Barracuda Web Application Firewall: Overview and Analysis

Bottom line

The Barracuda Web Application Firewall combines a reverse-proxy security architecture with application acceleration. SMEs and other enterprises looking for a good-enough WAF at a decent price point should consider this product, along with those seeking support for public cloud platforms.

Product Description

The Barracuda Web Application Firewall can deal with complex threats with inspection capabilities that don’t affect throughput. It combines a reverse-proxy security architecture with application acceleration. Features include web application security, API security, mobile application security, app backend security, application acceleration and delivery, and identity and access control. The company offers a series of appliances for SMEs through large enterprises. The vendor delivers its Web Application Firewall line in physical or virtual appliances. It is also available on the Microsoft Azure, AWS and VMware vCloud Air platforms.

Barracuda WAF Features Rated

Security: Good. Barracuda WAF protects applications from the attacks that are categorized by OWASP, as well as additional attacks such as DDoS, Slow Client, session hijacking, and XML/SOAP-based attacks. This is applicable to both HTTP and HTTPS application traffic. Security Policies define matching criteria for requests and specify what actions to take when a request matches.

Performance: Good. The company reports 190,000 transactions and 70,000 connections per second, as well as 2.8 million concurrent connections and throughput of 10 Gbps for the highest-end model. Testing by Miercom, a third-party testing organization, achieved the numbers claimed in the hardware datasheet. Miercom also said the WAF detected 100% of cross-site scripting, SQL injection, system command injection and file inclusion vulnerabilities, and achieved HTTP performance of 7.6 Gbps throughput (this was not for its highest-end model).

Value: Very Good. Barracuda offers good performance for the price.

Implementation: Very good. The average time to onboard an application in passive security enforcement is two minutes. The time taken to fine-tune the security policy depends on the complexity of the application but on average is less than one hour. Miercom tests noted the WAF can be deployed in one hour from unboxing to full operation.

Management: Good. Gartner clients give mixed feedback on the management interface’s ease of use for daily tuning of WAF configurations. Some of the feedback is that the UI is non-intuitive and disorganized.

Support: Best in class. Barracuda WAF has a variety of support packages. Gartner said: “Gartner clients consistently give good marks to Barracuda’s post-sale customer support. Barracuda partners cite the vendor’s focus on customer satisfaction as a reason they choose to sell Barracuda WAF.”

“Working with other vendors such as Imperva, Cisco, Big-IP, Sophos, Palo Alto, name it; pales in comparison to working with Barracuda. Never have I worked with a vendor that felt like side by side partnerships to their level,” said an executive manager in the communications industry.

Cloud features: Very good. The product is delivered as an appliance or as a virtual machine for on-premises deployments, and it also supports public cloud providers like AWS, Microsoft Azure and GCP. A new CloudGen WAF is purpose-built for public cloud and can be automated by DevOps and SecOps teams.

Barracuda WAF

Security Qualifications

PCI and HIPAA compliance, ICSA certified.


List prices for appliances range from just a few thousand dollars to tens of thousands of dollars for the highest-performance enterprise-ready models.

Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.
