diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md
deleted file mode 100644
index 5ad373350..000000000
--- a/content/includes/nap-waf/config/common/ip-groups-override-rules.md
+++ /dev/null
@@ -1,73 +0,0 @@
-#### IP-Groups feature as part of Override Rules feature.
-
-The Override Rules feature allows you to modify original or parent policy settings.
-
-Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema.
-
-When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function.
-
-'clientIp.matches(ipAddressLists["standalone"])'
-
-Here is a policy example:
-
-```json
-{
- "policy": {
- "name": "ip_group_override_rule",
- "template": {
- "name": "POLICY_TEMPLATE_NGINX_BASE"
- },
- "applicationLanguage": "utf-8",
- "caseInsensitive": false,
- "enforcementMode": "blocking",
- "ip-address-lists": [
- {
- "name": "standalone",
- "description": "This is my list of IP addresses",
- "ipAddresses": [
- {
- "ipAddress": "6.5.3.3/32"
- },
- {
- "ipAddress": "6.5.4.2"
- }
- ]
- }
- ],
- "override-rules": [
- {
- "name": "myFirstRule",
- "condition": "clientIp.matches(ipAddressLists['standalone'])",
- "actionType": "violation",
- "violation": {
- "block": true,
- "alarm": true,
- "attackType": {
- "name": "Forceful Browsing"
- },
- "description": "Attempt to access from clientIp",
- "rating": 4
- }
- }
- ],
- "general": {
- "trustXff": true
- }
- }
-}
-```
-
-The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".
-The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone".
-The value used for the override condition must exist and exactly match the name in "ip-address-lists".
-
-#### Possible errors
-
-| Error text | Input | Explanation |
-| -----------| ------------- | ------------ |
-| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ |
-| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided |
-| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ | Used _ipAddressLists_ without the _clientIP_ attribute |
-
-
-
diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md
deleted file mode 100644
index 635cd4c67..000000000
--- a/content/includes/nap-waf/config/common/ip-groups-overview.md
+++ /dev/null
@@ -1,86 +0,0 @@
-IP groups is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.
-
-This allows you to control unique policy settings for incoming requests based on specific IP addresses.
-
-Each IP Group contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses.
-
-
-An example of a declarative policy using IP Groups configuration:
-
-```json
-{
- "policy": {
- "name": "IpGroups_policy",
- "template": {
- "name": "POLICY_TEMPLATE_NGINX_BASE"
- },
- "applicationLanguage": "utf-8",
- "caseInsensitive": false,
- "enforcementMode": "blocking",
- "ip-address-lists": [
- {
- "name": "Standalone",
- "description": "Optional Description",
- "blockRequests": "policy-default",
- "setGeolocation": "IN",
- "ipAddresses": [
- {
- "ipAddress": "1.2.3.4/32"
- },
- {
- "ipAddress": "1111:fc00:0:112::2"
- }
- ]
- }
- ]
- }
-}
-
-```
-The example with IP-Group definition in external file external_ip_groups.json:
-
-```json
-{
- "policy": {
- "name": "IpGroups_policy2",
- "template": {
- "name": "POLICY_TEMPLATE_NGINX_BASE"
- },
- "applicationLanguage": "utf-8",
- "caseInsensitive": false,
- "enforcementMode": "blocking",
- "ip-address-lists": [
- {
- "name": "external_ip_groups",
- "description": "Optional Description",
- "blockRequests": "always",
- "setGeolocation": "IL",
- "ipAddresses": [
- {
- "ipAddress": "31.8.194.27"
- }
- ],
- "$ref": "file:///tmp/policy/external_ip_groups.json"
- }
- ]
- }
-}
-```
-Example of the file external_ip_groups.json
-
-```json
-{
- "name": "External Ip Groups List",
- "description": "Optional Description",
- "blockRequests": "always",
- "setGeolocation": "IR",
- "ipAddresses": [
- {
- "ipAddress": "66.51.41.21"
- },
- {
- "ipAddress": "66.52.42.22"
- }
- ]
-}
-```
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md
index 4f709e149..025870d05 100644
--- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -478,15 +478,6 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} -## IP Groups - -### Overview - -{{< include "nap-waf/config/common/ip-groups-overview.md" >}} - -### IP Groups in Policy Override Rules Conditions - -{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} ## JSON Web Token Protection diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index c936023fa..a17322367 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -475,16 +475,6 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} -## IP Groups - -### Overview - -{{< include "nap-waf/config/common/ip-groups-overview.md" >}} - -### IP Groups in Policy Override Rules Conditions - -{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} - ## JSON Web Token Protection ### Overview