General Firewall Configuration
To adjust resources used by your firewall service, you can change the sizing parameters in the General Firewall Configuration (CONFIGURATION > Configuration Tree > Box > Infrastructure Services) section of the Barracuda CloudGen Firewall. After changing general firewall configuration settings, perform a Firmware Restart (CONTROL > Box) for the changes to take effect. Default values vary depending on the model.
Firewall Sizing
Maximum Number of Connections
Max Session Slots – Set the maximum number of session slots allowed. The amount of memory consumed by the firewall is updated when this value is changed and displayed in the Firewall Memory [MB] field. (When set to the default value, the firewall service will consume about 150 MB RAM).
Max UDP [%] – (advanced) Defines the percentage of the Max Session Slots allowed to be UDP sessions.
With eventing activated (parameter UDP Limit Exceeded set to yes), the event FW UDP Connection Limit Exceeded [4009] is generated when the limit is exceeded.
This setting can be overridden with the Resource Protection settings in the advanced section of a forwarding firewall rule. Private IPv4 addresses are exempted completely.
Max Echo [%] – (advanced) Defines the percentage of the Max Session Slots allowed to be ICMP sessions.
With eventing activated (parameter Echo Limit Exceeded set to yes), the event FW ICMP-ECHO Connection Limit Exceeded [4027] is generated when the limit is exceeded.
This setting can be overridden with the Resource Protection settings in the advanced section of a forwarding firewall rule. Private IPv4 addresses are exempted completely.
Max Other [%] – (advanced) Defines the percentage of the Max Session Slots allowed to be an IP protocol type, except TCP, UDP, or ICMP.
With eventing activated (parameter Other Limit Exceeded set to yes), the event FW OTHER-IP Session Limit Exceeded [4029] is generated when the limit is exceeded.
This setting can be overridden with the Resource Protection settings in the advanced section of a forwarding firewall rule. Private IPv4 addresses are exempted completely.
Firewall Memory [MB] – Displays the estimated memory requirement according to the current firewall configuration settings. If the value exceeds 200 MB, an additional bootloader parameter may be required. On i686-based CloudGen Firewalls with more than 768 MB RAM requiring additional vmalloc space to satisfy the increased memory demand of non-default firewall settings, we recommend increasing the vmalloc area in steps of 128 MB, starting at 384 MB. For more information, see How to Configure the Bootloader.
Reboot the box after setting the parameter, and wait until the firewall service successfully starts after the system boot. Do not use vmalloc areas larger than 640 MB. The vmalloc area is shared among several kernel subsystems. Therefore, the exact size of the allocated vmalloc area that is required to load the firewall cannot be predetermined. Setting the vmalloc parameter to enable increased acpf memory operation is discouraged on systems with 768 MB of RAM or on "i386" architecture systems. Setting this parameter on those boxes could negatively affect the system performance and/or stability. The architecture of an installed CloudGen Firewall box can be determined with the following command: rpm -q kernel --qf '%{ARCH}\n'
Global Limits 1
Max DNS Entries – Defines the maximum number of DNS queries that may be triggered by the use of network objects containing hostnames. 75% of the queries are reserved for the forwarding firewall and 25% for the host firewall. Network objects used in both forwarding and host firewall rulesets will trigger two DNS queries and be counted twice.
The firewall can only match IP addresses. When the maximum amount of allowed DNS queries is exceeded, hostnames can no longer be resolved, causing access rules using these networks objects to never match.
Max Acceptors – (advanced) Maximum number of pending accepts for inbound rules. An acceptor is a dynamic implicit rule that is generated by plugins handling dynamic connection requests. The FTP protocol, for example, uses a data connection in addition to the control connection on TCP port 21 to perform the actual file transfer. By analyzing the FTP protocol, the firewall knows when such data connections occur and creates an acceptor to allow the corresponding data transfer session.
Max Pending Inbounds – Maximum number of pending TCP inbound requests. This parameter comes into effect only when the TCP accept policy is set to inbound for the access rule.
Max BARPs – (advanced) Defines the maximum number of bridging ARPs allowed. A bridging ARP entry (BARP) stores the information that specifies which bridge interface corresponds to a certain MAC address. Additionally, associated IP addresses are stored along with the BARP entry. Modifying this value may be useful for large bridging setups.
Max Plugins – (advanced) Maximum number of rules using plugins.
Dyn Service Names (RPC) – Maximum number of dynamic service name entries.
Global Limits 2
Max. Dynamic Rules – Maximum number of dynamically activated rules. The default preset value is 128.
Max. Multiple Redirect IPs – Maximum number of IP addresses in rules with multiple redirect target IPs. The default preset value is 128.
Global Inbound Mode Limits
To establish a TCP connection, the TCP three-way handshake must be completed. You can use different accept policies to change how incoming and outgoing TCP connections are handled on a per-rule basis.
For more information, see Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies.
Inbound Mode Threshold [%] – The default preset value is 20.
If the percentage value of the maximum number of sessions in the pending accept state is exceeded, the firewall will apply the inbound accept policy for SYN flood protection for all incoming TCP sessions, regardless of what is configured on the Access Rule level, i.e.:
When the firewall switches into inbound mode, a related message will be written into the security log and an event 4004 with a related information text will be created.
When the firewall terminates this mode, it will be written into the security log, and an event 4004 with a related information text will be created.
SYN Cookie High Watermark [%] – This is the percentage (of the maximum number of pending inbounds) of pending inbound accepts to switch to TCP SYN cookie usage for enhanced SYN flooding protection. The default preset value is 20.
SYN Cookie Low Watermark [%] – This is the percentage (of the maximum number of pending inbounds) of pending inbound accepts to go back to ordinary SYN handling. The default preset value is 15.
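The sizing arithmetic behind the percentage parameters above (Max UDP/Echo/Other as shares of Max Session Slots) and the watermark hysteresis of the Global Inbound Mode Limits, as an added illustration that is not Barracuda code. It assumes the watermark and threshold percentages are applied to Max Pending Inbounds and that the firmware compares with >= for the high watermark and > for the inbound threshold; the documentation does not state the exact comparison or rounding.

```python
# Added example (not Barracuda firmware code). Models the session-slot budgets and the
# SYN cookie / inbound mode switching described in General Firewall Configuration.
# Assumption: budgets are integer shares of Max Session Slots, watermarks are integer
# shares of Max Pending Inbounds; private IPv4 sources are exempt from the budgets.
from dataclasses import dataclass


@dataclass
class FirewallSizing:
    max_session_slots: int
    max_udp_pct: int
    max_echo_pct: int
    max_other_pct: int
    max_pending_inbounds: int
    inbound_mode_threshold_pct: int = 20  # default preset value
    syn_cookie_high_pct: int = 20         # default preset value
    syn_cookie_low_pct: int = 15          # default preset value

    def validate(self) -> None:
        for name in ("max_udp_pct", "max_echo_pct", "max_other_pct",
                     "inbound_mode_threshold_pct", "syn_cookie_high_pct", "syn_cookie_low_pct"):
            if not 0 <= getattr(self, name) <= 100:
                raise ValueError(f"{name} must be a percentage (0-100)")
        if self.syn_cookie_low_pct > self.syn_cookie_high_pct:
            raise ValueError("SYN cookie low watermark must not exceed the high watermark")

    def protocol_budgets(self) -> dict:
        """Session slots available to UDP, ICMP echo and other IP protocols."""
        s = self.max_session_slots
        return {"udp": s * self.max_udp_pct // 100,
                "icmp_echo": s * self.max_echo_pct // 100,
                "other_ip": s * self.max_other_pct // 100}

    def pending_inbounds_for(self, pct: int) -> int:
        return self.max_pending_inbounds * pct // 100


class SynProtectionState:
    """Tracks SYN cookie usage (high/low watermark hysteresis) and global inbound mode."""

    def __init__(self, sizing: FirewallSizing):
        sizing.validate()
        self.high = sizing.pending_inbounds_for(sizing.syn_cookie_high_pct)
        self.low = sizing.pending_inbounds_for(sizing.syn_cookie_low_pct)
        self.inbound_threshold = sizing.pending_inbounds_for(sizing.inbound_mode_threshold_pct)
        self.syn_cookies = False
        self.inbound_mode = False

    def update(self, pending_accepts: int) -> tuple:
        # Cookies switch on at the high watermark and only off again at the low watermark,
        # so a load hovering around one value does not flap the protection on and off.
        if pending_accepts >= self.high:
            self.syn_cookies = True
        elif pending_accepts <= self.low:
            self.syn_cookies = False
        # Inbound mode overrides per-rule accept policies; each transition logs event 4004.
        self.inbound_mode = pending_accepts > self.inbound_threshold
        return self.syn_cookies, self.inbound_mode
```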
Source-Based Session Limits
Max Local-On Session/Src – (advanced) Maximum number of sessions per source IP address. Cannot be set to more than Max Session Slots.
With eventing activated (parameter Session/Src Limit Exceeded set to yes), the event FW Global Connection per Source Limit Exceeded [4024] is generated when the limit is exceeded.
Max Local-In UDP/Src – (advanced) Maximum number of UDP sessions per source IP address.
With eventing activated (parameter UDP/Src Limit Exceeded set to yes), the event FW UDP Connection per Source Limit Exceeded [4008] is generated when the limit is exceeded.
Max Local-In Echo/Src – (advanced) Maximum number of ICMP Echo sessions per source IP.
With eventing activated (parameter Echo/Src Limit Exceeded set to yes), the event FW ICMP-ECHO Connection per Source Limit Exceeded [4026] is generated when the limit is exceeded.
Max Local-In Other/Src – (advanced) Maximum number of sessions for all other IP protocols (not TCP, UDP, ICMP) per source IP address.
With eventing activated (parameter Other/Src Limit Exceeded set to yes), the event FW OTHER-IP Connection per Source Limit Exceeded [4028] is generated when the limit is exceeded.
Max Pending Local Accepts/Src – (advanced) Maximum number of pending accepts per source IP address.
Firewall History
The firewall history stores connection information for troubleshooting purposes. You can configure how many and how long connections are stored in the General Firewall Configuration settings. Use the Advanced View to configure these settings.
Max. Access Entries – Determines the size of the visualization caches.
Max. Block Entries – Determines the maximum number of block entries.
Max. Drop Entries – Determines the maximum number of drop entries.
Max. Fail Entries – Determines the maximum number of fail entries.
Max. Scan Entries – Determines the maximum number of scan entries.
Max. ARP Entries – Determines the maximum number of ARP entries.
DNS Resolve IPs – Setting this parameter to yes will resolve IPs to hostnames on the firewall history. This may cause excessive load on the DNS servers.
If many DNS objects are used frequently, disable host resolution in the firewall history to avoid delays and errors in the DNS resolution.
Operational
Ruleset-Related Settings
Rule Matching Policy – Selects the way in which a rule lookup is performed.
Kernel space - linear lookup – Adequate for small rulesets.
Kernel space - tree lookup (fastest) – Preferred option for large rulesets with hundreds of rules.
As a rule of thumb, at about 1000 sessions/s one of the Kernel space options should be enabled for better firewall performance. Additionally, if many firewall objects (> 200) are used, the Kernel space - tree lookup option is recommended.
Rule Change Behavior – This setting applies only to the forwarding firewall and not to the host firewall, because the host firewall generally does not allow re-evaluation of a session upon a rule change. The setting specifies whether an existing connection is terminated (Terminate-on-change) or not (Keep-on-change) if the ruleset changes and the session is no longer allowed by the new ruleset.
No Rule Update Time Range – This option allows you to define a time range during which access rules may not be updated. Use international time format. For example, to disallow rule updates from 14:00 through 22:00, insert 14-22.
On-demand network objects update – This option allows you to enable on-demand network objects.
Network objects update interval – Update interval in minutes for on-demand network objects.