Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.



The Barracuda NextGen Firewall F-Series comes with two firewall services, one for handling local inbound/outbound traffic and the other for handling all forwarding traffic. The Host Firewall service runs on the box layer and cannot be removed. The Forwarding Firewall service can be added once on every F-Series Firewall.


The Host and Forwarding Firewall can handle only IP protocols. Non-IP traffic (such as Spanning Tree Protocol or IPX/SPX) is not forwarded.

Forwarding Firewall

The Forwarding Firewall handles all traffic whose destination does not match a listening socket on the firewall. You can create one (forwarding) Firewall service on each F-Series Firewall. This service listens on all IP addresses configured for the virtual server and is responsible for all connections that must be transferred over the firewall to a remote host. The firewall rules for the Forwarding Firewall are maintained in the forwarding ruleset. The Forwarding Firewall is tightly integrated with Application Control, Virus Scanners, Advanced Threat Protection (ATP), Intrusion Prevention System (IPS), and the URL Filter. Examples of connections that use the Forwarding Firewall are:

  • A web browser that connects to an external web server without using the HTTP Proxy service.
  • The administrator pings an external Linux server.
  • Incoming and outgoing traffic coming out of a VPN tunnel.

For more information, see Forwarding Firewall.

Host Firewall

There is one Host Firewall service running on the box layer of every F-Series Firewall and Control Center. Host Firewall rules are applied to connections where the target IP address and port number match a listening socket of a service on the firewall. The boxfw service manages this ruleset and additional traffic handlers such as SIP, RPC, Timer, Audit, and Sync. Restarting the boxfw service reinitializes the service handlers and reloads the ruleset. The boxfw service is always running. You can have only one Host Firewall on a system. Examples of connections that are handled by the Host Firewall are: 

  • An incoming connection from a web browser to the HTTP Proxy service.
  • An outgoing connection from the HTTP Proxy service running on the firewall to a web server on the Internet.
  • Outgoing and incoming VPN traffic from the VPN service to the tunnel endpoint.
  • Outgoing NTP or DNS queries.

For more information, see Host Firewall.
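When reviewing rules or troubleshooting a blocked connection, the first question is which of the two rulesets the traffic is evaluated against. The following is an added example, not Barracuda code: a simplified Python model of the split described above. The addresses, ports, and the names `Packet` and `responsible_firewall` are constructed for illustration, and treating traffic that originates from the firewall's own IP addresses as Host Firewall traffic is an assumption drawn from the examples listed on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample values (documentation address ranges), not product defaults.
FIREWALL_IPS = {ip_address("10.0.0.1"), ip_address("192.0.2.1")}
# Listening sockets of services running on the firewall: (ip, protocol, port).
LISTENING_SOCKETS = {
    (ip_address("10.0.0.1"), "tcp", 3128),  # HTTP Proxy service (constructed)
    (ip_address("192.0.2.1"), "udp", 691),  # VPN service (constructed)
}
IP_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", or non-IP such as "stp"
    dport: Optional[int] = None  # None for protocols without ports


def responsible_firewall(pkt: Packet) -> str:
    """Return which firewall service evaluates the packet in this model."""
    if pkt.proto not in IP_PROTOCOLS:
        return "not forwarded"   # non-IP traffic (STP, IPX/SPX) is not handled
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if (dst, pkt.proto, pkt.dport) in LISTENING_SOCKETS:
        return "host"            # destination is a service on the firewall
    if src in FIREWALL_IPS:
        return "host"            # assumption: sent by a local service
    return "forwarding"          # everything else passes through the firewall


if __name__ == "__main__":
    samples = {
        "browser -> external web server": Packet("10.0.0.50", "203.0.113.80", "tcp", 443),
        "admin pings external server": Packet("10.0.0.50", "203.0.113.22", "icmp"),
        "traffic leaving a VPN tunnel": Packet("10.8.0.5", "10.0.0.60", "tcp", 22),
        "browser -> HTTP Proxy": Packet("10.0.0.50", "10.0.0.1", "tcp", 3128),
        "HTTP Proxy -> web server": Packet("192.0.2.1", "203.0.113.80", "tcp", 80),
        "VPN peer -> VPN service": Packet("198.51.100.7", "192.0.2.1", "udp", 691),
        "NTP query from the firewall": Packet("192.0.2.1", "198.51.100.123", "udp", 123),
        "firewall IP, no listener on port": Packet("10.0.0.50", "10.0.0.1", "tcp", 8080),
        "spanning tree frame": Packet("-", "-", "stp"),
    }
    for name, pkt in samples.items():
        print(f"{name:34} {responsible_firewall(pkt)}")
```

In this model the same VPN session appears in both rulesets: the encapsulated packets addressed to the VPN service are Host Firewall traffic, while the packets that leave the tunnel for a remote host are Forwarding Firewall traffic.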
