Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

FW Audit

FW audit is a strictly chronological log of all sessions and events on your Barracuda NG Firewall. Information written to this log may contain:

  • Traffic – Forward, Local In, Local Out, and Loopback traffic
  • Events – Allowed, Blocked, Dropped, Failed and Removed events
  • ARP
  • IPS Hits

This data can be stored and viewed locally and/or centrally on the Barracuda NG Control Center depending on the audit delivery method configured on the NG Firewall:

  • Local-DB – Store audit log data locally in a database.
  • Forward-Only – Forward audit logs to an Audit Collector service on the NG Control Center.
  • Local-DB-And-Forward (default) – Store data in a local database and simultaneously send it to the NG Control Center.
  • Send-IPFIX – Send audit logs via IPFIX exporter.
  • Forward-and-Send-IPFIX – Forward audit logs to the NG Control Center and simultaneously send them via IPFIX exporter.
  • Regular-Log-File – Write audit log to an ASCII log file.
  • Syslog-Proxy – Generate syslog messages.
  • Executable – Feed into a custom executable via STDIN.
  • Send-UDP-Packet – Send a plain UDP stream.

Audit log viewers on both the NG Firewall and NG Control Center allow you to view the collected data either as plain log files in Log File mode, or similar to the Firewall Live view in Accumulated Event view.

Limitations
  • IPS port scan information displayed on the Firewall > Threat Scan page is not included in the audit logs.
  • Keep in mind that the NG Control Center has to receive and write data from a large number of NG Firewalls, each of which may be capable of handling thousands of sessions. Accessing or writing large FW Audit data sets in the relational database is very CPU- and IO-intensive. Make use of the granular configuration options to limit the amount of data included in the audit log.
  • The FW Audit Log Service does not synchronize audit data within an HA cluster. For the CC Audit Info viewer and for the FW Audit Info collector, the service may run on the backup box to collect new data. In case of a failover to the backup box, new audit data is stored on the backup box, and this data must be queried on the backup box.

Step 1. Enable FW Audit on NG Firewall

You must enable the audit log and choose where it is sent and/or stored. Repeat these steps for every NG Firewall that should send audit logs to the NG Control Center.

  1. Go to YOUR NG FIREWALL > Infrastructure Services > General Firewall Configuration.
  2. In the Configuration Mode section of the left menu, click Switch to Advanced View.
  3. In the left menu, click Audit and Reporting.
  4. Click Lock.
  5. In the Log Policy section, click Edit next to Audit Log Data. The Audit Log Data window opens.
  6. Select the Audit Delivery method. For example, select Local-DB-And-Forward to send audit logs to an NG Control Center while also storing them locally.
  7. Depending on the delivery method, you may have to configure additional settings.
    For the default Local-DB-And-Forward and Forward-Only delivery methods, configure the following:
    • Send to IP Address – Enter the IP address of the NG Control Center.  
    • Sent to Port – Enter 680. This is the listening port of the CC Audit Service on the NG Control Center. 
  8. In the Recorded Conditions section, select the types of data to include in the audit log.
  9. In the Log File Rotation and Removal section, configure the retention period of the audit logs (default: 3 days).
  10. Click OK.
  11. Click Send Changes and Activate.

Step 2. Create CC Audit Service on NG Control Center

  1. Log into the box level of your NG Control Center.
  2. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services.
  3. Right-click on Assigned Services and click Create Service. The Wizard window opens.
  4. Enter the Service Name.
  5. Select CC FW Audit Log Service from the Software Module list. 
  6. Click OK.
  7. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > CC-Audit-Service > Central Firewall Audit.
  8. Click Lock.
  9. (optional) To receive audit logs from unmanaged NG Firewalls, add the public keys of the box certificate to the Explicit Box Keys list. 
  10. (optional) For large deployments, select Multiple Box Handler from the Box Handler Method dropdown.
  11. Click Send Changes and Activate.

The NG Control Center will now receive and store all audit log data sent by NG Firewalls using the Forward-Only and Local-DB-And-Forward delivery methods.

Local FW Audit Viewer on the NG Firewall

To view the audit log directly on the NG Firewall, you must use the Local-DB delivery method. Go to FIREWALL > Audit Log to view the audit log.

FW Audit Info Viewer on the NG Control Center

To view audit log data on the NG Control Center, you must use the Forward-Only or Local-DB-And-Forward delivery methods. Only selected NG Firewalls (green check mark) are included in the FW Audit log viewer. In the left menu, double-click on the NG Firewall to add the unit's audit log to the viewer.
