From 4547581d19da3194324d5e94ce4e82ed6e2e9e14 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Thu, 2 Oct 2025 16:57:59 +0100 Subject: [PATCH] feat: Minor WAF fixes Closes #1199, #1210, #1214, #125, #1218, #1219 --- content/includes/waf/table-policy-features.md | 6 +++--- content/waf/fundamentals/overview.md | 6 +++--- content/waf/fundamentals/technical-specifications.md | 2 +- content/waf/policies/geolocation.md | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/includes/waf/table-policy-features.md b/content/includes/waf/table-policy-features.md index 876993a48..464856a56 100644 --- a/content/includes/waf/table-policy-features.md +++ b/content/includes/waf/table-policy-features.md 
@@ -13,13 +13,13 @@ | [Deny and Allow IP lists]({{< ref "/waf/policies/deny-allow-ip.md" >}}) | Manually define denied & allowed IP addresses as well as IP addresses to never log. | | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default | | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. | -| [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | | -| [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | | +| [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | +| [GraphQL protection]({{< ref "/waf/policies/graphql-protection.md" >}}) | GraphQL protection allows you to configure enforcement for GraphQL, an API query language. | | [gRPC protection]({{< ref "/waf/policies/evasion-techniques.md" >}}) | gRPC protection detects malformed content, parses well-formed content, and extracts the text fields for detecting attack signatures and disallowed meta-characters. In addition, it enforces size restrictions and prohibition of unknown fields. The Interface Definition Language (IDL) files for the gRPC API must be attached to the profile. gRPC protection is available for unary or bidirectional traffic. | | [HTTP compliance]({{< ref "/waf/policies/http-compliance.md" >}}) | All HTTP protocol compliance checks are enabled by default except for GET with body and POST without body. It is possible to enable any of these two. Some of the checks enabled by default can be disabled, but others, such as bad HTTP version and null in request are performed by the NGINX parser and NGINX App Protect WAF only reports them. 
These checks cannot be disabled. | | [IP address lists]({{< ref "/waf/policies/ip-address-lists.md" >}}) | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. | | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. | -| [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | | +| [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. | | [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. | | [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. | | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. | diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md index 2d4d019be..9eaa40541 100644 --- a/content/waf/fundamentals/overview.md +++ b/content/waf/fundamentals/overview.md 
@@ -28,12 +28,12 @@ It is platform-agnostic and supports a range of deployment options: 1. [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md" >}}) - NGINX and WAF components operate on the host system - Ideal for existing NGINX virtual environments -1. [Kubernetes]({{< ref "/waf/install/kubernetes.md" >}}) - - Integrates NGINX and WAF components in a single pod - - Ideal for scalable, cloud-native environments 1. [Docker]({{< ref "/waf/install/docker.md" >}}) - NGINX and WAF components are deployed as containers - Ideal for environments with multiple deployment stages +1. [Kubernetes]({{< ref "/waf/install/kubernetes.md" >}}) + - Integrates NGINX and WAF components in a single pod + - Ideal for scalable, cloud-native environments For more details, see the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}). diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md index 03641c6e1..4ff64b097 100644 --- a/content/waf/fundamentals/technical-specifications.md +++ b/content/waf/fundamentals/technical-specifications.md @@ -30,8 +30,8 @@ You can deploy F5 WAF for NGINX in the following environments: | Amazon Linux | 2023 | | Debian | 11, 12 | | Oracle Linux | 8.1 | -| Ubuntu | 22.04, 24.04 | | RHEL / Rocky Linux | 8, 9 | +| Ubuntu | 22.04, 24.04 | For release-specific packages, view the [Changelog]({{< ref "/waf/changelog.md" >}}). diff --git a/content/waf/policies/geolocation.md b/content/waf/policies/geolocation.md index 0e1e70def..5c0f61c2d 100644 --- a/content/waf/policies/geolocation.md +++ b/content/waf/policies/geolocation.md @@ -66,7 +66,7 @@ In the "_override-rules_" section there is one override rule named "_myFirstRule ```json { - "policy": {T + "policy": { "name": "override_rule_example", "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, "enforcementMode": "blocking",
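Review bot: In content/includes/waf/table-policy-features.md, the new Geolocation description says enforcement is "based on the location of an object", which does not tell the reader what is being located. Name the thing whose two-letter ISO country code the policy evaluates, so the row describes what is enforced. In the same hunk, the unchanged gRPC protection row links to /waf/policies/evasion-techniques.md, the same target as the Evasion techniques row above it. That looks like a copy-paste error and is worth correcting while the table is being edited.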
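Review bot: In content/waf/fundamentals/overview.md, the deployment list after the move reads Virtual machine or bare metal, Docker, Kubernetes, which follows no ordering rule that the patch states. It is not alphabetical, although the operating-system table in technical-specifications.md is put into alphabetical order by this same commit. Either state the intended order in the commit message or apply one rule to both places, so that later edits do not shuffle the list again.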
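Review bot: In content/waf/policies/geolocation.md, the removed line "policy": {T shows that a stray character sat inside a fenced json block in the published page, so nothing parsed the block before it was published. A policy example that is not valid JSON fails for anyone who copies it. Consider adding a docs check that extracts every json fence and parses it, and confirm that the rest of this block, which continues past the visible end of the hunk, parses after the fix.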