7 changes: 7 additions & 0 deletions _banners/waf-parameter-reference.md
@@ -0,0 +1,7 @@
{{< banner "note" "Policy parameter reference" >}}

You can explore the parameters for each F5 WAF for NGINX feature on the [Policy parameter reference]({{< ref "/waf/policies/parameter-reference.md" >}}) page.

This page was previously referred to as the "Declarative Policy".

{{< /banner >}}
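Review bot: "This page" in the last sentence is ambiguous, because the banner is cascaded onto every page under /waf/policies/ and a reader will take it to mean the page they are currently on rather than the linked reference. Suggest "The Policy parameter reference page was previously referred to as the "Declarative Policy"." so the sentence reads correctly wherever the banner is rendered.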
4 changes: 4 additions & 0 deletions content/includes/waf/table-policy-features.md
@@ -11,6 +11,7 @@
| [Cookie enforcement]({{< ref "/waf/policies/cookie-enforcement.md" >}}) | By default all cookies are allowed and not enforced for integrity. The user can add specific cookies, wildcards or explicit, that will be enforced for integrity. It is also possible to set the cookie attributes: HttpOnly, Secure and SameSite for cookies found in the response. |
| [Data guard]({{< ref "/waf/policies/data-guard.md" >}}) | Detects and masks Credit Card Number (CCN) and/or U.S. Social Security Number (SSN) and/or custom patterns in HTTP responses. Disabled by default. |
| [Deny and Allow IP lists]({{< ref "/waf/policies/deny-allow-ip.md" >}}) | Manually define denied & allowed IP addresses as well as IP addresses to never log. |
| [Do-nothing]({{< ref "/waf/policies/do-nothing.md" >}}) | Do-nothing allows you to configure the avoidance of inspecting or parsing content of a URL. |
| [Disallowed file type extensions]({{< ref "/waf/policies/disallowed-extensions.md" >}}) | Support any file type, and includes a predefined list of file types by default |
| [Evasion techniques]({{< ref "/waf/policies/evasion-techniques.md" >}}) | All evasion techniques are enabled by default, and can be disabled individually. These include directory traversal, bad escaped characters and more. |
| [Geolocation]({{< ref "/waf/policies/geolocation.md" >}}) | The geolocation feature allows you to configure enforcement based on the location of an object using the two-letter ISO code representing a country. |
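Review bot: the new Do-nothing row breaks the alphabetical order of the table: it is inserted between "Deny and Allow IP lists" and "Disallowed file type extensions", but "Do" sorts after "Di", so it belongs after the Disallowed file type extensions row. Its description also reads awkwardly ("configure the avoidance of inspecting or parsing content of a URL"); suggest "Skip inspection and parsing of requests to specific URLs." to match the terse style of the neighbouring rows.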
@@ -20,10 +21,13 @@
| [IP address lists]({{< ref "/waf/policies/ip-address-lists.md" >}}) | Organize lists of allowed and forbidden IP addresses across several lists with common attributes. |
| [IP intelligence]({{< ref "/waf/policies/ip-intelligence.md" >}}) | Configure the IP Intelligence feature to customize enforcement based on the source IP of the request, limiting access from IP addresses with questionable reputation. |
| [JWT protection]({{< ref "/waf/policies/jwt-protection.md" >}}) | JWT protection allows you to configure policies based on properties of JSON web tokens, such as their header and signature properties. |
| [Override rules]({{< ref "/waf/policies/override-rules.md" >}}) | Override rules allow you to override default policy settings under specific conditions. |
| [Server technology signatures]({{< ref "/waf/policies/server-technology-signatures.md" >}}) | Support adding signatures per added server technology. |
| [Time-based signature staging]({{< ref "/waf/policies/time-based-signature-staging.md" >}}) | Time-based signature staging allows you to stage signatures for a specific period of time. During the staging period, violations of staged signatures are logged but not enforced. After the staging period ends, violations of staged signatures are enforced according to the policy's enforcement mode. |
| [Threat campaigns]({{< ref "/waf/policies/threat-campaigns.md" >}}) | These are patterns that detect all the known attack campaigns. They are very accurate and have almost no false positives, but are very specific and do not detect malicious traffic that is not part of those campaigns. The default policy enables threat campaigns but it is possible to disable it through the respective violation. |
| [User-defined HTTP headers]({{< ref "/waf/policies/user-headers.md" >}}) | Handling headers as a special part of requests |
| [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) | Use user-defined properties when configuring violations. |
| [XFF trusted headers]({{< ref "/waf/policies/xff-headers.md" >}}) | Disabled by default, and can accept an optional list of custom XFF headers. |
| [XML and JSON content]({{< ref "/waf/policies/xml-json-content.md" >}}) | XML content and JSON content profiles detect malformed content and signatures in the element values. Default policy checks maximum structure depth. It is possible to enable more size restrictions: maximum total length of XML/JSON data, maximum number of elements and more. |

{{< /table >}}
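Review bot: same ordering issue in this hunk: the "Time-based signature staging" row is placed before "Threat campaigns", although "Th" sorts before "Ti"; move it below the Threat campaigns row so the table stays alphabetical.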
4 changes: 2 additions & 2 deletions content/waf/install/virtual-environment.md
@@ -162,10 +162,10 @@ Add F5 WAF for NGINX dependencies:
sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
```

Enable the _codeready-builder_ repository:
Enable F5 WAF for NGINX dependencies:

```shell
sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
sudo dnf config-manager --set-enabled crb
```

Install the F5 WAF for NGINX package and its dependencies:
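Review bot: `dnf config-manager --set-enabled crb` only works on distributions that ship a repository with the id `crb` (CentOS Stream, Rocky Linux, AlmaLinux); on RHEL 9 registered with subscription-manager the repository id is `codeready-builder-for-rhel-9-x86_64-rpms`, and the removed `subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms` is the command that enables it there, so dropping it leaves RHEL users with a step that fails because no `crb` repo exists. Keep both commands with one sentence saying which applies to which distribution, and mention that `dnf config-manager` requires the dnf-plugins-core package. The new heading "Enable F5 WAF for NGINX dependencies:" also duplicates the preceding step "Add F5 WAF for NGINX dependencies:" and no longer says what is being enabled; "Enable the CodeReady Builder (CRB) repository:" keeps that information.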
100 changes: 100 additions & 0 deletions content/waf/logging/custom-dimensions.md
@@ -0,0 +1,100 @@
---
title: Custom dimensions for log entries
toc: false
weight: 200
nd-content-type: reference
nd-product: NAP-WAF
---

Custom dimensions log entries feature refers to the new configuration in F5 WAF for NGINX, where the new directive called `app_protect_custom_log_attribute` is assigned to a particular location or server or http level in the `nginx.conf` file. The need is to be able to add custom identifiers to the respective location and/or server and identify requests in the Security Log by those identifiers.

The `app_protect_custom_log_attribute` directive will be used to track the assigned location/server/http dimension of each request by adding the `app_protect_custom_log_attribute` to the **Security Logs** a.k.a **Request Logs**. Since it is a custom attribute a customer can set, that custom attribute will appear for every request log entry that was handled by that location/server.

### Configuration

A new directive `app_protect_custom_log_attribute` will be added to the `nginx.conf` file. You can set this directive at all scopes: http, server and location. The setting at the location scope overrides the setting in the server and/or http scopes and the server scope overrides the http scope. The `app_protect_custom_log_attribute` directive syntax will consist of a **name/value** or **key/value** pair i.e. "app_protect_custom_log_attribute <name> <value>".

Example Configuration:

In the below example, we are configuring the `app_protect_custom_log_attribute` directive at the server and location level where we define the **key/value** pair as one string.

```nginx

user nginx;
load_module modules/ngx_http_app_protect_module.so;
error_log /var/log/nginx/error.log debug;

events {
worker_connections 65536;
}
server {

listen 80;

server_name localhost;
proxy_http_version 1.1;
app_protect_custom_log_attribute ‘environment' 'env1';

location / {

app_protect_enable on;
app_protect_custom_log_attribute gateway gway1;
app_protect_custom_log_attribute component comp1;
proxy_pass http://172.29.38.211:80$request_uri;
}
}
```

The **key/value** pair will be 'environment env1', ‘gateway gway1’ and ‘component comp1’ in the above examples, i.e.

- app_protect_custom_log_attribute environment env1;
- app_protect_custom_log_attribute gateway gway1;
- app_protect_custom_log_attribute component comp1;

The above key/value pair will be parsed as below:

```shell
"customLogAttributes": [
{
"name": "gateway",
"value": "gway1"
},
{
"name": "component",
"value": "comp1"
},
]
```

### Things to Remember While Configuring the Custom Dimensions Log Entries

The `app_protect_custom_log_attribute` directive has a few limitations which should be kept in mind while configuring this directive:

- Key and value strings are limited to 64 chars
- Maximum possible directive numbers are limited to 10 (in total) in each context i.e. Limit of 10 keys and values

### Errors and Warnings

An error message "`app_protect_custom_log_attribute` directive is invalid" will be displayed in the Security Log if the below conditions are met:

1. If the `app_protect_custom_log_attribute` exceeds the maximum number of 10 directives
2. If the `app_protect_custom_log_attribute` exceeds the maximum name length of 64 chars
3. If the `app_protect_custom_log_attribute` exceeds the maximum value of 64 chars

Error message example:

```shell
app_protect_custom_log_attribute directive is invalid. Number of app_protect_custom_log_attribute directives exceeds maximum
```

### Logging and Reporting

When `app_protect_custom_log_attribute` is assigned to a particular location/server/http context, it will appear in the `json_log` field as a new JSON property called "customLogAttributes" at the top level. The property will not appear if no `app_protect_custom_log_attribute` directive was assigned.

Attributes at the http level applies to all servers and locations unless a specific server or location overrides the same key with a different value. Same goes for the server level and all locations under it. In the below example, the "environment" attribute will appear in logs of all locations under that server.

Security logging example in json_log:

```json
""customLogAttribute"":[{""name"":""component"",""value"":""comp1""},{""name"":""gateway"",""value"":""gway1""}]}"
```
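Review bot: the configuration example will not load as written: `server {` sits directly after `events {}` instead of inside an `http {}` block, and the server-level directive uses a typographic opening quote (`‘environment'`) that nginx will treat as part of the token, so the key would not be `environment`. Wrap the server in `http { ... }` and use plain quotes, or none, as the two location-level directives already do. The "parsed as below" snippet is fenced as `shell` but holds JSON, ends the array with a trailing comma (invalid JSON), and omits the server-level `environment` attribute even though the Logging and Reporting section says a server-level key appears in every location under that server; the snippet should show all three entries. The final json_log example has doubled quotes and a stray trailing `}"` (a CSV-escaped copy) and names the property `customLogAttribute`, while the prose two paragraphs above calls it `customLogAttributes`; please paste the raw JSON and use the same property name in both places. Finally, please confirm that the "directive is invalid" message really appears in the Security Log: a directive rejected while the configuration is read would normally surface in the error log or in `nginx -t` output, not in per-request security log entries.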
2 changes: 1 addition & 1 deletion content/waf/logging/debug-logs.md
@@ -1,7 +1,7 @@
---
title: Debug logs
toc: false
weight: 400
weight: 500
nd-content-type: reference
nd-product: NAP-WAF
---
2 changes: 1 addition & 1 deletion content/waf/logging/operation-logs.md
@@ -1,7 +1,7 @@
---
title: Operation logs
toc: false
weight: 300
weight: 400
nd-content-type: reference
nd-product: NAP-WAF
---
2 changes: 1 addition & 1 deletion content/waf/logging/security-logs.md
@@ -1,7 +1,7 @@
---
title: Security logs
toc: true
weight: 200
weight: 300
nd-content-type: reference
nd-product: NAP-WAF
---
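Review bot: with the new custom-dimensions.md at `weight: 200` and this page moved to `weight: 300`, the Custom dimensions page now sorts above Security logs in the section navigation, although custom log attributes are a property of the security log and the new page itself refers readers to it. If that ordering is not intended, leave this page at 200 and give custom-dimensions.md weight 300; the operation-logs (400) and debug-logs (500) changes in this PR can stay as they are.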
6 changes: 6 additions & 0 deletions content/waf/policies/_index.md
@@ -1,5 +1,11 @@
---
title: "Policies"
url: /waf/policies/
cascade:
nd-banner:
enabled: true
type: deprecation
start-date: 2025-09-30
md: /_banners/waf-parameter-reference.md
weight: 400
---
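Review bot: `type: deprecation` does not match the banner it points at, which is a plain `note` telling readers where the parameter reference lives; if nothing is actually being deprecated, a non-deprecation banner type avoids flagging every policy page as deprecated. Also, because `cascade` applies to every page under /waf/policies/, the banner will render on the parameter-reference page as well and link back to itself; add a way to suppress it there (for example a page-level `nd-banner` with `enabled: false` in parameter-reference.md, if the theme supports overriding the cascaded value).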
2 changes: 1 addition & 1 deletion content/waf/policies/attack-signatures.md
@@ -203,7 +203,7 @@ To exclude multiple attack signatures, each signature ID needs to be added as a

In the previous examples, the signatures were disabled for all the requests that are inspected by the respective policy. You can also exclude signatures for specific URLs or parameters, while still enable them for the other URLs and parameters.

The topics [User-defined URLs]() and [User-defined parameters]() have more details.
The topic [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}) has more details.

In some cases, you may want to remove a whole signature set that was included in the default policy. For example, a protected application may not use XML and is not vulnerable to XPath injection.
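Review bot: the link replacement is correct, since both topics now live on the single User-defined URLs and parameters page. While this paragraph is being edited, the unchanged context line above has a grammar slip ("while still enable them" should be "while still enabling them"); worth fixing in the same change.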
