It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Advanced Barracuda OS System Settings

  • Last updated on

This configuration instance addresses the seasoned Linux expert. Normally, there is no need to consult this file because the default settings have been chosen so as to comply with standard Barracuda CloudGen Firewall system requirements.

If you wish to use the Barracuda CloudGen Firewall system as a generic managed Linux platform, you may come up against situations where modifications might be desirable. You can also view this file to get an overview of the kernel relevant settings.

Configure Advanced System Settings

  1. Go to CONFIGURATION > Configuration Tree > Box Advanced Configuration > System Settings.
  2. Expand the Configuration Mode menu and select Switch to  Advanced View.
  3. Click Lock.
  4. Configure the the parameters as listed in the below Advanced System Settings section.
  5. Click OK
  6. Click Send Changes and Activate.

Advanced System Settings

The following settings are available for configuration:

IPv4 Settings

To specify IPv4 settings, select IPv4 Settings from the Configuration menu in the left navigation pane. You can specify the following settings: 

SectionSettingDescription
SMP Settings - Performance Tuning

Interface CPU Assignment

From this list, you can select the following settings:

  • Auto-Detect – Auto-detection of NIC/CPU interrupt handling. Depending on installed services, one of the settings below will be set.
  • Optimize for Firewall – Optimized setting for high firewall throughput.
  • Optimize for VPN – Optimized setting for high VPN throughput.
  • Optimize for Mixed VPN – Optimized setting for firewall as well as VPN throughput.
  • Interrupt Balancing – Operation mode for non-firewall and VPN throughput.
Receive Packet Steering

Depending on the processed traffic, enabling this setting gives you better overall throughput of the system.

Explicit Interface Assignment

In this table, specify an Interface Name and click OK. In the Explicit Interface Assignment window, specify the following settings:

  • Rx Interrupt CPUs - List of CPUs to be given the receive interrupt.
  • Copy Tx from Rx - If enabled, Rx values will be used for Tx values.
  • Tx Interrupt CPUs - List of CPUs to receive the transmit interrupt.
General IP SettingsTCP ECN Active

Enable this setting to reduce the TCP traffic when a router load is at a maximum and therefore packet loss is possible.

Do not activate this setting when using CloudGen Firewalls with proxy or mail gateway services configured. Non-Barracuda CloudGen Firewall systems and some application filters may not be able to handle the ECN header options. When such external systems fetch the TCP header flags, a two-bit mistake occurs because of the way that ECN options are implemented into the TCP header. As a result, the Barracuda CloudGen Firewall does not establish the connection because of the incorrectly answered SYN.

IP Dyn Address  Select only if you are experiencing problems with network connections using dynamic IP address allocation (ADSL, cable modem). If the forwarding interface changes socket (and packet) along with this parameter enabled, the source address while in SYN_SENT state gets rewritten ON RETRANSMISSIONS.
ARP Settings

To specify ARP settings, select ARP Settings from the Configuration menu in the left navigation pane. You can specify the following settings:

SettingDescription

ARP Src IP Announcement

Defines different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on an interface. This settings field uses the arp_announce setting, whose values have been translated by Barracuda Networks to any (internal value = 0), best (internal value = 1), and primary (internal value = 2). Note the following excerpt from the kernel documentation:

  • any – (internal value = 0) Use any local address, configured on any interface.
  • best – (internal value = 1, default) Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target costs reachable via this interface require the source IP address in ARP requests to be part of the logical network configured on the receiving interface. When the request is generated, subnets that include the target IP address are checked. The source addresses from these subnets are preserved. If there is no such subnet, the source address is selected according to the rules for the setting primary.
  • primary – (internal value = 2) Always use the best local address for this target. In this mode, the source address in the IP packet is ignored and a local address is preferred for talks with the target host. Such a local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found, the first local address on the outgoing interface or on all other interfaces is selected, with the hope that a reply is received for the request, sometimes regardless of the source IP address that is announced.

Increasing the restriction level increases the likelihood of receiving an answer from the resolved target while decreasing the level announces more valid sender's information and thus is prone to violating privacy requirements.

  • prefsrc – (internal value = 3) Use the local address returned from preferred source routing lookup for this target.
ARP Cache SizeThe maximum number of entries allowed in the ARP cache (default: 8192).
Routing Cache

Garbage collection is done regularly by the kernel. The entries shown here provide full access to all relevant kernel settings.

SectionSettingDescription
Routing Cache Settings Max Routing Cache Entries

Specifies the maximum number of entries in the kernel’s routing cache. On systems with a large number of sessions and routed IP addresses, this value may need to be increased.

Increasing this setting marginally increases memory consumption. On small systems, a value of 4096 is sufficient.

Garbage Collection

GC Elasticity 

Specified as integer log2 of an internal setting used to steer the sensitivity of the garbage collection algorithm. It is provided for completeness only. Changing it requires a thorough understanding of the GC algorithm to achieve the desired effect (default: 8, allowed values: 1, 2, 4, 8, 16, 32).

GC Interval [s] 

This setting is used by the kernel's regular GC loop and defines the loop time in seconds between two regular GC events (min: 1, max: 120, default: 60).

GC Min Interval [s]

The minimum time in seconds between two garbage collections (min: 1, max: 120, default: 60). This setting is provided because GC may either occur throughout a regular GC loop (see above) or may be triggered by a kernel event outside the regular loop. This setting warrants that in the latter case, GC is not to run too frequently.

Both settings above (GC Interval [s] and GC Min Interval [s]) may be decreased when the routing cache has a tendency of growing very quickly and running the risk of a cache overflow. However, frequent and unnecessary GC events may decrease the system performance.

GC Threshold

A threshold value of cache entries which is used to determine the necessity of garbage collection and to which extent (that is, how radical) entries must be removed (min: 1024, max: 65535, default: 8192).

This setting should always be significantly smaller than the maximum number of cache entries.

GC Timeout [s] 

Time in seconds after which an inactive routing cache entry is removed from the cache. Note that active entries may not be removed from the cache (min: 1, max: 300, default: 60).

Decreasing this value keeps the routing cache smaller. If the same routing entry is successively required in shorter intervals, a full routing lookup must be performed instead of a quick cache lookup.

I/O Settings 

The remaining block of configuration entries is special in so far as the IDE tuning option is only activated by rebooting the system. This prevents the user from repeatedly activating and deactivating this low-level setting on a running system. Doing so during full operation may freeze the operating system.

SettingDescription
I/O Tuning

Enable, if you wish to edit the maximum number of file handles and nodes that the OS kernel can handle.

I/O SchedulerFrom this list, you can select a specific Linux I/O scheduler or select the default scheduler (selected by Barracuda).

Open Files (max)

The maximum number of open file descriptors that the Barracuda CloudGen Firewall system is prepared to handle (min. 8192, max. 655536). It is recommended that you do not allot more than 256 files per 4 MB of RAM. Changing the default setting is unnecessary if you do not experience any problems.

CompactFlash

Flash settings will be ignored for all non-flash RAM-based systems.

To specify flash memory settings, select CompactFlash from the Configuration menu in the left navigation pane. You can specify the following settings: 

SectionSettingDescription

RAM Drive Settings

Size (in %) 

The percentage of the total available RAM to be used in the tmpfs RAM partition (default: 20). If, instead, you want to specify this value in MB, delete any settings from this field.

Size (in MB)

The size of the tmpfs RAM partition specified in MB. To enter a value in this field, you must clear any value from the Size (in %) field.

Log Settings

Size Settings 

In this table, you can specify the maximum size settings for all log file types. However, you may not need to edit these settings because they are adjusted automatically for certain systems. If you do choose to add or edit a table entry for a log file, specify the resource and the maximum size of the service log files for the resource.

Wrap Logfiles

Enable log cycling if required.

Enabling this feature may cause high memory consumption.

CompactFlash Settings 

Disable CompactFlash mode

To disable the system from starting in flash RAM mode, regardless of the storage architecture that the flash RAM auto detection recognizes, select y es .

Enabling this feature may cause hardware damage. Use with due care.

Force CompactFlash mode

To start the system in flash RAM mode, regardless of the storage architecture that the flash RAM auto detection recognizes, select yes.