diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md
new file mode 100644
index 000000000..5ad373350
--- /dev/null
+++ b/content/includes/nap-waf/config/common/ip-groups-override-rules.md
@@ -0,0 +1,73 @@
+#### IP-Groups feature as part of Override Rules feature.
+
+The Override Rules feature allows you to modify original or parent policy settings.
+
+Rules are defined using specific conditions, which can include an IP group based on the declarative policy JSON schema.
+
+When triggered, the rule is applied to the _clientIp_ attribute using the _matches_ function.
+
+'clientIp.matches(ipAddressLists["standalone"])'
+
+Here is a policy example:
+
+```json
+{
+ "policy": {
+ "name": "ip_group_override_rule",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "applicationLanguage": "utf-8",
+ "caseInsensitive": false,
+ "enforcementMode": "blocking",
+ "ip-address-lists": [
+ {
+ "name": "standalone",
+ "description": "This is my list of IP addresses",
+ "ipAddresses": [
+ {
+ "ipAddress": "6.5.3.3/32"
+ },
+ {
+ "ipAddress": "6.5.4.2"
+ }
+ ]
+ }
+ ],
+ "override-rules": [
+ {
+ "name": "myFirstRule",
+ "condition": "clientIp.matches(ipAddressLists['standalone'])",
+ "actionType": "violation",
+ "violation": {
+ "block": true,
+ "alarm": true,
+ "attackType": {
+ "name": "Forceful Browsing"
+ },
+ "description": "Attempt to access from clientIp",
+ "rating": 4
+ }
+ }
+ ],
+ "general": {
+ "trustXff": true
+ }
+ }
+}
+```
+
+The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".
+The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone".
+The value used for the override condition must exist and exactly match the name in "ip-address-lists".
+
+#### Possible errors
+
+| Error text | Input | Explanation |
+| -----------| ------------- | ------------ |
+| _Invalid field invalidList_ | _clientIp.matches(invalidList['standalone']);_ | An incorrect keyword was used instead of _ipAddressLists_ |
+| _Invalid value empty string_ | _clientIp.matches(ipAddressLists['']_ | An empty name was provided |
+| _Failed to compile policy - 'ipGroupOverridePolicy'_ | _uri.matches(ipAddressLists['standalone']);_ | Used _ipAddressLists_ without the _clientIP_ attribute |
+
+
+
diff --git a/content/includes/nap-waf/config/common/ip-groups-overview.md b/content/includes/nap-waf/config/common/ip-groups-overview.md
new file mode 100644
index 000000000..635cd4c67
--- /dev/null
+++ b/content/includes/nap-waf/config/common/ip-groups-overview.md
@@ -0,0 +1,86 @@
+IP groups is a feature to organize lists of allowed and forbidden IP addresses across several lists with common attributes.
+
+This allows you to control unique policy settings for incoming requests based on specific IP addresses.
+
+Each IP Group contains a unique name, enforcement type (_always_, _never_ and _policy-default_), and list of IP addresses.
+
+
+An example of a declarative policy using IP Groups configuration:
+
+```json
+{
+ "policy": {
+ "name": "IpGroups_policy",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "applicationLanguage": "utf-8",
+ "caseInsensitive": false,
+ "enforcementMode": "blocking",
+ "ip-address-lists": [
+ {
+ "name": "Standalone",
+ "description": "Optional Description",
+ "blockRequests": "policy-default",
+ "setGeolocation": "IN",
+ "ipAddresses": [
+ {
+ "ipAddress": "1.2.3.4/32"
+ },
+ {
+ "ipAddress": "1111:fc00:0:112::2"
+ }
+ ]
+ }
+ ]
+ }
+}
+
+```
+The example with IP-Group definition in external file external_ip_groups.json:
+
+```json
+{
+ "policy": {
+ "name": "IpGroups_policy2",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "applicationLanguage": "utf-8",
+ "caseInsensitive": false,
+ "enforcementMode": "blocking",
+ "ip-address-lists": [
+ {
+ "name": "external_ip_groups",
+ "description": "Optional Description",
+ "blockRequests": "always",
+ "setGeolocation": "IL",
+ "ipAddresses": [
+ {
+ "ipAddress": "31.8.194.27"
+ }
+ ],
+ "$ref": "file:///tmp/policy/external_ip_groups.json"
+ }
+ ]
+ }
+}
+```
+Example of the file external_ip_groups.json
+
+```json
+{
+ "name": "External Ip Groups List",
+ "description": "Optional Description",
+ "blockRequests": "always",
+ "setGeolocation": "IR",
+ "ipAddresses": [
+ {
+ "ipAddress": "66.51.41.21"
+ },
+ {
+ "ipAddress": "66.52.42.22"
+ }
+ ]
+}
+```
diff --git a/content/nap-waf/v4/configuration-guide/configuration.md b/content/nap-waf/v4/configuration-guide/configuration.md
index 025870d05..4f709e149 100644
--- a/content/nap-waf/v4/configuration-guide/configuration.md +++ b/content/nap-waf/v4/configuration-guide/configuration.md @@ -478,6 +478,15 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} +## IP Groups + +### Overview + +{{< include "nap-waf/config/common/ip-groups-overview.md" >}} + +### IP Groups in Policy Override Rules Conditions + +{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} ## JSON Web Token Protection diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md index a17322367..c936023fa 100644 --- a/content/nap-waf/v5/configuration-guide/configuration.md +++ b/content/nap-waf/v5/configuration-guide/configuration.md @@ -475,6 +475,16 @@ For the full reference of Override Rules condition syntax and usage see the NGIN {{< include "nap-waf/config/common/geolocation-override-rules.md" >}} +## IP Groups + +### Overview + +{{< include "nap-waf/config/common/ip-groups-overview.md" >}} + +### IP Groups in Policy Override Rules Conditions + +{{< include "nap-waf/config/common/ip-groups-override-rules.md" >}} + ## JSON Web Token Protection ### Overview