Development version. This documentation is for unreleased features on the main branch. View the latest stable documentation.

Configuring Failure Policies

Choose how the WAF behaves when it is not ready or encounters errors.

The Engine failurePolicy field determines how traffic is handled when the WAF is not ready or encounters an error during rule evaluation.

Available Policies

Policy	Behavior
`fail` (default)	Block all traffic when the WAF is not ready or encounters an error. This prioritizes security.
`allow`	Allow traffic through when the WAF is not ready or encounters an error. This prioritizes availability.

Setting the Failure Policy

apiVersion: waf.k8s.coraza.io/v1alpha1
kind: Engine
metadata:
  name: my-engine
spec:
  failurePolicy: fail
  ruleSet:
    name: my-ruleset
  target:
    type: Gateway
    name: my-gateway
    provider: Istio

When to Use Each Policy

Use `fail` when:

Security is the highest priority.
You prefer to block traffic rather than risk allowing unfiltered requests.
The application behind the Gateway can tolerate brief outages during WAF startup or rule updates.

Use `allow` when:

Availability is the highest priority.
You prefer to serve traffic unfiltered rather than block it during WAF startup.
The WAF provides defense-in-depth alongside other security controls.

Changing the Policy

You can change the failure policy on an existing Engine at any time:

kubectl patch engine my-engine -n my-namespace \
  --type merge \
  -p '{"spec":{"failurePolicy":"allow"}}'

The change takes effect at the next reconciliation cycle.