This solution applies to:
- NG Firewall firmware versions 5.0.x, 5.2.x
When you place a (non-Control Center managed) NG Firewall at a remote site, you may still wish to access it for remote management and configuration over the internet.
This may also apply to cases where Barracuda Support needs direct access to the box for troubleshooting.
Attention: Please be aware that Barracuda does not recommend generally opening management access from the internet over an extended period of time.
This constitutes a significant security risk, especially when access via SSH is allowed.
If at all possible, limit access to very few source addresses (in step eight, set "Source" to your desired IP address range instead of "World"), disable the rule when not needed, and use a combination of user/password and key authentication to minimize the risk.
Implement a Local Redirect rule for the management ports to the internal management IP.
The following steps explain this in detail:
1. First open the Host Firewall Rules on the NG Firewall.
2. Switch to the Service Objects on the left.
3. Right click and copy the NGF-MGMT-BOX object to your clipboard.
4. Close the Host Firewall Rules and open the Forwarding Rules.
5. Again open the Service Objects.
6. Lock the node and paste the copied service object.
7. Confirm the insertion of the object and its referenced items.
8. Return to the Rules at the top, create a new Local Redirect Object rule, and reference the appropriate objects. Depending on where you wish to allow access from, or how the box connects to the internet (dynamic or static IP address), you will need to select different source or destination addresses:
- Source: to allow access from anywhere, choose the Internet reference; for specific addresses, either choose <explicit-src> and enter them below, or create a new Network Object with the desired information and reference that.
- Service: should be the previously copied NGF-MGMT-BOX object
- Destination: if the box connects to the internet via a dynamic address, you can't explicitly choose a single IP; instead use the Internet object*. With a static external IP address, you can simply enter that address.
- Redirection: in Local Address enter your internal management IP, as defined in the network settings.
* Note: This will not cause any problems accessing other boxes over the firewall, as the local redirect rule type only works for access to IPs on the firewall itself.