Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure a High Availability Cluster in Azure via Web Portal and ASM

  • Last updated on

To safeguard against hardware and software failures in the Azure cloud, use a high availability (HA) setup. The Barracuda NextGen Firewall F-Series units are deployed in an Azure availability set in a cloud service in order to guarantee that both virtual machines are running in different fault domains in the Azure datacenter. Both systems are connected to the same Azure virtual network and use static internal IP addresses (DIPs). An Azure load-balanced endpoint (level 4 load balancer) can be used to offer TCP- and UDP-based services on the VIP. For the backend servers to use the F-Series Firewall as the default gateway, Azure User Defined Routing must be configured. When a failover occurs, the F-Series Firewall changes the default route of the backend subnets to point to the F-Series Firewall on which the virtual server is running. This removes the requirement for the Azure Connectivity Agent.

Azure (Load-balanced) Endpoints can only be used for TCP/UDP-based services. All other IP protocols (ICMP, ESP,...) are blocked.

Connecting to services and managing the HA cluster in the Azure cloud:

  1. Accessing Services in Azure / on the F-Series Firewall – Create a load-balanced endpoint for each service accessed on or behind the F-Series Firewall in Azure.
  2. Management Access – If you are not using a Barracuda NextGen Control Center to manage your F-Series Firewall, use the following solution to access both VMs with NG Admin:
    • Create an endpoint on port TCP/807 to manage the primary F-Series Firewall.
    • Configure a Client-to-Site VPN. You can then reach the static internal IP address of the secondary F-Series Firewall through the Client-to-Site VPN.


Before you begin

Step 1. Create an Azure wide Virtual Network

Public Instance Level IPs (PIPs) require a wide Virtual Network (wideVNET). WideVNETs use the Location tag instead of the AffinityGroup and cannot be created using the web interface.

  1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
  2. In the left menu, click on NETWORKS.
  3. Click EXPORT in the bottom pane to download the current network configuration as an XML file. You are prompted to save the NetworkConfig.xml file.
  4. Edit the network configuration XML file and add a definition for the wide Virtual Network. Alternatively, you can also modify an existing Virtual Network.

    [...]

      <VirtualNetworkSite name="wideVNET" Location="West Europe">
        <Subnets>
          <Subnet name="Frontend">
            <AddressPrefix>10.0.20.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="Backend">
            <AddressPrefix>10.0.30.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <AddressSpace>
          <AddressPrefix>10.0.0.0/16</AddressPrefix>
        </AddressSpace>
      </VirtualNetworkSite>

    [...]
  5. In the lower left-hand corner, click + NEW > NETWORK SERVICES > VIRTUAL NETWORK > IMPORT CONFIGURATION. The IMPORT NETWORK CONFIGURATION FILE window opens.
  6. Select the modified network configuration XML file and click Next.
  7. Verify the changes to your Virtual Networks and click OK.
  8. Click OK.

Your VNET is now listed in the NETWORKS section.


Step 2. Create an Azure cloud service

Create a cloud service. The Barracuda NextGen Firewalls will be deployed in the same cloud service so you can later assign both virtual machines the same Availability Set.

  1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com). 
  2. In the left pane, click on CLOUD SERVICES.
  3. In the lower left-hand corner, click + NEW > COMPUTE > CLOUD SERVICE > CUSTOM CREATE.
  4. Enter the URL for the cloud service. E.g., BarracudaNGCloudService
  5. Select a REGION OR AFFINITY GROUP for the cloud service. E.g., West Europe
  6. Click OK.

You now have a cloud service located in the Azure datacenter of your choice.

Step 3. Deploy two Barracuda NextGen Firewalls

Deploy two Firewall Virtual Machines in the Microsoft Azure cloud, using:

  • The cloud service created in Step 2.
  • The VNET and Frontend Subnet created in Step 1.

Optional: Depending on the deployment method, you may also assign static internal IP addresses to the NextGen Firewalls.

For more information, see Microsoft Azure Deployments using Azure Service Manager (ASM).

Step 5. Assign static internal IP addresses to the firewall VMs

The Azure virtual machine will automatically reboot after assigning the static IP address.

You must use a static internal IP address to be able to create a high availability cluster. Choose free IP addresses in the Frontend subnet of the Virtual Network for both F-Series Firewalls.

  1. Open a Windows Azure PowerShell.
  2. Check if the chosen IP address is available by entering:
    Test-AzureStaticVNetIP -VNetName <your Azure virtual network name> -IPAddress <your chosen static internal IP address>
  3. Save the virtual machine to a local variable.
    $staticVM = Get-AzureVM -ServiceName <Cloud Service name of your NG> -Name <virtual machine name>
  4. Change the internal IP address of the virtual machine from dynamic to static.
    Set-AzureStaticVNetIP -VM $staticVM -IPAddress <your chosen static internal IP address> | Update-AzureVM

    The F-Series Firewall automatically reboots.

  5. Repeat the procedure for the secondary unit, using a different IP address from the same subnet. 

Both Firewall VMs are now assigned static internal IP addresses:


Step 6. Change the network configuration to use the static internal IP addresses

Change the network configuration of the primary and secondary firewall to use a static network interface.

Step 6.1 Reconfigure the network interface

Change the network interface type from dynamic to static.

  1. Log into the primary firewall via the assigned PIP.
  2. Go to CONFIGURATION > Configuration Tree > Box > Network.
  3. In the left menu, click on xDSL/DHCP/ISDN.
  4. Click Lock.
  5. Delete the DHCP01 entry in the DHCP Links list.
  6. Select No from the DHCP Enabled dropdown list.
  7. Click Send Changes.
  8. In the left menu, click on IP Configuration.
  9. In the Management IP and Network section in the Interface Name line, untick the Other checkbox.
  10. Select eth0 from the Interface Name list.
  11. Enter the static internal IP address assigned in Step 5 as the Management IP (MIP). E.g., 10.0.20.6

Step 6.3 Create the default route

Add the default route.

  1. In the left menu, click on Routing.
  2. Click in the Routes table and configure the following settings:
    • Target Network Address – Enter 0.0.0.0/0
    • Route Type – Select gateway
    • Gateway – Enter the first IP address of the subnet the F-Series Firewalls reside in. E.g., 10.0.20.1 if the IP addresses of the units are 10.0.20.6 and 10.0.20.7
    • Trust Level – Select Unclassified.
  3. Click OK.
  4. Click Send Changes and Activate.

Step 6.4 Disable ICMP Monitoring of the Gateway

ICMP probing must be disabled for the interface.

  1. Go to CONFIGURATION > Configuration Tree > Infrastructure Services > Control.
  2. Click Lock.
  3. In the ICMP Gateway Monitoring Parameter section, click + to add an entry to the No Probing for Interface table.
  4. Enter eth0 in Other.
  5. Click Send Changes and Activate.

Step 6.5 Activate the network changes

Activate the changes to the network configuration.

  1. Go to CONTROL > Box.
  2. In the Network section of the left menu, click on Activate new network configuration.
  3. Click Activate Now or Force. 

    Do not use a Failsafe network activation when changing the management IP address.

Step 6.6 Reconfigure the secondary unit

Complete Steps 6.1 - 6.4 for the secondary unit.

Both F-Series Firewall systems are now using the static 'eth0' network interfaces (CONTROL > Network).


Step 7. (PAYG only) Import PAYG licenses from the secondary firewall

Step 7.1 Export the PAYG license from the secondary firewall
  1. Log into the secondary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Select the license file, click the export icon, and select Export to File.
  5. Click Unlock.
Step 7.2 Import the PAYG license on the primary firewall
  1. Log into the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Licenses.
  3. Click Lock.
  4. Click + and select Import from File.
  5. Select the license file exported from the secondary firewall.

The primary firewall now has both PAYG licenses listed in the Licenses list.

Step 8. Create a DHA cluster configuration

Create a DHA cluster configuration. For more information on DHA, see High Availability.

  1. Log into the primary F-Series Firewall.
  2. Go to CONFIGURATION > Configuration Tree.
  3. Right-click on Box and select Create DHA Box.
  4. Go to CONFIGURATION > Configuration Tree > HA Box > HA Network.
  5. Select eth0 from the Interface Name list.
  6. Enter the static IP address of the secondary F-Series Firewall as the Management IP (MIP). E.g., 10.0.20.7
  7. In the left menu, select Routing. 
  8. Verify the default route is present. (0.0.0.0/0 gateway XX.XX.XX.1).
  9. Click Send Changes and Activate.

Step 9. Deploy the HA PAR file to the secondary unit

Step 9.1 Create the PAR file for the HA unit
  1. Log into the primary F-Series Firewall unit.
  2. Go to CONFIGURATION > Configuration Tree.
  3. Right-click on Box and select CREATE PAR FILE for HA box. You are prompted to save the boxha.par file.
Step 9.2 Deploy the PAR file on the secondary unit
  1. Log into the secondary F-Series Firewall unit.
  2. Go to CONFIGURATION > Configuration Tree.
  3. Right-click on Box and select Restore from PAR file.
  4. Choose the boxha.par file created in Step 9.1.
  5. Click Activate.
  6. Go to CONTROL > Box.
  7. In the left menu in the Network section, click on Activate new network configuration.
  8. Click Failsafe.
  9. In the left menu in the Operating System section, click Firmware Restart.

The F-Series Firewall systems are now in a high availability cluster.

Step 9.3 Set the active and backup unit for the virtual server
Standalone F-Series Firewalls
  1. Log into the primary unit.
  2. Go to your cluster in the NextGen Control Center > Virtual Servers > your virtual server > Server Properties.
  3. Click Lock.
  4. In the Virtual Server Definition section, define the primary unit and secondary unit.
    • Active Box – Select This-Box.
    • Backup Box – Select Other-Box.
  5. Click Send Changes and Activate.
Managed F-Series Firewalls
  1. Log in to your Control Center.
  2. Go to your cluster in the NextGen Control Center > Virtual Servers > your virtual server > Server Properties.
  3. Click Lock.
  4. In the Virtual Server Definition section, define the primary unit and secondary unit.
    • Primary Box – The active system.
    • Secondary Box – The HA partner.
  5. Click Send Changes and Activate.

Step 10. (BYOL only) Activate and license the two firewall VMs

Activate the license on the secondary firewall first, then on the primary firewall. If the primary unit is activated before the secondary unit, the licenses for the secondary cannot be downloaded. In this case, reboot the primary firewall and perform a complete manual HA sync and update to download and install the licenses correctly.

For more information, see How to Activate and License a NextGen F-Series High Availability Cluster.

Step 11. Add both firewall virtual machines to the same availability set

The Azure virtual machine will automatically reboot after assigning a new availability set.

To avoid hardware failures, and to take advantage of the Microsoft Azure SLA for the compute cloud, both virtual machines must be in the same availability set. If you already placed the two F-Series Firewalls in an Availability Set during deployment, continue with Step 12.

  1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
  2. In the left pane, click on Virtual Machines. 
  3. Click on the primary firewall VM. The DASHBOARD opens.
  4. In the top menu, click on CONFIGURE.
  5. Select Create an availability set.
  6. Enter the name for the AVAILABILITY SET. E.g., HA_SET
  7. In the bottom pane, click SAVE. Wait for the changes to be applied. The virtual machine will reboot.
  8. Click on the secondary F-Series Firewall. The DASHBOARD opens.
  9. In the top menu, click on CONFIGURE.
  10. From the AVAILABILITY SET list, select the availability set created for the primary F-Series Firewall. E.g., HA_SET.
  11. In the bottom pane, click SAVE. Wait for the changes to be applied. The virtual machine will reboot. 

Both firewall VMs are now in the same availability set. Go to VIRTUAL MACHINES > your primary or secondary virtual machine > CONFIGURE. Both virtual machines are now listed below the AVAILABILITY SET list.

Step 12. Configure a load balanced endpoint

Create a load-balanced endpoint for each Internet facing service you want to offer. E.g., a load-balanced endpoint for port UDP/691 if you are connecting via TINA to the VPN service on the HA cluster.

  1. Log into your Microsoft Azure Management Portal (https://manage.windowsazure.com).
  2. In the left menu, click on VIRTUAL MACHINES.
  3. Click on the primary firewall VM. The DASHBOARD opens.
  4. In the top menu, click on ENDPOINTS.
  5. Select ADD A STAND-ALONE ENDPOINT.
  6. Click OK.
  7. In the ADD ENDPOINT window, enter:
    • Name – Enter a name for the endpoint.
    • PROTOCOL – Select TCP or UDP depending on your TINA configuration.
    • PUBLIC PORT – Enter the external port. E.g., 691
    • PRIVATE PORT – Enter the internal port. E.g., 691
    • CREATE A LOAD-BALANCED SET – Select the checkbox to enable load balancing for these ports.
  8. Click NEXT.
  9. Configure the load-balanced set:
    • LOAD-BALANCED SET NAME – Enter a name for the load-balanced endpoint.
    • PROBE PROTOCOL – Select TCP.
    • PROBE PORT – Enter the port the service is listening on internally. E.g., 691
    • PROBE INTERVAL – Enter how many seconds should pass between probes. Default: 5 sec
    • NUMBER OF PROBES – Enter how many probes should be sent before the service is switched to the other unit. Default: 2
  10. Click OK. The load-balanced endpoint is created.
  11. Click on the secondary firewall VM. The DASHBOARD opens.
  12. In the top menu, click on ENDPOINTS.
  13. Select ADD AN ENDPOINT TO AN EXISTING LOAD BALANCED SET.
  14. Select the load-balanced endpoint created for the primary unit.
  15. Click NEXT.
  16. Enter a NAME.
  17. Click OK.

Step 13. Remove the SETUP-MGMT-ACCESS access rule

This redirect access rule is no longer needed and can be deleted.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > S1 > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click on the SETUP-MGMT-ACCESS firewall rule and click Delete.
  4. Click Send Changes and Activate.

Step 14. Configure Azure User Defined Routing

Azure User Defined Routing allows you to use the F-Series Firewall HA cluster in the frontend subnet as the default gateway for all your VMs running in the backend networks. You must enable IP forwarding for the F-Series Firewall VMs and create and apply an Azure routing table to the backend networks. Using a management certificate and the Azure subscription ID, the F-Series Firewall VMs can change the Azure Routing Table on the fly when the virtual server fails over from one VM to the other.

Step 14.1 Configure User Defined Routes for your VNET

Create a User Defined routing table and enable IP Forwarding for the two F-Series Firewall VMs. Assign this user defined routing table to all subnets that use the F-Series Firewall HA cluster as the default gateway.

For more information, see How to Configure Azure Route Tables (UDR) in Azure using PowerShell and ASM.

Step 14.2 Create the Azure Management certificate

For the F-Series Firewall to be able to connect to the Azure backend, you must create and upload a Management certificate.

  1. Log in to the firewall via ssh.
  2. Create the certificate:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
  3. Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
  4. Convert the certificate to CER, as required by Azure:
    openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer

If you are using an OpenSSL version that generates PKCS#8 keys, you must extract the RSA key separately:

openssl rsa -in mycert.pem -out mycert.key.pem

In this case upload mycert.pem as the Azure Management Certificate and mycert.key.pem as the Management Key on the F-Series Firewall.

You now have two certificates mycert.pem and mycert.cer.
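To make the certificate steps above repeatable and to handle the PKCS#8 case automatically, here is an added shell example that is not part of the Barracuda documentation. It passes the Common Name with -subj instead of answering the prompts, always writes the key to a separate mycert.key.pem in traditional RSA (PKCS#1) format, and checks that the DER certificate and the key carry the same public key before anything is uploaded; the Common Name azure-mgmt-example and the output directory are constructed values.

```shell
# Added example (not from the Barracuda documentation): generate the Azure
# management certificate, convert it to DER for the portal, and always write a
# separate key file in traditional RSA (PKCS#1) format for the firewall, so
# the PKCS#8 case described in the text needs no manual step.
# "azure-mgmt-example" is a constructed Common Name; pick your own.
set -e

# key_format <pem-file>: prints pkcs1, pkcs8 or unknown, judged by PEM header.
key_format() {
    if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
    elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
    else echo unknown
    fi
}

# make_mgmt_cert <output-dir> <common-name>
# Produces mycert.pem (key + certificate, as in the documented command),
# mycert.cer (DER certificate to upload as Management Certificate) and
# mycert.key.pem (PKCS#1 key to import as Management Key).
make_mgmt_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # The key is stored unencrypted (-nodes) and authorises changes to the
    # subscription's route tables: make the files readable by this user only.
    umask 077
    # -subj supplies the CN non-interactively instead of answering the prompts.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/mycert.pem" -out "$dir/mycert.pem" 2>/dev/null
    openssl x509 -inform pem -in "$dir/mycert.pem" -outform der -out "$dir/mycert.cer"
    # OpenSSL 3.x writes PKCS#8 unless -traditional is given; older releases
    # reject that flag but already write PKCS#1, hence the fallback.
    openssl rsa -in "$dir/mycert.pem" -traditional -out "$dir/mycert.key.pem" 2>/dev/null ||
        openssl rsa -in "$dir/mycert.pem" -out "$dir/mycert.key.pem" 2>/dev/null
    echo "mycert.pem key format: $(key_format "$dir/mycert.pem")," \
         "mycert.key.pem key format: $(key_format "$dir/mycert.key.pem")"
}

# verify_pair <output-dir>: succeeds only if the DER certificate and the key
# file carry the same public key, i.e. the two uploads belong together.
verify_pair() {
    cert_pub=$(openssl x509 -inform der -in "$1/mycert.cer" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/mycert.key.pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh make_mgmt_cert.sh <output-dir> <common-name>
if [ $# -eq 2 ]; then
    make_mgmt_cert "$1" "$2"
    verify_pair "$1" && echo "OK: $1/mycert.cer and $1/mycert.key.pem match"
fi
```

Upload mycert.cer in the portal (Step 14.3) and import mycert.pem as the Management Certificate and mycert.key.pem as the Management Key on the firewall (Step 14.4).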

Step 14.3 Upload the Azure Management certificate
  1. Log into the Microsoft Azure Management Portal (https://manage.windowsazure.com).
  2. On the bottom of the left menu, click on SETTINGS.
  3. In the top navigation, click on MANAGEMENT CERTIFICATES.
  4. At the bottom, click UPLOAD.
  5. Select the mycert.cer certificate created in Step 14.2 and click OK.

The management certificate is now listed with the Common Name of the certificate used as the Name.

Step 14.4 Configure Cloud Integration

You must enter your Azure SubscriptionId, VNET name and the management certificate to allow the F-Series Firewall to change the Azure User Defined Routing Table.

  1. Log into the primary firewall.
  2. Go to CONFIGURATION > Configuration Tree > Box > Advanced Configuration > Cloud Integration.
  3. Click Lock.
  4. In the left menu, click Azure Networking.
  5. Enter your Azure Subscription ID. Use Get-AzureSubscription in Azure PowerShell to display your SubscriptionId.
  6. Enter the Virtual Network Name.
  7. Next to Management Certificate, click Ex/Import and select Import from PEM File. The File browser window opens.
  8. Select the mycert.pem certificate created in Step 14.2 and click Open.
  9. Next to Management Key, click Ex/Import and select Import from File. The File browser window opens. Select the mycert.pem file created in Step 14.2 and click Open.

    If you are using an OpenSSL version that generates PKCS#8 keys, import the mycert.key.pem file as the Management Key on the F-Series Firewall instead.

  10. Set Protect IP forwarding settings to yes.
  11. Click Send Changes and Activate.

The Azure Routing table is now updated every time the virtual server fails over.

Step 15. (Optional) Assign Public Instance Level IP addresses to the firewall virtual machines

To access both firewall virtual machines directly and individually, a Public Instance Level IP Address (PIP) must be assigned to each VM. PIPs can only be assigned and managed via Azure PowerShell and are currently not visible in the Microsoft Azure web interface. Once assigned to a VM, PIPs are used as the default source IP address for outgoing connections initiated by the F-Series Firewall.

For more information, see Reserved, Static and Public IP Addresses in the Azure Cloud using ASM.
