This article provides the list of features that a request is validated with when a service is configured in Passive mode. When the operating mode is set to Passive, the requests are still validated and, if a violation is detected, a log is generated and displayed on the BASIC > Web Firewall Logs page, and the traffic is allowed to pass through to the back-end server. The Passive mode of evaluating traffic allows administrators to make necessary changes to a security policy without affecting the clients’ access to the applications.
The Barracuda Web Application Firewall executes the following operations in both Active and Passive modes, if they are configured by the administrator:
- All SSL configurations for the front-end and back-end connections.
- Insertion of JavaScript code for client tracking.
- Submission of traffic data to the cloud layer for analysis if an Advanced Bot Protection license has been purchased and if data submission has not been explicitly turned off.
- Client-side checks for web scraping, such as run-time modification of robots.txt, insertion of cookies, and JS file checks.
- All network-level rules and Network Firewall rules.
- Enforcement of Access Control rules.
- Website Translation rules that rewrite content, URLs, and domains in HTTP requests and responses.
- Malformed HTTP requests are not processed and are denied in Passive mode. The following protocol violations can be observed in Passive mode:
  - Malformed Version
  - Malformed Request Line
  - Malformed Header Line
  - Invalid or Malformed HTTP Request
  - Malformed Content-Length
  - Pre 1.0 request
  - Multiple Content-Length headers
  - Request containing both Transfer-Encoding and Content-Length headers
  - Parameter parsing failures due to internal parse errors or violation of standards
  - Large JSON key-value pairs that exceed the internal memory allocation limit (>256KB)
  - Internal memory allocation failures due to a large payload (>1M)
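The checks above are the ones a request must pass before Passive mode forwards it. As an added illustration (not Barracuda's code), the checker below applies the listed violations to a raw HTTP request and returns the labels from this page; the exact parsing rules, and measuring only top-level JSON keys and values, are assumptions made for the example.

```python
import json
import re

# Limits quoted on the page; the parsing rules around them are assumptions.
JSON_PAIR_LIMIT = 256 * 1024   # JSON key/value above 256KB fails allocation
PAYLOAD_LIMIT = 1024 * 1024    # payload above 1M fails allocation
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
VERSION = re.compile(r"^HTTP/(\d)\.(\d)$")


def check_request(raw: bytes) -> list[str]:
    """Return the page's violation labels found in a raw request ([] = forwarded)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["Invalid or Malformed HTTP Request"]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or not parts[1]:
        return ["Malformed Request Line"]
    if not (m := VERSION.match(parts[2])):
        return ["Malformed Version"]
    found = []
    if (int(m.group(1)), int(m.group(2))) < (1, 0):
        found.append("Pre 1.0 request")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            found.append("Malformed Header Line")
        else:
            headers.append((name.lower(), value.strip()))
    lengths = [v for n, v in headers if n == "content-length"]
    if len(lengths) > 1:
        found.append("Multiple Content-Length headers")
    if any(not v.isdigit() for v in lengths):
        found.append("Malformed Content-Length")
    if lengths and any(n == "transfer-encoding" for n, _ in headers):
        found.append("Request containing both Transfer-Encoding and Content-Length headers")
    if len(body) > PAYLOAD_LIMIT:
        found.append("Internal memory allocation failures due to large payload of >1M")
    elif any(n == "content-type" and "json" in v for n, v in headers):
        try:
            doc = json.loads(body)
        except ValueError:
            found.append("Parameter parsing failures due to internal parse errors or violation of standards")
        else:
            # Only top-level keys/values are measured here (assumption).
            items = list(doc) + list(doc.values()) if isinstance(doc, dict) else [doc]
            if any(len(str(x)) > JSON_PAIR_LIMIT for x in items):
                found.append("Large JSON key-value pairs that fail our internal memory allocation limits of >256KB")
    return found
```

Sample requests such as `b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"` (constructed) return an empty list, while a request carrying both Transfer-Encoding and Content-Length returns that label.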
Exceptions in Passive Mode
Some features of the Barracuda WAF are designed to affect request/response payloads even in Passive mode. The following section covers these features and the exceptions in Passive mode:
Cookie Security
- If the “Allow unrecognized cookie” setting is configured to be “Always” or “Custom”, the encrypted and signed version of the cookie set by the server in the response is prefixed with the string “BNES_” by default even in Passive mode, and the cookies in the subsequent requests are sent to the backend server.
- Cookie attributes, such as HTTP only, Secure, or Same Site, are introduced to the original cookies in Passive mode as well.
- Max age of the session cookie is recorded when set by the backend server, and the value is checked for and enforced when the session cookie is sent as part of a subsequent request. However, the cookies are not dropped even if the age expires.
- When Cookie Replay Protection is configured, an IP mismatch and header mismatch do not result in the cookies getting dropped. The cookie is forwarded to the backend server.
Request and Response Rewrite and Website Translation Modules
- The Barracuda Web Application Firewall continues to apply the request rewrite and response rewrite policies in Passive mode, which can modify headers and URLs and redirect requests/responses as specified in the rules.
- Payloads subject to Website Translation and Instant SSL translation continue to be translated/rewritten in Passive mode, too.
DDoS Prevention Limits
- Attack pattern inspection of parameter values is limited to 8K in Passive mode.
Features that Need Changes to the Response Body
- If the Enforce CAPTCHA attribute is set to Suspicious Clients under the Application DDOS Mitigation, a challenge JavaScript is inserted in the response body in Passive mode, too, but the client is not evaluated further for suspicion.
- A challenge JavaScript is inserted in responses in Passive mode if a web scraping policy is configured to track challenges and mouse movements.
- Enabling Client Fingerprinting results in a JavaScript getting inserted in responses in Passive mode, too.