File-Based Configuration Management for Barracuda Web Application Firewall
Overview
The software management life cycle has changed drastically with the advent of public cloud platforms and DevOps environments. System administrators now need an easy and elegant way to dynamically configure the system to keep up with ever-changing network and security requirements.
To make the DevOps task easier for system and network administrators, the Barracuda Web Application Firewall provides a simple file-based configuration management approach.
The following are the key highlights of the file-based configuration management approach:
- Simplifies the overall configuration management on the Barracuda Web Application Firewall.
- Simple yet comprehensive and robust solution that covers all the configuration objects on the Barracuda Web Application Firewall.
- Organizes and maintains the infrastructure as code that can then be used for versioning, reviewing, and easy auditing.
- Internally, it maps directly to the comprehensive Barracuda Web Application Firewall Version 3 REST APIs.
- In Cloud Platforms, this can be seamlessly used for system bootstrapping.
This approach uses a JSON-based text configuration file to define all the configuration objects that are installed on the Barracuda Web Application Firewall.
The JSON configuration file is manually created by the administrator and is used to specify all the required configuration objects and the desired operations. The JSON file is then validated and installed on the Barracuda Web Application Firewall using the Graphical User Interface. In Cloud Platforms, the JSON file is also used for bootstrapping the system. The contents of the file are easily modified and the configuration is replicated to suit your requirements.
Using the JSON-Based Configuration File
The JSON-based configuration file can be used in the following ways:
Importing the Configuration on an Operational Barracuda WAF Instance: On a WAF that is already operational, JSON configuration files can be used to make an update to the WAF configuration. This is very similar to making a configuration change using the web interface (GUI) or through the WAF’s REST API. The JSON file import can be validated before applying the change.
Used for Bootstrapping a WAF Instance: In this case, the JSON configuration file can be used for loading the configuration into the Barracuda WAF instance when it is first provisioned. This is useful to implement a Continuous Integration (CI)/Continuous Delivery (CD) pipeline around WAF. This type of provisioning is very common in public cloud deployments where the instance is launched along with bootstrapping information.
To use the JSON configuration file in an Auto Scaling deployment of the Barracuda WAF on AWS, see Auto Scaling of Barracuda Web Application Firewall using CloudFormation Template on Amazon Web Services.
To use the JSON configuration file in VMSS deployments of the Barracuda WAF on Microsoft Azure, see Auto Scaling the Barracuda Web Application Firewall Instances in Microsoft Azure.
The Barracuda Web Application Firewall configuration file is a JSON file with one major section “Config”. It includes parameters and attributes for the overall configuration. An example of the JSON configuration file structure is shown below.
{
  "config": [
    {
      "type": "...",
      "operation": "...",
      "payload": {
        "param1": "...",
        "param2": "..."
      }
    },
    {
      "type": "...",
      "operation": "...",
      "payload": {
        "param1": "...",
        "param2": "..."
      }
    },
    .
    .
    .
  ]
}
| Attribute | Description | Example |
|---|---|---|
| Operation | Defines the actions to be performed on the configuration objects. Create, Edit and Delete are the operations supported in the Barracuda Web Application Firewall configuration management. See the table below to understand the mapping of each operation to the respective API type. | "type": "Certificates", "operation": "Create" (performs an operation of creating a certificate) |
| Type | Specifies the type of the object defined by the configuration file. | "type": "Certificates", "operation": "Create" (the type “certificates” can be created) |
| Parent (OPTIONAL) | Identifies the configuration hierarchy. | "type": "parameter-profiles", "parent": "/services/Prod_App/url-profiles/url1" (a parameter profile is configured for URL policy “url1” under services “Prod_App”) |
| Payload | Parameters that define the configuration object. Refer to example value of an object in REST API guide to know about the parameters. | "payload": { "name": "Prod_App", "type": "https", "ip-address": "bwaf::SYSTEM_IP", "port": "444", "certificate": "testcert", "group": "default", "vsite": "default", "status": "On", "address-version": "IPv4", "comments": "This is the production service for the lab" } |
Special Macros
SYSTEM_IP Macro - When SYSTEM_IP is specified for the ip-address parameter, the Barracuda Web Application Firewall automatically uses the system IP address while creating a service.
The following example payload shows the usage of the SYSTEM_IP macro while creating a service.
{
  "type": "services",
  "operation": "CREATE",
  "payload": {
    "name": "Prod_App",
    "type": "https",
    "ip-address": "bwaf::SYSTEM_IP",
    "port": "443",
    "certificate": "testcert",
    "group": "default",
    "vsite": "default",
    "status": "On",
    "address-version": "IPv4",
    "comments": "This is the production service for the lab"
  }
}
Getting started with the configuration file-based approach
The JSON Configuration file is manually created by specifying the configuration objects and operations. This file is then used while configuring Barracuda Web Application Firewall. The flowchart visualizes the steps involved in manually creating a configuration file:
The JSON file is created or edited using any text editor. You can give your configuration file any name, but Barracuda Networks recommends that you save the file with a “.json” file extension only.
The configuration objects of the JSON file are created by referring to the Barracuda Web Application Firewall REST API documentation. Perform the following steps to include the configuration objects and operations.
1. Click the Barracuda Web Application Firewall REST API documentation link to navigate to the list of APIs.
2. Select the object you intend to include in the JSON file. For example - Services, Server, and so on.
3. Select the operation you intend to perform. For example - POST. Refer to the Configuration File Anatomy section to know more about API request types that you must select to perform the operation.
4. Copy the JSON content and paste it in the configuration file.
You can perform the same steps described above to add multiple configuration objects in the JSON file.
After creating the configuration JSON file, you should validate the file by uploading it in the Barracuda Web Application Firewall user interface. The Restore WAF Configuration File section allows you to upload the JSON file for validation and for restoring the configurations.
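A pre-upload check that a review or CI job could run on the file before it reaches the WAF's own validation, as an added example that is not Barracuda's code. The function name lint_waf_config is hypothetical; the rules are taken from the structure described on this page (a top-level "config" array; type, operation and payload per entry; an optional parent path), with payload treated as required because only Parent is marked optional.

```python
import json

# Operations named on this page; compared case-insensitively because the
# page's own samples use both "Create" and "CREATE".
ALLOWED_OPS = {"create", "edit", "delete"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes from copy/paste

def lint_waf_config(text):
    """Return a list of problems found in a WAF JSON configuration file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (typographic quotes present)" if any(c in SMART_QUOTES for c in text) else ""
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}{hint}"]
    entries = doc.get("config") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        return ['top level must be an object with a "config" array']
    problems = []
    for i, entry in enumerate(entries):
        where = f"config[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: entry must be an object")
            continue
        if not isinstance(entry.get("type"), str) or not entry["type"]:
            problems.append(f'{where}: missing "type"')
        op = entry.get("operation")
        if not isinstance(op, str) or op.lower() not in ALLOWED_OPS:
            problems.append(f'{where}: "operation" must be Create, Edit or Delete')
        # Assumption: payload is required on every entry.
        if not isinstance(entry.get("payload"), dict):
            problems.append(f'{where}: "payload" must be an object')
        parent = entry.get("parent")
        if parent is not None and not (isinstance(parent, str) and parent.startswith("/")):
            problems.append(f'{where}: "parent" must be a path starting with "/"')
    return problems

# Constructed sample built from the objects shown on this page; the second
# entry carries an unsupported operation and a parent path without "/".
SAMPLE = """{"config": [
  {"type": "services", "operation": "CREATE",
   "payload": {"name": "Prod_App", "type": "https",
               "ip-address": "bwaf::SYSTEM_IP", "port": "443"}},
  {"type": "parameter-profiles", "operation": "Replace",
   "parent": "services/Prod_App/url-profiles/url1", "payload": {}}
]}"""

if __name__ == "__main__":
    for problem in lint_waf_config(SAMPLE):
        print(problem)
```

An empty result means only that the file matches the structure described here; the WAF's own validation on upload remains the authority on object types and payload parameters.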