The Dynamic page provides information about dynamic processes within the firewall rule set. During normal operation, there are three main things that happen dynamically: the counting of protected IPs, redirection, and dynamic rule activation. To access the Dynamic page, open the FIREWALL tab, expand the ribbon bar at the top, and click the Dynamic icon. To refresh the displayed information, click Refresh on the top right of the window.
The Dynamic page arranges information into the following tabs.
The Dynamic Rules tab provides information about the use of dynamic rules and Hostname network objects (see: Hostname (DNS Resolvable) Network Objects).
In the upper section of the tab, data regarding the use of dynamic rules is arranged in the following columns:
- Rule – Icon representing the rule status (inactive - cross; active - green square) and the name of the dynamic rule. This column also displays the username when set.
- Status – The current state of the rule (Disabled - inactive; Enabled - active).
- Expires – Interval until the current state expires.
- Expire Action – Action taken as soon as the dynamic activation expires.
In the lower section of the tab, data regarding Hostname network objects is arranged in the following columns:
- Index – Iterative ID of the network object. The index number is determined by the combination of the Max. DNS Entries value (see General Firewall Configuration) and the percentage distribution of DNS queries allowed for network objects in use by the local and Forwarding Firewall rule sets. Index numbers start with 0 for network objects used by the Forwarding Firewall. The initial index number for network objects used in the local firewall is 75% of the Max. DNS Entries value - that is, 384 with the default of 512 Max. DNS Entries configured.
- DNS Name – The DNS resolvable hostname configured in the network object.
- Status – The current state of the network object. The following states are available: New, Pending, Resolved.
- Addresses – The result of the DNS query.
- Last Update – Time that has passed since the currently active DNS entry was last retrieved by the Barracuda NextGen Firewall F-Series.
- Lifetime – Lifetime that is configured in the network object.
To manually update the DNS resolution of currently used network objects, select one or multiple list entries, then right-click and click Refresh selected DNS entries in the context menu.
The Protected IPs tab provides information concerning the number of active IP addresses (so-called protected IP addresses) for virtual Barracuda NextGen Firewall F-Series appliances.
Virtual Barracuda Firewall licenses are classified by the number of protected IP addresses. Verify that the actual number of protected IP addresses does not exceed the licensed number of protected IP addresses for your Vx model.
On the Protected IPs page, the following columns are available:
- ID – Icon representing the protected IP status and an iterative ID number.
- Status – Status of each protected IP address (licensed or obsolete).
- Last – Time expired since the IP address was last counted.
- Address – Address of the protected IP address.
- App Detect – Windows Application Detection.
Every hour, the list of protected IP addresses is checked to verify whether the IP addresses are still in use; inactive addresses are marked as obsolete. Every 30 minutes, obsolete IP addresses are removed from the list of protected IP addresses. Because these two tasks are not synchronized, a protected IP address may be considered active for as long as 90 minutes after its last active connection.
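The following timing model illustrates the two unsynchronized tasks described above and why the worst case is 90 minutes. It is an added example, not Barracuda code; it assumes the hourly check marks an IP obsolete when it has no active connection at check time, that the 30-minute sweep removes every entry already marked, and that both tasks fire at independent phase offsets.

```python
"""Timing model of the protected-IP aging described above (added illustration, not Barracuda
code). Assumptions: the hourly check marks an IP obsolete when it has no active connection at
check time, the 30-minute sweep removes every entry already marked, and the two tasks fire at
independent phase offsets, which is what yields the 90-minute worst case. Times in minutes."""
import math
from typing import Optional

CHECK_PERIOD = 60   # "every hour" the list is checked for IPs still in use
SWEEP_PERIOD = 30   # "every 30 minutes" obsolete entries are removed


def next_fire(after: float, period: float, offset: float) -> float:
    """Earliest firing time strictly after `after` for a periodic task with the given phase."""
    k = math.floor((after - offset) / period) + 1
    return offset + k * period


def status_at(now: float, last_seen: float, check_offset: float, sweep_offset: float) -> Optional[str]:
    """Status column for an IP whose last connection ended at `last_seen`:
    'licensed' while still counted, 'obsolete' once the check flagged it, None after the sweep."""
    marked = next_fire(last_seen, CHECK_PERIOD, check_offset)   # check finds no active connection
    removed = next_fire(marked, SWEEP_PERIOD, sweep_offset)     # first sweep after the marking
    if now < marked:
        return "licensed"
    if now < removed:
        return "obsolete"
    return None


def residency_minutes(last_seen: float, check_offset: float, sweep_offset: float) -> float:
    """Minutes the IP stays listed (and counts toward the Vx license) after its last connection."""
    marked = next_fire(last_seen, CHECK_PERIOD, check_offset)
    return next_fire(marked, SWEEP_PERIOD, sweep_offset) - last_seen


def residency_bounds() -> tuple[float, float]:
    """Best and worst case over every whole-minute phase offset of the two tasks."""
    samples = [residency_minutes(0.0, c, s) for c in range(CHECK_PERIOD) for s in range(SWEEP_PERIOD)]
    return min(samples), max(samples)


def counted_ips(now: float, last_seen_by_ip: dict[str, float], check_offset: float, sweep_offset: float) -> int:
    """Entries still on the list at `now`, i.e. the figure to compare with the licensed count."""
    return sum(1 for ls in last_seen_by_ip.values() if status_at(now, ls, check_offset, sweep_offset) is not None)


if __name__ == "__main__":
    lo, hi = residency_bounds()
    print(f"an idle IP stays listed for {lo:.0f} to {hi:.0f} minutes")
    # constructed sample: three hosts whose last connection closed at minutes 5, 59 and 61
    idle = {"10.0.0.11": 5.0, "10.0.0.12": 59.0, "10.0.0.13": 61.0}
    print("still counted at minute 95:", counted_ips(95.0, idle, 0.0, 0.0))
```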
The Dynamic Services tab provides information about protected IP addresses and is used in conjunction with ONCRPC (see: Firewall Plugin Modules). The following columns are available:
- Used Address – IP address of the service used.
- Proto – The protocol.
- Port – Port of the service used.
- Service Name – Name of the service used.
- Service Desc – Service description, if entered.
- Target Address – Target IP address of the service.
- Expires – The expiration date.
- Used – Information on usage.
- Updated – Update information.
- Source Address – The source IP address.
- Source Mask – The source netmask.
The firewall monitors the destination IP addresses used by Dst NAT access rules. Depending on their availability and on the redirection policy (cycle or fallback), the firewall decides which destination IP address the traffic is forwarded to. The state of the destination IP addresses per rule is displayed using the following columns:
- Rule – Name of the rule.
- Address – The target address.
- Used – Number of connection requests redirected to the target address.
- Unreachable Since – Time since the target has been unavailable.
- Last Retry – Time since last retry.
- Count Retry – Number of retries since the target was marked unavailable.
- Bad Port – The unreachable port. Relevant when the rule depends on more than one critical port.
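The redirection state behind these columns can be modelled as follows. This is an added example, not Barracuda code, and its policy semantics are assumptions: "fallback" prefers the first reachable target in configured order, "cycle" spreads connections over the reachable targets (least used first), and an unavailable target is re-probed no more often than the assumed RETRY_INTERVAL until every critical port answers again.

```python
"""Model of the Dst NAT redirection state shown in the columns above (added illustration, not
Barracuda code). Assumed semantics: "fallback" prefers the first reachable target in configured
order, "cycle" spreads load over reachable targets (least used first); probing is injected."""
from dataclasses import dataclass
from typing import Callable, Optional

RETRY_INTERVAL = 10.0  # seconds between retries of an unavailable target (assumed value)

@dataclass
class Target:
    address: str                                # "Address" column
    critical_ports: tuple[int, ...]             # ports the rule depends on
    used: int = 0                               # "Used": requests redirected here
    unreachable_since: Optional[float] = None   # "Unreachable Since"; None while reachable
    last_retry: Optional[float] = None          # "Last Retry"
    count_retry: int = 0                        # "Count Retry" since marked unavailable
    bad_port: Optional[int] = None              # "Bad Port": first critical port that failed

@dataclass
class DstNatRule:
    policy: str                                 # "cycle" or "fallback"
    targets: list[Target]

    def _check(self, t: Target, now: float, probe: Callable[[str, int], bool]) -> None:
        # Unavailable targets are only re-probed once the retry interval has elapsed.
        if t.unreachable_since is not None:
            if now - t.last_retry < RETRY_INTERVAL:
                return
            t.last_retry, t.count_retry = now, t.count_retry + 1
        failed = next((p for p in t.critical_ports if not probe(t.address, p)), None)
        if failed is None:                      # every critical port answered: back in service
            t.unreachable_since = t.last_retry = t.bad_port = None
            t.count_retry = 0
        else:
            if t.unreachable_since is None:     # first failure: start the outage clock
                t.unreachable_since = t.last_retry = now
            t.bad_port = failed

    def select(self, now: float, probe: Callable[[str, int], bool]) -> Optional[str]:
        # Destination for a new connection, or None when no target is reachable.
        for t in self.targets:
            self._check(t, now, probe)
        live = [t for t in self.targets if t.unreachable_since is None]
        if not live:
            return None
        chosen = live[0] if self.policy == "fallback" else min(live, key=lambda t: t.used)
        chosen.used += 1
        return chosen.address

def make_probe(down: set[tuple[str, int]]) -> Callable[[str, int], bool]:
    return lambda address, port: (address, port) not in down  # constructed stand-in for the real check
```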
- Call-ID – The Call-ID belonging to this media connection.
- Start – The duration of the call.
- Status – The status column indicates the call's state. The following markers exist:
  - Init – The call has just arrived.
  - Setup – Connection establishment is just taking place.
  - Established – The call has been established.
  - Teardown – The call is about to be terminated.
  - Terminated – The call has been terminated. (The call is not deleted from the table immediately after termination. It stays visible until no further media connections or SIP transactions related to it exist.)
- Srv Name – The name of the dynamic service, which is used for RTP rule lookup.
- SYNC – The sync status.
The lower section provides an overview of all RTP media connections (audio/video data streaming) and RTCP connections (quality feedback and media signalling). Usage of RTCP is optional. If RTCP is not used during a media connection, the entry for the RTCP connection disappears after the balanced timeout of the service has expired. Media connections and calls are linked through the Call-ID.
The Bridging ARPs tab provides information about connections that have been established over bridging interfaces (see: Bridging).
- MAC – The MAC address of the external interface that has established a connection to the bridging interface.
- Interface – The bridging interface through which the connection has been established.
- Group – The name of the bridged interface group the interface belongs to.
- IPs – The IP addresses recorded here belong to the MAC address displayed in the first column.
- Type – The IP addresses bound to a MAC address are dynamic if they have been learned dynamically through proxy ARPing. The type is static if the MAC/IP combination documented through the other columns has been configured statically through the parameter Static Bridge MAC.
- Timer – The connection timer.
Right-clicking a selected entry makes the following actions available in a context menu:
- Remove Selected MACs – Deletes the selected MAC address(es) from the list.
- Remove IPs from Selected MAC – Deletes IP addresses from a specific MAC that have been saved during a bridged connection establishment, without removing the MAC address itself from the list.