Jump to content


Configuring a DMZ in Barracuda WAF(on premise)


  • Please log in to reply
1 reply to this topic

#1 Atefeh Zaker

Atefeh Zaker
  • Members
  • 2 posts

Posted 22 January 2020 - 03:08 PM

Hi team,


I want to use our on-premise "Barracuda WAF" to have a DMZ interface so that our web-servers could be put inside. I'm using the two-armed proxy mode and I want to deploy a topology but I'm a bit confused about how to configure the DM zone interface. I've read about https://campus.barra...onfigure-a-dmz/ as it explains it for a "Next Generation Firewall X" but I'm still feeling confused. Can you help me a bit about the scenario?

#2 Aravindan Anandan

Aravindan Anandan
  • Barracuda Team Members
  • 87 posts

Posted 22 January 2020 - 05:28 PM

The WAF works fundamentally different from a network firewall. While a network firewall forwards traffic between interfaces , the WAF proxies for the traffic. In two arm mode, after you configure a virtual service, when a client tries to connect to the application via the configured service, there is a TCP connection between the client and the WAF's interface. Upon inspection of the traffic, if the traffic is valid, the payload is sent to the backend application on a totally different TCP connection. Due to this mode of operation, there is really no way the client can directly communicate with the backend server.

Normally, the WAF's WAN interface or the interface that you want to receive the client traffic on, is connected to the DMZ interface of the network firewall. As you are deploying the waf in 2-arm deployment, the LAN interface of the waf would be setup with a new network, to which the servers would connect.

So, I don't see a reason for a DMZ network on the WAF beyond these. 

Based on this information, can you evaluate your requirement again and see if there is a need nevertheless ?