Update policy.html

kudriavitsky · web-flow · commit 605bc02a09b4 · 2025-06-23T09:39:03.000+03:00
update override-rules and ip-address-lists
diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html
@@ -2856,13 +2856,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
 <td><dl>
 <dt>Specifies how the system responds to blocking requests sent from this IP address list.</dt>
 <dd><ul>
-<li><strong>Policy Default:</strong> Specifies that the Policy Blocking Settings will be used for requests from this IP address list.</li>
+<li><strong>Policy Default:</strong> Specifies that thepolicy enforcementMode will be used for requests from this IP address list.</li>
 <li><strong>Never Block:</strong> Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.</li>
 <li><strong>Always Block:</strong> Specifies that the system blocks requests sent from this IP address list.</li>
 </ul>
 </dd>
 </dl>
-<p>Optional</p></td>
+<p>Optional, if absent Policy Default is used.</p></td>
 <td><ul>
 <li>always</li>
 <li>never</li>
@@ -2878,13 +2878,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
 <tr class="odd">
 <td><a href="#policy/ip-address-lists/ipAddresses">ipAddresses</a></td>
 <td>array of objects</td>
-<td>Specifies the IP addresses.</td>
+<td>Specifies the IP addresses. Use CIDR notation for subnet definition.</td>
 <td></td>
 </tr>
 <tr class="even">
 <td><code>matchOrder</code></td>
 <td>integer</td>
-<td>Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder.</td>
+<td>Specifies the order matching index between different IP Address Lists. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Lists with a lower matchOrder will be checked for a match prior to items with higher matchOrder.</td>
 <td></td>
 </tr>
 <tr class="odd">
@@ -2896,13 +2896,13 @@ <h2 id="policy/ip-address-lists">ip-address-lists</h2>
 <tr class="even">
 <td><code>neverLogRequests</code></td>
 <td>boolean</td>
-<td>Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.</td>
+<td>Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. Optional, if absent default value is false.</td>
 <td></td>
 </tr>
 <tr class="odd">
 <td><code>setGeolocation</code></td>
 <td>string</td>
-<td>Specifies a geolocation to be associated for this IP address list. Optional</td>
+<td>Specifies a geolocation to be associated for this IP address list. This will force the IP addresses in the list to be considered as though they are in that geolocation. This applies to blocking via "disallowed-geolocations" and to logging. Optional</td>
 <td></td>
 </tr>
 </tbody>
@@ -2927,7 +2927,7 @@ <h3 id="policy/ip-address-lists/ipAddresses">ipAddresses</h3>
 <tr class="odd">
 <td><code>ipAddress</code></td>
 <td>string</td>
-<td></td>
+<td>Specifies the IP address. Use CIDR notation for subnet definition.</td>
 <td></td>
 </tr>
 </tbody>
@@ -3694,7 +3694,7 @@ <h2 id="policy/override-rules">override-rules</h2>
 <p>Request Attributes:</p>
 <blockquote>
 <ul>
-<li><strong>clientIp</strong>: Client IP address in canonical IPv4 or IPv6 format. Use CIDR notation for subnet definition. Example: <em>192.168.1.2</em> or <em>fd00:1::/48</em>. If <em>trustXff</em> (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is <em>matches</em>.</li>
+<li><strong>clientIp</strong>: Client IP address in canonical IPv4 or IPv6 format or ip-address-list. Use CIDR notation for subnet definition. Example: <em>192.168.1.2</em> or <em>fd00:1::/48</em>. If <em>trustXff</em> (X-Forwarded-For) is enabled in the containing policy, then the value is taken from the configured header (XFF or other). The only supported boolean function for the clientIP attribute is <em>matches</em>.</li>
 <li><strong>host</strong>: The value of the Host header</li>
 <li><strong>method</strong>: The HTTP method in the request</li>
 <li><strong>uri</strong>: The URI (path part) of the request</li>
@@ -3705,7 +3705,7 @@ <h2 id="policy/override-rules">override-rules</h2>
 <li><strong>headers['&lt;name&gt;']</strong>: (map-type) The value of the specified header name. Example: "headers['Accept'].startsWith('application')"</li>
 </ul>
 </blockquote>
-<p><strong>Note</strong>: The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name.</p></td>
+<p><strong>Note</strong>: The "headers['&lt;name&gt;']" attribute does not support 'Cookie' as a header name. Attribute "clientIp" supports using "ipAddressLists" in condition: "clientIp.matches(ipAddressLists['<name>'])</p></td>
 <td></td>
 </tr>
 <tr class="odd">
