From 0b1006a21878332587962841bec93eaaf3f97c2b Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Wed, 1 Oct 2025 10:12:19 -0700 Subject: [PATCH 01/22] n1c: add docs for adding signature sets and exceptions --- .../nap-integration/signature-sets.md | 180 ++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100644 content/nginx-one/nap-integration/signature-sets.md diff --git a/content/nginx-one/nap-integration/signature-sets.md b/content/nginx-one/nap-integration/signature-sets.md new file mode 100644 index 000000000..c65d0b9cd --- /dev/null +++ b/content/nginx-one/nap-integration/signature-sets.md 
@@ -0,0 +1,180 @@ +--- +title: "Add signature sets and exceptions" +weight: 300 +toc: true +nd-content-type: how-to +nd-product: NGINX One +--- + +This document describes how you can configure signature sets and signature exceptions in F5 NGINX App Protect (NAP) policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications. + +## Understanding signature sets and exceptions + +Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application. F5 WAF for NGINX includes predefined attack signatures grouped into signature sets. + +### Signature Set +A **signature set** is a collection of attack signatures with a specific name and purpose. These sets are predefined and can be enabled or disabled in your policy. + +For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures. + +### Signature Exception +A **signature exception** allows you to explicitly enable or disable individual attack signatures within a set. This gives you granular control over your policy. For example: +- If a signature in a set causes false positives (blocking legitimate traffic), you can create an exception to disable just that signature while keeping the rest of the set active. +- If you want to enable blocking for one specific attack signature rather than an entire set, you can create an exception to enable just that signature. + +## Add signature sets + +From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: + +1. In **General Settings**, name and describe the policy. +2. Navigate to the **Web Protection** tab and select **Attack Signature Sets**. 
Here, you can: + - View all enabled attack signature sets, including the default ones + - Add new signature sets + - Modify existing signature sets + +### Configure signature sets + +For each signature set, you can configure: +- **Alarm**: When enabled, matching requests are logged +- **Block**: When enabled, matching requests are blocked + +For example, to configure Buffer Overflow Signatures to log but not block: + +```json +{ + "policy": { + "name": "buffer_overflow_signature", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "Buffer Overflow Signatures", + "alarm": true, + "block": false + } + ] + } +} +``` + +### Remove signature sets + +To remove a signature set from your policy, you have two options: + +1. Disable the set by setting both `alarm` and `block` to `false`: + +```json +{ + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "block": false, + "alarm": false + } + ] + } +} +``` + +2. Use the `$action` meta-property to delete the set (preferred for better performance): + +```json +{ + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "$action": "delete" + } + ] + } +} +``` + +## Add signature exceptions + +From the **Web Protection** tab, select **Attack Signature Exceptions**. This section allows you to override settings for individual signatures. + +1. Click **Add Item** to create a new exception. +2. Select the signature(s) you want to modify. +3. Configure the exception. 
For example, to disable a specific signature: + +```json +{ + "signatures": [ + { + "name": "_mem_bin access", + "enabled": false, + "signatureId": 200100022 + } + ] +} +``` + +### Advanced exception configuration + +For more complex scenarios, you can use the `modifications` section: + +```json +{ + "modifications": [ + { + "entityChanges": { + "enabled": false + }, + "entity": { + "signatureId": 200001834 + }, + "entityType": "signature", + "action": "add-or-update" + } + ] +} +``` + +To exclude multiple signatures, add each as a separate entity: + +```json +{ + "modifications": [ + { + "entityChanges": { + "enabled": false + }, + "entity": { + "signatureId": 200001834 + }, + "entityType": "signature", + "action": "add-or-update" + }, + { + "entityChanges": { + "enabled": false + }, + "entity": { + "signatureId": 200004461 + }, + "entityType": "signature", + "action": "add-or-update" + } + ] +} +``` + +## Save and deploy your policy + +After configuring signature sets and exceptions: + +1. Select **Save Policy**. The policy JSON will be updated with your changes. +2. Your policy will appear in the list under the name you provided. +3. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either: + - An instance + - A Config Sync Group + +From NGINX One Console, you can [review and modify]({{< ref "/nginx-one/nap-integration/review-policy.md/" >}}) your saved policies at any time by selecting **App Protect > Policies**. + +For a complete list of available signature sets and detailed information about attack signatures, see the [Attack Signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) documentation. From fd22e59a1b0b62adbccb1e6c2bad27fcbbd6e1df Mon Sep 17 00:00:00 2001 
From: Sylvia Wang Date: Thu, 2 Oct 2025 15:09:15 -0700 Subject: [PATCH 02/22] add instructions for urls/cookies/parameters --- .../nginx-one/nap-policy-matching-types.md | 24 ++++++++ .../nginx-one/nap-integration/add-cookies.md | 51 +++++++++++++++++ .../nap-integration/add-parameters.md | 57 +++++++++++++++++++ ...ignature-sets.md => add-signature-sets.md} | 0 content/nginx-one/nap-integration/add-urls.md | 52 +++++++++++++++++ .../advanced-configurations.md | 33 +++++++++++ 6 files changed, 217 insertions(+) create mode 100644 content/includes/nginx-one/nap-policy-matching-types.md create mode 100644 content/nginx-one/nap-integration/add-cookies.md create mode 100644 content/nginx-one/nap-integration/add-parameters.md rename content/nginx-one/nap-integration/{signature-sets.md => add-signature-sets.md} (100%) create mode 100644 content/nginx-one/nap-integration/add-urls.md create mode 100644 content/nginx-one/nap-integration/advanced-configurations.md diff --git a/content/includes/nginx-one/nap-policy-matching-types.md b/content/includes/nginx-one/nap-policy-matching-types.md new file mode 100644 index 000000000..b99ca80c8 --- /dev/null +++ b/content/includes/nginx-one/nap-policy-matching-types.md 
@@ -0,0 +1,24 @@ +# Matching Types: Explicit vs Wildcard + +In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways: + +## Explicit Matching +Explicit matching refers to direct matches to specific names or paths in your application. For example: +- URLs: `/index.html`, `/api/data` +- Cookies: `sessionId`, `userPrefs` +- Parameters: `username`, `email` + +Use explicit matching when you need to protect specific, known entities. + +## Wildcard Matching +Wildcard matching uses patterns to match multiple similar names or paths. For example: +- URLs: `/test*` matches `/test`, `/test123`, `/testing` +- Cookies: `test*` matches `test`, `test123`, `testing` +- Parameters: `user*` matches `username`, `user_id`, `userEmail` + +Wildcard matching is useful when: +- You need to protect multiple similar entities +- You want to apply the same security controls to a group +- The exact names or paths may vary or are dynamically generated + +Both explicit and wildcard matching allow you to configure additional properties, such as enforcement type, attack signatures, and more, depending on the entity being protected. diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md new file mode 100644 index 000000000..aa3e3bd02 --- /dev/null +++ b/content/nginx-one/nap-integration/add-cookies.md 
@@ -0,0 +1,51 @@ +# Managing Cookies in NAP Policy +Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. + +## Cookie Properties and Types +Each cookie configuration includes: +- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section. +- `Cookie Name`: The name of the cookie to be monitored or protected +- `Enforcement Type`: + - **Allow**: Permits the cookie with optional attack signature checks + - **Disallow**: Blocks the use of the cookie entirely +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable +- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy + +**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + +For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. + +## Cookie Violations +Click on **Edit Configuration** to configure cookie violations. 
The following violations can be configured for cookies: + +- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired +- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit +- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant +- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +# Adding a Cookie to Your Policy + +1. Choose Cookie Type: + - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching + +2. Configure Basic Properties: + - Enter the `Cookie Name` + - Choose whether to mask the cookie value in logs + +3. Set Enforcement: + - Choose whether to allow or disallow the cookie + - If `Allow Cookie` is selected, you can optionally enable attack signatures + +**⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. + +4. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific cookie + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +5. Click **Add Cookie** to save your configuration diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md new file mode 100644 index 000000000..f35996f38 --- /dev/null +++ b/content/nginx-one/nap-integration/add-parameters.md 
@@ -0,0 +1,57 @@ +# Managing Parameters in NAP Policy +Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. + +## Parameter Properties and Types +Each parameter configuration includes: +- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section. +- `Name`: The name of the parameter +- `Location`: Where the parameter is expected (URL query string, POST data, etc.) +- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) +- `Attack Signatures`: Whether attack signature checking is enabled for this parameter +- `Mask Value in Logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy + + +For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. + +## Parameter Violations +Click on **Edit Configuration** to configure parameter violations. 
The following violations can be configured for parameters: + +- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected +- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal +- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configuration +- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be +- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location +- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name +- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range +- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally +- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configuration +- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits +- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value +- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +# Adding a Parameter to Your Policy + +1. Choose Parameter Type: + - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching + +2. Configure Basic Properties: + - Enter the parameter `Name` + - Select the `Location` where the parameter is expected + - Choose the `Value Type` (alpha-numeric, integer, email, etc.) + - Set the `Data Type` if applicable + +3. 
Set Security Options: + - Choose whether to enable attack signatures + - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) + +4. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific parameter + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +5. Click **Add Parameter** to save your configuration diff --git a/content/nginx-one/nap-integration/signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md similarity index 100% rename from content/nginx-one/nap-integration/signature-sets.md rename to content/nginx-one/nap-integration/add-signature-sets.md diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md new file mode 100644 index 000000000..c58dd23cc --- /dev/null +++ b/content/nginx-one/nap-integration/add-urls.md 
@@ -0,0 +1,52 @@ +# Managing URLs in NAP Policy +URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. + +## URL Properties and Types +Each URL configuration includes: +- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section +- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) +- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) +- `Enforcement Type`: + - **Allow**: Permits access to the URL with optional attack signature checks + - **Disallow**: Blocks access to the URL entirely +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable + +**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + +For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. + +## URL Violations +Click on **Edit Configuration** to configure URL violations. The following violations can be configured for URLs: + +- `VIOL_URL`: Triggered when an illegal URL is accessed +- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type +- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit +- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +# Adding a URL to Your Policy + +1. 
Choose URL Type: + - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching + +2. Configure Basic Properties: + - Enter the `URL` path + - Select allowed `Method(s)` (e.g., `GET`, `POST`, *) + - Choose the `Protocol` (`HTTP`/`HTTPS`) + +3. Set Enforcement: + - Choose whether to allow or disallow the URL + - If `Allow URL` is selected, you can optionally enable attack signatures + +**⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. + +4. **Optional**: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific URL + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +5. Click **Add URL** to save your configuration diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md new file mode 100644 index 000000000..3da389398 --- /dev/null +++ b/content/nginx-one/nap-integration/advanced-configurations.md 
@@ -0,0 +1,33 @@ +# Advanced Configuration for NAP Policies + +This document consolidates advanced configuration options for parameters, URLs, and cookies in NGINX App Protect (NAP) policies. These configurations allow for fine-tuning security settings to meet specific application requirements. By centralizing these options, this guide provides a unified reference for creating granular and robust security policies. + +## Shared Advanced Configuration Options + +The following advanced configuration options are common to parameters, URLs, and cookies: + +- **Length Restrictions**: Define maximum allowable lengths to prevent excessively long inputs that could indicate malicious activity. +- **Meta Character Overrides**: Specify allowed or disallowed meta characters to ensure compliance with application-specific requirements. +- **Custom Signature Sets**: Apply custom signature sets to tailor attack detection mechanisms for specific use cases. + +## Parameter-Specific Configuration Options + +In addition to the shared options, parameters support the following advanced configurations: + +- **Regular Expression Patterns**: Use regex patterns to validate parameter values against expected formats, enhancing security and reducing false positives. +- **Static Value Constraints**: Set fixed values for parameters to enforce strict compliance with predefined rules. +- **Numeric Value Ranges**: Define acceptable numeric ranges for parameters to prevent out-of-bound values. + +## URL-Specific Configuration Options + +In addition to the shared options, URLs support the following advanced configurations: + +- **Content Type Profiles**: Configure content type profiles (e.g., JSON, XML, form-data) to validate request payloads. + +## Cookie-Specific Configuration Options + +In addition to the shared options, cookies support the following advanced configurations: + +- **Mask Value in Logs**: Enable masking of cookie values in logs for enhanced security and privacy. 
+ +These configurations help create a more granular and specific security policy for your application. For detailed instructions on implementing these options, refer to the [Policy Parameter Reference]({{< ref "/waf/policies/parameter-reference.md" >}}). From e6d2ca240a0cdf1842e44aa298ef390153d88566 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Fri, 3 Oct 2025 11:02:04 -0700 Subject: [PATCH 03/22] add titles for all instruction files --- content/nginx-one/nap-integration/add-cookies.md | 10 ++++++++++ content/nginx-one/nap-integration/add-parameters.md | 10 ++++++++++ content/nginx-one/nap-integration/add-urls.md | 10 ++++++++++ .../nap-integration/advanced-configurations.md | 8 ++++++++ 4 files changed, 38 insertions(+) diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index aa3e3bd02..acf47afd5 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md @@ -1,3 +1,11 @@ +--- +title: "Add cookies" +weight: 350 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + # Managing Cookies in NAP Policy Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. @@ -29,6 +37,8 @@ For each violation type, you can: For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + # Adding a Cookie to Your Policy 1. Choose Cookie Type: diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index f35996f38..ad97933ea 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md 
@@ -1,3 +1,11 @@ +--- +title: "Add parameters" +weight: 350 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + # Managing Parameters in NAP Policy Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. @@ -35,6 +43,8 @@ For each violation type, you can: For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + # Adding a Parameter to Your Policy 1. Choose Parameter Type: diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index c58dd23cc..8b2339444 100644 --- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -1,3 +1,11 @@ +--- +title: "Add urls" +weight: 350 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + # Managing URLs in NAP Policy URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. @@ -29,6 +37,8 @@ For each violation type, you can: For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + # Adding a URL to Your Policy 1. Choose URL Type: diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md index 3da389398..fd3f9972d 100644 --- a/content/nginx-one/nap-integration/advanced-configurations.md +++ b/content/nginx-one/nap-integration/advanced-configurations.md 
@@ -1,3 +1,11 @@ +--- +title: "Advanced configuration for NAP policies" +weight: 350 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + # Advanced Configuration for NAP Policies This document consolidates advanced configuration options for parameters, URLs, and cookies in NGINX App Protect (NAP) policies. These configurations allow for fine-tuning security settings to meet specific application requirements. By centralizing these options, this guide provides a unified reference for creating granular and robust security policies. From 0b43b1a822cde9cf133dac48e37b699c12cee66c Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Thu, 2 Oct 2025 15:11:24 -0700 Subject: [PATCH 04/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index c65d0b9cd..f4bae5350 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md @@ -12,7 +12,7 @@ This document describes how you can configure signature sets and signature excep Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application. F5 WAF for NGINX includes predefined attack signatures grouped into signature sets. -### Signature Set +### Signature set A **signature set** is a collection of attack signatures with a specific name and purpose. These sets are predefined and can be enabled or disabled in your policy. For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures. From 77cf3614abbc62f84eda8b95293882136757e171 Mon Sep 17 00:00:00 2001 
From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Thu, 2 Oct 2025 15:11:31 -0700 Subject: [PATCH 05/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index f4bae5350..258f4b984 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md @@ -3,7 +3,7 @@ title: "Add signature sets and exceptions" weight: 300 toc: true nd-content-type: how-to -nd-product: NGINX One +nd-product: NGINX One Console --- This document describes how you can configure signature sets and signature exceptions in F5 NGINX App Protect (NAP) policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications. From 960b8f802001a446ce71a1da1ee05978af96dbf5 Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Thu, 2 Oct 2025 15:11:38 -0700 Subject: [PATCH 06/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index 258f4b984..fdf4a172a 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md 
@@ -6,7 +6,7 @@ nd-content-type: how-to nd-product: NGINX One Console --- -This document describes how you can configure signature sets and signature exceptions in F5 NGINX App Protect (NAP) policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications. +This document describes how you can configure signature sets and signature exceptions in F5 WAF for NGINX policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications. ## Understanding signature sets and exceptions From 09f53a2a57116fab2f9834ebae3c251dca0421af Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Thu, 2 Oct 2025 15:11:45 -0700 Subject: [PATCH 07/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index fdf4a172a..dfff947a3 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md @@ -13,6 +13,7 @@ This document describes how you can configure signature sets and signature excep Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application. F5 WAF for NGINX includes predefined attack signatures grouped into signature sets. ### Signature set + A **signature set** is a collection of attack signatures with a specific name and purpose. These sets are predefined and can be enabled or disabled in your policy. For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures. 
From 7768199289d865e2cf70b337730e3c5749ac10cb Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Thu, 2 Oct 2025 15:11:54 -0700 Subject: [PATCH 08/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Mike Jang <3287976+mjang@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index dfff947a3..e854c694c 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md @@ -18,7 +18,8 @@ A **signature set** is a collection of attack signatures with a specific name an For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures. -### Signature Exception +### Signature exception + A **signature exception** allows you to explicitly enable or disable individual attack signatures within a set. This gives you granular control over your policy. For example: - If a signature in a set causes false positives (blocking legitimate traffic), you can create an exception to disable just that signature while keeping the rest of the set active. - If you want to enable blocking for one specific attack signature rather than an entire set, you can create an exception to enable just that signature. From 7fd62c0df19170fa96b073c65eb272747bb2527d Mon Sep 17 00:00:00 2001 
From: Sylvia Wang Date: Fri, 3 Oct 2025 11:19:27 -0700 Subject: [PATCH 09/22] address feedback --- ...-types.md => waf-policy-matching-types.md} | 0 .../nginx-one/nap-integration/add-cookies.md | 15 ++- .../nap-integration/add-parameters.md | 12 +-- .../nap-integration/add-signature-sets.md | 92 +++++++++---------- content/nginx-one/nap-integration/add-urls.md | 15 ++- 5 files changed, 66 insertions(+), 68 deletions(-) rename content/includes/nginx-one/{nap-policy-matching-types.md => waf-policy-matching-types.md} (100%) diff --git a/content/includes/nginx-one/nap-policy-matching-types.md b/content/includes/nginx-one/waf-policy-matching-types.md similarity index 100% rename from content/includes/nginx-one/nap-policy-matching-types.md rename to content/includes/nginx-one/waf-policy-matching-types.md diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index acf47afd5..5edd31d4e 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md @@ -6,12 +6,12 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing Cookies in NAP Policy +# Managing Cookies in F5 WAF Policy Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. ## Cookie Properties and Types Each cookie configuration includes: -- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section. +- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section. - `Cookie Name`: The name of the cookie to be monitored or protected - `Enforcement Type`: - **Allow**: Permits the cookie with optional attack signature checks 
@@ -44,18 +44,17 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi 1. Choose Cookie Type: - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching -2. Configure Basic Properties: +1. Configure Basic Properties: - Enter the `Cookie Name` - Choose whether to mask the cookie value in logs -3. Set Enforcement: +1. Set Enforcement: - Choose whether to allow or disallow the cookie - If `Allow Cookie` is selected, you can optionally enable attack signatures + - **⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. -**⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. - -4. Optional: Configure Attack Signatures +1. Optional: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific cookie - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -5. Click **Add Cookie** to save your configuration +1. Click **Add Cookie** to save your configuration diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index ad97933ea..bebaf3e3f 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md 
@@ -6,12 +6,12 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing Parameters in NAP Policy +# Managing Parameters in F5 WAF Policy Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. ## Parameter Properties and Types Each parameter configuration includes: -- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section. +- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section. - `Name`: The name of the parameter - `Location`: Where the parameter is expected (URL query string, POST data, etc.) - `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) 
@@ -50,18 +50,18 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi 1. Choose Parameter Type: - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching -2. Configure Basic Properties: +1. Configure Basic Properties: - Enter the parameter `Name` - Select the `Location` where the parameter is expected - Choose the `Value Type` (alpha-numeric, integer, email, etc.) - Set the `Data Type` if applicable -3. Set Security Options: +1. Set Security Options: - Choose whether to enable attack signatures - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) -4. Optional: Configure Attack Signatures +1. Optional: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific parameter - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -5. Click **Add Parameter** to save your configuration +1. Click **Add Parameter** to save your configuration diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index e854c694c..22688958d 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md 
@@ -29,7 +29,7 @@ A **signature exception** allows you to explicitly enable or disable individual From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: 1. In **General Settings**, name and describe the policy. -2. Navigate to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: +1. Navigate to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: - View all enabled attack signature sets, including the default ones - Add new signature sets - Modify existing signature sets 
@@ -64,58 +64,58 @@ To remove a signature set from your policy, you have two options: 1. Disable the set by setting both `alarm` and `block` to `false`: -```json -{ - "policy": { - "name": "no_xpath_policy", - "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, - "signature-sets": [ - { - "name": "XPath Injection Signatures", - "block": false, - "alarm": false - } - ] + ```json + { + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "block": false, + "alarm": false + } + ] + } } -} -``` - -2. Use the `$action` meta-property to delete the set (preferred for better performance): - -```json -{ - "policy": { - "name": "no_xpath_policy", - "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, - "signature-sets": [ - { - "name": "XPath Injection Signatures", - "$action": "delete" - } - ] + ``` + +1. Use the `$action` meta-property to delete the set (preferred for better performance): + + ```json + { + "policy": { + "name": "no_xpath_policy", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "signature-sets": [ + { + "name": "XPath Injection Signatures", + "$action": "delete" + } + ] + } } -} -``` + ``` ## Add signature exceptions From the **Web Protection** tab, select **Attack Signature Exceptions**. This section allows you to override settings for individual signatures. 1. Click **Add Item** to create a new exception. -2. Select the signature(s) you want to modify. -3. Configure the exception. For example, to disable a specific signature: +1. Select the signature(s) you want to modify. +1. Configure the exception. For example, to disable a specific signature: -```json -{ - "signatures": [ - { - "name": "_mem_bin access", - "enabled": false, - "signatureId": 200100022 - } - ] -} -``` + ```json + { + "signatures": [ + { + "name": "_mem_bin access", + "enabled": false, + "signatureId": 200100022 + } + ] + } + ``` ### Advanced exception configuration 
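Review bot: The sentence that opens this hunk offers "two options" for removing a signature set, but both are rendered as numbered items (`1.` and `1.`), which reads as a sequence to follow rather than a choice. A bulleted list would make it clear that only one of the two JSON snippets is needed. Separately, under "Add signature exceptions" step 1 still reads "Click **Add Item**", while the rest of this page uses "select" for buttons ("select **Add Policy**", "Select **Save Policy**"); "Select **Add Item**" would be consistent.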
@@ -172,8 +172,8 @@ To exclude multiple signatures, add each as a separate entity: After configuring signature sets and exceptions: 1. Select **Save Policy**. The policy JSON will be updated with your changes. -2. Your policy will appear in the list under the name you provided. -3. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either: +1. Your policy will appear in the list under the name you provided. +1. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either: - An instance - A Config Sync Group diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index 8b2339444..1b780c57a 100644 --- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -6,12 +6,12 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing URLs in NAP Policy +# Managing URLs in F5 WAF Policy URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. ## URL Properties and Types Each URL configuration includes: -- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-policy-matching-types.md" >}}) section +- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section - `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) - `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) - `Enforcement Type`: 
@@ -44,19 +44,18 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi 1. Choose URL Type: - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching -2. Configure Basic Properties: +1. Configure Basic Properties: - Enter the `URL` path - Select allowed `Method(s)` (e.g., `GET`, `POST`, *) - Choose the `Protocol` (`HTTP`/`HTTPS`) -3. Set Enforcement: +1. Set Enforcement: - Choose whether to allow or disallow the URL - If `Allow URL` is selected, you can optionally enable attack signatures + - **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. -**⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. - -4. **Optional**: Configure Attack Signatures +1. **Optional**: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific URL - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -5. Click **Add URL** to save your configuration +1. Click **Add URL** to save your configuration From 39442b55f28f16fe1c49ac4d70f2d088b41391b2 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Fri, 3 Oct 2025 11:23:04 -0700 Subject: [PATCH 10/22] reassign weights for pages --- content/nginx-one/nap-integration/add-cookies.md | 2 +- content/nginx-one/nap-integration/add-parameters.md | 2 +- content/nginx-one/nap-integration/add-urls.md | 2 +- content/nginx-one/nap-integration/advanced-configurations.md | 2 +- content/nginx-one/nap-integration/deploy-policy.md | 2 +- content/nginx-one/nap-integration/security-policy-api.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index 5edd31d4e..bdc379703 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md 
@@ -1,6 +1,6 @@ --- title: "Add cookies" -weight: 350 +weight: 400 toc: true nd-content-type: how-to nd-product: NGINX One Console diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index bebaf3e3f..dbc3b37dd 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md @@ -1,6 +1,6 @@ --- title: "Add parameters" -weight: 350 +weight: 400 toc: true nd-content-type: how-to nd-product: NGINX One Console diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index 1b780c57a..a2f089f59 100644 --- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -1,6 +1,6 @@ --- title: "Add urls" -weight: 350 +weight: 400 toc: true nd-content-type: how-to nd-product: NGINX One Console diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md index fd3f9972d..eb62853e2 100644 --- a/content/nginx-one/nap-integration/advanced-configurations.md +++ b/content/nginx-one/nap-integration/advanced-configurations.md @@ -1,6 +1,6 @@ --- title: "Advanced configuration for NAP policies" -weight: 350 +weight: 700 toc: true nd-content-type: how-to nd-product: NGINX One Console diff --git a/content/nginx-one/nap-integration/deploy-policy.md b/content/nginx-one/nap-integration/deploy-policy.md index 884c1a86f..0699937f6 100644 --- a/content/nginx-one/nap-integration/deploy-policy.md +++ b/content/nginx-one/nap-integration/deploy-policy.md @@ -2,7 +2,7 @@ # We use sentence case and present imperative tone title: "Deploy policy" # Weights are assigned in increments of 100: determines sorting order -weight: 400 +weight: 600 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this 
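Review bot: After this reassignment add-cookies.md, add-parameters.md and add-urls.md all carry `weight: 400`, while the comment kept in the deploy-policy.md front matter says weights are "assigned in increments of 100" and determine sorting order. With equal weights the relative order of those three pages is not set by this field, and 500 is left unused. If a specific order is intended, give each page its own value and shift the later pages accordingly.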
diff --git a/content/nginx-one/nap-integration/security-policy-api.md b/content/nginx-one/nap-integration/security-policy-api.md index 3a9b91d36..8677cc480 100644 --- a/content/nginx-one/nap-integration/security-policy-api.md +++ b/content/nginx-one/nap-integration/security-policy-api.md @@ -1,6 +1,6 @@ --- title: "Set security policies through the API" -weight: 700 +weight: 800 toc: true type: reference product: NGINX One From b6f6f366c6648cfcddf60bdef96d2baf6adaba37 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Fri, 3 Oct 2025 11:33:53 -0700 Subject: [PATCH 11/22] update links to doc ref --- content/nginx-one/nap-integration/add-cookies.md | 2 +- content/nginx-one/nap-integration/add-parameters.md | 2 +- content/nginx-one/nap-integration/add-urls.md | 2 +- content/nginx-one/nap-integration/security-policy-api.md | 2 +- .../nap-integration}/waf-policy-matching-types.md | 8 ++++++++ 5 files changed, 12 insertions(+), 4 deletions(-) rename content/{includes/nginx-one => nginx-one/nap-integration}/waf-policy-matching-types.md (89%) diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index bdc379703..3aecf8abe 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md 
@@ -11,7 +11,7 @@ Cookies can be configured and managed directly within the policy editor by selec ## Cookie Properties and Types Each cookie configuration includes: -- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section. +- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. - `Cookie Name`: The name of the cookie to be monitored or protected - `Enforcement Type`: - **Allow**: Permits the cookie with optional attack signature checks diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index dbc3b37dd..f798df387 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md @@ -11,7 +11,7 @@ Parameters can be configured and managed directly within the policy editor by se ## Parameter Properties and Types Each parameter configuration includes: -- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section. +- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. - `Name`: The name of the parameter - `Location`: Where the parameter is expected (URL query string, POST data, etc.) - `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index a2f089f59..bd2967a6e 100644 
--- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -11,7 +11,7 @@ URLs can be configured and managed directly within the policy editor by selectin ## URL Properties and Types Each URL configuration includes: -- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/waf-policy-matching-types.md" >}}) section +- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. - `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) - `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) - `Enforcement Type`: diff --git a/content/nginx-one/nap-integration/security-policy-api.md b/content/nginx-one/nap-integration/security-policy-api.md index 8677cc480..fd42248cd 100644 --- a/content/nginx-one/nap-integration/security-policy-api.md +++ b/content/nginx-one/nap-integration/security-policy-api.md @@ -1,6 +1,6 @@ --- title: "Set security policies through the API" -weight: 800 +weight: 900 toc: true type: reference product: NGINX One diff --git a/content/includes/nginx-one/waf-policy-matching-types.md b/content/nginx-one/nap-integration/waf-policy-matching-types.md similarity index 89% rename from content/includes/nginx-one/waf-policy-matching-types.md rename to content/nginx-one/nap-integration/waf-policy-matching-types.md index b99ca80c8..159d7f5ea 100644 --- a/content/includes/nginx-one/waf-policy-matching-types.md +++ b/content/nginx-one/nap-integration/waf-policy-matching-types.md 
@@ -1,3 +1,11 @@ +--- +title: "Matching types: Explicit vs Wildcard" +weight: 800 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + # Matching Types: Explicit vs Wildcard In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways: From 1691ef3d0da2651a09041824c66e0be40cbe9232 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Fri, 3 Oct 2025 11:44:10 -0700 Subject: [PATCH 12/22] remove unnecessary top-level titles --- content/nginx-one/nap-integration/add-cookies.md | 1 - content/nginx-one/nap-integration/add-parameters.md | 1 - content/nginx-one/nap-integration/add-urls.md | 1 - content/nginx-one/nap-integration/advanced-configurations.md | 2 -- content/nginx-one/nap-integration/waf-policy-matching-types.md | 2 -- 5 files changed, 7 deletions(-) diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index 3aecf8abe..85e3eeba8 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md @@ -6,7 +6,6 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing Cookies in F5 WAF Policy Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. ## Cookie Properties and Types diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index f798df387..06132e8b3 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md @@ -6,7 +6,6 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing Parameters in F5 WAF Policy Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. ## Parameter Properties and Types diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index bd2967a6e..cb2013e6a 100644 
--- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -6,7 +6,6 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Managing URLs in F5 WAF Policy URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. ## URL Properties and Types diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md index eb62853e2..7dcf4147f 100644 --- a/content/nginx-one/nap-integration/advanced-configurations.md +++ b/content/nginx-one/nap-integration/advanced-configurations.md @@ -6,8 +6,6 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Advanced Configuration for NAP Policies - This document consolidates advanced configuration options for parameters, URLs, and cookies in NGINX App Protect (NAP) policies. These configurations allow for fine-tuning security settings to meet specific application requirements. By centralizing these options, this guide provides a unified reference for creating granular and robust security policies. ## Shared Advanced Configuration Options diff --git a/content/nginx-one/nap-integration/waf-policy-matching-types.md b/content/nginx-one/nap-integration/waf-policy-matching-types.md index 159d7f5ea..2ca09640b 100644 --- a/content/nginx-one/nap-integration/waf-policy-matching-types.md +++ b/content/nginx-one/nap-integration/waf-policy-matching-types.md @@ -6,8 +6,6 @@ nd-content-type: how-to nd-product: NGINX One Console --- -# Matching Types: Explicit vs Wildcard - In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways: ## Explicit Matching From 6ddd4a4a98987bce7aa023e41249e6bbea31c78d Mon Sep 17 00:00:00 2001 
From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:32:54 -0700 Subject: [PATCH 13/22] Update content/nginx-one/nap-integration/add-cookies.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-cookies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md index 85e3eeba8..1eb6306ef 100644 --- a/content/nginx-one/nap-integration/add-cookies.md +++ b/content/nginx-one/nap-integration/add-cookies.md @@ -56,4 +56,4 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - If enabled, you can overwrite attack signatures for this specific cookie - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -1. Click **Add Cookie** to save your configuration +1. Select **Add Cookie** to save your configuration From e3498d1095c71023e41d23a91ecdbc3ad735c488 Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:33:23 -0700 Subject: [PATCH 14/22] Update content/nginx-one/nap-integration/add-urls.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-urls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index cb2013e6a..4b4044bf3 100644 --- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md 
@@ -57,4 +57,4 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - If enabled, you can overwrite attack signatures for this specific URL - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -1. Click **Add URL** to save your configuration +1. Select **Add URL** to save your configuration From 9b94e6e0e78ac58f95513ae0a205322e2e7f2aa5 Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:33:31 -0700 Subject: [PATCH 15/22] Update content/nginx-one/nap-integration/add-parameters.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index 06132e8b3..6a49de71b 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md @@ -21,7 +21,7 @@ Each parameter configuration includes: For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. ## Parameter Violations -Click on **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters: +Select **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters: - `VIOL_PARAMETER`: Triggered when an illegal parameter is detected - `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal From 74107950b731238f01f6f35a3d932650387463ff Mon Sep 17 00:00:00 2001 
From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:35:53 -0700 Subject: [PATCH 16/22] Update content/nginx-one/nap-integration/add-parameters.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-parameters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md index 6a49de71b..911710407 100644 --- a/content/nginx-one/nap-integration/add-parameters.md +++ b/content/nginx-one/nap-integration/add-parameters.md @@ -63,4 +63,4 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - If enabled, you can overwrite attack signatures for this specific parameter - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) -1. Click **Add Parameter** to save your configuration +1. Select **Add Parameter** to save your configuration From 352cc00895ecb64b181d45d1beeecb6e1b096ce4 Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:36:03 -0700 Subject: [PATCH 17/22] Update content/nginx-one/nap-integration/add-signature-sets.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-signature-sets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index 22688958d..cf72f92af 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md 
@@ -29,7 +29,7 @@ A **signature exception** allows you to explicitly enable or disable individual From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: 1. In **General Settings**, name and describe the policy. -1. Navigate to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: +1. Go to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: - View all enabled attack signature sets, including the default ones - Add new signature sets - Modify existing signature sets From 7135341d326e55e5ba979d81541ced693f05c7ba Mon Sep 17 00:00:00 2001 From: Sylvia Wang <139922338+sylwang@users.noreply.github.com> Date: Fri, 3 Oct 2025 15:36:10 -0700 Subject: [PATCH 18/22] Update content/nginx-one/nap-integration/add-urls.md Co-authored-by: Travis Martin <33876974+travisamartin@users.noreply.github.com> --- content/nginx-one/nap-integration/add-urls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md index 4b4044bf3..a128fde63 100644 --- a/content/nginx-one/nap-integration/add-urls.md +++ b/content/nginx-one/nap-integration/add-urls.md @@ -23,7 +23,7 @@ Each URL configuration includes: For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. ## URL Violations -Click on **Edit Configuration** to configure URL violations. The following violations can be configured for URLs: +Select **Edit Configuration** to configure URL violations. The following violations can be configured for URLs: - `VIOL_URL`: Triggered when an illegal URL is accessed - `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type From 9fcbf4ef21b7b626494fc53eba496c97b1bc1f29 Mon Sep 17 00:00:00 2001 
From: Sylvia Wang Date: Mon, 6 Oct 2025 14:04:31 -0700 Subject: [PATCH 19/22] address feedback --- .../nginx-one/nap-integration/add-cookies.md | 59 ------ .../nap-integration/add-parameters.md | 66 ------- content/nginx-one/nap-integration/add-urls.md | 60 ------ .../nap-integration/cookies-params-urls.md | 173 ++++++++++++++++++ .../nap-integration/review-policy.md | 2 +- 5 files changed, 174 insertions(+), 186 deletions(-) delete mode 100644 content/nginx-one/nap-integration/add-cookies.md delete mode 100644 content/nginx-one/nap-integration/add-parameters.md delete mode 100644 content/nginx-one/nap-integration/add-urls.md create mode 100644 content/nginx-one/nap-integration/cookies-params-urls.md diff --git a/content/nginx-one/nap-integration/add-cookies.md b/content/nginx-one/nap-integration/add-cookies.md deleted file mode 100644 index 1eb6306ef..000000000 --- a/content/nginx-one/nap-integration/add-cookies.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: "Add cookies" -weight: 400 -toc: true -nd-content-type: how-to -nd-product: NGINX One Console ---- - -Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. - -## Cookie Properties and Types -Each cookie configuration includes: -- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. -- `Cookie Name`: The name of the cookie to be monitored or protected -- `Enforcement Type`: - - **Allow**: Permits the cookie with optional attack signature checks - - **Disallow**: Blocks the use of the cookie entirely -- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable -- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy - -**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. - -For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. - -## Cookie Violations -Click on **Edit Configuration** to configure cookie violations. 
The following violations can be configured for cookies: - -- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired -- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit -- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant -- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with - -For each violation type, you can: -- Set the enforcement action -- Toggle `alarm` and `block` settings - -For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. - -See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. - -# Adding a Cookie to Your Policy - -1. Choose Cookie Type: - - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching - -1. Configure Basic Properties: - - Enter the `Cookie Name` - - Choose whether to mask the cookie value in logs - -1. Set Enforcement: - - Choose whether to allow or disallow the cookie - - If `Allow Cookie` is selected, you can optionally enable attack signatures - - **⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. - -1. Optional: Configure Attack Signatures - - If enabled, you can overwrite attack signatures for this specific cookie - - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) - -1. Select **Add Cookie** to save your configuration diff --git a/content/nginx-one/nap-integration/add-parameters.md b/content/nginx-one/nap-integration/add-parameters.md deleted file mode 100644 index 911710407..000000000 --- a/content/nginx-one/nap-integration/add-parameters.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: "Add parameters" -weight: 400 -toc: true -nd-content-type: how-to -nd-product: NGINX One Console ---- - -Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. - -## Parameter Properties and Types -Each parameter configuration includes: -- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. -- `Name`: The name of the parameter -- `Location`: Where the parameter is expected (URL query string, POST data, etc.) -- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) -- `Attack Signatures`: Whether attack signature checking is enabled for this parameter -- `Mask Value in Logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy - - -For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. - -## Parameter Violations -Select **Edit Configuration** to configure parameter violations. 
The following violations can be configured for parameters: - -- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected -- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal -- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configuration -- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be -- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location -- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name -- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range -- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally -- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configuration -- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits -- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value -- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern - -For each violation type, you can: -- Set the enforcement action -- Toggle `alarm` and `block` settings - -For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. - -See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. - -# Adding a Parameter to Your Policy - -1. Choose Parameter Type: - - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching - -1. Configure Basic Properties: - - Enter the parameter `Name` - - Select the `Location` where the parameter is expected - - Choose the `Value Type` (alpha-numeric, integer, email, etc.) - - Set the `Data Type` if applicable - -1. 
Set Security Options: - - Choose whether to enable attack signatures - - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) - -1. Optional: Configure Attack Signatures - - If enabled, you can overwrite attack signatures for this specific parameter - - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) - -1. Select **Add Parameter** to save your configuration diff --git a/content/nginx-one/nap-integration/add-urls.md b/content/nginx-one/nap-integration/add-urls.md deleted file mode 100644 index a128fde63..000000000 --- a/content/nginx-one/nap-integration/add-urls.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -title: "Add urls" -weight: 400 -toc: true -nd-content-type: how-to -nd-product: NGINX One Console ---- - -URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. - -## URL Properties and Types -Each URL configuration includes: -- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. -- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) -- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) -- `Enforcement Type`: - - **Allow**: Permits access to the URL with optional attack signature checks - - **Disallow**: Blocks access to the URL entirely -- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable - -**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. - -For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. - -## URL Violations -Select **Edit Configuration** to configure URL violations. 
The following violations can be configured for URLs: - -- `VIOL_URL`: Triggered when an illegal URL is accessed -- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type -- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit -- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL - -For each violation type, you can: -- Set the enforcement action -- Toggle `alarm` and `block` settings - -For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. - -See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. - -# Adding a URL to Your Policy - -1. Choose URL Type: - - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching - -1. Configure Basic Properties: - - Enter the `URL` path - - Select allowed `Method(s)` (e.g., `GET`, `POST`, *) - - Choose the `Protocol` (`HTTP`/`HTTPS`) - -1. Set Enforcement: - - Choose whether to allow or disallow the URL - - If `Allow URL` is selected, you can optionally enable attack signatures - - **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. - -1. **Optional**: Configure Attack Signatures - - If enabled, you can overwrite attack signatures for this specific URL - - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) - -1. Select **Add URL** to save your configuration diff --git a/content/nginx-one/nap-integration/cookies-params-urls.md b/content/nginx-one/nap-integration/cookies-params-urls.md new file mode 100644 index 000000000..9033d575e --- /dev/null +++ b/content/nginx-one/nap-integration/cookies-params-urls.md 
@@ -0,0 +1,173 @@ +--- +title: "Add cookies, parameters and urls" +weight: 400 +toc: true +nd-content-type: how-to +nd-product: NGINX One Console +--- + +# Add cookies +Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. + +## Cookie properties and types +Each cookie configuration includes: +- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. +- `Cookie Name`: The name of the cookie to be monitored or protected +- `Enforcement Type`: + - **Allow**: Permits the cookie with optional attack signature checks + - **Disallow**: Blocks the use of the cookie entirely +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable +- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy + +**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + +For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. + +## Cookie violations +Click on **Edit Configuration** to configure cookie violations. 
The following violations can be configured for cookies: + +- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired +- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit +- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant +- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +# Adding a cookie to your policy + +1. Choose Cookie Type: + - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the `Cookie Name` + - Choose whether to mask the cookie value in logs + +1. Set Enforcement: + - Choose whether to allow or disallow the cookie + - If `Allow Cookie` is selected, you can optionally enable attack signatures + - **⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. + +1. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific cookie + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. Select **Add Cookie** to save your configuration + +# Add parameters +Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. + +## Parameter properties and types +Each parameter configuration includes: +- `Parameter Type`: `Explicit` or `Wildcard`. 
For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. +- `Name`: The name of the parameter +- `Location`: Where the parameter is expected (URL query string, POST data, etc.) +- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) +- `Attack Signatures`: Whether attack signature checking is enabled for this parameter +- `Mask Value in Logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy + +For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. + +## Parameter violations +Select **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters: + +- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected +- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal +- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configuration +- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be +- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location +- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name +- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range +- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally +- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configuration +- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits +- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value +- 
`VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +# Adding a parameter to your policy + +1. Choose Parameter Type: + - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the parameter `Name` + - Select the `Location` where the parameter is expected + - Choose the `Value Type` (alpha-numeric, integer, email, etc.) + - Set the `Data Type` if applicable + +1. Set Security Options: + - Choose whether to enable attack signatures + - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) + +1. Optional: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific parameter + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. Select **Add Parameter** to save your configuration + +# Add urls +URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. + +## URL properties and types +Each URL configuration includes: +- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. +- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) 
+- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) +- `Enforcement Type`: + - **Allow**: Permits access to the URL with optional attack signature checks + - **Disallow**: Blocks access to the URL entirely +- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable + +**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + +For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. + +## URL violations +Select **Edit Configuration** to configure URL violations. The following violations can be configured for URLs: + +- `VIOL_URL`: Triggered when an illegal URL is accessed +- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type +- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit +- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL + +For each violation type, you can: +- Set the enforcement action +- Toggle `alarm` and `block` settings + +For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. + +See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. + +# Adding a URL to your policy + +1. Choose URL Type: + - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching + +1. Configure Basic Properties: + - Enter the `URL` path + - Select allowed `Method(s)` (e.g., `GET`, `POST`, *) + - Choose the `Protocol` (`HTTP`/`HTTPS`) + +1. 
Set Enforcement: + - Choose whether to allow or disallow the URL + - If `Allow URL` is selected, you can optionally enable attack signatures + - **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. + +1. **Optional**: Configure Attack Signatures + - If enabled, you can overwrite attack signatures for this specific URL + - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}}) + +1. Select **Add URL** to save your configuration diff --git a/content/nginx-one/nap-integration/review-policy.md b/content/nginx-one/nap-integration/review-policy.md index faa0ea47a..747b4ae82 100644 --- a/content/nginx-one/nap-integration/review-policy.md +++ b/content/nginx-one/nap-integration/review-policy.md @@ -2,7 +2,7 @@ # We use sentence case and present imperative tone title: "Review policy" # Weights are assigned in increments of 100: determines sorting order -weight: 300 +weight: 500 # Creates a table of contents and sidebar, useful for large documents toc: false # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this From fa2dedcb15a10c80b09986c1794f6c157b401acf Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Mon, 6 Oct 2025 14:16:48 -0700 Subject: [PATCH 20/22] change headings --- content/nginx-one/nap-integration/cookies-params-urls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/nginx-one/nap-integration/cookies-params-urls.md b/content/nginx-one/nap-integration/cookies-params-urls.md index 9033d575e..1a50ab3f7 100644 --- a/content/nginx-one/nap-integration/cookies-params-urls.md +++ b/content/nginx-one/nap-integration/cookies-params-urls.md 
@@ -39,7 +39,7 @@ For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -# Adding a cookie to your policy +## Adding a cookie to your policy 1. Choose Cookie Type: - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching @@ -97,7 +97,7 @@ For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -# Adding a parameter to your policy +## Adding a parameter to your policy 1. Choose Parameter Type: - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching @@ -151,7 +151,7 @@ For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -# Adding a URL to your policy +## Adding a URL to your policy 1. Choose URL Type: - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching From 1fec602675cea37bc3f561b74bd6aa5f2279aeed Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Tue, 7 Oct 2025 11:55:02 -0700 Subject: [PATCH 21/22] address feedback --- .../nap-integration/add-signature-sets.md | 58 +------------ .../advanced-configurations.md | 39 --------- .../nap-integration/cookies-params-urls.md | 82 +++++++++++-------- content/nginx-one/nap-integration/overview.md | 2 +- .../nap-integration/review-policy.md | 1 - .../nap-integration/security-policy-api.md | 2 +- .../waf-policy-matching-types.md | 4 +- 7 files changed, 59 insertions(+), 129 deletions(-) delete mode 100644 content/nginx-one/nap-integration/advanced-configurations.md 
diff --git a/content/nginx-one/nap-integration/add-signature-sets.md b/content/nginx-one/nap-integration/add-signature-sets.md index cf72f92af..b56ff66b8 100644 --- a/content/nginx-one/nap-integration/add-signature-sets.md +++ b/content/nginx-one/nap-integration/add-signature-sets.md @@ -29,7 +29,7 @@ A **signature exception** allows you to explicitly enable or disable individual From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: 1. In **General Settings**, name and describe the policy. -1. Go to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: +1. Go to the **Web Protection** section and select **Attack Signature Sets**. Here, you can: - View all enabled attack signature sets, including the default ones - Add new signature sets - Modify existing signature sets @@ -99,7 +99,7 @@ To remove a signature set from your policy, you have two options: ## Add signature exceptions -From the **Web Protection** tab, select **Attack Signature Exceptions**. This section allows you to override settings for individual signatures. +From the **Web Protection** section, select **Attack Signature Exceptions**. This allows you to override settings for individual signatures. 1. Click **Add Item** to create a new exception. 1. Select the signature(s) you want to modify. 
@@ -117,61 +117,11 @@ From the **Web Protection** tab, select **Attack Signature Exceptions**. This se } ``` -### Advanced exception configuration - -For more complex scenarios, you can use the `modifications` section: - -```json -{ - "modifications": [ - { - "entityChanges": { - "enabled": false - }, - "entity": { - "signatureId": 200001834 - }, - "entityType": "signature", - "action": "add-or-update" - } - ] -} -``` - -To exclude multiple signatures, add each as a separate entity: - -```json -{ - "modifications": [ - { - "entityChanges": { - "enabled": false - }, - "entity": { - "signatureId": 200001834 - }, - "entityType": "signature", - "action": "add-or-update" - }, - { - "entityChanges": { - "enabled": false - }, - "entity": { - "signatureId": 200004461 - }, - "entityType": "signature", - "action": "add-or-update" - } - ] -} -``` - -## Save and deploy your policy +## Add and deploy your policy After configuring signature sets and exceptions: -1. Select **Save Policy**. The policy JSON will be updated with your changes. +1. Select **Add Policy**. The policy JSON will be updated with your changes. 1. Your policy will appear in the list under the name you provided. 1. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either: - An instance diff --git a/content/nginx-one/nap-integration/advanced-configurations.md b/content/nginx-one/nap-integration/advanced-configurations.md deleted file mode 100644 index 7dcf4147f..000000000 --- a/content/nginx-one/nap-integration/advanced-configurations.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: "Advanced configuration for NAP policies" -weight: 700 -toc: true -nd-content-type: how-to -nd-product: NGINX One Console ---- - -This document consolidates advanced configuration options for parameters, URLs, and cookies in NGINX App Protect (NAP) policies. These configurations allow for fine-tuning security settings to meet specific application requirements. By centralizing these options, this guide provides a unified reference for creating granular and robust security policies. - -## Shared Advanced Configuration Options - -The following advanced configuration options are common to parameters, URLs, and cookies: - -- **Length Restrictions**: Define maximum allowable lengths to prevent excessively long inputs that could indicate malicious activity. -- **Meta Character Overrides**: Specify allowed or disallowed meta characters to ensure compliance with application-specific requirements. -- **Custom Signature Sets**: Apply custom signature sets to tailor attack detection mechanisms for specific use cases. - -## Parameter-Specific Configuration Options - -In addition to the shared options, parameters support the following advanced configurations: - -- **Regular Expression Patterns**: Use regex patterns to validate parameter values against expected formats, enhancing security and reducing false positives. -- **Static Value Constraints**: Set fixed values for parameters to enforce strict compliance with predefined rules. -- **Numeric Value Ranges**: Define acceptable numeric ranges for parameters to prevent out-of-bound values. - -## URL-Specific Configuration Options - -In addition to the shared options, URLs support the following advanced configurations: - -- **Content Type Profiles**: Configure content type profiles (e.g., JSON, XML, form-data) to validate request payloads. 
- -## Cookie-Specific Configuration Options - -In addition to the shared options, cookies support the following advanced configurations: - -- **Mask Value in Logs**: Enable masking of cookie values in logs for enhanced security and privacy. - -These configurations help create a more granular and specific security policy for your application. For detailed instructions on implementing these options, refer to the [Policy Parameter Reference]({{< ref "/waf/policies/parameter-reference.md" >}}). diff --git a/content/nginx-one/nap-integration/cookies-params-urls.md b/content/nginx-one/nap-integration/cookies-params-urls.md index 1a50ab3f7..394866cb3 100644 --- a/content/nginx-one/nap-integration/cookies-params-urls.md +++ b/content/nginx-one/nap-integration/cookies-params-urls.md @@ -1,5 +1,5 @@ --- -title: "Add cookies, parameters and urls" +title: "Add cookies, parameters and URLs" weight: 400 toc: true nd-content-type: how-to 
@@ -7,24 +7,25 @@ nd-product: NGINX One Console --- # Add cookies -Cookies can be configured and managed directly within the policy editor by selecting the **Cookies** option. + +Cookie protections can be configured and managed directly within the policy editor by selecting the **Cookies** option. ## Cookie properties and types + Each cookie configuration includes: - `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. - `Cookie Name`: The name of the cookie to be monitored or protected - `Enforcement Type`: - - **Allow**: Permits the cookie with optional attack signature checks - - **Disallow**: Blocks the use of the cookie entirely + - **Allow**: Specifies that this cookie may be changed by the client. The cookie is not protected from modification + - **Enforce**: Specifies that this cookie may not be changed by the client - `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable -- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy - -**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. +- `Mask value in logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. ## Cookie violations -Click on **Edit Configuration** to configure cookie violations. The following violations can be configured for cookies: + +Select **Edit Configuration** to configure cookie violations. 
The following violations can be configured for cookies: - `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired - `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit @@ -33,13 +34,13 @@ Click on **Edit Configuration** to configure cookie violations. The following vi For each violation type, you can: - Set the enforcement action -- Toggle `alarm` and `block` settings +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -## Adding a cookie to your policy +## Add a cookie to your policy 1. Choose Cookie Type: - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching @@ -48,10 +49,8 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - Enter the `Cookie Name` - Choose whether to mask the cookie value in logs -1. Set Enforcement: - - Choose whether to allow or disallow the cookie - - If `Allow Cookie` is selected, you can optionally enable attack signatures - - **⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. +1. Set Enforcement Type: + - Choose either `Allow` or `Enforce` 1. Optional: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific cookie 
@@ -60,56 +59,66 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi 1. Select **Add Cookie** to save your configuration # Add parameters -Parameters can be configured and managed directly within the policy editor by selecting the **Parameters** option. + +Parameter protections can be configured and managed directly within the policy editor by selecting the **Parameters** option. ## Parameter properties and types + Each parameter configuration includes: - `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. -- `Name`: The name of the parameter +- `Parameter Name`: The name of the parameter - `Location`: Where the parameter is expected (URL query string, POST data, etc.) - `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email) - `Attack Signatures`: Whether attack signature checking is enabled for this parameter -- `Mask Value in Logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy +- `Mask value in logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy. This sets `sensitiveParameter` property of the parameter item. -For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. +For a complete list of configurable parameter properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. ## Parameter violations + Select **Edit Configuration** to configure parameter violations. 
The following violations can be configured for parameters: - `VIOL_PARAMETER`: Triggered when an illegal parameter is detected - `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal -- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configuration +- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configured security policy - `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be - `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location +- `VIOL_PARAMETER_MULTIPART_NULL_VALUE`: Triggered when the multi-part request has a parameter value that contains the NULL character (0x00) - `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name - `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range - `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally -- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configuration +- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configured security policy +- `VIOL_PARAMETER_VALUE_BASE64`: Triggered when the value is not a valid Base64 string - `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits - `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value - `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern For each violation type, you can: - Set the enforcement action -- Toggle `alarm` and `block` settings +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. 
See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -## Adding a parameter to your policy +## Add a parameter to your policy 1. Choose Parameter Type: - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching 1. Configure Basic Properties: - - Enter the parameter `Name` + - Enter the parameter `Parameter Name` - Select the `Location` where the parameter is expected - Choose the `Value Type` (alpha-numeric, integer, email, etc.) - Set the `Data Type` if applicable 1. Set Security Options: - Choose whether to enable attack signatures + + {{< call-out "important" >}} + Attack Signatures are only applicable when the Value Type is `User Input` or `Array` **and** the Data Type is either `Alphanumeric` or `Binary` + {{< /call-out >}} + - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) 1. Optional: Configure Attack Signatures 
@@ -118,24 +127,29 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi 1. Select **Add Parameter** to save your configuration -# Add urls -URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. +# Add URLs + +URL protections can be configured and managed directly within the policy editor by selecting the **URLs** option. ## URL properties and types + Each URL configuration includes: - `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. -- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) +- `Method`: Specifies the HTTP method(s) for the URL (`GET`, `POST`, `PUT`, etc.) - `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`) - `Enforcement Type`: - **Allow**: Permits access to the URL with optional attack signature checks - **Disallow**: Blocks access to the URL entirely - `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable -**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. +{{< call-out "important" >}} +**⚠️ Important:** Attack Signatures are automatically shown as "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. +{{< /call-out >}} For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. ## URL violations + Select **Edit Configuration** to configure URL violations. The following violations can be configured for URLs: - `VIOL_URL`: Triggered when an illegal URL is accessed 
@@ -145,26 +159,30 @@ Select **Edit Configuration** to configure URL violations. The following violati For each violation type, you can: - Set the enforcement action -- Toggle `alarm` and `block` settings +- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. -## Adding a URL to your policy +## Add a URL to your policy 1. Choose URL Type: - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching 1. Configure Basic Properties: - - Enter the `URL` path - - Select allowed `Method(s)` (e.g., `GET`, `POST`, *) + - Enter the `URL` path (e.g., `/index.html`, `/api/data`) + - The URL path must start with `/` + - Select HTTP `Method(s)` (e.g., `GET`, `POST`, *) - Choose the `Protocol` (`HTTP`/`HTTPS`) 1. Set Enforcement: - Choose whether to allow or disallow the URL - If `Allow URL` is selected, you can optionally enable attack signatures - - **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. + + {{< call-out "important" >}} + **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. + {{< call-out "important" >}} 1. **Optional**: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific URL diff --git a/content/nginx-one/nap-integration/overview.md b/content/nginx-one/nap-integration/overview.md index 15b95eaff..3e9459772 100644 --- a/content/nginx-one/nap-integration/overview.md +++ b/content/nginx-one/nap-integration/overview.md 
@@ -43,4 +43,4 @@ F5 WAF for NGINX has specific requirements for the configuration with Docker con - You'll need to set a policy bundle (in compressed tar format) in a configured `volume`. - Make sure the directory for [NGINX Agent]({{< ref "/agent/configuration/" >}}) includes `/etc/nginx/app_protect_policies`. -When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance. +When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance. diff --git a/content/nginx-one/nap-integration/review-policy.md b/content/nginx-one/nap-integration/review-policy.md index 747b4ae82..e49073048 100644 --- a/content/nginx-one/nap-integration/review-policy.md +++ b/content/nginx-one/nap-integration/review-policy.md @@ -37,4 +37,3 @@ From the NGINX One Console, you can also manage existing policies. In the Polici {{< call-out "note" >}} If you use **Save As** to create a new policy, include the `app_protect_cookie_seed` [directive]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#directives" >}}). {{< /call-out >}} - diff --git a/content/nginx-one/nap-integration/security-policy-api.md b/content/nginx-one/nap-integration/security-policy-api.md index fd42248cd..8677cc480 100644 --- a/content/nginx-one/nap-integration/security-policy-api.md +++ b/content/nginx-one/nap-integration/security-policy-api.md @@ -1,6 +1,6 @@ --- title: "Set security policies through the API" -weight: 900 +weight: 800 toc: true type: reference product: NGINX One diff --git a/content/nginx-one/nap-integration/waf-policy-matching-types.md b/content/nginx-one/nap-integration/waf-policy-matching-types.md index 2ca09640b..6fd4da489 100644 --- a/content/nginx-one/nap-integration/waf-policy-matching-types.md +++ b/content/nginx-one/nap-integration/waf-policy-matching-types.md 
@@ -1,6 +1,6 @@ --- title: "Matching types: Explicit vs Wildcard" -weight: 800 +weight: 700 toc: true nd-content-type: how-to nd-product: NGINX One Console @@ -9,6 +9,7 @@ nd-product: NGINX One Console In F5 WAF for NGINX (formerly known as NGINX App Protect WAF), matching can be defined in two ways: ## Explicit Matching + Explicit matching refers to direct matches to specific names or paths in your application. For example: - URLs: `/index.html`, `/api/data` - Cookies: `sessionId`, `userPrefs` @@ -17,6 +18,7 @@ Explicit matching refers to direct matches to specific names or paths in your ap Use explicit matching when you need to protect specific, known entities. ## Wildcard Matching + Wildcard matching uses patterns to match multiple similar names or paths. For example: - URLs: `/test*` matches `/test`, `/test123`, `/testing` - Cookies: `test*` matches `test`, `test123`, `testing` From 86ada3f5524deb44cca6606c83b92ac76224f574 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Tue, 7 Oct 2025 12:38:32 -0700 Subject: [PATCH 22/22] add changelog for new WAF release --- content/nginx-one/changelog.md | 13 +++++++++++++ .../nap-integration/cookies-params-urls.md | 8 +++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/content/nginx-one/changelog.md b/content/nginx-one/changelog.md index 871dd59a5..88e943bcd 100644 --- a/content/nginx-one/changelog.md +++ b/content/nginx-one/changelog.md 
@@ -30,6 +30,19 @@ h2 { Stay up-to-date with what's new and improved in the F5 NGINX One Console. +## October 6, 2025 + +### Expanded features for configuring NGINX security policies with F5 WAF + +You can now configure the following for F5 WAF policies directly in the NGINX One Console: +- [Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md" >}}) +- [Signature Exceptions]({{< ref "/nginx-one/nap-integration/add-signature-sets.md#exceptions" >}}) +- [Parameters]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-parameters" >}}) +- [URLs]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-urls" >}}) +- [Cookies]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-cookies" >}}) + +For more details, see the [F5 WAF Integration Guide ]({{< ref "/nginx-one/nap-integration/" >}}). + ## October 2, 2025 ### You can now set up config templates diff --git a/content/nginx-one/nap-integration/cookies-params-urls.md b/content/nginx-one/nap-integration/cookies-params-urls.md index 394866cb3..e4b89e47a 100644 --- a/content/nginx-one/nap-integration/cookies-params-urls.md +++ b/content/nginx-one/nap-integration/cookies-params-urls.md @@ -116,7 +116,9 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - Choose whether to enable attack signatures {{< call-out "important" >}} + Attack Signatures are only applicable when the Value Type is `User Input` or `Array` **and** the Data Type is either `Alphanumeric` or `Binary` + {{< /call-out >}} - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}}) 
@@ -143,7 +145,9 @@ Each URL configuration includes: - `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable {{< call-out "important" >}} + **⚠️ Important:** Attack Signatures are automatically shown as "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. + {{< /call-out >}} For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section. @@ -181,8 +185,10 @@ See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-vi - If `Allow URL` is selected, you can optionally enable attack signatures {{< call-out "important" >}} + **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs. - {{< call-out "important" >}} + + {{< /call-out >}} 1. **Optional**: Configure Attack Signatures - If enabled, you can overwrite attack signatures for this specific URL
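Review bot: in the `@@ -60,56 +59,66 @@` hunk of cookies-params-urls.md, the property list still describes `Value Type` as "(e.g., alpha-numeric, integer, email)", while the new call-out under "Set Security Options" says Attack Signatures apply only when the Value Type is `User Input` or `Array` and the Data Type is `Alphanumeric` or `Binary`. The two passages assign different kinds of values to the same field, and the call-out is what tells a reader whether signature checking applies to a parameter, so the terms need to match. Suggest aligning the `Value Type` examples with the call-out and adding a `Data Type` entry to the properties list, since step 2 already asks the reader to set it. Smaller wording points in the same hunk: "This sets `sensitiveParameter` property" is missing "the", "Enter the parameter `Parameter Name`" repeats itself, "Toggle" does not fit a choice between three settings (`Alarm`, `Alarm and Block`, `Disabled`), and the call-out sentence has no final period.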
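Review bot: in the `@@ -118,24 +127,29 @@` hunk of cookies-params-urls.md, the text wrapped in `{{< call-out "important" >}}` still begins with "**⚠️ Important:**", so the label is stated twice, once by the shortcode and once inline. Suggest dropping the inline prefix and starting the call-out body at "Attack Signatures are automatically shown as ...". The parameter call-out added earlier in this patch has no such prefix, so removing it here also makes the two consistent.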
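Review bot: in the `@@ -145,26 +159,30 @@` hunk of cookies-params-urls.md, the call-out under "Set Enforcement" is closed with a second `{{< call-out "important" >}}` instead of `{{< /call-out >}}`, which leaves the shortcode unclosed in this commit. Patch 22/22 corrects it, but that fix sits in a commit titled "add changelog for new WAF release"; suggest squashing it into this change so every commit in the series has a well-formed page. In the same hunk, the bare `*` in "(e.g., `GET`, `POST`, *)" should be in backticks like the other method values so Markdown does not read it as emphasis.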
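Review bot: in the security-policy-api.md hunk (`@@ -1,6 +1,6 @@`), the front matter being edited uses `type: reference` and `product: NGINX One`, while waf-policy-matching-types.md in the next hunk uses `nd-content-type` and `nd-product`. Since this change already touches the front matter to reorder `weight`, consider moving this file to the `nd-` keys at the same time, or note why it is left as is. Separately, the removed and added lines in the overview.md hunk (`@@ -43,4 +43,4 @@`) read identically, so that appears to be a whitespace-only change; worth confirming it is intended.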
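Review bot: in the changelog.md hunk (`@@ -30,6 +30,19 @@`), the Signature Sets and Signature Exceptions links point to `/nginx-one/nap-integration/add-signature-sets.md`, but patch 01/22 of this series creates `content/nginx-one/nap-integration/signature-sets.md`. Unless the file is renamed in a patch not shown here, these two `ref` targets will not resolve. Please check the path, and also that an `#exceptions` anchor exists on that page; the heading visible in patch 01/22 is "Signature Exception". Minor: the link text "[F5 WAF Integration Guide ]" has a trailing space inside the brackets.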