Follow these steps to configure Barracuda WAF-as-a-Service to protect your web applications. For an overview of the traffic flow you will have created through this process, refer to Understanding Traffic Flow with Barracuda WAF-as-a-Service.
A. Configure Barracuda WAF-as-a-Service
Navigate to https://waas.barracudanetworks.com/ and log in with your Barracuda account credentials.
If you do not already have a Barracuda account, click Free 30-Day Trial to sign up for a trial of WAF-as-a-Service.
At the top of the page, select Applications. Then click Add Application.
Websites: Enter a familiar name for the application you want to protect. Then enter all possible DNS domains your users will use to access this service, including different forms, like
example.com. Click Continue.
IP Address: Select one or more protocols and associated ports that Barracuda WAF-as-a-Service should listen on to protect your application. For HTTP traffic, you can choose if you want to add security by redirecting HTTP traffic to the more secure HTTPS protocol.
When you add your first application, you must allocate a new IP address for the application. For subsequent applications, you can choose to allocate a new IP address or reuse an IP address from an existing application. If you choose to reuse, select the IP address that you want to reuse. Refer to IP Allocation for more information. Click Continue.
Backend Server: Specify the protocol for the backend server – HTTP or HTTPS, then specify its IP address or Hostname and port. This is typically the current IP Address or hostname associated with the DNS domains you entered in step 1.
Click Test Connection to ensure that Barracuda WAF-as-a-Service can connect to the backend server. When you have successfully tested the connection, click Continue.
If the test displays a warning, refer to Backend IP Address Errors for troubleshooting information.
Select Mode: Specify whether you want to Monitor or Block malicious traffic. If you are protecting an existing, live application, to minimize site downtime, we recommend you only monitor traffic for about a week before blocking malicious traffic. If you are protecting a new application, you can start blocking malicious traffic immediately. For more information, refer to Understanding Monitor and Block Modes. Click Add.
Change DNS: Copy the information provided so you can change your DNS A records through your hosting provider. If you use the Click to Copy link, the new A record value is copied to your clipboard, so you can paste it directly into your service provider’s interface in the next step. Click Close.
B. Change A Records
Go to your domain provider’s DNS management portal to change the A records you obtained in the previous step. Changing your DNS A records to point to your application's IP Address will redirect all of your web application traffic to Barracuda WAF-as-a-Service.
Reach out to your domain provider directly with any questions.
C. Restrict Direct Traffic
Ensure that users cannot access your application server directly, without going through Barracuda WAF-as-a-Service. For full instructions, refer to Restricting Direct Traffic.
D. Change Origin IP
Change your IP range so historical DNS lookups do not expose your origin IP, allowing an attacker to bypass Barracuda WAF-as-a-Service. In addition, be sure you do not expose your origin IP in other DNS records, such as your MX (mail server) records.
Once you change your DNS records, traffic will automatically flow to Barracuda WAF-as-a-Service. Remember that DNS records are public domain, and there are many places where historical records are archived. These historical DNS records will likely contain your original IP from before you activated Barracuda WAF-as-a-Service. Therefore, Barracuda recommends that once you activate Barracuda WAF-as-a-Service, you change your IP range so a historical DNS lookup does not expose your origin IP. This could allow an attacker to bypass Barracuda WAF-as-a-Service and attack your network infrastructure directly.
If you are using the Barracuda Email Security Gateway, you can use its Cloud Protection Layer feature to prevent your MX records from being exposed. Refer to How to Set Up Your Cloud Protection Layer in the Barracuda Email Security Gateway documentation for more information.