Firewall filtering


There are troubling logs on my site. Strings that are injection attempts that get passed the WAF.
I see strings like:





Which are from injection attempts that I was expecting the WAF to filter or block but they get to the log which means they pass the WAF.

What am I missing here? Isn’t this something I should get by default when WAF is enabled?