Barracuda Web Application Firewall

File-Based Configuration Management for Barracuda Web Application Firewall

Overview

The software management lifecycle has changed drastically with the advent of public cloud platforms and DevOps environments. With these technologies, system administrators need an easy and elegant way to dynamically configure the system to keep up with ever-changing network and security requirements.

To make DevOps tasks easier for system and network administrators, the Barracuda Web Application Firewall provides a simple solution: a file-based configuration management approach.

The following are the key highlights of the file-based configuration management approach:

  • Simplifies the overall configuration management on the Barracuda Web Application Firewall.
  • Provides a simple yet comprehensive and robust solution that covers all the configuration objects on the Barracuda Web Application Firewall.
  • Organizes and maintains the infrastructure as code that can then be used for versioning, reviewing, and easy auditing.
  • Internally, maps directly to the comprehensive Barracuda Web Application Firewall Version 3 REST APIs.
  • In cloud platforms, can be seamlessly used for system bootstrapping.

This approach uses a JSON-based text configuration file to define all the configuration that is installed on the Barracuda Web Application Firewall.

The JSON configuration file is manually created by the administrator and specifies all the required configuration objects and the desired operations. The JSON file is then validated and installed on the Barracuda Web Application Firewall using the graphical user interface. In cloud platforms, the JSON file is also used for bootstrapping the system. The contents of the file are easily modified, and the configuration can be replicated to suit your requirements.

This feature is applicable across all the Barracuda CloudGen WAFs (AWS, Azure, and GCP).

Configuration File Anatomy

The Barracuda Web Application Firewall configuration file is a JSON file with one major section, “config”. It includes parameters and attributes for the overall configuration. An example of the JSON configuration file structure is shown below.

{
    "config": [
        {
            "type": "…",
            "operation": "…",
            "payload": {
                "param1": "…",
                "param2": "…"
            }
        },
        {
            "type": "…",
            "operation": "…",
            "payload": {
                "param1": "…",
                "param2": "…"
            }
        },
        .
        .
        .
    ]
}

Attribute: Operation
Description: Defines the actions to be performed on the configuration objects. Create, Edit and Delete are the operations supported in the Barracuda Web Application Firewall configuration management. See the table below to understand the mapping of each operation to the respective API type.

    API request type    Operation
    POST                CREATE
    PUT                 EDIT
    DELETE              DELETE

Example:

    "type": "Certificates",
    "operation": "Create",

    Performs an operation of creating a certificate.

Attribute: Type
Description: Specifies the type of the object defined by the configuration file.
Example:

    "type": "Certificates",
    "operation": "Create",

    The type “certificates” can be created.

Attribute: Parent (OPTIONAL)
Description: Identifies the configuration hierarchy.
Example:

    "type": "parameter-profiles",
    "parent": "/services/Prod_App/url-profiles/url1"

    A parameter profile is configured for URL policy “url1” under services “Prod_App”.

Attribute: Payload
Description: Parameters that define the configuration object. Refer to the example value of an object in the REST API guide to know about the parameters.
Example:

    "payload": {
        "name": "Prod_App",
        "type": "https",
        "ip-address": "bwaf::SYSTEM_IP",
        "port": "444",
        "certificate": "testcert",
        "group": "default",
        "vsite": "default",
        "status": "On",
        "address-version": "IPv4",
        "comments": "This is the production service for the lab"
    }

Special Macros

  • SYSTEM_IP Macro - When SYSTEM_IP is specified for the ip-address parameter, the Barracuda CloudGen WAF automatically uses the system IP address while creating a service.
    The following example payload shows the usage of the SYSTEM_IP macro while creating a service.

    {
        "type": "services",
        "operation": "CREATE",
        "payload": {
            "name": "Prod_App",
            "type": "https",
            "ip-address": "bwaf::SYSTEM_IP",
            "port": "443",
            "certificate": "testcert",
            "group": "default",
            "vsite": "default",
            "status": "On",
            "address-version": "IPv4",
            "comments": "This is the production service for the lab"
        }
    }

Getting started with the configuration file-based approach

The JSON configuration file is manually created by specifying the configuration objects and operations. This file is then used while configuring the Barracuda Web Application Firewall. The steps involved in manually creating a configuration file are:

  1. Creating a file - <filename>.json
  2. Creating Objects for the JSON Configuration File
  3. Validating the Configuration File
  4. Bootstrapping using the Config.json file

Creating a file - <filename>.json

The JSON file can be created or edited using any text editor. You can give your configuration file any name, but Barracuda recommends that you save the file with a “.json” file extension only.

Creating Objects for the JSON Configuration File

The configuration objects of the JSON file are created by referring to the Barracuda Web Application Firewall REST API documentation. Perform the following steps to include the configuration objects and operations.

  1. Click the Barracuda Web Application Firewall REST API documentation link to navigate to the list of APIs.
  2. Select the object you intend to include in the JSON file. For example - Services, Server, and so on.
  3. Select the operation you intend to perform. For example - POST. Refer to the Anatomy section to know more about the API request types that you must select to perform the operation.
  4. Copy the JSON content and paste it in the configuration file.

You can perform the same steps described above to add multiple configuration objects in the JSON file.

Validating the Configuration File

After creating the configuration JSON file, you should validate the file by uploading it in the Barracuda Web Application Firewall user interface. The Restore WAF Configuration File section allows you to upload the JSON file for validation and for restoring the configurations.

Perform the following steps to validate and restore the configurations of the JSON file:

  1. Log in to the Barracuda Web Application Firewall.
  2. Navigate to ADVANCED > Backups > Restore WAF Configuration File.
  3. Click Browse and select the JSON file that you created.
  4. From Select Action Type, specify the option that you want to perform on the JSON configuration file.
     • Test - creates a sandbox environment on the Barracuda Web Application Firewall to test and validate the configurations specified in the JSON file. The validation process might take a few minutes to complete depending on the size of the configuration. The progress is indicated on the user interface. A Success/Failure message is displayed at the end of the validation process.
     • Restore - applies the configurations specified in the JSON file. The process might take a few minutes to complete depending on the size of the configuration. The progress is indicated on the user interface. A Success/Failure message is displayed at the end of the installation process. If there is an error, the configuration on the system is automatically reverted to the state prior to the config restore. You can also view the details of the error by clicking the link displayed on the user interface.
  5. Click Upload Now to upload the JSON file.

Bootstrapping using the Config.json file

Amazon Web Services

  1. Upload the config JSON file to the bootstrapping S3 bucket.
     Ensure that you always name the file with a .json extension.
  2. Launch the CloudFormation stack and specify the JSON filename. Note that with this parameter, you can either specify the backup filename or the config.json file.
     At the time of bootstrapping, the instance picks up the configurations from the JSON, frames REST v3 requests internally, and executes them on the WAF.

Microsoft Azure

  1. Upload the config JSON file to the bootstrapping blob.
  2. Launch the CloudFormation stack and specify the JSON filename. Note that with this parameter, you can either specify the backup filename or the config.json file.
     At the time of bootstrapping, the instance picks up the configurations from the JSON, frames REST v3 requests internally, and executes them on the WAF.

Example - JSON file

The Barracuda Web Application Firewall uses the config.json file to configure applications. The example JSON file below covers the following operations:

  • Create certificate with name "testcert"
  • Create HTTPS service with name "Prod_App" by binding certificate "testcert"
  • EDIT service "Prod_App"
  • Create Server "ALB_backend"
  • Create Server "ALB_backend2"
  • Delete Server "ALB_backend2"
  • Create URL profile "url1" for service "Prod_App"
  • Create Param Profile for URL profile "url1"
{
    "config": [
        {
            "type": "certificates",
            "operation": "CREATE",
            "payload": {
                "name": "testcert",
                "allow_private_key_export": "yes",
                "city": "san_franscisco",
                "common_name": "prod.barracuda.com",
                "country_code": "US",
                "curve_type": "secp256r1",
                "key_size": "1024",
                "key_type": "rsa",
                "organization_name": "techkaizen.net",
                "organization_unit": "devops",
                "state": "california"
            }
        },
        {
            "type": "certificates",
            "operation": "CREATE",
            "payload": {
                "name": "testcert2",
                "allow_private_key_export": "yes",
                "city": "san_franscisco",
                "common_name": "labs.barracuda.com",
                "country_code": "US",
                "curve_type": "secp256r1",
                "key_size": "1024",
                "key_type": "rsa",
                "organization_name": "internal.net",
                "organization_unit": "dev",
                "state": "california"
            }
        },
        {
            "type": "services",
            "operation": "CREATE",
            "payload": {
                "name": "Prod_App",
                "type": "https",
                "ip-address": "bwaf::SYSTEM_IP",
                "port": "443",
                "certificate": "testcert",
                "group": "default",
                "vsite": "default",
                "status": "On",
                "address-version": "IPv4",
                "comments": "This is the production service for the lab"
            }
        },
        {
            "type": "basic-security",
            "parent": "/services/Prod_App",
            "operation": "EDIT",
            "payload": {
                "rate-control-status": "Off",
                "mode": "Active",
                "ignore-case": "Yes",
                "web-firewall-log-level": "5-Notice",
                "trusted-hosts-action": "Default",
                "rate-control-pool": "NONE",
                "web-firewall-policy": "default"
            }
        },
        {
            "type": "servers",
            "parent": "/services/Prod_App",
            "operation": "CREATE",
            "payload": {
                "name": "ALB_backend",
                "identifier": "IP Address",
                "address-version": "IPv4",
                "status": "In Service",
                "ip-address": "10.2.4.18",
                "port": "80",
                "comments": "Creating the server"
            }
        },
        {
            "type": "servers",
            "parent": "/services/Prod_App",
            "operation": "CREATE",
            "payload": {
                "name": "ALB_backend2",
                "identifier": "IP Address",
                "address-version": "IPv4",
                "status": "In Service",
                "ip-address": "10.2.4.18",
                "port": "80",
                "comments": "Creating the server"
            }
        },
        {
            "type": "servers",
            "parent": "/services/Prod_App",
            "name": "ALB_backend2",
            "operation": "DELETE"
        },
        {
            "type": "url-profiles",
            "parent": "/services/Prod_App",
            "operation": "CREATE",
            "payload": {
                "name": "url1",
                "status": "On",
                "extended-match": "*",
                "exception-patterns": [],
                "url": "/public/index.html",
                "allow-query-string": "Yes",
                "maximum-upload-files": "5",
                "comment": "",
                "referrers-for-the-url-profile": ["goodf"],
                "maximum-parameter-name-length": "64",
                "csrf-prevention": "None",
                "mode": "Passive",
                "max-content-length": "32768",
                "extended-match-sequence": "1",
                "blocked-attack-types": [],
                "display-name": "",
                "custom-blocked-attack-types": [],
                "hidden-parameter-protection": "Forms"
            }
        },
        {
            "type": "parameter-profiles",
            "parent": "/services/Prod_App/url-profiles/url1",
            "operation": "CREATE",
            "payload": {
                "name": "param_1",
                "status": "On",
                "allowed-file-upload-type": "Extensions",
                "max-value-length": "1000",
                "exception-patterns": [],
                "parameter": "test_param",
                "validate-parameter-name": "No",
                "required": "No",
                "parameter-class": "String",
                "comments": "test param profile",
                "base64-decode-parameter-value": "No",
                "ignore": "No",
                "file-upload-mime-types": [],
                "maximum-instances": "1",
                "file-upload-extensions": ["*"],
                "custom-parameter-class": "",
                "type": "Input",
                "values": ["param1"],
                "allowed-metachars": ""
            }
        }
    ]
}
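
An offline pre-check for a file like the one above, run before uploading it for the Test action. This is an added example, not Barracuda's code: it checks JSON syntax, the operation names, the order of parent and certificate references, and weak certificate settings. It assumes objects are applied in file order on a freshly bootstrapped instance, so every parent path and service certificate must be created earlier in the same file; the name lint_config, the finding texts and the 2048-bit RSA floor are choices of the example.

```python
import json

OPERATIONS = {"CREATE", "EDIT", "DELETE"}  # operations named on this page

def lint_config(text):
    """Return (index, message) findings for a config.json document."""
    doc = json.loads(text)  # rejects curly quotes, trailing commas, raw newlines in strings
    findings, known = [], set()  # known: paths created so far, e.g. /services/Prod_App
    for i, obj in enumerate(doc.get("config", [])):
        otype = obj.get("type", "")
        op = str(obj.get("operation", "")).upper()
        payload = obj.get("payload") or {}
        parent = obj.get("parent", "")
        name = payload.get("name") or obj.get("name", "")
        if not otype:
            findings.append((i, "missing type"))
        if op not in OPERATIONS:
            findings.append((i, "unsupported operation"))
        if op in ("CREATE", "EDIT") and not payload:
            findings.append((i, "missing payload"))
        if parent and parent not in known:
            findings.append((i, "parent not created earlier in file"))
        cert = payload.get("certificate")
        if otype == "services" and cert and "/certificates/" + cert not in known:
            findings.append((i, "certificate not created earlier in file"))
        if otype == "certificates":
            size = str(payload.get("key_size", ""))
            if payload.get("key_type", "").lower() == "rsa" and size.isdigit() and int(size) < 2048:
                findings.append((i, "RSA key smaller than 2048 bits"))
            if payload.get("allow_private_key_export", "").lower() == "yes":
                findings.append((i, "private key export allowed"))
            if "key" in payload or "password" in payload:
                findings.append((i, "private key or passphrase stored in file"))
        path = f"{parent}/{otype}/{name}"  # same layout as the "parent" attribute
        if op == "CREATE" and name:
            known.add(path)
        elif op == "DELETE":
            known.discard(path)
    return findings

# Constructed sample with deliberate mistakes, not taken from a real deployment.
SAMPLE = """
{"config": [
  {"type": "certificates", "operation": "CREATE",
   "payload": {"name": "testcert", "key_type": "rsa", "key_size": "1024",
               "allow_private_key_export": "yes"}},
  {"type": "services", "operation": "CREATE",
   "payload": {"name": "Prod_App", "type": "https", "port": "443",
               "certificate": "testcert2"}},
  {"type": "servers", "parent": "/services/ProdApp", "operation": "CREATE",
   "payload": {"name": "ALB_backend", "ip-address": "10.2.4.18", "port": "80"}},
  {"type": "servers", "parent": "/services/Prod_App", "name": "ALB_backend",
   "operation": "REMOVE"}
]}
"""

if __name__ == "__main__":
    for index, message in lint_config(SAMPLE):
        print(f"config[{index}]: {message}")
```

When the file is restored onto a WAF that already holds configuration, a "not created earlier in file" finding may refer to an object that exists on the system and can be reviewed rather than treated as an error.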

Example - Creating Certificates

You can create or upload certificates to the Barracuda Web Application Firewall using the JSON file. To upload certificates, you should provide the content of the certificates in “base64” format.
The following example shows how to upload a trusted server certificate with filename "server_001.cert" to the Barracuda Web Application Firewall.

    1. Verify the content of the certificate file.

      @root-S:~/certs$ cat server_001.cert
      -----BEGIN CERTIFICATE-----
      MIIDBTCCAe2gAwIBAgIJAOM++mrve/8CMA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
      ...
      MyA3naQCWaPSef65qaCeB/XOAZ0BRviqglnUEreHfmdtUZakmgrdALE9bKGy3nja
      J1aZxPjc7l8z
      -----END CERTIFICATE-----
    2. Encode the content of the certificate file to "base64" format. You can use the following command in the standard Linux console:

      @root-S:~/certs$ cat server_001.cert |  base64 | awk 'BEGIN{ORS="";} {print}'
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVuVENDQTRVQ0NRQzN1SkRCWXBNejJUQU5CZ2txa...
    3. Copy the output of the previous command and paste it in the "content" parameter under payload. For example,

      {
          "type": "certificates",
          "operation" : "CREATE",
          "payload": {
              "name":"trusted_cert",
              "category": "trusted_server",
              "content" : "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t..."
          }
      }
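
The three steps above as one script: check the PEM file, encode it on a single line, and build the "certificates" entry. This is an added example, not part of the Barracuda documentation; the function names and the sample PEM (placeholder bytes, not a real certificate) are constructed for illustration, and the refusal of non-CERTIFICATE blocks is a check added by the example so that private key material does not end up in a trusted certificate's "content".

```python
import base64
import json
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def pem_labels(pem_text):
    """Return the label of every PEM block, checking each body is valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(pem_text):
        base64.b64decode("".join(body.split()), validate=True)  # raises on a corrupt body
        labels.append(label)
    return labels

def trusted_cert_entry(name, pem_text):
    """Build the CREATE entry for a trusted server certificate (steps 1 to 3)."""
    labels = pem_labels(pem_text)
    if not labels or any(label != "CERTIFICATE" for label in labels):
        raise ValueError(f"expected only CERTIFICATE blocks, found {labels}")
    # Same result as: cat file | base64 | awk 'BEGIN{ORS="";} {print}'
    content = base64.b64encode(pem_text.encode("ascii")).decode("ascii")
    return {
        "type": "certificates",
        "operation": "CREATE",
        "payload": {"name": name, "category": "trusted_server", "content": content},
    }

def decode_content(entry):
    """Reverse direction for review: list the PEM blocks inside an entry's content."""
    pem = base64.b64decode(entry["payload"]["content"], validate=True).decode("ascii")
    return pem_labels(pem)

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder bytes, not a real certificate").decode("ascii")
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    entry = trusted_cert_entry("trusted_cert", SAMPLE_PEM)
    print(json.dumps(entry, indent=4))
    print(decode_content(entry))
```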

    You can follow the same steps described above for uploading certificates or trusted certificates.

    1. Create certificates
    2. Upload certificate
    3. Upload trusted certificate.
    4. Upload trusted server certificates.
    {
        "config": [{
                "type": "certificates",
                "operation": "CREATE",
                "payload": {
                    "name": "create_certificate",
                    "allow_private_key_export": "Yes",
                    "city": "Bengalore",
                    "common_name": "test45.com",
                    "country_code": "IN",
                    "key_size": "2048",
                    "key_type": "rsa",
                    "organization_name": "Barracuda.com",
                    "organization_unit": "operations",
                    "state": "Karnataka"
                }
            },
            {
                "type": "certificates",
                "operation": "CREATE",
                "payload": {
                    "name": "trusted_certificate",
                    "category": "trusted_server",
                    "content": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lKQU9NKyttcnZl...."
                }
            },
            {
                "type": "certificates",
                "operation": "CREATE",
                "payload": {
                    "name": "signed-certificate-1",
                    "category": "signed",
                    "signed_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVrakNDQW5vQ0FXVX...",
                    "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBclVFYlB0OVZ...",
                    "intermediary_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVuVENDQTRVQ0NRQz...",
                    "type": "pem",
                    "key_type": "rsa",
                    "allow_private_key_export": "Yes",
                    "assign_associated_key": "no",
                    "password": "abcd"
                }
            },
            {
                "type": "certificates",
                "operation": "CREATE",
                "payload": {
                    "name": "signed-certificate-2",
                    "category": "signed",
                    "signed_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUl...",
                    "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ0KTUlJRW93SUJBQUtDQVFFQXJt...",
                    "intermediary_certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGdkRDQ0E2U2dBd0lCQWdJQ0VBQXdEUVlKS29aSWh2Y05BUUVM...",
                    "type": "pem",
                    "key_type": "rsa",
                    "allow_private_key_export": "Yes",
                    "assign_associated_key": "no"
                }
            }
        ]
    }