diff --git a/content/_index.md b/content/_index.md index 0fdb961ed4..d6a3bd5840 100644 --- a/content/_index.md +++ b/content/_index.md @@ -3,8 +3,8 @@ title: F5 NGINX Product Documentation description: Learn how to deliver, manage, and protect your applications using F5 NGINX products. --- -# F5 NGINX Product Documentation -Learn how to deliver, manage, and protect your applications using F5 NGINX products. +# F5 NGINX Product Documentation +Learn how to deliver, manage, and protect your applications using F5 NGINX products. {{}} {{}} diff --git a/content/waf/_index.md b/content/waf/_index.md index cbb7025118..8824d6559a 100644 --- a/content/waf/_index.md +++ b/content/waf/_index.md @@ -1,25 +1,16 @@ --- -# The title is the product name title: "F5 WAF for NGINX" -# The URL is the base of the deployed path, becoming "docs.nginx.com//" url: /waf/ -# The cascade directive applies its nested parameters down the page tree until overwritten cascade: - # The logo file is resolved from the theme, in the folder /static/images/icons/ logo: NGINX-App-Protect-WAF-product-icon.svg -# The subtitle displays directly underneath the heading of a given page nd-banner: enabled: true start-date: 2025-08-30 md: /_banners/waf-unification-notice.md nd-subtitle: A lightweight, high-performance web application firewall for protecting APIs and applications -# Indicates that this is a custom landing page nd-landing-page: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: landing-page -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- ## About diff --git a/content/waf/changelog/2023.md b/content/waf/changelog/2023.md index 402f23499b..c2f8913a67 100644 --- a/content/waf/changelog/2023.md +++ b/content/waf/changelog/2023.md @@ -1,12 +1,8 @@ --- title: "2023 archive" -# Weights are assigned in increments of 100: determines sorting order weight: 200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: nd-product: F5WAFN --- @@ -151,7 +147,7 @@ This release includes new signatures for Anti Automation (bot defense): ### **Important Notes** -- Starting with this release, the `app_protect_compressed_requests_action` directive has been deprecated from the nginx configuration. Now by default the enforcer will decompress all the HTTP compressed payload request and will apply the enforcement. +- Starting with this release, the `app_protect_compressed_requests_action` directive has been deprecated from the nginx configuration. Now by default the enforcer will decompress all the HTTP compressed payload request and will apply the enforcement. - The F5 NGINX App Protect WAF has been enhanced to include response signature checks within the "filetypes" section. You have an option to enable the signature verification in the response by setting the `responseCheck` parameter to true. By default, this parameter is set to false. See [Restrict Response Signatures]({{< ref "/waf/policies/response-signatures.md" >}}) for more details. diff --git a/content/waf/changelog/2024.md b/content/waf/changelog/2024.md index 61e948a4eb..f1e84eb14f 100644 --- a/content/waf/changelog/2024.md +++ b/content/waf/changelog/2024.md @@ -1,13 +1,8 @@ --- title: "2024 archive" -# Weights are assigned in increments of 100: determines sorting order weight: 100 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit nd-product: F5WAFN --- diff --git a/content/waf/changelog/_index.md b/content/waf/changelog/_index.md index 012e1d350b..ea7cc5fcb7 100644 --- a/content/waf/changelog/_index.md +++ b/content/waf/changelog/_index.md @@ -1,14 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Changelog" url: /waf/changelog/ -# Weights are assigned in increments of 100: determines sorting order weight: 600 -# Creates a table of contents and sidebar, useful for large documents nd-landing-page: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: nd-product: F5WAFN --- diff --git a/content/waf/configure/apreload.md b/content/waf/configure/apreload.md index 7f6dfe1f70..7dcdd69977 100644 --- a/content/waf/configure/apreload.md +++ b/content/waf/configure/apreload.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Apply security policy updates without reloading NGINX using apreload" -# Weights are assigned in increments of 100: determines sorting order weight: 100 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This document describes how to use `apreload`, a tool for updating F5 WAF for NGINX configuration without reloading NGINX. @@ -61,7 +55,7 @@ When calling _apreload_ directly, it is possible to run it while the previous ex The new execution will will apply a new configuration, and the most recent configuration will only apply during during the execution period. -In a scenario where an execution from an NGINX reload is followed by a direct _ap_reload_ call, the NGINX workers with the new NGINX configuration will be loaded as soon as the Enforcer finishes processing the existing configuration. +In a scenario where an execution from an NGINX reload is followed by a direct _ap_reload_ call, the NGINX workers with the new NGINX configuration will be loaded as soon as the Enforcer finishes processing the existing configuration. Once complete, the most recent F5 WAF for NGINX configuration will be loaded using with the same NGINX worker instances. @@ -77,10 +71,10 @@ If you want to apply either of the two, reload NGINX instead of using _apreload_ ## apreload events -_apreload_ events use the same format as operation log events written in the NGINX error log, reporting `configuration_load_success` or `configuration_load_failure` with JSON formatted details. +_apreload_ events use the same format as operation log events written in the NGINX error log, reporting `configuration_load_success` or `configuration_load_failure` with JSON formatted details. -If any of the configuration files are invalid, _apreload_ will discover that and return the proper error message in the `configuration_load_failure event`. +If any of the configuration files are invalid, _apreload_ will discover that and return the proper error message in the `configuration_load_failure event`. -The enforcer will continue to run with the previous working configuration. +The enforcer will continue to run with the previous working configuration. For more information, see the [Operation logs]({{< ref "/waf/logging/operation-logs.md">}}) topic. \ No newline at end of file diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md index 7c5a562529..b1b3035566 100644 --- a/content/waf/configure/compiler.md +++ b/content/waf/configure/compiler.md @@ -1,18 +1,14 @@ --- -# We use sentence case and present imperative tone title: "Build and use the compiler tool" -# Weights are assigned in increments of 100: determines sorting order weight: 200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to nd-product: F5WAFN --- This document describes how to use the F5 WAF for NGINX compiler, a tool for converting security policies and logging profiles from JSON to a bundle file that F5 WAF can process and apply. -You can use it to get the latest security updates for [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}), Threat campaigns and Bot signatures. +You can use it to get the latest security updates for [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}), Threat campaigns and Bot signatures. The compiler is packaged as a Docker image and can executed using the Docker CLI or as part of a continuous integration/continuous delivery (CI/CD) pipeline. @@ -106,7 +102,7 @@ You can can upgrade or downgrade one of the Signatures by specifying a specific You can use the Docker registry API to list the available image tags. -Replace `` with the location of your client key and `` with the location of your client certificate. +Replace `` with the location of your client key and `` with the location of your client certificate. ```shell curl -s https://private-registry.nginx.com/v2/nap/waf-compiler/tags/list --key --cert @@ -150,7 +146,7 @@ Ensure that the output directory is writable, otherwise you may encounter a perm {{< /call-out >}} -To use multiple policy bundles within a single NGINX configuration, you must supply a [global settings](#global-settings) JSON file. +To use multiple policy bundles within a single NGINX configuration, you must supply a [global settings](#global-settings) JSON file. This ensures that all bundles have a common foundation such as cookie seed and user-defined signatures. @@ -184,7 +180,7 @@ docker run --rm \ -include-source -full-export -g $(pwd)/global_settings.json -p $(pwd)/policy.json -o $(pwd)/compiled_policy.tgz ``` -This will transform any configuration that relies on external references into an inline configuration within the bundled source. +This will transform any configuration that relies on external references into an inline configuration within the bundled source. Additionally, when `-include-source` is combined with `-full-export`, the policy.json within the bundle will contain the entire source policy, including any default settings from the base template. diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md index 5d265b7019..72e559c573 100644 --- a/content/waf/configure/converters.md +++ b/content/waf/configure/converters.md @@ -1,18 +1,12 @@ --- -# We use sentence case and present imperative tone title: "Build and use the converter tools" -# Weights are assigned in increments of 100: determines sorting order weight: 300 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- -This document describes the tools F5 WAF for NGINX has to convert existing resources or configuration files from a BIG-IP environment for use with F5 WAF for NGINX. +This document describes the tools F5 WAF for NGINX has to convert existing resources or configuration files from a BIG-IP environment for use with F5 WAF for NGINX. {{< call-out "important" >}} @@ -158,10 +152,10 @@ docker run -it --rm \ waf-compiler-:custom \ -i /tmp/convert/policy.xml \ -o /tmp/convert/policy.json \ - --full-export + --full-export ``` -### Keep full configuration (retain elements that may be invalid or irrelevant): +### Keep full configuration (retain elements that may be invalid or irrelevant) ```shell docker run -it --rm \ -v "$(pwd)":/tmp/convert \ diff --git a/content/waf/configure/kubernetes-read-only.md b/content/waf/configure/kubernetes-read-only.md index 50d8b6bd97..00d6146c13 100644 --- a/content/waf/configure/kubernetes-read-only.md +++ b/content/waf/configure/kubernetes-read-only.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Add a read-only filesystem for Kubernetes " -# Weights are assigned in increments of 100: determines sorting order weight: 600 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page describes how to add a read-only filesystem when deploying F5 WAF for NGINX when using Kubernetes. diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md index ba1a5012c5..933379ce14 100644 --- a/content/waf/configure/nginx-features.md +++ b/content/waf/configure/nginx-features.md @@ -1,19 +1,13 @@ --- -# We use sentence case and present imperative tone title: "Configure NGINX features with F5 WAF" -# Weights are assigned in increments of 100: determines sorting order weight: 700 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- -This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features. +This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features. -It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured. +It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured. Important constraints when F5 WAF for NGINX is enabled: @@ -24,7 +18,7 @@ For additional information on configuring NGINX, you should view the [NGINX docu ## Subrequest-based modules -F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules. +F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules. Examples of subrequest-based modules: diff --git a/content/waf/configure/secure-mtls.md b/content/waf/configure/secure-mtls.md index 9b0c37da06..ce490553e6 100644 --- a/content/waf/configure/secure-mtls.md +++ b/content/waf/configure/secure-mtls.md @@ -1,22 +1,16 @@ --- -# We use sentence case and present imperative tone title: "Secure traffic using mTLS" -# Weights are assigned in increments of 100: determines sorting order weight: 500 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This document describes how to secure traffic between NGINX and the F5 WAF enforcer using mTLS. It explains how to generate the necessary certificates, then update configuration files to use them. -A mutual TLS (mTLS) connection creates authentication between both NGINX (client) and F5 WAF Enforcer (server). +A mutual TLS (mTLS) connection creates authentication between both NGINX (client) and F5 WAF Enforcer (server). This adds an extra layer of security, ensuring that both parties are who they claim to be. @@ -26,7 +20,7 @@ To enable mTLS, you must first create certificates. {{< call-out "note" >}} -The following commands will generate self-signed certificates in _/etc/ssl/certs/_ valid for the default period of 30 days. You can adjust the command to fit your needs. +The following commands will generate self-signed certificates in _/etc/ssl/certs/_ valid for the default period of 30 days. You can adjust the command to fit your needs. For instance, to specify a different validity period, add the _-days_ option followed by the number of days you want the certificate to be valid (Such as _-days 90_). diff --git a/content/waf/configure/selinux.md b/content/waf/configure/selinux.md index 38ed6897ea..99da0f7c83 100644 --- a/content/waf/configure/selinux.md +++ b/content/waf/configure/selinux.md @@ -1,20 +1,14 @@ --- -# We use sentence case and present imperative tone title: "Configure SELinux" -# Weights are assigned in increments of 100: determines sorting order weight: 400 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- The default settings for Security-Enhanced Linux (SELinux) on modern Red Hat Enterprise Linux (RHEL) and related distros can be very strict, prioritizing security over user convenience. -To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. +To ensure F5 WAF for NGINX operates smoothly without compromising security, consider setting up a custom SELinux policy or AppArmor profile. For troubleshooting, you may use permissive (SELinux) or complain (AppArmor) mode to avoid these restrictions, but this is inadvisable for prolonged use. diff --git a/content/waf/fundamentals/overview.md b/content/waf/fundamentals/overview.md index 9eaa40541b..5ec51db8b3 100644 --- a/content/waf/fundamentals/overview.md +++ b/content/waf/fundamentals/overview.md @@ -1,18 +1,12 @@ --- -# We use sentence case and present imperative tone title: "Overview" -# Weights are assigned in increments of 100: determines sorting order weight: 100 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- -[F5 WAF for NGINX](https://www.f5.com/products/nginx/nginx-app-protect) (formerly NGINX App Protect WAF) is an advanced, lightweight and high-performance web application firewall (WAF) for applications and APIs. +[F5 WAF for NGINX](https://www.f5.com/products/nginx/nginx-app-protect) (formerly NGINX App Protect WAF) is an advanced, lightweight and high-performance web application firewall (WAF) for applications and APIs. It provides protection for the OWASP Top 10, with additional functionality: @@ -37,4 +31,4 @@ It is platform-agnostic and supports a range of deployment options: For more details, see the [Technical specifications]({{< ref "/waf/fundamentals/technical-specifications.md" >}}). -F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). +F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). diff --git a/content/waf/fundamentals/technical-specifications.md b/content/waf/fundamentals/technical-specifications.md index f8f9d7dd94..6dc0b3ac2f 100644 --- a/content/waf/fundamentals/technical-specifications.md +++ b/content/waf/fundamentals/technical-specifications.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Technical specifications" -# Weights are assigned in increments of 100: determines sorting order weight: 200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page outlines the technical specifications for F5 WAF for NGINX, which includes the minimum requirements and supported platforms. diff --git a/content/waf/fundamentals/terminology.md b/content/waf/fundamentals/terminology.md index 72147846e7..bee36383dc 100644 --- a/content/waf/fundamentals/terminology.md +++ b/content/waf/fundamentals/terminology.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Terminology" -# Weights are assigned in increments of 100: determines sorting order weight: 300 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page defines terminology used when describing functionality of F5 WAF for NGINX. diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md index 88e1a8bc98..47c3f246a8 100644 --- a/content/waf/install/disconnected-environment.md +++ b/content/waf/install/disconnected-environment.md @@ -1,11 +1,7 @@ --- -# We use sentence case and present imperative tone title: "Disconnected or air-gapped environments" -# Weights are assigned in increments of 100: determines sorting order weight: 500 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to nd-product: F5WAFN --- diff --git a/content/waf/install/docker.md b/content/waf/install/docker.md index 437440c51f..cc7970c3e1 100644 --- a/content/waf/install/docker.md +++ b/content/waf/install/docker.md @@ -1,16 +1,12 @@ --- -# We use sentence case and present imperative tone title: "Docker" -# Weights are assigned in increments of 100: determines sorting order weight: 400 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to nd-product: F5WAFN --- -This page describes how to install F5 WAF for NGINX using Docker. +This page describes how to install F5 WAF for NGINX using Docker. ## Before you begin diff --git a/content/waf/install/kubernetes-plm.md b/content/waf/install/kubernetes-plm.md index be83573103..db5057f303 100644 --- a/content/waf/install/kubernetes-plm.md +++ b/content/waf/install/kubernetes-plm.md @@ -1,15 +1,11 @@ --- -# We use sentence case and present imperative tone title: "Kubernetes operations improvements (Early access)" -# Weights are assigned in increments of 100: determines sorting order weight: 300 -# Creates a table of contents and sidebar, useful for large documents toc: true nd-banner: enabled: true start-date: 2025-08-30 md: /_banners/waf-early-availability.md -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference nd-product: F5WAFN --- @@ -22,7 +18,7 @@ There are two new features available for Kubernetes through early access: This extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach for policy orchestration. -These features revolve around a _Policy Controller_ which uses the Kubernetes operator pattern to manage the lifecycle of WAF security artifacts. +These features revolve around a _Policy Controller_ which uses the Kubernetes operator pattern to manage the lifecycle of WAF security artifacts. It handles policy distribution at scale by removing manual steps and providing a declarative configuration model with Custom Resource Definitions (CRDs) for policies, logging profiles and signatures. @@ -128,7 +124,7 @@ If you do this, ensure that all corresponding values for persistent volumes poin ### Download and apply CRDs -These enhancements require specific CRDs to be applied before deployment. +These enhancements require specific CRDs to be applied before deployment. These CRDs define the resources that the Policy Controller manages: @@ -153,7 +149,7 @@ kubectl apply -f crds/ ### Update NGINX configuration -To activate these enhancements, NGINX requires configuration to integrate with the Policy Controller. +To activate these enhancements, NGINX requires configuration to integrate with the Policy Controller. The directive `app_protect_default_config_source` must be set to `"custom-resource"` to enable the features. @@ -223,7 +219,7 @@ These are the directives: ## Update Helm configuration -These new enhancements are deployed as part of the F5 WAF for NGINX Helm chart. +These new enhancements are deployed as part of the F5 WAF for NGINX Helm chart. To enable them, you must configure the Policy Controller settings in your `values.yaml` file: @@ -624,7 +620,7 @@ If you are using the IP intelligence feature, you will have a 4th F5 WAF for NGI ### Create custom policy resources -During installation, you can create policy resources using Kubernetes manifests. +During installation, you can create policy resources using Kubernetes manifests. Here are two examples, which you can use to create your own: @@ -881,7 +877,7 @@ kubectl get all -n Look for the fields _CLUSTER-IP_ and the full deployment name: -``` +```shell NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/localenv-plm-nginx-app-protect-nginx NodePort 10.43.205.101 80:30970/TCP 21h @@ -951,7 +947,7 @@ spec: ``` {{< call-out "warning" >}} -The APSignatures `metadata.name` argument _must_ be `signatures`. +The APSignatures `metadata.name` argument _must_ be `signatures`. Only one APSignatures instance can exist. {{< /call-out >}} @@ -1083,7 +1079,7 @@ For more information relevant to this type of deployment, see the [Disconnected ## Policy types -F5 WAF for NGINX supports multiple ways to define and reference security policies through APPolicy Custom Resources. +F5 WAF for NGINX supports multiple ways to define and reference security policies through APPolicy Custom Resources. This flexibility allows you to choose the most appropriate approach based on your requirements. @@ -1095,7 +1091,7 @@ There are three distinct approaches for defining WAF policies: ### Inline policy definition -Inline policy definition allows you to specify the complete WAF policy configuration directly within the APPolicy Custom Resource. +Inline policy definition allows you to specify the complete WAF policy configuration directly within the APPolicy Custom Resource. This method provides full declarative management through Kubernetes manifests and is ideal for version-controlled policy configurations. @@ -1139,7 +1135,7 @@ kubectl apply -f inline-policy.yaml ### JSON policy reference -JSON policy reference allows you to store your policy configuration as a separate JSON file in the shared persistent volume and reference it from the APPolicy Custom Resource. +JSON policy reference allows you to store your policy configuration as a separate JSON file in the shared persistent volume and reference it from the APPolicy Custom Resource. This method separates policy content from Kubernetes resource management while maintaining compilation automation. @@ -1154,7 +1150,7 @@ The Policy Controller can automatically monitor policy files for changes and tri - **`tracking.enabled`**: Enable/disable automatic file monitoring (default: true) - **`tracking.intervalInSeconds`**: Polling interval for file changes (default: 5 seconds) -To exemplify how this works, first create a policy JSON file in the shared volume. +To exemplify how this works, first create a policy JSON file in the shared volume. This policy file is `/mnt/nap5_bundles_pv_data/dg_policy.json`: @@ -1247,7 +1243,7 @@ The Policy Controller will detect the file changes and recompile automatically. ### Precompiled bundle reference -Precompiled bundle reference allows you to use policy bundles that have been pre-compiled using external WAF compiler tools. +Precompiled bundle reference allows you to use policy bundles that have been pre-compiled using external WAF compiler tools. This approach is useful for policies compiled outside of the Kubernetes environment or when integrating with external policy management systems. @@ -1270,7 +1266,7 @@ The Policy Controller performs validation of precompiled bundles using `apcompil - **Version compatibility**: Confirmation that the bundle works with current enforcer - **Content validation**: Basic checks on policy structure and syntax -To exemplify how this works, first ensure your precompiled policy bundle is available in the shared volume. +To exemplify how this works, first ensure your precompiled policy bundle is available in the shared volume. For example, place `policy2.tgz` in `/mnt/nap5_bundles_pv_data/`. diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md index 1be48c5e56..6eed94d272 100644 --- a/content/waf/install/kubernetes.md +++ b/content/waf/install/kubernetes.md @@ -1,11 +1,7 @@ --- -# We use sentence case and present imperative tone title: "Kubernetes" -# Weights are assigned in increments of 100: determines sorting order weight: 200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to nd-product: F5WAFN --- diff --git a/content/waf/install/uninstall.md b/content/waf/install/uninstall.md index 12e3e5504b..2b057ea2bd 100644 --- a/content/waf/install/uninstall.md +++ b/content/waf/install/uninstall.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Uninstall F5 WAF for NGINX" -# Weights are assigned in increments of 100: determines sorting order weight: 800 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This document describes how to uninstall F5 WAF for NGINX. diff --git a/content/waf/install/update-signatures.md b/content/waf/install/update-signatures.md index 0173fd6043..3399b61309 100644 --- a/content/waf/install/update-signatures.md +++ b/content/waf/install/update-signatures.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Update F5 WAF for NGINX signatures" -# Weights are assigned in increments of 100: determines sorting order weight: 600 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes how to update F5 WAF for NGINX signatures in a [virtual machine or bare-metal environment]({{< ref "/waf/install/virtual-environment.md" >}}). diff --git a/content/waf/install/upgrade.md b/content/waf/install/upgrade.md index 30f13cc5b8..c872b0350d 100644 --- a/content/waf/install/upgrade.md +++ b/content/waf/install/upgrade.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Upgrade F5 WAF for NGINX" -# Weights are assigned in increments of 100: determines sorting order weight: 700 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This document describes how to upgrade F5 WAF for NGINX. diff --git a/content/waf/install/virtual-environment.md b/content/waf/install/virtual-environment.md index 4b01e1634d..30317ce7fa 100644 --- a/content/waf/install/virtual-environment.md +++ b/content/waf/install/virtual-environment.md @@ -1,22 +1,16 @@ --- -# We use sentence case and present imperative tone title: "Virtual machine or bare metal" -# Weights are assigned in increments of 100: determines sorting order weight: 100 -# Creates a table of contents and sidebar, useful for large documents toc: true nd-banner: enabled: true start-date: 2025-08-30 md: /_banners/waf-virtual-restriction.md -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- -This page describes how to install F5 WAF for NGINX in a virtual machine or bare metal environment. +This page describes how to install F5 WAF for NGINX in a virtual machine or bare metal environment. ## Before you begin diff --git a/content/waf/logging/access-logs.md b/content/waf/logging/access-logs.md index 8bce7340b0..b8e919f141 100644 --- a/content/waf/logging/access-logs.md +++ b/content/waf/logging/access-logs.md @@ -3,16 +3,16 @@ title: Access logs toc: false weight: 500 nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- -Access logs are NGINX's mechanism for logging requests. +Access logs are NGINX's mechanism for logging requests. It is controlled by two directives: **log_format** -This directive determines the format of the log messages using predefined variables. +This directive determines the format of the log messages using predefined variables. F5 WAF for NGINX can extend this set of variables with several security log attributes available for inclusion in `log_format`. @@ -22,9 +22,9 @@ If `log_format` is not specified then the built-in format `combined` is used, wh **access_log** -This directive determines the destination of the _access_log_ and the formatted name. +This directive determines the destination of the _access_log_ and the formatted name. -The default configuration is the file `/etc/nginx/log/access.log` using the combined format. +The default configuration is the file `/etc/nginx/log/access.log` using the combined format. Use this directive in order to create a customized format which can include the F5 WAF for NGINX variables. @@ -41,7 +41,7 @@ These are the variables added to Access Log. They are a subset of the Security l |$app_protect_policy_name | The name of the policy that enforced the request. | | |$app_protect_version | The F5 WAF for NGINX version string: major.minor.build format. | Does not include the F5 NGINX plus version (e.g. R21). The latter is available in `$version` variable. | -Note that many of the other security log attributes that are not included here have exact or similar parallels among the NGINX variables also available for access log. +Note that many of the other security log attributes that are not included here have exact or similar parallels among the NGINX variables also available for access log. For example, **$request** is parallel to the **request** security log attribute. diff --git a/content/waf/logging/custom-dimensions.md b/content/waf/logging/custom-dimensions.md index 8f74ffded4..c8126a9129 100644 --- a/content/waf/logging/custom-dimensions.md +++ b/content/waf/logging/custom-dimensions.md @@ -10,7 +10,7 @@ F5 WAF for NGINX can configure custom dimensions for log entries using the direc This directive can be added to the NGINX configuration file in the `http`, `server` and `location` scopes. The custom dimensions become part of every request in the [Security logs]({{< ref "/waf/logging/security-logs.md" >}}) based on the scope used. -The `app_protect_custom_log_attribute` directive takes a key/value pair, such as `app_protect_custom_log_attribute 'customDimension' '1'`. The directive can cascade and override entries based on scope order: _location_, _server_ then _http_. +The `app_protect_custom_log_attribute` directive takes a key/value pair, such as `app_protect_custom_log_attribute 'customDimension' '1'`. The directive can cascade and override entries based on scope order: _location_, _server_ then _http_. For example, attributes at the _http_ level apply to all servers and locations unless a specific server or location overrides the same key with a different value. diff --git a/content/waf/logging/debug-logs.md b/content/waf/logging/debug-logs.md index 413645d373..afccaed4c8 100644 --- a/content/waf/logging/debug-logs.md +++ b/content/waf/logging/debug-logs.md @@ -3,7 +3,7 @@ title: Debug logs toc: false weight: 500 nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- ## Debug Logs diff --git a/content/waf/logging/logs-overview.md b/content/waf/logging/logs-overview.md index dabd401537..9cb2dc6e93 100644 --- a/content/waf/logging/logs-overview.md +++ b/content/waf/logging/logs-overview.md @@ -3,7 +3,7 @@ title: Log types toc: true weight: 100 nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- F5 WAF for NGINX generates three types of logs: diff --git a/content/waf/logging/operation-logs.md b/content/waf/logging/operation-logs.md index a3492eb880..81ec7c9ef9 100644 --- a/content/waf/logging/operation-logs.md +++ b/content/waf/logging/operation-logs.md @@ -3,7 +3,7 @@ title: Operation logs toc: false weight: 400 nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- diff --git a/content/waf/policies/allowed-methods.md b/content/waf/policies/allowed-methods.md index 2b152851af..2271c64990 100644 --- a/content/waf/policies/allowed-methods.md +++ b/content/waf/policies/allowed-methods.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Allowed methods" -# Weights are assigned in increments of 100: determines sorting order weight: 400 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the allowed HTTP methods for F5 WAF for NGINX. @@ -18,7 +12,7 @@ You can use policies to specify what methods are allowed or disallowed. ## Allowed by default -To disable a method allowed by default, you can use `"$action": "delete"`. +To disable a method allowed by default, you can use `"$action": "delete"`. The following example changes the default allowed method _PUT_ by removing it from the default enforcement. @@ -70,7 +64,7 @@ The example includes the other methods that are allowed by default for reference ## Custom method enforcement -To enable any custom method other than the above mentioned HTTP standard methods, the user must configure the specific modules that allow those methods. +To enable any custom method other than the above mentioned HTTP standard methods, the user must configure the specific modules that allow those methods. NGINX will reject any custom method other than the standard allowed HTTP methods GET, POST, PUT, DELETE, HEAD, and OPTIONS. diff --git a/content/waf/policies/attack-signatures.md b/content/waf/policies/attack-signatures.md index 36ca18bb05..8884c06e7e 100644 --- a/content/waf/policies/attack-signatures.md +++ b/content/waf/policies/attack-signatures.md @@ -1,18 +1,12 @@ --- -# We use sentence case and present imperative tone title: "Attack signatures" -# Weights are assigned in increments of 100: determines sorting order weight: 500 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- -Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application and its components. You can apply attack signatures to both requests and responses. +Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application and its components. You can apply attack signatures to both requests and responses. F5 WAF for NGINX includes predefined attack signatures to protect your application against all attack types identified by the system. @@ -77,11 +71,11 @@ In this example, only high accuracy signatures are configured to be enforced, bu } ``` -Since the "All Signatures" set is not included in the default policy, turning OFF for both alarm and block has no effect because all the other sets with alarm turned ON (and high accuracy signatures with block enabled) are still in place, and a signature that is a member of multiple sets behaves in accordance with the strict settings of all sets it belongs to. +Since the "All Signatures" set is not included in the default policy, turning OFF for both alarm and block has no effect because all the other sets with alarm turned ON (and high accuracy signatures with block enabled) are still in place, and a signature that is a member of multiple sets behaves in accordance with the strict settings of all sets it belongs to. The only way to remove signature sets is to remove or disable sets that are part of the [default policy]({{< ref "/waf/policies/configuration.md#default-policy" >}}). -For example, in the below default policy, even though all signature alarm and block settings are set to false, attack signatures enforcement cannot be ignored as some of the signature sets will be enabled in their strict policy. +For example, in the below default policy, even though all signature alarm and block settings are set to false, attack signatures enforcement cannot be ignored as some of the signature sets will be enabled in their strict policy. If you want to remove a specific signature set, you must explicitly mention it under the [strict policy]({{< ref "/waf/policies/configuration.md#strict-policy" >}}). @@ -106,7 +100,7 @@ If you want to remove a specific signature set, you must explicitly mention it u } ``` -A signature may belong to more than one set in the policy: tts behavior is determined by the most severe action across all the sets that contain it. +A signature may belong to more than one set in the policy: tts behavior is determined by the most severe action across all the sets that contain it. In the above example, a high accuracy SQL injection signature will both alarm and block, because the `High Accuracy Signatures` set is blocking and both sets trigger alarm. @@ -201,13 +195,13 @@ To exclude multiple attack signatures, each signature ID needs to be added as a } ``` -In the previous examples, the signatures were disabled for all the requests that are inspected by the respective policy. You can also exclude signatures for specific URLs or parameters, while still enable them for the other URLs and parameters. +In the previous examples, the signatures were disabled for all the requests that are inspected by the respective policy. You can also exclude signatures for specific URLs or parameters, while still enable them for the other URLs and parameters. The topic [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) has more details. -In some cases, you may want to remove a whole signature set that was included in the default policy. For example, a protected application may not use XML and is not vulnerable to XPath injection. +In some cases, you may want to remove a whole signature set that was included in the default policy. For example, a protected application may not use XML and is not vulnerable to XPath injection. -If you wanted to remove `XPath Injection Signatures`, there are two methods. +If you wanted to remove `XPath Injection Signatures`, there are two methods. The first is to set the `alarm` and `block` flags to `false` for this signature set, overriding the base template: @@ -248,9 +242,9 @@ Although the two methods are functionally equivalent, the second one is preferab ## Default signature sets -The following signature sets are included in the default policy. +The following signature sets are included in the default policy. -Most sets are defined by the attack type they protect from. +Most sets are defined by the attack type they protect from. In all sets the **Alarm** flag is enabled and **Block** disabled except High Accuracy Signatures, which are set to **blocked** (`block` parameter is enabled). diff --git a/content/waf/policies/bot-signatures.md b/content/waf/policies/bot-signatures.md index f661990c90..3822fecba0 100644 --- a/content/waf/policies/bot-signatures.md +++ b/content/waf/policies/bot-signatures.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Bot signatures" -# Weights are assigned in increments of 100: determines sorting order weight: 550 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- Bot signatures are a feature that protects applications by detecting signatures and clients that falsely claim to be browsers or search engines. @@ -71,7 +65,7 @@ This example enables bot signatures using the default bot configuration: } ``` -The default actions for classes are: `detect` for `trusted-bot`, `alarm` for `untrusted-bot`, and `block` for `malicious-bot`. +The default actions for classes are: `detect` for `trusted-bot`, `alarm` for `untrusted-bot`, and `block` for `malicious-bot`. The next example enables bot defense, configuring a violation for `trusted-bot`, and block for `untrusted-bot`. @@ -162,7 +156,7 @@ Each request receives a score and anomaly category, and is enforced according to | 100 and above | Invalid HTTP Headers Presence or Order | Block | Malicious Bot | | Non Applicable | SEARCH_ENGINE_VERIFICATION_FAILED | Block | Malicious Bot | -The default scores for each anomaly can be changed. +The default scores for each anomaly can be changed. In this example, the score and action of the default bot configuration has been overrided: diff --git a/content/waf/policies/brute-force-attacks.md b/content/waf/policies/brute-force-attacks.md index c22b493738..783177f3dd 100644 --- a/content/waf/policies/brute-force-attacks.md +++ b/content/waf/policies/brute-force-attacks.md @@ -1,24 +1,18 @@ --- -# We use sentence case and present imperative tone title: "Brute force attack preventions" -# Weights are assigned in increments of 100: determines sorting order weight: 600 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the brute force attack prevention feature of F5 WAF for NGINX. -Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. +Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, username/password combinations to discover legitimate authentication credentials. -To prevent brute force attacks, F5 WAF for NGINX monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. +To prevent brute force attacks, F5 WAF for NGINX monitors IP addresses, usernames, and the number of failed login attempts beyond a maximum threshold. -When brute force patterns are detected, F5 WAF for NGINX policy either triggers an alarm or blocks the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. +When brute force patterns are detected, F5 WAF for NGINX policy either triggers an alarm or blocks the attack if the failed login attempts reached a maximum threshold for a specific username or coming from a specific IP address. ## User-defined URLs @@ -37,7 +31,7 @@ In order to create a brute force configuration for a specific URL in F5 WAF for ## Login pages -A login page specifies the URL that users must pass through to get authenticated. +A login page specifies the URL that users must pass through to get authenticated. The configuration of a login-pages includes the URL itself, the username and password parameters, and the validation criteria (Defining if a login was successful or failed). diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md index 4946da30a0..d131a299b9 100644 --- a/content/waf/policies/configuration.md +++ b/content/waf/policies/configuration.md @@ -1,16 +1,12 @@ --- -# We use sentence case and present imperative tone title: "Configure policies" -# Weights are assigned in increments of 100: determines sorting order weight: 100 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to nd-product: F5WAFN --- -This page describes the security features available with F5 WAF for NGINX and how to configure policies. +This page describes the security features available with F5 WAF for NGINX and how to configure policies. To convert policies from an existing F5 WAF solution, read the [Build and use the converter tools]({{< ref "/waf/configure/converters.md" >}}). @@ -48,17 +44,17 @@ You can use these policies as-is, but they are often the starting points for cus ### Configuration overview -The F5 WAF for NGINX security policy configuration uses a declarative format based on a pre-defined base template. +The F5 WAF for NGINX security policy configuration uses a declarative format based on a pre-defined base template. -The policy is represented in a JSON file which you can edit to add, modify and remove security capabilities in reference to the base template. +The policy is represented in a JSON file which you can edit to add, modify and remove security capabilities in reference to the base template. The way the policy is integrated into the NGINX configuration is through referencing the JSON file (Using the full path) in the `nginx.conf` file. {{< call-out "note" >}} -F5 WAF for NGINX provides a [JSON Schema](https://json-schema.org/) which can be used to validate a JSON policy file for format compliance. +F5 WAF for NGINX provides a [JSON Schema](https://json-schema.org/) which can be used to validate a JSON policy file for format compliance. -The schema file can be generated using a script once F5 WAF for NGINX is installed: `sudo /opt/app_protect/bin/generate_json_schema.pl`. +The schema file can be generated using a script once F5 WAF for NGINX is installed: `sudo /opt/app_protect/bin/generate_json_schema.pl`. This script will output the schema to a file named `policy.json` into the current working directory. Once the schema file is generated, you can use validation tools such as [AJV](https://ajv.js.org/standalone.html) to validate a JSON policy file. @@ -108,7 +104,7 @@ http { The base template is the common starting point for any policy you write. -The default policy reflects the base template without any further modifications, so the terms _base template_ and _default policy_ are used interchangeably. +The default policy reflects the base template without any further modifications, so the terms _base template_ and _default policy_ are used interchangeably. The default policy appears as follows: @@ -128,13 +124,13 @@ The default policy enforces violations by **Violation Rating**, the F5 WAF for N - 3: Needs examination - 4-5: Threat -The default policy enables most of the violations and signature sets with Alarm turned **ON**, but not **Block**. +The default policy enables most of the violations and signature sets with Alarm turned **ON**, but not **Block**. -These violations and signatures, when detected in a request, affect the violation rating. By default, if the violation rating is calculated to be malicious (4-5) the request will be blocked by the `VIOL_RATING_THREAT` violation. +These violations and signatures, when detected in a request, affect the violation rating. By default, if the violation rating is calculated to be malicious (4-5) the request will be blocked by the `VIOL_RATING_THREAT` violation. -This is true even if the other violations and signatures detected in that request have the Block flag turned OFF. It is the `VIOL_RATING_THREAT` violation having the Block flag turned ON that caused the blocking, but indirectly the combination of all the other violations and signatures in Alarm caused the request to be blocked. +This is true even if the other violations and signatures detected in that request have the Block flag turned OFF. It is the `VIOL_RATING_THREAT` violation having the Block flag turned ON that caused the blocking, but indirectly the combination of all the other violations and signatures in Alarm caused the request to be blocked. -By default, other requests which have a lower violation rating are not blocked, except for some specific violations described below. This is to minimize false positives. However, you can change the default behavior. +By default, other requests which have a lower violation rating are not blocked, except for some specific violations described below. This is to minimize false positives. However, you can change the default behavior. For example, if you want to add blocking on a violation rating of 3 as well, enable blocking for the `VIOL_RATING_NEED_EXAMINATION` violation. @@ -209,7 +205,7 @@ app_protect_policy_file /policies_mount/new_default_policy.tgz; ### Strict policy -The strict policy is recommended as a starting point for applications requiring a higher level of security. +The strict policy is recommended as a starting point for applications requiring a higher level of security. Similar to policies, it is customized from the base template, so it detects and blocks everything the default policy does. diff --git a/content/waf/policies/cookie-enforcement.md b/content/waf/policies/cookie-enforcement.md index c50d611506..f6e5cbc37a 100644 --- a/content/waf/policies/cookie-enforcement.md +++ b/content/waf/policies/cookie-enforcement.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Cookie enforcement" -# Weights are assigned in increments of 100: determines sorting order weight: 700 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the cookie enforcement feature for F5 WAF for NGINX. diff --git a/content/waf/policies/data-guard.md b/content/waf/policies/data-guard.md index 297a01923e..f2ada9bc13 100644 --- a/content/waf/policies/data-guard.md +++ b/content/waf/policies/data-guard.md @@ -1,22 +1,16 @@ --- -# We use sentence case and present imperative tone title: "Data guard" -# Weights are assigned in increments of 100: determines sorting order weight: 800 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page describes the data guard feature of F5 WAF for NGINX. -Data guard is a security feature that can be used to prevent the leakage of sensitive information from an application. +Data guard is a security feature that can be used to prevent the leakage of sensitive information from an application. -Examples include credit card numbers (CCN), Social Security numbers (SSN) or custom-defined patterns. +Examples include credit card numbers (CCN), Social Security numbers (SSN) or custom-defined patterns. Sensitive data is either blocked or masked based on configuration. diff --git a/content/waf/policies/deny-allow-ip.md b/content/waf/policies/deny-allow-ip.md index 63d0b58c17..b6b8239f11 100644 --- a/content/waf/policies/deny-allow-ip.md +++ b/content/waf/policies/deny-allow-ip.md @@ -1,13 +1,8 @@ --- -# We use sentence case and present imperative tone title: "Deny and Allow IP lists" -# Weights are assigned in increments of 100: determines sorting order weight: 900 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: nd-product: F5WAFN --- @@ -82,9 +77,9 @@ In this IPv4 example, the default configuration is used while enabling the deny ``` {{< call-out "note" >}} -The above configuration assumes the IP address represents the original requestor. +The above configuration assumes the IP address represents the original requestor. -It is common that the client address may instead represent a downstream proxy device as opposed to the original requestor's IP address. +It is common that the client address may instead represent a downstream proxy device as opposed to the original requestor's IP address. In this case, you may need to configure F5 WAF for NGINX to prefer the use of an `X-Forwarded-For` (or similar) header injected to the request by a downstream proxy in order to more accurately identify the *actual* originator of the request. @@ -93,7 +88,7 @@ Read the [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) topic This next example uses IPv6 notation with a single address and an IP subnet with a 120-bit prefix. -The first address is a single IP address, identifiable by the mask which is all f's. Since this is a default value, there is no need to specify the mask. +The first address is a single IP address, identifiable by the mask which is all f's. Since this is a default value, there is no need to specify the mask. The second address is a subnet of 120 bits (out of the 128 of an IPv6 address). The trailing 8 bits (128-120) must be **zero** in both the mask and the address itself. diff --git a/content/waf/policies/directives.md b/content/waf/policies/directives.md index 8b8602006d..abf24d9f7b 100644 --- a/content/waf/policies/directives.md +++ b/content/waf/policies/directives.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Directives" -# Weights are assigned in increments of 100: determines sorting order weight: 150 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the global NGINX directives and directives specific to F5 WAF for NGINX. @@ -19,11 +13,11 @@ This topic describes the global NGINX directives and directives specific to F5 W Global configuration consists of a series of `nginx.conf` directives at the `http` context controlling aspects that are not specific to a specific application. When applied to a cluster, all cluster members will get the same globals. -The URL in a request determines whether or not it will be inspected by F5 WAF for NGINX. This is defined by `app_protect_enable` and `app_protect_policy_file` directives in the `location` scope. +The URL in a request determines whether or not it will be inspected by F5 WAF for NGINX. This is defined by `app_protect_enable` and `app_protect_policy_file` directives in the `location` scope. -In the case that the URL itself has violations such as *bad unescape* or *illegal metacharacter*, the request may be assigned to a location in which F5 WAF for NGINX is disabled or has a relaxed policy that does not detect these violations. +In the case that the URL itself has violations such as *bad unescape* or *illegal metacharacter*, the request may be assigned to a location in which F5 WAF for NGINX is disabled or has a relaxed policy that does not detect these violations. -Such malicious requests will be allowed without inspection. +Such malicious requests will be allowed without inspection. In order to avoid this, it is recommended to have a basic policy enabled at the `http` scope or at least at the `server` scope to process malicious requests in a more complete manner. @@ -59,9 +53,9 @@ In order to avoid this, it is recommended to have a basic policy enabled at the ### Horizontal scaling -F5 WAF for NGINX can be deployed in multiple instances that share the traffic to the same applications. +F5 WAF for NGINX can be deployed in multiple instances that share the traffic to the same applications. -In this case, all instances must share the same configuration files. +In this case, all instances must share the same configuration files. It is your responsibility to synchronize the files on all instances. You must also load balancing each of those instances, such as using additional NGINX instances. @@ -80,11 +74,11 @@ http { ... ``` -The argument for the directive should be a random alphanumeric string of at least 20 characters (Maximum 1000 characters). +The argument for the directive should be a random alphanumeric string of at least 20 characters (Maximum 1000 characters). This is a seed used by F5 WAF for NGINX to generate the encryption key for the cookies it creates. These cookies are used for various purposes such as validating the integrity of the cookies generated by the application. -In the absence of this directive, F5 WAF for NGINX generates a random string by itself. In that case, each instance will have a different seed. +In the absence of this directive, F5 WAF for NGINX generates a random string by itself. In that case, each instance will have a different seed. A cookie created and encrypted on one instance of F5 WAF for NGINX will fail to be decrypted when sent by the same client to another F5 WAF for NGINX instance having a different encryption key. @@ -122,9 +116,9 @@ When configuring this directive in the `nginx.conf` file, F5 WAF for NGINX disre {{< /call-out >}} -By default, the enforcer will now decompress the whole HTTP compressed payload request and will apply the enforcement. +By default, the enforcer will now decompress the whole HTTP compressed payload request and will apply the enforcement. -The supported compression algorithms for this feature are "**gzip**" and "**deflate**". +The supported compression algorithms for this feature are "**gzip**" and "**deflate**". Decompression may fail under certain conditions: diff --git a/content/waf/policies/disallowed-extensions.md b/content/waf/policies/disallowed-extensions.md index 79906d44c5..e7262ef6fe 100644 --- a/content/waf/policies/disallowed-extensions.md +++ b/content/waf/policies/disallowed-extensions.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Disallowed file type extensions" -# Weights are assigned in increments of 100: determines sorting order weight: 1000 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page describes the disallowed file type extensions feature for F5 WAF by NGINX. diff --git a/content/waf/policies/do-nothing.md b/content/waf/policies/do-nothing.md index 92d87b7eae..b9c470fd7b 100644 --- a/content/waf/policies/do-nothing.md +++ b/content/waf/policies/do-nothing.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Do-nothing" -# Weights are assigned in increments of 100: determines sorting order weight: 1050 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the do-nothing policy feature of F5 WAF for NGINX. diff --git a/content/waf/policies/evasion-techniques.md b/content/waf/policies/evasion-techniques.md index 3de8e7145e..610215eaae 100644 --- a/content/waf/policies/evasion-techniques.md +++ b/content/waf/policies/evasion-techniques.md @@ -1,26 +1,20 @@ --- -# We use sentence case and present imperative tone title: "Evasion techniques" -# Weights are assigned in increments of 100: determines sorting order weight: 1100 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the evasion techniques feature for F5 WAF for NGINX. -Evasion techniques are used by hackers to attempt to access resources or evade what would otherwise be identified as an attack. +Evasion techniques are used by hackers to attempt to access resources or evade what would otherwise be identified as an attack. Like HTTP compliance, evasion techniques have a list of sub-violations that can be configured for additional granularity and to reduce false positives. -In the following example, the evasion technique violation is enabled with the blocking enforcement mode. +In the following example, the evasion technique violation is enabled with the blocking enforcement mode. -It also configures all sub-violations in their relevant sections, which you can add or remove to create your desired configurations. +It also configures all sub-violations in their relevant sections, which you can add or remove to create your desired configurations. When you do not customize a sub-violation, it retains its default settings. diff --git a/content/waf/policies/external-references.md b/content/waf/policies/external-references.md index 0cdace6800..46cf28e800 100644 --- a/content/waf/policies/external-references.md +++ b/content/waf/policies/external-references.md @@ -1,22 +1,16 @@ --- -# We use sentence case and present imperative tone title: "External references" -# Weights are assigned in increments of 100: determines sorting order weight: 200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the external references feature for F5 WAF for NGINX. -External references in policy are code blocks that can be used as part of a policy without being part of the policy file. This means that you can have a set of pre-defined configurations for parts of the policy, and you can incorporate them as part of the policy by simply referencing them. +External references in policy are code blocks that can be used as part of a policy without being part of the policy file. This means that you can have a set of pre-defined configurations for parts of the policy, and you can incorporate them as part of the policy by simply referencing them. -It allows you to separate policy information into smaller files, which can be easier to maintain for a large, complex policy. Another use case for external references is to build a dynamic policy that requires replaceable files. +It allows you to separate policy information into smaller files, which can be easier to maintain for a large, complex policy. Another use case for external references is to build a dynamic policy that requires replaceable files. You can create and populate specific files with the configuration relevant to your policy, and then compile the policy to include the latest version of these files, ensuring that your policy is always up to date when it comes to a constantly changing environment. @@ -26,7 +20,7 @@ Updating a single file referenced in the policy will not trigger a policy compil {{< /call-out >}} -To use external references, replace the direct property in the policy file with the _\Reference_ property, where _\_ defines the replacement text for the property changed to singular (if originally plural) and notation converted from snake case to camelCase. +To use external references, replace the direct property in the policy file with the _\Reference_ property, where _\_ defines the replacement text for the property changed to singular (if originally plural) and notation converted from snake case to camelCase. For example, a `modifications` section could be replaced by `modificationsReference` and `data-guard` could be replaced by `dataGuardReference`. @@ -36,17 +30,17 @@ There are different implementations based on the type of references that are bei ### URL references -URL reference is the method of referencing an external source by providing its full URL. +URL reference is the method of referencing an external source by providing its full URL. This is a useful method when trying to combine or consolidate parts of the policy that are present on different host machines. -{{< call-out "note" >}} +{{< call-out "note" >}} You need to make sure that the server where the resource files are located is always available when you are compiling your policy. {{< /call-out >}} -This example creates a skeleton policy, enabling the file type violation. +This example creates a skeleton policy, enabling the file type violation. It does not specify the file types as these file types depend on a separate application that defines these types. It populates this section from an external reference instead. @@ -115,7 +109,7 @@ HTTPS references are a special case of URL references. It uses the HTTPS protoco - For Self-signed certificates, you need to make sure to add your certificates to the trusted CA of the machine where F5 WAF for NGINX is installed. - Certificates must use the exact domain name that the certificate was issued for. For example, SSL will differentiate between domain.com and www.domain.com, considering each a different domain name. -The following configuration builds on the default policy by defining a custom response page using an external file located on an HTTPS web server. +The following configuration builds on the default policy by defining a custom response page using an external file located on an HTTPS web server. The external reference file contains the custom response page configuration. @@ -196,7 +190,7 @@ File references access local resources on the same machine, as opposed to access File references do not work with remote hosts. -You can specify any location that is accessible by F5 WAF for NGINX except for the root folder ("/"). +You can specify any location that is accessible by F5 WAF for NGINX except for the root folder ("/"). If a full path is not provided, the default path (_/etc/app_protect/conf_) will be used for resolution. @@ -285,7 +279,7 @@ Configuring and referencing OpenAPI specification files are similar to other ext ### URL references -This example adds an OpenAPI specification file reference using the link `http://127.0.0.1:8088/myapi.yaml`. +This example adds an OpenAPI specification file reference using the link `http://127.0.0.1:8088/myapi.yaml`. The referenced file configures the allowed data types for `query_int` and `query_str` parameter values. @@ -536,7 +530,7 @@ Content of the referenced file `myapi2.json`: The following request will trigger an `Illegal repeated parameter name` violation, as the OpenAPI specification doesn't allow repeated parameters. -``` +```text http://localhost/query?a=true&a=false ``` diff --git a/content/waf/policies/filetypes.md b/content/waf/policies/filetypes.md index cbdc5ee5db..7a2410ca0a 100644 --- a/content/waf/policies/filetypes.md +++ b/content/waf/policies/filetypes.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Filetypes" -# Weights are assigned in increments of 100: determines sorting order weight: 1125 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page describes the filetype feature of F5 WAF for NGINX. diff --git a/content/waf/policies/geolocation.md b/content/waf/policies/geolocation.md index 5c0f61c2dd..b4cb9af49a 100644 --- a/content/waf/policies/geolocation.md +++ b/content/waf/policies/geolocation.md @@ -1,32 +1,26 @@ --- -# We use sentence case and present imperative tone title: "Geolocation" -# Weights are assigned in increments of 100: determines sorting order weight: 1150 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the geolocation feature for F5 WAF for NGINX. Geolocation refers to the process of assessing or determining the geographic location of an object. This feature helps in identifying the geographic location of a client or web application user. -The Enforcer will look up the client IP address in the Geolocation file included in the F5 WAF for NGINX, and extract the corresponding [ISO 3166](https://www.iso.org/obp/ui/#search) two-letter code, representing the country. +The Enforcer will look up the client IP address in the Geolocation file included in the F5 WAF for NGINX, and extract the corresponding [ISO 3166](https://www.iso.org/obp/ui/#search) two-letter code, representing the country. For instance, "IL" denotes Israel. This information is denoted as "geolocation" in the condition and reported in the request.. -Applications protected by F5 WAF for NGINX can use geolocation enforcement to restrict or allow application use in specific countries. You can adjust the lists of which countries or locations are allowed or disallowed with a security policy. +Applications protected by F5 WAF for NGINX can use geolocation enforcement to restrict or allow application use in specific countries. You can adjust the lists of which countries or locations are allowed or disallowed with a security policy. If the user tries to access the web application from a location that is not allowed, the `VIOL_GEOLOCATION` violation will be triggered. By default, all locations are allowed, and the alarm and block flags are enabled. -Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do not include a valid country code. +Requests from certain locations, such as RFC-1918 addresses or unassigned global addresses, do not include a valid country code. The geolocation is shown as _N/A_ in both the request and the list of geolocations. You can disallow N/A requests whose country of origination is unknown. @@ -58,9 +52,9 @@ This indicates that requests originating from these locations should raise an al ``` -The next example represents a security policy override for a web application. The policy is named "_override_rule_example_" and is based on a template called "_POLICY_TEMPLATE_NGINX_BASE_". +The next example represents a security policy override for a web application. The policy is named "_override_rule_example_" and is based on a template called "_POLICY_TEMPLATE_NGINX_BASE_". -The policy is set to operate in _blocking mode_, which means it will prevent certain activities. The policy is configured to trust headers configured under _general_ that deal with custom headers for cross-origin requests, specifically the _xff_ header. +The policy is set to operate in _blocking mode_, which means it will prevent certain activities. The policy is configured to trust headers configured under _general_ that deal with custom headers for cross-origin requests, specifically the _xff_ header. In the "_override-rules_" section there is one override rule named "_myFirstRule_". This rule is configured to trigger when the geolocation of a request is identified as 'IL' (Israel). When this condition is met, the action taken is to extend the policy, but with a change in enforcement mode to "transparent." diff --git a/content/waf/policies/graphql-protection.md b/content/waf/policies/graphql-protection.md index 69ffb04206..527e82c872 100644 --- a/content/waf/policies/graphql-protection.md +++ b/content/waf/policies/graphql-protection.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "GraphQL protection" -# Weights are assigned in increments of 100: determines sorting order weight: 1190 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the GraphQL protection feature for F5 WAF for NGINX. @@ -22,7 +16,7 @@ GraphQL is designed for APIs to use in the development of client applications th It also allows the client to specify exactly what data it needs, reducing the amount of data transferred over the network and improving the overall performance of the application. -Securing GraphQL APIs with F5 WAF for NGINX involves using WAF to monitor and protect against security threats and attacks. +Securing GraphQL APIs with F5 WAF for NGINX involves using WAF to monitor and protect against security threats and attacks. GraphQL, like REST, is usually [served over HTTP](http://graphql.org/learn/serving-over-http/), using GET and POST requests and a proprietary [query language](https://graphql.org/learn/schema/#the-query-and-mutation-types). It is vulnerable to common web API security vulnerabilities, such as injection attacks, Denial of Service (DoS) attacks and abuse of flawed authorization. @@ -130,7 +124,7 @@ Under the "_blocking-settings_", you can selectively enable or disable these vio Any changes to these violation settings will override the default settings, and the violation details will be recorded in the security log. -Since the GraphQL violations are enabled by default, you can change the GraphQL violations settings i.e. alarm: `true` and block: `false` under the "blocking settings". +Since the GraphQL violations are enabled by default, you can change the GraphQL violations settings i.e. alarm: `true` and block: `false` under the "blocking settings". With this configuration the GraphQL profile detects violations but does not block the request. They may still contribute to the Violation Rating, which, if raised above 3, will automatically block the request. @@ -176,7 +170,7 @@ To block violating requests, set the alarm and block to `true`. The GraphQL profile defines the GraphQL properties that are enforced by the security policy. -The profile can be added by the security engineers to make sure that GraphQL applications are bound to the same security settings defined in the profile. +The profile can be added by the security engineers to make sure that GraphQL applications are bound to the same security settings defined in the profile. Different GraphQL applications can have different profiles based on their security needs. @@ -186,7 +180,7 @@ GraphQL profiles include: - **Defense attributes**: Special restrictions applied to the GraphQL traffic. - **responseEnforcement**: Whether to block Disallowed patterns and the list of patterns for the `disallowedPatterns` property. -In the following GraphQL profile example, the "_defenseAttributes_" have been given custom values. +In the following GraphQL profile example, the "_defenseAttributes_" have been given custom values. You can also add a list of disallowed patterns to the "_disallowedPatterns_" field, also visible in the example: @@ -216,9 +210,9 @@ You can also add a list of disallowed patterns to the "_disallowedPatterns_" fie ### URL settings -The second part of configuring GraphQL protection is to define the URL settings. +The second part of configuring GraphQL protection is to define the URL settings. -Set the values for "isAllowed": **true**, "name": **/graphql** in the URLs section. +Set the values for "isAllowed": **true**, "name": **/graphql** in the URLs section. This means URLs with **/graphql** name are permitted, and will be used for all GraphQL API requests. @@ -260,9 +254,9 @@ There are no restrictions on the number of GraphQL profiles that can be added by ### Associate GraphQL profiles with URLs -In order for a GraphQL profile to become effective, it has to be associated with a URL that represents the service. +In order for a GraphQL profile to become effective, it has to be associated with a URL that represents the service. -Add the GraphQL profile name which you defined previously under the GraphQL profiles in the name field. +Add the GraphQL profile name which you defined previously under the GraphQL profiles in the name field. This example has two GraphQL profiles with the "name": "Default" and "My Custom Profile" under the urlContentProfiles. @@ -365,9 +359,9 @@ This example has two GraphQL profiles with the "name": "Default" and "My Custom ### Response pages -A GraphQL error response page is returned when a request is blocked. +A GraphQL error response page is returned when a request is blocked. -This GraphQL response page can be customized, but the GraphQL JSON syntax must be preserved for them to be displayed correctly. +This GraphQL response page can be customized, but the GraphQL JSON syntax must be preserved for them to be displayed correctly. The default page returns the GraphQL status code Blocking Response Page (BRP) and a short JSON error message which includes the support ID. diff --git a/content/waf/policies/grpc-protection.md b/content/waf/policies/grpc-protection.md index 53db568b43..6d7a3b1f9e 100644 --- a/content/waf/policies/grpc-protection.md +++ b/content/waf/policies/grpc-protection.md @@ -1,24 +1,20 @@ --- -# We use sentence case and present imperative tone title: "gRPC protection" -# Weights are assigned in increments of 100: determines sorting order weight: 1200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference nd-product: F5WAFN --- This topic describes the gRPC protection feature for F5 WAF for NGINX. -gRPC is a remote API standard and is an alternative to OpenAPI. +gRPC is a remote API standard and is an alternative to OpenAPI. F5 WAF for NGINX can protect applications exposing gRCP APIs by parsing their messages, ensuring sure they are compliant with the API specification and and enforcing security restrictions. These security restrictions include size limits, detecting attack signatures, threat campaigns, and suspicious metacharacters in message string field values. -Only protocol buffer version 3 is supported. Any obsolete features of version 2, such as message extensions in the IDL files, will be rejected. +Only protocol buffer version 3 is supported. Any obsolete features of version 2, such as message extensions in the IDL files, will be rejected. IDL files that have the syntax = "proto2"; statement are also rejected. @@ -26,7 +22,7 @@ IDL files that have the syntax = "proto2"; statement are also rejected. ### Content profiles -gRPC content profiles contain all the definitions for protecting a gRPC service, and are similar to [JSON and XML profiles]({{< ref "/waf/policies/xml-json-content.md##xml-and-json-content-profiles" >}}). +gRPC content profiles contain all the definitions for protecting a gRPC service, and are similar to [JSON and XML profiles]({{< ref "/waf/policies/xml-json-content.md##xml-and-json-content-profiles" >}}). They include: @@ -115,7 +111,7 @@ Both files need to be referenced in the gRPC content profile: } ``` -The profile in this example enables checking of attack signatures and disallowed metacharacters in the string-typed fields within the service messages, with two signatures disabled. +The profile in this example enables checking of attack signatures and disallowed metacharacters in the string-typed fields within the service messages, with two signatures disabled. The profile also limits the size of the messages to 100KB and disallows fields that are not defined in the IDL files. @@ -123,9 +119,9 @@ The main IDL file, `album.proto`, is marked as `primary`. The file it imports, ` In order for F5 WAF for NGINX to match it to the import statement, the file location should be specified using the `importUrl` property such as in the example. -There is an alternative way to specify to all IDL files (Including their direct and indirect imports) by bundling them into a single tar file with the same directory structure expected by the import statements. +There is an alternative way to specify to all IDL files (Including their direct and indirect imports) by bundling them into a single tar file with the same directory structure expected by the import statements. -With this method, you will have to specify which of the files in the tarball is the primary one. The supported formats are `tar` and `tgz`. +With this method, you will have to specify which of the files in the tarball is the primary one. The supported formats are `tar` and `tgz`. F5 WAF for NGINX will identify the file type automatically and handle it accordingly: @@ -138,7 +134,7 @@ F5 WAF for NGINX will identify the file type automatically and handle it accordi }] ``` -Note the deletion of the `*` URL in the previous example. This is required to accept only requests to the gRPC services exposed by your applications. +Note the deletion of the `*` URL in the previous example. This is required to accept only requests to the gRPC services exposed by your applications. If you leave the wildcard URL, F5 WAF for NGINX will accept other traffic including gRPC requests, applying policy checks such as signature detection. @@ -146,7 +142,7 @@ However, it will not apply to any gRPC-specific protection to them. ### Associate profiles with URLs -In order for a gRPC content profile to be effective, it has to be associated with a URL that represents the service. +In order for a gRPC content profile to be effective, it has to be associated with a URL that represents the service. In the previous example, the profile was not associated with any URL and remained functional due to `associateUrls` being set to `true`. @@ -210,15 +206,15 @@ In the following example, the URL is `/myorg.services.photo_album/*`. As a wildc } ``` -You can override the properties of the URL with the gRPC content profile even if you use `associateUrls` to `true`. +You can override the properties of the URL with the gRPC content profile even if you use `associateUrls` to `true`. For example, you can turn off meta character checks by adding `"metacharsOnUrlCheck": false` within the respective URL entry. ### Response pages -A gRPC error response page is returned when a request is blocked. +A gRPC error response page is returned when a request is blocked. -The default page returns gRPC status code `UNKNOWN` (numeric value of 2) and a short text message that includes the support ID. +The default page returns gRPC status code `UNKNOWN` (numeric value of 2) and a short text message that includes the support ID. You can customize both two by adding a custom gRPC response page in your policy. @@ -241,13 +237,13 @@ The `grpcStatusCode` expects one of the [standard gRPC status code values](https ### Detect Base64 in string values -F5 WAF for NGINX to can detect if values in string fields in gRPC payload are Base64 encoded. +F5 WAF for NGINX to can detect if values in string fields in gRPC payload are Base64 encoded. When a value is detected as Base64 encoded F5 WAF for NGINX will enforce the configured signatures on the decoded value **and** the original value. This feature is disabled by default and can be enabled by setting `decodeStringValuesAsBase64` to `enabled`. -gRPC protocol buffers are intended to carry binary fields of "bytes" type and trying to decode strings as Base64 may lead to false positives. +gRPC protocol buffers are intended to carry binary fields of "bytes" type and trying to decode strings as Base64 may lead to false positives. Using Base64-encoded strings for binary data is not considered good practice, but Base64 detection can be enabled for applications that do so. @@ -284,9 +280,9 @@ Using Base64-encoded strings for binary data is not considered good practice, bu ### Server reflection -[gRPC server reflection](https://grpc.github.io/grpc/core/md_doc_server_reflection_tutorial.html) provides information about publicly-accessible gRPC services on a server, and assists clients at runtime to construct RPC requests and responses without precompiled service information. +[gRPC server reflection](https://grpc.github.io/grpc/core/md_doc_server_reflection_tutorial.html) provides information about publicly-accessible gRPC services on a server, and assists clients at runtime to construct RPC requests and responses without precompiled service information. -gRPC server reflection is not currently supported by F5 WAF for NGINX. +gRPC server reflection is not currently supported by F5 WAF for NGINX. If server reflection support is required, F5 WAF for NGINX must be disabled on the reflection URIs by adding a location block: @@ -301,7 +297,7 @@ server { ## Bidirectional streaming -gRPC can have a stream of messages on each side: client, server, or both. +gRPC can have a stream of messages on each side: client, server, or both. Bidirectional streaming leverages HTTP/2 streaming capability, namely the ability to send multiple gRPC messages from either side ended by the message having the `END_STREAM` flag set to 1. @@ -330,7 +326,7 @@ rpc LotsOfGreetings(stream HelloRequest) returns (HelloResponse); #### Server stream -The client sends a request to the server and gets a stream to read a sequence of messages back. +The client sends a request to the server and gets a stream to read a sequence of messages back. The client reads from the returned stream until there are no more messages. gRPC guarantees message ordering within an individual RPC call. @@ -340,9 +336,9 @@ rpc LotsOfReplies(HelloRequest) returns (stream HelloResponse); #### Bidirectional streams -Both sides send a sequence of messages using a read-write stream. +Both sides send a sequence of messages using a read-write stream. -The two streams operate independently, so clients and servers can read and write in whatever order they like: for example, the server could wait to receive all the client messages before writing its responses, or it could alternately read a message and then write a message, or some other combination of reads and writes. +The two streams operate independently, so clients and servers can read and write in whatever order they like: for example, the server could wait to receive all the client messages before writing its responses, or it could alternately read a message and then write a message, or some other combination of reads and writes. The order of messages in each stream is preserved. @@ -369,7 +365,7 @@ message HelloReply { ### Enable gRPC protection for bidirectional streaming -To enable gRPC protection, an HTTP/2 server definition needs to be applied with the `grpc_pass` location in the `nginx.conf` file. In addition, the `app_protect_policy_file` directive points to a policy specific to gRPC. +To enable gRPC protection, an HTTP/2 server definition needs to be applied with the `grpc_pass` location in the `nginx.conf` file. In addition, the `app_protect_policy_file` directive points to a policy specific to gRPC. All gRPC messages will be in the security logs under the `log_grpc_all.json` file: for more details, refer to the [gRPC logging](#grpc-logging) section. @@ -436,13 +432,13 @@ When receiving a client event: gRPC server messages are not processed. All gRPC messages (unary or streaming) including the headers and trailer messages, are sent directly to the client (without sending them to the Enforcer). -With bidirectional streaming, the blocking response comes as the trailers message is sent to the client on behalf of the server. +With bidirectional streaming, the blocking response comes as the trailers message is sent to the client on behalf of the server. At the same time, the server gets the END_STREAM frame to ensure streams on both sides are closed. #### Size limits -The maximum total request size is applied to each message on its own, rather than to the total stream messages. +The maximum total request size is applied to each message on its own, rather than to the total stream messages. By default, the maximum gRPC message size is 4MB. You can configure different sizes in the declarative policy, like the 100KB in the [content profiles example](#content-profiles). @@ -452,13 +448,13 @@ There is no limit to the number of messages in a stream. #### Message compression -Message compression is not currently supported. +Message compression is not currently supported. It will trigger the violation _VIOL_GRPC_MALFORMED_ and the connection will be blocked if a compressed message is sent. #### Slow POST attacks -A Slow POST attack or Slow HTTP POST attack is a type of denial of service attack. +A Slow POST attack or Slow HTTP POST attack is a type of denial of service attack. The attacker sends a legitimate HTTP POST request with the header Content-Length specified. The attacker then proceeds to send this content slowly. The server establishes a connection to the client and keeps it open to receive the request that it thinks is legitimate. @@ -466,7 +462,7 @@ The attacker sends several such requests and effectively occupies the server’s To mitigate this, a client sending messages very slowly for a long time may be cut off by resetting the connection. -In gRPC, a connection is considered “slow” if a message takes more than 10 seconds to process. The slow connection timer will be reset when a message ends and not when the whole request ends. +In gRPC, a connection is considered “slow” if a message takes more than 10 seconds to process. The slow connection timer will be reset when a message ends and not when the whole request ends. This way, a limit is applied on the number of concurrent messages rather than the number of concurrent gRPC connections (streams), as many of them may be idle. @@ -482,7 +478,7 @@ There are three violations specific to gRPC, which are all enabled in the defaul The violation `VIOL_METHOD` (not to be confused with the above `VIOL_GRPC_METHOD`) is not unique to gRPC, but in the context of a gRPC content profile, it is issued in special circumstances. -Since gRPC mandates the `POST` method on any gRPC request over HTTP, any other HTTP method on a request to URL with gRPC content profile will trigger this violation, even if the respective HTTP method is allowed in the policy. +Since gRPC mandates the `POST` method on any gRPC request over HTTP, any other HTTP method on a request to URL with gRPC content profile will trigger this violation, even if the respective HTTP method is allowed in the policy. In an earlier example, the request `GET /myorg.services.photo_album/get_photos` will trigger `VIOL_METHOD` even though `GET` is among the allowed HTTP methods in the policy (by the base template). @@ -490,13 +486,13 @@ In an earlier example, the request `GET /myorg.services.photo_album/get_photos` Security logs for gRPC requests have three unique fields: `uri`, `grpc_method`, and `grpc_service`. -Since the content of gRPC requests is binary (protocol buffers), they are transferred with Base64 encoding. As a result, it is recommended to use the `headers` and `request_body_base64` fields instead of the `request` field. +Since the content of gRPC requests is binary (protocol buffers), they are transferred with Base64 encoding. As a result, it is recommended to use the `headers` and `request_body_base64` fields instead of the `request` field. A new predefined log format called `grpc` should be used in all gRPC locations that also use policies with gRPC content profiles. View the [available security log attributes]({{< ref "/waf/logging/security-logs.md#available-security-log-attributes" >}}) topic for more information. -F5 WAF for NGINX provides three security log bundles for gRPC using the new format: `log_grpc_all`, `log_grpc_illegal` and `log_grpc_blocked` for all requests, illegal requests, and blocked requests respectively. +F5 WAF for NGINX provides three security log bundles for gRPC using the new format: `log_grpc_all`, `log_grpc_illegal` and `log_grpc_blocked` for all requests, illegal requests, and blocked requests respectively. Unless you have special requirements, the best practice is to use one of these bundles in all gRPC locations with the `app_protect_security_log` directive. diff --git a/content/waf/policies/http-compliance.md b/content/waf/policies/http-compliance.md index 2e970daa5f..e92e9e2778 100644 --- a/content/waf/policies/http-compliance.md +++ b/content/waf/policies/http-compliance.md @@ -1,24 +1,18 @@ --- -# We use sentence case and present imperative tone title: "HTTP compliance" -# Weights are assigned in increments of 100: determines sorting order weight: 1300 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This topic describes the HTTP compliance feature for F5 WAF for NGINX. It validates a HTTP request and also prevents the use of the HTTP protocol as an entry point to an application. -In the following example, the HTTP compliance violation is enabled with the blocking enforcement mode. +In the following example, the HTTP compliance violation is enabled with the blocking enforcement mode. -It also configures all sub-violations in their relevant sections, which you can add or remove to create your desired configurations. +It also configures all sub-violations in their relevant sections, which you can add or remove to create your desired configurations. When you do not customize a sub-violation, it retains its default settings. diff --git a/content/waf/policies/ip-address-lists.md b/content/waf/policies/ip-address-lists.md index 94f372edc4..5288725b55 100644 --- a/content/waf/policies/ip-address-lists.md +++ b/content/waf/policies/ip-address-lists.md @@ -3,7 +3,7 @@ title: IP address lists weight: 1500 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- diff --git a/content/waf/policies/ip-intelligence.md b/content/waf/policies/ip-intelligence.md index 566f37711a..dddb483b48 100644 --- a/content/waf/policies/ip-intelligence.md +++ b/content/waf/policies/ip-intelligence.md @@ -1,16 +1,12 @@ --- -# We use sentence case and present imperative tone title: "IP intelligence" -# Weights are assigned in increments of 100: determines sorting order weight: 1600 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference nd-product: F5WAFN --- -F5 WAF for NGINX has an IP intelligence feature which allows you to customize enforcement based on the source IP address of a request. This allows you to limit access from specific IP addresses. +F5 WAF for NGINX has an IP intelligence feature which allows you to customize enforcement based on the source IP address of a request. This allows you to limit access from specific IP addresses. It is _**disabled** by default_, requiring extra steps to enable and configure. @@ -27,7 +23,7 @@ To complete this guide, you will need the following prerequisites: A proxy server can be configured in the file `/etc/app_protect/tools/iprepd.cfg`: ```shell -EnableProxy=True +EnableProxy=True= ProxyHost=5.1.2.4 ProxyPort=8080 ProxyUsername=admin # Optional @@ -100,7 +96,7 @@ sudo chown -R 101:101 /var/IpRep Modify the _original docker-compose.yml_ file to include the IP intelligence container, replacing image tags as appropriate: -``` +```yaml services: waf-enforcer: container_name: waf-enforcer @@ -337,7 +333,7 @@ The following policy shows examples of both, with all IP intelligence categories This policy will block all IP addresses that are part of any threat category (`"block": true`) and add a log entry (`"alarm": true`) for the transaction. -The IP address database is managed by an external provider and is constantly updated (every 1 minute by default). +The IP address database is managed by an external provider and is constantly updated (every 1 minute by default). The database categorizes IP addresses into one or more threat categories. These are the same categories that can be configured individually in the IP intelligence section: diff --git a/content/waf/policies/jwt-protection.md b/content/waf/policies/jwt-protection.md index 35b0b043f2..b2dab6a135 100644 --- a/content/waf/policies/jwt-protection.md +++ b/content/waf/policies/jwt-protection.md @@ -3,7 +3,7 @@ title: JWT protection weight: 1700 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- JSON Web Tokens (JWTs) are a compact and self-contained way to represent information between two parties in JSON format, commonly used for authentication and authorization. diff --git a/content/waf/policies/override-rules.md b/content/waf/policies/override-rules.md index db0f18e049..d61ee1ff23 100644 --- a/content/waf/policies/override-rules.md +++ b/content/waf/policies/override-rules.md @@ -3,7 +3,7 @@ title: Override rules weight: 1800 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- @@ -11,7 +11,7 @@ This topic describes override rules feature of F5 WAF for NGINX. Override rules allow you to replace **default policy** settings. These override rules can be included as part of a declarative policy so that all incoming requests are verified against those rules. -Each override rule consists of a condition followed by changes to the original policy which will apply to requests that meet the condition. +Each override rule consists of a condition followed by changes to the original policy which will apply to requests that meet the condition. You can apply this feature to apply unique policy settings to incoming requests with one or more rules based on multiple parameters: @@ -116,7 +116,7 @@ The _override_rules_example_ example policy contains five override rules: 1. The **"login_page"** rule is triggered by POST requests to URIs containing "/login/". Since the "actionType" field is set to "replace-policy", it overrides the policy with a new one named "login_page_block_redirect". This new policy is independent of the "override_rules_example" policy. It enables all signature sets and redirects the user to a rejection page. This is another example of an **Inline Policy Reference** with a different condition. 1. The **"api-strict"** rule is applied for requests with "api4" in the URI, except for client IP addresses matching the "fd00:1::/48" range and user agents starting with "Mozilla". It references an external policy file named "NginxStrictPolicy.json" located at "/etc/app_protect/conf/" to override the current policy. The "actionType" field is set to "replace-policy" and the external policy can be specified using a reference to its file using **$ref**. The file is the JSON policy source of that policy. This type of policy switching is known as **External Policy Reference**. 1. The **"strict-post"** rule is triggered when POST requests include a session token in the cookies that is not equal to "c2Vzc2lvblRva2Vu" or when the "gzip" value is found in the content-encoding headers. This rule follows a similar approach to referencing an external policy file, just like the **api-strict** rule mentioned above. -1. The **"usa-only"** rule is triggered when a request coming from a country other than the USA. The actionType is set to "violation", meaning that `VIOL_RULE` violation is triggered for such a request. This violation will block and mark the request as illegal with regard to the "block" and "alarm" attributes. There is no change in policy for this rule. +1. The **"usa-only"** rule is triggered when a request coming from a country other than the USA. The actionType is set to "violation", meaning that `VIOL_RULE` violation is triggered for such a request. This violation will block and mark the request as illegal with regard to the "block" and "alarm" attributes. There is no change in policy for this rule. These five rules demonstrate how the override rules feature allows for customization and the ability to modify specific aspects of the original policy based on predefined conditions. @@ -124,7 +124,7 @@ For more details about the **Geolocation** feature, view the [Geolocation]({{< r {{< call-out "note" >}} -By default, the actionType field is configured to "extend-policy". +By default, the actionType field is configured to "extend-policy". External references are supported for any policy reference. @@ -132,11 +132,11 @@ External references are supported for any policy reference. ### First match principle -Policy enforcement operates on the **first match** principle. This principle is applied when multiple conditions match or are similar, indicating that any incoming requests that match the first condition will be processed. +Policy enforcement operates on the **first match** principle. This principle is applied when multiple conditions match or are similar, indicating that any incoming requests that match the first condition will be processed. -In the following example, the _override_rules_example2_ policy uses two override rules: `this_rule_will_match` and `non_matching_rule`. +In the following example, the _override_rules_example2_ policy uses two override rules: `this_rule_will_match` and `non_matching_rule`. -Since both conditions match, the first match principle will be applied, and requests with "_api_" in the URI will be processed. +Since both conditions match, the first match principle will be applied, and requests with "_api_" in the URI will be processed. It will reference the external policy file named _NginxStrictPolicy.json_ to override the current policy. @@ -173,7 +173,7 @@ It will reference the external policy file named _NginxStrictPolicy.json_ to ove ### Logging & reporting override rules -If a request matches an override rule, the `json_log` field will include a new block named 'overrideRule'. However, if no rules match the request, the log will not contain any related information. +If a request matches an override rule, the `json_log` field will include a new block named 'overrideRule'. However, if no rules match the request, the log will not contain any related information. When the 'actionType' flag is set to _replace-policy_, the _originalPolicyName_ field in the log will reflect the name of the original policy name (Which contains override rules), and the `policy_name` field will reflect the policy that was enforced. @@ -228,9 +228,9 @@ If the matching override rule is called _usa-only_: #### Missing policy name -Every policy must have a name if the actionType is `extend-policy` or `replace-policy`. +Every policy must have a name if the actionType is `extend-policy` or `replace-policy`. -If the policy `name` is not provided in the override section, an error message will be displayed indicating the missing policy 'name' within that specific override rule. +If the policy `name` is not provided in the override section, an error message will be displayed indicating the missing policy 'name' within that specific override rule. For instance, in the override rule below, the policy name is not specified. diff --git a/content/waf/policies/parameter-reference.md b/content/waf/policies/parameter-reference.md index 9e2ee88d72..f743ca1d98 100644 --- a/content/waf/policies/parameter-reference.md +++ b/content/waf/policies/parameter-reference.md @@ -2,6 +2,8 @@ title: Policy parameter reference toc: true weight: 300 +nd-content-type: reference +nd-product: F5WAFN --- {{< include "waf/policy.html" >}} diff --git a/content/waf/policies/response-signatures.md b/content/waf/policies/response-signatures.md index f7c48e5bd9..5af97ea7b5 100644 --- a/content/waf/policies/response-signatures.md +++ b/content/waf/policies/response-signatures.md @@ -3,7 +3,7 @@ title: Response signatures weight: 1850 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- @@ -19,7 +19,7 @@ F5 WAF for NGINX can be configured to selectively allow response codes while blo The `allowedResponseCodes` attribute is used to define which response codes are allowed as part of a comma-sepated list in the `general` block. -The following example enables the response status codes violation in blocking mode. +The following example enables the response status codes violation in blocking mode. ```json { @@ -59,7 +59,7 @@ Restrictions on known signatures will be enforced by policies independently of r To enable this, set the `responseCheck` parameter to `true`. Add the `responseCheckLength` attribute to set an alternative length to the default value. -The response length checked refers to the number of uncompressed bytes in the response body. +The response length checked refers to the number of uncompressed bytes in the response body. Usually F5 WAF for NGINX will buffer only that part of the response saving memory and CPU, but in some conditions the whole response may have to be buffered, such as when the response body is compressed. diff --git a/content/waf/policies/server-technology-signatures.md b/content/waf/policies/server-technology-signatures.md index 3fde360085..360760da7b 100644 --- a/content/waf/policies/server-technology-signatures.md +++ b/content/waf/policies/server-technology-signatures.md @@ -3,7 +3,7 @@ title: Server technology signatures weight: 1900 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- diff --git a/content/waf/policies/threat-campaigns.md b/content/waf/policies/threat-campaigns.md index f09d14e59d..6c270035e0 100644 --- a/content/waf/policies/threat-campaigns.md +++ b/content/waf/policies/threat-campaigns.md @@ -3,7 +3,7 @@ title: "Threat campaigns" weight: 2000 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- diff --git a/content/waf/policies/time-based-signature-staging.md b/content/waf/policies/time-based-signature-staging.md index cfd0fb3571..e6bee2884e 100644 --- a/content/waf/policies/time-based-signature-staging.md +++ b/content/waf/policies/time-based-signature-staging.md @@ -3,7 +3,7 @@ title: Time-based signature staging weight: 1950 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN nd-docs: DOCS-000 --- diff --git a/content/waf/policies/user-browers.md b/content/waf/policies/user-browers.md index 1a9a7ef1c8..74edd27e32 100644 --- a/content/waf/policies/user-browers.md +++ b/content/waf/policies/user-browers.md @@ -1,13 +1,8 @@ --- -# We use sentence case and present imperative tone title: "User-defined browser control" -# Weights are assigned in increments of 100: determines sorting order weight: 2050 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: nd-product: F5WAFN --- @@ -22,7 +17,7 @@ There are two primary uses for this feature: ## Configure user-defined browsers -User-defined browsers can be configured in the `browser-definitions` section of a policy. +User-defined browsers can be configured in the `browser-definitions` section of a policy. These are the properties that can be configured for each user-defined browser: diff --git a/content/waf/policies/user-headers.md b/content/waf/policies/user-headers.md index 2725b11560..68c2203910 100644 --- a/content/waf/policies/user-headers.md +++ b/content/waf/policies/user-headers.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "User-defined HTTP headers" -# Weights are assigned in increments of 100: determines sorting order weight: 2100 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- HTTP header enforcement occurs in the headers section as part of a HTTP request: the header elements are parsed to check criteria used for enforcement. diff --git a/content/waf/policies/user-urls-parameters.md b/content/waf/policies/user-urls-parameters.md index ab498b5973..42026c0ce1 100644 --- a/content/waf/policies/user-urls-parameters.md +++ b/content/waf/policies/user-urls-parameters.md @@ -1,11 +1,7 @@ --- -# We use sentence case and present imperative tone title: "User-defined URLs and parameters" -# Weights are assigned in increments of 100: determines sorting order weight: 2150 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference nd-product: F5WAFN --- @@ -73,9 +69,9 @@ This example configures allowed meta-characters for a user-defined URL: } ``` -This next example disables the detection of a specific signature (`200010093`) and enables another (`200010008`) for the user-defined URL `/Common/user_defined_URL`. +This next example disables the detection of a specific signature (`200010093`) and enables another (`200010008`) for the user-defined URL `/Common/user_defined_URL`. -These signature settings take effect only in requests to that URL. +These signature settings take effect only in requests to that URL. For other requests, the signature behavior is determined by the signature sets these signatures belong to. View [signature sets]({{< ref "/waf/policies/attack-signatures.md#signature-sets" >}}) for more details. @@ -276,7 +272,7 @@ This final example shows how to configure json/xml/form-data content types for a User-defined parameters allow you to give specific attributes to specific parameters. -This feature gives you full control over what the parameter should include and where it should be located, allowing for granularity to configure every parameter. +This feature gives you full control over what the parameter should include and where it should be located, allowing for granularity to configure every parameter. With user-defined parameters you can:: @@ -289,7 +285,7 @@ With user-defined parameters you can:: - Define whether to inspect a parameter for violations, attack signatures, or meta-characters - Decide whether to exclude certain violations, attack signatures, or meta-characters for a parameter -The following example has two user-defined parameters. +The following example has two user-defined parameters. The first one, `text`, takes string values (here configured as alpha-numeric), and limits the length of the allowed string between 4 and 8 characters. Any string below or above these values will trigger the violation `VIOL_PARAMETER_VALUE_LENGTH`. Note that we enable this violation to *block* the violating request. @@ -346,11 +342,11 @@ This allows you to create exceptions on known false positives _only_ within the } ``` -This next example uses a numeric parameter which accepts only integer values and allows values between 9 and 99 (non-inclusive). +This next example uses a numeric parameter which accepts only integer values and allows values between 9 and 99 (non-inclusive). -If the request includes anything other than an integer, it will trigger the `VIOL_PARAMETER_DATA_TYPE` violation. +If the request includes anything other than an integer, it will trigger the `VIOL_PARAMETER_DATA_TYPE` violation. -If the parameter value falls beyond or below the desired values, it will trigger the `VIOL_PARAMETER_NUMERIC_VALUE` violation. +If the parameter value falls beyond or below the desired values, it will trigger the `VIOL_PARAMETER_NUMERIC_VALUE` violation. If you change the values of `exclusiveMin` and `exclusiveMax` to false, values equal to the boundary values will be accepted (namely 9 and 99). @@ -408,11 +404,11 @@ If you change the values of `exclusiveMin` and `exclusiveMax` to false, values e } ``` -For increased granularity, you can configure whether the parameter value is also a multiple of a specific number. +For increased granularity, you can configure whether the parameter value is also a multiple of a specific number. -This is useful when you wish to limit the input to specific values. +This is useful when you wish to limit the input to specific values. -The following example configures a parameter that accepts values in the range of 0 to 10 and are only multiples of 3. +The following example configures a parameter that accepts values in the range of 0 to 10 and are only multiples of 3. This means that the accepted values are 3, 6 and 9. Any other value will trigger the `VIOL_PARAMETER_NUMERIC_VALUE` violation. @@ -470,7 +466,7 @@ This means that the accepted values are 3, 6 and 9. Any other value will trigger } ``` -Another useful example is limiting the parameter to a single context, such as in a header or a query string. +Another useful example is limiting the parameter to a single context, such as in a header or a query string. If the same variable appears in a different location, it will trigger the `VIOL_PARAMETER_LOCATION` violation. diff --git a/content/waf/policies/violations.md b/content/waf/policies/violations.md index bb160c62ee..e35e08ad7e 100644 --- a/content/waf/policies/violations.md +++ b/content/waf/policies/violations.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Violations" -# Weights are assigned in increments of 100: determines sorting order weight: 250 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- This page describes the violations in F5 WAF for NGINX and how they are rated. @@ -18,9 +12,9 @@ Violations are rated by the F5 WAF for NGINX algorithms to help distinguish betw A violation rating is a numerical rating that our algorithms give to requests based on the presence of violation(s). Each violation type and severity contributes to the calculation of the final rating. -The final rating then defines the action taken for the specific request. +The final rating then defines the action taken for the specific request. -Based on the default policy, any violation rating of 1, 2 and 3 will not cause the request to be blocked and only a log will be generated with **alerted** status. +Based on the default policy, any violation rating of 1, 2 and 3 will not cause the request to be blocked and only a log will be generated with **alerted** status. If the violation rating is 4 or 5, the request is blocked: a blocking page is displayed and a log generated for the transaction with **blocked** status. Violation ratings are displayed in the logs by default. @@ -101,7 +95,7 @@ Violations can be enabled by turning on the **alarm** and/or **block** flags. ## HTTP compliance sub-violations -The following table specifies the HTTP compliance sub-violation settings: not all are enabled in the default F5 WAF for NGINX security template. +The following table specifies the HTTP compliance sub-violation settings: not all are enabled in the default F5 WAF for NGINX security template. Some of the checks are enforced by NGINX Plus: F5 WAF for NGINX only gets a notification. In this case, the request is **always** blocked regardless of the F5 WAF for NGINX policy. diff --git a/content/waf/policies/xff-headers.md b/content/waf/policies/xff-headers.md index 79b8fc840b..d6942d23f2 100644 --- a/content/waf/policies/xff-headers.md +++ b/content/waf/policies/xff-headers.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "XFF trusted headers" -# Weights are assigned in increments of 100: determines sorting order weight: 2200 -# Creates a table of contents and sidebar, useful for large documents toc: true -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: reference -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- XFF trusted headers are disabled by default. diff --git a/content/waf/policies/xml-json-content.md b/content/waf/policies/xml-json-content.md index 2aedb47280..d771529695 100644 --- a/content/waf/policies/xml-json-content.md +++ b/content/waf/policies/xml-json-content.md @@ -3,7 +3,7 @@ title: "XML and JSON content" weight: 2300 toc: true nd-content-type: reference -nd-product: NAP-WAF +nd-product: F5WAFN --- This guide explains how to configure XML and JSON content profiles in an F5 WAF for NGINX policy. The examples below use JSON for illustration, but the same concepts apply to XML profiles unless noted otherwise. diff --git a/content/waf/support.md b/content/waf/support.md index a2e7d654a2..0e660531a8 100644 --- a/content/waf/support.md +++ b/content/waf/support.md @@ -1,15 +1,9 @@ --- -# We use sentence case and present imperative tone title: "Support" -# Weights are assigned in increments of 100: determines sorting order weight: 700 -# Creates a table of contents and sidebar, useful for large documents toc: false -# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this nd-content-type: how-to -# Intended for internal catalogue and search, case sensitive: -# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit -nd-product: NAP-WAF +nd-product: F5WAFN --- F5 WAF for NGINX adheres to the support policy detailed in the following MyF5 knowledge base article: [K000140156](https://my.f5.com/manage/s/article/K000140156).