diff --git a/internal/nodes/http_request_waf.go b/internal/nodes/http_request_waf.go
index e2fb0b0..b801f4d 100644
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -53,7 +53,7 @@ func (this *HTTPRequest) doWAFRequest() (blocked bool) {
 func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFirewallPolicy) (blocked bool, breakChecking bool) {
 // 检查配置是否为空
- if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn {
+ if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Inbound == nil || !firewallPolicy.Inbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
 return
 }
@@ -221,7 +221,7 @@ func (this *HTTPRequest) doWAFResponse(resp *http.Response) (blocked bool) {
 }
 func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFirewallPolicy, resp *http.Response) (blocked bool) {
- if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn {
+ if firewallPolicy == nil || !firewallPolicy.IsOn || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {
 return
 }
diff --git a/internal/nodes/waf_manager.go b/internal/nodes/waf_manager.go
index ac3ab19..4ca3943 100644
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
@@ -61,6 +61,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 Id: strconv.FormatInt(policy.Id, 10),
 IsOn: policy.IsOn,
 Name: policy.Name,
+ Mode: policy.Mode,
 }
 // inbound
diff --git a/internal/waf/rule_set.go b/internal/waf/rule_set.go
index 7a0e40b..cfb6286 100644
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -1,6 +1,7 @@
 package waf
 import (
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 "github.com/TeaOSLab/EdgeNode/internal/remotelogs"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/lists"
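Review bot: The comment `// 检查配置是否为空` above the guard in checkWAFRequest (http_request_waf.go, first hunk) no longer describes the condition, because the added `firewallPolicy.Mode == firewallconfigs.FirewallModePass` term makes the function return before any inbound inspection for a policy that is configured but deliberately bypassed. The return is naked, so both `blocked` and `breakChecking` come back false; if the caller walks more than one policy (it is not visible here), checking presumably continues with the next one, which is worth stating. I would replace the comment with something like `// skip when the policy is missing, disabled, or in pass mode; blocked and breakChecking stay false`. The function body continues outside the hunk.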
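Review bot: In checkWAFResponse (http_request_waf.go, second hunk) the rewritten guard still reads `firewallPolicy.Outbound.IsOn` without checking `firewallPolicy.Outbound` for nil, whereas the inbound guard in checkWAFRequest does test `firewallPolicy.Inbound == nil`. If Outbound is a pointer, as Inbound appears to be, a policy with no outbound section would panic here on the response path. Since the line is being edited anyway, add the missing term: `if firewallPolicy == nil || !firewallPolicy.IsOn || firewallPolicy.Outbound == nil || !firewallPolicy.Outbound.IsOn || firewallPolicy.Mode == firewallconfigs.FirewallModePass {`. The function body continues outside the hunk.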
@@ -117,6 +118,10 @@ func (this *RuleSet) ActionCodes() []string {
 }
 func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Request, writer http.ResponseWriter) bool {
+ if waf.Mode != firewallconfigs.FirewallModeDefend {
+ return true
+ }
+
 // 先执行allow
 for _, instance := range this.actionInstances {
 if !instance.WillChange() {
diff --git a/internal/waf/waf.go b/internal/waf/waf.go
index 08c762c..3a744d2 100644
--- a/internal/waf/waf.go
+++ b/internal/waf/waf.go
@@ -2,6 +2,7 @@ package waf
 import (
 "errors"
+ "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
 "github.com/TeaOSLab/EdgeNode/internal/waf/checkpoints"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
@@ -15,12 +16,13 @@ import (
 )
 type WAF struct {
- Id string `yaml:"id" json:"id"`
- IsOn bool `yaml:"isOn" json:"isOn"`
- Name string `yaml:"name" json:"name"`
- Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
- Outbound []*RuleGroup `yaml:"outbound" json:"outbound"`
- CreatedVersion string `yaml:"createdVersion" json:"createdVersion"`
+ Id string `yaml:"id" json:"id"`
+ IsOn bool `yaml:"isOn" json:"isOn"`
+ Name string `yaml:"name" json:"name"`
+ Inbound []*RuleGroup `yaml:"inbound" json:"inbound"`
+ Outbound []*RuleGroup `yaml:"outbound" json:"outbound"`
+ CreatedVersion string `yaml:"createdVersion" json:"createdVersion"`
+ Mode firewallconfigs.FirewallMode `yaml:"mode" json:"mode"`
 DefaultBlockAction *BlockAction
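Review bot: The guard added at the top of PerformActions in internal/waf/rule_set.go, `if waf.Mode != firewallconfigs.FirewallModeDefend { return true }`, skips every action for any Mode other than defend, and that includes an unset Mode. If the zero value of FirewallMode is not FirewallModeDefend (its definition is not in this diff), a policy saved before the field existed, or a WAF decoded from YAML/JSON without a `mode` key, would still match rules but never act on them, so enforcement fails open without any signal. I would treat the zero value as defend, e.g. `if len(waf.Mode) > 0 && waf.Mode != firewallconfigs.FirewallModeDefend {` (assuming FirewallMode is string-based), or default it once in convertWAF in waf_manager.go where `Mode: policy.Mode` is copied. The guards in http_request_waf.go test `== FirewallModePass` while this one tests `!= FirewallModeDefend`, so an unrecognised mode value is likewise inspected but never enforced. The function body continues outside the hunk.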