We are currently testing the the Application Firewall functionality with a temporary license. So far our tests are coming up with positive results and we are most likely going to purchase a license to continue using the feature but unfortunately that would take a while to organize. In the meantime we would like to know what would happen when the licese expires - would the feature stop working at all or would it continue to work like before but fail to update the signature databes? We are unable to find any documentation on the matter, so any help would be greatly appreciated.
In case of license expiry, the Application firewall or IDP would continue to inspect but the updates installation will not be allowed. Please go through the following KB for more details.
Let me see if i understand correctly, the AppFW will continue to work normally but we would not be able to install the latest signature database on the Firewall, is that right?
In this case, if we have an active license on another appliance, would we be able to download the latest signature databse, export the databse and then import it on another appliance that does not have the license?
The application firewalling functionality is currently honorbased. You must ensure that you have either a perpetual JSE license on your SRX device or an active CS-BUN or ATP-BUN subscription... but technically it will work without a license.
Even in the case of a subscription expiring your application firewall will continue to work including updates.
JSB and JSE licenses are currently not being installed on devices - you will just have an auth code which can be initialized when the functionality will be enforced by Junos on the SRX gateway.