How WAF policy management works
F5 NGINX Instance Manager helps you manage F5 WAF for NGINX security configurations.
Use NGINX Instance Manager with F5 WAF for NGINX to inspect incoming traffic, detect threats, and block malicious requests. You can define policies in one place and push them to some or all of your F5 WAF for NGINX instances.
- Manage WAF policies using the NGINX Instance Manager web interface or REST API
- Update attack signature and threat campaign packages
- Compile WAF configurations into a binary bundle for deployment
NGINX Instance Manager lets you define and manage security policies, upload signature packages, and push configurations to your F5 WAF for NGINX instances. It can also compile your security configuration into a bundle before publishing it to the data plane.
The Security Monitoring module shows real-time data from F5 WAF for NGINX so you can track traffic, spot anomalies, and fine-tune policies.

Figure 1. NGINX Instance Manager with NGINX App Protect architecture overview
NGINX Instance Manager includes a compiler that packages your complete WAF configuration — security policies, attack signatures, threat campaigns, and log profiles — into a single .tgz file. It then pushes this bundle to the selected F5 WAF for NGINX instances.
Why precompile with NGINX Instance Manager?
- Saves system resources on WAF instances
- Lets you reuse the same bundle across multiple instances
If you choose to compile policies on the WAF instance instead, that works too—but with this limitation:
- NGINX Instance Manager won’t publish .json policies to the WAF instance. These policies must already exist on the instance and be referenced in the NGINX config.
Example location block to enable WAF and point to the bundle:
location / {
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/policies/policy_bundle.tgz;
}

You can also configure NGINX Instance Manager to compile log profiles when you install a new version of the compiler. When publishing NGINX configs that include the app_protect_security_log directive, NGINX Instance Manager pushes the compiled log profile to your WAF instances (when precompiled publication is turned on).
NGINX Instance Manager and Security Monitoring both use log profiles, but their configurations are different. If you’re using configuration management in NGINX Instance Manager, you must reference the log profile with the .tgz file extension, not .json.
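The following pre-publish check is an added example, not part of the NGINX Instance Manager documentation or product. It scans an NGINX config for app_protect_policy_file and app_protect_security_log references that end in .json, and reports them according to the two rules above. The function name, the sample config and the paths under /api and /etc/app_protect/conf are constructed for illustration.

```python
import re

# Directives whose first argument is a policy or log-profile file.
# The trailing \s+ keeps app_protect_security_log_enable from matching.
DIRECTIVE = re.compile(
    r"^\s*(app_protect_policy_file|app_protect_security_log)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|([^\s;]+))"
)

def lint_waf_refs(conf_text, precompiled=True):
    """Return (line_no, directive, path, level) for each .json reference."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore comments (simplification)
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive = m.group(1)
        path = next(g for g in m.groups()[1:] if g)  # quoted or bare argument
        if not path.endswith(".json"):
            continue  # .tgz bundles are what the compiler produces
        if directive == "app_protect_policy_file" and not precompiled:
            # Compiling on the WAF instance: allowed, but the .json policy is
            # not published and must already exist on the instance.
            level = "note"
        else:
            # Precompiled publication, or any log profile under configuration
            # management: the reference must be the compiled .tgz.
            level = "error"
        findings.append((line_no, directive, path, level))
    return findings

# Constructed sample config; only policy_bundle.tgz appears on this page.
SAMPLE = '''location / {
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/policies/policy_bundle.tgz;
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=127.0.0.1:514;
}
location /api {
    app_protect_enable on;
    # app_protect_policy_file /etc/app_protect/policies/old.json;
    app_protect_policy_file /etc/app_protect/policies/api_policy.json;
}
'''

if __name__ == "__main__":
    for line_no, directive, path, level in lint_waf_refs(SAMPLE):
        print(f"{level}: line {line_no}: {directive} -> {path}")
```

Pass precompiled=False when policies are compiled on the WAF instance; .json policy references are then reported as notes rather than errors.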
Use the NGINX Instance Manager REST API to automate updates across your F5 WAF for NGINX instances. You can use the API to manage:
- Security policies
- Log profiles
- Attack signatures
- Threat campaigns
Just like with the web interface, the compiler creates a binary bundle with your updates that you can push to your WAF instances.

Figure 2. NGINX Instance Manager with F5 WAF for NGINX architecture overview
For full details, see the API documentation:
You can access the NGINX Instance Manager API documentation from the web interface:
- Log in to the FQDN of your NGINX Instance Manager host.
- Select API Documentation from the Launchpad menu.
- On the left menu, select NIM and Platform API.