Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Best Practice - Azure Public Cloud


Configuring a Barracuda NextGen Firewall F-Series in the Azure cloud requires you to adapt setup procedures according to the requirements and restrictions of the cloud.

Use automatically filled custom external network objects

The Barracuda NextGen Firewall F-Series automatically fills the custom external network objects with network information acquired from the Azure cloud:

  • Custom external object number 1 contains the internal IP address.
  • Custom external object number 2 contains the internal network address.
  • Custom external object number 3 contains the external IP address.

For more information, see Custom External Network Objects.

Configuring service listeners and app redirect access rules in Azure

Stand-alone firewalls

Stand-alone firewalls use one dynamic interface. The management IP address, the virtual server, and the services running on it listen on the loopback interface IP addresses. Incoming traffic on the dhcp interface must be redirected with app redirect access rules to the respective service. Use the CONTROL > Resources page to check the listeners for each service.

BP_Azure_01.png

High availability clusters

High availability clusters must use static IP addresses for the management interface. Because Azure does not support floating IP addresses, the app redirect rule must use the management IP addresses of both firewalls as the destination so that it matches whichever unit is currently active. Use Any (not Internet) as the source so that connections from other clients in the virtual network are also redirected.

BP_Azure_01a.png

Special considerations for the VPN service IKEv1 IPsec listener

By default, the IPsec service listens on 0.0.0.0. Combined with an app redirect rule this causes problems, because incoming traffic is then handled by the host firewall via the 0.0.0.0 listener while outgoing traffic is routed via the app redirect rule, so the two directions of the same tunnel take different paths.

Step 1. Configure client-to-site or site-to-site IPsec VPN

Configure an IKEv1 client-to-site or site-to-site IPsec VPN.

For more information, see Client-to-Site VPN or Site-to-Site VPN.

Step 2. Disable IPsec dynamic IP setting

Open the VPN Settings - Server Settings and, in the Advanced tab, change Use IPSec dynamic IPs to No. This disables the 0.0.0.0 listener for the ike3 (IPsec IKEv1) daemon.

BP_Azure02.png

Step 3. Verify ike3 listeners

Open the CONTROL > Resources page and double-click the ike3 / Tina VPN process. Verify that the ike3 and Tina VPN processes are listening only on 127.0.0.9, UDP ports 500 and 4500, and no longer on 0.0.0.0.

BP_Azure03.png

Step 4. Create app redirect access rule

Create an app redirect access rule to forward incoming traffic to the ike3 (IKEv1) daemon listening on the loopback interface. For stand-alone firewalls, use dhcp as the destination. For HA clusters, use both the primary and the secondary firewall management IP addresses as the destination.

BP_Azure_04.png
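As an added example (not part of the Barracuda documentation and not a Barracuda tool), the verification from Step 3 can also be scripted from the firewall's shell instead of the CONTROL > Resources page. The function below reads `netstat -ulnp`-style output and fails if the ike3 daemon is still bound to 0.0.0.0, or if it is not bound to 127.0.0.9 on UDP 500 and 4500. The process name `ike3`, the loopback address 127.0.0.9 and the two ports come from the page; the sample output embedded below is constructed, and the netstat column layout (local address in column 4, `PID/program` in the last column, IPv4 only) is an assumption.

```shell
#!/bin/sh
# Added example: verify that the ike3 (IKEv1 IPsec) daemon listens only on
# the loopback address 127.0.0.9, UDP 500 and 4500, i.e. that the
# "Use IPsec dynamic IPs = No" setting has actually removed the 0.0.0.0 listener.
#
# Usage: netstat -ulnp | check_ike_listeners
# Exit status 0 = listeners are as expected, 1 = wrong or missing listener.

EXPECTED_LOOPBACK="127.0.0.9"   # loopback IP the VPN service uses (from the page)

check_ike_listeners() {
    # Only UDP sockets owned by the ike3 process are inspected (assumed
    # netstat layout: $1 proto, $4 local address:port, $NF pid/program).
    awk -v want="$EXPECTED_LOOPBACK" '
        $1 == "udp" && $NF ~ /\/ike3$/ {
            split($4, a, ":")                 # a[1] = address, a[2] = port
            if (a[2] != "500" && a[2] != "4500") next
            if (a[1] != want) {
                print "BAD: ike3 bound to " $4 " (expected " want ")"
                bad = 1
            } else {
                seen[a[2]] = 1
            }
        }
        END {
            if (!seen["500"] || !seen["4500"]) {
                print "BAD: no ike3 listener on " want " UDP 500 and 4500"
                bad = 1
            }
            if (!bad) print "OK: ike3 listens only on " want " UDP 500/4500"
            exit bad + 0
        }'
}

# Constructed sample output (not captured from a real firewall): state after Step 2.
SAMPLE_GOOD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.9:500           0.0.0.0:*                           1234/ike3
udp        0      0 127.0.0.9:4500          0.0.0.0:*                           1234/ike3'

# Constructed sample output: default state, listener still on 0.0.0.0.
SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:500             0.0.0.0:*                           1234/ike3
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           1234/ike3'

# Demonstration run on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_ike_listeners
if printf '%s\n' "$SAMPLE_BAD" | check_ike_listeners; then
    echo "unexpected: bad sample passed"
else
    echo "bad sample correctly rejected"
fi
```

On a live firewall, pipe the real `netstat -ulnp` output into the function before creating the app redirect rule in Step 4; a non-zero exit means the dynamic-IP setting was not applied and the rule would again end up with asymmetric traffic paths.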

Restoring a PAYG NextGen Firewall F-Series from a PAR file

Since the PAYG licenses are generated only on the first boot, take extra care not to overwrite these licenses when using a PAR file to restore the configuration of another NextGen Firewall F-Series onto this VM.

Step 1. Create PAR file

On the source PAYG NextGen Firewall F-Series, create a PAR file.

For more information, see How to Back Up and Restore Your Systems or How to Create PAR or PCA Files on the Command Line.

Step 2. Export PAYG license on new firewall VM

On the destination PAYG NextGen Firewall F-Series, export the PAYG licenses to a file to be able to restore them later.

  1. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  2. Click Lock.
  3. Select the license in the Licenses list, click the export icon, and select Export to File.
    export_01.png
  4. Save the lic file.
  5. Click Unlock.

Step 3. Restore from PAR

Restore the configuration from the PAR file, but before activating it, replace the license with the license file exported in step 2.

  1. Go to CONFIGURATION > Configuration Tree.
  2. Right-click on Box and select Restore from PAR File.
    export_02.png
  3. Select the PAR file. Upon completion, the Box Configuration restored pop-up window opens.
    export_03.png
  4. Go to CONFIGURATION > Configuration Tree > Box Licenses.
  5. Delete all licenses in the Licenses list.
  6. Click + and select Import from File.
  7. Select the license file you exported in step 2.
  8. Click OK and agree to the end user licensing agreement.
  9. Click Send Changes and Activate.
  10. Go to CONTROL > Box.
  11. If necessary, click Activate new network configuration and select Failsafe from the pop-up window.

You can now use the new PAYG image with the configuration included in the PAR file.
