It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Barracuda NG Web Filter

  • Last updated on

The URL filter is comprised of multiple components to process traffic. The Barracuda NG Web Filter engine requires an NG Web Filter subscription. With the Barracuda NG Web Filter the URL category databases can be stored locally on the Barracuda CloudGen Firewall. The Barracuda NG Web Filter additionally offers an offline database for URL categories. The Barracuda NG Web filter can not be used with Application Control.

URL Filtering Process

The following flowchart illustrates how traffic is processed by the main components of the URL filter:

fw_web_filter.png

Proxy - Basic ACL

An URL request from the client browser is first processed by the HTTP proxy to determine if it is allowed by the ACL. If the basic ACL does not allow Internet browsing, the request is dismissed and the proxy server's internal block HTTP page is displayed. For more information on configuring the HTTP Proxy ACL, see How to Configure User Authentication and Access Control.

Logging

To view the logs for the URL Filter service, go to the LOGS Tab of the Barracuda CloudGen Firewall. The URL Filter service generates the following log files:

  • Fwauthd – Log created by the Barracuda Authentication Client that is processing the block page.

Load Sharing and High Availability

The URL filter can also be installed on both units in a high availability (HA) setup. In a HA setup, it may be useful to configure a second URL filter on the peer unit to share the load and to take advantage of the additional hardware. The second URL filter requires its own license.

The following figure illustrates such a setup where the URL filter is configured on both Box HA-1 and Box HA-2:

ha_share01.png
If Box HA-2 is down (for example, because of a hardware failure), Box HA-1 takes over the proxy server and URL filter server that were hosted by it.

ha_share02.png

On the Server Page, both servers may be displayed as active even though the second URL filter server is idle because both URL filter servers bind to the local host IP address of 127.0.0.1. The second server is not able to bind to the IP address, which is already in use by the other server (a corresponding log entry is created in the cofsd log file).

This behavior is necessary to avoid fraud with multiple URL Filter servers using the same license. As a result, only 100 users (the number of users depends on the NG Web Filter licenses installed on the now active box) are allowed at the same time.

In the Web Filtering settings, make sure that you have correctly configured the Block If User Limit Exceeded setting.