Imperva Cyber Community

  • 1.  Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 11-11-2020 03:45

    We are running Imperva WAF X2010 which is one physical appliance, and I have been tasked with installing patches on our Imperva WAF X2010.

    I have been told that if the Imperva WAF is running some modes, there will be no impact on traffic flow during a patch installation/software upgrade. Is that true? And what modes/settings would allow this to happen?

    How about the impact on traffic flow in case of a reboot? Or even when the WAF is powered off?

    One more question: the WAF's Software Update screen shows the following. Does it mean I need to install patches twice, once for MX and once for Gateway, even though they are in one physical appliance?

    Component type: MX
    Currently installed: v11.5.0.30
    Target version: v11.5.0.95 (SecureSphereV11.5.0-x86_64-Patch95_0.x)

    Component type: Gateway
    Currently installed: v11.5.0.30
    Target version: v11.5.0.95  (SecureSphereV11.5.0-x86_64-Patch95_0.x)

    Any advice would be appreciated.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Louis WAF
    ------------------------------


  • 2.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?
    Best Answer

    Posted 11-11-2020 10:39
    Hi Louis,

    The first point to note is that the v11 codeline is End of Life and does not qualify for any official support.

    I am not aware of any configuration that is 100% guaranteed to have no service impact during patching, especially as the services do need to be restarted. Bear in mind that only restarts of the Gateway service are potentially service affecting. To minimise potential impact, we would recommend having the GW fail open, so that in case of a service restart or power cycle, traffic would still pass through. How effective this is depends on whether you are working in Bridge or TRP mode, or in KRP mode, which by its nature is more likely to be service affecting as it requires the reverse proxy to be operational for traffic to pass.

    In general, we recommend taking a full system export before any patching activity, and applying the patch in a maintenance window.

    On a Onebox system, applying the patch should apply both MX and GW elements in one go.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------



  • 3.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 11-12-2020 03:27
    Edited by Louis WAF 11-13-2020 02:44


  • 4.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 11-11-2020 11:20
    Hi Louis,

    The mode is Bridge mode. This is where the WAF is inline at Layer 2. If the hardware is equipped with fail-open NICs (it's rare that they aren't) then the device can and will fail open.

    However, please note there will be an interruption in traffic flow during a graceful reboot or shutdown, as is the case after patching.

    A few things that can trigger an immediate bypass state:

    • Unexpected kernel crash
    • Power outage
    • Specific commands issued designed to create a failopen state (not going to list those here)

    At the end of the patching process you must initiate a graceful reboot, at which point traffic will temporarily be interrupted.

    For more information, please reference the following:

    • https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Gateway-fail-open-timeframe-during-device-reboot-or-shutdown
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Upgrade--Is-there-any-traffic-downtime-during-gateway-upgrade
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Procedure/Using-linux-shutdown-to-test-bypass
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Concept/Connectivity--Will-connectivity-be-maintained-if-gateway-is-stopped-or-process-is-rebooted


    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------
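One way to check how long the interruption described above actually lasts in your own environment, as an added example that is not from the thread or from Imperva: probe a service behind the inline gateway once per second across the maintenance reboot and summarise the gaps against an outage budget. The backend hostname, port and the 10-second budget (taken from the documentation figure quoted later in the thread) are assumptions.

```python
# Added example (not from the thread or Imperva): measure the traffic gap through an inline gateway during a planned reboot.
import socket, time

def probe(host, port, timeout=1.0):
    """One TCP connect through the gateway; True if the backend answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def outage_windows(samples, interval=1.0):
    """samples: ordered (timestamp_s, ok) pairs from probe().
    Returns [(start, end, seconds)] for every run of failed probes; a run
    still open at the last sample is closed at last_timestamp + interval."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts, ts - start))
            start = None
    if start is not None:
        end = samples[-1][0] + interval
        windows.append((start, end, end - start))
    return windows

def summarise(samples, budget_s=10.0, interval=1.0):
    """Compare measured gaps with the outage budget expected from fail-open."""
    windows = outage_windows(samples, interval)
    longest = max((w[2] for w in windows), default=0.0)
    return {
        "outages": len(windows),
        "longest_s": longest,
        "total_s": sum(w[2] for w in windows),
        "within_budget": longest <= budget_s,
    }

# Constructed sample: one probe per second; the reboot takes the path down
# from t=5 until the NICs renegotiate and the probe succeeds again at t=13.
SAMPLE = [(t, not 5 <= t <= 12) for t in range(0, 20)]

if __name__ == "__main__":
    # Live run (assumed host/port): probe through the gateway for 120 seconds.
    t0, live = time.time(), []
    while time.time() - t0 < 120:
        live.append((round(time.time() - t0, 1), probe("backend.example.internal", 443)))
        time.sleep(1.0)
    print(summarise(live))
```

Start the live run from a host on the client side of the bridge before issuing the graceful reboot, so the window that is recorded covers the whole shutdown and interface renegotiation.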



  • 5.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 06-01-2022 07:14
    Hi Anderson,

    I would just like to know: even when the gateway is configured as fail-open, will a graceful reboot still cause an interruption in traffic flow?

    Also, the links to the reference documents seem to be obsolete. Do you have other, more recent docs to share?

    Thank you.

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 6.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 06-01-2022 09:27
    Hi Ken,

    That is correct; a graceful reboot will still cause interruption in traffic flow when the gateway is configured in fail-open.

    Please see the following articles:

    • https://docs.imperva.com/howto/514f8958
    • https://docs.imperva.com/howto/033e4c45
    • https://docs.imperva.com/howto/5c4f4d77

    Please note that you must be signed in to the docs portal (top right) to view the links referenced above.


  • 7.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 11-11-2020 21:34

    Hi Stefan, and Anderson,

    Thank you very much for your prompt reply.

    We plan to upgrade to at least v13, which will fix several vulnerabilities detected by Nessus.

    As far as I understand your advice, generally speaking:

    There shall be no service impact while running the patch, as in the following example:
    >>> "Run the patch by typing ./[patch filename]
    For example: ./SecureSphereV11.5-x86_64-Patch1_0.x"

    A graceful reboot would inevitably cause traffic to be temporarily interrupted "because the OS has to process the orderly shutdown of the kernel processes and the network interfaces. It then has to bring up the network interfaces, auto-negotiate speed and duplex"
    >>>"Reboot the machine only after receiving the message that the patch has been successfully installed."

    To minimise potential impact, I have to configure the GW to fail-open the bridge connection because "If the gateway is in fail-open mode (bypass mode), during upgrade, traffic will be down only for up to 10 seconds while the gateway is being rebooted once at the end of the upgrade."

    I observe that we are working in IMPVHA Bridge mode, as shown in Main>Setup>Gateways>Filter>By Mode:

    STP Bridge
    Gateway
    No data found

    IMPVHA Bridge
    Gateway Status Active .. .. Model Appliance Type
    ERBWAF01 Running Yes .. .. X2010 Physical

    Sniffing
    Gateway
    No data found

    Reverse Proxy (Apache)
    Gateway
    No data found

    Reverse Proxy Kernel
    Gateway
    No data found

    With reference to the Admin Guide, under the Gateway Groups section, I tried in vain to configure the GW to fail-open the bridge connection because there is no option for me to select a fail mode as the attachment shows. Could you advise too? Thanks again.



    ------------------------------
    Louis WAF
    ------------------------------



  • 8.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 11-12-2020 03:34
    Problem resolved by enabling the Activate Settings.

    ------------------------------
    Louis WAF
    ------------------------------