This post is a continuation of the previous one, Barracuda CloudGen Firewall F12 Initial Configuration Lab.

In this post, I am going to show you how to configure the WAN / LAN interfaces, how to create your own forwarding access rule, and how to create a Destination NAT rule.

Online PNG Format Topology Diagram:

Configure Interfaces

In our previous post, Barracuda CloudGen Firewall F12 Initial Configuration Lab, we already configured our mgmt port, Port 1. Now, based on our topology, we are going to configure the other two ports:
  • LAN – Port 2
  • WAN – Port 4

Go to Configuration – IP Configuration – Shared Networks and IPs:

Add the LAN and WAN interfaces with the corresponding configuration:
For easier troubleshooting, don’t forget to enable the option Responds to ping when you are configuring the LAN/WAN ports. That will make your firewall's LAN/WAN ports pingable.

Firewall Rule Settings

Traffic Criteria

These settings define the traffic that will be handled by the rule:

If the rule must be applied to traffic going to and from the specified source and destination, select this check

The source IP addresses of the traffic.

The IP protocol used or, with TCP/UDP, the relevant IP protocol and port for the traffic.

The destination IP addresses/netmask of the traffic.

Authenticated User

authenticated users and groups who are affected by this rule. For more information, see Firewall . If the rule requires user authentication at the firewall, the rule is depicted with an icon the Name column in the rule overview window.


Rule Activation

These settings specify if the rule is active and how long it should be active:

Dynamic Rule

If the rule must be dynamically activated and deactivated for set periods of time, select this check box. For more information on configuring dynamic rules, see How to Activate a Dynamic Firewall Rule.

Deactivate Rule

To deactivate the rule, select this check box. To reactivate the rule, clear this check box.

To hide inactive rules in the rule set, click the Show/Hide Inactive Rules icon in the navigation bar. It is the first icon on the top right of the rule

Action and Connection

The Action setting specifies how the Barracuda NG Firewall handles traffic that matches the rule criteria. These are the options that you can select:

There are quite a few different actions for your rules:
  • Block
  • Deny
  • Pass
  • MAP
  • App Redirect
  • Broad-Multicast
  • Cascade




Block

Ignores the traffic and does not answer any matching packets.

Deny

Dismisses traffic and sends the following to the source:
  • TCP-RST (for TCP requests)
  • ICMP Port Unreachable (for UDP requests)
  • ICMP Denied by Filter (for other IP protocols)

Pass

Passes the network traffic to the specified destination.

the destination IP address and port. You can specify the connection type; this lets you use source NAT and destination NAT

Map

Maps one destination IP address or subnet to another IP object. The map is also available the reversed way. For this action, you can select either client (destination NAT) or any predefined translation map for the connection type.

App Redirect

Redirects the traffic to a local application (transparent proxying). Advanced parameters and timeouts of this type behave like in the local

Broad Multicast

Propagates the traffic to multiple interfaces. This action is only needed with bridging.

Cascade

Specifies that the traffic must be processed by a subset of the main rule set.

Cascade Back

If the traffic does not match any rules in a rule subset specified by a Cascade rule, use this action to direct traffic handling to the main rule

The traffic is piped into the standard input (STDIN) of a program running on the server.

Depending on the Action of the rule, you can select a Connection that specifies how the source, destination, or service of the traffic is manipulated as it passes the Barracuda NG Firewall. This setting typically specifies the outgoing source IP address for address translation. The following Connection Method options are available:


Connection Method

Lets you define the IP address used to perform source network address translation (NAT).

Dynamic Src NAT

source NAT for the defined connection. The source IP address of network packets will be manipulated dynamically, according to the routing table of the Barracuda NG Firewall.

Performs source NAT with the loopback IP address of

No Src NAT

No source NAT is

Performs source NAT with the IP address of the specified network interface type (DHCP, ISDN, UMTS, or xDSL). The firewall does not perform a routing table

Source NAT with VIP

Performs source NAT with the VIP address of the remote management tunnel. The firewall does not perform a routing table

Src NAT 1st Server

source NAT with the 1st Server IP address. The firewall does not perform a routing table lookup.

Src NAT 2nd Server

source NAT with the 2nd Server IP address. The firewall does not perform a routing table.


Traffic Modification and Inspection

These settings specify if the traffic is modified or inspected:

Redirect Target

This setting is for rules with the Action set to Dst NAT, App Redirect, or Map. In this section, you can specify the outgoing destination IP address for address translation.

You can select the following policies:
  • IPS Policy: The traffic is inspected by the IPS engine according to the selected IPS policy.
  • Application Policy: The traffic is inspected according to the selected application policy. For more information, see Layer 7 Application Control.
  • Time Objects: If Dynamic is enabled, select the required Time Object.
  • QoS Band (Fwd): Traffic in the forward direction is handled according to the selected QoS Band. For more information, see Traffic Shaping.
  • QoS Band (Reply): Traffic in the reverse direction is handled according to the selected QoS Band.


Configure Pass Forwarding Firewall Rule

In this lab, we are going to create a rule with the Pass action, which is the equivalent of an Allow rule on other vendors' firewalls.

A Pass access rule permits traffic for a specific Service coming from the Source to access the selected Destination. For the Source and Destination, you can specify network objects, IP addresses, networks, or geolocation objects.



Configure Destination NAT Firewall Rule

A Dst NAT access rule redirects traffic that is sent to an external IP address to a destination in the internal network. The following example shows a Dst NAT rule allowing HTTP and HTTPS access from the Internet to a server in the DMZ. The redirect target can be a single IP address or hostname, or a network object. Hostnames and IP addresses can be appended with a port number to redirect the traffic to a different port.
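A small Python model of the rule behaviour described in this post (Block, Deny, Pass, and Dst NAT with an optional redirect port), added here as an illustration; it is not Barracuda code and not part of the original lab. First-match evaluation, the implicit drop for unmatched traffic, the rule names and all addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Replies the Deny action sends to the source, per protocol (as listed above).
DENY_REPLY = {"tcp": "TCP-RST", "udp": "ICMP Port Unreachable"}

@dataclass
class Rule:
    name: str
    action: str          # "block", "deny", "pass" or "dstnat"
    source: str          # CIDR network
    destination: str     # CIDR network
    proto: str
    ports: tuple
    redirect: str = ""   # Dst NAT only: "ip" or "ip:port" (IPv4 in this model)

def _hit(rule, src, dst, proto, port):
    """Traffic criteria: source, service (protocol + port) and destination."""
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (rule.proto == proto and port in rule.ports
            and in_net(src, rule.source) and in_net(dst, rule.destination))

def evaluate(rules, src, dst, proto, port):
    """Return (rule name, what the sender observes, forwarded-to) for a new connection."""
    for rule in rules:                       # assumption: first matching rule wins
        if not _hit(rule, src, dst, proto, port):
            continue
        if rule.action == "block":           # no answer at all: sender sees a timeout
            return rule.name, "dropped silently", None
        if rule.action == "deny":            # active refusal: sender gets a reply
            return rule.name, DENY_REPLY.get(proto, "ICMP Denied by Filter"), None
        if rule.action == "dstnat":          # rewrite destination, optionally the port
            host, _, new_port = rule.redirect.partition(":")
            return rule.name, "forwarded", (host, int(new_port) if new_port else port)
        return rule.name, "forwarded", (dst, port)   # pass: destination unchanged
    return None, "dropped silently", None    # assumption: implicit block at the end

# Constructed rule set (documentation/private ranges, not the lab's real addresses).
RULES = [
    Rule("LAN-2-INTERNET", "pass", "192.168.2.0/24", "0.0.0.0/0", "tcp", (80, 443)),
    Rule("WEB-DNAT", "dstnat", "0.0.0.0/0", "203.0.113.10/32", "tcp", (80, 443),
         redirect="172.16.0.10"),
    Rule("ALT-WEB-DNAT", "dstnat", "0.0.0.0/0", "203.0.113.10/32", "tcp", (8080,),
         redirect="172.16.0.10:80"),
    Rule("NO-TELNET", "deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", (23,)),
    Rule("NO-SNMP", "deny", "0.0.0.0/0", "0.0.0.0/0", "udp", (161,)),
]
```

The difference between a silent drop and a TCP-RST or ICMP reply is what you see from a test client when checking whether a connection hit a Block rule, a Deny rule, or no rule at all.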



By netsec
