Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Best Practice - Azure Public Cloud

Configuring a Barracuda NextGen Firewall F-Series in the Azure cloud requires you to adapt setup procedures according to the requirements and restrictions of the cloud.

Use Automatically Filled Custom External Network Objects

The Barracuda NextGen Firewall F-Series automatically fills the custom external network objects with network information acquired from the Azure Cloud:

  • Custom external object number 1 contains the internal IP address.
  • Custom external object number 2 contains the internal network address.
  • Custom external object number 3 contains the external IP address.

For more information, see Custom External Network Objects.

Configuring Services on Barracuda NextGen Firewall F-Series HA Clusters in Azure

When using the Barracuda NextGen Firewall F-Series in an HA cluster, special consideration must be given to services running on the virtual server. Because the two HA units use different IP addresses (which cannot be transferred to the other unit during failover), all services must listen on the loopback interface. You must also create app redirect access rules with the Management IP network object as the destination.

See below for an example app redirect access rule for a NextGen F-Series Firewall HA cluster. Use Any (not Internet) as the source to also enable connections from other clients in the VNET:

BP_Azure01.png

Configuring Client-to-Site IPsec VPN on the NextGen Firewall F-Series in an HA Cluster in Azure

Configure the VPN service to listen on a 127.0.0.X address and create an app redirect access rule. Use Any as the source if you are using the Azure Connectivity Agent. Redirect both the IPsec-VPN and NGF-VPN network objects to the VPN service, because TCP port 691 is used by the Azure load balancer as the probing port. For more information, see How to Configure Azure Load Balancer for HA Clusters using PowerShell and ARM.

  • Configure a Client-to-Site IPsec VPN (with or without PSK). For more information, see Client-to-Site VPN.
  • Open the VPN Settings - Server Settings and, in the Advanced tab, change Use IPSec dynamic IPs to No.
    BP_Azure02.png
  • Verify that the ike3 and Tina VPN processes are not listening on port TCP/691 or UDP/500/4500 on the management IP address. This is necessary to ensure that the traffic is handled by the Forwarding Firewall service (and not the Host Firewall service). Open the CONTROL > Resources page and double-click the ike3 / Tina VPN process:
    BP_Azure03.png
    BP_Azure04.png
  • IPsec VPN clients can use only one IP address for the destination. The VIP/RIP of the cloud service must be used to access the VPN service. Two Azure load-balanced endpoints for UDP 500 and UDP 4500 (for ESPoUDP) must be created. Use TCP Port 691 as the probing port and set the probing interval to the shortest possible setting: 5 seconds.
  • Add the two load-balanced endpoints to both primary and secondary firewalls.
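The load-balanced endpoints described in the steps above can be created with the Az PowerShell module. The following script is an added example and is not part of the Barracuda article; it assumes an existing resource group, location and two firewall NICs whose names (`rg-ngf-ha`, `westeurope`, `ngf-primary-nic`, `ngf-secondary-nic`) are placeholders to replace with your own. It creates one public IP as the single VPN destination, a TCP/691 health probe with the 5-second interval the article calls for, one UDP 500 and one UDP 4500 rule, and adds both HA units to the backend pool.

```powershell
# Added example, not Barracuda's own code. Requires the Az.Network module and an
# authenticated session (Connect-AzAccount). All names below are assumptions.
$rg       = 'rg-ngf-ha'                                   # assumption: resource group
$location = 'westeurope'                                  # assumption: Azure region
$lbName   = 'lb-ngf-vpn'                                  # assumption: load balancer name
$nicNames = @('ngf-primary-nic', 'ngf-secondary-nic')     # assumption: NIC of each HA unit

# Static public IP: the single VIP that IPsec VPN clients use as their destination.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "$lbName-pip" `
    -Location $location -AllocationMethod Static -Sku Standard

$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'vpn-frontend' -PublicIpAddress $pip
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name 'ngf-ha-pool'

# Health probe on TCP 691 (the NGF-VPN port the firewall listens on via the
# app redirect rule). 5 seconds is the shortest interval; two failures mark a
# unit down, which matches the roughly 10-second failover delay in the article.
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-tcp-691' -Protocol Tcp `
    -Port 691 -IntervalInSeconds 5 -ProbeCount 2

# One rule per IPsec port: UDP 500 (IKE) and UDP 4500 (ESP over UDP), both
# tied to the same probe so traffic follows the active firewall.
$rules = foreach ($port in 500, 4500) {
    New-AzLoadBalancerRuleConfig -Name "udp-$port" -Protocol Udp `
        -FrontendPort $port -BackendPort $port `
        -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe
}

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name $lbName -Location $location `
    -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $pool `
    -Probe $probe -LoadBalancingRule $rules

# Add the primary and secondary firewall NICs to the backend pool so both units
# receive the two endpoints.
$poolRef = Get-AzLoadBalancerBackendAddressPoolConfig -LoadBalancer $lb -Name 'ngf-ha-pool'
foreach ($nicName in $nicNames) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($poolRef)
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# Check the result: probe port and interval, and the two UDP rules.
$lb = Get-AzLoadBalancer -ResourceGroupName $rg -Name $lbName
$lb.Probes | Select-Object Name, Protocol, Port, IntervalInSeconds, NumberOfProbes
$lb.LoadBalancingRules | Select-Object Name, Protocol, FrontendPort, BackendPort
```

A Standard SKU load balancer only forwards traffic that a network security group on the firewall subnet or NIC explicitly allows, so UDP 500 and 4500 from the client networks must be permitted there as well. The probe port stays TCP 691 even though the rules carry UDP, because the probe only needs a TCP listener that answers on the active unit.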

The failover of the virtual server is almost instantaneous. The Azure load balancer, however, takes about 10 seconds to redirect traffic to the secondary unit. This may cause existing client-to-site connections to be interrupted. No traffic can be transmitted through the Client-to-Site VPN tunnel during the failover process.

Restoring a PAYG NextGen Firewall F-Series from a PAR File

Since the PAYG licenses are generated only on the first boot, extra care must be taken to not replace these licenses when using a PAR file to restore the configuration of another NextGen Firewall F-Series.

Step 1. Create PAR File

On the source PAYG NextGen Firewall F-Series, create a PAR file.

For more information, see How to Back Up and Restore Your Systems or How to Create PAR or PCA Files on the Command Line.

Step 2. Export PAYG License

On the destination PAYG NextGen Firewall F-Series, export the PAYG licenses to a file to be able to restore them later.

  1. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  2. Click Lock.
  3. Select the license in the Licenses list, click the export icon, and select Export to File.
    export_01.png
  4. Save the lic file.
  5. Click Unlock.

Step 3. Restore from PAR

Restore the configuration from the PAR file, but before activating it, replace the license with the license file exported in Step 2.

  1. Go to CONFIGURATION > Configuration Tree.
  2. Right-click on Box and select Restore from PAR File.
    export_02.png
  3. Select the PAR file. Upon completion, the Box Configuration restored popup opens.
    export_03.png
  4. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  5. Delete all licenses in the Licenses list.
  6. Click + and select Import from File.
  7. Select the license file you exported in step 2.
  8. Click OK and agree to the end user licensing agreement.
  9. Click Send Changes and Activate.
  10. Go to CONTROL > Box.
  11. If necessary, click Activate new network configuration and select Failsafe from the popup.

You can now use the new PAYG image with the configuration included in the PAR file.
