010 Cgf01020-Assigned Services - Student Guide

CGF01020 - Basic Configuration Tasks


Assigned Services

Training Video Transcript

We're going to continue on with our initial setup of the Barracuda CloudGen Firewall and take a look at the two-layer
system architecture and how we assign services within the Barracuda CloudGen Firewall.


2-Layer Architecture
Starting with firmware release 8.0.1, the concept of virtual
servers and services has been replaced by a new 2-layer
architecture.

Training Video Transcript

The Barracuda CloudGen Firewall starting with the 8.0.1 firmware has switched to a two-layer system architecture.
The new architecture has the Box layer and then the assigned Services layer. In the older three-layer architecture,
we had a box layer and a service layer too, but in between them we had a middle layer, called the virtual server
layer.


2-Layer Architecture
• Box layer
– Infrastructure services
– Logging, event, configuration and control
– Network subsystem
• Assigned services
– Administrator introduces selected services
– Run on top of the box layer

Training Video Transcript

We’ve removed the virtual server layer and relocated the different components and settings from the virtual
server layer into the box layer. This makes configuring and managing the Barracuda CloudGen Firewall easier.

A great example of that is within the networking node at the Box layer. We took settings such as virtual server IP
addresses and we moved them into the networking node. The Box layer is always going to be active and if you
look at the interface not much has changed. We have just added, within the existing nodes, some of the settings
from that virtual server layer into the respective areas within the config tree.

Assigned services are going to work almost identically as they did before. Now, these services will run on top of the
box layer and these are the same services that you are already familiar with, such as the forwarding firewall
service, the VPN service, the antivirus service, just to name a few.


The Box Layer


• "Static" layer providing a certain set of functionality for:
– General operation, basic connectivity for managing the firewall, etc.
• Houses basic infrastructure services like:
– SNMP, Authentication, Host Firewall, etc.

Training Video Transcript

The Box layer, which is a “static layer”, will always be on, and this provides the base of the firewall.

This has our infrastructure and subsystem in it, such as authentication, host firewall rules, events, logs, statistics.
All that takes place at the box layer, just like it did before.
You still have your management IP addresses and your management network. Again, that has not changed with
the new system architecture.


The Service Layer


• Provides space for services that extend the CloudGen
Firewall’s functionality to user-specific needs
– Forwarding Firewall, VPN, DNS, etc.
• Service-relevant network and IP addresses must be
configured as shared networks / IPs

Training Video Transcript

When we get into the service layer, this is where you have your add-on features such as the forwarding firewall,
the VPN service, the DNS service.

You do need to activate these services by configuring them through the configuration tree and then you'll assign
an IP address and network that these services will use. This is where you used to assign what was called the
virtual server IP address.

You are now going to assign what's called the shared IP address from a shared network.
It is doing the same thing. You define an IP address that's tied to a network. That has not changed, just the
vocabulary and where you actually make the configuration has changed.


Box Layer Networks and IPs


• Management IP
– Unique box layer IP for management access
• Additional local IPs
– Used to introduce additional box layer IPs
– Can be used for multiple management IPs
– These IPs are generally not HA-capable

Training Video Transcript

Now, you can still define some box layer IP addresses and networks.

The one you are most familiar with is the management IP address. The management IP address lives at the box
layer, and it does not fail over in an HA scenario. This is because you want to be able to manage that firewall with
its unique address, and you don’t want to fail over and lose access to your first firewall because the management
IP moved to the secondary firewall. This would just be a silly way to set the firewall up.

You also still have the ability to introduce additional IP addresses at the box layer called additional local IPs. Now
you're probably not going to need to use these. The big drawback to them is that they're not HA compatible, so
if you have a failover, they will not work on the secondary box. What it does do, though, is allow you to create
additional management IP addresses. They could be internal or external, or if you don't care about HA, you can
essentially statically assign an IP address to a specific network interface on your CloudGen Firewall.


Shared Network and IPs


• Networks and IPs used to address assigned
services
• Service IP addresses must be assigned via
the Service Properties configuration window
– Forwarding Firewall, OSPF/RIP/BGP, DHCP, and DHCP Relay are
always available on all interfaces
– Other services can operate with selectively assigned interfaces
and IP addresses
• These IP addresses are generally HA-capable

Training Video Transcript

Now the vast majority of you are going to be using shared networks and shared IPs.

This is what you're probably 99% of the time going to assign to your services. When you configure a service, not
much has changed. You still have the choice between first IP, second IP, or entering an explicit IP, and those IPs
are referencing the new shared IP addresses. These shared networks and IPs are HA capable, and you use
them with services such as the firewall forwarding service, the VPN service, etc.

Because they are shared, they can float between your active box and your passive box. And if your active box
goes down, the traffic immediately gets picked up on your secondary box. And really there's not a major
interruption if your primary firewall goes down. The whole point of HA is continued availability in a failover.


Good to Know
• Services and system services can be controlled
by initiating a stop, start, or restart command
• Default services are introduced according to
model type
• Assigned service names are limited to
30 characters
• Migrating from the 3-layer to the 2-layer
architecture is possible

Training Video Transcript

Some things to keep in mind.

With this concept, assigned services and system services can be started, stopped, or restarted by the
administrator manually.

With a new firewall, some services may come pre-configured for you such as the firewall forwarding service and
the VPN service. Now, this is a very limited pre-configuration. If you're dealing with our Enterprise level firewalls
above F400, you will not have any services pre-configured. Usually, most people are going to rip out these
pre-configured services so you can create the services yourself. This ensures that the configuration meets your needs
exactly for your unique environment.

An additional improvement with services is the name can be up to 30 characters. That is an increase over what it used
to be. You now have up to 30 characters for the service name.

If you have an older firewall running with the three-layer system architecture, you can continue to run with that
three-layer system architecture or you can go through a migration to move from the three-layer to a two-layer
system architecture.
Details on migrating from the three-layer to two-layer are available at campus.barracuda.com.


Thank You

Training Video Transcript

We just saw an overview of the two-layer system and talked about the improvements in the newest firmware
over the older three-layer architecture.