Fortinet black logo

External Systems Configuration Guide

Barracuda Web Application Firewall

Barracuda Web Application Firewall

Support Added: FortiSIEM 6.3.2

Vendor: Barracuda

Product Information: https://www.barracuda.com/products/webapplicationfirewall

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Barracuda Web Application Firewall (WAF).

Protocol

Metrics Collected

Used For

Syslog

System logs, Web Firewall logs, Access logs, Audit logs and Network Firewall logs

Security and Compliance

Configuration

To configure syslog from your Barracuda WAF, take the following steps:

  1. Navigate to Advanced > Export Logs > Syslog.

  2. Configure the following fields in the table.

    Field

    Description

    Name Enter the name of the syslog server.
    Syslog Server Enter the IP address of the syslog server.
    Log Time Stamp Select "Yes" to log the date and time of system events.
    Lot Unit Name Select "Yes" to log the name of the Barracuda Web Application Firewall unit. The unit name is the same as the Default Host name located on the BASIC > IP Configuration page.
    Comment Enter any comments about the syslog server.
    Select appropriate facility Leave as Local7 or default option.
  3. When done, click Add to add the settings.

Sample Events

<134>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.163 -0600 nlb_lab NF INFO TCP 192.0.2.105 443 ALLOW traffic:allow
<132>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.550 -0600 nlb_lab WF WARN UNRECOGNIZED_COOKIE 98.98.98.22 51415 192.0.2.110 443 global GLOBAL LOG NONE [Cookie\="_derived_epik" Service-created\="1565 days back" Reason\="No valid encrypted pair"] GET test.example.com/random_page TLSv1.2 "-" "Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G991U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/15.0 Chrome/90.0.4430.210 Mobile Safari/537.36" 98.98.98.22 51415 "-" https://test.example.com/
<134>Sep 1 13:10:11 nlb_lab 2021-09-01 13:10:11.342 -0600 nlb_lab TR 192.0.2.105 443 192.0.2.134 53619 "-" "-" POST TLSv1.2 test.example.com HTTP/1.1 200 736974 439 0 104 10.20.20.102 443 103 "-" SERVER DEFAULT PASSIVE VALID /json/reply/TicketingEventsGetAvailableByEventTypeName "-" "-" "-" "ServiceStack .NET Client 5.40" 192.0.2.134 53619 "-" "-" "-" "-"

Barracuda Web Application Firewall

Support Added: FortiSIEM 6.3.2

Vendor: Barracuda

Product Information: https://www.barracuda.com/products/webapplicationfirewall

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Barracuda Web Application Firewall (WAF).

Protocol

Metrics Collected

Used For

Syslog

System logs, Web Firewall logs, Access logs, Audit logs and Network Firewall logs

Security and Compliance

Configuration

To configure syslog from your Barracuda WAF, take the following steps:

  1. Navigate to Advanced > Export Logs > Syslog.

  2. Configure the following fields in the table.

    Field

    Description

    Name Enter the name of the syslog server.
    Syslog Server Enter the IP address of the syslog server.
    Log Time Stamp Select "Yes" to log the date and time of system events.
    Lot Unit Name Select "Yes" to log the name of the Barracuda Web Application Firewall unit. The unit name is the same as the Default Host name located on the BASIC > IP Configuration page.
    Comment Enter any comments about the syslog server.
    Select appropriate facility Leave as Local7 or default option.
  3. When done, click Add to add the settings.

Sample Events

<134>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.163 -0600 nlb_lab NF INFO TCP 192.0.2.105 443 ALLOW traffic:allow
<132>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.550 -0600 nlb_lab WF WARN UNRECOGNIZED_COOKIE 98.98.98.22 51415 192.0.2.110 443 global GLOBAL LOG NONE [Cookie\="_derived_epik" Service-created\="1565 days back" Reason\="No valid encrypted pair"] GET test.example.com/random_page TLSv1.2 "-" "Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G991U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/15.0 Chrome/90.0.4430.210 Mobile Safari/537.36" 98.98.98.22 51415 "-" https://test.example.com/
<134>Sep 1 13:10:11 nlb_lab 2021-09-01 13:10:11.342 -0600 nlb_lab TR 192.0.2.105 443 192.0.2.134 53619 "-" "-" POST TLSv1.2 test.example.com HTTP/1.1 200 736974 439 0 104 10.20.20.102 443 103 "-" SERVER DEFAULT PASSIVE VALID /json/reply/TicketingEventsGetAvailableByEventTypeName "-" "-" "-" "ServiceStack .NET Client 5.40" 192.0.2.134 53619 "-" "-" "-" "-"