diff --git a/content/includes/waf/dockerfiles/alpine-oss.md b/content/includes/waf/dockerfiles/alpine-oss.md
index 6c4cb614b..9e5c9a4dc 100644
--- a/content/includes/waf/dockerfiles/alpine-oss.md
+++ b/content/includes/waf/dockerfiles/alpine-oss.md
@@ -7,8 +7,8 @@ nd-files:
```dockerfile
# syntax=docker/dockerfile:1
-# Supported OS_VER's are 3.16/3.17/3.19
-ARG OS_VER="3.19"
+# Supported OS_VER's are 3.22
+ARG OS_VER="3.22"
# Base image
FROM alpine:${OS_VER}
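Review bot: the updated comment "Supported OS_VER's are 3.22" now names a single version but keeps the plural wording, and it drops 3.16 and 3.17 along with 3.19, while the 5.10 changelog entry in this change only states that Alpine 3.19 is no longer supported. Suggest "Supported OS_VER is 3.22" and confirming that 3.16/3.17 are intentionally removed. The same comment line appears in alpine-plus.md.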
diff --git a/content/includes/waf/dockerfiles/alpine-plus.md b/content/includes/waf/dockerfiles/alpine-plus.md
index 07551a6cd..6fe7111c5 100644
--- a/content/includes/waf/dockerfiles/alpine-plus.md
+++ b/content/includes/waf/dockerfiles/alpine-plus.md
@@ -7,8 +7,8 @@ nd-files:
```dockerfile
# syntax=docker/dockerfile:1
-# Supported OS_VER's are 3.16/3.17/3.19
-ARG OS_VER="3.19"
+# Supported OS_VER's are 3.22
+ARG OS_VER="3.22"
# Base image
FROM alpine:${OS_VER}
diff --git a/content/includes/waf/policy.html b/content/includes/waf/policy.html
index 1de75add6..2fc78343a 100644
--- a/content/includes/waf/policy.html
+++ b/content/includes/waf/policy.html
@@ -3847,7 +3847,7 @@
parameters
pipe: pipe-separated values. Array color=["blue","black"] -> color=blue|black.
form: ampersand-separated values. Array color=["blue","black"] -> color=blue,black.
matrix: semicolon-prefixed values. Array color=["blue","black"] -> ;color=blue,black.
-tsv: tab-separated values. Array color=["blue","black"] -> color=blue black.
+tsv: tab-separated values. Array color=["blue","black"] -> color=bluetblack.
csv: comma-separated values. Array color=["blue","black"] -> color=blue,black.
label: dot-prefixed values. Array color=["blue","black"] -> .blue.black.
multi: multiple parameter instances rather than multiple values. Array color=["blue","black"] -> color=blue&color=black.
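Review bot: the new tsv example reads "color=bluetblack", which looks like a "\t" escape that lost its backslash somewhere in the toolchain; as rendered it shows one value, "bluetblack", not two tab-separated values. Suggest writing the separator so it survives rendering (for example "color=blue\tblack" shown literally, or a tab entity in the HTML). While touching this list, the unchanged "form: ampersand-separated values" line shows "color=blue,black", identical to the csv example, which is worth checking against its description.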
diff --git a/content/includes/waf/table-policy-features.md b/content/includes/waf/table-policy-features.md
index aba7a42b9..cf386df45 100644
--- a/content/includes/waf/table-policy-features.md
+++ b/content/includes/waf/table-policy-features.md
@@ -14,7 +14,7 @@ nd-files:
| [Brute force attack preventions]({{< ref "/waf/policies/brute-force-attacks.md" >}}) | Configure parameters to secure areas of a web application from brute force attacks. |
| [Cookie enforcement]({{< ref "/waf/policies/cookie-enforcement.md" >}}) | By default all cookies are allowed and not enforced for integrity. The user can add specific cookies, wildcards or explicit, that will be enforced for integrity. It is also possible to set the cookie attributes: HttpOnly, Secure and SameSite for cookies found in the response. |
| [Data guard]({{< ref "/waf/policies/data-guard.md" >}}) | Detects and masks Credit Card Number (CCN) and/or U.S. Social Security Number (SSN) and/or custom patterns in HTTP responses. Disabled by default. |
-| [Deny and Allow IP lists]({{< ref "/waf/policies/deny-allow-ip.md" >}}) | Manually define denied & allowed IP addresses as well as IP addresses to never log. |
+| [Deny and Allow IP lists]({{< ref "/waf/policies/deny-allow-ip.md" >}}) | **Deprecated**. See [IP address lists]({{< ref "/waf/policies/ip-address-lists.md" >}}) |
| [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to avoid inspecting or parsing a URL. |
| [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default |
| [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. |
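Review bot: the deprecated row now links to "/waf/policies/ip-address-lists.md", but nothing in this diff adds or touches that page. Hugo's ref shortcode fails the build on an unresolved target, so confirm the page already exists on the base branch. The new description also drops the closing period the other rows use, and it no longer tells the reader what the deprecated feature did; a short clause such as "Deprecated: replaced by IP address lists." would keep the row self-explanatory.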
@@ -31,6 +31,7 @@ nd-files:
| [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. |
| [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. |
| [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |
+| [User-defined browser control]({{< ref "/waf/policies/user-browers.md" >}}) | Allow or deny specific browsers, and define custom browsers |
| [User-defined HTTP headers]({{< ref "/waf/policies/user-headers.md" >}}) | Handling headers as a special part of requests |
| [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) | Use user-defined properties when configuring violations. |
| [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. |
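Review bot: the added row references "/waf/policies/user-browers.md", which reads like a misspelling of "user-browsers.md". If the file on disk is spelled correctly this ref will not resolve; if the file really is named "user-browers.md", the typo is baked into the published URL and is better fixed now. The description also lacks the closing period used by most other rows.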
diff --git a/content/includes/waf/f5-waf-for-nginx-compiler-compatibility.md b/content/includes/waf/waf-nim-compiler-support.md
similarity index 94%
rename from content/includes/waf/f5-waf-for-nginx-compiler-compatibility.md
rename to content/includes/waf/waf-nim-compiler-support.md
index 3060cd83f..687acaccc 100644
--- a/content/includes/waf/f5-waf-for-nginx-compiler-compatibility.md
+++ b/content/includes/waf/waf-nim-compiler-support.md
@@ -5,8 +5,6 @@ nd-files:
- content/nim/waf-integration/configuration/install-waf-compiler/install.md
---
-{{}}
-
| F5 WAF for NGINX version | WAF compiler version |
|---------------------------|----------------------------|
| 5.9.0 | nms-nap-compiler-v5.527.0 |
@@ -27,5 +25,3 @@ nd-files:
| 4.10.0 | nms-nap-compiler-v5.48.0 |
| 4.9.0 | nms-nap-compiler-v5.17.0 |
| 4.8.1 | nms-nap-compiler-v4.815.0 |
-
-{{}}
\ No newline at end of file
diff --git a/content/nim/waf-integration/configuration/install-waf-compiler/install-disconnected.md b/content/nim/waf-integration/configuration/install-waf-compiler/install-disconnected.md
index 18beeeb6c..87481028b 100644
--- a/content/nim/waf-integration/configuration/install-waf-compiler/install-disconnected.md
+++ b/content/nim/waf-integration/configuration/install-waf-compiler/install-disconnected.md
@@ -13,19 +13,15 @@ You can install the WAF compiler on a system without internet access by creating
- **Step 1:** Generate the WAF compiler package on a system with internet access.
- **Step 2:** Move the generated package to the offline target system and install it.
----
-
## Before you begin
{{< include "/nim/waf/nim-waf-before-you-begin.md" >}}
----
-
## WAF compiler version support
Use the table below to find the correct WAF compiler version for each release of F5 WAF for NGINX:
-{{< include "/waf/f5-waf-for-nginx-compiler-compatibility.md" >}}
+{{< include "/waf/waf-nim-compiler-support.md" >}}
{{< call-out "note" >}}
Beginning with version 5.9.0, both the virtual machine and container installation packages are categorized under the 5.x.x tag.
diff --git a/content/nim/waf-integration/configuration/install-waf-compiler/install.md b/content/nim/waf-integration/configuration/install-waf-compiler/install.md
index 5c16b08a2..9e0acb4ee 100644
--- a/content/nim/waf-integration/configuration/install-waf-compiler/install.md
+++ b/content/nim/waf-integration/configuration/install-waf-compiler/install.md
@@ -24,27 +24,21 @@ To organize instances running the same version, you can create [instance groups]
For an overview of how the compiler works, see [Security bundle compilation]({{< ref "/nim/waf-integration/overview#security-bundle" >}}).
----
-
## Before you begin
{{< include "/nim/waf/nim-waf-before-you-begin.md" >}}
----
-
## WAF compiler version support
Use the table below to find the correct WAF compiler version for each release of F5 WAF for NGINX:
-{{< include "/waf/f5-waf-for-nginx-compiler-compatibility.md" >}}
+{{< include "/waf/waf-nim-compiler-support.md" >}}
{{< call-out "note" >}}
Beginning with version 5.9.0, both the virtual machine and container installation packages are categorized under the 5.x.x tag.
Earlier releases used 4.x.x for VM packages (for example, NAP 4.15.0, NAP 4.16.0) and 5.x.x for container packages (for example, NAP 5.7.0, NAP 5.8.0).
{{< /call-out >}}
----
-
## Install the WAF compiler
{{< tabs name="install-waf-compiler" >}}
diff --git a/content/waf/changelog/2023.md b/content/waf/changelog/2023.md
new file mode 100644
index 000000000..402f23499
--- /dev/null
+++ b/content/waf/changelog/2023.md
@@ -0,0 +1,466 @@
+---
+title: "2023 archive"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: true
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: reference
+# Intended for internal catalogue and search, case sensitive:
+nd-product: F5WAFN
+---
+
+This page is an archive of changelog entries for 2023.
+
+For the current year, view [the top-level changelog]({{< ref "/waf/changelog/">}}) topic.
+
+## F5 NGINX App Protect WAF 4.7
+
+December 19, 2023
+
+In this release, F5 NGINX App Protect WAF supports NGINX Plus R31.
+
+### New Features
+
+- RHEL 9+ Support
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Alpine 3.16
+
+- app-protect-31.4.641.0-r1.apk
+
+##### Alpine 3.17
+
+- app-protect-31.4.641.0-r1.apk
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-31+4.641.0-1.el7.ngx.x86_64.rpm
+
+##### Debian 11
+
+- app-protect_31+4.641.0-1~bullseye_amd64.deb
+
+##### Oracle Linux 8.1+
+
+- app-protect-31+4.641.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-31+4.641.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 9+
+
+- app-protect-31+4.641.0-1.el9.ngx.x86_64.rpm
+
+##### Ubuntu 20.04
+
+- app-protect_31+4.641.0-1~focal_amd64.deb
+
+##### Ubuntu 22.04
+
+- app-protect_31+4.641.0-1~jammy_amd64.deb
+
+#### NGINX Plus
+
+- NGINX Plus R31
+
+### Resolved Issues
+
+- 9065 Fixed - Increasing the limit for "max_request_size" in log configuration from 2k to 10k. The default will change from "any" to 2k to maintain the old behaviour.
+- 9297 Fixed - Add new limit from `responseCheckLength` to response ingress event handling in order to reduce the memory used for buffering.
+
+### Limitation
+
+- 9992 - There is a limitation on Edwards-curve Digital Signature Algorithm (EdDSA) protocol on CentOS 7 as the Enforcer does not support this protocol on this Operating System (OS). When a JSON Web Token (JWT) signed with EdDSA is used on CentOS 7, it results in a `VIOL_ACCESS_INVALID` error.
+
+### **Important Notes**
+
+- Starting with this release, the bot signatures list is generated automatically as a part of the **app-protect-bot-signatures** package, which is a dependency of the **app-protect-compiler** package. It resembles a format similar to the README-style text file found in the attack signature.
+Refer to the [Bot Signatures Update File]({{< ref "/waf/policies/bot-signatures.md" >}}) for more details.
+
+- Starting with the next release version of F5 NGINX App Protect WAF, the existing bot signatures file `included_bot_signatures` which is located at the following path: `/opt/app-protect/var/update_files/included_bot_signatures` will be removed from the **app-protect-compile** package.
+
+## F5 NGINX App Protect WAF 4.6
+
+October 17, 2023
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Crawler bot signature: CheckMarkNetwork, FileHound, ReverseEngineeringBot, University Of Edinburgh, Audisto, crawler eb germany, FAST Enterprise, AASA-Bot, Neticle, newslookup-bot, MYIP.MS, Boomtrain Content Bot, Ads Standards Bot, Seamless Link Tester, CMS detector bot, Aesop, BullsEye, Drip, EyeNetIE Scanner, IIS bot, OWLer, RetrevoPageAnalyzer, criteo-crawler, trafilatura
+- Added the following HTTP Library bot signatures: libtorrent, Apache-HttpAsyncClient, RobotsTxtParser-VIPnytt, OpenAI Python Library, OpenAPI Generator, ServiceNow Http Client, CarrierWave
+- Added the following Service Agent bot signatures: Symbolicator, admantx-sap, SISTRIX Optimizer, anomify.ai ssl_check, CyberPatrol SiteCat Webbot, DaniBot, SiteMonitor Enterprise, GumGum
+- Added the following Vulnerability Scanner bot signatures: interact.sh bot, AcuMonitor bot, interact.sh 2 bot
+- Added the following Exploit Tool bot signatures: feroxbuster, WebApp Attacker
+- Added the following Site Monitor bot signature: Allmystery, httpstatus
+- Added the following Web Downloader bot signatures: FlashGet
+- Updated the following Vulnerability Scanner bot signature: OpenVAS
+- Updated the following HTTP Library bot signature: DynatraceSynthetic
+
+### New Features
+
+- Ubuntu 22.04 Support
+- JSON Web Token Protection]({{< ref "/waf/policies/jwt-protection.md" >}})
+- [Custom Dimensions Log Entries]({{< ref "/waf/logging/custom-dimensions.md" >}})
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Alpine 3.16
+
+- app-protect-30.4.583.0-r1.apk
+
+##### Alpine 3.17
+
+- app-protect-30.4.583.0-r1.apk
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-30+4.583.0-1.el7.ngx.x86_64.rpm
+
+##### Debian 11
+
+- app-protect_30+4.583.0-1~bullseye_amd64.deb
+
+##### Oracle Linux 8.1+
+
+- app-protect-30+4.583.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-30+4.583.0-1.el8.ngx.x86_64.rpm
+
+##### Ubuntu 20.04
+
+- app-protect_30+4.583.0-1~focal_amd64.deb
+
+##### Ubuntu 22.04
+
+- app-protect_30+4.583.0-1~jammy_amd64.deb
+
+### Resolved Issues
+
+- 8264 Fixed - Implemented the capability to turn enforcer debug logs on/off without the need for a system reload to apply the changes.
+- 9060 Fixed - Default uri size is changed from 2k to 8k so that the user can send bigger uri without any configuration change. Now the user will be able to control the size by using policy configuration.
+- 9185 Fixed - Unparsable requests, rejected by NGINX are now flagged with `SECURITY_WAF_VIOLATION` instead of `SECURITY_WAF_VIOLATION_TRANSPARENT`.
+- 8339 Fixed - Attack signatures accuracy is now available for configuration in the security log.
+
+### **Important Notes**
+
+- Starting with this release, the `app_protect_compressed_requests_action` directive has been deprecated from the nginx configuration. Now by default the enforcer will decompress all the HTTP compressed payload request and will apply the enforcement.
+
+- The F5 NGINX App Protect WAF has been enhanced to include response signature checks within the "filetypes" section. You have an option to enable the signature verification in the response by setting the `responseCheck` parameter to true. By default, this parameter is set to false. See [Restrict Response Signatures]({{< ref "/waf/policies/response-signatures.md" >}}) for more details.
+
+## F5 NGINX App Protect WAF 4.5
+
+August 15, 2023
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Crawler bot signatures: SEOChecker, ev-crawler, FFZBot ImageGrabber, ConveraCrawler, EveryoneSocialBot, Google Ads Bot
+- Added the following HTTP Library bot signatures: Airbnb calendar importer
+- Added the following Exploit Tool bot signatures: ThinkPHP Malicious Bot, KPLR-requests
+- Added the following Service Agent bot signatures: Pleroma, ChatGPT-User, Netflix Media Player, KickFire Extension
+- Added the following Social Media Agent bot signatures: Misskey Agent, Lemmy Agent
+- Added the following Site Monitor bot signatures: StatusCake Monitor
+- Added the following Web Downloader bot signatures: Transmission Bot
+
+### New Feature
+
+In this release, F5 NGINX App Protect WAF supports NGINX Plus R30.
+
+- Alpine 3.17 Support
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Alpine 3.16
+
+- app-protect-30.4.457.0-r1.apk
+
+##### Alpine 3.17
+
+- app-protect-30.4.457.0-r1.apk
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-30+4.457.0-1.el7.ngx.x86_64.rpm
+
+##### Debian 11
+
+- app-protect_30+4.457.0-1~bullseye_amd64.deb
+
+##### Oracle Linux 8.1+
+
+- app-protect-30+4.457.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-30+4.457.0-1.el8.ngx.x86_64.rpm
+
+##### Ubuntu 20.04
+
+- app-protect_30+4.457.0-1~focal_amd64.deb
+
+#### NGINX Plus
+
+- NGINX Plus R30
+
+### Resolved Issues
+
+- 8976 Fixed - When using multiple arcsight remote loggers for F5 NGINX App Protect WAF policy, some requests may cause enforcer to crash.
+- 8312 Fixed - Running the get-signatures utility writes output to a different location.
+- 8936 Fixed - To reduce potential false positives, user defined Headers and Cookies that do not specify whether their decodeValueAsBase64 value, are now `disabled` instead of `enabled` by default.
+- 8939 Fixed - The issue with rejected gRPC request support id logged as "Passed" has been fixed.
+- 8821 Fixed - The Override Rules now support gRPC traffic. The previous limitation regarding the use of [Override Rules]({{< ref "/waf/policies/override-rules.md" >}}) with gRPC traffic has been resolved.
+- 9061 Fixed - Evasions configuration does not work in an Override Rule policy.
+
+### **Important Note**
+
+- Starting with this release, Ubuntu 18.04 support has been deprecated.
+
+## F5 NGINX App Protect WAF 4.4
+
+July 5, 2023
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Crawler bot signatures: IAS Crawler, Bing Crawler, DIS Group Crawler, WebBot Scrapper, AddSearch Bot, WPWS bot, iSec_Bot, Newstral Crawler, layoftheland.online Crawler, Quantcastbot, Spiceworks Crawlers, CYRATING Crawler, Jooblebot, YouBot, MetaJobBot, ScooperBot, WebwikiBot, JusProg - Domain Crawler, TinEye-Web, PEER39 Crawler, AMPPARIT Crawler, RuxitSynthetic
+- Added the following HTTP Library bot signatures: Atoka Logo Fetcher, Zend Http Client Class, Home Assistant API, Probe Image Size, Webpage.rs, Okta Open ID Connect Library, MetadataScraper, node-openid-client, Embed PHP Library, PHP-SOAP
+- Added the following Service Agent bot signatures: OpenSearch Service, Plesk screenshot bot, EasyBib+AutoCite
+- Added the following Site Monitor bot signatures: Nx Witness Monitor, Newslitbot, Mattermost Bot
+- Added the following RSS Reader bot signatures: RSStT, w1NewsBot-RSS, RSS Guard, FeedViewer
+- Added the following Spam Bot bot signatures: Ixquick.com
+- Added the following Search Bot bot signatures: Xpanse Search Bot
+
+### New Feature
+
+- [Override Rules]({{< ref "/waf/policies/override-rules.md" >}})
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Debian 11
+
+- app-protect_29+4.402.0-1~bullseye_amd64.deb
+
+##### Ubuntu 18.04
+
+- app-protect_29+4.402.0-1~bionic_amd64.deb
+
+##### Ubuntu 20.04
+
+- app-protect_29+4.402.0-1~focal_amd64.deb
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-29+4.402.0-1.el7.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-29+4.402.0-1.el8.ngx.x86_64.rpm
+
+##### Alpine 3.16
+
+- app-protect-29.4.402.0-r1.apk
+
+##### Oracle Linux 8.1+
+
+- app-protect-29+4.402.0-1.el8.ngx.x86_64.rpm
+
+### Resolved Issues
+
+- 8302 Fixed - Remote logging destinations when IPv6 is disabled system-wide.
+- 7819 Fixed - The login issue encountered on the iOS client when using the AJAX Response Page has been resolved. This problem specifically occurs on iOS devices when NGINX's `proxy_buffering` is disabled.
+- 8261 Fixed - Binaries have been upgraded with module and version updates to address and resolve identified vulnerabilities.
+- 8477 Fixed - TCP connections in the CLOSE_WAIT state for specific types of requests.
+
+### **Important Notes**
+
+- There is a limitation when using [Override Rules]({{< ref "/waf/policies/override-rules.md" >}}) with gRPC. The Override Rules do not provide support for gRPC traffic. If the Override Rules are configured to match gRPC traffic, it will result in the blocking of such traffic.
+
+- Starting with the upcoming release version of NGINX Plus R30, Ubuntu 18.04 will no longer be supported and will be deprecated.
+
+## F5 NGINX App Protect WAF 4.3
+
+May 2, 2023
+
+In this release, F5 NGINX App Protect WAF supports NGINX Plus R29.
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Crawler bot signatures: YOURLS Crawler, Atomseo broken link checker, proxylist.to Checker, Aspiegel Crawler, digitalshadowsbot, idealo-bot pricevalidator
+- Added the following Exploit Tool bot signatures: BackDoorBot
+- Added the following Site Monitor bot signatures: RWTH Aachen University Scanner
+- Added the following Service Agent bot signatures: AirPlay Server Info, WP Rocket Preload
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Debian 11
+
+- app-protect_29+4.279.0-1~bullseye_amd64.deb
+
+##### Ubuntu 18.04
+
+- app-protect_29+4.279.0-1~bionic_amd64.deb
+
+##### Ubuntu 20.04
+
+- app-protect_29+4.279.0-1~focal_amd64.deb
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-29+4.279.0-1.el7.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-29+4.279.0-1.el8.ngx.x86_64.rpm
+
+##### Alpine 3.16
+
+- app-protect-29.4.279.0-r1.apk
+
+##### Oracle Linux 8.1+
+
+- app-protect-29+4.279.0-1.el8.ngx.x86_64.rpm
+
+#### NGINX Plus
+
+- NGINX Plus R29
+
+### Resolved Issues
+
+- 7987 Fixed - Fixed Violation Rating calculation for trusted bots, untrusted bots and malicious bots.
+- 8010 Fixed - Handling of response headers.
+
+### **Important Note**
+
+This release introduces a change in the `json_log` field output for Violation details. Starting with F5 NGINX App Protect WAF release 4.3, the Security Log's `json_log` field will include all available information regarding Violation details in JSON format. Refer to the [Security Log]({{< ref "/waf/logging/security-logs.md" >}}) document for more details.
+
+## F5 NGINX App Protect WAF 4.2
+
+March 29, 2023
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Site Monitor bot signatures: 404enemy, Munin Monitor
+- Added the following Spam Bot bot signatures: 01h4x, AIBOT
+- Added the following Service Agent bot signatures: 404checker, Adyen, Autohost Threat Intel API, Paystack, Pixalate, PureRef, TwilioProxy, SpamExperts
+- Added the following Crawler bot signatures: FullStoryBot, GeedoBot, infoobot, IonCrawl, MuscatFerret Crawler, NETVIBES Crawler, SeobilityBot, SMTBot, Summify, WEDOS Crawler, Yahoo Ad monitoring
+- Added the following RSS Reader bot signatures: Feed Wrangler, flusio, Page2RSS, Unread RSS Reader
+- Added the following Vulnerability Scanner bot signature: Node.js, zerodium Tester
+- Added the following DoS Tool bot signature: Siege DoS Tool
+- Added the following Exploit Tool bot signature: Criptonize Mirai Installer
+
+### New Features
+
+- [GraphQL Protection]({{< ref "/waf/policies/graphql-protection.md" >}})
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Debian 11
+
+- app-protect_28+4.218.0-1~bullseye_amd64.deb
+
+##### Ubuntu 18.04
+
+- app-protect_28+4.218.0-1~bionic_amd64.deb
+
+##### Ubuntu 20.04
+
+- app-protect_28+4.218.0-1~focal_amd64.deb
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-28+4.218.0-1.el7.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-28+4.218.0-1.el8.ngx.x86_64.rpm
+
+##### Alpine 3.16
+
+- app-protect-28.4.218.0-r1.apk
+
+##### Oracle Linux 8.1+
+
+- app-protect-28+4.218.0-1.el8.ngx.x86_64.rpm
+
+### Resolved Issues
+
+- 7411 Fixed - The Protocol Buffers library has been updated to enable the usage of keywords that were previously unsupported in gRPC IDL files.
+- 7986 Fixed - When converting a policy from BIG-IP, collections with wildcardOrder, such as "urls", may result with the default "*" element being in the wrong order relative to the other wildcard entries. This lead to unexpected and incorrect policy enforcement.
+convert-policy now writes these elements in the correct order. Importing a policy with an unexpected order also works as expected.
+- 7939 Fixed - Requests blocked due to `VIOL_ATTACK_SIGNATURE` although all signatures disabled.
+- 7199 Fixed - Alignment of notification and availability of NGINX F5 NGINX App Protect WAF Signature updates.
+
+### **Important Note**
+
+- This release introduces a change in the package dependencies for F5 NGINX App Protect WAF. Customers who work in a SELinux-enforced environment should now explicitly list `app-protect-selinux` package when performing F5 NGINX App Protect WAF clean install and upgrade.
+- F5 NGINX App Protect WAF’s SELinux module is now an optional package (meaning - **not included in default installation**). In order to install `app-protect` with `app-protect-selinux` package, use the following command:
+
+```shell
+yum install app-protect app-protect-selinux
+```
+
+## F5 NGINX App Protect WAF 4.2
+
+January 31, 2023
+
+This release includes new signatures for Anti Automation (bot defense):
+
+- Added the following Site Monitor bot signatures: OhDear, Cloudflare Monitor, Google Uptime Monitor, NIXStatsbot
+- Added the following Service Agent bot signatures: semanticbot, Datafeedwatch, W3C_Unicorn
+- Added the following Crawler bot signatures: SearchAtlas, Baidu-YunGuanCe-Bot, Capsulink Crawler, arocom Crawler, sovrn Crawler, TangibleeBot Crawler, Curebot Crawler, DnyzBot Crawler, bitbot Crawler, Botify Crawler, myUsage Cralwer, RepoLookoutBot, Grafana Crawler
+
+### New Features
+
+- Alpine 3.16 Support
+- [Apreload - F5 NGINX App Protect WAF Standalone Configuration]({{< ref "/waf/configure/apreload.md" >}})
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Debian 11
+
+- app-protect_28+4.100.1-1~bullseye_amd64.deb
+
+##### Ubuntu 18.04
+
+- app-protect_28+4.100.1-1~bionic_amd64.deb
+
+##### Ubuntu 20.04
+
+- app-protect_28+4.100.1-1~focal_amd64.deb
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-28+4.100.1-1.el7.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-28+4.100.1-1.el8.ngx.x86_64.rpm
+
+##### Alpine 3.16
+
+- app-protect-28.4.100.0-r1.apk
+
+##### Oracle Linux 8.1+
+
+- app-protect-28+4.100.1-1.el8.ngx.x86_64.rpm
+
+### Resolved Issues
+
+- 7298 Fixed - decodeValueAsBase64 feature is now disabled and the default value for `decodeValueAsBase64` is set to `disabled` to avoid high chance of false positive violations.
+- 7238 Fixed - Hyphen metacharacter is now allowed by default in JSON and XML Profiles.
\ No newline at end of file
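Review bot: the archive has two sections headed "## F5 NGINX App Protect WAF 4.2" (March 29, 2023 and January 31, 2023); the January section lists 4.100.x packages, so its heading probably needs a different version number, and the duplicate heading will also produce colliding anchors in the generated table of contents. Other items in this new file: under 4.6 New Features, "- JSON Web Token Protection]({{< ref ... >}})" is missing its opening "[" and will render as broken markup; the 4.7 notes name the package both "app-protect-compiler" and "app-protect-compile"; the 4.2 resolved issue 7199 reads "NGINX F5 NGINX App Protect WAF"; "myUsage Cralwer" is misspelled; and the file ends without a trailing newline.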
diff --git a/content/waf/changelog/2024.md b/content/waf/changelog/2024.md
index 4296f32e5..61e948a4e 100644
--- a/content/waf/changelog/2024.md
+++ b/content/waf/changelog/2024.md
@@ -8,21 +8,21 @@ toc: true
nd-content-type: reference
# Intended for internal catalogue and search, case sensitive:
# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
-nd-product: NAP-WAF
+nd-product: F5WAFN
---
This page is an archive of changelog entries for 2024.
For the current year, view [the top-level changelog]({{< ref "/waf/changelog/">}}) topic.
-## F5 WAF for NGINX 5.4 / 4.12
+## F5 NGINX App Protect WAF 5.4 / 4.12
Released _November 19th, 2024_.
### New features
- Added support for Amazon Linux 2023
-- NGINX App Protect WAF now supports NGINX Plus R33.
+- F5 NGINX App Protect WAF now supports NGINX Plus R33.
- **5.4 Only:** Added support for [readOnlyFileSystem in Kubernetes deployments]({{< ref "/waf/configure/kubernetes-read-only/" >}})
- **5.4 Only:** Added a [a policy converter to the compiler]({{< ref "/waf/configure/converters.md#policy-converter">}})
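Review bot: "nd-product" changes to "F5WAFN", but the comment directly above it still lists the allowed values as "Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, ..." and does not include the new one. The same comment line is deleted in changelog/_index.md in this change, so either remove it here too or update the list. Separately, the headings in this file are renamed from "F5 WAF for NGINX" to "F5 NGINX App Protect WAF" while _index.md keeps "F5 WAF for NGINX" for 5.10; if the older name is intentional for historical releases, a one-line note at the top of the archive would explain the switch to readers.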
@@ -39,7 +39,7 @@ Please read the [subscription licenses]({{< ref "/solutions/about-subscription-l
### Known issues
-On Ubuntu 24.04, you may receive the following error when uninstalling an old version of NGINX App Protect and installing a newer version:
+On Ubuntu 24.04, you may receive the following error when uninstalling an old version of F5 NGINX App Protect WAF and installing a newer version:
```text
APP_PROTECT failed to open /opt/app_protect/config/config_set.json
@@ -74,14 +74,14 @@ sudo service nginx restart
{{< /table >}}
-## F5 WAF for NGINX 5.3 / 4.11
+## F5 NGINX App Protect WAF 5.3 / 4.11
Released _September 25, 2024_.
### New features
- Ubuntu 24.04 support
-- **5.3 Only:** [Secure Traffic Between NGINX and App Protect Enforcer]({{< ref "/waf/configure/secure-mtls.md" >}})
+- **5.3 Only:** [Secure traffic using mTLS]({{< ref "/waf/configure/secure-mtls.md" >}})
### Important notes
@@ -114,7 +114,7 @@ Released _September 25, 2024_.
{{< /table >}}
-## F5 WAF for NGINX 5.2 / 4.10
+## F5 NGINX App Protect WAF 5.2 / 4.10
Released _May 29, 2024_.
@@ -147,7 +147,7 @@ Released _May 29, 2024_.
{{< /table >}}
-## F5 WAF for NGINX 5.1 / 4.9
+## F5 NGINX App Protect WAF 5.1 / 4.9
Released _April 18, 2024_.
@@ -186,7 +186,7 @@ Released _April 18, 2024_.
{{< /table >}}
-## F5 WAF for NGINX 5.0 / 4.8.1
+## F5 NGINX App Protect WAF 5.0 / 4.8.1
Released _March 19, 2024_.
@@ -212,4 +212,68 @@ Released _March 19, 2024_.
| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.25.4+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el8.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el8.ngx.x86_64.rpm_ |
| RHEL 9 | _app-protect-module-oss-1.25.4+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-31+4.815.0-1.el9.ngx.x86_64.rpm_ | _app-protect-31+4.815.0-1.el9.ngx.x86_64.rpm_ |
-{{< /table >}}
\ No newline at end of file
+{{< /table >}}
+
+## F5 NGINX App Protect WAF 4.8
+
+Released _February 6, 2024_.
+
+### New Features
+
+- Debian 12 Support
+- [Actionable Rules in Override Rules Policy]({{< ref "/waf/policies/override-rules.md" >}})
+- [Geolocation Enforcement]({{< ref "/waf/policies/geolocation.md" >}})
+- [Partial Masking of Data using Data Guard]({{< ref "/waf/policies/data-guard.md" >}})
+
+### Supported Packages
+
+#### F5 NGINX App Protect WAF
+
+##### Alpine 3.16
+
+- app-protect-31.4.762.0-r1.apk
+
+##### Alpine 3.17
+
+- app-protect-31.4.762.0-r1.apk
+
+##### CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
+
+- app-protect-31+4.762.0-1.el7.ngx.x86_64.rpm
+
+##### Debian 11
+
+- app-protect_31+4.762.0-1~bullseye_amd64.deb
+
+##### Debian 12
+
+- app-protect_31+4.762.0-1~bookworm_amd64.deb
+
+##### Oracle Linux 8.1+
+
+- app-protect-31+4.762.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 8.1+
+
+- app-protect-31+4.762.0-1.el8.ngx.x86_64.rpm
+
+##### RHEL 9+
+
+- app-protect-31+4.762.0-1.el9.ngx.x86_64.rpm
+
+##### Ubuntu 20.04
+
+- app-protect_31+4.762.0-1~focal_amd64.deb
+
+##### Ubuntu 22.04
+
+- app-protect_31+4.762.0-1~jammy_amd64.deb
+
+### Resolved Issues
+
+- 10063 Fixed - In some cases request could hang in when urlContentProfiles type set to "do-nothing".
+- 10156 Fixed - Chunked requests connection is stuck in CLOSE_WAIT state.
+
+### **Important Note**
+
+- Actionable Rules and Geolocation are now supported in [Policy Override Rules]({{< ref "/waf/policies/override-rules.md" >}}).
\ No newline at end of file
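Review bot: in the added 4.8 section, resolved issue 10063 reads "In some cases request could hang in when urlContentProfiles type set to "do-nothing"", which has a stray "in" and is missing "is"; suggest "In some cases a request could hang when the urlContentProfiles type is set to "do-nothing"". The hunk fixes the missing newline after "{{< /table >}}" but the file still ends without one after the new last line. The 4.8 section also uses the older per-distribution heading layout, while the rest of 2024.md uses package tables; worth deciding whether that inconsistency is acceptable for an archive.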
diff --git a/content/waf/changelog/_index.md b/content/waf/changelog/_index.md
index c169cf58b..012e1d350 100644
--- a/content/waf/changelog/_index.md
+++ b/content/waf/changelog/_index.md
@@ -9,13 +9,50 @@ nd-landing-page: true
# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
nd-content-type: reference
# Intended for internal catalogue and search, case sensitive:
-# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
-nd-product: NAP-WAF
+nd-product: F5WAFN
---
This changelog lists all of the information for F5 WAF for NGINX releases in 2025.
-For older releases, check the changelogs for previous years: [2024]({{< ref "/waf/changelog/2024.md" >}}).
+For older releases, check the changelogs for previous years: [2024]({{< ref "/waf/changelog/2024.md" >}}), [2023]({{< ref "/waf/changelog/2023.md" >}}).
+
+## F5 WAF for NGINX 5.10
+
+Released _December 1st, 2025_.
+
+### New features
+
+- Added support for NGINX Plus R36
+- Added support for Alpine 3.22
+
+### Important notes
+
+- Alpine 3.19 is no longer supported
+- Upgrade Go compiler to 1.24.10
+
+### Resolved issues
+
+- 13117 - Severity Field should contain a value based on the violation highest severity
+- 13138 - Ability to bypass request when there is a 444 scenario
+- 13130 - add --all-policy-signatures option to include all policy signatures in the conversion output
+
+### Packages
+
+{{< table >}}
+
+| Distribution name | NGINX Open Source (5.10) | NGINX Plus (5.10) | NGINX Plus (5.10) |
+| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |----------------------------------------------------|
+| Alpine 3.22 | _app-protect-module-oss-1.29.3+5.550.0-r1.apk_ | _app-protect-module-plus-36+5.550.0-r1.apk_ | _app-protect-36.5.550.0-r1.apk_ |
+| Amazon Linux 2023 | _app-protect-module-oss-1.29.3+5.550.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-36+5.550.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-36+5.550.0-1.amzn2023.ngx.x86_64.rpm_ |
+| Debian 11 | _app-protect-module-oss_1.29.3+5.550.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_36+5.550.0--1\~bullseye_amd64.deb_ | _app-protect_36+5.550.0-1\~bullseye_amd64.deb_ |
+| Debian 12 | _app-protect-module-oss_1.29.3+5.550.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_36+5.550.0--1\~bookworm_amd64.deb_ | _app-protect_36+5.550.0-1\~bookworm_amd64.deb_ |
+| Oracle Linux 8.1 | _app-protect-module-oss-1.29.3+5.550.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-36+5.550.0-1.el8.ngx.x86_64.rpm_ | _app-protect-36+5.550.0-1.el8.ngx.x86_64.rpm_ |
+| Ubuntu 22.04 | _app-protect-module-oss_1.29.3+5.550.0-1\~jammy_amd64.deb_ | _app-protect-module-plus_36+5.550.0--1\~jammy_amd64.deb_ | _app-protect_36+5.550.0-1\~jammy_amd64.deb_ |
+| Ubuntu 24.04 | _app-protect-module-oss_1.29.3+5.550.0-1\~noble_amd64.deb_ | _app-protect-module-plus_36+5.550.0--1\~noble_amd64.deb_ | _app-protect_36+5.550.0-1\~noble_amd64.deb_ |
+| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.29.3+5.550.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-36+5.550.0-1.el8.ngx.x86_64.rpm_ | _app-protect-36+5.550.0-1.el8.ngx.x86_64.rpm_ |
+| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.29.3+5.550.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-36+5.550.0-1.el9.ngx.x86_64.rpm_ | _app-protect-36+5.550.0-1.el9.ngx.x86_64.rpm_ |
+
+{{< /table >}}
## F5 WAF for NGINX 5.9
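Review bot: In the 5.10 Packages table, the NGINX Plus module column has a doubled hyphen in all four .deb names (Debian 11, Debian 12, Ubuntu 22.04, Ubuntu 24.04), for example `app-protect-module-plus_36+5.550.0--1\~bullseye_amd64.deb`, while the other two columns in the same rows and the 5.9 table use a single `-1`. Anyone copying these names to pin or verify a package gets a name that may not match the artifact; please check against the published packages and correct to `-1` if that is what shipped. The 13130 entry under Resolved issues describes a new option rather than a fix and may belong under New features.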
@@ -27,7 +64,7 @@ Released _September 29th, 2025_.
### Important notes
-- Renamed NGINX App Protect WAF to F5 WAF for NGINX
+- Renamed F5 NGINX App Protect WAF to F5 WAF for NGINX
- Aligned F5 WAF for NGINX versions
- Package and container artifacts now share the same version numbers
- Upgrade processes remain the same as earlier releases
@@ -57,9 +94,9 @@ Released _September 29th, 2025_.
{{< table >}}
-| Distribution name | NGINX Open Source | NGINX Plus | NGINX Plus (Virtual/Single container) |
-| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |------------------ |
-| Alpine 3.19 | _app-protect-module-oss-1.29.0+5.527.0-r1.apk_ | _app-protect-module-plus-35+5.527.0-r1.apk_ | _app-protect-35.5.527.0-r1.apk_ |
+| Distribution name | NGINX Open Source (5.9) | NGINX Plus (5.9) | NGINX Plus (5.9) |
+| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |------------------ |
+| Alpine 3.19 | _app-protect-module-oss-1.29.0+5.527.0-r1.apk_ | _app-protect-module-plus-35+5.527.0-r1.apk_ | _app-protect-35.5.527.0-r1.apk_ |
| Amazon Linux 2023 | _app-protect-module-oss-1.29.0+5.527.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-35+5.527.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-35+5.527.0-1.amzn2023.ngx.x86_64.rpm_ |
| Debian 11 | _app-protect-module-oss_1.29.0+5.527.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_35+5.527.0-1\~bullseye_amd64.deb_ | _app-protect_35+5.527.0-1\~bullseye_amd64.deb_ |
| Debian 12 | _app-protect-module-oss_1.29.0+5.527.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_35+5.527.0-1\~bookworm_amd64.deb_ | _app-protect_35+5.527.0-1\~bookworm_amd64.deb_ |
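Review bot: The header change on the 5.9 table replaces "NGINX Plus (Virtual/Single container)" with a second "NGINX Plus (5.9)", so the third and fourth columns now carry identical headers and nothing tells the reader how the `app-protect-module-plus` column differs from the `app-protect` column. Keep the qualifier in the fourth header (for example "NGINX Plus (5.9, Virtual/Single container)"); the 5.10 table added earlier in this file has the same duplicated header.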
@@ -71,7 +108,7 @@ Released _September 29th, 2025_.
{{< /table >}}
-## NGINX App Protect WAF 5.8 / 4.16
+## F5 NGINX App Protect WAF 5.8 / 4.16
Released _August 13th, 2025_.
@@ -83,9 +120,9 @@ Released _August 13th, 2025_.
{{< table >}}
-| Distribution name | NGINX Open Source (5.8) | NGINX Plus (5.8) | NGINX Plus (4.16) |
-| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |------------------ |
-| Alpine 3.19 | _app-protect-module-oss-1.29.0+5.498.0-r1.apk_ | _app-protect-module-plus-35+5.498.0-r1.apk_ | _app-protect-35.5.498.0-r1.apk_ |
+| Distribution name | NGINX Open Source (5.8) | NGINX Plus (5.8) | NGINX Plus (4.16) |
+| ------------------------ | ----------------------------------------------------------------- | -------------------------------------------------------------- |------------------ |
+| Alpine 3.19 | _app-protect-module-oss-1.29.0+5.498.0-r1.apk_ | _app-protect-module-plus-35+5.498.0-r1.apk_ | _app-protect-35.5.498.0-r1.apk_ |
| Amazon Linux 2023 | _app-protect-module-oss-1.29.0+5.498.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-module-plus-35+5.498.0-1.amzn2023.ngx.x86_64.rpm_ | _app-protect-35+5.498.0-1.amzn2023.ngx.x86_64.rpm_ |
| Debian 11 | _app-protect-module-oss_1.29.0+5.498.0-1\~bullseye_amd64.deb_ | _app-protect-module-plus_35+5.498.0-1\~bullseye_amd64.deb_ | _app-protect_35+5.498.0-1\~bullseye_amd64.deb_ |
| Debian 12 | _app-protect-module-oss_1.29.0+5.498.0-1\~bookworm_amd64.deb_ | _app-protect-module-plus_35+5.498.0-1\~bookworm_amd64.deb_ | _app-protect_35+5.498.0-1\~bookworm_amd64.deb_ |
@@ -97,7 +134,7 @@ Released _August 13th, 2025_.
{{< /table >}}
-## NGINX App Protect WAF 5.7 / 4.15
+## F5 NGINX App Protect WAF 5.7 / 4.15
Released _June 24th, 2025_.
@@ -136,10 +173,11 @@ Released _June 24th, 2025_.
| Ubuntu 24.04 | _app-protect-module-oss_1.27.4+5.442.0-1\~noble_amd64.deb_ | _app-protect-module-plus_34+5.442.0-1\~noble_amd64.deb_ | _app-protect_34+5.442.0-1\~noble_amd64.deb_ |
| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el8.ngx.x86_64.rpm_ |
| RHEL 9 and Rocky Linux 9 | _app-protect-module-oss-1.27.4+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.442.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.442.0-1.el9.ngx.x86_64.rpm_ |
+ |
{{< /table >}}
-## NGINX App Protect WAF 5.6 / 4.14
+## F5 NGINX App Protect WAF 5.6 / 4.14
Released _April 1st, 2025_.
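Review bot: The added line `|` after the "RHEL 9 and Rocky Linux 9" row is a lone pipe with no cells; it looks like an editing leftover and is likely to render as a stray or malformed row at the end of the 5.7 / 4.15 table. Drop it so the last package row is followed directly by `{{< /table >}}`.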
@@ -179,7 +217,7 @@ Released _April 1st, 2025_.
{{< /table >}}
-## NGINX App Protect WAF 5.5 / 4.13
+## F5 NGINX App Protect WAF 5.5 / 4.13
Released _January 30th, 2025_.
@@ -208,4 +246,4 @@ Released _January 30th, 2025_.
| RHEL 8 and Rocky Linux 8 | _app-protect-module-oss-1.27.4+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el8.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el8.ngx.x86_64.rpm_ |
| RHEL 9 | _app-protect-module-oss-1.27.4+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-module-plus-34+5.210.0-1.el9.ngx.x86_64.rpm_ | _app-protect-34+5.210.0-1.el9.ngx.x86_64.rpm_ |
-{{< /table >}}
\ No newline at end of file
+{{< /table >}}
diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md
index 7b6000add..2b180499a 100644
--- a/content/waf/configure/converters.md
+++ b/content/waf/configure/converters.md
@@ -22,22 +22,33 @@ These tools are available in the [compiler image]({{< ref "/waf/configure/compil
## Policy converter
-The F5 WAF for NGINX policy converter tool is used to convert policies from XML to JSON format.
+The F5 WAF for NGINX policy converter tool is used to convert BIG-IP ASM and Advanced WAF policies into F5 WAF for NGINX policy format. The tool is located at /opt/app_protect/bin/convert-policy. By default, the output is JSON based on the NAP-WAF base policy defaults and includes only the minimal differences from those defaults.
-It is a script located on on the path `/opt/app_protect/bin/convert-policy`.
+It also converts older versions of NAP policies into their current version representation (where needed).
-The converted policy is based on the F5 WAF for NGINX [base template]({{< ref "/waf/policies/configuration.md#base-template" >}}) and contains the minimal differences required for the JSON policy format.
+Unsupported or irrelevant elements for the F5 WAF for NGINX environment generate warnings and are removed by default. If you need a fuller export for auditing or troubleshooting, you can retain more content with the options below.
-You can obtain the XML policy file by exporting it from the BIG-IP system on which the policy is currently deployed.
+We recommend converting with the version of the policy converter that matches the F5 WAF for NGINX version you are running. This ensures any newly supported configuration items are properly included.
+
+Required arguments
+| Argument | Alias | Description | Environment Variable | Notes |
+| ----------- | ----------- | ----------- | ----------- | ----------- |
+| --outfile | o | File name for where to write the exported policy. | EXPORT_FILE |
+| --infile | i | ASM/Advanced WAF security policy file to convert. | IMPORT_FILE |
-| Option | Description |
-| ---------| ----------- |
-| _-i_ | Filename of input WAF or ASM binary policy |
-| _-o_ | Filename of output declarative policy |
-| _--bot-profile_ | Filename of JSON Bot Profile (pre-converted to JSON from tmsh syntax) |
-| _--logging-profile_ | Filename of JSON Logging Profile (pre-converted to JSON from tmsh syntax) |
-| _--dos-profile_ | Filename of JSON DoS Profile (pre-converted to JSON from tmsh syntax) |
-| _--full-export_ | If specified, the full policy with all entities will be exported. Otherwise, only entities that differ from the template will be included.
Default for the CLI is not specific (only differing entities).
Default for the REST endpoint above is "--full-export" (you can not override this).|
+Optional arguments
+| Argument | Alias | Description | Environment Variable | Notes |
+| ----------- | ----------- | ----------- | ----------- | ----------- |
+| --format | f | Desired output format. | | Default: json; supported formats: json. |
+| --keep-full-configuration | | Retain the full configuration, including elements that may be invalid for this environment. || By default, only differences from the base template are exported; warnings for unsupported elements may be omitted when this is enabled. |
+| --full-export | | Include all policy entities, even if identical to the base template. | | By default, only differences from the base template are exported; warnings for unsupported elements may be omitted when this is enabled. |
+| --all-fields | | Include fields that would otherwise be ineffectual due to other settings, along with their default values. || Relevant only for JSON output. |
+| --include-all-signatures | | Include all signatures enforced by the policy’s signature sets. || By default, only modified (disabled) signatures are listed; relevant only for JSON output. |
+
+--infile is optional if you provide only --bot-profile or --dos-profile (those can be the sole input).
+
+### Convert an ASM/Advanced WAF XML policy to JSON (default behavior: differences only):
+You can obtain the XML policy file by exporting it from the BIG-IP system on which the policy is currently deployed.
To convert a policy, first create a temporary folder and copy your XML file to it:
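Review bot: The new argument tables no longer list `--bot-profile`, `--logging-profile` or `--dos-profile`, yet the sentence added below them says `--infile` is optional when only `--bot-profile` or `--dos-profile` is given, which also contradicts listing `--infile` under "Required arguments". Either restore rows for those options or say where they are documented, and mark `--infile` as conditionally required. Smaller points in the same hunk: the two required-argument rows have four cells against a five-column header, the aliases are given as `o` and `i` without the leading dash, the path `/opt/app_protect/bin/convert-policy` lost its code formatting, and "NAP-WAF" and "NAP policies" reintroduce the product name this patch renames elsewhere.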
@@ -54,14 +65,15 @@ Replace `waf-compiler-\:custom` with your compiler image.
{{< /call-out >}}
-```docker
+```shell
docker run -it --rm \
-v $(pwd):/tmp/convert \
--entrypoint="/opt/app_protect/bin/convert-policy" \
- waf-compiler-:custom -i test.json -o test.xml
+ waf-compiler-:custom
-i /tmp/convert/policy.xml \
-o /tmp/convert/policy.json \
- --full-export
+ --full-export \
+ | jq
```
```json
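Review bot: The added line `waf-compiler-:custom` has no trailing backslash, so the shell ends the `docker run` command there and treats `-i /tmp/convert/policy.xml \` and the lines after it as a separate command; the examples added later in this file keep the backslash (`waf-compiler-:custom \`). This example also sits under the heading "default behavior: differences only" but still passes `--full-export`, so either drop the flag here or reword the heading.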
@@ -138,6 +150,39 @@ total 848
-rw-r--r-- 1 root root 841818 Dec 20 11:10 policy.xml # Original XML policy file
```
+### Export full policy
+```shell
+docker run -it --rm \
+ -v "$(pwd)":/tmp/convert \
+ --entrypoint="/opt/app_protect/bin/convert-policy" \
+ waf-compiler-:custom \
+ -i /tmp/convert/policy.xml \
+ -o /tmp/convert/policy.json \
+ --full-export
+```
+
+### Keep full configuration (retain elements that may be invalid or irrelevant):
+```shell
+docker run -it --rm \
+ -v "$(pwd)":/tmp/convert \
+ --entrypoint="/opt/app_protect/bin/convert-policy" \
+ waf-compiler-:custom \
+ -i /tmp/convert/policy.xml \
+ -o /tmp/convert/policy.json \
+ --keep-full-configuration
+```
+
+### Include all enforced signatures
+```shell
+docker run -it --rm \
+ -v "$(pwd)":/tmp/convert \
+ --entrypoint="/opt/app_protect/bin/convert-policy" \
+ waf-compiler-:custom \
+ -i /tmp/convert/policy.xml \
+ -o /tmp/convert/policy.json \
+ --include-all-signatures
+```
+
## User Defined Signatures converter
The User Defined Signatures converter tool is used to convert a User Defined Signatures file from XML to JSON format.
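Review bot: The last example passes `--include-all-signatures`, but the 5.10 changelog entry added in this same patch names the option `--all-policy-signatures` ("13130 - add --all-policy-signatures option to include all policy signatures in the conversion output"); confirm which spelling the tool accepts and use it in both places. The "Export full policy" example repeats the `--full-export` command already shown in the first example, and only the second of the three new headings ends in a colon.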
@@ -183,7 +228,14 @@ Replace `waf-compiler-\:custom` with your compiler image.
{{< /call-out >}}
```shell
-docker run -v `pwd`:`pwd` -w `pwd` --entrypoint /opt/app_protect/bin/convert-signatures waf-compiler-:custom -i /path/to/signatures.xml -o /path/to/signatures.json | jq
+docker run \
+ -v "$(pwd):$(pwd)" \
+ -w "$(pwd)" \
+ --entrypoint /opt/app_protect/bin/convert-signatures \
+ waf-compiler-:custom \
+ -i /path/to/signatures.xml \
+ -o /path/to/signatures.json \
+| jq
```
```json
@@ -312,7 +364,14 @@ The [jq](https://jqlang.github.io/jq/) command was used to format the example ou
This is an example of how to convert a single XML file (With a custom tag):
```shell
-docker run -v `pwd`:`pwd` -w `pwd` --entrypoint /opt/app_protect/bin/convert-signatures waf-compiler-:custom -i /path/to/signatures.xml -o /path/to/signatures.json --tag "MyTag"
+docker run \
+ -v "$(pwd):$(pwd)" \
+ -w "$(pwd)" \
+ --entrypoint /opt/app_protect/bin/convert-signatures \
+ waf-compiler-:custom \
+ -i /path/to/signatures.xml \
+ -o /path/to/signatures.json \
+ --tag "MyTag"
```
## Attack Signature Report tool
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 23b33a941..60e763138 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -4,7 +4,7 @@ title: "Configure NGINX features with F5 WAF"
# Weights are assigned in increments of 100: determines sorting order
weight: 100
# Creates a table of contents and sidebar, useful for large documents
-toc: false
+toc: true
# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
nd-content-type: reference
# Intended for internal catalogue and search, case sensitive:
@@ -16,12 +16,122 @@ This document shows example of how to modify your NGINX configuration to enable
It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured.
-F5 WAF for NGINX will secure and inspect client-facing requests, but will not inspect internal subrequests triggered by modules.
-
-Modules requiring the _Range_ header (Such as _Slice_) are also unsupported in a scope which enables F5 WAF for NGINX. The examples below work around the contraints of these modules.
+Modules requiring the _Range_ header (Such as _Slice_) are unsupported in a scope which enables F5 WAF for NGINX. The examples below work around the contraints of these modules.
For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}).
+## Internal subrequests
+
+F5 WAF for NGINX will secure and inspect direct client-facing requests, but will not inspect internal subrequests triggered by modules.
+
+This applies to:
+
+* Client authorization (auth_request)
+* Mirror (mirror)
+* SSI (virtual include)
+* njs (r.subrequest)
+
+The following example demonstrates the general rule:
+
+{{< tabs name="subrequest-example" >}}
+
+{{% tab name="nginx.js" %}}
+
+```nginx
+user nginx;
+worker_processes 4;
+#daemon off;
+
+load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_js_module.so;
+
+error_log /var/log/nginx/error.log warn;
+
+events {
+ worker_connections 65536;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ js_import main from example.js;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ app_protect_enable on;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/foo/$request_uri;
+ }
+ }
+ server {
+ listen 127.0.0.1:8080;
+ server_name localhost;
+ proxy_http_version 1.1;
+
+ location /foo {
+ js_content main.fetch_subrequest;
+ }
+
+ location / {
+ internal;
+ return 200 "Hello! I got your URI request - $request_uri\n";
+ }
+ }
+}
+```
+
+{{% /tab %}}
+
+{{% tab name="example.js" %}}
+
+```js
+async function fetch_subrequest(r) {
+ let reply = await r.subrequest('/