The Barracuda Web Application Firewall provides independent routing entities called Network Groups. Network settings such as routes and ACLs are configured individually for each Network Group.
You can configure one Network Group for Management Path and multiple Network Groups for Data Path in the Barracuda Web Application Firewall.
- Management Path is the traffic flow from an administrator’s system or network to the Barracuda Web Application Firewall. A Network Group for the management interface controls management access of the Barracuda Web Application Firewall. Configurations are specific to a unit and are not synchronized with the Peer unit in a High Availability (HA) cluster.
- Data Path is the traffic flow from clients to the back-end server which needs to be secured or routed through the Barracuda Web Application Firewall. Multiple network groups can be configured on the Data Path to provide the routing flexibility required to deploy the appliance in complex networks. A Vsite encompasses one Network Group and its associated Services. Administrators can configure multiple Network Groups by configuring multiple Vsites. A network group is automatically created for the system during the initial configuration of the physical interfaces. Network settings in the network groups of the Vsite are evaluated first, and then the network settings under the System Network Group are evaluated, before a packet routing or filtering decision is made. All configuration for Data Path network groups is synchronized with the Peer unit in the HA cluster.
The routing decisions for the Management Path and Data Path traffic are made based on the respective routing tables. The Data Path traffic is first matched with the set of routes configured for the specific Vsite. If the traffic does not match any Vsite routing entries, it is compared to System routing entries. If it matches neither Vsite nor System routing entries, the packet is dropped.
The Barracuda Web Application Firewall supports the following routing tables:
- Management – Routes to process traffic through the Management interface.
- System – The main routing table used for processing all Data Path traffic. The System table includes WAN (WAN default gateway) and LAN interfaces configured on the BASIC > Administration page.
- Vsites – Routes designated for each Vsite configured on the BASIC > Services page. Each Vsite has its own network routing table to which the incoming/outgoing traffic is compared in order to process the traffic.
Accessing External Servers from the Barracuda Web Application Firewall
External servers can be configured on the following web interface pages:
- Authentication Services on ACCESS CONTROL > Authentication Services.
- SNMP Trap Receivers on BASIC > Administration.
- Email Notification on BASIC > Administration.
- DNS Configuration on BASIC > IP Configuration.
- Proxy Server Configuration on BASIC > IP Configuration.
- Export Logs on ADVANCED > Export Logs.
- External Authentication Servers on ADVANCED > Admin Access Control.
- NTP Servers on ADVANCED > System Configuration.
To reach any of the external servers listed above whose IP address does not fall within the network of the configured virtual interfaces, the Barracuda Web Application Firewall forwards the packets through the Interface for System Services. You can configure Interface for System Services on the BASIC > IP Configuration page.
To override this route, configure a host-specific static route within the network group from which the server is accessible.
Example: External server reachable through 'Management' network group.
Suppose you have an NTP server that is reachable through the 'Management' network group and your Interface for System Services is set to WAN. In that case, configure a specific static route for the NTP server within the Management network group on the NETWORKS > Routes page. Alternatively, you can set your Interface for System Services to Management.
For example, if the Management default gateway is 10.11.25.254 and the NTP server IP address is 10.11.17.40, which is reachable via gateway 10.11.25.254, add a static route on the Management Network Group with host 10.11.17.40 and gateway 10.11.25.254.
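The NTP example above can be checked offline with a simplified model of the egress decision. This is an added example, not Barracuda code: it flags external servers whose traffic would leave through the Interface for System Services instead of the expected network group. The subnets, the WAN range, the syslog server and the function names are assumptions, as is the order in which a host route and a directly connected network are checked.

```python
import ipaddress

# Constructed sample configuration. Only 10.11.25.254 (Management gateway) and
# 10.11.17.40 (NTP server) come from the page; the subnets, the WAN range and
# the syslog server are assumptions made for this example.
INTERFACES = {
    "Management": ipaddress.ip_network("10.11.25.0/24"),
    "WAN": ipaddress.ip_network("192.0.2.0/24"),
}
SYSTEM_SERVICES_INTERFACE = "WAN"


def egress_for(server, host_routes):
    """Return (network_group, reason) for traffic to an external server.

    host_routes maps a server IP string to (network_group, gateway).
    """
    ip = ipaddress.ip_address(server)
    if server in host_routes:
        group, gateway = host_routes[server]
        # A static route is only usable if its gateway is on the group's network.
        if ipaddress.ip_address(gateway) not in INTERFACES[group]:
            raise ValueError(f"gateway {gateway} is not on the {group} network")
        return group, f"host route via {gateway}"
    for group, net in INTERFACES.items():
        if ip in net:
            return group, "directly connected"
    return SYSTEM_SERVICES_INTERFACE, "Interface for System Services"


def audit(servers, expected_group, host_routes):
    """Return servers whose traffic would leave through an unexpected group."""
    findings = []
    for name, ip in servers.items():
        group, reason = egress_for(ip, host_routes)
        if group != expected_group:
            findings.append((name, ip, group, reason))
    return findings


if __name__ == "__main__":
    servers = {"ntp": "10.11.17.40", "syslog": "10.11.25.60"}
    print(audit(servers, "Management", {}))
    print(audit(servers, "Management", {"10.11.17.40": ("Management", "10.11.25.254")}))
```

Without the host route, the audit reports the NTP server as leaving through WAN; with the route from the example in place, the findings list is empty.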
You can configure the network components by using the Vsite, Ports, VLAN, Interfaces, NAT, Routes, ACL, and Network Configuration pages in the NETWORKS tab. The network components are: