We've been analyzing an issue where we saw multiple 503s logged at the barracuda level. At the same time the end point that it was invoking was not throwing any 500s. The barracuda configuration is set to be passive however in the logs, the action is stated as blocked. Below is an example
Apr 2 19:04:07 DestinationIP 2019-04-02 12:04:07.156 -0700 WAFName TR DestinationIP DestPort ProxyIP ProxyPort "-" "-" GET TLSv1.2 ServiceDNSName HTTP/1.1 503 494 785 SERVER DEFAULT PASSIVE VALID uripath ProxyIP ProxyPort 2
The logs are captured in splunk and one of the above values is mapped to 503 & Blocked.