A WAF Policy can be configured to operate in either Detection (detection only) or Enforcement mode.

With the Mode Delegation option on NSX Advanced Load Balancer, a policy can be enabled to operate in any of the following three modes:

  • Detection

  • Enforcement

  • Mode Delegation

While in Detection mode, if a request matches a rule, then the request is flagged with an application log message and the request is allowed through.

While in Enforcement mode, if a request matches a rule it is blocked by the NSX Advanced Load Balancer Service Engine, and an application log message is generated.

With Mode Delegation, individual WAF rules can override the policy mode: a specific action can be defined for a single rule, irrespective of the action defined for the rule set. This is also referred to as mixed mode, and it allows fine tuning so that legitimate requests are not blocked by enforcement mode.

Use Cases

The following use cases are relevant when enabling Mode Delegation:

  1. Test new rules – You can configure manually written rules or new CRS rule updates with mixed mode enabled to avoid false positives. New rules can be introduced in detection mode, so that legitimate requests are not rejected while the rules are evaluated.

  2. Partial enforcement – You can configure a few rules in enforcement mode while still retaining the policy in detection mode. This way, the WAF policy as a whole can remain in detection mode while enforcement is applied only to the selected rules.
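The following is an added example, not code from the NSX ALB documentation or product: a small model of how the effective action on a rule match is decided under the three modes described above, covering both use cases (rules kept in detection while the policy enforces, and rules promoted to enforcement while the policy stays in detection). The field names `mode`, `allow_mode_delegation` and the `WAF_MODE_*` values are assumed to mirror the NSX ALB WafPolicy and WafRule API objects; verify them against your controller's API before reusing them.

```python
# Added example (not NSX ALB code): models the effective WAF mode for a rule match.
# Field and enum names are assumptions modelled on the NSX ALB API; verify them.
from dataclasses import dataclass
from typing import Optional, List

DETECTION = "WAF_MODE_DETECTION_ONLY"
ENFORCEMENT = "WAF_MODE_ENFORCEMENT"


@dataclass
class WafRule:
    rule_id: int
    pattern: str                 # constructed: substring this rule matches on
    mode: Optional[str] = None   # None corresponds to "Use policy mode" in the UI


@dataclass
class WafPolicy:
    mode: str
    allow_mode_delegation: bool
    rules: List[WafRule]


def effective_mode(policy: WafPolicy, rule: WafRule) -> str:
    """Mode applied when `rule` matches.
    A rule-level mode only takes effect when the policy allows Mode Delegation;
    otherwise the policy mode always wins and the rule setting is ignored."""
    if policy.allow_mode_delegation and rule.mode is not None:
        return rule.mode
    return policy.mode


def evaluate(policy: WafPolicy, request: str) -> dict:
    """Outcome for one request: whether it is blocked and the log entries generated.
    Every match is logged; only a match under ENFORCEMENT blocks the request."""
    outcome = {"blocked": False, "log": []}
    for rule in policy.rules:
        if rule.pattern in request:
            mode = effective_mode(policy, rule)
            outcome["log"].append(f"rule {rule.rule_id} matched ({mode})")
            if mode == ENFORCEMENT:
                outcome["blocked"] = True
    return outcome


# Constructed sample: policy stays in Detection, one rule promoted to Enforcement.
POLICY = WafPolicy(DETECTION, allow_mode_delegation=True, rules=[
    WafRule(100, "../", mode=ENFORCEMENT),  # partial enforcement (use case 2)
    WafRule(200, "<script", mode=None),     # follows the policy mode
])
```

With `allow_mode_delegation=False` the same rule 100 would only log, since the rule-level mode is ignored and the policy's Detection mode applies.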

Enabling Mode Delegation

  1. In NSX ALB UI, navigate to Templates > WAF > WAF Policy.

  2. Click Create, or edit an existing WAF Policy.

  3. In the Settings tab, under Policy Mode, click on the checkbox for Allow Mode Delegation to enable mixed mode.

Enabling Policy Mode for a Rule

To set the policy mode for a particular rule, follow the steps below:

  1. Navigate to the Signatures tab and select the CRS version.

  2. Under RULE MODE, select the Use policy mode option.