Please Read Before Updating
Before installing a new version of firmware:
- Make a backup of your configuration using the ADVANCED > Backup page.
- Read all release notes that apply to versions more recent than the one currently running on your system.
CAUTION: Downgrading to a previous major version (for example from 7.9.x to 7.8.x) is NOT recommended. Please contact Barracuda Networks Technical Support if you are considering a firmware downgrade, and make sure that you have carefully gone through the known issues sections for the earlier firmware versions.
Also, backups taken AFTER a firmware revert or downgrade (such as from 7.9.x to 7.8.x) may not be compatible for use after a subsequent firmware upgrade (such as from 7.8.x back up to 7.9.x), so make sure that you back up your configuration settings BEFORE you start any firmware change (either upgrade OR revert). If a feature is available in later versions and configuration is in place for that feature, a downgrade does retain that configuration. This means that after the downgrade, the configuration pertaining to such a feature might be visible but would not take effect.
After restoring your settings from a backup, you should always REBOOT to make sure that they take effect.
CAUTION: During an upgrade to 7.9.x, the older web firewall logs and access logs will be saved to a different file and will not appear in the User Interface.
Barracuda Web Application Firewall Product Activation
If this is a new system, you must activate your Energize Updates subscription prior to initial use. Your Energize Updates subscription includes access to Technical Support, new firmware releases and ongoing security definitions updates.
To activate your Barracuda Web Application Firewall subscription:
- Using your Web browser, go to the BASIC > Status page.
- In the Subscription Status section, check the Energize Updates entry. If Energize Updates is Not Activated, click the activation link to be redirected to the Barracuda Networks Product Activation page. Complete activation of your subscription(s).
Version 7.9
This release of the Barracuda Web Application Firewall is a major release which includes a number of usability, security and management features, some of which are highlighted below:
- Cryptographic encryption of selected URL spaces is now available
- Cookie exemption can now include the asterisk (*) wildcard character in the cookie name. [BNWF-592]
- Enhancements to the attack definition (attackdef) framework, which include:
  - Active / Passive / Off control per signature
  - Definition updates can be applied automatically without requiring a restart of the system
  - Notifications when new definitions are available
  - Tool to validate regex patterns for attack types
- Ability to view locked-out clients in the Barracuda UI
- CAPTCHA as a follow-up policy now has configuration options to deal with clients violating brute-force policies
- SSL improvements which include PFS support, SNI and recent vulnerability fixes for Heartbleed and other CVEs in OpenSSL
- Parameter names are now inspected for attacks in the request
- Access Control
  - Multi-domain support for LDAP and Kerberos
  - Support for chained authentication (LDAP + RADIUS)
- A fresh new Barracuda User Interface
- Interface information is now available on the status page itself
- Backend enhancements to logging to ensure that more access and web firewall logs are retained on the system
- Geo IP tagging of access and firewall logs
- Enhancements to search functionality, and the ability to save searches
- Enhancements to reporting functionality
- A new notification framework which provides configurable event thresholds and system- and service-related event notifications via email
- Hit counts are now available for URL Allow/Deny rules
- Password security policy can be enforced for the internal and external administrators configured on the ADVANCED > Admin Access Control page
- A rework of the templating system to provide more flexibility
- Improvements to the REST API
- Integration of the cloud functionality into the mainstream firmware
Version 7.9.0.020 (7.9 GA release)
- Fix: CVE-2014-3566: Fixes for the POODLE vulnerability in SSL 3.0
Version 7.9.0.019 (7.9 GA release)
Notes on some known issues of Barracuda Web Application Firewall version 7.9.0.019:
- The upgrade to 7.9 may take more than 5-10 mins in some cases.
Note: The 7.8.2 release has enhancements and fixes exclusively for the Barracuda Web Application Firewall Vx on Azure and AWS ONLY.
Fixes and Enhancements
- Enhancement: In the Azure cloud deployment, configuration can be synchronized among systems in an active/active cluster of two or more nodes. [BNWF-15475]
- Enhancement: The Barracuda Web Application Firewall now supports REST based APIs for configuration of Services, Security Policies, Certificates and Clustering. [BNWF-15474]
- In the Azure cloud deployment, the Virtual IP for services is fixed to the WAN IP address and cannot be changed
- The "Allowed API IP/Range", "Operation Mode", "Addresses" and "Interface for System Services" modules are not available in the Barracuda Web Application Firewall Vx deployed on Azure and Amazon Web Services
Fixes and Enhancements
- Enhancement: New kernel for facilitating deployments of Barracuda Web Application Firewall in VM environments
- Enhancement: Support for base64 decoding of parameter values before applying deep packet inspection
- Enhancement: Support for normalization of Microsoft %u encoding scheme before applying deep packet inspection
- Enhancement: Configurable status codes for Redirect action in Allow-Deny-Redirect screen
- Enhancement: The CSRF token embedded in the form can have validity period/expiry time set when CSRF Prevention is set to "Forms" or "Forms and URLs".
- Enhancement: Optimization of the configuration elements to facilitate faster configuration commits
- Enhancement: An irreversible hash is performed on the user passwords including the admin password to ensure password secrecy in the system.
- Enhancement: Automatic recovery from a Bypass state is now possible without the need for rebooting the appliance.
- Enhancement: The domain information of the client is forwarded to the server along with the user credentials in the Basic Authentication Header when Send Basic Authentication is set to Yes (ACCESS CONTROL > Authorization).
- Enhancement: Tor exit nodes can now be blocked from accessing services.
- Enhancement: For MS LDAP authentication, if the server indicates an expired password, the Barracuda Web Application Firewall can redirect the user to reset it.
- Enhancement: Redirect action can be configured as temporary redirect or permanent redirect resulting in the Barracuda Web Application Firewall using 301 or 302 response codes respectively.
- Fix: Double decoding is now applied to the URL before deep inspection.
- Enhancement: IP Reputation Filter is now available in Bridge mode.
- Fix: An issue with flow control in the SSL layer, which may affect large SSL transactions, is addressed.
- Fix: Cipher suite preference can now be enforced from the service rather than relying only on the client's preference.
- Fix: Configuration rollbacks during the "Policy Fix" operation in Web Firewall Logs have been fixed.
- Change in behaviour: Henceforth, the attack definitions are not activated automatically until "Enable Auto Apply Attack Definition" is manually set to Yes on the ADVANCED > System Configuration page. This setting ensures that the activation of definitions can be carried out during the production maintenance window.
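The base64 decoding, %u normalization and double decoding items above all rest on one principle: canonicalize a value before a signature is matched against it, otherwise an encoded payload slips past the inspection. The following is an added example of such a pipeline (not Barracuda code); the SIGNATURE is a constructed stand-in for an attack definition, and the step order and the bounded two-pass percent-decode are assumptions, not the appliance's actual implementation.

```python
"""Canonicalizing a parameter value before inspection (added example, not Barracuda code)."""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed stand-in for an attack signature: an opening script tag.
SIGNATURE = re.compile(r"<\s*script", re.IGNORECASE)

# Microsoft-style %uXXXX escapes, which urllib.parse.unquote does not handle.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_u_escapes(value: str) -> str:
    """Translate every %uXXXX escape into the code point it names."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def percent_decode(value: str, max_passes: int = 2) -> str:
    """Percent-decode up to max_passes times, so %253C becomes '<'.

    The pass count is bounded: unbounded decoding is itself a DoS vector
    and changes the meaning of legitimately double-encoded data.
    """
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def maybe_base64(value: str) -> str:
    """Return the decoded text when the value is strictly valid base64 UTF-8.

    Anything else (wrong alphabet, bad padding, non-UTF-8 bytes) is returned
    unchanged so ordinary values are not mangled.
    """
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value


def normalize(value: str) -> str:
    """Canonical form of a parameter value: decode first, inspect afterwards."""
    value = percent_decode(value)
    value = decode_u_escapes(value)  # %u escapes may surface only after percent-decoding
    return maybe_base64(value)


def inspect(value: str, normalize_first: bool = True) -> bool:
    """True when the signature matches; normalize_first=False is the naive matcher."""
    text = normalize(value) if normalize_first else value
    return SIGNATURE.search(text) is not None


# Constructed samples: one plain, three encodings of the same payload, one benign.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "ms_u_encoding": "%u003Cscript%u003Ealert(1)",
    "double_percent": "%253Cscript%253E",
    "base64": base64.b64encode(b"<script>alert(1)</script>").decode("ascii"),
    "benign": "hello%20world",
}


def evasion_report() -> dict:
    """Map each sample name to (naive_match, normalized_match)."""
    return {name: (inspect(v, False), inspect(v, True)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in evasion_report().items():
        print(f"{name:15} naive={naive!s:5} normalized={normalized}")
```

Only the plain sample is caught by the naive matcher; after normalization all three encoded variants match and the benign value still does not.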
Version 7.8
This release of the Barracuda Web Application Firewall includes the following new features and fixes:
- DDoS Enhancements - The administrators can define policies on specific URL spaces to ensure the clients are challenged with a CAPTCHA to validate themselves in case the Barracuda Web Application Firewall detects them as suspicious. These challenges thwart the attempts of DDoS on process and memory intensive resources of the backend applications from bots and crawlers. This is available from the WEBSITES > DDoS Prevention page. In addition to this, the CAPTCHA challenges can also be set as a Follow Up Action to other attacks such as SQL Injection, etc via the Security Policies > Action Policy feature. This helps to detect and thwart attempts from automated tools to repeatedly scan the website for vulnerabilities and waste resources. For example, sqlmap tool scanning for SQLi will be blocked.
- Barracuda Blocklist Integration - Barracuda Blocklist is an extensive IP reputation system that lists IP addresses that are open proxies or are botnet infected. The system relies on honeypots to flag both web and spam botnets, which are used interchangeably, depending on the need. Under a DDoS attack, these addresses can be blocked with a single click to deflate the attack, with a minimal false positive risk. This is available from the WEBSITES > DDoS Prevention page.
- True File Type checks for File Uploads - In earlier releases, file extension checks could be evaded on a file upload by changing the extension to match one of the whitelisted extensions. From this release, such evasions can be blocked by fingerprinting the file to establish its true MIME type and matching the type against a whitelist. For example, this prevents an attacker from changing a file extension from .exe to .doc and uploading it, since the file will be evaluated as application/octet-stream and blocked (assuming the latter has not been added to the Allowed Mime Types on the WEBSITES > Parameter Protection page).
- Kerberos Authentication - The AAA module has been enhanced to support Kerberos authentication to backend services like OWA, SharePoint etc using Kerberos. The front end authentication would be form based authentication while the back end uses the Kerberos protocol.
- Clickjacking Protection - Clickjacking and UI redressing attacks can now be prevented by enabling Clickjacking protection from the ADVANCED > Advanced Security page.
- SNI support - This release adds support for the SNI (Server Name Indication) extension to SSL. This is particularly useful in a virtual hosting scenario where organizations may have several domains hosted on a single server using the same IP address, with each domain having a distinct SSL certificate.
- CRL (Certificate Revocation List) support - This has been added for client certificates. CRLs can be automatically retrieved over HTTP and updated periodically by the system.
- Backup Enhancements - System backups can now be done over FTPS.
- Performance and Stability improvements - The SSL modules have been re-architected to support higher transactions per second and throughput with a smaller memory footprint, while cutting down the risk of the race conditions possible in earlier releases.
- Synchronization for Network elements - The following objects are now synchronized across the cluster: (1) VLANs (2) Static routes (3) Interface routes and (4) ACLs. Interfaces in Management network group will not be synced in cluster.
- Backup Enhancements - NTLM V2 is now supported while taking system backup.
- Deployment - System IP can now be on a VLAN interface.
- Persistence Enhancements - The Load balancing module can use HTTP header based persistence for directing traffic to backend servers.
- Usability improvements
  - Clients that have been locked out as a result of setting the Follow Up Action to Block Client can now be unblocked manually by the administrator.
  - Preferences have been added for viewing parameter profiles on the WEBSITES > Website Profiles page.
  - In a clustered setup, the Join Cluster operation is now available when the Failback Mode is manual. Earlier, it was only available in automatic mode.
  - NIC speed, duplex mode and statistics can now be viewed and edited from ADVANCED > Advanced Networking, under the configuration for Network Group: System. This is only available when Show Advanced Settings is set to Yes under ADVANCED > System Configuration.
  - Access Logs now have a host filter.
  - Interface routes and Custom Virtual Interfaces can now be edited.
  - This release adds an option for a custom message on the login page to meet compliance requirements; e.g. FISMA requires federal systems to display an access notice on the login pages.
  - A new tool has been added to find out how an IP address is categorized in the Geo IP database.
  - The data path can be manually restarted after an attack definitions update.
- Logging and Reporting
  - The logging module has been enhanced to integrate with the IBM QRadar SIEM system.
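To illustrate the True File Type check described above under Version 7.8, here is an added example (not Barracuda's implementation) that fingerprints constructed sample uploads by their leading bytes and applies a MIME whitelist, so a renamed executable is classified application/octet-stream and blocked while a genuine .doc passes. The MAGIC table and the whitelist contents are assumptions standing in for the appliance's own database and its Allowed Mime Types list, and extension_matches_type() is an extra consistency check that goes beyond what the release note describes.

```python
"""True file type check for uploads (added example, not Barracuda code)."""
import os

# Constructed magic-number table: leading bytes -> MIME type. Executables are
# deliberately absent, so a PE file falls through to application/octet-stream.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword"),  # OLE2 container (.doc/.xls)
    (b"PK\x03\x04", "application/zip"),  # also the container for .docx/.xlsx
]

# Stand-in for the configured Allowed Mime Types whitelist (assumed contents).
ALLOWED_MIME_TYPES = {"application/pdf", "application/msword", "image/png", "image/jpeg", "image/gif"}

# Stand-in for the older extension whitelist, kept only to show the evasion.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".png", ".jpg", ".gif"}

# Extension -> MIME types a file with that extension is expected to carry (assumed).
EXPECTED_TYPES = {
    ".pdf": {"application/pdf"}, ".doc": {"application/msword"},
    ".png": {"image/png"}, ".jpg": {"image/jpeg"}, ".gif": {"image/gif"},
}


def fingerprint(data: bytes) -> str:
    """MIME type from the file's leading bytes; unrecognised content is octet-stream."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def extension_check(filename: str) -> bool:
    """The pre-7.8 style check: trusts the extension the client supplied."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def true_type_check(data: bytes, allowed=ALLOWED_MIME_TYPES) -> tuple[bool, str]:
    """The 7.8-style check: (allowed?, detected MIME type); the extension is ignored."""
    mime = fingerprint(data)
    return mime in allowed, mime


def extension_matches_type(filename: str, data: bytes) -> bool:
    """Extra check beyond the release note: does the extension agree with the content?"""
    ext = os.path.splitext(filename)[1].lower()
    return fingerprint(data) in EXPECTED_TYPES.get(ext, set())


# Constructed sample uploads: a PE stub renamed .doc, a real OLE2 header, a PNG renamed .doc.
PE_RENAMED = ("quarterly-report.doc", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")
REAL_DOC = ("quarterly-report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
PNG_RENAMED = ("photo.doc", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")

if __name__ == "__main__":
    for name, data in (PE_RENAMED, REAL_DOC, PNG_RENAMED):
        ok, mime = true_type_check(data)
        print(f"{name}: extension_check={extension_check(name)} true_type={mime} "
              f"allowed={ok} consistent={extension_matches_type(name, data)}")
```

The renamed PE passes the extension check but is blocked by the true type check; the renamed PNG passes both whitelist checks and is only flagged by the extension consistency check.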
Fixes and Enhancements
- Fix: The sensitive parameters in the query string are cloaked when a request matches the rule group. [BNWF-14641]
- Fix: The encoded parameters in the URL are not decoded once the SSO Cookie Update Interval is triggered. [BNWF-14522]
- Fix: Join Cluster operation does not remove Management routes on the secondary/backup device. [BNWF-14420]
- Fix: The Server Time field in access logs was not displaying the proper time in some cases. This is fixed now. [BNWF-14410]
- Fix: Browsers cannot save the password for the auth login page automatically. [BNWF-14362]
- Fix: The CPU Utilization graph on the BASIC > Status page displays an accurate value for the time scale "Month". [BNWF-14344]
- Fix: Boot-up issues on virtual machine instances installed on the Citrix XEN Hypervisor have been fixed. [BNWF-14270]
- Fix: The virtual IP address is not duplicated in the database after the firmware upgrade. [BNWF-13778]
- Fix: An issue while filtering the logs (Web Firewall/Access/Audit Logs) using Time as an additional filter has been fixed. [BNWF-13691]
- Fix: Local Host Map entries on the BASIC > IP Configuration page can now be bulk edited. [BNWF-13998]
- Fix: Appliances that are not connected to the internet for activation can now be activated offline. [BNWF-13873]
- Fix: Sensitive parameter names that need to be masked can include a colon (:). [BNWF-14281]
- Enhancement: Ability to have the system IP address on a VLAN interface. [BNWF-5013]
- Enhancement: Report graphs are now displayed with all legends in the High Chart layout. [BNWF-14364]
- Enhancement: The default access control login page for a service can be modified to include descriptive text. [BNWF-13502]
- Enhancement: The ACLs and routes for the management network are now synchronized as part of the configuration synchronization in a cluster. [BNWF-14453]
- Enhancement: Response body rewrite is now performed for the content-type "application/x-java-jnlp-file" too. [BNWF-14608]
- Enhancement: Remote Support can now be enabled through console to override the disable option set in web UI. [BNWF-14574]
- Enhancement: Client IP address is logged in the System Logs when the verification of client certificate fails. [BNWF-14493]
Version 7.7
Firmware version 7.7 of the Barracuda Web Application Firewall is a major firmware release that enhances the security and networking related capabilities of the product. Here is an outline of some of the enhancements and features:
- Protection against slow client attacks
- Blocking access based on client IP reputation: This version provides an easy way to block clients based on the Geo Location tag for their IP address
- Armored browser integration: The Barracuda Web Application Firewall now integrates with the armored browser from Protect On Quarri to extend the security cover to the client side as well
- Enhancements to shared security policies: CSRF can be enabled using the shared security policy. The max instances check for parameters, which prevents a class of HTTP Parameter Pollution attacks, is enhanced for wildcard parameter profiles. Administrators can now change the system generated tokens such as ncforminfo, BNES_ or BNIS_
- Advanced routing capabilities: The virtual site can be used as a networking entity with its own routing tables and ACLs, using which the services on the WAF can be grouped by their own routing requirements.
- Network ACLs: Network ACLs can now be configured for traffic that is being NATed or proxied via the WAF.
- Active-Active HA: Two WAFs in a clustered environment can be configured to have active services on both, with failover/failback if one of the units fails.
- Stability improvements to the IPv6 functionality.
- Usability improvements:
  - Integration with Cenzic for vulnerability patch management
  - Bulk edit for the Services page
  - Persistence of node expansion state in the Basic -> Services screen
- Logging and reporting enhancements
  - Service level SNMP stats: The SNMP MIB has been enhanced to support multiple statistics at the application level
  - System Logs, like the server "up" and "down" events, are now available in the UI
  - Syslog-NG integration
  - Integration with Splunk and ArcSight now available
Version 7.7.0.026 (7.7 Maintenance GA release)
Notes on differences between Barracuda Web Application Firewall version 7.7.0.022 and 7.7.0.026:
- Enhancement: Support for Private Interfaces in a VSITE to support enhanced backend traffic routing.
- Fix: A bug in the event manager which resulted in logs not getting displayed correctly on 32 bit machines, is fixed.
- Fix: The administration access to MGMT port is now enabled by default.
- Fix: A possible race condition in the SiteMinder authentication module is addressed.
- Fix: A possible memory overrun in one specific path of the HPP feature of the security module is addressed.
- Case IDs addressed: 01206948, 01204338, 01204381, 01205421, 01206972, 01206766, 01222910, 01222697, 01226460.
Version 7.7.0.022 (7.7 Maintenance GA release)
Notes on differences between Barracuda Web Application Firewall version 7.7.0.020 and 7.7.0.022:
- Enhancement: The API interface is enhanced for better usability.
- Enhancement: The Instant-SSL functionality is now supported in bridge mode of operation too.
- Enhancement: SMS passcode feature is enhanced to support configuration of custom access challenge URL.
- Enhancement: SMS passcode feature is enhanced to support sharing of the password with the backend during two factor authentication.
- Fix: CVE-2012-4929, CVE-2012-4930 on the possible vulnerability to SSL/TLS CRIME attack is addressed.
- Fix: A bug leading to an offline upgrade taking up to 15 minutes is resolved.
- Fix: A possible memory overrun in the HPP feature of the security module is addressed.
- Fix: Extended match for Websites->Allow/Deny rules will now accept Client networks in the Client-IP macro.
- Fix: Bulk edit of Websites->Web Site Translations now retains the context chosen in the filter.
- Fix: A possible bug in editing of services which are on a VLAN in bridge mode, is fixed.
- Fix: A bug in Basic->Reports which causes issues with emailed reports when a filter is chosen, is fixed.
- Fix: Characters such as '$','@' and '#' are allowed as sensitive parameters under Mask Sensitive Data.
- Fix: A bug in LDAPS authentication when Role Based Administration is used, is fixed.
- Case IDs addressed: 01169601, 01174363, 01175945, 01178013, 01179067, 01179965, 01178013, 01180787, 01182087, 01184134, 01194198.
Version 7.7.0.020 (7.7 GA release)
Notes on the Barracuda Web Application Firewall version 7.7.0.020:
- The Barracuda Web Application Firewall has an auto-created DENY-ALL rule. While auto ACLs are created to take care of most of the functionality that needs ACLs, please ensure that you create allow network ACLs in case a functionality needs some ports to be open that are not auto-created already.
- A window of downtime is needed when upgrading a cluster from the 7.6.4 GA release to 7.7 or when planning a "join cluster" activity in 7.7. It is recommended to contact Barracuda support if you are upgrading a clustered setup from 7.6.4 GA to the 7.7 release when the failback mode is Automatic.
- When upgrading 7.6.4 GA to 7.7.0.023 in a clustered environment, it is recommended that the failback mode is "Manual" and the standby unit is upgraded first.
- In a clustered environment, some config changes may take a little longer to complete; for example, creation of a VSITE may take one minute or more.
- When planning a revert in a clustered environment, it is recommended to revert both WAFs to 7.6.4 during a planned downtime.
- Configuration changes will not be synchronized to the peer WAF when the peer is not on the same firmware version as the WAF on which the configuration change is being made. A heterogeneous mode with two WAFs on two different firmware versions is hence not recommended.
- The Policy Wizard fix for shared security policy checks on CSRF is not yet available.
- Functionality like GeoIP tagging and HA Active-Active is not supported in bridge mode. Please contact Barracuda Technical Support when using 7.7.0.023 in bridge mode of deployment.
- Upgrading from 7.6.4.012 to 7.7.0.023 in bridge mode on older machines with a 32-bit kernel needs help from Barracuda Tech Support. This usually applies to serial numbers below 210000.
- Fixes for provisioning and licensing issues with VM version of the Barracuda Web Application Firewall
- Support for the firmware to work with Barracuda Web Application Firewall Model 963
- Feature: Backups taken on Barracuda Web Application Firewall can be chosen to be in encrypted form
Version 7.6.4.012 (7.6.4 GA release)
Notes on the Barracuda Web Application Firewall version 7.6.4.012:
- Fix: The issue of potential false positives that could be triggered during CSRF checks in case the token is not found at the end of the param list, is addressed
- Fix: OCSP validation failures in certain cases of leaf certificates, is addressed
- Fix: SNMP get for service status, which could give incorrect result, is fixed
- Enhancement: Session recording limits are relaxed to capture more sessions. The UserID filter is also fixed to work in siteminder deployments
- Fix: An issue with incorrect handling of radius attributes, leading to radius login failures, is fixed.
- Enhancement: NTP time synchronization events are now logged
- Enhancement: Support for long FTP welcome banners in ftp proxy
- Fix: Rollbacks seen due to duplicate parameters and missing parameters
- Fix: A few issues in session recording feature, like the failure to capture inserted or rewritten headers, are fixed
- Change in Behaviour: When website translation rules are configured, Set-Cookie headers which contain explicit Path attributes will not be subjected to the translation
- Case IDs addressed: 01018200, 01058921, 01068508, 01070934, 01079598, 01084938, 01092296
- Known issue: An occasional error, which would indicate a concurrent session is in progress, may appear during certain configuration operations like breaking a cluster. The configuration does take effect in such a case, but a refresh of the Barracuda Web Application Firewall UI page is recommended in case this error is seen.
- Siteminder enhancements, V12 SDK integration, customized extended timeouts.
- Enhancements to request, response header and body rewrite rules.
- Other enhancements and bug fixes from version 7.4.5 merged into 7.6.3
- DNS configuration support for Admin Access control for External Authentication services
- Various miscellaneous UI enhancements for better presentability
- Fixes: Avoiding HTTP 302/307 responses during session validation timeouts to ensure POST requests with valid sessions do not fail.
Version 7.6.3.024 (7.6.3 maintenance GA release)
Notes on the Barracuda Web Application Firewall version 7.6.3.024:
- Fix: The upgrade of the Barracuda kernel was failing on a few older 32 bit platforms. This is addressed in this release
- Fix: A possible race condition in the data path leading to a leak of sockets and thus memory, is addressed
- Fix: A potential configuration rollback during a Policy Tuner fix of webfirewall logs generated due to parameter profiles, is addressed
- Fix: In some configurations, it was possible that the status page inaccurately shows the number of active servers being higher than the total number of servers configured in the system. This issue is addressed
- Fix: A possible path in Cross Site Resource Forgery checks, may result in the Barracuda Web Application Firewall reporting false positives on CSRF checks. This has been addressed.
- Fix: A potential race leading to a high CPU usage from the data path in processing socket events is addressed
- Fix: If the Barracuda Web Application Firewall UI administration is configured to be on the MGMT interface, a potential issue was causing the UI to be lost after the upgrade. This is addressed in this release
- If a backup taken on 7.4.x firmware is restored onto another 7.4.x firmware, it is possible that some passwords will need to be recreated (for example, the external LDAP password, or the FTP server password in ADVANCED > Export Logs).
- After an upgrade from 7.5 (or earlier) firmware to 7.6 firmware, the logs stored on the disk will be cleared and backed up to a different directory. It is recommended that all logs be saved before an upgrade. Barracuda recommends exporting the logs to a syslog server as a best practice.
Version 7.6
This release of the Barracuda Web Application Firewall includes the following new features and fixes:
- Vsites to group the services, Allow/Deny rules, Advanced security policies, Web Site Profiles and Web Site Translations.
- Enhancements to the BASIC > Status page (Dashboard) to have custom graphs and trending on CPU and memory utilizations.
- Enhancements to the UI components for better presentability in key screens like BASIC > Services, Allow/Deny rules etc.
- Most of the screens are now available for configuration and monitoring via Barracuda Cloud Control.
- Ability to push configurations related to Default security policy and Attack patterns across multiple Barracuda Web Application Firewalls via Barracuda Cloud Control.
- Various web application firewall features are now IPv6 aware, thus enabling firewalling and deep packet inspection of web apps hosted on IPv6 addresses - available in expert mode and as a beta stage since some aspects may need assistance from Barracuda Support.
- A few important bug fixes related to the handling of SSL traffic, including rare and occasional loss of SSL connections from the clients.
- More robustness is built into the monitoring of cluster related modules, thus avoiding a few stability concerns seen in previous releases. The issue of unexpected failover to the secondary box due to false alarms triggered during certain operations in cluster mode is also taken care of in this version.
Version 7.6.0.028 (7.6 GA release)
Notes on the Barracuda Web Application Firewall version 7.6.0.028:
- After an upgrade from 7.5 or previous releases to the 7.6.0.028, the logs stored on the disk will be cleared and backed up to a different directory. It is recommended to save the logs before an upgrade. Barracuda recommends exporting the logs to a syslog server as a best practice.
- The status page graphs may occasionally not reflect the real traffic statistics for IPv6 services.
- While navigating across tabs in the Barracuda Web Application Firewall GUI, if a blank page is encountered, it is advised to reload the page or revisit the screen.
- After configuring both IPv4 and IPv6 services in a single Barracuda Web Application Firewall, if any subsequent change is made in the BASIC > IP Configuration screen, an explicit "Reload" is needed to have the services working again.
- When creating IPv6 servers, ensure that an appropriate route to these servers exists by creating an appropriate IPv6 address on the LAN or WAN interface.
- The "tcpdump" functionality, which is available via the ADVANCED > Troubleshooting screen, works reliably for IPv4 addresses only.
- Syslog settings, if chosen via ADVANCED > Export Logs, may have to be recreated after an upgrade to 7.6 from the previous version of the firmware.
- When using non-default certificates for Secure Administration (HTTPS) of the UI, there are known issues with backup and restore and upgrade. Barracuda recommends using the default (Barracuda) certificate during these operations. After the successful completion of these operations, you can re-apply your certificate.
- There are known issues in restoring a backup containing both IPv4 and IPv6 services. Please contact support for assistance, if required.
- Reverting the firmware from version 7.6 to version 7.5 restores the old MGMT IP that was configured before the upgrade to 7.6, if a new one was set after the upgrade to 7.6.