All Products
Search
Document Center

Web Application Firewall:WAF log fields

Last Updated:Apr 23, 2026

This document describes the proprietary fields in WAF logs.

Field index

The following table lists the fields available in WAF logs. You can search by field name to find a specific field.

Initial

Field

a

b

c

d

f

Final decision fields: final_action | final_plugin | final_rule_id | final_rule_type

h

i

Threat intelligence fields: intelligence_action | intelligence_rule_id | intelligence_test

m

Matched domain protected by WAF: matched_host

n

Normalization-related fields: normalized_action | normalized_rule_id | normalized_rule_type | normalized_test

q

Query string: querystring

r

s

t

Timestamp of the log entry: time

u

w

WAF actions

The following table describes all actions supported by WAF.

Actions

Description

block

Blocks the client request and returns a 405 page to the client.

captcha_strict

Presents a strict CAPTCHA challenge. If the client successfully completes the challenge, WAF passes the request; otherwise, WAF blocks the request. In this mode, every request from the client requires verification.

captcha

Presents a normal CAPTCHA challenge. If the client successfully completes the challenge, WAF passes all subsequent requests from that client for a specific period (30 minutes by default) without further verification. Otherwise, WAF blocks the request.

sigchl

Performs dynamic token verification. The client uses a WAF-provided web SDK to sign the request and includes the signature in the request. If the signature is valid, WAF forwards the request to the origin server. Otherwise, WAF returns a code snippet that requires the client to re-sign the request.

js

Initiates a JavaScript challenge. WAF returns JavaScript code that a standard browser executes automatically. If the client executes the code successfully, WAF passes all subsequent requests from that client for a specific period (30 minutes by default) without further challenges. Otherwise, WAF blocks the request.

pass

Forwards the client request to the origin server.

captcha_strict_pass

Indicates that the client passed the strict CAPTCHA challenge.

captcha_pass

Indicates that the client passed the normal CAPTCHA challenge.

sigchl_pass

Indicates that the client passed the dynamic token verification.

js_pass

Indicates that the client passed the JavaScript challenge.

mask

Masks sensitive data in the origin server's response before returning it to the client. This action is supported only by the sensitive data leakage prevention module.

continue

Allows the request to proceed to the next stage of evaluation. This action's behavior varies by protection module. For more information, see the descriptions of the normalized_action and wxbb_action fields.

Required fields

The following fields are included in every WAF log entry.

Parameter

Description

Example

acl_rule_type

The type of the matched rule in the IP address blacklist or custom protection policy (ACL). Valid values:

  • custom: Specifies a custom protection policy (ACL) rule.

  • blacklist: Specifies an IP address blacklist rule.

custom

bypass_matched_ids

The ID of the matched allow rule. Allow rules include whitelist rules and custom protection policy rules that are configured with the "Allow" action.

If a request matches multiple allow rules, this field contains a comma-separated list of all matched rule IDs.

283531

cc_rule_type

The type of the matched rule in the HTTP flood protection module or a custom protection policy (for HTTP flood protection). Valid values:

  • custom: Indicates custom protection policy (HTTP flood protection) rules.

  • system: Indicates an HTTP flood protection rule.

custom

content_type

The value of the Content-Type request header.

application/x-www-form-urlencoded

dst_port

The destination port of the request.

443

final_action

The final action that WAF performed on the request. Valid values:

  • block: Blocks the operation.

  • captcha_strict: Indicates strict CAPTCHA.

  • captcha: Indicates normal CAPTCHA.

  • sigchl: Indicates dynamic token authentication.

  • js: Indicates the JavaScript challenge.

For more information about WAF actions, see WAF actions.

This field is omitted if the request does not trigger any protection module, for example, if the request matches an allow rule or the client passes a captcha or JS verification.

If a request triggers multiple protection modules at the same time, only the final action performed is logged. The priority of actions from highest to lowest is: block (block) > strict CAPTCHA (captcha_strict) > normal CAPTCHA (captcha) > dynamic token verification (sigchl) > JavaScript challenge (js).

block

final_plugin

The protection module that performed the final action (final_action). Valid values:

  • waf: Rules engine

  • deeplearning: Deep learning engine

  • dlp: Data Loss Prevention (DLP)

  • account: Account security

  • normalized: Proactive defense

  • acl: IP address blacklist and custom protection policy (ACL)

  • cc: HTTP flood protection and custom protection policy (HTTP flood)

  • antiscan: Scan protection

  • scene: Scenario-based protection

  • antifraud: Anti-fraud

  • intelligence: Crawler threat intelligence

  • algorithm: Crawler behavior recognition

  • wxbb: App protection

You can configure these protection modules in the WAF console on the Protection Configurations > Website Protection page. For more information about these modules, see Overview of website protection configurations.

This field is omitted if the request does not trigger any protection module, for example, if the request matches an allow rule or the client passes a captcha or JS verification.

If a request simultaneously triggers multiple protection modules, only the protection module corresponding to the final action (final_action) is logged.

waf

final_rule_id

The ID of the protection rule that WAF finally applies to a client request. The rule is the one that corresponds to final_action.

115341

final_rule_type

The subtype of the protection rule (final_rule_id) that WAF finally applies to a client request.

For example, under the final_plugin:waf type, there are granular rule types such as final_rule_type:sqli and final_rule_type:xss.

xss/webshell

host

The value of the Host request header, which specifies the requested domain name or IP address.

api.example.com

http_referer

The value of the Referer request header, which specifies the source URL of the request.

If the request contains no source URL information, this field displays -.

http://example.com

http_user_agent

The value of the User-Agent request header, which contains information about the client's browser and operating system.

Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86 Build/QSR1.200715.002)

http_x_forwarded_for

The value of the X-Forwarded-For (XFF) request header. This header identifies the original IP address of a client that connects to a web server through a proxy server or load balancer.

47.100.XX.XX

https

Indicates whether the request uses HTTPS.

  • If the value is on, the request is an HTTPS request.

  • If the field is empty, the request is an HTTP request.

on

matched_host

The protected domain name that the request matched.

Note

WAF supports wildcard domain names. For example, if you add *.aliyun.com to WAF as a protected domain name, a request for www.aliyun.com matches this entry.

*.aliyun.com

real_client_ip

The client's real IP address, as determined by WAF's request analysis.

If WAF cannot determine the real client IP (for example, because the request is sent from a proxy server or the IP field in the request header is incorrect), the field displays -.

192.0.XX.XX

request_length

The size of the client request, including the request line, request header, and request body. Unit: byte.

111111

request_method

The HTTP method of the client request.

GET

request_time_msec

The time WAF takes to process a client request. Unit: millisecond.

44

request_traceid

A unique identifier that WAF generates for the client request.

7837b11715410386943437009ea1f0

request_uri

The request path and query string.

/news/search.php?id=1

server_protocol

The protocol used for the connection between the client and WAF.

HTTP/1.1

status

The HTTP status code that WAF returns to the client. For example, 200 (indicates a successful request).

200

src_port

The source port of the connection to WAF.

If the client connects directly to WAF, this field indicates the client's port. If another Layer 7 proxy (such as a CDN) is deployed in front of WAF, this field indicates the port of the upstream proxy.

80

src_ip

The source IP address of the connection to WAF.

If the client connects directly to WAF, this field indicates the client's IP address. If another Layer 7 proxy (such as a CDN) is deployed in front of WAF, this field indicates the IP address of the upstream proxy.

198.51.XX.XX

start_time

The time the client request was initiated, as a Unix timestamp. Unit: second.

1696534058

time

The time when the client request is initiated. It is expressed in the ISO 8601 standard and must be in UTC, in the format yyyy-MM-ddTHH:mm:ss+08:00.

2018-05-02T16:03:59+08:00

upstream_addr

The IP address and port of the origin server. The format is IP:Port. Use a comma (,) to separate multiple records.

198.51.XX.XX:443

upstream_response_time

The time elapsed from when the origin server responds to WAF's request until WAF forwards the response to the client. Unit: second.

0.044

upstream_status

The HTTP status code that the origin server returns in response to a WAF request to origin. For example, 200 indicates that the request was successful.

200

Optional fields

Optional fields are fields that you can choose to include in WAF logs. WAF records only the optional fields that you have enabled.

Enabling optional fields consumes more storage capacity. If you have sufficient storage capacity, we recommend enabling more optional fields for more comprehensive log analysis. For more information about how to configure optional fields, see Modify log settings.

Parameter

Description

Example

acl_action

The action taken on a request that matches an IP address blacklist rule or a custom protection policy (access control list (ACL)) rule. Valid values:

  • block: Blocks the action.

  • captcha_strict: Indicates strict CAPTCHA.

  • captcha: Indicates normal CAPTCHA.

  • js: Specifies a JavaScript challenge.

  • captcha_strict_pass: Indicates that the client passed the strict CAPTCHA, and WAF passes the client request.

  • captcha_pass: Indicates that the client passed the normal CAPTCHA, and WAF passes the client request.

  • js_pass: Indicates that the client passed the JavaScript challenge, and WAF passes the client request.

For more information about WAF actions, see WAF actions.

block

acl_rule_id

The ID of the matched IP address blacklist rule or custom protection policy (access control list (ACL)) rule.

151235

acl_test

The protection mode of the matched IP address blacklist rule or custom protection policy (access control list (ACL)) rule. Valid values:

  • true: Indicates observation mode, where the system only records logs and does not trigger any actions, such as blocking.

  • false: Specifies prevention mode, where WAF performs actions such as blocking on requests that match protection rules.

false

algorithm_action

The action taken on a request that matches a typical crawler behavior rule. Valid values:

  • block: Blocks the action.

  • captcha: Indicates normal CAPTCHA.

  • js: Indicates a JavaScript challenge.

  • captcha_pass: Indicates that the client has passed the normal CAPTCHA, and WAF passes the client request.

  • js_pass: Indicates that the client passed the JavaScript challenge, and WAF passes the client request.

For more information about WAF actions, see WAF actions.

block

algorithm_rule_id

The ID of the matched typical crawler behavior rule.

151235

algorithm_test

The protection mode of the matched typical crawler behavior rule. Valid values:

  • true: Enables observation mode. The system only records logs and does not trigger actions such as blocking.

  • false: In prevention mode, WAF performs actions, such as blocking, on requests that match the protection rules.

false

antifraud_action

The action taken on a request that matches a data risk control rule. Valid values:

  • pass: The request is passed.

  • block: Blocks access.

  • captcha: Indicates normal CAPTCHA.

For more information about WAF actions, see WAF actions.

block

antifraud_test

The protection mode of the matched data risk control rule. Valid values:

  • true: Enables observation mode. In this mode, only logs are recorded and no protective actions, such as blocking, are triggered.

  • false: Prevention mode. WAF performs actions such as blocking on requests that match protection rules.

false

antiscan_action

The action for the scan protection rule that is matched by a client request. The value can only be block, which blocks the request.

For more information about WAF actions, see WAF actions.

block

antiscan_rule_id

The ID of the matched scan protection rule.

151235

antiscan_rule_type

The type of the matched scan protection rule. Valid values:

  • highfreq: Specifies the blocking rule for high-frequency web attacks.

  • dirscan: Specifies the directory traversal protection rule.

  • scantools: Indicates the blocking rules for scanning tools.

  • collaborative: Indicates collaborative defense rules.

highfreq

antiscan_test

The protection mode of the matched scan protection rule. Valid values:

  • true: Specifies observation mode. In this mode, only logs are recorded and actions such as blocking are not triggered.

  • false: Indicates prevention mode. In this mode, WAF performs actions, such as block, on requests that match protection rules.

false

block_action

Important

This field is deprecated due to a WAF feature upgrade and is replaced by the new final_plugin field. If you use block_action in your services, replace it with final_plugin as soon as possible.

The WAF protection module that triggered the block action. These values map to the values of the final_plugin field as follows:

  • tmd: Indicates HTTP flood protection, which corresponds to setting the final_plugin parameter to cc.

  • waf: Stands for Web Application Firewall, which corresponds to the final_plugin parameter being set to waf.

  • acl: Specifies precise access control, corresponding to the final_plugin parameter value acl.

  • deeplearning: Indicates the deep learning engine and corresponds to the value deeplearning for the final_plugin parameter.

  • antiscan: Represents scan protection and corresponds to the value antiscan for the final_plugin parameter.

  • antifraud: Represents data risk control, which corresponds to setting the final_plugin parameter to antifraud.

  • antibot: Indicates bot blocking. This occurs when the final_plugin parameter is set to intelligence, algorithm, wxbb, or scene.

waf

body_bytes_sent

The size of the response body, excluding the response header. Unit: bytes.

1111

cc_action

The action taken on a request that matches an HTTP flood protection rule or a custom protection policy (for HTTP flood protection) rule. Valid values:

  • block: Block.

  • captcha: Indicates normal CAPTCHA.

  • js: Specifies a JavaScript challenge.

  • captcha_pass: The client passed the normal CAPTCHA, and WAF passes the client request.

  • js_pass: The client has passed the JavaScript challenge, and the WAF passes the client request.

For more information about WAF actions, see WAF actions.

block

cc_rule_id

The ID of the matched HTTP flood protection rule or custom protection policy (for HTTP flood protection) rule.

151234

cc_test

The protection mode of the matched HTTP flood protection rule or custom protection policy (for HTTP flood protection) rule. Valid values:

  • true: Specifies observation mode, in which the system only records logs and does not trigger actions such as blocking.

  • false: Specifies prevention mode, where WAF performs actions such as blocking on requests that match protection rules.

false

deeplearning_action

The action that is triggered when a client request matches a deep learning engine rule. The only value is block, which indicates that the request is blocked.

For more information about WAF actions, see WAF actions.

block

deeplearning_rule_id

The ID of the matched deep learning engine rule.

151238

deeplearning_rule_type

The type of the matched deep learning engine rule. Valid values:

  • xss: Refers to the cross-site scripting protection rule.

  • code_exec: Indicates a code execution protection rule.

  • webshell: Indicates the webshell protection rules.

  • sqli: Indicates SQL injection protection rules.

  • lfilei: Indicates the protection rule for Local File Inclusion.

  • rfilei: Indicates the protection rule for Remote File Inclusion.

  • other: Indicates other protection rules.

xss

deeplearning_test

The protection mode of the matched deep learning engine rule. Valid values:

  • true: Specifies observation mode, where only logs are recorded and no actions such as blocking are triggered.

  • false: Indicates prevention mode, in which WAF blocks requests that match protection rules.

false

dlp_action

The action taken on a request that matches a data leakage prevention (DLP) rule. Valid values:

  • block: Blocks.

  • mask: Masks sensitive information.

For more information about WAF actions, see WAF actions.

mask

dlp_rule_id

The ID of the matched data leakage prevention (DLP) rule.

151245

dlp_test

The protection mode of the matched data leakage prevention (DLP) rule. Valid values:

  • true: Enables observation mode, in which the system only records logs and does not trigger actions such as blocking.

  • false: Indicates prevention mode. WAF performs protective actions, such as blocking, on requests that match the protection rules.

false

intelligence_action

The action taken on a request that matches a bot threat intelligence rule. Valid values:

  • block: Indicates a block.

  • captcha_strict: Indicates strict CAPTCHA.

  • captcha: Indicates normal CAPTCHA.

  • js: Specifies a JavaScript challenge.

  • captcha_strict_pass: The client passed the strict CAPTCHA, and WAF passes the client request.

  • captcha_pass: Indicates that the client passed the normal CAPTCHA and WAF passes the client request.

  • js_pass: Indicates that the client passed the JavaScript challenge and WAF passes the client request.

For more information about WAF actions, see WAF actions.

block

intelligence_rule_id

The ID of the matched bot threat intelligence rule.

152234

intelligence_test

The protection mode of the matched bot threat intelligence rule. Valid values:

  • true: Specifies observation mode, in which only logs are recorded and no blocking or other actions are triggered.

  • false: Indicates prevention mode. WAF executes actions, such as blocking, on requests that match the protection rules.

false

normalized_action

The action taken on a request that matches a positive security model rule. Valid values:

  • block: The request is abnormal and is blocked by the proactive defense module.

  • continue: indicates that no anomalies are detected in the request, and the proactive defense module passes the request.

For more information about WAF actions, see WAF actions.

block

normalized_rule_id

The ID of the matched positive security model rule.

151266

normalized_rule_type

The component of the request that matched a positive security model rule, indicating a deviation from the established baseline. Valid values:

  • User-Agent: Indicates the User-Agent baseline rule (i.e., the User-Agent field of the request header is outside the baseline range. Other rule types are defined similarly).

  • Referer: Indicates the Referer baseline rule.

  • URL: Specifies the URL baseline rule.

  • Cookie: Represents the Cookie baseline rule.

  • Body: Specifies the Body baseline rule.

User-Agent

normalized_test

The protection mode of the matched positive security model rule. Valid values:

  • true: Indicates observation mode, which only records logs and does not trigger actions such as blocking.

  • false: Indicates prevention mode, in which WAF performs actions, such as blocking, on requests that match protection rules.

false

querystring

The query string of the request URL, which is the part after the question mark (?).

title=tm_content%3Darticle&pid=123

region

The ID of the region where the WAF instance is deployed. Valid values:

  • cn: Represents the Chinese mainland.

  • int: Indicates regions outside the Chinese mainland.

cn

remote_addr

The source IP address of the connection to WAF.

If a client connects to WAF directly, this field indicates the client IP address. If a Layer 7 proxy, such as a Content Delivery Network (CDN) instance, is deployed in front of WAF, this field indicates the IP address of the proxy.

198.51.XX.XX

remote_port

The source port of the connection to WAF.

If a client connects to WAF directly, this field indicates the client port. If a Layer 7 proxy, such as a CDN instance, is deployed in front of WAF, this field indicates the port of the proxy.

80

request_body

The request body.

i am the request body, encrypted or not!

request_path

The path of the request URL, which is the part after the domain name and before the question mark (?).

/news/search.php

scene_action

The action taken on a request that matches a scenario-specific configuration rule. Valid values:

  • block: Indicates a block.

  • captcha: Indicates normal CAPTCHA.

  • sigchl: Indicates dynamic token authentication.

  • js: Specifies a JavaScript challenge.

  • captcha_pass: Indicates that the client passed the normal CAPTCHA, and WAF passes the client request.

  • sigchl_pass: Indicates that the client passed dynamic token authentication and WAF passes the client request.

  • js_pass: The client passed the JavaScript challenge, and WAF passes the client request.

For more information about WAF actions, see WAF actions.

block

scene_id

The scenario ID of the matched scenario-specific configuration rule.

151235

scene_rule_id

The ID of the matched scenario-specific configuration rule.

153678

scene_rule_type

The type of the matched scenario-specific configuration rule. Valid values:

  • bot_aialgo: Indicates AI-powered protection rules.

  • js: Specifies a simple script filtering rule.

  • intelligence: Represents matching against the crawler threat intelligence database and blocking rules based on the IDC blacklist.

  • sdk: Represents rules for signature anomalies of apps with the SDK integrated and device feature anomalies.

  • cc: Indicates IP rate limiting and custom session rate limiting rules.

  • sigchl: Specifies the dynamic token challenge rule.

bot_aialgo

sigchl_invalid_type

The reason a request was flagged as anomalous during a dynamic token authentication challenge. Valid values:

  • sigchl_invalid_sig: Signature verification failed. Common failure reasons include:

    • The request does not include a signature.

    • The parameters used for signing do not match the actual content received by WAF.

  • sigchl_is_replay: Indicates an invalid signature timestamp, which may be a replay attack.

  • sigchl_is_driver: Indicates a WebDriver attack.

sigchl_invalid_sig

scene_test

The protection mode of the matched scenario-specific configuration rule. Valid values:

  • true: Enables observation mode, in which only logs are recorded and no actions, such as blocking, are triggered.

  • false: In prevention mode, WAF performs an action, such as blocking, on requests that match the protection rules.

false

server_port

The WAF port that received the request.

443

ssl_cipher

The cipher suite that is used by the client request.

ECDHE-RSA-AES128-GCM-SHA256

ssl_protocol

The SSL/TLS protocol and version that are used by the client request.

TLSv1.2

ua_browser

The name of the browser that sent the request.

Important

This field has not been supported in WAF logs since December 15, 2021 (the field is not recorded in WAF logs even if you enable this optional field in Log Settings). We recommend that you use the http_user_agent (required field) to obtain User-Agent information for client requests.

ie9

ua_browser_family

The family of the browser that sent the request.

Important

WAF logs have not supported this field since December 15, 2021. (Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs). We recommend that you use the http_user_agent field (a required field) to obtain the User-Agent information of client requests.

internet explorer

ua_browser_type

The type of the browser that sent the request.

Important

WAF logs have not supported this field since December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain the User-Agent of client requests.

web_browser

ua_browser_version

The version of the browser that sent the request.

Important

This field is no longer supported in WAF logs as of December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain User-Agent information from client requests.

9.0

ua_device_type

The device type of the client that sent the request.

Important

WAF logs have not supported this field since December 15, 2021 (even if you enable this optional field in Log Settings, the field is not recorded in WAF logs). We recommend that you use the http_user_agent (required field) to obtain information about the User-Agent from client requests.

computer

ua_os

The operating system of the client that sent the request.

Important

Support for this field in WAF logs was discontinued on December 15, 2021. Even if you enable this optional field in Log Settings, the field is not recorded in WAF logs. We recommend that you use the http_user_agent field (a required field) to obtain User-Agent information from client requests.

windows_7

ua_os_family

The operating system family of the client that sent the request.

Important

As of December 15, 2021, this field is deprecated and is no longer recorded in WAF logs, even if you enable it as an optional field in Log Settings. We recommend that you obtain User-Agent information for client requests from the http_user_agent field, which is a required field.

windows

user_id

The ID of the Alibaba Cloud account that owns the WAF instance.

17045741********

waf_action

The action that is taken when a client request matches a rule in the protection rules engine. The value can only be block, which means to block the request.

For more information about WAF actions, see WAF actions.

block

waf_rule_id

The ID of the matched protection rules engine rule.

113406

waf_rule_type

The type of the matched protection rules engine rule. Valid values:

  • sqli: SQL injection

  • xss: cross-site scripting (XSS)

  • code_exec: code execution

  • crlf: CRLF injection

  • lfilei: local file inclusion (LFI)

  • rfilei: remote file inclusion (RFI)

  • webshell: webshell

  • csrf: cross-site request forgery (CSRF)

  • other: other attack types

  • cmdi: OS command injection

  • expression_injection: expression language injection

  • java_deserialization: Java deserialization

  • php_deserialization: PHP deserialization

  • ssrf: server-side request forgery (SSRF)

  • path_traversal: path traversal

  • protocol_violation: protocol violation

  • arbitrary_file_uploading: arbitrary file upload

  • dot_net_deserialization: .NET deserialization

  • scanner_behavior: scanner behavior

  • logic_flaw: business logic vulnerability

  • arbitrary_file_reading: arbitrary file read

  • arbitrary_file_download: arbitrary file download

  • xxe: XML external entity (XXE) injection

xss

waf_test

The protection mode of the matched protection rules engine rule. Valid values:

  • true: Enables observation mode, which only records logs and does not trigger actions such as blocking.

  • false: Indicates prevention mode, where WAF performs actions such as blocking on requests that match protection rules.

false

wxbb_action

The action taken on a request that matches an app protection rule. Valid values:

  • block: The App protection module blocks requests that fail signature verification.

  • captcha: Indicates normal CAPTCHA.

  • js: Indicates a JavaScript challenge.

  • continue: The signature verification is successful, and the App protection module passes the request.

For more information about WAF actions, see WAF actions.

block

wxbb_invalid_wua

The reason an app protection rule flagged a request as anomalous. Valid values:

  • wxbb_simulator: Indicates that a simulator is used.

  • wxbb_proxy: Indicates that a proxy is used.

  • wxbb_root: Specifies the Root device.

  • wxbb_hook: Indicates a hooking behavior.

  • wxbb_antireplay: Indicates a replay attack on the signature string (wToken).

  • wxbb_virtual: Indicates that an app integrated with the WAF SDK is running in multiple instances on the device.

  • wxbb_debugged: Indicates that the device is in debug mode.

  • wxbb_invalid_sign: Indicates that the signature verification failed.

    Common causes:

    • The request does not include a signature.

    • The parameters passed for signature generation are inconsistent with the actual content received by the WAF. For example, the signing parameters are a=1&b=2, but the WAF receives the request parameters as b=2&a=1. In another case, the signing parameters are not encoded, but the request received by the WAF is Base64-encoded.

wxbb_invalid_sign

wxbb_rule_id

The ID of the matched app protection rule.

156789

wxbb_test

The protection mode of the matched app protection rule. Valid values:

  • true: Enables observation mode, which only records logs and does not trigger actions such as blocking.

  • false: Indicates prevention mode, where WAF performs actions such as blocking on requests that match protection rules.

false