Imperva Cyber Community

Expand all | Collapse all

Does it have impact on traffic flow during a WAF patch installation/software upgrade?

Jump to Best Answer
  • 1.  Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 23 days ago

    We are running Imperva WAF X2010 which is one physical appliance, and I have been tasked with installing patches on our Imperva WAF X2010.

    I have been told that if the Imperva WAF is running some modes, there will be no impact on traffic flow during a patch installation/software upgrade. Is that true? And what modes/settings would allow this to happen?

    How about the impact on traffic flow in case of a reboot? Or even when the WAF is powered off?

    One more question, the WAF's Software Update screen shows as follows. Does it mean I need to install patches twice, one for MX, and another for Gateway, though they are in on physical appliance?

    Component type: MX
    Currently installed: v11.5.0.30
    Target version: v11.5.0.95 (SecureSphereV11.5.0-x86_64-Patch95_0.x)

    Component type: Gateway
    Currently installed: v11.5.0.30
    Target version: v11.5.0.95  (SecureSphereV11.5.0-x86_64-Patch95_0.x)

    Any advice would be appreciated.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Louis WAF
    ------------------------------


  • 2.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?
    Best Answer

    Imperva Employee
    Posted 23 days ago
    Hi Louis,

    The first point to note is that the v11 codeline is End of Life and does not qualify for any official support.

    I am not aware of any configuration that is 100% guaranteed to not have any service impact during patching, especially as the services do need to be restarted. Bear in mind that only the restarting of the Gateway service restarts are potentially service affecting. To minimise potential impact, we would recommend having the GW fail open, so that in case of service restart or power cycles, the traffic would still pass through. How effective this is depends on whether you are working in Bridge or TRP mode, or in KRP mode which by it's nature is more likely to be service affecting as it requires the reverse proxy to be operational for traffic to pass.

    In general, we recommend taking a full system export before any patching activity, and applying the patch in a maintenance window.

    On a Onebox system, applying the patch should apply both MX and GW elements in one go.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------



  • 3.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 22 days ago


  • 4.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Imperva Employee
    Posted 23 days ago
    Hi Louis,

    The mode is Bridge mode. This is where the WAF is inline at Layer 2. If the hardware is equipped with fail-open NICs (it's rare that they aren't) then the device can and will fail open.

    However, please note there will be an interruption in traffic flow during a graceful reboot or shutdown, as is the case after patching.

    A few things that can trigger an immediate bypass state:

    • Unexpected kernel crash
    • Power outage
    • Specific commands issued designed to create a failopen state (not going to list those here)

    At the end of the patching process you must initiate a graceful reboot, at which point traffic will temporarily be interrupted.

    For more information, please reference the following:

    • https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Gateway-fail-open-timeframe-during-device-reboot-or-shutdown
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Reference/Upgrade--Is-there-any-traffic-downtime-during-gateway-upgrade
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Procedure/Using-linux-shutdown-to-test-bypass
    • https://www.imperva.com/sign_in.asp?retURL=/articles/Concept/Connectivity--Will-connectivity-be-maintained-if-gateway-is-stopped-or-process-is-rebooted


    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------



  • 5.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 22 days ago

    Hi Stefan, and Anderson,

    Thank you very much for your prompt reply.

    We target to upgrade to at least v13 which will fix several vulnerabilities detected by Nessus.

    As far as I understand your advice, generally speaking:

    There shall be no service impact during running the patch as following example:
    >>> "Run the patch by typing ./[patch filename]
    For example: ./SecureSphereV11.5-x86_64-Patch1_0.x"

    A graceful reboot would inevitably cause traffic to be temporarily interrupted because "because the OS has to process the orderly shutdown of the kernel processes and the network interfaces. It then has to bring up the network interfaces, auto-negotiate speed and duplex"
    >>>"Reboot the machine only after receiving the message that the patch has been successfully installed."

    To minimise potential impact, I have to configure the GW to fail-open the bridge connection because "If the gateway is in fail-open mode (bypass mode), during upgrade, traffic will be down only for up to 10 seconds while the gateway is being rebooted once time at the end of the upgrade."

    I observe that we are working in IMPVHA Bride mode as what is shown in Main>Setup>Gateways>Filter>By Mode

    STP Bride
    Gateway
    No data found

    IMPVGA Bride
    Gateway Status Active .. .. Model Appliance Type
    ERBWAF01 Running Yes .. .. X2010 Physical

    Sniffing
    Gateway
    No data found

    Reverse Proxy (Apache)
    Gateway
    No data found

    Reverse Proxy Kernel
    Gateway
    No data found

    With reference to the Admin Guide, under the Gateway Groups section, I tried in vain to configure the GW to fail-open the bridge connection because there is no option for me to select a fail mode as the attachment shows. Could you advise too? Thanks again.



    ------------------------------
    Louis WAF
    ------------------------------



  • 6.  RE: Does it have impact on traffic flow during a WAF patch installation/software upgrade?

    Posted 22 days ago
    problem resolved by enabling the Activate Settings.

    ------------------------------
    Louis WAF
    ------------------------------