It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Release Notes Version 9.1

  • Last updated on
Please Read Before Updating

Before updating to a new firmware version, be sure to back up your configuration and read the release notes for each firmware version which you will apply.

Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. The update process typically takes only a few minutes to apply. If the process takes longer, please contact Barracuda Networks Technical Support for assistance.

If a server is added with the hostname, the Barracuda Web Application Firewall will automatically create server entries for all IP addresses that resolves to the configured hostname. Deleting the first server that was added with the hostname, will now delete all the automatically created server entries. [BNWF-25536]

Fixes and Enhancements in 9.1

Security

  • Vulnerability Fix: A vulnerability that allowed malicious XML documents to be uploaded through the 'Import Vulnerability Report' feature, has been addressed. [BNWF-24251]
  • Feature: SAML signatures can now be signed with RSA-256. [BNWF-25902]
  • Enhancement: The default value for "Max Header Value Length" is increased to 1024 bytes. [BNWF-25419]
  • Enhancement: The OWA 2013 security policy now includes "application/mapi-http" in the default list of content types. [BNWF-25418]
  • Enhancement: “Follow Up Action” can now be configured for services under URL: Allow/Deny Rules in the WEBSITES > Allow/Deny page. [BNWF-25002]
  • Enhancement: CAPTCHA responses are made non cacheable with inclusion of no-cache headers in the response. [BNWF-25224]
  • Fix: If "Enable Web Application Firewall" is set to "No" for a service, the requests to the service are now exempted from JSON validation. [BNWF-24241]
  • Fix: Portions of URL which fall outside "known extensions" are now scanned for various attack patterns as configured under URL protection in a security policy. [BNWF-25872]

Access Control

  • Feature: A single whitelist of IP addresses can now be created to bypass all the following checks: IP Reputation, Bruteforce, WebScraping, DDoS and Slow Client evaluation. [BNWF-25000]
  • Enhancement: In the Bruteforce policy, it is now possible to specify the number of bytes to be exchanged between a client and the server by configuring “Maximum Bandwidth Per IP” or “Maximum Bandwidth From All Sources”. [BNWF-25004]
  • Enhancement: Bruteforce policy is enhanced with the new configurable parameters to count valid and invalid requests separately. [BNWF-25005]
  • Fix: An issue with the synchronization of internal LDAP users/groups in the clustered units, has been fixed. [BNWF-25495]
  • Fix: The status of JSON profiles (ON/OFF) is now displayed in the WEBSITES > JSON Security page. [BNWF-19486]
  • Fix: An issue with the SAML metadata generation when the signing and encryption certificates are same, has been fixed. [BNWF-26060]
  • Fix: An issue where SAML cookies were set with the HTTPOnly and Secure attributes regardless of the actual configuration, has been fixed. [BNWF-25997]

Networking

  • Fix: If Network ACL is configured with the “icmp-drop-with-no-response” option, the packets will be dropped without sending ICMP Unreachable replies. [BNWF-24568]
  • Fix: Clearing the configuration in Bridge mode resulted in the assignment of the same IP address to Br0 and Eth0 interfaces, leading to loss of access to the unit . This issue has been addressed. [BNWF-25295]

System

  • Feature: You can connect/disconnect to the Barracuda DDoS Prevention Service using the Enable/Disable option in the BASIC > Dashboard page. [BNWF-24990]
  • Feature: When Proxy protocol is enabled, an “accept list” can be configured to allow requests that do not contain a proxy header. [BNWF-24997], [BNWF-24999]
  • Feature: "Application Layer Health Check" in the server configuration now includes the "Domain" field to configure the SNI server name. [BNWF-21690]
  • Enhancement: Proxy protocol is now supported for HTTPS services. [BNWF-23443]
  • Enhancement: A possible memory leak in freeing up requests which may happen in very specific request pattern cases, has been addressed. Proactive detection and alert emails are also generated to alert the admins for these memory leaks. [BNWF-25688]
  • Enhancement: Bulk Edit for certificates is now possible using Partial templates. [BNWF-26403]
  • Fix: Rebooting a Barracuda Web Application Firewall configured with a management VLAN resulted in loss of access to the system. This issue has been addressed. [BNWF-25476]
  • Fix: Firmware update alert notifications now use the correct terminology for Early Access releases. [BNWF-25396]
  • Fix: Errors seen in “Bandwidth Threshold” breach alerts, have been fixed. [BNWF-25375]
  • Fix: Network layer rules were created when IP Reputation was set to Application Layer. This has now been fixed, and these rules are not created. [BNWF-25303]
  • Fix: Duplicate verbs cannot be configured in "FTP Allowed Verbs" in the WEBSITES > FTP Security page. [BNWF-25284]
  • Fix: Issue with fetching pages with JavaScript data having URLs more than 300 kb, has been resolved. [BNWF-25173]
  • Fix: The "Service" template under Advanced > Templates now includes SNI configurations. [BNWF-25273]
  • Fix: It is now possible to enable Proxy Protocol for a service without enabling Web Sockets. [BNWF-25358]
  • Fix: HSTS enabled services now perform permanent redirection for any requests coming over the non-secure transport. [BNWF-24782]
  • Fix: A high CPU condition caused by failures in backend SSL connections, has been addressed. [BNWF-23450]
  • Fix: An issue that resulted configuration rollback when the attack pattern mode was changed, has been addressed. [BNWF-24805]
  • Fix: An issue that displayed garbled characters in the BASIC > Dashboard page for Japanese language in IE browsers, has been addressed. [BNWF-24538]
  • Fix: A possible spike in the live connections graph when no traffic or very low amount of traffic is passing through the unit, has been addressed. [BNWF-23295]
  • Fix: An issue with the datapath traffic when a server was enabled/disabled, has been fixed. [BNWF-23810]
  • Fix: Auto-generated HSTS redirect services cannot be enabled/disabled now. [BNWF-25519]
  • Fix: An issue that created junk entries in the database for URL/Parameter profiles, has been addressed. [BNWF-25550]
  • Fix: An issue where the web admin UI login failed for LDAP users, has been fixed. [BNWF-25563]
  • Fix: An issue with server hostname resolution that resulted in corruption of the server entries, has been addressed. [BNWF-25608], [BNWF-26345]
  • Fix: An issues where server hostname resolution added empty entries has been fixed. [BNWF-25679]
  • Fix: If the headers in a response sent by the server are larger than 256KB, the response is dropped to prevent possible memory usage issues. [BNWF-25793]
  • Fix: A data path corruption that caused service interruption while evaluating clients for Web Scraping, is now fixed. [BNWF-26266]
  • Fix: A slow memory leak that was observed while evaluating clients for Web Scraping and Application DDoS, is now fixed.  [BNWF-26265]
  • Fix: A race condition that occurs while checking for file mime-types in a request with many file uploads, is now fixed. [BNWF-26263]
  • Fix: When an IPv4 service received traffic with an IPv6 address in the “X-Forwarded-For header”, the IPv6 address was not logged. This is now fixed, and the IPv6 address will be logged. [BNWF-25957]
  • Fix: When “URL Translations” and “URL Encryption” are enabled, the Barracuda Web Application Firewall now sends only the original referer header to the server. [BNWF-26296]
  • Fix: An issue where service creation took a long time is now fixed. [BNWF-25994]
  • Fix: An issue where hostname resolution of servers was intermittently not working, is now fixed. [BNWF-26453]
  • Fix: When a server/rule group server with identifier as hostname was added, DNS resolution for the hostname servers was not querying the secondary DNS server when primary DNS server was not resolving to any IP address. This issue is now fixed. [BNWF-25697]
  • Fix: It is now possible to perform “Bulk Edit” operations for Certificates using "More Actions" on the BASIC > Services page. [BNWF-26816], [BNWF-26181]
  • Fix: When the back-end server piggy backed a FIN on the response packet, the back-end server connection was not closed. This has now been fixed. [BNWF-27088]
  • Fix: An issue that removed the domain and certificate mapping when “Enable SNI” was set to “No”, has been fixed now. [BNWF-27027]
  • Fix: An issue that wiped the domain(s) and certificate(s) after modifying the SNI configuration, is now fixed. This fix also resolves the domain and ECDSA certificate mapping issue. [BNWF-27229]
  • Fix: An issue that generated excessive logs when a cookie key was modified, resulting in increased latency, has been fixed. [BNWF-26987]
  • Fix: An issue where blocked IP addresses were not being populated on a connected Barracuda NG Firewall, has been resolved. [BNWF-26097]
  • Fix: In the Bridge mode, modifying the “Session Timeout” value for a HTTPS service resulted in temporary service disruption. This is fixed now. [BNWF-26957]

  • Fix: A rare kernel hang due to an issue with the ACPI module, has been fixed. [BNWF-26724]

Logging and Reporting

  • Feature: The negotiated Cipher Suite for services and servers are now logged in System Logs. [BNWF-19118]
  • Enhancement: Two new reports have been added: "Service Connections" and "Service Live Connections". [BNWF-24830]
  • Enhancement: A log has been added to display the relevant information when IP reputation at the Application Layer is turned ON, and the blocked IP address is a Private IP address. [BNWF-26736]
  • Enhancement: Access Log export to FTP has been enhanced to support FTP connections that use non-default ports. [BNWF-26052]
  • Fix: Traffic trends data was not deleted when Logs and Statistics were cleared. This has now been fixed. [BNWF-25023]
  • Fix: False positive errors for the internal logging database are now suppressed. [BNWF-24024]
  • Fix: When OOB health checks are disabled, and the backend servers are unreachable, a new log is now generated. This log is available under Advanced > System Logs. [BNWF-24593]
  • Fix: An issue with exporting logs to the CSV format when the filter match value contained special character like semi-colon, etc. in it, has been addressed. [BNWF-24900]
  • Fix: Email Notification for server status change (UP/DOWN) will now include service name, service group name and vsite information. [BNWF-6179]
  • Fix: Access Logs can now be enabled/disabled for Content Rules. [BNWF-19722]
  • Fix: The “Exception List” report now displays blocked/allowed next to the country codes. [BNWF-25931]
  • Fix: Scheduled reports were appearing in English when other languages were selected. This is now fixed. [BNWF-25840]
  • Fix: HTML email reports generated in the Japanese language were showing garbled data. This issue has now been fixed. [BNWF-26552]
  • Fix: An issue where the "Protocol" field of Access Logs was set to "WebSocket" regardless of traffic, has now been fixed to show the correct protocol. This issue occurred in entries where the backend server was not reachable. [BNWF-26486]

  • Fix: The "Top Services by Bandwidth" report now shows the correct data when the report filter is set for more than one day. [BNWF-26142]

User Interface

  • Fix: An issue where inaccurate data was displayed in some BASIC > Dashboard graphs is now fixed. [BNWF-25529]
  • Fix: The WAN interface is now chosen by default for the "Total Bandwidth" graph on the BASIC > Dashboard page. [BNWF-27070]
  • An inconsistency in updating the configuration and search results on the Basic > Services page, has been addressed. [BNWF-25360]

Role Based Administration

  • Fix: Users with the "Guest" role cannot perform any configuration. [BNWF-25314]
  • Fix: An issue where an admin with Read-Only access could modify rule group server configuration, has now been fixed. [BNWF-27031]

Management

  • Feature: The Barracuda Web Application Firewall now generate SNMP Trap messages for data path failures i.e. if the system hangs, crashes or the link is down. [BNWF-26187]

  • Fix: Restoring a backup that contained services configured with non-exportable private key certificates, resulted in configuration rollback. This issue has been addressed. [BNWF-25175]
  • Fix: In the earlier firmware versions, the backup files saved on Amazon S3 was not displayed in the ADVANCED > Backups page. This issue is not seen the latest firmware version 9.1. [BNWF-23889]

High Availability

  • Feature: When deployed in a High Availability cluster, traffic will now failover to the standby unit when memory utilization on the active unit exceeds 70%. [BNWF-25203]
  • Fix: Configuration changes made to URL and Parameter Optimizers are now synchronized in the clustered systems. [BNWF-25115]

REST API

  • Feature: SNI domains and certificates can now be deleted using REST API v3. [BNWF-24951]
  • Fix: It is now possible to enable/disable Services through the new REST API v3. [BNWF-25438]
  • Fix: In the high availability environment, the serial number of the Barracuda Web Application Firewall is validated when editing the Vsite through REST API v3. [BNWF-19754]

Virtual Machine

  • Fix: An issue that resulted in the reset of the admin password after establishing a support tunnel connection on newly deployed virtual machines, has been addressed. [BNWF-25733]