Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

How to Stream Data to a BRS via a Remote Management Tunnel


In certain cases it can be necessary to stream data from a remote firewall to a Barracuda Reporting Server (BRS) that is located behind a local border firewall. In the following setup, streaming data is sent from a remote firewall through the remote management tunnel over the Internet and through the local border firewall to the Control Center, which forwards the traffic to the BRS.

brs_01.png

Before You Begin

You must complete all necessary steps for the BRS integration. For more information, see Barracuda Reporting Server (BRS) Integration.

  • If you deploy a firewall via the Control Center with a default configuration set from firmware version 7.2, the service object 'BRS', the host access rule 'BOX-BRS-REPORTINGSERVER-MGMT-NAT' and the forwarding access rule 'BOXES-2-LAN-BRS-REPORTINGSERVER' are already preconfigured.
  • If you migrate a stand-alone firewall to firmware version 7.2, these items are not preconfigured, and you must create them according to the following description.

Step 1. Create a Service Object for BRS

If you have deployed both your local and remote border firewall with a default configuration set from firmware version 7.2 via the Control Center, the service object 'BRS' is already present and you can omit this step.

You must execute this step both for the local and the remote border firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Service > Host Firewall Rules.
  2. Click Lock.
  3. In the left navigation bar, click Services.
  4. Right-click in the listing area on the right and choose New... from the list.
  5. The Edit/Create Service Object window is displayed.
  6. Enter the Name for the service object, e.g., BRS.
  7. Enter BRS communication port for Description.
  8. Click New Object... .
  9. The Service Entry Parameters window is displayed.
  10. Verify that 006 TCP is selected for IP Protocol.
  11. For Port Range, enter 2400.
  12. Click OK.
  13. Click New Object... .
  14. The Service Entry Parameters window is displayed.
  15. Verify that 006 TCP is selected for IP Protocol.
  16. For Port Range, enter 8100.
  17. Click OK.
    brs_edit_create_service_object.png
  18. Click OK.
  19. Click Send Changes.
  20. Click Activate.
    brs_commport_added.png

Step 2. Create a Host Firewall Rule on the Remote Firewall

If you have deployed both your local and remote border firewall with a default configuration set from firmware version 7.2 via the Control Center, the host access rule 'BOX-BRS-REPORTINGSERVER-MGMT-NAT' is already present and you can omit this step. However, you must activate the access rule 'BOX-BRS-REPORTINGSERVER-MGMT-NAT' in the list view for host access rules for Outbound.

Because streaming data must be sent through the remote management tunnel of the remote firewall to the Control Center, an appropriate host access rule must be created on the remote firewall.

  1. On a Control Center, go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > your remote box > Infrastructure Service > Host Firewall Rules.
  2. Click Lock.
  3. Click Outbound-User to select the list for outbound rules created by users.
  4. Click +.
  5. Enter the values for the rule:
    • Connection Type – Pass.
    • Name – BOX-BRS-REPORTINGSERVER-MGMT-NAT.
    • Source – Any.
    • Service – TCP 2400 and TCP 8001 (same as BRS from Step 1).
    • Destination – Enter the IP address for the BRS, e.g., 10.17.68.107.
    • Connection Method – Select <explicit-conn>. When Original Source IP is displayed in the list for Connection Method, double-click the entry Original Source IP.
      • The Edit / Create a Connection Object window is displayed.
      • In the section NAT Settings select Network Interface from the list for Translated Source IP.
      • Enter tap3 into the edit field for Interface Name.
      • Click OK.
        brs_tap3_for_rmt_connection.png
  6. Click OK.
  7. Click Send Changes.
  8. Click Activate.
    brs_host_firewall_rule_remote_firewall_forwarding_through_remote_management_tunnel.png

Step 3. Add the BRS to the Remote Network Addresses for Tunnels

You must add the BRS to the remote network addresses list as a target in order to forward traffic through the management tunnel.

  1. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > your remote box > Network.
  2. In the left navigation bar, click Management Access.
  3. Click Lock.
  4. In the Remote Management Tunnel section, click Show... for Tunnel Details.
  5. The Tunnel Details window is displayed.
  6. Click + for Remote Networks.
  7. Add the IP address of the BRS to the list, e.g., 10.10.68.107.
    brs_add_brs_to_rmts.png

Step 4. On the Local Border Firewall, Allow BRS Traffic to Pass to the BRS by an Access Rule

On the Control Center, create a new access rule for the local border firewall:

  1. Go to CONFIGURATION > Configuration Tree > Multi Range > your range for your local border firewall > your cluster for your local border firewall > your local border firewall > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Click +.
  4. Enter the values for the rule:
    • Connection Type – Pass.
    • Name – Any-2-BRS.
    • Source – Any.
    • Service – Any.
    • Destination – Enter the IP address for the BRS, e.g., 10.17.68.107.
    • Connection Method – Dynamic NAT.
  5. Click OK.
  6. Click Send Changes.
  7. Click Activate.
    brs_access_rule_pass_brs_traffic_on_local_border_fw.png

Step 5. On the Control Center, Allow BRS Traffic to the BRS by an Access Rule

If you have deployed both your local and remote border firewall with a default configuration set from firmware version 7.2 via the Control Center, the host access rule 'BOXES-2-LAN-BRS-REPORTINGSERVER' is already present and you can omit this step. However, you must activate the access rule 'BOXES-2-LAN-BRS-REPORTINGSERVER' in the list view for forwarding access rules.

To forward the BRS traffic from the Control Center to the BRS, you must create the following access rule:

  1. Log into your Control Center on box level.
  2. Go to CONFIGURATION > Configuration Tree > Multi Range > Virtual Servers > Firewall > Forwarding Rules.
  3. Click Lock.
  4. Click +.
  5. Enter the values for the rule:
    • Connection Type – Pass.
    • Name – BOXES-2-LAN-BRS-REPORTINGSERVER.
    • Source – Enter the address for the VIP net used for the remote managed firewall.
    • Service – Enter TCP 2400 and TCP 8001 (same as BRS from Step 1).
    • Destination – Enter the IP address for the BRS, e.g., 10.17.68.107.
    • Connection Method – Dynamic NAT.
  6. Click OK.
  7. Click Send Changes.
  8. Click Activate.
    brs_forward_traffic_cc_to_brs.png

The remote firewall can now stream data to the BRS via the remote management tunnel.
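
The values entered in Steps 1 to 5 have to agree for the stream to reach the BRS: the rules in Steps 2 and 5 use the service from Step 1, and every rule and the tunnel's remote networks refer to the same BRS address. The cross-check below is an added example, not Barracuda code; the dictionary layout and the function name `check_brs_path` are assumptions made for this example, and `AS_PRINTED` holds the example values as they appear in the steps above.

```python
from ipaddress import ip_address, ip_network

def check_brs_path(cfg):
    """Cross-check the values entered in Steps 1-5; returns a list of findings."""
    findings = []
    svc = set(cfg["service_object_ports"])                  # Step 1
    brs = ip_address(cfg["brs_ip"])
    rules = {k: cfg[k] for k in ("remote_host_rule",        # Step 2
                                 "border_forwarding_rule",  # Step 4
                                 "cc_forwarding_rule")}     # Step 5
    for name, rule in rules.items():
        if ip_address(rule["destination"]) != brs:
            findings.append(f"{name}: destination {rule['destination']} is not the BRS {brs}")
        if rule["ports"] == "any":
            findings.append(f"{name}: service Any is wider than the BRS service object")
        elif set(rule["ports"]) != svc:
            findings.append(f"{name}: ports {sorted(rule['ports'])} != service object {sorted(svc)}")
    # Step 2: the connection object translates the source to interface tap3
    if cfg["remote_host_rule"].get("nat_interface") != "tap3":
        findings.append("remote_host_rule: translated source is not interface tap3")
    # Step 3: the BRS must be covered by the tunnel's Remote Networks list
    nets = [ip_network(n, strict=False) for n in cfg["tunnel_remote_networks"]]
    if not any(brs in n for n in nets):
        findings.append(f"tunnel_remote_networks: BRS {brs} is not listed")
    return findings

# Example values exactly as printed in Steps 1-5 of this page.
# The key names are a layout constructed for this example, not an export format.
AS_PRINTED = {
    "brs_ip": "10.17.68.107",
    "service_object_ports": [2400, 8100],
    "remote_host_rule": {"destination": "10.17.68.107",
                         "ports": [2400, 8001], "nat_interface": "tap3"},
    "tunnel_remote_networks": ["10.10.68.107"],
    "border_forwarding_rule": {"destination": "10.17.68.107", "ports": "any"},
    "cc_forwarding_rule": {"destination": "10.17.68.107", "ports": [2400, 8001]},
}

if __name__ == "__main__":
    for line in check_brs_path(AS_PRINTED):
        print(line)
```

Run against `AS_PRINTED`, the check reports that the example ports and addresses differ between steps and that the Step 4 rule passes any service, so substitute your deployment's own values before activating the rules.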
