Impact: Disabling or re-enabling a module on a BIG-IP Next instance

When a managed BIG-IP Next instance is licensed for the Web Application Firewall (WAF) module, the module is enabled by default.

You can disable the WAF module to reduce the amount of resources dedicated to WAF.

Disabling a WAF module on a BIG-IP instance can impact WAF policies deployed to that instance.

The following sections describe how disabling or re-enabling the WAF module on a BIG-IP Next instance affects behavior.

Deploying WAF policy or WAF policy changes to an instance with disabled WAF module

Deployment of a new or updated WAF policy will not be blocked because the BIG-IP Next instance is still active.

However, the deployment attempt will fail, because BIG-IP Next Central Manager will be unable to access the WAF module.

Live Updates synchronization

Live Updates provide automatic security updates to known signatures and threats. These updates are provided by F5 downloads. Once an instance is managed by BIG-IP Next Central Manager, Live Updates is active and will attempt to update the instance details, whether WAF is deployed or not.

  • WAF module is disabled and a new Live Update is published: BIG-IP Next Central Manager will report the new Live Updates as failed if there is no endpoint for installation of file updates.

  • WAF is re-enabled after a disabled period: Live Updates will be out of sync with the Live Updates installed on the BIG-IP Next instance.

    • To synchronize Live Updates, you need to manually update the Live Updates for Attack Signatures, Bot Signatures, and Threat Campaigns. To manually install the newest Live Updates, see How To: Install Live Updates.

    • If you do not synchronize Live Updates and try to re-deploy WAF services:

      • If the outdated Live Updates file has old or removed signatures and threat campaigns, these outdated signatures and threat campaigns will be enforced, while updates will not be applied. This reduces the effectiveness of WAF protection for your applications.

      • You will be unable to deploy a WAF policy if there are any signature overrides on signatures that were added, but do not exist on the BIG-IP Next instance.