It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Configuration Template Manager

  • Last updated on

The Barracuda Firewall Control Center is a central administration unit designed to manage a large number of CloudGen Firewalls and Secure Connectors. After several years of successful operation, experience from various application fields has shown that the number of managed devices has grown steadily. This new situation demanded a new solution to configure, deploy and manage even larger and more complex configurations with increased comfort and less time effort.

Several configuration tools (Firewall Admin, ConfScript, REST, Web-UI) are in productive use for the configuration, but have different technological approaches. Large setups often have the same configuration redundantly, the managed boxes only differ in a small set of parameters. For an administrator, this causes an additional overhead for planning, deploying and managing the setup of the affected devices.

Configuration Templates are a new Control Center tool for creating and maintaining configurations for firewalls and FSCs in a new way, with a special focus on scalability and automation. The tool is available for the Control Center and CG firewalls starting with release 8.2.

Configuration Templates covers the requirement of

  • managing common configuration information for deploying and managing large scale configurations while still
  • giving a maximum freedom for individually configuring parameters which make similar configurations easy distinguishable from each other.

Configuration Units

The Configuration Template concept is based on functional Configuration Units. Each unit is a functional block of its own, which handles model and release specific settings and describes a certain feature in an abstract way. This property allows Configuration Templates to be release- and model-independent. Every Configuration Unit has a number of required and optional parameters, which are used to calculate the final configuration of a firewall or SC. The Configuration Template is responsible to correctly parametrize those inputs. This is done by wiring input parameters, calculated variables and static default values to the Configuration Unit's input parameters.

In release 8.2.0, the following Configuration Units are available:

Units for CGF Units for SC 
coreConfigures the basic settings required
by every box
scconfentryDirectly sets a config entry
sharedNetworkConfigures shared (failover capable) IPssccontainerConfigures a container on the box
siteSpecificObjectConfigures a value for a site specific objectsccoreConfigures the settings required by all boxes
dhcpConfigures a simple DHCP poolsclanConfigures a LAN interface for a box
dnsConfigures a DNS servicescvpnConfigures the VPN tunnel to the AC
firewallConfigures a firewall ConfUnit
by using a Repository Link to a ruleset
scwanConfigures the WAN interface for the box
gtiTunnelAdds a GTI VPN Tunnel between boxes in a
Hub and Spoke topology
scwifiConfigures the WiFi interface for the box
remoteManagementTunnelConfigures a remote management
tunnel for a CC managed box
scwwanConfigures a mobile WAN
repositoryLinkConfigures a link to a repository entry  

For more details on the properties of CGF related configuration units, see CGF ConfTemplate Units.

For more detail in the properties of SC related configuration units, see SC ConfTemplate Units.

Configuration Templates

Configuration Templates are the blueprint to instantiate a large number of instances, which currently can be CG firewalls and FSCs. Such a template can be thought of as a choice of available Configuration Units.

Mixing units for different products (CGF vs. FSC) in the same Configuration Template is currently not possible.

puzzle_01.png

The Configuration Templates can be expressed in the Template Definition Language (TDL), which can be deployed and managed via the FW-Admin Configuration Template Manager and the command-line tool 'tdltool'. Configuration Templates can also be deployed via the REST API and managed in a JSON format. TDL and JSON are equivalent formats to define a Configuration Template.

For more information on how to manually work with tdltool, see Template Definition Language - TDL.

Variables and Expressions

The Configuration Templates consist of keywords that make up the description for creating a configuration. In order to provide maximum flexibility on a user level, it is possible to use parameters and variables as placeholders for values that are part of the template. Parameters are constants defined per instance, and a variable consists of an expression based on parameters and constants.

Configuration Templates are run when creating and changing an instance from a template. The values for parameters are either defaulted in the Configuration Template or defined individually per instance. Variables based on those parameters are evaluated every time the Configuration Template is run.

This makes it possible to reuse a template for common/similar setups while differentiating between varying configurations based on modified values.

As an example, and at its extreme, a large number of firewalls can practically be configured uniquely based on the value of a single parameter that controls how all other variables are set in the configuration for the various instances.

On the level of the Configuration Template, configuration mismatches are partially verified. A full verification is done on the instance level, where release- and model-specific checks can be taken into account, e.g., it can be determined on a Configuration Template level if a port 'P1' is valid in general, but it can only be verified on an instance level, if port 'P1' exists for the actual model.

When the assembly of a Configuration Template from Configuration Units is finished, all expressions are checked for logic, plausibility and completeness. If no errors are found, the template can be saved and later be used in real world applications.

Example if a Configuration Template in TDL style in the FW Admin Configuration Template Manager

window_template_editor.png

The following snippet in TDL defines an expression which increments the last byte of an IP address (MIP) and assigns it to the service IP of type ipv4:

[variables]
serviceip type=ipv4 expression='ipadd(ipgetaddr(mip), "0.0.0.1")'

Instances

For using a Configuration Template in a real-world application, an instance of the Configuration Template must be created, which represents a full configuration of a managed box. When instancing, the Configuration Template framework remembers the information from which template the instance was derived from. Changes to the Configuration Template will be propagated to all of its instances.

After an instance has been created from a Configuration Template, it will show up in the configuration tree of the Control Center as a node for a managed device.

config_tree_with_device_nodes.png

These two device nodes look different from the standard device nodes indicating that they are a Configuration Template instance.

Bindings

A binding is a virtual relation between an instance and the Configuration Template it is based on. This relation determines how instances are managed after being derived from the template. The user can choose from two types of binding: strong or weak binding.

  • Strong binding – Strong binding indicates that the instance is fully managed by the underlying Configuration Template framework. Manual changes by the user are not possible. This is the safest way of managing large amounts of managed devices in the Control Center.
    Strongly bound relations are indicated by the following icon in the instance list view of the Configuration Template Manager:
    icon_strongly_bound.png
    Strongly bound boxes do not have a sub-tree in the Control Center's configuration tree in order to prevent manual configuration. This protects all subnodes from manual modification.
    config_tree_box_node_strong_binding.png
  • Weak binding – Weak binding enables classical manual configuration in the configuration tree without Configuration Template Manager. However, the price for this option is a potential of configuration conflicts between the automated and the manual configuration.
    Weakly bound relations are indicated by the following icon in the instance list view of the Configuration Template Manager:
    icon_weakly_bound.png
    Weakly bound boxes are displayed in the Control Center's configuration tree showing an expandable box node. This gives the user access to change all subnodes interactively.
    config_tree_box_node_weak_binding.png

The default mode for Configuration Template Manager is strong binding.

Bringing it all together in the Configuration Template Manager Window

Configuration Template Manager orchestrates all the components and their relations in an overview window. This window can be accessed by double-clicking the respective node in the CC configuration tree and is visible below the level of a cluster node.

conf_template_manager_in_configtree.png

When double-clicking the node, the related window for Configuration Template Manager is displayed.

window_conf_template_manager_with_data.png