feat: Push updates

ADubhlaoich · ADubhlaoich · commit 98a9e3940bde · 2025-09-19T17:00:44.000+01:00
diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md
@@ -14,10 +14,16 @@ nd-product: NAP-WAF
 
 This document describes how to use the F5 WAF for NGINX compiler, a tool for converting security policies and logging profiles from JSON to a bundle file that F5 WAF can process and apply.
 
-You can use it to get the latest security updates for Attack Signatures, Threat Campaigns and Bot Signatures. The compiler is packaged as a Docker image and can executed using the Docker CLI or as part of a continuous integration/continuous delivery (CI/CD) pipeline.
+You can use it to get the latest security updates for [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}}), Threat campaigns and Bot signatures. 
+
+The compiler is packaged as a Docker image and can executed using the Docker CLI or as part of a continuous integration/continuous delivery (CI/CD) pipeline.
+
+With a virtual machine/bare-metal installation, read the [Update F5 WAF for NGINX signatures]({{< ref "/waf/install/update-signatures.md" >}}) topic.
 
 One or more bundle files can be referenced in the NGINX configuration file, and you can configure global settings such as the cookie seed and user-defined signatures.
 
+For more information about policies, read the [Configure policies]({{< ref "/waf/policies/configuration.md" >}}) topic.
+
 ## Before you begin
 
 To complete this guide, you will need the following prerequisites:
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
@@ -16,7 +16,7 @@ This document shows example of how to modify your NGINX configuration to enable
 
 It is intended as a reference for, small self-contained examples of how F5 WAF for NGINX is configured. 
 
-Certain features do not work well with F5 NGINX, such as modules requiring _subrequest_ when calling or being called from a scope that contains `app_protect_enable on`.
+Certain features do not work well with NGINX, such as modules requiring _subrequest_ when calling or being called from a scope that contains `app_protect_enable on`.
 
 Modules requiring the _Range_ header (Such as _Slice_) are also unsupported in a scope which enables F5 WAF for NGINX.
 
diff --git a/content/waf/install/disconnected-environment.md b/content/waf/install/disconnected-environment.md
@@ -14,13 +14,71 @@ nd-product: NAP-WAF
 
 {{< call-out "warning" "Information architecture note" >}}
 
-The term _disconnected environment_ has become the more commmon synonym for an air-gapped or offline installation. It follows the precedent set by NGINX Instance Manager: [Deploy in a disconnected environment -> Install the latest NGINX Instance Manager with a script (disconnected)]({{< ref "/nim/disconnected/offline-install-guide.md" >}}).
-
 The design intention for this page is as a standalone page for the operating system specific installation use cases:
 
 - [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#offline-installation" >}})
 - [v5]({{< ref "/nap-waf/v5/admin-guide/install.md#air-gap-install-secure-offline-installation" >}})
 
-Instead of having separate top level folders, differences between v4 and v5 will be denoted with whole page sections, tabs, or other unique signifiers.
+{{</ call-out>}}
+
+This topic describes how to install F5 WAF for NGINX in a disconnected or air-gapped environment.
+
+Many of the steps involved are similar to other installation methods: this document will refer to them when appropriate.
+
+## Before you begin
+
+To complete this guide, you will need the following prerequisites:
+
+- The requirements of your installation method:
+    - [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md#before-you-begin" >}})
+    - [Docker]({{< ref "/waf/install/docker.md#before-you-begin" >}})
+    - [Kubernetes]({{< ref "/waf/install/kubernetes.md#before-you-begin" >}})
+- An active F5 WAF for NGINX subscription (Purchased or trial).
+- A connected environment with similar architecture
+- A method to transfer files between two environments
+
+These instructions outline the broad, conceptual steps involved with working with a disconnected environment. You will need to make adjustments based on your specific security requirements.
+
+Some users may be able to use a USB stick to transfer necessary set-up artefacts, whereas other users may be able to use tools such as SSH or SCP.
+
+In the following sections, the term _connected environment_ refers to the environment with access to the internet you will use to download set-up artefacts.
+
+The term _disconnected environment_ refers to the final environment the F5 WAF for NGINX installation is intended to run in, and is the target to transfer set-up artefacts from the connected environment.
+
+## Download and run the documentation website locally
+
+For a disconnected environment, you may want to browse documentation offline.
+
+This is possible by cloning the repository and the binary file for Hugo.
+
+In addition to accessing F5 WAF for NGINX documentation, you will be able to access any supporting documentation you may need from other products.
+
+You will need `git` and `wget` in your connected environment.
+
+Run the following two commands: replace `<hugo-release>` with the tarball appropriate to the environment from [the release page](https://github.com/gohugoio/hugo/releases/tag/v0.147.8):
+
+```shell
+git clone git@github.com:nginx/documentation.git
+wget <hugo-release>
+```
+
+Move the repository folder and the tarball to your disconnected environment.
+
+In your disconnected environment, extract the tarball archive, then move the `hugo` binary somewhere on your PATH.
+
+Change into the cloned repository and run Hugo: you should be able to access the documentation on localhost.
+
+```shell
+cd documentation
+hugo server
+```
+
+## Download package files
+
+
+## Download Docker images
+
+
+## Download Kubernetes files
+
 
-{{</ call-out>}}
diff --git a/content/waf/install/kubernetes.md b/content/waf/install/kubernetes.md
@@ -373,16 +373,14 @@ kubectl create secret docker-registry regcred --docker-server=private-registry.n
 
 The `<JWT Token>` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.
 
-
-### Edit Manifest files
+### Create Manifest files
 
 The default configuration provided creates two replicas, each hosting NGINX and WAF services together in a single Kubernetes pod.
 
 Create all of these files in a single folder (Such as `/manifests`).
 
 In each file, replace `<your-private-registry>/waf:<your-tag>` with your actual image tag.
 
-
 {{< tabs name="manifest-files" >}}
 
 {{% tab name="waf-storage.yaml" %}}
diff --git a/content/waf/install/update-signatures.md b/content/waf/install/update-signatures.md
@@ -0,0 +1,39 @@
+---
+# We use sentence case and present imperative tone
+title: "Update F5 WAF for NGINX signatures"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 500
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NAP-WAF
+---
+
+This topic describes how to update F5 WAF for NGINX signatures in a [virtual machine or bare-metal environment]({{< ref "/waf/install/virtual-environment.md" >}}).
+
+For other deployment methods, you should read [Build and use the compiler tool]({{< ref "/waf/configure/compiler.md" >}}).
+
+Signatures are divided into three groups:
+
+- [Attack signatures]({{< ref "/waf/policies/attack-signatures.md" >}})
+- Threat campaigns
+- Bot signatures
+
+F5 WAF for NGINX signature updates are released at a higher frequency than F5 WAF for NGINX itself, and are subsequently available in their own packages.
+
+A new installation will have the latest signatures available, but F5 WAF for NGINX and the signature packages can be updated independently afterwards.
+
+## Identify and update packages
+
+During installation, the [Platform-specific instructions]({{< ref "/waf/install/virtual-environment.md#platform-specific-instructions" >}}) were used to add the F5 WAF for NGINX repositories to your chosen operating system.
+
+Installing these packages also installed their dependencies, which includes the signature packages. You can use your environment's package manager to update these packages.
+
+They will be named something in the following list:
+
+- `app-protect-attack-signatures`
+- `app-protect-threat-campaigns`
+- `app-protect-bot-signatures`
diff --git a/content/waf/install/update.md b/content/waf/install/update.md
diff --git a/content/waf/install/upgrade.md b/content/waf/install/upgrade.md
@@ -19,4 +19,56 @@ The design intention for this page is as a standalone page for the operating sys
 - [v4]({{< ref "/nap-waf/v4/admin-guide/install.md#upgrading-app-protect-to-the-latest-version" >}})
 - [v5]({{< ref "/nap-waf/v5/admin-guide/upgrade-nap-waf.md" >}})
 
-{{</ call-out>}}
+{{</ call-out>}}
+
+This document describes how to upgrade F5 WAF for NGINX.
+
+Security updates can be managed independently from F5 WAF for NGINX versions: based on your installation method, you should read the [Update F5 WAF for NGINX signatures]({{< ref "/waf/install/update-signatures.md" >}}) or [Build and use the compiler tool]({{< ref "/waf/configure/compiler.md" >}}) topics.
+
+## Virtual environment packages
+
+Depending on your method, you may have installed virtual environment packages as part of a virtual machine/bare metal installation or a hybrid Docker configuration deployment.
+
+You can update the F5 WAF for NGINX packages using the environment's package manager, used during the [Platform-specific instructions]({{< ref "/waf/install/virtual-environment.md#platform-specific-instructions" >}}) of installation.
+
+An operating system using `dnf` might update the package with this command:
+
+```shell
+sudo dnf -y update app-protect
+```
+
+While an `apt` based system would use the following instead:
+
+```shell
+sudo apt-get update && apt-get install -y app-protect
+```
+
+## Docker deployments
+
+You can upgrade packages within Docker containers the same way as in the [Virtual environment packages](#virtual-environment-packages) section.
+
+Otherwise, you can update the version of F5 WAF components you are using by changing the tag prefixed to the `image:` key in your _docker-compose_ files.
+
+## Kubernetes deployments
+
+In a Kubernetes deployment, your approach for upgrading F5 WAF for NGINX depends on your installation method.
+
+For Helm, first `pull` the chart:
+
+```shell
+helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <release-name> --untar
+```
+
+Then use the `upgrade` argument with the release name.
+
+```shell
+helm upgrade <release-name> .
+```
+
+For Manifests you can update the tagged `image:` in your [created Manifest files]({{< ref "/waf/install/kubernetes.md#create-manifest-files" >}}).
+
+Then you can use `apply` to upgrade:
+
+```shell
+kubectl apply -f manifests/
+```
diff --git a/content/waf/policies/attack-signatures.md b/content/waf/policies/attack-signatures.md
diff --git a/content/waf/policies/configuration.md b/content/waf/policies/configuration.md
