appropriate parameters and functions of these objects.
Note:
These objects can be introduced by right-clicking in the right part of the DNS config window and selecting New Others.
The following objects can be added to the DNS configuration:
Table 111 Supplementary DNS configuration objects overview
Object Description
A: New host
AAAA: IPv6 address
AFSDB: AFSDB records specify the hosts that provide a style of distributed service advertised under this domain name. A subtype value (analogous to the preference value in the MX record) indicates which style of distributed service is provided with the given name. Subtype 1 indicates that the named host is an AFS database server for the AFS cell of the given domain name. Subtype 2 indicates that the named host provides intra-cell name service for the DCE cell named by the given domain name.
CNAME: CNAME specifies an alias or nickname for the official or canonical name. An alias should be the only record associated with the alias; all other resource records should be associated with the canonical name and not with the alias. Any resource records that include a zone name as their value (for example, NS or MX) must list the canonical name, not the alias. This resource record is especially useful when changing machine names.
HINFO: HINFO records contain host-specific data. They list the hardware and operating system that are running on the listed host. If you want to include a space in the machine name, you must quote the name. Host information is not specific to any address class, so ANY may be used for the address class. There should be one HINFO record for each host. For security reasons, many sites do not include the HINFO record, and no applications depend on this record.
ISDN: Representation of ISDN addresses.
MB: MB lists the machine where a user wants to receive mail. The "name" field is the user's login; the machine field denotes the machine to which mail is to be delivered. Mail box names should be unique to the zone.
MG: The mail group record (MG) lists members of a mail group.
MINFO: MINFO creates a mail group for a mailing list. This resource record is usually associated with a mail group, but it can be used with a mailbox record. The "name" specifies the name of the mailbox. The "requests" field is where mail, such as requests to be added to a mail group, should be sent. The "maintainer" is a mailbox that should receive error messages. This is particularly appropriate for mailing lists when errors in members' names should be reported to a person different to the sender.
MR: MR records list aliases for a user. The "name" field lists the alias for the name listed in the fourth field, which should have a corresponding MB record.
MX: MX records specify a list of hosts that are configured to receive mail sent to this domain name. Every host that receives mail should have an MX record, since if one is not found at the time the mail is delivered, an MX value will be imputed with a cost of 0 and a destination of the host itself.
NS: NS lists a name server responsible for a given zone. The first "name" field lists the zone that is serviced by the listed name server. There should be one NS record for each name server of the zone, and every zone should have at least two name servers, preferably on separate networks.
PTR: PTR allows special names to point to some other location in the domain. The following example of a PTR record is used in setting up reverse pointers for the special in-addr.arpa domain. This line is from the example mynet.rev file. In this record, the "name" field is the network number of the host in reverse order. You only need to specify enough octets to make the name unique.
RP: RP identifies the name (or group name) of the responsible person(s) for a host. This information is useful in troubleshooting problems over the network.
RT: Route-through binding for hosts that do not have their own direct wide area network addresses (experimental).
SVR: Information on well known network services (replaces WKS).
TXT: A TXT record contains free-form textual data. The syntax of the text depends on the domain in which it appears; several systems use TXT records to encode user databases and other administrative data.
WKS: WKS records describe the well-known services supported by a particular protocol at a specified address. The list of services and port numbers comes from the list of services specified in /etc/services. There should be only one WKS record per protocol and address. Because the WKS record is not widely used throughout the Internet, applications should not rely on the existence of this record to recognize the presence or absence of a service. Instead, the application should simply attempt to use the service.
X25: Representation of X.25 network addresses (experimental)
3.4.9 Reverse Lookup Zones
Each of the four available zones can be defined as reverse lookup zone. To do so, switch the lookup box from forward to reverse when creating a new zone. The input mask will change and you will be able to enter the address of the network you wish to create a reverse lookup zone for.
Fig. 1111 Create reverse lookup zone
An appropriate name for the reverse lookup zone will automatically be created from the network address. In our example, the network address is 10.0.0.0 which results in an automatically created reverse lookup zone named 0.0.10.in-addr.arpa.
By clicking the advanced button the advanced option window will pop up allowing you to define the same options as described in 3.4.2 Add a New Zone, page 334.
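The zone-name derivation above, and the PTR naming rule from Table 111 (reversed octets, only as many as needed), as an added Python example that is not part of the guide. It generalizes the guide's single case to /8, /16 and /24 networks following the standard in-addr.arpa convention; that the guide's 10.0.0.0 example corresponds to a /24 zone is an assumption of this example, since the dialog takes a bare network address.

```python
import ipaddress
from typing import Iterable, Optional

SUFFIX = ".in-addr.arpa"


def reverse_zone_name(network: str) -> str:
    """Name of the in-addr.arpa zone for an IPv4 network given in CIDR form.
    Only octet-aligned prefixes map to exactly one zone; the guide's example
    10.0.0.0 -> 0.0.10.in-addr.arpa corresponds to 10.0.0.0/24 (assumption)."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("a single in-addr.arpa zone needs an octet-aligned prefix (/8, /16 or /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + SUFFIX


def zone_to_network(zone: str) -> ipaddress.IPv4Network:
    """Inverse of reverse_zone_name: 0.0.10.in-addr.arpa -> 10.0.0.0/24."""
    if not zone.endswith(SUFFIX):
        raise ValueError(f"not a reverse lookup zone: {zone!r}")
    labels = zone[: -len(SUFFIX)].split(".")
    if not 1 <= len(labels) <= 3 or not all(lb.isdigit() and int(lb) <= 255 for lb in labels):
        raise ValueError(f"malformed reverse lookup zone name: {zone!r}")
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ipaddress.IPv4Network(".".join(octets) + f"/{8 * len(labels)}")


def find_reverse_zone(host_ip: str, zones: Iterable[str]) -> Optional[str]:
    """Return the most specific configured reverse zone covering host_ip, or None.
    None means the reverse zone a new host's PTR record needs does not exist yet
    (the guide requires it to exist before the host is added)."""
    ip = ipaddress.IPv4Address(host_ip)
    covering = [(zone_to_network(z).prefixlen, z) for z in zones if ip in zone_to_network(z)]
    return max(covering)[1] if covering else None


def ptr_owner_name(host_ip: str, zone: str) -> str:
    """Relative owner name of the host's PTR record inside `zone`: only the
    octets not already covered by the zone, in reverse order."""
    net = zone_to_network(zone)
    ip = ipaddress.IPv4Address(host_ip)
    if ip not in net:
        raise ValueError(f"{host_ip} is not inside {zone}")
    host_octets = str(ip).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


if __name__ == "__main__":
    # constructed sample: the guide's 10.0.0.0 network plus a broader /8 zone
    configured = [reverse_zone_name("10.0.0.0/24"), reverse_zone_name("10.0.0.0/8")]
    for host in ("10.0.0.25", "10.1.2.3", "192.168.1.5"):
        zone = find_reverse_zone(host, configured)
        print(host, "->", zone and f"{ptr_owner_name(host, zone)} in {zone}")
```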
Proxy
1. HTTP Proxy
1.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
1.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
1.2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.2 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
1.2.3 Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
1.2.4 Content Inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
1.2.5 Advanced. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
1.3 Transparent Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
1.4 Reverse Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
1.4.1 Example Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
3. URL Filter
3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
3.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.1 Configuring URL Filter Redirectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.2 Configuration of the URL Filter Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
3.3.3 Configuring of URL Filter - Redirector Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
3.3.4 Adapting the Local Firewall Rule Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4 Communication & Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4.1 Communication with External HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
3.4.2 Proventia URL Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
3.5 Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
3.6 Load Sharing and High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
1. HTTP Proxy
1.1 Installation
Insert a name for the proxy service and assign HTTP Proxy as software module.
Note:
DNS Server IP and Box DNS Domain must be specified in the Box Settings file before creating the proxy service (Configuration Service 2.2.3.3 DNS, page 55). The proxy service will otherwise fail to start.
1.2 Configuration
To configure specific proxy service settings double-click HTTP Proxy Settings.
List 122 HTTP Proxy Service Parameters - General section Log Settings
Parameter Description
Write Store-Log: The store log file records information about storage and deletion of cached objects. This information is essentially important for troubleshooting.
Write Cache-Log: The cache log file records debug and failure messages generated by squid during operating time. Amongst others, it includes information about service start and termination, and execution of ACLs.
Debug Level: The debug level defines the verbosity of the cache log file (default: normal).
normal - Setting to normal results in minimal logging. Errors will not be listed exhaustively; statistical information will not be generated.
verbose - Setting verbose generates statistical information and logs most errors.
debug - Setting to debug results in exhaustive logging of errors and statistical information.
Attention:
Use option debug with care, as full logging claims high disk capacity.
Log via Syslog: This parameter determines handling of log files that are generated by the HTTP Proxy service. Setting to no triggers local log file generation. Setting to yes forwards logging data to the local Syslog-Proxy (Configuration Service 5.2.3 Syslog Streaming, page 116) where further data processing can be defined. Setting to Auto (default) queries the Syslog-Proxy configuration prior to log data processing. If a streaming profile for HTTP Proxy log files is defined, it will be used to stream log files to a syslog server and generates a local log file as well.
Note:
Set to no if you encounter performance issues in conjunction with remote logging of busy servers.
List 123 HTTP Proxy Service Parameters - General section Misc. Settings
Parameter Description
This part of the configuration offers manual control of size and structure of the cache directories. Click Set to open the cache config.
Size in MB: Specifies the maximum size of the cache directory in MB. The cache is located in /var/phion/squid-cache_SERVERNAME_SERVICENAME. Using at least 100 MB is recommended.
Level1 Directories / Level2 Directories: These settings define the structural organisation of the proxy service's cache directory. The default values (16 / 256) are the recommended minimum values for Level1 and Level2 directories respectively. Define settings with deliberation, since high values result in a vast number of subdirectories.
Neighbour: see Section Neighbour Settings
List 125 HTTP Proxy Service Parameters - Network section Network Settings
Parameter Description
TCP Outgoing Address: The proxy server uses this IP address when executing HTTP requests. Available for selection are: First-IP, Second-IP, Dynamic, Other (which means an explicit IP address). With setting Dynamic a suitable address for request execution is chosen automatically from the available server address pool.
Note:
Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
TCP Listening Port: The TCP Listening Port defines the port the proxy service is listening on for incoming TCP connections. (TCP Incoming is set as Bind Type in the service configuration window; see Configuration Service List 387 Service Configuration - General section Service Definition, page 97).
Note:
The TCP Listening Port configured here is directly related to the Service Object "PROXY" which is configured in the Services tab of the Local Firewall. If you change the value of the TCP Listening Port to another value than the default 3128, remember to change the value of the Service Object "PROXY" as well because this one is used in the default HTTP proxy Local Firewall rule set. If port settings are not adapted in the Service Object, all HTTP traffic is blocked.
UDP Incoming Address: The proxy server uses this IP address when responding to ICP queries. Available for selection are: First-IP, Second-IP, None, Other (which is an explicit IP address).
Note:
Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
UDP Outgoing Address: The proxy server uses this IP address when executing ICP and DNS queries. Available for selection are: First-IP, Second-IP, Other (which is an explicit IP address).
Note:
Explicitly defined IP addresses must be available in the Additional IP list in the Server Configuration file (see 3. Configuring a New Server, page 94).
Note:
Insert 255.255.255.255 into this field when accessing the Internet through a dynamically assigned IP address (like using an xDSL line).
ICP Port: This is the port through which the proxy service handles ICP (Internet Cache Protocol) connections with its neighbour caches (default: 3130). If not needed set to 0 to disable.
List 124 HTTP Proxy Service Parameters - General section Fail Cache Settings
Section Neighbour Settings
Use this section to configure this proxy server's behavior towards neighbouring proxies. Adjacent proxies can rank before or be coequal with the proxy, which means they can either be treated as parents or siblings. Click Insert to create a new neighbouring proxy and specify a Name for it.
Attention:
The name specified in this place is used as expression in the proxy server's ACL list. The same applies to the Name field specified for a new record in the ACL Entries section (see 1.2.3.4 Access Control - Section ACL Entries, page 345). To avoid conflicts, make sure these two names never match.
The following parameters are available for configuration.
List 126 HTTP Proxy Service Parameters - General - Neighbour Settings
Parameter Description
IP/Hostname: This field contains either IP address or hostname of the neighbouring proxy server.
Neighbour Type: This field defines the relationship to the neighbouring proxy server. Possible values are parent or sibling.
Attention:
In a sibling relationship, a peer may only request objects already held in the cache. A sibling cannot forward cache misses on behalf of the peer.
Exclusive Parent: This parameter is only activated with Neighbour Type set to parent. When set to yes all requests are forwarded to the Exclusive Parent. This setting is recommended if the parent proxy is a virus scanning proxy server.
Proxy Port: Specifies the port on which the neighbour server listens for incoming HTTP requests (default: 3128).
ICP Port: Specifies the port on which the neighbour server listens for incoming ICP connections (default: 3130). To configure a neighbour cache not using ICP, enable the UDP echo port on it and specify 7 as ICP port value. For neighbours which do not support ICP queries, specify 0 as ICP port value and define no-query in the Options parameter (Section Option Settings) below.
Cache Priority: Setting a value for the Cache Priority is mandatory. Lower numbers mean higher priority. The neighbour cache with the highest priority number will be considered first. The priority may be set to any value, if only one neighbour cache exists. It will then be ignored.
Attention:
The Cache Priority may not be set to value 0.
Note:
An example for cache priority weighing is described in 1.2.3.11 Cache Behavior Configuration Example.
List 127 HTTP Proxy Service Parameters - General - Neighbour Settings section Option Settings
Parameter Description
List 128 HTTP Proxy Service Parameters - General - Neighbour Settings section Cache Behavior
Parameter Description
Note:
Activities related to the caching parameters are logged to the files <server_servicename>\proxy\store and access. These files can be viewed in the Barracuda NG Admin LogGUI (DHCP, page 287).
URL Fetching: This parameter takes complete URLs or a list of words, which if found in a URL cause the object to be handled directly by the proxy itself. Before communicating with any of the cache peers, squid first tries to fetch the requested URL directly from the server. If it cannot find it, it tries to establish a connection to the configured parent cache(s).
Note:
URLs entered without protocol specification are applied on both possible protocols, HTTP and FTP (like www.barracuda.com, *barracuda*). Please consider the following characteristic when fetching FTP URLs with virus scanner and FTP scanning activated at the same time: If directly fetched FTP URLs ought to be virus scanned, specify their protocol as well (like ftp://www.barracuda.com, ftp://*barracuda*). The data stream will otherwise be forwarded without virus scanning.
Note:
It is recommended to include dynamic pages into this tag (like jsp, asp, php).
Attention:
Though configured in context per neighbour cache, the value of the URL Fetching parameter is inherited by all neighbours in use. A specific domain, once configured for direct access in a single configuration section, will always be fetched directly, even if not inserted in other configuration sections.
Cache Direct Objects: This parameter is linked to parameter URL Fetching. Set to yes to enable caching of URLs with characteristics specified above. Set to no to disable caching.
Domain Restrictions: This parameter takes a list of explicit domains for which the neighbour caches are to be queried. The following syntax applies:
.domainname.tld
.subdomain.domainname.tld
*.domainname.tld
A domain name preceded by an exclamation mark means that all domains are to be requested from the cache except the specified one:
!.domainname.com
Cache hosts with no domain restrictions configured will be queried for all domains.
Cache Domain Objects: This parameter is linked to parameter Domain Restrictions. Set to yes to cache URLs fetched from the parent.
Cache Peer Access: This parameter takes a list of IP addresses/IP address ranges which is to be directed to a specific neighbour cache. If restrictions are not configured, the cache will be queried for all requests.
Cache IP Objects: Set to yes to cache requests originating from the IPs specified above.
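How URL Fetching, Domain Restrictions, Cache Peer Access and Cache Priority combine to pick a neighbour cache (or a direct fetch) for a request, as an added Python model that is not the product's code. The pattern semantics follow the descriptions in List 126 and List 128; that a request with no eligible neighbour is fetched directly, and that neighbours are tried from the lowest priority number upwards, are assumptions of this example, and all neighbours, URLs and client addresses are constructed.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class Neighbour:
    name: str
    priority: int                                  # Cache Priority: lower number = higher priority
    domain_restrictions: List[str] = field(default_factory=list)   # Domain Restrictions entries
    peer_access: List[str] = field(default_factory=list)           # Cache Peer Access: client CIDRs

    def __post_init__(self):
        if self.priority == 0:
            raise ValueError("Cache Priority may not be set to 0")


def host_matches_domain(host: str, pattern: str) -> bool:
    """'.domain.tld' and '*.domain.tld' match the domain and all its subdomains;
    a bare name matches exactly."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        pattern = pattern[1:]
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def domain_allowed(host: str, restrictions: List[str]) -> bool:
    """Domain Restrictions: no entries = queried for all domains; '!' entries
    exclude a domain; otherwise the host must match one of the listed domains."""
    if not restrictions:
        return True
    excluded = [r[1:] for r in restrictions if r.startswith("!")]
    included = [r for r in restrictions if not r.startswith("!")]
    if any(host_matches_domain(host, e) for e in excluded):
        return False
    if not included:               # only exclusions given: everything else is queried
        return True
    return any(host_matches_domain(host, i) for i in included)


def fetch_directly(url: str, url_fetching: List[str]) -> bool:
    """URL Fetching: a complete URL, a wildcard pattern or a plain word found in
    the URL forces a direct fetch. Entries without a protocol apply to http and
    ftp alike; 'ftp://...' entries apply to ftp only."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    target = url.split("://", 1)[1].lower() if "://" in url else url.lower()
    for entry in url_fetching:
        entry = entry.lower()
        if "://" in entry:
            entry_scheme, _, pattern = entry.partition("://")
            if entry_scheme != scheme:
                continue
        else:
            pattern = entry
            if scheme not in ("http", "ftp"):
                continue
        if "*" in pattern or "?" in pattern:
            if fnmatch.fnmatchcase(host, pattern) or fnmatch.fnmatchcase(target, pattern):
                return True
        elif pattern in target:    # plain word or complete URL: substring match
            return True
    return False


def route_request(url: str, client_ip: str, neighbours: List[Neighbour],
                  url_fetching: List[str]) -> str:
    """Return 'DIRECT' or the name of the neighbour cache used for this request."""
    if fetch_directly(url, url_fetching):
        return "DIRECT"
    host = (urlsplit(url).hostname or "").lower()
    ip = ipaddress.ip_address(client_ip)
    for n in sorted(neighbours, key=lambda n: n.priority):
        if not domain_allowed(host, n.domain_restrictions):
            continue
        if n.peer_access and not any(ip in ipaddress.ip_network(c) for c in n.peer_access):
            continue
        return n.name
    return "DIRECT"                # no eligible neighbour (assumption): fetch from origin


if __name__ == "__main__":
    # constructed configuration: a scanning parent for example.com, a general upstream
    neighbours = [Neighbour("scanproxy", 1, [".example.com", "!.internal.example.com"], ["10.0.0.0/8"]),
                  Neighbour("upstream", 2)]
    direct = ["*barracuda*", "ftp://*.example.org", "php"]
    for u in ("http://www.example.com/", "http://www.internal.example.com/", "ftp://ftp.example.org/pub/"):
        print(u, "->", route_request(u, "10.1.1.1", neighbours, direct))
```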
retrieved information to agent and network management station as queried.
The following scheme depicts the proxy server's position in an environment communicating through SNMP.
Parameter Description
Enable SNMP: This option enables the Proxy SNMP agent. If set to No, the proxy will not listen for SNMP traffic.
SNMP Address: This parameter defines the address the Proxy SNMP listens on for SNMP traffic. The agent uses the defined SNMP address(es) to accept messages from SNMP agents and to return packets to them.
SNMP Port: Listening port for SNMP queries.
Attention:
Do not use the default SNMP port if a SNMP Service is configured on this server.
IP/Mask: Defines which hosts/networks are granted to query the SNMP Service. Access to the SNMP port is allowed for all peers with the source network addresses configured here. Squid checks all snmp_access ACL operators when it is queried by a SNMP management station.
Community: Defines the community name (acts as a sort of password) to identify membership of a community.
1.2.3 Access Control
1.2.3.1 Section Authentication
A user authentication scheme has to be configured if you want your users to authenticate themselves when using the proxy.
Note:
If an authentication scheme has been configured, all users will be asked to authenticate themselves by default. Defining ACLs in the Access Control - Section ACL Entries 1.2.3.4, page 345 revokes this default setting. From now on, ACLs making use of ACL Type proxyauthentication must be defined explicitly (see User Authentication, page 346).
Click the Set button to open the User Authentication configuration window:
Fig. 126 Config Section Dialog - Authentication Settings
Note:
The availability of the options depends on the set Authentication Scheme.
List 1210 HTTP Proxy Service Parameters - Authentication Settings
Parameter Description
Authentication Scheme General: Defines the authentication method applying:
Remote-MS-CHAP-Phibs: for Windows 2003 Server domains in native mode.
Note:
To use the MSCHAPv2 authentication method, it is required to integrate the Barracuda NG Firewall as a member into the Windows domain.
Note:
Remote-MS-CHAP-Phibs replaces the option Native-NTLM from former versions.
PHIBS-Specific-Schemes: for non-Windows network environments.
Note:
When using one of the first two methods, a fallback scheme has to be configured in the PHIBS Specific Authentication Scheme section to allow for authentication of non-Windows clients as well.
Attention:
When using a Windows 2003 server domain with scheme Native-NTLM take the following into consideration: the domain has to be in Mixed-Mode (NOT Native) AND the registry key HKLM/SYSTEM/CurrentControlSet/Services/lanmanserver/parameters/requiresecuritysignature has to be set to 0.
The following parameters are only available with Remote-MS-CHAP-Phibs selected as Authentication Scheme:
Authentication Text MS-CHAP: This field contains the text that is displayed in the MS-CHAP authentication window of the client. Enter a significant text to let the user know which server requires authentication. Supplying an authentication text is mandatory.
Authentication Worker MS-CHAP: Number of workers started for authentication. The default value is 5.
Note:
For proxy servers with great load this value may be set up to 48.
The following parameters are only available with Native-NTLM selected as Authentication Scheme:
Windows Domain Name: This is the name of the domain the authentication server resides in.
List 1210 HTTP Proxy Service Parameters - Authentication Settings
Parameter Description
Domain Controller: This is the host name of the Windows domain controller providing authentication operation. Enter the host name without its domain suffix. The name has to be DNS resolvable.
Attention:
Do not enter IP addresses instead of host names.
No restrictions apply to the number of domain controllers in use. Multiple domain controllers improve performance due to load balancing ability.
Note:
Since Native-NTLM uses small time-out values, it may be necessary to add the parameters auth_param ntlm max_challenge_reuses and auth_param ntlm max_challenge_lifetime within the Generic squid.conf Entries (Section ADVANCED SQUID CONFIGURATION, page 351) for fine tuning.
Attention:
Do not use Domain Controllers in conjunction with low speed connections, for example 10MBit network connections or VPN tunnels.
List 1211 HTTP Proxy Service Parameters - Authentication Settings section PHIBS Specific Authentication Scheme
Parameter Description
Note:
This section has to be configured with either authentication method selected. It is either applied solely, otherwise the settings represent a fallback scheme, in case the other authentication methods are not applicable (see parameter Authentication Scheme General).
Authentication Text: This field contains the text that is displayed in the authentication window of the client. Enter a significant text to let the user know which server requires authentication.
Authentication Worker: Number of workers started for authentication.
Note:
For proxy servers with great load this value may be set up to 48.
PHIBS Authentication Scheme: A pull-down menu gives five different schemes to choose from: MSNT, MSAD, RADIUS, LDAP, RSAACE
Note:
The authentication schemes are activated and configured in the box configuration (Configuration server.
User List Policy: The option deny-explicit means that all domain users who are listed in the user list are not allowed to use the proxy service. The option allow-explicit means that only domain users that are listed in the user list are allowed to use the proxy service. This does not mean that they do not require authentication.
User List: List of usernames that are used for the User List Policy.
1.2.3.2 Section Access Control - Proxy Access Handling Scheme
In the Access Control section, access control lists can be defined exhaustively. Sections ACL ENTRIES and ACTIONS make GUI helpers available for configuration. Sections ACL FILELIST and LEGACY allow integration of complete ACL files.
The parameter Access Configuration influences the configuration mode. With default selected, access control is managed through ACL ENTRIES, ACTIONS, and ACL FILELIST sections. If set to legacy all ACLs may be specified manually in the LEGACY section without using GUI helpers.
Note:
When configuring Access Control in legacy mode or through an ACL FILELIST, ACLs must match squid.conf syntax exactly.
The value Default is related to the use of the default Access Configuration mode. It sets all ACLs, which have not been set to allow explicitly, to deny by default. Squid first looks for ACL files in the ACL FILELIST, then continues the workflow by processing entries in the ACL ENTRIES and ACTIONS sections.
Fig. 127 Proxy Access Handling Scheme
(Flowchart; the decision nodes in order: Correct port? (No: Squid block) - Authentication set? (Yes: Correctly authenticated? No: Authenticator block) - Request matches one of the deny actions? - Request matches one of the allow actions? (Yes: allow, connection establishment) - All Actions for ACL Entries set to deny? - Request matches one of the actions? - Default Behavior: dependent on the default behavior access is allowed or denied.)
Note:
For each allow action a deny action with logical inverse statement and vice versa exists.
1.2.3.3 Access Control - Using Regular Expressions
In Barracuda NG Firewall Perl-compatible regular expressions (PCRE) show to advantage, for example in the HTTP Proxy server ACL configuration section. Here they may be used in various configuration fields where the aim is to substitute hard coded character strings against expressions that match in multiple cases. The table below summarizes those regular expressions which are most frequently applicable for this purpose.
Note:
Abundant reading is available for an exhaustive instruction of how to use regular expressions. A handy quick syntax overview can be found at
Table 121 Short overview of metacharacters in regular expressions
Metacharacter Description
?: Matches 0 or 1 occurrence of the character or regular expression immediately preceding. For example, the regular expression z? would match the string warez but not the string intermezzo.
1.2.3.4 Access Control - Section ACL Entries
This section allows defining ACL Types, which afterwards, when set together in the ACL ACTION section, build up an access control list. Click Insert to generate a new ACL and specify a significant Name for it. The following objects are available for configuration:
List 1212 HTTP Proxy Service Parameters - Authentication Settings - ACL Entries
1.2.3.5 Access Control - Section Actions mean higher priority. ACL Filelists are processed one by
one according to their priority.

This section serves to construct an ACL list, which the proxy server works through one by one, according to the action's priority number. The Default parameter setting below the Actions section specifies the final measure to take after the workflow of the list has been completed.

Note:
In an analogous manner to firewall rule handling, proxy settings are processed from top to bottom.

Click Insert to generate a new Action and specify a significant Name for it.

Attention:
The name specified in this place is used as an expression in the proxy server's ACL list. The same applies to the Name field specified for a new record in the Section Neighbour Settings section (Access control section, see Section Neighbour Settings, page 342). To avoid conflicts, make sure these two names never match.

The following objects are available for configuration:

List 1213 HTTP Proxy Service Parameters - Authentication Settings - Actions

ACL Description: Describe briefly what this action should effect.
ACL Priority: Insert a value for this action's priority. Lower numbers mean higher priority. ACLs with higher priority are processed first.
ACL Entries for this Action: In this place a pull-down menu displays all configured ACL entries. Choose the ACL entries this action is to refer to and insert them into the field on the right side.
  Note: A maximum of 6 ACL entries can be inserted into an action.
  Attention: Remember to delete ACL entries from an action when deleting the value in the ACL ENTRIES section.
Action: This parameter sets the action to allow or deny.

Note:
The ACL FileList is processed before those entries configured through the ACL ENTRIES and ACTION sections.

Click the Insert button to define a new ACL List and specify a list Name. List Names may consist of digits only (max. length 12 digits). The number defined for an ACL Filelist is a direct marker for its priority. Lower numbers

List 1214 HTTP Proxy Service Parameters - Authentication Settings - ACL FileList

ACL Filelist Filename: All ACL Entries (see below) are stored in the specified Filename after clicking OK. The default location of the file is /var/phion/preserve/proxy/<servername>_<servicename>/root/. In addition, it is also possible to change the location by specifying an absolute path in front of the filename (not recommended). In this case, the destination directory must exist.
  Note: Do not use Filenames such as squid.conf or ftpsquid.conf. This could lead to loss of configuration information. To avoid such situations, it is recommended to use the default location and .acl as the preferred filename extension (example: aclfile.acl).
ACL Entries: These are the entries which are written to the file defined through the parameter Filename. ACL Entries are processed line by line. A line must not exceed 1012 characters. If a greater length cannot be avoided, use "/" to section lines.
  Attention: ACL Entries must exactly match the squid.conf syntax. They are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
  Note: To include ACL entries specified in the ACL filelist, include them in the Generic squid.conf Entries field (see the following syntax example).

ACL Filelist Usage Example

Step 2 Include the ACL file into the configuration
Change to the Advanced tab and insert the following lines at the beginning of the file displayed in the Generic squid.conf Entries field:
acl STAFF src "prxacl.acl"
acl WORLD dst 0.0.0.0/0.0.0.0
http_access allow STAFF WORLD
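The following Python example, added here and not part of the Barracuda product or this manual, expands the ACL ENTRIES / ACTIONS model described above into the http_access lines squid ends up with, and enforces the limits the manual states (at most 6 entries per action, 1012 characters per line, action names that must not collide with Neighbour Settings names, lower priority numbers processed first). The mapping of GUI ACL Type names to squid acl types (ACL_TYPE_MAP) and the sample entries, actions and neighbour name are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

MAX_ENTRIES_PER_ACTION = 6   # the GUI accepts at most 6 ACL entries per action
MAX_LINE_LENGTH = 1012       # an ACL line must not exceed 1012 characters

# Assumed translation of the GUI's ACL Type names to squid acl types.
ACL_TYPE_MAP = {
    "source": "src",
    "destination": "dst",
    "destinationport": "port",
    "protocol": "proto",
    "time": "time",
}


@dataclass
class AclEntry:
    name: str       # used verbatim as the squid acl name
    acl_type: str   # GUI ACL Type, a key of ACL_TYPE_MAP
    value: str


@dataclass
class Action:
    name: str
    priority: int   # lower number = higher priority = processed first
    policy: str     # "allow" or "deny"
    entries: List[str] = field(default_factory=list)   # AclEntry names


def build_access_config(entries: Iterable[AclEntry], actions: Iterable[Action],
                        default_policy: str,
                        neighbour_names: Iterable[str] = ()) -> List[str]:
    """Expand the ACL ENTRIES / ACTIONS model into squid.conf lines.

    Raises ValueError for the mistakes the manual warns about: an action
    referencing unknown, missing or too many entries, an action name that
    collides with a Neighbour Settings name, a bad policy word, or an
    over-long line.
    """
    if default_policy not in ("allow", "deny"):
        raise ValueError(f"default policy must be allow or deny, got {default_policy!r}")
    by_name: Dict[str, AclEntry] = {e.name: e for e in entries}
    neighbours = set(neighbour_names)

    lines: List[str] = []
    for e in by_name.values():
        if e.acl_type not in ACL_TYPE_MAP:
            raise ValueError(f"{e.name}: unknown ACL Type {e.acl_type!r}")
        lines.append(f"acl {e.name} {ACL_TYPE_MAP[e.acl_type]} {e.value}")
    # squid 2.5 has no built-in 'all' acl; defining it keeps the default
    # policy line valid for both engine versions.
    lines.append("acl all src 0.0.0.0/0.0.0.0")

    # Lower priority number first: squid evaluates http_access top to bottom
    # and the first matching line wins.
    for a in sorted(actions, key=lambda x: x.priority):
        if a.name in neighbours:
            raise ValueError(f"action {a.name!r} collides with a Neighbour Settings name")
        if a.policy not in ("allow", "deny"):
            raise ValueError(f"action {a.name!r}: policy must be allow or deny")
        if not a.entries:
            raise ValueError(f"action {a.name!r} has no ACL entries")
        if len(a.entries) > MAX_ENTRIES_PER_ACTION:
            raise ValueError(f"action {a.name!r}: more than {MAX_ENTRIES_PER_ACTION} ACL entries")
        missing = [n for n in a.entries if n not in by_name]
        if missing:
            raise ValueError(f"action {a.name!r} references unknown ACL entries {missing}")
        lines.append(f"# action {a.name} (priority {a.priority})")
        lines.append(f"http_access {a.policy} {' '.join(a.entries)}")

    lines.append(f"http_access {default_policy} all")   # the Default parameter
    for ln in lines:
        if len(ln) > MAX_LINE_LENGTH:
            raise ValueError(f"line exceeds {MAX_LINE_LENGTH} characters: {ln[:40]}...")
    return lines


def sample_config() -> List[str]:
    """Constructed sample: one client may browse HTTP during office hours, never FTP."""
    entries = [
        AclEntry("clientpc", "source", "10.0.8.1"),
        AclEntry("portftp", "destinationport", "21"),
        AclEntry("portwww", "destinationport", "80"),
        AclEntry("protocolwww", "protocol", "HTTP"),
        AclEntry("timeweb", "time", "MTWHF 08:00-17:00"),
    ]
    actions = [
        Action("web", priority=2, policy="allow",
               entries=["clientpc", "portwww", "protocolwww", "timeweb"]),
        Action("noftp", priority=1, policy="deny", entries=["clientpc", "portftp"]),
    ]
    return build_access_config(entries, actions, default_policy="deny",
                               neighbour_names=["parent1"])


if __name__ == "__main__":
    print("\n".join(sample_config()))
```

Because the deny action carries priority 1, its http_access line is emitted before the allow line even though it was defined second; swapping the priorities would let the web action match first and the FTP block would never be reached, which is the ordering trap the "top to bottom" note above refers to.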
1.2.3.7 Access Control - Section Legacy

This section enables creation of an ACL file exactly matching squid.conf syntax. This parameter set is only available if parameter Access Configuration is set to legacy.

List 1216 HTTP Proxy Service Parameters - Authentication Settings - Legacy

Name: aclconfexpert (predefined)
Access Control Entries: Insert the ACL Entries into this field.
  Attention: ACL Entries must exactly match the squid.conf syntax. They are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
  Note: This field either takes complete ACLs, but may as well include entries from the ACL filelist. Syntax usage as given in the example above applies.

Figure 1210 depicts an exemplary Access Control configuration, with the following ACL Entries and Actions configured in detail:

• ACL Entries

List 1218 ACL ENTRIES configuration
Name         ACL Type         Value
clientpc     source           10.0.8.1
portftp      destinationport  21
portwww      destinationport  80
protocolftp  protocol         FTP
protocolwww  protocol         HTTP
timeftp      time             Access activated Mo, 09:00 - 13:00
timeweb      time             Access activated Mo-Fr, 08:00 - 17:00

• Default policy: denied

Fig. 1210 Access Control configuration example (figure not reproduced; remaining labels: 10.0.8.20, Priority 1 2 3)

1.2.3.9 ACL Time Restrictions Configuration Examples

Example 1

Fig. 128 ACL Time Interval configuration - Example 1

Note:
Multiple entries are generated for each day in squid.conf due to time conversion.

Interpretation:
Two ACL entries have been generated for each day of the week, spanning the whole day (except for Wednesday). Three ACL entries have been created for Wednesday, as there the time flow has been interrupted between 14:00 and 15:00. Note that the missing time span has been generated as a gap between 13:00 and 16:00.

Inserted into the Actions section with policy allow and default policy denied, this ACL entry will cause allowed proxy access on every day of the week, except Wednesday, 14:00 to 15:00 Europe/London time or 15:00 to 16:00 local box time respectively.

A user from London trying to access the proxy at 14:59 Europe/London time will be rejected, because this corresponds to 15:59 local box time and is still within the disallowed time span.
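To make the time conversion behind Example 1 concrete, here is an added Python example (not Barracuda's converter and not from the manual) that turns a schedule given in the user's time zone into squid "time" ACL lines in box-local time, cutting out an excluded interval and splitting at midnight. It assumes the box runs one hour ahead of Europe/London (Europe/Vienna, say) and uses fixed whole-hour UTC offsets instead of a time zone database so that it runs offline; ACL and function names are the example's own. The matches() helper then replays the 14:59 London case from the text.

```python
from typing import Dict, Iterable, List, Tuple

SQUID_DAYS = "SMTWHFA"      # squid day letters: Sun Mon Tue Wed Thu Fri Sat
MINUTES_PER_DAY = 24 * 60
Interval = Tuple[int, int]  # [start, end) in minutes of the day


def to_minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def fmt(minute: int) -> str:
    return f"{minute // 60:02d}:{minute % 60:02d}"


def shift(day: int, start: int, end: int, offset: int) -> List[Tuple[int, int, int]]:
    """Shift [start, end) on weekday index `day` by `offset` minutes and split
    the result at midnight; returns (day, start, end) pieces in box time."""
    pieces = []
    s, e = start + offset, end + offset
    while s < e:
        day_shift, local_s = divmod(s, MINUTES_PER_DAY)
        local_e = min(e - day_shift * MINUTES_PER_DAY, MINUTES_PER_DAY)
        pieces.append(((day + day_shift) % 7, local_s, local_e))
        s = (day_shift + 1) * MINUTES_PER_DAY
    return pieces


def subtract(intervals: List[Interval], blocked: Interval) -> List[Interval]:
    """Cut `blocked` out of each interval of the same day."""
    bs, be = blocked
    out = []
    for s, e in intervals:
        if e <= bs or s >= be:
            out.append((s, e))
            continue
        if s < bs:
            out.append((s, bs))
        if e > be:
            out.append((be, e))
    return out


def squid_time_acls(name: str, allowed_days: str, allowed: Tuple[str, str],
                    blocked: Iterable[Tuple[str, str, str]],
                    user_offset_h: int, box_offset_h: int) -> List[str]:
    """Return 'acl <name> time <day> hh:mm-hh:mm' lines in box-local time.

    allowed_days: squid day letters on which access is granted (user time).
    allowed: (start, end) window per day, end exclusive; "24:00" = whole day.
    blocked: (day, start, end) windows removed from the rule, user time.
    Offsets are whole hours from UTC for the user and for the box.
    """
    offset = (box_offset_h - user_offset_h) * 60
    per_day: Dict[int, List[Interval]] = {}
    for letter in allowed_days:
        for d, s, e in shift(SQUID_DAYS.index(letter), to_minutes(allowed[0]),
                             to_minutes(allowed[1]), offset):
            per_day.setdefault(d, []).append((s, e))
    for letter, bstart, bend in blocked:
        for d, s, e in shift(SQUID_DAYS.index(letter), to_minutes(bstart),
                             to_minutes(bend), offset):
            per_day[d] = subtract(per_day.get(d, []), (s, e))
    lines = []
    for d in sorted(per_day):
        # Pieces that meet at midnight are deliberately not merged: this is
        # what yields the "two entries per day" the manual describes.
        for s, e in sorted(per_day[d]):
            # squid's time bounds are inclusive, so a [s, e) piece ends at e-1
            lines.append(f"acl {name} time {SQUID_DAYS[d]} {fmt(s)}-{fmt(e - 1)}")
    return lines


def matches(acl_lines: List[str], day: str, hhmm: str,
            user_offset_h: int, box_offset_h: int) -> bool:
    """Evaluate the generated lines for a weekday and time in the user's zone."""
    minute = to_minutes(hhmm)
    (d, s, _), = shift(SQUID_DAYS.index(day), minute, minute + 1,
                       (box_offset_h - user_offset_h) * 60)
    for line in acl_lines:
        _, _, _, letter, span = line.split()
        start, stop = span.split("-")
        if letter == SQUID_DAYS[d] and to_minutes(start) <= s <= to_minutes(stop):
            return True
    return False


def manual_example() -> List[str]:
    """Example 1 from the manual: access all week except Wednesday 14:00-15:00
    Europe/London, the box running one hour ahead (Europe/Vienna assumed)."""
    return squid_time_acls("timeweb", "SMTWHFA", ("00:00", "24:00"),
                           [("W", "14:00", "15:00")], user_offset_h=0, box_offset_h=1)


if __name__ == "__main__":
    print("\n".join(manual_example()))
```

Running it prints two lines per day and three for Wednesday (00:00-00:59, 01:00-14:59, 16:00-23:59), and matches(acls, "W", "14:59", 0, 1) is False because that instant is 15:59 on the box, inside the gap; the decision is always taken in box time, which is why the manual warns users in another zone about the shifted window.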
1.2.5 Advanced

List 1221 Proxy Service Parameters - Advanced view section Advanced

Use Engine Version: Normal: squid version 2.5; NG: squid version 3.1
Generic squid.conf Entries: The whole configuration file of the proxy service is displayed. This field offers the possibility to edit the whole configuration file (except the access control part) manually. Use this section to configure a transparent proxy (see 1.3 Transparent Proxy, page 352) or a reverse proxy (see 1.4 Reverse Proxy, page 352).
  Attention: These entries must exactly match the squid.conf syntax. Entries are not checked against squid.conf for compatibility. Do not use Inverted CIDR Notation.
  Note: A quick syntax check for squid.conf can be executed by entering the following command at the command line interface:
  squid -N -f /var/phion/preserve/proxy/<servername_servicename>/root/squid.conf
  If commands have been misarranged, the row number containing the flawed configuration will be thrown to the output.

Note:
The section Optimizations is only available for the Secure Web Proxy.

Read Timeout (sec.): Define here the read timeout of the Secure Web Proxy in seconds.
  Note: This timeout affects connections to the internet and to the ICAP server.

The HTTP Proxy Fail Cache is available on gateways that are running a HTTP Proxy. phion's Secure Web Proxy does not provide the functionality of the Fail Cache.

1.2.6.1 HTTP Proxy Fail Cache Filters

The Fail Cache GUI provides several filter options that allow a selective view of all desired Fail Cache entries.

List 1222 HTTP Proxy Fail Cache Filter Options

Entries: Amount of listed Fail Cache entries.
From: Start time/date for Fail Cache entries.
To: End time/date for Fail Cache entries.
IP: IP address to filter.
User: User to filter.
URI: URI to filter.
Status: HTTP status code to filter.
Note:
When using the NG HTTP Proxy Engine, the following line is to be added into the Generic squid.conf Entries instead, to run the HTTP Proxy in transparent mode:
http_port <proxyservice-IP>:<listenport> transparent

Squid sees a request for a URL and connects to port 80 (or virtual) of the server where the URL resides. Squid does not have any control over the arriving request types. If Squid is listening on port 3128 it assumes that data arrives using a protocol it can handle (HTTP, FTP over HTTP). The packet type redirected to Squid is determined entirely by the host's firewall (or an external router) and is out of Squid's control.

Attention:
proxy_auth cannot be used in conjunction with a transparent proxy because it collides with any authentication done by origin servers.

Attention:
HTTP 1.0 must not be used in conjunction with a transparent proxy since the header of HTTP 1.0 does not contain the address of the destination server. The information gets lost when the request is redirected to the firewall (or the router).

• httpd_accel_port 80
The web server listens for connections on this port. As the web content will be served from a separate physical machine, you may consider using the default listening HTTP port 80. Optionally, switch the listening port to another value.
  Note: Multiple web servers must provide content on one port uniformly.
• httpd_accel_single_host on/off
This option specifies whether to forward uncached requests to a single back end web server. If set to on, requests will be forwarded regardless of what any redirectors or host headers say.
• httpd_accel_with_proxy on/off
This option specifies if Squid should act as both standard and reverse proxy, or only as reverse proxy. Note that generally better performance will be achieved when this option is set to off.
• httpd_accel_uses_host_header off
Requests in HTTP version 1.1 include a host header specifying the host name or IP address of the URL. This option should remain off in reverse proxy mode.
• hosts_file /etc/hosts
This option defines the location of the hosts file. This has to be specified when requests to your back end web servers are addressed to FQDNs and the proxy server itself fetches DNS entries from external name servers. In the hosts file, map the FQDNs of your web sites to the actual IP the site is published on. Configure mappings in Config > Box > Settings > DNS section > Known Hosts (see 2.2.3.3 DNS, page 55).

1.4.1 Example Setup

Fig. 1214 Reverse proxy example configuration (Web Server 10.0.8.1:80 - Reverse Proxy 193.99.144.85:80 - Client)

In the example setup, a web server is configured running three virtual hosts on an internal IP address 10.0.8.1. Clients direct requests to these sites to www.myDomain.com, sub.myDomain.com, and sub2.myDomain.com. These names are resolvable to the IP address 193.99.144.85, which is the official external address of the reverse proxy server.

The reverse proxy forwards not yet cached requests to the appropriate virtual host running on the IP address 10.0.8.1, and otherwise serves the requested content from its cache.

The following parameters determine settings in the httpd_accel directive of the squid.conf file:

Table 123 Example: squid.conf file httpd_accel directive
Parameter    IP address      Domain
Web Server   10.0.8.1        www.myDomain.com, sub.myDomain.com, sub2.myDomain.com
DNS IN A     193.99.144.85   www.myDomain.com, sub.myDomain.com, sub2.myDomain.com
/etc/hosts   10.0.8.1        mySite1 mySite2 mySite3 www.myDomain.com sub.myDomain.com sub2.myDomain.com

In the squid.conf file, the corresponding options must be specified as follows:

Table 124 Example: squid.conf file corresponding options
Option                         Setting
http_port                      80
httpd_accel_host               10.0.8.1
httpd_accel_port               80
httpd_accel_single_host        on
httpd_accel_with_proxy         on/off (recommended)
httpd_accel_uses_host_header   off
hosts_file                     /etc/hosts
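As an added example (not Barracuda code and not from the manual), the following Python checker ties Tables 123 and 124 together: it parses a Generic squid.conf Entries fragment and a hosts file, and verifies for each published site that public DNS points at the proxy while the hosts file points at the back end, which is the mapping the hosts_file bullet above requires. The squid.conf text, hosts file and DNS answers are constructed from the example setup; httpd_accel_with_proxy is set to off, the setting the bullet list recommends for performance.

```python
from typing import Dict, List

# Constructed from the example setup above (Tables 123 and 124).
SQUID_CONF = """\
http_port 80
httpd_accel_host 10.0.8.1
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
hosts_file /etc/hosts
"""

HOSTS_FILE = """\
# hosts file on the reverse proxy: site names map to the internal web server
10.0.8.1 www.myDomain.com sub.myDomain.com sub2.myDomain.com
"""

PUBLIC_DNS_A = {   # what external resolvers return for the published names
    "www.myDomain.com": "193.99.144.85",
    "sub.myDomain.com": "193.99.144.85",
    "sub2.myDomain.com": "193.99.144.85",
}
PROXY_EXTERNAL_IP = "193.99.144.85"
SITES = ["www.myDomain.com", "sub.myDomain.com", "sub2.myDomain.com"]


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax into {name (lower-case): ip}."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def parse_squid_options(text: str) -> Dict[str, str]:
    """Parse 'option value' lines as they appear in the Generic squid.conf Entries."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def check_reverse_proxy(squid_conf: str, hosts_text: str, dns_a: Dict[str, str],
                        proxy_ip: str, sites: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems: List[str] = []
    opts = parse_squid_options(squid_conf)
    hosts = parse_hosts(hosts_text)
    backend = opts.get("httpd_accel_host")
    if not backend:
        problems.append("httpd_accel_host is missing")
    if opts.get("httpd_accel_uses_host_header", "off") != "off":
        problems.append("httpd_accel_uses_host_header must stay off in reverse proxy mode")
    if not opts.get("hosts_file"):
        problems.append("hosts_file is not set; FQDNs would be resolved via external DNS")
    for site in sites:
        if dns_a.get(site) != proxy_ip:
            problems.append(f"{site}: public DNS A record must point at the proxy ({proxy_ip})")
        mapped = hosts.get(site.lower())
        if mapped is None:
            problems.append(f"{site}: not in hosts file, the proxy would resolve it to its own "
                            f"external address {dns_a.get(site)} instead of the back end")
        elif mapped != backend:
            problems.append(f"{site}: hosts file maps to {mapped}, httpd_accel_host is {backend}")
    return problems


def check_example() -> List[str]:
    return check_reverse_proxy(SQUID_CONF, HOSTS_FILE, PUBLIC_DNS_A, PROXY_EXTERNAL_IP, SITES)


if __name__ == "__main__":
    for p in check_example() or ["reverse proxy example is consistent"]:
        print(p)
```

Dropping sub2.myDomain.com from the hosts file is the typical mistake: the name still resolves publicly, so nothing fails at configuration time, but the proxy would send that site's requests to 193.99.144.85, that is, to itself.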
2.4 Configuration

If you have ever configured a "regular" proxy, many of the options will be familiar to you. In fact, with a few small differences, everything except the SSL-related options is the same. The SSL options are described in the following.

The Secure Web Proxy Service configuration area provides three configuration entities:

• URL Filter Config (see 3. URL Filter, page 360)
• Service Properties (Configuration Service 4. Introducing a New Service, page 97)
• Secure Web Proxy Settings (see below)

2.4.1 Secure Web Proxy Settings

Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (sslprx) > Secure Web Proxy Settings to access the configuration dialog.

Note:
The parameters listed in the following are SSL-related only. For a general description of the views General, Network, Access Control, Content Inspection and Advanced, please consult 1. HTTP Proxy, page 340. However, note the following restrictions:

Note:
FTP is by default disabled. If enabled, FTP traffic will not be scanned for viruses.

• General view: There are no Log Settings. The system automatically logs access and cache.
• Network view: The most significant difference between a Secure Web Proxy and a normal proxy is that the Secure Web Proxy is configurable for one parent proxy only. If the setup has multiple parent proxies, the Secure Web Proxy is to be daisy-chained with a normal proxy, where the parents can be configured as usual.

2.4.1.1 SSL Settings

List 1223 Secure Web Proxy section SSL Settings

Enable SSL Decryption: Allows SSL decryption, the process of decrypting and inspecting data (default: Yes).
Enable Certificate Verification: Validates certificates (default: Yes).
  Attention: When this parameter is disabled, server certificates will not be validated. This means that clients will be able to communicate with malicious sites (like phishing sites) without realising there is a threat. It is recommended that this option only be disabled by someone who knows what they are doing.
Use Self-Signed Certificate: Define whether to use a self-signed or an external certificate.
Root CA Private Key / Root CA Certificate: Generates the proxy's issuing root certificate. The Root CA Certificate should be exported and added to all client CA databases.
  Note: All SSL client connections will receive a temporarily created certificate signed by this configured CA instead of the real certificate when establishing a HTTPS connection. The certificate and the corresponding private key are used for SSL/TLS encryption and decryption. If this root certificate is not installed on the client computers, users will get certificate-error warnings from the browser on each new HTTPS connection.
External Root CA Private Key / External Root CA Certificate: Use these parameters to import external root certificates. Instead of using a self-signed certificate (parameters above), one can import an external root certificate and its corresponding private key.
  Note: The root certificate must be signed by the private key.
  Note: The notes from the parameters above apply to these parameters too.
Notify User: Specifies whether or not the user should be notified whenever SSL connections are decrypted, logged or inspected (default: No). When enabled, a splash screen will appear in the user's browser at regular intervals (see Notify Again After (min)).
  Note: Setting this parameter to Yes will prevent HTTPS-based resources embedded in HTTP-based documents from being displayed as long as the notification for the HTTPS domain hasn't been confirmed. See also the more detailed problem description below this table.
Notify Again After (min): When enabled, a notification will reappear after a specified amount of time. The default value is 60 minutes.

Fig. 1215 Secure Web Proxy User Notification and Confirmation Dialog

If Notify User is set to Yes, the notification dialog shown above will be displayed prior to delivering any data from any yet unconfirmed domain to the user's browser via HTTPS.

It may happen that certain embedded resources in a web site, such as images, media files, CSS stylesheets or javascripts, fail to display or execute since their HTTPS source domain was not yet confirmed by the user. The reason for this is the proxy delivering the notification HTML to the browser instead of delivering the requested image, media or text data. The notification HTML can not be interpreted correctly by the browser at this point.

As this effect is likely to appear on widely used web sites such as Amazon, leaving users confused, Barracuda Networks recommends not activating this notification dialog.
with the missing data highlighted. The header area in the screenshot's upper half shows a destroyed layout, suffering from missing javascript and CSS, while, in the main content area, two images are missing.

Fig. 1216 Missing Embedded Data on a Web Site

2.4.1.2 SSL Certificates

List 1224 Secure Web Proxy - SSL Certificates section Certificate Verification

Allow CommonName Wildcards: Accepts wildcards in the CommonName such as *.domain.com. Browsers such as IE or Firefox allow wildcards and/or regular expressions. Disabling this parameter provides more security (default: No, which means disabled).
Deny Expired Certificates: Determines whether or not expired certificates should be denied (default: Yes).
Allow Visit After Confirm: If a certificate is not valid, an information page will appear in the browser. If this parameter is disabled, an incident ticket will be generated and access to the site will be denied. When this parameter is enabled, the user can connect to the site by clicking Allow (default: No).
  Note: It is recommended that this parameter be disabled as it is, essentially, the same override mechanism provided by web browsers.

List 1225 Secure Web Proxy - SSL Certificates section Certificate Revocation

Enable Revocation Check: Checks every certificate against the revocation list of the issuing CA (provided one is available) (default: Yes).
Download CRLs at Hour (0..23): Specifies when Certificate Revocation Lists (CRLs) should be retrieved from the CAs.
Real-Time Check (OCSP): In addition to CRLs, it is possible to do a real-time check via OCSP (Online Certificate Status Protocol) (default: Yes). If a CA supports OCSP, a certificate's validity will be checked in real time and the result will be cached for one day.
Block Unknown State: When enabled, certificates will be denied if their revocation status is not determinable (either via CRLs or OCSP) (default: No). This parameter is usually enabled in high-security environments. However, it results in many incident reports.

List 1226 Secure Web Proxy - SSL Certificates section Client Certificates

This section discusses actions to be taken should a server request a client certificate - a seldom but, nevertheless, possible SSL transaction. Since private details of the client certificate are known only to the client, the SSL proxy will not be able to interact as it would with other SSL connections.

Client Certificate Action: Establishes the action to take when a client certificate is requested. The connection will either be tunnelled (without decryption) or denied (default).

Note:
Restriction is based on the site's certificate rather than on the actual server name or IP address.

• The Whitelist allows clients to access the listed servers or websites, even should there be something wrong with their certificate.
• The Tunnellist specifies which servers or website connections should be tunnelled (neither intercepted nor decrypted).

2.4.1.4 Advanced

List 1227 Secure Web Proxy - Advanced - section Optimizations

Read Timeout (sec.): Define here the read timeout of the Secure Web Proxy in seconds.
  Note: This timeout affects connections to the internet and to the ICAP server.
Strip HTTP1.1 Enc. Header Lines: If set to yes, the Secure Web Proxy extracts HTTP1.1 specific lines of the HTTP1.1 header.

2.5 Operation

In addition to configuration, certain administrative actions can be taken in the Graphical User Interface (GUI). To access the GUI, select SSL Proxy in the box menu.

The following tabs are available:

• Access - view accumulated real-time log.
• Tickets - manage incident tickets created when a user encounters an invalid certificate.

Barracuda NG Firewall 4.2.10 | Revision 3.5, Barracuda Networks 2010
Proxy Operation < Secure Web Proxy | 357
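The certificate settings in Lists 1224 to 1226 interact, and the outcome for a given server certificate is easiest to see in code. The following Python decision function is an added example, not product code from Barracuda; the SslSettings fields mirror the parameter names above with their documented defaults, while the ServerCert record, the host names and the four outcome labels are the example's own constructs. It shows the three things a practitioner usually wants to confirm: that a wildcard CommonName is rejected unless Allow CommonName Wildcards is on, that an undeterminable revocation status is only fatal with Block Unknown State, and that Allow Visit After Confirm turns a denial into a user-overridable information page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SslSettings:
    """Switches from Lists 1224 to 1226, with the defaults the manual states."""
    enable_certificate_verification: bool = True
    allow_commonname_wildcards: bool = False
    deny_expired_certificates: bool = True
    allow_visit_after_confirm: bool = False
    enable_revocation_check: bool = True
    block_unknown_state: bool = False
    client_certificate_action: str = "deny"   # or "tunnel"


@dataclass
class ServerCert:
    """Constructed summary of what the proxy learned about a server certificate."""
    common_name: str
    issuer_trusted: bool          # issuing CA is allowed in the CA tree
    expired: bool
    revoked: Optional[bool]       # None: neither CRL nor OCSP gave an answer
    client_cert_requested: bool = False


def common_name_matches(cn: str, host: str, allow_wildcards: bool) -> bool:
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    if allow_wildcards and cn.startswith("*."):
        # one label only: *.domain.com covers www.domain.com, not a.b.domain.com
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return False


def decide(cert: ServerCert, host: str, s: SslSettings) -> Tuple[str, List[str]]:
    """Return (action, reasons). action is one of:
    'decrypt'      intercept and inspect the connection
    'tunnel'       pass the connection through without decryption
    'confirm'      show the information page; the user may click Allow
    'deny+ticket'  block the site and create an incident ticket
    """
    if cert.client_cert_requested:
        # List 1226: the proxy cannot impersonate the client, so tunnel or deny
        return s.client_certificate_action, ["server requested a client certificate"]
    if not s.enable_certificate_verification:
        return "decrypt", ["certificate verification disabled: nothing validated"]
    reasons: List[str] = []
    if not cert.issuer_trusted:
        reasons.append("issuing CA not allowed in the CA tree")
    if not common_name_matches(cert.common_name, host, s.allow_commonname_wildcards):
        reasons.append(f"CommonName {cert.common_name} does not match {host}")
    if cert.expired and s.deny_expired_certificates:
        reasons.append("certificate expired")
    if s.enable_revocation_check:
        if cert.revoked is True:
            reasons.append("certificate revoked (CRL/OCSP)")
        elif cert.revoked is None and s.block_unknown_state:
            reasons.append("revocation status not determinable")
    if not reasons:
        return "decrypt", []
    return ("confirm" if s.allow_visit_after_confirm else "deny+ticket"), reasons


if __name__ == "__main__":
    wildcard = ServerCert("*.example.test", True, False, False)
    for settings in (SslSettings(), SslSettings(allow_commonname_wildcards=True)):
        print(decide(wildcard, "www.example.test", settings))
```

Note how the unknown revocation state is silently accepted under the defaults; that is the trade-off the Block Unknown State row describes, fewer incident tickets against a weaker check.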
• Certificates - inspect and manage all known Root CAs.
• RSS-Feeds - inspect and manage all known RSS-Feeds.
• Webservices - inspect and manage all known webservices (including sub functions).

Note:
Each tab, except for Certificates, provides additional filter settings. The options in these filter settings are taken from the available entries and will become active as soon as the checkbox to the right of each entry is selected.

2.5.1 Access Tab

Fig. 1218 Secure Web Proxy GUI - Access tab

The following columns organize the Access tab of the Secure Web Proxy:

• Time - point in time when the connection was established. The content of this column may differ depending on the selected time "groups" and the set UTC time flag (see 2.5.1.1 Access Context Menu, page 358).
• IP Address of the client who requested the connection.
• Method that is used for connecting (according to Method Definitions in RFC2616). Possible entries are: GET, HEAD, PUT, DELETE.
• Server name of the destination.
• Count shows the number of connections.
• Bytes from client / Bytes to client indicates the amount of data sent/received by the client.
• User Agent displays the signature of the client's browser.
• Content type displays the sort of sent/received data.
• Boxname provides the name of the server the Secure Web Proxy is running on.
• HTTP status as retrieved from the destination (according to Status Code Definitions in RFC2616).
• User / Group displays, if configured, the group authentication scheme the requesting client resides in.

2.5.1.1 Access Context Menu

• Show Details - This entry opens an additional window providing detailed information concerning the selected entry (alternatively, this view is also available by double clicking on an entry).
• Flush Cache - removes either the selected entry (option Entry) or the complete access cache (option -ALL-).
• Ungroup - Removes the sorting selected below.
• Group by - Via this entry you may sort the entries column wise.
• Show time in UTC - switches the time format within the Time columns.

2.5.2 Tickets Tab

In this tab incident tickets can be viewed or deleted, or their status can be changed.

By clicking Update List, all incident tickets will be retrieved from the server.

Clicking Lock activates a lock required for editing the database. Once all changes have been made, click the same button (which has now been renamed to Unlock) to release the lock.

Note:
User permission is required to edit incident tickets. For more information, see Barracuda NG Control Center 8. CC Admins, page 457.

Fig. 1219 Secure Web Proxy GUI - Tickets tab with detail info

2.5.2.1 Tickets Context Menu

• Show Details - This entry opens an additional window providing detailed information concerning the selected ticket (alternatively, this view is also available by double clicking on a ticket).
• Ungroup - Removes the sorting selected below.
• Group by - Via this entry you may sort the tickets for ID, Server, Action or Type.
• Set Action - allows the user to modify the status of an incident ticket. The following commands are possible:
  • Blacklist/Whitelist/Tunnel - Blacklist, whitelist or tunnel connections to a server. For more details, see 2.4.1.3 SSL Exceptions, page 356.
  • Block - Has almost the same status as blacklist except that the user can override the blacklist by enabling parameter Allow Visit After Confirm (see 2.4.1.2 SSL Certificates, List 1224 Secure Web Proxy - SSL Certificates section Certificate Verification, page 356).
  • Delete - Deletes the incident ticket.

Note:
It is possible to make exceptions to the configuration (see 2.4.1.3 SSL Exceptions, page 356). Exceptions are also listed with the incident tickets; however, unlike regular incident tickets it is not possible to edit or delete them.

2.5.3 Certificates Tab

All known CAs (or instances of trusted servers issuing valid certificates) are displayed in this tab. Certificates can be deleted, denied or unconditionally allowed, and certain attributes (like name, CRL, and OCSP-URL) can be changed.

Note:
As with incident tickets, a user must have permission in order to make any changes to the CA tree.

The Update List and Lock buttons work just the same as in the Tickets tab.

A green square in front of a CA signifies that any certificates issued by this CA will be allowed. A red "X" in front of a CA signifies that any certificates issued by this CA will be denied.

Note:
New CAs will occasionally appear on this list as they become known to the system and are downloaded from the Internet. Initially, they will be denied. Therefore, it is recommended to check the CA tree regularly for new additions and, if necessary, change their status.

2.5.5.1 Webservices Context Menu

The context menu is identical with the one described in 2.5.2.1 Tickets Context Menu, page 358.
3. URL Filter

Figure (URL Filter request flow, not reproduced): Browser > Proxy (Basic ACL) > Access OK? > No: Block HTTP / Yes: URL Filter Web Filter Redirector > URL Filter Web Filter Daemon > Block HTTP or Connection allowed

Step 2 URL Filter Redirector
The redirector pipes the URL request into the internal checking routines (black lists, white lists, ...). When the requested URL can be verified in one of these internal categories/lists, the requester is allowed access to it; if not, the request is handed over to the URL Filter Daemon (cofsd).

Step 3 URL Filter Daemon
The cofs-daemon first attempts to find the requested page in the local cache. If it cannot find it there, it establishes a connection to the URL Filter Database in order to retrieve an already assigned categorisation. It then hands either the local or the external search result back to the redirector.

The process responsible for this procedure can be viewed in the Processes tab of the Control section of Barracuda NG Admin and is named <servername>_cofsd.

Note:
A few requirements must be met to enable the URL Filter to query the Web Filter Database in the Internet. See 3.3.1 Configuring URL Filter Redirectors, page 362 for configuration details.

Figure (URL Filter redirector decision flow, not reproduced): Browser > Proxy (Basic ACL) > Access OK? > No: Block HTTP / Yes: URL Filter Redirector 1 ... n > Request in set time slot? > Connecting process > Default Policy? (Configuration Default Policy: deny-all-except or allow-all-except)
• URL Filter - Redirector Parameters (see 3.3.3 Configuring of URL Filter - Redirector Parameters, page 363)

3.3.1 Configuring URL Filter Redirectors

Redirector configuration is part of the HTTP Proxy configuration (see 1.2.4.3 Section Redirector Settings, page 351).

Browse to Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (proxy) > HTTP Proxy Settings > Content Inspection view > Redirector Settings section to access the configuration area. The following values are available for configuration:

List 1228 Proxy Service Parameters - section Redirector Settings

Enable Redirector: Set to URL Filter (default: None) to enable the URL Filter. Optionally, select the Other checkbox and insert the name of an external redirector into the field, to implement another URL filtering tool.
Firewall login: Set this parameter to Yes (default: No) if proxy authenticated users additionally have to authenticate themselves on the firewall. The proxy server will then forward the user login to the firewall.
  Note: This option will only work with usage of a User Authentication Scheme (see 1.2.3.1 Section Authentication, page 343). Please review User Authentication, page 346 if you want to define ACL Entries using ACL Type "proxyauthentication" explicitly.
Number of Redirectors: This parameter determines the number of simultaneously working redirectors (default: 5). The value may be increased for high traffic processing.

List 1230 URL Filter Configuration - General section URL Filter Database Settings

Use local database: Select this checkbox to enable usage of a local categorisation database. This setting is recommended on boxes with poor network connectivity to the central ISS database servers or for installations serving more than 100 concurrent web users. Querying a local database improves responsiveness of the filter. An initial database download is triggered when this option is enabled (approximate download size: 160 MB).
  Attention: On flash RAM based appliances the local database support cannot be used and has to be deactivated.
Upload Unknown URLs: Select this checkbox to activate collection of unknown URLs and their successive upload to an ISS server. Using this feature may contribute to evaluation of not yet categorized URLs.

List 1231 URL Filter Configuration - General section URL Filter Support Options

Log Categories per URL: Selecting this checkbox extends Proventia log files (see 3.5 Logging, Cofsd (created by the URL Filter daemon), page 366) by adding the category classification to each requested URL. This option should only be used to assist in case of problems. Check for sufficient disk capacity before enabling it.

3.3.2.2 Proxy

List 1232 URL Filter Configuration section URL Filter Proxy

Enable Proxy: Select this checkbox if the URL Filter has to access the Proventia Internet Databases through the local proxy server.
  Note: See 3.3.4 Adapting the Local Firewall Rule Set, page 365 for a summary of access demands.
Proxy Host / Port / User / Password: Specify the authentication data requested by the local proxy server in this place.

3.3.3 Configuring of URL Filter - Redirector Parameters

List 1234 URL Filter Configuration - Filter Settings section Configurations

List 1235 URL Filter Configuration - Filter Settings section TIME SETTINGS

3.3.3.3 Exceptions

This tab allows configuring users who may bypass the URL Filter Redirector. Users may be identified either by their source IP address or by their user name.

List 1237 URL Filter Configuration section URL Filter Exceptions

Note:
Be sure to use the inverted CIDR notation, if activated, for the following two parameters (see Getting Started 5. Inverted CIDR Notation, page 25).
3.3.3.6 Statistics Tab z Service Explicit with 006 TCP, Port 443 and
006 TCP, Port 6000
Section URL Filter Statistics Settings
Fig. 1223 Local rule granting access from URL Filter to Proventia Internet
Selecting a checkbox within this section creates Databases
corresponding statistics for:
z Unrestricted Users
z Unrestricted IPs
z Denied URLs per User
z Denied URLs per IP (selected by default)
z Allowed URLs per User
z Allowed URLs per IP
z Access to the the Proventia Internet Databases for URL The block-page on the external HTTP server has to be
categorisation running on the IP addresses designed as HTML page, including a parameter line that is
195.127.173.135 and 195.127.173.136 has to be enabled on processed through the CGI with all parameters desired for
TCP port 6000. explaining the reason for connection rejection.
z From the Barracuda NG Firewall the URL Filter Daemon The following parameters can be processed in a
is running on, the pointer (PTR) records of the block-page:
addresses 195.127.173.135 and 195.127.173.136 must be
recallable. z categories=[1-63], 99
indicating the categories that caused the block;
category 99 marks a not found one; see 3.4.2 Proventia
Introduce a rule in the Outbound-User tab of the local rule URL Categories, page 366, for a list of available
set with the following setting parameters categories.
z Source ServerIPs z other reasons
z Action Pass urlfd_not_running
The URL Filter Daemon is not running
z Destination World
urlfd_read_error
Could not read from URL Filter Daemon
no_more_memory
Machine is running out of memory
udp_not_received
Could not receive an answer for the requested URL. Table 125 URL categories overview
Please try later Category Description
filter_timeout 22 Recreational_Facilities/Amusement/Theme_Parks
Could not receive an answer for the requested URL. 23 Art/Museums
Please try later 24 Music
request_not_correct
The proxy has sent an incorrect request
black_list
This site is on the BLACK LIST
no_category
This domain is in no category
timestamp_not_active
Sorry, but at this time the access is blocked
user_limit_exeeded
Sorry, but the URL Filter user limit exceeded

- url=www.[url].com

A parameter line included in a custom block-page can look as follows (www.msgsrv.com is the external HTTP-server displaying the customized block-page):
www.msgsrv.com/block_page?filter_timeout&url=www.forbidden.com
www.msgsrv.com/block_page?categories=1,6,35&url=www.forbidden.com

3.4.2 Proventia URL Categories

Note:
The following list is provided by Proventia.

Table 125 URL categories overview
Category | Description
01 | Pornography
02 | Erotic/Sex
03 | Swimwear/Lingerie
04 | Online_Shopping
05 | Auctions/Classified_Ads
06 | Governmental_Organizations
07 | Non_Governmental_Organizations
08 | Cities/Regions/Countries
09 | Education
10 | Political_Parties
11 | Religion
12 | Sects
13 | Illegal_Activities
14 | Computer_Crime
15 | Hate/Discrimination
16 | Warez/Hacking/Illegal_Software
17 | Extreme
18 | Gambling
19 | Computer_Games
20 | Toys
21 | Cinema/Television
25 | Literature/Books
26 | Humour/Comics
27 | General_News/Newspapers/Magazines
28 | Web_Mail
29 | Chat
30 | Newsgroups/Bulletin_Boards/General_Discussion_Sites
31 | SMS/Mobile_Phone_Accessories
32 | Digital_Postcards
33 | Search_Engines/Web_Catalogs/Portals
34 | Software_and_Hardware_Vendors/Distributors
35 | Web_Hosting/Broadband
36 | IT-Security
37 | Translation
38 | Anonymous_Proxies
39 | Illegal_Drugs
40 | Alcohol
41 | Tobacco
42 | Self-Help/Addiction
43 | Dating/Relationships
44 | Restaurants/Bars
45 | Travel
46 | Fashion/Cosmetics/Jewelry
47 | Sports
48 | Building/Residence/Architecture/Furniture
49 | Nature/Environment
50 | Private_Homepages
51 | Job_Search
52 | Investment_Brokers/Stocks
53 | Financial_Services/Investment
54 | Banking/Home_Banking
55 | Vehicles/Transportation
56 | Weapons
57 | Health/Recreation/Nutrition
58 | Abortion
60 | Spam_URLs
61 | Malware
62 | Phishing_URLs
63 | Instant_Messaging

3.5 Logging

Activities which are processed through the URL Filter generate two log files. These log files can be viewed in the Log GUI of the graphical administration tool Barracuda NG Admin via Logs > <servername> > <servicename> >
- Cofsd (created by the URL Filter daemon)
- Fwauthd (created by the Barracuda NG Authentication Client processing the "block-page").
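As an added example (not code from the manual or from Barracuda), a small Python handler for the custom block-page parameter lines shown above: it parses the query string the URL Filter appends (bare reason flags such as filter_timeout, categories=1,6,35 and url=), maps the numbers to a subset of Table 125, and renders the page with the reflected url value HTML-escaped. The function names, the category subset and the HTML layout are this example's own assumptions.

```python
"""Added example, not code from the Barracuda manual: a minimal request
handler for the custom block-page parameters described above. The URL Filter
redirects a blocked request to the external HTTP server with a query string
such as  block_page?filter_timeout&url=www.forbidden.com  or
block_page?categories=1,6,35&url=www.forbidden.com. The function and
constant names below are this example's own; the category texts are a
subset of Table 125 and the reason texts come from the message table."""
import html
from urllib.parse import parse_qs

# Reason keys and messages as listed in the block-page message table above.
REASON_MESSAGES = {
    "request_not_correct": "The proxy has sent an incorrect request",
    "black_list": "This site is on the BLACK LIST",
    "no_category": "This domain is in no category",
    "timestamp_not_active": "Sorry, but at this time the access is blocked",
    "user_limit_exeeded": "Sorry, but the URL Filter user limit exceeded",
}

# Subset of Table 125 (category number -> description).
URL_CATEGORIES = {
    1: "Pornography",
    6: "Governmental_Organizations",
    16: "Warez/Hacking/Illegal_Software",
    35: "Web_Hosting/Broadband",
    38: "Anonymous_Proxies",
    61: "Malware",
    62: "Phishing_URLs",
}


def parse_block_page_query(query: str) -> dict:
    """Split the query string into reason flags, category numbers and the URL.

    Reason flags are bare keys without a value (e.g. "filter_timeout");
    "categories" is a comma-separated list of numbers; "url" is the blocked URL.
    """
    params = parse_qs(query, keep_blank_values=True)
    reasons = [key for key in params if key not in ("categories", "url")]
    categories = []
    for raw in params.get("categories", []):
        for item in raw.split(","):
            if item.strip().isdigit():
                categories.append(int(item))
    url = params.get("url", [""])[0]
    return {"reasons": reasons, "categories": categories, "url": url}


def block_reasons(parsed: dict) -> list:
    """Human-readable lines explaining why the request was blocked."""
    lines = [REASON_MESSAGES.get(key, f"Access is blocked (reason: {key})")
             for key in parsed["reasons"]]
    lines += [f"Category {num:02d}: {URL_CATEGORIES.get(num, 'not listed')}"
              for num in parsed["categories"]]
    return lines or ["Access to this site is blocked"]


def render_block_page(query: str) -> str:
    """Render the HTML block page.

    The url parameter is untrusted input reflected into the page (anyone can
    request the block server directly), so every value is HTML-escaped
    before it is written into the document.
    """
    parsed = parse_block_page_query(query)
    items = "".join(f"<li>{html.escape(line)}</li>" for line in block_reasons(parsed))
    safe_url = html.escape(parsed["url"], quote=True)
    return ("<html><body><h1>Access denied</h1>"
            f"<p>Requested URL: {safe_url}</p><ul>{items}</ul></body></html>")


if __name__ == "__main__":
    # Constructed query strings following the two parameter lines above.
    for query in ("filter_timeout&url=www.forbidden.com",
                  "categories=1,6,35&url=www.forbidden.com"):
        print(render_block_page(query))
```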
FTP Gateway
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
2. Installation
2.1 Create Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
3. Configuration
3.1 Service Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
3.2 FTP-GW Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
3.2.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
3.2.2 User specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
3.2.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
1. Overview

1.1 General

The Barracuda NG Firewall FTP Gateway service is completely maintainable via the management console Barracuda NG Admin.

Note:
For detailed information on the file transfer protocol (FTP) see www.w3.org/protocols/rfc959.

2. Installation

An installed box server is a pre-requisite to the installation of the FTP Gateway service.

2.1 Create Service

... > Assigned Services and assign FTP Gateway as software module to create a FTP Gateway. Activate the changes by clicking Activate. Your newly installed FTP Gateway service is now ready for configuration.

3. Configuration

The configuration tree of the box provides all configuration options for the FTP Gateway service and contains the following items (listed according to their sequence of usage):
- Service Properties
- FTP-GW Settings, Page 370

Note:
Boxes maintained via a Barracuda NG Control Center (CC) can be configured locally only if an Emergency Override is performed (Configuration Service 2.2.1.1 Box Context Menu, page 51).

3.2 FTP-GW Settings

To enter the configuration, select the FTP-GW Settings entry in the configuration tree.

Fig. 131 FTP-GW Settings
3.2.1 Settings

List 131 FTP-GW Settings configuration section BEHAVIOR
Parameter | Description
Listening Port | This parameter specifies the TCP port the gateway is listening on (default: 21).
Dataport range (min) | Here the smallest possible allowed TCP port the gateway uses for data connections is defined (default: 30000).
Listen timeout (s) | This timeout defines the maximum allowed duration for connection establishment (default: 15 seconds). If the timeout is exceeded the gateway terminates the attempt.
Bind policy | Here the to-be-used Bind IP is defined. The available options are: ProxyDyn (default) - The bind IP is defined by the routing table. Server-First - The FTP gateway uses the first server IP for connections. Server-Second - The FTP gateway uses the second server IP for connections. Explicit - The FTP gateway uses an explicit IP for connections (to be defined below).
Explicit Bind IP | Via this parameter the explicit IP to be used by the FTP gateway on connection has to be entered. Take into consideration that this parameter is only available if Explicit has been selected as parameter for Bind policy (see above).
Maximal allowed workers | This parameter determines the number of processes that the gateway may fork (default: 255).
Deny active ftp-data transfer | By setting this parameter to yes, any PORT command will be denied by the gateway (default: no). This way only passive data transfer is possible, which means that the server connects to the client.
Deny passive ftp data-transfer | By setting this parameter to yes, any PASV command will be denied by the gateway (default: no). This way only active data transfer is possible, which means that the client connects to the server.
Deny additional ftp-commands | Setting this parameter to no allows additional FTP commands that are not included in RFC 959 (like status display in percentage) (default: yes).
FTP-command/protocol check | If active, this parameter (default: yes) parses the protocol and checks FTP commands for correctness.
Buffer-overflow protection | The button Set opens a new window with several parameters for buffer-overflow protection configuration which can be activated or deactivated. Each of the parameters controls two input fields: the first one activates or deactivates a length restriction (possible values yes/no), the second one defines the length limitation if the first value has been set to yes. The following table displays the configured default settings:

Parameter | Description
(Max.) Filename Length [default: yes / 255] | This parameter affects the following commands: RETR, STOR, SMNT, APPE, RNFR, RNTO, DELE, RMD, MKD, LIST, NLST and STAT, due to the fact that all of those commands may contain a parameter with a file or directory name.
(Max.) Username Length [yes / 255] | Length limitation for username (USER).
(Max.) Account Info Length [yes / 255] | Length limitation for account (ACCT).
(Max.) Password Length [yes / 255] | Length limitation for password (PASS).
(Max.) String Length [yes / 255] | Limits the parameter length for commands REST, SITE and HELP.
(Max.) Parameter Length [yes / 255] | Limits the parameter length for all other FTP commands.

List 132 FTP-GW Settings configuration section Virus Scanning
Parameter | Description
Use local virus scanner | Set to yes (default: no) to enable the virus scanning on files retrieved via FTP download. Virus scanning settings are configured in 1.7.4 FTP Gateway Integration, page 397.

List 133 FTP-GW Settings configuration section Logging
Parameter | Description
Click the Show button to start the configuration dialog for logging settings. The following actions are logged by default:
- Log download file
- Log upload file
- Log append file
- Log rename file
- Log delete file
- Log delete directory
- Log create directory
- Log other file-actions
- Log denied ftp-commands
- Log protocol denies
- Log logins
- Log succeeded local logins
- Log denied local logins
- Log destination denies
- Log file-upload denies
- Log file-download denies
- Log structure-mount denies
- Log delete file-denies
- Log rename-file denies
- Log change to upper dir denies
- Log extension denies
- Log create dir denies
- Log delete dir denies
- Log other ftp-commands

3.2.2 User specific

Define different user profiles for FTP access here.

List 134 FTP-GW Settings Configuration - User specific section Configuration Assignment
Parameter | Description
The processing sequence goes from top to bottom (similar to the firewall rule set). The sequence is defined by the profile name (a profile number).
Affected Groups | Enter the groups here to which the profile and its restrictions apply.
Affected Users | Enter the users here to which the profile and its restrictions apply.
Affected IPs for Anonymous | Here you may assign IP addresses to the profile that need no authentication for accessing the FTP gateway (see 3.2.3 Authentication, page 372, parameter No local authorization needed, Page 372).

List 135 FTP-GW Settings Configuration - User specific section Special Destinations
Parameter | Description
Via the parameters of this section you are able to define restrictions for explicit FTP destinations (overruling the global configuration defined in FTP-GW Settings Configuration - User specific section Default User Specific, Page 372).
Destination | Here the IP address or DNS-resolvable hostname of the FTP destination has to be entered.
Redirection | This parameter allows connection redirection to another host.
Policy | This parameter defines whether the destination is accessible for this user profile or not (default: allow).
Initial directory | This parameter defines the "start" directory after login.
Top most directory | This parameter defines the highest possible directory level.
Deny file-upload | Set to yes (default: no) to prohibit file upload for this user profile.
Deny file-download | Set to yes (default: no) to prohibit file download for this user profile.
Deny file-delete | Set to yes (default: no) to prohibit file deletion for this user profile.
Deny file-rename | Set to yes (default: no) to prohibit renaming of a file for this user profile.
Deny structure mount | Set to yes (default: no) to prohibit a structure mount for this user profile.
Deny make dir | Set to yes (default: no) to prohibit directory creation for this user profile.
Deny delete dir | Set to yes (default: no) to prohibit directory deletion for this user profile.
Deny file-extensions | Define prohibited file extensions for this user profile. Enter only the extension itself without the leading dot. Separate multiple entries with a space (like mp3 exe doc).
Timeout (sec.) | This parameter specifies the timeout after which an idle connection is terminated (default: 0).

List 136 FTP-GW Settings Configuration - User specific section Default User Specific
Parameter | Description
Via the parameters of this section you are able to define "global" restrictions for this user profile.
Destination | Here the IP address or DNS-resolvable hostname of the FTP destination has to be entered.
Policy | This parameter defines whether the FTP gateway is available to this user profile or not (default: allow).
Deny file-upload | Set to yes (default: no) to prohibit file upload for this user profile.
Deny file-download | Set to yes (default: no) to prohibit file download for this user profile.
Deny file-delete | Set to yes (default: no) to prohibit file deletion for this user profile.
Deny file-rename | Set to yes (default: no) to prohibit renaming of a file for this user profile.
Deny make dir | Set to yes (default: no) to prohibit directory creation for this user profile.
Deny delete dir | Set to yes (default: no) to prohibit directory deletion for this user profile.
Deny structure mount | Set to yes (default: no) to prohibit a structure mount for this user profile.
Deny file-extensions | Define prohibited file extensions for this user profile. Enter only the extension itself without the leading dot (for example mp3).
Timeout (sec.) | This parameter specifies the timeout after which an idle connection is terminated (default: 0).

List 137 FTP-GW Settings Configuration - User specific section Time Restrictions
Parameter | Description
Use Local Time checkbox | Mark the checkbox to relate time restriction settings to the system's time zone settings. If unchecked, the parameter Time Zone below is activated to allow specific time zone configuration.
Time Zone | Choose from the pull-down menu the preconfigured time zone the time restriction settings are meant to relate to.
Time Settings | The default policy allows all possible actions. By default, these profile settings as well are always valid. Activate checkboxes in the Time Interval window for periods a restriction should apply. During this period, all settings lose their validity.

Default User specific

Via this section a profile is defined that is used if no other profile matches the request. The available parameters are nearly identical to the ones described above. An additional section TIME RESTRICTIONS allows limiting the default profile's validity period.

List 138 FTP-GW Settings Configuration - User specific - Default User Specific section SPECIAL DESTINATIONS
Parameter | Description
see list 135, page 371

List 139 FTP-GW Settings Configuration - User specific - Default User Specific section OTHER DESTINATIONS
Parameter | Description
see list 136

List 1310 FTP-GW Settings Configuration - User specific - Default User Specific section Time Restrictions
Parameter | Description
Use Local Time checkbox | Mark the checkbox to relate time restriction settings to the system's time zone settings. If unchecked, the parameter Time Zone below is activated to allow specific time zone configuration.
Time Zone | Choose from the pull-down menu the preconfigured time zone the time restriction settings are meant to relate to.
Time Settings | The default policy allows all possible actions. By default, these profile settings as well are always valid. Activate checkboxes in the Time Interval window for periods a restriction should apply. During this period, all settings lose their validity.

3.2.3 Authentication

List 1311 FTP-GW Settings Configuration section Local Authentication
Parameter | Description
Denied source-networks | This parameter holds networks from where users are not allowed to connect.
No local authorization needed | IP addresses/networks that are entered in this parameter do not need to authenticate when connecting.
Welcome message | This parameter allows generation of welcome messages that are displayed when logging in. The configuration dialog is opened when clicking Edit.
Phibs settings | The parameters of this configuration dialog (to be entered via button Edit) allow definition of details concerning authentication:
  PHIBS Authentication Scheme | This parameter defines what kind of authentication scheme is to be used. The following schemes are available: MSNT (default), RADIUS, LDAP, MSAD and RSAACE. Note: Take into consideration that authentication schemes MSNT and RSAACE do not provide group information.
  PHIBS Listen IP | (default: 127.0.0.1)
  PHIBS Timeout | (default: 10)
User List Policy | This parameter defines the policy for users that are entered in the user list (see below). The following settings are available: deny-explicit (default), allow-only.
User List | This section is used for entering the login names for which access is granted.
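Added example, not the gateway's own code: a Python checker that applies the BEHAVIOR settings of List 131 (FTP-command/protocol check, the RFC 959 command set behind Deny additional ftp-commands, PORT/PASV denial, and the Buffer-overflow protection length limits with their yes / 255 defaults) to raw client command lines. The class, function and verdict names are assumptions of this example, as is the constructed sample session.

```python
"""Added example, not code from the Barracuda manual: a checker that applies
the FTP-GW BEHAVIOR settings described above to one client command line:
the FTP-command/protocol check, Deny additional ftp-commands (RFC 959 set),
Deny active / Deny passive ftp-data transfer (PORT / PASV), and the
Buffer-overflow protection length limits (default yes / 255 for every
class). Class, function and verdict names are this example's own."""
from dataclasses import dataclass
from typing import Optional, Tuple

# The command set of RFC 959; anything else counts as an "additional" command.
RFC959_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "SMNT", "QUIT", "REIN", "PORT",
    "PASV", "TYPE", "STRU", "MODE", "RETR", "STOR", "STOU", "APPE", "ALLO",
    "REST", "RNFR", "RNTO", "ABOR", "DELE", "RMD", "MKD", "PWD", "LIST",
    "NLST", "SITE", "SYST", "STAT", "HELP", "NOOP",
}
# Commands whose argument is a file or directory name ((Max.) Filename Length).
FILENAME_COMMANDS = {"RETR", "STOR", "SMNT", "APPE", "RNFR", "RNTO",
                     "DELE", "RMD", "MKD", "LIST", "NLST", "STAT"}
# Commands covered by (Max.) String Length.
STRING_COMMANDS = {"REST", "SITE", "HELP"}


@dataclass
class GatewaySettings:
    """The BEHAVIOR parameters with the manual's defaults."""
    deny_active: bool = False        # Deny active ftp-data transfer (PORT)
    deny_passive: bool = False       # Deny passive ftp data-transfer (PASV)
    deny_additional: bool = True     # Deny additional ftp-commands
    protocol_check: bool = True      # FTP-command/protocol check
    # Buffer-overflow protection: (restriction active, maximum length)
    max_filename: Tuple[bool, int] = (True, 255)
    max_username: Tuple[bool, int] = (True, 255)
    max_account: Tuple[bool, int] = (True, 255)
    max_password: Tuple[bool, int] = (True, 255)
    max_string: Tuple[bool, int] = (True, 255)
    max_parameter: Tuple[bool, int] = (True, 255)


def length_limit(settings: GatewaySettings, cmd: str) -> Tuple[bool, int]:
    """Pick the length restriction that applies to a command's argument."""
    if cmd in FILENAME_COMMANDS:
        return settings.max_filename
    if cmd == "USER":
        return settings.max_username
    if cmd == "ACCT":
        return settings.max_account
    if cmd == "PASS":
        return settings.max_password
    if cmd in STRING_COMMANDS:
        return settings.max_string
    return settings.max_parameter


def check_command(line: str, settings: Optional[GatewaySettings] = None) -> Tuple[str, str]:
    """Apply the gateway checks to one raw command line from the client.

    Returns ("allow", reason) or ("deny", reason). A denied command is what
    the Logging section records as a denied ftp-command or a protocol deny.
    """
    settings = settings or GatewaySettings()
    if settings.protocol_check:
        # RFC 959 command lines are ASCII Telnet lines terminated by CRLF.
        if not line.endswith("\r\n") or not line.isascii():
            return ("deny", "protocol check: malformed command line")
        body = line[:-2]
        if any(ch in body for ch in "\r\n\0"):
            return ("deny", "protocol check: embedded control characters")
    else:
        body = line.rstrip("\r\n")
    cmd, _, arg = body.partition(" ")
    cmd = cmd.upper()
    if settings.protocol_check and not (cmd.isalpha() and 3 <= len(cmd) <= 4):
        return ("deny", "protocol check: invalid command token")
    if cmd not in RFC959_COMMANDS and settings.deny_additional:
        return ("deny", f"additional command {cmd} denied")
    if cmd == "PORT" and settings.deny_active:
        return ("deny", "active data transfer denied (PORT)")
    if cmd == "PASV" and settings.deny_passive:
        return ("deny", "passive data transfer denied (PASV)")
    active, limit = length_limit(settings, cmd)
    if active and len(arg) > limit:
        return ("deny", f"{cmd} argument of {len(arg)} bytes exceeds limit {limit}")
    return ("allow", f"{cmd} ok")


if __name__ == "__main__":
    # Constructed client session: a normal login, an over-long filename and
    # a PORT command on a gateway that only permits passive transfers.
    passive_only = GatewaySettings(deny_active=True)
    session = ["USER alice\r\n", "PASS s3cret\r\n", "PASV\r\n",
               "RETR " + "A" * 300 + "\r\n", "PORT 10,0,0,5,4,1\r\n", "FEAT\r\n"]
    for raw in session:
        verdict, reason = check_command(raw, passive_only)
        print(f"{verdict:5} {raw.split(' ')[0].strip():4} {reason}")
```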
Voice over IP
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
2. SCCP
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
2.2 Installing SCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
4. SIP
4.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2 SIP-related Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2.1 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.2.2 Firewall Forwarding Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
4.3 Installing SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
5. Monitoring
5.1 Dynamic Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
1. Overview

2. SCCP

Fig. 141 Provisioning the plugin in a service object for the SCCP signalling

Note:
If this option is not specified then the default value RTP:Skinny (see below) is used instead. No address translation is performed for the RTP media streams if there is no matching entry in Connections.

- srvname is a reference to a Dyn. Service label that fills a service object with the data stream of skinny calls (syntax: skinny [srvname=<srvname>]) (protocol: UDP). The service object can be referenced by a firewall rule in order to forward the media streams between the call participants. The default value of srvname is RTP:Skinny.

Fig. 142 RTP Stream service object with the default service name set to RTP:Skinny

The name of the map must match the option of the natname parameter of the skinny firewall plugin configured above. The Original Address/Net is the physical IP subnet of a node whereas the Translated Address/Net is the virtual address.

Fig. 144 Creating an Address Translation Map

(Diagram labels: Callmanager, Hub, IP phones, Barracuda NG Firewall, Virtual Subnet)

Fig. 145 Skinny signal protocol firewall rule with Skinny firewall plugin

Fig. 146 RTP firewall rule with network address translation from the voipnat address translation map

3.2 Configuration

H.323 is configured within the Firewall Forwarding Settings (Config > Box > Virtual Servers > <servername> > firewall).

Fig. 147 Firewall Forwarding Settings - H.323 Gatekeeper Configuration dialog

List 141 Firewall Forwarding Settings - H.323 Gatekeeper tab
Parameter | Description
Enable H.323 Gatekeeper | Starts the firewall gatekeeper if set to yes. Note: In order to allow communication of the H.323 equipment with the Barracuda NG Firewall gatekeeper you must add rules to the local firewall. We recommend to allow all incoming and outgoing UDP and TCP IP ports from the networks with H.323 nodes that are directly communicating with the Barracuda NG Firewall gatekeeper.
Gatekeeper Name | This is the H.323 alias name of the firewall gatekeeper.
Gatekeeper Bind IP | Determines whether the gatekeeper binds on the first or second IP of the server or if the gatekeeper should bind all local IPs of the host. An explicit IP can also be entered by ticking the Other checkbox.
Broadcast RAS | Enable the sending of H.225 broadcast gatekeeper discovery packets. This is useful for phones that autodetect the gatekeeper.
Gatekeeper Password | The password that must be specified by the neighbour gatekeepers to logon to the firewall gatekeeper for allowing neighbour cluster calls.
H.323 Gatekeeper Neighbors |
  Name | The H.323 alias of the neighbour gatekeeper.
  Gatekeeper Type | The vendor of the neighbour gatekeeper (GnuGK, CiscoGK, ClarentGK, GlonetGK).
  Gatekeeper Hostname | This is the hostname or IP address of the neighbour gatekeeper.
  Gatekeeper Port | This is the H.225 port number of the neighbour gatekeeper.
  Gatekeeper Password | The specified password is used to log into the neighbour gatekeeper for neighbour clustering support.
Neighbor Timeout (sec.) | The timeout of LRQ (Location Request) messages for browsing the neighbor cluster.
H.323 Endpoints | Endpoints that are permanently registered at the gatekeeper. This is useful for interfaces that do not support H.225 RAS.
  H.323 Alias | H.323 alias of the permanent endpoint.
  Gateway Hostname/IP | Hostname or IP address of the endpoint. Endpoints with dynamic IPs must use H.225 registration to connect to the firewall gatekeeper.
  Prefix | All calls with this number or prefix are routed to this endpoint.
Call Redirect |
  Original Prefix | All calls with this prefix are rerouted.
  New Prefix | The Original Prefix is removed from the dialled number and replaced with the new prefix.
RAS Authentication | The following options are available: None allows all H.225 RRQ (Registration Requests). Radius registers the username at a radius server. Radius+CAT uses the Cisco Access Token in the RRQ message for registration at a radius server.
Radius Server | IP address or hostname of the radius server. An optional port number may be specified after a colon (:): <hostname>[:<port>]
Radius Password | The shared secret of the radius server.
Radius Server Timeout (millisec) | If the server does not answer within the specified time period then the authentication fails.
Radius IDCache Timeout (millisec) | Lifetime of the 8-bit request cache ID. After the timeout expires the cache ID of a request may be reused. If the timeout is too short, then the radius server may drop requests with the same cache ID.
Radius Server Transmission | The number of tries of authentication requests that are sent to the radius server. The Radius Server Timeout determines the time intervals between the transmissions.
Radius with Terminal Alias | Include the Cisco h323-ivr-out attribute in the radius request.
Fixed Radius User / Fixed Radius Password | If this option is used and the RAS Authentication is set to Radius then all registration requests will use the Fixed Radius User and Fixed Radius Password for registration at the radius server. If this field is left blank then the username is used as password.

4. SIP

SIP firewall traversal and NAT is supported by the Barracuda NG Firewall service plugin. The firewall decodes the SIP packets and opens and closes firewall pinholes for the voice media connections. Due to the dynamic nature of this protocol, a table of all active calls is held in memory. This table contains the negotiated media connections, the SIP transactions for the call signalling, and the calls. When a SIP packet passes the firewall, the state of the table is altered accordingly.

The SIP plugin supports SIP signalling over UDP/IP packets. The default port for the SIP signalling connection is UDP port 5060.

Note:
For more information about the SIP Protocol see "RFC3261: SIP: Session Initiation Protocol".

4.2 SIP-related Parameters

4.2.1 Firewall Settings

SIP transaction timeouts are defined in Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (firewall) > Firewall Forwarding Settings > SIP.

All timeout values are set in hundredths of a second.

List 143 Forwarding Firewall Settings - SIP Parameters
Parameter | Description
INVITE Timeout (csec) | The invite timeout is the timeout of an "INVITE" transaction. If a reply to this request is received after the invite timeout has expired then the reply is discarded. This value can also be set in the SIP service object by the "toInvite" plugin parameter (default: 3200).
ACK Timeout (csec) | The ACK timeout is the timeout of a replied or acknowledged "INVITE" transaction, after which the transaction is discarded. This value can also be set in the SIP service object by the "toAck" plugin parameter (default: 3200).
Reply Timeout (csec) | The reply timeout defines how long the firewall will wait for a reply of a non-invite transaction. This value can also be set in the SIP service object by the "toReply" plugin parameter (default: 400).
Transaction Timeout (csec) | The transaction timeout is the timeout of a replied non-invite transaction. This value can also be set in the SIP service object by the "toTrans" plugin parameter (default: 500).
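Added example, not the plugin's own code: a Python model of the in-memory SIP transaction table described in 4. SIP, driven by the four List 143 timeouts in csec (toInvite, toAck, toReply, toTrans), showing which replies are forwarded and which are discarded because their transaction already timed out. The class, method and event names, and the constructed trace, are assumptions of this example; provisional replies are not distinguished.

```python
"""Added example, not code from the Barracuda manual: a simplified model of
the in-memory SIP transaction table described above, driven by the four
timeouts of List 143 (toInvite, toAck, toReply, toTrans, all in hundredths
of a second). It shows which replies are forwarded and which are discarded
because their transaction has already timed out. The class, method and
event names are this example's own; the real plugin internals are not
documented on the page, and provisional replies are not distinguished."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SipTimeouts:
    """Timeouts in csec (1/100 s) with the defaults of List 143."""
    to_invite: int = 3200   # INVITE Timeout
    to_ack: int = 3200      # ACK Timeout
    to_reply: int = 400     # Reply Timeout (non-INVITE request awaiting reply)
    to_trans: int = 500     # Transaction Timeout (replied non-INVITE)


@dataclass
class Transaction:
    method: str     # "INVITE", "REGISTER", "BYE", ...
    state: str      # "pending", "replied" or "acked"
    expires: int    # absolute time in csec at which the entry is dropped


class SipTransactionTable:
    """Transactions keyed by (Call-ID, branch), expired on every packet."""

    def __init__(self, timeouts: Optional[SipTimeouts] = None):
        self.timeouts = timeouts or SipTimeouts()
        self.entries: Dict[Tuple[str, str], Transaction] = {}

    def expire(self, now: int) -> int:
        """Remove every transaction whose timeout has passed; return the count."""
        stale = [key for key, tx in self.entries.items() if tx.expires <= now]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def request(self, key: Tuple[str, str], method: str, now: int) -> str:
        """A request passes the firewall: open a transaction."""
        self.expire(now)
        wait = self.timeouts.to_invite if method == "INVITE" else self.timeouts.to_reply
        self.entries[key] = Transaction(method, "pending", now + wait)
        return "opened"

    def reply(self, key: Tuple[str, str], status: int, now: int) -> str:
        """A reply passes the firewall; a late or unmatched reply is discarded."""
        self.expire(now)
        tx = self.entries.get(key)
        if tx is None:
            return "discarded"
        tx.state = "replied"
        # A replied INVITE now waits for the ACK; a replied non-INVITE
        # transaction lives on for the Transaction Timeout.
        tx.expires = now + (self.timeouts.to_ack if tx.method == "INVITE"
                            else self.timeouts.to_trans)
        return "forwarded"

    def ack(self, key: Tuple[str, str], now: int) -> str:
        """An ACK passes the firewall; only a replied INVITE can be acknowledged."""
        self.expire(now)
        tx = self.entries.get(key)
        if tx is None or tx.method != "INVITE" or tx.state != "replied":
            return "discarded"
        tx.state = "acked"
        tx.expires = now + self.timeouts.to_ack
        return "forwarded"


def run_trace(events: List[Tuple], timeouts: Optional[SipTimeouts] = None) -> List[str]:
    """Feed (time_csec, kind, key, detail) events through a fresh table.

    kind is "request" (detail = method), "reply" (detail = status) or "ack".
    """
    table = SipTransactionTable(timeouts)
    verdicts = []
    for now, kind, key, detail in events:
        if kind == "request":
            verdicts.append(table.request(key, detail, now))
        elif kind == "reply":
            verdicts.append(table.reply(key, detail, now))
        else:
            verdicts.append(table.ack(key, now))
    return verdicts


if __name__ == "__main__":
    # Constructed trace: one call answered in time, one answered too late.
    call_a, call_b = ("a@host", "z9hG4bK-1"), ("b@host", "z9hG4bK-2")
    trace = [(0, "request", call_a, "INVITE"), (0, "request", call_b, "INVITE"),
             (150, "reply", call_a, 200), (160, "ack", call_a, None),
             (3300, "reply", call_b, 200)]       # 3300 csec > toInvite 3200
    for event, verdict in zip(trace, run_trace(trace)):
        print(f"t={event[0]:5} {event[1]:7} {event[2][1]}: {verdict}")
```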
5. Monitoring
Wireless LAN
2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
2.2 Network Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
2.3 WLAN Default Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.5 WLAN Access Point Basic Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.6 Radius/EAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
2.7 Wireless Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
2.8 Advanced Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
2.9 WLAN Access Point GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
2. Configuration

- Choose the country you are residing in from the Location pull-down menu.

Step 3 Wi-Fi Operational Mode
- Select IEEE 802.11bg in the Operational Mode drop-down menu.

Step 4 Channel Selection

- Click Activate New
- Choose Failsafe

If you are not performing the network activation for the first time and you changed anything within Control > Box > Configuration > WLAN, then
- Click Activate New
- Choose Force

2.3 WLAN Default Routes

Configure a default route for the WLAN by performing the following steps:
- Go to Box > Config > Network Routes and click Lock
- Click Insert and enter a name for the route
- Enter a target network address, e.g. 192.168.1.0/24

WPA-PSK | Wi-Fi Protected Access with Pre-Shared-Key authentication
WPA-Radius/EAP | Wi-Fi Protected Access with Extensible Authentication Protocol via Radius server.
WPA-PSK+WPA-Radius/EAP | WPA-PSK as well as WPA-Radius/EAP authentication.

Step 3 Encryption Mode
- Select the encryption standard that should be applied.

Parameter | Description
EAPoL Protocol Version | Extensible Authentication Protocol over LAN version for 802.1X authentication.
EAPoL Protocol Version XP Key Workaround | When using MS Windows XP and broadcast keys.
SSH Gateway
1. SSH Proxy
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
1.2 Creating a SSH Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
1.3 Configuring a SSH Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
1.3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
1.3.2 Authentication & Login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
1.3.3 Default Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
1.3.4 Access Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
1.3.5 Permission Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
1.3.6 User Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
1. SSH Proxy

1.1 Overview

The SSH Proxy allows regulating SSH connections.

Supported features:
- Based on openSSH 3.8p1 with proprietary modifications for the controlled termination of SSHv2 terminal access sessions
- No support for the termination of SSH protocol version 1
- No support for remote execution or secure copy or secure ftp
- No local user database required
- User authentication at the gateway via all configurable and meaningful authentication schemes (not OCSP)
- Configurable local source IP (to use policy routing) for accessing remote systems
- Configurable SSH protocol support for accessing target systems (v2-only, or v2 and v1)
- Configurable escape character

Note:
Parts of this document/description are taken from the manual pages of openSSH 3.8p1.

1.2 Creating a SSH Proxy

The SSH Proxy service is created as described in Configuration Service 4. Introducing a New Service, page 97,

1.3.3 Default Permissions

List 165 SSH Proxy configuration - Default Permissions section Security Options
Parameter | Description
Max Illegal Inputs | This parameter defines how often an illegal option may be selected by the user until the connection is terminated.
Record Terminal Session | User terminal activity is being recorded into a file.
Recorded Users | User login names for whom the recording will take place.
Blocked Users | These users have no access to any of the configured SSH destinations.
Inactivity Grace Time [s] | As soon as a SSH connection no longer has traffic, this limit is waited until the connection is terminated (default: 120).
Supported SSH Protocol | This parameter defines the to-be-used SSH protocol (v2-only - default - or v2-and-v1) for connecting to remote targets. Attention: Since SSHv1 is considered to be insecure, Barracuda Networks highly recommends not to use option v2-and-v1.
Allow Outbound Compression | States whether or not data compression is supported by the proxy for outgoing client connections. Within LAN environments using compression can create a significant CPU overhead and is typically not advisable. When connecting to remote servers over low bandwidth links compression may appreciably improve the user experience. Note that when set to yes the user is prompted if he/she would like to request compression when connecting to the target server.
Forward X11 connections | Allow X11 connections through the SSH proxy (transferring and displaying data used by a remote X11 application on your local workstation is permitted through the SSH tunnel).
Allow Public Keys | Specifies whether public key authentication is allowed by the server. Set this option to yes if you wish to allow connecting users to authenticate themselves at a target system with public key authentication. While authentication at the SSH proxy requires user/password authentication, it still supports this feature at a remote target via SSH agent forwarding.
Support Agent Forwarding | Specifies whether the connection to the authentication agent (if any) will be forwarded to the connecting user's machine or not. This is required when users are allowed to use cascaded agent forwarding. Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the connecting host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
Client Log Level | This parameter defines the intensity of log file creation.
SSH Escape Character | Sets the SSH escape character (default: none). We strongly advise against the usage of an active escape character unless you completely trust your users.

List 166 SSH Proxy configuration - Default Permissions section Access Options
Parameter | Description
Target Alive Interval [s] | Sets a timeout interval in seconds after which, if no data has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default is 15, indicating that these messages are sent every 15 seconds to the server. This option applies to protocol version 2 only.
Target Alive Max Count | Sets the number of server alive messages (see above) which may be sent without ssh receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.
Static Source IP | Defines a static IP address, which is used as source address for the SSH connection.
Allow Local Access | Controls whether or not users may access local box addresses. We recommend to leave this turned off unless you limit access to the proxy to Barracuda NG Firewall administrators only.
Access Control Policy | Choose between By Network ACL Restriction and By Explicit Host Specification. Users are given access to certain destinations based on destination hosts which are configured in the Access Lists section and referenced by Permission Profiles.
Network ACL | Users who are not in the Blocked User Groups can be given additional access rights due to source network restrictions.
Allowed Hosts List | Choose an Access List (defined at 1.3.4 Access Lists, page 388).

1.3.4 Access Lists

List 167 SSH Proxy configuration Access Lists section Access List Configuration
Parameter | Description
Access Lists | Edit, Insert, or Delete an access list

List 168 SSH Proxy configuration - Access Lists Access List Configuration section Access List Configuration
Parameter | Description
Allowed Hosts | Edit, Insert, or Delete an allowed host

List 169 SSH Proxy configuration - Access Lists Access List Configuration section Allowed Host Configuration
Parameter | Description
User Visible Name | Name of the target host allowed to connect, seen by the user (when connecting to the SSH proxy)
Target FQDN | Fully qualified domain name of the target host defined in DNS
Target IP Address | IP Address of the target host allowed to connect, seen by the user (when connecting to the SSH proxy)

1.3.5 Permission Profiles

This is nearly the same as the Default Permissions (list 165, page 388) but can be applied to users by way of assignments to login names, see 1.3.6 User Authorization.

This view allows creating pre-defined profiles for SSH permissions. The created profiles are available in the User Authorization view. The parameters are the same as mentioned in list 165, page 388.

1.3.6 User Authorization

List 1610 SSH Proxy configuration - User Authorization
Parameter | Description
Permission Profile | Here a pre-defined permission profile has to be selected.
User Names | Can be used to assign a permission profile to user login names. If there is no valid assignment for a particular user then the default permissions will apply.
Anti-Virus
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
1.2 Basic Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
1.3 Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
1.4 Avira. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
1.5 ClamAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
1.6 Streaming Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
1.7 Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
1. Overview
SMTP communication between the Barracuda NG Firewall mail gateway and the Virus Scanner Service.
Note:
Licenses for the Virus Scanner service (.lic file) and AVIRA products (.key file) are required for full virus scanner integration functionality. Import the .lic file into the Box Licenses container (Configuration Service 5.1.4 Inventory, page 103). Import the .key file into the license fields provided within the Virus Scanner service. Further information on Avira Virus Scanner Licenses is available in Licensing 2.3.3 "Avira Virus Scanner Licenses", page 534.
To introduce the Virus Scanner Service, follow the instructions in Configuration Service 4. Introducing a New Service, page 97, and select Virus Scanner as Software Module.
Configuration
Note:
Since the Virus Scanner Service always binds to loopback addresses a Bind Type selection is not
HTML Templates: Here the HTML template pages sent to the client browser in case a page is blocked can be defined.

List 17-3 Virus Scanner Settings - Basic Setup section Advanced
Parameter Description
Debug Log Level: Define here the level of debug output in the log.

1.3 Updates
This configuration module defines how the virus scanning engines handle their pattern database updates. Within the subsections, engine and data specific settings can be configured.

1.3.1 General Update Settings
List 17-4 Virus Scanner Settings - Updates - section General Update Settings
Parameter Description
List 17-10 Virus Scanner Settings - Avira section Avira
Parameter Description
Heuristic Others Detection: Enables/disables detection of known or unknown malicious code in all types of files before an update is performed. The level of intensity ranges from 0 (disabled) to 3 (full intensity).

1.5 ClamAV
Settings concerning only the ClamAV virus scanning engine.
Note:
Exploits within key frames (ActiveX controls) will not be detected by the ClamAV virus scanning engine.

1.5.1 ClamAV General
The settings within this section affect the general behavior of the ClamAV virus scanning engine.
List 17-11 Virus Scanner Settings - ClamAV section ClamAV General
Parameter Description
Self Check: Interval in seconds for the periodic database check; defaults to 600.

1.5.2 ClamAV Archive Scanning
Settings that define ClamAV's behavior regarding all kinds of archives, such as *.zip, *.rar or certain document files.
List 17-12 Virus Scanner Settings - ClamAV section ClamAV Archive Scanning
Parameter Description
Scan Archives: Enables or disables scanning of archives. Defaults to yes.
Max. size (MB): Defines the maximum amount of data to be scanned for each input file. Archive and other container files are recursively extracted and scanned up to this value. A value of 0 disables the limit. Defaults to 1024.
Note:
Disabling this limit or setting a too high value may result in severe damage to the system.
Max. file size (MB): Files larger than this limit will not be scanned. A value of 0 disables the limit. Defaults to 150.
Max. nesting: Nested archives are scanned recursively. This defines the maximum number of nesting levels. A value of 0 disables the limit. Defaults to 20.
Max. count: Maximum number of files to be scanned within any archive. A value of 0 disables the limit. Defaults to 10000.
Note:
Disabling the limit or setting the value too high may result in severe damage to the system.
Block encrypted archives: Generally mark encrypted archives as viruses. Defaults to yes.
Note:
If archives are nested deeper than with factor 1, the scan engine will currently not scan for malicious code.

1.5.3 ClamAV Non-Virus Detection
ClamAV can detect malware, spyware or bandwidth wasters as well. Within this section, settings regarding these threats are defined.
List 17-13 Virus Scanner Settings - ClamAV section ClamAV Possibly Unwanted Applications (PUA)
Parameter Description
Detect All PUAs: Defaults to yes.
Packed: Files that use some kind of runtime packer. Defaults to yes.
PwTool: Password tools, that is, all kinds of tools that can be used to recover or decrypt passwords. Defaults to yes.
NetTool: Applications that can be used to sniff, filter, manipulate or scan network traffic or networks. Defaults to yes.
P2P: Peer-to-peer clients. Defaults to yes.
IRC: Internet Relay Chat clients. Defaults to yes.
RAT: Remote Access Tools; may be trojans, but also tools like VNC clients. Defaults to yes.
Tool: General system tools, like process killers or finders.
Spy: Keyloggers and spying tools. Defaults to yes.
Server: Server based badware like DistributedNet. Defaults to yes.
Script: Known problematic scripts written in Javascript, ActiveX or similar. Defaults to yes.

1.5.4 ClamAV Misc Scanning Options
List 17-14 Virus Scanner Settings - ClamAV section ClamAV Misc Scanning Options
Parameter Description
Algorithmic Detection: In some cases, ClamAV uses algorithms to detect malware. Defaults to yes.
Portable Executable: PE is an executable file format also used by self-unpacking archives. Defaults to yes.
Executable and Linking Format: ELF files are a UN*X standard. Defaults to yes.
Detect Broken Executables: With this option activated, ClamAV tries to detect broken PE and ELF files and marks them as broken. Defaults to no.
Scan OLE2: OLE files, such as MS Office and MSI. Defaults to yes.
Scan PDF: Adobe PDF files. Defaults to yes.
Heuristic Scan Precedence: Enables or disables heuristic scan precedence. Recommended for use. Defaults to yes.
Scan HTML: Enables or disables HTML normalisation and scanning of MS Script Encoder code. Defaults to yes.
Note:
If Heuristic Scan Precedence is enabled and the scan engine detects phishing signatures within archives or mails, scanning will be aborted and the affected files will be blocked.

1.5.5 ClamAV Mail Scanning Options
ClamAV can scan emails and recognize threats within them.
List 17-15 Virus Scanner Settings - ClamAV section ClamAV Mail Scanning Options
Parameter Description
Mail Follow URLs: Choose whether ClamAV follows download URLs within emails and scans the linked files. Defaults to no.
Scan Partial Messages: Scan RFC1341 messages split over multiple emails. Defaults to no.
Attention:
This may open your system to a DoS attack. Don't use it on loaded servers.
1.5.6 ClamAV Phishing Options
Phishing can optionally be recognized by ClamAV.
List 17-16 Virus Scanner Settings - ClamAV section ClamAV Phishing Options
Parameter Description
Use Phishing Signatures: ClamAV tries to detect phishing by using signatures. Defaults to no.
Always Block SSL Mismatch: Always block SSL mismatches in URLs, even if the URL is not in the database. Defaults to no.
Always Block Cloak: Always block cloaked URLs, even if the URL is not in the database. Defaults to no.

The squid-based proxy service communicates with the Virus Scanner WebGate by using the standardized ICAP protocol.
Fig. 17-2 Schematic overview of proxy integration
Fig. 17-3 Scan exceptions
List 17-19 HTTP Proxy Settings - Content Inspection section Virus Scanner
Parameter Description
Trickle Size Low Watermark (MB): There will be no trickle feature running for files smaller than this value (default: 50 MB).
Trickle Period (sec): Delay between trickle packets (default: 10 seconds).
Note:
Keep the value for Trickle Period SMALLER than the value for Popup After to avoid problems with Progress Popup and trickling.
Trickle HTTP 1.0: This parameter enables/disables the trickle feature for HTTP 1.0 (default: no).
Advanced Trickle Settings:
Enable Data Trickle Feature - Enables Data Trickling.
Note:
Data Trickling only works in NG operation mode.
Note:
Data Trickling causes unscanned data to be sent to the client.
Initial Data Trickle Size (kB) - Size of the first trickle packet.
Data Trickle Size (bytes) - Size of subsequent data trickle packets.
Data Trickle Buffer Size (kB) - Overall size of the trickle buffer.
Note:
A too high value causes high memory usage.
Data Trickle Dest. Domains - Restrict Data Trickling to certain domains.
Data Trickle URL Pattern - Restrict Data Trickling to certain domains defined by URL patterns. Example: Trickling of all PDF files of a domain: .pdf$
Header Trickle Dest. Domains - Restrict Header Trickling to certain domains.
Header Trickle Pattern - Restrict Header Trickling to certain domains defined by URL patterns. Example: Trickling of all PDF files of a domain: .pdf$
Note:
For additional information regarding Regular Expressions/Pattern-matching, see 1.2.3.3 Access Control - Using Regular Expressions, page 345.
Scan Exceptions: Domains: Define the domains that are excepted from being scanned. Raw: You may also enter raw squid configuration here (figure 17-3).
Progress Popup: Per default the proxy progress popup is disabled. Enabling the progress popup detects the following browsers per default:
- Mozilla Firefox 2 and 3
- Microsoft IE 6 and 7
- Opera
- Apple Safari
The proxy progress popup is available for both HTTP proxy and Secure Web Proxy. The progress popup can only be displayed for unencrypted content (HTTP connections). This feature requires a running Virus Scanner service and is not available in conjunction with third-party Virus Scanner engines. See list 17-20 for the parameter description.

Note:
Scanning of FTP over HTTP requests is included in the HTTP Proxy Settings and configured in the AVIRA ANTIVIR WEBGATE tab. Scanning of mere FTP requests handled through settings of the FTP Gateway is configured in the AVIRA ANTIVIR FTP SCANNING tab.
Note:
If the data trickling feature is active and malware has been found within a scanned file by the virus scanning engine, the remaining portion of the file will not be transmitted. This results in a small, incomplete stub file at the user's download location.
Trickling of all destinations applies if no special restrictions are defined. The Data Trickling access control list (ACL) is processed prior to the Header Trickling ACL.
This feature is only available when Engine Version NG is activated. It is generally not available within the Secure Web Proxy.
Please see List 17-19 HTTP Proxy Settings - Content Inspection section Virus Scanner, page 393, for in-depth information about trickling and the necessary parameters and settings.

List 17-20 Content Inspection section Virus Scanner Progress Popup
Parameter Description
Enable Progress Popup: Set to Yes to enable the proxy progress bar.
Log Decisions: Set to Yes to enable more granular logging, where the decisions why a progress bar is shown or not are written to the log.
Browsers Detection Regex: A regular expression which is applied to the client request's HTTP header for browser evaluation.
Exception Regex: A regular expression which is applied to the client request's HTTP header as a contraindication for a popup. If e.g. a user right-clicks a URL and executes a "Save target as ..." command, no progress bar should be popped up. Most browsers send a slightly different request in such a case.
Show Save Button: Set to Yes if the download should not be fetched automatically but the button "Save file as ..." should be shown instead.
Mime-Types: Define here the mime-types for which a progress bar should be shown. The default settings already contain the most useful mime-types. Mime types which are not saved to disk but handed over to a browser plugin (e.g. application/pdf) usually should not be given a progress bar, because users expect such types to be opened automatically, which is not possible with a progress bar. Even worse, the browser and the plugin both try to download the requested file, but the temporary link is only valid for one download and thus the second download request (from the plugin) will fail.
Popup After (sec): Define here after which amount of time a progress bar popup should be raised.
Note:
Keep the value for Trickle Period SMALLER than the value for Popup After to avoid problems with Progress Popup and trickling.
No Popups If Less Than (sec): Define here for which download time (this value or less) a progress bar popup should be suppressed.
Excluded Domains: Define here a list of excluded domains (e.g. where automated downloads may come from). This setting overrules the settings from above, that is, if a download matches one of the entries in this list a download progress bar is never shown.
Note:
The filter works only for domains and subdomains (that means up to the first slash (/) in the path).
Excluded Sources: Define here an exception list of sources where a download progress bar is always suppressed. This setting overrules the settings from above, that is, if a download matches one of the entries in this list a download progress bar is never shown.
Progress Template: Define here an HTML template for your customized download progress popup.
Note:
This setting may seriously damage your progress bar popup. Be sure what you are doing. Take the default template as a starting point for modification.
Unknown Downloads Template: Define here an HTML template for your customized "unknown download" page, which is shown if someone tries to call a temporary URL which does not exist any more.
Note:
This setting may seriously damage your progress bar popup. Be sure what you are doing. Take the default template as a starting point for modification.
Custom Template Logo: Import here a logo.
Note:
To be able to display a logo in MS Internet Explorer, Bypass proxy server for local addresses has to be disabled in the MS Internet Explorer's proxy settings.
Note:
The Progress Popup does not work with HTTPS connections.
Note:
Supported browsers are Mozilla Firefox 2 and 3, Microsoft Internet Explorer 6 and 7.

- Internet Explorer 6 mp3-files download procedure:
Fig. 17-4 Progress bar
Right-click "Save target as"
Select Save Target As from the context menu
Browse to the desired folder and click Save
Note:
Parameter Show Save Button has to be set to Yes.
Note:
With some browsers and websites, the download bar process cannot discriminate between a Save as... action and a direct link click on the specified link in the browser window (e.g., download areas at www.microsoft.com). This may lead to unexpected behavior with no popup being created as a result of a "direct link click" action. For a possible solution, see KB article 1500005.
- Internet Explorer 6 and 7 PDF-files download procedure: same download procedure as with mp3-files.
- If you want to define at Mime-Types a type text/plain, be sure to add an asterisk, otherwise it won't work (text/plain*).
- The download bar does not work with a transparent proxy, unless the <visible-hostname> is DNS-resolvable.
Note:
When a progress popup is opened, the main window is set to blank for IE6/IE7. The user has to enter a new web address manually or use the back button to return to the previous page. If IE8 or a Firefox browser is used, the main window automatically displays the page where the download was started. This is done by going back two steps in the browser history. Stepping back two sites is important for download sites where the download is started via javascript or HTTP redirects; otherwise the download would start in an endless loop. On the other hand it may happen that the main browser window is set to the last opened web site.
Note:
If Progress Popup is enabled, no header-trickling will be performed.
1.7.2 Data Leak Prevention (HTTP POST
Scanning of SMTP e-mails is based on standard SMTP communication between the Barracuda NG Firewall mail gateway and the Virus Scanner MailGate.
Step 1 Mail approaches mail gateway
Step 2 Mail is redirected to virus scanner
Step 3 (optional) Infected mail is deleted
Step 4 Mail is returned for delivery
Step 5 Mail is delivered
Fig. 17-5 Schematic overview of mail gateway integration
Integration of virus scanning on a Barracuda NG Firewall mail gateway takes place by setting the parameter Enable virus scanning to yes (as it is by default). This parameter is located in MailGW Settings > Content Adaptions (Mail Gateway 3.2 MailGW Settings, page 262).

List 17-22 MailGWSettings - Virus Scanning section Virus Protection
List 17-24 MailGWSettings - Advanced Virus Protection Option section Notification
Parameter Description
Expose Sender Alerts: Warnings can be sent to the sender of e-mails containing viruses/malicious software. The following settings are available:
NO - Warnings are never sent to the originator.
YES - Warnings are always sent to the originator.
LOCAL (default) - Warnings are sent only if the originator is a local domain user.
Note:
Use the Extended Domain Setup of the Mail Gateway to configure local domains. Users belonging to domains defined as internal and strictly_internal through the parameter Protection Profile are treated as local (Mail Gateway 3.2.2 Extended Domain Setup, page 263).
Expose Postmaster Alerts: Warnings concerning e-mails containing viruses/malicious software can be sent to the postmaster. The following settings are available: yes (default), no.
Silently Drop Phishing Mail: When set to yes (default: no), the virus scanner service does not generate a DSN delay message addressed to the e-mail's sender when it recognizes a phishing e-mail. The original phishing e-mail is automatically moved to the give-up folder and no further attempts are made to forward it.

List 17-27 MailGWSettings - External Scan Engine
Parameter Description
Bind IP: Here the IP address the mail gateway service listens on and awaits virus scan engine replies from can be entered.
Note:
The Bind IPs also need to be entered as part of the server configuration.

Step 5 If the content is clean, the scanned response is returned to the FTP gateway.
Step 6 The FTP gateway delivers the requested content to the source client.
Note:
For security reasons access to this trigger is restricted to the administrator's role:
- On single boxes access is permitted for the Manager and Security roles (table 3-20, page 92).
- On Barracuda NG Control Centers access is permitted through the VIRSCAN MODULE section within the Administrators configuration (list 19-12, page 438).
High Availability
1. Overview
1.1 Main Principle of High Availability Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2 Definitions and Notions in a High Availability system (HA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2.1 Primary Box / Secondary Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
1.2.2 Primary Server / Secondary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
2. Setting up a HA System
2.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.2.1 Modes of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.3 Designing a HA System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
2.4 Configuring HA Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
2.4.1 Configuring a Stand-alone HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
2.4.2 Configuring a CC-administered HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
2.4.3 HA Sync Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
2.4.4 Emergency Override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
2.4.5 Configuring Interception of Failure Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
1. Overview
1.1 Main Principle of High Availability Operations
Always remember to make a clear differentiation in the use of nomenclature. The terms primary box and secondary box are always meant from the server's point of view. When speaking of primary server and secondary server, on the other hand, the service itself is meant, which has to be started on the HA partner as soon as one box fails or the communication to a networking component the service relies upon fails.
Using HA configuration to balance the load between boxes is a very common and effective way to exploit all features given by the Barracuda NG Firewall architecture.
Figure 18-1 visualizes the behavior of HA partners in case of a services failure on the primary server.
Fig. 18-1 HA partner behavior (panels: Normal Operation; Operation without Box 1; Operation without Box 2; each showing Box1 and Box2)
Table 18-1 State table with working communication (columns: Primary Box, Secondary Box, Control Primary, Control Secondary, Comment)
While both boxes are active, the services FFW and VPN are processed on HA Box1 while the services Proxy and DNS are processed on HA Box2. If the state of HA Box1 changes to "unknown" due to fatal errors, either hardware or software sided, HA Box2 starts its Secondary Server S1 and activates the FFW and VPN services within a few seconds.
2. Setting up a HA System
Note:
It is important to configure switches and routers properly to work in conjunction with a HA system. Most important is the so-called ARP cache time or ARP timeout. When the secondary box starts its services, the IP addresses of the primary box are used (except the management IP) but with different MAC addresses. With an infinite timeout configured, the secondary box would never be reached. With a timeout of 300 seconds, the secondary box would not be reached for 5 minutes, and the HA concept would not fulfil its purpose. The recommended setting lies between 30 and 60 seconds. Disadvantage: The amount of ARP requests will increase with a higher timeout.
Fig. 18-2 HA monitoring without private uplink (HA state exchanged via 10.0.8.0/24 network)
(figure: Primary FW 10.0.8.112 and Secondary FW 10.0.8.113 on eth0 in 10.0.8.0/24; eth1: 0.0.0.0; private uplink on eth2: 192.168.0.1 and 192.168.0.2)

2.3 Designing a HA System
Fig. 18-4 Designing a HA system
(figure: Srv IP eth0: 10.0.8.100; Primary FW A0: 10.0.8.112, Secondary FW B0: 10.0.8.113 in 10.0.8.0/24; eth1: 0.0.0.0; private uplink A1/B1 on eth2: 192.168.0.1 and 192.168.0.2)
Fig. 18-6 Exporting the public key to a file
Perform the following step to create a CC-administered HA pair (it is supposed that the boxes already exist):
Note:
Please consider that HA partners can only be created within one cluster.

2.4.3 HA Sync Status
Configuration changes on the primary box are transferred to the secondary box instantly. The sync status can be viewed via the Barracuda NG Admin configuration GUI. To do so, simply click HA Sync.
- Do Update: An incremental update will be performed.
- Do Complete Update: A complete update will be performed.
- Discard Update: Discards the changes; needed when the two HA partners are in an inconsistent state (for example when the primary box was down, configuration changes had to be made on the secondary box, that is, the secondary box has been set to Emergency Override).
- Refresh: Refreshes this window to see the actual changes (completion of update).
Note:
If HA boxes are managed by a Barracuda NG Control Center, this button is deactivated when connecting to the box itself. HA box synchronisation has to be triggered over the Barracuda NG Control Center.

2.4.4 Emergency Override
If the primary box fails, configuration changes must be made on the secondary box. In normal operation mode it is not possible to alter the configuration via the secondary box. If there is the need to do so, the DHA box has to be set to Emergency Override mode. After re-establishing the primary box, the synchronisation has to be started manually.
Hence the procedure after a serious failure of the primary box is the following:
Step 1 Enable the Emergency Override mode
To enable the emergency override mode, open the Barracuda NG Admin configuration GUI and establish a connection to the secondary box. Open the context menu with a right-click on Box (Backup) and select Emergency Override.
Fig. 18-11 Emergency Override of a HA Box
The box icon gets highlighted in yellow as soon as the Emergency Override is active.
Note:
The Emergency Override option belongs to one session only, that means it must be re-established in every new session.
Step 2 Change the configuration
After enabling the Emergency Override mode, the configuration file can be locked and edited. As soon as the files have been manipulated, the icon in the header changes and the buttons Send Changes and Reload are available.
Step 3 Send Changes and Activate
Note:
For detailed information on the functions of the buttons Send Changes and Activate, see Getting Started, page 7.
The Send Changes button sends configuration changes to the server. The configuration changes will be stored until the changes are activated. The Reload button loads the original file with the configuration data before having activated any changes by clicking Activate.
To verify the changes for their functionality, it is possible to check the changes before activation. For this purpose the Box tab (Control) contains the button Verify New. Clicking this button results in a detailed report about the changes. When the report is OK (no errors occurred), click Activate New to set the changes active.
Fig. 18-13 Example for test report
Insert the IP address of the primary box into the HA Partner IP field.
Insert the IP address of the secondary box into the Sender IP to use field.
Activate the Change Address checkboxes to the right of both fields.
Transfer the configuration from the secondary box to the primary box by clicking the Do Update button and instantly thereafter the Do Complete Update button.
Block services on the secondary box so that the primary box can regain normal operation status.
Note:
Only configuration changes on the primary box are transferred instantly to the secondary box. In Emergency Override situations the synchronisation from the secondary to the primary has to be done manually. It is recommended to perform a complete update since the updates are done incrementally.
Several services can be configured as HA systems, but some of them use distinct synchronisation mechanisms. Two of these services (HA Firewall Service, Mail Gateway with HA) are described below in more detail. Other available services are:
- DHCP: for Enterprise (Barracuda NG Firewall 3.2) see DHCP, page 287; for Basic (Barracuda NG Firewall 2.4.2) see DHCP 2. "Regular" DHCP, page 298
- SSH (SSH Gateway, page 385)
- SPAM Filter (Mail Gateway 4. Spam Filtering, page 273)

3.2 Transparent Failover for a HA Firewall
We have seen now that a HA system provides safety by taking over the configured servers and services in case of a breakdown of one partner, and that a HA system can be used for load balancing to exploit all features available through the Barracuda NG Firewall architecture.
So far so good, but having a firewall server/service taken over by the second HA partner without the open sessions is not that good. Using the function Transparent Failover (activated per rule; active by default) synchronizes the forward packet sessions (TCP in- and outbound, UDP, ICMP-Echo and OTHER-IP-Protocols) of the Firewall server between the two HA partners.
Synchronisation can be carried out via the uplink connection or alternatively via the LAN connection (see 2. Setting up a HA System, page 402). The synchronisation traffic consists of UDP packets, so-called sync packets (port 689), encrypted with AES-128 to prevent infiltration. The AES keys are created by using the BOX RSA Keys and are changed every 60 seconds to maintain the high security level of the sync traffic.
Using the LAN connection for synchronising is only possible due to the small amount of necessary synchronisation traffic. This traffic is reduced by synchronising sessions and not each packet. Due to the characteristics of the TCP protocol (SYN, SYN-ACK, ...) this means that only already established TCP connections are synchronized. When the synchronisation takes place during the TCP handshake, this handshake has to be repeated.
Fig. 18-14 Synchronising procedure (the active box sends its active sessions in a sync packet to the inactive box, which stores the synchronized sessions and answers with a sync ACK; FFW and FW on both boxes)
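A model of the session-level synchronisation just described, as an added example that is not the appliance's own code: which sessions go into a sync packet (per-rule Transparent Failover, and for TCP only ESTABLISHED ones), the UDP port and 60-second key epoch of the packet, and what happens on the partner after takeover to a TCP connection that was still in its handshake. The session table, the rule policy and the classification strings are constructed; the AES-128 encryption of the packet is left out.

```python
from dataclasses import dataclass

SYNC_PORT = 689           # UDP port of the sync packets (from the page)
KEY_ROTATION_S = 60       # AES keys are renewed every 60 seconds (from the page)


@dataclass(frozen=True)
class Session:
    proto: str            # "tcp", "udp", "icmp-echo" or "other-ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = ""       # TCP only: SYN_SENT, SYN_RECV or ESTABLISHED

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)


def syncable(sess: Session, rule_transparent_failover: bool = True) -> bool:
    """A session is carried in sync packets only if its rule has Transparent
    Failover enabled and, for TCP, the three-way handshake has completed."""
    if not rule_transparent_failover:
        return False
    if sess.proto == "tcp":
        return sess.state == "ESTABLISHED"
    return sess.proto in ("udp", "icmp-echo", "other-ip")


def build_sync_packet(active_table, now_s: int, rule_policy=None):
    """One sync packet from the active box: the session list (sessions, not
    packets, are synchronised) plus the key epoch the receiver must use.
    rule_policy maps a session key to its rule's Transparent Failover flag."""
    rule_policy = rule_policy or {}
    entries = [s for s in active_table.values()
               if syncable(s, rule_policy.get(s.key(), True))]
    return {"udp_port": SYNC_PORT, "key_epoch": now_s // KEY_ROTATION_S,
            "sessions": entries}


class InactiveBox:
    """Partner box: stores the synchronized sessions and, after takeover,
    decides whether a packet belongs to a known session or needs a new
    handshake (the case the page says must be repeated)."""

    def __init__(self):
        self.table = {}

    def apply_sync(self, packet):
        self.table = {s.key(): s for s in packet["sessions"]}
        return {"udp_port": SYNC_PORT, "ack_epoch": packet["key_epoch"]}

    def classify_after_takeover(self, pkt: Session, tcp_flags: str = "") -> str:
        if pkt.key() in self.table:
            return "forwarded (session synchronized)"
        if pkt.proto == "tcp" and tcp_flags == "SYN":
            return "new handshake accepted"
        if pkt.proto == "tcp":
            return "dropped (handshake must be repeated)"
        return "new session (stateless protocol)"


# Constructed session table of the active box at the moment of the sync.
ACTIVE = {s.key(): s for s in [
    Session("tcp", "10.0.8.20", "192.0.2.10", 40001, 443, "ESTABLISHED"),
    Session("tcp", "10.0.8.21", "192.0.2.11", 40002, 80, "SYN_SENT"),
    Session("udp", "10.0.8.22", "192.0.2.53", 50000, 53),
    Session("icmp-echo", "10.0.8.23", "192.0.2.1"),
]}


def failover_demo(now_s: int = 12345):
    """Sync once, take over, then classify one mid-stream packet per session."""
    partner = InactiveBox()
    ack = partner.apply_sync(build_sync_packet(ACTIVE, now_s))
    results = {}
    for s in ACTIVE.values():
        flags = "ACK" if s.proto == "tcp" else ""
        results[s.key()] = partner.classify_after_takeover(s, flags)
    return ack, results


if __name__ == "__main__":
    for key, verdict in failover_demo()[1].items():
        print(key, "->", verdict)
```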
Attention:
While connected via SSH avoid entering any commands unless you know exactly what you are doing.

Step 1 Connecting
Establish a connection to the secondary HA box using Barracuda NG Admin. Now select SSH from the box menu and log into the secondary HA box as root.
Change to the spool directory of the mail gateway by using the following command line:
cd /var/phion/spool/mgw/<server>_<service>/spool/
For <server>, type in the name of the server, and for <service> type in the name of the mail gateway service you have configured when introducing the service.

Step 2 Check for undelivered mails
This check is done by listing the content of the spool directory. Therefore enter the following command:
ls -l
If the result of this command is Total 0, there are no undelivered mails left and it is not necessary to carry on. In this case, type exit to close your SSH session.
However, if there are files with the extension .body and .env, continue with the next step.

Step 3 Copy the spool directory
Copy all files to the mail input directory of the active (primary) mail gateway service. This is accomplished by using the following command line:
scp * <IP>:/var/phion/spool/mgw/<server>_<service>/input/
The parameter <IP> indicates the box management IP of the primary HA box, where the mail gateway service is active. You will be prompted to enter the root password of the primary box.

Step 4 Copy the vscan directory (optional)
If the virus scanning for mails is active, it is necessary to copy this directory too.
Therefore change to the vscan directory of the mail gateway using the following command line:
cd ../vscan/
Now copy all files to the mail input directory of the active (primary) mail gateway service. This is accomplished by using the following command line:
scp * <IP>:/var/phion/spool/mgw/<server>_<service>/input/

Step 5 Initiating delivery manually
As soon as Step 3 and Step 4 (optionally) are completed, the manually initiated delivery can be started on the primary HA box. For this purpose you need a SSH session to the active box. This session is established by using the following command line:
ssh <IP>
For <IP> type in the box management IP of the primary HA box, where the mail gateway service is active. You will be prompted to enter the root password of the primary box. After that the prompt of the primary box appears.
Now initiate the mail insertion and delivery of the copied mail in the input directory:
/bin/kill -s SIGUSR2 <server>_<service>
For <server> type in the name of the server, and for <service> type in the name of the mail gateway service which you have configured at the time you introduced the service on the box.
Note:
Mind the case sensitivity.
This command inserts the imported mails from the input directory into the spooling process of the active mail gateway and performs the delivery. Active mail jobs in the current spooling queue are not affected by this action.
In order to verify whether the mails have really been inserted or not, check the mail gateway logs (Logs > <servername> > <servicename> mailgw). For each newly inserted mail, a log file entry containing the text "SPOOLER new mail inserted (id=########-######-########)" is generated.
After that, normal delivery of inserted mails is initiated and can be checked via the operative mail gateway GUI (MailGW).

Step 6 Removing the obsolete mails
After successful delivery, remove the mails left in the /spool/ and /vscan/ directories of the inactive mail gateway on the secondary box to avoid duplicate delivery.
To do so, terminate the SSH session to the primary box by entering exit. The system prompt of the secondary box now appears, displaying the message Connection to <IP> closed.
Note:
If the bash prompt of the secondary box does not contain the path /var/phion/spool/mgw/<server>_<service>/spool, for example because you changed to a different directory, repeat Step 1.
Now remove all mails in the current directory using the following command within the /spool/ directory of the secondary box:
rm * -f
Attention:
Usage of this command removes all files in the current directory irrecoverably. Make sure that you have not changed to another directory before entering rm * -f.
Note:
If Step 4, page 409, was performed, it is necessary to remove obsolete mails also from the /vscan/ directory.

Step 7 Exit
Enter the command exit to terminate the SSH session.
This concludes the e-mail synchronisation after HA handover.
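Two points in the procedure above are worth automating before the irrecoverable rm in Step 6: the Step 2 check that the spool really holds complete .body/.env pairs, and the Step 5 check that the primary logged a "SPOOLER new mail inserted (id=...)" entry for each of them. The following is an added example, not part of the guide: it takes only the file extensions, the spool layout and the log text from the procedure; the helper names, the rule that a mail needs both files, the constructed sample spool and the constructed log lines are assumptions made here.

```python
"""Checks around the manual mail spool recovery after an HA handover.

Added example, not part of the guide. The .body/.env file pair, the spool
directory layout and the log text "SPOOLER new mail inserted (id=...)" come
from the procedure above; the helper names, the constructed sample spool
and the constructed log lines are assumptions made for this example.
"""
import os
import re
import tempfile

SPOOL_SUFFIXES = (".body", ".env")
INSERTED_RE = re.compile(r"SPOOLER new mail inserted \(id=([^)]+)\)")


def undelivered_mails(spool_dir):
    """Step 2 check: which mails still wait in the spool directory?

    Returns (complete, orphans): complete are base names having both a
    .body and a .env file; orphans have only one of the two and would give
    the primary an incomplete job if copied (assumption: both are needed).
    """
    parts = {}
    for name in os.listdir(spool_dir):
        base, ext = os.path.splitext(name)
        if ext in SPOOL_SUFFIXES:
            parts.setdefault(base, set()).add(ext)
    complete = sorted(b for b, exts in parts.items() if len(exts) == 2)
    orphans = sorted(b for b, exts in parts.items() if len(exts) == 1)
    return complete, orphans


def inserted_ids(log_lines):
    """Step 5 verification: ids the spooler logged as newly inserted."""
    ids = []
    for line in log_lines:
        m = INSERTED_RE.search(line)
        if m:
            ids.append(m.group(1))
    return ids


def recovery_report(spool_dir, log_lines):
    """Compare what was waiting in the spool with what the primary inserted.

    safe_to_clean is only set when there are no orphans and at least as
    many insert entries as complete mails were found in the log.
    """
    complete, orphans = undelivered_mails(spool_dir)
    ids = inserted_ids(log_lines)
    return {
        "pending": len(complete),
        "orphans": orphans,
        "inserted": len(ids),
        "safe_to_clean": not orphans and len(ids) >= len(complete),
    }


def make_sample_spool(with_orphan=True):
    """Constructed spool directory: two complete mails, optionally one orphan."""
    d = tempfile.mkdtemp(prefix="mgw-spool-")
    names = ["m1.body", "m1.env", "m2.body", "m2.env"]
    if with_orphan:
        names.append("m3.body")
    for name in names:
        with open(os.path.join(d, name), "w") as fh:
            fh.write("x")
    return d


# Constructed log lines in the shape the guide describes (not real output;
# the ids only follow the ########-######-######## mask).
SAMPLE_LOG = [
    "SPOOLER new mail inserted (id=20100101-120000-00000001)",
    "SPOOLER delivery started",
    "SPOOLER new mail inserted (id=20100101-120000-00000002)",
]

if __name__ == "__main__":
    print(recovery_report(make_sample_spool(), SAMPLE_LOG))
```

Run against the real paths, the report would be fed from an ls of the /spool/ directory on the secondary box and from the mailgw log of the primary; with the orphan present the report refuses to declare the spool safe to clean even though two insert entries were found.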
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
2. Trust Center
2.1 Certificates and Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
2.2 CCs Trust Center Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
3. Installing a CC
3.1 Configuring the Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
3.2 Installing the Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
4. CC User Interface
4.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
4.2 Standard Context Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
5. CC Control
5.1 General Characteristics of the Graphical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
5.2 Status Map Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
5.3 Favourites Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
5.4 Configuration Updates Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
5.5 File Updates Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
5.6 Sessions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
5.6.2 Context Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
5.7 Statistics Collection Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
5.8 Box Execution Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
5.9 Scanner Versions Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
5.10 Software Update Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
5.11 Update Tasks Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
6. CC Configuration Service
6.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
6.2 Multi-Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
6.3 Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
6.4 Range Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
6.5 Cluster Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
6.6 Box Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
6.7 Defining Node Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
6.8 Repositories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
6.9 Multiple Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
6.10 Adding/Moving/Copying. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall) . . . . . . . . . . . . . . . . . . . . 449
6.12 Supplement: Migration of a CC to a New Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
7. CC Database
7.1 Database User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.2 Range Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.3 Cluster Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.4 Box Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.5 Server Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
7.6 Service Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
8. CC Admins
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
8.2 Concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
8.3 Admin User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
9. CC Statistics
9.1 Service Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
9.2 Data Collection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
9.3 Compression Cooking and Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
9.4 Transfer Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
9.5 Recovery and State Analysis of Poll Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
10. CC Eventing
10.1 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
10.2 Event User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
10.3 Event Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
10.4 Event Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
11. CC Syslog
11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
11.2 Installing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.3 Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.5 Supported Ciphers and Cipher Preference by the Stunnel-based Sub-processes. . . . . . . . . . . . . 478
11.6 Filtering Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
11.7 Example Configurations for Syslog Proxy and CC Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . 479
14. CC Firewall
14.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
17. CC RCS
17.1 Activating / Configuring RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
17.2 Using RCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
17.3 Retrieve Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
1. Overview

1.1 General

Fig. 192 Flowchart - How a Barracuda NG Firewall becomes a Barracuda NG Control Center (figure: Admin PC, Barracuda NG Control Center and Barracuda NG gateways in network 10.0.0.0/24; steps: Configuring the box, see 3.1 Configuring the Box, page 418; Installing the license(s), see 3.2 Installing the Licenses, page 419; Configuring the CC itself, see 6. CC Configuration Service, page 434)
X509 certificates and RSA Private/Public key pairs are used to obtain peer (IP address) and administrator authenticity. For private/public key encryption two possible encryption methods exist:

2.1.1 Private Encryption
(Figure: Unencrypted data is encrypted with the Private Key (Private Encryption) into Encrypted data, which is decrypted with the Public Key (Public Decryption).)
The public key owner can check if the data was encrypted with the matching private key, which is a proof of authenticity.
(Figure: Unencrypted data is encrypted with the Public Key (Public Encryption) into Encrypted data, which is decrypted with the Private Key (Private Decryption).)

X509 Certificates are used to combine keys with additional credential information. They give information of the origin and the intended usage of the public key they contain. Furthermore X509 certificates can be chained together building a trust chain.

Fig. 195 Certificates and Keys (figure: an X509 Certificate carrying Issuer, Public Key and Signature; the issuer signs with its Private Key, the signature is verified with the issuer's Public Key; a certificate may be Self-signed)
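The two directions shown in the figures above (private encryption of a digest as a proof of authenticity, public encryption for confidentiality) can be made concrete with textbook RSA. The following is an added example, not Barracuda code and not a usable cryptosystem: the primes are tiny so the arithmetic stays readable, there is no padding, and the function names and prime seeds are assumptions made for this example.

```python
"""Textbook RSA illustrating the two directions described in 2.1.1.

Added example, not Barracuda code and not a usable cryptosystem: the key
sizes are tiny so that the arithmetic is readable, there is no padding, and
the whole thing exists only to show why "private encryption" of a digest
proves authenticity while "public encryption" gives confidentiality.
Function names and the prime seeds are assumptions made for this example.
"""
import hashlib
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def keygen(seed_p=1_000_003, seed_q=1_000_033, e=65537):
    """Return (public, private) as (e, n) and (d, n)."""
    p = next_prime(seed_p)
    q = next_prime(seed_q)
    while q == p or gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


CHUNK = 3  # 3 data bytes plus a 0x01 marker stay below 2**32 < n


def public_encrypt(message, public):
    """Confidentiality: anyone can encrypt, only the private key decrypts."""
    e, n = public
    blocks = []
    for i in range(0, len(message), CHUNK):
        m = int.from_bytes(b"\x01" + message[i:i + CHUNK], "big")
        blocks.append(pow(m, e, n))
    return blocks


def private_decrypt(blocks, private):
    d, n = private
    out = b""
    for c in blocks:
        raw = pow(c, d, n).to_bytes(4, "big")
        out += raw[raw.index(1) + 1:]  # drop leading zeros and the marker
    return out


def digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def private_sign(message, private):
    """Authenticity: 'private encryption' of the message digest."""
    d, n = private
    return pow(digest_mod_n(message, n), d, n)


def public_verify(message, signature, public):
    """The public key owner 'decrypts' the signature and compares digests."""
    e, n = public
    return pow(signature, e, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"box -> master: config update"
    print(public_verify(msg, private_sign(msg, priv), pub))
    print(private_decrypt(public_encrypt(msg, pub), priv) == msg)
```

A signature made with a different private key, or checked against a modified message, fails verification; that is the check the box and the master perform on each other's keys, and the check a certificate chain repeats at every link.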
(Figure, caption not preserved by extraction: the CC Trust Center model, showing the Master Key, Master Certificate and Master License, the Box Keys and Old Keys, the SSH Keys and Box SSH Certificate, and the Key Database, connected by their "signed by" relations.)
With the use of X509 certificates and private/public RSA keys the following security features are obtained:
z Secure Box - Master Communication
Box and Master exchange their public keys which are used for all SSL communication between the two (Strong Peer Authentication).
z Secure Master Administration
When using the Barracuda NG Admin, the master credentials can be checked to assure that the administrative tool is really communicating with the intended Barracuda NG Control Center.
z Secure Box Administration
Once a secure connection to the Barracuda NG Control Center has been established and the master certificate has been stored, all communication to the managed boxes can be verified by means of a trust chain.
z Secure Box SSH Login
The master holds a database with the box SSH public keys, which can be downloaded using the Barracuda NG Admin. This way trusted SSH login is achieved.

2.2.1 Authentication Levels for Master-box Communication

As stated above the master-box trust relationship is governed by private/public key technology. Hence in a working environment the master knows its boxes and the boxes recognize the master as their one and only reign.
The default level of authentication is that a box and its master identify themselves by their keys and IP addresses. That means that the master does not send any configuration data to untrusted boxes and no box accepts data from an untrusted master. If, however, the Barracuda NG Control Center does not have a valid license (and hence no master certificate) or major migrations are made, it may be necessary to soften the level of authenticity for a short time to establish a new trust relationship. Depending on which component is the untrusted one this has to be done either on the Barracuda NG Control Center (master Control window - Configuration Updates tab - Untrusted Update checkbox selected) or on the box itself to make it accept the incoming data.
Table 192 Possible settings of authentication levels on the box itself
Fig. 197 Extract from the Box tab in the Box Control window where authentication
level can be lowered to interaction-free authentication
Note:
Since the Barracuda NG Admin uses the same
communication protocol as the master, this setting
applies to any Barracuda NG Admin based login attempt
with the user master.
3. Installing a CC

Selecting managementcenter/standard-hardware in the Box Type Settings when creating the kickstart disk via Barracuda NG Installer (Getting Started 2. Barracuda NG Installer, page 10) installs the CC automatically.
To verify the installation, select Control from the box menu and check whether the created services are running (figure 198).

Fig. 198 Control - Server tab with required/recommended CC services

You can also have a look at the log files of the modules that you have just introduced. The log entries for a typical service start-up look similar to the following example:

Table 193 Example - Log file of a System Startup

To find out which processes are running, use the box menu entry Control and open the Processes tab. There, all running processes are listed.
Now the Barracuda NG Control Center has its basic setup and is ready to receive the licenses.

3.2 Installing the Licenses

Before you can use your Barracuda NG Control Center in productive service, you first must install the obtained licenses on your system. Otherwise the software will remain in demo mode and will be open to anyone to manage it.
Installing licenses is done in the following steps:
When logging into the Barracuda NG Control Center for the very first time, the message shown in figure 1910 will appear, since the necessary CC licenses are not installed at this point. Click NO to continue the login procedure.
To install the master identity, simply select the Config entry from the box menu and enter CC Identity (Multi-Range > Global Settings).

Fig. 1911 Master License configuration

Now your Barracuda NG Control Center is ready to operate and you can start to configure the Barracuda NG Firewall appliances to be centrally manageable.
4. CC User Interface

5. CC Control

The CC Control, amongst other things, provides real-time information about all Barracuda NG Firewall gateways the Barracuda NG Control Center administers. To access it, click Control in the box menu.
The following tabs are available for operational purposes:
z Status Map Tab, see 5.2 Status Map Tab, page 421
z Favourites Tab, see 5.3 Favourites Tab, page 422
z Configuration Updates Tab, see 5.4 Configuration Updates Tab, page 423
z Sessions Tab, see 5.6 Sessions Tab, page 424
z Context Menu, see 5.6.2 Context Menu, page 425
z Statistics Collection Tab, see 5.7 Statistics Collection Tab, page 425
z Box Execution Tab, see 5.8 Box Execution Tab, page 426

available through the menu item Tools (see 4.2 Standard Context Menu, page 420).
z A menu item Arrange Icons By is included in every operational tab. This menu item always contains the column headings of each specific section as sub-items and allows ordering data sets by checking the corresponding label.
In some places the Arrange Icons By sub-menu contains further parameters allowing more differentiated ordering (for example Configuration Updates tab, see 5.4.3.1 Context Menu, page 424).
The Arrange Icons By menu sometimes contains an additional value Show in Groups that allows switching between two views: the classical view, a continuous list, or a list combining groups of elements.

Fig. 1913 Group view of elements in the Statistics Collection tab, sorted alphabetically by box name
The Status Map summarizes status information of all systems administered by the CC. It divides systems into the hierarchical structure range, cluster and box. Clicking a range entry uncovers all clusters belonging to the respective range. Clicking a cluster entry uncovers all boxes belonging to the respective cluster.

Fig. 1914 Status Map tab (figure: Range section and Cluster section; per box, icons show the status of the network (Control 2.2 Network Tab, page 30), the validity of certificates/licenses (Control 2.5 Licenses Tab, page 37) and the status of the box (Control 2.6 Box Tab, page 38))

5.2.1.1 Context Menu of Range/Cluster Section
For a description of the range and cluster section context menu, please see 5.1.2 Context Menu Entries, page 421.

5.2.1.2 Context Menu of Box Section
For a general description of the box section context menu, please see 5.1.2 Context Menu Entries, page 421.
Furthermore, in this place right-clicking a selected box makes further menu items available allowing you to jump directly to certain areas within the selected Barracuda NG Firewall.

The Favourites tab aims at providing fast access to frequently needed Barracuda NG Firewall gateways. It contains those gateways which have been declared as favourites in the Status Map tab (see 5.2.1.2 Context Menu of Box Section, page 422).
The used icons and color codes are identical with the ones used in the Status Map (see 5.2 Status Map Tab, page 421).
This item removes the selected Barracuda NG Firewall from the Favourites tab.

Fig. 1916 Example for a Favourites tab with wallpaper and small icons
z Untrusted Update checkbox enables the update of boxes that are not known to the Barracuda NG Control Center. Untrusted updates can as well be used on boxes in case problems with authentication keys arise.
Attention:
Untrusted updates are very hazardous, since they work without strong authentication.
The Untrusted Update option only works on boxes that accept non-authenticated connections. On a Barracuda NG Firewall, such a situation could arise after disaster recovery using an old .par file or after installation from scratch.
z Update Now triggers immediate box update execution.
z Complete Update triggers sending of the entire box configuration to the box and not only of the modified part of it.
z Block Update disables the possibility to perform a box update.
z Unblock Update enables scheduling of updates.
z Delete updates which can no longer be applied, that means updates allotted to boxes which have been removed from the MC's configuration tree and have thus been marked as "wild".
z Force Delete deletes configuration updates of active boxes.

The update status can be verified in the Flags column. The following flags exist:

Table 197 Update Status flags overview
Flag | Description | Comment
C | Complete Update | A full update with the complete configuration has been applied.
E | Update Error | Last update was not successful.
F | Force Update | The last update has been forced, therewith overriding the internal scheduler.
U | Untrusted Update | Box and CC have not exchanged authentication data, and thus have not approved trustworthiness.
T | Update Terminated | Update has terminated.
B | Update Blocked | Updates are blocked.
P | Update Pending | PAR file is ready to be sent.
S | Update Scheduled | Update has been scheduled.
A | Update Active | Update process is active.

z Last Success column
This column informs about date and time of the last successful configuration update (the used syntax is yyyy mm dd hh:mm:ss).
z Last Try column
This column informs about date and time of the last attempt to update a configuration (the used syntax is yyyy mm dd hh:mm:ss).
z Tries column
Here the number of attempts to update the configuration of a Barracuda NG Firewall is displayed.
z Info column
This column displays the IP address and name of the Barracuda NG Firewall. The information (wild) flags update settings of nonexistent boxes.
z Flags column

Note:
The Sessions tab does not show configuration sessions, which for example are produced by locking configuration nodes. To find out about active configuration sessions use the Sessions button in the Config section.
Column | Description
Box | This is the name of the Barracuda NG Firewall.
Cluster | This is the name of the cluster the box resides in.
Range ID | This is the name of the range cluster and box belong to.
Service Icon | The icons describe the service responsible for the session: Firewall control session (Service firewall_), Login session, VPN session (Service VPN-Service_*vpn), Log viewer session (Service box_logd), Statistics viewer session (Service box_qstatd), Box control session (Service box_control), Barracuda NG Admin session (Service phiona); a further icon indicates a sync operation.
IP | This is the IP address of the Barracuda NG Firewall.
Info | This is the optional box description as inserted into the Description field of the Box Config file.
Service | This is the name of the service that has been accessed.
Peer | This is the IP address from where the session was started.
Admin | This is the name of the administrative account that has logged in.
Start | This is the period that has passed since the session has started.
PID | This is the internal, unique Process ID.

Double-clicking an entry opens a detail window summarising all available information regarding the specific session.

5.6.1 Context Menu
For a general description of the context menu, please see 5.1.2 Context Menu Entries, page 421.

5.7 Statistics Collection Tab

This tab provides information about collected statistics. Double-clicking an entry opens a detail window summarising all available information regarding the statistics collection of the specific box.
The listing is divided into the following columns:

Table 199 Data listed in the Stat Collect tab
Column | Description
(Box Icon) | This column shows the status of statistics collection based on the reason which has provoked this status. The icons depict the following states: statistics collection works flawlessly; statistics collection has been aborted; statistics collection has been disabled.
Box | This is the name of the Barracuda NG Firewall.
Cluster | This is the name of the cluster the box resides in.
Range ID | This is the name of the range cluster and box belong to.
IP | This is the IP address of the Barracuda NG Firewall.
State | Shows whether the statistics transfer configuration is based on range settings (range) or cluster settings (cluster). If no statistics transfer configuration is defined, disabled is shown.
Sync | Displays the status of the box synchronisation: clean - the synchronisation procedure has been executed correctly; dirty - the synchronisation procedure has failed or is still in progress; unknown - the synchronisation status cannot be determined.
Task | Shows the currently running process (for example unknown, idle).
Last Success | This column informs about date and time of the last successful synchronisation (the used syntax is yyyy mm dd hh:mm:ss).
Last Try | This column informs about date and time of the last synchronisation try (used syntax is yyyy mm dd hh:mm:ss).
Reason | This column displays the status and/or error messages.
z Remove button
Discards a script stored on the Barracuda NG Control Center.
Note:
A script which can be selected together with a box or a box group object has to exist before a task can be created.

5.8.3 Box List

In the box list, boxes or groups of boxes can be selected for task execution. Two tabs with different functions are available to do so.

Fig. 1919 Box List Edit Object

The following detail information is covered in the box list:
z Box / Cluster / Range ID columns
These data sets describe the membership of the Barracuda NG Firewall, that means its name and the names of cluster and range it belongs to.
z Info column
This column displays additional box information (IP address and short name).
z Version column
This is the version number of the Barracuda NG Firewall installed on the box.

Action bar
z Show Log button
Displays a view of the box log file containing entries about the lastly executed task. Box log files are stored on the CC. Their view can as well be triggered by double-clicking a box entry in the list.
z Clear Log button
Clears the log files of all selected boxes. This should be done best before executing a new task.

The following action menu only applies for the Objects tab:
z Edit button
Clicking this button allows editing a selected object.
z New button
Creates a new object.
z Remove button
Removes the selected object.
z Import button
Imports a Barracuda NG Control Center Object into the Microsoft Windows System registry.
z Export button
Exports a Barracuda NG Control Center Object from the Microsoft Windows System registry. Box group objects are saved to Barracuda NG Control Center Object (*.mco) files.

Select the Show All Boxes checkbox to display a view showing all available boxes. The boxes belonging to a saved object are shown highlighted.
The following buttons in the Edit Object window allow further actions:
Note:
Whether buttons are activated for use or not depends on the selected view (checkbox Show All Boxes selected or not) and on whether the object has already been saved.
z Show Log
Displays a view of the box log file containing entries about the lastly executed task. Box log files are stored on the CC. Their view can as well be triggered by double-clicking a box entry in the list.

Step 2 Select the boxes and the cleantmp script
Select all boxes on the Boxes tab in the Box list window and the cleantmp script in the Script list window simultaneously.
Step 3 Create the tasks
Click the Create Task button in the Box list window.
Step 4 Schedule the tasks
Schedule the tasks for Immediate Execution in the Schedule Task window.
Table 1913 Data listed in the system list of the Software Update tab (continued)
Column | Description
Last good status | This is the time that has passed since the CC has fetched status information from a box successfully. Barracuda NG Firewalls 3.4.4 and later, and 3.6.1 and later propagate status information to the CC actively. Information that has been "pushed" to the CC by these systems is flagged with P in the column listing.
Last attempt successful | This column indicates if the last attempt to fetch status information from a box has been successful (yes/no).
Last attempt | If the last attempt to fetch status information from a box has been unsuccessful, this column indicates the time that has passed since then.
Fail reason | This column lists the reason for status information update failure.

Attention:
Only use RPMs provided by Barracuda Networks. If you are for some reason forced to install an arbitrary RPM, you yourself must make sure that the installed software is compatible with the Barracuda NG Firewall components present.

Hotfixes are zipped TAR files which include the package data and a script called doit. The activation procedure simply unpacks the TAR file in a temporary directory and then calls the doit script within this directory. The script then copies the package file to the proper location.
You can create your own hotfixes and use them to distribute files among your boxes.
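Because activation unpacks the archive and runs whatever doit it finds, a self-built hotfix deserves an inspection before it is pushed to the boxes: the archive should contain exactly one top-level doit, nothing that would be written outside the temporary directory on unpacking (absolute or parent-directory paths, links), and no oversized members. The following is an added example, not part of the guide and not Barracuda tooling; it takes only the hotfix format from the text above, while the checks, the size limit, the helper names and the in-memory sample archives are assumptions made here.

```python
"""Inspect a hotfix archive before it is activated.

Added example, not part of the guide and not Barracuda tooling. From the
text above it takes only the hotfix format: a zipped TAR holding the
package data and a script named doit, which activation unpacks into a
temporary directory and executes. The checks, their thresholds and the
helper names are assumptions made for this example; the sample archives
are constructed in memory.
"""
import hashlib
import io
import tarfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed upper bound for one member


def inspect_hotfix(data):
    """Return (ok, findings, sha256) without extracting anything to disk.

    Findings are strings; an empty list means the archive has the shape
    the activation procedure expects and contains nothing that would land
    outside the temporary directory when it is unpacked.
    """
    findings = []
    sha256 = hashlib.sha256(data).hexdigest()
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:gz")
    except tarfile.TarError as exc:
        return False, [f"not a gzipped TAR: {exc}"], sha256
    with tf:
        members = tf.getmembers()
        doit = [m for m in members if m.name == "doit"]
        if len(doit) != 1:
            findings.append("expected exactly one top-level doit script")
        elif not doit[0].isfile() or not doit[0].mode & 0o100:
            findings.append("doit is not an executable regular file")
        for m in members:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append(f"path escapes the unpack directory: {m.name}")
            if m.issym() or m.islnk():
                findings.append(f"link entry not allowed: {m.name}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"special file not allowed: {m.name}")
            if m.isfile() and m.size > MAX_MEMBER_BYTES:
                findings.append(f"member too large: {m.name} ({m.size} bytes)")
    return not findings, findings, sha256


def build_sample_hotfix(escape_path=False):
    """Construct an in-memory hotfix (constructed data, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, content, mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tf.addfile(info, io.BytesIO(content))
        add("doit", b"#!/bin/sh\n# placeholder: copy package.rpm to its location\n", 0o755)
        add("package.rpm", b"placeholder package data")
        if escape_path:
            add("../outside.txt", b"would land outside the temp dir")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        ok, findings, digest = inspect_hotfix(build_sample_hotfix(flag))
        print(ok, findings, digest[:16])
```

The returned digest is what to record alongside the hotfix so that the archive actually distributed to the boxes can later be matched against the one that was inspected.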
The display of the Software Update tab is divided into four areas (figure 1927):
• Action bar
• System List, see 5.10.1 System List, page 430
5.10.1 System List
In the system list, administrative entities may be arranged in views corresponding to the structure of the Barracuda NG Control Center configuration tree. Views are triggered by appropriate selection in the Current View list within the View/Filter list (see View/Filter List below).
Each view includes detailed information about every system the Barracuda NG Control Center administers. The detail information is arranged in the following columns. Note that not all columns are available in every view.
Table 1913 Data listed in the system list of the Software Update tab
Name: This is the name of the CC-administered box.
Cluster: This is the name of the cluster the box resides in.
Range: This is the name of the range that the cluster and the box belong to.
Group: This is the name of the group the box has been assigned to.
Version: This is the software version installed on the box.
IP: This is the management IP address of the box.
5.10.1.1 Views
• Ranges
Fig. 1929 Software Update tab - Ranges view
In the Ranges view, boxes are arranged in a tree structure as known from the configuration tree in the Config section of Barracuda NG Admin.
• Boxes
Fig. 1930 Software Update tab - Boxes view
In the Boxes view, boxes are arranged alphabetically by their name.
• Versions
Fig. 1931 Software Update tab - Versions view
Note:
An Administrator only sees ranges, clusters, and boxes of his scope.
System list
Note:
Only a root Administrator is allowed to edit groups (create, delete & rename group).
• To create a group:
Click the Lock button in the Action bar.
Right-click any item in the System list, select Create Group from the context menu and specify a group name (characters: <space> ' " and | are not allowed for group names; these characters will be replaced by an underscore (_)).
Click the Save Groups button in the Action bar.
• To delete a group:
Click the Lock button in the Action bar.
Select the group in the System list, right-click and select Remove from the context menu. Note that the preconfigured group element !unassigned may not be deleted. When a group is deleted, boxes assigned to it are automatically moved to the group !unassigned.
Click the Save Groups button in the Action bar.
• To assign a box to a group:
Click the Lock button in the Action bar.
Click a box, drag it to the group it should be assigned to and drop it.
Click the Save Groups button in the Action bar.
Note:
Boxes may only be assigned to one group.
Note:
Everybody can see all groups and move his ranges, clusters, and boxes into any group.
• Check all
Click here to select all systems displayed in the listing. For selected systems update tasks may be created (see 5.11.1 Example, page 433).
• Uncheck all
Click here to unselect all systems.
• Collapse all
Click here to collapse the complete configuration tree.
• Expand all
Click here to expand the complete configuration tree.
In the Groups view, the following additional entries are available:
Note:
To enable group-related context menu items, lock the View/Filter list area by clicking the Lock button.
• Create Group
Click here to create a new organisational group.
• Rename
Select a group and click here to rename it. Note that the preconfigured group element !unassigned may not be renamed.
• Remove
Select a group and click here to delete it. Note that the preconfigured group element !unassigned may not be deleted. When a group is deleted, boxes assigned to it are automatically moved to the group !unassigned.
Column Description
Box This is the name of the Barracuda NG Firewall.
Cluster This is the name of the cluster the box resides in.
Range ID This is the name of the range cluster and box belong to.
(Box Icon) This column depicts the status of an executed task.
The task is executed successfully.
Task execution has failed.
RPM This is the name of the RPM that is currently executed.
Info This column lists additional information such as
IP address and short name.
Status This is the assigned task status.
0 Pending Copy
1 Failed Copy
2 Completed Copy (ready for activation)
Time This column informs about date and time when the
update was started (the used syntax is yyyy mm dd
hh:mm:ss).
Reason This is the failure reason in case the last execution try
has failed.
5.11.1 Example
The example below describes how to create a software update task in the Software Update tab and add it to the Update Tasks tab.
Step 1 Import a package
Click the Import button in the Software list window, select a package and click Open to import it into the CC.
Step 2 Check the package content
Double-click the imported package in the package selection list and make sure that it contains the desired software.
Fig. 1933 RPM information window
Check the update task list for the status of the package transfer and wait until the task is in the Copy Completed state.
Note:
This may take some time.
Step 7 Activate the package
Access the Update Tasks tab, select the task and then select Perform Update from the context menu. Wait until the update task entry disappears from the list.
Step 8 Review the log files
In the Software Update tab, double-click the specific Barracuda NG Firewall to view the log files and check if the desired actions have been taken.
6. CC Configuration Service
• Box
6.2 Multi-Range
The configuration node Multi-Range represents the highest level within the Barracuda NG Control Center configuration tree hierarchy. It contains all available ranges, clusters and boxes that are managed by the Barracuda NG Control Center.
This entry becomes available when the configuration tree view is restricted to either range or cluster view (see above). Clicking it expands the configuration tree view to display all ranges and clusters.
• Migrate Clusters, Migrate Ranges, Migrate Complete Tree
For a description of these context menu entries, refer to 6.9 Multiple Releases, page 446.
6.3 Global Settings
Global Settings are applicable for all ranges, clusters and boxes that the Barracuda NG Control Center administers. The following settings are available for configuration:
• Eventing
• Global Firewall Objects
• Pool Licenses, page 436
• CC Identity, page 436
• CC Parameters, page 437
• CC Access Notification, page 438
• Administrative Roles, page 438
• Statistics Cook Settings, page 439
• VPN GTI Editor (Global), page 439
Note:
As Global GTI Objects are created dynamically, they cannot be renamed or modified.
6.3.3 Global Settings - Pool Licenses
in the listing.
The following firewall objects may be defined globally:
• Networks
• Services
• User Groups
• Content Filter
Note:
In case global Firewall objects are renamed, this change has to be confirmed directly with Send Changes > Activate before editing further Firewall objects.
The configuration procedure of global objects is identical to the procedure on single boxes. For details, see Firewall 2.2 Rule Set Configuration, page 140.
6.3.2.1 Global Firewall Objects vs. Range/Cluster Firewall Objects
For a more granular definition of Firewall Objects, Global Firewall Objects can be overridden by Range Firewall Objects or Cluster Firewall Objects.
Range or Cluster Firewall Objects that should override those defined globally must have the same object name. If an identical Object is created in a Cluster or a Range, the following Information Message appears.
Fig. 1938 Overriding Global Network Objects
6.3.4 Global Settings - CC Identity
The CC Identity configuration area allows configuring various CC-related settings (for example CC IP address(es), private keys, ...).
6.3.4.1 Identification
Fig. 1940 CC Identity - Identification
CC IP Address: Into this field, insert the IP address that should be used for connections between CC and CC-administered boxes.
Additional CC IP Addresses: Into this field, insert the IP address(es) that should be used for logins to the CC on box level.
6.3.4.2 Trust Chain
List 195 CC Identity - Trust Chain Configuration section Trust Chain Configuration
CC Certificate: The CC Certificate is the Main Identity of the Barracuda NG Control Center. It is signed by the license key and distributed to CC-administered boxes for authentication purposes, thus ensuring trustable communication.
To insert appropriate company information into the certificate click Edit. To view certificate information click Show. Note that the certificate's public hash (displayed to the right) changes when a new CC Private Key is generated (see below).
Note:
The certificate installation procedure on Barracuda NG Control Centers is described in detail in 3.2 Installing the Licenses, page 419.
CC SSL Certificate: In contrast to the CC Certificate (see above), the CC SSL Certificate is not signed by the license key but self-signed instead. The SSL certificate automatically changes when the CC Certificate changes. It is sent out to all managed boxes in a hidden conf file (masterpub.conf). The CC SSL Certificate is required for SSL-compatible peer authentication between a box transmitting data and the CC Syslog Service in context with SSL based log file streaming.
CC Private Key: Here the MC's private key is handled. The button New Key generates a new private key and hash (displayed to the right).
List 196 CC Identity - Trust Chain Configuration section CC SSH Access Keys
CC SSH Key: Here the MC's SSH key is handled. The button New Key generates a new SSH key and hash (displayed to the right).
The menu Ex/Import offers the following options:
Export to Clipboard/File: Exports the master SSH key to the clipboard or to a file.
Export to Clipboard/File (password protected): Exports the master SSH key to the clipboard or to a file. However, it is necessary to define and confirm a password that has to be entered when importing the key.
Export Public to Clipboard/File: Exports the public key to the clipboard or to a file.
Import from Clipboard/File: Imports the master SSH key from the clipboard or from a file.
Preceding CC SSH Key: In this section former SSH keys are stored as soon as a new CC SSH Key is generated.
The menu Ex/Import offers the following options:
Export to Clipboard/File: Exports the old SSH key to the clipboard or to a file.
Export to Clipboard/File (password protected): Exports the old SSH key to the clipboard or to a file. However, it is necessary to define and confirm a password that has to be entered when importing the key.
Export Public to Clipboard/File: Exports the public key to the clipboard or to a file.
Import from Clipboard/File: Imports the old SSH key from the clipboard or from a file.
6.3.5 Global Settings - CC Parameters
These parameters describe the behavior of the Barracuda NG Control Center
• within the status map (Control > Status Map)
• when running a configuration update (Control > Configuration Updates)
• when running remote execution
Note:
Insert the CC box IP to embed the CC itself into the status map.
List 198 CC Parameters - Operational Setup section Configuration Update Setup
Max. Update Processes: This parameter defines the maximum number of simultaneous configuration updates.
HA Sync Timeout: Default 120 seconds. In case of HA synchronization problems increase this timeout.
List 199 CC Parameters - Operational Setup section Remote Execution Setup
Max. Exec Processes: This parameter defines the maximum number of simultaneous sessions.
List 1910 CC Parameters - Operational Setup section Barracuda NG Earth Setup
Poll Box VPN Status: Choose yes when you are using Barracuda NG Earth. The CC will collect all relevant data that is necessary to be displayed in Barracuda NG Earth.
For a description of the Revision Control System (RCS), refer to 17. CC RCS, page 499.
6.3.6 Global Settings - CC Access Notification
By means of the parameters available in this tab, the notification types which are induced by specific actions can be configured.
The user interface allows configuring the so-called Service Defaults that apply when no special notifications are set/required. The sections Type 1 Admin, Type 2 Admin, and Type 3 Admin allow defining notification settings for 3 types of administrators (configurable in Admins, see 8.3.1 Creating a New Admin Profile, Login Event menu, page 460).
In order to enter the access notification window, simply select the entry CC Access Notification from the configuration tree (Multi-Range > Global Settings).
Currently used types are:
• Silent (no event)
• Notice
• Warning
• Alert
The latter three may be used to modify the severity of a context dependent event type. A listing of generated events can be found in System Information 5. List of Default Events, page 536.
6.3.6.1 Barracuda NG Admin Authentication Success / Barracuda NG Admin Authentication Failure
The following objects are available for configuration:
• Configuration Center (Success) / Configuration Center (Failure)
Login to CC Config
• Central Event (Success) / Central Event (Failure)
Login to CC Event
• Central Statistics (Success) / Central Statistics (Failure)
Login to CC Statistics
• Central PKI (Success) / Central PKI (Failure)
Login to CC PKI Service
(accessible through Config > Multi-Range > Global Settings).
The user interface consists of a listing displaying already existing profiles (columns display the corresponding settings) and three buttons for interaction.
• Edit button
This button opens the configuration dialog with the settings of the selected role.
• Delete button
The button removes the selected role from the listing.
• Insert button
This button allows creating a new administrative role. The first window opened requires the defining role number. After confirming the number by clicking the OK button the role configuration dialog is opened, providing the following settings:
List 1911 Administrative Roles - Role Setup Roles section Role Name
Name: This parameter takes a describing name for the administrator's role.
Note:
The checkboxes in the following section define whether the corresponding module can be accessed by the administrator (checkbox selected). When selected, the permissions can be set in detail by clicking the Edit or Set buttons.
List 1912 Administrative Roles - Role Setup Roles section Module
CC Config Permissions: Kill Sessions, Change Permissions, Change Events, Show Admins, Manage Admins, Create/Remove Range, Create/Remove Cluster, Use RCS, Create/Remove Boxes, Create/Remove Server, Create/Remove Service, Create/Remove Repository, Manage HA Sync, Create PAR File, Allow Config View on Box, Allow Emergency Override
CC Control Permissions: Show Map, Show Config. Updates, Manage Config. Updates, Show Box REXEC, Manage Box REXEC, Show Box Software Updates
List 1912 Administrative Roles - Role Setup Roles section Module (continued)
Control Permissions: Start/Stop Server, Block Server, Start/Stop Service, Block Service, Delete Wild Route, Activate New Configuration, Restart Network Subsystem, Set or Sync Box Time, Restart NGFW Subsystem, Reboot System, Activate Kernel Update, Kill Sessions, Import License, Remove License, View License Data
Event Permissions: Silence Events, Stop Alarm, Mark as Read, Confirm Events, Delete Events
Log Permissions: Read Box Logfiles, Delete Box Logfiles, Read Service Logfiles, Delete Service Logfiles
Statistics Permissions: Read Box Statistics, Delete Box Statistics, Read Service Statistics, Delete Service Statistics
DHCP Server Permissions: Enable Commands
Access Control Service Permissions: Enable Commands
CC Access Control Service Permissions: Enable Commands, to modify or remove entries from the status and access cache; Block Box Sync., to disable authentication sync within a
Firewall Permissions: Terminate Connections, Modify Connections, Kill Handler Processes, Dynamic Rule Control, Toggle Trace, View Trace Output (see note on parameter Toggle Trace), Change Settings (see note on parameter Toggle Trace), View Rule Set, Manipulate Access Cache Entries
Note:
Selecting the parameter Toggle Trace together with View Trace Output and Change Settings enables the admin to run admintcpdump on the command line. See documentation Command Line Interface for detailed information.
VPN Server Permissions: Terminate VPN Tunnels, Disable/Enable VPN Tunnels, View Configuration
Mail Router Permissions: Enable Commands, View Stripped Attachments, Retrieve Stripped Attachments, Delete Stripped Attachments
Virscan Service Permissions: Allow Block Virus Pattern Update, Allow Manual Virus Pattern Update
Secure-Web-Proxy Permissions: Access Cache Management, to manipulate access cache entries; Ticket Management, to process access request tickets; Cert. Authorities Management, to accept/deny a root CA and to modify CRL handling; XML Services Management, to modify settings for RSS-feeds or Webservices (allow, scan, deny, delete)
6.3.8 Global Settings - Statistics Cook Settings
This section globally defines the compression of statistics files that have been collected by the Barracuda NG Control Center from its CC-administered boxes. For a detailed description of configuration options see 9.3 Compression Cooking and Deletion, page 463.
6.3.9 Global Settings - VPN GTI Editor (Global)
Open the Global VPN GTI Editor to access the Barracuda NG Firewall VPN Graphical Tunnel Interface (GTI). For detailed information on this configuration section, see 15. VPN GTI, page 490.
6.3.10 Global Settings - Box VIP Network Ranges
Configuration of this section is necessary to introduce so-called remote management or box tunnels. A box tunnel is used to establish an encrypted communication between the Barracuda NG Control Center and the Barracuda NG Firewall if the management IP of the gateway is not directly reachable (for example routing issues).
A common example is to establish communication between a gateway at a remote location and the CC located at the headquarters where the remote site is only reachable by an internet connection. In general the box management IP is within the network address range of the remote site.
Since it is neither recommended nor always possible to enable an external management IP which is directly accessible from the internet (for example when the internet provider assigns a dynamic external IP), another method has to be found to establish a connection between box and CC.
Even if a VPN tunnel between remote site and headquarters is established, it is recommended to use box tunnels. If the remote site is not reachable due to a misconfiguration of the VPN tunnel or a blocked VPN service, the box tunnel will nevertheless stay established.
VIP network ranges defined in this section are enabled as Proxy ARPs on the Barracuda NG Control Center and should thus not collide with used IP addresses in this network segment.
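Two things can go wrong when VIP ranges are defined: a range that overlaps addresses already in use on the CC's segment (the Proxy ARP collision the guide warns about), and a range that the admin workstation does not route towards the CC, which the guide states is essential for Barracuda NG Admin to reach a box through its VIP. The following added example, not part of Barracuda NG Control Center or of this guide, checks both from data an administrator already has: the Address Range Start IP and Netmask pairs of the dialog, the networks used on the CC's LAN, and the workstation's routing table. All addresses, names and routes in it are constructed sample values.

```python
"""Added example: sanity checks for Box VIP Network Ranges.  Illustration code, not part of
Barracuda NG Control Center; the sample ranges, addresses and routes below are constructed."""
import ipaddress


def vip_network(start_ip, netmask):
    """Build the VIP network from the dialog's Address Range Start IP and Netmask fields."""
    return ipaddress.ip_network(f"{start_ip}/{netmask}", strict=False)


def find_vip_collisions(vip_ranges, in_use):
    """Report VIP ranges that overlap addresses already used on the CC's segment.

    Needed because VIP ranges are enabled as Proxy ARP on the CC.
    vip_ranges: [(name, start_ip, netmask)]; in_use: [(label, "cidr")].
    Returns [(vip_name, label)] for each overlap with an in-use network, plus
    (vip_a, vip_b) for VIP ranges that overlap each other.
    """
    nets = [(name, vip_network(start, mask)) for name, start, mask in vip_ranges]
    used = [(label, ipaddress.ip_network(cidr, strict=False)) for label, cidr in in_use]
    problems = []
    for name, net in nets:
        for label, used_net in used:
            if net.overlaps(used_net):
                problems.append((name, label))
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                problems.append((nets[i][0], nets[j][0]))
    return problems


def unrouted_vips(vip_ranges, admin_routes, cc_ip):
    """Return the names of VIP ranges the admin workstation would not send to the CC.

    admin_routes: [("cidr", next_hop)] as on the workstation.  Longest-prefix match
    decides; a VIP range counts as routed only if the winning route's next hop is the CC.
    """
    cc = ipaddress.ip_address(cc_ip)
    routes = [(ipaddress.ip_network(cidr, strict=False), ipaddress.ip_address(hop))
              for cidr, hop in admin_routes]
    missing = []
    for name, start, mask in vip_ranges:
        net = vip_network(start, mask)
        covering = [(r, hop) for r, hop in routes if net.subnet_of(r)]
        if not covering:
            missing.append(name)
            continue
        _, best_hop = max(covering, key=lambda rh: rh[0].prefixlen)
        if best_hop != cc:
            missing.append(name)
    return missing


# Constructed sample data (hypothetical addresses, not taken from the guide).
SAMPLE_VIP_RANGES = [
    ("branch-a", "172.16.10.0", "255.255.255.0"),   # fine: private space unused at HQ
    ("branch-b", "10.0.0.128", "255.255.255.128"),  # bad: lies inside the CC's own LAN
]
SAMPLE_IN_USE = [("cc-lan", "10.0.0.0/24")]           # the segment the CC sits on
SAMPLE_CC_IP = "10.0.0.10"
SAMPLE_ADMIN_ROUTES = [                               # routing table of a workstation on cc-lan
    ("0.0.0.0/0", "10.0.0.1"),                        # default gateway, not the CC
    ("172.16.0.0/12", "10.0.0.10"),                   # VIP space routed to the CC
]

if __name__ == "__main__":
    print("collisions:", find_vip_collisions(SAMPLE_VIP_RANGES, SAMPLE_IN_USE))
    print("unrouted:", unrouted_vips(SAMPLE_VIP_RANGES, SAMPLE_ADMIN_ROUTES, SAMPLE_CC_IP))
```

With the sample data, branch-b is flagged twice: it collides with the CC's LAN, and the only route covering it on the workstation is the default route, whose next hop is not the CC. Both findings point at the same fix, choosing a VIP range that is unused at headquarters and adding a route for it towards the CC.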
In addition to the definition of VIP networks, the usage of a box tunnel requires configuration of the Remote Management section in the box network node.
Note:
Using remote management tunnels requires the introduction of an additional service 'mvpn' on the Barracuda NG Control Center itself.
A Barracuda NG Firewall that is managed through a box tunnel establishes an encrypted VPN connection to the Barracuda NG Control Center. All communication between Barracuda NG Control Center and gateway is processed through the box tunnel (TCP, port 692). Even communication between the admin workstation and the remote box is handled through the box tunnel. Barracuda NG Admin utilizes the Virtual IP (VIP) that is defined in the Box - Network Configuration - Remote Management section as box address (destination address) when establishing a connection to the CC. It is thus essential that VIP network ranges be routed from the admin workstation to the CC.
• Insert button
This button allows creating a new network range. The first opened window requires the defining name for the network range. After confirming the name with OK the configuration dialog is opened, providing the following settings:
Address Range Start IP address
Address Range Netmask
• Delete button
This button deletes the selected network range from the listing.
6.3.10.2 VPN Settings
List 1913 Box VIP Network Ranges VPN Settings
Pending Session Limitation [default Yes]: Session buildup is limited so that once a buildup of 5 sessions is detected, any further session request will be dropped until one of the already initiated sessions is completed. This feature can be turned off by configuring the VPN settings parameter Pending Session Limitation (see list 53, page 219).
Use Tunnels for Authentication [Yes]: Normally a tunnel registers itself at the firewall, causing an auth.db entry with the tunnel network and the tunnel credentials. This can be used to build firewall rules having the tunnel name or credentials as condition. This feature is rarely used (maybe not at all). Using the VPN settings parameter Use Site to Site Tunnels for Authentication (see list 53, page 219) this functionality can be turned off, improving the startup speed dramatically.
Prebuild Cookies on Startup [No]: Normally cookies are built on demand. For many tunnels building up simultaneously it is better to have the cookies already precalculated. This causes a slower VPN service startup but a faster tunnel buildup afterwards. This feature can be turned off by configuring the VPN settings parameter Prebuild Cookies on Startup (see list 53, page 219).
Listen to Port 443 [Yes]: Defines whether incoming VPN connections on port 443 should be accepted or not (default: Yes). In some cases you might want to disable using port 443 for incoming VPN connections, for example when connections arriving at port 443 should be redirected by the firewall service to another machine. Using the VPN settings parameter Use port 443 (see list 53, page 219) this functionality can be turned off.
6.3.10.3 Rekey/Alive Rates
All the limits configured here are enforced by the MVPN Service on the Barracuda NG Control Center per default. If the remote box itself should enforce the limits, parameter Server enforces Limits should be set to No.
List 1914 Box VIP Network Ranges Rekey/Alive Rates
6.4 Range Configuration
A range is the largest configuration entity, built up of one or multiple clusters. Ranges are meant to simplify central administration of huge networks. Within ranges, global settings spanning all existent clusters can be defined. Within clusters, in turn, global settings spanning all existent boxes can be configured. Beyond this, specific security implementations in the Cluster Services allow configuration of security settings not available for regular services (see 6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall), page 449).
Setups with configured ranges involve the following further benefits:
• Statistics
When the CC is configured to collect statistics, the statistics data gets range classified. This amongst others allows range specific accounting.
• Administrative settings
Ranges can be allocated to administrative roles (see Range Name, page 441). This allows specific ranges only to be administered by explicitly assigned administrative roles.
6.4.1 Creating a New Range
Right-click Multi-Range and select Create Range from the context menu to create a new range. Enter a Range Name (Note: only numbers allowed) and confirm your entry by clicking the OK button. This opens the range configuration dialog (later accessible via Multi-Range > <rangename> > Range Properties).
Note:
Make sure to click Send Changes > Activate after having introduced a new range. Otherwise, boxes will not receive a valid box certificate and will not be able to establish a trust relationship to the CC.
Fig. 1941 Create Range - configuration dialog
Range Name: This read-only field displays the range number as inserted during the creation dialog.
Description: Insert a significant range description into this field.
List 1916 Creating a new range section Contact Info
Full Name / Contact Person / Telephone Nr. / Email Address: To ease approaching the range administrator, these fields should be filled with appropriate contact information.
List 1917 Creating a new range section Specific Settings
Disable Update: This parameter enables/disables configuration updates for boxes from this range (default: no).
Collect Statistics: Setting to yes (default) triggers the Barracuda NG Control Center to collect statistics from managed boxes within this range.
Own Cook Settings: If the range requires special cook settings for statistical data, set this parameter to yes (default: no). By doing so, the file Statistics Cook Settings is introduced below Multi-Range > <rangename> > Range Settings where the custom cook settings for the range may be defined. For information concerning the parameters available in this customising file, see 9.3.2 Range Specific Settings, page 464.
Own Event Settings: If the range requires special event settings, set this parameter to yes (default: no). By doing so, the file Eventing is introduced below Multi-Range > <rangename> > Range Settings where the custom event settings for the range may be defined. For information concerning the parameters available in this customising file, see 10.3.3 Cluster-specific Event Settings, page 470.
Own Firewall Objects: Setting to yes (default: no) enables range-specific firewall objects. It introduces the file Range Firewall Objects below Multi-Range > <rangename> > Range Settings where range-specific network objects may be defined. For information on characteristics and handling of network objects, see Firewall 2.2.4 Network Objects, page 148.
Own VPN GTI Editor: Setting to yes (default: no) enables a range-specific VPN GTI Editor. It introduces the file VPN GTI Editor (<rangename>) below Multi-Range > <rangename> > Range Settings. For information on the functionality of the VPN GTI Editor, see 15. VPN GTI, page 490.
Own Policy Server Objects: Setting to yes (default: no) enables range-specific policy server objects. It introduces the nodes Access Control Objects (containing files Welcome Message, Personal Firewall Rules, Pictures and Registry Checks), just like Access Control Services below Multi-Range > <rangename> > Range Settings. For detailed information see Configuration Service Section Policy Based Routing, page 69.
Own Shaping Trees: Setting to yes (default: no) enables range-specific traffic shaping settings. It introduces the file Range Shaping Trees below Multi-Range > <rangename> > Range Settings. For detailed information see Configuration Service 2.2.6 Traffic Shaping, page 82.
6.4.2.1 Range-specific Cook Settings
Take into consideration that specific cook settings are only available if the parameter Specific Cook Settings (see 6.4.1 Creating a New Range, parameter Own Cook Settings) is set to yes.
For information concerning the parameters available in this customising file, please have a look at 9.3.2 Range Specific Settings, page 464.
6.4.2.2 Range-specific Event Settings
Take into consideration that specific event settings are only available if the parameter Specific Event Settings (see 6.4.1 Creating a New Range, parameter Own Event Settings) is set to yes.
For information concerning the parameters available in this customising file, please have a look at 10.3.2 Range-specific Event Settings, page 469.
6.5 Cluster Configuration Range, page 441. However, they only apply to the specific
cluster and overrule superordinate settings.
z Cluster services List 1920 Creating a new cluster section Specific Settings
Cluster services are services that can run on multiple Parameter Description
cluster servers. Disable Updates This parameter enables/disables configuration updates
An example for a cluster service is the for boxes from this range (default: no).
Distributed-Firewall service. The Distributed-Firewall Collect Setting to yes triggers the Barracuda NG Control
(Cascaded Firewall) is a cluster firewall. This means that Statistics Center to collect statistics from managed boxes within
this cluster. Setting like-range (default) inherits the
the firewall service is running in operational mode on settings from the Range Config file (see Collect
more than one box at the same time with the same Statistics, page 441).
configuration. This offers easy configuration and easy Own Cook If the cluster requires special cook settings for
implementation for load sharing scenarios. Settings statistical data, set this parameter to yes (default: no).
By doing so the file Statistics Cook Settings is
For information on how to create and configure a
introduced below Multi-Range > <rangename> >
cluster service, see 6.5.1.2 Creating a Shared Service, <clustername> > Cluster Settings where the
page 443. custom cook settings for the cluster may be defined.
For information concerning the parameters available in
this customising file, see 9.3.3 Cluster Specific Settings,
In addition to the benefits mentioned above, the other page 464.
benefits are: Own Event If the cluster requires special event settings, set this
Settings parameter to yes (default: no). By doing so the file
z Statistics Eventing is introduced below Multi-Range >
When the CC is configured to collect statistics, the <rangename> > <clustername> > Cluster
statistics data gets cluster classified. This amongst Settings where the custom event settings for the
others allows cluster specific accounting. cluster may be defined. For information concerning the
parameters available in this customising file, see 10.3.3
z Administrative settings Cluster-specific Event Settings, page 470.
Clusters can be allocated to administrative roles. Own Firewall Setting to yes (default: no) enables cluster-specific
Objects firewall objects. It introduces the file Cluster
Firewall Objects below Multi-Range >
List 1920 Creating a new cluster section Specific Settings However, some differences need our attention:
Parameter Description
List 1921 Creating a Cluster Service section Service Definition
Own Shaping Setting to yes (default: no) enables cluster-specific
Trees traffic shaping settings. It introduces the file Range Parameter Description
Shaping Trees below Multi-Range > Software For a cluster service only three software modules are
<rangename> > <clustername> > Cluster Module available:
Settings. For detailed information see Configuration DNS (default), for configuration information see
Service 2.2.6 Traffic Shaping, page 82. DNS, page 331
Firewall, for firewall configuration information see
Firewall, page 131. For specific firewall configuration
6.5.1.1 Creating a Cluster Server information see 6.11 Supplement - Configuring the
Cascaded Firewall (Distributed-Firewall), page 449 in
this chapter.
To create a cluster server, open the context menu of the
SNMPd, for configuration information SNMP,
configuration tree item Virtual Servers and select page 513
Create Server Insert the name of the cluster server in
List 1922 Creating a Cluster Service section Admin Restrictions
the now opened dialog and confirm by clicking the OK
button, which opens the configuration dialog. The Parameter Description
configuration of a cluster server is identical with the Administered This parameter specifies the administrators allowed to
by manage the cluster. The default setting all-authorized
configuration of a server on a Barracuda NG Firewall permits management for each configured
(Configuration Service 3. Configuring a New Server, administrator.
page 94), except that network objects may be referenced The second available setting is restricted-set.
Selecting this option enables the parameter Privileged
in the Server Address fields (Firewall 2.2.4 Network Admins.
Objects, page 148). Privileged Via this parameter the administrator explicitly allowed
Admins to manage the cluster is specified. Therefore, simply
Fig. 1942 Creating a cluster server with referencing Server IP addresses to enter the Barracuda NG Admin login name of the
network objects corresponding administrator and click the Insert
button in order to add him to the listing to the right.
Via Change you may edit an already existing name.
Select the wanted entry, modify the spelling and click
Change in order to add the new name to the listing.
By selecting an existing entry and clicking Delete, the
admin is removed from the list and thus, after
activating the changes, is no longer able to administer
the cluster service.
6.5.1.2 Creating a Shared Service

To create a shared service (also known as Cluster Service), open the context menu of the configuration tree entry <clustername> > Shared Services. Insert a cluster service name and confirm it by clicking the OK button. This opens the configuration dialog.
The configuration of a shared service is identical to the configuration of a service on a Barracuda NG Firewall (Configuration Service 4. Introducing a New Service, page 97).
The Cluster Service is added to the Service node below the Cluster Server. <DNS_servername> (DNS-Service) and <SNMPd_servername> (snmp) service nodes are created as links to the unique Cluster Service below the Cluster Service node. The same applies to the global settings of the <cfirewall_name> (cfirewall) node. The Cascaded Firewall Specific node is the only object which has to be configured below the <servername> > Assigned Services node directly, as settings made here apply per server and not per cluster (see 6.11.4 The Local Rules Section and The Special Rules Section, page 451).

Once a Shared Service has been created, it can be added to a Cluster Server. To add a Cluster Service to a Cluster Server browse to Multi-Range > <rangename> > <clustername> > Virtual Servers > <servername>, right-click the server node and select Add Shared Service from the context menu. A new window pops up, allowing selection of the respective service. Mark the service and click the OK button.
Fig. 1943 Adding a Cluster Service

6.6.1 Create Box Wizard

To create a new box you can right-click Boxes and select Create Box from the context menu (see Configuration Service 2.2.2 Box Properties, page 52) or you use the Create Box wizard:
• Right-click the range or the cluster where you want to introduce the new box
• Select Create Box Wizard from the context menu
Fig. 1944 Box configuration wizard for creating a box
6.6.2 Launching a Box

To switch from the CC to a box, right-click the desired box and choose Launch Control for Box (<box IP address>) from the context menu.
Fig. 1945 Box configuration launch control for box

6.7 Defining Node Properties

For additional access restriction, the CC offers the context menu entry Properties for each item of the configuration tree.

List 1924 Barracuda NG Control Center Node Properties
Parameter Description
Name   purely informational; displays name of the software module
Description   purely informational; displays a short description for the software module
Created   purely informational; displays date/time, admin, admin IP of service creation
Last Modified   purely informational; displays date/time, admin, admin IP of last modification
Release   Release version installed on the box (only netfence / Barracuda NG Firewall versions 3.4, 3.6, 4.0 and 4.2 are supported in multi-release environments).

List 1925 Barracuda NG Control Center Node Properties section Administrative Level
Parameter Description
Your Level   purely informational; displays your administrative level.
Read   By entering the corresponding configuration level, the read permission is specified.
   Note: Any level lower than the set one has access (see 8.3.1 Creating a New Admin Profile, page 458).
Write   By entering the corresponding configuration level, the write permission is specified.
   Note: Any level lower than the set one has access (see 8.3.1 Creating a New Admin Profile, page 458).
   Click Change to save the new configuration.
Modify Event   This menu specifies the type of event notification if the corresponding file is modified. Available notification types are:
   No Event (default)
   Normal Event (generates event Config Node Change Notice [2400])
   Notice Event (generates event Config Node Change Warning [2401])
   Alert Event (generates event Config Node Change Alert [2402])
History   states configuration actions performed on this entity; administrator and peer IP are logged:
   Entry Description
   param   when changes to the read or write level were made
   lock   when conf entity was locked
   unlock   when conf entity was unlocked
   change   when conf entity was changed
   add   when a server/service object was added to the conf tree

6.8 Repositories

For increased configuration comfort, configuration repositories can be defined.
Configuration data that is used on more than one machine should be stored in a repository. This saves time and reduces configuration errors, since the information is entered only once and is then linked from the corresponding repository. Three types of repositories exist:
• Cluster Repository
• Range Repository
• General Repository

Cluster repositories should be used for saving cluster specific configuration data, while range repositories should contain configuration data for boxes of the whole range. The general repository can be used for saving configuration data which can be used on all boxes that are introduced by the Barracuda NG Control Center.
Fig. 1946 Different types of repositories (figure label: Cluster repository)

Note:
Due to compatibility reasons, two nodes are structured in a different way in the box repository tree than within the box range tree configuration:
• Authentication Service is placed in Advanced Configuration and not in Infrastructure Services
• System Settings is placed in Box and not in Advanced Configuration
6.9 Multiple Releases

A Barracuda NG Firewall Barracuda NG Control Center 4.2 is equipped with the ability to manage Barracuda NG Firewalls installed with release versions 3.4 and higher. Especially in huge network environments, where ad hoc migration of all systems to the recent version simultaneously cannot be accomplished, this feature enables easy and up-to-date administration.

6.9.1 Administering Multiple Releases

The smallest administration entity demanding uniform software versions is a cluster. When creating a new cluster (see 6.5.1 Creating a New Cluster), the software release version has to be specified. Every box that is introduced to a cluster is then expected to work with the same release version.
To verify the version number bound to each configuration node, select Toggle Release View from the context menu available through right-clicking the configuration tree entry Multi-Range. The release information is then displayed to the right of each configuration node.
Fig. 1947 Configuration tree displayed in default view (left) and with toggled release view (right)

Just like boxes, ranges and clusters, repository objects can be migrated to a newer version (see 6.9.3.4 Migrating a Repository Object).

When administering a multi-release environment, use the release view to identify system information versions easily in order to
• install correct hotfixes and updates through the Software Update Tab (see 5.10 Software Update Tab, page 429);
• prepare netfence 3.4/3.6/4.0 version gateways for update to the recent Barracuda NG Firewall version 4.2;
• verify object version numbers in the repositories.

6.9.2 Updating to the Recent Version

Before migrating the configuration, each gateway has to be updated to the recent software version. Execute the software update in the Software Update Tab (see 5.10 Software Update Tab, page 429).
Note:
Keep in mind that when updating Barracuda NG Firewalls to the recent version 4.2, the software update has to be accomplished per cluster. Once the decision for updating has been made, the software update has to be executed for all boxes within a cluster before the cluster can be migrated and again be managed by the Barracuda NG Control Center.
Note:
Migration can only be executed to the applicable succeeding software release version (that means gateways installed with netfence 3.4 must be migrated to version 3.6 first, before they can be migrated to version 4.0 and then to version 4.2).
Note:
Clicking Migrate Cluster(s), Range(s), Complete Tree migrates the configuration but does not activate the new configuration on the spot. Instead, it flags all configuration nodes which the migration process is going to change. Click the Activate button to activate the new configuration (see example Migrating a Cluster).
Step 1 Lock the cluster and select Migrate Cluster from the context menu
Fig. 1949 Migrating a cluster - Step 1
Step 3 Click Activate
Click Activate to activate the new configuration.
Fig. 1951 Example: Mail-Gateway configuration nodes prior to and after Migrate Cluster activation

Step 1 Lock the range and select Migrate Range from the context menu
Fig. 1952 Migrating a range - Step 1

6.9.3.3 Migrating Multiple Clusters/Ranges

Step 1 Create a version 4.2 repository object with the same configuration settings as the former object.
Note:
Repository migration can only be executed to the applicable succeeding software release version (that means 3.4 version repositories are to be migrated to version 3.6 first, before they can be migrated to version 4.0 and then to version 4.2).
6.10 Adding/Moving/Copying

Step 5 Commit your selection via OK button and have the box moved
Attention:
Box servers and services will only be added if NO name violation occurs. In case of already existing configuration entities with the same name, servers and services will not be added to the CC configuration.

6.10.2 Moving/Copying Managed Boxes, Servers and Services

Attention:
Due to the hierarchical structure of repositories, it may happen that configurations linked from a repository are written to a file and, thus, are no links anymore.

6.11 Supplement - Configuring the Cascaded Firewall (Distributed-Firewall)

The Cascaded Firewall (Distributed-Firewall) is a so-called cluster service. It is a variant of the Barracuda NG Firewall specially designed to simplify firewall administration by multiple administrators. The Distributed-Firewall includes all features of the Barracuda NG Firewall. Unlike the common firewall service, though, the Distributed-Firewall is not only organized into one rule set, but can include up to three rule sets. As a result, the firewall rule set topology provides three organisational scopes:
• Global Rules (see 6.11.3 The Global Rules Section)
• Local Rules (see 6.11.4 The Local Rules Section)
For further information on Cascaded Rules see Firewall 2.5 Cascaded Rule Sets, page 169.

6.11.1 Hierarchical Structure of Rule Sets

Global Rules
The Global Rule set is the first rule set considered in the Distributed-Firewall configuration. It manages rules valid for all cfirewall services within a specific cluster.
Local and Special Rules are coequal but both come after Global Rules. Local and Special rules can only work with network objects that have been cascaded to them from the Global Rules section.
Fig. 1958 Cascading the localnet network object (figure labels: Cascade, Rule 4)

6.11.2 Creating a Cascaded Firewall

For general information on how to create a Shared Service, please refer to 6.5.1.2 Creating a Shared Service, page 443. The creation of the Cascaded Firewall Cluster Service (cfirewall) itself takes place in the following steps:
Step 1 Creation of the Distributed-Firewall service
Fig. 1961 Configuration nodes of the Distributed-Firewall service - Global section
6.11.6 Cascaded Firewall (Distributed-Firewall) - Configuration Example

A Holding enterprise owns 10 companies, each of them having 10 locations. Firewalls are installed in every location. Each company has its own IT department. The locations of each company communicate with one another.

6.11.6.1 Initial Situation

The holding's security policy demands the following general standards to apply:
• POP3 requests to the Internet should always be blocked.
• Internet communication processing is only allowed via gateways (proxies, mail gateways, ...).
• Communication between the Holding itself and its 10 companies (Company A-J) is only allowed to be handled through global security policies (for example only Lotus Notes is allowed).

On basis of these demands, the Cascaded Firewall can be set up as follows:
Fig. 1963 Exemplary Distributed-Firewall setup (figure labels: Server-service wide configuration; Protected node; Cluster-service-wide configuration (linked to Repository))

• 11 clusters are set up in a range (one cluster for the Holding company itself, the other 10 clusters for each of its companies).
• A cfirewall service is introduced in each cluster.
• The network addresses of Companies A-J and their respective locations are entered into the Trusted Networks of the Holding's Localnet object.
• In the Range Repository, a rule set compliant with the Holding's policy is set up in the Global Rules section.
• The Global Rules sections of the companies' Distributed-Firewalls are linked to this Global Rules object in the Range Repository.
Fig. 1964 Content of the Global Rule Set, which is saved in the Range Repository
• Permissions of the Cluster Service node and the nodes below are set to read-only, in order to prevent change of Localnet and of the link to the Global Rules object in the Range Repository by the IT administrators in the companies (figure 1963 - Protected node).
• The right to change settings in the Local Rules section is assigned to the IT administrators of the companies.
Note:
With the settings depicted in figure 1964, only the right to change company internal settings is assigned to the IT administrators, as only the destination object localnet is cascaded. Thus, as desired, the IT administrators will not be able to change settings for Internet access,
• A new rule set, configuring handling of connections over port 5555, is set up in the Special Rules section of Company B.

[Network diagram residue (used by the CC migration example in 6.12): CC box "Barracuda NG" 10.0.8.110 / 10.0.82.110, eth0: 10.0.8.34 / 10.0.82.34, VIP: 10.0.8.128/28 / 10.0.82.128/28, network 10.0.8.0/24 / 10.0.82.0/24; remote Box with Man: 10.0.81.1, VIP: 10.0.8.129 / 10.0.82.129, eth0: 10.0.8.100 / 10.0.82.100, FW: 10.0.8.112 / 10.0.82.112, eth1: 172.31.80.3]
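The rule-set hierarchy of 6.11.1 and the Holding example of 6.11.6 can be checked against a small model. The following Python block is an added illustration and not part of the manual or of any Barracuda code: it evaluates Global Rules first and Local and Special Rules after them, and it rejects Local or Special rules that reference a network object that was not cascaded from the Global Rules section. All addresses, object names and rule names are constructed; treating Local before Special (the manual calls them coequal), the meaning of "internet" and the default deny are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network objects (name -> networks). All values are constructed for the example.
NETWORK_OBJECTS = {
    "holding-localnet": ["10.0.0.0/16"],
    "companyB-localnet": ["10.2.0.0/16"],
    "proxy": ["10.0.0.10/32"],
}
# Only the destination object localnet is cascaded to Company B (figure 1964).
CASCADED_TO_COMPANY_B = {"companyB-localnet"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "pass" or "block"
    src: str             # network object name or "any"
    dst: str             # network object name, "any" or "internet"
    port: Optional[int]  # None = any port


def in_object(ip: str, obj: str) -> bool:
    """True if ip belongs to the named network object."""
    if obj == "any":
        return True
    if obj == "internet":  # assumption: every address outside all known objects
        return not any(in_object(ip, o) for o in NETWORK_OBJECTS)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in NETWORK_OBJECTS[obj])


def validate_cascade(rules: List[Rule], cascaded: set) -> List[Tuple[str, str]]:
    """Local and Special rules may only use objects cascaded from the Global
    Rules section; returns (rule name, object) pairs that violate this."""
    violations = []
    for r in rules:
        for obj in (r.src, r.dst):
            if obj not in ("any", "internet") and obj not in cascaded:
                violations.append((r.name, obj))
    return violations


def evaluate(src_ip, dst_ip, port, global_rules, local_rules, special_rules):
    """Global Rules are consulted first. Local and Special Rules both come
    after them; this model checks Local before Special (assumption).
    Returns (scope, rule name, action)."""
    scopes = (("global", global_rules), ("local", local_rules), ("special", special_rules))
    for scope, rules in scopes:
        for r in rules:
            if in_object(src_ip, r.src) and in_object(dst_ip, r.dst) and r.port in (None, port):
                return scope, r.name, r.action
    return "none", None, "block"  # no rule matched: deny (assumption)


# Holding policy from 6.11.6.1, kept once in the Range Repository (Global Rules).
GLOBAL_RULES = [
    Rule("block-pop3", "block", "any", "internet", 110),
    Rule("allow-proxy", "pass", "any", "proxy", None),
    Rule("allow-notes-B-holding", "pass", "companyB-localnet", "holding-localnet", 1352),
    Rule("block-B-holding", "block", "companyB-localnet", "holding-localnet", None),
    Rule("block-direct-internet", "block", "any", "internet", None),
]
# What Company B's IT department may edit (Local and Special Rules sections).
LOCAL_RULES_B = [Rule("B-internal-web", "pass", "companyB-localnet", "companyB-localnet", 80)]
SPECIAL_RULES_B = [Rule("B-port-5555", "pass", "companyB-localnet", "companyB-localnet", 5555)]
# A local rule that reaches for a non-cascaded object (constructed negative case).
LOCAL_RULE_WITH_FOREIGN_OBJECT = Rule("bad", "pass", "companyB-localnet", "holding-localnet", None)


def decide(src_ip: str, dst_ip: str, port: int):
    return evaluate(src_ip, dst_ip, port, GLOBAL_RULES, LOCAL_RULES_B, SPECIAL_RULES_B)


if __name__ == "__main__":
    print(decide("10.2.0.5", "198.51.100.7", 110))   # blocked by the Global Rules
    print(decide("10.2.0.5", "10.2.0.9", 5555))       # passed by Company B's Special Rules
    print(validate_cascade([LOCAL_RULE_WITH_FOREIGN_OBJECT], CASCADED_TO_COMPANY_B))
```

The point the model makes is the one the Note under figure 1964 makes: because only localnet is cascaded, Company B's administrators can shape traffic inside their own network (port 80 locally, port 5555 in the Special Rules), but POP3 to the Internet, proxy-only Internet access and the Holding-to-company policy are decided by the Global Rules before any local rule is looked at.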
6.12.1 Preparing the Network for CC Migration to a New Network

The following preliminary steps must be taken before actual migration of the Barracuda NG Control Center (CC).
Note:
If you are migrating a HA (High Availability) system, do not forget to apply the changes on the HA partner as well.

Step 2 Introduce a second server IP on the CC box (Server configuration)
Browse to Config > Box > Virtual Servers > <servername> > Server Properties > General view > section Virtual Server IP Addresses. Insert the IP address 10.0.82.34 into the Second-IP field.

Step 3 Activate the new network configuration
Browse to Control > Box tab and click the Activate New button.

Step 4 Introduce additional Management IPs
Log into the Barracuda NG Control Center on server level using the CC tab and the CC IP 10.0.8.34.
Browse to Config > Multi-Range > Global Settings > CC Identity > General tab.
Insert the IP addresses 10.0.82.34 and 10.0.82.110 into the field Additional CC IP Addresses.

Step 5 Introduce new Box VIP ranges
While you are still logged on CC level, browse to Config > Multi-Range > Global Settings > Box VIP Network Ranges. Introduce the net 10.0.82.128/28 as new Network Range.

Step 8 Introduce additional FW rule sets on the HQ border firewall
Only rules concerning the redirection of the remote management tunnels need to be adapted. Clone the needed existing rule sets, and perform the necessary changes on the clones.

Step 9 Ensure correct routing from the remote boxes to the CC

Step 10 Ensure external management access
To maintain connectivity when changing the VIP or in case of a remote management settings misconfiguration, make sure to configure management accesses to all boxes that work independently of the management VPN tunnels (for example define external management IPs on all boxes of the branch offices).

Step 11 Activate the new network configuration
Log into the Barracuda NG Control Center on box level. Browse to Control > Box tab and click Activate New.

6.12.2 Migrating the CC to a New Network

Note:
Administration of boxes will not be possible until the following steps are thoroughly accomplished and migration is completed.

To relocate the CC to its new environment proceed as follows:

Step 1 Check Configuration Updates for successful completion
Log into the Barracuda NG Control Center on server level using the CC tab and the new CC IP 10.0.82.34.
Browse to Control > Configuration Updates tab and check the update status messages in the list for all boxes bound to the Barracuda NG Control Center. Do not proceed with the following steps unless all updates have been completed successfully.

Step 2 Reconfigure remote managed boxes
Browse to Config > Multi-Range > <rangename> > <clustername> > Boxes > Box > Network > Management Access view > Remote Management Tunnel section.
Change the following network parameters:
• Virtual IP (VIP)
Switch the Virtual IP from 10.0.8.129 to 10.0.82.129.
• Tunnel Details
Switch the Target Networks from 10.0.8.0/24 to 10.0.82.0/24.
Switch the Reachable IPs from Server IP 10.0.8.34 to 10.0.82.34 and MIP 10.0.8.110 to 10.0.82.110.

Step 3 Activate the new network configuration on the boxes
Browse to Control > Box Execution.
Click New Script to generate a script for activation of the new network configuration on all boxes. Execute the script by selecting it in the Scripts tab and simultaneously selecting the boxes where it is to be executed in the window left to the Scripts tab. While all needed objects are selected, click the Create Task button in the Selected Boxes section. The script is now executed.

Step 4 Check Configuration Updates for successful completion
Browse to Control > Configuration Updates tab and check the update status messages for successful completion of box network activation.

Step 5 Set the new CC IPs
To assure that the correct CC IP address is used for communication, interchange the Management IPs created above in Step 4 Introduce additional Management IPs (see above).
Switch the CC IPs 10.0.8.34 and 10.0.8.110 with the additional CC IPs 10.0.82.34 and 10.0.82.110 respectively.

Step 6 Delete obsolete rule sets on the HQ border firewall
Delete the former rule sets on the HQ border firewall, which have been replaced through introduction of additional rule sets bound to the new IPs in "Step 8 Introduce additional FW rule sets on the HQ border firewall" (see above).

Step 7 Assert the new network configuration
Log into the Barracuda NG Control Center on box level using the Box tab and the MIP 10.0.82.110.
Browse to Control > Box tab and click the Activate New button. Select Soft activation from the available options.

Step 8 Perform a complete update via the Barracuda NG Control Center
Log into the Barracuda NG Control Center on server level using the CC tab and the CC IP 10.0.82.34.
Browse to Control > Configuration Updates tab. Click the Update Now button.
7. CC Database

7.1 Database User Interface

To access the Database user interface, log in to the CC on server level and select Database from the box menu.
The CC Database area gives an overview of all ranges, clusters, boxes, servers, and services the Barracuda NG Control Center administers. The view is purely informational. Double-clicking an entry in any tab listing opens the selected object in the configuration tree of the CC.
The following tabs are available for operational purposes:
• Range tab see 7.2 Range Tab, page 456
• Cluster tab see 7.3 Cluster Tab, page 456
• Box tab see 7.4 Box Tab, page 456
• Server tab see 7.5 Server Tab, page 456
• Service tab see 7.6 Service Tab, page 456
Note:
The button bar on top of the window is void of any functionality and may be ignored.

the Cluster Configuration (see 6.5 Cluster Configuration, page 442).

7.4 Box Tab

This tab provides information concerning all boxes that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the boxes and is split into columns that are named according to the parameters of the Box Configuration (see 6.6 Box Configuration, page 444).

7.5 Server Tab

This tab provides information concerning all servers that are managed via the Barracuda NG Control Center. The shown information is a summary of the input that was given during creation of the servers and is split into columns that are named according to the parameters of the Server Configuration (Configuration Service 3. Configuring a New Server, page 94).
8. CC Admins

Note:
Icons that are displayed partly transparent indicate inherited, that means linked, access permissions.

The user interface is divided into two configurational areas, a button bar on top of the window, and the Admins tab in the main window.
The buttons have the following functions:
• Activate button
Clicking Activate applies configuration changes.
• Undo button
Clicking Undo revokes configuration changes that have not yet been activated.
• New Entry button
Clicking New Entry allows creating a new administrator profile (see 8.3.1 Creating a New Admin Profile, page 458).
• Refresh button
Clicking Refresh updates the view in the Admin tab.

In the Admin tab existing administrator profiles can be arranged as follows:
• Order By Administrators
Arranges administrator profiles alphabetically by name.
• Order By Hierarchy
Arranges administrative scopes by range and cluster.
• Order By Roles
Arranges administrator profiles by assigned roles.
• Order By Level
Arranges administrator profiles by assigned administrative level.

8.3.1 Creating a New Admin Profile

Note:
Create administrative roles (see 6.3.7 Global Settings - Administrative Roles, page 438) and define node properties (see 6.7 Defining Node Properties, page 445) before creating a new administrator profile.

Step 1 Locking the data set
Click the Lock button to enable content modification in the Admins tab.
Then click the New Entry button to open the Administrator configuration window.
Fig. 1974 Administrator configuration dialog (figure labels: Step 2 Defining General information, page 458; Step 4 Defining the Administrative Scope, page 459; Step 5 Defining the Operative Settings, page 460)
List 1926 Creating a new administrator - Administrator tab section General
Parameter Description
Password   Via this parameter the password for the Barracuda NG Admin login has to be specified. The password has to be verified by reentering it in the field Confirm. For additional parameters concerning configuration of password/key handling, check the Details tab (see below).
In addition to the parameters mentioned above, the Basic Data section offers an additional option:
disable checkbox   By ticking this check box, the administrator's profile is deactivated for further usage.
   Attention: Please take into consideration that disabling affects the system only as soon as the modified admin configuration is activated.
External Authentication field   If external authentication is required, the corresponding method can be selected here. The following authentication schemes are available:
   msnt - see Configuration Service 5.2.1.7 MSNT Authentication, page 115
   ldap - see Configuration Service 5.2.1.3 LDAP Authentication, page 113
   radius - see Configuration Service 5.2.1.4 Radius Authentication, page 114
   msad - see Configuration Service 5.2.1.1 MSAD Authentication, page 111
   rsaace - see Configuration Service 5.2.1.5 RSA-ACE Authentication, page 114
   Note: Since it is mandatory that the to-be-used authentication scheme is configured on both the CC box and the administered box, Barracuda Networks highly recommends configuring the authentication schemes via the repository and then setting appropriate references.
External login name field   Here the login name configured within the corresponding authentication scheme has to be entered.

List 1927 Creating a new administrator - Details tab section Password Parameters
Parameter Description
Warning period before expiration   Specifies the number of days before the password expiry date on which a request for password change is displayed.
Grace period after expiration   Specifies the number of days after the password expiry date on which the password is still accepted.
Password must differ on change   This checkbox defines whether the current password may be re-used on password change.
Assigned Range   This parameter defines the visibility of configuration sessions. By selecting a range, only administrators authorized to configure this range see active configuration sessions of this administrator.
Authentication Level   This parameter defines the authentication that is required to access a system. The following types of authentication are available: Password or Key (default), Password, Key, Password AND Key.
Public Key   This section of the configuration dialog serves for handling the public key. The button Export/Import offers import options.
Peer IP Restriction   Specifies IP addresses and/or subnets of administration workstations on which Barracuda NG Admin runs.

Step 4 Defining the Administrative Scope
By assigning elements like range or cluster, the scope implicitly defines those systems to which the admin basically has access rights. The default settings only provide for GUI-based access. Optionally, the administrator may receive access rights to the operating system layer (shell login), which widens the scope.
Additionally, every administrator is granted access to the central services of the CC, whereas his view on the system is restricted to his administrative scope.
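The admin restrictions of List 1922 (Administered by / Privileged Admins), the node levels of List 1925 (Read / Write) and the password parameters and Peer IP Restriction of List 1927 combine into one access decision per administrator and configuration node. The following Python block is an added illustration of that combination, not part of the manual and not Barracuda code: the profile fields, function names and the sample administrator are constructed, "lower level = more rights" with an equal level counting as permitted is an assumption about the level comparison, and dates are passed as ISO strings for convenience.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Union


@dataclass
class AdminProfile:
    login: str
    level: int                                   # administrative level (lower = more rights, assumption)
    peer_networks: List[str] = field(default_factory=list)  # Peer IP Restriction; empty = unrestricted
    password: str = ""
    password_expires: Optional[date] = None
    warning_period_days: int = 0                 # Warning period before expiration
    grace_period_days: int = 0                   # Grace period after expiration
    password_must_differ: bool = True            # Password must differ on change


def _as_date(day: Union[str, date]) -> date:
    return date.fromisoformat(day) if isinstance(day, str) else day


def level_permits(admin_level: int, node_level: int) -> bool:
    """List 1925: 'any level lower than the set one has access';
    an equal level is treated as permitted here (assumption)."""
    return admin_level <= node_level


def cluster_admin_permitted(administered_by: str, privileged_admins: List[str], login: str) -> bool:
    """List 1922: all-authorized admits every configured administrator,
    restricted-set only the logins entered under Privileged Admins."""
    if administered_by == "all-authorized":
        return True
    if administered_by == "restricted-set":
        return login in privileged_admins
    raise ValueError("unknown Administered by value: %r" % administered_by)


def peer_ip_permitted(profile: AdminProfile, peer_ip: str) -> bool:
    """Peer IP Restriction: the workstation must lie in one of the listed networks."""
    if not profile.peer_networks:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in profile.peer_networks)


def password_state(profile: AdminProfile, today: Union[str, date]) -> str:
    """'ok', 'warn' (change requested), 'grace' (expired but still accepted)
    or 'expired' (rejected), following the List 1927 periods."""
    today = _as_date(today)
    exp = profile.password_expires
    if exp is None:
        return "ok"
    if today > exp + timedelta(days=profile.grace_period_days):
        return "expired"
    if today > exp:
        return "grace"
    if today >= exp - timedelta(days=profile.warning_period_days):
        return "warn"
    return "ok"


def password_change_allowed(profile: AdminProfile, new_password: str) -> bool:
    return not (profile.password_must_differ and new_password == profile.password)


def access_decision(profile: AdminProfile, peer_ip: str, today: Union[str, date],
                    node_read_level: int, node_write_level: int) -> str:
    """Combine the checks into the access an admin gets on one configuration node."""
    if not peer_ip_permitted(profile, peer_ip):
        return "denied: peer IP"
    state = password_state(profile, today)
    if state == "expired":
        return "denied: password expired"
    if level_permits(profile.level, node_write_level):
        access = "write"
    elif level_permits(profile.level, node_read_level):
        access = "read"
    else:
        access = "none"
    return "%s (password %s)" % (access, state)


# Constructed sample administrator used for the examples below.
EXAMPLE_ADMIN = AdminProfile(
    login="jdoe", level=20, peer_networks=["192.0.2.0/24"], password="Old!Secret1",
    password_expires=date(2024, 3, 31), warning_period_days=7, grace_period_days=3,
)

if __name__ == "__main__":
    print(access_decision(EXAMPLE_ADMIN, "192.0.2.15", "2024-03-25", 30, 10))  # read (password warn)
    print(access_decision(EXAMPLE_ADMIN, "203.0.113.5", "2024-03-25", 30, 10))  # denied: peer IP
    print(cluster_admin_permitted("restricted-set", ["alice"], "jdoe"))          # False
```

The order of the checks matters for auditing: the Peer IP Restriction is evaluated before anything else, so a login from an unlisted workstation is refused without revealing whether the credentials were valid, and a password inside the grace period is still accepted but reported as such so that the change request the Warning period triggers is visible in the decision.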
9. CC Statistics

> Virtual Servers > <servername> > Assigned Services > <servicename> (dstatm)).

Read Timeout in seconds for data   This parameter specifies the timeout when polling the boxes for statistical data (default: 60).

Transfer Settings section of each box within the range (see 9.4 Transfer Settings, page 465).

9.2 Data Collection Configuration

On a Barracuda NG Control Center, statistics collection settings may be defined by range and by cluster, in which cluster specific settings override range specific settings. Provided that CC-administered boxes are configured to supply statistics data (see 9.4 Transfer Settings, page 465), statistics files may be collected from multiple systems.
Note:
Cluster and range specific statistics collection configuration is done on the Barracuda NG Control Center. Therefore, when connecting to the CC with the graphical administration tool Barracuda NG Admin, make sure to log on via the CC Address of the Barracuda NG Control Center.

9.2.2 Cluster Specific Settings

To configure cluster specific collection settings, in the box menu click Config, and then double-click Cluster Properties (accessible through Multi-Range > <rangename> > <clustername>).
Fig. 1978 Cluster Configuration dialog
List 1932 Statistics Cook Settings - Statistics Cooking section Cook Settings
Parameter Description

List 1934 Statistics Cook Settings - Statistics Cooking section Type: Top
Note:
Options in this section apply to Top statistics only (for example byte (Top Dst), conn (Top Src), ...).
9.4 Transfer Settings

The Transfer Settings section is only available on CC-administered Barracuda NG Firewalls. Configuration is required in context with collection of statistics files by the CC Statistics Collector service (dstatm) running on the Barracuda NG Control Center.
In the Transfer Settings section, define the statistics files which should be transferred to the Barracuda NG Control Center.
To configure transfer settings for a Barracuda NG Firewall, in the box menu click Config, and then double-click Statistics (accessible through Multi-Range > <rangename> > <clustername> > Boxes > <boxname> > Infrastructure Services).
Fig. 1981 Transfer Settings configuration dialog

List 1935 Statistics Cook Settings - Transfer Settings
Parameter Description
Settings for   In this field, select the software module to whose statistics data the settings below should apply. In the list, all software modules are available that generate statistics data. Optionally, Pattern-Match may be selected to define a file pattern that should apply for cooking of statistics data. Selecting Pattern-Match enables the Directory Pattern field below, which expects insertion of an applicable file pattern.
Directory Pattern   Pattern-Match settings apply to statistics files available in sub-folders of /var/phion/mainstat. Patterns may be specified by either inserting full folder names or by using wildcards (? and *), in which the question mark wildcard (?) stands for a single character and the asterisk wildcard (*) stands for an arbitrary number of characters.
   Attention:
   When using directory patterns, make sure that they do not interfere with the module settings configuration. For a specific data type always use EITHER module OR directory pattern settings. dstats works through the configured instances successively, and will omit directory patterns that apply to directories it has already processed.
   Additionally, for clearly arranged management, place directory patterns at the end of the configuration file.
   Example pattern:
   To include all statistics files starting with "conn" generated by Firewall services running on all servers starting with "S" in ranges 1 and 2, insert the following pattern structure:
   Actual file structure:
   /var/phion/mainstat/1/S1/service/FW/conn<xxx>
   /var/phion/mainstat/1/S2/service/FW/conn<xxx>
   /var/phion/mainstat/2/S3/service/FW/conn<xxx>
   Directory pattern:
   */S?/service/FW/conn*
   Attention:
   Avoid too openly defined patterns spanning multiple folders, such as */service/*/*. If you do use patterns spanning multiple folders, be aware of their implication and always position them at the list bottom.
Data Types for Service   From this list, select the statistics type(s) that should be transferred to the Barracuda NG Control Center. Multiple selections are possible. Add each type by clicking the Insert button.
Included subservice directories   Into this field, insert subservices that should be included in statistics file transfer.
   Note:
   Subservices may only be specified for server modules.
Data Types for Subservice   From this list, select the subservice statistics type(s) that should be transferred to the Barracuda NG Control Center. Multiple selections are possible. Add each type by clicking the Insert button.
Cascading Included (indicated by icon)   When set to yes (default: no), all cascaded sub-folders in an included subservice will be transferred.
Parameter Resolution   When set to High (default: Standard) all sub-folders of an included subservice will be transferred.
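The Directory Pattern rules above (? for one character, * for any number of characters, patterns processed after the module settings and omitted for directories already handled) can be tried out on a small constructed file tree. The following Python block is an added example and not part of the manual or of dstats; the file list under /var/phion/mainstat is made up, and the way the two wildcards are translated (with * allowed to span folder boundaries, as the manual's own example */service/*/* requires) and the model of how module settings and patterns interact are assumptions that follow the wording of List 1935.

```python
import re
from typing import Dict, List, Tuple

MAINSTAT = "/var/phion/mainstat"

# Constructed statistics tree, paths relative to MAINSTAT (range/server/service/module/file).
FILES = [
    "1/S1/service/FW/conn0001",
    "1/S2/service/FW/conn0001",
    "2/S3/service/FW/conn0001",
    "2/S3/service/FW/byte0001",     # another data type of the same module
    "1/T1/service/FW/conn0001",     # server name does not match S?
    "1/S1/service/MAIL/conn0001",   # another module
]


def pattern_to_regex(pattern: str):
    """'?' stands for a single character, '*' for an arbitrary number of
    characters (assumption: '*' may cross '/', as in */service/*/*)."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def match_pattern(pattern: str, files: List[str] = FILES) -> List[str]:
    """Statistics files (relative to MAINSTAT) selected by one Directory Pattern."""
    rx = pattern_to_regex(pattern)
    return [f for f in files if rx.match(f)]


def plan_transfer(module_settings: Dict[str, List[str]], patterns: List[str],
                  files: List[str] = FILES) -> Tuple[List[str], List[str]]:
    """Module settings (Settings for = module, Data Types for Service = file
    prefixes) are applied first; directory patterns follow in order and are
    omitted when every directory they cover was already processed, which is
    the interference the Attention note warns about.
    Returns (files to transfer, omitted patterns)."""
    selected: List[str] = []
    done_dirs = set()
    for module, types in module_settings.items():
        for f in files:
            folder, name = f.rsplit("/", 1)
            if folder.endswith("/" + module) and any(name.startswith(t) for t in types):
                selected.append(f)
                done_dirs.add(folder)
    omitted: List[str] = []
    for p in patterns:
        hits = match_pattern(p, files)
        fresh = [f for f in hits if f.rsplit("/", 1)[0] not in done_dirs]
        if hits and not fresh:
            omitted.append(p)  # dstats skips a pattern for directories it already processed
        selected.extend(f for f in fresh if f not in selected)
        done_dirs.update(f.rsplit("/", 1)[0] for f in fresh)
    return selected, omitted


if __name__ == "__main__":
    print(match_pattern("*/S?/service/FW/conn*"))   # the three conn files of S1, S2, S3
    print(len(match_pattern("*/service/*/*")))      # 6: the "too open" pattern takes everything
    print(plan_transfer({"FW": ["conn"]}, ["*/S?/service/FW/conn*"]))
```

The last call shows why the manual says to use either module settings or a directory pattern for one data type: with the FW module already configured for conn files, the pattern covers only directories dstats has processed and is omitted, so a pattern that was meant to narrow the selection to servers S1 to S3 has no effect at all.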
9.5.1 Get Statistic and Recover

In some cases it can happen that statistic collection needs to be triggered on demand or the statistic collection process has to be re-initiated in case of malfunction.
In the Statistic collection tab of a Barracuda NG Control Center GUI, each box is listed that polls statistics to a Barracuda NG Control Center.
• Right click on a box and open the context menu
• Click Get Statistic to trigger statistic collection
or
• Click Recover to start a recovery process in case of a malfunction of statistic collection.
10. CC Eventing

Event forwarding is based on a two-way communication between the Box event module running on the operative Barracuda NG Firewall (Box) and the CC Event Service module running on a Barracuda NG Control Center (CC).

10.1 Example

The following example illustrates how this communication process works. Every message in it follows the same rule: the sender keeps retransmitting until the receiving side acknowledges (ACK), so neither a lost message nor a lost ACK leaves Box and CC with different views of an event.

Step 2 Event propagation
The event is propagated to the CC and the CC confirms the reception by sending an acknowledgement (ACK) to the emitter of the event.
Note:
The emitter retransmits its event until it receives an ACK from the CC.
Fig. 1985 Box event propagation to CC (the Box sends the Box Event to the CC; the CC answers with an Acknowledgement)

Step 3 Event introduced to CC Event Service module
As soon as the event has been transmitted to the CC, it is introduced into the CC Event Service module and can be viewed and modified within the CC Event Service monitor GUI.
Fig. 1986 CC: Box event occurred

Step 4 Alternative a: CC Event Service status changed
If the status of the event is modified on the CC, the status change is propagated from the CC to the Box, which confirms the changed status by sending an ACK.
Note:
The status change notification is retransmitted until the CC receives an ACK from the Box.
Fig. 1987 CC Event Service status changed

Step 5 Alternative b: Box: Event status changed
If the event status is modified on the Box that generated the event, the status change is likewise propagated to the CC Event Service, which confirms the new status by sending an ACK.
Note:
The status change notification is retransmitted until the Box receives an ACK from the CC.
Fig. 1988 Box: Event status changed (the Box sends Event status changed to the CC; the CC answers with an Acknowledgement)

Fig. 1989 CC: Delete Event (Delete Event message between Box and CC, confirmed by an Acknowledgement)

Step 7 Alternative d: Box: Event deleted
If the event is deleted directly on the Box, the procedure is the same as described above. The difference is that the Box sends the deletion request to the CC and awaits the acknowledgement before the event is finally deleted.

Note:
After having accomplished the required modifications, make sure to click Send Changes and Activate in order to activate the new configuration.
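The exchange described in Steps 2 to 7, as an added example that is not part of the original manual and not Barracuda code: a small Python model in which each side keeps its events by id, a lossy link drops a configurable number of messages, and a sender retransmits until it sees the peer's ACK. The message kinds, event identifiers, retry limit and loss schedule are assumptions made for the illustration; the real wire protocol between the Box event module and the CC Event Service is not shown here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Message:
    kind: str                     # "event", "status", "delete" or "ack" (assumed names)
    event_id: int
    payload: Optional[str] = None


class LossyLink:
    """Transport that loses the first `drop_first` messages, then delivers everything."""

    def __init__(self, drop_first: int = 0):
        self.drop_first = drop_first
        self.sent = 0

    def carry(self, msg: Message) -> Optional[Message]:
        self.sent += 1
        return None if self.sent <= self.drop_first else msg


class Peer:
    """Either side (Box or CC): keeps events by id and answers every message with an ACK."""

    def __init__(self, name: str):
        self.name = name
        self.events: Dict[int, str] = {}

    def receive(self, msg: Message) -> Message:
        if msg.kind == "event":
            self.events[msg.event_id] = msg.payload
        elif msg.kind == "status" and msg.event_id in self.events:
            self.events[msg.event_id] = msg.payload
        elif msg.kind == "delete":
            self.events.pop(msg.event_id, None)
        return Message("ack", msg.event_id)


def send_until_acked(receiver: Peer, link: LossyLink, msg: Message,
                     max_attempts: int = 10) -> Tuple[bool, int]:
    """The rule every step shares: retransmit until the peer's ACK is seen.

    Returns (acknowledged, attempts used). Receiving is idempotent, so a
    retransmission caused by a lost ACK does no harm on the receiver.
    """
    for attempt in range(1, max_attempts + 1):
        delivered = link.carry(msg)
        if delivered is None:
            continue                                  # lost: no ACK will come, retry
        ack = receiver.receive(delivered)
        if ack.kind == "ack" and ack.event_id == msg.event_id:
            return True, attempt
    return False, max_attempts


def propagate_event(box: Peer, cc: Peer, link: LossyLink, event_id: int, text: str):
    """Steps 2 and 3: the Box raises an event and pushes it to the CC."""
    box.events[event_id] = text
    return send_until_acked(cc, link, Message("event", event_id, text))


def change_status(sender: Peer, receiver: Peer, link: LossyLink, event_id: int, status: str):
    """Steps 4 and 5 (alternatives a and b): whichever side changes the status tells the other."""
    sender.events[event_id] = status
    return send_until_acked(receiver, link, Message("status", event_id, status))


def delete_on_box(box: Peer, cc: Peer, link: LossyLink, event_id: int):
    """Step 7 (alternative d): the Box removes its own copy only after the CC's ACK."""
    acked, attempts = send_until_acked(cc, link, Message("delete", event_id))
    if acked:
        box.events.pop(event_id, None)
    return acked, attempts


def run_example() -> dict:
    """Constructed walk-through over links that lose a few messages."""
    box, cc = Peer("Box"), Peer("CC")
    result = {}
    result["propagate"] = propagate_event(box, cc, LossyLink(drop_first=2), 1, "new")
    result["cc_after_propagate"] = dict(cc.events)
    result["status"] = change_status(cc, box, LossyLink(), 1, "confirmed")   # alternative a
    result["box_after_status"] = box.events.get(1)
    result["delete"] = delete_on_box(box, cc, LossyLink(drop_first=1), 1)
    result["box_final"], result["cc_final"] = dict(box.events), dict(cc.events)
    # An unreachable CC: the Box keeps its event instead of deleting it blind.
    box2, cc2 = Peer("Box"), Peer("CC")
    box2.events[5] = cc2.events[5] = "new"
    result["delete_unacked"] = delete_on_box(box2, cc2, LossyLink(drop_first=99), 5)
    result["box2_keeps_event"] = 5 in box2.events
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The last case in run_example is the one worth remembering from Step 7: while the CC cannot be reached, the deletion is never finalised on the Box, so the event stays visible on both sides rather than disappearing on one of them.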
11. CC Syslog

(table fragment) syslog-engine: Service IPs; Yes; UDP/TCP 5144, 5143 (SSL); TCP:127.0.0.1:5143

11.1.3 Log Delivery

11.1.3.1 Log Delivery To Local Disk

Log reception via port 5144:
Since connections to the syslog-engine on this port are unencrypted and unauthenticated, the firewall default settings restrict access to port 5144, for both TCP and UDP, to:

Fig. 1993 Example for message delivery to local disk (log messages are received by the syslog-engine and written to /var/phion/mlogs/ (default))

Log reception via port 5143:
Using port 5143 for log reception enables managed boxes without management tunnels to connect to the CC via an SSL connection. SSL provides both encryption and authentication of the CC box; with client authentication enabled (see 11.3.2 Trusted Data Reception) the sending box is authenticated as well.

11.1.3.2 Log Delivery via Private Uplink (HA Sync)

Fig. 1994 Example for an HA sync via private uplink (using the override IPs is mandatory): log messages are received by the syslog-engine of one CC box and written to /var/phion/mlogs/ (default); the syslog-engine synchronises them over the Override IPs to the HA partner's syslog-engine, which stores them in its own /var/phion/mlogs/ (default)

11.1.3.3 Log Delivery by Relaying

When relaying log messages to an external log host, Barracuda NG Firewall provides three different methods to perform the task (SSL cipher used: AES-128):

- SSL active querying
  This type describes relaying to an external log host that has permanent reading access to the CC-box-internal FIFO module (figure 1995), that is the syslog service is the SSL server.
  Fig. 1995 Example for successful active SSL querying: the external log host opens the SSL connection to the stunnel server on the CC box (Log reception Port 5244; log files created in <server>_<service>_sslsrv) and constantly reads the FIFO that the syslog-engine writes to. Connection establishment flows from the log host to the CC box, log data flows from the CC box to the log host.
  If this reading access is not provided (for example because the log host is down), transferring log messages is not possible. Especially with an HA Barracuda NG Control Center this way of transferring is therefore not recommended.

- SSL passive receiving
  This type describes relaying to an external log host via the loopback interface on the CC box (figure 1996), that is the syslog service is the SSL client.
  Fig. 1996 Example for passive SSL receiving

11.2 Installing

To install the CC Syslog Service simply follow the instructions in Configuration Service 4. Introducing a New Service, page 97, and select CC Syslog Service as Software Module.

11.3 Configuring

Beside the standard Service Properties that each software module provides, configuring takes place in the CC Syslog Service of the CC box. Therefore, enter the Barracuda NG Control Center on box-level and select Box > Virtual Servers > <servername> > Assigned Services > <servicename> (msyslog) > CC Syslog Service.

11.3.1 Basic Setup

List 1936 CC Syslog Server configuration section Operational Setup

Idle Mode
    Syslogging is activated by default (setting no, that means not idle). When active, the service listens for incoming log messages from its managed boxes and processes them as configured through the following parameters. Even when idle (setting yes) it still listens for incoming messages, to avoid ICMP Port Unreachable messages being sent back to the connecting systems; it then simply discards the received messages.
Run as User
    Note: This parameter is only available in Advanced View mode.
    This parameter defines the user name that will be used when synchronising the log with the HA partner system. By default this parameter is set to the system user msyslog. By ticking the checkbox Other (to the right) you may enter any other name.
    Attention: Once set, do not change.

User ID
    Note: This parameter is only available in Advanced View mode.
    Here the ID of the system user (parameter Run as User, see above) is defined (default: 7999).

Service Key
    This parameter is required for authenticating the service against connecting clients using the SSL connections. To create a new 1024-bit SSL private key, simply click the New Key button. On the right of this line the hash of the certificate is displayed.
    By default, creating a new SSL private key results in a freshly generated Service Certificate (see below) that is automatically signed with the new private key.
    Note: By current standards a 1024-bit RSA key is considered weak. Record the displayed hash so that an unexpected key change on the CC is noticed, and regenerate the key as soon as a longer key length is available.

Service Certificate
    This certificate is required for SSL connections, regardless whether they are passive or active ones. Via button Show the certificate is displayed, and via button Edit the certificate may be modified. Again, the hash is displayed to the right.
    Attention: It is mandatory that both SSL Private Key AND SSL Certificate have the same hash.

Support Trusted Data Reception
    If this parameter is set to yes (as it is by default) the service will listen for incoming SSL connections on the configured IPs and the defined SSL Listen Port (port 5143; Trusted Data Reception view).
    Note: This option is not needed when managed boxes deliver log content through a box management tunnel. Boxes without a management tunnel should use the SSL option for delivery. In this case you must not set this option to no, and you must configure the affected boxes to use SSL for log delivery.

Store on Disk
    Setting this parameter to yes (default: no) causes the incoming log messages to be written to the specified logging path (customisable via parameter Local Log Directory, see 11.3.3 Local Storage, page 474). By default the path for logging is /var/phion/mlogs.

Sync to HA Partner
    This parameter enables the real-time transfer of log messages to the HA partner. It is only available if parameter Store on Disk is set to yes. Synchronising takes place via an SSHv2 tunnel between the HA partners. For the configuration of this synchronisation, see 11.3.4 HA Synchronization, page 474.

External Relaying
    This parameter enables the optional transfer of log messages to external log hosts. By default this parameter is set to no. For the configuration of external relaying, see 11.3.5 Relaying Setup, page 475.

List 1937 CC Syslog Server configuration section Plain Data Reception

Note: This parameter set is only available in Advanced View mode.

Supported Protocols
    Via this parameter you define what kind of sockets are available for incoming log messages. Available options are UDP&TCP (opens a UDP and a TCP socket; default), UDP (opens a UDP socket only) and TCP (opens a TCP socket only).

UDP Port
    This parameter is only available as long as parameter Supported Protocols contains a UDP option, and defines the port used for receiving log messages (default: 5144).
    Attention: If you change this port assignment to another port (be sure to use a port higher than 1024) you need to adjust the local firewall rule set on the CC box.

TCP Port
    This parameter is only available as long as parameter Supported Protocols contains a TCP option, and defines the port used for receiving log messages (default: 5144).
    Attention: If you change this port assignment to another port (be sure to use a port higher than 1024) you will have to adjust the local firewall rule set on the CC box.

List 1938 CC Syslog Server configuration section Tuning Parameters

Note: This parameter set is only available in Advanced View mode.

Message Queue Size
    Via this parameter you define the maximum possible size of the out-message queue for messages that are not immediately deliverable (default: 16384). The out-message queue is used when writing to disk, transferring to the HA partner or relaying log messages to external log hosts.

Max TCP Connections
    This parameter is only available as long as parameter Supported Protocols contains a TCP option, and defines the maximum number of concurrent incoming TCP connections (default: 50). The limit bounds the damage a connection-exhaustion (DoS) attempt can do to the service; it does not stop such an attempt, so it should be combined with the local firewall rule set restricting who may reach the port.

GC Idle Threshold
    This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated when idle (that means no messages within 10 ms; default: 200).

GC Busy Threshold
    This parameter defines the threshold (number of objects in memory) after which garbage collection is initiated even when busy (default: 3000). If this limit is exceeded messages will be lost.

11.3.2 Trusted Data Reception

Note: This parameter set is only available with parameter Support Trusted Data Reception (Basic Setup view) set to yes.

List 1939 CC Syslog Server configuration - Trusted Data Reception

SSL Listen Port
    Note: This parameter is only available in Advanced View mode.
    This parameter defines the listening port for SSL connections (default: 5143).

SSL Busy Timeout [s]
    Note: This parameter is only available in Advanced View mode.
    This timeout defines for how long (in seconds) an SSL connection may be in busy condition until it is terminated (default: 300).

SSL Close Timeout [s]
    Note: This parameter is only available in Advanced View mode.
    This timeout defines for how long (in seconds) an SSL connection may be in close condition until it is terminated (default: 60).

SSL Idle Timeout [s]
    Note: This parameter is only available in Advanced View mode.
    This timeout defines for how long (in seconds) an SSL connection may be in idle condition until it is terminated (default: 43200).
List 1940 CC Syslog Server configuration - Trusted Data Reception section SSL Client Authentication

Service Certificate
    Via this menu the service certificate to be used is selected (default: Use_MC_SSL_Cert; that means the SSL certificate of the Barracuda NG Control Center will be used for authentication, see 6.3.4.2 Trust Chain, page 437). When using option Use_MC_SSL_Cert it is highly recommended to use verify_peer_certificate as type of Client Authentication.
    Attention: When updating (not newly installing) the system from any version prior to version 2.4.2 (all versions up to 2.4.1-x) the CC SSL Certificate is not yet present. To create the certificate, open the CC Identity file and make a dummy change followed by activation. Barracuda NG Firewall versions 2.4.2 and higher already contain the certificate, so this step is not necessary.

Client Authentication
    Here you define the way clients authenticate themselves (default: verify_peer_with_locally_installed_certificate). With the default, a client is accepted only if its certificate has been imported under Trusted Clients below; a host that merely reaches port 5143 therefore cannot inject log messages.

Trusted Clients
    This section is used for importing/exporting the client certificates required for authentication when using SSL-based log delivery to the CC.

11.3.3 Local Storage

This tab is used for configuring the local behaviour of the syslog service on the Barracuda NG Control Center box. It is only editable if parameter Store on Disk (see 11.3.1 Basic Setup, page 472) is set to yes.

List 1941 CC Syslog Server configuration - Local Storage Setup section Local Log Directory

Local Log Directory
    Note: This parameter is only available in Advanced View mode.
    This field holds the path where the logs of the syslog service are written to (default: /var/phion/mlogs). This directory belongs to the configured system user (parameter Run as User, see 11.3.1 Basic Setup, page 472).

Use Time Received
    Note: This parameter is only available in Advanced View mode, and only if parameter Store on Disk is set to yes.
    Each log message carries a send-time stamp when it is written to disk (send_stamp log_message):
    yes - send_stamp is rewritten using the local CC receive time
    no (default) - send_stamp is not modified

Prepend Received Time
    Note: This parameter is only available in Advanced View mode, and only if parameter Store on Disk is set to yes.
    Each log message gets its own time stamp(s) when it is written to disk (receive_time_stamp showing the CC receiving time; send_stamp showing the Box sending time):
    yes (default) - receive_time_stamp send_stamp log_message
    no - send_stamp log_message
    Keeping the default preserves both clocks, which is what you want for forensics: a box whose clock was wrong or manipulated still yields lines ordered by the CC's own time.

File Sync Frequency [lines]
    Note: This parameter is only available in Advanced View mode.
    This parameter defines the number of lines after which synchronisation is started. The default value of 0 indicates that no delay is set.

Log Keep Duration
    Via this parameter you define for how long the log files are kept on the local system. The following periods are available:
    day - log file name: <logmessage>.$HOUR.log; after 23 h the log files created by syslog are overwritten.
    week (default) - log file name: <logmessage>.$WEEKDAY.$HOUR.log; after one week the log files (mon, tue, wed, ...) created by syslog are overwritten.
    no-limit - log file name: <logmessage>.log
    Note: This setting is a very specific one and should therefore be used by experts only (contacting Barracuda Networks Support is highly recommended).

11.3.4 HA Synchronization

Via this tab the log-message synchronisation between HA partners is configured.

List 1942 CC Syslog Server configuration - HA Synchronization section HA Synchronization Setup

SSH Authentication Key
    Here the SSH key management is provided. By clicking New Key you may create a new key for the SSH connection. Alternatively, you may import already existing keys (either from clipboard or file) or export the newly generated key (either to clipboard or file, password protected or not, or the public key only). These import/export options are available within the menu Ex/Import. For informational purposes the key's hash is displayed to the right of this line.

SSH Host Key
    Here the SSH host key management is provided. By clicking New Key you may create a new SSH key. Alternatively, you may import already existing keys (either from clipboard or file) or export the newly generated key (either to clipboard or file, password protected or not, or the public key only). These import/export options are available within the Ex/Import menu. For informational purposes the key's hash is displayed to the right of this line.

SSH Listen Port
    Note: This parameter is only available in Advanced View mode.
    This parameter defines the port that will be used for establishing the SSH connection (default: 5145).

Use Compression
    Here you may activate/deactivate data compression (standard gzip quality) for the SSH connection (default: yes).

Override SyncIP-Primary / Override SyncIP-Secondary
    Note: This parameter is only available in Advanced View mode.
    The default HA sync is carried out between the box IPs of the HA partners. These override parameters allow using the IP addresses of the private uplink connection between the HA partners. Simply enter the proper IP addresses and the log-message transfer is done via the private uplink. This may come in handy if the synchronising load is quite high.

TCP Sync Frequency (lines)
    This parameter is only available if parameter Store on Disk (see 11.3.1 Basic Setup, page 472) is set to yes.
    This parameter defines the number of log messages after which synchronisation is started. The default value of 0 means immediate synchronisation as soon as a log message is received.
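To make the Local Storage options concrete, here is an added Python example (not Barracuda code) that applies Use Time Received, Prepend Received Time, Log Keep Duration and the Range/Cluster/Box directory layout (Add Range/Cluster Info on the sending box) to a received message. The time stamp format, the spelling of $HOUR and $WEEKDAY, and the sample messages are assumptions made for the illustration; the option semantics follow List 1941 above.

```python
from datetime import datetime
from pathlib import Path
import tempfile

# Assumed spelling of $WEEKDAY and of the time stamps; the manual does not give them.
WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
SAMPLE_TIME = datetime(2009, 3, 4, 17, 5, 9)      # constructed CC receive time (a Wednesday)


def stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%d %H:%M:%S")


def format_line(send_stamp: str, message: str, received_at: datetime,
                use_time_received: bool = False,
                prepend_received_time: bool = True) -> str:
    """Apply Use Time Received and Prepend Received Time to one message."""
    if use_time_received:                 # send_stamp is rewritten with the CC receive time
        send_stamp = stamp(received_at)
    if prepend_received_time:             # receive_time_stamp send_stamp log_message
        return f"{stamp(received_at)} {send_stamp} {message}"
    return f"{send_stamp} {message}"      # send_stamp log_message


def log_file_name(log_name: str, received_at: datetime, keep_duration: str = "week") -> str:
    """File a message goes to under Log Keep Duration; the same name later means overwrite."""
    hour = f"{received_at.hour:02d}"
    if keep_duration == "day":            # <log>.$HOUR.log, overwritten after 23 h
        return f"{log_name}.{hour}.log"
    if keep_duration == "week":           # <log>.$WEEKDAY.$HOUR.log, overwritten after a week
        return f"{log_name}.{WEEKDAYS[received_at.weekday()]}.{hour}.log"
    if keep_duration == "no-limit":       # <log>.log, never rotated by the service
        return f"{log_name}.log"
    raise ValueError(f"unknown Log Keep Duration {keep_duration!r}")


def target_path(local_log_dir: str, range_name: str, cluster: str, box: str,
                log_name: str, received_at: datetime, keep_duration: str = "week",
                add_range_cluster_info: bool = True) -> Path:
    """Range/Cluster/Box below Local Log Directory when Add Range/Cluster Info is yes, else Box only."""
    sub = Path(range_name, cluster, box) if add_range_cluster_info else Path(box)
    return Path(local_log_dir) / sub / log_file_name(log_name, received_at, keep_duration)


def store(local_log_dir: str, range_name: str, cluster: str, box: str, log_name: str,
          send_stamp: str, message: str, received_at: datetime, **options) -> Path:
    """Append one received message to the file it belongs to."""
    path = target_path(local_log_dir, range_name, cluster, box, log_name, received_at,
                       options.get("keep_duration", "week"),
                       options.get("add_range_cluster_info", True))
    path.parent.mkdir(parents=True, exist_ok=True)
    line = format_line(send_stamp, message, received_at,
                       options.get("use_time_received", False),
                       options.get("prepend_received_time", True))
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return path


def demo() -> dict:
    """Write two constructed firewall messages of box gw1 into a throw-away log directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for sent, text in [("2009-03-04 17:05:01", "rule BLOCKALL dropped 10.1.2.3"),
                           ("2009-03-04 17:05:07", "rule ALLOWDNS passed 10.1.2.4")]:
            path = store(tmp, "range1", "cluster1", "gw1", "box_Firewall",
                         sent, text, SAMPLE_TIME)
        return {"file": path.relative_to(tmp).as_posix(),
                "lines": path.read_text(encoding="utf-8").splitlines()}


if __name__ == "__main__":
    print(demo())
```

The two stamps per line are the point of the default settings: the first is the CC's clock, the second the box's, so a box whose clock drifted (or was reset by an intruder) can still be placed on the CC's timeline while its own claimed time stays available for comparison.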
11.3.5 Relaying Setup

The following parameters are available for configuring relaying to an external host:

List 1943 CC Syslog Server configuration - Relaying Setup section Relaying Setup

TCP Retry Interval [s]
    Here the time interval (in seconds) is defined at which a TCP retry should be carried out if the connection breaks.

List 1944 CC Syslog Server configuration - Relaying Setup section SSL Delivery Setup

SSL Peer Authentication
    This parameter defines whether authentication takes place when establishing the SSL connection. The following options are available:
    no_peer_verification (default)
    verify_peer_with_locally_installed_certificate - selecting this option requires manual import of a valid SSL certificate from the active connecting system to the active destination system.
    With the default, the relayed log stream is encrypted but the CC does not verify whom it is talking to: anyone who can redirect the connection on the path receives the logs. For log hosts outside a trusted network, import the log host's certificate and select verify_peer_with_locally_installed_certificate.

SSL Busy Timeout [s]
    This timeout defines for how long (in seconds) an SSL connection may be in busy condition until it is terminated (default: 300).

SSL Close Timeout [s]
    This timeout defines for how long (in seconds) an SSL connection may be in close condition until it is terminated (default: 60).

SSL Idle Timeout [s]
    This timeout defines for how long (in seconds) an SSL connection may be in idle condition until it is terminated (default: 43200).

11.3.6 Relay Filters

This view offers parameters for configuring profiles which define the log file types that are to be transferred/streamed. This section requires parameter External Relaying (11.3.1 Basic Setup, page 472) to be set to yes in order to become active.

For creating a new relay filter, click Insert and enter a name for the filter.

List 1945 CC Syslog Server configuration - Relay Filters section Data Origin

Filter Box Affiliation
    This parameter specifies whether additional information (for example box, cluster, range) is transmitted with the log entries (default: yes). Setting this parameter to yes activates and requires parameter group Originator Systems (see below).

Originator Systems
    This parameter group is only available if parameter Filter Box Affiliation is set to yes. The configuration dialog for a new and/or existing entry provides the following parameters:
    - Hierarchy Structure
      This parameter defines the structure of the log entry. The following structure levels are available for selection:
      Box-Only - adds only the box name to the log message
      Range-Only - adds only the range name to the log message
      Range-Cluster - adds both range and cluster name to the log message
      Range-Cluster-Box (default) - adds the complete structure to the log message
    - Ranges
      This parameter is only available if Hierarchy Structure is set to a value that contains range structure (that means all except Box-Only) and allows selecting specific ranges.
    - Clusters
      This parameter is only available if Hierarchy Structure is set to a value that contains cluster structure and allows selecting specific clusters.
    - Boxes
      This parameter is only available if Hierarchy Structure is set to a value that contains box structure and allows selecting specific boxes.

List 1946 CC Syslog Server configuration - Relay Filters section Data Selection

Special File Patterns
    Due to the structure of a streamed log message (<range>/<cluster>/<box>/<filename>:<message>), it is possible to restrict log streaming to messages containing a certain pattern in their filenames (for example pattern fw when having a filename like server1_fw) by using this parameter.

Top Level Logdata
    The log files offered for selection here are superordinate log files built up of several instances of box and service levels. The following data can be selected:
    Fatal_log: These are the log contents of the fatal log (log instance name: fatal).
    Firewall_Audit_Log: These are the log contents of the firewall's machine readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the Firewall Parameter Settings on box-level (see SECTION AUDIT INFO GENERATION > Audit-Delivery: Syslog-Proxy). The log instance name corresponding to Syslog-Proxy selected will be trans7.
    Note: When Log-File is selected in the firewall configuration, the data will go into a log file named audit (Box > Firewall > audit; the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent one then would be a selection of category Firewall within the box selection portion of the filter.

Affected Box Logfiles
    This parameter defines what kind of box logs are to be affected by the syslog daemon. The following options are available: All (any kind of box log is affected), None (default; none is affected) and Selection (activates parameter group Box Log Patterns, see below).

Box Log Patterns
    This parameter group is only available if parameter Affected Box Logfiles is set to Selection. The following parameters are available for configuration:
    - Log Groups
      This menu offers every log group for selection that is available on a Barracuda NG Firewall (for example Control, Event, Firewall, ...).
    - Log Message Filter
      This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher. As you can see, the available options are "group selections". If one explicit log type is required, choose Selection and set the wanted type in parameter Selected Message Types, see below.
    - Selected Message Types
      This parameter allows you to set explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

Affected Service Logfiles
    This parameter defines what kind of logs created by services are to be affected by the syslog daemon. The following options are available: All (any kind of service log is affected), None (default; none is affected) and Selection (activates parameter group Service Log Patterns, see below).

Service Log Patterns
    This parameter group is only available if parameter Affected Service Logfiles is set to Selection.
    - Log Server-Services
      Here you define the server and service from which log messages are streamed.
    - Log Message Filter
      This parameter is used for defining the affected log types: Selection (activates parameter Selected Message Types, see below), All (default), All-but-Internal, Notice-and-Higher, Warning-and-Higher, Error-and-Higher.
    - Selected Message Types
      This parameter allows you to set explicit log types to be affected by syslogging. The following types are available: Panic, Security, Fatal, Error, Warning, Notice, Info, Internal.

11.3.7 Relay Destinations

This view offers parameters for configuring profiles which define where logging ought to be transferred/streamed to. This section requires parameter External Relaying (11.3.1 Basic Setup, page 472) to be set to yes in order to become active.

For creating a new relay destination, click Insert and enter a name for the destination.

List 1947 CC Syslog Server configuration - Relay Destinations section Connection Type Setup

The Connection Type selected here (Active SSL connect by destination, Stream SSL to passive destination or Stream plaintext to passive destination) determines which of the parameters in lists 1948 and 1949 are available.

List 1948 CC Syslog Server configuration - Relay Destinations section Connect by Destination SSL Setup

Local SSL Port
    Note: This parameter is only available in Advanced View.
    This menu defines the port that will be used for establishing the SSL connection between CC box and external system. The available standard port range reaches from 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other.
    Attention: Make sure to use a port higher than 1024.

Destination SSL Certificate
    This certificate is used when Active SSL connect by destination is selected as Connection Type. It holds the certificate of the connecting remote SSL client. This line consists of two buttons: the Show button for displaying the current SSL certificate, and the Ex/Import button for certificate transfer purposes.

List 1949 CC Syslog Server configuration - Relay Destinations section Stream to Destination Setup

Destination IP
    This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to enter the explicit IP address of the log host.

Destination Port
    This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It holds the port that will be used on the log host when connecting.

Transmission Mode
    This parameter is only available when Stream plaintext to passive destination is selected as Connection Type. It allows you to choose the transmission protocol (TCP (default) or UDP). When selecting an SSL-capable destination type this parameter is implicitly set to TCP.

Destination SSL Certificate
    This certificate is used when Stream SSL to passive destination is selected as Connection Type. It holds the SSL certificate of the destination server. This line consists of two buttons: the Show button for displaying the current SSL certificate, and the Ex/Import button for certificate transfer purposes.

Destination SSL IP
    This parameter is only available when Stream SSL to passive destination is selected as Connection Type. It is used for entering the IP address of the external system the outgoing SSL tunnel should connect to (figure 1996, page 472).

Destination SSL Port
    This parameter is only available when Stream SSL to passive destination is selected as Connection Type. It is used for entering the port on the external system the outgoing SSL tunnel should connect to (figure 1996, page 472).

Loopback SSL Port
    This parameter is only available when Stream SSL to passive destination is selected as Connection Type and defines the port to be used on the loopback interface (figure 1996, page 472). The available standard port range spans the ports 5244 (default) up to 5253. If required, you may enter a custom port by simply ticking the checkbox Other.
    Attention: Make sure to use a port higher than 1024.

Sender IP
    Note: This parameter is only available in Advanced View.
    Depending on your policy routing you may need an explicit sender IP address for streaming log files. If so, this address ought to be entered here.

A relay stream profile combines the filters and destinations defined above:

Name
    Here the name of the stream is displayed.

Active
    This parameter allows you to activate/deactivate the selected log stream profile. By default, that is when creating a new profile, this parameter is set to yes.

Log Destinations
    Here the available log destinations (defined in 11.3.7 Relay Destinations, page 476) can be selected.

Log Filters
    Here the available log filters (defined in 11.3.6 Relay Filters, page 475) can be selected.
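Added example, not Barracuda code: a Python relay filter applied to lines in the streamed format <range>/<cluster>/<box>/<filename>:<message> given under Special File Patterns (List 1946). It covers the Hierarchy Structure prefixes of List 1945 (including Filter Box Affiliation set to no), the range/cluster/box selection, Special File Patterns, the Log Message Filter groups and Selected Message Types. Two assumptions are mine: that each message begins with its type word (Warning, Notice, ...) and the severity order Panic > Security > Fatal > Error > Warning > Notice > Info > Internal behind the "-and-Higher" groups; the sample lines are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed severity order, most severe first, behind the "-and-Higher" groups.
MESSAGE_TYPES = ["Panic", "Security", "Fatal", "Error", "Warning", "Notice", "Info", "Internal"]


def and_higher(level: str) -> Set[str]:
    return set(MESSAGE_TYPES[:MESSAGE_TYPES.index(level) + 1])


GROUPS = {
    "All": set(MESSAGE_TYPES),
    "All-but-Internal": set(MESSAGE_TYPES) - {"Internal"},
    "Notice-and-Higher": and_higher("Notice"),
    "Warning-and-Higher": and_higher("Warning"),
    "Error-and-Higher": and_higher("Error"),
}


@dataclass
class StreamedLine:
    """One streamed message, <range>/<cluster>/<box>/<filename>:<message>."""
    range_name: str
    cluster: str
    box: str
    filename: str
    message: str

    @classmethod
    def parse(cls, line: str) -> "StreamedLine":
        path, sep, message = line.partition(":")      # the first colon ends the path part
        parts = path.split("/")
        if not sep or len(parts) != 4 or not all(parts):
            raise ValueError(f"not a streamed log line: {line!r}")
        return cls(*parts, message)

    @property
    def msg_type(self) -> str:
        return self.message.split(None, 1)[0].rstrip(":")   # assumed: type word leads the message


@dataclass
class RelayFilter:
    hierarchy: Optional[str] = "Range-Cluster-Box"   # None = Filter Box Affiliation set to no
    ranges: Set[str] = field(default_factory=set)     # empty = no restriction
    clusters: Set[str] = field(default_factory=set)
    boxes: Set[str] = field(default_factory=set)
    file_patterns: List[str] = field(default_factory=list)   # Special File Patterns
    message_filter: str = "All"                       # Log Message Filter
    selected_types: Set[str] = field(default_factory=set)    # for message_filter == "Selection"

    def allowed_types(self) -> Set[str]:
        if self.message_filter == "Selection":
            return self.selected_types
        return GROUPS[self.message_filter]

    def accepts(self, entry: StreamedLine) -> bool:
        if self.ranges and entry.range_name not in self.ranges:
            return False
        if self.clusters and entry.cluster not in self.clusters:
            return False
        if self.boxes and entry.box not in self.boxes:
            return False
        if self.file_patterns and not any(p in entry.filename for p in self.file_patterns):
            return False
        return entry.msg_type in self.allowed_types()

    def render(self, entry: StreamedLine) -> str:
        """Prefix the message with as much of the hierarchy as Hierarchy Structure asks for."""
        prefixes = {
            None: "",
            "Box-Only": entry.box + "/",
            "Range-Only": entry.range_name + "/",
            "Range-Cluster": f"{entry.range_name}/{entry.cluster}/",
            "Range-Cluster-Box": f"{entry.range_name}/{entry.cluster}/{entry.box}/",
        }
        return f"{prefixes[self.hierarchy]}{entry.filename}:{entry.message}"

    def relay(self, lines: List[str]) -> List[str]:
        out = []
        for line in lines:
            entry = StreamedLine.parse(line)
            if self.accepts(entry):
                out.append(self.render(entry))
        return out


# Constructed sample stream; the names, addresses and messages are invented for the illustration.
SAMPLE_LINES = [
    "1/hq/gw1/server1_fw:Warning: rule BLOCKALL dropped 10.1.2.3 -> 192.0.2.9",
    "1/hq/gw1/box_Event:Notice: event 4100 acknowledged",
    "1/hq/gw2/server1_fw:Info: session cache flushed",
    "2/branch/gw7/server1_fw:Error: peer 203.0.113.5 unreachable",
    "2/branch/gw7/box_Control:Internal: housekeeping done",
]


if __name__ == "__main__":
    fw_alerts = RelayFilter(hierarchy="Box-Only", file_patterns=["fw"],
                            message_filter="Warning-and-Higher")
    for line in fw_alerts.relay(SAMPLE_LINES):
        print(line)
```

Note that a filter with Box-Only discards the range and cluster from the relayed line; if two boxes in different clusters share a name, the external log host can no longer tell them apart, which is why Range-Cluster-Box is the default.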
Yet it may sometimes be desirable to bundle together z Basic Setup view (with active Advanced View)
certain log contents, that are located in different files on
the box, either for central storage or relaying purposes. Fig. 1998 Example 1: Syslog Proxy - Basic Setup
A good example for this is the firewall log. From the box's
point of view firewall related log content goes into several
files. On one hand there is the log output generated by the
local firewall and on the other hand there is the log output
generated by the forwarding firewall service. In order to
collect both outputs into a single file on the CC you would
define a filter on the streaming box comprising the
aforementioned two logging components and a destination
corresponding to the CC where you now make use of the
override node name option. Choosing for example
"allfirewall" as an explicit node name you have ascertained
that a single file instance will be used on the CC. Depending
on your exact intentions you may now adjust the explicit
hierarchy information, that is the path information that is Set parameter Idle Mode to no.
prepended to "allfirewall". Though not using an SSL certificate, leave parameter
Use Box Certificate/Key set to yes. If setting is
changed to no, the parameters SSL Private Key and
SSL Certificate become mandatory, as it is assumed
11.7 Example Configurations for that another certificate than the box certificate will be
Syslog Proxy and CC Syslog used. With all other parameters set properly, availability
of a certificate will be ignored.
Server z Logdata Filters view
Define Infrastructure Services - Syslog Streaming -
In the following configuration examples, the essential Logdata Filters section Affected Box Logdata and
settings required to be configured in the Syslog Proxy Infrastructure Services - Syslog Streaming -
service (on the box) and on the CC Syslog Server (on box Logdata Filters section Affected Service Logdata in
level of the CC) are described. For a detailed parameter this section, specify the log file types to be sent to the
description, please refer to 5.2.3 Syslog Streaming, CC Syslog Server.
page 116 and 11.3 Configuring, page 472 in this chapter.
z Logstream Destinations view
The examples given consider the following scenarios: Set parameter Remote Loghost to explicit-IP. This
z Log message streaming using TCP&UDP (non SSL) setting causes the log files to be streamed to the
CC-Server IP.
z Log message streaming using SSL
Leave parameter Loghost Port at the default setting
z Relaying of log messages using SSL 5144.
Set parameter Use SSL Encapsulation to no.
Set parameter Add Range/Cluster Info to yes to
11.7.1 Log Message Streaming using TCP&UDP (non SSL)

To configure log message streaming using TCP&UDP proceed as follows:

11.7.1.1 Configuration of Syslog Streaming

Enter Box > Infrastructure Services > Syslog Streaming on MCs box-level.

Note:
Through setting parameter Active to no, streaming can be interrupted at all times.

Create Service Key and Service Certificate. Creation is mandatory, though key and certificate are not used without SSL Encapsulation.

Set parameter Support Trusted Data Reception to no. Set parameter Store on Disk to yes to enable saving of received log messages to hard disk.

- Local Storage view (with active Advanced View)
Specify the Local Log Directory as saving location for received log messages. The default path is /var/phion/mlogs. You may leave the default settings.

Set parameter Add Range/Cluster Info to yes to maintain the log files structure Range/Cluster/Box. If set to no, the log files are saved in a directory labelled with the box's name below the Local Log Directory defined on the CC Syslog server (see below).

- Logdata Streams view
Define combinations of Logdata Filters and Logstream Destinations in this section. Generally, this feature is useful when log files are streamed to multiple destinations, or when streaming is not required continuously for all log file types.

11.7.2 Log Message Streaming using SSL

To configure log message streaming using SSL proceed as follows:

11.7.2.1 Configuration of Syslog Streaming

Enter Box > Infrastructure Services > Syslog Streaming on MCs box-level.

Note:
With Remote Loghost set to Barracuda CC Control, the Master Certificate of the CC is automatically used as Remote Certificate, that is Peer SSL Certificate. Importing the Master Certificate into the Peer SSL Certificate field is thus not necessary.

Configure the parameter Loghost Port to match the value in parameter SSL Listen Port (Trusted Data Reception view) on the CC Syslog Server. By default, port 5143 is used for SSL connections.

Attention:
Do not use port 5144, as this setting only works when log messages are streamed without SSL Encapsulation. The log file data will arrive corrupt on the CC Syslog Server if port 5144 is used.

Note:
If you change the port assignment to another port than the default 5143, adjusting the local firewall rule set might become necessary.

Set parameter Transmission Mode to TCP.

Set parameter Add Range/Cluster Info to yes to maintain the log files structure Range/Cluster/Box. If set to no, the log files are saved in a directory labelled with the box's name below the Local Log Directory defined on the CC Syslog server.
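As an added example (not from the Barracuda guide) tied to the port caveat above: a plaintext receiver that is fed an SSL-encapsulated stream stores TLS handshake bytes instead of log lines. The function below inspects the first bytes a listener receives and tells a TLS ClientHello apart from a BSD syslog line; the sample payloads are constructed, and the only port numbers used are the 5143/5144 defaults named in the guide.

```python
import struct

# Constructed sample payloads (not captured from a Barracuda device).
# A plaintext syslog line, as expected on the non-SSL port (5144 in the guide),
# and the first bytes of a TLS ClientHello, as they arrive when a box streams
# with SSL Encapsulation to a listener that expects plaintext.
SAMPLE_PLAINTEXT = b"<134>Mar 10 12:00:01 box01 box_Event: service started\n"
SAMPLE_TLS_HELLO = bytes.fromhex(
    "16 03 01 00 2a"   # TLS record: content type 22 (handshake), version 3.1, length 42
    "01 00 00 26"      # handshake type 1 (ClientHello), length 38
    "03 03 00 00"      # client_version and start of random (rest omitted)
)

SSL_PORT, PLAIN_PORT = 5143, 5144   # defaults named in the guide


def classify_stream_start(first_bytes: bytes) -> str:
    """Classify what a peer speaks from the first bytes of a TCP stream.

    "tls"     - TLS record header (type 0x16, version 3.x) carrying a ClientHello
    "syslog"  - BSD syslog line starting with a <PRI> field (0..191)
    "unknown" - neither; inspect manually
    """
    if len(first_bytes) >= 6:
        content_type, major, minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
        if (content_type == 0x16 and major == 3 and minor <= 3
                and rec_len >= 4 and first_bytes[5] == 0x01):
            return "tls"
    if first_bytes.startswith(b"<"):
        end = first_bytes.find(b">", 1, 5)
        if end > 1:
            pri = first_bytes[1:end]
            if pri.isdigit() and int(pri) <= 191:
                return "syslog"
    return "unknown"


def diagnose(port: int, first_bytes: bytes) -> str:
    """Relate what arrived on a listener port to the guide's port assignment."""
    kind = classify_stream_start(first_bytes)
    if port == PLAIN_PORT and kind == "tls":
        return "SSL-encapsulated stream on the non-SSL port: data will be stored corrupt"
    if port == SSL_PORT and kind == "syslog":
        return "plaintext stream on the SSL port: sender has SSL Encapsulation disabled"
    if kind == "unknown":
        return "unrecognised stream start"
    return "ok"
```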
Relaying follows the streaming of log messages. Relaying can be configured with or without SSL encapsulation, regardless of encryption settings defined for streaming. Log messages can be relayed to an external host after they have been written to disk on the CC Syslog Server, or they can immediately be passed to the external host without this intermediate step. The following example settings can succeed both of the configurations described above.

Affected Box Logfiles / Affected Service Logfiles
The all-embracing method, easiest to configure, is to relay Affected Box Logfiles and Affected Service Logfiles. If unfiltered relaying is not desired, choose Selection in the Affected Box/Service Logfiles parameters and select the log file types to be relayed. The parameter Special File Patterns allows setting relay filters in terms of filtering for character strings (for example box_Event).
12.1 General

Fig. 1999 CC FWAudit Viewer

This service allows debugging and traffic information viewing for multiple gateways in one central location, thus allowing to diagnose connection problems within complex network environments, usually in a fraction of the time that would be required for diagnosing the problems from the logs or the access cache on every single gateway.

The collection and processing of audit log information is realized by a service on the Barracuda NG Control Center, the CC Audit Info Service.

For large environments or high performance environments, dedicated Barracuda NG Firewall boxes can be used to collect and retrieve Firewall Audit info, the so-called FW Audit Collector.

The CC Audit service receives structured firewall data from multiple Barracuda NG Firewall boxes and stores the firewall audit information in a relational database installed on the CC.

The firewall audit information provides all information related to a firewall session in a machine-readable format. The information is similar to the already available Firewall Audit log, but additionally the relational database allows complex queries. In contrast to the Firewall Access Cache, the CC Audit Viewer does not automatically aggregate data but includes date and time just like all session-related information and allows filtering on these.

Filtering of FW Audit data supports the following criteria:
- Rule name
- Protocol
- Source IP Address (netmasks may be used)
- Destination IP Address (netmasks may be used)
- Interface name (either Source or Destination)
- Address, i.e. either Source or Destination IP matches (netmasks may be used)
- Port number and service name
- Source Interface name
- Destination Interface name

Additionally, the so-called Type Selection supports restriction based on the following criteria:
- Traffic Selection: Forwarding traffic, Local In traffic, Local Out traffic, Loopback traffic
- Event Selection: Allowed, Blocked, Dropped, Fail, ARP, IPS Hit, Removed

Similar to the Barracuda NG Admin Log Viewer, the Firewall Audit Info Viewer supports navigating to a dedicated date/time just like browsing backward and forward. After a session has been removed, the FW Audit also contains the number of transferred bytes for this session. Through optional accumulation of FW Audit data a consolidated view similar to the access cache can be achieved. Additionally the centralized FW Audit Viewer supports FW Audit queries across multiple boxes.

The service uses TCP port 680 to receive FW Audit data. The host firewall ruleset of an updated CC box thus needs to be extended to allow access to port 680 on the management IPs and server IPs. If you have not modified the host firewall ruleset manually you could simply select "Copy from default" in the context menu.

Generation and forwarding of FW Audit data still needs to be enabled for the Barracuda NG Firewall boxes (see below).

Transport of FW Audit data is encrypted by using the CC and box RSA keys.

If an unmanaged Barracuda NG Firewall system should send Audit Info data to the introduced CC Audit Info service, the CC Audit Info service provides a configuration to manually import box keys.

To enable generation and forwarding of FW Audit data, connect to the CC configuration tree and open the configuration node Box > Infrastructure Services > General Firewall Configuration. Open the Settings dialog for Audit and Reporting > Audit Info Generation and change the Audit Delivery parameter to Forward-only or Local-File-and-Forward. The destination IP address and port can be left empty; in that case the FW Audit data is automatically forwarded to the CC IP address.

Fig. 20 Audit Info Viewer
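The filter criteria and Type Selection listed above, worked through as an added example (not Barracuda code, and not the viewer's query language): a filter object with one field per criterion, netmask-aware address matching, and the optional accumulation into a consolidated per-key view. The audit records are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample FW Audit records (not exported from a real CC database); the
# fields follow the filter criteria and Type Selection values listed in the guide.
SAMPLE_RECORDS: List[dict] = [
    dict(ts="2010-03-10 12:00:01", box="fw01", rule="LAN-2-INTERNET", proto="TCP",
         src="10.0.1.25", dst="203.0.113.10", sport=51234, dport=443, service="https",
         src_if="eth0", dst_if="eth1", traffic="Forwarding", event="Allowed", bytes=18321),
    dict(ts="2010-03-10 12:00:02", box="fw01", rule="BLOCKALL", proto="TCP",
         src="198.51.100.7", dst="10.0.1.5", sport=40001, dport=22, service="ssh",
         src_if="eth1", dst_if="eth0", traffic="Forwarding", event="Blocked", bytes=0),
    dict(ts="2010-03-10 12:00:03", box="fw02", rule="MGMT-ACCESS", proto="TCP",
         src="10.0.1.25", dst="10.0.0.1", sport=51240, dport=807, service="ngadmin",
         src_if="eth0", dst_if="lo", traffic="Local In", event="Allowed", bytes=4096),
    dict(ts="2010-03-10 12:00:04", box="fw02", rule="BLOCKALL", proto="UDP",
         src="10.0.3.9", dst="10.0.1.5", sport=5353, dport=53, service="dns",
         src_if="eth2", dst_if="eth0", traffic="Forwarding", event="Dropped", bytes=0),
]


def _in_net(ip: str, spec: str) -> bool:
    """True if ip lies in spec, where spec is a host address or a network with netmask."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class AuditFilter:
    """One query, mirroring the filter criteria and Type Selection of the viewer.

    Every field left at None/empty is unrestricted; the set fields are ANDed.
    """
    rule: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None          # Source IP Address (netmask allowed)
    dst: Optional[str] = None          # Destination IP Address (netmask allowed)
    address: Optional[str] = None      # either Source or Destination IP matches
    interface: Optional[str] = None    # Interface name (either Source or Destination)
    src_if: Optional[str] = None
    dst_if: Optional[str] = None
    port: Optional[int] = None         # matches source or destination port
    service: Optional[str] = None
    traffic: Set[str] = field(default_factory=set)  # Traffic Selection
    events: Set[str] = field(default_factory=set)   # Event Selection

    def matches(self, rec: dict) -> bool:
        checks = [
            self.rule is None or rec["rule"] == self.rule,
            self.proto is None or rec["proto"] == self.proto,
            self.src is None or _in_net(rec["src"], self.src),
            self.dst is None or _in_net(rec["dst"], self.dst),
            self.address is None or _in_net(rec["src"], self.address)
                                 or _in_net(rec["dst"], self.address),
            self.interface is None or self.interface in (rec["src_if"], rec["dst_if"]),
            self.src_if is None or rec["src_if"] == self.src_if,
            self.dst_if is None or rec["dst_if"] == self.dst_if,
            self.port is None or self.port in (rec["sport"], rec["dport"]),
            self.service is None or rec["service"] == self.service,
            not self.traffic or rec["traffic"] in self.traffic,
            not self.events or rec["event"] in self.events,
        ]
        return all(checks)


def query(records: Iterable[dict], flt: AuditFilter) -> List[dict]:
    """Return the records that satisfy the filter, in stored order."""
    return [r for r in records if flt.matches(r)]


def accumulate(records: Iterable[dict], keys: Tuple[str, ...] = ("rule", "event")
               ) -> Dict[Tuple[str, ...], Tuple[int, int]]:
    """Optional accumulation: (session count, transferred bytes) per key tuple,
    giving the consolidated, access-cache-like view the guide mentions."""
    totals: Dict[Tuple[str, ...], List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        k = tuple(r[f] for f in keys)
        totals[k][0] += 1
        totals[k][1] += r["bytes"]
    return {k: (v[0], v[1])  for k, v in totals.items()}
```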
Querying is possible by using the Barracuda NG Admin user interface connecting either to the CC management IP (box) or to the CC server IP (CC).

Note:
Which data will be collected depends on box settings in Config > Box > Infrastructure Services > General Firewall Configuration > Audit and Reporting > Audit Information Generation (see Firewall 2.1.1.5 Audit and Reporting, page 137, section Recorded Conditions list 413, page 138).

12.2 Activation

The Audit Info service is available for three different scenarios:

- local FW Audit Info viewer
Writing FW audit data locally on the Barracuda NG Firewall can be enabled within the configuration dialog Box > Infrastructure Services > General Firewall Configuration > Audit and Reporting > Audit Info Generation. In the Settings dialog select Local-File for Audit Delivery settings. The firewall now generates appropriate entries for both local and forwarding traffic.
The FW Audit Info viewer is available by using Barracuda NG Admin to connect to the Firewall module and selecting the Audit tab.
Licensing
The local Audit Info viewer is available on every Barracuda NG Firewall where an FW audit logfile is generated, without the need for an additional license.

- CC Audit Info viewer
To enable the CC Audit Info Viewer you need to introduce the novel service CC Audit Info Viewer on the CC box. The CC Audit Info viewer is now ready to retrieve audit information from boxes managed by this Barracuda NG Control Center.
Licensing
The CC Audit Info viewer is available with Barracuda NG Control Center Global Edition or with Barracuda NG Control Center option pack 2.

- Audit Info collector (separate box)
Collecting FW Audit data on a separate Barracuda NG Firewall box is realized by the new service "Audit Info collector". You need to introduce the new service. For configuration see CC Audit Info viewer. Due to performance issues the service should be run on a dedicated system. Queries are done by first connecting to the box management IP.
Licensing
The Audit Info collector requires an extra license and is only available in conjunction with a Barracuda NG Control Center Global Edition or with a Barracuda NG Control Center option pack 2.

12.3 Limitations

Please note that writing or querying FW Audit data within the relational database is quite CPU and IO consuming. It is thus strongly recommended to enable transport of FW Audit data with care.

A Barracuda NG Firewall can handle several thousand session requests per second, which is already a limit for relational databases (transactions per second). The centralized FW Audit Log Service may get data from dozens of Barracuda NG Firewalls, thus overloading the relational database.

Barracuda Networks recommends making use of the granular configuration options, which allow reducing traffic by explicitly specifying which data should be forwarded to the FW Audit host.

The FW Audit Log Service does not synchronize audit data within a HA cluster, neither when running as server service (Audit collector) nor when running as local FW Audit Info viewer. For the CC Audit Info viewer and for the FW Audit Info collector, the service may run on the backup box to collect new data. In case of a failover to the backup box, new Audit data is stored on the backup box and querying of this data needs to be performed on the backup box.
Note:
For theory about certificates have a look at "Kryptografie und Public-Key-Infrastrukturen im Internet" by Klaus Schmeh (ISBN 3-932588-90-8).

Usage of Certificates
- SSL/TLS encryption and authentication of TCP-based protocols like HTTP, SMTP, POP, IMAP, LDAP
- S/MIME: Encryption and signature of e-mails
- IPSec, L2TP
- VPN connections

PKI has to be licensed separately.

Log on to the Barracuda NG Control Center on box level and create a new service using the software module CC PKI Service.

Fig. 193 Configuration dialog - General Settings tab

List 1952 Public Key Infrastructure (PKI) Configuration Settings section General Settings
Parameter: Description
HA Sync Mode: This parameter enables/disables synchronisation with an optional HA partner.
Log Level: Here you specify the amount of logging. The following options are available:
  Silent - No logging except for fatal logs
  Normal - Regular logging
  Verbose - Regular logging including additional logs (for example for troubleshooting)

List 1953 Public Key Infrastructure (PKI) Configuration Settings section LDAP Server
Parameter: Description
Log Connections: Ticking this checkbox enables connection logging on the internal LDAP server.
External LDAP Server: If an external LDAP server ought to be used instead of the internal one, the server IP address or DNS-resolvable name needs to be entered here.
Base DN: This parameter specifies the Base Distinguished Name for inserting and searching CRLs on the LDAP server (for example dc=barracuda,dc=com).
Root DN: Here the distinguished name of the LDAP user for importing CRLs on the LDAP server is defined.
Root Password: This parameter holds the password for writing on the LDAP server.

Now the PKI is ready for creating a new certificate (via button Create Certificate).

13.2 User Interface

The PKI shows the certificates in a hierarchical tree view (accessible via box menu entry PKI, see figure 192). The top level shows all root certificates, which need to be certificate authorities. Additionally, there are the box certificates to get the information of all installed boxes managed by the CC. This information is generated automatically on the first start of the PKI. If changes apply to installed boxes, right-click Box Certificates and then select Update Box Certificates from the context menu.

Each CA node contains four subdirectories:
- Valid contains all valid and not expired certificates.
- Pending contains all unsigned certificate requests.
- Expired contains all certificates with exceeded finish dates.
- Revoked contains all certificates revoked by the administrator (for example an end-user has lost his/her USB stick holding the VPN certificate).

For viewing the details of a certificate, right-click on the certificate of interest and select View Certificate.

Instead of the common name, which is used by default, the certificates can be displayed with their full subject in the user interface's view. To change the view setting, select Show Full Subject in the context menu available by right-click on either top level of Root or Box Certificates.

13.3 Working with PKI

13.3.1 Creating a Certificate

Parameter: Description
Signing CA: Via this parameter you specify the certificate authority which ought to sign the new certificate.
CA Sign Password: This field allows entering the password required for signature by the CA. If no password is entered only a certificate request will be created.
Template: Here you may select a pre-defined template (see 13.3.3 Editing Templates, page 487) in order to fill the parameters of this dialog with "default" values.

13.3.1.1 General Settings Tab

List 1955 Public Key Infrastructure (PKI) - Certificate Creation - General Settings tab
Parameter: Description
Keysize in Bits: Via this parameter the key size is defined. Normally the value ranges from 512 up to 4096 bits (default: 1024 bits). Due to modern CPU power, the size should be at least 1024 bits for end-user certificates. When the CA's lifetime is 10 years or longer, the key size should be at least 2048 bits (4096 bits recommended).
Duration of Validity: Defines the validity period of the certificate (in days; default 5000 days). For example this leads to 5475 days for a root certificate with 15-years validity (365 * 15).
Key Algorithm: Specifies the algorithm used for key creation (rsa - default; dsa).
Key Encryption: Specifies the algorithm used for key encryption (TripleDES - default; IDEA; DES).
13.3.1.2 Subject Tab

List 1956 Public Key Infrastructure (PKI) - Certificate Creation - Subject tab
Parameter: Description
Common Name: Name of the certificate.
  Note: Do not use special characters and underscores in the common name.
Email Address: E-mail address of the certificate owner.
Country, State or Province, Locality, Organisation, Organisation Unit: Address and organisational information (for example name of the organisation, unit name).

13.3.1.3 V3 Extensions

Note:
Several parameters in this tab are, in addition to the regular active/inactive, equipped with a Critical checkbox. Ticking this checkbox enforces the application to use V3 Extensions. Additionally, this causes that the certificate may not be used for any other purposes than the ones defined through the parameters keyUsage and extendedKeyUsage.

Note:
For additional information concerning V3 extensions, please have a look at 13.3.13 V3 Extensions (look at RFC 3280), page 489.

List 1957 Public Key Infrastructure (PKI) - Certificate Creation - V3 Extensions tab
Parameter: Description
basicConstraints: Defines whether the certificate is a CA (CA:true) or not (CA:false - default).
keyUsage: Defines the intended use for the certificate. The following types of usage are available: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly.
extendedKeyUsage: Extension to the intended use for the certificate. The following types of extended usage are available: serverAuth, clientAuth, emailProtection, codeSigning, timeStamping, OCSPSigning, smarCardLogon, secureMail, msCodInd (MS Individual Code Signing), msCodeCom (MS Commercial Code Signing), msCTLSign (MS Trust List Signing), msSGC (MS Server Gated Cryptography), msEFS (MS Encrypted File System).
subjectKeyIdentifier: Hash of the subject.
authorityKeyIdentifier: The subject key identifier extension provides a means of identifying certificates that contain a particular public key. The following types of identifiers are available: keyid:always, keyid:copy, issuer:always, issuer:copy
authorityInfoAccess: The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include online validation services and CA policy data.
subjectAltName: The subject alternative names extension allows additional identities to be bound to the subject of the certificate. The following types are available: Email, DNS, URI, IP, MS Domain GUID, MS Domain User.
issuerAltName: This extension is used to associate Internet style identities with the certificate issuer.
crlDistributionPoints: Here the distribution points for the Certificate Revocation List (CRL) are defined.
DomainController: Microsoft-specific extension for entering DomainControllers.
nsComment: Allows entering a commentary.

13.3.2 Viewing Certificates

For viewing a certificate, select the wanted one, open the context menu and select View Certificate. This opens the View Certificate dialog with 3 tabs providing the complete information.

13.3.3 Editing Templates

Clicking Edit Templates opens the dialog for editing existing templates. It has almost the same functionality as the Create Certificate dialog (see 13.3.1 Creating a Certificate, page 486) except that there is neither a password field nor, of course, a CA selection option.

To edit a template, select it from the Select Template pull-down menu, make your changes, and save it by clicking Save Template.

To create a new template, select any existing template from the pull-down menu, make your changes, enter a new name in the Select Template field, and save it by clicking Save Template. The new template will promptly be available in the Template list of the Create Certificate dialog.

Attention:
Deleted predefined templates can only be restored if the PKI is deleted and newly established. Deletion of the PKI will cause deletion of all available certificates as well. Be careful not to delete predefined templates.

13.3.4 Create Request

If the password for the signing CA is omitted in the Create Certificate dialog, a certificate request is created instead of a certificate.

13.3.5 Revoke a Certificate

To revoke a yet valid certificate, select it in the Valid folder, right-click on it and select Revoke Certificate from the context menu. You will be prompted to enter the parent CA's Sign Password. After doing so, the revoked certificate is moved to the Revoked folder.

13.3.6 Delete a Request

Go to a certificate request in the Pending directory and right-click on it. Select Delete Request and click the Yes button.
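The basicConstraints and keyUsage rows of List 1957, and the Critical checkbox described under 13.3.1.3, correspond to a few bytes of DER in the issued certificate. The following is an added example (not Barracuda code) that encodes and decodes exactly those two extensions with the usage names from the table, so the output of the PKI can be compared against the expected bytes; the OIDs and bit positions are those of RFC 3280.

```python
# Added example (not Barracuda code): DER encoding of the two V3 extensions the
# Critical checkbox most commonly applies to, using the keyUsage names of List 1957.

KEY_USAGE_BITS = {   # bit positions of the KeyUsage BIT STRING (RFC 3280, 4.2.1.3)
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
OID_KEY_USAGE = bytes.fromhex("551d0f")          # id-ce-keyUsage 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints 2.5.29.19


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + body


def encode_key_usage(usages) -> bytes:
    """keyUsage value: a named BIT STRING, trailing zero bits removed as DER requires."""
    bits = sorted(KEY_USAGE_BITS[u] for u in usages)
    if not bits:
        raise ValueError("keyUsage needs at least one usage")
    highest = bits[-1]
    nbytes = highest // 8 + 1
    unused = nbytes * 8 - (highest + 1)
    value = 0
    for b in bits:                       # bit 0 is the most significant bit of byte 0
        value |= 1 << (nbytes * 8 - 1 - b)
    return _tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def decode_key_usage(der: bytes):
    """Inverse of encode_key_usage for the short-length form produced above."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form BIT STRING")
    unused, payload = der[2], der[3:]
    total_bits = len(payload) * 8 - unused
    return {name for name, b in KEY_USAGE_BITS.items()
            if b < total_bits and payload[b // 8] >> (7 - b % 8) & 1}


def encode_basic_constraints(ca: bool) -> bytes:
    """basicConstraints value: SEQUENCE { cA BOOLEAN DEFAULT FALSE }; CA:false is empty."""
    return _tlv(0x30, _tlv(0x01, b"\xff") if ca else b"")


def encode_extension(oid: bytes, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.

    Ticking the Critical checkbox corresponds to emitting the BOOLEAN TRUE.
    """
    body = _tlv(0x06, oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


def ca_extensions(critical: bool = True) -> bytes:
    """The two extensions a CA certificate carries: CA:true and keyCertSign + cRLSign."""
    return (encode_extension(OID_BASIC_CONSTRAINTS, critical, encode_basic_constraints(True))
            + encode_extension(OID_KEY_USAGE, critical,
                               encode_key_usage({"keyCertSign", "cRLSign"})))
```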
Fig. 195 Export Certificate dialog

The CRL can either be exported as file, to clipboard or to distribution points. The distribution points are on the LDAP server as configured in the PKI service configuration and the local HTTP server of the CC box.

The CRL is accessible at
- ldap://mcip/cn=CommonName,dc=AsInConfig
- ldaps://mcip/cn=CommonName,dc=AsInConfig
- mcip/pki/CommonName.crl

Example:
192.168.10.10/pki/VPN-Root.crl
ldaps://192.168.10.10/cn=VPN-Root,dc=barracuda,dc=com

Note:
For accessing the local HTTP server a local redirect rule has to be added in the CC Firewall.

13.3.10 Export Private Key

Select the required format and export the key to a file or to the clipboard.

Note:
For exporting to clipboard only PEM format is allowed, since DER is a binary format.
14. CC Firewall

For remote managed Barracuda NG Firewalls a so-called box tunnel between CC and boxes can be used. These box tunnels are handled by the CC service CC VPN Service and require the configuration of Virtual Box IPs.

14.1 General

When using virtual management Box IPs (Box Management Tunnels) it is possible either to use the CC as a generic forwarder or to add additional protection using the CC Firewall.

Fig. 198 User Interface of a generic forwarder

A generic forwarder acts like a router and simply forwards traffic to the destination. Since each Barracuda NG Firewall applies access restrictions by using the configured box ACL, a basic security level is guaranteed. However, if a higher security level is required the Barracuda NG Control Center can be equipped with a forwarding firewall (CC Firewall).

The CC Firewall contains the same features as described in Firewall, page 131.

For introducing a CC Firewall it is necessary to have a valid firewall license for the Barracuda NG Control Center. The CC Firewall service is created on box level of the CC as described in Configuration Service 4. Introducing a New Service, page 97, and selecting firewall as service module. The configuration of the CC Firewall is analogous to the forwarding firewall of a Barracuda NG Firewall.
15.1.2 User Interface - Canvas Section

Fig. 1910 Example VPN group

- Canvas - here tunnels are created and VPN services are added; that means here your VPN compound is created. For creating a tunnel, simply left-click on the tunnel's designated start VPN service and move the cursor (keeping left-clicked) to the designated end VPN service.

Note:
By default, tunnels created in VPN GTI are active-passive ones. In order to create active-active tunnels, simply overrule the parameter Direction (see 15.2.2.4 Defining Tunnel Properties, page 495) by setting it to active.

Note:
Creating tunnels between external VPN services is NOT possible.

In addition to the drag&drop functionality, the canvas section offers a context menu providing the following entries:
- <VPN service name> - opens a dialog window displaying the properties of the selected VPN service (see 15.2.2.3 Defining VPN Service Properties, page 494).
- Set Filter to <VPN service name> - hides every VPN service that is not endpoint of a tunnel initiated by the selected VPN service.
- View as list - displays the VPN group structure in table format; since this view is read-only you'll need to change back to graphical display in order to make changes. This is done by using this entry again.

Fig. 1913 Example VPN group displayed as table

Note:
For every tunnel endpoint introduced through the VPN GTI Editor (Global), dynamical Global GTI Objects are created. These network objects can be utilized when creating firewall rules (see Barracuda NG Control Center 6.3.2.2 Global GTI Objects, page 435 and Firewall 2.2.3 Rules Configuration, page 143, parameter Reload GTI Objects).

15.2 Configuration
15.2.2.1 TINA Tab

List 1958 VPN GTI Editor - Group Edit - TINA tab section General Settings
Parameter: Description
Name: This is a read-only field, displaying the group name as defined when creating the VPN group.
Transport: This setting defines the to-be-used transport protocol and offers the following options:
  UDP - Tunnel uses UDP port 691 to communicate. This connection type is best suited for response optimized tunnels.
  TCP - Tunnel uses TCP connection on port 691 or 443 (for HTTP proxies). This mode is required for connection over SOCKS4 or HTTP proxies.
  UDP&TCP - Tunnel uses TCP AND UDP connections. The tunnel engine uses the TCP connection for UDP requests and the UDP connection for TCP requests and ICMP-based applications.
  ESP - Tunnel uses ESP (IP protocol 50) to communicate. This connection type is best suited for performance optimized tunnels.
  Note: Do NOT use ESP if there are filtering or NAT interfaces in between.
  Routing - This transport type is only of interest in combination with Traffic Intelligence configuration (see 2.7.1.2 Traffic Intelligence (TI), page 235). Specifying routing as transport disables data payload encryption within the tunnel. This transport should only be used for uncritical bulk traffic. Transport type Routing activates parameter Routing Next-Hop in the tunnel configuration dialog, where the next-hop address for routed data packets has to be specified.
  Note: To enter a Routing Next-Hop address when the Direction is Passive follow these steps: Select Direction: Active; Select Transport: Routing; Enter the Routing Next-Hop address; Select Direction: Passive.
Encryption: Encryption mode the tunnel wants to establish as the active part. These tunnels work with various encryption algorithms. The initialising partner tries to establish the encrypted connection by offering ONE of the following methods.
  AES - Advanced Encryption Standard; default; capable of 128 / 256 bit key length
  3DES - Further developed DES encryption; three keys with each 56 bit length are used one after the other, resulting in a key length of 168 bit.
  CAST - by Carlisle Adams and Stafford Tavares; algorithm similar to DES with a key length of 128 bit.
  Blowfish - works with a variable key length (up to 128 bit)
  DES - Digital Encryption Standard; since DES is only capable of a 56 bit key length, it cannot be considered as safe any longer.
  Attention: Do NOT use DES with high risk data.
Authentication: Defines the to-be-used algorithm for authentication. Available methods are:
  MD5 - Message Digest 5; hash length of 128 bit
  SHA - Secure Hash Algorithm; hash length of 160 bit
Root Certificate: In the pull-down menu available root certificates are offered for selection (as defined in the GTI Editor Defaults, see above).
Key Time Limit: This parameter defines the period of time after which the re-keying process is started. Possible settings are 5, 10 (default), 30 and 60 minutes.
Key Traffic Limit: This parameter defines the amount of traffic after which the re-keying process is started. Possible settings are: No Limit, 1 MB, 5 MB, 10 MB (default), 50 MB.
Tunnel Probing: The probing parameter defines the interval of sent probes. If such a probe is not answered correctly, the parameter Tunnel Timeout (see below) is in charge. The available time settings (in seconds) for the probing parameter are: silent (no probes are sent; disables the parameter), 10 secs, 20 secs, 30 secs (default) and 60 secs.
Tunnel Timeout: If for some reason the enveloping connection breaks down, the tunnel has to be re-initialized. This is extremely important for setups with redundant possibilities to build the enveloping connection. The timeout parameter defines the period of time after which the tunnel is terminated. The available settings (in seconds) for the timeout parameter are: 10 secs, 20 secs (default), 30 secs and 60 secs.
  Note: The choice of the ideal timeout parameter strongly depends on the availability and stability of the connection. Barracuda Networks recommends setting the timeout to 30 seconds for internet connections and to 10 seconds for intranet or connections over a dedicated line.
Accept Identification Type: Offers three types of identification: Public Key (default), X509 Certificate (CA signed) and X509 Certificate (explicit).
Hide in Barracuda NG Earth: Select the checkbox and the tunnel will not be visible in the Barracuda NG Earth software.
Meshed: Selecting this checkbox (at the bottom of the configuration window) automatically creates tunnels when adding a new VPN service to the group.
  Note: Take into consideration that the tunnels are NOT removed after deselecting this checkbox.

List 1959 VPN GTI Editor - Group Edit - TINA tab section Accepted Ciphers
Parameter: Description
Accepted Ciphers: Indicates what kind of ciphers are allowed for connecting to the VPN server for users of this group. Reset functionality is available as soon as a cipher setting was modified and restores default values.

List 1960 VPN GTI Editor - Group Edit - TINA tab section Bandwidth Protection
Parameter: Description
Bandwidth Protection settings are a part of Traffic Intelligence configuration. For a description of Traffic Intelligence please see VPN 2.7.1.2 Traffic Intelligence (TI), page 235. For a detailed parameter description please see VPN Bandwidth Protection, page 238.

List 1961 VPN GTI Editor - Group Edit - TINA tab section VPN Envelope Policy
Parameter: Description
VPN Envelope settings are a part of Traffic Intelligence configuration. For a description of Traffic Intelligence please see VPN 2.7.1.2 Traffic Intelligence (TI), page 235. For a detailed parameter description please see VPN VPN Envelope Policy, page 238.
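As an added example (not Barracuda code) for the Key Time Limit, Key Traffic Limit, Tunnel Probing and Tunnel Timeout rows of List 1958: a small model of how the four settings interact over the life of one tunnel, accepting only the values the tab offers. Counting the timeout from the first unanswered probe is this example's reading of "the parameter Tunnel Timeout is in charge", not a documented implementation detail.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MB = 1024 * 1024

# Settings offered by the TINA tab (List 1958); None stands for "No Limit" / "silent".
OFFERED = {
    "key_time_limit_min": {5, 10, 30, 60},
    "key_traffic_limit_mb": {None, 1, 5, 10, 50},
    "probing_s": {None, 10, 20, 30, 60},
    "timeout_s": {10, 20, 30, 60},
}


@dataclass
class TinaTunnelTimers:
    """Models how Key Time Limit, Key Traffic Limit, Tunnel Probing and Tunnel
    Timeout interact for one tunnel. Times are seconds since establishment."""
    key_time_limit_min: int = 10
    key_traffic_limit_mb: Optional[int] = 10
    probing_s: Optional[int] = 30
    timeout_s: int = 20
    _last_rekey: int = field(default=0, init=False)
    _bytes_since_rekey: int = field(default=0, init=False)
    _last_probe: int = field(default=0, init=False)
    _unanswered_since: Optional[int] = field(default=None, init=False)

    def __post_init__(self) -> None:
        for name, allowed in OFFERED.items():
            if getattr(self, name) not in allowed:
                raise ValueError(f"{name}={getattr(self, name)!r} is not an offered setting")

    def _reset(self, now: int) -> None:
        self._last_rekey = self._last_probe = now
        self._bytes_since_rekey = 0
        self._unanswered_since = None

    def on_tick(self, now: int, bytes_transferred: int = 0,
                probe_answered: bool = False) -> List[str]:
        """Advance the tunnel clock to `now`; return the actions due at this instant."""
        events: List[str] = []
        self._bytes_since_rekey += bytes_transferred
        if probe_answered:
            self._unanswered_since = None
        # Re-keying starts when either limit is reached, whichever comes first.
        time_hit = now - self._last_rekey >= self.key_time_limit_min * 60
        traffic_hit = (self.key_traffic_limit_mb is not None
                       and self._bytes_since_rekey >= self.key_traffic_limit_mb * MB)
        if time_hit or traffic_hit:
            events.append("rekey")
            self._last_rekey, self._bytes_since_rekey = now, 0
        if self.probing_s is not None:                      # "silent" disables probing
            if now - self._last_probe >= self.probing_s:
                events.append("probe")
                self._last_probe = now
                if self._unanswered_since is None:
                    self._unanswered_since = now
            # An unanswered probe hands over to Tunnel Timeout: terminate and re-initialise.
            if (self._unanswered_since is not None
                    and now - self._unanswered_since >= self.timeout_s):
                events.append("terminate")
                self._reset(now)
        return events


def is_offered_setting(**settings) -> bool:
    """True if the combination is one the TINA tab offers."""
    try:
        TinaTunnelTimers(**settings)
    except ValueError:
        return False
    return True
```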
15.2.2.2 IPSec Tab

Parameter: Description
Encryption: defines what kind of encryption is used. Available algorithms for Phase 1: 3DES (default), DES and CAST. Available algorithms for Phase 2 are: AES, 3DES (default), CAST, Blowfish and DES.
Hash Meth.: defines the used hash algorithm; available algorithms are MD5 (default for both phases) and SHA.
DH-Group: Diffie-Hellman Group defines the way of key exchange; available options for this parameter are Group1 (default for both phases; 768-bit modulus), Group2 (1024-bit modulus), and Group5 (1536-bit modulus).
Lifetime: defines rekeying time in seconds a server offers to the partner (default Phase 1: 28800; default Phase 2: 3600).
Min. Lifetime: defines minimum rekeying time in seconds a server accepts from its partner (default Phase 1: 25200; default Phase 2: 1200).
Max. Lifetime: defines maximum rekeying time in seconds a server accepts from its partner (default Phase 1: 32400; default Phase 2: 4800).

List 1963 VPN GTI Editor - Group Edit - IPSec tab section General Settings
Parameter: Description
Accepted Identification Type: offers three types of identification: Shared Passphrase (default), X509 Certificate (CA signed) and X509 Certificate (explicit). A passphrase is automatically generated when an IPSec tunnel is drawn.
Root Certificate: offers all available root certificates for selection (as defined in the GTI Editor Defaults, see above).

15.2.2.3 Defining VPN Service Properties

Fig. 1914 Adding a VPN Service to a VPN Group - Step 1

Fig. 1915 Adding a VPN Service to a VPN Group - Step 2

When adding a VPN service to the VPN group, you may define several specific parameters.

List 1964 VPN GTI Editor - Adding a VPN Service to a VPN Group section Server/Service
Parameter: Description
Server: displays server name; read-only
Service: displays service name; read-only
Info: displays an optional information text; read-only

List 1965 VPN GTI Editor - Adding a VPN Service to a VPN Group section Attributes
Parameter: Description
Color: defines the color in which the tunnels created from this VPN service to another one are displayed. Take into consideration that disabled tunnels are not affected by this parameter and are displayed grey regardless of the color set. Additionally, the color is used in conjunction with parameter Filled (see below) (default: black).
Thickness: defines the thickness of displayed tunnels created from this VPN service to another one (default: 1 pt)
Filled: ticking causes the background of the selected VPN service to be equipped with a solid circle in the color defined above (default: disabled)
Hub: ticking causes the selected VPN service to serve as a hub (default: disabled)
Show Name: enables/disables display of the selected VPN service name (default: enabled)
Fully Meshed: ticking causes automatic tunnel creation for the selected VPN service (default: disabled)

List 1966 VPN GTI Editor - Adding a VPN Service to a VPN Group section Tunnels
Parameter: Description
displays every tunnel connection created from this VPN service to another one (including the set parameter values); context menu offers items Edit Tunnel (see 15.1.2 User Interface - Canvas Section, page 491), Delete Tunnel (see 15.1.2 User Interface - Canvas Section, page 491) and standard context menu entries

List 1967 VPN GTI Editor - Adding a VPN Service to a VPN Group section In Groups
Parameter: Description
purely informational and displays all groups the VPN service is part of
The tabs VPN GTI Settings and Server/Service Settings in the VPN Service window are read-only areas. Their content is delivered through the VPN GTI Settings tab (VPN 2.4 Configuring VPN GTI Settings, page 221) and the Server Configuration tabs (Configuration Service 3. Configuring a New Server, page 94).

Note:
Networks that need to be reachable behind the tunnel endpoints must be entered into the Networks parameter of the Server Configuration area (see 3.3.2 GTI Networks, page 96).

15.2.2.4 Defining Tunnel Properties

As already mentioned above, Barracuda NG Firewall VPN GTI offers the possibility to tweak any tunnel parameter to your needs.

For tweaking tunnel parameters simply left-click the Tunnel Info node and open the configuration dialog via the link (displayed in blue).

Fig. 1916 Open Tunnel Info node and Tunnel configuration dialog

When editing a parameter the following visualisation effects are shown:
- Parameter name turns from black into blue and is displayed underlined (as shown in figure 1916)
- Parameter value changes from grey (indicating default values) into black

Note:
In order to reset the modification, simply click on the blue, underlined parameter name and select Reset to Group default value from the menu.

Note:
The information displayed is merged from the following configuration entities:
- Global VPN Settings - see 15.2.2 Defining Global Settings for a VPN Group, page 492
- Local VPN GTI Settings on the corresponding boxes - see VPN 2.4 Configuring VPN GTI Settings, page 221.

Attention:
Tweaking tunnel parameters disables global settings.

15.2.2.5 Configuring Traffic Intelligence Settings in the GTI VPN Editor

Note:
Functionality, characteristics and configuration parameters of Traffic Intelligence are described in detail in VPN 2.7.1.2 Traffic Intelligence (TI), page 235. Please read this chapter before proceeding. In this place, only the transport creation and modification process will be described.
Note:
Barracuda NG Earth is only available in combination
with the CC Global Edition and CC Enterprise Edition
licenses.
16.2 CC Settings
Note:
Please notice that administrative rights are required for configuration settings.
- In the CC set the parameter Poll Box VPN Status to yes (Global Settings > CC Parameters > Barracuda NG Earth Setup) (see Barracuda NG Control Center 6.3.5 Global Settings - CC Parameters, page 437, list 1910)
- To define the position of the VPN connectors, insert the coordinates in parameter Global Position for all your boxes (Boxes > <boxname> > Box Properties > Operational > Barracuda NG Earth Settings) (see Configuration Service 2.2.2.2 Creating a Box - Operational Settings, page 53, list 33).
16.3 Requirements
- Processor: Intel Pentium IV, AMD Athlon 64 or better
- OS: Windows XP SP2 or Windows VISTA 32 / 64-bit
- Graphic card: DirectX 9 level graphics card or better
- Generic Network Adapter
- a CC and adequate licenses (see 16.1 General, page 497)
- usage of GTI VPN tunnels
Define the settings best fitting your video card, as the application uses DirectX 9. Check for the latest driver update at www.microsoft.com.
List 1968 Barracuda NG Earth section Graphics
Parameter Description
Texture Quality: Move the slider to select the texture quality level. The higher the texture level, the higher the CPU load.
  Low: world.200407.2048x1024.tga (6.145 KB)
  Medium: world.200407.8100x4050.tga (96.109 KB)
  High: world.200407.10800x5400.tga (170.860 KB)
World Texture: Choose the world texture.
Geometry Quality: Move the slider to select the geometry quality (number of polygons). This setting influences your performance substantially. The recommended value is medium.
  High: 124.416 polygons
  Medium: 31.104 polygons
  Low: 7.776 polygons
Bump Mapping: Choose Enabled or Disabled. This setting allows the video card to apply texture maps (bumps) to flat textures; this setting can affect performance.
Water is transparent: Choose Enabled or Disabled. Select the way the water will be presented; this setting can affect performance.
Graphical API: Choose DirectX or OpenGL. If your system does not support DirectX you can choose OpenGL as an alternative. Please notice that as the application starts with DirectX selected by default, a check on the DirectX driver version will be performed.
List 1969 Barracuda NG Earth section Connection to CC
16.5.1 Hotkeys
Table 1922 Barracuda NG Earth Hotkey
Hotkey Description
b: Bitmap bump map on/off
n: New 2D View. Opens a new 2D window that can be moved to a different desktop (especially for dual head graphics cards)
s: Transparent sphere on/off
t: VPN Tunnel Mode on/off
16.6 Troubleshooting
If the desired boxes and/or VPN tunnels are not displayed on Barracuda NG Earth, please follow these steps.
16.6.1 CC and Box Configuration
- CC: The parameter Poll Box VPN Status must be set to yes (Config > Multi-Range > Global Settings > CC Parameters > Barracuda NG Earth Setup).
- Corresponding Box: The parameter Poll VPN Tunnel Status must be set to yes (Config > Box > Box Properties > Operational > Barracuda NG Earth Settings). In addition, the coordinates of the box must be typed into the Global Position parameter.
16.6.2 VPN Tunnel Configuration
- Ensure that the VPN tunnel is defined using the GTI editor.
- If the VPN tunnels are generated with the Meshed option enabled, the VPN tunnel will only be displayed when there is traffic. Double-click the group in the VPN GTI Editor to check the Meshed checkbox (for VPN GTI Editor accessibility see 15.1 User Interface, page 490).
- Ensure that the checkbox Hide in Barracuda NG Earth is not selected within the same dialog.
- Double-click the tunnel in the VPN GTI Editor and ensure that the checkbox Hide in Barracuda NG Earth is not selected within the VPN tunnel settings.
16.6.3 Barracuda NG Earth Configuration
- Under Windows > Start > All Programs > Barracuda Networks > Barracuda NG Earth > 3D Settings ensure that the CC server IP (not the CC box IP) is typed into the Server IP parameter.
17. CC RCS
The Barracuda NG Control Center provides a Revision Control System (RCS) for auditing purposes. The RCS, as soon as it is activated, provides complete information on changes in the configuration of the Barracuda NG Control Center and its administered Barracuda NG Firewalls (in theory, back to the moment RCS was activated - depending on the amount of data).
Attention:
Please take into consideration that the DNS service is not supported by RCS.
In order to activate RCS enter the Config > Multi-Range > Global Settings > CC Parameters > RCS Setup view.
Fig. 1921 Configuration dialog - RCS
List 1970 CC Parameters - RCS Setup
Parameter Description
Version Control System: This parameter activates/deactivates the RCS function.
Log Change Differences: This parameter activates/deactivates the RCS functionality to log all changes made to a configuration node (file name: servicename_changes).
Log Creation Differences: This parameter specifies how to log the change of a new configuration node. The following settings are available:
  Difference-to-Default - Only differences to the default settings are listed.
  Full-Info - Every setting is listed.
  None - Only changes are taken into account.
Log Removal Differences: This parameter specifies how to log file removals within a configuration node. The following settings are available:
  Difference-to-Default - Only differences to the default settings are listed.
  Full-Info - Every action is listed.
  None - Removal of files is skipped.
Report Processing Script: Use this field to configure automated transmission of change reports to other destinations. A shell script invoking Secure Copy (scp) or e-mail delivery can be entered here.
  Example scripts for report transmission might look as follows:
  Secure copy to an external server:
  scp "$REPORT" root@recipient.com
  mailclt to an external server:
  /opt/phion/bin/mailclt -f sender@sender.com recipient@recipient.com -s "change" -m 192.168.0.1 -a "$REPORT"
  Attention:
  Make sure to use the variable $REPORT when using the tools scp and mailclt. The name of the report file is stored in $REPORT and is thus handed over by Rangeconf.
  Note:
  On Barracuda NG Firewall 4.2 mailclt is installed by default.
  Attention:
  The option -m expects the IP address of a reachable SMTP server to follow. As DNS resolution is not supported by RCS, the mail server's IP address and not its MX record has to be specified at any rate.
Force Commit Message: If set to Yes, every RCS check-in will produce a one-line text window allowing to enter a comment. Defaults to No.
  Attention:
  Barracuda NG Admin versions prior to 4.2.5 can not be used anymore for configuration changes if the Commit Message has been activated.
Fig. 1922 RCS Versions window
The RCS Versions window makes the following information available:
Table 1926 Columns available in the RCS Versions window
Column Description
Version: This column displays the version numbers of the selected activated configuration node/file. As long as the configuration is only sent (by clicking Send Changes) the displayed version is "session". If this configuration is activated (by clicking Activate) the corresponding (increased) version number is listed. Editing a linked file results in additional version information including the file version and the complete path of this link target.
Date: This is the date when a new or modified configuration has been activated. Data is arranged as follows: yyyy/mm/dd.
Time: This is the time when a new or modified configuration has been activated. Independent of box time settings, the effective time format is always UTC.
Admin: Displays the login name of the editing administrator.
Peer: Displays the peer address of the editing administrator.
Operation: Displays the operation performed by the editing administrator. The following entries are possible:
  CHANGE - Indicates a modification
  ADD - Indicates an added configuration entry (for example a newly introduced firewall rule)
  REMOVE - Indicates a removed configuration entry (for example removing a firewall rule)
  LINK - Indicates a link to a repository entry.
  UNLINK - Indicates that a link to a repository entry was removed.
Link Version: This column holds information only in conjunction with a LINK operation entry. This information consists of the version of the link target.
Link Path: This column holds information only in conjunction with a LINK operation entry and consists of the complete path of the link target.
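The Report Processing Script parameter in List 1970 accepts a shell script; the following is an added example (not part of the Barracuda manual) of such a script built around the two commands quoted in that list. It checks that Rangeconf handed over a readable $REPORT, refuses a hostname in the -m argument because RCS performs no DNS resolution, and then ships the report with scp and mailclt. The archive host, the scp target path and the sender and recipient addresses are constructed placeholders; /opt/phion/bin/mailclt and its options are taken from the list above.

```shell
#!/bin/sh
# RCS report processing script: added example, not from the Barracuda manual.
# Rangeconf runs the configured script with the report file name in $REPORT.
# Destination values are constructed placeholders; adjust before use.

SCP_TARGET="root@archive.example.invalid:/var/rcs-reports/"  # placeholder
SMTP_IP="192.168.0.1"               # IP literal: RCS does not resolve DNS
MAIL_FROM="sender@sender.com"       # placeholder sender address
MAIL_TO="recipient@recipient.com"   # placeholder recipient address
MAILCLT="/opt/phion/bin/mailclt"    # installed by default on NG Firewall 4.2

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 literal (octets 0..255)
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# report_ok FILE: succeed only for a readable, non-empty regular file
report_ok() {
    [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ] && [ -s "$1" ]
}

# build_mail_cmd REPORT: print the mailclt command line (dry run / logging)
build_mail_cmd() {
    printf '%s -f %s %s -s "change" -m %s -a "%s"\n' \
        "$MAILCLT" "$MAIL_FROM" "$MAIL_TO" "$SMTP_IP" "$1"
}

# process_report REPORT: validate, then copy and mail the report.
# Returns 2 for a bad report file, 3 for a non-IP SMTP target,
# 4 if scp fails, 5 if mailclt fails, 0 on success.
process_report() {
    report=$1
    if ! report_ok "$report"; then
        echo "rcs-report: \$REPORT is missing, unreadable or empty: '$report'" >&2
        return 2
    fi
    if ! is_ipv4 "$SMTP_IP"; then
        echo "rcs-report: -m needs an SMTP server IP address, got '$SMTP_IP'" >&2
        return 3
    fi
    rc=0
    scp -q "$report" "$SCP_TARGET" || { echo "rcs-report: scp failed" >&2; rc=4; }
    "$MAILCLT" -f "$MAIL_FROM" "$MAIL_TO" -s "change" -m "$SMTP_IP" -a "$report" \
        || { echo "rcs-report: mailclt failed" >&2; rc=5; }
    return "$rc"
}

# Entry point when Rangeconf invokes the script; a harness that sources
# this file with $REPORT unset can call the functions directly.
if [ -n "${REPORT:-}" ]; then
    process_report "$REPORT"
fi
```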
17.2.1 RCS Versions Dialog
RCS is monitored in the RCS Versions window. This window may be opened either via the context menu of any item in the configuration tree below Global Settings or via the pull-down menu RCS within an explicit configuration file.
Selection of versions for verification is done by using the left mouse button (that means combining SHIFT and left-click will not work):
- The first click sets the start version of interest.
- The second click sets the end version of interest.
Fig. 1923 Example for selecting versions of interest
Fig. 1924 Example for selecting versions of interest with selected Full History checkbox
By clicking Select All all available versions are taken into account.
After the wanted selection is done click the button Show Differences in order to open the RCS Report.
Column Description
Node: This column offers a tree view on the changes. In the example above, the first level specifies the name of the configuration entity, the second level provides the name of the data set, the third level holds the position in the configuration dialog, and the fourth level holds the object of editing.
Operation: This is the modification type. The following types are available:
  New
  Change
  Remove
  Move - this type indicates that the position of the configuration entry was moved in the hierarchy (for example moving a rule up or down in a rule set)
  * - this type indicates multiple changes to the configuration entry
New: This column shows the new value of the configuration entity.
Old: This column shows the old value of the configuration entity.
  Note:
  Columns New and Old may consist of multiple lines. For viewing the complete information, open the node in the Node column or simply select Details from the context menu (see below).
Version: Here the version number when editing is displayed. A displayed * indicates that there are multiple version numbers within this node.
Stamp: This is the time stamp indicating when a configuration has been modified. Independent of box time settings, the effective time format is always UTC. Date and time are arranged as follows: yyyy/mm/dd hh:mm:ss.
Admin: This is the administrator who has edited the configuration.
Peer: This is the IP address that is assigned to the administrator who has edited the configuration.
- Import / Export
Via these buttons you may export the RCS results into a "*.prp" file for archiving purposes or import an archived prp file.
17.2.2 RCS Change Message
By setting the parameter RCS Setup - Force Commit Message to Yes, a one-line text box will pop up prior to every Activate process, prompting the user to leave some comment on his or her changes.
Fig. 1925 RCS Change Message Dialog
The given commentary text may later be retrieved separately for each configuration node through the Show RCS Versions dialog within the context menu.
Fig. 1926 RCS Change Message Text within RCS Versions Dialog
18. CC VPN
Note:
Due to migration issues the node Master VPN Settings may be accessible on a Barracuda NG Control Center on box-level. Settings in this node are ignored. On a CC, the appropriate settings must be made within Multi-Range > Global Settings > Box VIP Network Ranges instead.
Only for a mastervpn offloader do these settings reside within the service node Master VPN Settings on box-level.
Parameter Description
Address Range Start: single host or network range
Note:
Proxy ARPs will be introduced for the entire VIP network range including the network and broadcast address.
Note:
Network routes for local networks are automatically introduced by the system.
Note:
If the gateway's external IP address is dynamically assigned via DHCP or xDSL, the IP address will be automatically assigned to the default settings at box level.
18.4.1 Management Tunnel
Fig. 1932 Network Configuration Node Configuration
List 1973 Network Address Configuration
Parameter Description
Used VPN Protocol: Protocol type of the remote management tunnel. VPN2 is recommended.
VPN Point of Entry: Target IP address the VPN tunnel will be established to. Usually this is the external IP address of the perimeter firewall that separates the CC from the internet.
VPN Port: Port of the remote management tunnel.
Remote Networks: Networks that should be reachable from the remote gateway. Management IP and server IP of the CC need to reside within these networks or ranges.
Type of Proxy: Supported proxy types: HTTPS, SOCKS4 and SOCKS5
Transport Protocol: Transport protocol the VPN tunnel is based on. TCP or UDP
Encryption Cipher: Encryption algorithm that is used to encrypt the VPN tunnel. Supported ciphers: AES, AES-256, CAST, Blowfish, DES and 3DES
VPN Local IP: Source IP address that is used to establish the management tunnel from the gateway to the Barracuda NG Control Center. If this field is left blank, the system determines the source IP via routing lookup.
VPN Interface: Source network interface that is used for tunnel establishment.
Proxy Server IP: IP address of the proxy server.
Proxy Server Port: Port of the proxy server.
Proxy User: User name for proxy authentication.
Proxy Password: Password for proxy authentication.
Reachable IPs: These IP addresses are used for monitoring of the VPN tunnel by sending ICMP requests over the VPN tunnel.
Key Time Limit [Minutes]: Time period for session rekeying.
Tunnel Probing [Seconds]: Time period for tunnel probing.
Tunnel Timeout [Seconds]: Time period for tunnel timeout.
Fig. 1936 Redirect rule
18.6 Troubleshooting
To check if all the configured remote management tunnels are up and running, the CC VPN Service module offers a powerful GUI for managing VPN tunnels and configuration lookup. Connect to the Barracuda NG Control Center on box-level and open the VPN tab in the Box Menu on the left side.
Note:
Changes to the configuration within workspace elements are reflected immediately within the configuration tree. The workspace view is just a new, differently structured view of the nodes from the configuration tree.
Each workspace can either be shared with all administrators or assigned to individual administrators.
The available Admin Workspaces are listed within the column right-hand of the Barracuda NG Admin main
List 1974 Workspace Permissions
- Now switch to the workspace, open the context menu and click Activate Workspace Changes in order to save the modifications.
Fig. 1947 Add node to Admin Workspace
- Select Rename Node from the context menu.
Fig. 1945 Rename Node within Admin Workspace
19.3.6 Creating Admin Workspace Labels
Labels can be used to partition an Admin Workspace into different sections.
- Lock the desired workspace.
- Right-click the root node of the workspace.
Fig. 1948 Create Label
Parameter Description
Show Workspaces: All available workspaces and the CC configuration tree are listed here for quick navigation between workspaces and the ordinary config tree.
Refresh Workspace: Reloads the currently active workspace.
Lock Workspace for Modifications: Locks the currently active workspace to enable the performance of operations on the workspace.
Unlock Workspace: Unlocks the currently active workspace.
Edit Workspace Properties...: Opens the workspace settings dialog.
Delete Workspace: Deletes the currently active workspace.
Save Workspace to File...: Saves the currently active workspace into a configuration file.
Load Workspace from File...: Loads a configuration file containing a saved workspace.
  Note:
  Loading a workspace overwrites the currently active workspace.
Create Directory...: Creates a directory within the currently active workspace.
Create Label...: Creates a label within the currently active workspace.
Show this Workspace on Startup: When connecting to a Barracuda NG Control Center via the Barracuda NG Admin client, the default view will be this workspace instead of the hierarchical config tree.
Show Tree on Startup: When connecting to a Barracuda NG Control Center via the Barracuda NG Admin client, the default view will be the ordinary config tree.
SNMP
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
2. Configuration
2.1 Single Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
2.2 Barracuda NG Control Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
1. Overview
2. Configuration
2.1 Single Box
Configuring the SNMP Service on a Barracuda NG Firewall starts with introducing a corresponding SNMP Service. For installing simply follow the instructions mentioned in Configuration Service 4. Introducing a New Service, page 97, and select SNMPd as Software Module.
After the service has been created, the following two configuration entries are available in the configuration tree:
- Service Properties - settings made during the introduction of the service
- SNMP Service Settings - described in the following
Fig. 201 SNMP Service configuration dialog
The three entries on the top of the dialog, Description, Contact Info and Location, are used to specify administrative information which can be queried in the system information MIB module.
The field Enterprise ID contains the registered enterprise ID of Barracuda Networks (as assigned by IANA - www.iana.org) and is therefore read-only. It is used to identify the vendor of the SNMP agent and to enable vendors to define their own private enterprise objects.
The section SNMP Access Groups allows defining (simple) access restrictions. By default access to the SNMP Service is not granted. To allow SNMP queries, a new access group has to be defined. The following parameters are available:
List 201 SNMP Configuration - section Access Groups
Parameter Description
Peers: Here the defined peers for the current access group are listed. To add a new peer click Insert. Each peer is defined by an identifier (Name) and consists of an IP Address/Mask and a Community.
  IP Address/Mask defines which hosts/networks are granted to query the SNMP Service.
  Community defines the community name (acts as a sort of password) to identify membership of a community.
  View allows restriction to specific MIB modules. Available entries are:
  *-ALL-* allows access to all available MIB modules as described above
  *system* restricts access to the MIB module "system"
  *interfaces* restricts access to the MIB module "interfaces"
  *at* restricts access to the MIB module "address translation table"
  *ip* restricts access to the MIB module "ip"
Note:
There has to be a default Access Group. If there is none, the service will allow queries without restriction. With SNMP services created after installation/update of Barracuda NG Firewall 4.2 a default access group is introduced, prohibiting unintended queries in case of default configuration.
The SNMP Service of a Barracuda NG Firewall is available at the configured server IPs.
Note:
Please take into consideration that the local firewall rule set may block access to the SNMP Service. Thus, it might be necessary to insert a local inbound rule which allows access to UDP port 161. For details concerning the local firewall rule set, see Firewall, page 131.
List 215 OSPF/RIP Settings - OSPF Router Setup section Router Distribution Configuration
Parameter Description
Default Route Distribution: Click the Edit button to specify default route distribution settings:
  OSPF Metric: Set the metric in the router's link state advertisement. The SPF algorithm uses this value to calculate the cost for each route. Routes with lower cost are preferred over routes with higher costs.
  OSPF External Metric: Set the external metric type:
    Type1: Type1 external routes have a cost that is the sum of the cost of this external route plus the cost to reach the ASBR.
    Type2: The cost of Type2 external routes is defined like the cost of Type1 routes but without the cost to reach the ASBR.
  Originate Always: Enables the router to send the default route 0.0.0.0 to a neighbour. The neighbour can then use this route to reach the router if all other routes are not available.
  Route Maps: Filter definitions. References OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters in 1.3.9 Filter Setup.
Route Redistribution: Click the Insert button to specify individual route redistribution settings:
  Route Types: Available route type settings are: connected, RIP
  OSPF Metric: See OSPF Metric parameter description above.
  OSPF External Metric: See OSPF External Metric parameter description above. If no external metric setting is needed, the value NOT-SET can be defined in this place.
  Route Maps: Filter definitions. References OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters in 1.3.9 Filter Setup.
1.3.4 OSPF Area Setup
In this section, area specific parameters are set.
List 216 OSPF/RIP Settings section OSPF Area Configuration
Parameter Description
Enable Configuration: Set to no to disable this area configuration.
Area ID Format: Defines which area format is used: Integer (default), Quad-IP
Area ID [IP]: Area ID as Quad-IP (for example 0.0.0.1)
Area ID [Int]: Area ID as number (for example 1)
Authentication Type: Defines authentication for the area (default: Digest-MD5)
Simple Authentication Key: Define here the OSPF area authentication credentials.
Digest Authentication Key: Define here the OSPF area authentication credentials.
Special Type: Stub areas do not import or originate external LSAs. NSSAs are the "OSPF Not-So-Stubby Area" where an ASBR can be located in a stub area (see RFC 3101) (default: NONE).
NSSA-ABR Translate Election: This setting option is defined by RFC 3101.
Disable Summary: Disables summary LSAs.
Virtual Link ID (ABR): Note: This parameter is only available in Advanced View mode. Sets the virtual link ID for this area.
Virtual Link Params: Note: This parameter is only available in Advanced View mode. Parameters for the virtual link. For a description see OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section OSPF Parameters, 1.3.7.3 Section Parameter Template Configuration.
Area Default Cost: The area default cost is the cost for the default route injected into an attached stub area.
Summary Range IP/Mask: Create summary ranges in the area to apply special actions on that range.
  Range Action (default: advertise): Special action for a range: advertise (default), non-advertise, substitute
  Range Cost: Cost for a range.
  Advertised Range: Advertise configured range to.
Area Export Filters: Set an export ACL.
Area Import Filters: Set an import ACL.
Area in Filters: Set an import prefix list.
Area out Filters: Set an export prefix list.
1.3.5 RIP Router Setup
This tab only has to be configured when RIP has been activated in the General tab through setting the Run RIP Router parameter to yes.
Specification of global RIP settings such as version, timers and authentication, and definition of interfaces on which the RIP process is to run, is done in this place.
For interface specific tuning please use the Network Interfaces, page 523.
List 217 OSPF/RIP Settings - RIP Router Setup section RIP Router Configuration
Parameter Description
RIP Keychains: Key/Key String: To enable RIP authentication, so-called key chains must be introduced. A key chain can consist of several keys, where each key is identified by a number and a key string (password).
RIP Version: The Barracuda NG Firewall routing service allows usage of both standardized RIP versions, RIPv1 and RIPv2. The following values are thus available for selection: Version_1 (classful), Version_2 (classless)
RIP Terminal Password: Password to connect via telnet and query status information of the RIP router. The RIP router is reachable on TCP port 2604 (loopback only). This is mainly useful for debugging purposes. Note that remote connection to the RIP terminal is not possible.
Privileged RIP Terminal Password: Password to connect via telnet and change the configuration of the RIP router (not recommended since changes made via the terminal are not persistent). Note that remote connection to the RIP terminal is not possible.
Networks: Network Prefix/Device: Defines the interfaces on which the RIP daemon runs.
List 217 OSPF/RIP Settings - RIP Router Setup section RIP Router Configuration
Parameter Description
Advanced Settings:
  Update Timer: Specifies the time span (sec) between the unsolicited sending of response messages to all neighbours containing the routing table. Default: 30
  Timeout Timer: Specifies the validity timeout (sec) of a route. The route is retained in the routing tables but is no longer valid. Default: 180
  Garbage Collect Timer: Specifies the time span (sec) after which an invalid route is removed from the routing table. Default: 120
  Administrative Distance: To determine which routing protocol to use if two protocols provide routing information for the same destination, the administrative distance is used as the first criterion. Higher distance values imply lower trust ratings; the RIP default is 120. The administrative distance setting is used to increase the metric of routes introduced to the system. For instance, an externally learned RIP route with metric 2 and Administrative Distance 100 is introduced with metric 102. This has the effect that the OSPF route is favoured over the RIP route.
  Note:
  Remember that administrative distance is not advertised and thus only has local impact.
  Default Metric: Defines the default metric for redistributed routes. Does not apply to connected routes. Default: 1
  Interface Default: Default interface policy for RIP. Possible values are:
    passive - the network is only advertised; no RIP Hello packets are sent out from this interface
    active (default)
List 218 OSPF/RIP Settings - RIP Router Setup section Router Distribution Configuration
Parameter Description
Default Route Redistribution: Select the checkbox to redistribute default routes. A list of routes which should be redistributed can be specified.
Route Redistribution:
  Route Types: The route type can be either connected or OSPF. In the first case, Barracuda NG Firewall routes which have the flag Propagate via OSPF set to Yes are redistributed. In the latter case routes learned via OSPF are redistributed. Note that direct routes on an active interface are always redistributed.
  RIP Metric: Sets the metric for the selected type of routes.
  Route Maps: Filter definitions. References Route maps in the FILTER tab.
Route Update Filtering: Route Update Filtering is used to provide Access Control Mechanisms and mechanisms to fine-tune RIP metrics.
  Metric Offsets (Update Direction, Enforced Metric, ACLs, Devices): Configuring Metric Offsets adds an offset to incoming and outgoing metrics of routes learned via RIP.
  Route In/Out Filters (Update Direction, Object Type, ACLs, IP Prefix List, Devices): Route Filters are used to control the advertising and learning of routes in routing updates. Filters with the parameter Update Direction set to "in" apply to routes processed in incoming routing updates. The filter is matched against the content of the update, not against the source or destination of the routing update packets.
1.3.6 RIP Preferences
List 219 OSPF/RIP Settings - RIP Preferences section RIP Preferences Configuration
Parameter Description
Log Level: Specifies the verbosity of the RIP routing service. Available values are: critical, debugging, emergencies, errors, informational (default), notifications, warnings, alerts
Use Special Routing Table: By setting this parameter to yes and selecting a table name below, routes learned by the RIP service are introduced into an own routing table. Note that the routing table is not automatically introduced, but has to be configured manually by introducing Policy Routes.
Table Names: A list of policy routing table names can be specified here. Routes learned by the routing daemon are introduced into each of the listed routing tables.
Multipath Handling:
  ignore - multipath routes will be discarded
  Attention:
  RIP summarizes routes to multipath routes automatically if more than one next hop to a prefix exists. Use the setting "ignore" with caution.
  assign-internal-preferences - multipath routes will be translated to several routes with different metrics (preferences)
  accept-on-same-device - multipath routes will be introduced as multipath if all next hops are reachable on the same interface
  accept-all (default) - multipath routes will be introduced
Parameter Description Simple Password for simple authentication. This value only has
Authentication to be specified with Authentication type set to simple.
Load Interface If set to yes, the list of available interfaces is loaded Key
Info after execution of Send Changes.
Digest Password for digest authentication. This value only has
Interfaces see list 2111 Authentication to be specified with Authentication type set to
List 2111 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section Shared Interface Configuration
Interface Description: Informational text field.
Apply to Interface: Specifies the network interface to which the following settings apply.
Activate Config for: Specifies the routing protocols for which the settings should be activated on this interface. Possible settings are OSPF, RIP or OSPF+RIP.
Passive Interface: On a passive interface the routing protocol does not send Hello packets. The network configured for this interface is still advertised. An interface is active by default (setting: No).
Parameter Template: References templates for this interface.

List 2112 OSPF/RIP Settings - Network Interfaces Configuration - Interfaces section OSPF Specific Parameters
Network Type: Type of network. Ethernet is normally broadcast. Sometimes there may be a need to use point-to-point for Ethernet links, for example when there is only a /30 subnet. Type non-broadcast is needed to propagate OSPF over a VPN tunnel.
Bandwidth [kBit/s]: Bandwidth of the interface. Configuration is highly recommended since this information cannot be determined automatically. This setting is used by OSPF to calculate the metric.
Interface Addresses:
  Interface Addresses: By specifying an Interface Address the configuration only applies to a single OSPF network. This parameter can be useful in multinet environments. Otherwise the parameters apply to all OSPF networks on the given interface.
  Parameter Template for Address: References templates for this interface.

Key ... digest-MD5.
Message Digest Key ID: Message Digest Key for digest authentication. This value only has to be specified with Authentication Type set to digest-MD5.
OSPF Priority: Set to a higher value, the router will be more eligible to become a Designated Router or a Backup Designated Router. Set to 0, the router is no longer eligible to become a Designated Router. Default: 1
OSPF Dead Interval: Seconds for the timer value used for the Wait Timer and the Inactivity Timer. This value must be the same for all routers attached to a common network.
OSPF Hello Interval: Time to wait between OSPF "hello" messages to neighbours (sec). This value must be the same for all routers attached to a common network.
OSPF Retransmit Interval: Minimum time waited between retransmissions (sec).
OSPF Transmit Delay: Sets the number of seconds for the InfTransDelay value. The InfTransDelay parameter defines the estimated time required to send a link-state update packet on the interface.

List 2116 OSPF/RIP Settings - Network Interfaces Configuration - Parameter Template Configuration section RIP Parameters
Authentication Type: Authentication for neighbours on the specified interface. Either no authentication (default: null), text authentication or the cryptographic authentication digest-MD5 (RFC2082) can be used.
RIP Key Chain: The pull-down menu displays the configured key chains (see 1.3.5 RIP Router Setup) and allows selection of a key chain which is used for authentication.
RIP Text Secret: Specifies the text secret used for authentication purposes. Note that the value specified here always takes precedence over the RIP Keychains settings.
Send Protocol: Configures protocol types for transmission. Possible values are Version_1, Version_2 or Version_1+2.
Receive Protocol: Configures protocol types for reception. Possible values are Version_1, Version_2 or Version_1+2.
List 2118 OSPF/RIP Settings - Neighbor Setup section OSPF Parameters
Neighbor Priority: The Neighbor Priority parameter influences the Designated Router election. Set to a higher value, the router will be more eligible to become a Designated Router. Set to 0, the router is no longer eligible to become a Designated Router or a Backup Designated Router. Default: 1
Dead Neighbor Poll Interval: Seconds between two neighbour probings.

1.3.9 Filter Setup
A filter is needed, for example, when redistributing routes from one protocol to another. Available filters are ACLs and prefix lists. Prefix lists are easier to use. See 1.3.9.1 Example for IP Prefix List Filter Usage for further information.
Route maps can be used to modify routing information. In route maps, the filter is applied to match the routes. Some set actions can be applied to the matching routes.
Example: The RIP learned route 10.0.0.0/24 with metric 4 hops should have metric 6 instead. The match condition in the route map must be a filter matching 10.0.0.0/24 and the set condition must be metric 6.
When applying route filters in the RIP or OSPF section, only ACLs or prefix lists are needed, no route maps.
Note:
This dialog is restricted to basic ACLs (1-99). Extended ACLs must be configured in the tab Text Based Configuration (page 525).

List 2119 OSPF/RIP Settings - Filter Setup section Access List Filters
This section allows the definition of filters which can be referenced within the 1.3.4 OSPF Area Setup and within the RIP Route Update Filtering section (list 217, page 521).
Name: This is the ACL name.
Description: A short description of the ACL.
Network Prefix: Network/Netmask. Note: Enter the address in Inverted CIDR Notation (Getting Started 5. Inverted CIDR Notation, page 25). The address will be converted to Cisco notation for the config file.
Type: Action for the prefix item: permit (default) or deny.

List 2120 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Filters
Route maps are used to control and modify routing information that is exchanged between routing domains.
Name: This is the Route Map Name.

List 2121 OSPF/RIP Settings - Filter Setup - Route Map Filters section Route Map Configuration
Description: A short description of the route map.

List 2122 OSPF/RIP Settings - Filter Setup - Route Map Filters section OSPF Specific Conditions
Sequence Number: Unique identifier for a route map entry.
Type: Action for the route map: permit (default) or deny.
Match Condition: The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP or Interface-Name.
ACL Name: Name of the ACL defined in the Access-Lists section above.
IP Prefix List: Name of the IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters (List 2124).
Gateway IP: IP of the Next Hop in the route.
Out Interface Name: See interfaces to gain available interface names.
Set Action: Defines the action to set: Metric or Metric-Type.
Set OSPF Metric: Set metric for the route map.
Set OSPF External Metric: Set external metric-type for the route map.

List 2123 OSPF/RIP Settings - Filter Setup - Route Map Filters section RIP Specific Conditions
Sequence Number: Unique identifier for a route map entry.
Type: Action for the route map: permit (default) or deny.
Match Condition: The route map entry matches when the route matches the configured criteria or filter: ACL (default), PREFIXLIST, Gateway-IP, Interface-Name or Metric.
ACL Name: Name of the ACL defined in the Access-Lists section above.
IP Prefix List: Name of the IP prefix list defined in OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters (List 2124).
Gateway IP: IP of the Next Hop in the route.
Interface Name: See interfaces to gain available interface names.
Set Action: Defines the action to set: Next-Hop or Metric.
Set RIP Metric: Set metric for the route map.
Set RIP Next-Hop IP: Set next-hop IP address.

List 2124 OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters
Prefix lists are easier to understand for route filters than ACLs. See 1.3.9.1 Example for IP Prefix List Filter Usage below for information on prefix list usage.
Name: This is the name of the IP prefix list.

List 2125 OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Configuration
Description: A short description of the IP prefix list.
Sequence Number: Unique identifier for a prefix list item.
Network Prefix: Network/Netmask
Type: Action for the prefix item: permit or deny.
Extent Type: Matching condition: none (default), greater-than or less-than.
Prefix Length: Minimum or maximum prefix length to be matched.

List 2126 OSPF/RIP Settings - GUI as Text section Text Equivalent of GUI
RIP Text: Created RIP syntax configuration. Shown if Show as Text is set to yes.

1.3.11 Text Based Configuration
Configure dynamic routing here if you do not want to configure it with the GUI. Configuration already done in the GUI will be replaced. Syntax as used for quagga or Cisco applies.
1.3.9.1 Example for IP Prefix List Filter Usage
The following examples show how a prefix list can be used.

Table 212 Example for IP Prefix List Filter: prefix list
Purpose | Network Prefix | Type | Extent Type
Deny default route 0.0.0.0/32 | 0.0.0.0/32 | deny | none
Permit prefix 10.0.0.0/24 | 10.0.0.0/24 | permit | none

The following examples show how to specify a group of prefixes.

Table 213 Example for IP Prefix List Filter: group of prefixes
Purpose | Network Prefix | Type | Extent Type | Prefix Length
Accept a mask length of up to 24 bits in routes with the prefix 192.168/8 | 192.168.0.0/24 | permit | less-than | 24-Bit
Deny mask lengths greater than 25 bits in routes with a prefix of 192/8 | 192.168.0.0/24 | deny | greater-than | 25-Bit
Permit mask lengths from 8 to 24 bits in all address spaces | 0.0.0.0/32 | permit | greater-than | 8-Bit
(same purpose, second item) | 0.0.0.0/32 | permit | less-than | 24-Bit
Deny mask lengths greater than 25 bits in all address spaces | 0.0.0.0/32 | deny | greater-than | 25-Bit
Deny all mask lengths within the network 10/8 | 10.0.0.0/24 | deny | less-than | 32-Bit
Deny all masks with a length greater than or equal to 25 bits within the network 192.168.1/24 | 192.168.1.0/8 | deny | greater-than | 25-Bit
Permit all routes | 0.0.0.0/32 | permit | less-than | 32-Bit

List 2127 OSPF/RIP Settings - Text Based Configuration section Free Format OSPF Configuration / Free Format RIP Configuration
Use Free Format: Set this to yes to use free OSPF/RIP syntax configuration.
Free Format Text: OSPF/RIP syntax configuration. This field applies when the parameter Use Free Format is set to yes.

1.4 Routing Configuration
Attention:
Network routes which are required for an OSPF/RIP network prefix must NOT be a subset of another route (see below for an explanation).

Table 214 Configuration example
Configuration Entity | Values
OSPF network prefix | 10.0.66.0/24
Server IP | 10.0.66.98
Box network route | 10.0.66.0/24 via dev eth1
Additional box network route | 10.0.0.0/8 via dev eth0

In the configuration example (table 214), the required box network route "10.0.66.0/24 via dev eth1" is completely included in the additional box network route 10.0.0.0/8 via dev eth0. This will lead to a mismatch in the OSPF configuration: OSPF will detect neither eth0 nor eth1 as OSPF enabled and will therefore not work.
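As an added example (not code from the Barracuda guide), the following Python evaluates prefix list items written in the guide's Inverted CIDR Notation against candidate routes, applies the route map from the 1.3.9 example (the RIP route 10.0.0.0/24 gets metric 6 instead of 4), and flags the overlapping box network route of Table 214. It assumes, as quagga does, that greater-than and less-than bounds are inclusive and that a route matching no item is denied; the class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def from_inverted_cidr(text: str) -> IPv4Net:
    """Convert the guide's Inverted CIDR Notation to a standard network.

    In inverted notation the number after the slash counts host bits, so
    "10.0.0.0/24" is 10.0.0.0/8 in standard notation and "0.0.0.0/32" is
    0.0.0.0/0 ("any").
    """
    addr, host_bits = text.split("/")
    return IPv4Net(f"{addr}/{32 - int(host_bits)}", strict=False)


@dataclass
class PrefixItem:
    """One row of an IP Prefix List (List 2125): sequence number, network
    prefix in inverted notation, permit/deny, extent type and bound."""
    seq: int
    prefix: str                   # inverted CIDR, as typed into the GUI
    action: str                   # "permit" or "deny"
    extent: str = "none"          # "none", "greater-than" or "less-than"
    length: Optional[int] = None  # prefix length bound, e.g. 24 for "24-Bit"

    def matches(self, route: IPv4Net) -> bool:
        net = from_inverted_cidr(self.prefix)
        if not route.subnet_of(net):
            return False
        if self.extent == "none":
            return route.prefixlen == net.prefixlen  # exact prefix only
        # Assumption: bounds are inclusive, like quagga's "ge"/"le", which
        # is what "from 8 to 24 bits" in Table 213 implies.
        if self.extent == "greater-than":
            return route.prefixlen >= self.length
        if self.extent == "less-than":
            return route.prefixlen <= self.length
        raise ValueError(f"unknown extent type {self.extent!r}")


def evaluate(items: List[PrefixItem], route: IPv4Net) -> str:
    """First matching item (by sequence number) decides; a route that
    matches no item is denied, as in a quagga prefix list."""
    for item in sorted(items, key=lambda i: i.seq):
        if item.matches(route):
            return item.action
    return "deny"


@dataclass
class RouteMapEntry:
    """Route map entry with a PREFIXLIST match condition and an optional
    Set Metric action (Lists 2122/2123)."""
    seq: int
    action: str  # "permit" or "deny"
    prefix_list: List[PrefixItem] = field(default_factory=list)
    set_metric: Optional[int] = None


def apply_route_map(entries: List[RouteMapEntry], route: IPv4Net,
                    metric: int) -> Tuple[bool, int]:
    """Return (accepted, metric) for the route after running the route map."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if evaluate(entry.prefix_list, route) != "permit":
            continue
        if entry.action == "deny":
            return False, metric
        return True, metric if entry.set_metric is None else entry.set_metric
    return False, metric  # no entry matched: the route map denies the route


def containing_routes(required: str, others: List[str]) -> List[str]:
    """Section 1.4 check: report box network routes that completely include
    the route required for an OSPF/RIP network prefix (Table 214)."""
    req = IPv4Net(required)
    return [o for o in others if IPv4Net(o) != req and req.subnet_of(IPv4Net(o))]


# Constructed sample data: the last three rows of Table 213, inverted notation.
TABLE_213_TAIL = [
    PrefixItem(5, "10.0.0.0/24", "deny", "less-than", 32),       # all of 10/8
    PrefixItem(6, "192.168.1.0/8", "deny", "greater-than", 25),  # >= 25 bits in 192.168.1/24
    PrefixItem(7, "0.0.0.0/32", "permit", "less-than", 32),      # permit all routes
]

# Route map for the 1.3.9 example. "10.0.0.0/8" inverted is 10.0.0.0/24.
METRIC_6_MAP = [
    RouteMapEntry(10, "permit", [PrefixItem(1, "10.0.0.0/8", "permit")], set_metric=6),
]

if __name__ == "__main__":
    for r in ("10.20.0.0/16", "192.168.1.128/25", "192.168.1.0/24", "172.16.0.0/12"):
        print(r, "->", evaluate(TABLE_213_TAIL, IPv4Net(r)))
    print(apply_route_map(METRIC_6_MAP, IPv4Net("10.0.0.0/24"), 4))
    print(containing_routes("10.0.66.0/24", ["10.0.66.0/24", "10.0.0.0/8"]))
```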
1.3.10 GUI as Text
Note:
This parameter set is only available in Advanced View mode.
The configuration done with the GUI is displayed here in quagga/Cisco commands.

List 2126 OSPF/RIP Settings - GUI as Text section Text Equivalent of GUI
Show as Text: Set this to yes to show the created OSPF syntax configuration after Send Changes.
OSPF Text: Created OSPF syntax configuration. Shown if Show as Text is set to yes.

1.5 HA Operation
The OSPF/RIP service synchronizes externally learned routes with its HA partner. Routes cannot be introduced on the partner while it is "passive", because the network routes required to do so are missing. The external routes HA information is thus stored in a file and introduced on the HA system during startup of the OSPF/RIP service. Take-over and startup of the OSPF/RIP service usually take a few seconds. The HA routes are introduced as protocol "extha" (number 245). These routes are then either replaced by newly learned external OSPF or RIP routes (protocols "ospfext" or "ripext") or removed by the HA garbage collection after five minutes.
Fig. 211 Example setup for OSPF and RIP configuration (figure; labels: Internet, OSPF Area 0, OSPF Cloud 1, eth1, 62.99.0.0/24, OSPF Area 1, OSPF Cloud 2, eth2, 194.93.0.0/24, RIP Cloud 2, eth3, 172.16.0.0/24, 10.0.8.0/24, 192.168.10.0/24, 192.168.11.0/24; legend: Router 1, OSPF learned networks from OSPF Cloud 1: 62.99.0.0/24)

2.2 Configuration Steps
The instruction is broken down into the segments listed below:
• OSPF basic setup (see 2.2.1)
• Redistribution of connected networks to OSPF (see 2.2.2)
• Injecting the default route to OSPF (see 2.2.3)
• OSPF Multipath routing (see 2.2.4)
• OSPF Link Authentication (see 2.2.5)
• OSPF Route Summarisation (see 2.2.6)
• RIP basic setup (see 2.2.7)
• Redistribution between RIP and OSPF (see 2.2.8)

2.2.1 OSPF Basic Setup
The network is already configured for OSPF. Several destinations are reachable through multiple paths. The newly installed Barracuda NG Firewall should participate in the routing, and load-sharing is to be used.

Step 1 Install the OSPF/RIP service
For a description of how to install the service, see 1.2 Installation, page 519.

Step 2 Add the network interfaces speaking OSPF to the Server Properties
OSPF is spoken on two interfaces linking to the following networks: eth1 (62.99.0.0/24) and eth2 (194.93.0.0/24).
Fig. 212 Configuring of addresses in the Server Properties (figure)

• OSPF Router Setup
Specify a Terminal Password and a Privileged Terminal Password. These passwords are needed to access the routing engine directly via telnet. Setting Auto-Cost Ref Bandwidth to 10000 causes a more granular cost in LAN environments. The cost is calculated as ref-bandwidth divided by intf-bandwidth (MBit/s). In the example, a 1 GBit link would have a cost of 10 (10000/1000).

Figure 216 shows the output of the commands sh ip ospf neigh and sh ip ospf route.

Fig. 216 Quagga engine output
[root@NF1:~]# telnet localhost 2604
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is quagga (version 0.96.5).
Copyright 1996-2002 Kunihiro Ishiguro.
User Access Verification
N E1 38.232.1.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 56.47.0.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 56.47.1.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 79.29.0.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 79.29.1.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 123.43.0.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 123.43.1.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 134.46.0.0/24 [1010] tag: 0
 via 62.99.0.254, eth1
N E1 134.46.1.0/24 [1010] tag: 0
 via 62.99.0.254, eth1

2.2.2 Redistribution of Connected Networks to OSPF
Proceed as follows to configure redistribution of connected networks:

Step 5 Activate OSPF advertising
Browse to Config > Box > Network > Networks and set the parameter Advertise Route to yes.

2.2.3 Injecting the Default Route to OSPF

Step 7 Activate OSPF advertising
Static routes, too, are only advertised via OSPF when the Advertise Route option is set in the network configuration. If not already done, browse to Config > Box > Network > Networks and set the parameter Advertise Route to yes.

Step 8 Configure Default Route Redistribution
Default Route Redistribution is configured in the OSPF Router tab within the OSPF Routing Settings configuration. In the example, the following values are specified for the available parameters:
Fig. 218 Configuring Default Route Redistribution (figure)

2.2.4 OSPF Multipath Routing
Multipath routing is configured in the OSPF Routing Settings OSPF Preferences view.
Three options are available for Multipath Handling:
• ignore: No multipath routing is used; learned multipath routes are ignored.
• assign internal preferences: The metric of every equal cost route is translated to different values; load-sharing is not used. Additional routes are only used as backup.
• accept on same device: Multipath routing is enabled, but it is only available when the routes are learned on the same interface.
The example configuration uses the setting accept on same device.

Authentication configuration is done in the Network Interfaces section of the OSPF Routing configuration. Proceed as follows to configure Link Authentication:

Step 9 Configure a parameter template
Open the Network Interfaces section and click the Insert button in the Parameter Template Configuration section to create a new parameter template. The following values are defined in the example: MD5 Authentication usage with key ID "1" and authentication key "Barracuda".

Step 10 Create a reference to the parameter template
Click the Insert button in Network Interface > Interfaces (Network Interfaces view) to configure link authentication on an interface. The example defines the following values:
Fig. 2110 Creating a link to the parameter template (figure)
Note:
All other routers on this interface must have the same settings. Otherwise, adjacency cannot be established.

A new window opens allowing for configuration of the following values:
Fig. 2111 Configuring route summarisation (figure)

2.2.8 Redistribution between RIP and OSPF
To implement redistribution between RIP and OSPF the following minimum settings must be configured:
• OSPF Router Setup
To redistribute routes learned by RIP, insert a new entry in the Route Redistribution Configuration section.
System Information
1. Overview
1.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
2. Networking Layer
2.1 Configuration Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
2.2 Activation Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
3. Operative Layer
3.1 Directory Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
3.1.1 Static Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
3.1.2 Dynamic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
4. Ports
4.1 Ports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
1. Overview
1.1 General
Attention:
The underlying Linux system is especially designed to serve as a base for the Barracuda NG Firewall. Direct interference on the command line is not necessary for normal operation. Such operations should be carried out only by authorized personnel with excellent knowledge of Linux systems and their special Barracuda Networks implementation.

2. Networking Layer
The NGFW OS networking layer is installed by the phionetc_box package. It is called phionetc_box because almost all relevant files live in the directory /etc/phion. The main purpose of the package is to control every part of the system which communicates over the network. Besides the Barracuda NG Firewall software modules there are other packages like openssh or ntp, which get their configuration and are started by specific scripts.

2.1 Configuration Files
There are three configuration files steering and controlling the networking behavior of the system:
• /etc/phion/options
• /etc/phion/boxadm.conf
• /etc/phion/boxnet.conf
The options file is the only one which is not edited through the GUI Barracuda NG Admin.
Template of the options file:
Fig. 221 Example options file (figure)
For an explanation of the parameters see Configuration Service 5.1 Box Settings Advanced Configuration, page 100.
• #BOX_NETWORK
If set to N, literally nothing will happen when trying to start networking in the NGFW OS way.
• NET_RETRY
Number of retries to establish a network link. This may be useful for unreliable token ring networks.
• PHION_START
If set to N, the NGFW OS operative layer will not be started at all. Use this if you want to have a box without proprietary Barracuda Networks software running.
• NETDB_START
Only of use if you have a box with a NetDB database system on it.
• START_ORA and START_ADABAS
Only of use for a Master configuration server with an Oracle or ADABAS D database.
Attention:
Be extremely cautious in changing these files on the command line.

The boxadm.conf file holds all information which does not need a network restart to be activated. Additionally it holds information for Barracuda NG Firewall box services, too.
An example of an operative configuration file:
Fig. 222 Example boxadm.conf file (figure)

The boxnet.conf file holds all information which deals with network connections. These are the hostname and the network interfaces, IP addresses and routing information.
Again, let us have a look at a sample file:
Fig. 223 Example boxnet.conf file (figure)

2.2 Activation Scripts
There are two scripts which are intended to be started from the command line:
• /etc/rc.d/init.d/phion (which is actually a link to /etc/phion/rc.d/phionrc)
• /etc/phion/bin/activate
All other scripts should not be started on the command line but are invoked by the two scripts above.
For more information see User Documentation Command Line Interface.
3. Operative Layer
Note:
It is not recommended to change anything below this directory.
The full configuration of a Barracuda NG Firewall box is held under /opt/phion/config/active. The configuration files may be modified manually by a Barracuda Networks support engineer or by a specially trained system engineer. If you are not absolutely sure about what you are doing, do not change anything in this place.

3.1.2 Dynamic Data
Log files and statistics data reside in /var/phion.
This directory has the following substructure:
• /var/phion/logs
All log files are stored here. You can read them with any editor.
Attention:
DO NOT write to it, DO NOT rename it, DO NOT put any files in here. Every manual action can result in strange behavior of the log GUI.
Again: do NOT change anything in these directories manually.
• /var/phion/logcache
Home of the Log Access Files (*.laf). These are Berkeley DB files for fast access to large log files.
• /var/phion/run/<module>
Services may store operational data in these directories.

Intervention on the command line is generally not intended on the NGFW OS operative layer. Nevertheless there is one powerful tool to steer the processes. It can be used to gather comprehensive information about system state, routing, servers and processes. Furthermore it is able to start / stop / block / disable servers and box processes. It is called phionctrl and resides in /opt/phion/bin. For more information see the User Documentation Command Line Interface.
4. Ports
The following table lists the ports of a Barracuda NG Firewall that are required for communication.

4.1 Ports Overview
Table 222 Ports overview
Port | Protocol | Type | Daemon
22 | TCP | service | sshd
691 and 443 | TCP/UDP | service | vpn
680 | TCP | service | FW-audit
688 | TCP | service | firewall
692 | TCP/UDP | | VPN management tunnel
801 | TCP | box | controld/status
801 | UDP | box | controld/HA-heartbeat
802 | TCP | box | phibsd
803 | TCP | box | logd
805 | TCP | box | distd
806 | TCP | service | qstatd
807 | TCP | box | qstatd
807 | UDP | box | cstatd
808 | TCP/UDP | box | event
808 | TCP/UDP | service | mevent
809 | TCP | box | boxconfig
810 | TCP | service | masterconfig
811 | TCP | service | map/status
814 | TCP | service | vpnserver
815 | TCP | service | mailgw
816 | TCP | service | DHCP
817 | UDP | service | trans7
818 | TCP | service | PKI
843 | TCP | service | HTTPs Proxy GUI
844 | TCP | service | policyserver
845 | TCP | box | distd
880 | TCP | service | HTTP Proxy Fail-Cache
44000 and 44001 | TCP | service | policyserver
The maximum command counter has been reached or has been exceeded (see 2.2.3.7 SMS Control, Successive Command Maximum, page 58).
150 | Corrupted Data File | The utility dstats has identified a corrupt data file (Configuration Service 5.2.5 Statistics, page 119). | Error | 1 | no
400 | Time Discontinuity Detected | The statistics daemon has detected a time shift, that is, a deviation from former time settings (for example date/time settings have been changed manually, or hardware clock settings are wrong after reboot). | Warning | 1 | no
500 | Invalid License | The license that is installed on the system is invalid, for example the Hardware ID of the system does not match the ID the license has been issued for, or the validity period has been exceeded. | Error | 1 | yes
501 | No License Found | | Error | 1 | yes
505 | License Limit Exceeded | The license limit of IPs protected by the firewall has been exceeded (Firewall 6.6.2 Protected IPs, page 186). | Error | 1 | no
510 | Invalid Argument | The Watchdog repair binary could not be executed flawlessly (see 5.1.10 Watchdog, page 108). | Error | 1 | no
600 | HA Partner Unreachable | Connectivity between a Barracuda NG Firewall and its high availability partner is disrupted. | Error | 1 | yes
620 | Box Unreachable | Connectivity between CC and one of its administered boxes is disrupted. This event is only generated on the CC. | Warning | 1 | yes
622 | Box Reachable Again | Connectivity between CC and one of its administered boxes has been restored. This event is only generated on the CC. | Information | 1 | no
666 | Process Core Found | The core-search utility has found a core dump of a Barracuda NG Firewall process and has moved it to /var/phion/crash. | Warning | 1 | no
2000 | Start Server | A server has been started either by the system or manually. | Information | 1 | no
2001 | Start Service | A service has been started either by the system or manually. | Information | 1 | no
2002 | Start Box Service | A box-service has been started either by the system or manually. | Information | 1 | no
2010 | Stop Server | A server has been stopped either by the system or manually. | Information | 1 | no
2011 | Stop Service | A service has been stopped either by the system or manually. | Information | 1 | no
2012 | Stop Box Service | A box-service has been stopped either by the system or manually. | Information | 1 | no
2020 | Restart Server | A server has been restarted either by the system or manually. | Information | 1 | no
2021 | Restart Service | A service has been restarted either by the system or manually. | Information | 1 | no
2022 | Restart Box Service | A box-service has been restarted either by the system or manually. | Information | 1 | no
2030 | Block Server | A server has been blocked manually. | Warning | 1 | no
2031 | Block Service | A service has been blocked manually. | Warning | 1 | no
2032 | Block Box Service | A box-service has been blocked manually. | Warning | 1 | no
2040 | Deactivate Server | | Warning | 1 | no
2041 | Deactivate Service | | Warning | 1 | no
2042 | Deactivate Box Service | | Warning | 1 | no
2044 | No Valid License for Service | | Warning | 1 | yes
2045 | Entering GRACE Mode | A system with a formerly valid license has changed into grace mode, either because the host-key the license has been issued for does not match the system's host key, or because the CC-administered box could not validate its license with the CC. | Warning | 1 | no
2046 | Entering DEMO Mode | The system has been installed without importing a valid license, or a valid box license has been removed from it. | Error | 1 | no
2047 | GRACE Mode Expired | Grace mode has expired and all services have been deactivated. | Error | 1 | no
2050 | Reactivate Server | | Warning | 1 | no
2051 | Reactivate Service | | Warning | 1 | no
2052 | Reactivate Box Service | | Warning | 1 | no
2054 | Subprocess Kill Requested | A sub-process has been killed manually. | Information | 1 | no
2056 | Connection Kill Requested | | Information | 1 | no
2058 | Session Kill Requested | | Information | 1 | no
2060 | Emergency Server Start | A server has started because the HA partner is not available. | Warning | 1 | no
2061 | Emergency Server Stop | A server has stopped because the HA partner server is in state active. | Warning | 1 | no
2070 | Daemon Startup Failed | A daemon's startup/shutdown has failed/succeeded (events 2070 to 2073). The daemon responsible for the event will be included in the event message. Eventing notifications may be configured per daemon (for example NTPd - see page 57, SSH - see page 106). They will only be generated for controlled startup/shutdown sequences and not for manual process terminations. | Warning | 1 | no
2071 | Daemon Startup Succeeded | See 2070. | Information | 1 | no
2072 | Daemon Shutdown Failed | See 2070. | Information | 1 | no
2073 | Daemon Shutdown Succeeded | See 2070. | Information | 1 | no
2080 | Time Synchronisation Failed | NTP sync with the configured NTP server has failed. NTP synchronisation settings are defined in Config > Box > Settings > TIME/NTP tab (see page 56). | Warning | 1 | no
2081 | Time Synchronisation Succeeded | NTP sync with the configured NTP server has succeeded. NTP synchronisation settings are defined in Config > Box > Settings > TIME/NTP tab (see page 56). | Information | 1 | no
The ACL does not match (see 2.2.3.7 SMS Control, Allowed Phone Numbers, page 58).
4112 | Authentication Failure Alert | A login attempt with a valid login ID has failed at least three times (see Config > Box > Box Misc. > Access Notification tab, page 105, and List 391 Service Configuration - Notification section Access Notification, page 98). | Security | 3 | no
Appendix
1. How to . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
1.1 How to gather Group Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
1.2 How to tune Barracuda NG Firewall for High Performance Environments . . . . . . . . . . . . . . . . . . 545
1.3 How to set up for SCEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
1.4 How to mount USB Flashdisk on Barracuda NG Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
9. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
10. Barracuda Networks Warranty and Software License Agreement (v2.1) . . . . 611
10.1 Barracuda Networks Limited Hardware Warranty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
10.2 Barracuda Networks Software License Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
10.3 Barracuda Networks Energize Updates and Other Subscription Terms . . . . . . . . . . . . . . . . . . . . . . 613
1. How to
1.1 How to gather Group Information
1.1.1 MSAD
Open the management console by selecting > My Network Places > Search Active Directory. Select the domain to search. Enter the name of the user you are searching for and click the Find Now button.
After you have found the user, enable the X500 Distinguished Name column in the view. To do so, select View > Choose columns from the menu, select X500 Distinguished Name and click the Add >> button (figure 231).
Fig. 231 Adding a new column to the view (figure)
The search result now displays the Distinguished Name.

1.1.2 LDAP
You may gather distinguished names for the authentication scheme LDAP with an arbitrary LDAP browser.
Open this LDAP browser and connect to your domain controller to retrieve the distinguished name (figure 233).
1.2.2.1 Interrupt Throttle Rate
If your hardware uses Intel Gigabit NICs the interrupt rate should be throttled to 10.000 interrupts. Otherwise the kernel tries to fetch packets from the NIC too often, which slows down overall performance. This can be done using the module parameter:

This will set the priority to -19.
To make this configuration permanent, add the command to a box network Special Needs script (Box > Network > Special Needs) (Configuration Service 2.2.5.11 Special Needs, page 80).

Note:
This modification will not be saved in the PAR file. After a new installation edit the fstab file again.
The partitions should then be defined like in this example:
LABEL=/ / ext3 noatime 1 1
LABEL=/boot /boot ext3 noatime 1 1

Packets In = 19
Bytes In = 18698
Packets Out = 36
Bytes Out = 37288
Drops = 0
Blocks = 0
Sessions = 2
SessionsNum = 9
creation load = 0
lo : 0
pqd0 : 0
tap0 : 0
tap1 : 0
tap2 : 0
tap3 : 0
eth0 : 0
The line acpf_timer displays the time consumed for the sessions to be handled in the time[nsec] tab. If the time is longer than one millisecond (= 1000000 ns), you may gain higher performance when you switch to the new timer model.

Run the following commands to switch the timer model:

acpfctrl tune timermode 1 (new model)
acpfctrl tune timermode 0 (old model)

To make this configuration permanent, add the command to a box network Special Needs script (Box > Network > Special Needs) (Configuration Service 2.2.5.11 Special Needs, page 80).

1.2.2.6 Increasing the Routing Cache

If your Barracuda NG Firewall handles traffic from large networks with many IP addresses on both sides of the forwarding firewall, increase the routing cache to gain higher performance.

Increase the number of Max Routing Cache Entries to 200000 (Box > Advanced Configuration > System Settings > Routing Cache) (Configuration Service 5.1.1.3 Routing Cache, page 100).

Note:
200000 is a reference value. You may increase it if necessary.

1.2.2.7 Disable CPU Power Savings

To achieve the highest performance on modern server systems, CPU power saving must be turned off. Modify the server's BIOS settings accordingly.

1.2.3 Example

Example for a Special Needs script (Box > Network > Special Needs):

renice -19 -p $(ps ax | grep ksoftirqd | grep -v grep | awk '{print $1}')
ethtool -G port1 rx 1024
ethtool -G port2 rx 1024
ethtool -G port3 rx 1024
ethtool -G port4 rx 1024
acpfctrl tune timermode 1

1.3 How to set up for SCEP

Note:
This documentation covers the configuration and usage of the SCEP protocol within the Barracuda NG Firewall software. Although some configuration steps will be explained on the certificate authority side, the installation and operation of such a server is not part of this documentation.

The goal of SCEP (Simple Certificate Enrollment Protocol) is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible. The protocol supports the following operations:
• CA and RA public key distribution
• Certificate enrollment
• Certificate query
• CRL query

The X.509 certificates retrieved through SCEP can currently be used only for site-to-site VPN. TINA and IPSec both support the use of SCEP certificates.

Note:
More information about the SCEP protocol can be found at http://tools.ietf.org/html/draft-nourse-scep-17.

1.3.1 Configuring SCEP

The following steps are required in order to use SCEP on a Barracuda NG Firewall:
• Configuring the box administrative settings
• Configuring the VPN tunnel settings (with GTI)
• Configuring the VPN tunnel settings (without GTI)

1.3.1.1 Configuring the Box Administrative Settings

• Select Config > Box > Administrative Settings > SCEP > BOX SCEP Settings.
• Set the parameter Enable SCEP to yes.
• Enter the SCEP Settings by clicking on Set or Edit.

See Configuration Service 2.2.3.8 SCEP, page 58 for the description of the available parameters.
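The Special Needs script in 1.2.3 above applies its settings unconditionally. The following is an added example, not Barracuda's own script, of the same tuning wrapped in functions that skip interfaces which do not exist and that can be dry-run before the script is made permanent. The interface names port1..port4 come from the guide's example; DRY_RUN, SYSFS_NET, RX_RING and TIMER_MODE are this example's own variables.

```shell
#!/bin/sh
# Added example, not part of the Barracuda guide: the 1.2.3 tuning steps
# wrapped in functions that skip absent interfaces and support a dry run.
# Assumptions (this example's own, not the product's): DRY_RUN=1 prints
# commands instead of executing them; SYSFS_NET may point at a fake sysfs
# tree for testing; port1..port4 are the interface names from the guide.

RX_RING="${RX_RING:-1024}"                # ethtool -G <port> rx <RX_RING>
TIMER_MODE="${TIMER_MODE:-1}"             # 1 = new acpf timer model, 0 = old
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Raise the priority of every ksoftirqd thread (one per CPU).
# pgrep matches process names directly, replacing the
# "ps | grep | grep -v grep | awk" pipeline from the guide.
renice_softirq() {
    for pid in $(pgrep ksoftirqd 2>/dev/null); do
        run renice -19 -p "$pid"
    done
    return 0
}

# Enlarge the RX ring of each named interface that actually exists;
# a missing interface is reported on stderr instead of failing the script.
tune_rx_rings() {
    for port in "$@"; do
        if [ -d "$SYSFS_NET/$port" ]; then
            run ethtool -G "$port" rx "$RX_RING"
        else
            echo "skip $port: no such interface" >&2
        fi
    done
    return 0
}

# Select the acpf timer model with the acpfctrl command described above.
set_timer_mode() {
    run acpfctrl tune timermode "$TIMER_MODE"
}

# Full tuning pass; call with the interface names to tune.
apply_tuning() {
    renice_softirq
    tune_rx_rings "$@"
    set_timer_mode
}

# Example invocation:  DRY_RUN=1 apply_tuning port1 port2 port3 port4
```

Run it once with DRY_RUN=1 and compare the printed commands with the guide's script before adding the call to the Special Needs script; afterwards `ethtool -g port1` shows whether the new ring size took effect.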
1.3.2.1 Using the GTI

Importing the Root Certificate
First, the root certificate used by the CA for signing the SCEP certificates must be imported into the GTI.
• Right-click the group window of the GTI and select GTI Editor Defaults
• Go to the Root Certificates tab, right-click the main window and import the root certificate(s) via Import PEM from File

Selecting the authentication method
Just like any other VPN tunnel setting, the SCEP authentication method can be set at the GTI level, at any GTI group level, or individually per tunnel, under Identification type.
• TINA tunnel:
  Click on the TINA tab
  Set parameter Accept Identification Type to Box SCEP Certificate (CA signed)
  Click OK
• IPSec tunnel:
  Click on the IPSec tab
  Set parameter Identification Type to Box SCEP Certificate (CA signed)
  Click OK

1.3.2.2 Using the Legacy Method

Importing the root certificate
First, the root certificate used by the CA for signing the SCEP certificates must be imported into the VPN service.
• Go to the desired VPN service in the configuration tree and open the VPN settings configuration window.
• Select the Root Certificates tab, right-click the main window and import the root certificate(s) via Import PEM from File

Selecting the authentication method
For each tunnel configured through the legacy method, the SCEP certificate can be used as authentication method:
• TINA tunnel:
  Click on the Identify tab
  Set parameter Identification Type to Box SCEP Certificate (CA signed)
  Click OK
• IPSec tunnel:

Unless the SCEP password policy was set to Enter-Password-at-Box, no further intervention is required for successful operation after SCEP has been correctly configured.
However, Barracuda NG Admin offers a few options to interact with the SCEP subsystem in order to:
• Show SCEP status
• Re-initiate SCEP pending request
• Force SCEP update or retry
• Set the SCEP password

Box SCEP Status
The SCEP status and control menu are available via Control > Box, when connected to the desired Barracuda NG Firewall. For the description of the available commands see Control 2.6.6 Section BOX SCEP Status, page 40.

Files location
The files held by the SCEP subsystem are stored on the gateway in the directory /opt/phion/certs/scep-*

1.4 How to mount USB Flashdisk on Barracuda NG Firewall

1.4.1 Procedure

Enter the following commands:
• mkdir /mnt/usb
• mount /dev/sda1 /mnt/usb

Note:
Depending on the controller the command differs:
IDE, CCISS: /dev/sda1
SCSI, SAS, SATA, RAID: /dev/sdb1

Now the USB Flashdisk is ready for use.
Before you remove the USB Flashdisk enter the following command:
• umount /mnt/usb
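Sections 1.3.2.1 and 1.3.2.2 above both start by importing the root certificate of the CA that signs the SCEP certificates. A peer whose certificate does not chain to that root will fail tunnel authentication, so it is worth confirming, before the import, that the root you were given really is the issuer of the certificates the box retrieved through SCEP. The following shell script is an added example and not part of the Barracuda guide; it assumes openssl is available where it runs, that the certificates are PEM files, and that ROOT_PEM and SCEP_DIR are supplied by you (the guide names only the directory pattern /opt/phion/certs/scep-*, so the default path below is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the Barracuda guide: confirm that the
# certificates the box obtained through SCEP chain to the root
# certificate you intend to import into the GTI or the VPN service.
# Assumptions (this example's own): openssl is available where the script
# runs; certificates are PEM files; ROOT_PEM and SCEP_DIR are supplied by
# you. The guide only names the directory pattern /opt/phion/certs/scep-*,
# so the default below is a placeholder.

ROOT_PEM="${ROOT_PEM:-/path/to/root.pem}"                   # placeholder
SCEP_DIR="${SCEP_DIR:-/opt/phion/certs/scep-PLACEHOLDER}"   # placeholder

# Return 0 if certificate $2 verifies against root CA $1.
verify_against_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject and validity window of a certificate.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate
}

# Check every *.pem in directory $2 against root $1.
# Prints one OK/FAIL line per certificate; returns 1 if any certificate
# does not chain to the root (the wrong root was exported from the CA,
# or the box enrolled against a different CA than expected).
check_scep_dir() {
    root="$1"; dir="$2"; bad=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        if verify_against_root "$root" "$cert"; then
            printf 'OK   %s\n' "$cert"
            cert_summary "$cert" | sed 's/^/     /'
        else
            printf 'FAIL %s: not issued under %s\n' "$cert" "$root"
            bad=1
        fi
    done
    return "$bad"
}

# Invoke as (file name is whatever you save this script as):
#   ROOT_PEM=/path/root.pem SCEP_DIR=/opt/phion/certs/scep-XXX sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_scep_dir "$ROOT_PEM" "$SCEP_DIR"
fi
```

The validity dates printed for each OK certificate also tell you when the SCEP subsystem will have to renew, which is the moment a Re-initiate or Force SCEP update from the Box SCEP Status menu may be needed.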
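The Note in 1.4.1 shows that the device name of the flash disk depends on the disk controller, so mounting /dev/sda1 by habit can just as well hit the internal system disk. The following added example (not from the guide) asks sysfs which block device is actually attached over USB before mounting its first partition at the /mnt/usb mount point the guide uses. SYSFS and MOUNT_POINT are this example's own variables; SYSFS exists so the detection can be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example, not part of the Barracuda guide: mount a USB flash disk
# only after confirming the block device really sits on the USB bus,
# instead of guessing /dev/sda1 vs /dev/sdb1 from the controller type.
# Assumptions (this example's own): Linux sysfs at /sys (SYSFS can be
# overridden for testing); mount point /mnt/usb as in the guide;
# mount/umount need root.

SYSFS="${SYSFS:-/sys}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/usb}"

# Return 0 if block device $1 (e.g. sda) is attached via USB.
# /sys/block/<dev> is a symlink into the device tree; for USB storage the
# resolved path contains a "usbN" host-controller component.
is_usb_block_device() {
    dev="$1"
    [ -e "$SYSFS/block/$dev" ] || return 1
    path=$(readlink -f "$SYSFS/block/$dev" 2>/dev/null) || return 1
    case "$path" in
        */usb[0-9]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the names of all USB-attached block devices, one per line.
usb_block_devices() {
    for entry in "$SYSFS"/block/*; do
        [ -e "$entry" ] || continue
        dev=${entry##*/}
        is_usb_block_device "$dev" && printf '%s\n' "$dev"
    done
    return 0
}

# Mount the first partition of USB block device $1 at $MOUNT_POINT.
# Refuses non-USB devices so an internal disk is never mounted by mistake.
mount_usb() {
    dev="$1"
    if ! is_usb_block_device "$dev"; then
        echo "refusing to mount /dev/${dev}1: $dev is not on the USB bus" >&2
        return 1
    fi
    mkdir -p "$MOUNT_POINT"
    mount "/dev/${dev}1" "$MOUNT_POINT"
}

# Flush pending writes and unmount before the stick is pulled.
umount_usb() {
    sync
    umount "$MOUNT_POINT"
}

# Typical session (as root):
#   usb_block_devices            # e.g. prints "sdb"
#   mount_usb sdb
#   ... copy files ...
#   umount_usb
```

With this check in place the controller-dependent naming from the Note no longer matters: whichever name the kernel assigned, only a device whose sysfs path goes through a USB host controller is accepted.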
2.1 Barracuda NG Firewall F800

2.1.1 Box > Network

Table 231 Barracuda NG Firewall F800 - Box > Network

Config Node | Config Label                            | Config Entry        | Value
General     | Verification                            | CHECKLESS           | 0 (Always)
Devices     | Appliance Model                         | DEVMAP              | Barracuda NG Firewall F800
Devices     | Network cards > Activate Driver         | ACTSTATE            | y
Devices     | Network cards > Fallback Module Name    | AMOD                | NONE
Devices     | Network cards > Fallback Driver Options | AMODOPTS[]          |
Devices     | Network cards > Driver Type             | BLTIN               | module
Devices     | Network cards > Fallback Enabled        | IFAMOD              | n
Devices     | Network cards > Operation Mode          | MOD                 | e1000e, ixgbe
Devices     | Network cards > Driver Options          | MODOPTS[]           |
Devices     | Network cards > Ethernet MTU            | MTU1                | 1500
Devices     | Network cards > Number of Devices       | NUM                 |
Devices     | Device Usage                            | [boxnet$zgendeu_OK] | OK

2.2 Barracuda NG Firewall F600

Table 232 Barracuda NG Firewall F600 Box > Network

Config Node | Config Label                            | Config Entry        | Value
General     | Verification                            | CHECKLESS           | 0 (Always)
Devices     | Appliance Model                         | DEVMAP              | Barracuda NG Firewall F600
Devices     | Network cards > Activate Driver         | ACTSTATE            | y
Devices     | Network cards > Fallback Module Name    | AMOD                | NONE
Devices     | Network cards > Fallback Driver Options | AMODOPTS[]          |
Devices     | Network cards > Driver Type             | BLTIN               | module
Devices     | Network cards > Fallback Enabled        | IFAMOD              | n
Devices     | Network cards > Operation Mode          | MOD                 | e1000e
Devices     | Network cards > Driver Options          | MODOPTS[]           |
Devices     | Network cards > Ethernet MTU            | MTU1                | 1500
Devices     | Network cards > Number of Devices       | NUM                 |
Devices     | Device Usage                            | [boxnet$zgendeu_OK] | OK
Networks    | Devicename                              | [boxnet$zdev_eth0]  | port10
Networks    | Devicename                              | [boxnet$zdev_eth1]  | port1
Networks    | Devicename                              | [boxnet$zdev_eth2]  | port2
Networks    | Devicename                              | [boxnet$zdev_eth3]  | port3
Networks    | Devicename                              | [boxnet$zdev_eth4]  | port4
Networks    | Devicename                              | [boxnet$zdev_eth5]  | port5
Networks    | Devicename                              | [boxnet$zdev_eth6]  | port6
Networks    | Devicename                              | [boxnet$zdev_eth7]  | port7
Networks    | Devicename                              | [boxnet$zdev_eth8]  | port8
Networks    | Devicename                              | [boxnet$zdev_eth9]  | port9

2.3 Barracuda NG Firewall F200

2.3.1 Box > Network

Table 233 Barracuda NG Firewall F200 Box > Network

Config Node | Config Label                            | Config Entry        | Value
General     | Verification                            | CHECKLESS           | 0 (Always)
Devices     | Appliance Model                         | DEVMAP              | Barracuda NG Firewall F200
Devices     | Network cards > Activate Driver         | ACTSTATE            | y
Devices     | Network cards > Fallback Module Name    | AMOD                | NONE
Devices     | Network cards > Fallback Driver Options | AMODOPTS[]          |
Devices     | Network cards > Driver Type             | BLTIN               | module
Devices     | Network cards > Fallback Enabled        | IFAMOD              | n
Devices     | Network cards > Driver Options          | MODOPTS[]           |
Devices     | Network cards > Ethernet MTU            | MTU1                | 1500
Devices     | Network cards > Number of Devices       | NUM                 |
Devices     | Device Usage                            | [boxnet$zgendeu_OK] | OK
Networks    | Devicename                              | [boxnet$zdev_eth0]  | port4
Networks    | Devicename                              | [boxnet$zdev_eth1]  | port3
Networks    | Devicename                              | [boxnet$zdev_eth2]  | port2
Networks    | Devicename                              | [boxnet$zdev_eth3]  | port1

2.4 Barracuda NG Firewall F100

2.4.1 Box > Network

Table 234 Barracuda NG Firewall F100 Box > Network

Config Node | Config Label                            | Config Entry        | Value
General     | Verification                            | CHECKLESS           | 0 (Always)
Devices     | Appliance Model                         | DEVMAP              | Barracuda NG Firewall F100
Devices     | Network cards > Activate Driver         | ACTSTATE            | y
Devices     | Network cards > Fallback Module Name    | AMOD                | NONE
Devices     | Network cards > Fallback Driver Options | AMODOPTS[]          |
Devices     | Network cards > Driver Type             | BLTIN               | module
Devices     | Network cards > Fallback Enabled        | IFAMOD              | n
Devices     | Network cards > Operation Mode          | MOD                 | 8139too
Devices     | Network cards > Driver Options          | MODOPTS[]           |
Devices     | Network cards > Ethernet MTU            | MTU1                | 1500
Devices     | Network cards > Number of Devices       | NUM                 |
Devices     | Device Usage                            | [boxnet$zgendeu_OK] | OK
Networks    | Devicename                              | [boxnet$zdev_eth0]  | port4
Networks    | Devicename                              | [boxnet$zdev_eth1]  | port3
Networks    | Devicename                              | [boxnet$zdev_eth2]  | port2
Networks    | Devicename                              | [boxnet$zdev_eth3]  | port1
Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z

E
Encoding Parameters, 59
entegra Access Control Setup, 244
entegra Policy Service Options, 292
Entries in Access Cache, 272
Entry, 148, 150
Event Settings, 272
Eventing Settings, 137
Excluded Entry, 148, 150
Expert Settings (use with care), 267
Extended Domain Setup, 264
EXTENDED OPTIONS, 299
Extended Options, 292
Extented, 112
External Group Condition, 231

F
Failover and Load Balancing, 154
File Specific Settings, 104
Flash Appliance Settings, 101
Free Format OSPF Configuration, 525
Free Format RIP Configuration, 525
FW Authentication Server, 199

G
Garbage Collection, 100
General, 152, 458
General IP Settings, 100
General Service Settings, 243, 387
General Settings, 106, 485, 493, 494
General Update Settings, 390
Generic Application Tunneling Authorization, 247, 248
Global Domain Parameters, 263
GLOBAL SETTINGS, 299
Global Settings, 316, 463
Graphics, 497
Grey Listing, 269
Group Based Assignment, 291
GUI AS TEXT, 525

H
HA Monitoring Parameters, 118
HA Synchronization Setup, 474
Header Settings, 102
Host Configuration, 263
HOST IDs, 37
HTML Tag Removal, 270

I
ICMP Echo, 152
ICMP Gateway Monitoring Exemptions, 118
Identification, 441, 442
Identification Settings, 52
IKE Parameters, 220
In Groups, 494
Inbound (traffic received by the device), 86
Installation Mode Settings, 14
Installation scripts, 14
Installation-script files, 14
Integrity Check Settings, 80
Interface, 333, 335
Interface Monitoring, 96
IP Address & Networking, 225
IP Monitoring, 95
IP Prefix List Configuration, 524
IP Prefix List Filters, 524
IP RANGES, 299
IPSec Phase I, 227
IPSec Phase II, 227
ISDN Setup, 74
ISS Proventia Cascaded Redirector, 364
ISS Proventia Database Settings, 362
ISS Proventia Deny Message, 364
ISS Proventia Exceptions, 364
ISS Proventia General Settings, 362
ISS Proventia Logging Settings, 364
ISS Proventia Proxy, 362
ISS Proventia Settings, 363
ISS Proventia Statistics Settings, 365

K
Kernel Updates, 102

L
L2TP Settings, 223
LAN Rule Policy, 165
Layer2 Bridging, 194
LDAP, 113
LDAP Server, 485
Lease Contraints, 293
LEGACY, 348
License Configuration, 93
License Values, 37
Lifetime, 227
Limits and Operational Settings, 137
Local Authentication, 372
Local Domain Settings, 263
LOCAL PARAMETERS, 474
Log Configuration, 119
Log Cycling Actions, 104
Log Data Tagging, 117
Log File Rotation and Removal, 138
Log File Selection, 104
Log Settings, 101, 115, 341
Logging, 371
Login, 221
Lookup, 334

M
Mail Gateway Limits, 271
Mail Lookup, 112
Main Routing Table, 68
Management Network, 62
Management Traffic, 88
MC Identification, 436
MC IP Addresses, 436
MC SSH Access Keys, 437
Misc, 271
Misc. Settings, 341
Miscellaneous, 164
Miscellaneous Parameters, 293
Monitoring Parameters, 118
Monitoring Policy, 110
Multi Subnet Configuration, 290

N
Neighbors, 523
Neighbour Settings, 342
Network, 218
Network Configuration, 38
Network Interface Configuration, 63, 523
Network Routes, 229
NETWORK SETTINGS, 341
Network Time Protocol, 11
Networks, 240
Notification, 396
NTP Settings, 56

O
OCSP Server, 221
OCSP Server Identification, 221
ONCRPC Servers / DCERPC Servers, 205
ONLINE TESTS, 276
Operating System, 39
Operation Mode, 95
Operation Setup, 519
Operational Settings, 53, 266
Operational Setup, 116, 472
Operative Settings, 460
Optimizations, 351, 356
Option Section, 299
Option Settings, 342
Options, 313, 315
OSPF Area Configuration, 521
OSPF Parameters, 523, 524
OSPF Preferences Configuration, 519
OSPF Router Configuration, 520
OSPF Specific Conditions, 524
OSPF Specific Parameters, 523
OTHER DESTINATIONS, 372
Outbound (traffic being sent over the device), 86
Outlook Web Access Authorization, 246

P
Parameters, 241
Partner Identification, 241
Password and Peer Restriction, 225
Password Parameters, 459
Peer Condition, 231
Performance, 119
Phase 1, 240, 494
Phase 1 (default), 227
Phase 2, 227, 240
Phase2, 494
Phibs Authentication Settings, 200
PHIBS Specific Authentication Scheme, 344
Plain Data Reception, 473
Policy Based Routing, 69
Policy Definition, 88
Policy Service, 219
Policy Source Matching, 70
Policy Table Contents, 70
POP3 Setup, 265
PPPOE Connection Details, 72
PPTP Connection Details, 71
PPTP Settings, 223
Preauthentication, 230
Protocol Version 1 Options, 107
Protocol Version 2 Options, 107
PROVENTIA LIMIT HANDLING, 365
Proxy, 221, 222, 391
PUBLIC KEYS, 24

Q
Quarantine Bridging, 195
Quarantine Class 1 Rule Policy, 165
Quarantine Class 2 Rule Policy, 165
Quarantine Class 3 Rule Policy, 165
Quarantine Policy, 165

R
RAM Partition, 101
Recorded Conditions, 138
Redirector Settings, 351, 362
Registry Entry, 232
Relay Streams, 477
Relaying Setup, 475
Release Check, 108
Remote Execution Setup, 437
Remote Management Tunnel, 66
Reporting, 390
Resource Protection, 164
RIP Parameters, 523
RIP Preferences Configuration, 522
RIP Router Configuration, 521
RIP SETTINGS, 520
RIP Specific Conditions, 524
RIP Specific Parameters, 523
Role Name, 438
Root Login, 13
Root Password, 54
Route Map Configuration, 524
Route Map Filters, 524
Router Distribution Configuration, 521, 522
Routing, 72, 74, 76, 78
Routing Cache Settings, 100
RPC Settings, 205
Rule Mismatch Policy, 163
Rule Settings, 165
RULES, 277

S
Scanner Location, 396
SCEP HTTP Proxy Settings, 59
SCEP HTTP Server Authentication, 59
SCEP Server, 58
SCEP X509 Request, 59
SCEP X509 Request Password, 59
Security, 334, 335
Security Options, 388
Serial Access, 54
Serial Console, 67
Server, 230
Server Configuration, 219
Server Scripts, 96
Server Specific Firewall Settings, 139
SERVER STATUS, 29
Server/Service, 494
Service Availability, 289
Service Definition, 97
Service Identification, 244, 387
Service Password, 54
SERVICE STATUS, 29
Session Limits and Memory Settings, 135
Session Password Setup, 119
Shared Interface Configuration, 523
Show Short/Long Date, 22
SNMP, 343
Software Packages, 13
Spam Detection, 269
Spamfilter Settings, 276
SPECIAL CLIENTS, 299
SPECIAL DESTINATIONS, 372
Special Destinations, 371
Specific Settings, 441, 442
SSH Colours, 22
SSH KEYS, 24
SSH Private Key, 60
SSL Client Authentication, 474
SSL Settings, 355
SSL Tunnel Configuration, 248
Statistic Cooking, 316
Statistic Settings, 272
Statistics Cooking, 463
Statistics Settings, 97
Status Map Setup, 437
Stream Configuration, 118
Stream to Destination Setup, 476
Streaming Settings, 393
SUBNET SETTINGS, 289
System, 22
System Identification & Authentication, 116

T
TCP & UDP, 152
TCP Policy, 163
Template Description, 292, 293
TEST CONNECTION, 172
TEST RESULT, 173
TI Traffic Prioritization, 237
TI Transport Classification, 236
TI Transport Selection, 237
Time, 328
Time Control, 39
Time Interval, 314
Time Restrictions, 372
TIME SETTINGS, 363
Time Settings, 56
Timeout Settings, 115
Timeouts, 22
Top Level Logdata, 116
Top List, 315
TRAINING OPTIONS, 277

U
UMTS (3G) Setup, 77
UMTS Connection Details, 77
URI, 221
Usage, 220
USER AUTHENTICATION, 267
User Authentication, 244, 387
User Scripts, 80
User Session Handling, 387

V
VERSION STATUS, 37
Virtual LAN Configuration, 65
Virtual Server Definition, 95, 96
Virtual Server Identity, 96
Virtual Server IP Addresses, 95
Virtual Server/GTI Networks, 96
Virus Protection, 269, 396
Virus Scanner, 351, 393
Virus Scanning, 371
Volumes, 12
VPN Envelope Policy, 238, 493
VPN Traffic Intelligence (TI) Settings, 154
VPN User Pattern, 201
VPN World Settings, 53
VPN World Setup, 437

W
Watchdog Monitored Entities, 111
Watchdog Operational Setup, 110
Watchdog Repair Policy, 110
Web Resource Access Authorization, 246
Web Resource Configuration, 246
WebDAV Resource Access Authorization, 247
WebDAV Resource Configuration, 247
WHITE/BLACK LISTS, 276

X
X509 Certificate Conditions, 231
X509 Certificate Pattern, 201
X509 Client Security, 229
xDSL Setup, 70
Transparent Agent Access Authorization. . . . . . . . . . . . 245
Trust Chain Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 437
Tuning Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Tunnel Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Type Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316, 464
Type Top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317, 464
Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z
L
L2TP/IPSEC [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
LDAP [Configuration Service] . . . . . . . . . . . . . . . . . . . . . 113
Licenses [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Limit Handling [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . 365
Limits [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . 271
Local Networks [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 235
Local Storage [Barracuda NG Control Center] . . . . . . . . . . . . . 474
Logdata Streams [Configuration Service] . . . . . . . . . . . . . . . 118
Logging [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Logstream Destinations [Configuration Service] . . . . . . . . . . . 117
M
Mail Queue [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . 279
Mail Rename (MR) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . 338
Mailbox (MB) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Mailbox information (MINFO) [DNS] . . . . . . . . . . . . . . . . . . 337,
    [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Mail-Exchanger (MX) [DNS] . . . . . . . . . . . . . . . . . . . . . . . 337,
    [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Mailgroup (MG) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Main Rules [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 170
Mainboard [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
MC [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 420
Messages [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Monitoring [Configuration Service] . . . . . . . . . . . . . . . . . . . 95
Monitoring Setup [Configuration Service] . . . . . . . . . . . . . . . 118
MSAD [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 111
MS-CHAP [Configuration Service] . . . . . . . . . . . . . . . . . . . . 112
MSNT [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 115
N
Nameserver (NS) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . 336,
    [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Neighbor Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . 523
Network [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30,
    [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Network Interfaces [OSPF and RIP] . . . . . . . . . . . . . . . . . . . 523
Network Routes [Configuration Service] . . . . . . . . . . . . . . . . . 68
Networks [Configuration Service] . . . . . . . . . . . . . . . . . . . . 61,
    [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Notification [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . 324
O
Objects [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 427
Obsolete Certificate [VPN] . . . . . . . . . . . . . . . . . . . . . . . 226
OCSP [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 115,
    [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Offline FW [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Operational [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 136
Operational Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . 519
OSPF [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
OSPF Area Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . 521
OSPF Preferences [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . 519
OSPF Router Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . 520
Outbound [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Outbound-User [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . 171
P
Page 1 [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Page 2 [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Parameter [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Parameter Templates [VPN] . . . . . . . . . . . . . . . . . . . . . . . . 235
Parameters [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Partner [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Partner Networks [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 235
Permission Profiles [SSH Gateway] . . . . . . . . . . . . . . . . . . . . 388
Personal Networks [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 218
Phibs [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Phion [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Phion VPN CA [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Pictures [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Pointer (PTR) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Policy [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Pool Licenses [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
POP3 Setup [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . 265
PPTP [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Processes [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36,
    [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Protected IPs [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 186
Proxy ARPs [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32,
    [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Public Host Keys [Getting Started] . . . . . . . . . . . . . . . . . . . . 24
R
RADIUS [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 114
Range [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 456
RCS Setup [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 437
Redirect Availability [Firewall] . . . . . . . . . . . . . . . . . . . . . 186
Registry [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Relay Destinations [Barracuda NG Control Center] . . . . . . . . . . . . 476
Relay Filters [Barracuda NG Control Center] . . . . . . . . . . . . . . . 475
Relay Streams [Barracuda NG Control Center] . . . . . . . . . . . . . . . 477
Relaying Setup [Barracuda NG Control Center] . . . . . . . . . . . . . . 475
Reporting [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . 272
Resources [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Responsible Person (RP) [DNS] . . . . . . . . . . . . . . . . . . . . . . 338
RIP Preferences [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . 522
RIP Router Setup [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . 521
Root Certificates [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 220,
    [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . . 492
Route (RT) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Routing Cache [Configuration Service] . . . . . . . . . . . . . . . . . . 100
RPC [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
RSA-ACE [Configuration Service] . . . . . . . . . . . . . . . . . . . . . 114
Rule Tester [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Rules [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143,
    [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
S
Scanner Versions [Barracuda NG Control Center] . . . . . . . . . . . . . 429
Scanning Options [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . 391
SCEP [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . 58
Scripts [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . 96,
    [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Server [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29,
    [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . . 456
Server Action [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . 325
Server Certificates [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 221
Server Key/Settings [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . 219
Server/Service Settings [Barracuda NG Control Center] . . . . . . . . . . 495
Service [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . 456
Service or Server (SRV) [DNS] . . . . . . . . . . . . . . . . . . . . . . 338
Services [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Session Limits [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 135
Sessions [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40,
    [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . . 424
Settings [FTP Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Severity [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
SIP [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139,
    [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Site to Site [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
SMS Control [Configuration Service] . . . . . . . . . . . . . . . . . . . . 57
SMS Control Settings [Configuration Service] . . . . . . . . . . . . . . . 58
Spam [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Special Needs [Configuration Service] . . . . . . . . . . . . . . . . . . . 80
SSL [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . . 473
Start of authority (SOA) [DNS] . . . . . . . . . . . . . . . . . . . . . . 335
STATISTICS [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Statistics [Control] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Statistics Collection [Barracuda NG Control Center] . . . . . . . . . . . 425
Statistics Cooking [Statistics] . . . . . . . . . . . . . . . . . . . . . . 316
Status [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178,
    [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Status Filter [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 179,
    [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Status Map [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 421
Subject [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . 487
SUBNETS [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
System Access (Basic View) [Configuration Service] . . . . . . . . . . . . 54
T
Templates [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Test Report [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Text (TXT) [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Text Based Configuration [DHCP]. . . . . . . . . . . . . . . . . . . . . . 294,
[OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Thresholds [Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
TI [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
TI - Bandwidth Protection [Barracuda NG Control Center] 495
TI - VPN Envelope Policy [Barracuda NG Control Center] . 495
Time Objects [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
TIME/NTP [Configuration Service] . . . . . . . . . . . . . . . . . . . . . 56
TINA [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . . . 493
TINA Tunnels [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Traffic Selection [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Type 1 Admin [Barracuda NG Control Center] . . . . . . . . . . . 438
Type 3 Admin [Barracuda NG Control Center] . . . . . . . . . . . 438
TYPE1 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 438
TYPE2 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105
TYPE3 [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 105
U
UMTS [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . . 77
User Authorization [SSH Gateway] . . . . . . . . . . . . . . . . . . . . 388
User Groups [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
User List [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Userspecific [FTP Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
V
V3 Extensions [Barracuda NG Control Center] . . . . . . . . . . 487
Virtual LANs [Configuration Service]. . . . . . . . . . . . . . . . . . . 65
VPN FW [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
VPN GTI Settings [Barracuda NG Control Center] . . . . . . . . 495
VPN Selection [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
VPN Service [Barracuda NG Control Center] . . . . . . . . . . . . 494
VPN Settings [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
W
Well-Known Services (WKS) [DNS] . . . . . . . . . . . . . . . . . . . . . 337,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
WWW [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
X
X25 (X25) [DNS]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
xDSL/ISDN/DHCP [Configuration Service] . . . . . . . . . . . . . . 70
2 Control
List 2–1 Types of network activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3 Configuration Service
List 3–1 Box Config section Identification Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
List 3–2 Box Config section Operational Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
List 3–3 Box Config section Barracuda NG Earth Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
List 3–4 Administrative Settings - System Access section Root Password . . . . . . . . . . . . . . . . . . . . 54
List 3–5 Administrative Settings - System Access section Service Password . . . . . . . . . . . . . . . . . . 54
List 3–6 Administrative Settings - System Access section Access Control List . . . . . . . . . . . . . . . . . 54
List 3–7 Administrative Settings - System Access section Serial Access . . . . . . . . . . . . . . . . . . . . 54
List 3–8 Administrative Settings section Advanced Access Settings . . . . . . . . . . . . . . . . . . . . . . . 54
List 3–9 Administrative Settings - DNS section Basic DNS Settings . . . . . . . . . . . . . . . . . . . . . . . 55
List 3–10 Administrative Settings - DNS section Advanced DNS Settings . . . . . . . . . . . . . . . . . . . . . 55
List 3–11 Administrative Settings - Caching DNS Service section Advanced DNS Settings . . . . . . . . . . . . 55
List 3–12 Administrative Settings - TIME/NTPs section Time Settings . . . . . . . . . . . . . . . . . . . . . . 56
List 3–13 Administrative Settings - TIME/NTPs section NTP Settings . . . . . . . . . . . . . . . . . . . . . . . 56
List 3–14 Administrative Settings - SMS Control section SMS Control Settings . . . . . . . . . . . . . . . . . 58
List 3–15 Administrative Settings - SMS Control section Access Limitations . . . . . . . . . . . . . . . . . . 58
List 3–16 Administrative Settings - SMS Control section Command Codes . . . . . . . . . . . . . . . . . . . . . 58
List 3–17 Administrative Settings SCEP section BOX SCEP Settings . . . . . . . . . . . . . . . . . . . . . . . . 58
List 3–18 Administrative Settings SCEP SCEP Settings section SCEP Server . . . . . . . . . . . . . . . . . . . 58
List 3–19 Administrative Settings SCEP SCEP Settings section SCEP Server section SCEP HTTP Server Authentication . . . 59
List 3–20 Administrative Settings SCEP SCEP Settings section SCEP X509 Request . . . . . . . . . . . . . . . . 59
List 3–21 Administrative Settings SCEP SCEP Settings section SCEP X509 Request Password . . . . . . . . . . . 59
List 3–22 Administrative Settings SCEP SCEP Settings section Connection Details . . . . . . . . . . . . . . . . 59
List 3–23 Administrative Settings SCEP SCEP Settings section Connection Details section SCEP HTTP Proxy Settings . . . 59
List 3–24 Administrative Settings SCEP SCEP Settings section Encoding Parameters . . . . . . . . . . . . . . . 59
List 3–25 Identity section Box Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
List 3–26 Identity section SSH Private Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
List 3–27 Network - Management Network section Device Name . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
List 3–28 Network - Management Network section Management Network . . . . . . . . . . . . . . . . . . . . . . . 62
List 3–29 Box Network section Network Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 63
List 3–30 Network - Virtual LANs Configuration section Virtual LAN Configuration . . . . . . . . . . . . . . . 65
List 3–31 Management Access section Remote Management Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . 66
List 3–32 Management Access section Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
List 3–33 Remote Management Access Tunnel Details section Management Tunnel Configuration (CC-managed box) . . . 67
List 3–34 Remote Management Access Tunnel Details section Connection Monitoring . . . . . . . . . . . . . . . . 67
List 3–35 Network section Main Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
List 3–36 Network Routes - Policy Routing section Policy Source Matching . . . . . . . . . . . . . . . . . . . . 70
List 3–37 Network Routes - Policy Routing section Policy Table Contents . . . . . . . . . . . . . . . . . . . . 70
List 3–38 Network - xDSL configuration section Link Properties . . . . . . . . . . . . . . . . . . . . . . . . . 71
List 3–39 Network - xDSL configuration section PPTP Connection Details . . . . . . . . . . . . . . . . . . . . . 71
List 3–40 Network - xDSL configuration section PPPOE Connection Details . . . . . . . . . . . . . . . . . . . . 72
List 3–41 Network - xDSL configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 72
List 3–42 Network - xDSL configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
List 3–43 Network - xDSL configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . 73
List 3–44 Networks - DHCP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 3–45 Networks - DHCP configuration section Connection Details . . . . . . . . . . . . . . . . . . . . . . . 73
List 3–46 Networks - DHCP configuration section DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
List 3–47 Networks - DHCP configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
List 3–48 Networks - DHCP configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . 74
List 3–49 Networks - ISDN configuration section Connection Details . . . . . . . . . . . . . . . . . . . . . . . 74
List 3–50 Networks - ISDN configuration section Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
List 3–51 Networks - ISDN configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 75
List 3–52 Networks - ISDN configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
List 3–53 Networks - ISDN configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . 76
List 3–54 Networks - UMTS configuration section UMTS (3G) Setup . . . . . . . . . . . . . . . . . . . . . . . . . 77
List 3–55 Networks - UMTS configuration section UMTS Connection Details . . . . . . . . . . . . . . . . . . . . 77
List 3–56 Networks - UMTS configuration section Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 77
List 3–57 Networks - UMTS configuration section Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
List 3–58 Networks - UMTS configuration section Connection Monitoring . . . . . . . . . . . . . . . . . . . . . 78
List 3–59 Connection monitoring of dynamic links section Connection Monitoring . . . . . . . . . . . . . . . . 78
List 3–60 Networks - IP Tunnels configuration section Tunnel Configuration . . . . . . . . . . . . . . . . . . . 79
List 3–61 Integrity Check configuration section Integrity Check Settings . . . . . . . . . . . . . . . . . . . . 80
List 3–62 The monitoring executable openxdsl and its commands . . . . . . . . . . . . . . . . . . . . . . . . . . 81
List 3–63 Traffic Shaping configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
List 3–64 Traffic Shaping configuration section Outbound (traffic sent over the device) . . . . . . . . . . . . 86
List 3–65 Traffic Shaping configuration section Inbound (traffic received by device) . . . . . . . . . . . . . . 86
List 3–66 Device/Tunnel Tree Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 3–67 Traffic Shaping configuration Shaping connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 3–68 Shape Connector Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
List 3–69 Shape Connector Rule section Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List 3–70 Traffic Shaping configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List 3–71 Traffic Shaping configuration section Policy Definition . . . . . . . . . . . . . . . . . . . . . . . . 88
List 3–72 Traffic Shaping configuration section Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
List 3–73 Administrators configuration section Account Description . . . . . . . . . . . . . . . . . . . . . . . 91
List 3–74 Administrators configuration section Administrator Authorization . . . . . . . . . . . . . . . . . . . 91
List 3–75 Administrators configuration section Administrator Authentication . . . . . . . . . . . . . . . . . . 91
List 3–76 Administrators configuration section Administrator Access Control . . . . . . . . . . . . . . . . . . 92
List 3–77 Advanced Configuration section License Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 93
List 3–78 Server configuration - General settings on single boxes section Virtual Server Definition . . . . . . 95
List 3–79 Server configuration - General settings on single boxes section Virtual Server IP Addresses . . . . . 95
List 3–80 Server configuration (single box) - Monitoring settings section Operation Mode . . . . . . . . . . . . 95
List 3–81 Server configuration (single box) - Monitoring settings section IP Monitoring . . . . . . . . . . . . . 95
List 383 Server configuration (single box) - Scripts configuration section Server Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 384 Server configuration (CC) - General configuration section Virtual Server Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 382 Server configuration (single box) - Monitoring settings section Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 385 Server configuration - IDENTITY tab section Virtual Server Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 386 Server configuration - NETWORKS tab section Virtual Server/GTI Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
List 387 Service Configuration - General section Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 388 Service Configuration - General section Bind IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 389 Service Configuration - General section Available Server IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 390 Service Configuration - Statistics section Statistics Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
List 391 Service Configuration - Notification section Access Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
List 392 System Settings section General IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 393 System Settings section ARP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 394 System Settings - Routing Cache section Routing Cache Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 395 System Settings - Routing Cache section Garbage Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
List 396 System Settings - I/O Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 397 Box Tuning - Flash Memory section RAM Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 398 Box Tuning - Flash Memory section Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 399 Box Tuning - Flash Memory section Flash Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
List 3100 Advanced Configuration - Bootloader section Kernel Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
List 3101 Advanced Configuration - Bootloader section Header Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
List 3102 Advanced Configuration - Log Cycling section Common Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3103 Log Cycling - File Specific Settings section Log File Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3104 Log Cycling - File Specific Settings - section Log Cycling Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3105 Box Misc - Log Cycling - File Specific Settings - section Log Cycling Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
List 3106 Box Misc - Access Notification section Console Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
List 3107 Box Misc - SSH Basic Setup section General Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
List 3108 Box Misc - SSH Advanced Setup section Protocol Version 2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
List 3109 Box Misc - SSH Advanced Setup section Protocol Version 1 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
List 3110 Advanced Configuration - Software Update section Common Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
List 3–111 Advanced Configuration - Software Update section Release Check . . . 108
List 3–112 Advanced Configuration - Watchdog Basic Setup section Monitoring Policy . . . 110
List 3–113 Advanced Configuration - Watchdog Basic Setup section Watchdog Repair Policy . . . 110
List 3–114 Advanced Configuration - Watchdog Details section Watchdog Operational Setup . . . 110
List 3–115 Advanced Configuration - Watchdog Details section Watchdog Monitored Entities . . . 111
List 3–116 MSAD Authentication . . . 112
List 3–117 MSAD Authentication Basic section Basic . . . 112
List 3–118 MSAD Authentication Basic section Mail Lookup . . . 112
List 3–119 MSAD Authentication Basic section Extended . . . 112
List 3–120 Parameters for MS-CHAP Authentication . . . 112
List 3–121 Parameters for LDAP Authentication section LDAP . . . 113
List 3–122 Parameters for Radius Authentication . . . 114
List 3–123 Parameters for RSA-ACE Authentication . . . 114
List 3–124 Parameters for MSNT Authentication . . . 114
List 3–125 Parameters for MSNT Authentication . . . 115
List 3–126 Parameters for OCSP Authentication . . . 115
List 3–127 Parameters for Explicit Authentication . . . 115
List 3–128 Parameters for Timeouts and Logging section Log Settings . . . 115
List 3–129 Parameters for Timeouts and Logging section Timeout Settings . . . 115
List 3–130 Parameters for Timeouts and Logging section Expert Settings . . . 115
List 3–131 Infrastructure Services - Syslog Streaming - Basic Setup section Operational Setup . . . 116
List 3–132 Infrastructure Services - Syslog Streaming - Basic Setup section System Identification & Authentication . . . 116
List 3–133 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Box Logdata . . . 116
List 3–134 Infrastructure Services - Syslog Streaming - Logdata Filters section Affected Service Logdata . . . 117
List 3–135 Infrastructure Services - Syslog Streaming - Logstream Destinations section Destination Address . . . 117
List 3–136 Infrastructure Services - Syslog Streaming - Logstream Destinations section Data Transfer Setup . . . 117
List 3–137 Infrastructure Services - Syslog Streaming - Logstream Destinations section Log Data Tagging . . . 117
List 3–138 Infrastructure Services - Syslog Streaming - Logdata Streams section Stream Configuration . . . 118
List 3–139 Infrastructure Services - Control - Monitoring Setup section Monitoring Parameters . . . 118
List 3–140 Infrastructure Services - Control - Monitoring Setup section HA Monitoring Parameters . . . 118
List 3–141 Infrastructure Services - Control - Monitoring Setup section ICMP Gateway Monitoring Exemptions . . . 118
List 3–142 Infrastructure Services - Control - Administrative Sessions section Auto Logout Setup . . . 118
List 3–143 Infrastructure Services - Control - Administrative Sessions section Session Password Setup . . . 119
List 3–144 Infrastructure Services - Control - CPU-Load Monitoring section Performance . . . 119
List 3–145 Infrastructure Services - Control - CPU-Load Monitoring section CPU-Load Warning Thresholds . . . 119
List 3–146 Infrastructure Services - Control - CPU-Load Monitoring section CPU Load Error Thresholds . . . 119
List 3–147 Infrastructure Services - Log Configuration section Log Configuration . . . 119
4 Firewall
List 4–1 Box Services - General Firewall Configuration - Peer-to-Peer Detection and Protocol Detection . . . 134
List 4–2 Box Services - General Firewall Configuration - Peer-to-Peer Protocol Detection Selection . . . 134
List 4–3 General Firewall Configuration - Global Limits section Session Limits and Memory Settings . . . 135
List 4–4 General Firewall Configuration - Global Limits section Access Cache Settings . . . 135
List 4–5 General Firewall Configuration - Session Limits . . . 135
List 4–6 General Firewall Configuration - Operational . . . 136
List 4–7 General Firewall Configuration - Audit and Reporting tab section Limits and Operational Settings . . . 137
List 4–8 General Firewall Configuration - Audit and Reporting tab section Eventing Settings . . . 137
List 4–9 General Firewall Configuration - Audit and Reporting tab section Audit Information Generation . . . 137
List 4–10 General Firewall Configuration - Audit and Reporting tab section Connection Tracing . . . 137
List 4–11 General Firewall Configuration - Eventing Settings . . . 137
List 4–12 Audit Information Generation Settings section Audit Info Transport . . . 138
List 4–13 Audit Information Generation Settings section Recorded Conditions . . . 138
List 4–14 Audit Information Generation Settings section Log File Rotation and Removal . . . 138
List 4–15 General Firewall Configuration - Connection Tracing . . . 139
List 4–16 Firewall Forwarding Settings - Firewall section Server Specific Firewall Settings . . . 139
List 4–17 Items of the navigation bar's main element "Configuration" . . . 142
List 4–18 Subordinate elements of the item Information in the navigation bar . . . 143
List 4–19 Firewall configuration - Rule Creation/Editing . . . 144
List 4–20 Firewall configuration - Action section . . . 144
List 4–21 Firewall configuration - Destination section . . . 145
List 4–22 Firewall configuration - Redirection section . . . 146
List 4–23 Firewall configuration - Connection section . . . 147
List 4–24 Firewall configuration - Time Object . . . 147
List 4–25 Net Object configuration parameters . . . 148
List 4–26 Net Object configuration parameters section Excluded Entry . . . 148
List 4–27 Net Object configuration parameters section Bridging . . . 149
List 4–28 Network Object - Type Hostname . . . 150
List 4–29 Network Object - Type Hostname section Entry / Excluded Entry . . . 150
List 4–30 Firewall configuration - Service Objects parameters section TCP & UDP . . . 152
List 4–31 Firewall configuration - Service Objects parameters section ICMP Echo . . . 152
List 4–32 Firewall configuration - Service Objects parameters section General . . . 152
List 4–33 Firewall configuration - Service Objects - General settings . . . 153
List 4–34 Firewall configuration - Service Objects - General settings section Failover and Load Balancing . . . 154
List 4–35 Firewall configuration - Service Objects - General settings section VPN Traffic Intelligence (TI) Settings . . . 154
List 4–36 Firewall configuration - Service Objects - General settings section BOB Settings . . . 154
List 4–37 Proxy ARP object configuration values . . . 159
List 4–38 Firewall configuration - Content Filter creation . . . 160
List 4–39 Port Protocol Protection Policies . . . 161
List 4–40 Port Protocol Protection Policies . . . 162
List 4–41 Firewall configuration - Advanced Rule Parameters section Rule Mismatch Policy . . . 163
List 4–42 Firewall configuration - Advanced Rule Parameters section TCP Policy . . . 163
List 4–43 Firewall configuration - Advanced Rule Parameters section Resource Protection . . . 164
List 4–44 Firewall configuration - Advanced Rule Parameters section Counting / Eventing / Audit Trail . . . 164
List 4–45 Firewall configuration - Advanced Rule Parameters section Miscellaneous . . . 164
List 4–46 Firewall configuration - Advanced Rule Parameters section Quarantine Policy . . . 165
List 4–47 Firewall configuration - Enhanced Advanced Rule Parameters section Rule Settings . . . 165
List 4–48 Firewall configuration - Time Restriction . . . 166
List 4–49 Firewall configuration - Accept Policy section (see Firewall configuration - Advanced Rule Parameters section Resource Protection) . . . 166
List 4–50 Firewall configuration - Accept Policy section (see Firewall configuration - Advanced Rule Parameters section TCP Policy) . . . 166
List 4–51 Firewall Forwarding Settings - Bridging section Layer2 Bridging . . . 194
List 4–52 Firewall Forwarding Settings - Bridging section Quarantine Bridging . . . 195
List 4–53 Firewall Forwarding Settings - Bridging section Quarantine Bridging - Quarantine Group . . . 195
List 4–54 Firewall configuration - Authentication parameters section FW Authentication Server . . . 199
List 4–55 Firewall configuration - PHIBS settings section Phibs Authentication Settings . . . 200
List 4–56 Firewall configuration - Rules - User Groups section Authentication Pattern . . . 201
List 4–57 Firewall configuration - Rules - User Groups section Policy Roles Patterns . . . 201
List 4–58 Firewall configuration - Rules - User Groups section X509 Certificate Pattern . . . 201
List 4–59 Firewall configuration - Rules - User Groups section VPN User Pattern . . . 201
List 4–60 Firewall configuration - Rules - User Groups section Authentication Method . . . 201
List 4–61 Firewall configuration - Forwarding Firewall - RPC tab section RPC Settings . . . 205
List 4–62 Firewall configuration - Forwarding Firewall - RPC tab section ONCRPC Servers / DCERPC Servers . . . 205
5 VPN
List 5–1 VPN Configuration - Personal Network Network Section . . . 218
List 5–2 VPN Configuration - Server Certificates - General Access Control Service Section . . . 219
List 5–3 VPN Configuration - Server Certificates - General Server Configuration Section . . . 219
List 5–4 VPN Configuration - Server Certificates - General Default Server Certificate Section . . . 219
List 5–5 VPN configuration - Server Certificates - Advanced Device Configuration Section . . . 220
List 5–6 VPN configuration - Server Certificates - Advanced section IKE Parameters . . . 220
List 5–7 VPN configuration - Server Certificates - Advanced section Custom Ciphers . . . 220
List 5–8 VPN Configuration - Root Certificates - Certificate Details Tab Certificate Section . . . 220
List 5–9 VPN Configuration - Root Certificates - Certificate Details Tab Usage Section . . . 220
List 5–10 VPN configuration - Root Certificates - Certificate Details Tab CRL Error Handling Section . . . 220
List 5–11 VPN Configuration - Root Certificates - Certificate Revocation Tab URI Section . . . 221
List 5–12 VPN Configuration - Root Certificates - Certificate Revocation Tab Login Section . . . 221
List 5–13 VPN Configuration - Root Certificates - Certificate Revocation Tab Proxy Section . . . 221
List 5–14 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Tab . . . 221
List 5–15 VPN Configuration - Root Certificates - OCSP Tab OCSP Server Identification Tab . . . 221
List 5–16 VPN Configuration - VPN GTI Settings . . . 222
List 5–17 VPN Configuration - VPN GTI Settings Proxy Section . . . 222
List 5–18 VPN configuration - L2TP/PPTP Settings - General section Common Settings . . . 222
List 5–19 VPN Configuration - L2TP/PPTP Settings - L2TP/IPSEC L2TP Settings Section . . . 223
List 5–20 VPN Configuration - L2TP/PPTP Settings - PPTP PPTP Settings Section . . . 223
List 5–21 VPN Configuration - L2TP/PPTP Settings - User List . . . 223
List 5–22 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation . . . 225
List 5–23 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation IP Address & Networking Section . . . 225
List 5–24 VPN Configuration - Client to Site - VPN CA Tab - Personal License Creation Password and Peer Restriction Section . . . 225
List 5–25 VPN configuration - Client to Site - VPN CA Tab - Personal License Creation Active Certificate / Obsolete Certificate Section . . . 226
List 5–26 VPN Configuration - Client to Site - VPN CA Tab - Template Creation . . . 226
List 5–27 VPN Configuration - Client to Site - External CA Tab > IPSec Tab Phase 1 (default) / Phase 2 Section . . . 227
List 5–28 VPN Configuration - Client to Site - External CA Tab > IPSec Tab Lifetime Section . . . 227
List 5–29 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Barracuda Section . . . 228
List 5–30 VPN Configuration - Client to Site - External CA Tab > Barracuda Tab Accepted Ciphers Section . . . 228
List 5–31 VPN Configuration - Client to Site - External CA Tab > Common Tab Common Section . . . 228
List 5–32 VPN Configuration - Client to Site - External CA Tab > Common Tab Network Routes Section . . . 229
List 5–33 VPN Configuration - Client to Site - External CA Tab > Common Tab ACL Section . . . 229
List 5–34 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings X.509 Client Security Section . . . 229
List 5–35 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings Server Section . . . 230
List 5–37 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group VPN Settings > Preauthentication Details . . . 230
List 536 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Match Settings section Preauthentication . . . . . . . . . . . . . 230
List 538 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
List 539 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition > AD Lookup > AD Lookup Advanced Settings 231
List 540 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
List 541 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition X509 Certificate Conditions Section . . . . . . 231
List 542 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition External Group Condition Section . . . . . . . . . 231
List 543 VPN Configuration - Client to Site - External CA Tab > Rules Tab > Group Policy Condition Peer Condition Section . . . . . . . . . . . . . . . . . . 231
List 544 VPN Configuration - Client to Site - Registry Tab > New Registry Rule Set Registry Entry Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
List 545 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel General Tunnel Settings Section . . . . . . . . . . . . . . . . . . . . . . . . 233
List 546 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel TI Transport Classification Section . . . . . . . . . . . . . . . . . . . . . . 236
List 547 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Transport Selection Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
List 548 Firewall Connection Object - VPN Traffic Intelligence (TI) TI Traffic Prioritisation Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
List 549 VPN configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab - Bandwidth Protection Section . . . . . . . . . . . . . . . . . . . 238
List 550 VPN configuration - Site to Site - TINA Tunnels tab > New TINA Tunnel > TI tab section VPN Envelope Policy . . . . . . . . . . . . . . . . . . . . . 238
List 551 VPN Configuration - Site to Site - TINA Tunnels Tab > New TINA Tunnel > TI Tab Transport (complement) Section . . . . . . . . . . . . . . . . . 239
List 552 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
List 553 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Phase 1 and Phase 2 Section . . . 240
List 554 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec Tunnel > Base Configuration Tab Networks Section . . . . . . . . . . . . . 240
List 555 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
List 556 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Partner Identification Section . . . . . . 241
List 557 VPN Configuration - Site to Site - IPSEC Tunnels Tab > New IPSec tunnel > Authentication Tab Parameters Section . . . . . . . . . . . . . . . 241
List 558 VPN configuration - SSL-VPN Basic Setup section General Service settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
List 559 VPN configuration - SSL-VPN Basic Setup section Service Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 560 VPN configuration - SSL-VPN Authentication & Login section User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 561 VPN configuration - SSL-VPN Authentication & Login section Corporate ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
List 562 VPN configuration - SSL-VPN Barracuda NG Network Access Client Access Control section Barracuda NG Network Access Client Access Control Setup . . . 244
List 563 VPN configuration - SSL-VPN Barracuda NG SSL-VPN Client section Barracuda NG SSL-VPN Client Setup . . . . . . . . . . . . . . . . . . . . . . . . 245
List 564 Barracuda NG SSL-VPN Client section Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
List 565 Barracuda NG SSL-VPN Client Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 566 Barracuda NG SSL-VPN Client Transport Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 567 VPN configuration - SSL-VPN Web Resources section Web Resource Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 568 Web Resources section Web Resource Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 569 VPN configuration - SSL-VPN Outlook Web Access section Outlook Web Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
List 570 VPN configuration - SSL-VPN WebDAV/Sharepoint section WebDAV Resource Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 571 WebDAV Resources section WebDAV Resource Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 572 VPN configuration - SSL-VPN Application Tunneling section Application Tunneling Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 573 Application Tunneling Configuration Service Configuration section Application Access Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
List 574 Application Tunneling Configuration Generic Application Tunneling section Generic Application Tunneling Authorization . . . . . . . . . . 247
List 576 VPN configuration - SSL-VPN Dynamic Firewall Rules section Dynamic Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 577 Firewall Rule Activation section Dynamic Firewall Rule Activation Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 578 VPN configuration - SSL-VPN Access Rights Query section Access Rights Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
List 575 Generic Application Tunneling Authorization SSL Tunnels section SSL Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
6 Mail Gateway
List 61 MailGW Settings - Basic Setup section Host Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 62 MailGW Settings - Basic Setup section Local Domain Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 63 MailGW Settings - Basic Setup section Global Domain Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 64 MailGW Settings section Extended Domain Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
List 65 MailGW Settings section Extended Domain Setup Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
List 66 MailGW Settings - Pop3 Setup section POP3 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
List 67 MailGW Settings - Advanced Setup section Operational Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
List 68 MailGW Settings - Advanced Setup section Allowed Relaying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
List 69 MailGW Settings - Advanced Setup section Cloning and Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
List 610 MailGW Settings - Content Filter - Attachment Stripping section Advanced Attachment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
List 611 MailGW Settings - Content Filter - Grey Listing section Advanced Grey Listing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
List 612 MailGW Settings - Content Filter - Blacklists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
List 613 MailGW Settings - Content Filter - HTML-Tag Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 614 MailGW Settings - Content Filter - Misc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 615 MailGW Settings - Limits section Mail Gateway Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 616 MailGW Settings - Limits section DoS Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
List 617 MailGW Settings section Entries in Access Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
List 618 MailGW Settings - Event Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
List 619 MailGW Settings - Spam Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
List 620 Spamfilter Config section Spamfilter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 621 Spamfilter Config section WHITE/BLACK LISTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 622 Spamfilter Config section ONLINE TESTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
List 625 Spamfilter Config - Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 623 Spamfilter Config section RULES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 624 Spamfilter Config section TRAINING OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
List 626 Spamfilter Config section TRAINING OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
7 DHCP
List 71 DHCP Enterprise Configuration - Operational Setup section Service Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 72 DHCP Enterprise Configuration - Operational Setup section HA Synchronisation Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 73 DHCP Enterprise - Address Pool Configuration section Address Pool Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 74 DHCP Enterprise - Address Pool Configuration section Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
List 75 DHCP Enterprise - Address Pool Configuration section Multi Subnet Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
List 76 DHCP Enterprise Configuration - SUBNETS tab section Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
List 77 DHCP Enterprise - Address Pool Configuration section Further Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
List 78 DHCP Enterprise Configuration - Known Clients section Group Based Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 79 DHCP Enterprise - Known Clients - Client Group Member section Client Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 710 DHCP Enterprise - Known Clients - Client Group Member section Client Match & Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 711 DHCP Enterprise - Known Clients - Client Group Member section Advanced Client Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
List 712 DHCP Enterprise - DHCP Option Templates section Template Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 713 DHCP Enterprise - DHCP Option Templates section Basic Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 714 DHCP Enterprise - DHCP Option Templates section Barracuda NG Network Access Clients Access Control Service Options . . . . . . . . . . 292
List 715 DHCP Enterprise - DHCP Option Templates section Extended Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
List 716 DHCP Enterprise - Parameter Templates section Template Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 717 DHCP Enterprise - Parameter Templates section Lease Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 718 DHCP Enterprise - Parameter Templates section Dynamic DNS Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 719 DHCP Enterprise - Parameter Templates section Miscellaneous Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
List 720 DHCP Enterprise - Classes section Class Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 721 DHCP Enterprise - Dynamic DNS section DNS Update Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 722 DHCP Enterprise - Dynamic DNS section DNS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 723 DHCP Enterprise - GUI as Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 724 DHCP Enterprise - Text Based Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
List 725 DHCP Server Settings section GLOBAL SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 726 DHCP Server Settings - section Option Section and IP RANGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 727 DHCP Server Settings section SPECIAL CLIENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 728 DHCP Server Settings section BASIC OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 729 DHCP Server Settings section EXTENDED OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
List 730 DHCP Relay Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
8 Log Viewer
9 Statistics
List 91 Control field for type Curve with time axis section Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
List 92 Control field for type Curve with time axis section Time Interval - Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
List 93 Control field for type Curve with time axis section Time Interval - Bars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
List 94 Infrastructure Services - Statistics General section Global Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 95 Box Services - Statistics Cooking section Statistic Cooking section Cook Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 96 Statistic Cooking section Type: Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
List 98 Statistic Transfer Transfer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
List 97 Statistic Cooking section Type: Top . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
10 Eventing
List 101 Events tab - Event details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
List 103 Severity tab - Severity details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 102 Severity tab - Column view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 104 Notification tab - Column view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
List 105 Server Action tab - Type SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
List 106 SNMP Service Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 107 SNMP Service Notifications section Default SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 108 SNMP Service Notifications section Default Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
List 109 Event Properties - Page 1 tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
List 1010 Event Properties - Page 2 tab section Confirmed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
List 1011 Event Properties - Page 2 tab section Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
11 DNS
List 111 DNS Server - Properties configuration section Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
List 112 DNS Server - Properties configuration section Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
List 113 DNS Server - Zone configuration section General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
List 114 DNS Server - Zone configuration - Advanced Settings section Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 115 DNS Server - Zone configuration - Advanced Settings section Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 116 DNS Server - SOA configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
List 117 DNS Server - Name Server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
List 118 DNS Server - Adding a New Host Host (A) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
List 1112 DNS Server - Adding a New Mail-Exchanger Mail-Exchanger (MX) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 1113 DNS Server - Adding a New Mail-Exchanger Mailbox information (MINFO) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 1114 DNS Server - Adding a New Mail-Exchanger Well-Known Services (WKS) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 119 DNS Server - Adding a New Host Host Information (HINFO) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 1110 DNS Server - Adding a New Host Text (TXT) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
List 1111 DNS Server - Adding a New Host Well-Known Services (WKS) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
12 Proxy
List 121 HTTP Proxy Service Parameters - General section Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 122 HTTP Proxy Service Parameters - General section Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 123 HTTP Proxy Service Parameters - General section Misc. Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 124 HTTP Proxy Service Parameters - General section Fail Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 125 HTTP Proxy Service Parameters - Network section Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
List 126 HTTP Proxy Service Parameters - General - Neighbour Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 127 HTTP Proxy Service Parameters - General - Neighbour Settings section Option Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 128 HTTP Proxy Service Parameters - General - Neighbour Settings section Cache Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
List 129 HTTP Proxy Service Parameters - General section SNMP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
List 1210 HTTP Proxy Service Parameters - Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
List 1211 HTTP Proxy Service Parameters - Authentication Settings section PHIBS Specific Authentication Scheme . . . . . . . . . . . . . . . . . . . . . . . . . 344
List 1212 HTTP Proxy Service Parameters - Authentication Settings - ACL Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
List 1213 HTTP Proxy Service Parameters - Authentication Settings - Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
List 12-14  HTTP Proxy Service Parameters - Authentication Settings - ACL FileList  347
List 12-15  ACL Filelist Usage Example  347
List 12-16  HTTP Proxy Service Parameters - Authentication Settings - Legacy  348
List 12-17  HTTP Proxy Service Parameters - Authentication Settings - Time Restriction configuration  348
List 12-18  ACL ENTRIES configuration  349
List 12-19  Proxy Service Parameters section Data Leak Prevention  351
List 12-20  Proxy Service Parameters - Advanced view section Optimizations  351
List 12-21  Proxy Service Parameters - Advanced view section Advanced  351
List 12-22  HTTP Proxy Fail Cache Filter Options  351
List 12-23  Secure Web Proxy section SSL Settings  355
List 12-24  Secure Web Proxy - SSL Certificates section Certificate Verification  356
List 12-25  Secure Web Proxy - SSL Certificates section Certificate Revocation  356
List 12-26  Secure Web Proxy - SSL Certificates section Client Certificates  356
List 12-27  Secure Web Proxy - Advanced - section Optimizations  356
List 12-28  Proxy Service Parameters - section Redirector Settings  362
List 12-29  URL Filter Configuration - General section URL Filter General Settings  362
List 12-30  URL Filter Configuration - General section URL Filter Database Settings  362
List 12-31  URL Filter Configuration - General section URL Filter Support Options  362
List 12-32  URL Filter Configuration section URL Filter Proxy  362
List 12-33  URL Filter Configuration - Filter Settings section URL Filter Settings  363
List 12-34  URL Filter Configuration - Filter Settings section Configurations  363
List 12-35  URL Filter Configuration - Filter Settings section TIME SETTINGS  363
List 12-36  URL Filter Configuration section URL Filter Deny Message  364
List 12-37  URL Filter Configuration section URL Filter Exceptions  364
List 12-38  URL Filter Configuration section URL Filter Cascaded Redirector  364
List 12-39  URL Filter Configuration section URL Filter Logging Settings  364
List 12-40  URL Filter Configuration section URL Filter Limit Handling  365
13 FTP Gateway
List 13-1  FTP-GW Settings configuration section BEHAVIOR  371
List 13-2  FTP-GW Settings configuration section Virus Scanning  371
List 13-3  FTP-GW Settings configuration section Logging  371
List 13-4  FTP-GW Settings Configuration - User specific section Configuration Assignment  371
List 13-5  FTP-GW Settings Configuration - User specific section Special Destinations  371
List 13-6  FTP-GW Settings Configuration - User specific section Default User Specific  372
List 13-7  FTP-GW Settings Configuration - User specific section Time Restrictions  372
List 13-8  FTP-GW Settings Configuration - User specific - Default User Specific section SPECIAL DESTINATIONS  372
List 13-9  FTP-GW Settings Configuration - User specific - Default User Specific section OTHER DESTINATIONS  372
List 13-10  FTP-GW Settings Configuration - User specific - Default User Specific section Time Restrictions  372
List 13-11  FTP-GW Settings Configuration section Local Authentication  372
14 Voice over IP
List 14-1  Firewall Forwarding Settings - H.323 Gatekeeper tab  377
List 14-2  Box Firewall Settings - SIP Parameters section Access Cache Settings  378
List 14-3  Forwarding Firewall Settings - SIP Parameters  378
15 Wireless LAN
List 15-1  382
List 15-2  383
List 15-3  383
List 15-4  Primary Radius Server  383
List 15-5  Radius Fallback Options  384
List 15-6  Security  384
List 15-7  EAP Tuning  384
List 15-8  WPA Tuning  384
List 15-9  Operational Tuning  384
List 15-10  Logging Setup  384
16 SSH Gateway
List 16-1  SSH Proxy configuration - General section General Service Settings  387
List 16-2  SSH Proxy configuration - General section Service Identification  387
List 16-3  SSH Proxy configuration - Authentication & Login section User Authentication  387
List 16-4  SSH Proxy configuration - Authentication & Login section User Session Handling  387
List 16-5  SSH Proxy configuration - Default Permissions section Security Options  388
List 16-6  SSH Proxy configuration - Default Permissions section Access Options  388
List 16-7  SSH Proxy configuration - Access Lists section Access List Configuration  388
List 16-8  SSH Proxy configuration - Access Lists - Access List Configuration section Access List Configuration  388
List 16-9  SSH Proxy configuration - Access Lists - Access List Configuration section Allowed Host Configuration  388
List 16-10  SSH Proxy configuration - User Authorization  388
17 Anti-Virus
List 17-1  Virus Scanner Settings - Basic Setup section Basic Setup  390
List 17-2  Virus Scanner Settings - Basic Setup section Reporting  390
List 17-3  Virus Scanner Settings - Basic Setup section Advanced  390
List 17-4  Virus Scanner Settings - Updates section General Update Settings  390
List 17-5  Virus Scanner Settings - Updates section Avira Update Settings  391
List 17-6  Virus Scanner Settings - Updates section ClamAV Update Settings  391
List 17-7  Virus Scanner Settings - Updates section Proxy  391
List 17-8  Virus Scanner Settings - Avira section Avira General  391
List 17-9  Virus Scanner Settings - Avira section Avira Archive Scanning  391
List 17-10  Virus Scanner Settings - Avira section Avira Non-Virus Detection  391
List 17-11  Virus Scanner Settings - ClamAV section ClamAV General  392
List 17-12  Virus Scanner Settings - ClamAV section ClamAV Archive Scanning  392
List 17-13  Virus Scanner Settings - ClamAV section ClamAV Possibly Unwanted Applications (PUA)  392
List 17-14  Virus Scanner Settings - ClamAV section ClamAV Misc Scanning Options  392
List 17-15  Virus Scanner Settings - ClamAV section ClamAV Mail Scanning Options  392
List 17-16  Virus Scanner Settings - ClamAV section ClamAV Phishing Options  393
List 17-17  Virus Scanner Settings - ClamAV section ClamAV Data Loss Prevention (DLP)  393
List 17-18  Virus Scanner Settings - Streaming Settings  393
List 17-19  HTTP Proxy Settings - Content Inspection section Virus Scanner  393
List 17-20  Content Inspection section Virus Scanner Progress Popup  394
List 17-21  HTTP Proxy Settings - Content Inspection  396
List 17-22  MailGW Settings - Virus Scanning section Virus Protection  396
List 17-23  MailGW Settings - Advanced Virus Protection Option section Scanner Location  396
List 17-24  MailGW Settings - Advanced Virus Protection Option section Notification  396
List 17-25  MailGW Settings - Advanced Virus Protection Option section Adaptions  396
List 17-26  MailGW Settings - Advanced Virus Protection Option section No Scan Exceptions  396
List 17-27  MailGW Settings - External Scan Engine  396
18 High Availability
20 SNMP
List 20-1  SNMP Configuration section Access Groups  515
21 OSPF and RIP
List 21-18  OSPF/RIP Settings - Neighbor Setup section OSPF Parameters  524
List 21-23  OSPF/RIP Settings - Filter Setup - Route Map Filters section RIP Specific Conditions  524
List 21-24  OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Filters  524
List 21-25  OSPF/RIP Settings - Filter Setup - IP Prefix List Filters section IP Prefix List Configuration  524
List 21-26  OSPF/RIP Settings - GUI as Text section Text Equivalent of GUI  525
List 21-27  OSPF/RIP Settings - Text Based Configuration section Free Format OSPF Configuration / Free Format RIP Configuration  525
22 System Information
23 Appendix
Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z
B
Backup Box [Configuration Service] 95
Backup MX [Configuration Service] 72, 74, 75, 78
Bad Rulefile Loaded [Mail Gateway] 272
Balance Preferred and Second [VPN] 237
Balanced Timeout [Firewall] 152
Band [Firewall] 165
Band A-G [Configuration Service] 89
Band Policy [VPN] 239, 241
Bandwidth [Configuration Service] 89; [OSPF and RIP] 523
Bandwidth Policy [VPN] 238
Base DN [Configuration Service] 112; [Barracuda NG Control Center] 485
Basic [Configuration Service] 112
basicConstraints [Barracuda NG Control Center] 487
Bind IP [Anti-Virus] 397
Bind IPs [VPN] 243
Bind NTPd [Configuration Service] 62
Bind policy [FTP Gateway] 371
Bind To Authenticate [Configuration Service] 113
Bind Type [Configuration Service] 97
Bitmap [VPN] 226, 228
BK Colour [Getting Started] 22
Black List [Proxy] 363
blackhole [DNS] 334
Blacklist From [Mail Gateway] 276
Blacklists [Mail Gateway] 270
Block [Firewall] 144, 145, 146, 147, 168, 171
Block & Terminate [Firewall] 168
Block Box Sync [Barracuda NG Control Center] 439
Block encrypted archives [Anti-Virus] 391, 392
Block if mismatch [Firewall] 148, 166; [Proxy] 348
Block If User Limit Exceeded [Proxy] 365
Block on Mismatch [Firewall] 163
Block on other error [Anti-Virus] 391
Block Server [Barracuda NG Control Center] 439
Block Service [Barracuda NG Control Center] 439
Block Unknown State [Proxy] 356
Block unsupported archives [Anti-Virus] 391
Block Update [Barracuda NG Control Center] 424
Blocked Local Sessions [Firewall] 138
Blocked Sessions [Firewall] 138
Blocked User Groups [VPN] 244; [SSH Gateway] 387
Blocked Users [SSH Gateway] 388
BOB Settings [Firewall] 154
Boot File [DHCP] 293
Boot File Name [DHCP] 293, 300
Boot File Server [DHCP] 293
Boot Loader Location [Configuration Service] 102
Boot Unknown Clients [DHCP] 293
BOOTP Clients Policy [DHCP] 290
Boottime Release Check [Configuration Service] 108
Box [Firewall] 201; [Eventing] 328
Box Authentication [Barracuda NG Control Center] 428
Box Certificate [Configuration Service] 60
Box DNS Domain [Configuration Service] 55
Box Inventory [Configuration Service] 103
Box Log Patterns [Barracuda NG Control Center] 476
Box Name [Configuration Service] 52
Box Private Key [Configuration Service] 60
Box Reachable Statistics [Barracuda NG Control Center] 437
Box Unique Name [Configuration Service] 52
Box->MC Access [Configuration Service] 53
Bridging Device [Firewall] 194
Bridging Group [Firewall] 194
Bridging TTL Policy [Firewall] 195
Broadcast Address [DHCP] 292, 299
Broadcast RAS [Voice over IP] 377
Broad-Multicast [Firewall] 145, 146, 147
Browse... [Getting Started] 22
Browser [Proxy] 346
Browser Cleanup [VPN] 244
Browsers [Anti-Virus] 394
BSD [Configuration Service] 75
Buffer-overflow protection [FTP Gateway] 371
Bump Mapping [Barracuda NG Control Center] 497
Transfer Rate Limit [Configuration Service] . . . . . . . . . . . . 75
C
CA Root [VPN] 221
CA Sign Password [Barracuda NG Control Center] 486
Cache Direct Objects [Proxy] 342
Cache Domain Objects [Proxy] 342
Cache IP Objects [Proxy] 342
Cache MSAD-groups [Configuration Service] 112
Cache Peer Access [Proxy] 342
Cache Priority [Proxy] 342
Cache Timeout (sec) [Configuration Service] 115
Call Redirect [Voice over IP] 377
Cascade [Firewall] 145, 146, 147
Cascade Back [Firewall] 145, 146, 147
Cascaded is Primary [Proxy] 364
Cascaded Redirector [Proxy] 364
Cascading Included [Barracuda NG Control Center] 465
Categories [Proxy] 363
CCP Control Protocol [Configuration Service] 75
Cert. Authorities Management [Barracuda NG Control Center] 439
Certificate Login Matching [VPN] 229
Certificate Mgmt... [VPN] 226
Certificate Policy [VPN] 231
Challenge Timeout (sec) [Configuration Service] 115
Change Events [Barracuda NG Control Center] 438
Change HW clock to UTC [Getting Started] 12
Change Permissions [Barracuda NG Control Center] 438
Change Personal Network [VPN] 218
Change Server Password... [VPN] 226
Change Settings [Barracuda NG Control Center] 439
Channel Bonding Settings [Configuration Service] 75
Check Interval [Configuration Service] 79, 110
Check Reachability [Configuration Service] 80
Check Spam [Mail Gateway] 266
Check System Load [Configuration Service] 111
Check User Home [Configuration Service] 107
Class [Eventing] 328
Clear [Getting Started] 22
Clear DF Bit [Firewall] 164
Clear Filter - deletes the set filter [Barracuda NG Control Center] 492
Clear Log [Barracuda NG Control Center] 427
Clear Log ... [Barracuda NG Control Center] 428
Clear on Failure [Configuration Service] 108
Clear on Success [Configuration Service] 108
Client [Firewall] 154, 171
Client Alive Interval [SSH Gateway] 387
Client Alive Max Count [SSH Gateway] 387
Client Authentication [Barracuda NG Control Center] 474
Client Certificate Action [Proxy] 356
Client Codepage [Configuration Service] 115
Client Description [DHCP] 291
Client DHCP Options [DHCP] 291
Client Hostname [DHCP] 291
[Proxy] 343; [SNMP] 515
Complete Update [Barracuda NG Control Center] 424
Completed [Barracuda NG Control Center] 423
Compression [Configuration Service] 104; [VPN] 236
Condense after (days) [Barracuda NG Control Center] 464
Condense Data after (Days) [Statistics] 317
Configuration Level [Barracuda NG Control Center] 460
Configuration Read [Getting Started] 22
Configurations [Proxy] 363
Confirm Events [Barracuda NG Control Center] 439
Confirmed [Eventing] 328
Connect Timeout [Configuration Service] 77
Connection Color [Firewall] 153
Connection Timeout [Firewall] 154
Connection Type [Configuration Service] 71; [Barracuda NG Control Center] 476
Connections [Firewall] 142
Consistency Verification [Configuration Service] 80
Console Max. Idle [Configuration Service] 118
Console(COM1)AndManagement [Configuration Service] 54
ConsoleOnly(COM1) [Configuration Service] 54
Contact Info [SNMP] 515
Contact Mail [Proxy] 341; [Anti-Virus] 390, 391, 392
Contact Person [Barracuda NG Control Center] 441, 442
Content [VPN] 231
Content Filter [Firewall] 142
Context Identifier [Configuration Service] 77
Continue if mismatch [Firewall] 148, 166
Continue on Mismatch [Firewall] 158, 163
Control Permissions [Barracuda NG Control Center] 439
Cookie Server [DHCP] 292, 300
Cookie Timeout (Min.) [VPN] 244
Copy to Obsolete [VPN] 226
Corrupted Data Action [Statistics] 316; [Barracuda NG Control Center] 463
Count Destination IP [Firewall] 164
Count Source IP [Firewall] 164
Country [Configuration Service] 59; [Barracuda NG Control Center] 487
Create Boxes [Barracuda NG Control Center] 438
Create Cluster [Barracuda NG Control Center] 438
Create Copy ... [Barracuda NG Control Center] 427
Create Default Route [Configuration Service] 72, 74, 76, 78
Create New Key [VPN] 226
Create PAR File [Barracuda NG Control Center] 438
Create Proxy ARP [Firewall] 145, 146, 154
Create Range [Barracuda NG Control Center] 438
Create Repository [Barracuda NG Control Center] . . . . . . . 438
Client Log Level [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . . 388
Create Server [Barracuda NG Control Center]. . . . . . . . . . . 438
Client Loopback TCP Port [VPN] . . . . . . . . . . . . . . . . . . . . . . 247,
[VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 Create Service [Barracuda NG Control Center] . . . . . . . . . . 438
Client Parameters [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Create Task [Barracuda NG Control Center] . . . . . . . . . . . . 427
Client Port Used [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Create Time Interval for Rule [Firewall] . . . . . . . . . . . . . . . . 148
Client Updates [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Created [Barracuda NG Control Center] . . . . . . . . . . . . . . . . 445
Clone Routes [Configuration Service] . . . . . . . . . . . . . . . . . 73, CRL Poll Time [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 74, crlDistributionPoints [Barracuda NG Control Center]. . . . . 487
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 76, Cryptographic Service Provider [Getting Started] . . . . . . . 23
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 78 Cumulative Interval [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 137
Closing [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Cumulative Maximum [Firewall] . . . . . . . . . . . . . . . . . . . . . . . 137
Cluster [Barracuda NG Control Center] . . . . . . . . . . . . . . . . 460 Custom Template Logo [Anti-Virus]. . . . . . . . . . . . . . . . . . . . 395
Cluster Name [Barracuda NG Control Center] . . . . . . . . . . 442 Cut Whitelists [Mail Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . 269
Collect Statistics [Configuration Service] . . . . . . . . . . . . . . 53, Cycle [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 441,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 442
Color [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 494
Comment [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220,
[Eventing] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Common Name [Configuration Service] . . . . . . . . . . . . . . . 59,
[Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 487
Community [Eventing]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325,
Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z
D
Daily Report Mail to [Mail Gateway] 270
Daily Schedule [Configuration Service] 103
Data Limit (kB) [Firewall] 139
Data Selection [Configuration Service] 116, [Configuration Service] 117
Data Selector [Configuration Service] 116, [Configuration Service] 117
Data Trickle Buffer Size [Anti-Virus] 394
Data Trickle Dest. Domains [Anti-Virus] 394
Data Trickle Size [Anti-Virus] 394
Data Trickle URL Pattern [Anti-Virus] 394
Data Types for Service [Barracuda NG Control Center] 465
Data Types for Subservice [Barracuda NG Control Center] 465
Database Mirror [Anti-Virus] 391
Dataport range [FTP Gateway] 371
DDNS Domainname [DHCP] 293
DDNS Hostname [DHCP] 292
Deactivation Lag [Configuration Service] 65
Dead Neighbor Poll Interval [OSPF and RIP] 524
Dead Peer Detection Interval (s) [VPN] 220
Debug Level [Proxy] 341
Debug Log Level [Anti-Virus] 390
Def Lease Time [DHCP] 293
Default [Proxy] 344, [Proxy] 347
Default HTTPS Certificate [Firewall] 200
Default HTTPS Private Key [Firewall] 200
Default Image Name [Configuration Service] 102
Default Internal Mail Server [Mail Gateway] 264
Default Internal MX [Mail Gateway] 263
Default Key [VPN] 219
Default Master DNS [Configuration Service] 56
Default Metric [OSPF and RIP] 520, [OSPF and RIP] 522
Default NIC [Getting Started] 13
Default Policy [Firewall] 164, [Proxy] 363
Default Poll Time (secs) [Firewall] 205
Default Recipient DB [Mail Gateway] 263
Default Recipients [Mail Gateway] 263
Default Recipients Lookup [Mail Gateway] 263, [Mail Gateway] 265
Default Route Distribution [OSPF and RIP] 521
Default Route Redistribution [OSPF and RIP] 522
Default Store [Getting Started] 23
Default User specific [FTP Gateway] 372
Define Browser Access [Proxy] 346
Define Maximum Connections [Proxy] 346
Define Request Method [Proxy] 346
Define Transfer Protocol [Proxy] 346
Defined Connections [VPN] 231
Delay [VPN] 239
Delete [Barracuda NG Control Center] 424
Delete Box Logfiles [Barracuda NG Control Center] 439
Delete Box Statistics [Barracuda NG Control Center] 439
Delete Data after (Days) [Statistics] 317
Delete Data after (days) [Barracuda NG Control Center] 464
Delete Events [Barracuda NG Control Center] 439
Delete Group [Barracuda NG Control Center] 491
Delete Infected Mails [Mail Gateway] 266
Delete Service Logfiles [Barracuda NG Control Center] 439
Delete Stripped Attachments [Barracuda NG Control Center] 439
Delete Task [Barracuda NG Control Center] 426
Delete Tunnel [Barracuda NG Control Center] 492, [Barracuda NG Control Center] 494
Delete VPN Service from Group [Barracuda NG Control Center] 492
Delete VPN Service from GTI Editor [Barracuda NG Control Center] 491
Delete Wild Route [Barracuda NG Control Center] 439
Delivered Entries [Mail Gateway] 272
Delivery IPs [Mail Gateway] 264
Delivery Policy [Mail Gateway] 264
Demo Mode [Barracuda NG Control Center] 498
Demo or Export Mode [Getting Started] 11
Denied Classes [DHCP] 290
Denied source-networks [FTP Gateway] 372
Denied URLs per IP [Proxy] 365
Denied URLs per User [Proxy] 365
Deny [Firewall] 144, [Firewall] 145, [Firewall] 146, [Firewall] 147, [Firewall] 171
Deny active ftp-data transfer [FTP Gateway] 371
Deny additional ftp- commands [FTP Gateway] 371
Deny delete dir [FTP Gateway] 372
Deny Expired Certificates [Proxy] 356
Deny file-delete [FTP Gateway] 372
Deny file-download [FTP Gateway] 371, [FTP Gateway] 372
Deny file-extensions [FTP Gateway] 372
Deny file-rename [FTP Gateway] 372
Deny file-upload [FTP Gateway] 371, [FTP Gateway] 372
Deny make dir [FTP Gateway] 372
Deny on Mismatch [Firewall] 163
Deny Page [Proxy] 364
Deny passive ftp data-transfer [FTP Gateway] 371
Deny structure mount [FTP Gateway] 372
Deny Threshold [Mail Gateway] 275
Deny URL [Proxy] 364
Description [Configuration Service] 97, [Configuration Service] 118
Dest. [Firewall] 183
Destination [Firewall] 163, [Eventing] 325, [FTP Gateway] 371, [FTP Gateway] 372
Destination Address [Firewall] 187
Destination IP [Proxy] 346, [Barracuda NG Control Center] 476
Destination Port [Firewall] 187, [Barracuda NG Control Center] 476
Destination SSL Certificate [Barracuda NG Control Center] 476
Destination SSL IP [Barracuda NG Control Center] 476
Destination SSL Port [Barracuda NG Control Center] 476
Destination-specific SSL-Settings [Firewall] 200
Detect AdSpy [Anti-Virus] 391
Detect All PUA [Anti-Virus] 392
Detect All Types [Anti-Virus] 391
Detect Appl. Model Mismatch [Configuration Service] 53
Detect BDC [Anti-Virus] 391
Detect Broken Executables [Anti-Virus] 392
Detect Dialers [Anti-Virus] 391
Detect Games [Anti-Virus] 391
Detect HiddenExt [Anti-Virus] 391
Detect Jokes [Anti-Virus] 391
Detect Pck [Anti-Virus] 391
Detect Phish [Anti-Virus] 391
Detect Spr [Anti-Virus] 391
Detection Regex [Anti-Virus] 394
Device [Getting Started] 10, [Configuration Service] 89, [Firewall] 195
Device Addresses Reside [Firewall] 149
Device Autodetection [DHCP] 289
Device Index [VPN] 220, [VPN] 240
Device IP Address [Firewall] 194
Device Name [Configuration Service] 86
Device Realm [Configuration Service] 80
Devices [Configuration Service] 89, [OSPF and RIP] 522
devmtu [Configuration Service] 73
DHCP Client Identifier [DHCP] 291
DHCP Connect Timeout [Configuration Service] 73
DHCP Enabled [Configuration Service] 73
DHCP Interface [Configuration Service] 73
DHCP Packet Size [DHCP] 302
DHCP Server Identifier [DHCP] 289
DHCP Server IPs [DHCP] 302
DHCP Server Permissions [Barracuda NG Control Center] 439
DH-Group [VPN] 227, [VPN] 240, [Barracuda NG Control Center] 494
Dial Allowed From [Configuration Service] 75
Dial Allowed Until [Configuration Service] 75
Dial Mode [Configuration Service] 75
Dial Out Prefix [Configuration Service] 74
Digest Authentication Key [OSPF and RIP] 521, [OSPF and RIP] 523
Direction [Firewall] 160, [VPN] 233, [VPN] 240
Barracuda NG Firewall 4.2.10 | Revision 3.5 , Barracuda Networks 2010
572 | Index of Configuration Parameters Appendix
Directory Pattern [Statistics] 316, [Barracuda NG Control Center] 464, [Barracuda NG Control Center] 465
Disable [Firewall] 168
Disable & Terminate [Firewall] 168
Disable Assembler Ciphers [Firewall] 136
Disable Box [Configuration Service] 53
Disable Device Check [Firewall] 158
Disable Events System Tray [Getting Started] 22
Disable FTP [Proxy] 341
Disable Interface Check [Firewall] 158
Disable Nagle Algorithm (No Delayed ACK) [Firewall] 163
Disable Quarantine Group [Firewall] 195
Disable Service [Configuration Service] 97
Disable Session Passwords [Configuration Service] 119
Disable Smartcard / Token [Getting Started] 23
Disable Summary [OSPF and RIP] 521
Disable Update [Anti-Virus] 390, [Barracuda NG Control Center] 441
Disable Updates [Barracuda NG Control Center] 442
Disable/Enable VPN Tunnels [Barracuda NG Control Center] 439
Disabled [Configuration Service] 91, [VPN] 233, [Barracuda NG Control Center] 423
Disc Write [Statistics] 316
Disk [Getting Started] 12
DLP [Proxy] 351, [Anti-Virus] 396
DLP Exception URLs [Proxy] 351, [Anti-Virus] 396
DNS [VPN] 226, [VPN] 229
DNS Config [DNS] 333
DNS Database Info [Anti-Virus] 391
DNS Lifetime (Sec) [Firewall] 150
DNS Master IP [Configuration Service] 56
DNS Query [Mail Gateway] 266
DNS Query ACL [Configuration Service] 56
DNS Query Rotation [Configuration Service] 55
DNS Query Timeout [Configuration Service] 55
DNS Resolved IP [Configuration Service] 114
DNS Reverse Lookup [SSH Gateway] 387
DNS Search Domains [Configuration Service] 55
DNS Server [DHCP] 299
DNS Server IP [Configuration Service] 55, [DHCP] 294
DNS Servers [DHCP] 292
DNS Slave Zones [Configuration Service] 56
DNS Update Scheme [DHCP] 294
DNS Zone [DHCP] 290
DNS Zones [DHCP] 294
Do Fwd Updates [DHCP] 293
Domain [Configuration Service] 59, [VPN] 226, [VPN] 228, [Anti-Virus] 393
Domain Action [Mail Gateway] 275
Domain Config [Proxy] 346
Domain Controller [Configuration Service] 113, [Proxy] 344
Domain Controller IP [Configuration Service] 112, [Configuration Service] 115
Domain Controller Name [Configuration Service] 112, [Configuration Service] 115
Domain Manipulation [Mail Gateway] 267
Domain Name [Configuration Service] 115, [DHCP] 292, [DHCP] 299
Domain Realm [Configuration Service] 112
Domain Restrictions [Proxy] 342
Domain Suffix [Getting Started] 11
Domain Whitelist [Mail Gateway] 275
DomainController [Barracuda NG Control Center] 487
Domains [Mail Gateway] 264, [Proxy] 346, [Anti-Virus] 394
Download CRLs at Hour (0.23) [Proxy] 356
Download Server [Anti-Virus] 391
Driver Module Name [Configuration Service] 63
Driver Options [Configuration Service] 63
Driver Type [Configuration Service] 63
Drop Event [Eventing] 323
Drop event [Eventing] 324
Drop Fragmented Mails [Mail Gateway] 271
Drop Mails over Attachment Limit [Mail Gateway] 271
Drop prohibited Protocols [Firewall] 162
Dropped Packets [Firewall] 138
DSA Host Key [SSH Gateway] 387
DSN for Max Data Size Excess [Mail Gateway] 271
DSN for Max Recipients Excess [Mail Gateway] 271
DSN Mails in MIME-Format [Mail Gateway] 266
Dst Statistics [Configuration Service] 97
Dst Time-Statistics [Configuration Service] 97
Duplicates Policy [DHCP] 291
Duration of Validity [Barracuda NG Control Center] 486
Dyn. Service [Firewall] 152
Dyn. Service Name Entries [Firewall] 135
Dynamic Address Assignment [Configuration Service] 75
Dynamic BOOTP Lease Time [DHCP] 293
Dynamic DNS Params [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 78
Dynamic Rule Control [Barracuda NG Control Center] 439
Dynamic Rule Selector [VPN] 248
Dyndns Name [Configuration Service] 72, [Configuration Service] 73, [Configuration Service] 75, [Configuration Service] 78
F G
Failed [Barracuda NG Control Center] . . . . . . . . . . . . . . . . . 423 Garbage Collect Timer [OSPF and RIP] . . . . . . . . . . . . . . . . . 522
Failed Local Sessions [Firewall]. . . . . . . . . . . . . . . . . . . . . . . 138 Gatekeeper Bind IP [Voice over IP]. . . . . . . . . . . . . . . . . . . . . 377
Failed Sessions Termination [Firewall]. . . . . . . . . . . . . . . . . 138 Gatekeeper Name [Voice over IP]. . . . . . . . . . . . . . . . . . . . . . 377
Failing [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Gatekeeper Password [Voice over IP] . . . . . . . . . . . . . . . . . . 377
Failure Retry Intervals (Minutes) [Configuration Service] 59 Gateway [Getting Started] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10,
Failure Standoff [Configuration Service]. . . . . . . . . . . . . . . 67, [Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 69,
[Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 79 [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Fallback [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Gateway Hostname [Voice over IP] . . . . . . . . . . . . . . . . . . . . 377
Fallback Driver Options [Configuration Service] . . . . . . . . 63 Gateway IP [Voice over IP]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 377,
Fallback Enabled [Configuration Service] . . . . . . . . . . . . . . 63 [OSPF and RIP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Fallback Module Name [Configuration Service] . . . . . . . . . 63 Gateway to Modem IP [Configuration Service] . . . . . . . . . . 72
File [Getting Started] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 GC Busy Threshold [Configuration Service] . . . . . . . . . . . . . 116,
File Extension Filter [Mail Gateway] . . . . . . . . . . . . . . . . . . . 269 [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 473
File Limit [Firewall]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 GC Elasticity [Configuration Service] . . . . . . . . . . . . . . . . . . . 100
File Sync Frequency (lines) [Barracuda NG Control Center] 474 GC Idle Threshold [Configuration Service] . . . . . . . . . . . . . . 116,
[Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 473
File system [Getting Started] . . . . . . . . . . . . . . . . . . . . . . . . . 12
GC Interval [Configuration Service] . . . . . . . . . . . . . . . . . . . . 101
Filename [Proxy] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
GC Min Interval [Configuration Service] . . . . . . . . . . . . . . . . 101
Filename Length [FTP Gateway] . . . . . . . . . . . . . . . . . . . . . . 371
GC Threshold [Configuration Service] . . . . . . . . . . . . . . . . . . 101
Filled [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 494
GC Timeout [Configuration Service]. . . . . . . . . . . . . . . . . . . . 101
Filter [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160,
[Statistics] . . . 313
Filter Box Affiliation [Barracuda NG Control Center] . . . 475
Find String [Proxy] . . . 363
Firewall Always ON [VPN] . . . 228
Firewall login [Proxy] . . . 362
Firewall Permissions [Barracuda NG Control Center] . . . 439
Firewall Rule Activation [VPN] . . . 248
First DNS [VPN] . . . 222
First WINS [VPN] . . . 222
First-IP (S1) [Configuration Service] . . . 95
Fit to Screen [Barracuda NG Control Center] . . . 492
Fixed IP Address [DHCP] . . . 291
Fixed Radius Password [Voice over IP] . . . 377
Fixed Radius User [Voice over IP] . . . 377
Flags [Getting Started] . . . 23
Flood Ping [Firewall] . . . 138
Follow Referrals [Configuration Service] . . . 112
Force Delete [Barracuda NG Control Center] . . . 424
Force Flash [Configuration Service] . . . 101
Force Full Update [Barracuda NG Control Center] . . . 492
Force Key Authentication [Configuration Service] . . . 107
Force MSS (Maximum Segment Size) [Firewall] . . . 163
Force Non Flash [Configuration Service] . . . 101
Force password change every [Barracuda NG Control Center] . . . 459
Force re-authentication [Firewall] . . . 199
foreign [Mail Gateway] . . . 264
Foreign IP Sufficient [Configuration Service] . . . 69
Forward [Firewall] . . . 178,
[DNS] . . . 334
forward [DNS] . . . 333
Forward Band [Firewall] . . . 144
Forward Log Policy [Firewall] . . . 137
forward source-ip [DNS] . . . 334
Forward X11 Connection [SSH Gateway] . . . 387
Forward X11 connections [SSH Gateway] . . . 388
Forward Zone Name [DHCP] . . . 294
forwarders [DNS] . . . 333
Forwards [DNS] . . . 334
Free Format Text [DHCP] . . . 295,
[OSPF and RIP] . . . 525
FTP-command/protocol check [FTP Gateway] . . . 371
Full Address Manipulation [Mail Gateway] . . . 267
Full Name [Configuration Service] . . . 55,
[Configuration Service] . . . 91,
[Barracuda NG Control Center] . . . 441,
[Barracuda NG Control Center] . . . 442,
[Barracuda NG Control Center] . . . 458
Fully Meshed [Barracuda NG Control Center] . . . 494
Further Subnets [DHCP] . . . 290
Further Tries Transport Selection Policy [VPN] . . . 237
G
Generate Audit Info [Firewall] . . . 138
Generate Events [Firewall] . . . 137
Generate Statistics [Configuration Service] . . . 97
Generic Application Tunneling [VPN] . . . 247
Generic Forwarded Networks [Firewall] . . . 137
Generic OID [VPN] . . . 231
Generic Schedule [Configuration Service] . . . 103
Generic squid.conf Entries [Proxy] . . . 351
Geometry Quality [Barracuda NG Control Center] . . . 497
Global Append Option [Configuration Service] . . . 102
Global Position [Configuration Service] . . . 53
Global Replay Window Size [VPN] . . . 219
Global Reverse Device Policy [Firewall] . . . 136
Global TCP Delay Policy [Firewall] . . . 136
Global TOS Copy [VPN] . . . 219
Go to Box [Barracuda NG Control Center] . . . 492
Go to Config Tree [Barracuda NG Control Center] . . . 492
Grace period after expiration [Barracuda NG Control Center] . . . 459
Graphical API [Barracuda NG Control Center] . . . 497
GRE with Assigned IP [Configuration Service] . . . 73,
[Configuration Service] . . . 74,
[Configuration Service] . . . 76,
[Configuration Service] . . . 78
Greeting Name [Mail Gateway] . . . 263
Grey Listing Settings [Mail Gateway] . . . 269
Grey Listing Time [Mail Gateway] . . . 270
Group [VPN] . . . 231
Group Attribute [Configuration Service] . . . 113,
[Configuration Service] . . . 114
Group Attribute Delimiter [Configuration Service] . . . 114
Group Attribute Usage [Configuration Service] . . . 114
Group Description [DHCP] . . . 291
Group DHCP Options [DHCP] . . . 291
Group Name [Configuration Service] . . . 115
Group Parameters [DHCP] . . . 291
Group Pattern [VPN] . . . 231
Group Patterns [Firewall] . . . 201
Groups [Proxy] . . . 346
grow [Getting Started] . . . 12
GTI Editor Defaults [Barracuda NG Control Center] . . . 491
GUI Corresponding Text [DHCP] . . . 294
Numerics | A B C D E F G H I K L M N O P Q R S T U V W X Y Z
H
H.323 Alias [Voice over IP]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
H.323 Endpoints [Voice over IP] . . . . . . . . . . . . . . . . . . . . . . . 377
H.323 Neighbors [Voice over IP] . . . . . . . . . . . . . . . . . . . . . . . 377
HA Sync [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
HA Sync Key [SSH Gateway] . . . . . . . . . . . . . . . . . . . . . . . . . . 387
HA Sync Mode [Barracuda NG Control Center] . . . . . . . . . . 461,
[Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 485
HA Sync Period [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
HA Sync Timeout [Barracuda NG Control Center]. . . . . . . . 437
HA Synchronisation [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Halfside Close Timeout (s) [Firewall] . . . . . . . . . . . . . . . . . . . 163
hared Network Device [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . . 289
Hash Meth. [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227,
[VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240,
[Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . 494
Header Reordering [Configuration Service] . . . . . . . . . . . . . 66
Header Trickle Dest. Domains [Anti-Virus] . . . . . . . . . . . . . . 394
Header Trickle Pattern [Anti-Virus] . . . . . . . . . . . . . . . . . . . . 394
Help Text (html) [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Heuristic Macro Detection [Anti-Virus] . . . . . . . . . . . . . . . . . 391
Heuristic Others Detection [Anti-Virus]. . . . . . . . . . . . . . . . . 392
Heuristic Scan Precedence [Anti-Virus] . . . . . . . . . . . . . . . . 392
Hide in netfence VPN World [Barracuda NG Control Center] 493
Hint [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Hint Zone [DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
History [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . 445
HMAC-MD5 Key [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Host [VPN] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336,
[DNS] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337,
[Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Host IP [Configuration Service]. . . . . . . . . . . . . . . . . . . . . . . . 55
Host Name [Configuration Service] . . . . . . . . . . . . . . . . . . . . 55,
[DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Host Name or IP Address [VPN] . . . . . . . . . . . . . . . . . . . . . . . 231
Hosting Interface [Configuration Service] . . . . . . . . . . . . . . 65
Hostname [Getting Started]. . . . . . . . . . . . . . . . . . . . . . . . . . . 11,
[Configuration Service] . . . . . . . . . . . . . . . . . . . . . . . . 62,
[OSPF and RIP]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Hostname via Rev-DNS [DHCP]. . . . . . . . . . . . . . . . . . . . . . . . 293
HTML Templates [Anti-Virus] . . . . . . . . . . . . . . . . . . . . . . . . . 390
HTTP Authentication [Configuration Service] . . . . . . . . . . . 59
HTTP/1.1-Keep-Alive [Firewall] . . . . . . . . . . . . . . . . . . . . . . . . . 199
HTTP/1.1-Keep-Alive timeout [Firewall] . . . . . . . . . . . . . . . . . 199
Hub [Barracuda NG Control Center]. . . . . . . . . . . . . . . . . . . . 494
HW Accel. [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
HW Acceleration [VPN]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
I
I/O Tuning [Configuration Service] . . . 101
ICP Port [Proxy] . . . 341,
[Proxy] . . . 342
ID [Configuration Service] . . . 87
IDE-DMA Support [Configuration Service] . . . 101
Identification Type [VPN] . . . 241
Idle Hangup Time [Configuration Service] . . . 75
Idle Mode [Configuration Service] . . . 116,
[SSH Gateway] . . . 387,
[Barracuda NG Control Center] . . . 472,
[OSPF and RIP] . . . 519
Idle Timeout [VPN] . . . 223
IEN Name Server [DHCP] . . . 292,
[DHCP] . . . 300
Image [Getting Started] . . . 15
Import ... [Barracuda NG Control Center] . . . 428,
[Barracuda NG Control Center] . . . 432
Import Key... [VPN] . . . 226
Import License [Barracuda NG Control Center] . . . 439
Import Rulelist... [Firewall] . . . 143
Impress Server [DHCP] . . . 292,
[DHCP] . . . 300
Inactive [Configuration Service] . . . 54,
[Firewall] . . . 165
inactive [Firewall] . . . 144
Inactivity Grace Time [SSH Gateway] . . . 388
Inbound [Firewall] . . . 136,
[Firewall] . . . 163,
[Firewall] . . . 171
Inbound Bandwidth [Configuration Service] . . . 89
Inbound Rate [Configuration Service] . . . 87
Inbound SMS Handling [Configuration Service] . . . 77
Inbound Threshold (%) [Firewall] . . . 136
Inbound-User [Firewall] . . . 171
Include Node Creation [Barracuda NG Control Center] . . . 502
Include Server IPs [Configuration Service] . . . 80
Include Subdomains [Mail Gateway] . . . 263
Included subservice directories [Barracuda NG Control Center] . . . 465
Info [Barracuda NG Control Center] . . . 494
Initial Data Trickle Size [Anti-Virus] . . . 394
Initial directory [FTP Gateway] . . . 371
Initiation Timeout [VPN] . . . 223
Insert [Eventing] . . . 328
Insert new Personal Network [VPN] . . . 218
Install Utilities [Getting Started] . . . 13
Instances [Statistics] . . . 315
Area ID [OSPF and RIP] . . . 521
Inteface Realm [Configuration Service] . . . 62
Interface [Firewall] . . . 154,
[Firewall] . . . 183
Interface Addresses [OSPF and RIP] . . . 523
Interface Computation [Configuration Service] . . . 64
Interface Default [OSPF and RIP] . . . 522
Interface Description [OSPF and RIP] . . . 523
Interface Groups [Firewall] . . . 142
Interface Monitoring Policy [Configuration Service] . . . 96
Interface Name [Configuration Service] . . . 62,
[Configuration Service] . . . 65,
[Configuration Service] . . . 69,
[Firewall] . . . 154,
[OSPF and RIP] . . . 524
Interface Realm [Configuration Service] . . . 69,
[Configuration Service] . . . 73,
[Configuration Service] . . . 74,
[Configuration Service] . . . 76,
[Configuration Service] . . . 78
Interface Usage [Configuration Service] . . . 64
Interface/Tunnel Name [Configuration Service] . . . 87
Interfaces [OSPF and RIP] . . . 523
interfaces [SNMP] . . . 515
internal [Mail Gateway] . . . 264
Internal Interface Name [Configuration Service] . . . 63
Internal IP-Addresses [Mail Gateway] . . . 266
Internal Listen Address [Mail Gateway] . . . 263
Introduce Route on Device [Firewall] . . . 159
Introduce Routes [Firewall] . . . 149
Invalid ARPs [Firewall] . . . 138
Inventory [Configuration Service] . . . 103
INVITE Timeout [Voice over IP] . . . 378
IP [Getting Started] . . . 12
ip [SNMP] . . . 515
IP Address [Getting Started] . . . 10,
[Configuration Service] . . . 62,
[Firewall] . . . 195,
[Firewall] . . . 205,
[VPN] . . . 223,
[DHCP] . . . 299,
[DNS] . . . 336
IP address [DNS] . . . 337
IP Address or Device used for Tunnel Address [VPN] . . . 235
IP Address/Mask [SNMP] . . . 515
IP Addresses [VPN] . . . 219,
[VPN] . . . 220
IP Begin [DHCP] . . . 290
IP Blacklist [Mail Gateway] . . . 270
IP Configuration [Proxy] . . . 345,
[Proxy] . . . 346
IP Dyn Address [Configuration Service] . . . 100
IP End [DHCP] . . . 290
IP Monitoring Policy [Configuration Service] . . . 95
IP Netmask [Firewall] . . . 194
IP Prefix List [OSPF and RIP] . . . 522,
[OSPF and RIP] . . . 524
IP Ranges [Proxy] . . . 345,
[Proxy] . . . 346
IP Spoofing [Firewall] . . . 138
IP/Hostname [Proxy] . . . 342
IP/Mask [Proxy] . . . 343
IP-Begin [DHCP] . . . 299
IP-End [DHCP] . . . 299
IPs Allowed To Connect (ACL) [Mail Gateway] . . . 277
IPSec Client [VPN] . . . 231
IPSec Log Level [VPN] . . . 220
IPSec Personal [VPN] . . . 220
IPSec PSK [VPN] . . . 223
IPSec Site-to-Site [VPN] . . . 220
IRC [Anti-Virus] . . . 392
ISDN Card [Configuration Service] . . . 74
ISDN Enabled [Configuration Service] . . . 74
ISDN MSN [Configuration Service] . . . 74
ISDN on Standby [Configuration Service] . . . 74
ISDN Settings [Configuration Service] . . . 74
Issuer [Firewall] . . . 201,
[VPN] . . . 219,
[VPN] . . . 220
issuerAltName [Barracuda NG Control Center] . . . 487
K
Keep Fail Cache Entries (d) [Proxy] . . . 341
Keep Log Structure [Configuration Service] . . . 104
Keep Mails In Mailbox [Mail Gateway] . . . 277
Keep Structural Info [Barracuda NG Control Center] . . . 476
Kernel Parameter [Getting Started] . . . 14
Key Algorithm [Barracuda NG Control Center] . . . 486
Key Encryption [Barracuda NG Control Center] . . . 486
Key Length [Getting Started] . . . 23
Key Regeneration Period [Configuration Service] . . . 107
Key Time Limit [VPN] . . . 226,
[VPN] . . . 228,
[VPN] . . . 234,
[Barracuda NG Control Center] . . . 493
Key Traffic Limit [VPN] . . . 226,
[VPN] . . . 228,
[VPN] . . . 234,
[Barracuda NG Control Center] . . . 493
Key/Key String [OSPF and RIP] . . . 521
Keyboard Layout [Getting Started] . . . 11
Keysize in Bits [Barracuda NG Control Center] . . . 486
keyUsage [Barracuda NG Control Center] . . . 487
Kill Handler Processes [Barracuda NG Control Center] . . . 439
Kill Sessions [Barracuda NG Control Center] . . . 438,
[Barracuda NG Control Center] . . . 439
Kill Worker Process [Mail Gateway] . . . 272
Kind of Application [VPN] . . . 247
Known Clients [DHCP] . . . 290,
[DHCP] . . . 291
Known Hosts [Configuration Service] . . . 55
V
Validate Password [Barracuda NG Control Center] . . . 486
Value [VPN] . . . 232
Vendor [DHCP] . . . 292
Verbose [DHCP] . . . 299
Verbose Logging [Configuration Service] . . . 104,
[Configuration Service] . . . 111
Version Control System [Barracuda NG Control Center] . . . 500
View [SNMP] . . . 515
View as list [Barracuda NG Control Center] . . . 492
View Configuration [Barracuda NG Control Center] . . . 439
View License Data [Barracuda NG Control Center] . . . 439
View Rule Set [Barracuda NG Control Center] . . . 439
View Stripped Attachments [Barracuda NG Control Center] . . . 439
View Trace Output [Barracuda NG Control Center] . . . 439
Views [Barracuda NG Control Center] . . . 491
Virscan Service Permissions [Barracuda NG Control Center] . . . 439
Virtual Device [Configuration Service] . . . 88
Virtual IP (VIP) [Configuration Service] . . . 67
Virtual Link ID (ABR) [OSPF and RIP] . . . 521
Virtual Link Params [OSPF and RIP] . . . 521
Virus Protection [Mail Gateway] . . . 269
Visible Hostname [Proxy] . . . 341
Visible Interface Name [Configuration Service] . . . 63
Visible Name [VPN] . . . 246,
[VPN] . . . 247,
[VPN] . . . 248
VJ Connection-ID [Configuration Service] . . . 75
VJ TCP Header [Configuration Service] . . . 75
VLAN Description [Configuration Service] . . . 65
VLAN ID [Configuration Service] . . . 65
VPN Device Index [VPN] . . . 235,
[VPN] . . . 240
VPN Group [Firewall] . . . 201
VPN HW Modules [Firewall] . . . 136
VPN Interface [Configuration Service] . . . 67
VPN Local IP [Configuration Service] . . . 67
VPN Name [Firewall] . . . 201
VPN Point of Entry [Configuration Service] . . . 67
VPN Port [Configuration Service] . . . 67
VPN Rate Limit [Firewall] . . . 136
VPN Rules [VPN] . . . 226,
[VPN] . . . 228
VPN Server Permissions [Barracuda NG Control Center] . . . 439
VPN-Server Listen IPs [VPN] . . . 245
VPN-Type [VPN] . . . 226
W
Waiting Period [Configuration Service] . . . 67
Waiting Period (s/probe) [Configuration Service] . . . 79
Warning Period [Configuration Service] . . . 92
Warning period before expiration [Barracuda NG Control Center] . . . 459
Watch Control Daemon [Configuration Service] . . . 111
Watch SSH Daemon [Configuration Service] . . . 111
Water is transparent [Barracuda NG Control Center] . . . 497
Web Resources [VPN] . . . 246
WebDAV Address [VPN] . . . 247
WebDAV Resources [VPN] . . . 247
WebDAV Sharename [VPN] . . . 247
Weekday/Hour [Configuration Service] . . . 88
Weight [Firewall] . . . 154
Weight Number [Configuration Service] . . . 69
Welcome message [FTP Gateway] . . . 372
Went Operational [Configuration Service] . . . 53
When using BULK transports [VPN] . . . 237
When using QUALITY transports [VPN] . . . 237
White List [Proxy] . . . 363
White List Peers [Mail Gateway] . . . 270
White List Senders [Mail Gateway] . . . 270
Whitelist From [Mail Gateway] . . . 276
Whitelist To [Mail Gateway] . . . 276
Wild [Barracuda NG Control Center] . . . 423
Wildcard Support [Configuration Service] . . . 72,
[Configuration Service] . . . 73,
[Configuration Service] . . . 75,
[Configuration Service] . . . 78
Windows Domain Name [Proxy] . . . 343
WINS [VPN] . . . 226,
[VPN] . . . 229
WINS Server [Configuration Service] . . . 113,
[DHCP] . . . 292,
[DHCP] . . . 299
Workgroup Name [Configuration Service] . . . 112
World Texture from [Barracuda NG Control Center] . . . 497
Write [Barracuda NG Control Center] . . . 445
Write Cache-Log [Proxy] . . . 341
Write Store-Log [Proxy] . . . 341
Write USB stick [Getting Started] . . . 14
WWW root [Firewall] . . . 199
X
X509 Certificate [VPN] . . . 229
X509 Certificate & Login+Password Authentication [Firewall] . . . 201
X509 Certificate Authentication [Firewall] . . . . . . . . . . . . . . 201
X509 Key Usage [Configuration Service] . . . . . . . . . . . . . . . 59
X509 Login Extraction Field [VPN]. . . . . . . . . . . . . . . . . . . . . 230
xDSL Enabled [Configuration Service]. . . . . . . . . . . . . . . . . . 71
XML Services Management [Barracuda NG Control Center] 439
Y
Yearly Schedule [Configuration Service] . . . . . . . . . . . . . . . 103
Your Level [Barracuda NG Control Center] . . . . . . . . . . . . . 445
Z
Zone Keys [DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Zone Type [Configuration Service]. . . . . . . . . . . . . . . . . . . . . 56,
[DHCP] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Zoom out/in [Barracuda NG Control Center] . . . . . . . . . . . . 492
7. Table Directory
Table 0-1 Text conventions of the documentation . . . . . 4
1 Getting Started
Table 1-1 USB stick Formatting . . . . . 10
Table 1-2 Types of DEMO versions in Barracuda NG Firewall 4.2 . . . . . 11
Table 1-3 Availability of services on Appliance Models . . . . . 16
Table 1-4 Contents of the Overview segment . . . . . 18
Table 1-5 Comparison CIDR - inverted CIDR notation . . . . . 25
2 Control
Table 2-1 Status icons flagging tabs in the Control window . . . . . 28
Table 2-2 Connection status icons . . . . . 28
Table 2-3 Server status and configuration . . . . . 29
Table 2-4 Icons for network interface types . . . . . 30
Table 2-5 Icons for network connection status . . . . . 31
Table 2-6 Example: Route handling, networks . . . . . 33
Table 2-7 Example: Route handling, corresponding direct route . . . . . 33
Table 2-8 Example: Route handling, no Source IP address . . . . . 33
Table 2-9 Example: Route handling, gateway routes . . . . . 34
Table 2-10 Example: Route handling, valid source IP address . . . . . 34
Table 2-11 Example configuration for router and firewall . . . . . 35
Table 2-12 Router configuration . . . . . 35
Table 2-13 Routing state on active firewall box . . . . . 35
Table 2-14 Routing state on backup firewall box . . . . . 35
Table 2-15 Routing state on both firewall boxes . . . . . 35
Table 2-16 Routing state on both firewall boxes . . . . . 35
Table 2-17 Tabular listing of the elements of the process status panel . . . . . 36
Table 2-18 Version Status - Properties . . . . . 37
Table 2-19 Possible authentication options . . . . . 39
Table 2-20 Box control BOX SCEP Status commands . . . . . 40
Table 2-21 Session types overview . . . . . 40
3 Configuration Service
Table 3-1 Required software modules sufficient for management and controlled low level operation of a box . . . . . 44
Table 3-2 Lock indicator icons . . . . . 45
Table 3-3 Box configuration window icons . . . . . 46
Table 3-4 Buttons of configuration window for session management and status retrieval . . . . . 47
Table 3-5 Box specific configuration items . . . . . 51
Table 3-6 Classification of the available sections . . . . . 61
Table 3-7 NICs supporting VLAN technology . . . . . 65
Table 3-8 Routing rules . . . . . 70
Table 3-9 Traffic Shaping Settings Virtual Tree commands . . . . . 85
Table 3-10 Traffic Shaping Settings Interface commands . . . . . 86
Table 3-11 Traffic Shaping Settings Shaping connector commands . . . . . 87
Table 3-12 Realtime Information Shaping . . . . . 88
Table 3-13 Realtime Information Shaping commands . . . . . 88
Table 3-14 Bandwidth calculation by ratio . . . . . 89
Table 3-15 Bandwidth calculation by total percentage . . . . . 89
Table 3-16 Example 1 Policy Definition configuration . . . . . 90
Table 3-17 Example 1 Interfaces configuration . . . . . 90
Table 3-18 Example 2 Policy Definition configuration . . . . . 91
Table 3-19 Example 2 Interfaces configuration . . . . . 91
4 Firewall
Table 4-1 Firewall notions . . . . . 133
Table 4-2 Audit events . . . . . 138
Table 4-3 Rule marks utilized in the rule overview window . . . . . 141
Table 4-4 Currently available modules . . . . . 152
Table 4-5 Example Setup 1 Rule configuration firewalls A and B . . . . . 155
Table 4-6 Example Setup 2 Rule configuration firewalls A and B . . . . . 155
Table 4-7 Recommendation for creation of Proxy ARPs . . . . . 158
Table 4-8 Forward policy comparison . . . . . 168
Table 4-9 Rule Tester Test Result icons . . . . . 173
Table 4-10 Exemplary LAN scenario . . . . . 174
Table 4-11 Exemplary rule configuration in comparison . . . . . 176
Table 4-12 Improved rule configuration . . . . . 177
Table 4-13 Status types and their origin . . . . . 180
Table 4-14 Overview of possible access cache entries . . . . . 181
Table 4-15 Reasons for connection denials . . . . . 184
Table 4-16 Reasons for connection blocks . . . . . 184
Table 4-17 Reasons for connection drops . . . . . 184
Table 4-18 Reasons for connection failures . . . . . 185
Table 4-19 Columns available in the upper section of the Dynamic Rules tab . . . . . 186
Table 4-20 Columns available in the lower section of the Dynamic Rules tab . . . . . 186
Table 4-21 Columns in the protected IPs tab . . . . . 186
Table 4-22 Rule state overview . . . . . 186
Table 4-23 Possible tracing conditions . . . . . 187
Table 4-24 Bridging characteristics in comparison . . . . . 191
Table 4-25 Structural breakdown of bridging units . . . . . 192
Table 4-26 Overview of bridging operational information in the Bridging ARPs tab . . . . . 197
Table 4-27 Broad-Multicast action type rule configuration . . . . . 198
Table 4-28 Monitoring parameters overview . . . . . 203
Table 4-29 RPC comparison passive / active . . . . . 204
Table 4-30 Monitoring parameters overview . . . . . 209
5 VPN
Table 5-1 Client/Server Communication Options . . . . . 212
Table 5-2 Comparison of Different Tunnel Transport Modes . . . . . 215
Table 5-3 VPN configuration - Introduce and Configure . . . . . 217
Table 5-4 Involved Objects within a VPN Framework . . . . . 233
Table 5-5 Example for TI Learning Policy . . . . . 237
Table 5-6 SSL tunnels . . . . . 250
Table 5-7 Possible "Last Connection" States . . . . . 253
Table 5-8 Fully Transparent Tunnel VPN Configuration on VPN server 1 . . . . . 254
Table 5-9 Fully Transparent Tunnel VPN configuration on VPN server 2 . . . . . 254
Table 5-10 Stealth Tunnel VPN Configuration on VPN Server 1 . . . . . 254
Table 5-11 Stealth Tunnel VPN configuration on VPN server 2 . . . . . 255
Table 5-12 Relationship between Local and Partner Networks . . . . . 255
Table 5-13 Redundant VPN Tunnel Example . . . . . 256
Table 5-14 Redundant VPN Tunnel Example Parameter Settings . . . . . 256
Table 5-15 Redundant VPN Tunnel Direct Routes for VPN Server 1 . . . . . 256
Table 5-16 Redundant VPN tunnel Direct Routes for VPN server 2 . . . . . 256
6 Mail Gateway
Table 6-1 Items of the Navigation Bar's main element "Configuration" . . . . . 262
Table 6-2 E-mail client configuration . . . . . 265
7 DHCP
Table 7-1 Example Configuration parameters for Subnet1 . . . . . 296
Table 7-2 Example Configuring Address Pool 1 for Subnet1 . . . . . 296
Table 7-3 Example Configuring Address Pool 2 for Subnet1 . . . . . 296
Table 7-4 Example Configuration parameters for Subnet2 . . . . . 297
Table 7-5 Example Configuring Address Pool 1 for Subnet2 . . . . . 297
Table 7-6 Example Configuration parameters for Known Clients 1 . . . . . 297
Table 7-7 Example Configuration parameters for Known Clients 2 . . . . . 297
8 Log Viewer
Table 8-1 Navigation arrows and their function . . . . . 307
Table 8-2 Log Entry types . . . . . 308
Table 8-3 Event Log Message Attributes . . . . . 308
Table 8-4 Event Log Message ID and text . . . . . 308
Table 8-5 Log file entries related to clock skew detection . . . . . 309
Table 8-6 Log file entries related to synchronisation of polling list and database . . . . . 309
Table 8-7 Log file entries related to synchronisation of polling list and database . . . . . 309
Table 8-8 Log file entries related to synchronisation between HA-databases - Scenarios which will stop task MAIN . . . . . 309
Table 8-9 Log file entries related to synchronisation between HA-databases - Scenarios which will not stop task MAIN . . . . . 310
9 Statistics
Table 9-1 Services responsible for statistics files handling . . . . . 312
10 Eventing
Table 10-1 Overview of events in the Events tab . . . . . 323
Table 10-2 Font styles characterising event settings . . . . . 323
Table 10-3 SNMP Parameters . . . . . 326
Table 10-4 SNMP Service notifications . . . . . 327
11 DNS
Table 11-1 Supplementary DNS configuration objects overview . . . . . 338
12 Proxy
Table 12-1 Short overview of metacharacters in regular expressions . . . . . 345
Table 12-2 Actions configuration . . . . . 350
Table 12-3 Example: squid.conf file httpd_accel directive . . . . . 353
Table 12-4 Example: squid.conf file corresponding options . . . . . 353
Table 12-5 URL categories overview . . . . . 366
13 FTP Gateway
14 Voice over IP
Table 14-1 SIP Monitoring parameters overview . . . . . 380
15 Wireless LAN
16 SSH Gateway
17 Anti-Virus
18 High Availability
Table 18-1 State table with working communication . . . . . 400
Table 18-2 Communication between HA partners; ARPs are independent from a HA system . . . . . 400
Table 18-3 Designing a HA System Used IP addresses . . . . . 403
Table 18-4 Designing a HA system Translated HA IP . . . . . 403
Table 18-5 Designing a HA system network routes . . . . . 403
20 SNMP
22 System Information
Table 22-1 Basic overview of the NGFW OS Linux system and its licensing concepts . . . . . 532
Table 22-2 Ports overview . . . . . 535
Table 22-3 Layer-IDs overview . . . . . 536
Table 22-4 Class-IDs overview . . . . . 536
Table 22-5 Operational Events overview . . . . . 537
Table 22-6 Security Events overview . . . . . 539
23 Appendix
Table 23-1 Barracuda NG Firewall F800 - Box > Network . . . . . 548
Table 23-2 Barracuda NG Firewall F600 - Box > Network . . . . . 548
Table 23-3 Barracuda NG Firewall F200 - Box > Network . . . . . 548
Table 23-4 Barracuda NG Firewall F100 - Box > Network . . . . . 548
Table 23-5 Glossary A . . . . . 604
Table 23-6 Glossary C . . . . . 604
Table 23-7 Glossary D . . . . . 605
Table 23-8 Glossary E . . . . . 605
Table 23-9 Glossary F . . . . . 606
Table 23-10 Glossary G . . . . . 606
Table 23-11 Glossary H . . . . . 606
Table 23-12 Glossary I . . . . . 606
Table 23-13 Glossary K . . . . . 606
Table 23-14 Glossary L . . . . . 607
Table 23-15 Glossary M . . . . . 607
Table 23-16 Glossary N . . . . . 607
Table 23-17 Glossary O . . . . . 607
Table 23-18 Glossary P . . . . . 607
Table 23-19 Glossary R . . . . . 608
Table 23-20 Glossary S . . . . . 609
Table 23-21 Glossary T . . . . . 609
Table 23-22 Glossary U . . . . . 609
Table 23-23 Glossary V . . . . . 609
Table 23-24 Glossary W . . . . . 609
8. Figure Directory
Figure 0-1 Example: Common Settings ... 4
Figure 0-2 Example section Condition ... 5
1 Getting Started
Figure 1-1 Window Box Licenses in read/write mode ... 9
Figure 1-2 Defining Box Type Settings with Barracuda NG Installer ... 11
Figure 1-3 Configuring System Settings with Barracuda NG Installer ... 11
Figure 1-4 Configuring Partition Settings with Barracuda NG Installer ... 12
Figure 1-5 NIC adapter configuration parameters ... 13
Figure 1-6 Configuring USB stick settings with Barracuda NG Installer ... 14
Figure 1-7 Box Type Settings window in Create Kickstart only mode ... 15
Figure 1-8 rawwritewin.exe - Start screen ... 15
Figure 1-9 Login dialog ... 17
Figure 1-10 Barracuda NG Admin User Interface ... 17
Figure 1-11 Start screen ... 18
Figure 1-12 Dialog for customising the tool bar ... 19
Figure 1-13 Tool bar ... 20
Figure 1-14 Status bar ... 20
Figure 1-15 Barracuda NG Admin Settings - Boxes ... 21
Figure 1-16 Enter New Box dialog ... 21
Figure 1-17 Barracuda NG Admin Settings - Client tab ... 22
Figure 1-18 Configuring Advanced Cryptographic Settings ... 23
Figure 1-19 Barracuda NG Admin Settings - Public Host Keys tab ... 24
2 Control
Figure 2-1 Tabs in the Control window flagged by status icons ... 28
Figure 2-2 Server Tab ... 29
Figure 2-3 Network Tab ... 30
Figure 2-4 Interface/IPs Tab ... 30
Figure 2-5 Table section ... 32
Figure 2-6 Network diagram illustrating the concept of a pending route ... 33
Figure 2-7 Network diagram, pending direct routes and gateway routes ... 34
Figure 2-8 Example for a screened host setup ... 34
Figure 2-9 Sample process status view ... 36
Figure 2-10 Sample Info Dialog window ... 36
Figure 2-11 Sample Resources tab ... 37
Figure 2-12 Box Control > Licenses Tab ... 37
Figure 2-13 Network Activation dialog ... 38
Figure 2-14 View of the box control window ... 38
Figure 2-15 Box Domain Registration dialog ... 39
Figure 2-16 Typical view of the CPU information panel ... 40
3 Configuration Service
Figure 3-1 Interdependencies of the various basic configuration entities ... 43
Figure 3-2 Box configuration window in compressed connection state ... 45
Figure 3-3 Menu after pressing right mouse button on yet unlocked item ... 45
Figure 3-4 Menu after pressing right mouse button on locked item from another session ... 45
Figure 3-5 Configuration Sessions window ... 46
Figure 3-6 Box configuration window detail ... 46
Figure 3-7 User Interface ... 48
Figure 3-8 Config tree Emergency Override ... 48
Figure 3-9 Example for an Edit / Insert / Delete mask ... 48
Figure 3-10 Change / Insert / Delete mask ... 49
Figure 3-11 Barracuda NG Admin Configuration list and part of Clipboard content after Copy to Clipboard ... 49
Figure 3-12 Part of Clipboard content and Barracuda NG Admin Configuration list after Merge with Clipboard ... 50
Figure 3-13 Structure of the config tree ... 50
Figure 3-14 Creating a box on a CC ... 52
Figure 3-15 Box config file on a CC-administered box ... 53
Figure 3-16 Administrative Settings - System Access ... 54
Figure 3-17 Administrative Settings - DNS ... 55
Figure 3-18 Administrative Settings - TIME/NTP ... 56
Figure 3-19 Administrative Settings - SMS Control ... 57
Figure 3-20 Administrative Settings - SCEP ... 58
Figure 3-21 Box Identity ... 60
Figure 3-22 Certificate window ... 60
Figure 3-23 Output of a certificate at the command line interface ... 61
Figure 3-24 Box Network configuration ... 61
Figure 3-25 Additional Local Networks configuration ... 62
Figure 3-26 Virtual LAN configuration ... 65
Figure 3-27 Direct route configuration for Virtual LAN ... 66
Figure 3-28 Main Routing configuration ... 69
Figure 3-29 Policy Routing configuration ... 70
Figure 3-30 xDSL/ISDN/DHCP configuration ... 70
Figure 3-31 IP Tunnels configuration ... 79
Figure 3-32 Special Needs configuration ... 80
Barracuda NG Firewall 4.2.10 | Revision 3.5, Barracuda Networks 2010
596 | Figure Directory Appendix
4 Firewall
Figure 4-1 Basic connection diagram describing the notions used throughout the firewall engine ... 133
Figure 4-2 Tree locations of the general firewall settings ... 134
Figure 4-3 Config Section - Eventing Settings ... 137
Figure 4-4 Connection Tracing configuration ... 139
5 VPN
Figure 5-1 General Scheme of Remote Access VPN ... 212
Figure 5-2 Remote Access with the Client Placed Behind a Firewall ... 212
Figure 5-3 Remote Access with the Client Using a Proxy or SOCKS Server for Routing Assistance ... 213
Figure 5-4 Two Corporate Networks Linked Together via VPN Tunnel ... 213
Figure 5-5 Example for a VPN Constellation ... 214
Figure 5-6 Data Scheme for VPN Groups ... 214
Figure 5-7 ESP and NoHash ... 216
Figure 5-8 VPN Configuration Block Diagram ... 217
Figure 5-9 VPN Configuration - Introduce and Configure Block Diagram ... 217
Figure 5-10 VPN Configuration Block Diagram - Configure VPN server ... 218
Figure 5-11 Personal Network Configuration Dialog ... 218
Figure 5-12 VPN Configuration with Routed Network (Static Route; Virtual Network / DMZ) ... 218
Figure 5-13 VPN configuration with Local (Proxy ARP) ... 218
Figure 5-14 Server Certificates Configuration ... 219
Figure 5-15 Certificate Revocation Tab ... 220
Figure 5-16 Server Certificates with Open Context Menu ... 221
Figure 5-17 Configuration Dialog for L2TP ... 223
Figure 5-18 Configuration Dialog for Chap Secrets ... 223
Figure 5-19 VPN Configuration Block Diagram - Configure Personal VPN ... 223
Figure 5-20 Heredity of Barracuda Networks Certificates ... 224
Figure 5-21 Pool License Certificate ... 224
Figure 5-22 Pool License in Plain Text Format ... 225
Figure 5-23 Edit Personal License Information ... 225
Figure 5-24 Template Configuration ... 226
Figure 5-25 VPN Configuration Block Diagram - Configure Group VPN ... 227
Figure 5-26 New Barracuda NG Client Policy ... 228
Figure 5-27 New Common Settings ... 228
Figure 5-28 Configuration Dialog - New policy ... 229
Figure 5-29 Change Group Match Settings ... 229
Figure 5-30 Preauthentication Details ... 230
Figure 5-31 Configuration Dialog - Group Policy Condition ... 230
Figure 5-32 AD Lookup Dialog ... 231
Figure 5-33 Certificate Conditions Configuration ... 231
Figure 5-34 Configuration Dialog for Registry Rules ... 232
Figure 5-35 VPN Configuration Block Diagram - Configure VPN Tunnel ... 232
Figure 5-36 Scheme with the Basic Notations of VPN Tunnelling ... 233
Figure 5-37 Tunnel Configuration ... 233
Figure 5-38 Traffic Intelligence (TI) ... 235
Figure 5-39 Transport Selection Policy ... 236
Figure 5-40 TINA Tunnel with multiple transport modes added ... 236
Figure 5-41 TI Learning Policy Scheme ... 237
Figure 5-42 IPSec Tunnel Configuration - Base Configuration Tab ... 240
Figure 5-43 IPSec Tunnel Configuration > Authentication Tab ... 241
Figure 5-44 SSL-VPN login screen ... 243
Figure 5-45 SSL-VPN web portal ... 243
Figure 5-46 SSL-VPN configuration node ... 243
Figure 5-47 SSL-VPN web portal my Network ... 245
Figure 5-48 SSL-VPN web portal my Network ... 245
Figure 5-49 Barracuda NG SSL-VPN Client installation ... 245
Figure 5-50 Barracuda NG SSL-VPN Client login prompt ... 246
Figure 5-51 SSL-VPN web portal dynamic firewall rules ... 250
Figure 5-52 Java runtime version query ... 251
6 Mail Gateway
Figure 6-1 MailGW Settings configuration area ... 262
Figure 6-2 Mail gateway positioning in a network ... 262
Figure 6-3 POP3 scanning example setup ... 265
Figure 6-4 Blacklist configuration ... 270
Figure 6-5 Overview: Spam filtering process ... 273
Figure 6-6 Header of an e-mail identified as spam ... 273
Figure 6-7 Flowchart - Spam filter client ... 274
Figure 6-8 Spam Analysis configuration ... 275
Figure 6-9 Flowchart - Spam filter Server ... 275
Figure 6-10 Spam filter configuration dialog ... 276
Figure 6-11 Example script for e-mail collection ... 278
Figure 6-12 Filter settings ... 279
Figure 6-13 Statistics tree ... 284
7 DHCP
Figure 7-1 Processes structure ... 288
Figure 7-2 DHCP Enterprise Configuration - Operational Setup ... 289
Figure 7-3 DHCP Enterprise Configuration - Address Pools ... 289
Figure 7-4 DHCP Enterprise Configuration - Known Clients ... 291
Figure 7-5 DHCP Enterprise - Dynamic DNS ... 294
Figure 7-6 Real Time Information - DHCP ... 295
Figure 7-7 Example environment ... 296
Figure 7-8 Example - Configuring CLASS Settings ... 296
Figure 7-9 Example - Configuring Subnet settings for Subnet1 ... 296
Figure 7-10 DHCP Server Settings with pre-configured settings ... 298
Figure 7-11 Configuration - IP RANGES ... 299
Figure 7-12 Configuration - SPECIAL CLIENTS ... 299
Figure 713 Configuration - BASIC OPTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Figure 714 Real Time Information - DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Figure 715 Example of use for a DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Figure 716 DHCP Relay Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Figure 717 Cascading DHCP Relay with interfaces to be configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8 Log Viewer
Figure 81 LogGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Figure 82 Navigation section of the LogGUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Figure 83 Log Sequence Number in Relation to System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
9 Statistics
Figure 91 Statistics user interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Figure 92 Tree structure of the Statistics module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Figure 93 Control field for type Curve with time axis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Figure 94 Curve type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Figure 95 Time Interval selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Figure 96 Bar type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Figure 97 Control field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Figure 98 Example for Top list statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Figure 99 Configuration dialog - Statistics - Statistics Cooking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Figure 910 Event chain of a cooking instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Figure 911 Timed connection statistics starting at 08.03. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Figure 912 Timed connection statistics starting at 09.03. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
10 Eventing
Figure 101 Event detail window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Figure 102 Severity tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Figure 103 Notification tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Figure 104 Server Action tab - Type Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Figure 105 Server Action tab - Type Execute Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Figure 106 Server Action tab - Type SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Figure 107 Example for a SNMP trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Figure 108 Example for occurring event and settings for Threshold tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Figure 109 Basic tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Figure 1010 Event monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Figure 1011 Context menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Figure 1012 Page 1 of the Properties dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Figure 1013 Page 2 of the Properties dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Figure 1014 Filter dialog with values according to the example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Figure 1015 Add Criterion dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Figure 1016 Event monitor in live mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
11 DNS
Figure 11-1 File structure of the DNS service ... 333
Figure 11-2 DNS configuration area ... 333
Figure 11-3 DNS server properties ... 333
Figure 11-4 DNS properties with open advanced window ... 335
Figure 11-5 Configuring a new SOA ... 335
Figure 11-6 Configuring a new name server ... 336
Figure 11-7 Adding a nameserver ... 336
Figure 11-8 Configuring a New Host ... 336
Figure 11-9 Configuring a new mail exchanger ... 337
Figure 11-10 Configuring a new sub-domain ... 337
Figure 11-11 Create reverse lookup zone ... 338
12 Proxy
Figure 12-1 Creating the HTTP Proxy service ... 340
Figure 12-2 Creating the HTTP Proxy service ... 340
Figure 12-3 HTTP Proxy Config node in the Configuration Tree ... 340
Figure 12-4 HTTP Proxy Service Parameters - Network ... 341
Figure 12-5 SNMP Service message handling ... 343
Figure 12-6 Config Section Dialog - Authentication Settings ... 343
Figure 12-7 Proxy Access Handling Scheme ... 344
Figure 12-8 ACL Time Interval configuration - Example 1 ... 348
Figure 12-9 ACL Time Interval configuration - Example 2 ... 349
Figure 12-10 ACL Entries and Actions configuration example ... 349
Figure 12-11 Configuration of Action webaccess ... 350
Figure 12-12 Proxy neighbour cache configuration - Example setup ... 350
Figure 12-13 HTTP Proxy Fail Cache ... 351
Figure 12-14 Reverse proxy example configuration ... 353
Figure 12-15 Secure Web Proxy User Notification and Confirmation Dialog ... 355
Figure 12-16 Missing Embedded Data on a Web Site ... 356
Figure 12-17 Correct View of the Web Site from the Previous Figure ... 356
Figure 12-18 Secure Web Proxy GUI - Access tab ... 357
Figure 12-19 Secure Web Proxy GUI - Tickets tab with detail info ... 358
Figure 12-20 Secure Web Proxy GUI - Certificates tab ... 358
Figure 12-21 Overview: URL filtering process ... 360
Figure 12-22 Flowchart - URL Filter Redirector & Daemon ... 361
Figure 12-23 Local rule granting access from URL Filter to Proventia Internet Databases ... 365
Figure 12-24 Principle of Load Sharing ... 367
Figure 12-25 Principle of High Availability ... 367
13 FTP Gateway
Figure 13-1 FTP-GW Settings ... 370
14 Voice over IP
Figure 14-1 Provisioning the plugin in a service object for the SCCP signalling ... 374
Figure 14-2 RTP Stream service object with the default service name set to RTP:Skinny ... 375
Figure 14-3 VoIP infrastructure with 2 virtual subnets ... 375
Figure 14-4 Creating an Address Translation Map ... 375
Figure 14-5 Skinny signal protocol firewall rule with Skinny firewall plugin ... 376
Figure 14-6 RTP firewall rule with network address translation from the voipnat address translation map ... 376
Figure 14-7 Firewall Forwarding Settings - H.323 Gatekeeper Configuration dialog ... 377
Figure 14-8 Network setup without NAT SIP/RTP ... 379
15 Wireless LAN
Figure 15-1 ... 382
Figure 15-2 ... 383
Figure 15-3 ... 384
16 SSH Gateway
Figure 16-1 Configuration dialog - SSH Proxy ... 386
17 Anti-Virus
Figure 17-1 Scanning exceptions ... 393
Figure 17-2 Schematic overview of proxy integration ... 393
Figure 17-3 Scan exceptions ... 394
Figure 17-4 Progress bar ... 395
Figure 17-5 Schematic overview of mail gateway integration ... 396
Figure 17-6 Schematic overview of FTP gateway integration ... 397
Figure 17-7 Disabling virus pattern updates manually ... 398
18 High Availability
Figure 18-1 Load Balancing with a HA system ... 401
Figure 18-2 HA monitoring without private uplink (HA state exchanged via 10.0.8.0/24 network) ... 402
Figure 18-3 HA monitoring with private uplink ... 402
Figure 18-4 Designing a HA system ... 402
Figure 18-5 Context menu of Box ... 403
Figure 18-6 Exporting the public key to a file ... 404
Figure 18-7 Public Host Keys ... 404
Figure 18-8 Creation of CC-administered HA partners - Step 1 ... 404
Figure 18-9 Creation of CC-administered HA partners - Step 2 ... 404
Figure 18-10 Sync Status of two HA partners ... 405
Figure 18-11 Emergency Override of a HA Box ... 405
Figure 18-12 Confirmation query for Emergency Override ... 405
Figure 18-13 Example for test report ... 406
Figure 18-14 Synchronising procedure ... 407
20 SNMP
Figure 20-1 SNMP Service configuration dialog ... 515
22 System Information
Figure 22-1 Example options file ... 533
Figure 22-2 Example boxadm.conf file ... 533
Figure 22-3 Example boxnet.conf file ... 534
Figure 22-4 Event Monitor GUI ... 536
Figure 22-5 Event Properties windows ... 536
23 Appendix
Figure 23-1 Adding a new column to the view ... 544
Figure 23-2 Search result containing group information ... 544
Figure 23-3 LDAP browser with marked distinguished name ... 544
9. Glossary
A
Table 23-5 Glossary A
Access Cache: History list of already performed firewall connections / mail jobs / VPN connections.
ACK: Third part of the Three-Way Handshake of a TCP connection (see also SYN/ACK, SYN, FIN, Flag, Handshake)
ACPF: Application Controlled Packet Forwarding
ACL: Access control list. List of IP addresses which are allowed to manage a box
Admin, Flower: An administrator account which is granted only read rights to a system (see also root)
Admin, Power: An administrator account which is granted full access to a system (see also root)
ADSL: Asymmetric Digital Subscriber Line, technology to allow high speed internet connections over ordinary copper cables via the telephone net (see also Broadband)
Alive Packets: ICMP packets to check the system status (see also HA)
ANSI: ANSI (American National Standards Institute) is the primary organization for fostering the development of technology standards in the United States.
ARP: Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address (MAC address) that is recognized in the local network (see also IP address, MAC).
Authentication: Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Digital certificates issued and verified by a Certificate Authority (CA) as part of a public key infrastructure (PKI) can also be used, and this is considered likely to become the standard way to perform authentication on the Internet (see also Certificate, PKI).
C
Table 23-6 Glossary C
Certificate: Barracuda NG Firewall boxes make use of X.509 conformant digital certificates. For a single box without a Barracuda Networks trust center being available, the certificate is basically identical to a mere RSA public key.
CGI: Common Gateway Interface is a standard for interfacing external applications with web servers.
Checksum: The sum of a group of data items, which sum is used for checking purposes. Note: A checksum is stored or transmitted with the group of data items and is calculated by treating the data items as numeric values. Checksums are used in error detecting and correcting. It is the value computed on data to detect errors or manipulation during transmission (see also HASH).
B
Glossary B
Bandwidth: Bandwidth (the width of a band of electromagnetic frequencies) is used for defining how fast data flows on a given transmission path (see also Broadband).
Bash: Bourne Again SHell, standard Linux shell
Bind IP: IP address of the firewall which is used for the further connection (see also Destination IP, Source IP, Connect IP)
Block: Firewall Rule Type: A TCP / UDP / ICMP connection attempt is denied due to a firewall rule match. If there is no firewall rule defined, all connections will be blocked (see also Pass, Redirect, Map).
Border Firewall: Firewall which has a direct connection to the internet and protects the interior part of a network.
Box Services: Infrastructure services that provide HA support, real time system monitoring, accounting (statistics) and logging
Box: Lowest layer of the Barracuda NG architecture. Entities and processes belonging to the box layer exist independently of all server processes.
Break Lock: Attempt to break an existing lock of a configuration file by another management session which was made by another administrator
Broadband: Links of high data rate are called broadband connections (see also Bandwidth).
Broadcast Domain: A network segment which is limited by a network-layer device (for example a router or a Barracuda NG Firewall)
Broadcast: Data is sent to all peers in a broadcast domain
Solution:
To solve this problem, a manual intervention in the configuration file responsible for VPN tunnel configuration is needed.
If you are not familiar with the Vi text editor, please get in contact with your Barracuda Networks partner to avoid further-reaching impacts on your actual Barracuda NG Firewall configuration.
Proceed with the following steps:
Block the rangeconf-service (or boxconfig-service in case of a single box) to avoid simultaneous access to the affected configuration file.
On Barracuda NG Control Center boxes:
vi /opt/phion/maintree/configroot/<rangenumber>/<clustername>/clusterservers/<servername>/services/<servicename>/vpntunnel.conf
On single boxes:
vi /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf
Locate the string RAWIPSEC, change these sections as described below and save the file.
--------------------------
YOUR REPLACEMENT PATTERN HERE
--------------------------
Final step:
On Barracuda NG Control Centers: Start the rangeconf-service and trigger a complete update (Control->Configuration Updates) by right-clicking the affected Barracuda NG Firewall box and selecting "Complete Update" in the context menu.
On single boxes: Start the boxconfig-service and copy the modified file to the corresponding folder (overwrite the existing file):
cp /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf /opt/phion/config/active/servers/<servername>/services/<servicename>/vpntunnel.conf

D
Table 237 Glossary D
Daemon: System process (control daemon, cstat daemon)
Decryption: Previously encrypted data has to be decrypted in order to read the original data. The decryption algorithm must be the same as the algorithm used for encryption (see also Encryption).
Default Gateway: Refer to Route, Default
Destination IP: IP address to which the source connects (see also Bind IP, Connect IP, Source IP)
DHCP: Dynamic Host Configuration Protocol; a DHCP server normally provides information such as IP addresses, netmask, routes and DNS servers
DMA: Direct Memory Access
DMZ: Demilitarized Zone, a network in which to place all machines reachable from the Internet (for example mail, web or FTP servers)
DNS (BIND): Domain Name Service is used to resolve domain names to IP addresses; BIND is the Berkeley Internet Name Daemon (the most widely used DNS server)
DNS, Name Servers: The programs which store information about the domain name space are called name servers.
DNS, Zone Transfer: The transfer of zone information from a master to a slave is called zone transfer
DNS, Zone: Name servers generally have complete information about some part of the name space, called a zone.
DNS, Zone, Forward: A forward zone is used to direct all queries in it to other servers. The specification of options in such a zone will override any global options declared in the options statement.
DNS, Zone, Hint: The initial set of root nameservers is specified using a hint zone. When the server starts up, it uses the root hints to find a root nameserver and get the most recent list of root nameservers.
DNS, Zone, Master: The server has a master copy of the data for the zone and will be able to provide authoritative answers for it.
DNS, Zone, Reverse Lookup: To resolve IP addresses to host names (domains) a reverse lookup is performed
DNS, Zone, Slave: A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone.
DST: Daylight Saving Time (see also UTC, Time Zone)

E
Table 238 Glossary E
EIDE: refer to IDE
Emergency Override: Usually, boxes maintained by a Barracuda NG Control Center (CC) can only be configured via the CC, unless an emergency override is performed. This enables configuration changes to be performed directly via the box configuration.
S
Table 2320 Glossary S
SCSI: The Small Computer System Interface is a set of ANSI standard electronic interfaces that allow personal computers to communicate with peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners faster and more flexibly than previous interfaces (see also ANSI, IDE, EIDE).
Secondary Box: This box checks the primary box; if the primary is unreachable it starts its server and services (see also Primary Box, HA)
Send Changes: By clicking this button, configuration changes are sent from the GUI to the Barracuda NG Firewall. The changes are not yet activated.
Server: Collection of IP addresses under which the services are made available.
Service Pack: A service pack provides a bundle of updates; the database which holds the version numbers is updated (see also Hot Fix)
Service: Operational services that provide the actual functionality of the Barracuda NG Firewall
SMB: Server Message Block (protocol)
SMTP: Simple Mail Transport Protocol
SNMP: Simple Network Management Protocol; set of protocols for managing complex networks
Socks 4/5: A protocol for handling TCP traffic through a proxy server. It can be used with virtually any TCP application. There are two main versions of SOCKS, V4 and V5. V5 adds an authentication mechanism for additional security. There are many freeware implementations of both versions. One of the most common V5 implementations is SOCKS5 (see also Proxy, NAT)
Source IP: IP address of the connecting instance (see also Bind IP, Connect IP, Destination IP)
Spool: Service process of the mail gateway service which is responsible for scheduling incoming mail jobs
SSH: Secure Shell, an encrypted remote shell to administer a system. Formerly telnet or rlogin were used, but without encryption they are useless in a secure environment
SSL: Secure Socket Layer
SYN: First part of the three-way handshake of a TCP connection (see also ACK, SYN/ACK, FIN, Flag, Handshake)
SYN/ACK: Second part of the three-way handshake of a TCP connection (see also ACK, SYN, FIN, Flag, Handshake)

T
Table 2321 Glossary T
TCP: Transmission Control Protocol
Time Server: To synchronize several machines to the same time a time server is needed (see also NTP)
Time Statistics: Type of statistics which reflect traffic / data / connections over a certain period of time.
Time Zone: Time zone where a box is geographically located (for example GMT - Greenwich Mean Time)
Token Ring: A token ring network is a local area network in which all computers are connected in a ring or star topology and a binary digit or token-passing scheme is used in order to prevent the collision of data between two computers.
Top Statistics: Type of statistics which reflect traffic / data / connections from peers. Top statistics can be separated into Source and Destination statistics

U
Table 2322 Glossary U
UDP: User Datagram Protocol

V
Table 2323 Glossary V
Virtual LAN: A Virtual LAN is used to simulate several networks on one NIC, so that one switch port behaves like several switches.
Virtual management IP: This becomes the primary management IP, where the box is administered by a Barracuda NG Control Center.
VNC: Virtual Network Computing
VPN: Virtual Private Network
VPN Tunnel, Stealth: A second popular example for tunnelling is the so-called stealth mode or half-side transparent tunnel. In this case a local network is granted access to a partner network, but not the other way round. Moreover, it hides its internal IP structure from the partner network.
VPN Tunnel, Transparent: The simplest configuration for tunnels is to connect two networks with different address ranges transparently. The effect should be that the two networks are connected together just as if there were nothing but an open firewall in between.
VPN Tunnel, Star Shaped: Most real-world VPN topologies include a headquarters structure. That means that many VPN tunnels terminate on one VPN server. Traffic between outposts is typically routed via the headquarters. This reduces the number of tunnels to manage.

W
Table 2324 Glossary W
Watchdog: Barracuda Networks routine to control and repair system processes
WebDAV: Web-based Distributed Authoring and Versioning
Wild Cards: To simplify data input, certain characters stand for all other possible characters: '?' replaces a single character, '*' replaces a whole string of wildcards and other characters
WINS: Windows Internet Naming Service; used for providing name resolution for computers with a special arrangement (server and client must run MS Windows). Such a service uses an automatically updated database with the names and IP addresses of currently available PCs (see also DHCP).

X

Y

Z
10.1 Barracuda Networks Limited Hardware Warranty

1. Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc., ("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks, Inc.), and continuing for a period of one (1) year: (a) its products (excluding any software) will be free from material defects in materials and workmanship under normal use; and (b) the software provided in connection with its products, including any software contained or embedded in such products will substantially conform to Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate the software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is non-transferable.

2. Exclusive Remedy. Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks or its service centers option and expense, the repair, replacement or refund of the purchase price of any products sold which do not comply with this warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks option. Barracuda Networks obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks then-current Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at Barracuda Networks discretion, and shall be furnished on an exchange basis. All parts removed for replacement will become the property of Barracuda Networks. In connection with warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT SHALL BARRACUDA NETWORKS LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION.

3. Exclusions and Restrictions. This limited warranty does not apply to Barracuda Networks products that are or have been (a) marked or identified as "sample" or "beta," (b) loaned or provided to you at no cost, (c) sold "as is," (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse, negligence or to an accident.

EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.

10.2 Barracuda Networks Software License Agreement

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING THE BARRACUDA NETWORKS SOFTWARE. BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU ARE A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN THE SOFTWARE LICENSE GRANTED UNDER THIS AGREEMENT IS EXPRESSLY CONDITIONED UPON ACCEPTANCE BY A PERSON WHO IS AUTHORIZED TO SIGN FOR AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL REFUND TO YOUR PLACE OF PURCHASE.

1. The software and documentation, whether on disk, in flash memory, in read only memory, or on any other media or in any other form (collectively "Barracuda Software") is licensed, not sold, to you by Barracuda Networks, Inc. ("Barracuda") for use only under the terms of this Agreement, and Barracuda reserves all rights not expressly granted to you. The rights granted are limited to Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent or intellectual property rights. You own the media on which the Software is recorded but Barracuda retains ownership of the Software itself. If you have not completed a purchase of the Software and made payment for the purchase, the Software may only be used for evaluation purposes and may not be used in any production capacity. Furthermore the Software, when used for evaluation, may not be secure and may use publicly available passwords.

2. Permitted License Uses and Restrictions. If you have purchased a Barracuda Networks hardware product, this Agreement allows you to use the Software only on the single Barracuda labeled hardware device on which the software was delivered. You may not make copies of the Software. You may not make a backup copy of the Software. If you have purchased a Barracuda Networks Virtual Machine you may use the software only in the licensed number of instances of the licensed sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup copies of the Software. If you have purchased client software you may install the software only on the number of licensed clients. You may make a reasonable number of backup copies of the Software. For all purchases you may not modify or create derivative works of the Software except as provided by the Open Source Licenses included below. You may not make the Software available over a network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided in the documentation, your use of the Software shall be limited to use on a single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units as you may have paid Barracuda Networks the required license fee; and your use of the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e. users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your use of the Software shall also be limited by any other restrictions set forth in your purchase order or in Barracuda Networks' product catalog, user documentation or Web site for the Software. The BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE SUPPORT MACHINES, OR OTHER EQUIPMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE NOT TO USE IT IN ANY OF THESE OPERATIONS.

3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so. YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS AND OBLIGATIONS UNDER THIS AGREEMENT. You agree that you will have no right and will not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii) sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time sharing basis or other remote access system whereby third parties other than you can use or benefit from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run the Software on more computers than you have purchased license to; (vi) operate the Software in a fashion that exceeds the capacity or capabilities that were purchased by you.
EARLIER OF: (A) YOUR FAILURE TO COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda Networks and your obligations shall survive any termination of this Agreement. Upon termination of this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all copies of the Software have been destroyed or deleted from any of your computer libraries, storage devices, or any other location.

5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS. BARRACUDA DOES NOT WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR FREE OR CONTINUOUS, THAT CURRENT OR FUTURE VERSIONS OF ANY OPERATING SYSTEM WILL BE SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS SHALL ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE WHICH WERE CAUSED BY IMPROPER OPERATION, USE OF UNSUITABLE RESOURCES, ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR CONTROL THAT ARE UTILIZED IN ANY BARRACUDA PRODUCT.

6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE ABSOLUTE AND UNILATERAL RIGHT AT ITS SOLE DISCRETION TO DENY USE OF, OR ACCESS TO BARRACUDA SOFTWARE, IF YOU ARE DEEMED BY BARRACUDA TO BE USING THE SOFTWARE IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA OR IN VIOLATION OF ANY LAW.

7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF BARRACUDA HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. In no event shall Barracuda's total liability to you for all damages exceed the amount of one hundred dollars.

8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD PARTY TO) COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT, DISTRIBUTE, OR BURN TO CD (OR ANY OTHER MEDIUM) ANY COPYRIGHTED CONTENT THAT YOU ACCESS OR RECEIVE THROUGH USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU ASSUME ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF COPYRIGHTED CONTENT. You agree not to publish any benchmarks, measurements, or reports on the product without Barracuda Networks written express approval.

9. Third Party Software. Some Software which supports Bare Metal Disaster Recovery of Microsoft Windows Vista and Microsoft Windows 2008 Operating Systems (DR6) contains and uses components of the Microsoft Windows Pre-Installation Environment (WINPE) with the following restrictions: (i) the WINPE components in the DR6 product are licensed and not sold and may only be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda and its suppliers reserve all rights not expressly granted; (iv) license to use DR6 and the WINPE components is limited to use of the product as a recovery utility program only and not for use as a general purpose operating system; (v) Reverse engineering, decompiling or disassembly of the WINPE components, except to the extent expressly permitted by applicable law, is prohibited; (vi) DR6 contains a security feature from Microsoft that will automatically reboot the system without warning after 24 hours of continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6 is subject to U.S. export jurisdiction.

10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use any such trademarks for any purpose.

11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written consent of Barracuda Networks, (b) complying with applicable export control laws, including, but not limited to, restrictions and regulations of the Department of Commerce or other United States agency or authority and the applicable EU directives, and (c) obtaining any necessary permits and licenses. In any event, you may not transfer or authorize the transfer of the Software to a prohibited territory or country or otherwise in violation of any applicable restrictions or regulations. If you are a United States Government agency the Software and documentation qualify as "commercial items", as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Agreement may be incorporated, Government end user will acquire the Software and documentation with only those rights set forth in this Agreement. Use of either the Software or documentation or both constitutes agreement by the Government that the Software and documentation are "commercial computer software" and "commercial computer software documentation", and constitutes acceptance of the rights and restrictions herein.

12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA COUNTY, CALIFORNIA, UNLESS YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND, THE EU, OR JAPAN. IF YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW SHALL BE USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE USED AND JURISDICTION SHALL BE INNSBRUCK. IF YOUR HEADQUARTERS IS LOCATED IN JAPAN, JAPANESE LAW SHALL BE USED AND JURISDICTION SHALL BE TOKYO. THIS AGREEMENT WILL NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE U.N. CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES OF GOODS. This Agreement is the entire agreement between You and Barracuda Networks regarding the subject matter herein and supersedes any other communications with respect to the Software. If any provision of this Agreement is held invalid or unenforceable, the remainder of this Agreement will continue in full force and effect. Failure to prosecute a party's rights with respect to a default hereunder will not constitute a waiver of the right to enforce rights with respect to the same or any other breach.

13. Assignability. You may not assign any rights or obligations hereunder without prior written consent from Barracuda Networks.

14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty (60) days after they first appear on the statement you receive from your bank, Credit Card Company, other billing company or Barracuda Networks. If you do not bring such problems or discrepancies to Barracuda Networks attention within the sixty (60) day period, you agree that you waive the right to dispute such problems or discrepancies.

15. Collection of Data. You agree to allow Barracuda Networks to collect information ("Statistics") from the Software in order to fight spam, virus, and other threats as well as optimize and monitor the Software. Information will be collected electronically and automatically. Statistics include, but are not limited to, the number of messages processed, the number of messages that are categorized as spam, the number of virus and types, IP addresses of the largest spam senders, the number of emails classified for Bayesian analysis, capacity and usage, and other statistics. Your data will be kept private and will only be reported in aggregate by Barracuda Networks.

16. Subscriptions. Software updates and subscription information provided by Barracuda Energize Updates or other services may be necessary for the continued operation of the Software. You acknowledge that such a subscription may be necessary. Furthermore some functionality may only be available with additional subscription purchases. Obtaining Software updates on systems where no valid subscription has been purchased or obtaining functionality where subscription has not been purchased is strictly forbidden and in violation of this Agreement. All initial subscriptions commence at the time of activation and all renewals commence at the expiration of the previous valid subscription. Unless otherwise expressly provided in the documentation, you shall use the Energize Updates Service and other subscriptions solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Barracuda
Barracuda Networks Inc. 2010
Barracuda Networks Warranty and Software License Agreement 613
Networks equipment) for communication with Barracuda Networks equipment owned or leased by you. All subscriptions are non-transferable. Barracuda Networks makes no warranty that subscriptions will continue uninterrupted. Subscription may be terminated without notice by Barracuda Networks for lack of full payment.

17. Auto Renewals. If your Software purchase is a time based license, includes software maintenance, or includes a subscription, you hereby agree to automatically renew this purchase when it expires unless you notify Barracuda 15 days before the renewal date. Barracuda Networks will automatically bill you or charge you unless notified 15 days before the renewal date.

18. Time Base License. If your Software purchase is a time based license you expressly acknowledge that the Software will stop functioning at the time the license expires. You expressly indemnify and hold harmless Barracuda Networks for any and all damages that may occur because of this.

19. Support. Telephone, email and other forms of support will be provided to you if you have purchased a product that includes support. The hours of support vary based on country and the type of support purchased. Barracuda Networks Energize Updates typically include Basic support.

20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release of any Software or Subscription and to alter prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Software or Subscriptions.

21. Open Source Licensing. Barracuda Networks products may include programs that are covered by the GNU General Public License (GPL) or other Open Source license agreements, in particular the Linux operating system. It is expressly put on record that the Software does not constitute an edited version or further development of the operating system. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks. Further details may be provided in an appendix to this agreement where the licenses are re-printed. Barracuda Networks makes the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.

10.3 Barracuda Networks Energize Updates and Other Subscription Terms

10.3.1 The GNU General Public License (GPL) Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you
also meet all of these conditions:
Preamble
a) You must cause the modified files to carry prominent notices stating that
The licenses for most software are designed to take away your freedom to
you changed the files and the date of any change.
share and change it. By contrast, the GNU General Public License is
intended to guarantee your freedom to share and change free software--to
make sure the software is free for all its users. This General Public License b) You must cause any work that you distribute or publish, that in whole or in
applies to most of the Free Software Foundation's software and to any other part contains or is derived from the Program or any part thereof, to be
program whose authors commit to using it. (Some other Free Software licensed as a whole at no charge to all third parties under the terms of this
Foundation software is covered by the GNU Library General Public License License.
instead.) You can apply it to your programs, too.
must be on the terms of this License, whose permissions for other licensees
extend to the entire whole, and thus to each and every part regardless of who If any portion of this section is held invalid or unenforceable under any
wrote it. particular circumstance, the balance of the section is intended to apply and
the section as a whole is intended to apply in other circumstances.
Thus, it is not the intent of this section to claim rights or contest your rights to
work written entirely by you; rather, the intent is to exercise the right to control It is not the purpose of this section to induce you to infringe any patents or
the distribution of derivative or collective works based on the Program. other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
In addition, mere aggregation of another work not based on the Program with distribution system, which is implemented by public license practices. Many
the Program (or with a work based on the Program) on a volume of a storage people have made generous contributions to the wide range of software
or distribution medium does not bring the other work under the scope of this distributed through that system in reliance on consistent application of that
License. system; it is up to the author/donor to decide if he or she is willing to distribute
software through any other system and a licensee cannot impose that choice.
3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 This section is intended to make thoroughly clear what is believed to be a
and 2 above provided that you also do one of the following: consequence of the rest of this License.
a) Accompany it with the complete corresponding machine-readable source 8. If the distribution and/or use of the Program is restricted in certain countries
code, which must be distributed under the terms of Sections 1 and 2 above either by patents or by copyrighted interfaces, the original copyright holder
on a medium customarily used for software interchange; or, who places the Program under this License may add an explicit geographical
distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this
b) Accompany it with a written offer, valid for at least three years, to give any License incorporates the limitation as if written in the body of this License.
third party, for a charge no more than your cost of physically performing
source distribution, a complete machine-readable copy of the corresponding
source code, to be distributed under the terms of Sections 1 and 2 above on a 9. The Free Software Foundation may publish revised and/or new versions of
medium customarily used for software interchange; or, the General Public License from time to time. Such new versions will be
similar in spirit to the present version, but may differ in detail to address new
problems or concerns.
c) Accompany it with the information you received as to the offer to distribute
corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object Each version is given a distinguishing version number. If the Program
code or executable form with such an offer, in accord with Subsection b specifies a version number of this License which applies to it and "any later
above.) version", you have the option of following the terms and conditions either of
that version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of this License,
The source code for a work means the preferred form of the work for making you may choose any version ever published by the Free Software
modifications to it. For an executable work, complete source code means all Foundation.
the source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation of
the executable. However, as a special exception, the source code distributed 10. If you wish to incorporate parts of the Program into other free programs
need not include anything that is normally distributed (in either source or whose distribution conditions are different, write to the author to ask for
binary form) with the major components (compiler, kernel, and so on) of the permission. For software which is copyrighted by the Free Software
operating system on which the executable runs, unless that component itself Foundation, write to the Free Software Foundation; we sometimes make
accompanies the executable. exceptions for this. Our decision will be guided by the two goals of preserving
the free status of all derivatives of our free software and of promoting the
sharing and reuse of software generally.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source
code from the same place counts as distribution of the source code, even NO WARRANTY
though third parties are not compelled to copy the source along with the
object code. 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE
IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED
4. You may not copy, modify, sublicense, or distribute the Program except as BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
expressly provided under this License. Any attempt otherwise to copy, WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
modify, sublicense or distribute the Program is void, and will automatically PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
terminate your rights under this License. However, parties who have received EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
copies, or rights, from you under this License will not have their licenses THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
terminated so long as such parties remain in full compliance. A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
5. You are not required to accept this License, since you have not signed it. NECESSARY SERVICING, REPAIR OR CORRECTION.
However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you do
not accept this License. Therefore, by modifying or distributing the Program 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR
(or any work based on the Program), you indicate your acceptance of this AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY
License to do so, and all its terms and conditions for copying, distributing or OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
modifying the Program or works based on it. PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
6. Each time you redistribute the Program (or any work based on the TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
Program), the recipient automatically receives a license from the original DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
licensor to copy, distribute or modify the Program subject to these terms and SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
conditions. You may not impose any further restrictions on the recipients' PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
exercise of the rights granted herein. You are not responsible for enforcing SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
compliance by third parties to this License. POSSIBILITY OF SUCH DAMAGES.
7. If, as a consequence of a court judgment or allegation of patent END OF GNU TERMS AND CONDITIONS
infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that
contradict the conditions of this License, they do not excuse you from the Barracuda Networks Products may contain programs that are copyright
conditions of this License. If you cannot distribute so as to satisfy (c)1995-2005 International Business Machines Corporation and others. All
simultaneously your obligations under this License and any other pertinent rights reserved. These programs are covered by the following License:
obligations, then as a consequence you may not distribute the Program at all. "Permission is hereby granted, free of charge, to any person obtaining a copy
For example, if a patent license would not permit royalty-free redistribution of of this software and associated documentation files (the "Software"), to deal
the Program by all those who receive copies directly or indirectly through you, in the Software without restriction, including without limitation the rights to
then the only way you could satisfy both it and this License would be to refrain use, copy, modify, merge, publish, distribute, and/or sell copies of the
entirely from distribution of the Program. Software, and to permit persons to whom the Software is furnished to do so,
provided that the above copyright notice(s) and this permission notice appear
in all copies of the Software and that both the above copyright notice(s) and
this permission notice appear in supporting documentation."
Barracuda Networks Products may include programs that are covered by the 1. Definitions.
BSD License: "Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are
met: "License" shall mean the terms and conditions for use, reproduction, and
Redistributions of source code must retain the above copyright notice, this list distribution as defined by Sections 1 through 9 of this document.
of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this "Licensor" shall mean the copyright owner or entity authorized by the
list of conditions and the following disclaimer in the documentation and/or copyright owner that is granting the License.
other materials provided with the distribution.
The names of the authors may not be used to endorse or promote products "Legal Entity" shall mean the union of the acting entity and all other entities
derived from this software without specific prior written permission. that control, are controlled by, or are under common control with that entity.
THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS For the purposes of this definition, "control" means (i) the power, direct or
OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE indirect, to cause the direction or management of such entity, whether by
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
PARTICULAR PURPOSE." outstanding shares, or (iii) beneficial ownership of such entity.
Barracuda Networks Products may include the libspf library which is "You" (or "Your") shall mean an individual or Legal Entity exercising
Copyright (c) 2004 James Couzens & Sean Comeau, All rights reserved. It is permissions granted by this License.
covered by the following agreement: Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the
following conditions are met: 1. Redistributions of source code must retain the "Source" form shall mean the preferred form for making
above copyright notice, this list of conditions and the following disclaimer. 2. modifications,including but not limited to software source code,
Redistributions in binary form must reproduce the above copyright notice, this documentation source, and configuration files.
list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution. THIS SOFTWARE IS
"Object" form shall mean any form resulting from mechanical transformation
PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
or translation of a Source form, including but not limited to compiled object
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
code, generated documentation, and conversions to other media types.
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF
THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, "Work" shall mean the work of authorship, whether in Source or Object form,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL made available under the License, as indicated by a copyright notice that is
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF included in or attached to the work (an example is provided in the Appendix
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR below).
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) "Derivative Works" shall mean any work, whether in Source or Object form,
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF that is based on (or derived from) the Work and for which the editorial
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. revisions, annotations, elaborations, or other modifications represent, as a
whole, an original work of authorship. For the purposes of this License,
Derivative Works shall not include works that remain separable from, or
Barracuda Networks Products may contain programs that are Copyright (c) merely link (or bind by name) to the interfaces of, the Work and Derivative
1998-2003 Carnegie Mellon University. All rights reserved. Redistribution and Works thereof.
use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: 1. Redistributions of source
code must retain the above copyright notice, this list of conditions and the "Contribution" shall mean any work of authorship, including the original
following disclaimer. 2. Redistributions in binary form must reproduce the version of the Work and any modifications or additions to that Work or
above copyright notice, this list of conditions and the following disclaimer in Derivative Works thereof, that is intentionally submitted to Licensor for
the documentation and/or other materials provided with the distribution. The inclusion in the Work by the copyright owner or by an individual or Legal
name "Carnegie Mellon University" must not be used to endorse or promote Entity authorized to submit on behalf of the copyright owner. For the
products derived from this software without prior written permission. For purposes of this definition, "submitted" means any form of electronic, verbal,
permission or any other legal details, please contact Office of Technology or written communication sent to the Licensor or its representatives, including
Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA but not limited to communication on electronic mailing lists, source code
15213-3890 (412) 268-4387, fax: (412) 268-7395, control systems, and issue tracking systems that are managed by, or on
tech-transfer@andrew.cmu.edu . Redistributions of any form whatsoever behalf of, the Licensor for the purpose of discussing and improving the Work,
must retain the following acknowledgment: "This product includes software but excluding communication that is conspicuously marked or otherwise
developed by Computing Services at Carnegie Mellon University designated in writing by the copyright owner as "Not a Contribution."
(http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND "Contributor" shall mean Licensor and any individual or Legal Entity on
FITNESS, AND IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY behalf of whom a Contribution has been received by Licensor and
BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL subsequently incorporated within the Work.
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
2. Grant of Copyright License. Subject to the terms and conditions of this
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
License, each Contributor hereby grants to You a perpetual, worldwide,
CONNECTION WITH THE USE OR PERFORMANCE OF THIS
non-exclusive, no-charge, royalty-free, irrevocable copyright license to
SOFTWARE.
reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or
Object form.
Barracuda Networks Software may include programs that are covered by the
Apache License or other Open Source license agreements. The Apache 3. Grant of Patent License. Subject to the terms and conditions of this
license is re-printed below for you reference. These programs are License, each Contributor hereby grants to You a perpetual, worldwide,
copyrighted by their authors or other parties, and the authors and copyright non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this
holders disclaim any warranty for such programs. Other programs are section) patent license to make, have made, use, offer to sell, sell, import,
copyright by Barracuda Networks. and otherwise transfer the Work, where such license applies only to those
patent claims licensable by such Contributor that are necessarily infringed by
10.3.2 Apache License their Contribution(s) alone or by combination of their Contribution(s) with the
Work to which such Contribution(s) was submitted. If You institute patent
Version 2.0, January 2004 litigation against any entity (including a cross-claim or counterclaim in a
http://www.apache.org/licenses/ lawsuit) alleging that the Work or a Contribution incorporated within the Work
constitutes direct or contributory patent infringement, then any patent
licenses granted to You under this License for that Work shall terminate as of
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND the date such litigation is filed.
DISTRIBUTION
4. Redistribution. You may reproduce and distribute copies of the Work or 10.3.3 AdoDB - BSD Style-License
Derivative Works thereof in any medium, with or without modifications, and in
Source or Object form, provided that You meet the following conditions: Barracuda Networks Products may contain programs and software that are
copyright (c) 2000, 2001, 2002, 2003, 2004 John Lim All rights reserved.
Redistribution and use in source and binary forms, with or without
(a) You must give any other recipients of the Work or Derivative Works a copy modification, are permitted provided that the following conditions are met:
of this License; and Redistributions of source code must retain the above copyright notice, this list
of conditions and the following disclaimer.Redistributions in binary form must
reproduce the above copyright notice, this list of conditions and the following
(b) You must cause any modified files to carry prominent notices stating that disclaimer in the documentation and/or other materials provided with the
You changed the files; and distribution.Neither the name of the John Lim nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission. DISCLAIMER:THIS
(c) You must retain, in the Source form of any Derivative Works that You SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
distribute, all copyright, patent, trademark, and attribution notices from the CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
Source form of the Work, excluding those notices that do not pertain to any WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
part of the Derivative Works; and WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JOHN
(d) If the Work includes a "NOTICE" text file as part of its distribution, then LIM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
any Derivative Works that You distribute must include a readable copy of the INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
attribution notices contained within such NOTICE file, excluding those notices (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
that do not pertain to any part of the Derivative Works, in at least one of the GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
following places: within a NOTICE text file distributed as part of the Derivative BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
Works; within the Source form or documentation, if provided along with the OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
Derivative Works; or, within a display generated by the Derivative Works, if (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
and wherever such third-party notices normally appear. The contents of the OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
NOTICE file are for informational purposes only and do not modify the POSSIBILITY OF SUCH DAMAGE.
License. You may add Your own attribution notices within Derivative Works
that You distribute, alongside or as an addendum to the NOTICE text from 10.3.4 AMCC
the Work, provided that such additional attribution notices cannot be
Barracuda Networks Products may contain programs and software that are
construed as modifying the License.
copyright protected by: AMCC
215 Moffet Park Drive, Sunnyvale California, CA-94089,
You may add Your own copyright statement to Your modifications and may USAwww.amcc.com. AMCC grants to you a non-exclusive, non-transferable,
provide additional or different license terms and conditions for use, non-sublicensable license to use the Product.
reproduction, or distribution of Your modifications, or for any such Derivative
LIMITS
Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License. You may not copy, modify, rent, sell, distribute, or transfer any part of the
Software except as provided in this Agreement, and you agree to prevent
unauthorized copying of the Software; (2) you may not reverse engineer,
5. Submission of Contributions. Unless You explicitly state otherwise, any decompile, or disassemble the Software; and (3) you many not sublicense
Contribution intentionally submitted for inclusion in the Work by You to the the Software.
Licensor shall be under the terms and conditions of this License, without any
OWNERSHIP OF SOFTWARE AND COPYRIGHTS
additional terms or conditions. Notwithstanding the above, nothing herein
shall supersede or modify the terms of any separate license agreement you Title to all copies of the Software will remain with AMCC or its suppliers. The
may have executed with Licensor regarding such Contributions. Software is copyrighted and protected by United States and Austrian
copyright laws and international treaty provisions. You may not remove any
copyright, patent, or other proprietary notices from the Software. AMCC and
6. Trademarks. This License does not grant permission to use the trade BARRACUDA NETWORKS or its suppliers may make changes to the
names, trademarks, service marks, or product names of the Licensor, except Software, or to items referenced therein, at any time without notice, but is not
as required for reasonable and customary use in describing the origin of the obligated to support or update the Software. Except as otherwise expressly
Work and reproducing the content of the NOTICE file. provided, AMCC grants no express or implied right under AMCC patents,
copyrights, trademarks, or other intellectual property rights. You may transfer
the Software only if the recipient agrees to be fully bound by these terms and
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in if you retain no copies of the Software.
writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR LIMITATION OF LIABILITY
CONDITIONS OF ANY KIND, either express or implied, including, without IN NO EVENT SHALL AMCC AND BARRACUDA NETWORKS OR ITS
limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, BUSINESS
are solely responsible for determining the appropriateness of using or INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE
redistributing the Work and assume any risks associated with Your exercise OF OR INABILITY TO USE THE SOFTWARE, EVEN IF AMCC HAS BEEN
of permissions under this License. ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
JURISDICTIONS PROHIBIT EXCLUSION OR LIMITATION OF LIABILITY
FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL
8. Limitation of Liability. In no event and under no legal theory, whether in tort DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. YOU
(including negligence), contract, or otherwise, unless required by applicable MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
law (such as deliberate and grossly negligent acts) or agreed to in writing, JURISDICTION TO JURISDICTION.
shall any Contributor be liable to You for damages, including any direct,
indirect, special, incidental, or consequential damages of any character TERMINATION
arising as a result of this License or out of the use or inability to use the Work This agreement will be terminated at any time if you violate its terms. Upon
(including but not limited to damages for loss of goodwill, work stoppage, termination, you will immediately destroy the software.
computer failure or malfunction, or any and all other commercial damages or
RESTRICTED RIGHTS LEGEND
losses), even if such Contributor has been advised of the possibility of such
damages. The AMCC Software Products are Restricted Computer Software. If the
Software Products are licensed for use by the United States or for use in the
performance of a United States government prime contract or subcontract,
9. Accepting Warranty or Additional Liability. While redistributing the Work or Customer agrees that the Software Products are delivered as: (i) commercial
Derivative Works thereof, You may choose to offer, and charge a fee for, computer software as defined in DFARS 252.227-7013, Rights in Technical
acceptance of support, warranty, indemnity, or other liability obligations Data Noncommercial Items; DFARS 252.227-7014, Rights In
and/or rights consistent with this License. However, in accepting such Noncommercial Computer Software and Noncommercial Computer Software
Documentation; and DFARS 252.227-7015, Technical Data Commercial Items; (ii) as a commercial item as defined in FAR 2.101; or (iii) as restricted commercial software as defined in FAR 52.227-19, Commercial Computer Software Restricted Rights; whichever is applicable. The use, duplication, and disclosure of the Software Products by the Department of Defense shall be subject to the terms and conditions set forth in the accompanying license agreement as provided in DFARS 227.7202. All other use, duplication and disclosure of the Software Products and Documentation by the United States shall be subject to the terms and conditions set forth in the accompanying license agreement and the restrictions contained in subsection (c) of FAR 52.227-19, Commercial Computer Software Restricted Rights, or FAR 52.227-14, Rights in Data. Contractor/licensor is AMCC, 6290 Sequence Drive, San Diego, CA 92121.

obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

10.3.5 bind License

Barracuda Networks Products may contain programs and software that are copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. $Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $

Portions Copyright (C) 1996-2001 Nominum, Inc. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

10.3.6 Broadcom Corporation

End User Agreement

Barracuda Networks Products may contain programs and software that are copyright Broadcom Corporation.

END USER AGREEMENT for usage of linux driver BCM9IPS500A / BCM9IPS1000

No Warranty. THE SOFTWARE IS OFFERED "AS IS", AND BROADCOM GRANTS AND LICENSEE RECEIVES NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR CONDUCT WITH LICENSEE, OR OTHERWISE. BROADCOM SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THE SOFTWARE OR ANY UPGRADES TO OR DOCUMENTATION FOR THE SOFTWARE. WITHOUT LIMITATION OF THE ABOVE, BROADCOM GRANTS NO WARRANTY THAT THE SOFTWARE IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION, AND GRANTS NO WARRANTY REGARDING USE OR THE RESULTS THEREFROM INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY.

10.3.7 DHCP Relay / DHCP Enterprise Server

Barracuda Networks Products may contain programs and software that are copyright (c) 2004 Internet Systems Consortium, Inc. ("ISC") Copyright (c) 1995-2003 Internet Software Consortium. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of ISC, ISC DHCP, nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY INTERNET SYSTEMS CONSORTIUM AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ISC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.8 ISAKMP License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.9 JavaScript Virtual Keyboard

Barracuda Networks Products may contain programs and software that are covered by the License below.

The Code Project Open License (CPOL) 1.02

Preamble

This License governs Your use of the Work. This License is intended to allow developers to use the Source Code and Executable Files provided as part of the Work in any application in any form. The main points subject to the terms of the License are:

Source Code and Executable Files can be used in commercial applications;
Source Code and Executable Files can be redistributed; and
Source Code can be modified to create derivative works.

No claim of suitability, guarantee, or any warranty whatsoever is provided. The software is provided "as-is". The Article accompanying the Work may not be distributed or republished without the Author's consent. This License is entered between You, the individual or other entity reading or otherwise making use of the Work licensed pursuant to this License and the individual or other entity which offers the Work under the terms of this License ("Author").

License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CODE PROJECT OPEN LICENSE ("LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HEREIN, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE AUTHOR GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO ACCEPT AND BE BOUND BY THE TERMS OF THIS LICENSE, YOU CANNOT MAKE ANY USE OF THE WORK.

1. Definitions.

a. "Articles" means, collectively, all articles written by Author which describe how the Source Code and Executable Files for the Work may be used by a user.
b. "Author" means the individual or entity that offers the Work under the terms of this License.
c. "Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works.
d. "Executable Files" refer to the executables, binary files, configuration and any required data files included in the Work.
e. "Publisher" means the provider of the website, magazine, CD-ROM, DVD or other medium from or by which the Work is obtained by You.
f. "Source Code" refers to the collection of source code and configuration files used to create the Executable Files.
g. "Standard Version" refers to such a Work if it has not been modified, or has been modified in accordance with the consent of the Author, such consent being in the full discretion of the Author.
h. "Work" refers to the collection of files distributed by the Publisher, including the Source Code, Executable Files, binaries, data files, documentation, whitepapers and the Articles.
i. "You" is you, an individual or entity wishing to use the Work and exercise your rights under this License.

2. Fair Use/Fair Use Rights. Nothing in this License is intended to reduce, limit, or restrict any rights arising from fair use, fair dealing, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws.

3. License Grant. Subject to the terms and conditions of this License, the Author hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:

a. You may use the standard version of the Source Code or Executable Files in Your own applications.
b. You may apply bug fixes, portability fixes and other modifications obtained from the Public Domain or from the Author. A Work modified in such a way shall still be considered the standard version and will be subject to this License.
c. You may otherwise modify Your copy of this Work (excluding the Articles) in any way to create a Derivative Work, provided that You insert a prominent notice in each changed file stating how, when and where You changed that file.
d. You may distribute the standard version of the Executable Files and Source Code or Derivative Work in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution.
e. The Articles discussing the Work published in any form by the author may not be distributed or republished without the Author's consent. The author retains copyright to any such Articles. You may use the Executable Files and Source Code pursuant to this License but you may not repost or republish or otherwise distribute or make available the Articles, without the prior written consent of the Author.

Any subroutines or modules supplied by You and linked into the Source Code or Executable Files of this Work shall not be considered part of this Work and will not be subject to the terms of this License.

3. Patent License. Subject to the terms and conditions of this License, each Author hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, import, and otherwise transfer the Work.

4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:

a. You agree not to remove any of the original copyright, patent, trademark, and attribution notices and associated disclaimers that may appear in the Source Code or Executable Files.
b. You agree not to advertise or in any way imply that this Work is a product of Your own.
c. The name of the Author may not be used to endorse or promote products derived from the Work without the prior written consent of the Author.
d. You may distribute the Executable Files and Source Code only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy of the Executable Files or Source Code You distribute and ensure that anyone receiving such Executable Files and Source Code agrees that the terms of this License apply to such Executable Files and/or Source Code. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute the Executable Files or Source Code with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License.
e. You agree not to sell, lease, or rent any part of the Work. This does not restrict you from including the Work or any part of the Work inside a larger software distribution that itself is being sold. The Work by itself, though, cannot be sold, leased or rented.
f. You agree not to use the Work for illegal, immoral or improper purposes, or on pages containing illegal, immoral or improper material. The Work is subject to applicable export laws. You agree to comply with all such laws and regulations that may apply to the Work after Your receipt of the Work.

6. Representations, Warranties and Disclaimer. THIS WORK IS PROVIDED "AS IS", "WHERE IS" AND "AS AVAILABLE", WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES OR CONDITIONS OR GUARANTEES. YOU, THE USER, ASSUME ALL RISK IN ITS USE, INCLUDING COPYRIGHT INFRINGEMENT, PATENT INFRINGEMENT, SUITABILITY, ETC. AUTHOR EXPRESSLY DISCLAIMS ALL EXPRESS, IMPLIED OR STATUTORY WARRANTIES OR CONDITIONS, INCLUDING WITHOUT LIMITATION, WARRANTIES OR CONDITIONS OF MERCHANTABILITY, MERCHANTABLE QUALITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY WARRANTY OF TITLE OR NON-INFRINGEMENT, OR THAT THE WORK (OR ANY PORTION THEREOF) IS CORRECT, USEFUL, BUG-FREE OR FREE OF VIRUSES. YOU MUST PASS THIS DISCLAIMER ON WHENEVER YOU DISTRIBUTE THE WORK OR DERIVATIVE WORKS.

7. Indemnity. You agree to defend, indemnify and hold harmless the Author and the Publisher from and against any claims, suits, losses, damages, liabilities, costs, and expenses (including reasonable legal or attorneys fees) resulting from or relating to any use of the Work by You.

8. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL THE AUTHOR OR THE PUBLISHER BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK OR OTHERWISE, EVEN IF THE AUTHOR OR THE PUBLISHER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. Termination.

a. This License and the rights granted hereunder will terminate automatically upon any breach by You of any term of this License. Individuals or entities who have received Derivative Works from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 6, 7, 8, 9, 10 and 11 will survive any termination of this License.
b. If You bring a copyright, trademark, patent or any other infringement claim against any contributor over infringements You claim are made by the Work, your License from such contributor to the Work ends automatically.
c. Subject to the above terms and conditions, this License is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, the Author reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.

10. Publisher. The parties hereby confirm that the Publisher shall not, under any circumstances, be responsible for and shall not have any liability in respect of the subject matter of this License. The Publisher makes no warranty whatsoever in connection with the Work and shall not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. The Publisher reserves the right to cease making the Work available to You at any time without notice.

11. Miscellaneous

This License shall be governed by the laws of the location of the head office of the Author or if the Author is an individual, the laws of location of the principal place of residence of the Author.

If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this License, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.

No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.

This License constitutes the entire agreement between the parties with respect to the Work licensed herein. There are no understandings, agreements or representations with respect to the Work not specified herein. The Author shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Author and You.

10.3.10 Microdasys

Barracuda Networks Products may contain programs and software that are covered by the License below.

1. GRANT OF LICENSE

a) BARRACUDA NETWORKS grants to you a non-exclusive, non-transferable, non-sublicensable license to use BARRACUDA NETWORKS SSLPRX service, the respective BARRACUDA NETWORKS software module.
b) BARRACUDA NETWORKS SSLPRX contains one or more of the following software modules; SCIP, XMLRay, and/or SX-Suite (the "Product" or the "Software"), in binary executable form, which are copyright protected by:

Microdasys Inc.
Worldwide Headoffice
385 Pilot Road, Suite A
Las Vegas, NV 89119, USA
www.microdasys.com

Microdasys grants to you a non-exclusive, non-transferable, non-sublicensable license to use the Product.

2. PERMITTED USES

a) Subject to timely payment of license fees BARRACUDA NETWORKS shall grant you an exclusive right to install and use the programme on a data storage device from issuance of the license certificate for the licensed period of time. The license exclusively concerns the use of the Product by you for your own data processing processes. You shall not be entitled to grant third parties access to the Product. You undertake to keep the Software safe so that access and, thus, copying or using the Software by third parties is prevented.
b) This Software End User License Agreement ("Agreement") permits you to use one copy of the Product, as a server for up to a number of computers for which you have paid for this license (each, a "Seat"); as a special case you may have been granted a license for an unlimited number of users. A computer serves as a Seat when the user at the Seat accesses or utilizes, directly or indirectly, the Product. Use of software or hardware which reduces the number of computers directly accessing or utilizing the Product (also known as "pooling" or "multiplexing") will not be deemed to reduce the number of Seats. Each computer indirectly accessing or utilizing the Product is still considered a Seat. You are permitted to install the product on more than one server for load-balancing and High-Availability reasons, provided that the total number of licensed seats accessing either one of these servers is not exceeded.

3. TESTING

The Software is available for evaluation purposes by way of time limited evaluation licenses. The evaluation license required to test the software can be obtained free of charge. The Software must only be used in connection with an implementation of a BARRACUDA NETWORKS system. The scope of use of the Software will be partly restricted by those systems.

4. COPYRIGHT

a) All title and copyrights in and to the Product and any copies thereof are owned by Microdasys or its suppliers. The Product is protected by US and Austrian copyright laws, international treaty provisions and all other applicable national laws. The Product is licensed, not sold. All title and intellectual property rights in and to the content which may be accessed through use of the Product are the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This agreement grants you no rights to use such content. Therefore, you must treat the Product like any other copyrighted material (e.g. a book or musical recording) except that if the Product is not copy protected, you may make one copy of the Product solely for backup or archival purposes, provided any copy must contain all of the original Product's proprietary notices. You may not copy the Product manual(s), on-line documentation, or any written materials accompanying the Product. If you receive your first copy of the Product electronically, and a second copy on media, the second copy may be used for archival purposes only, and must contain the same proprietary notices which appear on and in the Product. This Agreement does not grant you any right to any enhancement or update.
b) You expressly acknowledge that Microdasys is the owner of all proprietary rights and rights to use the Product which result from copyright. In case you violate such rights and other mandatory copyright provisions, Microdasys shall be entitled to all legal remedies which are provided for under copyright law to defend copyrights protection.

5. RESTRICTIONS

a) You may not rent or lease the Product, and may not transfer your rights under this Agreement without obtaining the prior written consent of BARRACUDA NETWORKS. To the extent such restriction is allowable under law, and unless provided otherwise by mandatory statutory provisions, you shall not be entitled to translate the programme from object code into source code (e.g. by reverse engineering, disassembling or decompiling).
b) You shall not be entitled to crack or change the license key.
c) You shall not be entitled to modify or delete any notes regarding rights, trademarks or the like which are stated in the programme or on the media on which the programme is stored.
d) You may not distribute copies of the Product to third parties unless explicitly authorized to do so by an additional written agreement.
e) You may not integrate, incorporate or bundle the Product into any other software or include the Product in other software or hardware without receiving the prior written consent of BARRACUDA NETWORKS.
g) You acknowledge that the source code form of the Product remains a confidential trade secret of Microdasys and/or its suppliers. You must maintain all copyright notices on all copies of the Product.
h) The license may be linked to the hardware configuration via a license key. In the case of modifications of the hardware configuration BARRACUDA NETWORKS shall be free to issue another license key to you free of charge. You shall then lose the right to continue to use the first license key. BARRACUDA NETWORKS shall be entitled to request evidence thereof within fourteen days of receipt of the new license key.

6. TERM

The term of this Agreement is perpetual. However, you may terminate your license at any time by destroying all copies of the Product and Product documentation.

7. TERMINATION

Your license will terminate automatically if you fail to comply with the limitations described above. On termination, you must destroy all copies of the Product.

8. NOTE ON SSL SUPPORT

The Product contains support for encrypted programs using SSL. SSL technology is not fault tolerant and is not designed, manufactured, or intended for use or resale as on-line control equipment in hazardous environments requiring fail-safe performance, such as in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines, or weapons systems, in which the failure of SSL technology could lead directly to death, personal injury, or severe physical or environmental damage. Generally speaking, and regardless of the SSL support, the product is not intended for any uses in which the failure of the product could lead directly to death, personal injury, or severe physical or environmental damage. Furthermore, the Product does not provide complete protection against harmful applications.

YOU ARE EXPLICITLY WARNED THAT THE SECURITY ENHANCEMENT FEATURES OF THE PRODUCT DO NOT PROVIDE TOTAL PROTECTION AGAINST DAMAGING SOFTWARE ROUTINES.

9. LIMITED WARRANTY

Subject to payment of applicable license fees, Microdasys warrants that the Product will perform substantially in accordance with the accompanying Product manual(s) or on-line documentation for a period of 90 days from the date of fee payment. Any implied warranties on the Product are limited to 90 days. Microdasys does not warrant that the Product is error free. Microdasys's entire liability and your exclusive remedy under this warranty shall be, at Microdasys's option, either (a) return of the price paid or (b) repair or replacement of the Product that does not meet this limited warranty and which is returned to Microdasys with a copy of your receipt. This limited warranty is void if failure of the Product has resulted from accident, abuse, or misapplication. Any replacement Product will be warranted for the remainder of the original warranty period or 30 days, whichever is longer.

10. NO OTHER WARRANTIES

EXCEPT AS EXPLICITLY SET FORTH IN THIS AGREEMENT, THE PRODUCT IS PROVIDED "AS IS". NEITHER MICRODASYS NOR BARRACUDA NETWORKS WARRANT THAT THE PRODUCT IS ERROR-FREE. ADDITIONALLY, MICRODASYS AND BARRACUDA NETWORKS DISCLAIM ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

11. NO LIABILITY FOR CONSEQUENTIAL DAMAGES

IN NO EVENT SHALL MICRODASYS AND BARRACUDA NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY CONSEQUENTIAL OR INDIRECT DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS MICRODASYS AND BARRACUDA NETWORKS, EVEN IF MICRODASYS AND BARRACUDA NETWORKS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION SHALL APPLY NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST, OR THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS AGREEMENT GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER RIGHTS, WHICH VARY FROM JURISDICTION TO JURISDICTION.

12. EXPORT REGULATIONS

a) This software contains cryptography and is therefore subject to US government export control under the U.S. Export Administration Regulations (EAR). EAR Part 740.13(e) allows the export and reexport of publicly available encryption source code that is not subject to payment of license fee or royalty payment. Object code resulting from the compiling of such source code may also be exported and reexported under this provision if publicly available and not subject to a fee or payment other than reasonable and customary fees for reproduction and distribution. This kind of encryption source code and the corresponding object code may be exported or reexported without prior U.S. government export license authorization provided that the U.S. government is notified about the Internet location of the software. The open source software used in this product is publicly available without license fee or royalty payment, and all binary software is compiled from the open source code. The U.S. government has been notified about this software as explained above. Therefore, the source code and compiled object code may be downloaded and exported under U.S. export license exception (without a U.S. export license) except to the following destinations: Afghanistan (Taliban controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan and Syria. This list of countries is subject to change.
b) Products delivered by BARRACUDA NETWORKS are designed for being used within and for remaining in the EU. Re-export, be it separately or integrated into a system, shall be subject to export approval. You must comply with all applicable foreign trade legislation and US Export Regulations including valid ECCN numbers. Reselling to customers that operate, manufacture, service or otherwise are involved with any nuclear material for any purpose, shall require special permits. BARRACUDA NETWORKS reserves the right to adjust the provisions on export and import at any time if national or international legislation so requires.

13. MISCELLANEOUS

a) This Agreement represents the complete agreement concerning the license between you and Microdasys and supersedes all prior agreements and representations between you and Microdasys.
b) It may be amended only by writing executed by you, Microdasys and BARRACUDA NETWORKS. If any provision of the Agreement is held to be unenforceable for any reason, such provision shall be reformed only to the extent necessary to make it enforceable.
c) This Agreement is governed by the laws of the United States of America. Should you have any questions concerning this Agreement, or if you desire to contact BARRACUDA NETWORKS for any reason, please contact the BARRACUDA NETWORKS affiliate serving your country or write to: BARRACUDA NETWORKS, Inc., 385 Pilot Rd., Suite A, Las Vegas, NV 89141
d) If individual provisions of this contract are or become ineffective, the remaining provisions of this contract shall not be affected. The contracting parties shall co-operate as partners in order to find a provision which comes as close as possible to the ineffective provisions.

14. RPA

All Certificate Authorities ("CA") have some sort of agreement in place (usually called Relying Party Agreement, "RPA"). We strongly recommend that you read these prior to using any of their services, including but not limited to Certificate Revocation List ("CRL") and Online Certificate Status Protocol ("OCSP") repositories. It is your sole responsibility to retrieve these agreements from each CA's respective website and decide whether or not to agree to the terms and conditions of the RPA of each CA. You may only use the Microdasys/BARRACUDA NETWORKS SCIP CRL and OCSP and the Microdasys/BARRACUDA NETWORKS SCIP Certificate Validation Engine for certificates of those CAs whose RPA you have read, understood and agreed to. You are also responsible for re-visiting the websites of the CAs from time to time, to verify whether or not the content of the RPA has been amended. By installing and using the BARRACUDA NETWORKS SCIP product and the Microdasys/BARRACUDA NETWORKS CRL and OCSP Engine and Database, you declare that you have read and understood the above and accept its conditions.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)

15. PURCHASE PRICE

Unless otherwise agreed in the course of distribution, the following regulation shall apply:

The purchase price for the Program including the license certificate shall be

license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

(eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
transferred to the company account of BARRACUDA NETWORKS within DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
fourteen days of delivery of the license certificate without another invoice for BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
the due purchase price being necessary. If your are in default of payment of EXEMPLARY, OR CONSEQUENTIALDAMAGES (INCLUDING, BUT NOT
the purchase price, BARRACUDA NETWORKS shall be entitled to charge LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
default interest at a rate of 8 % p.a. above the three-months EURIBOR LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
applicable from time to time. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
16. ENHANCEMENTS OF PROGRAMMES (UPDATES) AND SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
MODIFICATIONS OF PROGRAMMES DAMAGE.The license and distribution terms for any publically available
a) BY PURCHASING THE LICENSE CERTIFICATE YOU SHALL NOT version or derivative of this code cannot be changed. i.e. this code cannot
ACQUIRE ANY RIGHT TO FURTHER SUPPORT BY BARRACUDA simply be copied and put under another distribution license [including the
NETWORKS OR TO DELIVERY OF UPDATES OR PROGRAMME GNU Public License.]
EXTENSIONS.
10.3.12 OpenSSH License
b) You expressly agree that data concerning you which becomes known to
BARRACUDA NETWORKS within the scope of the business relationship with Barracuda Networks Products may contain programs and software that are
you shall be collected and processed by BARRACUDA NETWORKS for the covered by the License below.
purpose of information about the development of updates and new
programme versions and for offering of maintenance contracts and for other
offers. Licensed Software: This file is part of the OpenSSH software.The licenses
which components of this software fall under are as follows. First, we will
c) You acknowledge and agree that your personal data be stored and
summarize and say that all components are under a BSD license, or a license
processed by BARRACUDA NETWORKS for the purpose of internal data
more free than that.
collection, data processing and for information about the development in
connection with the delivered product and of updates and new programme OpenSSH contains no GPL code.
versions. In accordance with Section 107 TKG [Austrian Telecommunications 1. Copyright (c) 1995 Tatu Ylonen , Espoo, Finland All rights reserved
Act] you expressly agree to receipt of such information also by e-mail.
As far as I am concerned, the code I have written for this software can be
used freely for any purpose. Any derived versions of this software must be
10.3.11 The OpenLDAP Public License clearly marked as such, and if the derived work is incompatible with the
Barracuda Networks Products may include programs that are covered by the protocol description in the RFC file, it must be called by a name other than
OpenLDAP Redistribution and use of this software and associated "ssh" or "Secure Shell".
documentation ("Software"), with or without modification, are permitted [Tatu continues]
provided that the following conditions are met:Redistributions of source code
However, I am not implying to give any licenses to any patents or copyrights
must retain copyright statements and notices, Redistributions in binary form
held by third parties, and the software includes parts that are not under my
must reproduce applicable copyright statements and notices, this list of
direct control. As far as I know, all included source code is used in
conditions, and the following disclaimer in the documentation and/or other
accordance with the relevant license agreements and can be used freely for
materials provided with the distribution, and Redistributions must contain a
verbatim copy of this document.The OpenLDAP Foundation may revise this
any purpose (the GNU license being the most restrictive); see below for details.

[However, none of that term is relevant at this point in time. All of these restrictively licensed software components which he talks about have been removed from OpenSSH, i.e.,

- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library

[The license continues]

Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".

The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGE ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

2. The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.

Cryptographic attack detector for ssh - source code
Copyright 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky

3. ssh-keygen was contributed by David Mazieres under a BSD-style license.

Copyright 1995, 1996 by David Mazieres.
Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.

4. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:

@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen
@author Antoon Bosselaers
@author Paulo Barreto
This code is hereby placed in the public domain.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

5. One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code.

Copyright 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6. The progressmeter code used by scp(1) and sftp(1) is copyright by the NetBSD Foundation.

Copyright 1997-2003 The NetBSD Foundation, Inc. All rights reserved.
This code is derived from software contributed to The NetBSD Foundation by Luke Mewburn.
This code is derived from software contributed to The NetBSD Foundation by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, NASA Ames Research Center.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

7. Remaining components of the software are provided under a standard 2-term BSD license with the following names as copyright holders:

Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.13 OpenSSL License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

==============================================

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)." The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)."

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]

10.3.14 The PHP License

The PHP License, version 3.0

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2002 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".
4. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

10.3.15 PostgreSQL

Barracuda Networks Products may contain programs and software that are Copyright (c) 1996-2005, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California

Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

10.3.16 PuTTY License

Barracuda Networks Products may contain programs and software that are Copyright (c) 1997-2000 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SIMON TATHAM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

10.3.17 RipeMD160

Barracuda Networks Products may contain programs and software that are Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The license and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License.]

10.3.18 SHA2

Barracuda Networks Products may contain programs and software that are Copyright 2000 Aaron D. Gifford. All rights reserved. Redistribution and use

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.19 SNMPD License

Barracuda Networks Products may contain programs and software that are covered by the License below.

The BARRACUDA NETWORKS SNMP daemon is based on the Net-SNMP project. The following license conditions are valid for the original part of the software.

Various copyrights apply to this package, listed in 3 separate parts below. Please make sure to take note of all parts. Up until 2001, the project was based at UC Davis, and the first part covers all code written during this time. From 2001 onwards, the project has been based at SourceForge, and Networks Associates Technology, Inc hold the copyright on behalf of the wider Net-SNMP community, covering all derivative work done since then. An additional copyright section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd. to the project since 2001.

---- Part 1: CMU/UCD copyright notice: (BSD like) -----

Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) -----

Copyright (c) 2001, Networks Associates Technology, Inc All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of the NAI Labs nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" A
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
in source and binary forms, with or without modification, are permitted SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
provided that the following conditions are met: 1. Redistributions of source DAMAGE.
code must retain the above copyright notice, this list of conditions and the ---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) -----
following disclaimer. 2. Redistributions in binary form must reproduce the
Portions of this code are copyright (c) 2001, Cambridge Broadband Ltd. All
above copyright notice, this list of conditions and the following disclaimer in
rights reserved.
the documentation and/or other materials provided with the distribution. 3.
Neither the name of the copyright holder nor the names of contributors may Redistribution and use in source and binary forms, with or without
be used to endorse or promote products derived from this software without modification, are permitted provided that the following conditions are met:
specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE Redistributions of source code must retain the above copyright notice, this
AUTHOR(S) AND CONTRIBUTOR(S) AS IS'' AND ANY EXPRESS OR list of conditions and the following disclaimer. Redistributions in binary form
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.20 SpamAssassin (Artistic License)

Barracuda Networks Products may contain programs and software that are covered by the License below.

Preamble

The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.

Definitions:

"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.

"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder.

"Copyright Holder" is whoever is named in the copyright or copyrights for the package.

"You" is you, if you're thinking about copying or distributing this Package.

"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)

"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it.

1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.

2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version.

3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:

a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as ftp.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.

b) use the modified Package only within your corporation or organization.

c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:

a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.

b) accompany the distribution with the machine-readable source of the Package with your modifications.

c) accompany any non-standard executables with their corresponding Standard Version executables, giving the nonstandard executables non-standard names, and clearly documenting the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own.

6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package.

7. C or perl subroutines supplied by you and linked into this Package shall not be considered part of this Package.

8. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

10.3.21 TUN/TAP driver for Mac OS X

Barracuda Networks Products may contain programs and software that are covered by the License below.

A part of this software uses the tun/tap driver for Mac OS X provided by Mattias Nissler. This driver comes along with following terms of license: tun/tap driver for Mac OS X Copyright (c) 2004, 2005 Mattias Nissler <mattias.nissler@gmx.de>

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.22 Vortex and AXL

Barracuda Networks Products may contain programs and software that are copyright (C) 2007 Advanced Software Production Line, S.L. All rights reserved. The software includes source code from the following projects, which are covered by their own licenses: Vortex Library, fully available at http://www.aspl.es/vortex; AXL, fully available at: http://www.aspl.es/axl

DISCLAIMER: THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JOHN LIM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

10.3.23 WinPcap

Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). Copyright (c) 2005 - 2008 CACE Technologies, Davis (California). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors. This product includes software developed by the Kungliga Tekniska Högskolan and its contributors. This product includes software developed by Yen Yen Lim and North Dakota State University.

--------------------------------------------------------------------------------

Portions Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the University of California, Berkeley and its contributors." 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------

Portions Copyright (c) 1983 Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

--------------------------------------------------------------------------------

Portions Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the Kungliga Tekniska Högskolan and its contributors." 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------

Portions Copyright (c) 1997 Yen Yen Lim and North Dakota State University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by Yen Yen Lim and North Dakota State University" 4. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------

Portions Copyright (c) 1993 by Digital Equipment Corporation. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without specific, written prior permission. THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--------------------------------------------------------------------------------

Portions Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------

Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution. The name of Juniper Networks may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

--------------------------------------------------------------------------------

Portions Copyright (c) 2001 Daniel Hartmeier All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
syslinux BSD
syslog-ng GPL
sysreport GPL
tar GPL
tcl BSD
tcpdump BSD
tcp_wrappers Distributable
tcsh distributable
telnet BSD
termcap Public Domain
texinfo GPL
textutils GPL
tightvnc GPL
time GPL
tmpwatch GPL
traceroute BSD
ttcp Public Domain
unzip BSD
usbutils GPL
usermode GPL
utempter MIT
util-linux distributable
vconfig distributable
vera_ttf GPL
vim-common freeware
vim-minimal freeware
vixie-cron distributable
watchdog GPL
wget GPL
which GPL
wireless-tools GPL
words freeware
xauth XFree86
xml-common GPL
zend-optimizer GPL
zlib BSD
zlib-devel BSD

Barracuda Networks Products may contain programs and software that are covered by the Lesser General Public License. The Lesser General Public License is re-printed below for your reference.

10.3.25 GNU Lesser General Public License

Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.

To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.

Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.

When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.

We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.

For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.

Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.

Terms and Conditions for Copying, Distribution and Modification

0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) The modified work must itself be a software library.

b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.

c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.

d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.

(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.

In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.

c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.

d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:

a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.

b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.

14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Barracuda Networks Products may contain programs and software that are covered by the Artistic License. The Artistic License is re-printed below for your reference.

10.3.26 The "Artistic License"

Preamble

The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.

Definitions

"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.

"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder as specified below.

"Copyright Holder" is whoever is named in the copyright or copyrights for the package.

"You" is you, if you're thinking about copying or distributing this Package.

"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)

"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it.

Conditions

1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.
2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version.

3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:

a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.

b) use the modified Package only within your corporation or organization.

c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:

a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.

b) accompany the distribution with the machine-readable source of the Package with your modifications.

c) give non-standard executables non-standard names, and clearly document the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.

d) make other distribution arrangements with the Copyright Holder.

5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. You may embed this Package's interpreter within an executable of yours (by linking); this shall be construed as a mere form of aggregation, provided that the complete Standard Version of the interpreter is so embedded.

6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whoever generated them, and may be sold commercially, and may be aggregated with this Package. If such scripts or library files are aggregated with this Package via the so-called "undump" or "unexec" methods of producing a binary executable image, then distribution of such an image shall neither be construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4, provided that you do not represent such an executable image as a Standard Version of this Package.

7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked into this Package in order to emulate subroutines and variables of the language defined by this Package shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided these sub-routines do not change the language in any way that would cause it to fail the regression tests for the language.

8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package's interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package.

9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.

10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The End

10.3.27 MIT-License

Barracuda Networks Products may contain programs and software that are covered by the MIT-License.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the names of the author(s) nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

Disclaimer

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. (Note: The above license is copied from the BSD license at: www.opensource.org/licenses/bsd-license.html, substituting the appropriate references in the template.) (end)

10.3.28 Mozilla Public License

Barracuda Networks Software may include programs that are covered by the Mozilla Public License Version 1.1.

1. Definitions.

1.0.1 "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.

1.1 "Contributor" means each entity that creates or contributes to the creation of Modifications.

1.2 "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that particular Contributor.

1.3 "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions thereof.

1.4 "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.

1.5 "Executable" means Covered Code in any form other than Source Code.

1.6 "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.

1.7 "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.

1.8 "License" means this document.

1.9 "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When Covered Code is released as a series of files, a Modification is:

A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.

B. Any new file that contains any part of the Original Code or previous Modifications.

1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered Code governed by this License.

"Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in any patent Licensable by grantor.

1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided the appropriate decompression or de-archiving software is widely available for no charge.

1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of this License issued under Section 6.1. For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50 %) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License.

2.1 The Initial Developer Grant.

The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual property claims:

(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and

(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or otherwise dispose of the Original Code (or portions thereof).

(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.

(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code; or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.

2.2 Contributor Grant.

Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:

(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code and/or as part of a Larger Work; and

(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such combination).

(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.

(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed by Covered Code in the absence of Modifications made by that Contributor.

If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new knowledge has been obtained.

(b) Contributor APIs.

If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably necessary to implement that API, Contributor must also include this information in the LEGAL file.

(c) Representations

Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.

3.5 Required Notices.

You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear than any such warranty, support, indemnity or liability obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.

3.6. Distribution of Executable Versions.

You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a notice stating that the Source Code version of the Covered Code is available
3. Distribution Obligations. under the terms of this License, including a description of how and where You
have fulfilled the obligations of Section 3.2. The notice must be conspicuously
3.1 Application of License.
included in any notice in an Executable version, related documentation or
The Modifications which You create or to which You contribute are governed collateral in which You describe recipients' rights relating to the Covered
by the terms of this License, including without limitation Section 2.2. The Code. You may distribute the Executable version of Covered Code or
Source Code version of Covered Code may be distributed only under the ownership rights under a license of Your choice, which may contain terms
terms of this License or a future version of this License released under different from this License, provided that You are in compliance with the
Section 6.1, and You must include a copy of this License with every copy of terms of this License and that the license for the Executable version does not
the Source Code You distribute. You may not offer or impose any terms on attempt to limit or alter the recipient's rights in the Source Code version from
any Source Code version that alters or restricts the applicable version of this the rights set forth in this License. If You distribute the Executable version
License or the recipients' rights hereunder. However, You may include an under a different license You must make it absolutely clear that any terms
additional document offering the additional rights described in Section 3.5. which differ from this License are offered by You alone, not by the Initial
Developer or any Contributor. You hereby agree to indemnify the Initial
Developer and every Contributor for any liability incurred by the Initial
3.2 Availability of Source Code. Developer or such Contributor as a result of any such terms You offer.
Any Modification which You create or to which You contribute must be made 3.7. Larger Works.
available in Source Code form under the terms of this License either on the
same media as an Executable version or via an accepted Electronic You may create a Larger Work by combining Covered Code with other code
Distribution Mechanism to anyone to whom you made an Executable version not governed by the terms of this License and distribute the Larger Work as a
available; and if made available via Electronic Distribution Mechanism, must single product. In such a case, You must make sure the requirements of this
remain available for at least twelve (12) months after the date it initially License are fulfilled for the Covered Code.
became available, or at least six (6) months after a subsequent version of that
particular Modification has been made available to such recipients. You are
4. Inability to Comply Due to Statute or Regulation.
responsible for ensuring that the Source Code version remains available
even if the Electronic Distribution Mechanism is maintained by a third party. If it is impossible for You to comply with any of the terms of this License with
respect to some or all of the Covered Code due to statute, judicial order, or
regulation then You must: (a) comply with the terms of this License to the
3.3 Description of Modifications. maximum extent possible; and (b) describe the limitations and the code they
You must cause all Covered Code to which You contribute to contain a file affect. Such description must be included in the LEGAL file described in
documenting the changes You made to create that Covered Code and the Section 3.4 and must be included with all distributions of the Source Code.
date of any change. You must include a prominent statement that the Except to the extent prohibited by statute or regulation, such description must
Modification is derived, directly or indirectly, from Original Code provided by be sufficiently detailed for a recipient of ordinary skill to be able to understand
the Initial Developer and including the name of the Initial Developer in (a) the it.
Source Code, and (b) in any notice in an Executable version or related
documentation in which You describe the origin or ownership of the Covered
5. Application of this License.
Code.
This License applies to code to which the Initial Developer has attached the
notice in Exhibit A, and to related Covered Code.
3.4 Intellectual Property Matters
(a) Third Party Claims.
6. Versions of the License.
7. DISCLAIMER OF WARRANTY.

COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.

8. TERMINATION.

8.1 This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.

8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:

(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.

(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications made by that Participant.

8.3 If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.

8.4 In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or any distributor hereunder prior to termination shall survive termination.

9. LIMITATION OF LIABILITY.

11. MISCELLANEOUS.

This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License.

12. RESPONSIBILITY FOR CLAIMS.

As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing herein is intended or shall be deemed to constitute any admission of liability.

13. MULTIPLE-LICENSED CODE.

Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in Exhibit A.

EXHIBIT A - Mozilla Public License.

"The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/

Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.

The Original Code is ______________________________________.

The Initial Developer of the Original Code is ________________________.

Portions created by ______________________ are Copyright (C) _____________________________. All Rights Reserved.

Contributor(s): ______________________________________.

Alternatively, the contents of this file may be used under the terms of the _____ license (the "[___] License"), in which case the provisions of [______] License are applicable instead of those above. If you wish to allow use of your version of this file only under the terms of the [____] License and not to allow others to use your version of this file under the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the [___] License. If you do not delete the
provisions above, a recipient may use your version of this file under either the MPL or the [___] License."

[NOTE: The text of this Exhibit A may differ slightly from the text of the notices in the Source Code files of the Original Code. You should use the text of this Exhibit A rather than the text found in the Original Code Source Code for Your Modifications.]

_____________________________________________________________

10.3.29 NTP License

Barracuda Networks Software may include programs that are covered by the NTP License.

This file is automatically generated from html/copyright.htm

Copyright Notice

[Dolly the sheep] "Clone me," says Dolly sheepishly.

The following copyright notice applies to all files collectively called the Network Time Protocol Version 4 Distribution. Unless specifically declared otherwise in an individual file, this notice applies as if the text was explicitly included in the file.

/********************************************************************
* Copyright (c) David L. Mills 1992-2000                            *
* Permission to use, copy, modify, and distribute this software and *
* its documentation for any purpose and without fee is hereby       *
* granted, provided that the above copyright notice appears in all  *
* copies and that both the copyright notice and this permission     *
* notice appear in supporting documentation, and that the name      *
* University of Delaware not be used in advertising or publicity    *
* pertaining to distribution of the software without specific,      *
* written prior permission. The University of Delaware makes no     *
* representations about the suitability this software for any       *
* purpose. It is provided "as is" without express or implied        *
* warranty.                                                         *

25. Lars H. Mathiesen <thorinn@diku.dk> adaptation of foundation code for Version 3 as specified in RFC-1305
26. David L. Mills <mills@udel.edu> Version 4 foundation: clock discipline, authentication, precision kernel; clock drivers: Spectracom, Austron, Arbiter, Heath, ATOM, ACTS, KSI/Odetics; audio clock drivers: CHU, WWV/H, IRIG
27. Wolfgang Moeller <moeller@gwdgv1.dnet.gwdg.de> VMS port
28. Jeffrey Mogul <mogul@pa.dec.com> ntptrace utility
29. Tom Moore <tmoore@fievel.daytonoh.ncr.com> i386 svr4 port
30. Kamal A Mostafa <kamal@whence.com> SCO OpenServer port
31. Derek Mulcahy <derek@toybox.demon.co.uk> and Damon Hart-Davis <d@hd.org> ARCRON MSF clock driver
32. Rainer Pruy <Rainer.Pruy@informatik.uni-erlangen.de> monitoring/trap scripts, statistics file handling
33. Dirce Richards <dirce@zk3.dec.com> Digital UNIX V4.0 port
34. Wilfredo Sánchez <wsanchez@apple.com> added support for NetInfo
35. Nick Sayer <mrapple@quack.kfu.com> SunOS streams modules
36. Jack Sasportas <jack@innovativeinternet.com> Saved a Lot of space on the stuff in the html/pic/ subdirectory
37. Ray Schnitzler <schnitz@unipress.com> Unixware1 port
38. Michael Shields <shields@tembel.org> USNO clock driver
39. Jeff Steinman <jss@pebbles.jpl.nasa.gov> Datum PTS clock driver
40. Harlan Stenn <harlan@pfcs.com> GNU automake/autoconfigure makeover, various other bits (see the ChangeLog)
41. Kenneth Stone <ken@sdd.hp.com> HP-UX port
42. Ajit Thyagarajan <ajit@ee.udel.edu> IP multicast/anycast support
43. Tomoaki TSURUOKA <tsuruoka@nc.fukuoka-u.ac.jp> TRAK clock driver
44. Paul A Vixie <vixie@vix.com> TrueTime GPS driver, generic TrueTime clock driver