A scenario that enterprise systems may implement is to limit access to a web server restricting the users. Currently, the WAF offers the functionality of limiting access to a site by only allowing specific IP addresses or by a client-side certificate. However, for the same service, both options cannot be used. A web service can have only one layer, either IP address check or a client-side check.
The scenario in this case would be that a client must provide one of two options. Either provide an IP address for whitelisting, or if that is not feasible, provide a client-side certificate. Currently, this is not possible in WAF.