It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Understanding the Usage of Operational-Relevant IP Addresses on the CloudGen Firewall

  • Last updated on

Basic Aspects

During the configuration of the firewall, numerous IP addresses must be set. For a better overview, network and IP addresses can be classified as objects with predefined names like VPN-Networks, WWAN Local IP, or Trusted LAN. Alternatively, they can get their implicit name during their input. These IP addresses are available for further use at several places in the user interface, which is connected to the 2-layer architecture of the CloudGen Firewall for greater availability and manageability.

The Box Layer

The box layer is a ‘static’ layer and provides a certain set of functionalities necessary for the general operation and basic connectivity for managing the firewall. It houses basic infrastructure services like SNMP, Authentication, and the preconfigured Host Firewall. Usually, it is not necessary to make modifications in this layer. By default, the box layer houses IP addresses that ensure the basic accessibility of the CloudGen Firewall through the Management IP address that is part of the Management Network.

For more information, see How to Configure the Management Network, IP and Shared IPs in the Management Network.


The Service Layer

The service layer provides space for licensable services that extend the CloudGen Firewall’s functionality to user-specific needs. Some services, such as the Forwarding Firewall, are already available when the firewall is powered up for the first time. Other services can be configured later by the user, e.g., VPN, Virus Scanner, or DNS.

Running a service primarily requires configuring the interfaces, networks, and IP addresses under which the service must be available. All service-relevant network and IP addresses must be configured in a pool where specific IP addresses can later be picked from for configuring a special service. Services like the Forwarding Firewall, OSPF/RIP/BGP, DHCP, and DHCP Relay are always available on all interfaces with their configured service IP addresses, whereas other services can be configured to operate with selectively assigned interfaces and IP addresses.


HA Capability

CloudGen Firewalls can be configured to operate redundantly in an active-passive role. While the primary firewall operates, the secondary one stands by. Each firewall must have a unique management IP address within the same management network.

The secondary firewall is configured on the primary firewall. All configured service settings on the primary will, therefore, be identical for the secondary firewall. All IP addresses configured for a service are generally HA-capable and are therefore also called Shared IP addresses. Because shared IP addresses rely on the underlying network configuration, the network addresses are also called Shared Networks

In case the primary firewall fails or was shut down by the administrator, the secondary firewall automatically takes over all shareable networks and IPs, and continues to provide all services from the primary one. The concept of HA capability is available both for stand-alone and Control Center-managed firewalls.

Configuration of Shared Networks and IPs and Assigning of Services

Before services can be used, the shareable networks and IP addresses must be configured where a service must operate on.

1. Configuration of Shared Networks and IPs

In the first step, all service-relevant networks and IPs must be configured in a pool. This is done by assigning a network address to a certain interface, e.g., assign to eth0 or assign to eth1. Then, all service IP addresses within this network must be configured, e.g.,, or, After activating these shareable networks and IP addresses on the CloudGen Firewall, they can later be assigned to a service.

Shared IPs are tagged with the alias ‘None’ by default. Shared IPs that are commonly used by most services can be alternatively tagged with either ‘First-IP’ or ‘Second-IP’ during the configuration and can be referenced through this tag.

For more information, see How to Configure Shared Networks and IPs.

2. Assigning Services

A required service must be selected from a list of available services. For each service, the required service IP addresses must be assigned to the service in the respective Service Properties configuration window. When assigning a shared IP from the pool of configured IP addresses to a service, the associated IP address(es) can also be selected by using one of the tags ‘First-IP’, ‘Second-IP’, or ‘First+Second-IP’. IP addresses with the tag ‘None’ can be selected from the list of available service IP addresses by selecting ‘Explicit’.

For more information, see How to Assign Services.