Network Group Priority

Vsites System WAF Network Groups

1 reply to this topic

#1 Atefeh Zaker

  • Members
  • 2 posts

Posted 27 January 2020 - 10:30 AM

Hi team,

 

I'm working on a Barracuda WAF and I have to route a company's traffic. I'm looking at the previous configuration, which was made poorly, and a question came to my mind that I couldn't figure out the answer to.

 

If in "NETWORKS>Interfaces>Service Virtual Interfaces" an IP (for example 10.1.0.230 (255.255.255.255)) is being configured under a LAN network interface, and if the exact IP address is there in "BASIC>Services>Services" and it's under a Service group under the "default" Vsite, this time with WAN as interface, how do the rules work here?! I mean I don't understand the priority for forcing the policies here.

(Another thing that might be helpful to add is that in "NETWORKS>Routes>Interface Routes", under the "system" network group, 10.1.0.0 (255.255.0.0) is being configured as a LAN network interface.) In other words, Vsites and System are two network groups defined in WAN and routing configuration can be made in both. And from what I see, some conflict-of-interest policies can be made in these two. Which ones are prioritized and why? Can you kindly help me out here please?

 

Cheers,

Atefeh 



#2 Aravindan Anandan

  • Barracuda Team Members
  • 85 posts

Posted 29 January 2020 - 12:51 AM

This is a valid configuration. JFYI, the system will first check the default network group configuration and, if no interface route is present, will fall back to the system network group.

Basically what it means is that there is a network 10.1.0.0/16 assigned to the LAN interface. System network group is basically the bottom of the pyramid and the network info will apply to any of the network groups including the default group. So, having a custom virtual interface of 10.1.0.230 assigned to the LAN as part of the default vsite/network group is valid. What you should watch out for is if there is a default route for the traffic hitting the LAN interface.

This configuration is a tad unusual as services are "normally" assigned to the WAN interface, but the aforesaid configuration is also valid. However, to ensure that things are configured in a simplistic and expected manner, you may be well served setting the virtual services up on the WAN interface. Let us know if you need any help around that. You can also reach out to wafsupport_team@barracuda.com if you have any questions or if you would like a tech engineer to review the configuration once.
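
The lookup order described in the reply, applied to the addresses from the question, as an added example that is not part of either post and is not Barracuda code. The data layout, the function names and the most-specific-prefix rule inside a group are assumptions made for illustration; the output is a list of items to review, not errors.

```python
import ipaddress

# Constructed sample mirroring the thread; a real configuration export will look different.
INTERFACE_ROUTES = {
    "system": [("10.1.0.0/16", "LAN")],
    "default": [],  # the vsite's own network group has no interface route
}
VIRTUAL_INTERFACES = [("default", "10.1.0.230/32", "LAN")]
SERVICES = [("default", "10.1.0.230", "WAN")]


def resolve_interface(group, ip, routes=INTERFACE_ROUTES):
    """Order from the reply: the service's own network group first, then 'system'."""
    addr = ipaddress.ip_address(ip)
    for name in (group, "system"):
        matches = [(ipaddress.ip_network(net), iface)
                   for net, iface in routes.get(name, [])
                   if addr in ipaddress.ip_network(net)]
        if matches:
            # Assumption: inside one group the most specific prefix wins.
            net, iface = max(matches, key=lambda m: m[0].prefixlen)
            return name, str(net), iface
    return None


def audit(services=SERVICES, vifs=VIRTUAL_INTERFACES, routes=INTERFACE_ROUTES):
    """List service IPs whose interface differs from the virtual interface or route."""
    findings = []
    for group, ip, svc_iface in services:
        addr = ipaddress.ip_address(ip)
        for _vgroup, vnet, viface in vifs:
            if addr in ipaddress.ip_network(vnet) and viface != svc_iface:
                findings.append((ip, f"service on {svc_iface}, virtual interface on {viface}"))
        hit = resolve_interface(group, ip, routes)
        if hit is None:
            findings.append((ip, "no interface route in own group or system"))
        elif hit[2] != svc_iface:
            findings.append((ip, f"service on {svc_iface}, {hit[0]} route {hit[1]} uses {hit[2]}"))
    return findings


if __name__ == "__main__":
    for ip, note in audit():
        print(ip, "->", note)
```
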