Barracuda Web Application Firewall Release Notes - Version 9.0.0.008 (Prerequisite: 8.1.0.009)
Before installing a new version of firmware:
- Make a backup of your configuration using the ADVANCED > Backup page.
- Read all release notes that apply to versions more recent than the one currently running on your system.
CAUTION:
- An upgrade from 8.0.x to 8.1.1 is a major one (unlike an upgrade from 8.1.x to 8.1.1), and the upgrade process may take more than 10 minutes if the configuration is large, especially with many servers configured. Please do not reboot the machine while the upgrade process is in progress.
- Downgrading to a previous major version (like from 8.0.x to 7.9.x) is NOT recommended. Please contact Barracuda Networks Technical Support if you are thinking about attempting a firmware downgrade, and make sure that you have carefully gone through the known issues sections for the earlier firmware versions.
Backups taken AFTER a firmware revert or downgrade (such as from 8.1.x to 8.0.x) may not be compatible for use after a subsequent firmware upgrade (such as from 8.0.x back up to 8.1.x), so make sure that you back up your configuration settings BEFORE you actually start any firmware change process (either upgrade OR revert). If a feature is available in later versions and the configuration is in place for that feature, a downgrade does retain the configuration. This means that after the downgrade, the configuration pertaining to such a feature might be visible but would not take effect.
After restoring your settings from a backup, you should always REBOOT to make sure that they take effect.
NOTE: On an upgrade to 7.9.x, older web firewall logs and access logs will no longer be available on the User Interface. It is advised to export relevant logs using one or more of the available options under Advanced > Export Logs, before commencing the upgrade.
Barracuda Web Application Firewall Product Activation
If this is a new system, you must activate your Energize Updates subscription prior to initial use. Your Energize Updates subscription includes access to Technical Support, new firmware releases and ongoing security definitions updates.
To activate your Barracuda Web Application Firewall subscription:
- Using your Web browser, go to the BASIC > Status page.
- In the Subscription Status section, check the Energize Updates entry. If Energize Updates is Not Activated, click the activation link to be redirected to the Barracuda Networks Product Activation page. Complete activation of your subscription(s).
Version 9.0.0
The Barracuda Web Application Firewall firmware version 9.0.0 is a major release with the following new additions to the firmware. For a longer version of the release notes, please click here
- Version 9.0.0 supports hardware with multiple physical ports and also offers link bonding to maximize throughput
- Integration with Barracuda Advanced Threat Protection for advanced protection against malicious uploads
- Integration with NG Firewalls in cloud deployment scenarios
- Geo IP matching at the content rule level
- Various enhancements and fixes to the 8.1.1 firmware based on customer deployments and user inputs
Version 8.1.1
The Barracuda Web Application Firewall firmware version 8.1.1 is a follow-up to 8.1 and has the following main features and fixes. For a longer version of the release notes, please click here
- Security
  - Ability to configure all IP reputation rules, including Geo IP rules, at the application level, to support rules based on X-Forwarded-For or other headers
  - Support for the macro for inserting hostname in redirect URLs for Allow/Deny Rules
  - Referrer header field values also supported by the Mask sensitive data feature
  - If the Web Firewall Policy binding in the rule group level is left empty, it would inherit the policy defined in the service level
- Management
  - Custom date range filters added to the CPU and Memory Utilization reports. These reports are available under System Summary Reports.
  - Service Group filter added to Search on the BASIC > Services page
  - Special characters allowed for LDAP passwords
- Deployments
  - Azure Security Center: Added support for ARM templates for Tier 2 Integration
  - Azure Security Center: Integration with Logging and Reporting capabilities of the Azure Security Center
  - Amazon Web Services: Enhanced Bootstrapping capabilities using AWS CFT and using Barracuda Web Application Firewall templates and Barracuda Web Application Firewall configuration backups
- Other Issues
  - Issues addressing possible CPU utilization spikes in the 8.1 firmware and optimization to reduce the memory footprint of the data path process during processing of HTTP or HTTPS requests
Version 8.1
The Barracuda Web Application Firewall firmware version 8.1 is a major release that introduces multiple product enhancements to security, access control and management capabilities. Some of the enhancements are highlighted below:
- Enhanced Web Scraping Protection
- Granular Binding of Security Policies
- Support for AMQP formatting in Exported Logs
- URL and Parameter Profile Optimization
- Support for Auto-Scaling in AWS
- SAN Certificate CSR
- Support for JSON Key Profiles
- Load Balancing across Server Name Resolution
- Integration with Barracuda Vulnerability Manager, HPE Fortify OnDemand and HPE Fortify WebInspect Vulnerability Scanners
- Integration with Denim ThreadFix
- Support for HTTP/2 and Websockets (BETA)
- Redesigned BASIC > Services page to enhance scalability
- Support for ActiveSync applications via the Web Application Firewall
Version 8.0.1
The Barracuda Web Application Firewall firmware version 8.0.1 is a maintenance release which has fixes for issues found in the 8.0 GA release.
Version 8.0
The Barracuda Web Application Firewall firmware version 8.0 is a major release which introduces multiple product security, access control, management, and usability enhancements. Some of these are highlighted below while the longer version of release notes is here
- Security
  - JSON payload can now be inspected for attacks.
  - Attack patterns have been re-organized for better visibility and control.
  - Client certificate based authentication can be enforced for specific URL space.
- Access Control Enhancements
  - Federated Authentication via SAML 2.0.
  - The Access Control policy capabilities have been enhanced to customize and configure the login/logout pages.
  - Ability to enforce Brute force policy for failed login attempts.
- Centralized Management Service
  - Supports version 3.5.2 Barracuda Control Server.
  - Barracuda Control Server v3.5.2 provides:
    - Single login for managing multiple Barracuda Web Application Firewalls.
    - Ability to upgrade multiple systems from one window.
    - Ability to generate aggregated reports for multiple Barracuda Web Application Firewalls.
    - Mechanism to configure multiple Barracuda Web Application Firewalls through templates.
- System Management
  - Logging and Reporting:
    - Multi-level drill down capability added in Reports module to assist in forensic analysis.
    - Composite and Classic views have been implemented in Access Logs and Web Firewall Logs.
    - Each log in Web Firewall Logs and Access Logs is associated with a unique ID.
    - Unique ID can be added to the response page using the response page macros.
    - Ability to set the time (in 24 hour format), day/date and schedule the report.
  - Support for IBM App Scan 9.x.
  - REST API for configuring Allow / Deny Rules.
Version 7.9.2
Notes on the Barracuda Web Application Firewall version 7.9.2:
Change in behaviour:
- Base64 decoding is not applied to parameter values that adhere to the Data URI scheme unless Base64 Decode Parameter Value is set to "Yes". [BNWF-19540]
- The Barracuda Web Application Firewall now does not perform deep inspection on the content of the POST body that is in text/plain format. [BNWF-19281]
Fixes and Enhancements
- Enhancement: It is now possible to include or remove the "Timestamp" and "Unit name" fields in logs that are exported to the syslog server. [BNWF-19508]
- Fix: Negative integer in the "Max-age" header value is now honoured by the Barracuda Web Application Firewall. [BNWF-19542]
- Fix: Username can contain backslash (\) for RADIUS authentication. [BNWF-19543]
- Fix: "Policy Fix" now creates a correct parameter profile for the parameter that contains a colon. [BNWF-19103]
- Fix: After upgrade to 7.9.1.010, the cookies were modified or not displayed in Cookies Exempted on the SECURITY POLICIES > Cookie Security page. This issue is fixed now. [BNWF-18890]
- Fix: Internal database for log storage has been resized in the Barracuda Web Application Firewall 360 and 460 to reduce RAM usage. [BNWF-19105]
- Fix: Various fields of web firewall logs and access logs are normalized to handle multi-byte charsets and escape sequence characters, which caused issues when logs were exported to CSV format. [BNWF-19136] [BNWF-19683] [BNWF-19580] [BNWF-16619]
- Fix: An upgrade in the Azure platform resulted in some rare outage issues. This has been fixed now. [BNWF-19200]
- Fix: An issue with the process of firmware upgrade using offline mode, is resolved. [BNWF-19302]
- Fix: A possible outage caused due to memory overrun while logging SSL protocol version, has been addressed. [BNWF-18993]
- Fix: If the Header for Client IP Address is selected for a service, the Barracuda Web Application Firewall checks for the occurrence of the header in up to 64 HTTP headers, and picks the right client IP address. [BNWF-18950]
- Fix: Virus detection feature is now available for A2 instances on Azure and Amazon Web Services. [BNWF-18922]
- Fix: In Bridge mode, the services created in languages other than English now work as expected. [BNWF-18823]
- Fix: The URL encryption issue is fixed to encode the URLs properly to handle spaces within the URL path. [BNWF-17222]
- Fix: When the requests do not match the configured response body rewrite rules, the response is not chunk encoded and connection is not closed for HTTP/1.1 requests by the Barracuda Web Application Firewall. [BNWF-19546]
- Fix: If a file without a name is uploaded through multipart/form-data and no virus is detected in the uploaded content, then the request is not logged in the BASIC > Web Firewall Logs page. [BNWF-19432]
Version 7.9
This release of the Barracuda Web Application Firewall is a major release which includes a number of usability, security and management features, some of which are highlighted below:
- Security
  - Cryptographic encryption of selected URL spaces is now available
  - Cookie exemption can now include asterisk (*) wildcard character with the cookie name. [BNWF-592]
  - Enhancements to attackdef framework which include:
  - Active / Passive / Off control per signature
  - Definition updates can be automatically updated without requiring a restart of the system
  - Notifications in case of availability of new definitions
  - Tool to validate Regex patterns for attack types
  - Ability to view locked out clients in the Barracuda UI
  - CAPTCHA as a follow-up policy now has configuration options to deal with clients violating brute force policies
  - SSL improvements which include PFS support, SNI and recent vulnerability fixes for Heartbleed and other CVEs on OpenSSL
  - Parameter names are now inspected for attacks in the request
- Access Control
  - Multi domain support for LDAP & Kerberos
  - Support for Chained authentication (LDAP + RADIUS)
- Management
  - A fresh new Barracuda User Interface
  - Availability of interface information on the status page itself
  - Backend enhancements to logging to ensure that more access and web firewall logs reside on the system
  - Geo IP tagging of access and firewall logs
  - Enhancements to search functionalities, and ability to save the searches
  - Enhancements to reporting functionalities
  - A new notification framework which gives configurability on event thresholds, system and service related event notifications via email
  - Hit counts now available for URL Allow/Deny rules
  - Password security policy can be enforced for the internal and external administrators configured on the ADVANCED > Admin Access Control page
  - A rework of the templating system to provide more flexibility
  - Improvements to REST API
- Platform
  - Integration of cloud functionality into the mainstream firmware