
How to run Barracuda NG Firewall on UNetLab

Sometimes you need to step outside of your usual sphere of technologies, and this is one of those times. I have, for a project, needed to become quite conversant with the Barracuda NG Firewall.

So, it makes sense that I can get one to play with at home. It will run on KVM, Xen, Citrix XenServer, Hyper-V and VMware. But will it run in UNetLab?

Let's find out. Before we do that though I am going to do a very quick review.

Barracuda NG Firewall review

I must say that when I was given the options of what firewall to run (the choices being either Check Point or Barracuda), I immediately banged my hand on the table and proclaimed my desire to run Check Point.

Have you ever tried to download a trial from Check Point's website? It's almost impossible without having to sacrifice a goat or something. Barracuda, on the other hand, make getting an eval a very simple task.

So, we rolled out our first NG Firewall and, with a lot of help from Barracuda, I must say I am rather impressed.

Coming from an ASA background, some things don't seem to work as easily, such as the firewall ruleset, but in reality, this is just a mindset issue, and really, it does work well if you stop thinking like an ASA.

There are a couple of things I really love about the NG Firewalls, and that is the ability to cut and paste. Now I know that cutting and pasting has been around for ages, but it's nice that if you have two firewalls, one already set up with Site to Site VPNs, you can copy the VPN settings to the clipboard, and paste them onto the new firewall.

It makes life so much easier. You can do this with access rules as well, and it will even change the box IPs for you, and automatically create any custom objects required for the rule.

It's early days yet, but as I get more to grips with the NG, the more I like it.

Anyway, that's my three minute Barracuda NG Firewall review. Let's set one up in UNetLab.

Running the Barracuda NG Firewall in UNetLab

This is my very simple topology.

Barracuda NG Firewall in UNetLab

The router (lazily named "R") will have the IP address 192.168.100.1 (/24), the NGF will use 192.168.100.10, and the Windows PC will use 192.168.100.21.

To install the NG Firewall in UNetLab you need to download the OVA file from Barracuda. You can sign up for free at https://www.barracuda.com/purchase/evaluation. Select Firewall NG and fill out the form.

To install it you need to copy the OVA file to your UNetLab machine, extract, convert, rename, move it and run the fixpermissions wrapper:
root@unl01:/tmp# cd /tmp/
root@unl01:/tmp# tar -xvf GWAY-6.1.0-112-VC610.ova
root@unl01:/tmp# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 GWAY-6.1.0-112-VC610-disk1.vmdk hda.qcow2
root@unl01:/tmp# mkdir /opt/unetlab/addons/qemu/win-barracuda-6.1.0
root@unl01:/tmp# mv hda.qcow2 /opt/unetlab/addons/qemu/win-barracuda-6.1.0/
root@unl01:/tmp# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
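An added example, not part of the original post: the commands above unpack a downloaded archive as root inside shared /tmp, so this sketch unpacks the OVA into a private directory instead and checks the files against the OVF manifest (.mf) if the archive carries one. It assumes GNU tar and coreutils; the function names are made up for this example, and the post does not say whether this particular OVA ships a manifest.

```shell
#!/bin/sh
# Added example: unpack an OVA into a private directory and check it against
# its own OVF manifest before converting the disk. Assumes GNU tar and coreutils.

# Read member names on stdin; fail on absolute paths or ".." components.
names_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Check each "SHA256(file)= digest" / "SHA1(file)= digest" manifest line in dir $1.
# Returns 0 if all match, 1 on a mismatch, 2 if there is nothing to check.
verify_manifest() {
    mf=$(ls "$1"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || return 2
    checked=0
    for alg in 1 256; do
        sums=$(sed -n "s/^SHA${alg}(\(.*\))= *\([0-9a-fA-F]*\).*/\2  \1/p" "$mf")
        [ -n "$sums" ] || continue
        (cd "$1" && printf '%s\n' "$sums" | "sha${alg}sum" -c >/dev/null 2>&1) || return 1
        checked=1
    done
    [ "$checked" -eq 1 ] || return 2
}

# Unpack OVA $1 and print the directory holding the extracted files.
unpack_ova() {
    tar -tf "$1" | names_safe || { echo "unsafe member name in $1" >&2; return 1; }
    out=$(mktemp -d) || return 1          # private 0700 dir, not shared /tmp
    # --no-same-owner: as root, do not adopt the uid/gid recorded in the archive
    tar -xf "$1" -C "$out" --no-same-owner || { rm -rf "$out"; return 1; }
    rc=0
    verify_manifest "$out" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "manifest digest mismatch, discarding $out" >&2
        rm -rf "$out"
        return 1
    fi
    [ "$rc" -eq 0 ] || echo "no manifest in $1; integrity not checked" >&2
    echo "$out"
}

# Usage: sh unpack_ova.sh GWAY-6.1.0-112-VC610.ova
if [ "$#" -ge 1 ]; then
    unpack_ova "$1"
fi
```

A matching manifest only shows that the download is intact and self-consistent. The printed directory is where the qemu-img convert step would then find the .vmdk.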
Once this is done, you can create the topology and add it. Note that there will soon be a proper UNetLab template for this! All being well, it will boot up:

Barracuda NG Firewall bootup

The VM will then enter ART (Active Recovery Technology), where you can set a static IP address:

Barracuda NG Firewall ART configuration

Now save it. If you are using a Mac, then press fn + F3 to save.

You should now have connectivity:
Router(config)#int e0/1
Router(config-if)#ip add 192.168.100.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#end
Router#ping 192.168.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.10:
!!!!!
Success rate is 100 percent (5/5)
Router#
The tricky part is how to get the NGAdmin utility loaded on the Windows VM; this was a neat little thing I learnt today. It also deserves (well, I think so) a post of its own, so click here to find out how to load files into a Qemu VM.

So once we have our files loaded into the Windows VM, we can fire up the NGAdmin console.

Barracuda NGAdmin-6-1-1 download for Windows

It shows us the splash screen:

Barracuda NGAdmin

And we can log in using the default username root and the password "ngf1r3wall".

Barracuda NGAdmin login default username and password

Click on Trust at the Authentication check box.

Barracuda NGAdmin login certificate

If (like me) you haven't got your UNetLab network hooked into your main network, then click on Cancel at this box:

Barracuda NGAdmin licensing

After a few moments, we have logged into the box, and we have two days in which to register it with Barracuda. So, it will need to have proper internet access.

Barracuda NGAdmin dashboard

A couple more screenshots:

Barracuda NG firewall dashboard

Barracuda NG firewall disk usage

It all looks pretty happy. I haven't done any of the configuration yet, but will do posts on those later on. Need to get my NG licensed first.


How to get files into a Qemu VM

Picture the scene, you have created a Windows VM for use in UNetLab. You loaded it with all your go-to applications, and are good to go.

A week or so down the line you have a new requirement, that demands a certain application to be loaded on to the VM.

What do you do? Delete the VM and recreate it? That would be a waste of a license. VNC doesn't handle cut and paste, and you can't get it connected to your internal network in order to download it.

I had this issue today. For a post on how to run Barracuda NG Firewall in UNetLab, I needed to run the NGAdmin program. But the pnet0 interface wouldn't play ball, and I can't cut and paste from my Mac into the VNC.

So, I mulled over my options for a moment, then realised that I could copy the files I needed to the /tmp/ directory on the UNetLab box and make an ISO of that folder. This can then be used by the Qemu guest as a standard CDRom!
UNetLab does not come with the mkisofs program by default, so you'll need to install this:
root@unl01:~# sudo apt-get install mkisofs
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'genisoimage' instead of 'mkisofs'
The following packages were automatically installed and are no longer required:
  linux-headers-3.13.0-61 linux-headers-3.13.0-61-generic
  linux-headers-3.13.0-62 linux-headers-3.13.0-62-generic
  linux-image-3.13.0-61-generic linux-image-3.13.0-62-generic
Use 'apt-get autoremove' to remove them.
Suggested packages:
  wodim cdrkit-doc
The following NEW packages will be installed:
  genisoimage
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 587 kB of archives.
After this operation, 1,580 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty/main genisoimage amd64 9:1.1.11-2ubuntu3 [587 kB]
Fetched 587 kB in 0s (840 kB/s)
Selecting previously unselected package genisoimage.
(Reading database ... 129086 files and directories currently installed.)
Preparing to unpack .../genisoimage_9%3a1.1.11-2ubuntu3_amd64.deb ...
Unpacking genisoimage (9:1.1.11-2ubuntu3) ...
Setting up genisoimage (9:1.1.11-2ubuntu3) ...
root@unl01:~#
You will need to make sure that the exe file is on your UNetLab machine:
root@unl01:~# ls /tmp/
netio32768  ngadmin_6-1-0-150 (1).exe  vmware-root
root@unl01:~# cd /tmp/
It's there, so let's make a folder and move it into it:
root@unl01:/tmp# mkdir Barracuda
root@unl01:/tmp# mv ngadmin_6-1-0-150\ \(1\).exe Barracuda/
Now we can create a cdrom image in the win-7-Pro directory, called cdrom.iso (do not name it anything other than this), using the folder /tmp/Barracuda as the source:
root@unl01:/tmp# mkisofs -o /opt/unetlab/addons/qemu/win-7-Pro/cdrom.iso /tmp/Barracuda/
I: -input-charset not specified, using utf-8 (detected in locale settings)
 47.84% done, estimate finish Tue Sep  8 10:42:26 2015
 95.75% done, estimate finish Tue Sep  8 10:42:26 2015
Total translation table size: 0
Total rockridge attributes bytes: 0
Total directory bytes: 116
Path table size(bytes): 10
Max brk space used 0
10452 extents written (20 MB)
root@unl01:/tmp#
Now we can turn on the Windows VM and access the CDRom drive. If the VM was turned on before the cdrom.iso file was copied to the directory then shut it down and start it up again.

Qemu CD ROM, how to get files into Qemu guest

Bingo, the CD Rom is there. And so are my much needed files:

Qemu - working CDrom