It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda WAF-as-a-Service


  • Last updated on

The Barracuda WAF-as-a-Service supports a comprehensive REST API module for management and configuration.

Accessing the API

This section describes how to invoke a REST API call on the Barracuda WAF-as-a-Service and the expected response.

The REST API supports HTTPS URI requests. The documentation for the API is available at:

API Endpoint

The base URL for accessing the Barracuda WAF-As-A-Service is:


Combine the base URL with the required API resource to make a call, for example /api_login or /applications/.

Login Access Token

To use the Barracuda WAF-as-a-Service REST API, a login access token is required for authentication. Login credentials with admin privileges or a role-based administrator with restricted permissions can be used.

The login request must include the username and password to generate the token. HTTPS request examples are provided below for reference:

Once the token is fetched, include the token as a value to the ‘auth-api’ header in subsequent API calls.

To complete the login to WAAS use the /api_login resource:


Curl Example:

curl -X 'POST' \
'' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'email=<account email address>&password=<account password>'

Using the WAAS API to create/modify the configuration:

Example: To create an application, the REST resource is /applications/

Curl Example:

curl -X 'POST' \
   '' \
   -H 'accept: application/json' \
   -H 'Content-Type: application/json' \
   -H 'auth-api:        eyJhY2NfaWQiOiA4OTg1NzMwLCAidXNlcl9pZCI6IDE2NTkzLCAiZXhwaXJhdGlvbiI6IDE2ODY4NDE4MTN9.74d9bb7c70f98c77bc4be37dd4eeae896c5b7f063c8e45944a4e4dfa83f104ab'     \
   -d '{
   "applicationName": "new app",
   "backendPort": 443,
   "useHttp": true,
   "useExistingIp": true,
   "backendIp": "",
   "maliciousTraffic": "Passive",
   "serviceIp": "",
   "httpsServicePort": 443,
   "redirectHTTP": true,
   "useHttps": true,
   "httpServicePort": 80,
   "backendType": "HTTPS",
   "serviceType": "HTTP",
   "account_ips": {},
   "hostnames": [
           "hostname": ""

Audit Logs

The Audit Logs provide information about the actions/activities performed by users on the WAF-as-a-Service web interface. The response schema includes the following details:

  • unique_id: A unique identifier generated for the user.
  • actor: Denotes the actor who changed the value of the parameter. It can be Customer, Support Team, Engineering Team or System.
  • action: The action performed by the user.
  • component_modified: The component name that was modified.
  • summary: Description of the changes made.
  • changes: Displays the component name which has been modified.
  • new_val: Value of the parameter/variable after the update.
  • old_val: Value of the parameter/variable before the update.
  • setting: Name of the parameter/variable for which the value was updated.
  • is_api_change: Denotes whether the change is from API or the web interface.
  • date: The date and time when the action was performed.
  • user_text: Name of the user.
  • user_tooltip: Email address of the user.
  • app_name: Name of the application.
  • app_is_deleted: Denotes if the application where the change is made is deleted or is in use.

Schema Example: