What's New in the Barracuda Web Application Firewall

What's new in version 12.3 Cloud

Features:

  • VMSS - Added support for creating custom Barracuda Web Application Firewall images on Azure that can be used for the VMSS stack deployment.

  • AMA Integration - The Barracuda Web Application Firewall now supports integration with the Azure Monitor Agent (AMA), enabling secure and efficient log forwarding to Azure Log Analytics and ensuring compatibility with Azure’s latest monitoring architecture. 

Enhancements:

  • The Barracuda Web Application Firewall now supports Flexible Orchestration modes with Virtual Networks (VNet) in other resource groups. [BNWF-54560]

  • Support for TLS versions 1.0 and 1.1 has been disabled for WebConsConf to ensure compliance with modern encryption standards. [BNWF-57052]

  • The Marketplace template has been revised to support changes related to Azure Public IP SKU. [BNWF-57602]

For detailed information on fixes and enhancements, see Release Notes Version 12.3 Cloud.

What's new in version 12.3

Enhancements:

Monitoring and Logging

  • Syslog now shows whether a scheduled report was sent successfully. [BNWF-57017]

  • Added a new field "Error Details" to the Access Log. This field will be visible only for 408 errors and includes details about the error. [BNWF-57268]

  • SSL errors encountered during backend server connections are now logged under "Error Details" with the 408 error code. [BNWF-57172]

Security 

  • Added SHA-256 for authentication and AES-256 for encryption to enhance the security of SNMP queries. [BNWF-55742]

  • Two new Gen AI bot categories (Gen AI (Language Model) and Gen AI (Conversational Agent)) have been added as predefined BOT Categories in the Blocked Categories list. [BNWF-57681]

  • When Fingerprinting is enabled, requests using the OPTIONS method without a fingerprint cookie are no longer counted towards Fingerprint Challenges Exceeded. [BNWF-57060]

Geo IP

  • "South Sudan" and "Kosovo" have been added to the Geo IP regions list. [BNWF-57712]

Fingerprinting

  • When the Client Type is Exception Profiling, the audit log’s Details page now displays “System” as the Role, indicating that the Barracuda WAF made the changes. [BNWF-55672]

API and Integration

  • The Import API now supports dynamic multi-token endpoints during Swagger/OpenAPI specification imports. Endpoints with multiple path parameters (e.g., /user/{id}/orders/{orderId}) defined in the spec file will be accurately recognized and imported. [BNWF-56350]

  • AWS tools have been integrated to enable the export of memory metrics to CloudWatch. [BNWF-56453]

  • Improved stability and reliability of the API specification import feature, addressing various edge cases and enhancing overall compatibility. [BNWF-56448] [BNWF-56839] [BNWF-57312] [BNWF-57342]
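
To illustrate the multi-parameter endpoint handling described in the Import API item above, here is an added example (not Barracuda code) that compiles OpenAPI path templates into strict matchers for a positive security model. The function names and the sample paths are constructed for illustration.

```python
import re

# Constructed sample: the "paths" section of an OpenAPI document, reduced to
# template -> allowed methods. Not taken from any real specification.
SAMPLE_PATHS = {
    "/health": ["get"],
    "/user/{id}": ["get"],
    "/user/{id}/orders": ["get", "post"],
    "/user/{id}/orders/{orderId}": ["get", "delete"],
}

# One {name} token; a name may not contain braces or a slash.
_PARAM = re.compile(r"\{([^{}/]+)\}")


def compile_template(template):
    """Return (compiled regex, parameter names) for one OpenAPI path template."""
    names, parts, pos = [], [], 0
    for m in _PARAM.finditer(template):
        literal = template[pos:m.start()]
        if "{" in literal or "}" in literal:
            raise ValueError(f"malformed template: {template!r}")
        name = m.group(1)
        if name in names:
            raise ValueError(f"duplicate parameter {name!r} in {template!r}")
        names.append(name)
        parts.append(re.escape(literal))
        # A path parameter covers exactly one non-empty segment, so it can
        # never swallow a "/" and reach into a deeper endpoint.
        parts.append("([^/]+)")
        pos = m.end()
    tail = template[pos:]
    if "{" in tail or "}" in tail:
        raise ValueError(f"malformed template: {template!r}")
    parts.append(re.escape(tail))
    return re.compile("".join(parts)), names


def build_allowlist(paths):
    """Compile every template and keep the methods declared for it."""
    entries = []
    for template, methods in paths.items():
        regex, names = compile_template(template)
        entries.append((template, regex, names, {m.upper() for m in methods}))
    # Fewer parameters first, so a concrete path wins over a templated one.
    entries.sort(key=lambda entry: len(entry[2]))
    return entries


def match_request(allowlist, method, path):
    """Return (template, params) for a declared endpoint, or None to reject."""
    for template, regex, names, methods in allowlist:
        m = regex.fullmatch(path)  # whole path must match, no prefix matches
        if m is None or method.upper() not in methods:
            continue
        return template, dict(zip(names, m.groups()))
    return None


if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_PATHS)
    for method, path in [
        ("GET", "/user/42/orders/7"),
        ("PUT", "/user/42/orders/7"),
        ("GET", "/user/42/orders/7/extra"),
    ]:
        print(method, path, "->", match_request(allowlist, method, path))
```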

Performance Optimization

  • SSL/TLS connections are now handled more efficiently, leading to better overall application responsiveness and reduced latency. [BNWF-56678]

For detailed information on fixes and enhancements, see Release Notes Version 12.3.

What's new in version 12.2

Features and Enhancements:

Cloud

  • Public Cloud Rebranding – WAF images on all supported public cloud platforms have been rebranded as "Web Application Firewall" (previously referred to as "CloudGen WAF"). Users can now use the rebranded name to navigate a marketplace and can opt for the required license types.

Advanced Bot Protection

  • Client Fingerprint Cookies:

    • The system will be able to detect and block any tampering of the Client Fingerprint cookie.

    • Administrators can now enable the Fingerprint cookie mechanism for all services that serve the subdomains of the domain of the service. Note that this is enforced only when Enable Client Fingerprint is also set to Yes.

  • Geo IP Region List: The IP regions list has been updated to include Kosovo and Curaçao and can be utilized to create geo-policies.

Security

  • TLS Defaults as Best Practice:

    • In efforts to maintain security best practices, TLS 1.3 is now enabled by default for new servers and rule group servers.

    • In efforts to maintain security best practices, TLS 1.1 is now disabled by default for new SSL services, servers, and rule group servers.

  • Virus Scan and MimeType Checks Support for Raw File Upload 

    • Files uploaded through application/octet-stream using POST methods are now subjected to virus scanning and MimeType checks. 

    • Files uploaded through multipart/form-data and application/octet-stream using the PUT method are subjected to virus scanning and MimeType checks.

    • Files uploaded as multipart/form-data using PUT also go through BATD scans.

System

  • OpenSSL Version: The firmware has been updated to OpenSSL version 3.0.9, which is an LTS version.

API Security

  • JSON Profiles

    • JSON profile REST API now supports strict-check, extended-match-sequence, and extended-match parameters.

    • JSON URL profile now supports Allowed Methods.

    • JSON key profile "MAX Length" can now support up to 256k of data.

    • The hash (#) character is allowed in JSON key names.

  • JSON Profile Extended Match

    • When a new service is created, the default match uses a wildcard (*) to match with the incoming requests.

For detailed information on fixes and enhancements, see Release Notes Version 12.2.

What's new in version 12.1

Features and Enhancements:

  • Logs and Reports

    • All log pages (Web Firewall Logs, Access Logs, Audit Logs, Network Firewall Logs, and System Logs) now provide the following:

      • Import/Export Filters – Ability to import or export predefined log filters into or from different Barracuda WAF units.

      • Filter on Load – Ability to set a saved filter as a default filter that loads every time you visit a log page.

      • “Saved” and “Custom” filter options.

      • Factory-shipped log filters.

    • URL profile and ACL summary reports now display learned URLs depending on the user's preference.

  • Advanced Bot Protection

    • Bot Identifier – Ability to add a bot to the Allow list either from the bot dictionary provided by the Barracuda Advanced Threat Intelligence (ATI) service or a custom bot signature.

    • Added support for hCaptcha to protect websites from spam and other types of automated abuse, such as bots.

    • Bot Library integration for allowed bots – Ability to create new allowed bots from the predefined list of bots provided by ATI services.

    • Ability to add custom bots based on certain ASNs as Identifier.

  • Time-based rules – Ability to create time-based policies to apply the rules on the service traffic for a specific period. You can define the start and end time for the rules (content rules, URL ADRs), and they are effective only during the specified time range.

  • Account Take Over Protection – Login failures for servers responding with 200 OK response code and error message in the response page can now be detected based on the response data. The Auth Response Identifier in the Brute Force policy should be configured to enable this capability. 

  • Redirect Service – Virtual services with service type as “Redirect Service” can be set to redirect traffic permanently (based on response code 301) or temporarily (based on response code 302).

  • Security

    • It is now possible to allow traffic from ASNs specified in the IP Reputation policy. 

    • CAPTCHA policy does not enforce the CAPTCHA challenge if the service is configured in Passive mode. 

    • Extended Match Enhancement: The element type “SSL-Version” in extended match expressions can be configured to match the value of TLSv1.3. 

  • System

    • OpenSSL has now been upgraded to version 1.1.1q. 

    • Password change for the Administrator login is now mandatory after the firmware upgrade if the default password is used for login. It also changes the console password if the default password is used.

For detailed information on fixes and enhancements, see Release Notes Version 12.1.

What's new in version 12.0

Features:

  • Client-Side Protection

    • Configure and fine-tune CSP policy from the ATI dashboard – The Barracuda WAF now provides granular control to fine-tune and configure the CSP policies. The ATI dashboard now has integrated configurable elements for improved visibility and control over CSP policy violations.

  • Security and Access Control

    • Cross-Origin Resource Sharing (CORS) - The Barracuda WAF now provides support to enable the Cross-Origin Resource Sharing option for back-end applications. Cross-Origin Resource Sharing (CORS) is an HTTP header-based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

    • OpenID Authentication for selected users – Barracuda Web Application Firewall administrators can now configure "Allowed Users" and enable access to the web application only to the specified users.

    • Block requests based on ASN - The Barracuda WAF now allows users to block requests based on their Autonomous System Numbers (ASN). You can configure ASNs at the application layer IP Reputation and block the request originating from those ASNs.

  • System Management

    • Stable and Secure Management Web Server - The management web server has been upgraded to the latest stable version to address multiple security vulnerabilities.

    • Role-based Administration for ATI dashboard - The Barracuda WAF now gives administrators the option to grant role-based administration access to perform the configuration actions on the ATI dashboard.

    • Attack Graphs - The Barracuda WAF can now show/hide all attack graphs with a single click. This gives a compact and flexible viewing area on the dashboard.

    • Filter logs based on attack type – Now administrators have an option to filter the logs based on the selected attack type. This helps administrators to perform security audits of the attack logs based on the selected attack type.

  • API Security

    • Automatic discovery for API endpoints and structure learning – Automatic API discovery provides automated discovery of the API endpoints and thereby assists in learning the API structure and facilitates the configuring of API security. The feature is available for systems with an active ATI subscription.

    • GraphQL API Integration - The Barracuda WAF now provides native parsing, security, and delivery of applications with GraphQL APIs. GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data.

  • Account Takeover Protection

    • Account profiling – This feature has been integrated as part of the Privileged account protection feature set. Account profiling helps in creating a profile of the respective account based on various parameters, and helps administrators to define binding policies.

Enhancements:

  • The SameSite attribute can now be configured from the Cookie Security page. By default, this attribute will not be added by the WAF. It can be configured later as Lax, Strict, or None.

  • Addition to IP Reputation Geo pool - “Gibraltar” has been added to the country list in the IP Reputation Geo Pool.

  • Improved Fingerprint risk score computation – The Barracuda Web Application Firewall now provides the improved fingerprint risk-score computation to ensure that the Barracuda WAF is not blocking upstream load balancers in cloud deployments.

  • Option to export country code – Barracuda Web Application Firewall administrators can now export country code information to the syslog servers. This helps in security audits based on the country code.

  • An expandable menu has been added for Notices and Warnings – The Barracuda WAF now updates users with the system-generated Notices or Warnings in the expandable menu for improved visibility. Users can expand and collapse options to view and hide the list of notices/warnings on their WAF GUI.

  • Internal Attack Patterns – Administrators can now configure the internal attack patterns with the help of REST API v3.x framework.

  • Request/Response rewrite rules - The Barracuda Web Application Firewall now ensures that, in a request/response rewrite rule, headers that appear multiple times and match the criterion are honored, and all the corresponding headers are modified.

What's new in version 11.0.1

Feature:

  • Client Profile Validation allows you to configure client IP addresses and IP address ranges that need to be exempted from the risk score validation.

Enhancements:

  • Web Scraping now uses Advanced Threat Intelligence (ATI) for improved client classification and provides many more bot categories.

  • Client Fingerprint mechanism has been upgraded to support a wider range of applications.

  • Exception Learning now supports learning from IPv6 trusted hosts as well.

  • CAPTCHA Validation is now enforced at the level of application session to avoid problems for clients coming from NAT’ed IP addresses. Only the sessions that solve the CAPTCHA are allowed to access the requested resources. Other clients that have not solved the CAPTCHA but may be coming from the same IP address will continue to be challenged or will be blocked.

  • Scheduling Reports now support multiple filtering criteria based on the type of reports similar to the UI behavior.

  • Certificates for SAML Single Sign-On can now be created or uploaded on the ADVANCED > Admin Access Control page.

  • Multiple Barracuda Threat Intelligence Service (BTIS) enhancements for improving the efficacy of the Bot Protection service (offered as a subscription to customers).

  • Internal processes have been optimized to improve the system performance, especially for single-core instances.

For detailed information on fixes and enhancements, see Release Notes Version 11.0.1.

What's new in version 11.0

Features

  • Client-Side Protection

    • Content Security Policy is used to control the behavior of the client’s browser. A full-featured wizard supporting all CSP directives enables administrators to control the resources that can be loaded in the client’s browsers and direct the behavior of the various elements, tags, and other aspects of the web pages within the client’s browser. Directives such as frame-ancestors help in protecting against clickjacking attacks.

    • Sub Resource Integrity is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation. This protects the applications from supply chain attacks that may be targeted at resources such as JavaScript, images, and other content loaded from third-party servers.

    • These capabilities can be deployed in Report Only mode or in Block mode. In the Report Only mode, all the violations of the policies are reported to the Barracuda Threat Intelligence Service and can be viewed using the Barracuda Threat Intelligence Service dashboard.

  • Advanced Bot Protection

    • Barracuda Advanced Bot Protection capabilities have been protecting many of our customers against many types of automated attacks. Barracuda Networks continues to enhance the capabilities to detect and protect against automated attacks.

    • Credential Stuffing attack protection has been enhanced to support applications that communicate credentials via JSON / AJAX requests or HTTP Basic Authentication mechanisms.

    • Brute Force Policy can now be triggered by matching a set of text patterns in the HTTP response body.

  • Security and Access Control

    • JWT Validation: JSON Web Tokens (JWT) are a common mechanism for representing claims securely, especially in the context of APIs. With version 11.0, the Barracuda Web Application Firewall adds support for validating JWT tokens issued by the authorization server.

    • Web Socket Security: Traffic on WebSocket can now be inspected for protocol violation and other exploits by the WebSocket Security feature on the Barracuda Web Application Firewall. Administrators can configure the WebSocket Security profile by navigating to WEBSITES > WebSocket Security.

    • Tarpit: Suspicious clients can be tarpitted (slowed down) for a time interval configurable from the UI.

    • Single Log Out (SLO) support for SAML: SAML for Access Control has been enhanced to support SLO where the logout response for any of the participating applications resident on the WAF will send a logout command to all participating SSO applications.

  • Traffic Management

    • HTTP/2: With this release, the Barracuda Web Application Firewall adds support for HTTP/2 for WAF-to-server communication in addition to the client-to-WAF communication that has been supported from earlier releases.

    • Direct Server Return: The Barracuda Web Application Firewall service can now be configured behind a load balancer service with Direct Server Return. This capability is used in rare scenarios where traffic from the server must be bypassed due to application considerations. This requires changes on the web server as well.

    • IP Address from TCP Options (additional CDN Support): In many cases where the Barracuda WAF is deployed behind a CDN, the actual IP address of the client is encapsulated in the TCP Options field by the CDN infrastructure. The Barracuda Web Application Firewall supports reading of client IP and port from the TCP Options Address field.

  • System Management

    • Auto Configuration Engine: Customers with a Barracuda Advanced Bot Protection license can now use the statistical- and machine-learning enabled configuration recommendation engine. This engine analyzes traffic patterns to recommend configurations that would make the existing deployments more secure.

    • SAML for Role Based Administration: All user identity stores that support SAML, such as Azure AD or Microsoft AD/FS, can be integrated with the Barracuda Web Application Firewall to enable Role Based Administration for the WAF administration. [BNWF-32912]

    • Alien Vault SIEM is now supported as an external Syslog server by the Barracuda Web Application Firewall.

    • API Enhancements: REST API v3.x now supports performing IP reputation lookups.
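
The Sub Resource Integrity item under Client-Side Protection above relies on the browser comparing a fetched resource against a digest carried in the `integrity` attribute. The following added example (not Barracuda code) shows how that value is produced and how the comparison behaves when several digests are listed; the sample script bytes and function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Hash algorithms accepted in an integrity value, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample resource and a modified copy, standing in for a
# third-party script before and after an unexpected change.
ORIGINAL = b"function track(e){send('/metrics',e.type)}\n"
TAMPERED = ORIGINAL + b"/* modified after the digest was published */\n"


def sri_digest(data, algorithm="sha384"):
    """Build the integrity attribute value for a resource body."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity):
    """Return {algorithm: [digest bytes, ...]} for the usable tokens."""
    parsed = {}
    for token in integrity.split():
        expression = token.split("?", 1)[0]  # drop optional "?options"
        algorithm, sep, encoded = expression.partition("-")
        if not sep or algorithm not in ALGORITHMS:
            continue  # unknown algorithms are ignored, not treated as errors
        try:
            digest = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue
        parsed.setdefault(algorithm, []).append(digest)
    return parsed


def verify_sri(data, integrity):
    """Mirror the browser check: compare against the strongest algorithm only."""
    parsed = parse_integrity(integrity)
    if not parsed:
        # No usable metadata means no integrity check is applied at all, so
        # an attribute with only unknown or malformed tokens protects nothing.
        return True
    strongest = max(parsed, key=ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, expected)
               for expected in parsed[strongest])


if __name__ == "__main__":
    value = sri_digest(ORIGINAL)
    print('<script src="..." integrity="%s" crossorigin="anonymous">' % value)
    print("original passes:", verify_sri(ORIGINAL, value))
    print("tampered passes:", verify_sri(TAMPERED, value))
```

Because only the strongest listed algorithm is compared, a stale digest under a stronger algorithm blocks the resource even when a weaker digest in the same attribute still matches.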

What’s new in version 10.1.1 Cloud

Features
  • Azure IPv6 Support - The Barracuda CloudGen WAF now supports the Azure IPv6 feature.

  • Azure Sentinel Support - Added a Barracuda CloudGen WAF template for Azure Sentinel Workbooks.

  • Azure Managed Identities - The Barracuda CloudGen WAF is now integrated with the Azure Managed identities for secure authentication.

  • JSON formatted configuration file enhancement: Configuration files in JSON format can now be restored on WAF units that are part of a High Availability configuration.

What’s new in version 10.1.1

Features
  • Integration of Gemalto SafeNet Luna Network HSM device in HA - The Barracuda Web Application Firewall provides support to integrate with two Gemalto SafeNet Luna Network HSMs in High Availability (HA) mode.

  • Migration of Let's Encrypt to use v2. The WAF features are now NOT dependent on v1, for which support was stopped in July 2020.

  • UI Revamp for the 'NETWORKS', 'SECURITY POLICIES' and 'ACCESS CONTROL' tabs. Tabs have been enhanced to provide an improved UI appearance and experience.

  • ECDSA certificate during application onboarding - Support for configuring only an ECDSA certificate for HTTPS service is provided, moving away from the mandatory RSA certificates.

  • Augmented logging with Content Rule details - If the server is part of any Content Rule, that rule's name is displayed in the email notification to identify which server is down.

Enhancements
  • Barracuda Threat Intelligence Service (BTIS) enhancements for data ingestion (Internal).

  • The InputTable widget has been enhanced to provide the ability to add multiple fields in headers, leading to a much better UI experience.

  • Enhanced UI integration to display the configuration fields related to SSL/TLS Quick Settings for applications.

  • Ability to read and remove an IP from the Client-IP Blocklist using REST API.

What’s new in version 10.1 Cloud

  • Azure PAYG WAF integration with METTLE - Mettle integration with the Barracuda Web Application Firewall allows customers to add or remove the Barracuda Add-Ons subscription. Charges are based on consumption, so customers can subscribe to or unsubscribe from the Barracuda WAF Add-Ons subscription on the fly.

  • Syslog to AWS CloudWatch - The integration of CloudWatch with the Barracuda Web Application Firewall provides data and actionable insights to monitor WAF applications. With CloudWatch, you can collect and access all your performance and operational data in the form of logs and metrics.

  • Google API Discovery – The API Discovery module is enhanced to support new API specification rules.

What’s new in version 10.1

New features in Advanced Bot Protection
  • Advanced Analytics Dashboard* : Customers with the ABP subscription now have access to the new Advanced Analytics Dashboard. This dashboard can be accessed by clicking the link available in the Bot Statistics widget on the WAF Dashboard. The Advanced Analytics Dashboard is driven by the data sent to the Barracuda Threat Intelligence Service (BTIS) by your WAF units. It provides a deep dive into traffic patterns and client behavior. The dashboard is hosted on the Barracuda cloud and is regularly updated with new reports.

  • New Cloud Machine Learning Models and Integration with the Infisecure Bot Engine* : Last year, Barracuda acquired Infisecure, a leading bot mitigation provider. In this release, Infisecure's bot engine has been incorporated into the ABP Cloud Machine Learning tool. Additionally, the Machine Learning layer has been updated with newer models and updated static rules for better detection.

  • Credential Spraying Detection* : The Account Takeover protection is updated to support credential spraying detection, in addition to credential stuffing detection. With credential stuffing, the Barracuda Web Application Firewall identifies the attack only if the username+password pair is exactly available in our database. With Credential Spraying detection, the Barracuda Web Application Firewall detects when any of these credentials are part of the database. Customers can choose the method they wish to use based on their threat perception.
    The cloud-based Credential database has also been updated with multiple new data breach dumps.

  • Tarpit as a Follow-up Action : Customers can now choose to Tarpit a client as a follow-up action. Tarpitting puts the client on a queue that is slowed down for a defined period. This is especially useful when defending APIs where other methods like CAPTCHA cannot be used.

  • UI Upgrade : The ABP UI on the Barracuda WAF has been updated for better performance and usability.

  • CAPTCHA State export in Access Logs : The Access logs now have a new macro to export the CAPTCHA state. If a client is issued a CAPTCHA, their response is now available in the logs.
    Features marked with * require the Advanced Bot Protection add-on subscription.

  • OCSP Stapling Support : The Barracuda WAF now supports OCSP stapling.

  • OpenID Connect Support : The Barracuda WAF now supports OpenID Connect for authentication. Customers can use this to offload OIDC authentication against any OAuth authorization service.

Enhancements
  • Support for reCAPTCHAv3 : The Barracuda WAF now supports integration with reCAPTCHAv3, in addition to reCAPTCHAv2. 

  • New page for Risk Scores : The risk scores for various action policies have now been moved from the Action Policy > Edit to a new page under the Security Policies tab.

  • Quick SSL Settings : You can now quickly configure specific combinations of SSL/TLS protocols and ciphers using the SSL/TLS Quick Settings drop-down list provided in the BASIC > Services > Edit Service menu. Currently, Barracuda supports three presets from the Mozilla Server Side Security list. Selecting a preset automatically selects the relevant TLS/SSL versions and the associated ciphers.

  • SameSite Cookie Support : The SameSite cookie attribute is now honored like other cookie attributes.

  • Reporting :

    • Certificate reports now show the associated services and SNI domains for ECDSA services.

    • The 'Attacks by Category' report has been enhanced to show a stacked graph for better readability and interpretation.

    • The Top Attacking Region/Country report now shows the world map with the geographical data.

What’s new in version 10.0.1 Cloud

  • Multiple IP Address(es) Support for Amazon Web Services: The Barracuda CloudGen WAF on AWS can now be used with multiple IP addresses, either manually or automatically. During service creation, the admin can choose to either manually enter a new IP address from the AWS console, or ask the Barracuda CloudGen WAF to automatically get one using the AWS APIs. Note: This feature does not work with autoscaling at this time. HA and clustering will work with manual IP assignment.

  • SR-IOV/ENA support: In AWS, the Barracuda CloudGen WAF can now be deployed on instance types supporting ENA/SR-IOV.

  • Support for new Instance Types on AWS: The Barracuda CloudGen WAF on AWS now supports an extensive list of t., m., and c. instances on AWS. The full list is available at: https://campus.barracuda.com/doc/28967064/

  • OpenStack Autoscaling: Barracuda Web Application Firewall Vx now supports autoscaling on OpenStack.

  • Backup Restore: It is now possible to restore all backup files stored in the cloud for a particular Barracuda CloudGen WAF on AWS or Azure (as determined by serial number). To access and restore from a backup file stored in the cloud that was created from a different system, please contact Barracuda Networks Technical Support for assistance.

  • API Discovery with OpenAPI Spec Import: It is now possible to discover OpenAPI applications and automatically configure the JSON firewall protection with the Barracuda CloudGen WAF.

  • Disaster Recovery for Multi-IP instances on Azure & AWS: In earlier releases, if a backup that contained multi-IP configurations on Azure was uploaded to a new instance, it would use the older IPs and require IP reconfiguration. With this new feature, this can be done automatically by the admin by clicking on “Multi IPs Refresh” on the Services page. This works only on non-clustered units at this time.

What’s new in version 10.0.1

  • Client Profile: Enables the creation and validation of all client profiles (client fingerprints).

  • Advanced Client Analysis: Once subscribed to the Advanced Bot Mitigation service, the Barracuda WAF can be configured to send HTTP requests and response metadata to the Barracuda Application Intelligence Network (AIN). This data is used to analyze client behavior, and detect and block advanced bots/attackers.

  • Client Risk scores: Metadata from each request and response is sent to the cloud-based Barracuda Application Intelligence Network. This information is analyzed for each session, and the risk of the client is computed based on the traffic and client’s behavioral characteristics. The score is used to identify the client as a good bot/bad bot, a good user, or an attacker.

  • Action Policies: New action policies have been added.

  • UI Enhancements

    • The SECURITY POLICIES > Action Policy > Locked Out Clients page is enhanced to display client fingerprints of the locked-out clients.

    • The SECURITY POLICIES > Action Policy > Clear Locked Out Clients page is enhanced to allow the administrator to unblock client fingerprint(s) that are blocked by the Barracuda Web Application Firewall.

  • Deprecated Feature

    • The Secure Browsing tab has been moved from the Websites to the Advanced tab. The Secure Browsing tab is visible ONLY if Enable Secure Browsing is enabled. Secure Browsing feature will be removed from the product in a later release.

What’s new in version 10.0

Advanced Bot Protection

Provides our customers with the ability to effectively defend against bots, crawlers, and automated attacks.

Some features require an additional subscription. The extended trial is available. Please contact your sales team now.

Advanced Bot Protection is a suite of features that include:

  • Client Tracking and Rating

    • Active and Passive Client Fingerprinting to identify clients down to a browser. This means that blocking can be done at browser level rather than IP address, making the block more effective.

    • Integration with third-party feeds to identify and block bots.

    • Computation of risk scores for each request based on detected violations.

  • Credential Stuffing Detection and Brute Force Protection enhancements

    • Credential Stuffing detection: Detection of credential stuffing attacks using Advanced Bot Protection Cloud service. This uses a large database of previously leaked credentials to verify and block credential attacks.

    • Brute Force enhancements: Enforcement of Brute Force policies based on a client fingerprint.

  • Protection Mechanisms

    • Comment Spam / Referrer Spam detection: Inspection of links sent in HTML Form parameters (as POST requests) or injected in HTTP Referer headers.

    • Google reCAPTCHA: Enhanced client validation using Google reCAPTCHAv2.

  • New Reports and Dashboard enhancements

    • Bot traffic Analysis

    • Top Good or Bad Bots

    • Bots by Categories

    • Captcha Summary Report

    • Bot Spam

    • Credential Stuffing Trends

  • Cloud layer for advanced analysis [Requires subscription – extended trial available]

    • Provides credential stuffing protection.

    • Client Fingerprint analysis.

    • Lookup services for Client Fingerprints and Credentials.

  • SSL enhancements - Support for TLSv1.3 for both service side SSL and server-side SSL.

  • Usability enhancements

    • Enhancements to the certificate page to support multiple thousands of certificates and their management.

    • Enhancements to the logging to show expired certificates.

    • Enhancement to the UI by introducing the “Bot Mitigation” tab for all the configurations related to Advanced Bot Protection.

  • Throughput usage data collection - Support for tracking WAF throughput usage statistics when connected to WAF Control Center v2.3.

What’s new in version 9.2.1 Cloud

  • Config JSON checkpoints: Provide administrators with a human-readable configuration file. These are JSON-formatted files that can be modified and downloaded from the Barracuda WAF. They can also be stored in a version-controlled repository, such as Git or CVS.

  • Generating a signed certificate using Let’s Encrypt: Barracuda WAF now provides integration with Let’s Encrypt to generate, sign, install, and renew certificates for domain names bound with applications protected by the Barracuda Web Application Firewall.

  • Enabling Telemetry Data: Users can now select the type of data that they intend to send to Barracuda Networks. By enabling telemetry, users define the type of data that the WAF should collect and share with Barracuda Networks.

  • Barracuda WAF Deployment on OpenStack: Barracuda WAF can now be deployed on OpenStack as a virtual machine to protect applications running on OpenStack as well as externally.

  • UI Enhancements in System Configuration: The fields in the ADVANCED > System Configuration > Advanced section are reorganized into groups for better user experience.

What’s new in version 9.2 Cloud

  • JSON File-Based Configuration Management (AWS and Azure): Teams utilizing infrastructure-as-code process can integrate Barracuda CloudGen WAF into their infrastructure definitions using JSON snippets. This simplifies the overall configuration management of Barracuda CloudGen WAF and makes it easy to organize and maintain as it can be used for versioning, reviewing, and auditing.

  • Slack Integration (All Models): Barracuda CloudGen WAF is now able to push WAF alerts and notifications to the configured Slack channel.

  • WCC + WAF Integration (AWS): Using the CloudFormation template, administrators can direct the Barracuda CloudGen WAF to automatically join the Barracuda WAF Control Center (WCC) in autoscaling environments.

  • Consolidated ARM Templates (Azure): Multiple existing non-VMSS marketplace templates have been merged into a single template. Two existing VMSS marketplace templates have also been merged into a single template.

  • CloudGen WAF Rebranding: All the public cloud WAF VMs will be rebranded to CloudGen WAF.

What’s new in version 9.2

  • Integration with the Gemalto SafeNet Luna Network HSM: With Firmware 9.2, the Barracuda Web Application Firewall now integrates with Gemalto SafeNet Luna Network HSMs for added security in SSL/TLS transactions. The Gemalto SafeNet Luna HSM is a hardened physical device that stores all SSL/TLS certificates in tamper-proof hardware for additional security. All hardware and virtual WAF models 660 and above will support this integration.

  • Integration with the Barracuda Reporting Server: The Barracuda Reporting Server is a purpose-built hardware appliance that rapidly generates reports while maintaining or improving accuracy of the reporting data. With this release, the Barracuda WAF and CloudGen WAF product lines integrate with the Barracuda Reporting Server to provide centralized log storage and reporting.

  • Role-Based Access Control for REST APIv3: In Firmware 9.1, the revamped REST APIv3 for management and control of the Barracuda WAF and CloudGen WAF product lines was launched. In this release, granular and comprehensive role-based access control capabilities for the REST APIv3 have been added. With these features, you can now fully control administrative access to various API calls, and integrate this with access control systems.

  • Two-Factor Authentication for Administrator Access and Role-Based Access Control Enhancements: It is now possible to configure Two-Factor Authentication for admin UI access. This includes integrations with RADIUS/LDAP based systems, RSA SecurID, and SMS passcodes. Role-based access control settings are more granular, with all operations on the web interface having READ/WRITE permission toggles and WRITE being the default permission.

  • Networking Enhancements: In earlier firmware releases, it was not possible to include the WAN interface (eth0) as part of a link bond. This restriction is now removed, and eth0 can be part of the bond.

  • Enhancements for Virtual Instances: Virtual Barracuda WAF units now support multi-ports (86x and 96x) and 10GigabitEthernet interfaces (96x) where the hypervisor supports these capabilities.

  • Enhancements for GDPR Compliance: To ensure compliance with the European Union’s General Data Protection Regulation (GDPR), two new capabilities, Log Encryption and Problem Report Encryption, have been introduced. Enabling these features requires turning on the GDPR Compliance toggle in System preferences. When this capability is turned on, a passphrase should be configured. This passphrase is then used to encrypt all logs and problem reports that are generated from the unit.

  • New Application Templates for Drupal and Joomla: New application templates for creating and configuring security policies for Drupal and Joomla are now available. These templates can be used to easily create a new service using the configuration wizard. They contain security rules specific to each web application.

What's New in Version 9.1 Video

Watch this video for an overview of new features in version 9.1. These features are also described in the sections below.

What's New in Version 9.1 Cloud

  • Support for Virtual Machine Scale Sets and Bootstrapping on Microsoft Azure: The Barracuda Web Application Firewall on Azure can now be deployed in an Azure Virtual Machine Scale Set (VMSS) for dynamic scaling. With the VMSS integration, the Barracuda Web Application Firewall can be configured to bootstrap based on a service configuration defined in the ARM template at launch. Alternatively, an existing configuration backup can be placed in an Azure Blob, and the Barracuda Web Application Firewall VMSS instances can bootstrap from this configuration. This capability is available only for hourly models at this time. The ARM template for deploying the Barracuda Web Application Firewall is available on the Azure Marketplace at this time.

  • Support for configuration backup to Azure Blob Storage: It is now possible to export configuration backups to Azure Blob Storage. This is possible with both manual backups and scheduled backups.

What's New in Version 9.1