nginx · ADubhlaoich · Oct 7, 2025 · Oct 3, 2025 · Oct 6, 2025 · Oct 6, 2025
@@ -0,0 +1,7 @@
+{{< banner "note" "Policy parameter reference" >}}
+
+You can explore the parameters for each F5 WAF for NGINX feature on the [Policy parameter reference]({{< ref "/waf/policies/parameter-reference.md" >}}) page.
+
+This page was previously referred to as the "Declarative Policy".
+
+{{< /banner >}}
@@ -11,6 +11,7 @@
 | [Cookie enforcement]({{< ref "/waf/policies/cookie-enforcement.md" >}}) | By default all cookies are allowed and not enforced for integrity. The user can add specific cookies, wildcards or explicit, that will be enforced for integrity. It is also possible to set the cookie attributes: HttpOnly, Secure and SameSite for cookies found in the response. |
 | [Data guard]({{< ref "/waf/policies/data-guard.md" >}}) | Detects and masks Credit Card Number (CCN) and/or U.S. Social Security Number (SSN) and/or custom patterns in HTTP responses. Disabled by default. |
 | [Deny and Allow IP lists]({{< ref "/waf/policies/deny-allow-ip.md" >}}) | Manually define denied & allowed IP addresses as well as IP addresses to never log. |
+| [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. |
 | [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default |
 | [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. |
 | [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. | 
@@ -20,10 +21,13 @@
 | [IP address lists]({{< ref "/waf/policies/ip-address-lists.md" >}}) | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. |
 | [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. |
 | [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. | 
+| [Override rules]({{< ref "/waf/policies/override-rules.md" >}}) | Override rules allow you to override default policy settings under specific conditions. |
 | [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. |
 | [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. |
 | [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |
 | [User-defined HTTP headers]({{< ref "/waf/policies/user-headers.md" >}}) | Handling headers as a special part of requests |
+| [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) | Use user-defined properties when configuring violations. |
 | [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. |
 | [XML and JSON content]({{< ref "/waf/policies/xml-json-content.md" >}}) | XML content and JSON content profiles detect malformed content and signatures in the element values. Default policy checks maximum structure depth. It is possible to enable more size restrictions: maximum total length of XML/JSON data, maximum number of elements and more. |
+
 {{< /table >}}
@@ -3,7 +3,7 @@
 title: "Changelog"
 url: /waf/changelog/
 # Weights are assigned in increments of 100: determines sorting order
-weight: 500
+weight: 600
 # Creates a table of contents and sidebar, useful for large documents
 nd-landing-page: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -27,9 +27,9 @@ _September 29th, 2025_
 
 ### Important notes
 
-- Renamed NGINX App Protect WAF to F5 for NGINX
+- Renamed NGINX App Protect WAF to F5 WAF for NGINX
 - Aligned F5 WAF for NGINX versions
-    - Package and container artefacts now share the same version numbers
+    - Package and container artifacts now share the same version numbers
     - Upgrade processes remain the same as earlier releases
     - No breaking changes
 - Restructured documentation

@@ -162,10 +162,10 @@ Add F5 WAF for NGINX dependencies:
 sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
 ```
 
-Enable the _codeready-builder_ repository:
+Enable F5 WAF for NGINX dependencies:
 
 ```shell
-sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
+sudo dnf config-manager --set-enabled crb
 ```
 
 Install the F5 WAF for NGINX package and its dependencies:

@@ -0,0 +1,91 @@
+---
+title: Custom dimensions for log entries
+toc: false
+weight: 200
+nd-content-type: reference
+nd-product: NAP-WAF
+---
+
+F5 WAF for NGINX can configure custom dimensions for log entries using the directive `app_protect_custom_log_attribute`.
+
+This directive can be added to the NGINX configuration file in the `http`, `server` and `location` scopes. The custom dimensions become part of every request in the [Security logs]({{< ref "/waf/logging/security-logs.md" >}}) based on the scope used.
+
+The `app_protect_custom_log_attribute` directive takes a key/value pair, such as `app_protect_custom_log_attribute 'customDimension' '1'`. The directive can cascade and override entries based on scope order: _location_, _server_ then _http_. 
+
+For example, attributes at the _http_ level apply to all servers and locations unless a specific server or location overrides the same key with a different value.
+
+When a custom dimension is assigned to a scope, it appears in the `json_log` field as a new JSON property called "customLogAttributes" at the top level. This properly appears if the `app_protect_custom_log_attribute` directive is used.
+
+In the configuration example, the "environment" attribute appears in logs of all locations under that server block.
+
+```json
+""customLogAttributes"":[{""name"":""component"",""value"":""comp1""},{""name"":""gateway"",""value"":""gway1""}]}"
+```
+
+The following example defines the `app_protect_custom_log_attribute` directive at the server and location level, with key/value pairs as strings.
+
+```nginx
+user nginx;
+load_module modules/ngx_http_app_protect_module.so;
+error_log /var/log/nginx/error.log debug;
+
+events {
+    worker_connections  65536;
+}
+server {
+
+        listen       80;
+
+        server_name  localhost;
+        proxy_http_version 1.1;
+        app_protect_custom_log_attribute 'environment' 'env1';
+
+        location / {
+
+            app_protect_enable on;
+            app_protect_custom_log_attribute gateway gway1;
+            app_protect_custom_log_attribute component comp1;
+            proxy_pass http://172.29.38.211:80$request_uri;
+        }
+    }
+```
+
+The key/value pairs are 'environment env1', 'gateway gway1' and 'component comp1' in the above examples:
+
+- app_protect_custom_log_attribute environment env1;
+- app_protect_custom_log_attribute gateway gway1;
+- app_protect_custom_log_attribute component comp1;
+
+The key/value pairs are parsed as follows:
+
+```shell
+"customLogAttributes": [
+    {
+        "name": "gateway",
+        "value": "gway1"
+    },
+    {
+        "name": "component",
+        "value": "comp1"
+    },
+]
+```
+
+The `app_protect_custom_log_attribute` directive has constraints you should keep in mind:
+
+- Key and value strings are limited to 64 chars
+- There are a maximum of 10 key/value pairs in each scope
+
+An error message beginning with "_'app_protect_custom_log_attribute' directive is invalid_" will be displayed in the security log if:
+
+1. The `app_protect_custom_log_attribute` exceeds the maximum number of 10 directives
+1. The `app_protect_custom_log_attribute` exceeds the maximum name length of 64 chars
+1. The `app_protect_custom_log_attribute` exceeds the maximum value of 64 chars
+
+The log will specify the precise issue:
+
+```text
+app_protect_custom_log_attribute directive is invalid. Number of app_protect_custom_log_attribute directives exceeds maximum
+```
+
+
@@ -1,7 +1,7 @@
 ---
 title: Debug logs
 toc: false
-weight: 400
+weight: 500
 nd-content-type: reference
 nd-product: NAP-WAF
 ---

@@ -1,7 +1,7 @@
 ---
 title: Operation logs
 toc: false
-weight: 300
+weight: 400
 nd-content-type: reference
 nd-product: NAP-WAF
 ---

@@ -1,7 +1,7 @@
 ---
 title: Security logs
 toc: true
-weight: 200
+weight: 300
 nd-content-type: reference
 nd-product: NAP-WAF
 ---

@@ -1,5 +1,11 @@
 ---
 title: "Policies"
 url: /waf/policies/
+cascade:
+  nd-banner:
+    enabled: true
+    type: deprecation
+    start-date: 2025-09-30
+    md: /_banners/waf-parameter-reference.md
 weight: 400
 ---
@@ -203,7 +203,7 @@ To exclude multiple attack signatures, each signature ID needs to be added as a
 
 In the previous examples, the signatures were disabled for all the requests that are inspected by the respective policy. You can also exclude signatures for specific URLs or parameters, while still enable them for the other URLs and parameters. 
 
-The topics [User-defined URLs]() and [User-defined parameters]() have more details.
+The topic [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) has more details.
 
 In some cases, you may want to remove a whole signature set that was included in the default policy. For example, a protected application may not use XML and is not vulnerable to XPath injection.