Barracuda Web Application Firewall Release Notes - Version 10.0.1.005 (Pre-requisite : 9.2.1.005, Release : Jan 2020)

Before installing a new version of firmware:
  1. Make a backup of your configuration using the ADVANCED > Backup page.
  2. Read all release notes that apply to versions more recent than the one currently running on your system.
The update process typically takes only a few minutes after the update is applied. Make sure you do not reboot the machine during this time. A progress bar normally indicates the status, but in rare cases it may not be displayed. If this happens, revisit the URL after five minutes. If the process takes longer, contact Barracuda Networks Technical Support to investigate.

CAUTION:

  • The upgrade from 9.2.x to 10.0.0 is a major one, and the upgrade process may take more than 10 minutes if the configuration is large, especially when many servers are configured. Do not reboot the machine while the upgrade process is in progress.
  • Downgrading to a previous major version (like from 10.0.0.x to 9.2.x) is NOT recommended. Please contact Barracuda Networks Technical Support if you are thinking about attempting a firmware downgrade, and make sure that you have carefully gone through the known issues sections for the earlier firmware versions.

Backups taken AFTER a firmware revert or downgrade (such as from 10.0.0.x to 9.2.x) may not be compatible for use after a subsequent firmware upgrade (such as from 9.1.x back up to 9.2.x), so make sure that you back up your configuration settings BEFORE you start any firmware change process (either upgrade OR revert). If a feature is available in later versions and configuration is in place for that feature, a downgrade does retain that configuration. This means that after the downgrade, the configuration pertaining to such a feature might still be visible but will not take effect.

After restoring your settings from a backup, you should always REBOOT to make sure that they take effect.

NOTE: Before upgrading a virtual machine, it is highly recommended to take a snapshot of that virtual machine.

Barracuda Web Application Firewall Product Activation

If this is a new system, you must activate your Energize Updates subscription prior to initial use. Your Energize Updates subscription includes access to Technical Support, new firmware releases and ongoing security definitions updates.
To activate your Barracuda Web Application Firewall subscription:

  1. Using your Web browser, go to the BASIC > Status page.
  2. In the Subscription Status section, check the Energize Updates entry. If Energize Updates is Not Activated, click the activation link to be redirected to the Barracuda Networks Product Activation page. Complete activation of your subscription(s).

If it is connected to the Internet, your Barracuda Web Application Firewall automatically updates its activation status after you reload the browser page when viewing the BASIC > Status page. If it is not connected to the Internet yet, enter the activation code provided after completing the details on the Barracuda Networks Product Activation page. Click Activate. If the code is correct, the Barracuda Web Application Firewall will update its activation status.

Version 10.0.1.005

The Barracuda Web Application Firewall version 10.0.1.005 is a maintenance release which augments the previous firmware release of 10.0.1.003 and includes the following important enhancements and fixes:

  • Fix : A service outage caused by the integration of the Barracuda WAF with the Advanced Bot Protection (ABP) microservices is fixed.
  • Fix : Multiple fixes in the data ingestion and cookie integration modules to improve the stability of the Advanced Bot Protection (ABP) feature
  • Fix : An issue with potential high CPU utilization when "parse URLs in scripts" is enabled is addressed
  • Fix : Changes in the HTTP2 and cookie interaction modules to improve stability
  • Fix : A rare race condition during the management of the IP reputation database, which led to an outage, is addressed
  • Fix : A race condition during the processing of SSL packets, which led to an outage, is fixed
  • Fix : A probable issue in meta character processing, which could lead to a false positive or an outage, is addressed
  • Enhancement : Support for SAML attributes configured on the WAF with the local ID as USER
  • Enhancement : Support for 10000 internal users in the Kerberos and internal LDAP authentication modules
Version 10.0.1

The Barracuda Web Application Firewall version 10.0.1 is a maintenance release which augments the previous major firmware release of 10.0 and includes the following enhancements and fixes:

  • Advanced Bot Protection enhancements
    • Enhancements for client risk profiling
    • Enforcement of CAPTCHA or DENY policies on clients based on the risk scores computed via cloud analysis
    • Per-service enforcement of Advanced Bot Protection features that require cloud analysis
    • Performance improvements for the Bot Protection Service
  • Security
    • Addressed the security vulnerability raised for the SACK Panic attack.
  • Features
    • Support for the “application/x-dosexec” MIME type for BATP.
    • Ability to add a server based on hostname at the time of service creation.
    • Added API v3 support for the Secure Administration feature.
    • Added a GUI option to display/clear lockout fingerprints.
    • Added template support for the URL and Parameter profile optimisers.
  • Bug fixes
    • Fixed a data path outage issue due to caching.
    • Fixed a data path issue/memory leak with client authentication for content rules.
    • Fixed multiple data path issues seen with HTTP2 traffic.
    • Performance improvements for the sync process between WAF units in a High Availability cluster.
    • Improvement in page load times for the Websites and Exception Profiling tabs in the GUI.
    • Moved the ‘Secure Browsing’ feature from the Websites tab to the Advanced tab.
    • Misc bug fixes.

Version 10.0

The Barracuda Web Application Firewall version 10.0 is the major upgrade from the 9.2 release and has the following important enhancements and fixes:

  • Advanced Bot Protection – v1
    • Client tracking & rating
      • Client fingerprinting for correlating multiple requests
      • Integration with third-party feeds for IP reputation and user-agent based client categorization
      • Computation of risk scores for each request based on detected violations
    • Protection mechanisms
      • Brute Force enhancements: Enforcement of Bruteforce policies at the fingerprint level
      • Credential Stuffing detection: Detection of credential stuffing attacks using a cloud based microservice
      • Comment Spam / Referrer Spam detection by inspection of data POSTed in forms or injected in the Referer header
      • Google reCAPTCHA : Enhanced client validation using Google reCAPTCHA
    • User interface enhancements
      • Bot Mitigation tab for all configuration related to bot protection
      • New reports and dashboard enhancements, listed below:
        • Bot traffic Analysis
        • Top Good/Bad Bots
        • Bots by Categories
        • Captcha Summary Report
        • Comment Spam vs Referer Spam
        • Credential Stuffing versus Login Requests
    • Cloud layer for advanced analysis
      • Databases of compromised credentials and analyzed client fingerprints.
      • Ingestion of request data into the cloud service. This data will be used in v2 for building behavioral rules
      • Lookup services for client fingerprints and credentials
  • SSL enhancements
    • Support for TLSv1.3
  • Usability enhancements
    • Enhancements to the certificate page to support many thousands of certificates and their management
    • Enhancements to the logging to show expired certificates
  • Control Center features
    • Support for tracking WAF throughput usage statistics when connected to the WAF Control Center.
  • Fixes
    • Role-based administration fixes for both the UI and the REST API.
    • Added support for new JSON Security Policy fixes from the Policy Fix Wizard.
    • Rate-limiting support for the WAF’s REST API.
    • Enhancements to factory shipped templates (namely Drupal).
    • Updated the v3.1 REST API version for ‘Certificates’.
    • Virus scan is now allowed on files as large as 100M in size.
    • Advanced network configuration can now be performed using the REST API.

Version 9.2.1.005

The Barracuda Web Application Firewall version 9.2.1.005 is a maintenance release to address issues seen on the previous GA release of 9.2.

  • Feature : Ability to export syslogs to cloud services such as Sumologic
  • Fix : An issue with potential high CPU utilization when "parse URLs in scripts" is enabled is addressed
  • Fix : An issue with scheduled jobs causing high system load is addressed
  • Fix : A memory leak in a logging process when configured via private IPs is addressed
  • Fix : An issue with user names containing a backslash being unable to log in via Radius authentication is addressed
  • Fix : File extensions allowed to be uploaded at the parameter profile level can be case sensitive
  • Fix : An issue with the web firewall policy wizard is addressed

Version 9.2.0.014

The Barracuda Web Application Firewall version 9.2.0.014 is the major upgrade from the 9.1 release and has the following important enhancements and fixes:

  • Support for network HSM with Gemalto integration
  • Support for encryption of logs and problem reports as part of GDPR compliance
  • Support for handling IdP-initiated SAML Single Logout for multiple authorization policies
  • Support for integrating the WAF with the Barracuda Reporting Server for exporting logs and viewing reports
  • Support for 2FA for admin access: Dual Factor Authentication is introduced to provide an additional layer of security
  • The lockout feature has been enhanced to support per-service lockout of violating client IPs
  • The performance of REST API (v3) GET requests has been improved
  • Users can now deploy virtual appliances with multiple ports (apart from WAN & LAN), and WAN can be a part of bond in
  • API v3 - comprehensive role-based administration capabilities with granular controls and complete API coverage for all operations have been added

Version 9.1.1.008

The Barracuda Web Application Firewall version 9.1.1.008 has the following important fixes:

  • A rare condition leading to an outage when response rewrite rules are in place with a rewrite condition
  • A rare race condition leading to an outage when the Web Scraping or CAPTCHA policy is enabled
  • A possible scenario with high CPU consumption and a system freeze when the Web Scraping feature is enabled
  • Consumption of memory over a period of time when Mask Sensitive Data is enabled on a parameter's value
  • A regression that occurs when connecting to a SharePoint server and Remote Desktop Gateway via the Web Application Firewall
  • During IP Management, high memory consumption over a period of time when the bruteforce, CAPTCHA or Web Scraping features are enabled
  • A heterogeneous port configuration issue in a cluster scenario is addressed

Version 9.1.1.007

The Barracuda Web Application Firewall version 9.1.1 has the following important enhancements apart from bug fixes:

  • Service Principal Name (SPN) configuration has been moved from "AccessControl->AuthenticationPolicies->Edit Authentication" to "AccessControl->AuthenticationPolicies->Add/Edit Authorization". This enables customers to use different domain SPNs for different applications configured under Authorization while using the same service. Previously, all applications on a service configured under Add/Edit Authorization were restricted to a single SPN (whatever was configured in the Authentication Service attached to the Authentication Policy).
  • The failure conditions during connection pooling when the latencies with the servers are high are now logged
  • A new configuration option, "Count Auth Response Codes", is added under the Bruteforce Prevention module. When enabled, all error response codes are counted as failure responses; when disabled, the '401' and '407' response codes are ignored while counting error responses.
  • Extended match enhancement of the Client-IP header to support comma separated IPs, e.g. (Client-IP eq 1.1.1.1,2.2.2.2,3.3.3.3)
  • Introduced a new configuration "Detect Mouse Event" under both the DDoS policy and the WebScraping policy
  • The persistent cookie value that is used for load balancing is now encrypted.
  • API v3 now supports HTML encoded characters in filters.
  • Optimization to reduce the time taken to apply configuration with 2K+ URL profiles.
  • The start time of the FTP of access logs and the frequency of FTP access logs are now synced to the peer box if two WAFs are in a cluster.
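The "Count Auth Response Codes" rule above, as an added example that is not Barracuda's code: a per-client failure counter run over a few constructed access-log records, evaluated once with the option disabled (401 and 407 ignored) and once with it enabled (every error response counted). The threshold of 3 failures within a 60-second window, the record layout and the client addresses are assumptions for the illustration; the only semantics taken from the release note is which status codes count as a failure.

```python
"""Added example: brute-force failure counting with the "Count Auth Response Codes"
toggle.  Not Barracuda code; threshold, window and log format are assumptions."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed access-log records: (timestamp in seconds, client IP, HTTP status).
SAMPLE_LOG: List[Tuple[int, str, int]] = [
    (0, "203.0.113.10", 401),
    (1, "203.0.113.10", 401),
    (2, "203.0.113.10", 401),
    (3, "203.0.113.10", 403),
    (4, "203.0.113.10", 401),
    (5, "203.0.113.10", 500),
    (6, "198.51.100.7", 200),
    (7, "198.51.100.7", 407),
    (8, "198.51.100.7", 403),
    (90, "203.0.113.10", 403),  # far outside the window of the earlier failures
]

# Authentication challenge codes that the option excludes when it is disabled.
AUTH_CHALLENGE_CODES = frozenset({401, 407})


def is_failure(status: int, count_auth_response_codes: bool) -> bool:
    """Apply the documented rule: any error response is a failure, except that
    401/407 are ignored while the option is disabled."""
    if status < 400:
        return False
    if not count_auth_response_codes and status in AUTH_CHALLENGE_CODES:
        return False
    return True


def count_failures(statuses: Iterable[int], count_auth_response_codes: bool) -> int:
    """Number of responses in `statuses` that count as failures under the option."""
    return sum(1 for s in statuses if is_failure(s, count_auth_response_codes))


class BruteForceCounter:
    """Sliding-window failure counter per client (assumed policy shape)."""

    def __init__(self, threshold: int, window_seconds: int,
                 count_auth_response_codes: bool) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.count_auth = count_auth_response_codes
        self._events: Dict[str, Deque[int]] = defaultdict(deque)

    def observe(self, ts: int, client: str, status: int) -> bool:
        """Record one response; return True when the client reaches the
        failure threshold within the window."""
        if not is_failure(status, self.count_auth):
            return False
        q = self._events[client]
        q.append(ts)
        # Drop failures older than the window before comparing to the threshold.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def clients_exceeding(log: Iterable[Tuple[int, str, int]], threshold: int,
                      window_seconds: int, count_auth_response_codes: bool) -> List[str]:
    """Clients that hit the threshold at any point while replaying `log`."""
    counter = BruteForceCounter(threshold, window_seconds, count_auth_response_codes)
    flagged = set()
    for ts, client, status in log:
        if counter.observe(ts, client, status):
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"Count Auth Response Codes={enabled}: "
              f"{clients_exceeding(SAMPLE_LOG, 3, 60, enabled)}")
```

With the option disabled, the three consecutive 401 responses from 203.0.113.10 are not counted and no client reaches the threshold; with it enabled, the same client is flagged at the third 401. That is the trade-off the option exposes: ignoring 401/407 avoids flagging clients that are merely being challenged, while counting them catches password guessing that never gets past the challenge.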

     

Version 9.1.0.014

  • Fix : A possible outage when SSL connections time out in the middle of a response from the backend servers is addressed
  • Fix : A possible outage when the backend servers respond with non-standard response codes is addressed
  • Fix : An inconsistency in the updating of the configuration and search results on the Basic->Services screen is addressed

Version 9.1.0

The Barracuda Web Application Firewall firmware version 9.1 has the following main features and fixes. For a longer version of the release notes, please click here

  • Security
    • Support for the Volumetric DDoS prevention service
    • Proxy protocol support for both HTTP and HTTPS services
    • Whitelist feature for DDoS capabilities
    • Follow-up action for Allow Deny Rules
    • CAPTCHA responses are made non-cacheable by including no-cache headers in the response
  • Management
    • Comprehensive API support for configuration of WAF objects and retrieval of logs and statistics
    • Internal LDAP users/groups in clustered units are synchronized
    • The system now generates SNMP Trap messages for data path failures, i.e. if the system hangs, crashes or the link is down
  • High Availability
    • When deployed in a High Availability cluster, traffic will fail over to the standby unit when memory utilization on the active unit exceeds 70%
  • Other Issues
    • SAML signatures can now be signed with RSA-256
    • The negotiated cipher suite for services and servers is now logged in the System Logs
    • An issue that resulted in the reset of the admin password after establishing a support tunnel connection on newly deployed virtual machines has been addressed

Version 9.0.1

The Barracuda Web Application Firewall firmware version 9.0.1 is a follow-up to 9.0.0 and has the following major changes:

  • Enhancement : The Basic->Services page is enhanced to ensure a better usability experience, faster load and configuration updates
  • Enhancement : Barracuda Advanced Threat Protection (BATP) is enhanced to scan when licenses are provisioned
  • Fix : In certain cases, URL paths were not inspected for attacks when the attack vector was part of neither the base URL nor the query part. This is fixed
  • Fix : An issue which resulted in the proxy IP not being logged properly for requests on a persistent connection is resolved.
  • Fix : A URL with a query is now redirected back to the same URL after successful CAPTCHA validation

Version 9.0.0

The Barracuda Web Application Firewall firmware version 9.0.0 is a major release with the following new additions to the firmware. For a longer version of the release notes, please click here

  • Version 9.0.0 supports hardware with multiple physical ports and also offers link bonding to maximize throughput
  • Integration with Barracuda Advanced Threat Protection for advanced protection against malicious uploads
  • Integration with NG Firewalls in cloud deployment scenarios
  • Geo IP matching at the content rule level
  • Various enhancements and fixes to the 8.1.1 firmware based on customer deployments and user inputs

Version 8.1.1

The Barracuda Web Application Firewall firmware version 8.1.1 is a follow-up to 8.1 and has the following main features and fixes. For a longer version of the release notes, please click here

  • Security
    • Ability to configure all IP reputation rules, including Geo IP rules, at the application level, to support rules based on X-Forwarded-For or other headers
    • Support for the macro for inserting the hostname in redirect URLs for Allow/Deny Rules
    • Referer header field values are now also supported by the Mask Sensitive Data feature
    • If the Web Firewall Policy binding at the rule group level is left empty, it inherits the policy defined at the service level
  • Management
    • Custom date range filters added to the CPU and Memory Utilization reports. These reports are available under System Summary Reports.
    • Service Group filter added to Search on the Basic->Services page
    • Special characters allowed in LDAP passwords
  • Deployments
    • Azure Security Center : Added support for ARM templates for Tier 2 Integration
    • Azure Security Center : Integration with the Logging and Reporting capabilities of the Azure Security Center
    • Amazon Web Services : Enhanced bootstrapping capabilities using AWS CFT together with Barracuda Web Application Firewall templates and Barracuda Web Application Firewall configuration backups
  • Other Issues
    • Fixes addressing possible CPU utilization spikes in the 8.1 firmware, and optimization to reduce the memory footprint of the data path process during processing of HTTP or HTTPS requests

Version 8.1

The Barracuda Web Application Firewall firmware version 8.1 is a major release that introduces multiple product enhancements to security, access control and management capabilities. Some of the enhancements are highlighted below:

  • Enhanced Web Scraping Protection
  • Granular Binding of Security Policies
  • Support for AMQP formatting in Exported Logs
  • URL and Parameter Profile Optimization
  • Support for Auto-Scaling in AWS
  • SAN Certificate CSR
  • Support for JSON Key Profiles
  • Load Balancing across Server Name Resolution
  • Integration with Barracuda Vulnerability Manager, HPE Fortify OnDemand and HPE Fortify WebInspect Vulnerability Scanners
  • Integration with Denim ThreadFix
  • Support for HTTP/2 and Websockets (BETA)
  • Redesigned BASIC > Services page to enhance scalability
  • Support for ActiveSync applications via the Web Application Firewall

Version 8.0.1

The Barracuda Web Application Firewall firmware version 8.0.1 is a maintenance release which has fixes for issues found in the 8.0 GA release.

Version 8.0

The Barracuda Web Application Firewall firmware version 8.0 is a major release which introduces multiple product security, access control, management, and usability enhancements. Some of these are highlighted below, while the longer version of the release notes is here

  • Security
    • JSON payloads can now be inspected for attacks.
    • Attack patterns have been re-organized for better visibility and control.
    • Client certificate based authentication can be enforced for a specific URL space.
  • Access Control Enhancements
    • Federated Authentication via SAML 2.0.
    • The Access Control policy capabilities have been enhanced to customize and configure the login/logout pages.
    • Ability to enforce a Brute Force policy for failed login attempts.
  • Centralized Management Service
    • Single login for managing multiple Barracuda Web Application Firewalls.
    • Ability to upgrade multiple systems from one window.
    • Ability to generate aggregated reports for multiple Barracuda Web Application Firewalls.
    • Mechanism to configure multiple Barracuda Web Application Firewalls through templates.
    • Supports version 3.5.2 of the Barracuda Control Server.
    • Barracuda Control Server v3.5.2 provides:
  • System Management
    • Logging and Reporting:
      • Multi-level drill-down capability added in the Reports module to assist in forensic analysis.
      • Composite and Classic views have been implemented in Access Logs and Web Firewall Logs.
      • Each log entry in Web Firewall Logs and Access Logs is associated with a unique ID.
        • The unique ID can be added to the response page using the response page macros.
      • Ability to set the time (in 24 hour format) and day/date, and to schedule the report.
    • Support for IBM AppScan 9.x.
    • REST API for configuring Allow / Deny Rules.