This section explains how Anomaly Scoring mode works.

By default, WAF Policy can be configured to operate in either Detection mode or Enforcement mode. The policy flags or rejects a request based on the match of a rule. Alternatively, the Anomaly Scoring mode can be used. For more information, see WAF Mode and WAF Policy.


When using features like Anomaly Detection, the CRS Group CRS_901_Initialization must be enabled, without which the required anomaly thresholds are not configured to the defaults. It is recommended to keep this group enabled.