Barracuda Web Application Firewall

Prepare for the Installation

Before installing your Barracuda Web Application Firewall:

  • Certain changes might be required to the existing network depending upon the network configuration and the deployment mode you choose. Network changes can be classified as:
    • Hardware changes – Changes related to cabling, switches, routers, network interfaces, etc.
    • Configuration changes – Changes related to DNS databases, IP addresses of hosts and services, router configuration, etc.
  • (Reverse proxy deployment only) If Client Impersonation is set to Yes in the BASIC > Services page, an additional IP address should be configured on the LAN subnet of the Barracuda Web Application Firewall. This should be the default gateway configured on the back-end real servers.
  • Note the server IP address and TCP port of the web applications you want to protect.
  • Verify that you have the necessary equipment:
    • Barracuda Web Application Firewall (check that you have received the correct model)
    • AC power cord
    • Ethernet cables
    • Mounting rails (model 660 and higher) and screws
    • VGA monitor (recommended)
    • PS2 keyboard (recommended)

Open Network Address Ranges on Firewall

If your Barracuda Web Application Firewall is located behind a network firewall, configure the network firewall to allow outbound traffic from the Barracuda WAF to the following Barracuda Networks destinations and ports to ensure proper operation:

The following services require outbound connections from all Barracuda Networks appliances.

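| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| updates.cudasvc.com | 80, 8000, 443 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt12.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt13.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt14.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt15.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt20.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt21.upd.cudasvc.com | 80, 8000 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| auth.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | Federated Authentication Service - Used for IP reputation checks and Advanced Bot Protection. |
| auth.rzc.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | Federated Authentication Service - Used for IP reputation checks and Advanced Bot Protection. |
| auth.rdn.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | Federated Authentication Service - Used for IP reputation checks and Advanced Bot Protection. |
| auth.fra.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | Federated Authentication Service - Used for IP reputation checks and Advanced Bot Protection. |
| api.eucentral1.aws.grip.cudasvc.com | 80, 443 | TCP | Outbound | IP Reputation lookup to GRIP. The Barracuda WAF will use one of these four (4) FQDNs. The FQDN is selected at run time. |
| api.euwest1.aws.grip.cudasvc.com | 80, 443 | TCP | Outbound | IP Reputation lookup to GRIP. |
| api.useast1.aws.grip.cudasvc.com | 80, 443 | TCP | Outbound | IP Reputation lookup to GRIP. |
| api.uswest1.aws.grip.cudasvc.com | 80, 443 | TCP | Outbound | IP Reputation lookup to GRIP. |
| prod.ap.batic.cudasvc.com | 443 | TCP | Outbound | Advanced Bot Protection – lookup service endpoint (Required only if ABP subscription is enabled) |
| batic.barracudanetworks.com | 443 | TCP | Outbound | Advanced Bot Protection Dashboard access (Required only if ABP subscription is enabled) |
| brainiac-prod-access-logs-eh-ns-dedicated.servicebus.windows.net | 5671, 5672, 443 | TCP | Outbound | Advanced Bot Protection – Ingestion endpoint (Required only if ABP subscription is enabled) |
| brainiac-prod-web-firewall-logs-eh-ns-dedicated.servicebus.windows.net | 5671, 5672, 443 | TCP | Outbound | Advanced Bot Protection – Ingestion endpoint (Required only if ABP subscription is enabled) |
| brainiac-prod-system-logs-eh-ns-dedicated.servicebus.windows.net | 5671, 5672, 443 | TCP | Outbound | Advanced Bot Protection – Ingestion endpoint (Required only if ABP subscription is enabled) |
| brainiac-prod-ingestion-eh-ns-dedicated.servicebus.windows.net | 5671, 5672, 443 | TCP | Outbound | Advanced Bot Protection – Ingestion endpoint (Required only if ABP subscription is enabled) |
| Upstream Barracuda CloudGen Firewall | 443 | TCP | Outbound | Only required if there is a Barracuda CloudGen Firewall deployed and when the Barracuda Web Application Firewall needs to connect to the firewall to update blocked IPs. |
| CRL Downloads | Check CRL URL and port | TCP | Outbound | Required if CRL is configured |
| OCSP Responder URL | Check the OCSP Responder URL and port | TCP | Outbound | Required if OCSP Stapling is configured |
| acme-v02.api.letsencrypt.org | 443 | TCP | Outbound | Required if Let's Encrypt service is used to generate certificates |
| www.google.com | 443 | TCP | Outbound | Google reCAPTCHA endpoint (For using reCAPTCHA v2 and v3) |
| ntp.barracudacentral.com | 123 | UDP | Outbound | Default Barracuda NTP server |
| backfeed.barracuda.com | 443 | TCP | Outbound | Backfeed Traffic |
| airlockstatic.nap.aws.cudaops.com | 80, 443 | TCP | Outbound | |
| airlock.nap.aws.cudaops.com | 80, 443 | TCP | Outbound | |
| term.cuda-support.com | 22, 443, 8788 | TCP | Outbound | Support tunnel connection |
| fttcp.prod.bac.barracudanetworks.com | 80, 8000, 23557, 48320 | TCP | Outbound | Configuration Backups to the Cloud |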

In addition, the Barracuda WAF can optionally connect to services on other ports, depending on the configuration enabled. These services and their commonly used ports are listed below:

| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| term.cuda-support.com | 22 (Primary Port), 443 (Backup Port), 8788 (Backup Port) | TCP | Outbound | Technical Support connections |
| | 443 | TCP | Outbound | Initial VM Provisioning * |
| | 8788 | TCP | Outbound | Proxy port for support connections |
| | 25 | TCP | Outbound | Email alerts |
| | 53 | TCP | Outbound | Domain Name Service (DNS) |
| ntp.barracudacentral.com | 123 | UDP | Outbound | Network Time Protocol (NTP). By default, the NTP is set to ntp.barracudacentral.com |
| | 32575 | TCP | Inbound/Outbound (between HA peers) | Synchronize configuration between clustered units |
| | 8002 | TCP | Inbound/Outbound (between HA peers) | HA communication with Peer unit |
| | 32576 | UDP | Inbound/Outbound (between HA peers) | For exchanging cluster heartbeat packets between cluster peers |
| | 42832 | TCP | Inbound | Re-provisioning of License (applicable for virtual machine deployments) |

* The initial provisioning port can be disabled once the initial provisioning process is complete.

Required Outbound Connections for Advanced Bot Protection Dashboard Access

The following outbound connections are to be allowed for Advanced Bot Protection Dashboard access:

| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| tunnel-gateway.cudadps.com (For Tunnel Server) | 443 | TCP | Outbound | To enable connection between Barracuda Web Application Firewall and ATI dashboard. |
| manage.cudadps.com (For APIs) | 443 | TCP | Outbound | Back-end API calls used to establish UI connection every time customer opens a dashboard. |
| manage.ui.cudadps.com (For UI) | 443 | TCP | Outbound | Front-end URL for ATI dashboard. |

Barracuda Advanced Threat Protection (BATP) Servers

The following outbound connections are to be allowed for Advanced Threat Protection:

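| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| api-euwest1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-uswest1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-apsoutheast1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-useast1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-eucentral1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-apsoutheast2-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-useast2-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-apnortheast1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| api-cacentral1-aws.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |
| OR *.batd.cudasvc.com | 443 | TCP | Outbound | Advanced Threat Protection |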
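
A pre-installation check for the destination tables on this page, added here as an example (it is not Barracuda tooling): it expands a few rows into per-port rules and tests TCP reachability through the network firewall. The row subset, the tuple layout and the function names `expand`, `probe` and `report` are assumptions of this example; run it from a host on the subnet where the Barracuda WAF will sit.

```python
import socket

# Subset of rows from the tables above (hostnames and ports as listed on the
# page); the (hostname, ports, protocol) tuple layout is this example's own.
REQUIRED = [
    ("updates.cudasvc.com", "80, 8000, 443", "TCP"),
    ("auth.svc.fusion.cudasvc.com", "80, 443", "TCP"),
    ("ntp.barracudacentral.com", "123", "UDP"),
    ("term.cuda-support.com", "22, 443, 8788", "TCP"),
    ("CRL Downloads", "Check CRL URL and port", "TCP"),
    ("*.batd.cudasvc.com", "443", "TCP"),
]

def expand(rows):
    """Split rows into (host, port, proto) rules and rows needing manual review."""
    rules, manual = [], []
    for host, ports, proto in rows:
        parts = [p.strip() for p in ports.split(",")]
        if " " in host or not all(p.isdigit() for p in parts):
            manual.append(host)  # site-specific entry, e.g. CRL or OCSP URL
            continue
        rules += [(host, int(p), proto.upper()) for p in parts]
    return rules, manual

def probe(host, port, proto, timeout=3.0, connect=socket.create_connection):
    """Return 'open', 'blocked' or 'skipped' for one rule."""
    if proto != "TCP" or "*" in host:
        return "skipped"  # UDP and wildcard entries need a different check
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except OSError:  # refused, timed out, or the name did not resolve
        return "blocked"

def report(rows, connect=socket.create_connection):
    """Probe every expanded rule; return ({rule: state}, manual_rows)."""
    rules, manual = expand(rows)
    return {r: probe(*r, connect=connect) for r in rules}, manual

if __name__ == "__main__":
    results, manual = report(REQUIRED)
    for (host, port, proto), state in sorted(results.items()):
        print(f"{state:8} {proto} {host}:{port}")
    for name in manual:
        print(f"manual   {name}: take the URL and port from your configuration")
```

A `blocked` result can also mean a DNS failure, so confirm name resolution before changing firewall rules.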