The following sections describe how to configure Barracuda Firewall Admin settings in the Firewall Admin user interface. To access the configuration menu, click the OPTIONS tab at the top left, and then select Settings.
To configure the connection and display for Firewall Admin, specify the client settings according to your requirements.
Enable Compression activates or deactivates data compression for Firewall Admin connections (Default: inactive). Compression improves efficiency, for example management responsiveness, especially over 'thin' lines. This feature is backward-compatible: even older CloudGen Firewall releases that cannot handle compressed management connections can still be connected properly. When compression is active, the connection status icon at the top right changes to an icon with a cyan background.
Click Advanced Cryptographic Settings to edit the following advanced crypto API settings:
- Disable Smartcard /Token – Selecting this check box deactivates the advanced cryptographic API settings.
- Cryptographic Service Provider – Barracuda Networks supports all cryptographic service providers (CSPs) using the Microsoft crypto API. All CSPs installed on your local workstation are listed.
- Key Length – The key length depends on the selected CSP. Minimum, maximum, and default values for key lengths are displayed in the Cryptographic Service Provider list.
- Default Store – The default store for certificates (defaults to MY).
Specifies the provider type – Location of the certificate. You can select one of the following settings:
- CERT_STORE_PROV_SYSTEM – Certificate available in MS Management Console.
- CERT_STORE_PROV_PHYSICAL – Certificate available on eToken/Smartcard.
Flags – Availability of the certificate. Possible values are 'current user only' or 'local workstation', regardless of the logged-in user. You can select one of the following settings:
- CERT_SYSTEM_STORE_CURRENT_USER – Certificate is dedicated to this user only.
- CERT_SYSTEM_STORE_LOCAL_MACHINE – Certificate is dedicated to the local workstation.
- Select Smartcard Reader – If smartcard readers are available, you can select one from this list. If the list is inactive, there are no smartcard readers available.
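To decide which Flags value applies on a given admin workstation, it helps to see which certificates with a private key actually sit in the MY store of each location. The following PowerShell is an added example, not part of the Barracuda documentation; it assumes the Windows certificate drive (`Cert:`) and reports only RSA key sizes.

```powershell
# Added example: inventory certificates in the store locations selectable under Flags.
# 'My' is the default store named on this page; the two locations correspond to
# CERT_SYSTEM_STORE_CURRENT_USER and CERT_SYSTEM_STORE_LOCAL_MACHINE.
$storeName = 'My'
$locations = 'CurrentUser', 'LocalMachine'

$report = foreach ($location in $locations) {
    Get-ChildItem -Path "Cert:\$location\$storeName" -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # RSA public key if the certificate carries one; otherwise $null.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
            [pscustomobject]@{
                Location   = $location
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                RsaKeyBits = if ($rsa) { $rsa.KeySize } else { $null }
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt (Get-Date)
            }
        }
}

# Certificates without a private key cannot answer a challenge and are skipped above.
$report | Sort-Object Location, NotAfter | Format-Table -AutoSize
```

Reading the LocalMachine store's private-key status may require an elevated session; expired entries and unexpectedly short keys are the rows to review.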
Use SPoE as default – Use SPoE as default if Firewall Admin should use a single point of entry to connect to the CloudGen Firewall or Control Center. TCP port 807 is used to access the firewall, and TCP port 806 for the Firewall Control Center. SPoE is required when deploying in the public cloud. When the unit cannot be reached via SPoE ports, Firewall Admin reverts to the previous connection method. Following a successful connection, the connection method is saved to the registry and re-used for the next connection to that firewall or Control Center.
Socket Connect Timeout – Duration in seconds that a login attempt can last until it is stopped due to failure and an error message is displayed (Default: 6 seconds).
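Because Firewall Admin falls back to the previous connection method when the SPoE ports cannot be reached, it is useful to confirm from the admin workstation that TCP 807 and TCP 806 are actually open on the path. The following PowerShell is an added example, not part of the Barracuda documentation; the host names are placeholders and `Test-SpoePort` is a hypothetical helper name.

```powershell
# Added example: check whether the SPoE management ports are reachable.
# Host names below are placeholders; replace them with your own systems.
$targets = @(
    @{ Name = 'fw01.example.internal'; Port = 807; Role = 'CloudGen Firewall' }
    @{ Name = 'cc01.example.internal'; Port = 806; Role = 'Control Center' }
)
$timeoutSeconds = 6   # same value as the Socket Connect Timeout default

function Test-SpoePort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutSeconds)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait returns $false on timeout; a refused connection throws.
        return ($task.Wait([TimeSpan]::FromSeconds($TimeoutSeconds)) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

foreach ($t in $targets) {
    [pscustomobject]@{
        Role      = $t.Role
        Target    = '{0}:{1}' -f $t.Name, $t.Port
        Reachable = Test-SpoePort -ComputerName $t.Name -Port $t.Port -TimeoutSeconds $timeoutSeconds
    }
}
```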
Configuration Read Timeout – Duration in seconds that a connection attempt (with the Connect button) can last after a failure until it is stopped and an error message is displayed (default: 30 seconds). In addition, this setting also determines the read timeout of the configuration file on the Box Control > Licenses page. For more information, see How to License a CloudGen Firewall.
Log and Statistic Timeout – Timeout field for processing both logs and statistics.
- Log Timeout – Duration in seconds until the attempt is stopped and an error message is displayed. Used for collecting large numbers of log entries. For a set of approx. 10,000 records, it is recommended to set the value to about 300 seconds so that the log entries can be processed before they are displayed.
Statistics Timeout – Duration in seconds that a statistics view attempt can last until the attempt is stopped and an error message is displayed (Default: 30 seconds). Increase this setting if you expect large statistics files.
Max. Automatic Reconnects – The maximum number of times Firewall Admin automatically reconnects after a session has been interrupted, e.g., in case of connection attempts during updates.
- Disable Events System Tray Icon – To disable the icon in the system tray that indicates an active event, select this check box.
- Always use Session Password – To always use the last known password when reconnecting to a system after a session has been disconnected, select this check box. The password is only saved until you close Firewall Admin.
- Switch tab title order – To invert the labeling of opened tabs, select this check box. Either the system name or the system IP address will be on top.
- Print Header – In this field, you can enter a custom header for prints. A header is especially useful for identifying owners when multiple administrators use one printer.
Specifies how the date and time are formatted in various overview listings (for example, CC Control).
- Advanced Mode Configuration – To activate Advanced Configuration Mode throughout the client, select this check box.
- Enable Configuration Scripting – To enable the functionality to script the configuration, select this check box.
- Read Only Colour – To define the background color for configuration files in read-only mode, click Read Only Colour.
FW Rule Editor
- Maximum number of network objects to fill into source and destination Combo Box – Defines the maximum number of network objects to be listed for Source and Destination when creating firewall rules. You can leave this setting as default.
- Double Click to use Rule Dialog instead of Inplace Edit – Switch between in-place editing and opening the Rule Editor when double-clicking inside a cell in the rule list.
Behavior on Slow Connection
- Do always automatic data refresh on activation and timer intervals – If enabled, content of the user interface will always be automatically refreshed.
- Disable automatic data refresh for Box/CC Connections slower than <value> Latency in ms – In this field, specify a threshold in milliseconds after which automatic data refresh is disabled for connections. The CloudGen Firewall or Control Center connection will be probed on the first connection attempt.
- Disable Keyboard Navigation by <Alt> Key – To display the keyboard navigation when you press Alt, select this check box.
- Restore Dialog Positions, Restore List Columns, Restore Config Element Sizes – To restore default settings, click the corresponding button.
Custom IP Lookup Link
- Disable Custom IP Lookup Link in Firewall Live and History. Takes effect with next opened session! – To disable the custom IP lookup link in the Firewall > Live and History view, select this check box.
IPv4 Lookup URL – In this section, you can enter an HTTP/S URL to perform a custom IP address lookup (for example whatismyipaddress.com). By default, IP addresses are looked up at http://www.barracudalabs.com.
<ipv4 addr> – The IPv4 address.
External SSH Client
- Command to open SSH-Client – In this field, enter the command to open the SSH client. Use %IP address and %user to dynamically insert IP addresses and login name. Format: 'path' parameters. e.g., 'C:\putty.exe' %user@%IP address.
- Anonymize IP Addresses on Printing – When this check box is selected, IP addresses are anonymized when printing lists by replacing the last 4 digits by xxx, e.g., 80.90.100.xxx.
- Save session information – Save the IP address in the recent connection section of the login page.
- Save user name – Save the username last used to log into the IP address with the recent connection information.
- Import recent sessions – Click to import recently accessed firewalls and Control Centers from the registry.
Expanding the Barracuda Activation drop-down menu lets you configure the settings for Barracuda Activation. The settings in this section control the behavior or completely disable the Barracuda Activation process.
Policy for Contact Information – From this drop-down list you can select from the following options:
- Do not store. Ask every time – Does not store customer information locally. For each license activation, the user information needs to be entered.
- Store, but ask for confirmation – Stores customer information locally. The information does not need to be entered for each activation, but needs to be confirmed instead.
- Store and use always automatically – Stores customer information locally.
- CC: Create PAR Files – When the check box is selected, no warning will be displayed on creation of box PAR files without configured serial numbers.
- Proxy Settings – When the check box is selected, proxy settings configured in Internet Explorer will be inherited by the client.
- License Expire Warning – The number of days left until the license expiration warning is shown.
Admin and CC Settings
When expanding the Admin and CC Settings section, you can change default display settings. You can also configure the password and key for administrators of a Firewall Control Center and stand-alone Barracuda CloudGen Firewall.
- Show Expert Settings – Selecting this check box displays expert settings in the GUI. (Changing expert settings is not recommended.)
- Use Cluster Description as Cluster Name – Selecting this check box displays the cluster description as cluster name across the entire configuration wherever cluster information on the CC is used.
Configure Stand-Alone Barracuda CloudGen Firewall Admin Settings
To configure the administrator settings for a stand-alone Barracuda CloudGen Firewall:
- Select Change Admin Credentials for Local Admin (Single Box).
- In the Box IP Address field, enter the IP address of the firewall.
- In the Change Administrator Password section, you can change the password.
- In the Change Administrator Key section, you can change the keys.
Configure Barracuda Firewall Control Center Admin Settings
To configure the administrator settings for a Barracuda Firewall Control Center:
- Select Change Admin Credentials for CC Admin.
In the CC Selection section, select the Firewall Control Center. In the Address field, the IP address of the system appears.
- To view the certificate for the system, click Show Certificate.
- In the Change Administrator Password section, you can change the password.
In the Change Administrator Key section, you can change the keys.
Certificates and Private Keys
This drop-down menu contains the private key administration. Login and authentication of the administrator on a CloudGen Firewall are processed using a two-factor authentication technique. The authenticity of the admin workstation is verified using a challenge-response method. In addition to this, administrators must authenticate themselves using a personal password.
Creating a Certificate
In order to generate a new certificate/key by using Microsoft Strong Cryptographic Provider v1.0, click Create New Certificate/Key. This opens a window requiring several values to be entered. After confirming your entry, the new certificate will be displayed in the list. The columns within the main tab derive from the information entered while creating the certificate. However, two columns differ:
- Hash – Contains short information concerning the key in order to make it easier to verify whether keys are equal.
- Key Container – Displays the unique name of the CSP key container.
To delete a certificate, select the required certificate in the list and click Delete Certificate/Key.
Using Keys on a Barracuda CloudGen Firewall
Keys in PEM format cannot be used on CloudGen Firewall systems. However, Firewall Admin enables conversion of already-existing keys into certificates. If you have older keys sitting in your registry, Firewall Admin provides an additional button within this dialog named Migrate Keys to Cert. Click this button to open a password request for the available keys. After entering the proper password, the keys are converted into certificates. The subsequent dialog (Registry Keys converted to Microsoft Certificate Management - Remove Registry Keys?) offers two options:
- Yes – Removes the keys in PEM format from the registry.
- No – Keeps the keys in PEM format in the registry.
Public Host Keys
When expanding the Public Host Keys drop-down field, the following sections are available:
This section shows all firewalls that were previously accessed using this computer. The list includes the box IP address, a short hash of the key, and the unique box fingerprint. Use the Remove Selected option to delete a selected entry from the list. A security request will pop up the next time you log into the box. The Import PEM option allows you to import PEM files. Using certificates here increases security and, at the same time, avoids the security request.
This section shows all firewalls that were previously accessed using an SSH connection from this computer. The list includes the SSH IP address and the unique SSH fingerprint. In addition to the Remove Selected and Import PEM options (both having the same purpose as described above), the Enter Finger Print option is also available here. Click to enter the unique fingerprint and the corresponding IP address manually into a dialog box.
Barracuda Firewall Admin Maintenance
This drop-down menu offers you an option to install the currently running instance of Firewall Admin into the so-called Global Assembly Cache (GAC), to uninstall it again from there, and to delete further instances that have been detected on the workstation. Usually, there is no need to install Firewall Admin because the executable can simply be copied to and executed on a workstation, thereby fulfilling the hardware and OS requirements without requiring any further preparations.