diff --git a/content/nginx-one/changelog.md b/content/nginx-one/changelog.md index 871dd59a5..88e943bcd 100644 --- a/content/nginx-one/changelog.md +++ b/content/nginx-one/changelog.md @@ -30,6 +30,19 @@ h2 { Stay up-to-date with what's new and improved in the F5 NGINX One Console. +## October 6, 2025 + +### Expanded features for configuring NGINX security policies with F5 WAF + +You can now configure the following for F5 WAF policies directly in the NGINX One Console: +- [Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md" >}}) +- [Signature Exceptions]({{< ref "/nginx-one/nap-integration/add-signature-sets.md#exceptions" >}}) +- [Parameters]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-parameters" >}}) +- [URLs]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-urls" >}}) +- [Cookies]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-cookies" >}}) + +For more details, see the [F5 WAF Integration Guide ]({{< ref "/nginx-one/nap-integration/" >}}). + ## October 2, 2025 ### You can now set up config templates diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md new file mode 100644 index 000000000..b56ff66b8 --- /dev/null +++ b/content/nginx-one/nap-integration/add-signature-sets.md 
@@ -0,0 +1,132 @@ +--- +title: "Add signature sets and exceptions" +weight: 300 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + +This document describes how you can configure signature sets and signature exceptions in F5 WAF for NGINX policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications. + +## Understanding signature sets and exceptions + +Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application. F5 WAF for NGINX includes predefined attack signatures grouped into signature sets. + +### Signature set + +A **signature set** is a collection of attack signatures with a specific name and purpose. These sets are predefined and can be enabled or disabled in your policy. + +For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures. + +### Signature exception + +A **signature exception** allows you to explicitly enable or disable individual attack signatures within a set. This gives you granular control over your policy. For example: +- If a signature in a set causes false positives (blocking legitimate traffic), you can create an exception to disable just that signature while keeping the rest of the set active. +- If you want to enable blocking for one specific attack signature rather than an entire set, you can create an exception to enable just that signature. + +## Add signature sets + +From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: + +1. In **General Settings**, name and describe the policy. +1. Go to the **Web Protection** section and select **Attack Signature Sets**. 
Here, you can: + - View all enabled attack signature sets, including the default ones + - Add new signature sets + - Modify existing signature sets + +### Configure signature sets + +For each signature set, you can configure: +- **Alarm**: When enabled, matching requests are logged +- **Block**: When enabled, matching requests are blocked + +For example, to configure Buffer Overflow Signatures to log but not block: + +```json +{ + "policy": { + "name": "buffer_overflow_signature", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "Buffer Overflow Signatures", + "alarm": true, + "block": false + } + ] + } +} +``` + +### Remove signature sets + +To remove a signature set from your policy, you have two options: + +1. Disable the set by setting both `alarm` and `block` to `false`: + + ```json + { + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "block": false, + "alarm": false + } + ] + } + } + ``` + +1. Use the `$action` meta-property to delete the set (preferred for better performance): + + ```json + { + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "$action": "delete" + } + ] + } + } + ``` + +## Add signature exceptions + +From the **Web Protection** section, select **Attack Signature Exceptions**. This allows you to override settings for individual signatures. + +1. Click **Add Item** to create a new exception. +1. Select the signature(s) you want to modify. +1. Configure the exception. For example, to disable a specific signature: + + ```json + { + "signatures": [ + { + "name": "_mem_bin access", + "enabled": false, + "signatureId": 200100022 + } + ] + } + ``` + +## Add and deploy your policy + +After configuring signature sets and exceptions: + +1. Select **Add Policy**. 
The policy JSON will be updated with your changes. +1. Your policy will appear in the list under the name you provided. +1. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either: + - An instance + - A Config Sync Group + +From NGINX One Console, you can [review and modify]({{< ref "/nginx-one/nap-integration/review-policy.md/" >}}) your saved policies at any time by selecting **App Protect > Policies**. + +For a complete list of available signature sets and detailed information about attack signatures, see the [Attack Signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) documentation. diff --git a/content/nginx-one/nap-integration/cookies-params-urls.md b/content/nginx-one/nap-integration/cookies-params-urls.md new file mode 100644 index 000000000..e4b89e47a --- /dev/null +++ b/content/nginx-one/nap-integration/cookies-params-urls.md 
@@ -0,0 +1,197 @@ +--- +title: "Add cookies, parameters and URLs" +weight: 400 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + +# Add cookies + +Cookie protections can be configured and managed directly within the policy editor by selecting the **Cookies** option. + +## Cookie properties and types + +Each cookie configuration includes: +- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. +- `Cookie Name`: The name of the cookie to be monitored or protected +- `Enforcement Type`: + - **Allow**: Specifies that this cookie may be changed by the client. The cookie is not protected from modification + - **Enforce**: Specifies that this cookie may not be changed by the client +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable +- `Mask value in logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy + +For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. + +## Cookie violations + +Select **Edit Configuration** to configure cookie violations. 
The following violations can be configured for cookies: + +- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired +- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit +- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant +- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with + +For each violation type, you can: +- Set the enforcement action +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +## Add a cookie to your policy + +1. Choose Cookie Type: + - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the `Cookie Name` + - Choose whether to mask the cookie value in logs + +1. Set Enforcement Type: + - Choose either `Allow` or `Enforce` + +1. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific cookie + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. Select **Add Cookie** to save your configuration + +# Add parameters + +Parameter protections can be configured and managed directly within the policy editor by selecting the **Parameters** option. + +## Parameter properties and types + +Each parameter configuration includes: +- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. 
+- `Parameter Name`: The name of the parameter +- `Location`: Where the parameter is expected (URL query string, POST data, etc.) +- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) +- `Attack Signatures`: Whether attack signature checking is enabled for this parameter +- `Mask value in logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy. This sets `sensitiveParameter` property of the parameter item. + +For a complete list of configurable parameter properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. + +## Parameter violations + +Select **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters: + +- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected +- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal +- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configured security policy +- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be +- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location +- `VIOL_PARAMETER_MULTIPART_NULL_VALUE`: Triggered when the multi-part request has a parameter value that contains the NULL character (0x00) +- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name +- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range +- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally +- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configured security policy +- `VIOL_PARAMETER_VALUE_BASE64`: Triggered when the value is not a valid Base64 string +- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when 
parameter value length exceeds limits +- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value +- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern + +For each violation type, you can: +- Set the enforcement action +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +## Add a parameter to your policy + +1. Choose Parameter Type: + - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the parameter `Parameter Name` + - Select the `Location` where the parameter is expected + - Choose the `Value Type` (alpha-numeric, integer, email, etc.) + - Set the `Data Type` if applicable + +1. Set Security Options: + - Choose whether to enable attack signatures + + {{< call-out "important" >}} + + Attack Signatures are only applicable when the Value Type is `User Input` or `Array` **and** the Data Type is either `Alphanumeric` or `Binary` + + {{< /call-out >}} + + - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) + +1. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific parameter + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. 
Select **Add Parameter** to save your configuration + +# Add URLs + +URL protections can be configured and managed directly within the policy editor by selecting the **URLs** option. + +## URL properties and types + +Each URL configuration includes: +- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. +- `Method`: Specifies the HTTP method(s) for the URL (`GET`, `POST`, `PUT`, etc.) +- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) +- `Enforcement Type`: + - **Allow**: Permits access to the URL with optional attack signature checks + - **Disallow**: Blocks access to the URL entirely +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable + +{{< call-out "important" >}} + +**⚠️ Important:** Attack Signatures are automatically shown as "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + +{{< /call-out >}} + +For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. + +## URL violations + +Select **Edit Configuration** to configure URL violations. 
The following violations can be configured for URLs: + +- `VIOL_URL`: Triggered when an illegal URL is accessed +- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type +- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit +- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL + +For each violation type, you can: +- Set the enforcement action +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +## Add a URL to your policy + +1. Choose URL Type: + - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the `URL` path (e.g., `/index.html`, `/api/data`) + - The URL path must start with `/` + - Select HTTP `Method(s)` (e.g., `GET`, `POST`, *) + - Choose the `Protocol` (`HTTP`/`HTTPS`) + +1. Set Enforcement: + - Choose whether to allow or disallow the URL + - If `Allow URL` is selected, you can optionally enable attack signatures + + {{< call-out "important" >}} + + **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. + + {{< /call-out >}} + +1. **Optional**: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific URL + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. Select **Add URL** to save your configuration diff --git a/content/nginx-one/nap-integration/deploy-policy.md b/content/nginx-one/nap-integration/deploy-policy.md index 884c1a86f..0699937f6 100644 --- a/content/nginx-one/nap-integration/deploy-policy.md 
+++ b/content/nginx-one/nap-integration/deploy-policy.md @@ -2,7 +2,7 @@ # We use sentence case and present imperative tone title: "Deploy policy" # Weights are assigned in increments of 100: determines sorting order -weight: 400 +weight: 600 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this diff --git a/content/nginx-one/nap-integration/overview.md b/content/nginx-one/nap-integration/overview.md index 15b95eaff..3e9459772 100644 --- a/content/nginx-one/nap-integration/overview.md +++ b/content/nginx-one/nap-integration/overview.md @@ -43,4 +43,4 @@ F5 WAF for NGINX has specific requirements for the configuration with Docker con - You'll need to set a policy bundle (in compressed tar format) in a configured `volume`. - Make sure the directory for [NGINX Agent]({{< ref "/agent/configuration/" >}}) includes `/etc/nginx/app_protect_policies`. -When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance. +When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance. diff --git a/content/nginx-one/nap-integration/review-policy.md b/content/nginx-one/nap-integration/review-policy.md index faa0ea47a..e49073048 100644 --- a/content/nginx-one/nap-integration/review-policy.md +++ b/content/nginx-one/nap-integration/review-policy.md @@ -2,7 +2,7 @@ # We use sentence case and present imperative tone title: "Review policy" # Weights are assigned in increments of 100: determines sorting order -weight: 300 +weight: 500 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this 
@@ -37,4 +37,3 @@ From the NGINX One Console, you can also manage existing policies. In the Polici {{< call-out "note" >}} If you use **Save As** to create a new policy, include the `app_protect_cookie_seed` [directive]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#directives" >}}). {{< /call-out >}} - diff --git a/content/nginx-one/nap-integration/security-policy-api.md b/content/nginx-one/nap-integration/security-policy-api.md index 3a9b91d36..8677cc480 100644 --- a/content/nginx-one/nap-integration/security-policy-api.md +++ b/content/nginx-one/nap-integration/security-policy-api.md @@ -1,6 +1,6 @@ --- title: "Set security policies through the API" -weight: 700 +weight: 800 toc: true type: reference product: NGINX One diff --git a/content/nginx-one/nap-integration/waf-policy-matching-types.md b/content/nginx-one/nap-integration/waf-policy-matching-types.md new file mode 100644 index 000000000..6fd4da489 --- /dev/null +++ b/content/nginx-one/nap-integration/waf-policy-matching-types.md 
@@ -0,0 +1,32 @@ +--- +title: "Matching types: Explicit vs Wildcard" +weight: 700 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + +In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways: + +## Explicit Matching + +Explicit matching refers to direct matches to specific names or paths in your application. For example: +- URLs: `/index.html`, `/api/data` +- Cookies: `sessionId`, `userPrefs` +- Parameters: `username`, `email` + +Use explicit matching when you need to protect specific, known entities. + +## Wildcard Matching + +Wildcard matching uses patterns to match multiple similar names or paths. For example: +- URLs: `/test*` matches `/test`, `/test123`, `/testing` +- Cookies: `test*` matches `test`, `test123`, `testing` +- Parameters: `user*` matches `username`, `user_id`, `userEmail` + +Wildcard matching is useful when: +- You need to protect multiple similar entities +- You want to apply the same security controls to a group +- The exact names or paths may vary or are dynamically generated + +Both explicit and wildcard matching allow you to configure additional properties, such as enforcement type, attack signatures, and more, depending on the entity being protected.
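Review bot: in the changelog.md hunk, the link text `[F5 WAF Integration Guide ]` has a trailing space inside the brackets, which renders as a visible gap before the link ends; drop the space. The same entry calls the product `F5 WAF` while the new pages in this change say `F5 WAF for NGINX` (and the matching-types page explains that name replaces NGINX App Protect WAF), so use one product name in the changelog as well.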
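Review bot: in the add-signature-sets.md hunk, the signature-exception example is a bare `{ "signatures": [ ... ] }` fragment while every other example on the page is wrapped in `{ "policy": { ... } }`; either nest it under `policy` next to `signature-sets` or say in the lead sentence that it is only the `signatures` array of the policy, otherwise a reader pasting it into the editor gets the wrong shape. Two smaller points in the same hunk: the `ref` targets `deploy-policy.md/` and `review-policy.md/` end in a slash after `.md`, unlike `add-signature-sets.md` in the changelog hunk, so normalise them; and "Click **Add Item**" should read "Select **Add Item**" to match the imperative "select" used everywhere else on the page. Because the false-positive case under "Signature exception" disables the signature policy-wide, it is worth one sentence pointing to the per-cookie, per-parameter and per-URL attack-signature overrides documented in cookies-params-urls.md as the narrower fix when the false positive is confined to a single entity.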
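Review bot: in the cookies-params-urls.md hunk, "Add cookies", "Add parameters" and "Add URLs" are `#` (H1) headings while the sibling pages start at `##` below the front-matter title, so this page renders three H1s and its `toc: true` output nests differently from the rest of the section; demote them to `##` and the current `##` headings to `###`. The two `important` call-outs in the URL section also embed their own `**⚠️ Important:**` label, duplicating the shortcode's heading, whereas the equivalent call-out in the parameter section carries no inline label; remove the inline ones. In the URL step "Select HTTP `Method(s)` (e.g., `GET`, `POST`, *)" the bare `*` should be backticked like its neighbours so Markdown does not treat it as an emphasis marker. "overwrite attack signatures" (cookie, parameter and URL steps) should be "override". Finally, the parameter procedure asks for the attack-signatures decision twice ("Set Security Options: Choose whether to enable attack signatures" and the following "Optional: Configure Attack Signatures"); merge them into one step and keep the call-out about Value Type and Data Type applicability with it.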
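Review bot: in the overview.md hunk, the removed and added lines are textually identical, so the only difference is whitespace that the rendered diff does not show (a trailing space or end-of-file newline); that is fine to keep, but since the line is being touched anyway, note that it still says "NAP policy" while every new page in this change says "F5 WAF for NGINX", so this is a cheap place to align the product name.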
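Review bot: the three weight hunks (deploy-policy.md 400 to 600, review-policy.md 300 to 500, security-policy-api.md 700 to 800) make room for the new pages at 300 (signature sets), 400 (cookies, parameters, URLs) and 700 (matching types) without two pages sharing a weight, which is the right thing to do; the resulting order should be stated in the PR description so the next author does not have to reconstruct it. One inconsistency worth fixing in the same change: the existing pages use `type: reference` and `product: NGINX One` front-matter keys, while all three new files use `nd-content-type` and `nd-product`; confirm the theme honours both key sets, or migrate the existing pages, so the section does not mix two front-matter schemas.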
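Review bot: in the waf-policy-matching-types.md hunk, the page never says where a wildcard may appear: every example is a trailing `*` (`/test*`, `test*`, `user*`), so a reader cannot tell whether `*` is also allowed as a prefix or infix, or whether it matches across `/` in a URL path; add one sentence stating the supported positions. It also does not say what happens when a request matches both an explicit entity and a wildcard (whose enforcement type and attack-signature setting wins), which is the first question an operator has when mixing the two, and since cookies-params-urls.md links here from all three entity types this is the place to state it. Two style points: "Explicit Matching" and "Wildcard Matching" are title case while the repo's front-matter comments say "We use sentence case" and the other new headings follow that; and the page is conceptual with no procedure, so `nd-content-type: how-to` looks wrong next to the reference type used by security-policy-api.md.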