WAF01-05 Web Application Firewall - Foundation
In the Bridge-Path operating mode...
*...the WAF only inspects traffic configured for inspection. All other traffic is allowed by default.* *...backend servers can see the source IP address of the client in the IP packet.* ...requests and responses are terminated at the WAF.
Select all the requirements for deploying the WAF in high availability.
*Both systems must have the same 'Cluster Shared Secret'.* Both systems must have the same hostname. *Both systems must be of the same model.* *Both systems must run the same firmware version.* Both systems must have at least one service configured.
Which of the following are NOT sub-policies?
*Brute Force Protection* (1,2) Request Limits URL Encryption (1,2) *Response Limits* (2) Parameter Profiles (1,2) URL Normalization (1) (F)
What is 'Sequential Match' in the rule evaluation order?
*It is used to evaluate Host and URL matches according to its sequence number.* It is used to evaluate only extended match rules using their sequence number, starting from a low number (1) to a high number (1000). It is used after hierarchical matching when multiple matches occur in the Host Header and URL Path fields. (F) (?)
What happens when you accept the suggestion of the "Fix button" of the Web Firewall logs?
*Multiple services might be affected by the triggered configuration change.* *The configuration of the WAF is changed according to the suggestion.* Changes to the WAF configuration will be applied but have to be confirmed within 24 hours. The associated security policy is copied, and changes will be applied to the copy.
The WAF configuration can be changed using:
*SSH* *The web interface* (1,2) *REST APIs* (2) *The local shell access* (1,2) (F)
Trusted Hosts can be used in which of the following cases?
*To exempt specific traffic from security checks.* To bypass traffic around the WAF. To define which users or groups are allowed to log in during the authentication process.
Untrusted levels in Exception Profiling can be shared between multiple services.
*True. In fact, there are only 3 untrusted levels that can be associated with services.* True. Additional untrusted levels can be created and assigned to multiple services in the service configuration. False. Exception Profiling levels cannot be shared.
Client Fingerprints are enabled by default...
...but can be disabled at the server. *...but can be disabled at the service.* ...and cannot be disabled. ...but can be disabled at the libraries.
If you want to create signed certificates with Let's Encrypt...
...the domain of the service must be reachable at port 443. *...the service must be in active mode.* *...the domain of the service must be reachable at port 80.* ...the service must be in passive mode.
The Compression feature compresses...
...all content in HTTP requests for a specific service or content rule. ...only the configured content types in HTTP responses for a specific service or content rule. ...all content in HTTP responses for a specific service or content rule. (f) *...only the configured file types in HTTP requests for a specific service or content rule.* (F)
Logs can be exported to...
...Microsoft Windows System Events. *...the Microsoft Azure Event Hub.* *...Syslog servers.* *...AMQP(S) servers.* *...up to five different log servers.*
If you need to match a specific referer or parameter in an HTTP request, you need to use...
...a URL Match rule. ...a Host Match rule. *...an Extended Match rule.* Since the Referer is contained in the IP packet header, the WAF cannot retrieve this kind of information.
In the One-Arm Proxy deployment...
...a WAN and a LAN interface are used. *...only the WAN interface is used for traffic.* ...backend servers could be reached directly, bypassing the WAF. (f) (F)
When an 'action' is changed in the global ACLs...
...all services are affected. *...all services sharing the same security policy are affected.* ...all security policies are affected.
In the Reverse Proxy operating mode...
...all traffic is allowed by default. *...two different TCP connections are created for the request (Client>WAF and WAF>Server).* *...requests and responses are terminated at the WAF.* ...only requests are terminated at the WAF. Responses go directly to the clients (Direct Server Return).
The WAF active mode...
...allows traffic even if it triggers security violations. *...blocks traffic that triggers security violations.* *...logs traffic that triggers security violations.* ...can be configured as a global setting for all services.
URL Normalization...
...can be used to filter ambiguous FTP commands. (f) *...is only applied in HTTP requests.* ...must be enabled in the security policy in order to use it. ...corrects any transmission errors from the backend servers. (f) (F)
The predefined security policies...
...cannot be deleted. *...can be assigned to several services.* *...can be customized.*
Security policies...
...include only negative elements. *...include mostly negative and some positive elements.* ...include mostly positive and some negative elements. ...include only positive elements.
Data saved by the caching functionality is stored in the...
...internal MySQL database. ...hard disks. *...RAM.* ...SSDs and then moved to the hard disks after the max age has expired.
URL Protection...
...limits the number of cookies that can be present in an HTTP request. *...limits the number of file uploads.* *...specifies the allowed methods in HTTP requests headers.* ...limits the size of the file uploads.
In the 'Positive Security' model...
...only specific patterns are blocked. Everything else is allowed. ...changes to the web application not reflected in the WAF configuration might lead to false positives. ...everything is blocked unless explicitly allowed. (1) ...the WAF configuration is only changed during the initial setup. (1) (F)
In the Bridge-Path deployment...
...the LAN interface must face the Internet. *...the WAN and LAN interfaces must be connected to two separate network segments.* *...Real Servers can keep their existing IP addresses.*
In the 'Negative Security' model...
...the WAF configuration is only changed during the initial setup. ...everything is blocked unless explicitly allowed. *...only specific patterns are blocked. Everything else is allowed.* ...a very strict relationship is established between a web application and the WAF configuration.
Bot mitigation policies can be used...
...to enforce limits in the TCP window size. *...to enable credential stuffing protection.* *...to limit the amount of total requests to a specific part of a web application.* ...to enforce limits in HTTP headers.
In the Two-Arm Proxy deployment...
...only one network interface is used. *...a WAN and a LAN interface are used.* *...all traffic directed to the backend servers must go through the WAF.* ...all traffic is bridged between the WAN and LAN interfaces.
The WAF passive mode...
...can be configured as a global setting for all services. ...blocks traffic that triggers security violations. *...logs traffic that triggers security violations.* *...allows traffic even if it triggers security violations.* ...does not log traffic that triggers security violations.
incorrect cards
6, 12, 19, 25, 36, 37, 51, 54, 56, 62
What logs are available in the Barracuda WAF?
Attack logs *Access logs* *Audit logs* *System logs* *Network Firewall logs* *Web Firewall logs* Syslogs
What services are provided by the WAF's Access Control feature?
Authentication and credential stuffing protection. *Authentication and authorization.* Authentication, authorization, and auditing. Authentication, authorization, and accounting.
When protecting cookies, why can't Tamper Proof mode, set to 'Encrypted', always be used?
Because not all browsers can decrypt encrypted cookies. Because this feature is not available on all models. *Because web applications might need to access the information stored inside cookies.* Because the technology is fairly new, so old browsers cannot process encrypted cookies.
What are the two operating modes available in the WAF physical appliances?
Bridge Proxy *Bridge-Path* *Reverse Proxy* Forward Proxy
What do you have to configure to enforce the antivirus scan for file uploads in some parts of your web applications?
Brute Force Prevention *Bot mitigation policies* Allow/Deny rules Data Theft policies
By using the WAF Access Control feature, Audit logs can be used to track the activity of users logged into the web application.
FALSE
The Barracuda WAF is licensed by the number of web applications protected.
FALSE
The unit from which the "Join Cluster" procedure is initiated pushes its configuration to the other unit.
FALSE
A security policy can be assigned to only one service. Additional security policies must be created if more services are added to the system.
False
Extended Match rules can only be used in Bot mitigation policies.
False
The default Bot mitigation policy created automatically for each service cannot be removed.
False
In which sub-policy is the 'Maximum Upload File Size' configured?
In Global ACLs. *In Parameter Protection.* Nowhere. The WAF does not regulate file uploads. In Request Limits. In the FTP sub-policy.
What is Brute Force protection?
It specifies the number of successful login attempts from a single IP address. (2,3) It prevents attackers from forcefully breaking into the web application. (1,2,3) It limits the maximum number of requests either from all sources or from a single IP address to a specific part of a web application within a configured interval. (1,2,3) It is used to prevent SQL injection attacks. (1,3) (F)
Trusted hosts can be defined using:
Local users and groups. LDAP information (users, groups). LDAP information (users, groups, domains). *IP addresses / networks.*
The supported authentication methods for credential stuffing / spraying are:
NTLM *HTTP basic authentication* *HTML form* *JSON / AJAX request*
A newly created service has the following security policy associated with it:
New services do not have any security policies by default. Passive Custom *Default* Active
What are security policies?
Pre-configured security settings to inspect HTTP requests only. *Pre-configured security settings to inspect HTTP requests and responses.* Standard rules created by the CSO to define what is allowed or not allowed in a specific company. Pre-configured security settings that can be associated with any type of service including FTP and FTPS services.
What happens when a second real server is added to a service?
The WAF puts the new server in maintenance mode, and after 10 seconds it starts load balancing the traffic using the least request scheduling policy. (f) The WAF starts load balancing the traffic using the round robin scheduling policy. The WAF starts load balancing the traffic using the least request scheduling policy. (f) *The WAF puts the new server in sticky mode, and after 10 seconds it starts load balancing the traffic using the least request scheduling policy.* (F)
What happens if a signed or encrypted cookie is tampered with before it is sent to the WAF?
The WAF terminates the TCP connection. The WAF terminates the HTTP session. *If the WAF service mode is set to active, the WAF removes the tampered cookie, but the request will still be forwarded to the backend servers.*
What happens if multi-domain authentication is enabled and the user does not specify the domain before the username?
The WAF will use the 'Best match' policy to find which domain the user belongs to. *The user will be authenticated against the default configured domain.* The WAF will prompt the user with the list of configured domains. The WAF will deny the authentication attempt (LDAP injection attack).
When Cookie Security is enabled and the Tamper Proof mode is set to 'Signed', the WAF sends the following to the client:
The encrypted cookies. *The plain-text cookies.* *The signed cookies.* A cookie hash that is used to verify whether the cookie has changed.
Access logs are disabled by default and must be enabled on the Service Configuration page.
false
Antivirus signatures are updated even if the Energize Updates license has expired.
false
Changing the system time zone requires a system reboot only if services are configured.
false
When the Encryption Tamper Proof mode is enabled, legitimate cookies might be blocked if the Max Cookie Value Length limit, specified in the Request Limits, is not changed accordingly.
True
What are the available untrusted levels in Exception Profiling?
Trusted Hosts *High* *Low* *Medium* Very High
In which sub-policy is the 'Max Query Length' configured?
URL Protection URL Normalization *Request Limits* URL Limits URL Encryption
The WAF virtual appliance can be deployed using the following operating modes:
Virtual WAF Defense Bridge-Path *Reverse Proxy* Transparent Layer 2 Bridge
What is Connection Pooling?
A scheduling policy used by the WAF to balance requests to backend server pools. *A set of open TCP connections between the WAF and the real servers.* A WAF feature used to train the Exception Profiling engine. A scheduling policy used by the WAF to balance requests to backend servers.
The HTTP POST request generated by a user attempting to log into a protected web application is blocked by the WAF. In which of the following is this request logged?
Access logs System logs Network Firewall logs *Web Firewall logs* Audit logs Attack logs
The default password for the 'admin' user is:
Administrator *The serial number of your Barracuda WAF.* waf barracuda
When the active/active high availability deployment is used...
All Vsites are active on both units. *Different Vsites are active on different units.* All Vsites are active on both units, but using different VIPs.
What information is found in the Web Firewall logs?
All requests and responses. *HTTP requests and responses that generated a security violation.* (1) *The IP address of the client that generated the security violation.* *The action that was taken to prevent the attack.* (1) (F)
What is the correct process for creating Content Rules?
Create a new Content Rule in the Allow/Deny rules. Add the backend servers to the rule. Create a new Content Rule in the Bot mitigation policies. Add the backend servers to the rule. *Add the Content Rule to the service. Add the backend servers to the rule.* Create a new Content Rule in the Content Rules pool. Assign it to the service. Add the backend servers.
What is the default time interval in which heartbeats are sent in a WAF cluster?
Every 3 milliseconds Every 9 seconds *Every 3 seconds* Every 3 minutes Every 9 milliseconds
What changes should be made in a web application and web servers in order to use an Instant SSL service?
The web application code, especially if PHP and ASP are used, must have the iSSL option enabled. (f) Nothing. Communication between clients and the WAF will be encrypted using SSL, but the communication between the WAF and the web application will remain unencrypted HTTP. Web servers must be configured to accept SSL connections. (f) The web application must accept SSL connections. *Two virtual hosts must be created in the web server: one to terminate HTTP connections and a second to terminate SSL connections.* (F)
What is the purpose of Exception Profiling?
To fine-tune security policies associated with a service using pre-configured pattern levels. *To fine-tune security policies associated with a service using a heuristic-based strategy.* To create a database of authorized users. To automatically mitigate vulnerabilities found in a web application protected by the WAF.
What is the purpose of the action policies?
To trigger the Access Control mechanism to authorize users. To analyze requests and make forwarding decisions based on the request's content. *To trigger an action when a violation occurs.* To define the flow of HTTP traffic so each backend server receives the same amount of requests. To trigger the Access Control mechanism to authenticate users.
If you want to protect your logins against credential stuffing, you require an ABP license.
True
Dual authentication is only available...
With the local authentication service. *If LDAP is used as primary authentication service.* If KERBEROS is used as primary authentication service. If LDAP and KERBEROS are used as primary authentication services.
Clustering is initiated using which interface?
br0 *WAN* LAN MANAGEMENT
