# Configure policy sources Type of document: How-to guide Product: NGINX Gateway Fabric --- NGINX Gateway Fabric supports three policy source types for fetching compiled WAF bundles: F5 NGINX Instance Manager, F5 NGINX One Console, and direct HTTP/HTTPS URLs. For a quick start walkthrough using the HTTP source, see [Get started with F5 WAF for NGINX](/ngf/waf-integration/get-started.md). Before configuring a policy source, ensure that WAF is [enabled on the NginxProxy](/ngf/waf-integration/overview.md#enable-waf-on-the-nginxproxy) — either per Gateway or globally via Helm values. **Note:** By default, NGINX Gateway Fabric retries transient fetch failures up to 3 times with exponential backoff, and each fetch attempt times out after 30 seconds. You can tune these using the `retryAttempts` and `timeout` fields on `policySource` or `logSource`. --- ## NGINX Instance Manager (NGINX Instance Manager) Use this option when you manage WAF policies through NGINX Instance Manager. For details on creating and compiling policies in NGINX Instance Manager, see [How WAF policy management works](/nim/waf-integration/overview.md) and [Create a security policy bundle](/nim/waf-integration/policies-and-logs/bundles/create-bundle.md). **Workflow:** 1. Author and compile a policy in NGINX Instance Manager using the NGINX Instance Manager console or API. Verify that compilation succeeded before proceeding — NGINX Gateway Fabric cannot detect compilation failures in NGINX Instance Manager. 2. Create a Secret with your NGINX Instance Manager credentials. 3. Create a `WAFPolicy` referencing the compiled policy by name. ### Create the credentials Secret NGINX Instance Manager supports HTTP Basic Auth (username and password) or Bearer Token authentication. NGINX Gateway Fabric infers the authentication method from the keys present in the Secret: ```yaml kubectl apply -f - <" password: "" EOF ``` To use a Bearer Token instead, create the Secret with a `token` key: ```yaml kubectl apply -f - < EOF ``` ### Create a gateway-level WAFPolicy The following `WAFPolicy` targets the Gateway and protects all attached routes: ```yaml kubectl apply -f - < EOF ``` ### Create a WAFPolicy The following example uses `policyObjectID` to reference the policy directly. You can use `policyName` instead if you prefer to reference by name: ```yaml kubectl apply -f - <.console.ves.volterra.io namespace: default policyObjectID: pol_12345_WTHGmDEX9qnbVjQ policyVersionID: pv_Tm__12345oWmJgwxiKlHAg auth: secretRef: name: n1c-credentials securityLogs: - destination: type: syslog syslog: server: syslog-svc.default.svc.cluster.local:514 logSource: n1cSource: url: https://.console.ves.volterra.io namespace: default profileObjectID: "lp_8s8uZxLpThWwEGF7LTn_rA" auth: secretRef: name: n1c-credentials EOF ``` Replace `` with your NGINX One Console tenant hostname. The `namespace` field refers to the NGINX One Console namespace where the policy resides. **Note:** To pin a specific policy version, set `policyVersionID`. A pinned version always resolves to the same compiled bundle, so polling should be disabled to avoid unnecessary network requests. If you use only `policyName` or `policyObjectID` without a version pin, the latest compiled bundle is fetched on each reconciliation or poll cycle. --- ## HTTP/HTTPS server Use this option when you compile WAF policies using the F5 WAF compiler CLI or a CI/CD pipeline and host the resulting bundle on an HTTP/HTTPS server. For details on using the compiler, see [Build and use the compiler tool](/waf/configure/compiler.md). For a complete walkthrough including policy compilation and a bundle server deployment, see [Get started with F5 WAF for NGINX](/ngf/waf-integration/get-started.md). For production environments, you would typically host compiled bundles on an HTTPS server with authentication. See [Configure WAF settings](/ngf/waf-integration/configuration.md) for details on adding credentials, custom CA certificates, and checksum verification to your `policySource`. --- ## Management console visibility When using NGINX Instance Manager or NGINX One Console as your policy source, be aware that neither management console currently displays WAF policy deployments to NGINX Gateway Fabric, nor does it show which compiled bundle versions NGINX Gateway Fabric has fetched. This is by design: NGINX Gateway Fabric pulls compiled bundles from the management plane using a pull model and deploys them directly in Kubernetes using native Kubernetes manifests, rather than through the NGINX Instance Manager or NGINX One Console console. This workflow ensures that policies can be created, compiled, and made available to NGINX Gateway Fabric via API without requiring console-managed deployment flows. Policy association visibility for NGINX Instance Manager and NGINX One Console will be added in a future release. In the meantime, use `kubectl describe wafpolicy ` to check deployment status. ### Connect NGINX Gateway Fabric to F5 NGINX One Console Ensure that NGINX Gateway Fabric is configured to connect to NGINX One Console. Follow the guidance at [Connect NGINX Gateway Fabric with Helm](/nginx-one-console/k8s/add-ngf-helm.md) or [Connect NGINX Gateway Fabric with Manifests](/nginx-one-console/k8s/add-ngf-manifests.md) before continuing. ### Export security logs to F5 NGINX One Console Although the NGINX One Console console does not display which policies are deployed to NGINX Gateway Fabric data planes, you can export WAF security events to the NGINX One Console security dashboard. This gives your security operations team visibility into blocked attacks, violations, and traffic patterns directly in the console. To enable this, configure a `securityLogs` entry that sends events to the NGINX Agent's built-in OpenTelemetry collector, which forwards them to NGINX One Console. Use a log profile compiled for the NGINX One Console security dashboard: ```yaml kubectl apply -f - <.console.ves.volterra.io namespace: default policyName: "ngfExample" auth: secretRef: name: n1c-credentials securityLogs: - destination: type: syslog syslog: server: localhost:1514 logSource: n1cSource: url: https://.console.ves.volterra.io namespace: default profileName: "secops_dashboard" auth: secretRef: name: n1c-credentials EOF ``` The `localhost:1514` syslog destination points to the NGINX Agent's OpenTelemetry collector receiver, which runs as a sidecar in the NGINX Pod. The agent forwards the security events to the NGINX One Console console, where they appear in the security monitoring dashboard. **Note:** The `profileName: "secops_dashboard"` log profile must exist in your NGINX One Console namespace. This profile is required for events to appear correctly in the NGINX One Console security dashboard. --- ## See also - [F5 WAF for NGINX overview](/ngf/waf-integration/overview.md) - [Configure WAF settings](/ngf/waf-integration/configuration.md) - [Troubleshoot WAFPolicy status](/ngf/waf-integration/troubleshooting.md) - [WAFPolicy and NginxProxy API reference](/ngf/reference/api.md)