Nap usecase stage1 (#817)

* feat: Integration steps: NAP-WAF into NGINX One Console

- Basic transparant v. blocking policies
- Strict policy
- Adjustments
- API info
- Changelog

Co-authored-by: yar <[email protected]>

Apply suggestions from code review

Co-authored-by: Daniel Edgar <[email protected]>

Apply suggestions from code review

* Update changelog release date

Author: mjang

content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md

@@ -1,5 +1,8 @@
 ---
 nd-docs: "DOCS-1605"
+files:
+  - content/nap-waf/v5/configuration-guide/configuration.md
+  - content/nginx-one/glossary.md
 ---
 
 This guide assumes that you have some familiarity with various Layer 7 (L7) Hypertext Transfer Protocol (HTTP) concepts, such as Uniform Resource Identifier (URI)/Uniform Resource Locator (URL), method, header, cookie, status code, request, response, and parameters.
@@ -26,4 +29,4 @@ This guide assumes that you have some familiarity with various Layer 7 (L7) Hype
 |Tuning | Making manual changes to an existing security policy to reduce false positives and increase the policy’s security level. |
 |URI/URL | The Uniform Resource Identifier (URI) specifies the name of a web object in a request. A Uniform Resource Locator (URL) specifies the location of an object on the Internet. For example, in the web address, `http://www.siterequest.com/index.html`, index.html is the URI, and the URL is `http://www.siterequest.com/index.html`. In NGINX App Protect WAF, the terms URI and URL are used interchangeably. |
 |Violation | Violations occur when some aspect of a request or response does not comply with the security policy. You can configure the blocking settings for any violation in a security policy. When a violation occurs, the system can Alarm or Block a request (blocking is only available when the enforcement mode is set to Blocking). |
-{{</bootstrap-table>}}
+{{</bootstrap-table>}}

content/nginx-one/_index.md

@@ -19,6 +19,7 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
 [//]: # "You can add a maximum of three cards: any extra will not display."
 [//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid."
 [//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature."
+
 {{<card-layout>}}
   {{<card-section showAsCards="true" isFeaturedSection="true">}}
     {{<card title="Get started" titleUrl="/nginx-one/getting-started/" isFeatured="true" icon="unplug">}}
@@ -36,6 +37,9 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
     {{<card title="Manage your NGINX instances" titleUrl="/nginx-one/nginx-configs/" >}}
       Manage one instance or groups of instances. Monitor certificates. Set up metrics.
     {{</card>}}
+    {{<card title="Secure with NGINX App Protect" titleUrl="/nginx-one/nap-integration/" >}}
+      Manage one instance or groups of instances. Monitor certificates. Set up metrics.
+    {{</card>}}
     {{<card title="Organize users with RBAC" titleUrl="/nginx-one/rbac/" >}}
       Assign responsibilities with role-based access control 
     {{</card>}}
@@ -58,10 +62,23 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
   {{</card-section>}}
 {{</card-layout>}}
 
+### More information
+
+{{<card-layout>}}
+  {{<card-section showAsCards="true" >}}
+    {{<card title="Glossary" titleUrl="/nginx-one/glossary/" >}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+    {{<card title="Changelog" titleUrl="/nginx-one/changelog/" icon="clock-alert">}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+  {{</card-section>}}
+{{</card-layout>}}
+
 ## NGINX One components
 [//]: # "You can add any extra content for the page here, such as additional cards, diagrams or text."
 
-{{< card-layout >}}
+{{<card-layout>}}
   {{< card-section title="Kubernetes Solutions">}}
     {{< card title="NGINX Ingress Controller" titleUrl="/nginx-ingress-controller/" brandIcon="NGINX-Ingress-Controller-product-icon">}}
       Kubernetes traffic management with API gateway, identity, and observability features.

content/nginx-one/changelog.md

@@ -30,6 +30,17 @@ h2 {
 
 Stay up-to-date with what's new and improved in the F5 NGINX One Console.
 
+## July 15, 2025
+
+### Set up F5 NGINX App Protect WAF security policies
+
+You can now incorporate [NGINX App Protect WAF]({{< ref "/nap-waf/" >}}) in NGINX One Console UI. For details, see [Secure with NGINX App Protect]({{< ref "/nginx-one/nap-integration/" >}}).
+
+In NGINX One Console, you can:
+
+- Toggle between [Default policy bundles]({{< ref "/nap-waf/v5/configuration-guide/configuration/#updating-default-policy-bundles" >}})
+- Set a blocking or transparant [Policy enforcement mode]({{< ref "/nap-waf/v5/configuration-guide/configuration/#policy-enforcement-modes" >}})
+
 ## July 1, 2025
 
 ### NGINX Agent version 3 support

content/nginx-one/glossary.md

@@ -10,6 +10,7 @@ type:
 
 This glossary defines terms used in the F5 NGINX One Console and F5 Distributed Cloud.
 
+## General terms
 
 {{<bootstrap-table "table table-striped table-bordered">}}
 | Term        | Definition |
@@ -24,6 +25,10 @@ This glossary defines terms used in the F5 NGINX One Console and F5 Distributed
 | **Tenant** | A tenant in F5 Distributed Cloud is an entity that owns a specific set of configuration and infrastructure. It is fundamental for isolation, meaning a tenant cannot access objects or infrastructure of other tenants. Tenants can be either individual or enterprise, with the latter allowing multiple users with role-based access control (RBAC). |
 {{</bootstrap-table>}}
 
+## NGINX App Protect WAF terminology
+
+{{< include "nap-waf/config/common/nginx-app-protect-waf-terminology.md" >}}
+
 ## Legal notice: Licensing agreements for NGINX products
 
 Using NGINX One is subject to our End User Service Agreement (EUSA). For [NGINX Plus]({{< ref "/nginx" >}}), usage is governed by the End User License Agreement (EULA). Open source projects, including [NGINX Agent](https://github.com/nginx/agent) and [NGINX Open Source](https://github.com/nginx/nginx), are covered under their respective licenses. For more details on these licenses, follow the provided links.

content/nginx-one/nap-integration/_index.md

@@ -0,0 +1,6 @@
+---
+title: Secure with NGINX App Protect
+description:
+weight: 400
+url: /nginx-one/nap-integration
+---

content/nginx-one/nap-integration/configure-policy.md

@@ -0,0 +1,48 @@
+---
+# We use sentence case and present imperative tone
+title: "Add and configure a policy"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+This document describes how you can configure a security policy in the F5 NGINX One Console. When you add a policy, NGINX One Console includes several UI-based options and presets, based on NGINX App Protect WAF.
+
+
+If you already know NGINX App Protect WAF, you can go beyond the options available in the UI. 
+
+## Add a policy
+
+From NGINX One Console, select App Protect > Policies. In the screen that appears, select **Add Policy**. That action opens a screen where you can:
+
+- In General Settings, name and describe the policy.
+  - You can also set one of the following enforcement modes:
+    - Transparent
+    - Blocking
+
+For details, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. You'll see this in the associated configuration file,
+with the `enforcementMode` property.
+
+You can also set a character encoding. The default encoding is `Unicode (utf-8)`. To set a different character encoding, select **Show Advanced Fields** and select the **Application Language** of your choice.
+
+## Configure a policy
+
+With NGINX One Console User Interface, you get a default policy. You can also select **NGINX Strict** for a more rigorous policy:
+
+### Basic Configuration and the Default Policy
+
+{{< include "/nap-waf/concept/basic-config-default-policy.md" >}}
+
+## Save your policy
+
+NGINX One Console includes a Policy JSON section which displays your policy in JSON format. What you configure here is written to your instance of NGINX App Protect WAF. 
+
+With the **Edit** option, you can customize this policy. It opens the JSON file in a local editor. When you select **Save Policy**, it saves the latest version of what you've configured. You'll see your new policy under the name you used.
+
+From NGINX One Console, you can review the policies that you've saved, along with their versions. Select **App Protect** > **Policies**. Select the policy that you want to review or modify.

content/nginx-one/nap-integration/deploy-policy.md

@@ -0,0 +1,28 @@
+---
+# We use sentence case and present imperative tone
+title: "Deploy policy"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 400
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+After you've set up a policy, it won't do anything, until you deploy it to one or more instances and Config Sync Groups.
+
+This page assumes you've created a policy in NGINX One Console that you're ready to deploy.
+
+## Deploy a policy
+
+To deploy a policy from NGINX One Console, take the following steps:
+
+1. Select **App Protect** > **Policies**.
+1. Select the policy that you're ready to deploy.
+1. Select the **Details** tab.
+1. In the **Deploy Policy** window that appears, you can confirm the name of the current policy and the version to deploy. NGINX One Console defaults to the selected policy and latest version.
+1. In the **Target** section, select Instance or Config Sync Group.
+1. In the drop-down menu that appears, select the instance or Config Sync Group available in the current NGINX One Console.

content/nginx-one/nap-integration/overview.md

@@ -0,0 +1,56 @@
+---
+# We use sentence case and present imperative tone
+title: "NGINX App Protect integration overview"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 100
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: concept
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+You can now integrate the features of F5 NGINX App Protect WAF v4 and v5 in F5 NGINX One Console. NGINX App Protect offers advanced Web Application Firewall (WAF) capabilities.
+Through the NGINX One Console UI, you can now set up the [NGINX App Protect WAF]({{< ref "/nap-waf/" >}}) firewall. This solution provides robust security and scalability.
+
+## Features
+
+Once you've connected to the NGINX One Console, select **App Protect > Policies**. You can add new policies or edit existing policies, as defined in the [NGINX App Protect WAF Administration Guide]({{< ref "/nap-waf/v5/admin-guide/overview.md" >}})
+
+Through the NGINX One Console UI, you can:
+
+- [Add and configure a policy]({{< ref "/nginx-one/nap-integration/configure-policy.md/" >}})
+- [Review existing policies]({{< ref "/nginx-one/nap-integration/review-policy.md/" >}})
+- [Deploy policies]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) on instances and Config Sync Groups
+
+You can also set up policies through the [NGINX One Console API]({{< ref "/nginx-one/nap-integration/security-policy-api.md/" >}}).
+
+## Set up NGINX App Protect
+
+You can install and upgrade NGINX App Protect:
+
+Version 4:
+
+- [Install]({{< ref "/nap-waf/v4/admin-guide/install.md" >}})
+- [Upgrade]({{< ref "/nap-waf/v4/admin-guide/upgrade-nap-waf.md" >}})
+
+Version 5:
+
+- [Install]({{< ref "/nap-waf/v5/admin-guide/install.md" >}})
+- [Upgrade]({{< ref "/nap-waf/v5/admin-guide/upgrade-nap-waf.md" >}})
+
+### Container-related configuration requirements
+
+NGINX App Protect WAF Version 5 has specific requirements for the configuration with Docker containers:
+
+- Directory associated with the volume, which you may configure in a `docker-compose.yaml` file.
+  - You may set it up with the `volumes` directive with a directory like `/etc/nginx/app_protect_policies`.
+  - You need to set up the container volume. So when the policy bundle is referenced in the `nginx` directive, the file path is what the container sees.
+  - You need to also include an `app_protect_policy_file`, as described in [App Protect Specific Directives]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#app-protect-specific-directives" >}})
+
+  - You'll need to set a policy bundle (in compressed tar format) in a configured `volume`.
+  - Make sure the directory for [NGINX Agent]({{< ref "/agent/configuration/" >}}) includes `/etc/nginx/app_protect_policies`.
+
+When  you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance.

content/nginx-one/nap-integration/review-policy.md

@@ -0,0 +1,40 @@
+---
+# We use sentence case and present imperative tone
+title: "Review policy"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 300
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+Before you implement a policy on an NGINX instance or Config Sync Group, you may want to review it. F5 NGINX One Console creates a policy for your NGINX App Protect WAF system.
+
+## Review NGINX App Protect policies
+
+From NGINX One Console, select **App Protect** > **Policies**. Select the name of the policy that you want to review. You'll see the following tabs:
+
+- Details, which includes:
+  - Policy Details: Descriptions, status, enforcement type, latest version, and last deployed time.
+  - Deployments: List of instances and Config Sync Groups where the NGINX App Protect policy is deployed.
+- Policy JSON: The policy, in JSON format. With the **Edit** button, you can modify this policy.
+- Versions: Policy versions that you've written. You can apply an older policy to your deployments.
+
+## Modify existing policies
+
+From the NGINX One Console, you can also manage existing policies. In the Policies screen, identify a policy, and select **Actions**. From the menu that appears, you can:
+
+- **Edit** an existing policy.
+- **Save As** to save an existing policy with a new name. You can use an existing policy as a baseline for further customization.
+- **Deploy Latest Version** to apply the latest revision of an existing policy to the configured instances and Config Sync Groups.
+- **Export** the policy in JSON format.
+- **Delete** the policy. Once confirmed, you'll lose all work you've done on that policy.
+
+{{< note >}}
+If you use **Save As** to create a new policy, include the `app_protect_cookie_seed` [directive]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#directives" >}}).
+{{< /note >}}
+

content/nginx-one/nap-integration/security-policy-api.md

@@ -0,0 +1,26 @@
+---
+title: "Set security policies through the API"
+weight: 700
+toc: true
+type: reference
+product: NGINX One
+docs: DOCS-000
+---
+
+You can use F5 NGINX One Console API to manage security policies. With our API, you can:
+
+- [List existing policies]({{< ref "/nginx-one/api/api-reference-guide/#operation/listNapPolicies" >}})
+  - You can set parameters to sort policies by type.
+- [Create a new policy]({{< ref "/nginx-one/api/api-reference-guide/#operation/createNapPolicy" >}})
+  - You need to translate the desired policy.json file to base64 format.
+- [Get policy details]({{< ref "/nginx-one/api/api-reference-guide/#operation/getNapPolicy" >}})
+  - Returns details of the policy you identified with the policy `object_id`.
+- [List NGINX App Protect Deployments]({{< ref "/nginx-one/api/api-reference-guide/#operation/listNapPolicyDeployments" >}})
+  - The output includes:
+    - Target of the deployment
+    - Time of deployment
+    - Enforcement mode
+    - Policy version
+    - Threat campaign
+    - Attack signature
+    - Bot signature