Global ACLs define strict access control (allow/deny) rules for all the services configured on the Barracuda Web Application Firewall.
To Create a Global ACL Rule
| URL: /v1/security_policies/{policy_id}/global_acls | |||
| Method: POST | |||
| Description: Adds a global ACL rule with the given values. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| name | Alphanumeric | Yes | A name for the URL ACL rule. |
| url_match | Alphanumeric | The URL to be matched to the URL in the request. The URL should start with a "/" and can have at most one " * " anywhere in the URL. A value of “/*” means that the access control rule (ACL) applies for all URLs in that domain. | |
| extended_match | String | Yes |
An expression that consists of a combination of HTTP headers and/or query string parameters. Updating extended match parameters value is shown in the example below. See Example 2. |
| extended_match_sequence | Numeric | Yes | A number to indicate the order in which the extended match rule must be evaluated in the requests. |
| action | Enumeration | Optional |
The action to be taken on the request matching this URL. The enumerated values include:
|
| deny_response | Enumeration | Conditional |
The response to be sent to the client if the request is denied. The enumerated values include:
Note: Required ONLY when action is set to deny_and_log or deny_with_no_log. |
| response_page | Enumeration | Conditional |
The response page to be sent to the client. The enumerated values include:
Note: Required ONLY when action is set to deny_and_log or deny_with_no_log. |
| redirect_url | Alphanumeric | Conditional |
A URL to which a user should be redirected. Note: Required ONLY when action is temporary_redirect or permanent_redirect. |
| comments | Alphanumeric | Optional | Description about the global ACL rule. |
| follow_up_action | Enumeration | Yes |
The required follow up action to be taken whenever the request is denied. The enumerated values include:
Note: The default value is "none". |
| follow_up_action_time | Numeric | Yes |
Sets the time (sec) to block the client IP if Follow Up Action is set to Block Client-IP. The time can range between 1 to 600000 seconds. Note: The default time range set is 60 seconds. |
Example 1:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"acl_1","redirect_url":"/index.html","extended_match_sequence":"3"}'
Response:
{"id":"acl_1","token":"eyJldCI6IjEzODAxNTE3MTUiLCJwYXNzd29yZCI6IjhkNjk5MjY3YzY4MGUyNzQxNGEzOGZlZjU0\nN2RjYTIwIiwidXNlciI6ImFkbWluIn0=\n"}
Example 2:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"acl_1","url_match":"/test.html","extended_match":"(Method eq GET)&&(HTTP-Version eq HTTP/1.1)||(Header User-Agent eq mozilla)","extended_match_sequence":"1","action":"deny_and_log","deny_response":"response_page","response_page":"default","comments":"This is acl_1 url acl"}'
Response:
{"id":"acl_1","token":"eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n"}
To Retrieve Global ACL Rules
|
URL: /v1/security_policies/{policy_id}/global_acls /v1/security_policies/{policy_id}/global_acls/{global_acl_id} | |||
| Method: GET | |||
| Description: Lists all global ACL rules if “global_acl_id” is not specified. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2. |
Example 1:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X GET
Response:
{"extended_match_sequence":"3","name":"acl_1","comments":"","extended_match":"*","url_match":"/*","action":"process","redirect_url":"/index.html","id":"acl_1","token":"eyJldCI6IjEzODAxNTE3ODgiLCJwYXNzd29yZCI6IjYyMjJlMDk0ZTA1Yzg0M2I0ZDczOTE0NDhh\nOTU3N2EyIiwidXNlciI6ImFkbWluIn0=\n"}
Example 2:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=action,deny_response,enable_url_acl,name
Response:
{"name":"acl_1","enable_url_acl":"yes","action":"process","deny_response":"response_page","id":"acl_1","token":"eyJldCI6IjE1MDQzMTcwMTgiLCJwYXNzd29yZCI6IjMwZGMzYmM2ZGQ3NmU0MmU2MjkwYTNiMTM5\nYmMzYjNjIiwidXNlciI6ImFkbWluIn0=\n"}
To Update a Global ACL Rule
| URL: /v1/security_policies/{policy_id}/global_acls/{global_acl_id} | |||
| Method: PUT | |||
| Description: Updates the values of given parameters in the given global ACL rule. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| enable_url_acl | String | Optional |
Enforce this URL ACL rule for all the Services configured on the Barracuda Web Application Firewall or not. The values include:
|
| url_match | Alphanumeric | Optional | The URL to be matched to the URL in the request. The URL should start with a "/" and can have at most one " * " anywhere in the URL. A value of “/*” means that the access control rule (ACL) applies for all URLs in that domain. |
| extended_match | String | Optional |
An expression that consists of a combination of HTTP headers and/or query string parameters. Updating extended match parameters value is shown in the example below. See Example 2. For information on how to write extended match expressions, refer http://techlib.barracuda.com/x/ExtendedMatchSyntax. |
| extended_match_sequence | Numeric | Optional | A number to indicate the order in which the extended match rule must be evaluated in the requests. |
| action | Enumeration | Optional |
The action to be taken on the request matching this URL. The enumerated values include:
|
| deny_response | Enumeration | Conditional |
The response to be sent to the client if the request is denied. The enumerated values include:
Note: Required ONLY when action is set to deny_and_log or deny_with_no_log. |
| response_page | Enumeration | Conditional |
The response page to be sent to the client. The enumerated values include predefined response pages and custom response pages (if any):
Note: Required ONLY when deny_response is set to response_page. |
| redirect_url | Alphanumeric | Optional | A URL to which a user should be redirected if action is temporary_redirect or permanent_redirect. |
| comments | Alphanumeric | Optional | Description about the global ACL rule. |
|
follow_up_action
|
Enumeration | Yes |
The required follow up action to be taken whenever the request is denied. The enumerated values include:
Note: The default value is None. |
| follow_up_action_time | Numeric | Yes |
Sets the time (sec) to block the client IP if Follow Up Action is set to Block Client-IP. The time can range between 1 to 600000 seconds. Note: The default time range set is 60 seconds. |
Example 1:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"deny_with_no_log"}'
Response:
{"id":"acl_1","token":"eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n"}
Example 2:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"enable_url_acl":"yes","extended_match":"(Method eq GET)&&(HTTP-Version eq HTTP/1.1)","extended_match_sequence":"5","action":"deny_with_no_log","deny_response":"reset"}'
Response:
{"id":"acl_1","token":"eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n"}
To Delete a Global ACL Rule
| URL: /v1/security_policies/{policy_id}/global_acls/{global_acl_id} |
| Method: DELETE |
| Description: Deletes the given global ACL rule. |
Example:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X DELETE
Response:
{"msg":"Successfully deleted","token":"eyJldCI6IjEzODAxNTYxNjAiLCJwYXNzd29yZCI6ImYzNmYwNGI2NDRhNjhmMWEwYjNjODQ3MzNk\nNWVmOWE0IiwidXNlciI6ImFkbWluIn0=\n"}