# Onboard custom security policies


> Upload and prepare your own security policy bundles for use with F5 NGINX Instance Manager.


After verifying that F5 WAF for NGINX is active on your instances, you can onboard your own custom security policies. Use this option when you need to apply application-specific rules or integrate policies created in other environments. You’ll upload your JSON policy files, package them into `.tgz` bundles, and publish them through **F5 NGINX Instance Manager**.

## Before you begin

- Make sure the policy you plan to onboard is valid JSON and follows the F5 WAF for NGINX schema.  
- Confirm that the NGINX Agent has permission to access the directory where you’ll store your bundles.  
- Review the [F5 WAF for NGINX configuration guide](/waf/policies/configuration.md) for examples of policy structure and directive usage.

## Upload and publish a custom policy

#### Web interface

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select **Instance Manager** from the Launchpad menu.
2. In the left menu, select **Security Policies**.
3. Choose **Upload Policy**, then select your `.json` or `.tgz` policy file.
4. If you uploaded a `.json` file, **NGINX Instance Manager** automatically compiles it into a `.tgz` bundle.
5. After upload, select **Publish** to make the policy available to your instances.

#### API

**Note:** Use tools such as `curl` or [Postman](https://www.postman.com) to send requests to the NGINX Instance Manager REST API.
The API base URL is `https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION>`.  
All requests require authentication. For details on authentication methods, see the [API overview](/nim/fundamentals/api-overview.md).

Use the **NGINX Instance Manager** REST API to onboard policies programmatically.

| Method | Endpoint |
|--------|-----------|
| POST | `/api/platform/v1/security/policies` |
| GET | `/api/platform/v1/security/policies` |

Example — upload and publish a policy:

```shell
curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
 -H "Authorization: Bearer <access token>" \
 --header "Content-Type: multipart/form-data" \
 -F "file=@my-custom-policy.json"
```

The API response includes the policy ID. Use that ID to reference your custom policy in your NGINX configuration:

```nginx
app_protect_policy_file /etc/nms/my-custom-policy.tgz;
```