Policy profiles are centrally managed, predefined or custom rules for handling network traffic and applications that allow administrators to define packet behavior after the traffic has been processed by access rules. Policy profiles can handle the routing decisions of packets as well as decisions based on application detection or any other layer 7 information. The Barracuda CloudGen Firewall allows administrators to manage, create, and customize general policies on a global, range, cluster, or box level that can then be applied to access rules instead of configuring firewall objects. Policy profiles can be applied to access rules on Control Center-managed or stand-alone firewall units. You can customize default profiles by adding or modifying policies, or you can create new profiles with explicit policies. Policies are always evaluated top-down, and explicit policies take precedence over predefined policies.
The Barracuda CloudGen Firewall provides the following policies:
SD-WAN Policies
SD-WAN provides multipath VPN tunnels across all providers with redundant, reliable, and fail-safe network connections. When the VPN tunnel is up, it can transmit traffic as long as at least one ISP link is operational. Admins can retain full control over how each link is used, or they can configure the advanced balancing and bandwidth management features to make optimal use of the available bandwidth (for general information, see SD-WAN). SD-WAN combines a multitransport VPN tunnel with the following advanced VPN routing, balancing, and shaping features:
- Dynamic Bandwidth and Round Trip Time (RTT) Detection
- Performance-Based Transport Selection
- Adaptive Bandwidth Protection
- Adaptive and Static Session Balancing
- Failover Support
- Multi-Provider Load Balancing
The Barracuda CloudGen Firewall provides a predefined default configuration of SD-WAN policies that lets you use the advantages of SD-WAN immediately, without having to set up your own configuration. Barracuda Networks has defined an SLA for each application and protocol that decides how the application is routed in the default configuration. However, if you create explicit policies or custom applications, they apply before the default policies.
Application Policies
Create application policies to allow, block, or customize traffic for detected applications. Custom web applications allow administrators to handle multiple application components; the destination can be an IP address, a network, or a domain, which is resolved to IP addresses. The matching criteria are based on OSI model layer 7 and are limited to HTTP and HTTPS. The HTTP/S requests and responses are used for matching. For HTTPS, the server name indication (SNI) is used to extract the destination information, whereas for HTTP the header information is used. When SSL Inspection is enabled, the header is used for HTTPS as well. Application policies can be assigned to access rules on all firewalls that are managed by the Control Center where the policy profile has been defined. Policy entries can be edited and changed at any time. Application Control is available on CloudGen Firewall models with a valid Energize Updates subscription (for general information, see Application Control).
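The following is an added example, not Barracuda code, that models how a custom web application's destination components (IP, network, or domain) are matched against what the firewall can actually see: the SNI for HTTPS, the Host header for HTTP, and the Host header for HTTPS once SSL Inspection is enabled. The `RESOLVED` table, the `Request` and `CustomWebApp` classes, and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the firewall's own DNS resolution of a domain component.
RESOLVED = {"updates.example.com": {"203.0.113.10", "203.0.113.11"}}


@dataclass
class Request:
    scheme: str            # "http" or "https"
    dst_ip: str            # destination address of the connection
    sni: str = ""          # TLS server name indication (visible for HTTPS without decryption)
    host_header: str = ""  # HTTP Host header (visible for HTTP, or for HTTPS when inspected)


@dataclass
class CustomWebApp:
    name: str
    destinations: list     # each entry is an IP address, a CIDR network, or a domain


def destination_name(req: Request, ssl_inspection: bool) -> str:
    """Return the hostname the firewall can extract from this request."""
    if req.scheme == "https" and not ssl_inspection:
        return req.sni.lower()          # encrypted payload: only the SNI is usable
    return req.host_header.lower()      # plaintext HTTP, or HTTPS after SSL Inspection


def matches(app: CustomWebApp, req: Request, ssl_inspection: bool) -> bool:
    """True if any component of the custom web application matches the request."""
    name = destination_name(req, ssl_inspection)
    ip = ipaddress.ip_address(req.dst_ip)
    for dest in app.destinations:
        try:
            # IP or network component: match on the destination address
            if ip in ipaddress.ip_network(dest, strict=False):
                return True
            continue
        except ValueError:
            pass  # not an address or network, so treat it as a domain
        # Domain component: match the visible hostname, or an address it resolves to
        if name == dest or name.endswith("." + dest):
            return True
        if req.dst_ip in RESOLVED.get(dest, set()):
            return True
    return False
```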
URL Filtering Policies
Barracuda Networks provides a large database, organized in categories, for URL filtering. You can either use the provided categories to create rules, or you can specify the domains yourself. Malicious URLs are blocked in the default configuration. You can customize a URL filtering policy profile to match individual requirements, or you can create explicit policies. The default action of a policy can be either to block all and define exceptions that are allowed, or to allow all and define exceptions that are blocked. A filter rule blocks or allows a domain or category from any source, whereas an explicit rule blocks or allows URLs from specified sources.
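As an added example (not Barracuda code), the evaluation order described above can be modeled in a few lines: explicit rules (domain plus source network) are checked first, then filter rules (domain or category from any source), each top-down with first match winning, and the profile's default action applies when nothing matches. The `CATEGORY_DB` contents, rule classes, and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the vendor URL category database.
CATEGORY_DB = {"evil.example": "Malicious", "games.example": "Games", "news.example": "News"}


@dataclass
class FilterRule:            # domain or category, from any source
    target: str
    action: str              # "allow" or "block"


@dataclass
class ExplicitRule:          # domain, only from the listed source networks
    sources: list
    domain: str
    action: str


@dataclass
class UrlFilterProfile:
    default_action: str      # "block" (allow exceptions) or "allow" (block exceptions)
    explicit_rules: list
    filter_rules: list


def domain_matches(host: str, target: str) -> bool:
    return host == target or host.endswith("." + target)


def evaluate(profile: UrlFilterProfile, src_ip: str, host: str):
    """Return (action, reason); explicit rules take precedence, then filter rules top-down."""
    src = ipaddress.ip_address(src_ip)
    for rule in profile.explicit_rules:
        in_source = any(src in ipaddress.ip_network(n, strict=False) for n in rule.sources)
        if in_source and domain_matches(host, rule.domain):
            return rule.action, f"explicit:{rule.domain}"
    category = next((c for d, c in CATEGORY_DB.items() if domain_matches(host, d)), "Uncategorized")
    for rule in profile.filter_rules:
        if domain_matches(host, rule.target) or rule.target == category:
            return rule.action, f"filter:{rule.target}"
    return profile.default_action, "default"
```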
Malware Protection Policies
Malware Protection offers protection against advanced malware, zero-day exploits, and targeted attacks not detected by the Intrusion Prevention System by scanning downloaded files with the Avira scanning engine. If Advanced Threat Protection (ATP) is enabled, an ATP scan is also performed, and a hash DB lookup is performed before a user receives a downloaded file. The file, if 10 megabytes or less, is uploaded to the ATP cloud. Archives are unpacked, and the files they contain, which must also be 10 megabytes or less, are sent to the ATP cloud for inspection. Depending on the behavior of a file, it is assigned a threat level that is transmitted to the firewall appliance. If the threat level exceeds the ATP threat level threshold, the file is blocked; otherwise, it is delivered. Malware Protection can be used for HTTP, HTTPS, FTP, and FTPS traffic. For HTTPS and FTPS, you must enable SSL Inspection in the Firewall.
SSL Inspection Policies
SSL Inspection decrypts inbound and outbound SSL and TLS connections so that features of the Barracuda CloudGen Firewall appliance, such as Malware Protection and the Intrusion Prevention System (IPS), can scan traffic that would otherwise not be visible to the firewall service. See SSL Inspection in the Firewall for general information on the capabilities of the SSL Inspection feature. Configure global SSL policies to manage the behavior of Control Center-managed Barracuda CloudGen Firewalls when dealing with encrypted traffic.
IPS Scanning Policies
The Intrusion Prevention System (IPS) monitors local and forwarding traffic for malicious activities and provides various countermeasures, such as blocking suspicious traffic, to avert possible network attacks. For general information on the capabilities of the CloudGen Firewall IPS feature, see Intrusion Prevention System (IPS). When IPS is enabled on the firewall, the IPS engine analyzes network traffic and continuously compares the bitstream with its internal signatures database for malicious code patterns. The Barracuda CloudGen Firewall supports a range of IPS features, such as TCP stream reassembly, URL obfuscation, and TCP split handshake. Using IPS requires a valid Energize Updates subscription.