feature: Secure your fleet, NGINX One

content/includes/nginx-one/how-to/generate-data-plane-key.md

@@ -0,0 +1,19 @@
+---
+docs:
+files:
+  - content/nginx-one/secure-your-fleet/secure.md
+  - content/nginx-one/getting-started.md
+---
+
+A data plane key is a security token that ensures only trusted NGINX instances can register and communicate with NGINX One.
+
+To generate a data plane key, select **Manage > Instances > Add Instance**:
+
+- **For a new key:** In the **Add Instance** pane, select **Generate Data Plane Key**.
+- **To reuse an existing key:** If you already have a data plane key and want to use it again, select **Use existing key**. Then, enter the key's value in the **Data Plane Key** box.
+
+{{<call-out "caution" "Data plane key guidelines" "fas fa-key" >}}
+Data plane keys are displayed only once and cannot be retrieved later. Be sure to copy and store this key securely.
+
+Data plane keys expire after one year. You can change this expiration date later by [editing the key]({{< ref "nginx-one/connect-instances/create-manage-data-plane-keys.md#change-expiration-date" >}}). If you [revoke a data plane key]({{< ref "nginx-one/connect-instances/create-manage-data-plane-keys.md#revoke-data-plane-key" >}}) you disconnect all instances registered with that key.
+{{</call-out>}}

content/includes/nginx-one/how-to/install-nginx-agent.md

@@ -0,0 +1,44 @@
+---
+docs:
+files:
+  - content/nginx-one/secure-your-fleet/secure.md
+  - content/nginx-one/getting-started.md
+---
+
+After entering your data plane key, you'll see a `curl` command to install NGINX Agent, similar to the one below. Copy and run this command on each NGINX instance. Once installed, NGINX Agent typically registers with NGINX One within a few seconds.
+
+{{<call-out "important" "Connecting to NGINX One" >}}
+ Ensure that any firewall rules you have in place for your NGINX hosts allow network traffic to port `443` for all of the following IPs:
+
+- `3.135.72.139`
+- `3.133.232.50`
+- `52.14.85.249`
+
+NGINX Agent must be able to establish a connection to NGINX One Console's Agent endpoint (`agent.connect.nginx.com`). 
+{{</call-out>}}
+
+To install NGINX Agent on an NGINX instance:
+
+1. **Check if NGINX is running and start it if it's not:**
+
+    First, see if NGINX is running:
+
+    ```shell
+    sudo systemctl status nginx
+    ```
+
+    If the status isn't `Active`, go ahead and start NGINX:
+
+    ```shell
+    sudo systemctl start nginx
+    ```
+
+2. **Install NGINX Agent:**
+
+    Next, use the `curl` command provided to you to install NGINX Agent:
+
+    ``` shell
+    curl https://agent.connect.nginx.com/nginx-agent/install | DATA_PLANE_KEY="YOUR_DATA_PLANE_KEY" sh -s -- -y
+    ```
+
+   - Replace `YOUR_DATA_PLANE_KEY` with your actual data plane key.

content/nginx-one/_index.md

@@ -34,12 +34,12 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
     {{<card title="Connect more NGINX instances" titleUrl="/nginx-one/connect-instances/" >}}
       Work with data plane keys, containers, and proxy servers
     {{</card>}}
+    {{<card title="Secure your fleet" titleUrl="/nginx-one/secure-your-fleet/" >}}
+      Configure alerts that match your security policies
+    {{</ card >}}
     {{<card title="Manage your NGINX instances" titleUrl="/nginx-one/nginx-configs/" >}}
       Manage one instance or groups of instances. Monitor certificates. Set up metrics.
     {{</card>}}
-    {{<card title="Secure with NGINX App Protect" titleUrl="/nginx-one/nap-integration/" >}}
-      Set up security policies by instance and group
-    {{</card>}}
     {{<card title="Connect Kubernetes deployments" titleUrl="/nginx-one/k8s/">}}
       Monitor deployments for CVEs and certificates
     {{</ card >}}
@@ -50,13 +50,13 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
 
 {{<card-layout>}}
   {{<card-section showAsCards="true" >}}
-    {{<card title="Connect Kubernetes deployments" titleUrl="/nginx-one/k8s/">}}
-      Monitor deployments for CVEs and certificates
-    {{</ card >}}
+    {{<card title="Secure with NGINX App Protect" titleUrl="/nginx-one/nap-integration/" >}}
+      Set up security policies by instance and group
+    {{</card>}}
     {{<card title="Organize users with RBAC" titleUrl="/nginx-one/rbac/" >}}
       Assign responsibilities with role-based access control 
     {{</card>}}
-    {{<card title="Automate with the NGINX One Console API" titleUrl="/nginx-one/api/" >}}
+    {{<card title="Automate with the NGINX One API" titleUrl="/nginx-one/api/" >}}
       Manage your NGINX fleet over REST
     {{</card>}}
     {{<card title="Glossary" titleUrl="/nginx-one/glossary/" >}}

content/nginx-one/secure-your-fleet/_index.md

@@ -0,0 +1,6 @@
+---
+title: Secure your fleet
+description:
+weight: 450
+url: /nginx-one/secure-your-fleet
+---

content/nginx-one/secure-your-fleet/secure.md

@@ -0,0 +1,166 @@
+---
+title: "Set up security alerts"
+weight: 500
+toc: true
+nd-content-type: how-to
+nd-product: NGINX One
+---
+
+Set up alerts in F5 Distributed Cloud to track CVEs and insecure configurations across your NGINX fleet.
+
+These instructions are for those responsible for keeping their NGINX infrastructure and application traffic secure. Before you begin, make sure you know how to:
+
+- Install Linux programs or run Docker containers
+
+By the end of this tutorial, you'll be able to:
+
+- Access the NGINX One Console in F5 Distributed Cloud
+- Connect NGINX instances to the NGINX One Console
+- Review Security Risks associated with your NGINX fleet
+- Configure Alert Policies in F5 Distributed Cloud
+
+## Background
+
+NGINX One Console is a service to monitor and manage NGINX. It's a part of the F5 Distributed Cloud and is included with all NGINX and F5 Distributed Cloud subscriptions. While NGINX is built to be secure and stable, critical vulnerabilities can occasionally emerge – and misconfigurations may leave your applications or APIs exposed to attacks. 
+
+## Before you begin
+
+If you already have accessed F5 Distributed Cloud and have NGINX instances available, you can skip these steps and start to connect instances to the NGINX One Console.
+
+### Confirm access to the F5 Distributed Cloud
+
+Make sure your F5 Distributed Cloud tenant is provisioned before continuing.
+
+Log in to the [MyF5](https://my.f5.com) customer portal and check your subscriptions. Look for **Distributed Cloud** under one of your subscriptions. It might appear under an NGINX subscription or a dedicated Distributed Cloud subscription.
+
+If you don’t see Distributed Cloud listed, contact your F5 account team or Customer Success Manager.
+
+Once your tenant is provisioned, you or someone in your organization should receive an email from `[email protected]` prompting you to set a password. The **account name** shown in bold in the email is your tenant name.
+
+To access the F5 Distributed Cloud Console, go to: `https://INSERT_YOUR_TENANT_NAME.console.ves.volterra.io/`
+
+If you haven’t logged in before:
+- Select **Forgot password?** on the login screen.
+
+If someone in your organization already has access:
+- Ask them to add you as a user in your tenant.
+- Make sure the role they assign gives you the right permissions.
+
+### Confirm access to NGINX One Console in the F5 Distributed Cloud
+
+Once you've logged in with your password, you should be able to see and select the NGINX One tile. 
+
+1. Select the **NGINX One** tile
+1. Select **Visit Service**
+
+### Install an instance of NGINX
+
+Ensure you have an instance of [NGINX Open Source or NGINX Plus]({{< ref "/nginx/admin-guide/installing-nginx/" >}}) installed and available. This guide shows you how to connect an instance installed on a Linux system (VM or bare metal hardware) where you have command line access.
+Alternatively, you can [deploy NGINX Open Source or NGINX Plus with Docker]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-docker.md" >}}). This method includes the NGINX Agent and uses environment variables to connect the deployment.
+
+## Connect at least one NGINX instance to the NGINX One Console
+
+If you've already connected instances to the NGINX One Console, you can [configure an active alert policy]({{< ref "/nginx-one/secure-your-fleet/secure.md#configure-an-active-alert-policy" >}}).
+
+If not, you’ll need to add an instance, generate a data plane key, and install NGINX Agent. This guide assumes you're connecting an instance for the first time.
+
+### Add an instance
+
+{{< include "/nginx-one/how-to/add-instance.md" >}}
+
+### Generate a data plane key
+
+{{< include "/nginx-one/how-to/generate-data-plane-key.md" >}}
+
+### Install NGINX Agent
+
+{{< include "/nginx-one/how-to/install-nginx-agent.md" >}}
+
+You can also install NGINX Agent from our repositories and configure it manually. Alternatively you can use our official NGINX Docker images, pre-configured with NGINX Agent.
+
+## Configure an active alert policy
+
+The NGINX One Console monitors all connected NGINX instances for CVEs and insecure configurations.
+
+With F5 Distributed Cloud alert policies, you can choose how to receive alerts for these risks. This guide shows how to set up email alerts.
+
+F5 Distributed Cloud generates alerts from all its services, including the NGINX One Console.
+
+You can create rules to send those alerts to the receiver of your choice. This guide shows how to set up email notifications for new CVEs or other security issues detected in your NGINX instances.
+
+This page describes basic steps to set up an email alert. For authoritative documentation, see
+[Alerts - Email & SMS](https://docs.cloud.f5.com/docs-v2/shared-configuration/how-tos/alerting/alerts-email-sms).
+
+## Configure alerts to be sent to your email
+
+To configure security-related alerts, follow these steps:
+
+1. Go to the F5 Distributed Cloud Console at https://INSERT_YOUR_TENANT_NAME.console.ves.volterra.io. 
+1. Select **Audit Logs & Alerts**
+1. Select **Alerts Management > Alert Receivers**
+1. Select **Add Alert Receiver**
+   1. Enter the name of your choice.
+   1. (Optional) Specify a label and description.
+1. Under **Receiver**, select **Email** and enter your email address.
+1. Select **Add Alert Receiver**
+   Your alert receiver should now appear on the list of Alert Receivers.
+1. Select the **Actions** ellipsis (...) for your receiver. Select **Verify Email**.
+1. Select **Send email** to confirm.
+1. You should receive a verification code in the email provided. Copy that code.
+1. Under the **Actions** column, select **Enter verification code**.
+1. Paste the code and select **Verify receiver**.
+
+## Configure Alert Policy
+
+Next, configure the policy that identifies when you'll get an alert. You'll need to reference available alerts in our [NGINX One Console Glossary]({{< ref "/nginx-one/glossary.md#nginx-alerts/" >}}). Relevant security alerts include:
+
+- SecurityRecommendationNGINX
+- HighCVENGINX
+- MediumCVENGINX
+- LowCVENGINX
+
+1. Go to **Alerts Management > Alert Policies**.
+1. Select **Add Alert Policy**.
+   1. Enter the name of your choice. You're limited to lower-case characters, numbers, and dashes.
+   1. (Optional) Specify a label and description.
+1. Under **Alert Reciever Configuration > Alert Receivers,** select the **Alert Receiver** you just created.
+1. Under **Policy Rules** select **Configure**.
+1. In the **Policy Rules** screen that appears, select **Add Item**.
+1. In the **Route** window that appears, review the **Select Alerts** drop-down.
+1. Under **Select Alerts** select a filter. Now select **Matching Custom Criteria > Alertname > Configure**. In the screen that appears, use **Exact Match** and copy/paste an alert name from the [NGINX One Console Glossary]({{< ref "/nginx-one/glossary.md#nginx-alerts" >}}).
+1. Select **Apply** to exit the **Alertname** window.
+1. Select **Apply** to exit the **Route** window.
+1. Select **Apply** to exit the **Policy Rules** window.
+1. You can now select the **Add Alert policy** button.
+1. Set the **Action as Send** and select **Apply**.
+
+## Create more alert policies  
+
+Repeat the process described in [Configure Alert Policy](#configure-alert-policy) section. Repeat again if and as needed for all of the alerts in the 
+[NGINX One Console Glossary]({{< ref "/nginx-one/glossary.md#nginx-alerts/" >}}).
+
+## Activate the alert policy
+
+Now to make sure your new policy works, add your new policies to the list of **Active Alert Policies**. To do so:
+
+1. Select **Alerts Management > Active Alert Policies**
+1. Select **Select Active Alert Policies**. 
+1. In the **Select Active Alert Policies** window, select **Add Item**
+1. In the drop-down box that appears, select the Alert Policy that you created. 
+1. Select the **Add Select Active Alert Policies** button.	
+1. Select **Add Item**
+
+You've now set up F5 Distributed Cloud to send you alerts from the NGINX One Console to your email. When an alert is triggered, you'll receive a message from **[email protected]**.
+
+## Summary
+
+In this tutorial, you learned how to:
+
+- Access the NGINX One Console
+- Connect an NGINX instance
+- Configure and activate an alert
+
+## Next steps
+
+Now that you have NGINX instances connected to the NGINX One Console, consider reviewing our [use cases]({{< ref "/nginx-one/" >}}) to see how you can easily manage your NGINX instances, draft new configurations, and more.
+Additionally, you can review how to add additional Alert Receivers such as [SMS](https://docs.cloud.f5.com/docs-v2/shared-configuration/how-tos/alerting/alerts-email-sms), [Slack](https://docs.cloud.f5.com/docs-v2/shared-configuration/how-tos/alerting/alerts-slack), [PagerDuty](https://docs.cloud.f5.com/docs-v2/shared-configuration/how-tos/alerting/alerts-pagerduty), or with a [webhook](https://docs.cloud.f5.com/docs-v2/shared-configuration/how-tos/alerting/alerts-webhook).