How to Configure Advanced Barracuda OS System Settings

Last updated on 2020-04-23 04:21:21

This configuration instance addresses the seasoned Linux expert. Normally, there is no need to consult this file because the default settings have been chosen so as to comply with standard Barracuda CloudGen Firewall system requirements.

If you wish to use the Barracuda CloudGen Firewall system as a generic managed Linux platform, you may come up against situations where modifications might be desirable. You can also view this file to get an overview of the kernel relevant settings.

Configure Advanced System Settings

Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > System Settings.
Expand the Configuration Mode menu and select Switch to Advanced View.
Click Lock.
Configure the the parameters as listed in the below Advanced System Settings section.
Click OK.
Click Send Changes and Activate.

Advanced System Settings

The following settings are available for configuration:

IPv4 Settings

To specify IPv4 settings, select IPv4 Settings from the Configuration menu in the left navigation pane. You can specify the following settings:

Section	Setting	Description
SMP Settings - Performance Tuning	Interface CPU Assignment	From this list, you can select the following settings: Auto-Detect – Auto-detection of NIC/CPU interrupt handling. Depending on installed services, one of the settings below will be set. Optimize for Firewall – Optimized setting for high firewall throughput. Optimize for VPN – Optimized setting for high VPN throughput. Optimize for Mixed VPN – Optimized setting for firewall as well as VPN throughput. Interrupt Balancing – Operation mode for non-firewall and VPN throughput.
	Receive Packet Steering	Depending on the processed traffic, enabling this setting gives you better overall throughput of the system.
	Explicit Interface Assignment	In this table, specify an Interface Name and click OK. In the Explicit Interface Assignment window, specify the following settings: Rx Interrupt CPUs - List of CPUs to be given the receive interrupt. Copy Tx from Rx - If enabled, Rx values will be used for Tx values. Tx Interrupt CPUs - List of CPUs to receive the transmit interrupt.
General IP Settings	TCP ECN Active	Enable this setting to reduce the TCP traffic when a router load is at a maximum and therefore packet loss is possible. Do not activate this setting when using CloudGen Firewalls with proxy or mail gateway services configured. Non-Barracuda CloudGen Firewall systems and some application filters may not be able to handle the ECN header options. When such external systems fetch the TCP header flags, a two-bit mistake occurs because of the way that ECN options are implemented into the TCP header. As a result, the Barracuda CloudGen Firewall does not establish the connection because of the incorrectly answered SYN.
General IP Settings	IP Dyn Address	Select only if you are experiencing problems with network connections using dynamic IP address allocation (ADSL, cable modem). If the forwarding interface changes socket (and packet) along with this parameter enabled, the source address while in SYN_SENT state gets rewritten ON RETRANSMISSIONS.

ARP Settings

To specify ARP settings, select ARP Settings from the Configuration menu in the left navigation pane. You can specify the following settings:

Setting	Description
ARP Src IP Announcement	Defines different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on an interface. This settings field uses the arp_announce setting, whose values have been translated by Barracuda Networks to any (internal value = 0), best (internal value = 1), and primary (internal value = 2). Note the following excerpt from the kernel documentation: any – (internal value = 0) Use any local address, configured on any interface. best – (internal value = 1, default) Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target costs reachable via this interface require the source IP address in ARP requests to be part of the logical network configured on the receiving interface. When the request is generated, subnets that include the target IP address are checked. The source addresses from these subnets are preserved. If there is no such subnet, the source address is selected according to the rules for the setting primary. primary – (internal value = 2) Always use the best local address for this target. In this mode, the source address in the IP packet is ignored and a local address is preferred for talks with the target host. Such a local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found, the first local address on the outgoing interface or on all other interfaces is selected, with the hope that a reply is received for the request, sometimes regardless of the source IP address that is announced. Increasing the restriction level increases the likelihood of receiving an answer from the resolved target while decreasing the level announces more valid sender's information and thus is prone to violating privacy requirements. prefsrc – (internal value = 3) Use the local address returned from preferred source routing lookup for this target.
ARP Cache Size	The maximum number of entries allowed in the ARP cache (default: 8192).

Setting

Description

ARP Src IP Announcement

Defines different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on an interface. This settings field uses the arp_announce setting, whose values have been translated by Barracuda Networks to any (internal value = 0), best (internal value = 1), and primary (internal value = 2). Note the following excerpt from the kernel documentation:

any – (internal value = 0) Use any local address, configured on any interface.
best – (internal value = 1, default) Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target costs reachable via this interface require the source IP address in ARP requests to be part of the logical network configured on the receiving interface. When the request is generated, subnets that include the target IP address are checked. The source addresses from these subnets are preserved. If there is no such subnet, the source address is selected according to the rules for the setting primary.
primary – (internal value = 2) Always use the best local address for this target. In this mode, the source address in the IP packet is ignored and a local address is preferred for talks with the target host. Such a local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found, the first local address on the outgoing interface or on all other interfaces is selected, with the hope that a reply is received for the request, sometimes regardless of the source IP address that is announced.

Increasing the restriction level increases the likelihood of receiving an answer from the resolved target while decreasing the level announces more valid sender's information and thus is prone to violating privacy requirements.

prefsrc – (internal value = 3) Use the local address returned from preferred source routing lookup for this target.

ARP Cache Size

The maximum number of entries allowed in the ARP cache (default: 8192).

Routing Cache

Garbage collection is done regularly by the kernel. The entries shown here provide full access to all relevant kernel settings.

Section	Setting	Description
Routing Cache Settings	Max Routing Cache Entries	Specifies the maximum number of entries in the kernel’s routing cache. On systems with a large number of sessions and routed IP addresses, this value may need to be increased. Increasing this setting marginally increases memory consumption. On small systems, a value of 4096 is sufficient.
Garbage Collection	GC Elasticity	Specified as integer log2 of an internal setting used to steer the sensitivity of the garbage collection algorithm. It is provided for completeness only. Changing it requires a thorough understanding of the GC algorithm to achieve the desired effect (default: 8, allowed values: 1, 2, 4, 8, 16, 32).
	GC Interval [s]	This setting is used by the kernel's regular GC loop and defines the loop time in seconds between two regular GC events (min: 1, max: 120, default: 60).
	GC Min Interval [s]	The minimum time in seconds between two garbage collections (min: 1, max: 120, default: 60). This setting is provided because GC may either occur throughout a regular GC loop (see above) or may be triggered by a kernel event outside the regular loop. This setting warrants that in the latter case, GC is not to run too frequently. Both settings above (GC Interval [s] and GC Min Interval [s]) may be decreased when the routing cache has a tendency of growing very quickly and running the risk of a cache overflow. However, frequent and unnecessary GC events may decrease the system performance.
	GC Threshold	A threshold value of cache entries which is used to determine the necessity of garbage collection and to which extent (that is, how radical) entries must be removed (min: 1024, max: 65535, default: 8192). This setting should always be significantly smaller than the maximum number of cache entries.
	GC Timeout [s]	Time in seconds after which an inactive routing cache entry is removed from the cache. Note that active entries may not be removed from the cache (min: 1, max: 300, default: 60). Decreasing this value keeps the routing cache smaller. If the same routing entry is successively required in shorter intervals, a full routing lookup must be performed instead of a quick cache lookup.

I/O Settings

The remaining block of configuration entries is special in so far as the IDE tuning option is only activated by rebooting the system. This prevents the user from repeatedly activating and deactivating this low-level setting on a running system. Doing so during full operation may freeze the operating system.

Setting	Description
I/O Tuning	Enable, if you wish to edit the maximum number of file handles and nodes that the OS kernel can handle.
I/O Scheduler	From this list, you can select a specific Linux I/O scheduler or select the default scheduler (selected by Barracuda).
Open Files (max)	The maximum number of open file descriptors that the Barracuda CloudGen Firewall system is prepared to handle (min. 8192, max. 655536). It is recommended that you do not allot more than 256 files per 4 MB of RAM. Changing the default setting is unnecessary if you do not experience any problems.

CompactFlash

Flash settings will be ignored for all non-flash RAM-based systems.

To specify flash memory settings, select CompactFlash from the Configuration menu in the left navigation pane. You can specify the following settings:

Section	Setting	Description
RAM Drive Settings	Size (in %)	The percentage of the total available RAM to be used in the tmpfs RAM partition (default: 20). If, instead, you want to specify this value in MB, delete any settings from this field.
RAM Drive Settings	Size (in MB)	The size of the tmpfs RAM partition specified in MB. To enter a value in this field, you must clear any value from the Size (in %) field.
Log Settings	Size Settings	In this table, you can specify the maximum size settings for all log file types. However, you may not need to edit these settings because they are adjusted automatically for certain systems. If you do choose to add or edit a table entry for a log file, specify the resource and the maximum size of the service log files for the resource.
Log Settings	Wrap Logfiles	Enable log cycling if required. Enabling this feature may cause high memory consumption.
CompactFlash Settings	Disable CompactFlash mode	To disable the system from starting in flash RAM mode, regardless of the storage architecture that the flash RAM auto detection recognizes, select y es . Enabling this feature may cause hardware damage. Use with due care.
CompactFlash Settings	Force CompactFlash mode	To start the system in flash RAM mode, regardless of the storage architecture that the flash RAM auto detection recognizes, select yes.