LabGuide
Official learning material for Barracuda Campus training courses.
Table of Contents
Task 1 Connect to Environment............................................................................... 2
Task 2 Creating Allow/Deny/Redirect URL ACLs ................................................. 3
Task 3 Adaptive Profiling ........................................................................................... 6
Task 4 JSON Security .................................................................................................. 9
Task 5 Client-Side Protection ..................................................................................13
WAF0201 - Barracuda Web Application Firewall - Advanced Features
Step-by-Step Guide
1 Connect to the Admin Client
1. Open an RDP client.
2. Navigate to the Admin Client.
3. Use the following credentials to log into the system:
• Username: student
• Password: CudaL3aner!
Barracuda Campus | 2
1 Create a service
1. From the Admin Client, open Firefox, and navigate to: http://wafa.cudau.org:8000
2. Log in with the WAF credentials:
• Username: admin
• Password: CudaL3arner!
3. Navigate to BASIC > Services.
4. Create a new service with the following settings:
• Service Name: badstore
• Type: HTTP
• Virtual IP Address: <VIP1>
• Port: 80
• Real Servers: <Badstore IP>
• Create Group: No
• Service Groups: default
5. Click Add.
8. In the WAF interface, go to WEBSITES > Allow/Deny/Redirect. Notice that a new rule allowing the
Badstore PDF manual has been added.
9. In the Badstore site, access the Badstore PDF manual. This time, the manual download loads
successfully.
10. Try to access the following directories:
• /backup/
• /supplier/
Notice that these attempts at forceful browsing are now blocked by the Barracuda Web
Application Firewall.
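The checks in steps 9 and 10 are done by hand in the browser. The script below does the same verification from the command line so that the ACL set can be re-tested after every change. It is an added example, not part of the Barracuda lab guide: the host name is the one the Badstore service answers to in Task 3 (www.bigfishinc.org) and the two paths come from step 10; mapping a 2xx response to "allowed", a 3xx to "redirected" and anything else to "blocked" is an assumption, because the guide does not show the status code of the WAF block page.

```python
"""Probe the Badstore paths from Task 2 and compare the WAF's verdict with what the ACLs should do.

Added example, not part of the Barracuda lab guide. The host name comes from the
lab (the Badstore service is reached as www.bigfishinc.org in Task 3) and the two
paths from step 10; mapping a 2xx response to "allowed", a 3xx to "redirected" and
anything else to "blocked" is an assumption, since the guide does not show the
status code of the WAF block page.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

BASE_URL = "http://www.bigfishinc.org"

# (path, expected verdict) taken from the lab steps: both directories must be denied.
LAB_CASES: List[Tuple[str, str]] = [
    ("/backup/", "blocked"),
    ("/supplier/", "blocked"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return the 3xx itself instead of following it, so a Redirect ACL stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET `url` and return the HTTP status code, including 4xx/5xx block pages."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status: int) -> str:
    """Map a status code onto the three ACL actions (assumption, see module docstring)."""
    if 200 <= status < 300:
        return "allowed"
    if 300 <= status < 400:
        return "redirected"
    return "blocked"


def check_acls(base_url: str, cases: List[Tuple[str, str]],
               fetch: Callable[[str], int] = http_status) -> Dict[str, Tuple[str, str, int]]:
    """Probe every path; return {path: (expected, observed, status)} for the mismatches only."""
    mismatches: Dict[str, Tuple[str, str, int]] = {}
    for path, expected in cases:
        status = fetch(base_url.rstrip("/") + path)
        observed = verdict(status)
        if observed != expected:
            mismatches[path] = (expected, observed, status)
    return mismatches


if __name__ == "__main__":
    problems = check_acls(BASE_URL, LAB_CASES)
    for path, (expected, observed, status) in problems.items():
        print(f"{path}: expected {expected}, got {observed} (HTTP {status})")
    print("all ACL checks passed" if not problems else f"{len(problems)} mismatch(es)")
```

Run it from the Attack Client after each ACL change; an empty result means every listed path behaves as intended. The `fetch` parameter exists so the comparison logic can be exercised without a live WAF, by passing a function that returns canned status codes.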
1 Configure Adaptive Profiling
1. In the WAF web interface, go to WEBSITES > Website Profiles.
2. From the Website drop-down menu, select the Badstore service.
3. Click Start Learning. A prompt appears.
4. Click OK.
5. On the Attack Client, close all the Firefox_dev instances.
6. Open firefox_dev and navigate to: http://www.bigfishinc.org
7. This will clear any user session that you currently have on the Badstore website so that you are
seen as an unregistered user.
8. Click the first seven links in the left-hand navigational bar.
9. On the Login/Register page, register as a new user and log in.
10. While you are logged in as the new user, click the first seven links in the left-hand navigational bar
again.
it was marked as read-only because there is no interface for the user to change the value of the
variable.
6. Click Stop Learning.
7. Click OK.
1 View the available API calls on the API server
1. On the Admin Client, in Firefox navigate to http://backend.cudau.org:8080/api/petstore/1.0.0/ui.
Different HTTP methods are used for different actions: updates to pets are done with the PUT
method, state is requested with the GET method, and the POST method is used for tasks such as
uploading images or placing an order.
By default the port used to communicate with the server is port 80; it needs to be changed.
The API Discovery Wizard shows the JSON profiles that will be configured.
18. View the JSON profiles the Wizard will create for the Service.
19. Click Next.
20. Make sure the JSON profile is set to active.
21. Choose the default-policy.
22. Click Next.
23. View the summary and click Apply.
24. In the pop-up window click OK.
Applying the JSON profiles can take a few minutes.
Client profiling is disabled for this lab. Otherwise the WAF would mark requests coming
from the Insomnia API client as suspicious and challenge the client.
5. Click Send.
The WAF returns a 404 error. That should look similar to this.
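The JSON profiles created by the API Discovery Wizard bound the shape of request bodies before they reach the petstore API. The following Python is an added illustrative model of that kind of enforcement, not the lab's code and not Barracuda's implementation: it walks a parsed body and reports every nesting-depth, key-count, array-size and string-length limit a body exceeds. The limit names, their default values and the sample bodies are constructed for illustration.

```python
"""Illustrative model of the limits a JSON security profile imposes on request bodies.

Added example, not part of the lab guide and not Barracuda's implementation. The
point of a JSON profile is to bound the shape of a body (nesting depth, key and
element counts, string sizes) before it reaches the API server, so a request
that is valid JSON but abusive in size is rejected by the WAF. The limit names,
default values and the sample bodies below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Any, List


@dataclass(frozen=True)
class JsonLimits:
    max_depth: int = 8             # nested objects/arrays, root container is depth 1
    max_keys: int = 64             # keys in any single object
    max_array_elements: int = 128  # elements in any single array
    max_key_length: int = 64       # characters in a key
    max_string_length: int = 1024  # characters in a string value
    max_body_bytes: int = 65536    # raw body size, checked before parsing


def validate_json_body(body: bytes, limits: JsonLimits = JsonLimits()) -> List[str]:
    """Return the list of limit violations; an empty list means the body passes the profile."""
    if len(body) > limits.max_body_bytes:
        return [f"$: body is {len(body)} bytes, max_body_bytes is {limits.max_body_bytes}"]
    try:
        doc: Any = json.loads(body)
    except ValueError as err:
        return [f"$: malformed JSON ({err})"]

    violations: List[str] = []

    def walk(node: Any, depth: int, path: str) -> None:
        if depth > limits.max_depth:
            # Report once and stop descending, so a deeply nested body does not
            # produce one violation per level.
            violations.append(f"{path}: depth {depth} exceeds max_depth {limits.max_depth}")
            return
        if isinstance(node, dict):
            if len(node) > limits.max_keys:
                violations.append(f"{path}: {len(node)} keys exceeds max_keys {limits.max_keys}")
            for key, value in node.items():
                if len(key) > limits.max_key_length:
                    violations.append(f"{path}: key of {len(key)} chars exceeds "
                                      f"max_key_length {limits.max_key_length}")
                walk(value, depth + 1, f"{path}.{key}")
        elif isinstance(node, list):
            if len(node) > limits.max_array_elements:
                violations.append(f"{path}: {len(node)} elements exceeds "
                                  f"max_array_elements {limits.max_array_elements}")
            for index, value in enumerate(node):
                walk(value, depth + 1, f"{path}[{index}]")
        elif isinstance(node, str) and len(node) > limits.max_string_length:
            violations.append(f"{path}: string of {len(node)} chars exceeds "
                              f"max_string_length {limits.max_string_length}")

    walk(doc, 1, "$")
    return violations


# Constructed sample bodies in the shape of the petstore API used in the lab.
PET_OK = b'{"id": 7, "name": "doggie", "status": "available", "tags": [{"id": 1, "name": "lab"}]}'
DEEP_NEST = b"[" * 20 + b"]" * 20                          # 20 nested arrays
BIG_ARRAY = json.dumps({"photoUrls": list(range(200))}).encode()
LONG_NAME = json.dumps({"name": "A" * 2000}).encode()
MALFORMED = b'{"id": 7, "name": '

if __name__ == "__main__":
    for label, body in [("PET_OK", PET_OK), ("DEEP_NEST", DEEP_NEST), ("BIG_ARRAY", BIG_ARRAY),
                        ("LONG_NAME", LONG_NAME), ("MALFORMED", MALFORMED)]:
        print(label, validate_json_body(body) or "passes")
```

The raw-size check runs before parsing on purpose: a body that is too large should be refused without spending CPU on it, which is the same ordering a WAF applies. Tighten the limits to what the API actually needs rather than keeping generous defaults; the profile is only useful if a legitimate pet object passes and a 200-element array or a 2000-character name does not.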
1 Add a Client-Side Protection Rule for the Badstore's Login Page
1. In the WAF web interface, go to Websites > Client-Side Protection.
2. On this page, click Add Rule, next to the Badstore service.
3. Enter the following:
• Rulename: loginregister
• URL Match: /cgi-bin/badstore.cgi
• Host Match: *
4. For Extended Match, click the Edit icon to display the Extended Match widget:
• Element Type: Parameter
• Element Name: Select the Others check box and enter action
• Operation: is equal to
• Value: loginregister
• Click Insert. The Header Expression field displays: Parameter action eq loginregister
• Click Apply.
• Click Save.
After the page has reloaded, the rule, including the default content security policy, appears in the table.
Note that the default CSP policy is in report-only mode: the policy is delivered as a
Content-Security-Policy-Report-Only header, so the browser reports violations but does not block
anything. Only change the mode to block once you are sure the policy does not break the application!
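Report-only mode gives you the list of resources the policy would have refused. The script below is an added example, not part of the lab guide and not Barracuda code, that makes the "is my configuration working" decision explicit: it parses a CSP string and dry-runs it against the resources a page loads, returning exactly the loads that will break once the rule is switched to block. The policy, the page URL and the resource list are constructed for illustration (the WAF's default policy is not reproduced here), and nonces, hashes and 'strict-dynamic' are not modelled.

```python
"""Dry-run a Content-Security-Policy against the resources a page actually loads.

Added example, not part of the lab guide and not Barracuda code. Before a
client-side protection rule is switched from report-only to blocking, collect the
resources the protected page loads (from the report-only violation reports or the
browser's network panel) and check which of them the policy would refuse. The
policy string and the resource list below are constructed for illustration; the
Barracuda default policy is not reproduced here. Nonces, hashes and
'strict-dynamic' are not modelled: an inline script counts as allowed only when
'unsafe-inline' is listed. Port wildcards (host:*) are not supported.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']}; a repeated directive is ignored, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def origin_of(url: str) -> str:
    """scheme://host:port with the default port filled in, so 'self' compares correctly."""
    parsed = urlparse(url)
    port = parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)
    return f"{parsed.scheme}://{parsed.hostname}:{port}"


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com covers a.example.com, not example.com
    return pattern == host


def source_allows(source: str, url: str, page_url: str) -> bool:
    """Does one CSP source expression permit a fetch of `url` from the page at `page_url`?"""
    keyword = source.lower()
    target = urlparse(url)
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        return origin_of(url) == origin_of(page_url)
    if keyword == "*":
        return target.scheme not in ("data", "blob", "filesystem")
    if keyword.endswith(":") and "/" not in keyword:   # scheme-source such as https: or data:
        return target.scheme == keyword[:-1]
    if keyword.startswith("'"):                        # 'unsafe-inline', nonces, hashes: not URL matches
        return False
    # host-source: [scheme://]host[:port][/path]
    pattern = urlparse(source if "://" in source else "//" + source)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if not _host_matches(pattern.hostname or "", target.hostname or ""):
        return False
    if pattern.port is not None and pattern.port != (target.port or DEFAULT_PORTS.get(target.scheme)):
        return False
    if pattern.path:
        # A path ending in '/' is a prefix match; anything else must match exactly.
        if pattern.path.endswith("/"):
            return target.path.startswith(pattern.path)
        return target.path == pattern.path
    return True


def dry_run(policy: str, page_url: str, loads: List[Tuple[str, str]]) -> List[str]:
    """Return the (directive, url) loads the policy would block once it is enforced."""
    csp = parse_csp(policy)
    blocked: List[str] = []
    for directive, url in loads:
        sources: Optional[List[str]] = csp.get(directive, csp.get("default-src"))
        if sources is None:
            continue  # no governing directive and no default-src: the browser allows the load
        if url == "inline":
            allowed = "'unsafe-inline'" in [s.lower() for s in sources]
        else:
            allowed = any(source_allows(s, url, page_url) for s in sources)
        if not allowed:
            blocked.append(f"{directive} {url}")
    return blocked


# Constructed policy and resource list for the Badstore login page (not the WAF's default policy).
POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
          "img-src 'self' data:; style-src 'self' 'unsafe-inline'")
PAGE = "http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=loginregister"
LOADS = [
    ("script-src", "http://www.bigfishinc.org/js/app.js"),   # same origin: allowed
    ("script-src", "inline"),                                # inline <script>: blocked
    ("script-src", "https://cdn.example.net/jquery.js"),     # listed host: allowed
    ("script-src", "http://cdn.example.net/jquery.js"),      # wrong scheme: blocked
    ("img-src", "data:image/png;base64,AAAA"),               # data: listed: allowed
    ("img-src", "https://images.example.org/logo.png"),      # not listed: blocked
    ("style-src", "inline"),                                 # 'unsafe-inline': allowed
    ("font-src", "https://fonts.example.org/a.woff2"),       # falls back to default-src: blocked
    ("connect-src", "http://www.bigfishinc.org/api/cart"),   # default-src 'self': allowed
]

if __name__ == "__main__":
    for line in dry_run(POLICY, PAGE, LOADS):
        print("would be blocked:", line)
```

Feed the real violation reports from the report-only phase into `LOADS`, and only flip the rule to block when `dry_run` returns an empty list. The inline-script case is the one that most often bites legacy applications such as Badstore: a policy without 'unsafe-inline' (or per-script nonces) silently disables every inline handler once enforced.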
© Barracuda Networks Inc., 2021. Revision: 8/18/2022.
The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of
this document may be copied, distributed, publicized or used for other than internal documentary purposes without the
written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without
notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc.
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.