Please Read Before Updating
Before updating to a new firmware version, be sure to back up your configuration and read the release notes for each firmware version that you will apply.
Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. The update process typically takes only a few minutes to apply. If the process takes longer, please contact Barracuda Networks Technical Support for assistance.
Fixes and Enhancements in 12.3
Monitoring, Logging and Reporting
Enhancements:
Syslog now shows whether a scheduled report was sent successfully. [BNWF-57017]
Added a new field "Error Details" to the Access Log. This field will be visible only for 408 errors and includes details about the error. [BNWF-57268]
SSL errors encountered during backend server connections are now logged under "Error Details" with the 408 error code. [BNWF-57172]
When the Client Type is Exception Profiling, the audit log’s "Details" page now displays “System” as the Role, indicating that WAF made the changes. [BNWF-55672]
Fixes:
An issue where JSON key names were not displayed in Web Firewall Logs when the key value type was an array and the request exceeded the configured value length has been resolved. [BNWF-56132] [BNWF-56172]
An issue where JSON key names were not displayed in Web Firewall Logs when the key value type was an array and the request violated the JSON Security Policy has been resolved. [BNWF-56172] [BNWF-56153]
An intermittent issue that caused incomplete log data transmission to Azure Event Hub is resolved. Log exports now function reliably with no data loss. [BNWF-54725]
MIME types are now correctly displayed in Web Firewall Logs. [BNWF-56944]
The "Attacks" report now correctly displays attack names and dates. [BNWF-45852]
The “Top Bad Bot” report now displays the correct count of bots based on the selected time range. [BNWF-56648]
When a non-applicable filter is selected in Show Report, a pop-up message appears, notifying the user that the filter is not supported and asking whether they wish to proceed without the filter. After the confirmation, the report is generated. [BNWF-54533]
Security
Enhancements:
Added SHA-256 for authentication and AES-256 for encryption to enhance the security of SNMP queries. [BNWF-55742]
Two new Gen AI bot categories (Gen AI (Language Model) and Gen AI (Conversational Agent)) have been added as predefined BOT Categories in the Blocked Categories list. [BNWF-57681]
Change in Behaviour:
The Barracuda Web Application Firewall will now block JSON requests if the key value length exceeds 256K. [BNWF-57751]
JSON requests with the key value exceeding 256KB are now blocked. [BNWF-56894]
ReCAPTCHA tokens for domains with long names and site keys are now honoured by Default Parameter protection. [BNWF-56292]
Fixes:
JSON Security validation is not enforced on the request if it matches the allow ADR rule. [BNWF-55003]
A possible race condition driven by brute-force functionality is addressed. [BNWF-56151]
Geo IP and Regional Updates
Enhancements:
"South Sudan" and "Kosovo" have been added to the Geo IP regions list. [BNWF-57712]
API and Integration
Enhancements:
The Import API now supports dynamic multi-token endpoints during Swagger/OpenAPI specification imports. Endpoints with multiple path parameters (e.g., /user/{id}/orders/{orderId}) defined in the spec file will be accurately recognized and imported. [BNWF-56350]
AWS tools have been integrated to enable the export of memory metrics to CloudWatch. [BNWF-56453]
Improved stability and reliability of the API specification import feature, addressing various edge cases and enhancing overall compatibility. [BNWF-56448] [BNWF-56839] [BNWF-57312] [BNWF-57342]
Performance Optimization
Enhancements:
SSL/TLS connections are now handled more efficiently, leading to better overall application responsiveness and reduced latency. [BNWF-56678]
System
Enhancements:
The table order in "Exception Heuristics" and "View Internal Pattern" remains static and does not change after the page refresh. [BNWF-55518]
Fixes:
A Data Path crash caused by the Form Protection Module has been fixed. [BNWF-57432]
A race condition where the data sent to an already closed HTTP2 stream resulted in a crash has been fixed. [BNWF-56709]
Resolved a crash occurring when a server is deleted due to changes in hostname resolution, while an in-flight request to the server remains pending for over 8 minutes before receiving a response. [BNWF-57244]
A possible outage when servers respond with status code 101 and a specific pattern of headers has been resolved. [BNWF-57171]
An issue where the modified flag was incorrectly set on newly created hostname servers has been resolved. [BNWF-56675]
An issue with IP list management when the first two IP addresses remained idle beyond the configured expiry time has been resolved. [BNWF-56604]
Server hostnames now resolve to multiple IP addresses, regardless of whether the service name or content rule name contains uppercase or lowercase letters. [BNWF-56517]
WAF IP reputation module now ignores duplicate IP entries in the custom IP list. [BNWF-55533]
Admin Access Control, High Availability, and all other modules are now available on 1060b. [BNWF-54556]
A race condition where the server IP keeps changing when the connection pool is "Off" has been resolved. [BNWF-56843]
Website Profiles
Fixes:
Parameter profile names now cannot start with numeric characters. [BNWF-56985]
An issue where uploading a single file triggered a 'Too Many Uploads' error during the URL Profile validation process has been resolved. [BNWF-57349]
Certificate Management
Fixes:
An issue with Let's Encrypt certificate generation has been addressed. [BNWF-57056]
Let's Encrypt certificate is now generated when the “Default Language and Encoding” is set to any language, including Japanese. [BNWF-56203]
Let’s Encrypt service busy responses are now efficiently managed. [BNWF-52550]
Scanning
Fixes:
File names with spaces and commas are now honoured by the BATD scan. [BNWF-56003]
Implemented a mechanism to communicate with the Virus Scanning Service asynchronously. [BNWF-54679]
Clustering and High Availability
Fixes:
A Client Fingerprint cookie created on one WAF is now accepted by other WAFs within the cluster. [BNWF-56674]
Bot Handling
Fixes:
Requests from user agents that are configured as “Allowed bots” will be exempted from ABP-driven client profile-based risk score violations. [BNWF-57162]
Health Monitoring
Fixes:
Server health check related issues are fixed for turbo mode hostname servers. [BNWF-55673]
Cipher Support
Fixes:
The ChaCha20 cipher is not supported on port 8002. [BNWF-56552]
Fingerprinting
Fixes:
Client Fingerprint entries now change from active to passive after the specified idle timeout and not based on the initial creation time of the active fingerprint. [BNWF-56076]
When Fingerprinting is enabled, requests using the OPTIONS method without a fingerprint cookie are no longer counted towards Fingerprint Challenges Exceeded. [BNWF-57060]
Authentication
Fixes:
Client authentication settings can now be modified (enabled or disabled) without disrupting traffic flow. [BNWF-57135]