From e6dc2ac1811e4a27e750d887516074d110b33e41 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 17 Oct 2025 11:39:18 +0100 Subject: [PATCH 1/3] Add the security log bundle to the NIC/NIM WAF integration --- .../compile-waf-policies.md | 50 ++++++++++++------- .../appprotect-compiler-version.html | 1 + 2 files changed, 34 insertions(+), 17 deletions(-) create mode 100644 layouts/shortcodes/appprotect-compiler-version.html diff --git a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md index c7ba92fc3..ad6efbaf9 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md +++ b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md @@ -105,7 +105,7 @@ Create the file `security-policy-bundles.json`: { "bundles": [ { - "appProtectWAFVersion": "4.815.0", + "appProtectWAFVersion": "{{< appprotect-compiler-version >}}", "policyName": "Nginxbundletest", "policyUID": "", "attackSignatureVersionDateTime": "latest", @@ -137,7 +137,7 @@ You should receive a response similar to the following: }, "content": "", "metadata": { - "appProtectWAFVersion": "4.815.0", + "appProtectWAFVersion": "{{< appprotect-compiler-version >}}", "attackSignatureVersionDateTime": "2024.02.21", "created": "2024-06-12T13:28:20.023775785-07:00", "modified": "2024-06-12T13:28:20.023775785-07:00", @@ -167,7 +167,7 @@ curl --location 'https://127.0.0.1/api/platform/v1/security/policies/bundles' \ }, "content": "", "metadata": { - "appProtectWAFVersion": "4.815.0", + "appProtectWAFVersion": "{{< appprotect-compiler-version >}}", "attackSignatureVersionDateTime": "2024.02.21", "created": "2024-06-13T09:09:10.809-07:00", "modified": "2024-06-13T09:09:20-07:00", 
@@ -191,7 +191,7 @@ It is one of two unique IDs we will use to download the bundle: it will be refer --- -## Download the security bundle +## Download the security policy bundle Use a GET request to download the security bundle using the policy and bundle IDs: @@ -207,6 +207,14 @@ curl -X GET -k 'https://127.0.0.1/api/platform/v1/security/policies/6af9f261-658 | jq -r '.content' | base64 -d > security-policy-bundle.tgz ``` +## Download the security log bundle + +Use a GET request to download the `secops_dashboard` security log bundle. The security log bundle adjusts the format of the policy events to be compatible with NGINX Instance Manager: + +```shell +curl -X GET "https://{NMS_FQDN}/api/platform/v1/security/logprofiles/secops_dashboard/{{< appprotect-compiler-version >}}/bundle" -H "Authorization: Bearer " | jq -r .compiledBundle | base64 -d > secops_dashboard.tgz +``` + --- ## Add volumes and volumeMounts 
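Review bot: The command added under "Download the security log bundle" pipes curl straight into `jq -r .compiledBundle | base64 -d` with no failure check, so a rejected token or a compiler version the server does not know still leaves a `secops_dashboard.tgz` on disk (jq prints `null`, which base64 decodes without complaint) that later gets copied into the pods. I would make the pipeline fail loudly: `curl --fail -sS ... | jq -er .compiledBundle | base64 -d > secops_dashboard.tgz`, run under `set -o pipefail`, followed by `tar -tzf secops_dashboard.tgz` to confirm the archive is readable before uploading. The `Authorization: Bearer ` header shows no token placeholder in this view; if the page renders that way, a named placeholder would make clear that a token is required and should not be pasted into shared shell history.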
@@ -312,11 +320,29 @@ spec: --- +## Upload the security log bundle + +Upload the security log bundle binary file to the NGINX Ingress Controller pods. + +```shell +kubectl cp /your/local/path/secops_dashboard.tgz /:etc/app_protect/bundles/secops_dashboard.tgz -c nginx-plus-ingress +``` + +## Upload the security policy bundle + +Upload the binary file to the NGINX Ingress Controller pods. + +```shell +kubectl cp /your/local/path/.tgz /:etc/app_protect/bundles.tgz -c nginx-plus-ingress +``` + +--- + ## Create WAF policy To process a bundle, you must create a new WAF policy. This policy is added to `/etc/app_protect/bundles`, allowing NGINX Ingress Controller to load it into WAF. -The example below shows the required WAF policy, and the *apBundle* and *apLogConf* fields you must use for the security bundle binary file (A tar ball). +The example below shows the required WAF policy, for the *apBundle* field you must use the [security bundle](#download-the-security-policy-bundle) binary file (a tarball). The *apLogBundle* field contains the `secops_dashboard.tgz` [file](#download-the-security-log-bundle). ```yaml apiVersion: k8s.nginx.org/v1 @@ -329,7 +355,7 @@ spec: apBundle: ".tgz" securityLogs: - enable: true - apLogBundle: ".tgz" + apLogBundle: "secops_dashboard.tgz" logDest: "" ``` @@ -358,14 +384,4 @@ spec: pass: webapp ``` ---- - -## Upload the security bundle - -To finish adding a security bundle, upload the binary file to the NGINX Ingress Controller pods. - -```shell -kubectl cp /your/local/path/.tgz /:etc/app_protect/bundles.tgz -c nginx-plus-ingress -``` - -Once the bundle has been uploaded to the cluster, NGINX Ingress Controller will detect and automatically load the new WAF policy. +Your `VirtualServer` should now apply the generated security policy to your traffic and emit security events to NGINX Instance Manager. 
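Review bot: The two upload sections added in the first hunk say the bundle goes to the NGINX Ingress Controller pods, but each `kubectl cp` command targets a single pod, so with more than one replica a pod that never received `secops_dashboard.tgz` or the policy bundle would presumably be unable to load the WAF policy that references it. I would add a sentence such as `Repeat this command for every NGINX Ingress Controller pod, unless /etc/app_protect/bundles is backed by a volume shared by all replicas.` The closing line added in the last hunk states that the policy is now applied without giving a way to confirm it; a short step to check the Policy resource's status and the controller log for bundle-load errors would catch a WAF that is silently not enforcing. The same `kubectl cp` commands are repeated in the Helm and Manifests tabs added by patch 2/3, so the sentence belongs there as well.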
diff --git a/layouts/shortcodes/appprotect-compiler-version.html b/layouts/shortcodes/appprotect-compiler-version.html new file mode 100644 index 000000000..b283499af --- /dev/null +++ b/layouts/shortcodes/appprotect-compiler-version.html @@ -0,0 +1 @@ +5.527.0 \ No newline at end of file From 5ddfbb234f38434f773216a461b0d5841c914a62 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 17 Oct 2025 12:09:26 +0100 Subject: [PATCH 2/3] Add helm/manifest tabs for upload commands --- .../compile-waf-policies.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md index ad6efbaf9..a8071e576 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md +++ b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md @@ -324,18 +324,51 @@ spec: Upload the security log bundle binary file to the NGINX Ingress Controller pods. +{{}} + +{{%tab name="Helm"%}} + +```shell +kubectl cp /your/local/path/secops_dashboard.tgz /:etc/app_protect/bundles/secops_dashboard.tgz -c nginx-ingress +``` + +{{% /tab %}} + +{{%tab name="Manifests"%}} + ```shell kubectl cp /your/local/path/secops_dashboard.tgz /:etc/app_protect/bundles/secops_dashboard.tgz -c nginx-plus-ingress ``` +{{% /tab %}} + +{{% /tabs %}} + + ## Upload the security policy bundle Upload the binary file to the NGINX Ingress Controller pods. +{{}} + +{{%tab name="Helm"%}} + +```shell +kubectl cp /your/local/path/.tgz /:etc/app_protect/bundles.tgz -c nginx-ingress +``` + +{{% /tab %}} + +{{%tab name="Manifests"%}} + ```shell kubectl cp /your/local/path/.tgz /:etc/app_protect/bundles.tgz -c nginx-plus-ingress ``` +{{% /tab %}} + +{{% /tabs %}} + --- ## Create WAF policy From b865073c4d1b548c00d57ca23ef77724edb39ef3 Mon Sep 17 00:00:00 2001 
From: Paul Abel Date: Fri, 17 Oct 2025 12:15:33 +0100 Subject: [PATCH 3/3] correct spacing --- .../integrations/app-protect-waf-v5/compile-waf-policies.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md index 79907c332..fdb8b7233 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md +++ b/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md @@ -346,7 +346,6 @@ kubectl cp /your/local/path/secops_dashboard.tgz /:etc/app {{% /tabs %}} - ## Upload the security policy bundle Upload the binary file to the NGINX Ingress Controller pods.