Because many applications either are web-based or connect via SSL- or TLS-encrypted connections to servers on the Internet, they can be detected and then controlled as they pass through the Barracuda NextGen Firewall F-Series. If Application Control and SSL Interception are enabled in the Forwarding Firewall rule that handles the application traffic, the traffic is sent to the application ruleset and processed as follows:
- SSL-encrypted traffic is decrypted.
- Application rules are processed from top to bottom to determine if they match the traffic. If no rule matches, the default application policy is applied.
- If a matching application rule is found, the detected application is handled according to the rule settings. The application can be reported, or it can be restricted by time, bandwidth (QoS), user information, or content.
- SSL traffic is re-encrypted.
- The traffic is forwarded to its destination.
Application Ruleset and Application Control
Dedicated ruleset to detect and control application traffic. You can create rules to drop, throttle, prioritize, or report detected applications and sub-applications. Traffic patterns are compared to predefined application objects containing detection patterns to detect the latest applications. The application pattern database is updated as part of the Energize Updates subscription. You can also customize application definitions based on previously analyzed network traffic. To classify applications and threats, all application objects are categorized based on risk, bandwidth, or vulnerabilities.
For more information, see How to Enable Application Control.
Many applications transmit their data over connections encrypted with SSL or TLS. SSL Inspection intercepts and decrypts encrypted traffic to allow Application Control to detect and handle embedded features or sub-applications of the main application. For example, you can create a policy that permits the general usage of Facebook, but forbids Facebook chat. If you choose not to enable SSL Inspection, the main applications can still be detected, but the firewall is not able to differentiate between individual features, such as Facebook chat or Facebook games.
For more information, see How to Configure SSL Interception in the Firewall.
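The following added example is a simplified model of the processing described above, not Barracuda's implementation: rules are evaluated top to bottom with a default policy, and the sub-application rule can only match when SSL Inspection exposes the decrypted request. The rule names, the `/chat` path pattern, and the `Flow` and `AppRule` types are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    sni: str               # server name, visible in the TLS handshake
    path: Optional[str]    # request path, visible only after decryption

@dataclass(frozen=True)
class AppRule:
    name: str
    host_suffix: str
    path_prefix: Optional[str]   # None = rule matches the main application
    action: str

# Constructed ruleset: permit Facebook in general, forbid the chat feature.
# Order matters: the more specific sub-application rule must come first.
RULES = [
    AppRule("facebook-chat", "facebook.com", "/chat", "block"),
    AppRule("facebook", "facebook.com", None, "allow"),
]
DEFAULT_POLICY = "allow"

def observe(sni, path, ssl_inspection):
    """What the firewall can see: the path is hidden unless traffic is decrypted."""
    return Flow(sni, path if ssl_inspection else None)

def evaluate(flow, rules=RULES, default=DEFAULT_POLICY):
    """First matching rule wins; the default policy applies if none match."""
    for rule in rules:
        host_ok = (flow.sni == rule.host_suffix
                   or flow.sni.endswith("." + rule.host_suffix))
        if not host_ok:
            continue
        if rule.path_prefix is None:
            return rule.name, rule.action
        # Sub-application rules need decrypted content to match.
        if flow.path is not None and flow.path.startswith(rule.path_prefix):
            return rule.name, rule.action
    return "default", default
```

With SSL Inspection off, the chat request falls through to the general `facebook` rule and is allowed, which is the loss of granularity the text describes.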
Websites accessed by users are categorized based on the URL category database. Depending on the policy assigned to the URL category, the website can then be allowed, blocked, or allowed temporarily. You can create either a whitelist (blocking everything except for selected sites) or a blacklist (blocking known unwanted content). If a site is not in the URL database, you can define a custom URL policy for it. The URL Filter can only filter based on the URL of the website. It does not offer more granular control over subsections of a website.
For more information, see URL Filtering in the Firewall.
HTTP(S), FTP and SMTP(S) traffic can be transparently scanned for malicious content as the traffic passes through the firewall. The Virus Scanner service includes two virus scanning engines: Avira and ClamAV. If a user downloads a file containing malware, the F-Series Firewall detects and discards the infected file and then redirects the user to a warning page. You can use the Avira and/or the ClamAV antivirus engines and specify the MIME types of all files that are to be scanned.
For more information, see Virus Scanning and ATP in the Firewall.
Advanced Threat Protection (ATP)
Barracuda Advanced Threat Protection secures your network against zero-day exploits and other malware not recognized by the IPS or Virus Scanner. You can choose between two policies: either scan files after the user has downloaded them and quarantine the user if a file is perceived to be a threat, or scan the file first and let the user download it only after it is known to be safe.
File Content Scan
Filter files transmitted via HTTP(S), FTP, or SMTP(S), depending on their file type, name, or MIME type.
For more information, see File Content Filtering in the Firewall.
Check the source IP address of incoming SMTP(S) connections against a DNSBL and modify the header and subject of the email if the sender is listed in the DNSBL.
For more information, see Mail Security in the Firewall.
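The following added example shows how a DNSBL check of this kind works in general; it is not the firewall's own code. The zone `dnsbl.example`, the `X-DNSBL-Listed` header, the `[SPAM]` subject tag, and the sample resolver answers are constructed assumptions.

```python
import ipaddress
import socket
from email.message import EmailMessage

def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed address labels + DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # nibbles, reversed
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    # A listed address answers with a record in 127.0.0.0/8; no answer = not listed.
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def tag_if_listed(msg, source_ip, zone, resolve=system_resolver):
    """Modify header and subject when the connecting source IP is listed."""
    if not is_listed(source_ip, zone, resolve):
        return False
    msg["X-DNSBL-Listed"] = f"{source_ip} listed in {zone}"  # hypothetical header
    subject = msg["Subject"] or ""
    del msg["Subject"]                      # EmailMessage allows only one Subject
    msg["Subject"] = "[SPAM] " + subject    # hypothetical subject tag
    return True

# Constructed sample data: a fake resolver so the example runs offline.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_ANSWERS = {"2.113.0.203.dnsbl.example": "127.0.0.2"}

def demo(source_ip):
    msg = EmailMessage()
    msg["Subject"] = "Quarterly invoice"
    tag_if_listed(msg, source_ip, SAMPLE_ZONE, SAMPLE_ANSWERS.get)
    return msg["Subject"], msg["X-DNSBL-Listed"]
```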
Safe Search and YouTube for Schools
Enforce Safe Search on Google, Bing, Yahoo, and YouTube. Only allow access to the YouTube for Schools channel connected with the YouTube for Schools token supplied by YouTube.
For more information, see How to Enforce Safe Search in the Firewall and How to Enforce YouTube for Schools in the Firewall.
Block all Google accounts (personal and G Suite) except for accounts in the whitelisted G Suite domains.
For more information, see How to Configure Google Accounts Filtering in the Firewall.
Application Control with HTTP Proxies
You can use Application Control in combination with HTTP(S) proxies. Depending on the configuration and type of proxy service, the detection of sub-applications may not be available.
For more information, see Using Application Control Features with HTTP(S) Proxies.