Update ip-groups-override-rules.md (#680)

kudriavitsky · web-flow · commit d0f58a28089a · 2025-06-17T11:57:34.000+01:00
change example of override-rules
diff --git a/content/includes/nap-waf/config/common/ip-groups-override-rules.md b/content/includes/nap-waf/config/common/ip-groups-override-rules.md
@@ -23,39 +23,31 @@ Here is a policy example:
     "ip-address-lists": [ 
       { 
         "name": "standalone", 
-        "description": "This is my list of IP addresses", 
         "ipAddresses": [ 
           { 
-            "ipAddress": "6.5.3.3/32" 
-          }, 
-          { 
-            "ipAddress": "6.5.4.2" 
+            "ipAddress": "1.1.1.1/32" 
           } 
         ] 
       } 
      ], 
      "override-rules": [ 
       { 
-        "name": "myFirstRule", 
+        "name": "myRule1", 
         "condition": "clientIp.matches(ipAddressLists['standalone'])", 
-        "actionType": "violation", 
-        "violation": { 
-          "block": true, 
-          "alarm": true, 
-          "attackType": { 
-            "name": "Forceful Browsing" 
-          }, 
-          "description": "Attempt to access from clientIp", 
-          "rating": 4
-        }
+        "actionType": "extend-policy",
+        "override": {
+          "policy": {
+            "enforcementMode": "transparent"
+          }
+        }  
       }
-    ],
+    ]
   }
 }
 ```
 
 The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".
-The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". 
+The condition means that the rule enforcement is applied and override base policy enforcement when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone". 
 The value used for the override condition must exist and exactly match the name in "ip-address-lists".  
 
 #### Possible errors

Original file line number	Diff line number	Diff line change
`@@ -23,39 +23,31 @@ Here is a policy example:`
`23`	`23`	`"ip-address-lists": [`
`24`	`24`	`{`
`25`	`25`	`"name": "standalone",`
`26`		`- "description": "This is my list of IP addresses",`
`27`	`26`	`"ipAddresses": [`
`28`	`27`	`{`
`29`		`- "ipAddress": "6.5.3.3/32"`
`30`		`- },`
`31`		`- {`
`32`		`- "ipAddress": "6.5.4.2"`
	`28`	`+ "ipAddress": "1.1.1.1/32"`
`33`	`29`	`}`
`34`	`30`	`]`
`35`	`31`	`}`
`36`	`32`	`],`
`37`	`33`	`"override-rules": [`
`38`	`34`	`{`
`39`		`- "name": "myFirstRule",`
	`35`	`+ "name": "myRule1",`
`40`	`36`	`"condition": "clientIp.matches(ipAddressLists['standalone'])",`
`41`		`- "actionType": "violation",`
`42`		`- "violation": {`
`43`		`- "block": true,`
`44`		`- "alarm": true,`
`45`		`- "attackType": {`
`46`		`- "name": "Forceful Browsing"`
`47`		`- },`
`48`		`- "description": "Attempt to access from clientIp",`
`49`		`- "rating": 4`
`50`		`- }`
	`37`	`+ "actionType": "extend-policy",`
	`38`	`+ "override": {`
	`39`	`+ "policy": {`
	`40`	`+ "enforcementMode": "transparent"`
	`41`	`+ }`
	`42`	`+ }`
`51`	`43`	`}`
`52`		`- ],`
	`44`	`+ ]`
`53`	`45`	`}`
`54`	`46`	`}`
`55`	`47`	```
`56`	`48`
`57`	`49`	`The previous example policy contains an IP group with the name "standalone", used for the override rule condition "clientIp.matches(ipAddressLists['standalone'])".`
`58`		`-The condition means that the rule enforcement is applied when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone".`
	`50`	`+The condition means that the rule enforcement is applied and override base policy enforcement when clientIp is matched to one of ipAddresses in ipAddressList with name "standalone".`
`59`	`51`	`The value used for the override condition must exist and exactly match the name in "ip-address-lists".`
`60`	`52`
`61`	`53`	`#### Possible errors`