This section discusses how to configure Web Application Firewall (WAF) on the Avi Load Balancer. What to read next Enabling WAF on Virtual ServerEach virtual service can have one WAF Policy attached to it. This topic details the steps to configure WAF for a virtual service. WAF ProfileA WAF Profile contains the settings for WAF functionality and is attached to a WAF Policy. WAF PolicyThis section discusses the WAF Policy on Avi Load Balancer. WAF AllowlistThe Allowlist functionality allows the definition of match conditions for requests to perform associated actions. This section discusses examples and use cases for configuring Allowlist Rules in Avi Load Balancer. Positive Security and LearningThis section discusses Positive Security and Learning feature for WAF. Configuring CRS Rules for WAF SignaturesCore Rule set is a set of protection rules that the WAF Policy uses. This section discusses how to configure and update CRS rules. Mixed Mode and Enabling Mode DelegationWAF Policy can be configured to operate in either Detection or Enforcement mode. WAF Rate LimitingThough rate limiting is primarily done outside WAF, owing to specific customer requirements, it is also included as part of WAF. The following topic explains Rate Limiting with respect to WAF. CSRF ProtectionCSRF is a security vulnerability where an attacker can induce legitimate users to perform unwarranted actions without their knowledge. Legit users usually authenticate themselves before accessing backend applications and maintain their sessions using the session cookie provided by the application.