feature: Secure your fleet, NGINX One

[mjang]

Proposed changes

Create end-to-end "use-case" documentation for admins / security engineers who want to use NGINX One Console to "Secure your fleet".

Fleets of NGINX deployments frequently include dozens and many more instances. With this use case, an admin/security engineer can set up the NGINX One Console to send them alerts for appropriate issues. Today, those issues include CVEs and other detected security "misconfigurations" identified by NGINX One Console.

This use case goes somewhat beyond NGINX One Console. This PR removes roadblocks to success in the following ways:

• It clarifies what users need to access the NGINX One Console, specifically with:

  • Supporting checks of appropriate licenses
  • Describing the detailed process of setting up a tenant

• It then shows users, step by step, how to set up notifications when one/more of their instances have CVEs and other detected security issues.

Replaces #637

Checklist

Before merging a pull request, run through this checklist and mark each as complete.

• I have read the contributing guidelines
• I have signed the F5 Contributor License Agreement (CLA)
• I have rebased my branch onto main
• I have ensured my PR is targeting the main branch and pulling from my branch from my own fork
• I have ensured that the commit messages adhere to Conventional Commits
• I have ensured that documentation content adheres to the style guide
• If the change involves potentially sensitive changes¹, I have assessed the possible impact
• If applicable, I have added tests that prove my fix is effective or that my feature works
• I have ensured that existing tests pass after adding my changes
• If applicable, I have updated README.md and CHANGELOG.md

Footnotes

1. Potentially sensitive changes include anything involving code, personally identify information (PII), live URLs or significant amounts of new or revised documentation. Please refer to our style guide for guidance about placeholder content. ↩

[github-actions]

✅ Deploy Preview will be available once build job completes!

Name	Link
😎 Deploy Preview	https://frontdoor-test-docs.nginx.com/previews/docs/731/

---

[ADubhlaoich]

LGTM. Small LOGAF non-blocking edit suggestions.

If the PR replaces #637, then that should probably be closed.

[jputrino]

I find the order in which the docs are presented confusing. Is "Manage your fleet" really before "Get started"? Shouldn't "Manage your instances" include items like Connect your instances and Draft configurations?

I could see 3 top-level headings on the landing page: Get started, Secure your fleet, and Manage your fleet. Or maybe 4, if we also add one for Admin tasks (like RBAC, metrics, etc.).

[mjang]

I find the order in which the docs are presented confusing. Is "Manage your fleet" really before "Get started"? Shouldn't "Manage your instances" include items like Connect your instances and Draft configurations?

I could see 3 top-level headings on the landing page: Get started, Secure your fleet, and Manage your fleet. Or maybe 4, if we also add one for Admin tasks (like RBAC, metrics, etc.).

Will be addressed in an internal issue (num-200 in internal-docs repo)

[mjang]

If that change doesn't get in, then we need to rewrite the adding alerts part of configure alert policy to something like this:

• Enable 'Show Advanced Fields'
• Choose Matching RegEx of Alertname
• Type in [name of CVE alert/security recommendation alert]

[mjang]

@travisamartin thank you for the detailed review. I've accepted all but 2 of your suggestions.

[mjang]

I now have set up and tested a working process for alerts with a production tenant of F5 Distributed Cloud. Here's a screenshot of an email notification

[mjang]

Based on separate discussions, @jasonclopper @travisamartin

Suggested change

	## Known issues
	When you set up an email alert that recognizes a problem, you'll see the alert in:
	- The F5 Distributed Cloud Console, in **Audit Logs & Alerts**, under **Notifications > Alerts**.
	- An email with a subject line like **<number> Alert Requires Action**.
	As defined in our [Alert Reference](https://docs.cloud.f5.com/docs-v2/platform/reference/alerts-reference), after a certain period of time, you may also receive an "Alert Resolved" email.
	For CVEs, the authoritative source is in **NGINX One**, under **Manage > Instances > <Instance hostname>.** See the list of CVEs on the dashboard details for that instance.

[travisamartin]

This section doesn’t describe the actual issue. The problem is that users may receive “Alert Resolved” emails even when the issue still exists, which is misleading.

If we don’t call out that behavior directly, I’m not sure “Known issues” is the right heading. As it stands, the text just tells users to defer to NGINX One Console as the source of truth.

[travisamartin]

Note: If you want to document this as a known issue, I recommend creating a KB article and linking to it from here. The KB system is the right place for that kind of content. It also helps make sure Global Services is aware of the problem.

[travisamartin]

The filename /secure-your-fleet/secure.md could be more descriptive.

Maybe /secure-your-fleet/set-up-security-alerts.md? That'd match the doc title.