User's guide
Application policies regulate how this session is treated by the Barracuda Firewall if certain network traffic is detected by the application
filter. Traffic can be reported, dropped, or throttled.
The application filter identifies the type of traffic that you want to limit or control. The application-aware filter detects peer-to-peer client
applications (such as IM, peer-to-peer based file sharing, and Skype) that usually cannot be detected by pattern-based
intrusion prevention mechanisms.
Users/Time
For more granular control, you can configure firewall rules that are only applied to specific users or during specific times.
Users can be used as a criterion for the rule. Users can be managed locally at the Barracuda Firewall or through several external
authentication services like MS Active Directory, NTLM, LDAP, RADIUS, OCSP, or the Barracuda DC Agent. To create user objects, go
to the FIREWALL > User Objects page.
Administrators can create firewall rules that are only active for specific times or dates. For example, you can create a time object that
includes Mondays and the hours of 8:00 am to 9:00 am. You can apply this time object to a rule so that traffic is only passed during these
times. You can also create a time object that includes the lunch hour and apply it to a firewall rule that allows web browsing with a higher
bandwidth policy. To create new time objects, go to the FIREWALL > Time Objects page.
Advanced
You can also configure the following advanced firewall settings:
Interface Group – For each rule, an interface can be assigned to the origin of the connection request. The interface group specifies the
interface that the source address is allowed to use. The following table describes each available interface group:
Interface Group – Description
Matching – Ensures that arriving packets are processed through the same interface, which forwards the corresponding reply packets. Source and destination addresses are thus only reversed. This method helps prevent a network attack in which an attacker might try using internal addresses from outside the internal network (IP spoofing).
Any – Uses the first interface matching the request, in accordance with the routing configuration. The packet source is not verified. Reply packets might be forwarded through another interface, if multiple interfaces capable of doing so are available. In very special configurations, checking the physical source of packets cannot be required.
DSL/DHCP – Explicitly restricts rule processing to the specified dynamic network interface (if installed and configured).
WIFI/WIFI2/WIFI3 – Explicitly restricts rule processing to the specified Wi-Fi network interface (if installed and configured).
VPNClients – Explicitly restricts rule processing to the specified virtual network interface of a VPN client (if installed and configured).
3G – Explicitly restricts rule processing to the specified 3G network interface (if installed and configured).
SYN Flood Protection – SYN flood protection protects against a common kind of DoS attack on computer systems. The Barracuda
Firewall can eliminate SYN flooding attacks in both the inbound and outbound directions. The firewall completes the handshake and only
then performs a handshake with the actual target. This helps to protect the target from SYN flood attacks. Disabling SYN flood protection
can cause an overhead in packet transmission but can speed up interactive protocols like SSH.
Firewall Rules Order
You can view the firewall rules on the FIREWALL > Firewall Rules page. The firewall rules are processed from top to bottom to determine if the
traffic matches the criteria. Because the first matching rule is executed to handle the network traffic, ensure that you arrange your rules in the
correct order.
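
The top-to-bottom, first-match processing described above can be checked offline before a rule set is changed. The following is an added example, not Barracuda code or part of the original guide: it models a rule as source network, destination network and destination port only, and flags rules that can never fire because an earlier, broader rule with a different action always matches first. The rule names, addresses and the "block" default for unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # simplified model, not the firewall's own rule format
    name: str
    action: str           # "allow" or "block"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    port: Optional[int]   # destination port; None matches any port

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.port in (None, other.port))

def first_match(rules, src_ip, dst_ip, port, default="block"):
    """Walk the list top to bottom; the first matching rule decides (default is assumed)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.name, rule.action
    return None, default

def shadowed(rules):
    """(earlier, later) pairs where `later` is unreachable and has a different action."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later) and earlier.action != later.action:
                found.append((earlier.name, later.name))
                break
    return found

# Constructed sample rule set: the SSH block sits below a broader allow rule.
RULES = [
    Rule("LAN-2-INTERNET", "allow", "10.0.0.0/8", "0.0.0.0/0", None),
    Rule("BLOCK-GUEST-SSH", "block", "10.0.50.0/24", "0.0.0.0/0", 22),
    Rule("BLOCK-ALL", "block", "0.0.0.0/0", "0.0.0.0/0", None),
]
FIXED = [RULES[1], RULES[0], RULES[2]]  # specific rule moved above the general one
```

With RULES, SSH from the guest network is allowed by LAN-2-INTERNET and shadowed(RULES) reports the unreachable block rule; with FIXED, the same connection is blocked and no rule is shadowed.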