Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

Transcription

1 Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501 Lab Guide Official training material for Barracuda certified trainings and Authorized Training Centers. Edition 2018 Revision 1.0 campus.barracuda.com campus@barracuda.com

2 Barracuda Networks Inc., April 24, The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Lab Description Task 1. Task 2. Task 3. Task 4. The Firewall Engine After a long PoC phase, the company has decided to move its resources into the cloud. Microsoft s cloud solution has been chosen to be the future host of all company services. With a partner, the CTO has outlined the basic network concept, which, in phase one, is one VNET with three subnets. The first subnet is connected to a dynamic public IP and serves as the front end to the other two subnets. The front end subnet accepts all traffic from the outside via a public IP assigned to the firewall. The other two internal subnets host a web server and a terminal / Windows server. All the traffic of these subnets needs to be routed through the firewall, regardless of whether it is inbound or outbound traffic. The partner who created the PoC also offered a template for easier deployment. This template now needs to be verified and adopted based on the topology plan and network requirements the CTO, CSO, and IT administrator have created. The firewall needs to be prepared for a future high availability setup. All outgoing traffic needs to be routed through the firewall. Inbound traffic must be terminated on the firewall. Time synchronization must be guaranteed throughout the network. A website should be served by the internal web server and reachable from the Internet. The terminal / Windows server should be reachable via RDP from the Internet. The terminal / Windows server itself, and all its users, should get access to the Internet. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch Microsoft s Security Center, in combination with the collected data on the firewall, is reporting a growing number of attacks on the publicly available resources. This has forced the IT administrator to take the services offline. But because of the importance of the services, the CTO has decided to put them back online, even though they are not sufficiently patched. The IT administrator and the CSO decided to protect the resources via an SSL VPN solution. Therefore, an SSL VPN solution with the companion application CudaLaunch needs to be configured and rolled out to the clients. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access Security guidelines and best practices always highlight that a management interface must be protected from intruders. Therefore, direct access from an untrusted network to the management interface should be prohibited. To resolve this design flaw, only access via a client-to-site or the terminal / Windows server should be allowed. Without adding additional services into the cloud environment, the Barracuda CA is the perfect fit to authenticate against the VPN service and grant access to the management interface. To protect access to the public IP / DNS name even further, the CSO has decided to use the Network Security Groups feature. It should block all incoming traffic, except the one for SSL VPN and VPN, and allow all outgoing traffic created by the clients inside the VNET. Improve IOPS Performance Increased demand on an environment is a sign that a project has been successful. However, the IT administrator has been getting reports that connections are sometimes dropped or get stalled. These situations resolve themselves within time, but the admin fears that the number of such issues can increase down the road. There are already some ideas on the table as to why these issues occur. The IT team strongly believes that the virtual machine size-limited IOPS is the reason. It is therefore necessary to limit the IOPS and increase the number of possible IOPS without downtime.

4

5 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Lab Outline N Use objects and inheritance of configuration values wherever possible. N The lab outline demonstrates one of several possible solutions based on the lab description above. Therefore, use it only as a guide, not as the only solution of the lab description. Task 1. The Firewall Engine This lab helps you to understand the pre-deployed virtual network in Azure. After understanding the traffic flow within the network, the pre-deployed firewall gets configured to allow access to specific resources. Step 1. Verify the Pre-Deployed Setup Log into Azure. 1. Access the Azure Portal at using a pre-installed browser. 2. Log in with the credentials provided in the topology diagram: User: cudauser@universitybarracuda.onmicrosoft.com Password: <use provided credentials> Check your preconfigured Azure topology. 1. In the left navigation pane, click Resource groups 2. Select the Resource group assigned by your instructor and verify that all settings from your network topology plan are correct. Virtual Network: vnnet-x-y Virtual Network > Subnets: ngnet, webnet, tsnet Virtual machine > Network interfaces: NAME, PRIVATE IP ADDRESS Network interface > IP configurations: PRIVATE IP ADDRESS (Static) Network interface > IP configurations: IP forwarding > Enabled Route Table > Routes: Address Prefix: /0 NEXT HOP: NGFW-IP Route Table > Subnets: webnet Network security group: Inbound/Outbound security rules predefined by Azure Public IP Address: DNS Name (External access: dnsname.region.cloudapp.azure.com) Availability set > Virtual machines: NG-AS Connect to the NextGen Firewall F - Welcome page. 1. Go to Resource Group > NGFW - Virtual Machine > Properties > Public IP Address / DNS Name Label > Overview > Essentials and copy the DNS name. 2. Start a new tab in your web browser and paste the DNS name (External access). 3. You should now see the NextGen Firewall F - Welcome page. 4. Download and install NextGenAdmin.exe. Connect to your firewall. 1. Launch NextGen Admin. 2. Select Firewall and enter the DNS name (External access) for your NGF (dnsname.region. cloudapp.azure.com). 3. Enter your login credentials: Username: root

6 6 Microsoft Azure - NGF0501 Barracuda NextGen Firewall F Lab Guide Password: <use provided credentials> 4. The Authentication Check window opens, select Trust Key. 5. Click Sign In. 6. In NextGen Admin, the Dashboard tab is selected by default.

7 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Step 2. Basic Network Configuration Deactivate the preconfigured DHCP interface and configure it as an interface with a static IP. 1. Go to Configuration Tree > Network > xdsl/dhcp/isdn 2. Click Lock. 3. In the DHCP Client Setup section, set DHCP Enabled to no. 4. In the left navigation pane, click IP Configuration. 5. In the Management IP and Network section, adjust the management interface to use a static IP address. Set the check box next to Interface Name labeled Other to active. You can now enter a custom value into the Interface Name field. Interface Name: eth0 Management IP: Associated Netmask: 24-Bit Responds to Ping: yes Use for NTPd: yes Configure the default route. 1. Change to the Routing configuration by clicking Routing in the left navigation pane. 2. Click the + sign above the IPv4 Routing Table to add the default route. Specify the following values: Name: default Target Network Address: /0 Gateway: Trust Level: Unclassified Activate your changes. 1. Click Send Changes and Activate. 2. Go to Control > Box > Network and click on Activate new network configuration > Failsafe. Define the DNS Server IP as and check the Time Settings. 1. Go to Configuration > Box > Administrative Settings. 2. In the left navigation pane, expand Configuration and click DNS Settings. 3. In the Basic DNS Settings section, add as a new entry to the DNS Server IP table. 4. In the left navigation pane, click Time Settings/NTP. 5. In the Time Settings section, choose your local time zone. 6. In the NTP Settings section, set the following parameters: NTP sync on Startup: yes Time Server IP: time.windows.com Start NTPd: yes Step 3. Configure the Firewall Engine Create a network object for every subnet within the VNET and a VNET object grouping all subnet objects. 1. Go to Configuration > Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Networks. 2. Click Lock. 3. Click the + sign in the top-right corner of the screen to open the Edit/Create Network Object window. 4. Create the following objects: Name:ngnet Include Entries: /24 Type: Single Network Address

8 8 Microsoft Azure - NGF0501 Barracuda NextGen Firewall F Lab Guide Name: webnet Include Entries: /24 Type: Single Network Address Name: tsnet Include Entries: /24 Type: Single Network Address Name: NG00 Include Entries: Type: Single IP Address Name: Webserver Include Entries: Type: Single IP Address Name: Terminalserver Include Entries: Type: Single IP Address Click Send Changes and Activate Allow HTTP/HTTPS traffic directly to the web server. N Do not allow the entire Internet to access the web server because this could lead to major security N issues in the environment. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules. 2. Create a rule allowing HTTP/HTTPS traffic from the Internet to the web server over the firewall. Name: internet-2-webserver-http-s Action: Dst NAT Source: Internet Service: HTTP+S Destination: All Firewall IPs Redirection: Webserver (set the Reference check box to active) Connection Method: Original Source IP 3. Move it to the appropriate position in the ruleset. 4. Click Send Changes and Activate. Allow RDP traffic directly to the terminal server. N Do not allow the entire Internet to access the terminal server because this could lead to major security N issues in the environment. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules Access Rules. 2. Create a rule allowing RDP traffic from the Internet to the terminal server over the firewall. Name: internet-2-terminalserver-rdp

9 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Action: Dst NAT Source: Internet Service: RDP Destination: All Firewall IPs Redirection: Terminalserver (set the Reference check box to active) Connection Method: Original Source IP 3. Move it to the appropriate position in the ruleset. 4. Click Send Changes and Activate. Deactivate all unnecessary rules. 1. Right-click all the preconfigured rules not needed for the setup and click Deactivate Rule. Test the connectivity and enforcement of the access rules. 1. Open a web browser and verify that you can connect to the web server through region.cloudapp.azure.com] 2. Open an RDP connection to the terminal server using the DNS name (External access). 3. Disable Enhanced internet security in the terminal server: Start > Server Manager > Local Server > Properties > Internet Explorer Enhanced Security Configuration > Administrators/Users > OFF. Create appropriate access rules to allow the terminal server access to the Internet. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules. 1. Click Lock and the + sign to add a new: Name: Terminalserver-2-Internet Action: Pass Source: Terminalserver Service: Any Destination: Internet Connection Method: Dynamic NAT 2. Click Send Changes and Activate. Test connectivity and accessibility. Open the RDP connection to the terminal server and launch Internet Explorer. 1. Go to 2. In NextGen Admin, monitor your session on the Firewall > Live and Firewall > History pages. Task 2. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch Not every resource in the VNET must be shared with everyone in the Internet. SSL VPN and CudaLaunch allows you to get access to resources inside the network, but without giving public access to these services. Step 1. Configure the SSL VPN Service Connect to your firewall. 1. Launch NextGen Admin. 2. Select Firewall and enter the DNS name (External access) for your NGF (dnsname.region.cloudapp.azure.com). 3. Enter your login credentials: Username: root Password: <use provided credentials>

10 10 Microsoft Azure - NGF0501 Barracuda NextGen Firewall F Lab Guide Activate 443 for SSL VPN service. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Settings. 2. Click Lock. 3. Click Click here for Server Settings. 4. Change Use port 443 to NO. 5. Click OK. 6. Click Send Changes and Activate. Create the user for the SSL VPN within NGF Local Authentication. 1. Go to Configuration Tree > Infrastructure Services > Authentication Service > NGF Local Authentication. 2. Create a user. NGF Local Scheme: Yes Click the + sign. Username: <yourname> Password: <securepassword> 3. Click Send Changes and Activate. Configure the SSL VPN default. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN. 2. Activate the SSL VPN service in General Service Settings: Enable SSL VPN: Yes Enable CudaLaunch: Yes (up to 7.1 only) 3. Add the Listen IPs: In the Listen IPs table, click the + sign. Listen IP: In the left navigation pane, click Authentication & Login. 5. In the User Authentication section, select Authentication Scheme and add NGF Local. 6. Click Send Changes and Activate. Check the SSL VPN service. 1. Go to Control > Resources. 2. Right-click in the table Resources and select Search for Text. 3. In the Search Window, select Search Text and search for ssl. 4. Double-click on the resource sslvpn-engine. 5. In the Info Dialog Window, check the Listening Sockets: Listening Sockets: :443 Create the SSL VPN - proxied web app. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN. 2. In the left navigation pane, click Web Apps. 3. Add the web server: In the Proxied Web Apps table, click the + sign. Name: Webserver Web Apps Template: Generic Visible Name: Webserver Root URL: Allowed User Groups: * 4. Click OK 5. Click Send Changes and Activate.

11 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Create the SSL VPN - native app. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN. 2. In the left navigation pane, click Native Apps. 3. Add the application server: In the Native Apps table, click the + sign. Name: terminalserver Visible Name: Terminalserver Application Server Hosts: Application Protocol: RDP Application TCP Port: 3389 Client Loopback TCP Port: 0 Allowed User Groups: * 4. Click OK. 5. Click Send Changes and Activate. Allow HTTPS traffic directly to the SSL VPN service. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > Firewall > Forwarding Rules. 2. Create/Check the rule allowing HTTPS traffic from the Internet to the SSL VPN service. Name: SERVICE-VPN-ACCESS Action: App-Redirect Source: ANY Service: HTTPS,NGF-VPN Destination: All Firewall IPs Redirection: Move it to the appropriate position in the ruleset. 4. Click Send Changes and Activate. Test the connectivity and enforcement of the access rules. 1. Open a web browser and verify that you can connect to the web server region.cloudapp.azure.com] 2. Select Continue to this Website when the certificate error comes up. 3. When the SSL VPN web portal starts, fill in the NGF local username and password and click Log in. Step 2. CudaLaunch Install CudaLaunch and test the RDP connection through the SSL VPN tunnel. 1. For Windows, download CudaLaunch from For mobile users, open a web browser and verify that you can connect to the web server name/external access] When the SSL VPN web portal starts, fill in the NGF local user login and password. On the top left of the page, select the icon Settings > Settings > Downloads > CudaLaunch 2. Install CudaLaunch and open it. 3. Add the DNS name/external access to connect with the SSL VPN service. Enter the hostname of the server you want to connect to: DNS name/external access 4. Click Connect and fill in the NGF local username and password. Then click Log in. 5. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the required user credentials: Username: student Password: <Terminalserver_password> 6. Launch NextGen Admin.

12 12 Microsoft Azure - NGF0501 Barracuda NextGen Firewall F Lab Guide 7. On the Firewall > Live and Firewall > History pages, monitor your session. Deactivate the Dst NAT rules from the Internet to internal servers. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules. 2. Select the following rules: Name:internet-2-webserver-http-s Name:internet-2-terminalserver-rdp 3. Right-click and select Deactivate Rules. 4. Click Send Changes and Activate. With CudaLaunch, check the RDP connection through the SSL VPN tunnel. 1. Open CudaLaunch. 2. Add the DNS name/external access to connect with the SSL VPN service. Enter the hostname of the server you want to connect to: DNS name/external access 3. Click Connect and fill in the NGF local username and password and click Log in. 4. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the required user credentials: Username: student Password: <Terminalserver_password> Task 3. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access To secure management within the VNET, it is necessary to avoid any direct management connections and to block all unsecure protocols to hosts inside the VNET. This is why a client-to-site VPN should be terminated on the NextGen Firewall and used as the only way to access the inside of a VNET. Step 1. Configure Client-to-Site VPN Connect to the primary Firewall. 1. Launch NextGen Admin 2. Select Firewall and enter the DNS Name (External access) for your NGF (dnsname.region.cloudapp.azure.com) 3. Enter your login credentials: Username: root Password: use your provided credentials Create VPN service certificate. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Settings 2. Click Click here for Server Settings 3. Create a new Default Key 4. Create a new certificate by using Ex/Import > New/Edit Certificate Create a client network used for the VPN connection. 1. Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Client Networks 2. Right-click and open New Client Network Name: C2SMGMTNetwork Network Address: Network Mask: 24 Gateway: Type: routed

13 Lab Guide Barracuda NextGen Firewall F Microsoft Azure - NGF Create a service key that can be used by the Barracuda VPN CA. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Service Certificate/Keys 2. Right-click and open New Key Name: ServiceKey Key Length: Click Send Changes and Activate Create a Barracuda VPN CA template routing traffic into the VNET. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > Client to Site > Barracuda VPN CA > Templates 2. Right-click and open New Template Name: C2S-MGMT-Template DNS: Domain: cudau.org Network Routes: /16 Create a personal license to be used with the VPN Client and export it. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > Client to Site > Barracuda VPN CA > Pool Licenses 2. Right-click on the lower field and open New personal license Index: <choose provided one> Used by: <yourname> Network: C2SMGMTNetwork Template: C2S-MGMT-Template ENA: no VPN always ON: No Scheme: ngflocal User ID: <yourname> VPN-Type: Personal + SSL License Type: File Server Key: ServiceKey 3. Click Export to File and export it as a *.vpn VPN Server: <NG00 Public IP> 4. Click Send Changes and Activate N This file can be directly imported into an already installed VPN Client with all settings provided except the N password. Otherwise download the VPN client from login.barracudanetworks.com Create the user for the personal license within ngflocal. 1. Go to Configuration Tree > Infrastructure Services > Authentication Service > NGF Local Authentication 2. Create a user matching the name used in the personal license in the field User ID NGF Local Scheme: Yes Click the + sign Username: <yourname> Password: <securepassword> 3. Click Send Changes and Activate

14 14 Microsoft Azure - NGF0501 Barracuda NextGen Firewall F Lab Guide vcreate appropriate access rules to allow VPN clients access to the subnets. 1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Networks 2. Create a network object for the VPN network Name: C2S-VPN-MGMT-Network Include Entries: /24 Type: Single IPv4 network 3. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules 4. Allow the VPN network access to ngnet Name: C2S-MGMT-2-ngnet Action: Pass Source: C2S-VPN-MGMT-Network Service: Any Destination: ngnet Connection Method: Original Source IP 5. Click Send Changes and Activate Test connectivity and accessibility. 1. Connect to the firewall hosted in Azure using the exported VPN profile. 2. Test connectivity to the internal IP of your firewall. Step 2. Network Security Groups Secure access to the network also with Azure tools Log into Azure. Configure the network security group assigned to the primary firewall. Allow inbound traffic for HTTP, HTTPS and the TINA protocol. Allow any outbound traffic. Test connectivity and accessibility. Test your connectivity by trying to access your firewall via NextGen Admin directly without connected VPN. Verify connectivity to the SSL VPN portal. Connect using the VPN Client to get back management access. Task 4. Improve IOPS Performance Step 1. Increase maximum IOPS Adding additional data disks in Raid 0 extends the maximum IOPS count. Log into Azure. Add additional data disks to the firewall. Limit the size of the data disks to 1 GB to save time. Create a RAID0 and move /phion0 onto the created RAID. Step 2. Decrease generated IOPS Limit the number of generated IOPS by deactivating some services, but do not weaken the monitoring features too much. Log into the firewall. Change the log mechanism to not be written to disk, but keep logs in RAM. We do not want to lose the logs at all, and in the future Microsoft s OMS should be able to get logs streamed. Turn off statistics for all layers. Remove services that are not being actively used.

15

16 campus.barracuda.com