Barracuda SecureEdge

How to Configure a Barracuda CloudGen Firewall in Barracuda SecureEdge

Barracuda SecureEdge allows administrators to enroll Barracuda CloudGen Firewall units with the cloud service. CloudGen Firewalls can be registered with Barracuda SecureEdge as a point of enforcement for Resource Access policies and can be either stand-alone or CC-managed boxes. The registration process of a CloudGen Firewall with Barracuda SecureEdge is similar to the way Azure Cloud Gateways are registered with the service. All enrolled appliances are directly connected to the cloud service to fetch policies and endpoint configurations. 

Requirements

  • On CloudGen Firewall boxes, Barracuda SecureEdge requires the Policy Profiles rule set. 
  • During this setup, VPN configuration (connectivity) and Remote Access policies are applied. Web Filter policies must be configured on the CloudGen Firewall.
  • For HA pairs, enter the token only in the primary box. The secondary box does not require any additional configuration. 
  • On CloudGen Firewall boxes, Barracuda SecureEdge requires the Caching DNS to be enabled. For more information, see How to Configure a Caching DNS Service.
  • On CloudGen Firewall boxes, you must enable the VPN service. For more information, see How to Assign Services.

With SecureEdge enabled, the log streaming configuration on the CloudGen Firewall may be overwritten.

Step 1. Retrieve the Registration Token from SecureEdge

The token is valid for 30 minutes only, and you need a separate token for each CloudGen Firewall appliance you want to enroll.

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon.
  3. From the drop-down menu, select the workspace your appliance should be assigned to.
  4. In the left menu, click the Integration icon, and select CloudGen Firewalls.
  5. The CloudGen Firewalls page opens. In the top-right corner of the window, click Registration Token.
  6. The Generate Registration token window opens.
  7. Click on the clipboard icon to copy the token to your clipboard.
  8. Paste the token into a text file.

Step 2. Log into the Barracuda CloudGen Firewall

  1. Connect to your firewall using Barracuda Firewall Admin.

  2. On the Firewall Admin Dashboard page, the appliance details are displayed and can be noted, for example, the host name and serial number.

  3. Click the SecureEdge icon.

  4. In the Connect to SecureEdge window, enter the registration token that you retrieved in Step 1. 

  5. Click OK.
  6. Go back to the Barracuda SecureEdge configuration, and click OK.

After the configuration is finished, the appliance automatically appears in the SecureEdge Cloud UI. On the CloudGen Firewalls page, the new appliance is listed as enrolled with its host name and serial number, and the page shows that the connection between the CloudGen Firewall and Barracuda SecureEdge is established.

Step 3. (Optional) Verify that the Barracuda CloudGen Firewall Appliance Is Enrolled

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. Select the workspace containing your appliance.
  3. In the left menu, click the Integration icon, and select CloudGen Firewalls.

All appliances enrolled in the selected workspace are displayed.

Remove Existing Enrolled Appliances

To remove an existing enrolled appliance:

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. Select the workspace containing your appliance.
  3. In the left menu, click the Integration icon, and select CloudGen Firewalls.
  4. Click on the trash can icon next to the enrolled appliance you want to remove.
  5. Click OK to confirm.
  6. Click Save.

Verify the Status of Barracuda SecureEdge in Barracuda Firewall Admin

  1. Log into the CloudGen Firewall using Barracuda Firewall Admin.
  2. The Barracuda Firewall Admin page opens. 
  3. Click the Barracuda SecureEdge icon.

Monitoring ZTNA Access Rules and RAC Policies in the Firewall 

On a Barracuda CloudGen Firewall, ZTNA access rules are auto-generated and cannot be moved. However, if you introduce the section separators PRE-BEGIN and PRE-END and place your own rule in between, this rule is placed before the ZTNA auto-generated rules.

To view ZTNA access rules and RAC policies deployed via Cloud UI in Firewall Admin:

  1. Log into the CloudGen Firewall using Barracuda Firewall Admin.
  2. Go to FIREWALL > Forwarding Rules.
  3. Next to the Main Rules tab, a new tab <RACPOL> has been introduced (if applicable).

The <RACPOL> tab shows the policies the administrator has configured in the cloud service as Zero Trust Access rules. 

Enable Security Inspection for Connected Firewalls

On Barracuda CloudGen Firewall version 9.0.1, the forwarding ruleset blocks UDP port 443 by default via the rule BOX-BLOCK-UDP443. However, for security inspection to work on CloudGen Firewalls used as a SecureEdge Point of Entry, QUIC traffic must be denied manually. To block the QUIC protocol on UDP 443, you must create a new rule and place it before the cloud-maintained, auto-generated rules. For more information, see How to Block UDP Port 443 on CloudGen Firewalls.

Additional Information

  • On a CloudGen Firewall box, enabling SecureEdge replaces the original VPN server certificate. If needed, the new root certificate can be downloaded via the Cloud UI (i.e., to import it into the Trusted Root Certificate stores on computers running the NAC/VPN Client).
  • When enabling SecureEdge on a box with an existing X.509-based C2S-VPN configuration, the VPN server will always try to extract the username from the Common Name (CN) field.
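
Because the username is taken from the CN once SecureEdge is enabled, it is worth auditing already-issued client certificates beforehand. The following is an added example, not Barracuda code: it parses subject DNs in RFC 4514 string form and flags certificates whose CN is missing, ambiguous, or different from the account name you expect. The function names, the sample DNs and the exact-match comparison are assumptions made for illustration.

```python
import re

# Constructed sample: subject DNs (RFC 4514 strings, e.g. as printed by
# `openssl x509 -noout -subject -nameopt RFC2253`) paired with the username
# each certificate holder is expected to log in with. All values are made up.
SAMPLE_CERTS = [
    ("CN=jdoe,OU=Sales,O=Example Corp,C=AT", "jdoe"),
    ("CN=Doe\\, John,OU=Sales,O=Example Corp,C=AT", "jdoe"),
    ("emailAddress=asmith@example.com,OU=IT,O=Example Corp,C=AT", "asmith"),
    ("CN=laptop-0042+UID=bmiller,O=Example Corp,C=AT", "bmiller"),
]

def _split(text, sep):
    # Split on separators that are not backslash-escaped.
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), text)

def _unescape(value):
    # Handles "\2C" style hex pairs (ASCII range only) and "\," style escapes.
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def common_names(dn):
    """Return every CN value found in the subject DN, in order."""
    names = []
    for rdn in _split(dn, ","):          # RDNs are comma-separated
        for ava in _split(rdn, "+"):     # multi-valued RDNs use '+'
            attr, _, value = ava.partition("=")
            if attr.strip().upper() in ("CN", "2.5.4.3"):
                names.append(_unescape(value))
    return names

def audit(certs):
    """Flag certificates whose CN would not yield the expected username."""
    findings = []
    for dn, expected in certs:
        cns = common_names(dn)
        if not cns:
            findings.append((dn, "no CN in subject"))
        elif len(cns) > 1:
            findings.append((dn, "multiple CN values: %r" % cns))
        elif cns[0] != expected:  # assumption: exact, case-sensitive match
            findings.append((dn, "CN %r != expected user %r" % (cns[0], expected)))
    return findings

if __name__ == "__main__":
    for dn, reason in audit(SAMPLE_CERTS):
        print("%-62s %s" % (dn, reason))
```

Certificates flagged here would need to be reissued with the username in the CN, or the affected users would need to be handled separately, before SecureEdge is enabled on the box.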