# F5 WAF for NGINX integration overview You can now integrate the features of F5 WAF for NGINX v4 and v5 in F5 NGINX One Console. F5 WAF for NGINX offers advanced Web Application Firewall (WAF) capabilities. Through the NGINX One Console UI, you can now set up the [F5 WAF for NGINX](/waf/) firewall. This solution provides robust security and scalability. ## Features Once you've connected to the NGINX One Console, select **WAF > Policies**. You can add new policies or edit existing policies, as defined in the [F5 WAF for NGINX Configure policies](/waf/policies/configuration.md) topic. Through the NGINX One Console UI, you can: - [Add and configure a policy](/nginx-one-console/waf-integration/policy/configure-policy.md/) - [Review existing policies](/nginx-one-console/waf-integration/policy/review-policy.md/) - [Deploy policies](/nginx-one-console/waf-integration/policy/deploy-policy.md/) on instances and Config Sync Groups - [Configure log profiles](/nginx-one-console/waf-integration/log-profiles/configure-log-profiles.md/) that control how security events are logged and formatted for monitoring and analysis - [Review log profiles](/nginx-one-console/waf-integration/log-profiles/review-log-profiles.md/) - [Deploy log profiles](/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md/) to instances and Config Sync Groups You can also set up policies through the [NGINX One Console API](/nginx-one-console/waf-integration/policy/security-policy-api.md/), and log profiles through the [Log Profile API](/nginx-one-console/waf-integration/log-profiles/log-profile-api.md/). Log profiles define the format, destination, and filtering criteria for security logs generated by F5 WAF for NGINX. For detailed information about security logging capabilities, see [Security Logs](/waf/logging/security-logs.md). ## Set up F5 WAF for NGINX You can [install and upgrade F5 WAF for NGINX](/waf/install/) ### Container-related configuration requirements F5 WAF for NGINX has specific requirements for the configuration with Docker containers: #### WAF Policy - Directory associated with the volume, which you may configure in a `docker-compose.yaml` file. - You may set it up with the `volumes` directive with a directory like `/etc/nginx/app_protect_policies`. - You need to set up the container volume. So when the policy bundle is referenced in the `nginx` directive, the file path is what the container sees. - You need to also include an `app_protect_policy_file`, as described in [F5 WAF for NGINX Directives](/waf/policies/directives.md) - You'll need to set a policy bundle (in compressed tar format) in a configured `volume`. - Make sure the directory for [NGINX Agent](/agent/configuration/) includes `/etc/nginx/app_protect_policies`. When you deploy NAP policy through NGINX One Console, do not also use plain JSON policy in the same NGINX instance. #### Log profiles To use security logs with F5 WAF for NGINX in containers, you need to set up the following: - **Compile log profiles**: Before you apply a log configuration, you need to [Compile the log profile](/nginx-one-console/waf-integration/log-profiles/configure-log-profiles.md#compile-the-log-profile) the JSON log configuration file into a logging profile bundle (in compressed tar format). - **Configure NGINX directives** in `nginx.conf`: - Add `app_protect_security_log_enable on` to enable security logging in the respective context (`http`, `server`, or `location`). - Add `app_protect_security_log` to specify the log profile bundle path and destination. For example: `app_protect_security_log /mounted_host_dir/logging_profile.tgz /mounted_host_dir/security.log`. - **Mount volumes for log destinations**: Because logs are generated from the `waf-enforcer` container, you need to mount paths to the host when using file destinations. You can configure this in your `docker-compose.yaml` file with the `volumes` directive.