If the WAF is working, uploading a file it treats as malicious (such as the EICAR test file) should return a 403 Forbidden page, or the request should otherwise be blocked.
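One way to run this check, as an added example that is not part of the original page: it sends a benign control upload and then the EICAR test file to the same endpoint and compares the responses. The function names, the `file` form field and the multipart upload format are assumptions about the application behind the WAF.

```python
import sys
import urllib.error
import urllib.request
import uuid

# Standard 68-byte EICAR test string (harmless). Split in two so that this
# source file is not itself quarantined by an endpoint scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"


def upload(url, payload, filename="test.bin", field="file", timeout=10):
    """POST payload as a multipart file upload; return HTTP status or None."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + payload + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 4xx/5xx responses still carry a status code
    except (urllib.error.URLError, OSError):
        return None              # reset, timeout or unreachable host


def waf_verdict(url, field="file"):
    """Compare a benign control upload with an EICAR upload to the same URL."""
    control = upload(url, b"plain text control file\n", "control.txt", field)
    if control is None or not 200 <= control < 300:
        # The endpoint rejects uploads in general (auth, wrong field name, ...),
        # so a 403 on the EICAR request would prove nothing about the WAF.
        return "inconclusive"
    status = upload(url, EICAR, "eicar.com", field)
    if status == 403:
        return "blocked"
    if status is not None and 200 <= status < 300:
        return "not blocked"
    return "inconclusive"  # dropped connection or other status: check WAF logs


if __name__ == "__main__" and len(sys.argv) == 2:
    print(waf_verdict(sys.argv[1]))
```

A verdict of `inconclusive` means the response alone does not show whether the WAF acted; the WAF's own log for the request settles it.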