Product/Models: Web Filter, all Models
Firmware: All Firmware
Firmware: All Firmware
Best Practices for the Barracuda Web Filter:
1. Internet Access
Make sure the web filter is connected to a network that has internet access (you can't log in without it).
2. Default Gateway (inline deployments)
The default gateway on the Basic -> IP Configuration page MUST be the inside IP of the firewall/router that is connected to the WAN port of the web filter, as this gateway must be the next out bound hop. It should not be the IP address of your core switch/router on the LAN side. See Solution #4234. This is the most common misconfiguration.
Static Routes. The Web Filter is not a router, so if you want to filter other subnets/networks than the web filter is on, you will need to enter static routes on the bottom of the Basic ? IP Configuration page. Note: the gateway address of static routes should be a routing device, usually a layer3 switch on the LAN side of the web filter; therefore, in most cases the gateway IP of the static route should not be the same as the default gateway of the device itself. In some cases, both the default gateway and the gateway of a static may be the IP of the firewall/router on the WAN side, but this is not a common configuration.
Do not connect both ports on the Web Filter to the same switch. The web filter, inline, should be connected between a firewall/router and a switch.
Slow DNS look ups can adversely affect the web filter significantly. Generally speaking, we get the best performance by setting the DNS servers to internal servers, and this is necessary if you have FQDNs on your internal network. Sometimes using a public DNS server, such as Google's 22.214.171.124 and 126.96.36.199, works well. Often your ISP's DNS servers will not provide good performance. Do not use openDNS's free dns server IPs as they redirect (for advertising) some pages, and this creates a problem for the web filter. The paid for openDNS servers, however, do work fine.
DNS Caching - Generally speaking, we turn DNS caching off, as it can produce 'page cannot be retrieved' errors. However, in environments were we see slow DNS lookups or periodic slow DNS look ups, we do turn it on. Use the Expert Variables page to set DNS variables. Click Advanced ->, add &expert=1 to the end of the URL and hit enter. There will be a new RED tab that says Expert Variables. Click on that tab.
4. LDAP Authentication
Make sure you only create one Authentication Service for each domain you have. If you have one domain, you should only have one authentication service. The term Server Alias can cause confusion/be misleading. Think of the Server Alias as the Domain Alias. DO NOT make one authentication service for each domain controller/hostname in your network. This is the second most common misconfiguration. Have only one domain? Make only one authentication service.
Make sure you have the DC Agent installed on all Domain Controllers in the Domain, or use the Remote option for use on one server if that's an option.
Don't forget to upgrade the DC Agent when major firmware releases are released. Some user access problems are the result of out of date DC Agents.
5. Long Term Data Storage/Archiving.
Please be aware that the Barracuda Web Filter keeps data for the past 6 months only, and that data cannot be moved from one system to another. If you're in a situation where you will need to keep data for more than six months, such as long-term archiving of years of data, you should setup a syslog server on your network to perform this function. There currently is no archiving product for the Barracuda Web Filter, like there is for the Barracuda Spam and Virus Firewall. This also implies that, there is no facility for moving data from one system to another, such as when a system is RMA'd; so if you want to keep data, set up a syslog server.
6. Network Interfaces
By default the Web Filter is set to autonegotiate each network interface. If the network interfaces on the firewall/router, or switch, do not autonegotiate properly with the Web Filter interfaces, all interfaces should be hard coded to connect manually at 100 mb/s Full Duplex. In new versions of the firmware you can see what the speed and duplex setting have been negotiated to on the Basic ? Status Page by hovering over the network connector graphics. To change the speed and duplexity on the Web Filter,you will need to call technical support. If speed or duplexity mismatches occur, significant latency will be introduced into the network.
7. Configuring User Access
Use the Block/Accept ? Content Filter as the global policies for everyone. Understand that there are two built-in groups of users: authenticated and unauthenticated. There is a pull-down policy menu toward the upper right corner of most of the pages under the Block/Accept tab. TheÂ exceptions page does not have one, as on the exceptions page you must select who the rule applies to when you make the rule. All other pages have two lists, an authenticated list and an unauthenticated list. Please see this article for the order of how rules get applied.
Make effective use of the Block/Accept's Custom Categories page. This page allows you to create customized groupings of individual domains and/or content filter categories that you can attach to exception rules for either a individual user or group.
8. Use the Web Log, Not the Browse Test
You can use the Basic ? Web Log page to troubleshoot many things that Barracuda Technical Support troubleshoots. First, in the username column, you can see if you authentication is working. If there is no username, but instead has a -, this is unauthenticated traffic. Second, use the filter at the top of the page to select source IP and enter the IP of a network computer to use to test or troubleshoot access problems. Third, you can use the destination filter to view access of different users to the same web site.
9. Configure Proxy Settings to Verify Traffic
If there seems to be a problem with a site not being blocked, rules not applying, etc., configure your browser to proxy to the web filter on port 8080 in firmware below 6.0.1.012 and port 3128 in 7.0.X and above. Go into your internet options and enter the IP of the web filter as the proxy IP and port 8080. If you get normal access, meaning that allowed and blocked requests show up in the web log, and without the proxy configured you do not, this indicates the traffic is by passing the web filter.
Link to This Page: