It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

Firewall Rules

  • Last updated on

Access rules are used to manage traffic going through the NextGen Firewall X-Series. The firewall service is tightly integrated with Application Control, IPS, and the URL Filter service.

About Firewall Objects

Use firewall objects to reference specific networks, services, user groups, or connections when creating firewall access rules. You can use the firewall objects that are preconfigured on the NextGen Firewall X-Series or create custom firewall objects. The main purpose of firewall objects is to simplify creation and maintenance of access rules. Firewall objects are re-usable, which means that you can use one firewall object in as many rules as required. Each firewall object has a unique name that is more easily referenced than an IP address or a network range (see Firewall Objects).

Access Rule Settings

For each access rule, you can configure the following settings:

  • Name – The name of the access rule. This name is displayed on the BASIC > Active Connections, Recent Connections, and IPS Events pages.
  • Description – An additional description field for the access rule.
  • Action – Specifies how the firewall handles network traffic that matches the criteria of the rule. The following actions are available:
    • Allow/Block Allow: The firewall passes all network traffic that matches the access rule.  Block: T he firewall ignores all network traffic that matches the access rule and does not answer to any packet from this particular network session.
    • Reset The firewall dismisses all network traffic that matches the access rule. Matching network sessions are terminated by replying  TCP-RST  for TCP requests,  ICMP Port Unreachable  for UDP requests, and  ICMP Denied by Filter  for other IP protocols.
    • DNAT The firewall rewrites the destination IP address, network, or port to a predefined network address. Enter multiple destination IP addresses for load balancing or fallback configurations. To additionally forward to a different port, you can append the port number to the IP address. E.g.,
    • Redirect to Service – The firewall redirects the traffic locally to one of the following services that are running on the firewall: Caching DNS, SIP Proxy, HTTP Proxy, VPN, SSL VPN, or NTP.
  • Connection – Defines the outgoing interface and source (NAT) IP address for traffic matching the access rule. The following table lists the five default connection objects:

    Predefined Connection Object
    Outgoing Interface and IP Address Determined By
    Default (SNAT)Change the source IP address of network packets to the IP address of the interface with the lowest metric according to the routing table.
    No SNATConnection is established using the original source IP address. Use if simple routing with NAT is desired.
    SNAT with DSL IP Source NAT with the IP address of the DSL uplink.
    SNAT with 3G IP Source NAT with the IP address of the 3G uplink.
    SNAT with DHCP IP Source NAT with the IP address of the DHCP uplink.

    You can also create custom connection objects . For example, multiple source IP addresses and interfaces can be specified in the same connection object. This allows failover or session-based balancing between up to four links. Balancing can be achieved using either a round robin or weighted random algorithm.

  • Service – Describes the protocol and protocol/port range of the matching traffic. You can define one or more services for the access rule. You can select a predefined service object or create your own service objects (see: Service Objects).
  • Source – The source IP address/netmask of the connection that is affected by the rule. You can select a network object or explicitly enter a specific IP address/netmask. You can also create your own network objects (see: Network Objects).
  • Destination – The destination IP address/netmask of the connection that is affected by the rule. You can select a network object or explicitly enter a specific IP address/netmask.

Bandwidth Policies

You can adjust the bandwidth for all matching traffic:

  • Bandwidth policies protect the available overall bandwidth of the Internet connection. Network traffic is classified and throttled or prioritized within each access rule. To adjust the overall bandwidth of each network interface, go to the NETWORK > IP Configuration page. There are eight predefined bandwidth policies. For additional information, see How to Configure Bandwidth Policies or QoS.
  • Bandwidth policies for application traffic are configured in the application policy rules. For more information, see How to Configure an Application Policy.


For more granular control, you can configure access rules that are applied only to specific users or during specific times.

  • Users can be used as a criteria for the rule. Use the Barracuda DC Agent to enable the firewall to be aware of which connection belongs to a specific user. You can also create users objects (see: User Objects ).
  • You can create access rules that are only active for specific times or dates. For example, you can create a time object that includes only Mondays and the hours of 8:00 am to 9:00 am. An access rule including this time object will only allow traffic during the time span defined in the time object (see: Schedule Objects ).


You can also configure the following advanced firewall settings:

  • Interface Group – When creating an access rule, you can assign interfaces that the source address is allowed to use. Arriving packets of traffic that match the rule are then processed to the specified network interfaces according to the interface group settings. For more information, see How to Create Interface Groups.

  • SYN Flood Protection – SYN flood protection protects against a common kind of DoS attack. The firewall can eliminate SYN flooding attacks for inbound or outbound attacks. The firewall completes the handshake and only then performs a handshake with the actual target. This helps to protect the target from SYN flood attacks. Disabling SYN flood protection can cause an overhead in packet transmission, but can speed up interactive protocols like SSH.
    For optimal protection, SYN Flood Protection needs to know the Maximum Sessions and the Maximum Sessions per Source IP address that can be opened before the firewall takes measures. In Always On mode, the firewall compares these two values against the current session values, blocks the source IP if one of the two limits is exceeded, and frees the allocated session resources. In Automatic mode, the firewall switches to a different TCP handshake mode to protect the network.

In this Section