It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Release Notes Version 12.2

  • Last updated on
Please Read Before Updating

Before updating to a new firmware version, be sure to back up your configuration and read the release notes for each firmware version that you will apply.

Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. The update process typically takes only a few minutes to apply. If the process takes longer, please contact Barracuda Networks Technical Support for assistance.

Fixes and Enhancements in 12.2

Advanced Bot Protection

Features and Enhancements:
  • Client Fingerprint Cookies :
    • Any tampering of the Client Fingerprint cookie values is now detected and blocked [BNWF-55005].

    • An option is provided on the web interface to enable the Fingerprint cookie mechanism for all services that serve the subdomains of the domain of the service. This is enforced only when Enable Client Fingerprint is also set to Yes.[BNWF-54903]

  • Geo IP Region List: Kosovo and Curaçao have been added to the Geo IP regions list. [BNWF-55371] [BNWF-55142]


  • Fix: The Bot Statistics section on the Advanced Bot Protection dashboard now displays the hyperlinks. [BNWF-55010]


  • TLS defaults:
    • TLS 1.3 is enabled by default for new servers and rule group servers. [BNWF-55435]

    • TLS 1.1 is disabled by default for new SSL services, servers, and rule group servers. [BNWF-55128]

  • Added deep inspection for 'PUT' methods [BNWF-53609]
  • [BNWF-54900]

    • Supports the PUT method for virus scanning, BATD scans, and MimeType checks.

    • Supports virus scanning and MimeType checks for POST and PUT raw file uploading requests.


  • Vulnerability Fix: HTTP/2 Rapid Reset Attack vulnerabilities mentioned in CVE-2023-44487 has now been fixed. [BNWF-55472]
  • Fix: The datapath crash due to an attack exploiting the permissible value length in OpenID Connect is now fixed. [BNWF-55265]
  • Fix: Creating a new rule group using the template no longer copies the original name of the rule group. [BNWF-52774]
  • Fix: An intermittent issue where valid requests were being blocked and not redirected after solving a CAPTCHA challenge has been fixed. [BNWF-54330]
  • Fix: 'If the Credential stuffing attack is detected in the request when the service is in Active mode and the URL policy associated with the service is set to Passive, the attack is now logged on the BASIC > Web Firewall Logs page. [BNWF-54329]


Deprecation Notice: FTP and FTP SSL service types will not be supported from the next firmware release. Also, any existing FTP/FTP SSL services configured on the BASIC > Services page will be disabled. [BNWF-55679]



  • You can now show certificates that are 'Expiring in 30 days' on the BASIC -> Certificates tab. [BNWF-54640]
  • OpenSSL version: OpenSSL version has been updated to 3.0.9. [BNWF-54852]


  • Fix: An issue where the firmware was not being downloaded and applied if the proxy settings were configured has been fixed. [BNWF-55044]
  • Fix: An issue where SNMPv3 was crashing in certain scenarios when the service had 'Compression' enabled has been fixed. [BNWF-54329]
  • Fix: Users with 'accent' characters in their LDAP server username can now log in. [BNWF-54705]
  • Fix: The broken Country link in the Online Help section of BASIC > Web Firewall Logs has been fixed. [BNWF-53590]

API Security


  • JSON Profiles
    • JSON profile REST API now supports strict-check, extended-match-sequence, and extended-match parameters. [BNWF-55485]
    • JSON URL profile now supports Allowed Methods. [BNWF-55124]
    • JSON key profile "MAX Length" can now support up to 1 MB data. [BNWF-50203]
    • The hash (#) character is allowed in JSON key names. [BNWF-54723]
  • JSON Profile Extended Match
    • When a new service is created, the default JSON profile Extended Match uses a wildcard (*) to match with the incoming requests. [BNWF-55460].


  • Fix: The Maximum Upload Files is set to null (0) if the Content-Type of an endpoint is 'application/json'. [BNWF-54546]
  • Fix: You can now add multiple exception patterns when creating a JSON key profile. [BNWF-54521].
  • Fix: An issue where a false positive was being triggered when the 'Open API Spec import' feature implicitly creates a Form Spam profile has been fixed. [BNWF-54884]
  • Fix: An issue with REST API validation that allowed users to configure IPv6 addressing even when the setting was disabled under Basic > IP Configuration has been fixed. [BNWF-32441]

High Availability


  • Fix: In HA, the deletion of CRL files in one system is now synchronized with all systems in the cluster. [BNWF-55001].

Logs and Reports


  • Fix: An issue where the Attack Details section in the Web Firewall Logs was getting truncated if it contained multiple violations has been fixed. [BNWF-54806]



  • Public Cloud Rebranding - WAF images on public cloud platforms have been rebranded as "Web Application Firewall". [BNWF-54906]