For WAF we are referring to either reverse proxy or bridge mode and both need to be addressed within the context of your question.
In bridge mode the traffic will pass through the GW with no impact due to expired keys
What may be impacted is inspection
If the key pair used in the expired cert is still valid then decryption will occur
If there have been changes to how the cert is generated which impact the key pair then decryption is not possible
You would see alerts in the MX UI indicating decryption failed due to the cert used
If you are in RP then the end customer will see a warning that the certificate used for this connection has expired.
Typically this is not a desirable situation and will typically generate customer calls/complaints
The rules around decrypt are the same as above. If the keys still work then we can decrypt.