It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Audit & Reporting with IPFIX

  • Last updated on

On the Barracuda CloudGen Firewall, you can stream audit and reporting information based on the IPFIX protocol to multiple external collectors. Enable IPFIX, add collectors and optionally enable IPFIX streaming for your HTTP proxy access log.

Step 1. Enable and Configure IPFIX 

Before you can stream your audit log or HTTP proxy access log, you must enable and configure IPFIX.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration
  2. In the left menu, select Audit and Reporting.
  3. In the left menu, expand Configuration Mode and click Switch to Advanced View.
  4. Click Lock.
  5. In the Log Policy Section click Edit to set Audit Log Data. The Audit Log Handling window opens.
  6. Set Audit Delivery to Send IPFIX or Forward-and-Send-IPFIX.
  7. Click OK.
  8. In the IPFIX Streaming section, set Enable IPFIX/Netflow to yes.
  9. (optional) Set Enable intermediate report to yes.
  10. (optional) Enter the IPFIX reporting interval for intermediate reports in minutes.
  11. Choose a IPFIX Template:
    • Default – Includes basic data. This is the default template used in firmware version 5.4.X.
    • Extended – Includes all data from the default template plus octetDeltaCount, packetDeltaCount, reverseOctetDeltaCount, reversePacketDeltaCount and firewallEvent.
  12. Click + next to Collectors to add a IPFIX/Netflow collector.
    1. Enter a Name for the collector settings and click OK. The Collectors window opens.
    2. Select the protocol from the Export Mode list. Because IPFIX data streams may contain confidential data, it is recommended that you select TCP/SSL.
    3. If you are using TCP/SSL, configure the SSL certificate settings.
    4. Enter the Collector IP.   
    5. Enter the Collector Port.
    6. Select the Byte order for data. Default: BigEndian
  13. Enter the Collector IP and Collector Port of the IPFIX collector.
  14. Click OK.
  15. Click Send Changes and Activate.

You must also create a PASS host firewall rule to allow traffic between the Barracuda CloudGen Firewall and the IPFIX collector.

Step 2. (optional) Enable HTTP Proxy Access Log Streaming via IPFIX

After you configure IPFIX streaming, you can enable the Barracuda CloudGen Firewall to stream HTTP proxy access log data via IPFIX.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTT Proxy Settings.
  2. From the Configuration Mode menu, select Switch to Advanced View.
  3. Click Lock.
  4. In the Log Settings section, set IPFIX Streaming to yes.
  5. Click Send Changes and Activate.

Log Stream Information/IPFIX Output

Standard Fields
Field IDName
1octetDeltaCount
1reverseOctetDeltaCount
2packetDeltaCount
2reversePacketDeltaCount
4protocolIdentifier
7sourceTransportPort
8sourceIPv4Address
10ingressInterface
11destinationTransportPort
12destinationIPv4Address
14egressInterface
56sourceMacAddress
85octetTotalCount
85reverseOctetTotalCount
86packetTotalCount
86reversePacketTotalCount
161flowDurationMilliseconds
233

firewallEvent

Custom Fields
Private Enterprise Number Barracuda Networks: 10704
Field IDLength (octets)TypeNameDescription
14IntTimestampSeconds since epoch
21IntLogOpsee section LogOp
31IntTrafficTypesee section TrafficType
4variableStringFW RuleName of the firewall rule
5variableStringServiceNameName of service
64IntReasonReason in datatype Integer
7variableStringReasonTextReason in datatype String
84IntBindIPv4Address 
92IntBindTransportPort 
104IntConnIPv4Address 
112IntConnTransportPort 
124IntAuditCounterInternal data counter
LogOp
IDName
0Unknown
1Allow
2LocalAllow
3Block
4LocalBlock
5Remove
6LocalRemove
7Drop
8Terminate
9LocalTerminate
10Change
11Operation
12Startup
13Configuration
14Rule
15State
16LocalState
17Process
18AdminAction
19Deny
20LocalDeny
21SecurityEvent
22Sync
23Fail
24LocalFail
25ARP
26Detect
27LocalDetect
28IntermediateReport
Traffic Type
IDName
0Forwarding
1Local In
2Local Out
3Loopback