Please Read Before Updating
Before installing a new version of firmware:
- Make a backup of your configuration using the ADVANCED > Backup page.
- Read all release notes that apply to versions more recent than the one currently running on your system.
CAUTION: Downgrading to a previous major version (like from 7.8.x to 7.7.x) is NOT recommended. Please contact Barracuda Networks Technical Support if you are thinking about attempting a firmware downgrade, and make sure that you have carefully gone through the known issues sections for the earlier firmware versions.
Also, backups taken AFTER a firmware revert or downgrade (such as from 7.8.x to 7.7.x) may not be compatible with a subsequent firmware upgrade (such as from 7.7.x back up to 7.8.x), so make sure that you back up your configuration settings BEFORE you start any firmware change (either upgrade OR revert). If a feature exists only in the later version and configuration is in place for that feature, a downgrade retains that configuration: after the downgrade, the configuration for such a feature may still be visible but will not take effect.
After restoring your settings from a backup, you should always REBOOT to make sure that they take effect.
Barracuda Web Application Firewall Product Activation
If this is a new system, you must activate your Energize Updates subscription prior to initial use. Your Energize Updates subscription includes access to Technical Support, new firmware releases and ongoing security definition updates. To activate your Barracuda Web Application Firewall subscription:
- Using your Web browser, go to the BASIC > Status page.
- In the Subscription Status section, check the Energize Updates entry. If Energize Updates is Not Activated, click the activation link to be redirected to the Barracuda Networks Product Activation page. Complete activation of your subscription(s).
Version 7.8.1
This release of the Barracuda Web Application Firewall includes the following new features and fixes: [ For a detailed list of features and release notes please click here. ]
- Enhancement: New kernel for facilitating deployments of Barracuda Web Application Firewall in VM environments
- Enhancement: Support for base64 decoding of parameter values before applying deep packet inspection
- Enhancement: Support for normalization of Microsoft %u encoding scheme before applying deep packet inspection
- Enhancement: Configurable status codes for Redirect action in Allow-Deny-Redirect screen
- Enhancement: The CSRF token embedded in the form can now be given a validity period (expiry time) when CSRF Prevention is set to "Forms" or "Forms and URLs".
- Enhancement: Optimization of the configuration elements to facilitate faster configuration commits
- Enhancement: User passwords, including the admin password, are now stored as an irreversible hash rather than in recoverable form, to ensure password secrecy in the system.
- Enhancement: Automatic recovery from a Bypass state is now possible without the need for rebooting the appliance.
- Enhancement: The domain information of the client is forwarded to the server along with the user credentials in the Basic Authentication Header when Send Basic Authentication is set to Yes (ACCESS CONTROL > Authorization).
- Enhancement: Tor exit nodes can now be blocked from accessing services.
- Enhancement: For MS LDAP authentication, if the server indicates an expired password, the Barracuda Web Application Firewall can redirect the user to reset it.
- Enhancement: Redirect action can be configured as a temporary or permanent redirect, resulting in the Barracuda Web Application Firewall using a 302 or 301 response code respectively.
- Fix: Double URL decoding is now applied to the URL before deep inspection.
- Enhancement: IP Reputation Filter is now available in Bridge mode.
- Fix: An issue with flow control in the SSL layer, which could affect large SSL transactions, is addressed.
- Fix: Cipher suite preference can now be enforced from the service rather than relying only on the client's preference.
- Fix: A configuration rollback that could occur during a "Policy Fix" operation in Web Firewall Logs has been fixed.
- Change in behaviour: Attack definitions are no longer activated automatically until "Enable Auto Apply Attack Definition" is set to Yes on the ADVANCED > System Configuration page. This lets administrators carry out definition activation during a production maintenance window.
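The items above on base64 decoding, %u normalization and double URL decoding all address the same class of evasion: a signature run over the raw parameter misses a payload that only appears after decoding. The following is an added example, not Barracuda's code; the toy signature, the decoding order and the sample inputs are this example's own assumptions and stand in for the product's rule set.

```python
# Added example (not Barracuda's code): normalize a request parameter the
# way the release notes describe (double URL decoding, Microsoft %uXXXX
# normalization, base64 decoding) before running an injection signature
# over it. The signature and the sample inputs are constructed for this
# example; a real WAF ships a much larger rule set.
import base64
import binascii
import re
from urllib.parse import unquote

# Toy SQLi signature: a UNION ... SELECT, or a classic ' or '1'='1 tautology.
SQLI_PATTERN = re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?1'?\s*=\s*'?1")

# IIS-style %uXXXX escapes, which urllib's unquote() leaves untouched.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def url_decode_repeated(value: str, max_rounds: int = 2) -> str:
    """Percent-decode until the value stops changing, bounded to max_rounds
    so a pathological input cannot make the inspector loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_u_encoding(value: str) -> str:
    """Rewrite %uXXXX sequences to the code point they denote."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def try_base64(value: str) -> str:
    """If the value is well-formed base64 that decodes to printable text,
    return the decoded text; otherwise return the value unchanged.
    Ordinary words such as 'password' fail the decode and pass through."""
    if len(value) < 8 or len(value) % 4 or not _B64_ALPHABET.fullmatch(value):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value
    return decoded if decoded.isprintable() else value


def normalize_param(value: str) -> str:
    """Canonical form of a parameter value for inspection."""
    value = url_decode_repeated(value)       # %2527 -> %27 -> '
    value = normalize_u_encoding(value)      # %u0027 -> '
    value = url_decode_repeated(value)       # %u0025 may have produced a fresh '%'
    return try_base64(value)                 # JyBvciAxPTE= -> ' or 1=1


def raw_match(value: str) -> bool:
    """What a naive inspector sees: the signature over the raw value."""
    return SQLI_PATTERN.search(value) is not None


def is_suspicious(value: str) -> bool:
    """Run the signature over the normalized value, not the raw one."""
    return raw_match(normalize_param(value))


if __name__ == "__main__":
    # Constructed sample values: the same payload under four encodings.
    samples = [
        "' or '1'='1",
        "%2527%2520or%2520%25271%2527%253D%25271",
        "%u0027%u0020or%u0020%u00271%u0027%u003D%u00271",
        "JyBvciAxPTE=",
    ]
    for s in samples:
        print(f"{s!r:50} raw-match={raw_match(s)} normalized-match={is_suspicious(s)}")
```

The bounded loop in url_decode_repeated matters: decoding a fixed number of rounds, rather than until a fixed point, keeps a crafted value from turning the inspector into a CPU sink. The base64 step is deliberately conservative so that ordinary values are not mistaken for encoded payloads and inspected in a form the application never sees.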
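Concerning the CSRF token expiry enhancement above: one way to give a form token a validity period without keeping per-token state on the appliance is to put the issue time inside the token and bind it, together with the session, under an HMAC. This is an added example rather than Barracuda's implementation; the token layout, the server key, the session identifier and the 900-second default are assumptions, while the hidden-field name ncforminfo is a system-generated token name mentioned later in these notes (version 7.7).

```python
# Added example (not Barracuda's code): a stateless form CSRF token that
# carries its own issue time, so the validator can enforce a configurable
# validity period as the release notes describe. The hidden-field name
# "ncforminfo" is taken from the notes; the token format, key handling and
# session identifier are assumptions of this example.
import hashlib
import hmac
import secrets

# In a real deployment this key is persisted and shared by cluster members;
# here it is generated per process so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
FIELD_NAME = "ncforminfo"


def _mac(session_id: str, issued_at: int, nonce: str) -> str:
    """HMAC over everything the validator must trust: the session the token
    was minted for, when it was minted, and a per-form nonce."""
    msg = f"{session_id}.{issued_at}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: int) -> str:
    """Mint a token bound to the caller's session at time `now` (epoch seconds)."""
    nonce = secrets.token_hex(8)
    return f"{now}.{nonce}.{_mac(session_id, now, nonce)}"


def hidden_field(session_id: str, now: int) -> str:
    """The form element a WAF would inject into an HTML response."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{issue_token(session_id, now)}">'


def validate_token(token: str, session_id: str, now: int, validity: int = 900) -> bool:
    """Accept only an untampered token for this session that is no older
    than `validity` seconds and not dated in the future."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    issued_at, nonce, mac = int(parts[0]), parts[1], parts[2]
    # Constant-time comparison: a forged or cross-session token fails here.
    if not hmac.compare_digest(mac, _mac(session_id, issued_at, nonce)):
        return False
    # Expiry window; the upper bound rejects tokens minted "in the future",
    # which can only come from clock skew or tampering.
    return 0 <= now - issued_at <= validity


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("sess-A", t0)
    print(hidden_field("sess-A", t0))
    print("fresh:", validate_token(tok, "sess-A", t0 + 60))
    print("expired:", validate_token(tok, "sess-A", t0 + 901))
    print("other session:", validate_token(tok, "sess-B", t0 + 60))
```

Binding the token to the session identifier is what makes it a CSRF defence: a page on another origin can trigger the victim's browser to submit a form, but it cannot mint a token whose MAC covers the victim's session. The validity period then bounds how long a token leaked from a cached page or a log remains usable.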
Version 7.8.1.017
- Vulnerability fix: OpenSSL vulnerabilities outlined in CVE-2014-0224, CVE-2014-0198, CVE-2010-5298 addressed.
Version 7.8.1.016
- Fix: OpenSSL vulnerability [ CVE-2014-0160 ] for TLS/DTLS Heartbleed attack has been addressed. [ BNWF-16810 ]
- Fix: An OCSP issue that could cause SSL connection failures is addressed.
- Enhancement: Action policy, when configured with "Challenge with CAPTCHA", can now be configured to redirect to a CAPTCHA as the response page for any chosen violation.
- Fix: A bug in the FTP service that could lead to a rare outage is addressed.
- Fix: A possible scenario of repeated rollbacks in an HA environment, especially when Adaptive Profiling is ON, is addressed.
- Enhancement: New cipher suites supporting Perfect Forward Secrecy (PFS) have been added to the front-end SSL cipher list and can be selected by the administrator of the Barracuda Web Application Firewall.
- Fix: Protocol parsing is now more tolerant of Host headers whose port suffix contains whitespace.
Version 7.8
This release of the Barracuda Web Application Firewall includes the following new features and fixes: [ For a detailed list of features and release notes please click here. ]
- Security
- DDoS Enhancements - Administrators can define policies on specific URL spaces so that clients the Barracuda Web Application Firewall detects as suspicious are challenged with a CAPTCHA to validate themselves. These challenges thwart DDoS attempts by bots and crawlers against process- and memory-intensive resources of the backend applications. This is available from the WEBSITES > DDoS Prevention page. In addition, CAPTCHA challenges can be set as a Follow Up Action to other attacks such as SQL Injection via the Security Policies > Action Policy feature. This helps detect and thwart automated tools that repeatedly scan the website for vulnerabilities and waste resources; for example, the sqlmap tool scanning for SQLi will be blocked.
- Barracuda Blocklist Integration - Barracuda Blocklist is an extensive IP reputation system that lists IP addresses that are open proxies or are botnet infected. The system relies on honeypots to flag both web and spam botnets, which are used interchangeably, depending on the need. Under a DDoS attack, these addresses can be blocked with a single click to deflate the attack, with a minimal false positive risk. This is available from the WEBSITES > DDoS Prevention page.
- True File type checks for File Uploads - In earlier releases, file extension checks could be evaded on a file upload by changing the extension to match one of the whitelisted extensions. From this release, such evasions can be blocked by fingerprinting the file to establish its true MIME type and matching that type against a whitelist. For example, this prevents an attacker from renaming a file from .exe to .doc and uploading it, since it will be evaluated as application/octet-stream and blocked (assuming the latter has not been added to the Allowed Mime Types on the WEBSITES > Parameter Protection page).
- Kerberos Authentication - The AAA module now supports Kerberos authentication to backend services such as OWA and SharePoint: the front-end authentication is form based while the backend leg uses the Kerberos protocol.
- Clickjacking Protection - Clickjacking and UI redressing attacks can now be prevented by enabling Clickjacking protection from the ADVANCED > Advanced Security page.
- Cryptography
- SNI support - This release adds support for the Server Name Indication (SNI) extension to SSL. This is particularly useful in a virtual hosting scenario where an organization hosts several domains on a single server using the same IP address, with a distinct SSL certificate for each domain.
- CRL (Certificate Revocation List) support - This has been added for client certificates. CRLs can be automatically retrieved over HTTP and can be updated periodically by the system.
- Backup Enhancements - System backups can now be done over FTPS.
- Performance and Stability improvements - The SSL modules have been re-architected to support more transactions per second and higher throughput with a smaller memory footprint, while reducing the risk of race conditions that were possible in earlier releases.
- Networking
- Synchronization for Network elements - The following objects are now synchronized across the cluster: (1) VLANs (2) Static routes (3) Interface routes and (4) ACLs. Interfaces in the Management network group are not synchronized across the cluster.
- Backup Enhancements - NTLM V2 is now supported while taking system backup.
- Deployment - System IP can now be on a VLAN interface.
- Persistence Enhancements - The Load balancing module can use HTTP header based persistence for directing traffic to backend servers.
- Usability improvements
- Clients that have been locked out as a result of setting the Follow Up Action to Block Client can now be unblocked manually by the administrator.
- Preferences have been added for viewing parameter profiles on the WEBSITES > Website Profiles page.
- In a clustered setup, Join Cluster operation is now available when the Failback Mode is manual. Earlier, it was only available in automatic mode.
- NIC speed, duplex setting and statistics can now be viewed and edited from ADVANCED > Advanced Networking, under the configuration for Network Group: System. This is only available when Show Advanced Settings is set to Yes under ADVANCED > System Configuration.
- Access Logs now have a host filter.
- Interface routes and Custom Virtual Interfaces can now be edited.
- This release adds an option for a custom message on the login page to meet compliance requirements, e.g. FISMA requires federal systems to display an access notice on the login pages.
- A new tool has been added to find out how an IP address is categorized in the Geo IP database.
- The data path can be manually restarted after an attack definitions update.
- Logging and Reporting
- The logging module has been enhanced to integrate with IBM QRadar SIEM System.
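For the true file type check described under Security above, the following added example (not Barracuda's code) shows the decision a WAF makes when a client renames an executable to .doc: the declared extension is not trusted, the leading bytes are fingerprinted, and the sniffed type is matched against an allow list. The signature table, the extension map and the sample uploads are constructed for this example.

```python
# Added example (not Barracuda's code): decide whether an upload is
# acceptable by fingerprinting its leading bytes, so that renaming
# payload.exe to payload.doc does not get it past an extension allow list.
# The signature table, the extension map and the sample files are
# constructed for this example; real products use a libmagic-style database.
from typing import Set, Tuple

# (magic bytes at offset 0, MIME type). None of these prefixes overlap.
MAGIC = [
    (b"MZ", "application/x-dosexec"),                   # DOS/Windows PE
    (b"\x7fELF", "application/x-executable"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),                 # also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword"),  # OLE2 .doc/.xls
]

# What each known extension is expected to contain.
EXTENSION_MIME = {
    "doc": "application/msword",
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}


def sniff_mime(data: bytes) -> str:
    """Return the true MIME type implied by the magic bytes, or
    application/octet-stream when nothing matches (a fingerprinter without a
    PE entry would report a renamed .exe that way, as the release note says)."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def check_upload(filename: str, data: bytes, allowed_mimes: Set[str]) -> Tuple[bool, str]:
    """Accept the upload only if its sniffed type is on the allow list and,
    when the extension maps to a known type, that type matches the content.
    Only the last extension counts, so shell.php.jpg is judged by its bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_mime(data)
    if sniffed not in allowed_mimes:
        return False, f"true type {sniffed} is not in the allowed MIME types"
    expected = EXTENSION_MIME.get(ext)
    if expected is not None and expected != sniffed:
        return False, f".{ext} claims {expected} but content is {sniffed}"
    return True, sniffed


if __name__ == "__main__":
    allowed = {"application/msword", "application/pdf", "image/png"}
    # Constructed sample uploads: only the first few bytes matter here.
    uploads = [
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("report.doc", b"MZ\x90\x00\x03\x00\x00\x00"),      # renamed .exe
        ("photo.png", b"\xff\xd8\xff\xe0\x00\x10JFIF"),     # JPEG with .png name
        ("notes.txt", b"just some text"),
    ]
    for name, blob in uploads:
        print(name, check_upload(name, blob, allowed))
```

Two points the release note leaves implicit: the check must run on the bytes the backend will actually store, not on a Content-Type header the client also controls, and container formats such as ZIP (which is what .docx and .jar both are) still need inspection of their contents if the allow list admits them.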
Fixes and Enhancements
- Fix: The sensitive parameters in the query string are cloaked when a request matches the rule group. [BNWF-14641]
- Fix: The encoded parameters in the URL are not decoded once the SSO Cookie Update Interval is triggered. [BNWF-14522]
- Fix: Join Cluster operation does not remove Management routes on the secondary/backup device. [BNWF-14420]
- Fix: Server Time field in access logs was not displaying proper time in some cases. Fixed now. [BNWF-14410]
- Fix: Browsers cannot save the password for the auth login page automatically. [BNWF-14362]
- Fix: CPU Utilization graph on the BASIC > Status page displays accurate value for the time scale "Month". [BNWF-14344]
- Fix: Booting up issues on virtual machine instances installed on Citrix XEN Hypervisor have been fixed. [BNWF-14270]
- Fix: The virtual IP address is not duplicated in the database after the firmware upgrade. [BNWF-13778]
- Fix: An issue while filtering the logs (Web Firewall/Access/Audit Logs) using Time as an additional filter has been fixed. [BNWF-13691]
- Fix: Local Host Map entries on the BASIC > IP Configuration page can now be bulk edited. [BNWF-13998]
- Fix: Appliances that are not connected to the internet for activation can now be activated offline. [BNWF-13873]
- Fix: Sensitive parameter names that need to be masked can now include a colon (:). [BNWF-14281]
- Enhancement: Ability to have system IP address on a VLAN interface. [BNWF-5013]
- Enhancement: Report graphs are now displayed with all legends in High Chart layout. [BNWF-14364]
- Enhancement: The default access control login page for a service can be modified to include a descriptive text. [BNWF-13502]
- Enhancement: The ACLs and routes for the management network are now synchronized as part of the configuration synchronization in a cluster. [BNWF-14453]
- Enhancement: Response body rewrite is now performed for the content-type "application/x-java-jnlp-file" too. [BNWF-14608]
- Enhancement: Remote Support can now be enabled through console to override the disable option set in web UI. [BNWF-14574]
- Enhancement: Client IP address is logged in the System Logs when the verification of client certificate fails. [BNWF-14493]
Version 7.7
The firmware version 7.7 of the Barracuda Web Application Firewall is a major firmware release that enhances the security and networking related capabilities of the product. For a detailed list of features and release notes please click here. Here is an outline of some of the enhancements and features:
- Security:
- Protection against slow client attacks
- Blocking access based on client IP reputation: This version provides an easy way to block clients based on the Geo Location tag of their IP address
- Armored browser integration: Barracuda Web Application Firewall now integrates with the armored browser from Protect On Quarri to extend the security cover to the client side as well
- Enhancements to shared security policies: CSRF protection can be enabled using the shared security policy. The max instances check for parameters, which prevents a class of HTTP Parameter Pollution attacks, is extended to wildcard parameter profiles. Administrators can now rename the system-generated tokens such as ncforminfo, BNES_ or BNIS_
- Networking:
- Advanced routing capabilities: A virtual site can be used as a networking entity with its own routing tables and ACLs, so that services on the WAF can be grouped by their own routing requirements.
- Network ACLs: Network ACLs can now be configured for traffic that is being NATed or proxied via the WAF.
- Deployment:
- Active-Active HA: Two WAFs in a clustered environment can both be configured to host active services, with failover/failback if one of the units fails.
- Stability and improvements of the IPv6 functionalities.
- Usability improvements:
- Integration with Cenzic for vulnerability patch management
- Bulk edit for Services page
- Persistence of node expansion state in Basic -> Services screen
- Logging and reporting enhancements
- Service level SNMP stats: The SNMP MIB has been enhanced to support multiple statistics at the application level
- System Logs, such as server "up" and "down" events, are now available in the UI
- Syslog NG integration
- Integration with Splunk and Arcsight now available
Version 7.7.0.026 (7.7 Maintenance GA release)
Notes on differences between Barracuda Web Application Firewall version 7.7.0.022 and 7.7.0.026:
- Enhancement: Support for Private Interfaces in a VSITE to support enhanced backend traffic routing.
- Fix: A bug in the event manager which resulted in logs not getting displayed correctly on 32 bit machines, is fixed.
- Fix: The administration access to MGMT port is now enabled by default.
- Fix: A possible race condition in the SiteMinder authentication module is addressed.
- Fix: A possible memory overrun in one specific path of the HPP feature of the security module is addressed.
- Case IDs addressed: 01206948, 01204338, 01204381, 01205421, 01206972, 01206766, 01222910, 01222697, 01226460.
Version 7.7.0.022 (7.7 Maintenance GA release)
Notes on differences between Barracuda Web Application Firewall version 7.7.0.020 and 7.7.0.022:
- Enhancement: The API interface is enhanced for better usability.
- Enhancement: The Instant-SSL functionality is now supported in bridge mode of operation too.
- Enhancement: SMS passcode feature is enhanced to support configuration of custom access challenge URL.
- Enhancement: SMS passcode feature is enhanced to support sharing of the password with the backend during two factor authentication.
- Fix: The possible vulnerability to the SSL/TLS CRIME attack (CVE-2012-4929, CVE-2012-4930) is addressed.
- Fix: A bug leading to offline upgrade taking up to 15 minutes is resolved.
- Fix: A possible memory overrun in the HPP feature of the security module is addressed.
- Fix: Extended match for Websites->Allow/Deny rules will now accept Client networks in the Client-IP macro.
- Fix: Bulk edit of Websites->Web Site Translations now retains the context chosen in the filter.
- Fix: A possible bug in editing of services which are on a VLAN in bridge mode, is fixed.
- Fix: A bug in Basic->Reports which causes issues with emailed reports when a filter is chosen, is fixed.
- Fix: Characters such as '$','@' and '#' are allowed as sensitive parameters under Mask Sensitive Data.
- Fix: A bug in LDAPS authentication when Role Based Administration is used, is fixed.
- Case IDs addressed: 01169601, 01174363, 01175945, 01178013, 01179067, 01179965, 01178013, 01180787, 01182087, 01184134, 01194198.
Version 7.7.0.020 (7.7 GA release)
Notes on the Barracuda Web Application Firewall version 7.7.0.020:
- The Barracuda Web Application Firewall now has an auto-created DENY-ALL rule. ACLs are auto-created for most functionality that needs them, but make sure you create ALLOW network ACLs for any functionality that needs ports open for which no ACL is created automatically.
- A window of downtime is needed when upgrading a cluster from the 7.6.4 GA release to 7.7, or when planning a "join cluster" activity in 7.7. It is recommended to contact Barracuda Support if you are upgrading a clustered setup from 7.6.4 GA to the 7.7 release when the failback mode is Automatic.
- When upgrading 7.6.4 GA to 7.7.0.023 in a clustered environment, it is recommended that the failback mode is "Manual" and the standby unit is upgraded first.
- In a clustered environment, some configuration changes may take a little longer to complete; for example, creation of a VSITE may take one minute or more.
- When planning a revert in a clustered environment, it is recommended to revert both WAFs to the 7.6.4 during a planned downtime.
- Configuration changes will not be synchronized to the peer WAF when the peer is not on the same firmware version as the WAF on which the change is made. A heterogeneous mode with two WAFs on two different firmware versions is hence not recommended.
- Policy wizard fix for shared security policy checks on CSRF is not yet available
- Functionalities like GeoIP tagging and HA Active-Active are not supported in bridge mode. Please contact Barracuda Technical Support when using 7.7.0.023 in bridge mode of deployment
- Upgrade from 7.6.4.012 to 7.7.0.023 in bridge mode on older machines with 32 bit kernel needs help from Barracuda Tech Support. This is usually serial numbers below 210000
Version 7.6.4
- Fixes for provisioning and licensing issues with VM version of the Barracuda Web Application Firewall
- Support for the firmware to work with Barracuda Web Application Firewall Model 963
- Feature: Backups taken on Barracuda Web Application Firewall can be chosen to be in encrypted form
Version 7.6.4.012 (7.6.4 GA release)
Notes on the Barracuda Web Application Firewall version 7.6.4.012:
- Fix: Potential false positives that could be triggered during CSRF checks when the token is not at the end of the parameter list are addressed
- Fix: OCSP validation failures in certain cases of leaf certificates, is addressed
- Fix: SNMP get for service status, which could give incorrect result, is fixed
- Enhancement: Session recording limits are relaxed to capture more sessions. The UserID filter is also fixed to work in siteminder deployments
- Fix: An issue with incorrect handling of radius attributes, leading to radius login failures, is fixed.
- Enhancement: NTP time synchronization events are now logged
- Enhancement: Support for long FTP welcome banners in the FTP proxy
- Fix: Rollbacks seen due to duplicate or missing parameters are addressed
- Fix: A few issues in the session recording feature, such as the failure to capture inserted or rewritten headers, are fixed
- Change in Behaviour: When website translation rules are configured, Set-Cookie headers that contain an explicit Path attribute will not be subjected to the translation
- Case IDs addressed: 01018200, 01058921, 01068508, 01070934, 01079598, 01084938, 01092296
- Known issue: An occasional error, which would indicate a concurrent session is in progress, may appear during certain configuration operations like breaking a cluster. The configuration does take effect in such a case, but a refresh of the Barracuda Web Application Firewall UI page is recommended in case this error is seen.
Version 7.6.3
- Siteminder enhancements, V12 SDK integration, customized extended timeouts.
- Enhancements to request, response header and body rewrite rules.
- Other enhancements and bug fixes from version 7.4.5 merged into 7.6.3
- DNS configuration support for Admin Access control for External Authentication services
- Various miscellaneous UI enhancements for better presentability
- Fixes: Avoiding HTTP 302/307 responses during session validation timeouts to ensure POST requests with valid sessions do not fail.
Version 7.6.3.024 (7.6.3 maintenance GA release)
Notes on the Barracuda Web Application Firewall version 7.6.3.024:
- Fix: The upgrade of the Barracuda kernel was failing on a few older 32-bit platforms. This is addressed in this release
- Fix: A possible race condition in the data path leading to a leak of sockets and thus memory, is addressed
- Fix: A potential configuration rollback during a Policy Tuner fix of webfirewall logs generated due to parameter profiles, is addressed
- Fix: In some configurations, it was possible that the status page inaccurately shows the number of active servers being higher than the total number of servers configured in the system. This issue is addressed
- Fix: A code path in the Cross Site Request Forgery checks could result in the Barracuda Web Application Firewall reporting false positives on CSRF checks. This has been addressed.
- Fix: A potential race leading to a high CPU usage from the data path in processing socket events is addressed
- Fix: If the Barracuda Web Application Firewall UI administration is configured to be on the MGMT interface, a potential issue was causing the UI to be lost after the upgrade. This is addressed in this release
- If a backup taken on 7.4.x firmware is restored onto another 7.4.x firmware, it is possible that some passwords will need to be recreated (for example, the external LDAP password, or the FTP server password in ADVANCED > Export Logs).
- After an upgrade from 7.5 (or earlier) firmware to 7.6 firmware, the logs stored on the disk will be cleared and backed up to a different directory. It is recommended that all logs be saved before an upgrade. Barracuda recommends exporting the logs to a syslog server as a best practice.
Version 7.6
This release of the Barracuda Web Application Firewall includes the following new features and fixes:
- Vsites to group the services, Allow/Deny rules, Advanced security policies, Web Site Profiles and Web Site Translations.
- Enhancements to the BASIC > Status page (Dashboard) to have custom graphs and trending on CPU and memory utilizations.
- Enhancements to the UI components for better presentability in key screens like BASIC > Services, Allow/Deny rules etc.
- Most of the screens are now available for configuration and monitoring via Barracuda Cloud Control.
- Ability to push configurations related to Default security policy and Attack patterns across multiple Barracuda Web Application Firewalls via Barracuda Cloud Control.
- Various web application firewall features are now IPv6 aware, thus enabling firewalling and deep packet inspection of web apps hosted on IPv6 addresses - available in expert mode and as a beta stage since some aspects may need assistance from Barracuda Support.
- A few important bug fixes related to the handling of SSL traffic, including rare and occasional loss of SSL connections from clients.
- More robustness is built into the monitoring of cluster related modules, avoiding some stability concerns seen in previous releases. The issue of unexpected failover to the secondary box due to false alarms triggered during certain operations in cluster mode is also addressed in this version.
Version 7.6.0.028 (7.6 GA release)
Notes on the Barracuda Web Application Firewall version 7.6.0.028:
- After an upgrade from 7.5 or previous releases to the 7.6.0.028, the logs stored on the disk will be cleared and backed up to a different directory. It is recommended to save the logs before an upgrade. Barracuda recommends exporting the logs to a syslog server as a best practice.
- The status page graphs may occasionally not reflect the real traffic statistics for IPv6 services.
- While navigating across tabs in the Barracuda Web Application Firewall GUI, if a blank page is encountered, it is advised to reload the page or revisit the screen.
- After configuring both IPv4 and IPv6 services on a single Barracuda Web Application Firewall, if any subsequent change is made in the BASIC > IP Configuration screen, an explicit "Reload" is needed to have the services working again.
- When creating IPv6 servers, ensure that an appropriate route to these servers exists by creating an appropriate IPv6 address on the LAN or WAN interface.
- The "tcpdump" functionality available via the ADVANCED > Troubleshooting screen works reliably for IPv4 addresses only.
- Syslog settings, if chosen via ADVANCED > Export Logs, may have to be recreated after an upgrade to 7.6 from the previous version of the firmware.
- When using non-default certificates for Secure Administration (HTTPS) of the UI, there are known issues with backup and restore and upgrade. Barracuda recommends using the default (Barracuda) certificate during these operations. After the successful completion of these operations, you can re-apply your certificate.
- There are known issues in restoring a backup containing both IPv4 and IPv6 services. Please contact support for assistance, if required.
- Reverting the firmware from 7.6 to 7.5 restores the MGMT IP address that was configured before the upgrade to 7.6, if a different one was set after the upgrade.