WAF Policy can be configured to operate in either Detection or Enforcement mode.

With the Mode Delegation option on NSX Advanced Load Balancer, the policies can be enabled to operate in the following two modes:

  • Detection

  • Enforcement

In Detection mode, if a request matches a rule, the request is flagged with an application log message (marked FLAGGED) and allowed through.

In Enforcement mode, if a request matches a rule, it is blocked by the NSX Advanced Load Balancer Service Engine, and an application log message (marked REJECTED) is generated.

With Mode Delegation, individual WAF rules can override the Policy Mode, resulting in behavior that differs from the rest of the rules. This is also sometimes called mixed mode, and is another way of fine-tuning the policy so that legitimate requests are not blocked because of Enforcement mode.

Use Cases

The following section discusses a few use cases relevant to enabling Mode Delegation:

  1. Test new rules: You can configure manually written rules or new CRS rule updates with mixed mode enabled to avoid false positives. New rules can be introduced in Detection mode to ensure that legitimate requests are not rejected while the rest of the policy stays in Enforcement mode.

  2. Partial Detection: You can configure a few rules in Enforcement mode, while still retaining the whole WAF Policy in Detection mode.
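The decision logic described above (policy mode, per-rule override, and the FLAGGED/REJECTED log outcomes) and both use cases, as an added example that is not part of the original page and not the product's own code or API: a small Python model of mode delegation. The `WafPolicy`/`WafRule` structures, the regex-based rule matching and the sample requests are constructed assumptions used only to illustrate how the effective mode of a rule is chosen.

```python
"""Model of WAF Policy Mode Delegation (mixed mode).

Constructed example: the data structures, rule patterns and requests below are
assumptions for illustration, not the product's data model or REST API.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DETECTION = "DETECTION"
ENFORCEMENT = "ENFORCEMENT"


@dataclass
class WafRule:
    rule_id: int
    pattern: str                # constructed regex matched against the request line
    mode: Optional[str] = None  # None models "Use Policy Mode" (no per-rule override)


@dataclass
class WafPolicy:
    mode: str                   # DETECTION or ENFORCEMENT
    allow_mode_delegation: bool
    rules: List[WafRule] = field(default_factory=list)


def effective_mode(policy: WafPolicy, rule: WafRule) -> str:
    """A rule's own mode only takes effect when the policy allows delegation;
    otherwise every rule inherits the Policy Mode."""
    if policy.allow_mode_delegation and rule.mode is not None:
        return rule.mode
    return policy.mode


def evaluate(policy: WafPolicy, request_line: str) -> Tuple[str, List[str]]:
    """Return (action, log_entries) for one request.

    A hit on a rule whose effective mode is DETECTION is logged as FLAGGED and
    evaluation continues; a hit in ENFORCEMENT is logged as REJECTED and the
    request is blocked immediately."""
    logs = []
    for rule in policy.rules:
        if re.search(rule.pattern, request_line):
            mode = effective_mode(policy, rule)
            if mode == ENFORCEMENT:
                logs.append(f"REJECTED rule={rule.rule_id} mode={mode}")
                return "BLOCK", logs
            logs.append(f"FLAGGED rule={rule.rule_id} mode={mode}")
    return "ALLOW", logs


# Constructed rules: 1000 inherits the policy mode, 2000 carries its own override.
RULES = [
    WafRule(rule_id=1000, pattern=r"<script"),                      # Use Policy Mode
    WafRule(rule_id=2000, pattern=r"\.\./", mode=ENFORCEMENT),      # per-rule override
]

# Constructed sample requests.
REQ_XSS = "GET /search?q=<script>"
REQ_TRAVERSAL = "GET /files?name=../../etc/passwd"
REQ_CLEAN = "GET /index.html"


def partial_detection() -> dict:
    """Use case 2: policy stays in Detection, but rule 2000 enforces."""
    policy = WafPolicy(DETECTION, allow_mode_delegation=True, rules=RULES)
    return {name: evaluate(policy, req)[0]
            for name, req in (("xss", REQ_XSS), ("traversal", REQ_TRAVERSAL), ("clean", REQ_CLEAN))}


def delegation_disabled() -> dict:
    """Same rules, but without Allow Mode Delegation the override is ignored."""
    policy = WafPolicy(DETECTION, allow_mode_delegation=False, rules=RULES)
    return {name: evaluate(policy, req)[0]
            for name, req in (("xss", REQ_XSS), ("traversal", REQ_TRAVERSAL))}


def test_new_rule() -> Tuple[str, List[str]]:
    """Use case 1: policy enforces, a newly added rule runs in Detection only."""
    new_rule = WafRule(rule_id=3000, pattern=r"index\.html", mode=DETECTION)
    policy = WafPolicy(ENFORCEMENT, allow_mode_delegation=True, rules=RULES + [new_rule])
    return evaluate(policy, REQ_CLEAN)


if __name__ == "__main__":
    print("partial detection:", partial_detection())
    print("delegation disabled:", delegation_disabled())
    print("new rule in detection:", test_new_rule())
```

Running the block shows the three situations side by side: with delegation enabled the traversal request is blocked by rule 2000 even though the policy is in Detection mode, while the same request is only flagged once `allow_mode_delegation` is False; and a new rule set to Detection inside an Enforcement policy produces a FLAGGED entry without rejecting the request.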

Enabling Mode Delegation

  1. In NSX Advanced Load Balancer UI, navigate to Templates > WAF > WAF Policy.

  2. Click Create, or edit an existing WAF Policy.

  3. In the Settings tab, under Policy Mode, select the checkbox for Allow Mode Delegation to enable mixed mode.

Enabling Policy Mode for a Rule

To enable Policy Mode for a specific rule:

  1. Navigate to the Signatures tab and select the CRS Version.

  2. Expand the Group that the Rule to be edited is part of.

  3. Click the edit icon for the Rule to be edited.

  4. Under Rule Mode, select the option Use Policy Mode.

  5. Click Save.