Configuring Barracuda NextGen Firewall for your Azure Cloud Integration using ARM

Azure Cloud Integration lets the firewall connect to the Azure service fabric to rewrite Azure User Defined Routes (UDR) and to monitor the IP Forwarding setting of the NIC of the respective firewall VM. Azure User Defined Routing lets you use an F-Series Firewall high availability cluster in the public subnet as the default gateway for all VMs running in the backend networks.

Enable IP forwarding for the firewall VMs and apply an Azure routing table to the backend networks. Using a management certificate together with the Azure subscription ID, the firewall VMs can alter the Azure routing table on the fly when the virtual server fails over from one VM to the other. Azure route table rewriting must be configured on both the primary and the secondary F-Series Firewall. If a global HTTP proxy is configured, all REST API calls are sent through the proxy.

Step 1. Create the management certificate

For the firewall to be able to connect to the Azure backend, you must create and upload a management certificate. The certificate must be valid for at least two years.

  1. Log into the firewall via SSH.
  2. Create a self-signed certificate. 1095 days (three years) satisfies the two-year minimum; -nodes leaves the private key unencrypted:
    1. openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout arm.pem -out arm.pem
  3. Answer the questions at the prompt. The Common Name is used to identify this certificate in the Azure web interface.
  4. Convert the certificate to CER (DER encoding), as required by Azure:
    1. openssl x509 -inform pem -in arm.pem -outform der -out arm.cer
  5. Extract the RSA private key:
    1. openssl rsa -in arm.pem -out arm.key.pem

You now have three files: arm.pem (certificate plus private key), arm.key.pem (private key only) and arm.cer (DER-encoded certificate, public part only). Only arm.cer is uploaded to Azure; the two .pem files contain the unencrypted private key and must stay on the firewall.

Step 2. Create a custom Azure access control role for Cloud Integration

Create a custom role to use with Cloud Integration.

The role name must be unique.

  1. Launch Azure PowerShell.
  2. Create a new role by cloning an existing role. Clear all privileges and then add just the privileges needed for Cloud Integration. The subscription ID in AssignableScopes must be entered as a scope path, in the following format: "/subscriptions/abcdefg1234567891011212".
    1. # Create a custom role for NGF Cloud Integration. An existing role is cloned, all rights removed and then the proper privileges assigned
    2. $role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
    3. $role.Id = $null
    4. $role.Name = 'NGF Role'
    5. $role.Description = "Barracuda NextGen Firewall Cloud Integration"
    6. $role.Actions.Clear()
    7. # Add role definitions to the empty role
    8. $role.Actions.Add("Microsoft.Compute/virtualMachines/*")
    9. $role.Actions.Add("Microsoft.Network/*")
    10. $role.AssignableScopes.Clear()
    11. $role.AssignableScopes.Add("/subscriptions/YOUR_SUBSCRIPTION_ID")
    12. $firewallRole = New-AzureRmRoleDefinition -Role $role

Both actions are wildcards. Microsoft.Network/* in particular grants write access to every network resource inside the scope the role is assigned at, so when you assign the role in Step 3, use -Scope to limit the assignment to the resource group that holds the route table and the firewall NICs rather than the whole subscription.

Step 3. Upload the Azure management certificate via Azure PowerShell

The IdentifierUris value must be unique within the Azure AD tenant.

  1. Launch Azure PowerShell.
  2. Execute the following commands to import arm.cer as the credential of a new Azure AD application and bind the custom role to its service principal:
    1. Login-AzureRmAccount
    2. $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
    3. $key = [System.Convert]::ToBase64String($cert.GetRawCertData())
    4. $app = New-AzureRmADApplication -DisplayName "DISPLAY_NAME" -HomePage "http://localhost" -IdentifierUris "http://localhost" -CertValue $key
    5. # write down the application ID ($app.ApplicationId is the "client ID" in NextGen Admin)
    6. $princ = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    7. # wait for the service principal to be created
    8. Start-Sleep -Seconds 10
    9. # in the command below, you can use "-Scope" to restrict permissions to specific resource groups
    10. New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name -ServicePrincipalName $princ.ServicePrincipalNames[0]
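The three steps above combined into one script, with the checks a practitioner would want before handing the client ID to the firewall: it verifies that the certificate meets the two-year requirement before tying it to a service principal, polls for the service principal instead of sleeping a fixed ten seconds, restricts the role assignment to the resource group with -Scope, and reads the assignment back. This is an added example, not Barracuda's script. The file path, resource group, application name and identifier URI are placeholder assumptions, and binding the credential dates to the certificate with -StartDate/-EndDate is an assumption about what you want, not a requirement stated on the page.

```powershell
# Added example (not Barracuda's script). AzureRM cmdlets as used on the page;
# run Login-AzureRmAccount first. All names below are placeholders.
$ErrorActionPreference = 'Stop'

$pathToCERfile     = 'C:\certs\arm.cer'              # DER certificate exported in Step 1 (assumed path)
$subscriptionID    = 'YOURSUBSCRIPTIONID'
$resourceGroupName = 'RESOURCE_GROUP_NAME'            # RG holding the route table and firewall NICs
$ADAppName         = 'NGF'
$identifier        = 'http://localhost/ngf-cloud-integration'   # must be unique in the tenant (assumed value)
$roleName          = 'NGF Role'                                  # must be unique in the subscription

$subscriptionScope = "/subscriptions/$subscriptionID"
$rgScope           = "$subscriptionScope/resourceGroups/$resourceGroupName"

Select-AzureRmSubscription -SubscriptionId $subscriptionID | Out-Null

# 1. Sanity-check the certificate: two-year minimum, self-signed as generated on the firewall, 2048-bit RSA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pathToCERfile)
$lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
if ($lifetimeDays -lt 730) { throw "Certificate lifetime is $([int]$lifetimeDays) days; at least two years are required" }
if ($cert.Subject -ne $cert.Issuer) { throw "Expected the self-signed certificate generated on the firewall" }
$keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
if ($keySize -lt 2048) { throw "RSA key is $keySize bits; expected 2048" }
Write-Host "Certificate $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Custom role: clone, strip, add only the two actions, assignable only inside this subscription.
$role = Get-AzureRmRoleDefinition 'Virtual Machine Contributor'
$role.Id = $null
$role.Name = $roleName
$role.Description = 'Barracuda NextGen Firewall Cloud Integration'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Compute/virtualMachines/*')
$role.Actions.Add('Microsoft.Network/*')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($subscriptionScope)      # scope path, not a bare subscription ID
$firewallRole = New-AzureRmRoleDefinition -Role $role

# 3. AD application carrying the public certificate, plus its service principal.
#    Credential validity is pinned to the certificate's own validity (assumption, see lead-in).
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier `
    -CertValue $key -StartDate $cert.NotBefore -EndDate $cert.NotAfter
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# Directory replication can lag: poll until the principal resolves instead of a fixed sleep.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $found = Get-AzureRmADServicePrincipal -ServicePrincipalName $app.ApplicationId -ErrorAction SilentlyContinue
} while (-not $found -and (Get-Date) -lt $deadline)
if (-not $found) { throw "Service principal for $($app.ApplicationId) not visible after 2 minutes" }

# 4. Assign the role at resource-group scope: the firewall only needs to touch this RG's route table and NICs.
New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name -ServicePrincipalName $app.ApplicationId `
    -Scope $rgScope | Out-Null

# 5. Read the assignment back so what the firewall can do is confirmed, not assumed.
$assignment = Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId -Scope $rgScope |
    Where-Object { $_.RoleDefinitionName -eq $firewallRole.Name }
if (-not $assignment) { throw "Role assignment for $roleName at $rgScope not found" }

# Values needed in NextGen Admin: client ID (application ID), tenant ID, and the certificate thumbprint.
[pscustomobject]@{
    ClientId   = $app.ApplicationId
    TenantId   = (Get-AzureRmSubscription -SubscriptionId $subscriptionID).TenantId
    Thumbprint = $cert.Thumbprint
    Role       = $firewallRole.Name
    Scope      = $assignment.Scope
}
```

If the role assignment must cover route tables in several resource groups, run the New-AzureRmRoleAssignment line once per resource group rather than widening -Scope to the subscription.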

Monitoring

Go to NETWORK > Azure UDR to see the UDR routing table for all subnets in the firewall's VNET. Routes using the firewall VM as the next hop are marked with a green icon. During the UDR HA failover process this icon changes to red.


All activity is logged to the Box\Control\daemon log file.

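To confirm from the Azure side what the NETWORK > Azure UDR page shows, the following added example (not from the page or from Barracuda) reads the NICs of the firewall VMs, warns if IP forwarding is disabled on any of them, and classifies every route in the backend route table: routes of type VirtualAppliance whose next hop is one of the firewall's private IPs are the ones the firewall page marks green, while a VirtualAppliance route pointing elsewhere is stale. Resource group, VM and route table names are placeholder assumptions.

```powershell
# Added example (not part of the Barracuda page). AzureRM cmdlets; log in and select the subscription first.
$ErrorActionPreference = 'Stop'
$resourceGroupName = 'RESOURCE_GROUP_NAME'      # assumed: RG holding the firewall VMs and the route table
$firewallVmNames   = @('NGF-A', 'NGF-B')        # assumed: primary and secondary F-Series VM names
$routeTableName    = 'BACKEND_ROUTE_TABLE'      # assumed: the UDR table applied to the backend subnets

# Collect the private IP of every NIC attached to a firewall VM and check the IP forwarding prerequisite.
$firewallIps = @{}
foreach ($vmName in $firewallVmNames) {
    $vm = Get-AzureRmVM -ResourceGroupName $resourceGroupName -Name $vmName
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nicName = ($nicRef.Id -split '/')[-1]
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $resourceGroupName -Name $nicName
        if (-not $nic.EnableIPForwarding) {
            Write-Warning "IP forwarding is disabled on $nicName ($vmName); traffic routed to it will be dropped"
        }
        foreach ($ipcfg in $nic.IpConfigurations) {
            $firewallIps[$ipcfg.PrivateIpAddress] = $vmName
        }
    }
}

# Walk the route table and classify each route the way the firewall's Azure UDR view does.
$rt = Get-AzureRmRouteTable -ResourceGroupName $resourceGroupName -Name $routeTableName
$report = foreach ($route in $rt.Routes) {
    $state = switch ($route.NextHopType) {
        'VirtualAppliance' {
            if ($firewallIps.ContainsKey($route.NextHopIpAddress)) {
                "OK, next hop is $($firewallIps[$route.NextHopIpAddress])"
            } else {
                "STALE, next hop $($route.NextHopIpAddress) is not a firewall NIC"
            }
        }
        default { "not via firewall ($($route.NextHopType))" }
    }
    [pscustomobject]@{
        Route   = $route.Name
        Prefix  = $route.AddressPrefix
        NextHop = $route.NextHopIpAddress
        State   = $state
    }
}
$report | Format-Table -AutoSize

# Subnets this table is associated with; any backend subnet missing here is not routed through the firewall.
$rt.Subnets | ForEach-Object { ($_.Id -split '/')[-1] }
```

Run it once before the first failover test to record the expected state, then again after the failover: every VirtualAppliance route should now name the other firewall VM, and none should be reported as stale.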

Script for Azure PowerShell version 2.5

# run Login-AzureRmAccount before executing this script
$pathToCERfile = 'PATH_TO\arm.cer'
$ADAppName = 'DOCNGF'
# Set the resource group the Azure Route Table is in (pass it with -Scope on the role assignment to limit the permissions to that resource group)
$resourceGroupName = 'RESOURCE_GROUP_NAME'
# your subscription ID
$subscriptionID = 'YOURSUBSCRIPTIONID'
# the identifier and role name must both be unique
$identifier = 'http://localhost'
$roleName = 'NGF Role'
# Select the Azure subscription
Select-AzureRmSubscription -SubscriptionId $subscriptionID
# Create a custom role for NGF Cloud Integration. An existing role is cloned, all rights removed and then the proper privileges assigned
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = $roleName
$role.Description = "Barracuda NextGen Firewall Cloud Integration"
$role.Actions.Clear()
# Add role definitions to the empty role
$role.Actions.Add("Microsoft.Compute/virtualMachines/*")
$role.Actions.Add("Microsoft.Network/*")
$role.AssignableScopes.Clear()
# assignable scopes must be given as a scope path, not as a bare subscription ID
$role.AssignableScopes.Add("/subscriptions/$subscriptionID")
$firewallRole = New-AzureRmRoleDefinition -Role $role
# convert and upload the authentication certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($pathToCERfile)
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier -CertValue $key
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId -Verbose
# wait for the service principal to be created
Start-Sleep -Seconds 10
# -RoleDefinitionName takes the role name, not the role object; the application ID is accepted as the service principal name
New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name -ServicePrincipalName $app.ApplicationId

Script for Azure PowerShell version 3.1

# run Login-AzureRmAccount before executing this script
$pathToCERfile = 'PATH_TO\arm.cer'
$ADAppName = 'NGF'
# Set the resource group the Azure Route Table is in (pass it with -Scope on the role assignment to limit the permissions to that resource group)
$resourceGroupName = 'RESOURCE_GROUP_NAME'
# your subscription ID
$subscriptionID = 'YOURSUBSCRIPTIONID'
# the identifier and role name must both be unique
$identifier = 'http://localhost'
$roleName = 'NGF Role'
# Select the Azure subscription
Select-AzureRmSubscription -SubscriptionId $subscriptionID
# Create a custom role for NGF Cloud Integration. An existing role is cloned, all rights removed and then the proper privileges assigned
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = $roleName
$role.Description = "Barracuda NextGen Firewall Cloud Integration"
$role.Actions.Clear()
# Add role definitions to the empty role
$role.Actions.Add("Microsoft.Compute/virtualMachines/*")
$role.Actions.Add("Microsoft.Network/*")
$role.AssignableScopes.Clear()
# assignable scopes must be given as a scope path, not as a bare subscription ID
$role.AssignableScopes.Add("/subscriptions/$subscriptionID")
$firewallRole = New-AzureRmRoleDefinition -Role $role
# convert and upload the authentication certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate($pathToCERfile)
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName $ADAppName -HomePage $identifier -IdentifierUris $identifier -CertValue $key
# keep the service principal object; its ServicePrincipalNames are needed for the role assignment below
$princ = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId -Verbose
# wait for the service principal to be created
Start-Sleep -Seconds 10
New-AzureRmRoleAssignment -RoleDefinitionName $firewallRole.Name -ServicePrincipalName $princ.ServicePrincipalNames[0]