diff --git a/calico-enterprise/threat/web-application-firewall.mdx b/calico-enterprise/threat/web-application-firewall.mdx
index 985779b19..19d41bfc1 100644
--- a/calico-enterprise/threat/web-application-firewall.mdx
+++ b/calico-enterprise/threat/web-application-firewall.mdx
@@ -342,7 +342,7 @@ For the ApplicationLayer custom resource to be valid, at least one of these feat
 
 #### Valid YAML
 
-WAF enabled, ALP disabled, and Log collection is unspecified (and the default is disabled)
+WAF disabled, ALP enabled (using per-host proxy), and Log collection is unspecified (and the default is disabled)
 
 ```yaml
 apiVersion: operator.tigera.io/v1