WAFs commonly block SQL keywords to prevent SQL injection, so it still holds that the WAF could do it.