Barracuda Cloudgen Firewall

Barracuda Cloudgen Firewall modeling rule and parsing rule for XSIAM

Overview

Barracuda CloudGen Firewall is a next-generation firewall and SD-WAN solution. It combines security and SD-WAN into a single platform, providing secure connections across your entire network that are all managed from one central location.

This pack includes

Data normalization and querying capabilities:

  • Rules for parsing and modeling firewall activity logs that are ingested via BrokerVM into Cortex XSIAM.
  • Querying ingested Barracuda Cloudgen Firewall logs in XQL Search using the barracuda_cgfw_raw dataset.

Supported log categories

  • Logs from the box/Firewall/Activity log file. For more information, see here
  • This pack only supports syslog in a key=value format.

Supported timestamp formats

Timestamp parsing is only supported for UNIX timestamp (UTC).


Data Collection

Barracuda Cloudgen Firewall side

You need to configure Barracuda Cloudgen Firewall to forward Syslog messages.

  1. Go to CONFIGURATION -> Full Configuration -> Box -> Infrastructure Services -> Syslog Streaming.
  2. Click Lock.
  3. Set Enable Syslog Streaming to yes.
  4. Click Send Changes and Activate.
    For more information, see here
  • Important: To ensure logs are ingested and modeled correctly, you must configure the log message structure as key=value pairs. Follow the steps below:
  1. Go to CONFIGURATION -> Full Configuration -> Box -> Infrastructure Services.
  2. Look for Activity Log Mode.
  3. Change the mode to Log-Pipe-Separated-Key-Value-List. This tells the firewall to format its log entries with pipes separating the key=value pairs (e.g., key1=value1|key2=value2).
  4. After changing general firewall configuration settings, perform a Firmware Restart (CONTROL -> Box) for the changes to take effect.
    For more info, see here
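
One way to check a captured message body before streaming to the Broker VM, as an added example that is not part of the pack: it verifies the pipe-separated key=value structure and that the timestamp is a UNIX epoch value. The key names (`ts`, `action`, `src`, `dst`, `info`), the sample lines, and the assumption that the timestamp is in seconds are constructed for illustration and are not taken from Barracuda's field list.

```python
import re
from datetime import datetime, timezone

KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")   # conservative key syntax (assumption)
EPOCH_RE = re.compile(r"[0-9]{1,10}")                # epoch seconds, ASCII digits only

def parse_kv_line(payload):
    """Split a key1=value1|key2=value2 payload into a dict; raise ValueError otherwise."""
    fields = {}
    for token in payload.strip().split("|"):
        if not token:                                # tolerate a stray leading/trailing pipe
            continue
        key, sep, value = token.partition("=")       # split on the first '=' only
        if not sep or not KEY_RE.match(key):
            raise ValueError(f"not a key=value token: {token!r}")
        fields[key] = value                          # empty values are allowed
    if not fields:
        raise ValueError("no key=value pairs found")
    return fields

def check_line(payload, ts_key="ts"):
    """Return (ok, detail): detail is the UTC time on success, the reason on failure."""
    try:
        fields = parse_kv_line(payload)
    except ValueError as exc:
        return False, str(exc)
    raw_ts = fields.get(ts_key, "")
    if not EPOCH_RE.fullmatch(raw_ts):
        return False, f"{ts_key}={raw_ts!r} is not a UNIX timestamp"
    when = datetime.fromtimestamp(int(raw_ts), tz=timezone.utc)
    return True, when.isoformat()

# Constructed sample payloads (syslog header already stripped).
SAMPLES = [
    # Expected mode; note the value that itself contains '='.
    "ts=1693132800|action=Allow|src=10.0.0.5|dst=192.0.2.10|info=rule=LAN-2-INTERNET",
    # Activity Log Mode left on a non key=value format.
    "2023-08-27 10:40:00 Allow 10.0.0.5 192.0.2.10",
    # key=value structure, but a formatted date instead of an epoch value.
    "ts=2023-08-27T10:40:00Z|action=Block|src=10.0.0.6",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ok, detail = check_line(line)
        print("OK  " if ok else "FAIL", detail)
```
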

Cortex XSIAM side - Broker VM

To create or configure the Broker VM, use the information described here.

Follow the steps below to configure the Broker VM to receive Barracuda Cloudgen Firewall logs.

  1. Navigate to Settings → Configuration → Data Broker → Broker VMs.

  2. Go to the APPS column under the Brokers tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.

  3. Click Add New.

  4. When configuring the Syslog Collector, set the following parameters:

    Parameter | Value
    Protocol  | Select UDP for the default forwarding, TCP or Secure TCP (depends on the protocol you configured in Barracuda Cloudgen Firewall).
    Port      | Enter the syslog service port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Barracuda Cloudgen Firewall.
    Format    | Enter RAW.
    Vendor    | Enter barracuda.
    Product   | Enter cgfw.

In order to use the collector, use the Broker VM option.

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: April 20, 2023
Last Release: August 27, 2025
Network Security
