Barracuda Web Application Firewall

Global ACLs


Global ACLs define strict access control (allow/deny) rules for all the services configured on the Barracuda Web Application Firewall.

To Create a Global ACL Rule

URL:  /v1/security_policies/{policy_id}/global_acls
Method: POST
Description: Adds a global ACL rule with the given values.
Parameter Name Data Type Mandatory Description
Input Parameters:      
name Alphanumeric Yes A name for the URL ACL rule.
url_match Alphanumeric   The URL to be matched to the URL in the request. The URL should start with a "/" and can have at most one "*" anywhere in the URL. A value of "/*" means that the access control rule (ACL) applies for all URLs in that domain.
extended_match String Yes

An expression that consists of a combination of HTTP headers and/or query string parameters. Example 2 below shows how to set the extended match value.
 

For information on how to write extended match expressions, refer to  Extended Match Syntax Help.
extended_match_sequence Numeric Yes A number to indicate the order in which the extended match rule must be evaluated in the requests.
action Enumeration Optional

The action to be taken on the request matching this URL. The enumerated values include:

  • process
  • allow
  • deny_and_log
  • deny_with_no_log
  • temporary_redirect
  • permanent_redirect
deny_response Enumeration Conditional

The response to be sent to the client if the request is denied. The enumerated values include:

  • reset
  • response_page
  • temporary_redirect
  • permanent_redirect

 

Note: Required ONLY when action is set to deny_and_log or deny_with_no_log.
response_page Enumeration Conditional

The response page to be sent to the client. The enumerated values include:

  • default
  • default-virus
  • default-error-resp
  • default-captcha-tries-error-page
  • default-captcha-sessions-error-page
  • default-suspected-activity-error-page
  • default-captcha-response-page

 

Note: Required ONLY when action is set to deny_and_log or deny_with_no_log.
redirect_url Alphanumeric Conditional

A URL to which a user should be redirected.

 

Note: Required ONLY when action is temporary_redirect or permanent_redirect.
comments Alphanumeric Optional Description about the global ACL rule.
follow_up_action Enumeration Yes

The required follow up action to be taken whenever the request is denied. The enumerated values include:

  • block_client_ip
  • challenge_with_captcha
  • none

Note: The default value is "none".

follow_up_action_time Numeric Yes

Sets the time (sec) to block the client IP if Follow Up Action is set to Block Client-IP. The time can range from 1 to 600000 seconds.

Note: The default time is 60 seconds.

Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"acl_1","redirect_url":"/index.html","extended_match_sequence":"3"}'

 

Response:

{"id":"acl_1","token":"eyJldCI6IjEzODAxNTE3MTUiLCJwYXNzd29yZCI6IjhkNjk5MjY3YzY4MGUyNzQxNGEzOGZlZjU0\nN2RjYTIwIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X POST -H Content-Type:application/json -d '{"name":"acl_1","url_match":"/test.html","extended_match":"(Method eq GET)&&(HTTP-Version eq HTTP/1.1)||(Header User-Agent eq mozilla)","extended_match_sequence":"1","action":"deny_and_log","deny_response":"response_page","response_page":"default","comments":"This is acl_1 url acl"}'

 

Response:

{"id":"acl_1","token":"eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n"}
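The conditional rules in the parameter table above (deny_response with the deny actions, redirect_url with the redirect actions, the url_match format, the follow_up_action_time range) can be checked on the client before a rule is sent to the firewall. The following is an added example, not Barracuda's code: validate_global_acl and the BAD payload are hypothetical names and constructed data, and the enumerations are copied from the table.

```python
ACTIONS = {"process", "allow", "deny_and_log", "deny_with_no_log",
           "temporary_redirect", "permanent_redirect"}
DENY_RESPONSES = {"reset", "response_page", "temporary_redirect", "permanent_redirect"}
FOLLOW_UPS = {"block_client_ip", "challenge_with_captcha", "none"}
DENY_ACTIONS = {"deny_and_log", "deny_with_no_log"}
REDIRECT_ACTIONS = {"temporary_redirect", "permanent_redirect"}


def validate_global_acl(rule):
    """Return the problems found in a create payload; an empty list means it passes."""
    problems = []
    # Only "name" must be present: Example 1 on the page omits the other fields.
    if not rule.get("name"):
        problems.append("name is required")
    url = rule.get("url_match")
    if url is not None and not url.startswith("/"):
        problems.append("url_match must start with '/'")
    if url is not None and url.count("*") > 1:
        problems.append("url_match may contain at most one '*'")
    seq = rule.get("extended_match_sequence")
    if seq is not None and not str(seq).isdigit():
        problems.append("extended_match_sequence must be numeric")
    action = rule.get("action")
    if action is not None and action not in ACTIONS:
        problems.append("unknown action")
    if action in DENY_ACTIONS:
        if rule.get("deny_response") not in DENY_RESPONSES:
            problems.append("deny_response is required for deny actions")
        # Enforced only for the case on which the create and update tables agree.
        if rule.get("deny_response") == "response_page" and not rule.get("response_page"):
            problems.append("response_page is required with deny_response=response_page")
    if action in REDIRECT_ACTIONS and not rule.get("redirect_url"):
        problems.append("redirect_url is required for redirect actions")
    follow_up = rule.get("follow_up_action")
    if follow_up is not None and follow_up not in FOLLOW_UPS:
        problems.append("unknown follow_up_action")
    secs = rule.get("follow_up_action_time")
    if secs is not None and not (str(secs).isdigit() and 1 <= int(secs) <= 600000):
        problems.append("follow_up_action_time must be 1..600000 seconds")
    return problems


# Payload from Example 2 above, then a constructed payload that breaks four rules.
EXAMPLE_2 = {"name": "acl_1", "url_match": "/test.html",
             "extended_match": "(Method eq GET)&&(HTTP-Version eq HTTP/1.1)||(Header User-Agent eq mozilla)",
             "extended_match_sequence": "1", "action": "deny_and_log",
             "deny_response": "response_page", "response_page": "default",
             "comments": "This is acl_1 url acl"}
BAD = {"name": "acl_2", "url_match": "admin/*/*", "action": "deny_and_log",
       "follow_up_action": "block_client_ip", "follow_up_action_time": 0}
print(validate_global_acl(EXAMPLE_2), validate_global_acl(BAD))
```
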

To Retrieve Global ACL Rules

URL:  /v1/security_policies/{policy_id}/global_acls

          /v1/security_policies/{policy_id}/global_acls/{global_acl_id}
Method: GET
Description: Lists all global ACL rules if “global_acl_id” is not specified.
Parameter Name Data Type Mandatory Description
Input Parameters:      
parameters Alphanumeric Optional Any specific parameter name that needs to be retrieved. See Example 2.
Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"extended_match_sequence":"3","name":"acl_1","comments":"","extended_match":"*","url_match":"/*","action":"process","redirect_url":"/index.html","id":"acl_1","token":"eyJldCI6IjEzODAxNTE3ODgiLCJwYXNzd29yZCI6IjYyMjJlMDk0ZTA1Yzg0M2I0ZDczOTE0NDhh\nOTU3N2EyIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=action,deny_response,enable_url_acl,name

 

Response:

{"name":"acl_1","enable_url_acl":"yes","action":"process","deny_response":"response_page","id":"acl_1","token":"eyJldCI6IjE1MDQzMTcwMTgiLCJwYXNzd29yZCI6IjMwZGMzYmM2ZGQ3NmU0MmU2MjkwYTNiMTM5\nYmMzYjNjIiwidXNlciI6ImFkbWluIn0=\n"}

To Update a Global ACL Rule

URL:  /v1/security_policies/{policy_id}/global_acls/{global_acl_id}
Method: PUT
Description: Updates the values of given parameters in the given global ACL rule.
Parameter Name Data Type Mandatory Description
Input Parameters:      
enable_url_acl String Optional

Whether to enforce this URL ACL rule for all the services configured on the Barracuda Web Application Firewall. The values include:

  • yes
  • no
url_match Alphanumeric Optional The URL to be matched to the URL in the request. The URL should start with a "/" and can have at most one "*" anywhere in the URL. A value of "/*" means that the access control rule (ACL) applies for all URLs in that domain.
extended_match String Optional

An expression that consists of a combination of HTTP headers and/or query string parameters. Example 2 below shows how to update the extended match value.

For information on how to write extended match expressions, refer to http://techlib.barracuda.com/x/ExtendedMatchSyntax.
extended_match_sequence Numeric Optional A number to indicate the order in which the extended match rule must be evaluated in the requests.
action Enumeration Optional

The action to be taken on the request matching this URL. The enumerated values include:

  • process
  • allow
  • deny_and_log
  • deny_with_no_log
  • temporary_redirect
  • permanent_redirect
deny_response Enumeration Conditional

The response to be sent to the client if the request is denied. The enumerated values include:

  • reset
  • response_page
  • temporary_redirect
  • permanent_redirect

 

Note: Required ONLY when action is set to deny_and_log or deny_with_no_log.
response_page Enumeration Conditional

The response page to be sent to the client. The enumerated values include predefined response pages and custom response pages (if any):

  • default
  • default-virus
  • default-error-resp
  • default-captcha-tries-error-page
  • default-captcha-sessions-error-page
  • default-suspected-activity-error-page
  • default-captcha-response-page

 

Note: Required ONLY when deny_response is set to response_page.
redirect_url Alphanumeric Optional A URL to which a user should be redirected if action is temporary_redirect or permanent_redirect.
comments Alphanumeric Optional Description about the global ACL rule.
follow_up_action Enumeration Yes

The required follow up action to be taken whenever the request is denied. The enumerated values include:

  • Block Client-IP
  • Challenge_with_Captcha
  • None

Note: The default value is None.

follow_up_action_time Numeric Yes

Sets the time (sec) to block the client IP if Follow Up Action is set to Block Client-IP. The time can range from 1 to 600000 seconds.

Note: The default time is 60 seconds.

Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"deny_with_no_log"}'

 

Response:

{"id":"acl_1","token":"eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"enable_url_acl":"yes","extended_match":"(Method eq GET)&&(HTTP-Version eq HTTP/1.1)","extended_match_sequence":"5","action":"deny_with_no_log","deny_response":"reset"}'

 

Response:

{"id":"acl_1","token":"eyJldCI6IjEzODAxNTU5OTYiLCJwYXNzd29yZCI6IjhjNGYxNDFlYzgzNjIyMzcwMmMzNDc0ZDA3\nMjU3NmMxIiwidXNlciI6ImFkbWluIn0=\n"}

To Delete a Global ACL Rule

URL:  /v1/security_policies/{policy_id}/global_acls/{global_acl_id}
Method: DELETE
Description: Deletes the given global ACL rule.
Example:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/global_acls/acl_1 -u 'eyJldCI6IjEzODAxNTEyOTIiLCJwYXNzd29yZCI6IjY4YzM1YzVhYzIwYTEzMjgxOWNlYTRhMGUz\nZTQ2NjZkIiwidXNlciI6ImFkbWluIn0=\n:' -X DELETE

 

Response:

{"msg":"Successfully deleted","token":"eyJldCI6IjEzODAxNTYxNjAiLCJwYXNzd29yZCI6ImYzNmYwNGI2NDRhNjhmMWEwYjNjODQ3MzNk\nNWVmOWE0IiwidXNlciI6ImFkbWluIn0=\n"}