Basic Configuration of a Barracuda Web Application Firewall WAF

Basic Configuration of a Barracuda Web Application Firewall WAF

Contents 1 Overview: 2 Initial Setup: 3 Setup Outbound Firewall Rules 4 Activate the Firewall: 4.1 Subscription: 4.2 Firmware Upgrades: 4.3 Energize Updates: 5 General Settings: 5.1 IP Address: 5.2 DNS: 5.3 Syslog: 5.4 Time: 5.5 Admin Access: 5.6 SNMP Conf: 5.7 Change Password: 5.8 Setup HA Pair:

Overview:

The Barracuda WAF (Web Application Firewall) model 660

Initial Setup:

Unlike "higher quality" systems, the barracuda systems needs a keyboard and VGA monitor for the initial configuration.  When plugged in, login with the default user/password (admin/admin) and in the System Configuration window, navigate to the TCP/IP Configuration.  From there, enter in the following information: WAN (external) IP:  WAN Mask WAN Gateway Primary and secondary DNS servers.  (Note that the Barracuda's Achilles heal is the external DNS system.  It requires this to work properly, so make sure that it is robust and accessible by the Barracuda. When you are done, select save and exit.  The changes will be made instantly.

Setup Outbound Firewall Rules

The system must connect to the Barracuda Network to handle licensing.  (this way they can milk the hell out of you for an over priced support contract. :)  Without this, the system throws errors and behaves poorly for admin purposes.  To enable this bend-overage, allow the following outbound flows on your firewall: Allow TCP:80 from the Barracuda to the following networks 64.235.147.0 255.255.255.0 host 64.235.144.132 216.129.105.0 255.255.255.0 216.129.125.0 255.255.255.0 205.158.110.0 255.255.255.0

Activate the Firewall:

Subscription:

From the Basic tab, under Status, select (3) the "Click here for activation code".  This will pull up a Barracuda webpage where you can enter in your company's information for the support contract.  When you are finished, you will get an activation code, which you should paste back in (4) the Basic tabs Status page, under the Subscription Status.

Firmware Upgrades:

To update Firmware, go to the Advanced tab, select Firmware Update, and confirm that the Current installed Version is less then the Latest General Release.  If so, select Download Now under the Latest General Release section, and then select Apply Now to install the newest release.

Energize Updates:

To get the latest Security, Virus and Attack updates, under Advanced tab, select the Energize Updates sub-tab.  Then select (A) update on those subsections.  The system will be updated without needing a restart or anything.

General Settings:

IP Address: 

Under the Basic Tab, under IP Configuration, set your LAN and Management IP addresses.    The LAN interface is the one that connects directly to the servers being proxied, and the Management interface is how admin access is

DNS:

Under the Basic Tab, under IP Configuration, set your DNS servers

Syslog:

Under the Advanced Tab, under Export Logs, set the syslog servers.

Time:

There are two different places to change the time on the server, one is in the Basic tab, and the other under the "special expert variables". Under the Basic Tab, under Admin, set the timezone Then  in the Advanced tab, under System Configuration, add the Time servers under the NTP Server Settings section.

Admin Access:

Under the Basic Tab, under Admin, set the range of IP's that can connect to the admin port of this system.

SNMP Conf:

Also under the Basic Tab, further down the Admin sub-tab is the SNMP configuration tab, where you can define the snmp version, community string, and allowed IPs to poll this system.

Change Password:

Change the Admin Password by going to the Basic tab, and selecting Administration, and then adding your new password in the Password Changesection.

Setup HA Pair:

Bind a second load balancer by repeating the process above to the second unit, and then under the Advanced Tab, select High Availability, and enter in the other systems IP, and the same shared secret and group id.