The following section compares the two modes of WAF configuration policy.

Detection and Enforcement are the two modes supported for a WAF Policy in NSX Advanced Load Balancer. Every policy runs in one of these modes to evaluate the requests and responses.





Logs alerts during an attack, but no deny action is taken.

Rejects requests when a policy is matched and deny action is taken.


Evaluates the whole policy without stopping at the first rule hit.

Matches the first rule that rejects the request and implements the default action or returns a rule specific error code.

Log files

Contains the WAF log section where the policy violation was found and entries for every rule that is matched.

Contains WAF log section which has the first rule that rejected the request.


This is to improve performance. If a request is already identified as an attack, further checks are not required.

Response Code

200 OK

Default is 403 Forbidden. This response code can be modified in the WAF Profile Default Actions section.

Selecting a WAF Policy Mode

You can select one of the following modes. The supported modes are:

  • Detection: In Detection Mode, a rule gets processed, but will not perform a blocking action.

  • Enforcement: In Enforcement mode a rule gets processed and blocking actions are executed based on the defined default action. This Default Action is configured in the WAF Profile. By default, the WAF rejects requests with attack vectors and the corresponding log entry is marked as REJECTED.


When a Rule is configured using Use Policy Mode, the overall Policy Mode (either Enforcement or Detection) will be used.

Usage Recommendations

Follow the steps provided to enable a suitable mode for different usage scenarios.

For new applications:

  1. Create a virtual service for the application.

  2. Add WAF Policy in Detection mode.

  3. Iterate through false positive mitigation.

  4. Once no legitimate traffic is flagged by WAF, change to Enforcement mode.

For existing applications:

  1. Add WAF Policy in Detection mode.

  2. Iterate through false positive mitigation.

  3. Once no legitimate traffic is flagged by WAF, change to Enforcement mode.


The time taken for evaluating Detection mode depends on several factors such as total number of requests seen, paranoia mode, and application coverage of request.