Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Dynamic Page


The Dynamic page provides information about dynamic processes within the firewall rule set. During normal operation, there are three main things that happen dynamically: the counting of protected IPs, redirection, and dynamic rule activation. To access the Dynamic page, open the FIREWALL tab, expand the ribbon bar at the top, and click the Dynamic icon. To refresh the displayed information, click Refresh on the top right of the window.

dynamic_page.png

The Dynamic page arranges information into the following tabs.

Dynamic Rules

The Dynamic Rules tab provides information about the use of dynamic rules and Hostname network objects (see: Hostname (DNS Resolvable) Network Objects). 

In the upper section of the tab, data regarding the use of dynamic rules is arranged in the following columns:

  • Rule – Icon representing the rule status (inactive - cross; active - green square) and the name of the dynamic rule. This column also displays the username when set.
  • Status – The current state of the rule (Disabled - inactive; Enabled - active).
  • Expires – Interval until the current state expires.
  • Expire Action – Action taken as soon as the dynamic activation expires.

In the lower section of the tab, data regarding Hostname network objects is arranged in the following columns: 

  • Index – Iterative ID of the network object. The index number is determined by the combination of the Max. DNS Entries value (see General Firewall Configuration) and the percentage distribution of DNS queries allowed for network objects in use by the local and Forwarding Firewall rule sets. Index numbers start with 0 for network objects used by the Forwarding Firewall. The initial index number for network objects used in the local firewall is 75% of the Max. DNS Entries value, that is, 384 with the default of 512 Max. DNS Entries configured.

    Managed F-Series Firewalls inherit global, cluster-specific, and range-specific Hostname objects. These objects are automatically added to the memory space of the Forwarding Firewall rule set.

  • DNS Name – The DNS resolvable hostname configured in the network object.
  • Status – The current state of the network object. The following states are available: New, Pending, Resolved.
  • Addresses – The result of the DNS query.
  • Last Update – Time that has passed since the currently active DNS entry was last retrieved by the Barracuda NextGen Firewall F-Series.
  • Lifetime – Lifetime that is configured in the network object.

To manually update the DNS resolution of currently used network objects, select one or multiple list entries, then right-click and click Refresh selected DNS entries in the context menu.

A single DNS resolvable hostname is limited to 24 IP addresses. If a hostname resolves to more than 24 IP addresses, only the first 24 IP addresses will be resolved and processed.
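The index split and the 24-address limit described above can be checked before a hostname is placed in a rule set. The following is an added example, not Barracuda code: the function names, the sequential index assignment, and the treatment of the 75% split as a hard cap are assumptions, and the sample answers are constructed.

```python
import socket

MAX_IPS_PER_HOSTNAME = 24      # limit stated on this page
DEFAULT_MAX_DNS_ENTRIES = 512  # default stated on this page

def local_start_index(max_dns_entries=DEFAULT_MAX_DNS_ENTRIES):
    """First index of the local firewall rule set: 75% of Max. DNS Entries."""
    return max_dns_entries * 75 // 100

def resolve_system(hostname):
    """Unique addresses from the system resolver, in answer order.
    The firewall may receive the records in a different order."""
    ips = []
    for info in socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP):
        if info[4][0] not in ips:
            ips.append(info[4][0])
    return ips

def audit(objects, resolve=resolve_system, max_dns_entries=DEFAULT_MAX_DNS_ENTRIES):
    """objects: (hostname, ruleset) pairs, ruleset 'forwarding' or 'local'.
    Assumption: indexes are handed out sequentially per rule set."""
    split = local_start_index(max_dns_entries)
    next_index = {"forwarding": 0, "local": split}
    end_index = {"forwarding": split, "local": max_dns_entries}
    report = []
    for hostname, ruleset in objects:
        ips = resolve(hostname)
        index = next_index[ruleset]
        next_index[ruleset] += 1
        report.append({
            "hostname": hostname,
            "ruleset": ruleset,
            "index": index,
            "fits": index < end_index[ruleset],  # assumption: the split is a hard cap
            "resolved": len(ips),
            "dropped": ips[MAX_IPS_PER_HOSTNAME:],  # addresses beyond the first 24
        })
    return report

# Constructed sample answers (documentation address ranges) so the demo runs offline.
SAMPLE = {
    "cdn.example.test": [f"198.51.100.{n}" for n in range(1, 31)],
    "app.example.test": ["203.0.113.10", "203.0.113.11"],
}

if __name__ == "__main__":
    pairs = [("cdn.example.test", "forwarding"), ("app.example.test", "local")]
    for row in audit(pairs, resolve=SAMPLE.__getitem__):
        print(row["hostname"], row["index"], row["resolved"], len(row["dropped"]))
```

A non-empty `dropped` list marks a hostname whose rule would cover only part of its address set. Such destinations are better expressed as a network range or split across several objects.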

Protected IPs

The Protected IPs tab provides information concerning the number of active IP addresses (so-called protected IP addresses) for virtual Barracuda NextGen Firewall F-Series appliances.

Virtual Barracuda Firewall licenses are classified by the number of protected IP addresses. Verify that the actual number of protected IP addresses does not exceed the licensed number of protected IP addresses for your Vx model.

On the Protected IPs page, the following columns are available: 

  • ID – Icon representing the protected IP status and an iterative ID number.
  • Status – Status of each protected IP address (licensed or obsolete).
  • Last – Time expired since the IP address was last counted.
  • Address – Address of the protected IP address.
  • App Detect – Windows Application Detection.

Every hour, the list of protected IP addresses is checked to verify whether the IP addresses are still in use; inactive addresses are marked as obsolete. Every 30 minutes, obsolete IP addresses are removed from the list of protected IP addresses. Because these two tasks are not synchronized, protected IP addresses may be considered active for as long as 90 minutes after the last active connection.

Dynamic Services

The Dynamic Services tab provides information about protected IP addresses and is used in conjunction with ONCRPC (see: Firewall Plugin Modules). The following columns are available:

  • Used Address – IP address of the service used.
  • Proto – The protocol.
  • Port – Port of the service used.
  • Service Name – Name of the service used.
  • Service Desc – Service description, if entered.
  • Target Address – Target IP address of the service.
  • Expires – The expiration date.
  • Used – Information on usage.
  • Updated – Update information.
  • Source Address – The source IP address.
  • Source Mask – The source netmask.

Redirect Availability 

The firewall monitors the destination IP addresses used for Dst NAT access rules. Depending on the availability and redirection policy (cycle or fallback), the firewall decides which destination IP address the traffic is forwarded to. The state of the destination IP addresses per rule is displayed using the following columns:

  • Rule – Name of the rule.
  • Address – The target address.
  • Used – Number of connection requests redirected to the target address.
  • Unreachable Since – Time since the target has been unavailable.
  • Last Retry – Time since last retry.
  • Count Retry – Number of retries since the target was marked unavailable.
  • Bad Port – Unreachable port. Important when the rule is sensitive on more than one critical port.

SIP

The SIP tab provides details about voice media connections (Voice over IP; see: How to Configure the SIP Plugin Module). The information is displayed under the following columns:

  • Call-ID – The Call-ID belonging to this media connection.
  • Start – The duration of the call.
  • Status – The status column indicates the call's state. The following markers exist:
    • Init – The call has just arrived.
    • Setup – Connection establishment is just taking place.
    • Established – The call has been established.
    • Teardown – The call is about to be terminated.
    • Terminated – The call has been terminated. (The call is not deleted from the table immediately after termination. It stays visible until no further media connections or SIP transactions related to it exist.)
  • Srv Name – The name of the dynamic service, which is used for RTP rule lookup.
  • SYNC – The sync status.

The lower section provides an overview of all RTP media connections (Audio/Video Data Streaming) and RTCP connections (Quality Feedback and Media Signalling). Usage of RTCP is optional. If RTCP is not used during a media connection, the entry for RTCP connections disappears after the balanced timeout of the service has expired. Medium and call are interconnected through the call-ID.

Bridging ARPs

The Bridging ARPs tab provides information about connections that have been established over bridging interfaces (see: Bridging).

  • MAC – The MAC address of the external interface that has established a connection to the bridging interface.
  • Interface – The bridging interface through which the connection has been established.
  • Group – The name of the bridged interface group the interface belongs to.
  • IPs – The IP addresses recorded here belong to the MAC address displayed in the first column.
  • Type – The IP addresses bound to a MAC address are dynamic if they have been learned dynamically through proxy ARPing. The type is static if the MAC/IP combination documented through the other columns has been configured statically through the parameter Static Bridge MAC.
  • Timer – The connection timer.

Right-clicking a selected entry makes the following actions available in a context menu:

  • Remove Selected MACs – Deletes the selected MAC address(es) from the list.
  • Remove IPs from Selected MAC – Deletes IP addresses from a specific MAC that have been saved during a bridged connection establishment, without removing the MAC address itself from the list.