Configuring and Managing the Barracuda WAF solution with Puppet

Tweet
Share
Share
Print Friendly, PDF & Email

Configuring and Managing the Barracuda WAF solution with Puppet

Contents:

Introduction

Automating the management of network devices is extremely crucial in agile environments and Puppet modules can be used build on the existing framework using the Puppet Device feature to provide support for administering the Barracuda WAF.

There is no need to install an agent on the WAF with this approach, and takes advantage of the Puppet Device subcommand that’s operated from a standalone Puppet Agent that communicates with the Barracuda WAF REST API v3.


Barracuda WAF can be configured to process traffic for a Web Application, block malicious traffic, Load balance backend servers etc, using this module.

Puppet bridges the gap between an UI driven management process and a script driven API invocation and provides some inherent benefits that are part of the Puppet Enterprise suite to the forefront for a barracuda WAF administrator.

This includes querying the WAF for custom facts using the Facter daemon, using the Puppet resource subcommand to query the WAF for a particular piece of configuration.

In this blog post, we will explain the process of installing the cudawaf module, configuring the connectivity and using Puppet manifests to manage the WAF.

The Puppet device subcommand is a feature in Puppet that allows managing devices that cannot install Puppet agents on themselves.

The following diagram shows the process of communication:

The WAF units are managed through intermediate proxies which are actually Agents connected to the Puppet Master.

The agent has the certificate for the WAF unit to be managed and authenticates on behalf of the WAF to apply the catalog rendered from the Puppet master.

About the Puppet module for Barracuda WAF

You may download the module using the following command:

“puppet  module install barracuda/cudawaf”

The default location for the module would be /etc/puppetlabs/code/environments/production/modules/

For installing the module in a specific environment, use the following command:

“puppet  module install barracuda/cudawaf –environment=<env name>”

You may also access the Barracuda Networks github account, to get the development release for the module. With this approach, please ensure that you rename the module upon downloading to “cudawaf”

Handling Dependencies

Handling dependencies is critical to work with the module. We need to install the dependencies on both the master and the agents before running the puppet commands.

Handling dependencies on the Puppet Master:

Install typhoeus v1.3.0 and rest-client v1.8.0

/opt/puppetlabs/bin/puppetserver  gem install typhoeus –v 1.3.0
/opt/puppetlabs/bin/puppetserver  gem install rest-client –v 1.8.0

Also, install the gems using the puppet agent gem binary:

/opt/puppetlabs/puppet/bin/gem  install typhoeus –v 1.3.0

/opt/puppetlabs/puppet/bin/gem  install rest-client –v 1.8.0

Changing the permissions for the gemspec files

In some cases, external dependencies can cause errors such as "Error in retreiving resource statement". Increasing read and execute permissions to the gemspec on the master can help solve this problem.

Default Location of the ‘gemspec’ files

/opt/puppetlabs/puppet/lib/ruby/gems/2.0.1/specifications

To change permissions:

chmod 777  rest-client-1.8.0.gemspec
chmod 777 typhoeus-1.*

Please note: After you are changing permissions, please remember to restart the puppetserver daemon.

/opt/puppetlabs/bin/puppetserver  stop
/opt/puppetlabs/bin/puppetserver  start

Handling dependencies on the Puppet agent:

The best way to handle these is to use the ‘Package' resource and run the puppet agent command on the target node. Sample manifest of the Package resource:

  package { 'typhoeus' :
    ensure => present,
    provider => 'puppet_gem',
  }
    package { 'rest-client' :
    ensure => '1.8.0',
    provider => 'puppet_gem',
  }

This manifest can be uploaded to the manifests directory in the cudawaf module. Please note that this directory has to be manually created in the module. For example,

mkdir  /etc/puppetlabs/code/environments/production/modules/cudawaf/manifests/

Setting up the communication channel on the agent

To use the module, first configure a Puppet agent that is able to run puppet device. This agent will be used to act as a "proxy system" for the puppet device subcommand.

Create a ‘device.conf’ file on the Puppet Agent node:

The location of the file is:

/etc/puppetlabs/puppet/device.conf

device.conf is organized in INI-like sections, with one section per device: 

Example "device.conf" file

[waf-1]
   type cudawaf
   url http://admin:<password>@<ip_address>:8000/

The name of each section should be the name that will be used with Puppet device to access the device.

The body of the section should contain a type directive (use cudawaf) and a url directive (which should be an HTTP URL pointing to port 8000 to the device’s interface, typically the WAN interface).

WAF configuration manifest

                    cudawaf_service  { 'DemoService2':
                      ensure                               => present,
                      name              => 'MyService2',
                      type              => 'HTTP',
                      ip_address        => '10.11.2.2',
                      port              => 8000,
                      group             => 'default',
                      vsite             => 'default',
                      status            => 'On',
                      address_version   => 'IPv4',
                      comments          => 'Demo service',
                    }
 
        cudawaf_cloudcontrol  {  'CloudControl':
          ensure            => present,
          state             => 'not_connected',
          connect_mode      => 'cloud',
          username          => '[email protected]',
          password          => 'password' 
        }
 
        cudawaf_rule_group {  'RuleGroup-1':
          ensure            => present,
          name              => 'ContentRule1',
          service_name      => 'MyService2',
          url_match         => '/testing.html',
          host_match        => 'www.example.com' 
        }
 
        cudawaf_rule_group_server  { 'RuleGroupServer-1':
          ensure        => absent,
          name          => 'rgServer1',
          service_name  => 'MyService2',
          rule_group_name => 'ContentRule1',
          identifier    => 'Hostname',
          hostname      => 'barracuda.com' 
        }

 

With this manifest, a service with the name “Myservice2” will be created on the WAF under which there will be a content rule called “ContentRule1” and a backend server for the content rule called “rgServer1”. The WAF is also connected to the Barracuda Cloud Control for the administrator to use other additional cloud services available on the BCC portal.

You may visit the WAF documentation website, campus.barracuda.com for more information on each of these configuration items.

Command to run puppet device

puppet device -v --user=root

At this point, you may login to the Barracuda WAF web interface to verify if the configuration has been updated as per the manifest.

You may also reach out to our team for any concerns regarding this module by sending an email to [email protected]

Additional resources

https://github.com/barracudanetworks/barracuda-cudawaf
https://forge.puppet.com/barracuda/cudawaf
https://campus.barracuda.com


Related Posts:

Tweet
Share
Share
Scroll to top
Tweet
Share
Share