Barracuda Web Application Firewall Release Notes - Version 12.0.0.006 (Pre-requisite : 11.0.0.007, Release : July 2022)
Before installing a new version of firmware:
- Make a backup of your configuration using the ADVANCED > Backup page.
- Read all release notes that apply to versions more recent than the one currently running on your system.
CAUTION:
- Upgrading from 11.0.0.x to 12.0.0 is a major upgrade, and the upgrade process may take more than 10 minutes if the configuration is large, especially when many servers are configured. Do not reboot the machine while the upgrade process is in progress.
- Downgrading to a previous major version (like from 12.0.0.x to 11.0.0.x) is NOT recommended. Please contact Barracuda Networks Technical Support if you are thinking about attempting a firmware downgrade, and make sure that you have carefully gone through the known issues sections for the earlier firmware versions.
Backups taken AFTER a firmware revert or downgrade (such as from 12.0.0.x to 11.0.0.x) may not be compatible for use after a subsequent firmware upgrade (such as from 11.0.0.x back up to 12.0.0.x), so make sure that you back up your configuration settings BEFORE you start any firmware change (either upgrade OR revert). If a feature is available in later versions and configuration is in place for that feature, a downgrade retains that configuration. This means that after the downgrade, the configuration pertaining to such a feature might still be visible but will not take effect.
After restoring your settings from a backup, you should always REBOOT to make sure that they take effect.
NOTE: Before upgrading a virtual machine, it is highly recommended to take a snapshot of that virtual machine.
Barracuda Web Application Firewall Product Activation
If this is a new system, you must activate your Energize Updates subscription prior to initial use. Your Energize Updates subscription includes access to Technical Support, new firmware releases and ongoing security definitions updates. 
To activate your Barracuda Web Application Firewall subscription:
- Using your Web browser, go to the BASIC > Status page.
- In the Subscription Status section, check the Energize Updates entry. If Energize Updates is Not Activated, click the activation link to be redirected to the Barracuda Networks Product Activation page. Complete activation of your subscription(s).
If it is connected to the Internet, your Barracuda Web Application Firewall automatically updates its activation status after you reload the browser page when viewing the BASIC > Status page. If it is not connected to the Internet yet, enter the activation code provided after completing the details on the Barracuda Networks Product Activation page. Click Activate. If the code is correct, the Barracuda Web Application Firewall will update its activation status.
- If a server is added with a hostname, the Barracuda Web Application Firewall automatically creates server entries for all IP addresses that resolve to the configured hostname. Deleting the first server that was added with the hostname will now delete all the automatically created server entries. [BNWF-25536]
- With OpenSSL 1.1.0, certificates signed with MD5 are no longer supported. Replace such certificates with SHA1/SHA256-signed certificates before upgrading to 11.0.0.x. If an upgrade is done without replacing these certificates, services using them will go down and rollbacks will occur. [BNWF-31980]
- Attackdef 1.172 is shipped with this firmware. It has changes relevant to the firmware's interoperability with the Barracuda Block Listed IP database. [BNWF-32541]
Version 12.0.0.006
The Barracuda Web Application Firewall version 12.0.0.006 is an incremental upgrade to the 12.0.0.003 release and has the following critical fixes:
Version 12.0.0.003
The Barracuda Web Application Firewall version 12.0.0 is a major upgrade from the 11.0.1 release and has the following important enhancements and fixes:
Features
- Feature: Barracuda WAF now supports enabling the Cross-Origin Resource Sharing (CORS) option for back-end applications. [BNWF-48893]
- Feature: WAF management web server is now upgraded to the latest stable version to address multiple security vulnerabilities. [BNWF-51348]
- Feature: Automatic discovery for API endpoints and structure learning that provides ease of use for configuring API security is available for systems with active ATI subscription. [BNWF-50871]
- Feature: The ADVANCED > Admin Access Control page provides the ability to grant Role-based administration access to perform the configured actions on the ATI dashboard. [BNWF-50137]
- Feature: Account profiling implemented for privileged account protection. [BNWF-50131]
- Feature: Ability to configure/tune CSP policy from the ATI dashboard. Provides more control over violations and supports configuration actions from the ATI dashboard. [BNWF-50034]
- Feature: Ability to show/hide all attacks graphs using a single click. [BNWF-49743]
- Feature: Attacks on the BASIC > Dashboard can be clicked to filter the logs based on the selected attack type. [BNWF-49742]
- Feature: In OpenID Authentication on ADVANCED > Admin Access Control > External Authentication Services, administrators can now configure "Allowed Users" and enable access to the web application only to the specified users. [BNWF-48852]
- Feature: Barracuda WAF now provides native parsing, security, and delivery of applications with GraphQL APIs. [BNWF-49082]
- Feature: Barracuda WAF now allows users to block requests based on their Autonomous System Numbers (ASN). You can configure ASNs in the application layer IP Reputation settings and block requests originating from those ASNs. [BNWF-46039]
Enhancements
- Enhancement: An accordion is added on the BASIC > Dashboard page to display Notices and Warnings. Users are provided with the expand and collapse options to view and hide the list of notices/warnings. [BNWF-51327]
- Enhancement: "Internal Attack Patterns" can now be configured using REST API v3.x. [BNWF-50741]
- Enhancement: DNS, TPS and Kernel modules are removed from the Module Log Levels list on the ADVANCED > Export Logs page. [BNWF-50690]
- Enhancement: Fingerprint risk score computation framework improved to ensure that Upstream load balancer in cloud deployments is not blocked. [BNWF-49259]
- Enhancement: In the Request/Response rewrite rule, headers that appear multiple times and match the criterion are honored and all corresponding headers are modified. [BNWF-48824]
- Enhancement: The SameSite attribute can now be configured from the Cookie Security page. By default, the WAF does not add this attribute; it can later be configured to Lax, Strict or None. [BNWF-45679]
- Enhancement: The country code for “Gibraltar” is added to the country list in the IP Reputation Geo Pool. [BNWF-46801]
- Enhancement: It is now possible to export country code information to the syslog servers. [BNWF-50604]
- Enhancement: Mitigations for HTTP request smuggling attacks now also cover non-POST methods. [BNWF-51004]
- Enhancement: The tolerance for the config process hang check monitors is increased to prevent a possible false positive. [BNWF-50952]
Fixes
- Fix: A datapath crash seen after reconfiguring “Exception Patterns” for a URL Profile has been fixed. [BNWF-51620]
- Fix: An empty space after 'Cookie:' was causing WAF to insert '=' when forwarding the same request to the back-end server. This has been resolved now. [BNWF-51580]
- Fix: A possible false positive that results in the monitor processes bringing down the data path due to multiple instances of data path being detected has been fixed. [BNWF-51391]
- Fix: Uploading a Trusted certificate on the ADVANCED > Secure Administration page now does not reset the supported SSL protocols that are allowed to access the WAF GUI. [BNWF-51390]
- Fix: A configuration scenario that allowed deleting a certificate that is in use as the client certificate for client authentication in one of the Content Rule Servers has been addressed. [BNWF-51355]
- Fix: A bug in the back-end SSL flow, which resulted in data-path outage has been fixed. [BNWF-51336]
- Fix: Datapath crash was observed when Rate Control was enabled. This issue has been addressed. [BNWF-51679]
- Fix: An issue that caused frequent data-path crashes when using the Advanced Bot Protection (ABP) module has been fixed. [BNWF-51198]
- Fix: It is now possible to create a certificate using the Safari browser without any issues. [BNWF-51025]
- Fix: Memory issues with the data-path process when Client Fingerprinting was used have been fixed. [BNWF-51016]
- Fix: Large sites can now be downloaded without any issue when HTTP2 is enabled on the service level. [BNWF-50981]
- Fix: Multiple issues with the 'GeoIP Allowed/Blocked networks' templates have been addressed. [BNWF-50979]
- Fix: SAML relay state truncation issue due to large relay state URL has been addressed. [BNWF-50930]
- Fix: Outage in ActiveSync has been addressed. [BNWF-50770]
- Fix: JSON security now validates max array elements. [BNWF-50731]
- Fix: An issue that prevented the user from changing the HTTPS port used to access the WAF GUI has been addressed. [BNWF-50730]
- Fix: Configuration rollback was observed when creating JWT profile with the URL match. This issue has been fixed. [BNWF-50700]
- Fix: An issue with a special character in the LDAP password has been addressed. [BNWF-50660]
- Fix: Outage due to custom header logging when handling the server response has been addressed. [BNWF-50111]
- Fix: Parameter name/value pairs in requests originating from trusted hosts are now processed without enforcing attack checks. [BNWF-50091]
- Fix: An issue that caused Exception Learning to create URL profiles with empty values has been fixed. [BNWF-50041]
- Fix: Issue with deleting a saved configuration backup has been fixed. [BNWF-51209]
- Fix: An issue with the networking rules after manufacturing a WAF on very specific hardware models (964D/861C) has been addressed. [BNWF-50017]
- Fix: Sanitized rate control outage handling when HTTP2 is enabled. [BNWF-49712]
- Fix: Bruteforce is now enabled when Credential Spraying is enabled using REST API v3.x. [BNWF-49258]
- Fix: A renewed Let's Encrypt certificate can now be associated with a service whose name contains capital letters. [BNWF-48524]
- Fix: SNMP memory is now monitored, and appropriate actions are being taken. [BNWF-47506]
- Fix: The 'Application Summary' report on the BASIC > Reports page now displays the Rule Group Server and Port information. [BNWF-47492]
- Fix: Web Firewall Logs now display the correct attack name and attack type. [BNWF-24155]
- Fix: For a 302 response with a 0-byte body, the WAF marked the response type as internal in the Access Logs. This issue is now fixed. [BNWF-12531]
- Fix: Issue with the Destination NAT rule table header has been fixed. [BNWF-51644]
- Fix: Authentication module data path crash on parsing the Russian Unicode characters has been fixed. [BNWF-51124]
- Fix: OpenID data path crash on simultaneous login of multiple users has been addressed. [BNWF-48803]
- Fix: An issue where the request URLs in the Authentication module were trimmed off after the standard extension (Example: .exe, .cgi) has been resolved. [BNWF-49753]
- Fix: Data path crash observed in OpenID Connect when handling requests with more than 16 headers has been fixed. [BNWF-51345]
- Fix: Intermittent OpenID data path crash in some error condition has been addressed. [BNWF-50204]
- Fix: A possible outage when parsing cookies that arrive in a specific condition has been addressed. [BNWF-50960]
- Fix: An issue with masking sensitive data when two or more consecutive parameter separators (such as '&') appear has been addressed. [BNWF-50192]
- Fix: A possible race condition leading to an outage when the Instant SSL feature is enabled is now fixed. [BNWF-49762]
- Fix: A condition in which the worker processes could become busy while looking through the bruteforce-related bookkeeping has been addressed. [BNWF-49622]
Version 11.0.1.006
The Barracuda Web Application Firewall version 11.0.1 is a maintenance release which augments the previous firmware release of 11.0.0.007 and includes the following important enhancements and fixes:
- Feature: Ability to exempt client profile validations on IP addresses and IP address ranges. [BNWF-49269]
- Enhancement: The number of trusted CA certificates that can be associated with a service for verifying client certificates has been increased to 256. [BNWF-48485]
- Enhancement: Deep inspection is now applied for text/plain content types in POSTs. [BNWF-14836]
- Enhancement: Web Scraping now uses Advanced Threat Intelligence (ATI) for better and improved client classification. [BNWF-49263]
- Enhancement: The client fingerprint mechanism is upgraded to support a wider range of applications. [BNWF-48931]
- Enhancement: Exception learning now supports learning from IPv6 trusted hosts as well. [BNWF-48188]
- Enhancement: AAA now allows LDAP users from 128 groups or more. [BNWF-48172]
- Enhancement: Policy fix added for JSON minimum number value attack. [BNWF-47663]
- Enhancement: Internal processes are optimized to improve system performance, especially for single-core instances. [BNWF-34515]
- Enhancement: Max Cache Size can be configured for JSON Web Token (JWT) requests on ACCESS CONTROL > Web Token Validation > Add Validation Endpoint. [BNWF-48449]
- Enhancement: Scheduling Reports now supports multiple filtering criteria based on the type of reports similar to the UI behavior. [BNWF-45363, BNWF-45365]
- Enhancement: Ability to create and upload certificates for SAML Single Sign-On on the ADVANCED > Admin Access Control page. [BNWF-49665]
- Enhancement: The 'Enable Client Fingerprinting' parameter is moved from the BASIC > Services to the BOT MITIGATION > Bot Mitigation page. [BNWF-49548]
- Enhancement: CAPTCHA was earlier enforced per individual IP address. It is now enforced at the level of the application session to avoid problems for clients coming from NATed IP addresses. Only the sessions that solve the CAPTCHA are allowed to access the requested resources, while other clients that have not solved the CAPTCHA but may be coming from the same IP address will continue to be challenged or will be blocked. [BNWF-49261]
- Enhancement: The internal cookie of the Barracuda Web Application Firewall is no longer logged as "Unrecognized". [BNWF-47238]
- Enhancement: The Patch Management UI has been updated to use the new patch client v2.0. [BNWF-48838]
- Enhancement: OpenSSL library has been upgraded to version 1.1.1l to fix security vulnerabilities. [BNWF-49994]
- Fix: Enabling "Send Basic Authentication" resulted in duplication of domain name in the Authorization header sent to the server. This issue has been addressed. [BNWF-49808]
- Fix: Server hostname resolutions in Turbo mode now works for all service types. [BNWF-49752]
- Fix: Username and Password Parameters for Credential Stuffing Protection now honor all possible characters. [BNWF-49709]
- Fix: Turbo mode hostname server resolutions are better managed to allow creation of Servers with localhost IP addresses (127.0.0.x). [BNWF-49564]
- Fix: An issue where client fingerprint was not being generated when CSP was configured with mode as 'Block' and script as 'Include Nonce', has been addressed. [BNWF-49493]
- Fix: An issue that caused accumulation of a huge number of API requests from the Advanced DDoS Prevention (ADP) service has now been fixed. [BNWF-49274]
- Fix: In an offline upgrade, an issue seen in CSP/SRI due to a failure in installing the dependency module has been fixed. [BNWF-48896]
- Fix: An issue where the upload directory was not being set properly while restoring a backup from an older firmware has been fixed. [BNWF-48869]
- Fix: Incorrect validation errors during editing of URL profiles have been removed. [BNWF-48827]
- Fix: Enforcing "Policy Fix" on a Web Firewall Log for 'Response Header Suppressed' attack does not cause configuration rollback. [BNWF-48265]
- Fix: An issue with template logging where logs were being lost after applying a large template, has been fixed. [BNWF-48211]
- Fix: The mode of Internal attack patterns does not change after a backup is restored. [BNWF-47908]
- Fix: Configuring the same WAN IP and port combination for Services and Administrative access was leading to UI being inaccessible. This issue has been fixed. [BNWF-47187]
- Fix: Updated aggregate outbound IP ranges for Twitterbot is honored from 11.0.1 firmware. [BNWF-47053]
- Fix: The Action label in the Trusted Hosts section on the Access Control > Authentication Policies > Edit Auth Policy page is changed from 'Default' to "Process". [BNWF-45918]
- Fix: A validation issue that allowed users to set the Allow/Deny rule sequence to more than 255 which is not supported, has been fixed. [BNWF-33756]
- Fix: RADIUS and LDAP authentication services now honor special characters in the password. [BNWF-27264]
- Fix: A Data-path crash caused due to wrong key profile in Passive mode, has been fixed. [BNWF-33919]
- Fix: Duplicate URL and Parameter profiles are no longer created when 'Adaptive Learning' and 'Exception Learning' are ON for a service and a Policy Fix is performed. [BNWF-49260]
- Fix: A Rule Group and JWT Profile can now be configured with the same name. [BNWF-49816]
- Fix: Removal of ethernet cable of active link now changes the active link to the next available active link in the Active-Backup bonding mode on the 964D model. [BNWF-49597]
- Fix: Reboot or shutdown now does not take a long time in a fully configured VM instance. [BNWF-49565]
- Fix: Non-English language characters are now allowed in Subject Alternative Names (SAN) when creating a certificate. [BNWF-49514]
- Fix: Large templates with SNI certificates mapping in the service template can now be applied successfully. [BNWF-49453]
- Fix: Firmware and Log Storage values now do not change on the BASIC > DASHBOARD web interface when the page is refreshed. [BNWF-48856]
- Fix: Group Mapping feature for SAML Admin SSO now correctly maps the group names to WAF admin roles. [BNWF-48664]
- Fix: The Bearer Token JWT Auth Mechanism field can now be configured as empty. [BNWF-48510]
- Fix: JWT Public keys uploaded using REST API are now displayed properly on the BASIC > Certificates page. [BNWF-48441]
- Fix: REST APIs to configure the SAML RBA are now available. [BNWF-48114]
  Note: When you upgrade from 11.0 to 11.0.1 firmware with SAML RBA configuration, SAML RBA needs to be reconfigured. If not, SAML Single Sign-On (SSO) does not work.
- Fix: Graphs on the BASIC > Dashboard page are now displayed properly when the language is set to French. [BNWF-47606]
- Fix: Log recovery mechanism is added to recover the logs if there is any issue in saving logs to the intermediate log storage database i.e. MongoDB. [BNWF-47373]
- Fix: An issue where website translation was not working due to an extra space in the header, has now been fixed. [BNWF-33942]
- Fix: An issue where template import was exposed to some security issues, has now been fixed. [BNWF-22692]
- Fix: If the WAF can fetch a client's entry from the database, which is dynamically populated from observed traffic patterns, it uses the "Client Type" information from that database to validate the client. [BNWF-49507]
- Fix: Issue related to LE certificate Renewal failure due to another certificate generation, has been addressed. [BNWF-49887]
- Fix: Monitoring mechanism is added to restart MongoDB if the memory usage by the service is more than 10% of the available RAM. [BNWF-49502]
- Fix: Bond interfaces can now be created with keywords 'WAN' or 'LAN' in the name string. [BNWF-49460]
- Fix: An issue that triggered unwanted alerts with event ID 62002, has been addressed. [BNWF-49272]
- Fix: The buffer data is streamlined and is now sent in the correct sequence. [BNWF-48832]
- Fix: The Safari browser version should be 14.1.2 or higher to have SAML Single Sign-on to work properly. [BNWF-48542]
- Fix: In the Bridge mode, moving a service from one Vsite to another Vsite has been disabled. [BNWF-47878]
- Fix: Issue with the 'Policy Fix Wizard' where the JSON limit policy was being set to Empty, has been addressed. [BNWF-47853]
- Fix: A Data path crash that was seen after the FTP SSL service was enabled and the resources on the FTP server were accessed, has been fixed. [BNWF-49465]
- Fix: The Barracuda WAF now normalises inputs containing special characters like CR and LF inside the buffers which could be attempts to evade detection of malicious input. [BNWF-49605]
- Fix: After upgrading to the 11.0.1 firmware version, SAML Single Sign-on must be reconfigured. Certificate for signing requests must be created or uploaded and then associated with the SAML configuration. [BNWF-49930]
- Fix: An issue that displayed blank entry for "suspicious clients" when client IP addresses were marked as suspicious due to the CAPTCHA policy, has been addressed. [BNWF-49947]
- Fix: A rare scenario that resulted in high CPU utilization during the functionalities like brute-force, tracking suspicious clients, lockout and others, has been addressed. [BNWF-49125]
- Fix: Masking of sensitive data fields appearing in web firewall log details, had an issue with case sensitivity of the chosen parameter to mask. This is fixed now. [BNWF-48933]
- Fix: Monitors for the request processing have been updated to check for erroneous or accidentally launched instances of the worker processes. [BNWF-48902]
- Fix: It is now possible to configure http:// in the URI path of an Allow-Deny rule. [BNWF-47156]
- Fix: An issue related to overwriting internal files on file upload in certain scenarios is resolved now. [BNWF-50048]
- Fix: Fixed a datapath crash issue that was caused by a race condition by the Stats collection module. [BNWF-49526]
- Fix: Fixed an issue where Azure Managed Identity features were not working after upgrading to 11.0.x firmware. [BNWF-49534]
- Fix: Fixed an issue where certificate uploads were failing after Oct 1st due to a dependency on Lets Encrypt's intermediary certificate that expired. [BNWF-50122]
- Fix: Fixed an issue where logs were not getting generated in certain scenarios after upgrade to 11.0 firmware. [BNWF-50126]
- Fix: Fixed an issue which caused data-path outage with Advanced Bot Protection (along with Advanced Analytics) enabled. [BNWF-49837]
- Fix: Fixed an issue where the Certificate Status Report was not rendering via the WAF Control Center. [BNWF-50068]
- Fix: Fixed an issue where virus definition updates were not being applied every day. [BNWF-49958]
- Fix: To address disk crunch issues in the data partition on certain WAF models, the log database storage has been moved to the root partition. [BNWF-49116]
Version 11.0.0.007
The Barracuda Web Application Firewall version 11.0.0 is a major upgrade version to the 10.1.1 release and has the following important enhancements and fixes:
- Client Side Protection
Barracuda Networks augments security with complete support for Content Security Policy and Sub Resource Integrity validations.
- Content Security Policy is used to control the behavior of the client's browser. A full-featured wizard supporting all CSP directives enables administrators to control the resources that can be loaded in the client's browser and direct the behavior of the various elements, tags and other aspects of the web pages within the client's browser. Directives such as frame-ancestors help in protecting against Clickjacking attacks. [BNWF-46278] [BNWF-25949]
- Sub Resource Integrity is a security feature that enables browsers to verify that the resources they fetch are delivered without unexpected manipulation. This protects applications from supply chain attacks that may target resources such as JavaScript, images and other content loaded from third-party servers. [BNWF-46278]
 These capabilities can be deployed in Report Only mode or in Block mode. In Report Only mode all violations of the policies are reported to the Barracuda Threat Intelligence Service and can be viewed on the Barracuda Threat Intelligence Service Dashboard.
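As an added illustration of the two mechanisms described above (not Barracuda's code or configuration), the following Python computes Subresource Integrity tokens, mimics the browser-side check that rejects a tampered copy of a script, and builds the CSP header for Report Only versus Block mode; the script body, CDN URL and report endpoint are constructed sample values.

```python
import base64
import hashlib

# Constructed sample resource, standing in for a third-party JavaScript file
# that a page would load from a CDN.
ORIGINAL_SCRIPT = b"window.widget = { init: function () { return 'ok'; } };\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI permits, weakest first


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token for a resource body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not permit {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Render the <script> tag the origin emits so the browser refuses a modified copy.

    crossorigin="anonymous" is required for SRI on cross-origin resources; without it
    the browser cannot read the bytes to hash them and blocks the load.
    """
    return (f'<script src="{src}" integrity="{sri_integrity(body, algo)}" '
            'crossorigin="anonymous"></script>')


def browser_would_execute(fetched_body: bytes, integrity_attr: str) -> bool:
    """Mimic the browser-side SRI check.

    The integrity attribute may list several tokens. As the SRI specification
    requires, only the strongest recognised algorithm present is considered, and
    the fetched bytes must match at least one token using that algorithm.
    """
    tokens = [t for t in integrity_attr.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        # No recognised token: browsers treat the attribute as absent and load the resource.
        return True
    strongest = max((t.partition("-")[0] for t in tokens), key=SRI_ALGOS.index)
    return any(sri_integrity(fetched_body, strongest) == t
               for t in tokens if t.startswith(strongest + "-"))


def csp_header(report_only: bool, report_uri: str = "/csp-report") -> tuple[str, str]:
    """Build the CSP header for the two deployment modes described above.

    Report Only mode uses the Content-Security-Policy-Report-Only header, which
    only reports violations; Block mode uses Content-Security-Policy, which the
    browser enforces. frame-ancestors 'none' is the clickjacking protection.
    The CDN origin and report endpoint are constructed sample values.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = ("default-src 'self'; script-src 'self' https://cdn.example; "
             f"frame-ancestors 'none'; report-uri {report_uri}")
    return name, value


if __name__ == "__main__":
    print(script_tag("https://cdn.example/widget.js", ORIGINAL_SCRIPT))
    attr = sri_integrity(ORIGINAL_SCRIPT)
    print("intact script executes:", browser_would_execute(ORIGINAL_SCRIPT, attr))
    print("tampered script executes:",
          browser_would_execute(ORIGINAL_SCRIPT + b"// injected\n", attr))
    print(": ".join(csp_header(report_only=True)))
```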
- Advanced Bot Protection
Barracuda Advanced Bot Protection capabilities have been protecting many of our customers against many types of automated attacks. Barracuda Networks continues to enhance the capabilities to detect and protect against automated attacks.
- Credential stuffing attack protection has been enhanced to support applications that communicate credentials via JSON/AJAX requests or HTTP Basic Authentication mechanisms. [BNWF-33998]
- Brute Force Policy can now be triggered by matching a set of text patterns in the HTTP response body. [BNWF-33840]
 
- Security & Access Control
In this release, additional protection for APIs and WebSocket has been introduced along with multiple other enhancements.
- JWT Validation: JSON Web Tokens (JWT) are a common mechanism for representing claims securely, especially in the context of APIs. With version 11.0, Barracuda WAF adds support for validating JWT tokens issued by an Authorization Server. This feature is available on Barracuda WAF 660 and higher models. [BNWF-46375]
- Web Socket Security: Traffic on WebSocket can now be inspected for protocol violations and other exploits by the WebSocket Security feature on the WAF. Administrators can configure the WebSocket security profile by navigating to Websites > WebSocket Security. [BNWF-25386]
- Tarpit: Suspicious clients can be tarpitted (slowed down) for a time interval configurable from the UI. [BNWF-46274]
- Single Log Out (SLO) support for SAML: SAML for Access Control has been enhanced to support SLO, where a logout response from any of the participating applications resident on the WAF sends a logout command to all participating SSO applications. [BNWF-33520]
 
- Traffic Management
- HTTP/2: With this release, Barracuda WAF adds support for HTTP/2 for WAF-to-server communication in addition to the client-to-WAF communication that has been supported from earlier releases. [BNWF-25380]
- Direct Server Return: A Barracuda WAF service can now be configured behind a Load Balancer service with Direct Server Return. This capability is used in rare scenarios where traffic from the server has to be bypassed due to application considerations. This requires changes on the web server as well. [BNWF-46377]
- IP Address from TCP Options (additional CDN Support): In many cases where the Barracuda WAF is deployed behind a CDN, the actual IP address of the client is encapsulated in TCP Options field by the CDN infrastructure. Barracuda WAF supports reading of Client IP and Port from TCP Options Address field. [BNWF-46376]
 
- System Management
- Auto Configuration Engine: Customers with Barracuda Advanced Bot Protection license can now use the statistical and machine learning enabled configuration recommendation engine. This engine analyzes traffic patterns to recommend configurations that would make the existing deployments more secure. [BNWF-46303]
- SAML for Role Based Administration: All user identity stores that support SAML, such as Azure AD or Microsoft AD FS, can be integrated with Barracuda WAF to enable Role Based Administration for WAF administration. [BNWF-32912]
- ABP Dashboard Enhancements: Advanced Analytics dashboard is updated to improve the performance and visualizations. [BNWF-47616]
- API Enhancements: REST API v3.x now supports performing IP reputation lookups. [BNWF-31932]
- Alien Vault SIEM is now supported by the Barracuda WAF.
 
- Enhancements
- Security & Access Control
- Enhancement: reCAPTCHA functionality has been enhanced to support wildcard characters for domains and to allow duplicate site and secret keys. [BNWF-46337]
- Enhancement: The SameSite attribute can now be configured from the Cookie Security page. By default, the WAF will not add this attribute; it can later be configured to Lax, Strict or None. [BNWF-33938]
- Enhancement: Bots configured in the Allowed-List will be exempted from fingerprint challenges exceeded action. [BNWF-46059]
- Enhancement: Factory templates for Typo3, Magento, PrismWeb and OsCommerce are now available in Advanced > Templates. [BNWF-33582]
- Enhancement: Custom Identity Theft Patterns now support Polish, Czech and Hungarian national identification numbers as pattern algorithms. [BNWF-44932]
- Enhancement: User can now configure OpenID-Connect scope per URL by navigating to Access Control > Authentication Policies > Add/Edit Authorization > OpenID Connect Scope. [BNWF-44803]
- Enhancement: The host header value can now be excluded for authentication redirects. [BNWF-33989]
- Enhancement: Multiple domain controller IP addresses can be added for same Kerberos Domain Controller realms. [BNWF-30237]
- Enhancement: Ability to configure minimum value for JSON number value ("Max Number Value") in JSON limit policy and JSON Profile, along with the violated value being logged correctly in the Firewall logs. [BNWF-29392]
 
- Traffic Management
- Enhancement: DSR mode is not supported for redirect services and in virtual appliance active-active cluster state. [BNWF-47931]
- Enhancement: Support provided to enable SSL status for real servers (Servers/Rule Group Servers) with port 443. [BNWF-45431]
 
- System Management
- Enhancement: Virusdef update will get triggered once a day instead of every hour to reduce resource contentions. [BNWF-47608]
- Enhancement: New option "Blocklisted Category" for Client Type filter drop-down under Access/WebFirewall Logs has been added. [BNWF-47599]
- Enhancement: User will be able to filter results on host name with 128 characters. [BNWF-30092]
- Enhancement: Support to collect statistics from more than 128 server objects under one service has been provided. [BNWF-47439]
- Enhancement: Disk space utilization on some Web Application Firewall models has been optimized to save logs and core files more efficiently. [BNWF-47349]
- Enhancement: The extended match now has new drop-down option, HTTP/2.0 as HTTP version. [BNWF-47054]
- Enhancement: The OpenSSL version running on WAF has now been upgraded to OpenSSL 1.1.1i to fix security vulnerabilities. [BNWF-47016]
- Enhancement: The WEBSITES tab has a New DataTables Widget. [BNWF-46144]
- Enhancement: The JavaScript inserted for client identification is made non-fingerprintable. Direct access to these JavaScript files is no longer allowed. [BNWF-45577]
- Enhancement: On the dashboard page, the details for each interface now include the rx_missed_errors counter. [BNWF-33459]
- Enhancement: Upper limit for "Max Array Elements" and "Max Siblings" is now increased to 8192 from 1024 and 2048 respectively in JSON limit Policy and JSON Profile. [BNWF-30529]
- Enhancement: The protocol / TLS version used between the WAF and the Web Server will now be logged in the Access Logs. [BNWF-26234]
- Enhancement: The log details now show the country name instead of country code. [BNWF-25889]
 
 
- Fixes
- Security & Access Control
- Fix: The UI showing wrong values for the FAN and CPU related parameters on the dashboard page for the new WAFs with Aewin motherboards has been fixed. [BNWF-48217]
- Fix: An issue on 460/V460 models where Let’s Encrypt certificate generation/renewal was failing has been fixed. [BNWF-48105]
- Fix: Delay caused by stats collector process during data-path start has been fixed. [BNWF-47992]
- Fix: A new category of certificates has been added under Basic > Certificates. The category shows certificates used for validating JSON Web Tokens. [BNWF-47967]
- Fix: An issue where Bulk Edit for ACLs automatically turned their status to On has been fixed. [BNWF-47933]
- Fix: The maximum number of concurrent HTTP/2 streams has been extended to 100. [BNWF-47844]
- Fix: An issue where RBA was not honored for SECURITY POLICIES has been fixed. [BNWF-47677]
- Fix: An issue where log rotation was not happening for certain files, which led to unwanted disk usage, has been fixed. [BNWF-47553]
- Fix: Notifications for log storage on newer AWS and Azure instances have been fixed. [BNWF-47534]
- Fix: An issue where pagination was failing on website profile page when the config changed has been fixed. [BNWF-47498]
- Fix: An issue where a user was shown as active on the Basic > Services page even though the session had expired has been fixed. [BNWF-47478]
- Fix: Audit logs for automatic fixes from Exception Learning have been fixed. [BNWF-47437]
- Fix: An audit log for the 'Firmware Revert' operation that will show up in the Audit Logs UI has been added. [BNWF-47414]
- Fix: An issue with REST API validations that allowed users to enter more than the allowed number of characters in the 'Sensitive Parameter Names' field has been fixed. [BNWF-47407]
- Fix: An issue where the Dashboard and Reports were failing to load on certain occasions because the summary DB was corrupted has been fixed. [BNWF-47344]
- Fix: An issue where the TLS Protocol Version was not correctly passed to the web server when HTTP Request Rewrite feature was used, has been fixed. [BNWF-47341]
- Fix: Static routes with the same IP/mask but different default gateways on different Vsites are now shown correctly on Networks > Routes. [BNWF-47301]
- Fix: An issue where the OpenID was not working when the backend application initiated an OpenID request has been fixed. [BNWF-47092]
- Fix: A configuration wipe-out issue caused by a configuration agent crash has been fixed. [BNWF-47071]
- Fix: A problem with BATD functionality when the request URL length was exceeding 1K has been fixed now. [BNWF-47070]
- Fix: The data-path crash in element parsing structure handling has been fixed. [BNWF-47057]
- Fix: An issue where a misconfigured attribute map caused an outage for a service bound to a SAML authentication service has been fixed. [BNWF-46962]
- Fix: Support for NTLM authentication on a WebSocket enabled service has been added. [BNWF-46960]
- Fix: Application-specific graphs are now populated and shown on the dashboard for all systems irrespective of model. [BNWF-46864]
- Fix: The configuration rollback issue after an automatic attack definition update has been fixed. [BNWF-46830]
- Fix: An issue due to which the latest browsers were showing "ERR_SSL_KEY_USAGE_IN" for self-signed certificates created on Basic > Certificates has been fixed. [BNWF-46758]
- Fix: A Kerberos case of intermittent application timeouts has been addressed, and error logging has been enhanced to be part of the system log. [BNWF-46756]
- Fix: An issue where SNI domain bindings were getting corrupted when Let’s Encrypt certificates were auto-renewed has been fixed. [BNWF-46751]
- Fix: A thread hang issue while using rate control has been resolved. [BNWF-46698]
- Fix: An issue with "Backups to Keep" functionality due to which the most recent scheduled backup was getting deleted (instead of the oldest backup) is fixed now.
- Fix: An issue where some of the services were showing incorrect status on the console during the system start up sequence has been fixed. [BNWF-46590]
- Fix: An issue where the SNMP community string was not honoured when changed via the UI has been fixed. [BNWF-46568]
- Fix: A memory leak in the 192-byte segment due to the app map content base has been fixed. [BNWF-46533]
- Fix: An issue where navigation options were not working in BCC for JSON Security has been fixed. [BNWF-46435]
- Fix: An issue where TLS versions were getting disabled when a certificate was added to SNI Domains via an API call has been fixed. [BNWF-46431]
- Fix: An issue with synchronization of Exception Networks in IP Reputation across the units in HA has been fixed. [BNWF-46391]
- Fix: An issue where all filters were not loading properly in the UI has been fixed. [BNWF-46387]
- Fix: Outage due to rate control has been addressed. [BNWF-46348]
- Fix: A configuration rollback issue due to a duplicate Vsite ID being allocated in the configuration has been fixed. [BNWF-46343]
- Fix: An issue where a service template was not getting applied for SNI certificates even when the certificates were present in another unit has been fixed. [BNWF-46302]
- Fix: A long User-Agent header from Firefox causing the SAML library to crash has been addressed. [BNWF-46258]
- Fix: The severity of the log indicating that the SNMP manager process is utilizing high CPU has been changed from "Error" to "Info". [BNWF-46244]
- Fix: An issue with snmpget for OID 1.3.6.1.4.1.20632.8.26 (Virusdef updates) has been fixed. [BNWF-46195]
- Fix: A datapath memory leak in the 64-byte segment due to internal cookies has been fixed. [BNWF-46194]
- Fix: A datapath crash while computing the SSL fingerprint has been fixed. [BNWF-46176]
- Fix: An issue while monitoring data-path memory usage on Platform 5 boxes has been fixed. [BNWF-46151]
- Fix: An HTTP/2 crash while closing an idle HTTP/2 session has been fixed. [BNWF-46107]
- Fix: The log storage usage percentage for P5 instances now shows up correctly on Basic > Dashboard. [BNWF-46002]
- Fix: An issue due to which hostname resolution process was exiting abruptly while deleting a Server has been fixed. [BNWF-45892]
- Fix: An issue due to which "Default System Log Level" (available in Advanced > System Configuration > Advanced > Logging) configuration was not working has been fixed. [BNWF-44823]
- Fix: X-Frame-Options, X-Content-Type-Options and X-XSS-Protection headers have been added to authentication redirect pages. [BNWF-34039]
- Fix: An issue with OpenID-Connect where user was getting service unavailable (503) error on accessing the application has been addressed. [BNWF-33738]
- Fix: The HTTP security headers provided by the Web Application Firewall's management interface have been updated. [BNWF-32839]
- Fix: An issue with normalizing characters in the non-ASCII range, which caused false positives, has been addressed. [BNWF-31011]
- Fix: An issue where the Proxy IP was not displayed properly in the Access Logs for HTTP/2 requests has been fixed. [BNWF-30398]
- Fix: An issue with the REST API v3.x where changes made to GeoIP Allowed Networks/Blocked Networks did not take effect has been fixed. [BNWF-29902]
- Fix: The 'Change Vsite Active On' operation is not allowed when the clustered units are in a heterogeneous state. [BNWF-29720]
- Fix: Module log level configuration will persist now even after a reboot or traffic manager restart. [BNWF-28208]
- Fix: An issue in the Policy Wizard with the "Too many parameters" fix for a Content Rule bound to a different Security Policy than the Service has been fixed. [BNWF-26463]
- Fix: The text 'DSR mode' has been changed to 'Enable Loopback Adapter' under Edit Service > Advanced Configuration. [BNWF-48288]
- Fix: A datapath crash while handling a JSON payload has been fixed. [BNWF-48443]
- Fix: The WAF now also supports the Client Secret Post, Client Secret JWT and Bearer Access Token authentication methods to validate the JWT token with the authorization server. [BNWF-47555]
- Fix: An issue with the application layer health check for a hostname server configured with SNI has been addressed. [BNWF-48484]
- Fix: An issue where a few tabs were not visible via the Barracuda Cloud Control has been fixed. [BNWF-48258]
- Fix: A datapath crash while computing the client fingerprint has been fixed. [BNWF-48674]
- Fix: A memory leak in the DDoS path has been fixed. [BNWF-48131]
- Fix: A data path process crash seen with parallel JWT requests validated using the Internal method has been addressed. [BNWF-48197, BNWF-48006]
- Fix: An issue where the UI was inaccessible due to unwanted logs filling up the log storage has been addressed. [BNWF-48483]
- Fix: An issue where system storage was getting exhausted due to excess process monitoring logs has been addressed. [BNWF-48673]
- Fix: A bug which resulted in a Data Path outage when using Credential Stuffing protection has been fixed. [BNWF-48515]
- Fix: A bug leading to non-enforcement of hard limits in Active mode, causing high CPU utilization with specific long parameter inputs, has been addressed. [BNWF-45450]
 
Version 10.1.1.010
The Barracuda Web Application Firewall version 10.1.1.010 is a maintenance release which augments the previous maintenance release of 10.1.1.008 and includes the following critical fixes:
- Fix: Fix for not being able to open the support tunnel from Platform 2 devices.
- Fix: Fix for Multi bridge HA functionality when LLCF is enabled. [BNWF-47017]
- Fix: Fix an issue on Platform 2 devices where certain log files were not being rotated. [BNWF-47185]
Version 10.1.1.008
The Barracuda Web Application Firewall version 10.1.1.008 is a maintenance release which augments the previous maintenance release of 10.1.1.006 and includes the following important fixes:
- Fix: Fix for STM not coming up on 1062 HW instances after firmware upgrade. [BNWF-46407]
- Fix: Fixes for memory leak and TCP memory issues due to HTTP2 module. [BNWF-46798]
- Fix: Fix for Multi bridge HA functionality when LLCF is enabled. [BNWF-32025]
- Fix: Fix rare issue with rendering Dashboard graphs in certain scenarios.
Version 10.1.1.006
The Barracuda Web Application Firewall version 10.1.1.006 is a maintenance release which augments the previous firmware release of 10.1.0.007 and includes the following important enhancements and fixes:
- Feature: Barracuda WAF now supports integration with two Gemalto Network HSMs in High Availability (HA) mode. [BNWF-34554]
- Feature: The Let's Encrypt integration has been migrated to v2 and no longer depends on v1, for which support has been stopped. [BNWF-45642]
- Feature: The Security Policies and Networks tabs now have a new and improved UI appearance. [BNWF-34470]
- Feature: Support for configuring only an ECDSA certificate for the service is provided. [BNWF-33972]
- Feature: If a server is part of any Rule Group, that Rule Group's name will also be displayed in the log for a server going down event. [BNWF-20352]
- Enhancement: The ability to add multiple header fields to filter, cloaking, etc. with a single save has been enhanced. [BNWF-34034]
- Enhancement: The older table on the ACCESS CONTROL page has been migrated to the new DataTables widget. [BNWF-33982]
- Enhancement: UI integration has been enhanced to display the configuration fields related to SSL/TLS Quick Settings under Advanced SSL options. [BNWF-33974]
- Enhancement: REST API support added to get Locked out clients (IP/Fingerprint) and to delete client(s) from Lockout list. [BNWF-27307]
- Enhancement: Support for Kerberos groups authorization using LDAP. [BNWF-45995]
- Fix: An issue where certificates/services were not visible for an HTTPS-only enabled WAF in the WCC has been fixed. [BNWF-45411]
- Fix: An issue where the user was not able to add JSON Key profile on WAF via BCC in the Websites > Json Security page, has been addressed. [BNWF-45381]
- Fix: The internal CA bundle has been updated. [BNWF-45357]
- Fix: Login IP and Admin name will be correctly logged in Audit logs for configuration updates done by the internal hostname resolution process. [BNWF-45157]
- Fix: Failed export of access logs to FTP server will be correctly logged in the system logs. [BNWF-45156]
- Fix: An issue that occurred when deleting a certificate due to some stale entries in the database, has been fixed. [BNWF-45099]
- Fix: An issue where "Configuration rolled back" and "Config update in progress" were not visible in the proxy view via the WAF Control Center has been fixed. [BNWF-45034]
- Fix: Certificate failures are now recorded with a system log that indicates a "failure in SSL Object creation" with the error string "SSL Object error". [BNWF-45022]
- Fix: An issue where the CRL auto-update process was trying to update the CRLs for a service that did not have client authentication enabled has been fixed. [BNWF-44965]
- Fix: Memory leak in datapath due to ssl fingerprinting, has been fixed. [BNWF-44954]
- Fix: An issue where the status of TLS1.3 for rule group servers displayed incorrectly, has been fixed now. [BNWF-44940]
- Fix: An issue that caused a data path outage because of a WebSocket upgrade request with Advanced Bot Protection enabled has been fixed. [BNWF-44938]
- Fix: If a Host header is provided as an additional header under Application Layer Health Check, the out-of-band health checks will now use HTTP/1.1 connections along with a 'Connection: close' header to make the request non-persistent. [BNWF-44933]
- Fix: An issue where the configuration reverted to its initial state upon firmware upgrade due to DB corruption has been fixed. [BNWF-44846]
- Fix: An issue in the data path has been fixed to ensure that resources are not locked up for longer than 150 seconds. [BNWF-44829]
- Fix: An outage caused by enabling "Allowed Groups" for ActiveSync has been fixed. [BNWF-44824]
- Fix: An outage observed due to Tarpit and Rate Control, has been fixed. [BNWF-44815]
- Fix: An issue with CRL auto update feature which was causing the auto update to fail, has been fixed now. [BNWF-34552]
- Fix: Memory leak issue with data lake ingestion process, has been addressed. [BNWF-34542]
- Fix: User context handling for Kerberos has been sanitised. [BNWF-34532]
- Fix: An issue with SNI domains not being visible when the locale was set to French, has been fixed. [BNWF-34513]
- Fix: An issue with memory hog caused by the process responsible for syncing the throughput data to WAF control centre, has been fixed. [BNWF-34507]
- Fix: Connection issues and their repercussions are now handled by the EventHub feature in the WAF. [BNWF-34493]
- Fix: A CPU hog issue caused by the Adaptive Learning feature, has been fixed. [BNWF-34019]
- Fix: An issue where copying or renaming a parameter profile failed has been fixed. [BNWF-33978]
- Fix: REST API support has been added to prevent conflicting configuration changes for SSL/TLS Quick Settings. [BNWF-33969]
- Fix: Binding an ECDSA certificate to the service is now enforced to achieve the Modern SSL/TLS Quick Settings. [BNWF-33968]
- Fix: An issue where a file containing viruses was intermittently not getting blocked has been addressed. [BNWF-33891]
- Fix: An outage occurred by certain FTP data path handling has been fixed by introducing a new variable in the ADVANCED > System Configuration > Traffic-management page. [BNWF-31766]
- Fix: The asynchronous event handling is enhanced to avoid possible resource issues seen rarely on some installations. [BNWF-31716]
- Fix: A rare race condition that led to continuous configuration rollbacks and eventually to a wipeout of the entire configuration has been fixed. [BNWF-30148]
- Fix: Binding a custom parameter class to a JSON key profile will work fine now. [BNWF-29886]
- Fix: An issue with Kerberos authentication with a case-insensitive domain has been addressed. [BNWF-18362]
- Fix: The tolerance for the 'Bandwidth threshold exceeded' alert has been increased to avoid flooding of alarms. [BNWF-45593]
- Fix: Redirect + HTTPS can now be used for Let's Encrypt certificate creation as opposed to only HTTP service. [BNWF-45888]
- Fix: SNI bindings get updated automatically on renewal of Let's Encrypt certificates. [BNWF-34504]
- Fix: Fix for delay in handling SAML responses. [BNWF-27385]
- Fix: Fix the interface renaming issue seen on certain devices on a firmware upgrade. [BNWF-46299]
Version 10.1.0.005
The Barracuda Web Application Firewall version 10.1.0 is the major upgrade version to the 10.0.1 release and has the following important enhancements and fixes:
- OpenID-Connect (OAuth 2.0)
- WAF now supports the OpenID-Connect mechanism for authenticating and authorising users with OpenID-Connect authentication servers.
- The supported openid-connect authentication servers include Google, MS Azure, Gluu, Keylock etc.
 
- Form Spam
- Protection against fake/automated form submissions
- Learns real-time traffic, detects forms with relevant parameters and auto-configures application based rules
- Option to add honeypot field dynamically in the form
- Metric based analysis for bot identification
 
- OCSP Stapling
- Barracuda WAF acts as an intermediary between the client and the OCSP responder
- Verifies and caches signed response from the OCSP responder
 
- Tarpit Clients
- Ability to slow down/drop requests from suspicious clients on the basis of their Risk Score
 
- Advanced Bot Protection enhancements
- Detection of Credential Spraying attacks
- ReCaptcha v3 support
 
- Enhancements
- Secure attribute in session tracking cookies
- WAF can now detect web development kits if requests are generated through these tools.
- Override SSL ciphers for TLS v1.2 and TLS v1.3
- IDP Metadata for SAML Authentication can be updated automatically.
- New Attack Reports added
- Client Profile will be created based on past history of client and accordingly action will be taken in future.
- Revamped UI for Bot Mitigation
 
- Fixes
- Secure Administration configuration can now be performed using REST API.
- Fixed a service outage due to Data Ingestion as part of Advanced Bot Protection (ABP).
- Fixed an issue with Response Page headers due to which some characters were getting encoded in the response.
- Let's Encrypt supports SAN parameters now.
- Fixed an issue in the IP reputation policy specifically with countries belonging to Eurasia.
- Fixed an issue with deleting all IPs from NG Firewall.
- Fixed an issue with the REST API where the appID was not being honored at the time of service creation using POST requests.
- Fixes for the 'More Actions' features on the Services dashboard.
 
- Notes
- SMB support as a destination for Backups has been deprecated.
 
Version 10.0.1.005
The Barracuda Web Application Firewall version 10.0.1.005 is a maintenance release which augments the previous firmware release of 10.0.1.003 and includes the following important enhancements and fixes:
- Fix : Service outage due to integration of Barracuda WAF with the Advanced Bot Protection (ABP) micro services is fixed.
- Fix : Multiple fixes in the data ingestion and cookie integration modules towards the stability of Advanced Bot Protection (ABP) feature
- Fix : An issue with potential high CPU utilization when "parse URLs in scripts" is enabled, is addressed
- Fix : Changes in the HTTP2 and cookie interaction modules towards stability
- Fix : A rare race condition during the management of IP reputation database, which leads to an outage, is addressed
- Fix : A race condition during the processing of SSL packets, which leads to an outage, is fixed
- Fix : A probable issue in meta character processing, which can lead to a false positive or an outage, is addressed
- Enhancement : Support for SAML attribute configured on WAF with local id as USER
- Enhancement : Support for 10000 internal users in the Kerberos and internal LDAP authentication modules
Version 10.0.1
The Barracuda Web Application Firewall version 10.0.1 is a maintenance release which augments the previous major firmware release of 10.0 and includes the following enhancements and fixes:
- Advanced Bot Protection enhancements
- Performance improvements for the Bot Protection Service
 
- Bug fixes
- Fixed a data path outage issue due to caching.
- Fixed a data path issue/memory leak with Client authentication for content rules.
- Fixed multiple data path issues seen with HTTP2 traffic.
- Performance improvements for the sync process between WAF units in a High Availability cluster.
- Improvement in page load times for the Websites and Exception Profiling tabs in the GUI.
- Moved the ‘Secure Browsing’ feature from the Websites tab to the Advanced tab.
- Misc bug fixes.
 
Version 10.0
The Barracuda Web Application Firewall version 10.0 is the major upgrade version to 9.2 release and has the following important enhancements and fixes:
- Advanced Bot Protection – v1
- Client tracking & rating
- Client finger printing for correlating multiple requests
- Integration with third party feeds IP reputation and user-agent based client categorization
- Computation of risk scores for each request based on detected violations
 
- Protection mechanisms
- Brute Force enhancements: Enforcement of Bruteforce policies on a finger print level
- Credential Stuffing detection: Detection of credential stuffing attacks using cloud based microservice
- Comment Spam / Referrer Spam detection by inspection of data POSTed in forms or injected in Referer header
- Google reCAPTCHA : Enhanced client validation using Google reCAPTCHA
 
- User interface enhancements
- Bot Mitigation tab for all configuration related to bot protection
- New reports and dashboard enhancements, listed below:
- Bot traffic Analysis
- Top Good/Bad Bots
- Bots by Categories
- Captcha Summary Report
- Comment Spam vs Referer Spam
- Credential Stuffing versus Login Requests
 
 
- Cloud layer for advanced analysis
- Databases of compromised credentials, analyzed client finger prints.
- Ingestion of request data into cloud service. This data will be used in v2 for building behavioral rules
- Lookup services for client fingerprints and credentials
 
 
- SSL enhancements
- Support for TLSv1.3
 
- Usability enhancements
- Enhancements to the certificate page to support multiple thousands of certificates and their management
- Enhancements to the logging to show expired certificates
 
- Control Center features
- Support for tracking WAF throughput usage statistics when connected to WAF Control Center.
 
- Fixes
- Role-based administration fixes for both UI as well as for REST API.
- Added support for new JSON Security Policy fixes from the Policy Fix Wizard.
- Rate-limiting support for WAF’s REST API.
- Enhancements to factory shipped templates (namely Drupal).
- Updated v3.1 REST API version for ‘Certificates’.
- Virus scan is now allowed on files as large as 100M in size.
- Advanced network configuration can now be performed using REST API.
 
Version 9.2.1.005
The Barracuda Web Application Firewall version 9.2.1.005 is a maintenance release to address issues seen on the previous GA release of 9.2.
- Feature : Ability to export syslogs to cloud services such as Sumologic
- Fix : An issue with potential high CPU utilization when "parse URLs in scripts" is enabled, is addressed
- Fix : An issue with scheduled jobs causing high system load is addressed
- Fix : A memory leak in a logging process when configured via private IPs, is addressed
- Fix : Issue with user names containing a backslash being unable to log in via RADIUS authentication, is addressed
- Fix : File extensions allowed to be uploaded at parameter profile level, can be case sensitive
- Fix : An issue with the web firewall policy wizard is addressed
Version 9.2.0.014
The Barracuda Web Application Firewall version 9.2.0.014 is the major upgrade version to 9.1 release and has the following important enhancements and fixes:
- Support for network HSM with Gemalto integration
- Support for Encryption of Logs and Problem Report as part of GDPR Compliance
- Support for handling IDP initiated SAML Single Logout for multiple authorization policies
- Support for integrating WAF with Barracuda Reporting server for exporting logs and viewing reports
- Support for 2FA for admin access: dual-factor authentication has been introduced to provide an additional layer of security
- The lockout feature has been enhanced to support per service lockout of the violating client IPs
- The performance of REST API (v3) GET requests has been improved
- Users can now deploy virtual appliances with multiple ports (apart from WAN & LAN) and WAN can be a part of bond in
- API v3 - comprehensive role-based administration capabilities with granular controls and complete API coverage for all operations has been added
Version 9.1.1.008
The Barracuda Web Application Firewall version 9.1.1.008 has the following important fixes:
- A rare condition leading to an outage when the response rewrite rules are in place with a rewrite condition
- A rare race condition leading to an outage when the Web Scraping or CAPTCHA policy is enabled
- A possible scenario with high CPU consumption and system freeze-up when the Web Scraping feature is enabled
- Consumption of memory over a period of time when Mask Sensitive Data is enabled on parameter's value
- A regression that occurs when connecting to Sharepoint server and Remote Desktop Gateway via Web Application Firewall
- During IP Management, high memory consumption over a period of time when bruteforce, CAPTCHA or Web Scraping features are enabled
- Heterogeneous port configurations issue in a cluster scenario, is addressed
Version 9.1.1.007
The Barracuda Web Application Firewall version 9.1.1 has the following important enhancements apart from bug fixes.
- Service Principal Name (SPN) configuration has been moved from "AccessControl->AuthenticationPolicies->Edit Authentication" to "AccessControl->AuthenticationPolicies->Add/Edit Authorization". This enables customers to use different domain SPNs for different applications configured under Authorization while using the same service. Previously, all the applications on a service configured under Add/Edit Authorization were restricted to only one SPN (whatever was configured in the Authentication Service attached to the Authentication Policy).
- The failure conditions during connection pool when the latencies with the servers are high, are logged
- A new configuration option "Count Auth Response Codes" is added under Bruteforce Prevention module. When enabled, it will count all error response codes as failure responses, otherwise it will ignore '401' and '407' response codes while counting the error responses.
- Extended match enhancement of the Client-IP header to support comma-separated IPs, e.g. (Client-IP eq 1.1.1.1,2.2.2.2,3.3.3.3)
- Introduced a new configuration "Detect Mouse Event" under both DDoS policy and WebScraping policy
- The persistent cookie value that is used for load balancing, will be encrypted from now on.
- API v3 now supports HTML encoded characters in filters.
- Optimization to reduce the time taken to apply configuration with 2K+ URL profiles.
- Start time of FTP of access logs and the frequency of FTP access logs are now synced to peer box if two WAFs are in cluster.
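As an added illustration (not Barracuda's code) of the "Count Auth Response Codes" rule described above: with the option enabled, every 4xx/5xx response is counted as a failed attempt; with it disabled, 401 and 407 are skipped while counting. The threshold name `max_failures`, the helper names and the sample traffic are constructed for this example; the real Bruteforce Prevention module's internals are not described on this page.

```python
"""Illustration of the "Count Auth Response Codes" counting rule (added example,
not Barracuda's code). 401 and 407 are the statuses a server sends to challenge
for credentials, so with the option off they are not treated as failures."""
from collections import defaultdict

# The two codes the release note says are ignored when the option is disabled.
AUTH_CHALLENGE_CODES = frozenset({401, 407})


def is_counted_failure(status: int, count_auth_response_codes: bool) -> bool:
    """Decide whether one response status counts toward the brute-force failure total."""
    if status < 400:
        return False  # 1xx-3xx responses are never failures
    if not count_auth_response_codes and status in AUTH_CHALLENGE_CODES:
        return False  # option off: skip the authentication challenges
    return True  # any other 4xx/5xx is an error response and is counted


def count_failures(responses, count_auth_response_codes: bool) -> dict:
    """Tally counted failures per client IP from (client_ip, status) pairs."""
    totals = defaultdict(int)
    for client_ip, status in responses:
        if is_counted_failure(status, count_auth_response_codes):
            totals[client_ip] += 1
    return dict(totals)


def clients_at_threshold(responses, count_auth_response_codes: bool,
                         max_failures: int) -> list:
    """Client IPs whose counted failures reach max_failures (hypothetical threshold)."""
    totals = count_failures(responses, count_auth_response_codes)
    return sorted(ip for ip, n in totals.items() if n >= max_failures)


# Constructed sample traffic: (client_ip, response status) as a WAF would observe it.
SAMPLE_RESPONSES = [
    ("203.0.113.10", 401),  # Basic-auth challenge on the first request
    ("203.0.113.10", 401),  # wrong password, challenged again
    ("203.0.113.10", 403),  # forbidden resource
    ("203.0.113.10", 200),  # eventual success
    ("198.51.100.7", 500),
    ("198.51.100.7", 407),  # proxy authentication challenge
    ("198.51.100.7", 404),
]

if __name__ == "__main__":
    for enabled in (True, False):
        print(f"Count Auth Response Codes = {enabled}: "
              f"{count_failures(SAMPLE_RESPONSES, enabled)}")
```

With the option off, the first client accumulates a single counted failure (the 403) because both 401 challenges are skipped; with it on, the same traffic yields three. That difference is why the option matters for a login flow that relies on HTTP authentication challenges: a legitimate client's first, unauthenticated request always produces a 401.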
Version 9.1.0.014
- Fix : A possible outage when SSL connections timeout in the middle of a response from the backend servers, is addressed
- Fix : A possible outage when the backend servers respond with non standard response codes, is addressed
- Fix : An inconsistency in the updating of the configuration and search results on the Basic->Services screen, is addressed
Version 9.1.0
The Barracuda Web Application Firewall firmware version 9.1 has the following main features and fixes. A longer version of the release notes is available separately.
- Security
- Support for Volumetric DDoS prevention service
- Proxy protocol support for both HTTP and HTTPS services
- Whitelist feature for DDoS capabilities
- Followup action for Allow Deny Rules
- CAPTCHA responses are made non cacheable with inclusion of no-cache headers in the response
- Management
- Comprehensive API support for configuration of WAF objects and retrieval of logs and statistics
- Internal LDAP users/groups in the clustered units are synchronized
- The system now generates SNMP trap messages for data path failures, i.e. if the system hangs, crashes or the link is down
- High Availability
- When deployed in a High Availability cluster, traffic will failover to the standby unit when memory utilization on the active unit exceeds 70%
- Other Issues
- SAML signatures can now be signed with RSA-256
- The negotiated cipher suite for services and servers is now logged in the System Logs
- An issue that resulted in the reset of the admin password after establishing a support tunnel connection on newly deployed virtual machines, has been addressed