This section discusses setting Up WAF in Anomaly Scoring mode.

Changing the Default Behavior of WAF Profile


A rule can have different disruptive actions. Most of the rules use block as the disruptive action. Block triggers the rule engine to execute the default action mentioned in the WAF Profile attached to the policy. This default action contains the deny action that then triggers the flag (Detection) or reject (Enforcement) of the request.

For example: Default Action phase:1,pass,status:403,log,auditlog.

The new default action needs to be pass. It needs to be changed for all phases of the WAF handling.

To modify the default action:

  1. From the NSX Advanced Load Balancer UI, navigate to Templates > WAF > WAF Profile.

  2. Click the Edit icon against the required policy.

  3. Modify the Default Actions in the Edit WAF Profile screen as shown below.

Changing individual thresholds and blocking of different threshold variables (by group, for example)

Threshold or score variable can be changed using Pre-CRS custom rule.

SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:tx.rfi_score_threshold=2"

For blocking by using different thresholds, a custom Post-CRS rule is required.


It is recommended to disable the CRS rule 949110, which denies the request on the overall score.

This following rule is for blocking the rule.

SecRule TX:RFI_SCORE "@ge %{tx.rfi_score_threshold}""msg:'Inbound
RFI-Anomaly Score Exceeded (Total Score: %{tx.rfi_score})',

This rule blocks only on the tx.rfi_score_threshold and the accumulated tx.rfi_score variable.

Similar rules can be created for all other groups of attacks.


Within ModSecurity language, the variable (for example, TX:RFI_SCORE) must be written with a “:” (colon).

In the Actions list and in the Operator, it is written using a . (dot). (For example, tx.rfi_score). If this is not done correctly, the rule will not match as intended.