Hi
So is it required to have the WAF cPanel plugin installed in order to use the ModSecurity Vendor setup or does it just add a few nice extra features? I installed the Vendor and all works great. Just wondering if I need WAF as well since I use ConfigServer Firewall on this machine. Also, will updates happen automatically I assume for the Vendor rules?
You don't need the CWAF plugin to use the ModSecurity Vendor. Moreover, it's impossible to use Comodo rules as a ModSecurity Vendor with the CWAF plugin installed because it overwrites the mod_security config.
We need to choose either Vendor or Plugin. So I guess ModSecurity Vendor plus ConfigServer Firewall will be enough.

Vendor rules are updated automatically once a day by cPanel.
We manage whitelisting using ConfigServer ModSecurity Control. Do we need the WAF cPanel plugin if we use that with the Vendor Rule setup?
No, the plugin is not required.