Step 6: Navigate to Application Firewall > Policies and change the action from reset/drop to the new custom action.
If you wish to display a block page instead, create a new action with HTTP Block Page. You can either insert text in the content or html markup to customize it further. Select the action under the Policy to use the new HTTP Block Page action.
Blocking All Websites except a Select Few with Application Firewall
Building a list of only allowed websites is often easier than creating a list of blocked sites for many organizations. A common request is to create a white list of allowed domains and deny everything else. Application Firewall gives you the ability to do this, as well as creating different lists and applying them to different groups/users. The process is virtually identical to the steps shown above with one slight exception. Under the Application Object select the box for Negative Matching. In the below example, only domains that match monster, jobs, facebook, and myspace would be allowed. All other domains will be denied.
49