Barracuda Web Security Gateway

How do I exempt or block by IP or Subnet on my Barracuda Web Filter?

  • Type: Knowledgebase
  • Date changed: 3 years ago

Solution #00004277

 

Scope:

This solution applies to all Barracuda Web Filters deployed inline.

 

Answer:

Your Barracuda Web Filter must be deployed inline and be in ACTIVE mode to make use of this solution.
Audit mode does not apply the IP exemption tables, so exemptions cannot be used there to keep traffic out of the Web Log.

By default, the Barracuda Web Filter will transparently scan all web traffic and scan all traffic for malware. In some instances, it is beneficial to exempt specific traffic from filtering completely. Using the options under Block/Accept->IP Block/Exempt, you can configure certain IP addresses and ports to transmit through the Barracuda Web Filter without any filtering.

An example of when to use the IP Exempt feature is when the Barracuda Web Filter is interfering with local traffic. Under the IP and Port Exemptions section, create an exemption for your local traffic by entering the local internal subnet and netmask as both source and destination.

Example:

Exempt all internal traffic for the 192.168.0.0/16 network
  1. Enter 192.168.0.0 / 255.255.0.0 as Source IP and Netmask.
  2. Next, enter 192.168.0.0 / 255.255.0.0 as Destination IP and Netmask.
  3. Click Add.

This entry will exempt any traffic between internal LAN clients, while still filtering all web traffic. Leave the Dest. Port field blank unless you want to exempt only a specific port. This solution is particularly useful when the Barracuda Web Filter is processing a lot of trusted internal traffic. Because less traffic is scanned, fewer system resources are used.

You can create exemptions and blocks for both single IP addresses and entire subnets. For an individual IP address, use a full /32 subnet mask (255.255.255.255). For an entire subnet, use the appropriate CIDR netmask (a class C /24 would be 255.255.255.0).

Some domains do not accept, or are unable to process, transparently proxied requests. This can be due to security reasons, such as HTTP-to-HTTPS redirection, or many other issues as described in RFC 3143. To resolve these issues, you can exempt the destination IP from being proxied altogether. On the IP Block/Exempt page, create two entries under IP and Port Exemptions. The first entry will have the remote domain’s IP address as the Destination IP address and Netmask. The second entry will have the remote domain’s IP address as the Source IP Address and Netmask, which is required to exempt all return traffic from that domain.

Example:

Exempt all traffic for the domain example.com

  1. Enter 192.0.43.10 / 255.255.255.255 as the Destination IP and Netmask.
  2. Keep the Source IP and Netmask blank and click Add.
  3. Then enter 192.0.43.10 / 255.255.255.255 as the Source IP and Netmask.
  4. Keep the Destination IP and Netmask blank and click Add.

These entries will exempt all traffic to example.com. This solution is also useful for exempting internal servers that must be accessible from the internet at all times and must never be filtered, such as web, VoIP, and SMTP servers.
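The following is an added example, not Barracuda code: a Python model of the IP and Port Exemptions table that converts CIDR notation to the IP / Netmask pair the form expects and checks which flows a set of entries would pass unfiltered. The matching rule (a blank field matches anything, every filled field must match) is an assumption about the appliance, and the names and sample flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Exemption:
    # None models a field left blank in the form (assumed here to mean "any").
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None

def net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Parse an 'IP / Netmask' pair; raises ValueError if host bits are set."""
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)

def to_form_fields(cidr: str) -> Tuple[str, str]:
    """Convert CIDR notation to the dotted IP and netmask the form expects."""
    n = ipaddress.IPv4Network(cidr, strict=True)
    return str(n.network_address), str(n.netmask)

def is_exempt(table: List[Exemption], src: str, dst: str, port: int) -> bool:
    """True if any entry matches the flow on every field it specifies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in table:
        if e.src is not None and s not in e.src:
            continue
        if e.dst is not None and d not in e.dst:
            continue
        if e.dst_port is not None and port != e.dst_port:
            continue
        return True
    return False

def one_sided(table: List[Exemption]) -> List[Exemption]:
    """Entries with a blank source or destination, worth a periodic review."""
    return [e for e in table if e.src is None or e.dst is None]

# The two examples from this article, as they would appear in the table.
TABLE = [
    Exemption(src=net("192.168.0.0", "255.255.0.0"), dst=net("192.168.0.0", "255.255.0.0")),
    Exemption(dst=net("192.0.43.10", "255.255.255.255")),
    Exemption(src=net("192.0.43.10", "255.255.255.255")),
]

if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port).
    for flow in [("192.168.1.10", "192.168.20.5", 445), ("192.168.1.10", "192.0.43.10", 80),
                 ("192.0.43.10", "192.168.1.10", 51000), ("192.168.1.10", "198.51.100.7", 80)]:
        print(flow, "exempt" if is_exempt(TABLE, *flow) else "filtered")
```

Because exempted traffic passes without any filtering, the `one_sided` list is a quick way to find entries such as the two example.com rows that match any host on the blank side.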


Link to this page:

https://campus.barracuda.com/solution/50160000000HohjAAC