The WAF subsystem uses a significant amount of system resources. When enabling WAF, you should avoid overconsuming system resources that are needed for load balancing Virtual Services. When WAF starts to consume resources at a level that impacts overall system performance, one or more of these symptoms can be observed:

  • High CPU utilization
  • High memory utilization
  • InterProcess Communication (IPC) issues between Layer 7 and WAF processes
  • Decreased Virtual Service throughput
  • Increased Virtual Service latency

There are essentially two ways of dealing with these issues:

  • Disable WAF completely on one or more Virtual Services.
  • Tailor the applied rulesets used on each Virtual Service to reduce the rules applied to the minimum necessary for secure operation.

The best practice for WAF rulesets is to avoid blanket application of a ruleset and instead enable only those rules in the ruleset that are specifically required for your application.

Note that internal processing and communication between WAF and Layer 7 are enhanced in version 7.2.36 to help mitigate resource-exhaustion issues through smarter thread and resource management. The best practice is still to enable a minimum set of rules instead of enabling the entire ruleset.