Barracuda Firewall Setup: What We Configure for Every Client Network
Barracuda CloudGen firewalls are solid hardware. But a firewall is only as good as its configuration, and most out-of-the-box setups leave gaps that attackers exploit.
Here’s what we configure on every Barracuda deployment — and what your current IT provider probably skipped.
The Basics That Get Skipped
Default admin credentials. You’d be shocked how many Barracuda units are running with admin/admin or the factory-set password. First thing we do: change the admin password to a 24-character random string stored in a password manager. Not “Company2026!” — a real password.
Firmware updates. Barracuda releases firmware updates monthly. We’ve seen units running firmware from 2021 in production networks. Every update includes security patches for vulnerabilities that are actively being exploited. We schedule monthly firmware reviews.
Unused services. The default config enables services most small businesses never use — VPN concentrators, SNMP, remote management ports. If it’s not needed, we disable it. Every open port is a potential entry point.
Firewall Rules We Always Implement
Outbound Filtering (Yes, Outbound)
Most shops only configure inbound rules. But outbound filtering catches compromised machines calling home to command-and-control servers.
We block outbound traffic to known malicious IP ranges, restrict DNS to approved resolvers (preventing DNS tunneling), and log all outbound connections to non-standard ports. If a workstation suddenly starts sending traffic to a server in Eastern Europe on port 4443, we want to know about it.
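An added example (not part of the original post, and not Barracuda tooling) of the outbound review described above: it scans connection records for DNS sent to resolvers outside the approved list and for outbound connections to non-standard ports. The log layout, resolver addresses, port list and internal ranges are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumptions for this example (not from the page): the approved resolvers,
# the "standard" outbound ports, and the internal address ranges.
APPROVED_DNS = {"10.0.0.53", "10.0.0.54"}
STANDARD_PORTS = {25, 53, 80, 123, 443, 587, 993}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log in a generic "time src dst proto dport action" layout;
# this is not Barracuda's log format.
SAMPLE_LOG = """\
2026-01-12T09:14:02 10.0.1.23 192.0.2.10 tcp 443 allow
2026-01-12T09:14:05 10.0.1.23 10.0.0.53 udp 53 allow
2026-01-12T09:15:11 10.0.1.87 203.0.113.50 tcp 4443 allow
2026-01-12T09:15:12 10.0.1.87 203.0.113.50 tcp 4443 allow
2026-01-12T09:16:40 10.0.1.45 198.51.100.9 udp 53 block
2026-01-12T09:17:03 10.0.1.45 10.0.0.20 tcp 8080 allow
malformed line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def review_outbound(log_text):
    """Return a Counter of (reason, src, dst, dport) findings worth a look."""
    findings = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed layout
        _, src, dst, proto, dport, _action = fields
        try:
            port = int(dport)
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue  # unparsable address or port
        if port == 53 and dst not in APPROVED_DNS and outbound:
            findings[("unapproved-dns", src, dst, port)] += 1
        elif outbound and port not in STANDARD_PORTS:
            findings[("non-standard-port", src, dst, port)] += 1
    return findings

if __name__ == "__main__":
    for (reason, src, dst, port), hits in review_outbound(SAMPLE_LOG).most_common():
        print(f"{reason}: {src} -> {dst}:{port} ({hits} connection(s))")
```

Blocked DNS attempts are counted as well as allowed ones, since a workstation repeatedly trying an outside resolver is worth investigating even when the rule stops it.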
Geo-IP Blocking
If your business operates in South Florida, there’s no legitimate reason for inbound traffic from certain countries. We configure geo-IP rules to block traffic from regions with high rates of automated attacks. This alone cuts scan traffic by 73% on average.
Application Layer Filtering
Layer 7 inspection catches threats that port-based rules miss. We enable application-aware filtering for HTTP/HTTPS traffic, blocking:
- SQL injection patterns
- Cross-site scripting (XSS) attempts
- Known exploit signatures
- Malformed HTTP requests
IDS/IPS Configuration
Barracuda’s built-in intrusion detection/prevention system is powerful but needs tuning. The default ruleset generates too many false positives, causing alert fatigue.
We customize the IPS profile:
- High-confidence rules: Block automatically
- Medium-confidence rules: Alert + log for review
- Low-confidence rules: Log only
- Custom rules: Tailored to the client’s application traffic patterns
After a 2-week tuning period, our clients average 3.2 actionable alerts per week instead of the 200+ noise alerts from a default config.
VPN Configuration
For clients with remote workers or branch offices, we configure the Barracuda’s built-in VPN with:
- IKEv2 (not PPTP — ever)
- Certificate-based authentication (not pre-shared keys)
- Split tunneling only for business resources (not all traffic)
- Per-user access policies restricting which internal resources each VPN user can reach
Monitoring and Alerting
A firewall that nobody monitors is just an expensive router. We configure:
- Real-time alerts for blocked intrusion attempts
- Daily summary reports emailed to the client
- Monthly threat analysis reviewing blocked traffic patterns
- Quarterly rule reviews to update policies based on new threats
The Result
Across our managed Barracuda deployments, we’ve blocked 99.7% of inbound threats before they reached the internal network. Zero ransomware incidents. Zero data breaches.
Your firewall is your first line of defense. Make sure it’s actually defending.
Need a security audit of your current firewall configuration? Contact us.