Barracuda Web Application Firewall

Prepare for the Installation


Before installing your Barracuda Web Application Firewall:

  • Certain changes might be required to the existing network depending upon the network configuration and the deployment mode you choose. Network changes can be classified as:
    • Hardware changes – Changes related to cabling, switches, routers, network interfaces, etc.
    • Configuration changes – Changes related to DNS databases, IP addresses of hosts and services, router configuration, etc.
  • (Reverse proxy deployment only) If Client Impersonation is set to Yes in the BASIC > Services page, an additional IP address should be configured on the LAN subnet of the Barracuda Web Application Firewall. This should be the default gateway configured on the back-end real servers.
  • Note the server IP address and TCP port of the web applications you want to protect.
  • Verify that you have the necessary equipment:
    • Barracuda Web Application Firewall (check that you have received the correct model)
    • AC power cord
    • Ethernet cables
    • Mounting rails (model 660 and higher) and screws
    • VGA monitor (recommended)
    • PS2 keyboard (recommended)

Open Network Address Ranges on Firewall

If your Barracuda Web Application Firewall is located behind a network firewall, configure the network firewall to allow outbound traffic from the Barracuda WAF to the following Barracuda Networks destinations and ports to ensure proper operation:

The following services require outbound connections from all Barracuda appliances.

| Hostname | Port | TCP/UDP | Direction | Purpose |
|---|---|---|---|---|
| updates.cudasvc.com | 80, 8000, 443 | TCP | Outbound | Update Infrastructure (Definitions, Firmware, Patches, Provisioning) |
| cnt12.upd.cudasvc.com | 80, 8000 | TCP | Outbound | |
| cnt13.upd.cudasvc.com | 80, 8000 | TCP | Outbound | |
| cnt14.upd.cudasvc.com | 80, 8000 | TCP | Outbound | |
| cnt15.upd.cudasvc.com | 80, 8000 | TCP | Outbound | |
| auth.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | IP Reputation lookup to BRBL |
| auth.rzc.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | |
| auth.rdn.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | |
| auth.fra.svc.fusion.cudasvc.com | 80, 443 | TCP | Outbound | |
| prod.ap.batic.cudasvc.com | 443 | TCP | Outbound | Advanced Bot Protection – lookup service endpoint (Required only if ABP subscription is enabled) |
| brainiac-prod-access-logs-eh-namespace.servicebus.windows.net, brainiac-prod-ingestion-eh-namespace.servicebus.windows.net, brainiac-prod-web-firewall-logs-eh-namespace.servicebus.windows.net, brainiac-prod-system-logs-eh-namespace.servicebus.windows.net | 5671, 5672, 443 | TCP | Outbound | Advanced Bot Protection – Ingestion endpoint (Required only if ABP subscription is enabled) |
| Upstream Barracuda CloudGen Firewall | 443 | TCP | Outbound | Only required if there is a Barracuda CloudGen Firewall deployed and when the Barracuda Web Application Firewall needs to connect to the firewall to update blocked IPs. |
| CRL Downloads | Check CRL URL and port | TCP | Outbound | Required if CRL is configured |
| OCSP Responder URL | Check the OCSP Responder URL and port | TCP | Outbound | Required if OCSP Stapling is configured |
| acme-v02.api.letsencrypt.org | 443 | TCP | Outbound | Required if Let's Encrypt service is used to generate certificates |
| www.google.com | 443 | TCP | Outbound | Google reCAPTCHA endpoint (For using reCAPTCHA v2 and v3) |
| ntp.barracudacentral.org | 123 | UDP | Outbound | Default Barracuda NTP server |
| backfeed.barracuda.com | 443 | TCP | Outbound | Backfeed Traffic |
| airlockstatic.nap.aws.cudaops.com | 80, 443 | TCP | Outbound | |
| airlock.nap.aws.cudaops.com | 80, 443 | TCP | Outbound | |
| term.cuda-support.com | 22, 443, 8788 | TCP | Outbound | Support tunnel connection |

For more information about opening support connections, see How to Open a Support Tunnel.
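
One way to check a planned egress policy against the hostname table above, as an added example (not Barracuda's own tooling): the rule format `(host_glob, port, proto)`, the feature tags and the sample rule set are assumptions made for illustration. The CloudGen Firewall, CRL and OCSP rows are left out because their destinations are site-specific.

```python
from fnmatch import fnmatch

def expand(hosts, ports, proto, feature):
    """One (host, port, proto, feature) flow per host/port pair."""
    return [(h, p, proto, feature) for h in hosts.split() for p in ports]

# Hostnames and ports are copied from the table above. The feature tags are
# labels invented for this example: "core" rows carry no condition on the page.
EVENTHUBS = " ".join(f"brainiac-prod-{n}-eh-namespace.servicebus.windows.net"
                     for n in ("access-logs", "ingestion", "web-firewall-logs", "system-logs"))
REQUIRED = (
    expand("updates.cudasvc.com", (80, 8000, 443), "tcp", "core")
    + expand("cnt12.upd.cudasvc.com cnt13.upd.cudasvc.com "
             "cnt14.upd.cudasvc.com cnt15.upd.cudasvc.com", (80, 8000), "tcp", "core")
    + expand("auth.svc.fusion.cudasvc.com auth.rzc.svc.fusion.cudasvc.com "
             "auth.rdn.svc.fusion.cudasvc.com auth.fra.svc.fusion.cudasvc.com", (80, 443), "tcp", "core")
    + expand("ntp.barracudacentral.org", (123,), "udp", "core")
    + expand("backfeed.barracuda.com", (443,), "tcp", "core")
    + expand("airlockstatic.nap.aws.cudaops.com airlock.nap.aws.cudaops.com", (80, 443), "tcp", "core")
    + expand("term.cuda-support.com", (22, 443, 8788), "tcp", "core")
    + expand("prod.ap.batic.cudasvc.com", (443,), "tcp", "abp")
    + expand(EVENTHUBS, (5671, 5672, 443), "tcp", "abp")
    + expand("acme-v02.api.letsencrypt.org", (443,), "tcp", "letsencrypt")
    + expand("www.google.com", (443,), "tcp", "recaptcha")
)

def covers(rule, flow):
    """True if an egress rule (host_glob, port, proto) permits the flow."""
    return fnmatch(flow[0], rule[0]) and rule[1:] == flow[1:3]

def audit(rules, enabled):
    """Return (missing, unneeded) for the enabled optional features."""
    needed = [f for f in REQUIRED if f[3] in set(enabled) | {"core"}]
    missing = [f[:3] for f in needed if not any(covers(r, f) for r in rules)]
    unneeded = [r for r in rules if not any(covers(r, f) for f in needed)]
    return missing, unneeded

# Constructed sample: a proposed egress allowlist for the WAF.
SAMPLE_RULES = (
    [("*.cudasvc.com", p, "tcp") for p in (80, 443, 8000)]
    + [("term.cuda-support.com", p, "tcp") for p in (22, 443, 8788)]
    + [("ntp.barracudacentral.org", 123, "udp"), ("backfeed.barracuda.com", 443, "tcp"),
       ("airlock*.nap.aws.cudaops.com", 443, "tcp"), ("acme-v02.api.letsencrypt.org", 443, "tcp")]
)

if __name__ == "__main__":
    missing, unneeded = audit(SAMPLE_RULES, {"abp"})
    for label, rows in (("MISSING ", missing), ("UNNEEDED", unneeded)):
        for host, port, proto in rows:
            print(f"{label} {proto}/{port} -> {host}")
```

A wildcard rule such as `*.cudasvc.com` counts as covering a flow but admits more hosts than the table lists, so review wildcard entries by hand.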

In addition, the Barracuda WAF can optionally connect to services on other ports, depending on the configuration enabled. These services and their commonly used ports are listed below:

| Port | Direction | TCP | UDP | Usage |
|---|---|---|---|---|
| 22 | Out | Yes | No | Technical Support connections |
| 443 | Out | Yes | No | Initial VM Provisioning * |
| 8788 | Out | Yes | No | Proxy port for support connections |
| 25 | Out | Yes | No | Email alerts |
| 53 | Out | Yes | Yes | Domain Name Service (DNS) |
| 123 | Out | No | Yes | Network Time Protocol (NTP). By default, the NTP is set to ntp.barracudacentral.org |
| 32575 | In/Out (between HA peers) | Yes | No | Synchronize configuration between clustered units |
| 8002 | In/Out (between HA peers) | Yes | No | HA communication with peer unit |
| 32576 | In/Out (between HA peers) | No | Yes | For exchanging cluster heartbeat packets between cluster peers |
| 42832 | In | Yes | No | Reprovisioning of License (applicable for virtual machine deployments) |

* The initial provisioning port can be disabled once the initial provisioning process is complete.

Required Outbound Connections for Advanced Bot Protection

The following Advanced Bot Protection endpoints must be allowed:

Lookup endpoint

  • prod.ap.batic.cudasvc.com - Port 443

Ingestion endpoint

  • To communicate with eventhub, open port 5671 and port 5672

Re-captcha endpoint

 

Exchange the Heartbeat in clustered units.
