Set up WAF configuration management
F5 NGINX Instance Manager helps you manage your NGINX App Protect WAF configurations, making it easier to stay secure. This guide walks you through how to set up NGINX Instance Manager to configure and manage NGINX App Protect WAF.
Make sure you’ve completed the following prerequisites before you get started:
- 
You have one or more NGINX App Protect WAF instances running. For supported versions, see Support for NGINX App Protect WAF. Note: If you’re using configuration management and Security Monitoring, follow the steps in the setup guide to set up your NGINX App Protect WAF instances first.
- 
You’re running NGINX Instance Manager v2.6.0 or later. Make sure it’s installed, licensed, and running. If you have a subscription to NGINX App Protect WAF, you can find your license in the subscription details section of MyF5. 
NGINX Instance Manager doesn’t support the following NGINX App Protect WAF features:
- Policies with external references
- Custom signatures
NGINX Instance Manager can use the WAF compiler to precompile security configurations before deploying them to NGINX App Protect WAF instances. Precompiling configurations improves performance and reduces the risk of runtime errors.
Install the WAF compiler on the NGINX Instance Manager host only if you plan to compile configurations on the management plane. If you’ll compile on the data plane, you can skip this step.
Each version of NGINX App Protect WAF has a matching WAF compiler version. If you’re managing multiple versions, install the corresponding WAF compiler for each one on the NGINX Instance Manager host.
The WAF compiler installs to the /opt directory. Make sure this directory has the correct permissions so the owner can write to it. A permission setting like 0755 is typically sufficient.
To keep track of instances running the same version, you can create instance groups.
For an overview of how the WAF compiler works, see the Security bundle compilation topic.
The table below shows which WAF compiler version to use for each version of NGINX App Protect WAF:
| NGINX App Protect WAF version | WAF compiler version | 
|---|---|
| 5.6.0 | nms-nap-compiler-v5.342.0 | 
| 5.5.0 | nms-nap-compiler-v5.264.0 | 
| 5.4.0 | nms-nap-compiler-v5.210.0 | 
| 5.3.0 | nms-nap-compiler-v5.144.0 | 
| 5.2.0 | nms-nap-compiler-v5.48.0 | 
| 5.1.0 | nms-nap-compiler-v5.17.0 | 
| 4.14.0 | nms-nap-compiler-v5.342.0 | 
| 4.13.0 | nms-nap-compiler-v5.264.0 | 
| 4.12.0 | nms-nap-compiler-v5.210.0 | 
| 4.11.0 | nms-nap-compiler-v5.144.0 | 
| 4.10.0 | nms-nap-compiler-v5.48.0 | 
| 4.9.0 | nms-nap-compiler-v5.17.0 | 
| 4.8.1 | nms-nap-compiler-v4.815.0 | 
| 4.8.0 | nms-nap-compiler-v4.762.0 | 
| 4.7.0 | nms-nap-compiler-v4.641.0 | 
| 4.6.0 | nms-nap-compiler-v4.583.0 | 
| 4.5.0 | nms-nap-compiler-v4.457.0 | 
| 4.4.0 | nms-nap-compiler-v4.402.0 | 
| 4.3.0 | nms-nap-compiler-v4.279.0 | 
| 4.2.0 | nms-nap-compiler-v4.218.0 | 
| 4.1.0 | nms-nap-compiler-v4.100.1 | 
| 4.0.0 | nms-nap-compiler-v4.2.0 | 
| 3.12.2 | nms-nap-compiler-v3.1088.2 | 
To install the WAF compiler on Debian or Ubuntu, run the following command:
sudo apt-get install nms-nap-compiler-v5.342.0If you want to install more than one version of the WAF compiler on the same system, append the --force-overwrite option to the install command after the first installation:
sudo apt-get install nms-nap-compiler-v5.342.0 -o Dpkg::Options::="--force-overwrite"Restart the nms-integrations service:
sudo systemctl restart nms-integrationsTo install the WAF compiler on RHEL 8.1 or later:
- 
Download the dependencies.repofile to the/etc/yum.repos.ddirectory:sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
- 
Enable the CodeReady Builder repository: sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
- 
Install the WAF compiler: sudo yum install nms-nap-compiler-v5.342.0
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
To install the WAF compiler on RHEL 7.4 or later or CentOS:
- 
Download the dependencies.repofile to the/etc/yum.repos.ddirectory:sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
- 
Enable the RHEL 7 server repositories: sudo yum-config-manager --enable rhui-REGION-rhel-server-optional rhui-REGION-rhel-server-releases rhel-7-server-optional-rpms
- 
Install the WAF compiler: sudo yum install nms-nap-compiler-v5.342.0
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
To install the WAF compiler on Amazon Linux 2 LTS:
- 
Download the required repo files to the /etc/yum.repos.ddirectory:sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms-amazon2.repo sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
- 
Enable the Extra Packages for Enterprise Linux (EPEL) repository: sudo amazon-linux-extras enable epel sudo yum clean metadata sudo yum install epel-release
- 
Install the WAF compiler: sudo yum install nms-nap-compiler-v5.342.0
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
To install the WAF compiler on Oracle Linux 7.4 or later:
- 
Download the dependencies.repofile to the/etc/yum.repos.ddirectory:sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
- 
Enable the ol8_codeready_builderrepository:sudo yum-config-manager --enable ol8_codeready_builder
- 
Install the WAF compiler: sudo yum install nms-nap-compiler-v5.342.0
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
If you can’t access the public NGINX repository, you can manually download the WAF compiler from MyF5.
To install the WAF compiler manually:
- 
Log in to MyF5. 
- 
Go to Resources > Downloads. 
- 
Select the following: - Group/Product Family: NGINX
- Product Line: NGINX App Protect
- Choose a Product version that matches your environment
- Select the Linux distribution, version, and architecture
 
- 
Download the appropriate .debor.rpmWAF compiler file.
- 
Transfer the file to your NGINX Instance Manager host. 
- 
Install the WAF compiler: - 
Debian or Ubuntu sudo apt-get install -f /path/to/nms-nap-compiler-<version>_focal_amd64.debTo install multiple versions, use: sudo apt-get install -f /path/to/nms-nap-compiler-<version>_focal_amd64.deb -o Dpkg::Options::="--force-overwrite"
- 
RHEL, CentOS, or Oracle Linux sudo yum install -f /path/to/nms-nap-compiler-<version>_el8.ngx.x86_64.rpm
 
- 
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
After you manually install at least one version of the NGINX App Protect WAF compiler, NGINX Instance Manager can automatically download and install additional versions as needed.
This typically happens when:
- A managed instance is upgraded to a new NGINX App Protect WAF version.
- You add a new instance running a different version of NGINX App Protect WAF.
To enable this automatic download feature, you need to upload your NGINX App Protect WAF certificate and key to NGINX Instance Manager. This step allows Instance Manager to securely connect to the NGINX package repository and retrieve the necessary files. You only need to upload the certificate and key once.
If the certificate is missing or invalid, or if NGINX Instance Manager can’t connect to the repository, you’ll see an error like:
missing the specific compiler, please install it and try again.This usually means the certificate and key are missing or incorrect, or that NGINX Instance Manager can’t connect to the NGINX repository.
Check the log file for errors:
/var/log/nms/nms.logIf you see the following message, your certificate and key might be invalid or expired:
error when creating the nginx repo retriever - NGINX repo certificates not foundIf needed, you can also install the WAF compiler manually.
NGINX App Protect WAF protects your applications using predefined and regularly updated detection patterns:
- 
Attack signatures: Known threat patterns used to detect common vulnerabilities and exploits. These are included with NGINX App Protect WAF and updated frequently to reflect the latest security threats. See the attack signatures documentation for more information. 
- 
Threat campaigns: Context-aware threat intelligence based on attack campaigns observed by F5 Threat Labs. These are updated even more frequently than attack signatures and require installation to take effect. Learn more in the threat campaigns documentation. 
To take advantage of the latest updates, you must upload the attack signature and threat campaign packages to NGINX Instance Manager.
You can either:
- Configure NGINX Instance Manager to automatically download new versions, or
- Manually download packages from MyF5 and upload them to NGINX Instance Manager using the REST API.
To enable automatic downloads, NGINX Instance Manager must authenticate with the NGINX repository. You do this by uploading the NGINX repository certificate and private key that come with your NGINX App Protect WAF subscription. Once uploaded, NGINX Instance Manager can securely retrieve the latest attack signature and threat campaign packages on your behalf.
Follow these steps to get and upload the certificate and key:
- 
Log in to MyF5. 
- 
Go to My Products and Plans > Subscriptions. 
- 
Download the following files from your NGINX App Protect WAF subscription: - nginx-repo.crt(certificate)
- nginx-repo.key(private key)
 
- 
Create a JSON file that includes the contents of both files. Replace newlines ( \n) in each file with literal\ncharacters so the certificate and key can be formatted correctly inside the JSON.Example request{ "name": "nginx-repo", "nginxResourceType": "NginxRepo", "certPEMDetails": { "caCerts": [], "password": "", "privateKey": "-----BEGIN PRIVATE KEY-----\n[content snipped]\n-----END PRIVATE KEY-----\n", "publicCert": "-----BEGIN CERTIFICATE-----\n[content snipped]\n-----END CERTIFICATE-----", "type": "PEM" } }
- 
Upload the file to NGINX Instance Manager using the REST API: curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/certs' \ --header "Authorization: Bearer <access token>" \ --header "Content-Type: application/json" \ -d @nginx-repo-certs.json
- 
If successful, you should see a response similar to this: Example response{ "certAssignmentDetails": [], "certMetadata": [ { "authorityKeyIdentifier": "<fingerprint>", "commonName": "<subscription name>", "expired": false, "expiry": 59789838, "issuer": "C=US, ST=Washington, L=Seattle, Inc., O=F5 Networks\\, OU=Certificate Authority, CN=F5 PRD Issuing Certificate Authority TEEM V1", "publicKeyType": "RSA (2048 bit)", "serialNumber": "<serial number>", "signatureAlgorithm": "SHA256-RSA", "subject": "CN=<subscription name>", "subjectAlternativeName": "", "subjectKeyIdentifier": "<fingerprint>", "thumbprint": "<thumbprint>", "thumbprintAlgorithm": "SHA256-RSA", "validFrom": "2021-12-21T16:57:55Z", "validTo": "2024-12-20T00:00:00Z", "version": 3 } ], "certPEMDetails": { "caCerts": [], "password": "**********", "privateKey": "**********", "publicCert": "[content snipped]", "type": "PEM" }, "created": "2023-01-27T23:42:41.587760092Z", "modified": "2023-01-27T23:42:41.587760092Z", "name": "nginx-repo", "serialNumber": "<serial number>", "uid": "d08d9f54-58dd-447a-a71d-6fa5aa0d880c", "validFrom": "2021-12-21T16:57:55Z", "validTo": "2024-12-20T00:00:00Z" }
NGINX Instance Manager can automatically download the latest Attack Signatures and Threat Campaign versions. To enable automatic downloads:
- 
Log in to the NGINX Instance Manager host using SSH. 
- 
Open the /etc/nms/nms.conffile in a text editor.
- 
Adjust the app_protect_security_updatesettings, as shown in the example below:integrations: # enable this for integrations on tcp # address: 127.0.0.1:8037 address: unix:/var/run/nms/integrations.sock dqlite: addr: 127.0.0.1:7892 app_protect_security_update: # enable this to automatically retrieve the latest Attack Signatures and Threat Campaigns enable: true # how often, in hours, to check for updates; default is 6 interval: 6 # how many updates to download; default is 10, max is 20 number_of_updates: 10
- 
Save the changes and close the file. 
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
If the NGINX App Protect WAF certificate and key are missing, invalid, or expired, you’ll see the following error:
error when creating the nginx repo retriever - NGINX repo certificates not foundThis means NGINX Instance Manager can’t connect to the NGINX repository to retrieve the packages. You may need to re-upload a valid certificate and key to resolve the issue.
If you prefer not to enable automatic updates, you can manually update the Attack Signature and Threat Campaign packages by downloading them from MyF5 and uploading them to NGINX Instance Manager.
- 
Log in to MyF5, then go to Resources > Downloads. 
- 
Select the following options in the product menu: - Group/Product Family: NGINX
- Product Line: NGINX App Protect
- Product Version: Choose a version that matches your WAF compiler version.
- Select your Linux Distribution, Version, and Architecture.
 
- 
Download the .debor.rpmpackages:- For Attack Signatures: package starts with app-protect-attack-signatures
- For Threat Campaigns: package starts with app-protect-threat-campaigns
 
- For Attack Signatures: package starts with 
- 
Extract the following three files from the package: - signatures.bin.tgz(or- threat_campaigns.bin.tgz)
- signature_update.yaml(or- threat_campaign_update.yaml)
- version
 Use tools like rpm2cpio | cpioorar(for.deb) to extract the files.
- 
Create a .tgzbundle that includes the three files. For example:tar -czvf attack-signatures.tgz signatures.bin.tgz signature_update.yaml version
Use the NGINX Instance Manager REST API to upload the .tgz files.
Upload Attack Signatures:
curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/security/attack-signatures' \
  --header "Authorization: Bearer <access token>" \
  --form 'revisionTimestamp="2022.11.16"' \
  --form 'filename=@"/attack-signatures.tgz"'Upload Threat Campaigns:
curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/security/threat-campaigns' \
  --header "Authorization: Bearer <access token>" \
  --form 'revisionTimestamp="2022.11.15"' \
  --form 'filename=@"/threat-campaigns.tgz"'Important The bundle you upload must match the OS of your NGINX Instance Manager host. For example, if the host is running Ubuntu 20.04, create the.tgzfrom the Ubuntu 20.04 package.
The Security Monitoring dashboards in NGINX Instance Manager rely on a Signature Database to show more information about triggered security violations, such as the signature’s name, accuracy, and risk level.
To keep the dashboards accurate and up to date, you need to update the Security Monitoring signature database.
For instructions, see the update signatures guide.
You can configure NGINX Instance Manager to automatically remove unused compiler resources:
- Compiled security policies
- Compiled security log profiles
- Attack Signatures
- Threat Campaigns
Only the compiled bundles are removed. NGINX Instance Manager does not delete the definitions for security policies or log profiles.
To enable compiler resource pruning:
- 
Log in to the NGINX Instance Manager host using SSH. 
- 
Open the /etc/nms/nms.conffile in a text editor.
- 
Update the policy_managersection underintegrationswith time-to-live (TTL) values for each resource type:integrations: address: unix:/var/run/nms/integrations.sock dqlite: addr: 127.0.0.1:7892 policy_manager: # Time to live for attack signatures. If the attack signatures exceed their TTL and are not # deployed to an instance or instance group, they will be deleted from the database. # Duration unit can be seconds (s), minutes (m), or hours (h). attack_signatures_ttl: 336h # Time to live for compiled bundles, including compiled security policies and log profiles. # If a compiled bundle exceeds its TTL and is not deployed to an instance or instance group, # it will be deleted from the database. The bundle is deleted, not the resource definition. compiled_bundles_ttl: 336h # Time to live for threat campaigns. If the threat campaigns exceed their TTL and are not # deployed to an instance or instance group, they will be deleted from the database. threat_campaigns_ttl: 1440h app_protect_security_update: enable: true interval: 6 number_of_updates: 10
- 
Save the file and close the editor. 
- 
Restart the nms-integrationsservice:sudo systemctl restart nms-integrations
NGINX Instance Manager runs the pruning process at startup and every 24 hours after the nms-integrations service starts.
To onboard your NGINX App Protect WAF instances to NGINX Instance Manager, install and configure the NGINX Agent on each instance.
- 
Use SSH to connect to the NGINX App Protect WAF instance. Repeat these steps for each instance you want to onboard. 
- 
Download the NGINX Agent package from the NGINX Instance Manager host and run the installation script. You can group instances that use the same version of NGINX App Protect WAF by using the optional --instance-groupflag in the install command.Note: Make suregpgis installed on your system before continuing. You can install NGINX Agent using command-line tools likecurlorwget.If your NGINX Instance Manager host doesn’t use valid TLS certificates, you can use the insecure flags to bypass verification. Here are some example commands: - 
   Secure: curl https://<NIM_FQDN>/install/nginx-agent | sudo sh
- 
   Insecure: curl --insecure https://<NIM_FQDN>/install/nginx-agent | sudo sh
 To add the instance to a specific instance group during installation, use the --instance-group(or-g) flag:curl https://<NIM_FQDN>/install/nginx-agent -o install.sh chmod u+x install.sh sudo ./install.sh --instance-group <instance group>By default, the install script uses a secure connection to download packages. If it can’t establish one, it falls back to an insecure connection and logs this message: Warning: An insecure connection will be used during this nginx-agent installationTo enforce a secure connection, set the --skip-verifyflag to false:curl https://<NIM_FQDN>/install/nginx-agent -o install.sh chmod u+x install.sh sudo ./install.sh --skip-verify false- 
   Secure: wget https://<NIM_FQDN>/install/nginx-agent -O - | sudo sh -s --skip-verify false
- 
   Insecure: wget --no-check-certificate https://<NIM_FQDN>/install/nginx-agent -O - | sudo sh
 To add your instance to a group during installation, use the --instance-group(or-g) flag:wget https://<NIM_FQDN>/install/nginx-agent -O install.sh chmod u+x install.sh sudo ./install.sh --instance-group <instance group>
- 
   
- 
Edit the NGINX Agent configuration file to enable support for NGINX App Protect WAF: sudo vi /etc/nginx-agent/nginx-agent.conf
- 
Update or confirm the following settings: config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect" extensions: - nginx-app-protect nginx_app_protect: report_interval: 15s precompiled_publication: trueThese settings: - Allow the agent to access NGINX App Protect WAF configuration directories.
- Enable the agent to detect changes in security configurations.
- Enable support for precompiled publication of WAF configurations from NGINX Instance Manager.
 You can also apply these settings automatically during installation by using the --nginx-app-protect-modeflag:curl https://<NMS_FQDN>/install/nginx-agent > install.sh sudo sh ./install.sh --nginx-app-protect-mode precompiled-publication
- 
Restart NGINX Agent: sudo systemctl restart nginx-agent
After installing and configuring the NGINX Agent, verify that your NGINX App Protect WAF instances appear in NGINX Instance Manager.
You should now be able to view your NGINX App Protect WAF instances in the Instance Manager user interface. Take the steps below to verify that NGINX Agent is installed and reporting data to Instance Manager.
- 
In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select Instance Manager from the Launchpad menu. 
- 
In the left menu, select Instances. 
- 
Confirm that each instance shows an NGINX App Protect WAF version in the NGINX App Protect column. 
- 
Select an instance and scroll to the App Protect Details section to confirm status and build information. 
<strong>See Also:</strong> You can use tools like <code>curl</code> or <a href="https://www.postman.com" target="_blank" rel="noopener">Postman</a> to interact with the NGINX Instance Manager REST API. The API URL is <code>https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION></code>, and each request requires authentication. For more details on authentication options, see the <a href="https://frontdoor-test-docs.nginx.com/previews/docs/539/nginx-instance-manager/fundamentals/api-overview/">API Overview</a>.
Use the REST API to confirm the version and status of NGINX App Protect WAF:
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/instances | 
| GET | /api/platform/v1/systems | 
- 
Send a GETrequest to/api/platform/v1/systemsto check version info:Example response: { "count": 3, "items": [ { "appProtect": { "attackSignatureVersion": "2022.11.16", "status": "active", "threatCampaignVersion": "2022.11.15", "version": "build-3.954.0" } } ] }
- 
Send a GETrequest to/api/platform/v1/instancesto check how many instances have NGINX App Protect WAF installed:Example response: { "count": 3, "items": [ [...] ], "nginxAppProtectWAFCount": 2, "nginxPlusCount": 3 }
Before configuring Docker Compose, make sure you’ve completed the following steps:
- Installed NGINX App Protect WAF v5 using the official installation guide.
- Created a docker-compose.yamlfile during the installation process.
This section explains how to modify that file so NGINX App Protect WAF can work with NGINX Instance Manager.
- 
Edit the docker-compose.yamlfile created during installation.To give NGINX App Protect WAF access to the policy and log profile bundles written by NGINX Instance Manager, make the following changes: - 
Add the line user: 101:<group-id>to each service. The group ID should match the NGINX Agent group on your system. You can find the group ID by running:cat /etc/group
- 
Add /etc/nmsto the volume maps for both services.Example: version: "3.9" services: waf-enforcer: container_name: waf-enforcer image: private-registry.nginx.com/nap/waf-enforcer:5.2.0 user: 101:1002 environment: - ENFORCER_PORT=50000 ports: - "50000:50000" volumes: - /opt/app_protect/bd_config:/opt/app_protect/bd_config - /etc/nms:/etc/nms networks: - waf_network restart: always waf-config-mgr: container_name: waf-config-mgr image: private-registry.nginx.com/nap/waf-config-mgr:5.2.0 user: 101:1002 volumes: - /opt/app_protect/bd_config:/opt/app_protect/bd_config - /opt/app_protect/config:/opt/app_protect/config - /etc/app_protect/conf:/etc/app_protect/conf - /etc/nms:/etc/nms restart: always network_mode: none depends_on: waf-enforcer: condition: service_started networks: waf_network: driver: bridge
 
- 
- 
Restart the containers: docker compose restart
NGINX Instance Manager provides the same default security policies as NGINX App Protect WAF:
- NGINX Default Policy: Provides OWASP Top 10 and Bot protection.
- NGINX Strict Policy: Contains more restrictive blocking criteria than the default policy.
If you plan to use these built-in policies, you can skip to Add WAF configuration to NGINX instances.
If you’ve created custom security policies on your NGINX App Protect WAF instances, you can upload them to NGINX Instance Manager using the REST API. These policies must be uploaded so NGINX Instance Manager can compile and publish them across your data plane.
To upload a policy, follow these steps:
- 
Encode the JSON policy using base64.Example: base64 -i ./ignore-xss-policy-example.json
- 
Create a JSON request that includes the base64-encoded policy from step 1 as the value for the contentfield.Replace the example string below with the actual base64-encoded output you generated. { "metadata": { "name": "ignore-xss-example", "displayName": "Ignore cross-site scripting example", "description": "Security policy that intentionally ignores cross-site scripting" }, "content": "<base64-encoded-policy>" }
- 
Send the request to the Instance Manager REST API to create the policy: curl -X POST https://<NIM_FQDN>/api/platform/v1/security/policies \ -H "Authorization: Bearer <access token>" \ -H "Content-Type: application/json" \ -d @policy.jsonYou should receive a success response with the policy metadata. 
- 
To verify that your policy was successfully onboarded, send a GET request: curl -X GET https://<NIM_FQDN>/api/platform/v1/security/policies \ -H "Authorization: Bearer <access token>"The response includes a list of all security policies managed by NGINX Instance Manager. 
The NGINX App Protect WAF configuration guide shows where and how to add security directives to your NGINX configuration. NGINX Instance Manager includes the same default security policies as NGINX App Protect WAF:
- NGINX Default Policy: Provides OWASP Top 10 and bot protection out of the box.
- NGINX Strict Policy: Contains more restrictive criteria for blocking traffic, with a higher risk of false positives.
You can use these default policies as-is or customize them for your app. Security Monitoring dashboards can help you fine-tune policy settings.
Keep the following in mind when configuring NGINX App Protect WAF through NGINX Instance Manager:
- 
Instance Manager compiles JSON security policies into .tgzbundles.
- 
Use the app_protect_policy_filedirective to reference custom policies.If you’re using precompiled publication with NGINX Agent, make sure to change the file extension from .jsonto.tgz. The filename remains the same. NGINX Instance Manager doesn’t support referencing both.jsonand.tgzin the same NGINX configuration.
- 
If you’re using custom policies, make sure NGINX Agent has permission to access the directories where those policy files are stored. Update the config_dirssetting in the NGINX Agent’s configuration file if needed.
- 
NGINX Instance Manager uses the default log profiles that come with NGINX App Protect WAF. You can reference them with the app_protect_security_logdirective. Custom log profiles aren’t supported.
If you’re using different directories on the data plane, update paths accordingly in your NGINX configuration.
Add the NGINX App Protect WAF directives in the appropriate context (http, server, or location). Here’s an example:
server {
  ...
  location / {
    # Enable NGINX App Protect WAF
    app_protect_enable on;
    # Reference a custom security policy bundle
    app_protect_policy_file /etc/nms/ignore-xss.tgz;
    # Enable security logging
    app_protect_security_log_enable on;
    # Reference the log profile bundle
    app_protect_security_log /etc/nms/log-default.tgz /var/log/nginx/security-violations.log;
    ...
  }
}If you’re using NGINX Instance Manager with Security Monitoring, your configuration may already include the following directive:
app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;Don’t change this value. See the Security Monitoring setup guide for more details.
If you’re using NGINX App Protect WAF v5:
- 
You must add the app_protect_enforcer_addressdirective to thehttpcontext:app_protect_enforcer_address 127.0.0.1:50000;
- 
JSON policies and log profiles aren’t supported. You must precompile and publish them using NGINX Instance Manager. Make sure the precompiled_publication setting in the NGINX Agent configuration is set to true. See the NGINX App Protect WAF configuration guide for details. 
- 
In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select Instance Manager from the Launchpad menu. 
- 
In the left menu, select Instances or Instance Groups. 
- 
From the Actions menu (…), select Edit Config for the instance or group. 
- 
If you’re using precompiled publication, change any .jsonfile extensions to.tgz.
- 
If you want to apply a default policy, select Apply Security, then copy the policy snippet and paste it into your configuration. 
- 
Add the directives inside an http,server, orlocationblock.
- 
Select Publish to push the configuration. 
<strong>See Also:</strong> You can use tools like <code>curl</code> or <a href="https://www.postman.com" target="_blank" rel="noopener">Postman</a> to interact with the NGINX Instance Manager REST API. The API URL is <code>https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION></code>, and each request requires authentication. For more details on authentication options, see the <a href="https://frontdoor-test-docs.nginx.com/previews/docs/539/nginx-instance-manager/fundamentals/api-overview/">API Overview</a>.
You can use the NGINX Instance Manager REST API to deploy your NGINX App Protect WAF configuration.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/systems/{systemUID}/instances | 
| POST | /api/platform/v1/security/{systemUID}/instances/{nginxUID}/config | 
<strong>Important</strong> Before deploying a configuration to an instance group, make sure all instances in the group are running the same version of NGINX App Protect WAF. Otherwise, the deployment may fail.
- 
Send a GETrequest to the/api/platform/v1/systems/{systemUID}/instancesendpoint to list all instances. This response includes the unique identifier (UID) of the instance that you want to update.curl -X GET https://{{NMS_FQDN}}/api/platform/v1/systems/{systemUID}/instances \ -H "Authorization: Bearer <access token>"
- 
Add the NGINX App Protect WAF configuration to your NGINX config file ( nginx.confor another config file located in a validconfig_dirspath on the data plane host):- 
At a minimum, add the following directive: app_protect_enable on;
- 
If precompiled publication is enabled, change any .jsonpolicy references to.tgz.
- 
If you want to apply a default policy, you can use: app_protect_policy_file /etc/nms/NginxDefaultPolicy.tgz;or app_protect_policy_file /etc/nms/NginxStrictPolicy.tgz;
- 
Add the directives to an http,server, orlocationcontext.
 
- 
- 
Encode the updated NGINX configuration file using base64. base64 -i /etc/nginx/nginx.conf
- 
Send a POSTrequest to the/api/platform/v1/security/{systemUID}/instances/{nginxUID}/configendpoint to deploy the configuration. Replace<base64-encoded-content>with your encoded config:curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/{systemUID}/instances/{nginxUID}/config \ -H "Authorization: Bearer <access token>" \ --header "Content-Type: application/json" \ -d '{ "configFiles": { "rootDir": "/etc/nginx", "files": [ { "name": "nginx.conf", "contents": "<base64-encoded-content>" } ] }, "validateConfig": true }'
After you add NGINX App Protect WAF directives to your NGINX configuration, you can verify the setup in the NGINX Instance Manager web interface.
To confirm that the NGINX App Protect WAF configuration was applied:
- In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select Instance Manager from the Launchpad menu. 
- In the left navigation menu, select Instances.
- In the NGINX App Protect column, confirm that the correct version is listed.
- Select the instance. Then, scroll to the App Protect Details section.
- Confirm that the App Protect WAF status is Active, and the Build matches the version installed on the instance.
If you’re having trouble with NGINX App Protect WAF, try the steps below. If these don’t solve the issue, reach out to F5 NGINX Customer Support.
NGINX App Protect WAF and the WAF compiler shouldn’t run on the same host. To check:
- 
Log in to the NGINX Instance Manager host from a terminal. 
- 
Run the command that matches your operating system: - 
For Debian-based systems: dpkg -s app-protect
- 
For RPM-based systems: rpm -qi | grep app-protect
 
- 
If NGINX App Protect WAF is installed, follow the uninstall instructions.
Each NGINX App Protect WAF version has a matching WAF compiler version. To confirm:
- 
Log in to the NGINX Instance Manager host. 
- 
Run the following command to see installed compiler versions: ls -l /opt/nms-nap-compiler
You can verify that the WAF compiler is installed and responding:
sudo /opt/nms-nap-compiler/app_protect-<version>/bin/apcompile -hExample:
sudo /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -hExpected output:
USAGE:
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile <options>
Examples:
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -p /path/to/policy.json -o mypolicy.tgz
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -p policyA.json -g myglobal.json -o /path/to/policyA_bundle.tgz
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -g myglobalsettings.json --global-state-outfile /path/to/myglobalstate.tgz
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -b /path/to/policy_bundle.tgz --dump
    /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -l logprofA.json -o /path/to/logprofA_bundle.tgzOpen the /etc/nginx-agent/nginx-agent.conf file and make sure it includes the right settings.
# List of directories the agent monitors for config files
config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect"
# Enable necessary NGINX App Protect extensions
extensions:
  - nginx-app-protect
  - nap-monitoring
nginx_app_protect:
  # Report interval for NGINX App Protect details — how often the agent checks for changes
  report_interval: 15s
  # Set to true to publish precompiled policies and log profiles from NGINX Instance Manager
  precompiled_publication: true
nap_monitoring:
  # Buffer size for the collector — holds log lines and parsed entries
  collector_buffer_size: 50000
  # Buffer size for the processor — processes log lines from the buffer
  processor_buffer_size: 50000
  # IP address where the agent listens for syslog messages
  syslog_ip: "127.0.0.1"
  # Port number for receiving syslog messages
  syslog_port: 514If automatic downloads for Attack Signatures or Threat Campaigns are failing, check whether the repo certificate and key are set up correctly.
Run this command to test access:
curl --key /etc/ssl/nginx/nginx-repo.key --cert /etc/ssl/nginx/nginx-repo.crt https://pkgs.nginx.com/app-protect-security-updates/index.xmlExpected output:
...
<repositories>
<repository distro="centos" version="6" arch="x86_64" prefix="centos/6/x86_64/">
</repository>
<repository distro="centos" version="7" arch="x86_64" prefix="centos/7/x86_64/">
<package type="rpm">
  <name>app-protect-attack-signatures</name>
  <arch>x86_64</arch>
  <version epoch="0" ver="2019.07.16" rel="1.el7.ngx"/>
  <location href="RPMS/app-protect-attack-signatures-2019.07.16-1.el7.ngx.x86_64.rpm"/>
</package>
...Now that configuration management is set up, you can use the NGINX Instance Manager REST API to:
- Manage NGINX App Protect WAF security policies.
- View system information about your NGINX App Protect WAF instances.
- Update Attack Signatures and Threat Campaigns.
To learn more, see Manage WAF Security Policies and Security Log Profiles.
What's on This Page
- Overview
- Install the WAF compiler
- Set up attack signatures and threat campaigns
- Set up compiler resource pruning
- Onboard NGINX App Protect WAF instances
- Onboard security policies
- Add WAF configuration to NGINX instances
- Troubleshooting
      - Check that NGINX App Protect WAF is not installed on the NGINX Instance Manager host
- Check that the WAF compiler version matches the NGINX App Protect WAF version
- Confirm the WAF compiler is working correctly
- Confirm NGINX Agent configuration on the NGINX App Protect WAF instance
- Confirm access to the NGINX packages repository
 
- What’s Next