In LoadMaster firmware version 7.2.61, legacy WAF was deprecated. If you use legacy WAF and want to upgrade to LoadMaster version 7.2.61 or above, refer to the following guidelines:

  • If you use legacy WAF, take a full configuration backup (in System Configuration > System Administration > Backup/Restore in the LoadMaster User Interface (UI)) before attempting to update the LoadMaster firmware.
  • If you use legacy WAF, go to Web Application Firewall > Custom Rules and check if any Legacy Custom Rules or Legacy Custom Rule Data files are in use. These custom legacy WAF files will be inaccessible after upgrading to 7.2.61 (or above). You should download any custom legacy WAF rules and back them up to a safe location before attempting to update.
  • If you have legacy WAF custom rules, keep the following points in mind:
    • Rule exclusions or custom rules that include rule exclusions (for example, as ‘ctl’ statements) will most likely become irrelevant post-update. The underlying rule set that powered the legacy WAF functionality has been retired. The new LoadMaster WAF functionality is powered by the rule set from the OWASP CRS project. The rules are different and the rule ID numbers are completely different, hence any existing rule exclusions from the legacy WAF will refer to rules and ID numbers that no longer exist.
    • Custom rules that implement specific detections or specific blocking conditions (for example, "block all requests from the subnet 10.2.0.0/16" or "block all POST requests to the location /admin.php") should be re-usable with the new WAF functionality. You can upload these custom rules in Web Application Firewall > Custom Rules and you can re-apply them to new WAF services.

      If you need personalized advice about your custom WAF rules, contact the Progress Kemp Professional Services team.

  • Virtual Services that currently have the legacy WAF functionality enabled will be automatically transitioned to use the new OWASP CRS WAF system post-update. The default settings for the new WAF service ensure that web traffic continues to flow without issue. You are advised to monitor any auto-converted WAF services for false positives and to tune the new WAF services for the applications they are protecting. For further details, refer to the article False Positive Handling on LoadMaster, or contact Progress Kemp Support.
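
To sort backed-up legacy custom rules along the lines described in the custom rules guidance above, the following added example (not Progress Kemp code) separates rule exclusions from standalone detection rules. It assumes the exported files use ModSecurity `SecRule` syntax; the function names, sample rules and rule IDs are constructed for illustration.

```python
import re

# Exclusion mechanisms: ctl:ruleRemove* actions and SecRuleRemove*/SecRuleUpdate* directives.
CTL_EXCLUSION = re.compile(r"ctl:ruleRemove\w+=([^,\"'\s]+)", re.I)
DIRECTIVE_EXCLUSION = re.compile(r"^SecRule(?:Remove|Update)\w+\s+(\S+)", re.I)

# Constructed sample of a backed-up legacy custom rule file (IDs are placeholders).
SAMPLE = r"""# legacy custom rules (constructed)
SecRule REQUEST_URI "@beginsWith /search" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=2000001"
SecRuleUpdateTargetById 2000002 "!ARGS:comment"
SecRule REMOTE_ADDR "@ipMatch 10.2.0.0/16" \
    "id:10002,phase:1,deny,status:403,msg:'Blocked subnet'"
SecRule REQUEST_METHOD "@streq POST" \
    "id:10003,phase:1,deny,status:403,chain"
    SecRule REQUEST_URI "@beginsWith /admin.php"
"""

def logical_directives(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def triage(text):
    """Bucket directives: 'review' references other rules' IDs, 'reusable' does not."""
    report = {"review": [], "reusable": []}
    for directive in logical_directives(text):
        refs = CTL_EXCLUSION.findall(directive)
        m = DIRECTIVE_EXCLUSION.match(directive)
        if m:
            refs.append(m.group(1))  # first referenced ID, tag or message
        key = "review" if refs else "reusable"
        report[key].append((directive, refs))
    return report

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        for directive, refs in items:
            print(f"{bucket:8} refs={refs} :: {directive[:60]}")
```

Directives in the `review` bucket point at rule IDs from the retired rule set and need to be rewritten against OWASP CRS rather than re-uploaded as they are; a chained rule shows up as consecutive `reusable` directives.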