N1 waf signature sets release (#1251)

* n1c: add docs for adding signature sets and exceptions

* add instructions for urls/cookies/parameters

* add titles for all instruction files

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Mike Jang <[email protected]>

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Mike Jang <[email protected]>

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Mike Jang <[email protected]>

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Mike Jang <[email protected]>

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Mike Jang <[email protected]>

* address feedback

* reassign weights for pages

* update links to doc ref

* remove unnecessary top-level titles

* Update content/nginx-one/nap-integration/add-cookies.md

Co-authored-by: Travis Martin <[email protected]>

* Update content/nginx-one/nap-integration/add-urls.md

Co-authored-by: Travis Martin <[email protected]>

* Update content/nginx-one/nap-integration/add-parameters.md

Co-authored-by: Travis Martin <[email protected]>

* Update content/nginx-one/nap-integration/add-parameters.md

Co-authored-by: Travis Martin <[email protected]>

* Update content/nginx-one/nap-integration/add-signature-sets.md

Co-authored-by: Travis Martin <[email protected]>

* Update content/nginx-one/nap-integration/add-urls.md

Co-authored-by: Travis Martin <[email protected]>

* address feedback

* change headings

* address feedback

* add changelog for new WAF release

---------

Co-authored-by: Mike Jang <[email protected]>
Co-authored-by: Travis Martin <[email protected]>

Author: 3 people

content/nginx-one/changelog.md

@@ -30,6 +30,19 @@ h2 {
 
 Stay up-to-date with what's new and improved in the F5 NGINX One Console.
 
+## October 6, 2025
+
+### Expanded features for configuring NGINX security policies with F5 WAF
+
+You can now configure the following for F5 WAF policies directly in the NGINX One Console:
+- [Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md" >}})
+- [Signature Exceptions]({{< ref "/nginx-one/nap-integration/add-signature-sets.md#exceptions" >}})
+- [Parameters]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-parameters" >}})
+- [URLs]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-urls" >}})
+- [Cookies]({{< ref "/nginx-one/nap-integration/cookies-params-urls.md#add-cookies" >}})
+
+For more details, see the [F5 WAF Integration Guide ]({{< ref "/nginx-one/nap-integration/" >}}).
+
 ## October 2, 2025
 
 ### You can now set up config templates

content/nginx-one/nap-integration/add-signature-sets.md

@@ -0,0 +1,132 @@
+---
+title: "Add signature sets and exceptions"
+weight: 300
+toc: true
+nd-content-type: how-to
+nd-product: NGINX One Console
+---
+
+This document describes how you can configure signature sets and signature exceptions in F5 WAF for NGINX policies. When you add a policy, NGINX One Console provides options to customize attack signatures to better protect your applications.
+
+## Understanding signature sets and exceptions
+
+Attack signatures are rules or patterns that identify attack sequences or classes of attacks on a web application. F5 WAF for NGINX includes predefined attack signatures grouped into signature sets.
+
+### Signature set
+
+A **signature set** is a collection of attack signatures with a specific name and purpose. These sets are predefined and can be enabled or disabled in your policy. 
+
+For example, you might have sets for SQL Injection Signatures, Cross-Site Scripting Signatures, or Buffer Overflow Signatures.
+
+### Signature exception
+
+A **signature exception** allows you to explicitly enable or disable individual attack signatures within a set. This gives you granular control over your policy. For example:
+- If a signature in a set causes false positives (blocking legitimate traffic), you can create an exception to disable just that signature while keeping the rest of the set active.
+- If you want to enable blocking for one specific attack signature rather than an entire set, you can create an exception to enable just that signature.
+
+## Add signature sets
+
+From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can:
+
+1. In **General Settings**, name and describe the policy.
+1. Go to the **Web Protection** section and select **Attack Signature Sets**. Here, you can:
+   - View all enabled attack signature sets, including the default ones
+   - Add new signature sets
+   - Modify existing signature sets
+
+### Configure signature sets
+
+For each signature set, you can configure:
+- **Alarm**: When enabled, matching requests are logged
+- **Block**: When enabled, matching requests are blocked
+
+For example, to configure Buffer Overflow Signatures to log but not block:
+
+```json
+{
+    "policy": {
+        "name": "buffer_overflow_signature",
+        "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
+        "signature-sets": [
+            {
+                "name": "Buffer Overflow Signatures",
+                "alarm": true,
+                "block": false
+            }
+        ]
+    }
+}
+```
+
+### Remove signature sets
+
+To remove a signature set from your policy, you have two options:
+
+1. Disable the set by setting both `alarm` and `block` to `false`:
+
+    ```json
+    {
+        "policy": {
+            "name": "no_xpath_policy",
+            "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
+            "signature-sets": [
+                {
+                    "name": "XPath Injection Signatures",
+                    "block": false,
+                    "alarm": false
+                }
+            ]
+        }
+    }
+    ```
+
+1. Use the `$action` meta-property to delete the set (preferred for better performance):
+
+    ```json
+    {
+        "policy": {
+            "name": "no_xpath_policy",
+            "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" },
+            "signature-sets": [
+                {
+                    "name": "XPath Injection Signatures",
+                    "$action": "delete"
+                }
+            ]
+        }
+    }
+    ```
+
+## Add signature exceptions
+
+From the **Web Protection** section, select **Attack Signature Exceptions**. This allows you to override settings for individual signatures.
+
+1. Click **Add Item** to create a new exception.
+1. Select the signature(s) you want to modify.
+1. Configure the exception. For example, to disable a specific signature:
+
+    ```json
+    {
+        "signatures": [
+            {
+                "name": "_mem_bin access",
+                "enabled": false,
+                "signatureId": 200100022
+            }
+        ]
+    }
+    ```
+
+## Add and deploy your policy
+
+After configuring signature sets and exceptions:
+
+1. Select **Add Policy**. The policy JSON will be updated with your changes.
+1. Your policy will appear in the list under the name you provided.
+1. You can then [deploy]({{< ref "/nginx-one/nap-integration/deploy-policy.md/" >}}) the policy to either:
+   - An instance
+   - A Config Sync Group
+
+From NGINX One Console, you can [review and modify]({{< ref "/nginx-one/nap-integration/review-policy.md/" >}}) your saved policies at any time by selecting **App Protect > Policies**.
+
+For a complete list of available signature sets and detailed information about attack signatures, see the [Attack Signatures]({{< ref "/waf/policies/attack-signatures.md" >}}) documentation.

content/nginx-one/nap-integration/cookies-params-urls.md

@@ -0,0 +1,197 @@
+---
+title: "Add cookies, parameters and URLs"
+weight: 400
+toc: true
+nd-content-type: how-to
+nd-product: NGINX One Console
+---
+
+# Add cookies
+
+Cookie protections can be configured and managed directly within the policy editor by selecting the **Cookies** option.
+
+## Cookie properties and types
+
+Each cookie configuration includes:
+- `Cookie Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section.
+- `Cookie Name`: The name of the cookie to be monitored or protected
+- `Enforcement Type`: 
+  - **Allow**: Specifies that this cookie may be changed by the client. The cookie is not protected from modification
+  - **Enforce**: Specifies that this cookie may not be changed by the client
+- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable
+- `Mask value in logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy
+
+For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section.
+
+## Cookie violations
+
+Select **Edit Configuration** to configure cookie violations. The following violations can be configured for cookies:
+
+- `VIOL_COOKIE_EXPIRED`: Triggered when a cookie's timestamp is expired
+- `VIOL_COOKIE_LENGTH`: Triggered when cookie length exceeds the configured limit
+- `VIOL_COOKIE_MALFORMED`: Triggered when cookies are not RFC-compliant
+- `VIOL_COOKIE_MODIFIED`: Triggered when domain cookies have been tampered with
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details.
+
+## Add a cookie to your policy
+
+1. Choose Cookie Type:
+   - Select either `Explicit` for exact cookie matching or `Wildcard` for pattern-based matching
+
+1. Configure Basic Properties:
+   - Enter the `Cookie Name`
+   - Choose whether to mask the cookie value in logs
+
+1. Set Enforcement Type:
+   - Choose either `Allow` or `Enforce`
+
+1. Optional: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific cookie
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+1. Select **Add Cookie** to save your configuration
+
+# Add parameters
+
+Parameter protections can be configured and managed directly within the policy editor by selecting the **Parameters** option.
+
+## Parameter properties and types
+
+Each parameter configuration includes:
+- `Parameter Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section.
+- `Parameter Name`: The name of the parameter
+- `Location`: Where the parameter is expected (URL query string, POST data, etc.)
+- `Value Type`: The expected type of the parameter value (e.g., alpha-numeric, integer, email)
+- `Attack Signatures`: Whether attack signature checking is enabled for this parameter
+- `Mask value in logs`: When enabled, the parameter's value will be masked in the request log for enhanced security and privacy. This sets `sensitiveParameter` property of the parameter item.
+
+For a complete list of configurable parameter properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section.
+
+## Parameter violations
+
+Select **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters:
+
+- `VIOL_PARAMETER`: Triggered when an illegal parameter is detected
+- `VIOL_PARAMETER_ARRAY_VALUE`: Triggered when an array parameter value is illegal
+- `VIOL_PARAMETER_DATA_TYPE`: Triggered when parameter data type doesn't match configured security policy
+- `VIOL_PARAMETER_EMPTY_VALUE`: Triggered when a parameter value is empty but shouldn't be
+- `VIOL_PARAMETER_LOCATION`: Triggered when a parameter is found in wrong location
+- `VIOL_PARAMETER_MULTIPART_NULL_VALUE`: Triggered when the multi-part request has a parameter value that contains the NULL character (0x00)
+- `VIOL_PARAMETER_NAME_METACHAR`: Triggered when illegal meta characters are found in parameter name
+- `VIOL_PARAMETER_NUMERIC_VALUE`: Triggered when numeric parameter value is outside allowed range
+- `VIOL_PARAMETER_REPEATED`: Triggered when a parameter name is repeated illegally
+- `VIOL_PARAMETER_STATIC_VALUE`: Triggered when a static parameter value doesn't match configured security policy
+- `VIOL_PARAMETER_VALUE_BASE64`: Triggered when the value is not a valid Base64 string
+- `VIOL_PARAMETER_VALUE_LENGTH`: Triggered when parameter value length exceeds limits
+- `VIOL_PARAMETER_VALUE_METACHAR`: Triggered when illegal meta characters are found in parameter value
+- `VIOL_PARAMETER_VALUE_REGEXP`: Triggered when parameter value doesn't match required pattern
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details.
+
+## Add a parameter to your policy
+
+1. Choose Parameter Type:
+   - Select either `Explicit` for exact parameter matching or `Wildcard` for pattern-based matching
+
+1. Configure Basic Properties:
+   - Enter the parameter `Parameter Name`
+   - Select the `Location` where the parameter is expected
+   - Choose the `Value Type` (alpha-numeric, integer, email, etc.)
+   - Set the `Data Type` if applicable
+
+1. Set Security Options:
+   - Choose whether to enable attack signatures
+   
+   {{< call-out "important" >}}
+
+   Attack Signatures are only applicable when the Value Type is `User Input` or `Array` **and** the Data Type is either `Alphanumeric` or `Binary`
+
+   {{< /call-out >}}
+
+   - Decide if parameter value should be masked in logs which sets `sensitiveParameter` in [Parameter Configuration Reference]({{< ref "/waf/policies/parameter-reference.md" >}})
+
+1. Optional: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific parameter
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+1. Select **Add Parameter** to save your configuration
+
+# Add URLs
+
+URL protections can be configured and managed directly within the policy editor by selecting the **URLs** option.
+
+## URL properties and types
+
+Each URL configuration includes:
+- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section.
+- `Method`: Specifies the HTTP method(s) for the URL (`GET`, `POST`, `PUT`, etc.)
+- `Protocol`: The protocol for the URL (`HTTP`/`HTTPS`)
+- `Enforcement Type`: 
+  - **Allow**: Permits access to the URL with optional attack signature checks
+  - **Disallow**: Blocks access to the URL entirely
+- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable
+
+{{< call-out "important" >}}
+
+**⚠️ Important:** Attack Signatures are automatically shown as "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary.
+
+{{< /call-out >}}
+
+For a complete list of configurable URL properties and options, see the [URL Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `urls` section.
+
+## URL violations
+
+Select **Edit Configuration** to configure URL violations. The following violations can be configured for URLs:
+
+- `VIOL_URL`: Triggered when an illegal URL is accessed
+- `VIOL_URL_CONTENT_TYPE`: Triggered when there's an illegal request content type
+- `VIOL_URL_LENGTH`: Triggered when URL length exceeds the configured limit
+- `VIOL_URL_METACHAR`: Triggered when illegal meta characters are found in the URL
+
+For each violation type, you can:
+- Set the enforcement action
+- Toggle `Alarm`, `Alarm and Block`, or `Disabled` settings
+
+For more details about enforcement modes, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**.
+
+See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details.
+
+## Add a URL to your policy
+
+1. Choose URL Type:
+   - Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching
+
+1. Configure Basic Properties:
+   - Enter the `URL` path (e.g., `/index.html`, `/api/data`)
+      - The URL path must start with `/`
+   - Select HTTP `Method(s)` (e.g., `GET`, `POST`, *)
+   - Choose the `Protocol` (`HTTP`/`HTTPS`)
+
+1. Set Enforcement:
+   - Choose whether to allow or disallow the URL
+   - If `Allow URL` is selected, you can optionally enable attack signatures
+
+   {{< call-out "important" >}}
+
+   **⚠️ Important:** Attack signatures cannot be enabled for disallowed URLs.
+
+   {{< /call-out >}}
+
+1. **Optional**: Configure Attack Signatures
+   - If enabled, you can overwrite attack signatures for this specific URL
+   - For details on signature configuration, refer to the documentation on [Add Signature Sets]({{< ref "/nginx-one/nap-integration/add-signature-sets.md/" >}})
+
+1. Select **Add URL** to save your configuration

content/nginx-one/nap-integration/deploy-policy.md

@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Deploy policy"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 400
+weight: 600
 # Creates a table of contents and sidebar, useful for large documents
 toc: false
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this

content/nginx-one/nap-integration/overview.md

@@ -43,4 +43,4 @@ F5 WAF for NGINX has specific requirements for the configuration with Docker con
   - You'll need to set a policy bundle (in compressed tar format) in a configured `volume`.
   - Make sure the directory for [NGINX Agent]({{< ref "/agent/configuration/" >}}) includes `/etc/nginx/app_protect_policies`.
 
-When  you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance.
+When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance.

content/nginx-one/nap-integration/review-policy.md

@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Review policy"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 300
+weight: 500
 # Creates a table of contents and sidebar, useful for large documents
 toc: false
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -37,4 +37,3 @@ From the NGINX One Console, you can also manage existing policies. In the Polici
 {{< call-out "note" >}}
 If you use **Save As** to create a new policy, include the `app_protect_cookie_seed` [directive]({{< ref "/nap-waf/v5/configuration-guide/configuration.md#directives" >}}).
 {{< /call-out >}}
-

content/nginx-one/nap-integration/security-policy-api.md

@@ -1,6 +1,6 @@
 ---
 title: "Set security policies through the API"
-weight: 700
+weight: 800
 toc: true
 type: reference
 product: NGINX One