Help Center/ Config/ User Guide/ Resource Compliance/ Built-In Policies/ Web Application Firewall/ Protective Action for WAF Instance Protection Policies Must Be "Block"
Updated on 2025-08-25 GMT+08:00

Protective Action for WAF Instance Protection Policies Must Be "Block"

Rule Details

Table 1 Rule details

Parameter

Description

Rule Name

waf-instance-enable-block-policy

Identifier

Protective Action for WAF Instance Protection Policies Must Be "Block"

Description

If the protective action for a WAF instance protection policy is not Block, the check result is non-compliant.

Tag

waf

Trigger Type

Configuration change

Filter Type

waf.instance

Rule Parameters

None

Application Scenarios

Web protection has two modes: Block and Log only. In Log only mode, WAF logs attacks only. In Block mode, WAF blocks and records every attack detected. For details, see Protection Configuration Overview.

Solution

Set the protective action of a WAF instance protection policy to Block.

Normal traffic of the protected website may be blocked by the built-in rules of WAF. You can configure a global whitelist to avoid this. For details, see Configuring a Global Protection Whitelist Rule to Ignore False Alarms.

Rule Logic

  • If the protective action for a WAF instance protection policy is not Block, the check result is non-compliant.
  • If the protective action for a WAF instance protection policy is Block, the check result is compliant.