This solution applies to all Barracuda NG Firewalls running firmware version 5.2.2.
In order to import and use external IPv4 address information on your NG Firewall, you will need to follow these steps:
1. Create Admin Account with Shell Access
- Log in to the Barracuda NG Firewall unit and open the "Config Tree". Double click "Administrators" and lock the configuration window. Click on the add symbol (+) to add a new account.
- Enable this account and enter the "Full Name".
- In the "Administration Authorization", select the desired "Role" for this account. Barracuda Networks recommends the predefined "Mail" account.
- Set "Shell Level" to "Standard_Login" to allow access to the shell for this Admin account.
- As "Authentication Level", either "Password" or "Key" or a combination of both can be used. For convenience, you can select "Key" and then import the RSA key through "Public RSA Key" > "Ex/Import".
- For security reasons, the "Peer IP Restriction" policy can also be adjusted to grant access from specific IP addresses only.
- Make sure the private RSA key and the username are correctly transferred to the SSH/SCP client that will be used to transfer the IP addresses to the Barracuda NG Firewall.
- Create a new firewall rule that redirects SSH-based access to an IP address of the server to which the firewall service is also attached to the loopback address 127.0.0.1.
- Make all connections to this server IP address so that the procedure also works for HA setups.
- Note that the import tool will synchronize the data with any HA partner unit all by itself.
- The file containing the IP addresses to import must reside in the following directory on the Barracuda NG Firewall: /var/phion/home/
- It is recommended to introduce a temporary file name to ensure that only data from completely copied files is imported into network objects. E.g.: addresses.dirty
- Once the transfer has finished, run a move operation to rename the file to the one that is then used for the actual import. E.g., # mv -f /var/phion/home//addresses.dirty /var/phion/home//addresses.
- IP addresses listed in the file must be whitespace separated.
- The content of the file must not exceed 10,000 IP addresses per file.
- To check if the import process was successful, have a look at the Forwarding Firewall log file. (CustomExternalImport)
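The client-side part of the transfer described above, as an added example that is not Barracuda's own tooling: the list is checked against the article's constraints (whitespace-separated IPv4 addresses, at most 10,000 per file), copied under the temporary name addresses.dirty, and then renamed on the firewall so the import job never reads a partially copied file. The admin account name, key path, firewall IP and the sample addresses are assumed or constructed; the import directory /var/phion/home/ is the one the article names.

```shell
#!/bin/sh
# Added example, not part of the Barracuda article. Assumed values:
FW_IP="${FW_IP:-192.0.2.1}"                   # constructed placeholder for the server IP of the SSH rule
FW_USER="${FW_USER:-extimport}"               # assumed name of the admin account created in step 1
FW_KEY="${FW_KEY:-$HOME/.ssh/extimport_key}"  # assumed private RSA key of that account
REMOTE_DIR="/var/phion/home/"                 # import directory from the article
MAX_ADDRS=10000                               # per-file limit from the article

# write_sample_list FILE: constructed sample input (three documentation-range addresses).
write_sample_list() {
    printf '198.51.100.7 203.0.113.20\n192.0.2.99\n' > "$1"
}

# count_addrs FILE: number of whitespace-separated tokens in FILE.
count_addrs() {
    wc -w < "$1" | tr -d ' '
}

# validate_addr_file FILE: succeed only if every token is a dotted quad with
# octets 0-255 and the file holds between 1 and MAX_ADDRS addresses.
validate_addr_file() {
    count=0
    for tok in $(cat "$1"); do
        count=$((count + 1))
        case "$tok" in
            *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars or empty octet
        esac
        IFS=.; set -- $tok; unset IFS           # split token into its octets
        [ $# -eq 4 ] || return 1
        for o in "$@"; do
            [ "$o" -le 255 ] 2>/dev/null || return 1
        done
    done
    [ "$count" -gt 0 ] && [ "$count" -le "$MAX_ADDRS" ]
}

# stage_and_import FILE: upload under the temporary name, then rename in place
# so that the scheduled CustomExternalAddrImport run only sees complete files.
stage_and_import() {
    validate_addr_file "$1" || { echo "refusing upload: invalid or oversized list" >&2; return 1; }
    scp -i "$FW_KEY" "$1" "$FW_USER@$FW_IP:${REMOTE_DIR}addresses.dirty" &&
    ssh -i "$FW_KEY" "$FW_USER@$FW_IP" "mv -f ${REMOTE_DIR}addresses.dirty ${REMOTE_DIR}addresses"
}
```

Run it as `write_sample_list list.txt && stage_and_import list.txt` from the client that holds the admin account's private key.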
4. Introduction of CustomExternalObjects
To be able to import IP addresses into network objects, a new type of objects need to be introduced.
- Open the Config Tree of a Barracuda NG Admin, and open the Repository tree. Navigate to "Service" > "Firewall". Right click the "Firewall Rules" node and select "Create New Object". Since we are going to restore the default settings for this Repository node, name it "DefaultRules".
- Right click the newly created Repository node, and select "Copy from Default" and select the "Factory Default" settings. Click "Activate" to commit the changes.
- Open the "DefaultRules" Repository node and select "Network Objects". Within the "DYNAMIC" section, you will now find Objects named "CustomExternalObject1-4". Select these Objects, open the context menu and copy them to the clipboard.
- Now leave the Repository tree and open the "Forwarding Rules" node of your Barracuda NG Firewall to import the new Network Objects.
- Open the "Network Objects" window, click the "Lock" button and right-click into the Network Objects table and select "Paste".
5. Create Cron Job for Import
- To periodically import IP addresses into the Network Objects, create a cron job to trigger the import process.
- Open the Config Tree and open the "System Scheduler" within the "Advanced Configuration" node. Lock the configuration, select "Daily Schedule" and create a new "Interhour Schedule" job.
- Add a Command and enter the following string:
- /opt/phion/bin/CustomExternalAddrImport -i /var/phion/home// -o 1
- For High Availability setups, add -h to perform HA synchronization.
- This command executes the CustomExternalAddrImport binary located in /opt/phion/bin and imports the IP addresses of a file located in /var/phion/home/.
- These IP addresses are imported into the Custom Network object with the index 1 (CustomExternalObject1).
- Select "every" as "Minutely Schedule" and define the period in the "Run Every...Minutes" parameter.
6. On a Barracuda NG Control Center
- The Control Center has an established trust relationship with any of its managed boxes. Thus data distribution via a job schedule from the CC is straightforward. Data import can thus either take place directly into selected boxes or into the CC itself using the same methods as described above. Then a separate schedule would be used to transfer and subsequently move the imported address information to all affected boxes.
- On these boxes, the same 5 minute insertion job schedule can be run.
- It is advisable not to use the -h (HA synchronization flag) when doing this via the CC. The more straightforward way is to transfer the files to each affected box via a secure copy to the actual box management IP address.
- Via linkage the schedule can be configured on the CC for all affected boxes.
- The predefined external objects can be copied into the global objects database and then be used throughout the firewall policy configuration where appropriate.