Barracuda Web Security Gateway

How to Configure a Transparent Redirection from a Barracuda CloudGen Firewall

  • Last updated on

The Barracuda CloudGen Firewall can transparently redirect all HTTP and HTTPS traffic to a Barracuda Web Security Gateway located in a DMZ. The Barracuda Web Security Gateway can then process the HTTP/HTTPS request using the original source and destination IP addresses. After the Barracuda Web Security Gateway applies all local policies and collects the statistics, the web traffic is then forwarded to the Internet via the CloudGen Firewall. This configuration allows the Barracuda Web Security Gateway to apply all policies as if it were directly connected to the client, and allows it to create meaningful statistics and connection information.

trans_redirect_diagram.png

Before You Begin

  • Verify that the Forwarding Firewall service is using Feature Level 7.0 or higher.
  • The CloudGen Firewall and the Barracuda Web Security Gateway must be connected to the same subnet (within the same ARP domain).
  • Optional: Configure the CloudGen Firewall for SSL Inspection. See How to Configure SSL Inspection in the Firewall.
  • The Barracuda Web Security Gateway should be running version 10.0 or higher and be configured for SSL Inspection in Transparent Mode. See How to Configure SSL Inspection Version 10 and Above.
  • The Barracuda Web Security Gateway must be connected to a different subnet than the clients, and the CloudGen Firewall must be the default gateway for the Barracuda Web Security Gateway.

Step 1. Create a transparent redirect Dst NAT access rule on the Barracuda CloudGen Firewall

Create the Dst NAT access rule to forward all traffic to the Barracuda Web Security Gateway.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual servers > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create an access rule to forward selected traffic coming from your clients:
    • Action – Select DNAT.
    • Source – Select Trusted Networks. Alternatively, enter the network containing the clients that use the Barracuda Web Security Gateway.
    • Destination – Select Internet.

    • Services – Select HTTP+S.

    • Target List – Enter the IP address of the Barracuda Web Security Gateway without a port. E.g., 172.16.0.10

      Do not use network objects containing host names (DNS objects). The firewall does not redirect traffic to a hostname or FQDN. 

    • Fallback/Cycle – If you have defined multiple target IP addresses, select how the firewall distributes the traffic between the IP addresses.
      • Fallback – The connection is redirected to the first available IP address in the list.
      • Cycle – New incoming TCP connections are distributed evenly over the available IP addresses in the list on a per-source IP address basis. The same redirection target is used for all subsequent connections of the source IP address. UDP connections are redirected to the first IP address and not cycled.
    • List of Critical Ports – Enter a space-delimited list of ports used.
    • Connection Method – Select Original Source IP.
    • Application Policy (optional) – Enable Application Control and SSL Inspection to gain deeper insight into the traffic redirected to the Barracuda Web Security Gateway.

      transparent_redirect_00.png

  4. In the left menu, click Advanced.
  5. In the Miscellaneous section, set Transparent Redirect to Enable.

    transparent_redirect_01.png

  6. Click OK.
  7. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
  8. Click Send Changes and Activate.

Step 2. Create a Pass access rule for the Barracuda Web Security Gateway to access the Internet

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual servers > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create a PASS rule to allow the HTTP proxy to access the Internet:
    • Action – Select Pass.
    • Source – Enter the IP address of the Barracuda Web Security Gateway.
    • Destination – Select Internet.
    • Service – Select HTTP+S.

    • Connection Method – Select Dynamic NAT.
    • Application Policy (optional) – Select Application Control policies.
      transparent_redirect_02.png
  4. In the left menu, click Advanced.
  5. In the Dynamic Interface Handling section, set Source Interface to Any.
  6. Click OK.
  7. Click Send Changes and Activate.

Step 3. Create a Pass access rule for the HTTP proxy to access the client network

To allow the Barracuda Web Security Gateway to access the client, you must create a PASS rule:

  • Action – Select Pass.
  • Source – Enter the IP address of the Barracuda Web Security Gateway.
  • Destination – Select Trusted Networks.
  • Service – Select HTTP+S.

  • Connection Method – Select Original Source IP.
  • Application Policy (optional) – Select Application Control policies.

    transparent_redirect_03.png

Step 4. Configure the Barracuda Web Security Gateway

To successfully send connections from the proxy to the Internet, configure the Barracuda Web Security Gateway as follows:

  • Route to the Internet using the CloudGen Firewall as the default gateway.
  • Route to the internal client network using the CloudGen Firewall as the gateway.
  • Traffic must use the IP address of the Barracuda Web Security Gateway as the source IP address for outgoing connections.
  • The Barracuda Web Security Gateway must accept the HTTP and HTTPS connections on the same port as the firewall.
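
The addressing requirements from Before You Begin, the Target List rule in Step 1, and the routing requirements in Step 4 can be checked against an address plan before any rule is created. The following script is an added example, not Barracuda tooling; the plan format, the function name, and every address except 172.16.0.10 are assumptions made for illustration.

```python
import ipaddress

def check_redirect_plan(plan):
    """Return a list of problems in a planned transparent-redirect deployment."""
    problems = []
    fw = ipaddress.ip_interface(plan["firewall_dmz_interface"])
    clients = [ipaddress.ip_network(n) for n in plan["client_networks"]]

    for entry in plan["target_list"]:
        try:
            # Rejects host names and ip:port forms; the Target List takes bare IPs.
            target = ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"target {entry!r}: not a bare IP address")
            continue
        if target not in fw.network:
            problems.append(f"target {target}: outside firewall subnet {fw.network}")
        for net in clients:
            if target in net:
                problems.append(f"target {target}: inside client network {net}")

    gateway = ipaddress.ip_address(plan["wsg_default_gateway"])
    if gateway != fw.ip:
        problems.append(f"WSG default gateway {gateway} is not the firewall {fw.ip}")

    # A more specific route to a client network must also point at the firewall.
    for dest, via in plan["wsg_static_routes"]:
        route = ipaddress.ip_network(dest)
        if any(route.overlaps(net) for net in clients) and ipaddress.ip_address(via) != fw.ip:
            problems.append(f"route {route} via {via}: client traffic bypasses the firewall")
    return problems

# Constructed sample plans; only 172.16.0.10 appears on the page.
GOOD_PLAN = {
    "firewall_dmz_interface": "172.16.0.1/24",
    "client_networks": ["10.0.10.0/24"],
    "target_list": ["172.16.0.10"],
    "wsg_default_gateway": "172.16.0.1",
    "wsg_static_routes": [("10.0.10.0/24", "172.16.0.1")],
}
BAD_PLAN = {
    "firewall_dmz_interface": "172.16.0.1/24",
    "client_networks": ["10.0.10.0/24"],
    "target_list": ["wsg.example.internal", "172.16.0.10:3128", "10.0.10.20"],
    "wsg_default_gateway": "172.16.0.254",
    "wsg_static_routes": [("10.0.10.0/24", "172.16.0.254")],
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_redirect_plan(plan) or "ok")
```

An empty result means the plan satisfies the addressing and routing requirements listed on this page; it does not verify the access rules themselves.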

Step 5. Import the Barracuda Web Security Gateway's root certificate

If you are running SSL Inspection on the CloudGen Firewall, you must add the root certificate used for SSL Inspection on the Barracuda Web Security Gateway to the Trusted Root Certificates. For details about configuring SSL Inspection and certificates on the Barracuda Web Security Gateway, see How to Configure SSL Inspection.

Download the root certificate from the Barracuda Web Security Gateway

On the Barracuda Web Security Gateway, go to ADVANCED > SSL Inspection and download the Root Certificate for Browsers. You now have the webfilter.barracuda.pem file containing the root certificate on the client running Firewall Admin.

wsg_download_root_cert.png

  1. On the CloudGen Firewall, go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual servers > Firewall > Security Policy Settings.
  2. Click Lock.
  3. Click + in the Trusted Root Certificates list and select Import from PEM File. A file dialog opens.
    import_root_cert_01.png

  4. Select the file containing the root certificate you previously exported from the Barracuda Web Security Gateway.
  5. Enter a Name.
  6. Click OK.
  7. Click Send Changes and Activate.

The certificate is now listed in the Trusted Root Certificates list.

import_root_cert_02.png

Next Steps

Import the root certificates from the CloudGen Firewall and the Barracuda Web Security Gateway on the clients to avoid SSL certificate errors. If SSL Inspection is only enabled on one of the devices, then you only need to install the root certificates on the clients for that device.
