It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda CloudGen Firewall
Overview Documentation Training Certification Materials

Best Practice - Service Configurations in the Public Cloud

  • Last updated on

Configuring a Barracuda CloudGen Firewall in the public cloud requires you to adapt setup procedures according to the requirements and restrictions of the cloud.

Use Automatically Filled Custom External Network Objects

The firewall automatically fills the custom external network objects with network information acquired directly from the cloud provider:

  • Custom external object 1 – internal IP address
  • Custom external object 2 – internal network address
  • Custom external object 3 – external IP address

For more information, see Custom External Network Objects.

Configuring Service Listeners and App Redirect Access Rules

Stand-Alone Firewalls

Stand-alone firewalls use one dynamic interface. The management IP address and the services running on it listen on the loopback interface IP addresses. Incoming traffic on the DHCP interface must be redirected with app redirect access rules to the respective service. Use the CONTROL > Resources page to check the listeners for each service.

BP_Azure_01.png

High Availability Clusters

High availability clusters must use static IP addresses as the management interface. Since floating IP addresses are not supported in the public cloud, the app redirect rule must match for the management IP addresses of both firewalls as the destination. Use Any (not Internet) as the source to also enable connections from other clients in the virtual network.

BP_Azure_01a.png

Special Considerations for the VPN Service IKEv1 IPsec Listener

By default, the IPsec service listens on 0.0.0.0. This causes problems when used in combination with an app redirect rule because incoming traffic uses the host firewall and outgoing traffic is routed via the app redirect rule.

Step 1. Configure Client-to-Site or Site-to-Site IPsec VPN

Configure an IKEv1 client-to-site or site-to-site IPsec VPN.

For more information, see Client-to-Site VPN or Site-to-Site VPN.

Step 2. Disable the IPsec Dynamic IP Setting

This disables the 0.0.0.0 listener for the ike3 (IPsec IKEv1) daemon.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. In the left navigation bar, click IPSec.
  4. Disable Use IPSec dynamic IPs.
    disable_UseIPSecdynamicIPs.png
  5. Click  Send Changes and Activate.
Step 3. Verify the ike3 Listeners

Open the CONTROL > Resources page and double-click on the ike3 / Tina VPN process. Verify that the ike3 and Tina VPN processes are listening only on 127.0.0.9: UDP 500 and 4500.

BP_Azure03.png

Step 4. Create an App Redirect Access Rule

Create an app redirect access rule to forward incoming traffic to the ikev1 daemon listening on the loopback interface. For stand-alone firewalls, use DHCP as the destination. For HA clusters, use both the primary and secondary firewall management IP address as the destination.

BP_Azure_04.png

Restoring a PAYG CloudGen Firewall from a PAR File

Since the PAYG licenses are generated only on the first boot, extra care must be taken to not replace these licenses when using a PAR file to restore the configuration of another CloudGen Firewall.

Step 1. Create PAR File

On the source PAYG CloudGen Firewall, create a PAR file.

For more information, see How to Back Up and Restore Firewall, Secure Access Controller and Control Center Configurations or How to Create PAR or PCA Files on the Command Line.

Step 2. Export the PAYG License on a New Firewall VM

On the destination PAYG CloudGen Firewall, export the PAYG licenses to a file to be able to restore them later.

  1. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  2. Click Lock.
  3. Select the license in the Licenses list, click the export icon, and select Export to File.
    export_01.png
  4. Save the LIC file.
  5. Click Unlock.
Step 3. Restore from the PAR File

Restore the configuration from the PAR file. But before activating, replace the license with the license file exported in Step 2.

  1. Go to CONFIGURATION > Configuration Tree.
  2. Right-click on Box and select Restore from PAR File.
    export_02.png
  3. Select the PAR file. Upon completion, the Box Configuration restored pop-up window opens.
  4. Click OK.
  5. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  6. Delete all licenses in the Licenses list.
  7. Click + and select Import from File.
  8. Select the license file you exported in Step 2.
  9. Click OK and agree to the end user licensing agreement.
  10. Click Send Changes and Activate.
  11. Go to CONTROL > Box.
  12. If necessary, click Activate new network configuration and select Failsafe from the pop-up window.

You can now use the new PAYG image with the configuration included in the PAR file.