

Configure NextGen Firewall and Web Application Firewall Integration

WAF Integration NGF


#1 Sander de Jongh

Posted 19 November 2018 - 09:26 AM



We are trying to create a new Barracuda NGF and WAF Integration into our Microsoft Azure infrastructure.


Current Setup:


1. Full MS-Azure infrastructure, consisting of only one MS-Azure Virtual Network and three two separate MS-Azure subnets.

2. We placed the Barracuda NGF device in (MS-Azure-Subnet-1) and the Barracuda WAF in (MS-Azure-Subnet-2).

3. Azure VN-subnet 3 holds a dedicated MS-IIS (test) HTTP/HTTPS web server.

4. Followed all steps documented in: https://campus.barra...ll-integration/

5. Created a dedicated MS-Azure Routing Table:

Default-gateway: (redirect all network traffic ( > virtual-device > IP address Barracuda NGF VM) and linked to the Barracuda WAF (back-end) device


After testing, all HTTP/HTTPS traffic coming into the Barracuda NGF (front-end) device does not automatically get forwarded to the Barracuda WAF (back-end) device. Only after changing the Connection Method in the Barracuda NGF forwarding rule-set from "Original Source IP" to "Dynamic SNAT" does all incoming HTTP/HTTPS traffic successfully get forwarded to the Barracuda WAF (back-end) device.


However, in the Barracuda WAF access logs we now only see the IP address of the Barracuda NGF (front-end) device as the original source IP.


Has anyone had the same infrastructure setup issues?


In addition, the above Barracuda imp. documentation states to use only "Original Source IP" for the NGF Connection Method, and not the "Dynamic SNAT" setting. Is this setting correct?


Second: does anybody know how to change the "default gateway IP address" of the Barracuda WAF device, as requested in the same document? This option is grayed out by default in the MS-Azure WAF (VM).


Alternatively, can this simply be solved by issuing a dedicated MS-Azure Routing table for the Barracuda WAF device that automatically forwards all network traffic (0.0.0/0) to the Barracuda NGF (front-end) device?