Add and configure a policy
This document describes how you can configure a security policy in the F5 NGINX One Console. When you add a policy, NGINX One Console includes several UI-based options and presets, based on NGINX App Protect WAF.
If you already know NGINX App Protect WAF, you can go beyond the options available in the UI.
From NGINX One Console, select App Protect > Policies. In the screen that appears, select Add Policy. That action opens a screen where you can:
- In General Settings, name and describe the policy.
- You can also set one of the following enforcement modes:
- Transparent
- Blocking
For details, see the Glossary, specifically the entry: Enforcement mode. You’ll see this in the associated configuration file as the enforcementMode property.
You can also set a character encoding. The default encoding is Unicode (utf-8). To set a different character encoding, select Show Advanced Fields and select the Application Language of your choice.
With the NGINX One Console user interface, you get a default policy. You can also select NGINX Strict for a more rigorous policy.
The base template is the common starting point for any policy you write. The default policy is that template without any further modifications, so the terms base template and default policy are used interchangeably. The default policy appears as follows:
{
  "policy": {
    "name": "app_protect_default_policy",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }
  }
}
The default policy enforces violations by Violation Rating, the risk assessment App Protect computes for a request based on the violations it triggered:
- 0: No violation
- 1-2: False positive
- 3: Needs examination
- 4-5: Threat
The default policy enables most of the violations and signature sets with Alarm turned ON, but not Block. These violations and signatures, when detected in a request, affect the violation rating. By default, if the violation rating is calculated to be malicious (4-5), the request is blocked by the VIOL_RATING_THREAT violation. This is true even if the other violations and signatures detected in that request have the Block flag turned OFF. It is the VIOL_RATING_THREAT violation, with its Block flag turned ON, that causes the blocking, but indirectly the combination of all the other violations and signatures in Alarm is what pushed the rating high enough to block the request. By default, requests with a lower violation rating are not blocked, except for the specific violations described below. This minimizes false positives. You can change the default behavior, however. For example, if you also want to block on a violation rating of 3, enable blocking for the VIOL_RATING_NEED_EXAMINATION violation.
The following violations and signature sets have a low chance of being false positives and are, therefore, configured by default to block the request regardless of its Violation Rating:
- High accuracy attack signatures
- Threat campaigns
- Malformed request: unparsable header, malformed cookie and malformed body (JSON or XML).
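The following is an added example, not code from NGINX One Console or NGINX App Protect WAF. It ties together the two things this page describes: building a policy on the base template with the enforcement mode, Application Language and a VIOL_RATING_NEED_EXAMINATION override set, and the blocking decision that the Violation Rating section explains. The policy keys enforcementMode, applicationLanguage and blocking-settings/violations (entries with name, alarm and block) are assumed to follow the App Protect policy JSON schema; the page itself only shows name and template and names the enforcementMode property. The would_block function is a simplified model of the behavior the page documents, not the engine's own algorithm, and it assumes a policy with no explicit enforcementMode is treated as blocking.

```python
import copy
import json

# The default policy exactly as the page shows it: the base template, no overrides.
DEFAULT_POLICY = {
    "policy": {
        "name": "app_protect_default_policy",
        "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
    }
}

# Violation Rating bands from the page; ratings 0-2 raise no rating violation.
RATING_VIOLATION = {
    3: "VIOL_RATING_NEED_EXAMINATION",
    4: "VIOL_RATING_THREAT",
    5: "VIOL_RATING_THREAT",
}

# Per the page, only VIOL_RATING_THREAT has Block turned ON in the base template.
DEFAULT_BLOCKING = frozenset({"VIOL_RATING_THREAT"})


def customized_policy(name, enforcement_mode="blocking",
                      application_language="utf-8", block_need_examination=True):
    """Build a policy on the base template with the overrides the page describes.

    Assumption: the keys "enforcementMode", "applicationLanguage" and
    "blocking-settings" -> "violations" (name/alarm/block) are the App Protect
    policy schema; the page shows only "name" and "template".
    """
    if enforcement_mode not in ("transparent", "blocking"):
        raise ValueError("enforcementMode must be 'transparent' or 'blocking'")
    policy = copy.deepcopy(DEFAULT_POLICY)
    p = policy["policy"]
    p["name"] = name
    p["enforcementMode"] = enforcement_mode
    p["applicationLanguage"] = application_language
    if block_need_examination:
        # Turn Block on for rating 3 so "needs examination" requests are blocked too.
        violations = p.setdefault("blocking-settings", {}).setdefault("violations", [])
        violations.append({"name": "VIOL_RATING_NEED_EXAMINATION",
                           "alarm": True, "block": True})
    return policy


def policy_json(policy):
    """Serialize the policy as it would appear in the console's Policy JSON section."""
    return json.dumps(policy, indent=2)


def blocking_violations(policy):
    """Rating violations whose Block flag is on after applying the policy's overrides."""
    names = set(DEFAULT_BLOCKING)
    for v in policy["policy"].get("blocking-settings", {}).get("violations", []):
        if v.get("block"):
            names.add(v["name"])
        else:
            names.discard(v["name"])
    return names


def would_block(policy, violation_rating, independent_block_hit=False):
    """Simplified model of the decision the page describes (not the engine's code).

    independent_block_hit: True when a signature set or violation that blocks
    regardless of rating (high accuracy signatures, threat campaigns, malformed
    request) matched. Assumption: a missing enforcementMode means blocking.
    """
    if policy["policy"].get("enforcementMode", "blocking") != "blocking":
        return False  # transparent mode: alarm only, nothing is blocked
    if independent_block_hit:
        return True
    return RATING_VIOLATION.get(violation_rating) in blocking_violations(policy)


if __name__ == "__main__":
    custom = customized_policy("my_policy")
    print(policy_json(custom))
    for rating in range(6):
        print(rating, would_block(DEFAULT_POLICY, rating), would_block(custom, rating))
```

Running the script prints the customized policy JSON and, for each rating 0-5, whether the default policy and the customized one would block it: only 4 and 5 block under the default, while the customized policy also blocks 3. Switching enforcement_mode to "transparent" keeps every alarm but blocks nothing, which is the setting to use while tuning a new policy against real traffic.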
NGINX One Console includes a Policy JSON section which displays your policy in JSON format. What you configure here is written to your instance of NGINX App Protect WAF.
With the Edit option, you can customize this policy. It opens the JSON file in a local editor. When you select Save Policy, it saves the latest version of what you’ve configured. You’ll see your new policy under the name you used.
From NGINX One Console, you can review the policies that you’ve saved, along with their versions. Select App Protect > Policies. Select the policy that you want to review or modify.