1) WAF is not supported when deployed inline.
2) WAF not supported if NAT/traffic is not terminated on the firewall
Ticket reported : [#7882861] WAF requirment
Sten Freund commented
1. you can use the WAF from the internal Network.
you must only change the Hosted Address Port to your Lan port and change the DNS for the Reverseproxy URL to the XG Firewall.