A saved template can be imported on the configuration tree using Add or Modify. In both cases matching key parameters (see Table 21.1) are checked for each object type as follows:
• For an Add operation, the existing key parameters should not match because if the configuration already exists it is considered an error. As long as the key parameters don’t match, it adds the values of the saved template to the selected parent nodes or child nodes of the configuration tree.
• For a Modify operation, the existing configuration key parameters should match, and are blindly replaced with the new values from the saved template configuration. If they do not match, it is considered an error.
• When a service template is imported, you can specify an IP address and port on which to create a service from the template during an Add operation. Similarly, for a Modify operation, the template would modify a service existing on the box with that IP address and port. Doing this makes sense only if the source template is generated from a single service. This offers the flexibility to incrementally patch a service with template values.
Table 21.1: Object types and its Key Parameters
Object Type Key Parameters
Service IP, Port
Server IP, Port
Templates 189
Add
The Add operation adds a new configuration to the selected parent nodes or child nodes by using the values from the saved template. For example, suppose an object of type Server with values Server IP=192.168.128.10 and Server Port=80 already exists. Attempting to add a template with the same values is an error because the configuration already exists.
To add a new template use ADVANCED > Templates and select Import Template as the Template Operation. Select a suitable Template Type and specify the Add Operation. Use Specify to select parent nodes and child nodes you want to add to and click Add. Remove deletes a selection. Browse to locate the Template file path and Import the template file to the selected destination box.
Modify
The Modify operation modifies the existing configuration of selected parent nodes or child nodes by using the values from the saved template. For example, suppose an object of type Server with values Server IP=192.168.128.10 and Server Port=80 already exists. When you attempt to modify a template with the values Server IP=192.168.128.10 and Server Port=223, it simply replaces the Server Port value with 223 since the Server IP address value already matches.
To modify an existing template, use ADVANCED > Templates to select Import Template as the Template Operation.Select a suitable Template Type, then specify the Modify Operation. Specify the parent nodes and child nodes to which you want templates imported by clicking the Add button.
Use the Remove button to delete a selection. Click Browse to select the Template file path from which to import the template file. Clicking Import patches the existing template.
Points to Remember
1. When importing an SSL based service, note that the service is imported with SSL Status set to On for the front-end and set to Off for the back-end. You need to create relevant certificates, bind them, and set SSL Status to On to complete the service creation.
URL Policies Domain, URL, Header, Header Weight
URL Profile URL, Extended Match, Extended Match
Sequence
Allow/Deny Rules URL, Host Match, Extended Match, Extended Match Sequence
Request Rewrite Rules Request Rewrite Sequence Response Rewrite Rules Response Rewrite Sequence Response Body Rewrite Rules Response Body Rewrite Sequence
Security Policy Web Firewall Policy Name
Global ACL URL Match, Extended Match, Extended
Match Sequence
Custom Parameter Class Custom Parameter Class Name
Attack Types Attack Type Name
Identity Theft Patterns Identity Theft Pattern Name
Input Types Input Type Name
Object Type Key Parameters
2. A Modify operation blindly replaces any value of the object's parameters with the value found in the template. However, for the parameters which have multi-valued inputs (for example, Allowed Methods in SECURITY POLICIES > URL Protection), the modify operation results in a union of the existing values and the template values.
3. Template generation does not recursively copy the objects. If you have a policy bound to a service, make sure the policy exists on the destination box before importing the service on the destination box. The most common cases of objects like these within a service are: Policy, Response Pages, Certificates, Parameter Classes, Rate Control pool, Trusted Hosts.
Threat Control Manager 191
Chapter 22 Threat Control Manager
This chapter describes how the Barracuda Web Application Firewall integrates with Web Application Vulnerability Scanners to mitigate uncovered vulnerabilities until Web site fixes are released:
Overview ... 192 Steps to Mitigate Web site Vulnerabilities ... 193
Overview
The Barracuda Web Application Firewall integrates with Web Application Vulnerability Scanners (IBM AppScan Version 7.9 is the only currently supported type) to address Web application vulnerabilities detected by the scanning tools. The vulnerable part of the Web application can be patched quickly and easily using the Barracuda Web Application Firewall, so the optimal engineering solution can be designed and incorporated through the regular code release cycle without incurring continued risk.
Administrators use vulnerability scanners which detect and report Web site vulnerabilities in a variety of report formats. Vulnerability reports can be imported using the ADVANCED > Threat Control Manager > Import Vulnerability Report section. The Barracuda Web Application Firewall uses imported reports to provide Recommendation(s) for Vulnerability Assessment, which, if applied by the administrator, modify applicable security policy settings or configuration to mitigate the reported vulnerabilities.