Sometimes you need to step outside of your usual sphere of technologies, and this is one of those times. I have, for a project, needed to become quite conversant with the Barracuda NG Firewall.
So, it makes sense that I can get one to play with at home. It will run on KVM, Xen, Citrix XenServer, Hyper-V and VMWare. But will it run in UNetLab?
Let’s find out. Before we do that though I am going to do a very quick review.
Barracuda NG Firewall review
I must say that when I was given the options of what firewall to run (the choices being either Check Point or Barracuda, I immediately banged my hand on the table and proclaimed my desire to run Check Point.
Have you every tried to download a trial from Check Points website? It’s almost impossible without having to sacrifice a goat or something. Barracuda, on the other hand, make getting an eval a very simple task.
So, we rolled out our first NG Firewall and, with a lot of help from Barracuda, I must say I am rather impressed.
Coming from an ASA background, some things don’t seem to work as easily, such as the firewall ruleset, but in reality, this is just a mindset issue, and really, it does work well if you stop thinking like an ASA.
There are a couple of things I really love about the NG Firewalls, and that is the ability to cut and paste. Now I know that cutting and pasting has been around for ages, but it’s nice that if you have two firewalls, one already set up with Site to Site VPNS, you can copy the VPN settings to the clipboard, and paste them onto the new firewall.
It makes life so much easier, you can do this access-rules as well, and it will even change the box IPs for you, and automatically create any custom objects required for the rule.
It’s early days yet, but as I get more to grips with the NG, the more I like it.
Anyway, that’s my three minute Barracuda NG Firewall review. Let’s set one up in UNetLab.
Running the Barracuda NG Firewall in UNetLab
This is my very simple topology.
The router (lazily named “R”) will have the IP address 192.168.100.1 (/24), and the NGF will use 192.168.100.10, the Windows PC will use 192.168.100.21.
To install the NG Firewall in UNetlab you need to download the OVA file from Barracuda. You can sign up for free at https://www.barracuda.com/purchase/evaluation. Select Firewall NG and fill out the form.
To install it you need to copy the OVA file to your UNetLab machine, extract, convert, rename, move it and run the fixpermissions wrapper:
[email protected]:/tmp# cd /tmp/ [email protected]:/tmp# tar -xvf GWAY-6.1.0-112-VC610.ova [email protected]:/tmp# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 GWAY-6.1.0-112-VC610-disk1.vmdk hda.qcow2 [email protected]:/tmp# mkdir /opt/unetlab/addons/qemu/win-barracuda-6.1.0 [email protected]:/tmp# mv hda.qcow2 /opt/unetlab/addons/qemu/win-barracuda-6.1.0/ [email protected]:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Once this is done, you can create the topology add it. Note that there will soon be a proper UNetLab template for this! All being well, it will boot up:
The VM will then enter ART (Active Recovery Technology), here you can set a static IP address:
Now save it. If you are using a Mac, then press fn + F3 to save.
You should now have connectivity:
Router(config)#int e0/1 Router(config-if)#ip add 192.168.100.1 255.255.255.0 Router(config-if)#no shut Router(config-if)#end Router#ping 192.168.100.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.100.10: !!!!! Success rate is 100 percent (5/5) Router#
The tricky part is how to get the NGAdmin utility loaded on the Windows VM, this was a neat little thing I learned today. It also deserves (well I think so) a post of its own, so click here to find out how to load files into a Qemu VM.
So once we have our files loaded into the Windows VM, we can fire up the NGAdmin console.
It shows us the splash screen:
And we can log in using root and the password of “ngf1r3wall”.
Click on Trust at the Authentication check box
If (like me) you havn’t got your UNetLab network hooked into your main network, then click on Cancel at this box:
After a few moment, we have logged into the box, and we have two days in which to register it with Barracuda. So, it will need to have proper internet access.
A couple more screenshots:
It all looks pretty happy. I haven’t done any of the configuration yet, but will do posts on those later on. Need to get my NG licensed first.