We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

  • Last updated on

In this lab, you will deploy an unsecure web application into Amazon Web Services (AWS), and then secure the application using the Barracuda Web Application Firewall. To create the environment, you will deploy a Virtual Private Cloud, Internet Gateway and NAT Gateway to provide for the virtual networking. Then a Barracuda Web Application Firewall and an Ubuntu server with Apache, PHP, MySQL and the Damn Vulnerable Web Application (DVWA), installed.

DVWA is a PHP/MySQL web application that is vulnerable attack. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. More information can be found on the DVWA site.

Once this infrastructure is built you create an Elastic Load Balancer in AWS that will direct traffic from the Internet to the Barracuda Web Application Firewall (both management and web). Next you will configure a Barracuda Web Application Firewall (WAF) to provide the service of the Damn Vulnerable Web Application (DVWA). After this is created you will connect to the DVWA web application and run the attacks to see how they are logged in the Barracuda Web Application Firewall.

These detailed step-by-step instructions will guide you through the lab.


  • Deploy and configure an AWS Virtual Private Cloud.
  • Provision and configure the Barracuda Web Application Firewall.
  • Deploy and configure the DVWA application.
  • Simulate attacks on the site using the DVWA application and capture the attacks being launched, configure policies and run reports from the WAF.


  • Amazon Web Services subscription
  • Valid contact details to complete the Barracuda Web Application Firewall trial registration

The following is a diagram of the deployment that will be completed at the end of this hands-on lab.


Exercise 1: Environment Setup

In this exercise, you will use an AWS Console to implement the infrastructure that will be leveraged for the rest of the exercises. This includes creating the Virtual Private Cloud (VPC), provisioning the Barracuda Web Application Firewall, the Elastic Load Balancer (ELB), and the Ubuntu server which will host the DVWA application.

Task 1: Create the Networking Infrastructure using an AWS Console
  1. Go to the AWS portal https://console.aws.amazon.com/. After entering your credentials, the AWS Dashboard will display.
  2. Click through Console > Networking & Content Delivery > VPC.
  3. Next, click Start VPC Wizard.
  4. On Step 1: Select a VPC Configuration, click Select.
  5. Complete the Step 2: VPC with a Single Public Subnet screen using the following details and then click Create VPC.
    • IPv4 CIDR block –
    • VPC name – BarracudaWAFLab
    • Availability Zone – us-east-1a
    • Subnet name – www
  6. Next, click Subnets and review the subnet that was created by the wizard.
  7. Right click on the subnet, and then click Modify auto-assign IP settings. The Modify auto-assign IP settings screen opens.
  8. Check the box for Enable auto-assign public IPv4 address and then click Save.
  9. From the Subnet screen, click Create Subnet to create a new subnet.
  10. Complete the Create Subnet screen using the following details, then click Yes Create:
    • Name tag apps
    • Availability Zone – us-east-1a
    • IPv4 CIDR block10.0.1.0/24
  11. On the Subnets page, review both the www and apps subnets.
  12. From the VPC Dashboard, click Internet Gateways and review how this was created by the wizard. Make sure that the State shows attached.
  13. Next, click Route Tables to review how the routing has been configured.
  14. Notice that the www subnet has been configured to associate the Internet bound route to the Internet Gateway.
  15. From the AWS console, click VPC under the Networking and Content Delivery, then click NAT Gateways.
  16. Click Create a NAT Gateway.

    The Create a NAT Gateway window opens.
  17. Select the www Subnet, then click Create a New EIP.
  18. Once this is completed click Create a NAT Gateway.
  19. Next, click Route Tables to review how the routing has been configured.
  20. Locate the second route table that was created, but currently has 0 subnets associated.
  21. Click this Route Table and select Routes. Notice how currently this is only a route for local traffic in the CIDR range of This means there is no route to the Internet.
  22. Click Edit, to make changes to the route table:
    1. Click Add Another Route.
    2. As the Destination, select
    3. As the Target, select the NAT gateway.
    4. Click Save.
  23. Click the Subnet Associations tab, and select Edit.
  24. Now, check the box for the apps subnet to associate this route table with the apps subnet.
    Now the private servers on the apps subnet will use the NAT gateway for their Internet bound traffic.
Task 2: Provision the Barracuda WAF using the AWS Marketplace
  1. Sign-in to the AWS Console.
  2. On the right-hand side of the console under AWS Marketplace, click the Learn more link.
  3. In the AWS Marketplace search box, type Barracuda Web Application Firewall and then click on the magnifying glass.
  4. Several Barracuda products will be returned by this search. Choose the Barracuda Web Application Firewall (WAF) – PAYG.
  5. Once the WAF page loads, click Continue.
  6. Complete the Launch wizard using the following settings:
    • Type – 1-Click Launch
    • Software Pricing – Hourly / m3. medium
    • Version – accept the latest version.
    • Region – US East (N. Virginia)
    • EC2 Instance Type – m3.medium
    • VPC Settings – Select the VPC and www subnet (
    • Security Group – Select Create new based on seller settings.
    • Key Pair – Select or Create a New Key
  7. After verifying the selections, click Launch with 1-click.
  8. Next on the AWS Marketplace Product Support Connection screen, click Share your contact details.
  9. Complete the Barracuda Support Form and click Register & Close.
  10. After completing the registration, the following page will appear from which the WAF was launched:
  11. Click on the EC2 Console link in the green message about the deployment of the Barracuda Web Application Firewall. Once it is deployed the instance will show it is Running.

    Don't continue on to the next step until the Barracuda WAF instance is in the running state as in the screen shot above.

Task 3: Provision the Elastic Load Balancer
  1. In the AWS Console, click on Load Balancers.
  2. Select Create Load Balancer.
  3. Select the Classic Load Balancer as the type of Elastic Load Balancer, and click Continue.
  4. In Step 1: Define Load Balancer, complete the screen using these inputs.
    • Load Balancer Name – BarracudaWAF-ELB
    • Create LB Inside – Select the VPC that you created for this lab.
    • Subnet – Select the www subnet.
  5. Click Next: Assign Security Groups.
  6. Deselect the default security group, and select the new Barracuda Web Application (WAF) security group that was created by the AWS Marketplace deployment of the device.
  7. Click Next: Configure Security Settings.
  8. Click Next: Configure Health Check.
  9. Complete the Step 4: Configure Health Check screen, using the following settings:
    • Ping Protocol – TCP
    • Ping Port – 8000
    • Advanced Details – Accept defaults.
  10. Click Next: Add EC2 Instances.
  11. On the Step 5: Add EC2 Instances screen, click on the instance.
  12. Click Next: Add Tags.
  13. Click Review and Create.
  14. Review Step 7: Review and compare to the ensure that everything is configured properly.
  15. You should then get a message that the BarracudaWAF-ELB was successfully created:
  16. In the AWS Console, click the Load Balancers link.
  17. On the BarracudaWAF-ELB load balancer that you crated, on the Description tab, locate the DNS name of the load balancer and copy it to a text file. You will use this to connect to later in the lab.
  18. Next, click the Instances tab. You may notice that the WAF has yet to be put into service by the ELB. Wait until you see that the Status change to InService. You need to hit the refresh button to see the updates.
  19. Click the Instance ID number which will break up details about the BarracudaWAF instance.
  20. On the Description tab, locate the IPv4 Public IP for the WAF and take note of the address.
  21. Open a new tab on your web browser and point it to PUBLIC IP address on the management port of 8000. This will bring you to the home page of the WAF where there will be a licensing agreement displayed.

    If the VM has just booted there may be a note that the VM is provisioning. This is normal and takes a few minutes to complete.

  22. Scroll down to the bottom of the webpage and click Accept.
  23. Once the system starts the login page will appear. Once this page has loaded move on to the next step leaving the tab here.
Task 4: Provision Ubuntu Server with the DVWA Application
  1. From the AWS console click Instances, then click Launch Instance.
  2. Scroll down and select the Ubuntu Server 14.04 LTS (HVM) AMI to deploy as your Web Server for the DVWA.
  3. At Step 2: Chose an Instance Type, select t2.small size for the VM. Then click Next: Configure Instance Details.
  4. On Step 3: Configure Instance Details, complete the screen using these details wherever details are not provided leave the defaults, move on to the next step without clicking Next.
    • Subnet – apps
    • Primary IP –
  5. Again, on Step 3: Configure Instance Details, scroll down and click the Advanced Details tab. Copy this script text into the User Data box:
    • #!/bin/bash
    • wget https://opsgilityweb.blob.core.windows.net/20170304-barracudawaf/dvwa.sh
    • bash dvwa.sh

      Make sure that when pasting from the work document you could get spacing issues. The script is only 3 lines, so check the spacing or the VM won't provision properly.

  6. Click Next: Add Storage.
  7. On the Step 4: Add Storage screen, accept the defaults and click Next: Add Tags.
  8. On the Step 5: Add Tags screen, accept the defaults and click Next: Configure Security Groups.
  9. On Step 6: Configure Security Group, name it DVWA, click Add Rule, and add a rule for HTTP Port 80.
  10. Click Review and Launch.
  11. On Step 7: Review Instance Launch, click Launch.
  12. Select your AWS key pair, and click Launch Instances.
  13. After a few minutes (maybe 10), check back on the EC2 Console and now both the WAF and the DVWA server should show as running. You can add names to the instances to make it easier to identify the VMs. The T2.small is the DVWA and the M3.Medium is the WAF.

In this exercise, the AWS Console was to implement the infrastructure that will be leveraged for the rest of the exercises. This included creating the Virtual Private Cloud (VPC), provisioning the Barracuda WAF, the Elastic Load Balancer (ELB), and the Ubuntu server.

Exercise 2: Configure the Barracuda WAF Virtual Appliance and the DVWA Application

In this exercise, the Barracuda WAF Appliance and the DVWA Services will be configured. First the WAF will be configured to connect to the DVWA. Once this is completed then a connection to DVWA server will be made and the configuration will be completed. After this is finished the end to end setup will be complete allowing for simulated attacks in the next exercise.

Task 1: Configure the WAF Appliance
  1. Move back to the tab that contained the login page or if this has been closed open it backup and connect to the WAF.
  2. Use the following login information:
    • Username – admin
    • Password – Instance ID of your Barracuda WAF Instance in Amazon Web Services.
  3. Once logged in, you will be directed to the Dashboard page of the Barracuda Web Application Firewall.
  4. Go to BASIC > IP Configuration.
  5. Review the networking configuration and take note of the IP address assigned to the WAF by AWS.
  6. Update the Default Host Name barracudawaf which is the name you gave the VM when you provisioned in the AWS Portal.

    The Host Name is used in reporting, and is displayed in alerts, notifications and messages sent by the Barracuda Web Application Firewall.

  7. Click Save.

    An error will be displayed about a Default Domain not configured. For this lab, this can be ignored. In production, the domain should be matched to that of the certificates being used for the SSL configuration.

Task 2: Create a Web Service to Publish the DVWA Application
  1. Log into the Barracuda device.
    • User – admin
    • Password – [InstanceID]
  2. Go to BASIC > Services.
  3. Go to ADD NEW SERVICE, update the fields, and then click Add.
    • Service Name – DVWA
    • Type – HTTP
    • Virtual IP Address – IP address assigned to the WAF by AWS.
    • Port – 80
    • Real Servers – (This is the address you assigned to the DVWA Server)
    • Create Group – No
    • Service Groups – default
  4. After about 15 seconds the firewall will update and the Services pane will now look like below:
  5. Open a new tab on the web browser and point it at the DNS name of the Elastic Load Balancer. This should be in the text file that you saved, or can be found on the ELB in the AWS Console. The DVWA server should load with the traffic flowing through the ELB and if the DVWA folder is on the server then it is installed.

    If for some reason this webpage doesn't load make sure that you have entered the correct IP address for the barracudawaf and the DVWA web server. Another troubleshooting step if the DVWA is not coming up is to review the NAT Gateway configuration. The NAT Gateway must be deployed into the www subnet and the routing table for the apps subnet must point to the NAT Gateway instance.


Task 3: Configure the Damn Vulnerable Web App
  1. From the connection to the DVWA server through the ELB, click the DVWA link to attach to DVWA and complete its configuration.
  2. This will load the DVWA web application and bring up the Database Setup page.
  3. Scroll down and click Create / Reset Database. You will briefly see an update that the database was created and then be redirected to a login page.
  4. Once at the login page use the following login information to test the application.
    • Username – admin
    • Password – password
    This will bring you to the home page of the DVWA page. This means that the application has been setup properly.
  5. Click Logout.

In this exercise, the Barracuda WAF appliance and the DVWA services were configured. The WAF was configured to connect to the DVWA, and then the DVWA application configuration was completed. This completed the necessary steps to allow for an end to end setup allowing for simulated attacks in the next exercise.

Exercise 3: Simulate Attacks and Secure the Environment using the WAF

In this exercise, attacks will be simulated against a website using the DVWA application. Using the tools of the WAF, fixes will be applied to avoid these attacks in the future.

Task 1: Command Injection Attack
  1. Open a new tab on your local web browser and navigate to the public IP address of the ELB. The example here is at http://BarracudaWAF-ELB-1474027757.us-east-1.elb.amazonaws.com/DVWA (DVWA is case sensitive). This will load the DVWA application as published via the Barracuda Web Application Firewall.

    If the address to the ELB is entered into the browser, then simply click the DVWA folder to load the application.

  2. The login page of the DVWA website will appear. Use these credentials:
    • Username – admin
    • Password – password
  3. The home page for DVWA will appear in the browser window.
  4. Once on the home page click on the Command Injection link. Next, type (this is the Google DNS server IP address), in the Enter an IP address box, and click Submit.
    The page will take 10 seconds or so to run and the provide the following output.
  5. Now move back to the browser tab for the WAF and go to BASIC > Web Firewall Logs.
  6. On the Web Firewall Logs page, update the filter with the following details, and then click Apply Filter.
    • Service IP
    • is equal to
    • IP address of the WAF
  7. Notice how the WAF has alerted at the attack.

    Highlighting the red arrow will show the severity alert.


  8. Click Save Filter, this will open a new window. Type myfilter into the Filter Name box, and then click Save.
  9. Find the last logged with the attack name OS Command Injection in URL, and click Fix.
  10. This will open a Policy Fix window. Read the details and then click Apply Fix.
    The window will update showing that the policy has been updated.
  11. Click Close Window.
  12. Move back to the DVWA application and again launch the command injection attack by entering in the Ping a Device tool.
  13. Once this is completed move back to the WAF tab and click Apply Filter. Notice that you no longer see the Attack Name OS Command Injection in URL, in the logs.
  14. Go to Basic > Dashboard.
  15. Once at the Dashboard, scroll down to the Attacks graphs. Change the time to Last Hour. It should then resemble the following showing attacks that you have made against the site.

    You may have to change the time from Last Day to Last Hour to see the results.


  16. Move back to the DVWA application in your browser. Click through some of the other attacks. Once this is completed move on to the next task.
Task 2: Using Reporting
  1. On the BarracudaWAF management screen, click Reports.
  2. In Report Options section, change the Time Frame to Today.
  3. Scroll down to the Security section, select the checkbox next to Attacks by Category, and then click Show Report.
  4. The report window will load showing the different attacks. Take the time to review the report.
  5. In the drill down section, click on the different areas to better understand the information behind the report. Select Clients or Time.
  6. Close the report by hitting the X at the top of the window.
  7. Locate the Top Attacked URLs in the Security section, select the checkbox, and then click Show Report.
  8. Review the report and mouse over the charts to see the URLs.
Last updated on