It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Configuring Action Policy for Attack Groups

  • Last updated on

Go to SECURITY POLICIES > Action Policy to configure for each security policy what action to take when a violation occurs. Discrete Action Policies can be configured for the following attack groups:

  • advanced-policy-violations
  • application-profile-violations
  • param-profile-violations
  • protocol-violations
  • request-policy-violations
  • response-violations
  • url-profile-violations
  • header-violations

To edit the action taken when a particular attack is detected, locate the respective Attack Action Name in the list and click Edit (in the Options column) next to it.

You can choose from the response to a request deemed an attack by this security policy:

  • Protect and Log: Blocks any request containing the specified attack and logs the attack.
  • Protect and no Log: Blocks any request containing the specified attack without logging the attack.
  • Allow and Log: Logs the violation.
  • None: Ignores the violation.

For a description about the attack actions under each attack group, see  Attacks Description - Action Policy .

Configuring Request Denials

If you choose an action policy that protects (denying attacks, whether logging or not), you must configure the Deny Response and Follow Up Actions for attacks.

Set Deny Response to one of the following options:

  • Close Connection: Closes the connection to the sending client.
  • Temporary Redirect: Redirects the request with the 302 status code to the URL specified in the parameter Redirect URL.
  • Permanent Redirect: Redirects the request with the 301 status code to the URL specified in the parameter Redirect URL.
    Redirect URL: Specifies the URL where the request is redirected if the deny response is set to Temporary Redirect or Permanent Redirect
    Redirect URL should be specified when the status code in HTTP status is one of 3xx redirect response codes.

Redirect URL should be specified in one of the following formats:

  • http://domain/url  
  • https://domain/url
  • /url

Where "url" and "domain" can be any ASCII strings. URL can be empty.

Examples: http://secure.xyz.com/error.html , https://secure.xyz.com/logerror.cgi , or /error.html

  • Send Response: Sends the response indicated in Response Page.
    Response Page: Specify the response page to be sent to the client.

Configure a Follow Up Action taken when a request is denied by choosing from the following:

  • None: Ignores the violation.
  • Block Client IP: Blocks the sending client for the time specified in Follow Up Action Time.
  • Challenge with CAPTCHA: Denies the response, and any subsequent requests from the same client IP address will be tracked for the next 900 seconds and will be challenged with a CAPTCHA image. The client will not be allowed to access any further resource until the CAPTCHA is answered. This is to thwart any reconnaissance efforts from the automated clients that are found to be suspicious due to such attack activity. The number of attempts for solving such a CAPTCHA challenge is five (5), and the number of re-fetches of the CAPTCHA image allowed is 128. Such tracked client IP addresses will have to answer the CAPTCHA if they are idle for more than 300 seconds. Note that the Follow Up Action Time has no relevance to this option.
  • Block Client Fingerprint - Blocks all requests from the client fingerprint to the service for the time specified in Follow Up Action Time.
  • Tarpit Client - Puts the clients into Tarpit whose risk scores have crossed the suspicious value for the time specified in Tarpit Inactivity Timeout.
    • Backlog Requests Limit - The total number of requests that are held in a backlog to be served from a tarpitted client.
      Values: 0 to 100
      Recommended: 50
    • Tarpit Inactivity Timeout - The idle timeout time in seconds, after which the client will be removed from the tarpit.
      Values: 300 to 36000 secs
      Recommended: 300 secs

Follow Up Action Time: Specifies the time in seconds to block the sending client if Follow Up Action is set to Block Client IP.

  • Range: 1 to 600000
  • Units: Seconds

Click Help on the SECURITY POLICIES > Action Policy page for more information about configuring action policy.