Barracuda Basic Firewall Access-list Policy Lab – CyberSecurity Memo

This post continues the earlier one, Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I’m gonna show you how to configure WAN / LAN interfaces, how to create your own forwarding access rule, and how to create a Destination NAT rule.



Online PNG Format Topology Diagram:

Configure Interfaces

  • LAN – Port 2
  • WAN – Port 4

Go to Configuration – IP Configuration – Shared Networks and IPs:

Add the LAN and WAN interfaces with the corresponding configuration:

For easy troubleshooting, don’t forget to enable the option Responds to ping when you configure the LAN/WAN port. That will make your firewall's LAN/WAN port pingable.

Firewall Rule Settings

Traffic Criteria


These settings define the traffic that will be handled by the rule:




If the rule must be applied to traffic going to and from the specified source and destination, select this check

The source IP addresses of the traffic.

The IP protocol used or, with TCP/UDP, the related IP protocol and port for the traffic.

Destination

The destination IP addresses/netmask of the traffic.

Authenticated User

authenticated users and groups who are affected by this rule. For more information, see Firewall
. If the rule requires user authentication at the firewall, the rule is depicted with an icon

the Name column in the rule overview window.


Rule Activation


These settings specify if the rule is active and how long it should be active:




Dynamic Rule

If the rule must be dynamically activated and deactivated for set periods of time, select this check box. For more information on configuring dynamic rules, see How to Activate a Dynamic Firewall Rule.

Deactivate Rule

To deactivate the rule, select this check box. To reactivate the rule, clear this check box.

To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon in the navigation bar. It is the first icon on the top right of the rule

Action and Connection


The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. These are the options that you can select:

There are quite a few different actions for your rules:

  • Block
  • Deny
  • Pass
  • MAP
  • App Redirect
  • Broad-Multicast
  • Cascade




Ignores the traffic and does not answer any matching packets.

Dismisses traffic and sends the following to the source:

  • TCP-RST (for TCP requests)
  • ICMP Port Unreachable (for UDP requests)
  • ICMP Denied by Filter (for other IP protocols)

Passes the network traffic to the specified destination.


the destination IP address and port. You can specify the connection type; this allows you to use source NAT and destination NAT

Maps one destination IP address or subnet to another IP object. The map is also available the reverse way.

For this action, you can select either client (destination NAT) or any predefined translation map for the connection type.


App Redirect

Redirects the traffic to a local application (transparent proxying).

Advanced parameters and timeouts of this type behave like in the local

Broad Multicast

Propagates the traffic to multiple interfaces. This action is only needed with bridging.

Specifies that the traffic must be processed by a subset of the main rule set.

Cascade Back

If the traffic does not match any rules in a rule subset specified by a Cascade rule, use this action to direct traffic handling to the main rule

The traffic is piped into the standard input (STDIN) of a program running on the server.

Depending on the Action of the rule, you can select a Connection that specifies how the source, destination, or service of the traffic is manipulated as it passes the Barracuda NG Firewall. This setting usually specifies the outgoing source IP address for address translation. The following Connection Method options are available:


Connection Method

Allows you to define the IP address used to perform source network address translation (NAT).

Dynamic Src NAT

source NAT for the defined connection. The source IP address of network packets will be manipulated dynamically, according to the routing table of the Barracuda NG Firewall.

Performs source NAT with the loopback IP address of

No Src NAT

No source NAT is performed.

Performs source NAT with the IP address of the specified network interface type (DHCP, ISDN, UMTS, or xDSL). The firewall doesn’t perform a routing table

Source NAT with VIP

Performs source NAT with the VIP address of the remote management tunnel. The firewall does not perform a routing table

Src NAT 1st Server

source NAT with the first Server IP address. The firewall does not perform a routing table lookup.

Src NAT 2nd Server

source NAT with the 2nd Server IP address. The firewall does not perform a routing table.


Traffic Modification and Inspection

These settings specify if the traffic is modified or inspected:

Redirect Target

This setting is for rules with the Action set to Dst Nat, App Redirect, or Map. In this section, you can specify the outgoing destination IP address for address translation.

You can select the following policies:



  • IPS Policy: The traffic is inspected by the IPS engine according to the selected IPS policy.
  • Application Policy: The traffic is inspected according to the selected application policy. For more information, see Layer 7 Application Control.
  • Time Objects: If Dynamic is enabled, select the required Time Object.
  • QoS Band (Fwd): Traffic in the forward direction is handled according to the selected QoS Band. For more information, see Traffic Shaping.
  • QoS Band (Reply): Traffic in the reverse direction is handled according to the selected QoS Band.


Configure Pass Forwarding Firewall Rule

In this lab, we’re gonna create a pass action rule, which is the Allow rule in other vendors' firewalls.

A Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination. For the Source and Destination, you can specify network objects, IP addresses, networks, or geolocation objects.


Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ ( The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.
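The Block, Deny, Pass and Dst NAT behaviours described above can be checked against a small model before you build the rules in the GUI. This is an added example, not Barracuda code or part of the original lab. The rule names, the addresses, top-down first-match evaluation and the implicit drop when nothing matches are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str         # "pass", "block", "deny" or "dst_nat"
    source: str         # CIDR
    destination: str    # CIDR
    protocol: str
    port: int = None    # None matches any port (or a port-less protocol)
    redirect: str = ""  # Dst NAT redirect target, "ip" or "ip:port"

def deny_reply(protocol):
    # Deny answers the source; the reply depends on the IP protocol.
    replies = {"tcp": "TCP-RST", "udp": "ICMP Port Unreachable"}
    return replies.get(protocol, "ICMP Denied by Filter")

def evaluate(rules, src, dst, protocol, port=None):
    """Return (rule name, verdict, detail) for one packet, first match wins."""
    for r in rules:
        if r.protocol != protocol or r.port not in (None, port):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.source):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r.destination):
            continue
        if r.action == "block":
            return r.name, "dropped", "no reply to source"
        if r.action == "deny":
            return r.name, "rejected", deny_reply(protocol)
        if r.action == "dst_nat":   # rewrite destination, optionally the port
            host, _, new_port = r.redirect.partition(":")
            return r.name, "forwarded", f"{host}:{new_port or port}"
        return r.name, "forwarded", f"{dst}:{port}"   # pass
    return None, "dropped", "no matching rule"   # assumption: implicit drop

# Constructed sample rule set (names and addresses are illustrative).
ANY, LAN, WAN_IP = "0.0.0.0/0", "10.0.0.0/24", "203.0.113.10/32"
RULES = [
    Rule("LAN-2-INTERNET", "pass", LAN, ANY, "tcp", 443),
    Rule("WEB-DNAT", "dst_nat", ANY, WAN_IP, "tcp", 80, "172.16.0.10:8080"),
    Rule("LAN-DENY-TELNET", "deny", LAN, ANY, "tcp", 23),
    Rule("LAN-DENY-SYSLOG", "deny", LAN, ANY, "udp", 514),
    Rule("LAN-DENY-GRE", "deny", LAN, ANY, "gre"),
    Rule("WAN-BLOCK-SMB", "block", ANY, WAN_IP, "tcp", 445),
]
```

Calling `evaluate(RULES, "198.51.100.7", "203.0.113.10", "tcp", 80)` shows the Dst NAT rewrite to the redirect target with its appended port, and the Deny rules show the three different replies a client on the LAN would see while troubleshooting.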


