Barracuda Basic Firewall Access-list Policy Lab – CyberSecurity Memo


This post is a continuation of the earlier one, Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I am going to show you how to configure the WAN / LAN interfaces, how to create your own forwarding access rule, plus a Destination NAT rule.

Related post:

Topology

 

Online PNG format topology diagram:

Configure Interfaces

  • LAN – Port 2
  • WAN – Port 4

Go to Configuration – IP Configuration – Shared Networks and IPs:

Add the LAN and WAN interfaces with their corresponding configuration:

For easy troubleshooting, don't forget to enable the option Responds to ping when you configure the LAN/WAN ports. That makes the firewall's LAN/WAN ports ping-able. This is convenient in a lab; on a production WAN port, weigh it against letting anyone on the Internet confirm that the firewall is there.

Firewall Rule Settings

Traffic Criteria

These settings define the traffic that will be handled by the rule:

  • Bi-Directional: select this check box if the rule should be applied to traffic going to and from the specified source and destination.
  • Source: the source IP addresses of the traffic.
  • Service: the IP protocol used or, with TCP/UDP, the related IP protocol and port for the traffic.
  • Destination: the destination IP addresses/netmask of the traffic.
  • Authenticated User: the authenticated users and groups who are affected by this rule. For more information, see Firewall Authentication. If the rule requires user authentication at the firewall, the rule is depicted with an icon in the Name column in the rule overview window.

 

Rule Activation

These settings specify if the rule is active and how long it should be active:

  • Dynamic Rule: select this check box if the rule should be dynamically activated and deactivated for set periods of time. For more information on configuring dynamic rules, see How to Activate a Dynamic Firewall Rule.
  • Deactivate Rule: to deactivate the rule, select this check box. To reactivate the rule, clear this check box.

To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon in the navigation bar. It is the first icon at the top right of the rule set.

Action and Connection

The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. There are quite a few different actions available for your rules:

  • Block: ignores the traffic and does not answer any matching packets.
  • Deny: dismisses the traffic and sends a response to the source: TCP-RST for TCP requests, ICMP Port Unreachable for UDP requests, and ICMP Denied by Filter for other IP protocols.
  • Pass: passes the network traffic to the specified destination.
  • Dst NAT: rewrites the destination IP address and port. You can specify the connection type; this lets you use source NAT and destination NAT together.
  • Map: maps one destination IP address or subnet to another IP object. The map is also available the reversed way. For this action, you can select either client (destination NAT) or any predefined translation map for the connection type.
  • App Redirect: redirects the traffic to a local application (transparent proxying). Advanced parameters and timeouts of this type behave like in the local firewall.
  • Broad Multicast: propagates the traffic to multiple interfaces. This action is only needed with bridging.
  • Cascade: specifies that the traffic should be processed by a subset of the main rule set.
  • Cascade Back: if the traffic does not match any rules in a rule subset specified by a Cascade rule, use this action to direct traffic handling back to the main rule set.
  • Execute: the traffic is piped into the standard input (STDIN) of a program running on the server.

From a hardening standpoint, Block is the quieter choice for untrusted (WAN) sources because the probe gets no answer at all, while Deny is friendlier for internal clients because they fail fast instead of waiting for a timeout.
Depending on the Action of the rule, you can select a Connection Method that specifies how the source, destination, or service of the traffic is manipulated as it passes the Barracuda NG Firewall. This setting typically specifies the outgoing source IP address for address translation. The following Connection Method options are available:

  • <explicit-conn>: lets you define the IP address used to perform source network address translation (NAT).
  • Dynamic Src NAT: performs source NAT for the defined connection. The source IP address of network packets is manipulated dynamically, according to the routing table of the Barracuda NG Firewall.
  • Loopback: performs source NAT with the loopback IP address 127.0.0.1.
  • No Src NAT: no source NAT is performed.
  • Source NAT with DHCP | ISDN | UMTS | xDSL: performs source NAT with the IP address of the specified network interface type (DHCP, ISDN, UMTS, or xDSL). The firewall does not perform a routing table lookup.
  • Source NAT with VIP: performs source NAT with the VIP address of the remote management tunnel. The firewall does not perform a routing table lookup.
  • Src NAT 1st Server IP: performs source NAT with the first Server IP address. The firewall does not perform a routing table lookup.
  • Src NAT 2nd Server IP: performs source NAT with the 2nd Server IP address. The firewall does not perform a routing table lookup.

 

Traffic Modification and Inspection

These settings specify if the traffic is modified or inspected:

  • Redirect Target: this setting is for rules with the Action set to Dst NAT, App Redirect, or Map. In this section, you can specify the outgoing destination IP address for address translation.
  • Policy: you can select the following policies:
      • IPS Policy: the traffic is inspected by the IPS engine according to the selected IPS policy.
      • Application Policy: the traffic is inspected according to the selected application policy. For more information, see Layer 7 Application Control.
      • Time Objects: if Dynamic Rule is enabled, select the required Time Object.
      • QoS Band (Fwd): traffic in the forward direction is handled according to the selected QoS Band. For more information, see Traffic Shaping.
      • QoS Band (Reply): traffic in the reverse direction is handled according to the selected QoS Band.

Configure Pass Forwarding Firewall Rule

In this lab, we are going to create a Pass action rule, which is the Allow rule in other vendors' firewalls.

A Pass access rule allows traffic for a specific Service coming from the Source to access the selected Destination. For the Source and Destination, you can specify network objects, IP addresses, networks, or geolocation objects.

(Screenshot: pass_rule.png)

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462929/how-to-create-a-pass-access-rule/

Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ (172.16.0.10). The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port. Keep the Service on such a rule limited to exactly the ports you mean to publish (here TCP 80 and 443); a Dst NAT rule with an open Service list exposes every port on the DMZ host. The Connection Method also decides whether the DMZ server sees the client's real IP or the firewall's address, which matters for server-side logging.

Note: https://campus.barracuda.com/product/cloudgenfirewall/doc/79462926/how-to-create-a-destination-nat-access-rule/
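To make the Action, Connection Method and Dst NAT settings described above concrete, here is a small Python model of how a forwarding rule set is evaluated. It is an example written for this post, not Barracuda's code or API. It walks the rules first-match, applies Bi-Directional matching, the Block versus Deny responses, Dst NAT with an optional ":port" on the redirect target, Dynamic Src NAT versus No Src NAT, and Cascade / Cascade Back into a sub rule set, so it goes beyond the single lab rule shown above. The class and function names, the WAN address 203.0.113.10, the LAN network 192.168.1.0/24, the management network 198.51.100.0/24 and the rule names are all assumptions made for the example; only the DMZ server 172.16.0.10 and the HTTP/HTTPS service come from the post.

```python
"""Toy first-match evaluator for the forwarding-rule semantics described in this post.
Added illustration, not Barracuda's engine or API; names, addresses and rules are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or another IP protocol name such as "gre"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    name: str
    action: str                              # Pass | Block | Deny | DstNAT | Cascade | CascadeBack
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    service: tuple = ("any",)                # e.g. ("tcp/80", "tcp/443"), ("udp/53",) or ("gre",)
    bidirectional: bool = False
    redirect_target: Optional[str] = None    # "172.16.0.10" or "172.16.0.10:8080"
    connection: str = "Dynamic Src NAT"      # or "No Src NAT"
    cascade_to: Optional[str] = None         # name of the sub rule set for the Cascade action

@dataclass
class Verdict:
    action: str
    rule: str
    response: Optional[str] = None           # what Deny sends back to the source; Block sends nothing
    packet: Optional[Packet] = None          # the forwarded packet after NAT, for Pass / DstNAT

def service_matches(service, pkt):
    """Entries look like "tcp/443", "udp/53", "gre" or "any"."""
    def one(entry):
        proto, _, port = entry.partition("/")
        return entry == "any" or (proto == pkt.proto and (not port or int(port) == pkt.dport))
    return any(map(one, service))

def matches(rule, pkt):
    """Source/Destination/Service criteria; Bi-Directional also accepts the reversed flow."""
    if not service_matches(rule.service, pkt):
        return False
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    s_net, d_net = ip_network(rule.source), ip_network(rule.destination)
    forward = src in s_net and dst in d_net
    reverse = rule.bidirectional and src in d_net and dst in s_net
    return forward or reverse

def deny_response(proto):
    """Deny answers the source; the answer depends on the IP protocol of the request."""
    return {"tcp": "TCP-RST", "udp": "ICMP Port Unreachable"}.get(proto, "ICMP Denied by Filter")

def parse_redirect_target(target):
    """'host' or 'host:port'; an appended port redirects the traffic to a different port."""
    host, sep, port = target.rpartition(":")
    return (host, int(port)) if sep else (target, None)

def translate(rule, pkt, egress_ip):
    """Apply the Redirect Target (Dst NAT) and the Connection Method (source NAT)."""
    if rule.action == "DstNAT":
        host, port = parse_redirect_target(rule.redirect_target)
        pkt = replace(pkt, dst=host, dport=port if port is not None else pkt.dport)
    if rule.connection == "Dynamic Src NAT":  # egress_ip stands in for the routing-table lookup result
        pkt = replace(pkt, src=egress_ip)
    return pkt  # "No Src NAT" keeps the real client address, which the DMZ server then logs

def _walk(rulesets, pkt, egress_ip, ruleset):
    for rule in rulesets[ruleset]:
        if not matches(rule, pkt):
            continue
        if rule.action == "CascadeBack":       # leave the subset, resume after the Cascade rule
            return None
        if rule.action == "Cascade":
            sub = _walk(rulesets, pkt, egress_ip, rule.cascade_to)
            if sub is not None:
                return sub
            continue                           # subset exhausted without a verdict: keep walking main
        if rule.action in ("Block", "Deny"):
            resp = deny_response(pkt.proto) if rule.action == "Deny" else None
            return Verdict(rule.action, rule.name, response=resp)
        return Verdict(rule.action, rule.name, packet=translate(rule, pkt, egress_ip))
    return None

def evaluate(rulesets, pkt, egress_ip):
    """First match wins; no match at all is treated as Block (this model assumes a default-deny set)."""
    return _walk(rulesets, pkt, egress_ip, "main") or Verdict("Block", "<implicit default>")

# Assumed lab addressing: WAN IP from the documentation range, LAN and management nets made up.
WAN_IP, LAN_NET, MGMT_NET, DMZ_WEB = "203.0.113.10", "192.168.1.0/24", "198.51.100.0/24", "172.16.0.10"
LAB_RULESETS = {
    "main": [Rule("LAN-2-INTERNET", "Pass", source=LAN_NET),
             Rule("INTERNET-2-DMZ-WEB", "DstNAT", destination=WAN_IP + "/32", service=("tcp/80", "tcp/443"),
                  redirect_target=DMZ_WEB, connection="No Src NAT"),
             Rule("WAN-ADMIN", "Cascade", destination=WAN_IP + "/32", cascade_to="admin"),
             Rule("WAN-DENY", "Deny", destination=WAN_IP + "/32")],
    "admin": [Rule("SSH-FROM-MGMT", "Pass", source=MGMT_NET, destination=WAN_IP + "/32", service=("tcp/22",),
                   connection="No Src NAT"),
              Rule("BACK", "CascadeBack")],
}
```

Calling evaluate(LAB_RULESETS, Packet("tcp", "198.51.100.7", WAN_IP, 443), WAN_IP) returns a DstNAT verdict whose packet is addressed to 172.16.0.10 port 443 with the client's source preserved, while a UDP probe to the same WAN address falls through the admin subset via Cascade Back and ends at WAN-DENY with an ICMP Port Unreachable. The model treats no match at all as a silent Block; check the final rule of your real rule set rather than assuming that.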


