Initial WAF support for NGINXaaS for Google

Support for enabling WAF per deployment, NGINX configurations with WAF,
and WAF logging.

Author: edarzins

content/includes/nginxaas-google/logging-config-security-logs.md

@@ -0,0 +1,17 @@
+---
+f5-product: NGOOGL
+f5-files:
+- content/nginxaas-google/monitoring/enable-nginx-logs.md
+---
+
+You can enable security logs by adding **app_protect_security_log** directives to your NGINX configuration to specify the location of the logs and formats. The log path should always be configured to be inside **/var/log/app_protect**.
+
+```nginx
+app_protect_security_log_enable on;
+app_protect_security_log log_default /var/log/app_protect/security.log;
+```
+
+NGINXaaS does not support custom logging profiles and is limited to the [default logging profiles]({{< ref "/waf/logging/logs-overview.md#default-logging-profile-bundles" >}}).
+
+{{< call-out "warning" >}}Keep F5 WAF for NGINX logs in the **/var/log/app_protect** directory. Otherwise, you may lose data from your logs.
+{{< /call-out >}}

content/nginxaas-google/changelog.md

@@ -12,6 +12,15 @@ Learn about the latest updates, new features, and resolved bugs in F5 NGINXaaS f
 
 To see a list of currently active issues, visit the [Known issues]({{< ref "/nginxaas-google/known-issues.md" >}}) page.
 
+
+## May 15, 2026
+
+- {{% icon-feature %}} **NGINXaaS for Google now supports F5 WAF for NGINX (Preview)**
+
+You can now deploy NGINXaaS with [F5 WAF for NGINX]({{< ref "/waf" >}}); an advanced high-performance web application firewall (WAF) to provide protection from OWASP Top 10 web application security risks.
+
+**Note:** This feature is currently in Preview and free to use during the preview period. Custom security policies and custom logging profiles are not yet supported.
+
 ## April 16, 2026
 
 - {{% icon-feature %}} **NGINXaaS for Google now supports Managed Public Endpoint deployments (Preview)**

content/nginxaas-google/getting-started/create-deployment/deploy-console.md

@@ -60,6 +60,7 @@ Next, create a new NGINXaaS deployment using the NGINXaaS Console:
    - Add an optional description for your deployment.
    - Change the **NCU Capacity** if needed.
       - The default value of `20 NCU` should be adequate for most scenarios.
+   - Enable **WAF** if you want [F5 WAF for NGINX]({{< ref "/waf" >}}) enabled for your deployment.
    - In the Apply Configuration section, select an NGINX configuration [you created earlier](#create-or-import-an-nginx-configuration) from the **Choose Configuration** list.
    - Select a **Configuration Version** from the list.
    - In the Cloud Details section, enter the network attachment ID that [you created earlier](#create-a-network-attachment) or select it in the  **Network attachment** list.
@@ -78,7 +79,7 @@ In the NGINXaaS Console,
 
 1. To open the details of your deployment, select its name from the list of deployments.
    - You can view the details of your deployment, including the status, region, network attachment, NGINX configuration, and more.
-1. Select **Edit** to modify the deployment description, and NCU Capacity.
+1. Select **Edit** to modify the deployment description, NCU Capacity, and WAF enablement.
    - You can also configure monitoring from here. Detailed instructions can be found in [Enable Monitoring]({{< ref "/nginxaas-google/monitoring/enable-monitoring.md" >}})
 1. Select **Update** to save your changes.
 1. Select the Configuration tab to view the current NGINX configuration associated with the deployment.

content/nginxaas-google/getting-started/nginx-configuration/overview.md

@@ -78,7 +78,9 @@ For connection and request rate limiting, consider using these NGINX modules:
 
 ## Configuration directives list
 
-NGINXaaS supports a limited set of NGINX directives.
+NGINXaaS supports a limited set of NGINX directives. The directives with the "app_protect" prefix require [F5 WAF for NGINX]({{< ref "/waf" >}}) to be enabled for the deployment.
+
+NGINXaaS does not yet support F5 WAF for NGINX custom security policies or logging profiles. Support is limited to the [prebuilt policies]({{< ref "/waf/policies/configuration.md#default-policy" >}}) and the [default logging profiles]({{< ref "/waf/logging/logs-overview.md#default-logging-profile-bundles" >}}).
 
 {{< details summary="Alphabetical index of directives">}}
 
@@ -99,6 +101,19 @@ NGINXaaS supports a limited set of NGINX directives.
 [allow (ngx_stream_access_module)](https://nginx.org/en/docs/stream/ngx_stream_access_module.html#allow)\
 [ancient_browser](https://nginx.org/en/docs/http/ngx_http_browser_module.html#ancient_browser)\
 [ancient_browser_value](https://nginx.org/en/docs/http/ngx_http_browser_module.html#ancient_browser_value)\
+[app_protect_compressed_requests_action]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_compressed_requests_action" >}})\
+[app_protect_cookie_seed]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_cookie_seed" >}})\
+[app_protect_cpu_thresholds]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_cpu_thresholds" >}})\
+[app_protect_custom_log_attribute]({{< ref "/waf/policies/directives/#f5-waf-for-nginx-directives:~:text=app_protect_custom_log_attribute" >}})\
+[app_protect_enable]({{< ref "/waf/policies/directives/#f5-waf-for-nginx-directives:~:text=modules/ngx_http_app_protect_module.so-,app_protect_enable" >}})\
+[app_protect_failure_mode_action]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_failure_mode_action" >}})\
+[app_protect_physical_memory_util_thresholds]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_physical_memory_util_thresholds" >}})\
+[app_protect_policy_file](<{{< ref "/waf/policies/directives/#f5-waf-for-nginx-directives:~:text=app_protect_enable%20on-%2Capp_protect_policy_file" >}}>)\
+[app_protect_reconnect_period_seconds]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_reconnect_period_seconds" >}})\
+[app_protect_request_buffer_overflow_action]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_request_buffer_overflow_action" >}})\
+[app_protect_security_log]({{< ref "/waf/policies/directives/#f5-waf-for-nginx-directives:~:text=app_protect_security_log" >}})\
+[app_protect_security_log_enable]({{< ref "/waf/policies/directives/#f5-waf-for-nginx-directives:~:text=app_protect_security_log_enable" >}})\
+[app_protect_user_defined_signatures]({{< ref "/waf/policies/directives/#global-directives:~:text=app_protect_user_defined_signatures" >}})\
 [auth_basic](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html#auth_basic)\
 [auth_basic_user_file](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html#auth_basic_user_file)\
 [auth_delay](https://nginx.org/en/docs/http/ngx_http_core_module.html#auth_delay)\

content/nginxaas-google/monitoring/enable-nginx-logs.md

@@ -8,7 +8,7 @@ f5-content-type: how-to
 f5-product: NGOOGL
 ---
 
-F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud services to collect NGINX error and access logs.
+F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud services to collect NGINX error and access logs, and F5 WAF for NGINX security logs.
 
 ## Prerequisites
 
@@ -24,6 +24,10 @@ F5 NGINXaaS for Google (NGINXaaS) supports integrating with Google Cloud service
 
 {{< include "/nginxaas-google/logging-config-access-logs.md" >}}
 
+## Setting up F5 WAF for NGINX security logs
+
+{{< include "/nginxaas-google/logging-config-security-logs.md" >}}
+
 ## Export NGINX logs to a Google Cloud Project
 
 To enable sending logs to your desired Google Cloud project, you must specify the project ID when creating or updating a deployment. To create a deployment, see [our documentation on creating an NGINXaaS deployment]({{< ref "/nginxaas-google/getting-started/create-deployment/" >}}) for a step-by-step guide. To update the deployment, in the NGINXaaS console,