N1 waf signature sets release #1251
Conversation
Co-authored-by: Mike Jang <[email protected]>
Co-authored-by: Travis Martin <[email protected]>
All the feedback can be found in this PR (from
I approve with suggestions.
For more complex scenarios, you can use the `modifications` section: | ||
```json |
Non-blocking formatting: As you can see from previous lines, if you include indentation, the format is nicer.
nd-product: NGINX One Console | ||
--- | ||
# Add cookies |
It's a markdown standard to include a blank line after each header
- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable | ||
- `Mask Value in Logs`: When enabled, the cookie's value will be masked in the request log for enhanced security and privacy | ||
**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. |
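Review bot: the "Important" callout at the end of this hunk sits under the `# Add cookies` heading but says "the URL is explicitly blocked", so it was carried over from the URL page; it should refer to the cookie being disallowed, in line with the later line "Attack signatures cannot be enabled for disallowed cookies". Suggest: "Attack Signatures are automatically shown as "Not Applicable" when Enforcement Type is set to `Disallow`, since the cookie is rejected outright and signature checking is unnecessary."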
**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. | |
{{< call-out "important" >}} | |
**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. | |
{{< /call-out >}} |
For a complete list of configurable cookie properties and options, see the [Cookie Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `cookies` section. | ||
## Cookie violations | ||
Click on **Edit Configuration** to configure cookie violations. The following violations can be configured for cookies: |
Our style guide pushes "Submit" over "Click"
I think you mean "Select" and not "Submit"? e.g. Select **Edit Configuration**
yeah I believe it should be "Select", as Travis suggested the same. Thanks for catching this.
See the [Supported Violations]({{< ref "/waf/policies/violations.md#supported-violations" >}}) for additional details. | ||
## Adding a cookie to your policy |
I know this has been noted before -- avoid the "ing" nouns like "Adding"
## Adding a cookie to your policy | |
## Add a cookie to your policy |
1. Set Enforcement: | ||
- Choose whether to allow or disallow the cookie | ||
- If `Allow Cookie` is selected, you can optionally enable attack signatures | ||
- **⚠️ Important:** Attack signatures cannot be enabled for disallowed cookies. |
Also see previous formatting for "Important"
For a complete list of configurable cookie properties and options, see the [Parameter Configuration Parameters]({{< ref "/waf/policies/parameter-reference.md" >}}) documentation under the `parameters` section. | ||
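Review bot: the link text "Parameter Configuration Parameters" in this line doubles the word and reads as a copy of the cookie page's "Cookie Configuration Parameters"; suggest "Parameter Reference" (matching the target file `parameter-reference.md`) or "parameter configuration options" so the sentence reads "see the [Parameter Reference](...) documentation under the `parameters` section".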
## Parameter violations | ||
Select **Edit Configuration** to configure parameter violations. The following violations can be configured for parameters: |
Future issue: we need to set up common content with content/includes/nap-waf/config/common/supported-violations.md
I think Alan already added this, which can be accessed through https://frontdoor-test-docs.nginx.com/previews/docs/1251/waf/policies/violations/#supported-violations
1. Select **Add Parameter** to save your configuration | ||
# Add urls |
# Add urls | |
# Add URLs |
@@ -0,0 +1,173 @@ | |||
--- | |||
title: "Add cookies, parameters and urls" |
title: "Add cookies, parameters and urls" | |
title: "Add cookies, parameters and URLs" |
From NGINX One Console, select **App Protect > Policies**. In the screen that appears, select **Add Policy**. That action opens a screen where you can: | ||
1. In **General Settings**, name and describe the policy. | ||
1. Go to the **Web Protection** tab and select **Attack Signature Sets**. Here, you can: |
nit: instead of the word tab, I'd suggest calling it a section
## Add signature exceptions | ||
From the **Web Protection** tab, select **Attack Signature Exceptions**. This section allows you to override settings for individual signatures. |
nit: same thing here. I'd suggest section instead of tab
} | ||
``` | ||
### Advanced exception configuration |
I'd suggest removing this entire Advanced exception configuration section. The App Protect schema that we're using to validate policies doesn't include the top-level `modifications` section, so the UI doesn't use or respect data defined there.
After configuring signature sets and exceptions: | ||
1. Select **Save Policy**. The policy JSON will be updated with your changes. |
nit: the steps outlined here start by creating a new policy. The CTA text when creating a new policy is "Add Policy". The CTA text is "Save Policy" when editing an existing policy.
In addition to the shared options, cookies support the following advanced configurations: | ||
- **Mask Value in Logs**: Enable masking of cookie values in logs for enhanced security and privacy. |
Since you called this out explicitly for cookies: parameters also support a similar option, which is also called "Mask value in logs" for consistency in the UI, and that controls the `sensitiveParameter` property of the parameter item.
nd-product: NGINX One Console | ||
--- | ||
URLs can be configured and managed directly within the policy editor by selecting the **URLs** option. |
I'd suggest "URL protections can be configured..."
## URL Properties and Types | ||
Each URL configuration includes: | ||
- `URL Type`: `Explicit` or `Wildcard`. For details on explicit and wildcard matching, see the [Matching Types: Explicit vs Wildcard]({{< ref "/nginx-one/nap-integration/waf-policy-matching-types.md" >}}) section. | ||
- `Method`: Specifies which HTTP methods are allowed (`GET`, `POST`, `PUT`, etc.) |
Since allowed/disallowed will depend on the enforcement type for the URL, I'd suggest: "Specifies the HTTP method(s) for the URL (`GET`, `POST`, `PUT`, etc.)"
- **Disallow**: Blocks access to the URL entirely | ||
- `Attack Signatures`: Indicates whether attack signatures and threat campaigns are enabled, disabled, or not applicable | ||
**⚠️ Important:** Attack Signatures are automatically set to "Not Applicable" when Enforcement Type is set to `Disallow` since the URL is explicitly blocked and signature checking is unnecessary. |
nit: Attack Signatures are automatically shown as "Not Applicable" when...
- Select either `Explicit` for exact URL matching or `Wildcard` for pattern-based matching | ||
1. Configure Basic Properties: | ||
- Enter the `URL` path |
It would be good to include details that an explicit path should start with a `/`, and/or provide example(s) for explicit and wildcard so it's clear to the user what they should enter for the path.
1. Configure Basic Properties: | ||
- Enter the `URL` path | ||
- Select allowed `Method(s)` (e.g., `GET`, `POST`, *) |
nit: "HTTP" instead of "allowed"
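As an added example, not code from this docs PR or from the NGINX project, the following Python lint pulls together the points raised across the cookie, parameter and URL reviews above and checks them against a declarative App Protect policy in JSON: explicit URL paths start with `/`, attack signature checks are not set on a disallowed URL or a non-allowed cookie (the "Not Applicable" case), cookie values and sensitive-looking parameters are masked in logs, and a top-level `modifications` section is flagged because the console's policy editor does not use it. The sample policy is constructed for this example. `sensitiveParameter` and `modifications` are named on this page; the other field names (`isAllowed`, `attackSignaturesCheck`, `maskValueInLogs`, `enforcementType`, the template and signature-set names) are assumptions about the App Protect policy format and should be checked against the parameter reference before relying on them.

```python
"""Lint and harden an NGINX App Protect declarative policy (JSON) for the
checks discussed in the review: explicit paths start with "/", attack
signature checks are not set on disallowed URLs or non-allowed cookies,
cookie values and sensitive parameters are masked in logs, and the
top-level "modifications" section is flagged as unused by the editor."""
import json
import re

# Parameter names that should be marked sensitive so they are masked in logs.
# Constructed for this example, not a list from the product.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|ssn", re.I)

# Constructed sample policy. Field names are assumptions about the App Protect
# declarative policy (isAllowed, attackSignaturesCheck, maskValueInLogs,
# enforcementType); sensitiveParameter and modifications are from the review.
SAMPLE_POLICY = json.dumps({
    "policy": {
        "name": "example_policy",
        "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
        "enforcementMode": "blocking",
        "signature-sets": [
            {"name": "SQL Injection Signatures", "block": True, "alarm": True}
        ],
        "urls": [
            {"name": "/api/login", "type": "explicit", "method": "POST",
             "isAllowed": True, "attackSignaturesCheck": True},
            # Disallowed URL with a signature check that can never run.
            {"name": "/admin/*", "type": "wildcard", "method": "*",
             "isAllowed": False, "attackSignaturesCheck": True},
            # Explicit path missing its leading slash.
            {"name": "health", "type": "explicit", "method": "GET", "isAllowed": True},
        ],
        "cookies": [
            {"name": "session", "type": "explicit", "enforcementType": "allow",
             "attackSignaturesCheck": True, "maskValueInLogs": True},
            # Value would be written to the request log in clear.
            {"name": "tracking", "type": "explicit", "enforcementType": "allow",
             "maskValueInLogs": False},
        ],
        "parameters": [
            # Sensitive name but not marked sensitive, so it is logged in clear.
            {"name": "password", "type": "explicit", "sensitiveParameter": False},
            {"name": "q", "type": "explicit", "attackSignaturesCheck": True},
        ],
        # Placeholder override (no real signature ID); the editor ignores this section.
        "modifications": [
            {"entityType": "signature", "action": "add-or-update",
             "entity": {"name": "PLACEHOLDER_SIGNATURE_ID"},
             "entityChanges": {"enabled": False}}
        ],
    }
})


def lint_policy(policy_json: str) -> list:
    """Return human-readable findings for the policy; an empty list means clean."""
    policy = json.loads(policy_json)["policy"]
    findings = []
    for url in policy.get("urls", []):
        name = url.get("name", "")
        if url.get("type") == "explicit" and not name.startswith("/"):
            findings.append(f"url {name!r}: explicit path must start with '/'")
        if url.get("isAllowed") is False and url.get("attackSignaturesCheck"):
            findings.append(f"url {name!r}: attackSignaturesCheck set on a disallowed URL "
                            "(the request is blocked before signatures run)")
    for cookie in policy.get("cookies", []):
        name = cookie.get("name", "")
        if cookie.get("enforcementType", "allow") != "allow" and cookie.get("attackSignaturesCheck"):
            findings.append(f"cookie {name!r}: attackSignaturesCheck set on a non-allowed cookie")
        if not cookie.get("maskValueInLogs", False):
            findings.append(f"cookie {name!r}: value is logged in clear (maskValueInLogs is off)")
    for param in policy.get("parameters", []):
        name = param.get("name", "")
        if SENSITIVE_NAME.search(name) and not param.get("sensitiveParameter", False):
            findings.append(f"parameter {name!r}: looks sensitive but sensitiveParameter is off")
    if "modifications" in policy:
        findings.append("policy: top-level 'modifications' is not used by the console editor; "
                        "these overrides will not take effect")
    return findings


def harden_policy(policy_json: str) -> str:
    """Return a corrected copy that clears every finding except the
    'modifications' warning, which needs a human to re-express the overrides."""
    doc = json.loads(policy_json)  # fresh object, safe to mutate
    policy = doc["policy"]
    for url in policy.get("urls", []):
        if url.get("type") == "explicit" and not url.get("name", "").startswith("/"):
            url["name"] = "/" + url["name"]
        if url.get("isAllowed") is False:
            url.pop("attackSignaturesCheck", None)
    for cookie in policy.get("cookies", []):
        if cookie.get("enforcementType", "allow") != "allow":
            cookie.pop("attackSignaturesCheck", None)
        cookie["maskValueInLogs"] = True
    for param in policy.get("parameters", []):
        if SENSITIVE_NAME.search(param.get("name", "")):
            param["sensitiveParameter"] = True
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("WARN", finding)
    print(harden_policy(SAMPLE_POLICY))
```

Run it against a policy exported from the console before uploading a hand-edited one; the `modifications` warning is deliberately left for a person to resolve, since the tool cannot know which per-signature override the author intended.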