Set up security alerts
With this page, you’ll learn how to set up alerts in F5 Distributed Cloud. Once configured, you’ll see the CVEs and insecure configurations associated with your NGINX fleet. These instructions are intended for those responsible for keeping their NGINX infrastructure and application traffic secure. It assumes you know how to:
- Install Linux programs or run Docker containers
By the end of this tutorial, you’ll be able to:
- Access the NGINX One Console in F5 Distributed Cloud
- Connect NGINX instances to the NGINX One Console
- Review Security Risks associated with your NGINX fleet
- Configure Alert Policies in F5 Distributed Cloud
NGINX One Console is a service to monitor and manage NGINX. It’s a part of the F5 Distributed Cloud and is included with all NGINX and F5 Distributed Cloud subscriptions. While NGINX is built to be secure and stable, critical vulnerabilities can occasionally emerge – and misconfigurations may leave your applications or APIs exposed to attacks.
If you already have accessed F5 Distributed Cloud and have NGINX instances available, you can skip these steps and start to connect instances to the NGINX One Console.
Confirm an F5 Distributed Cloud tenant has been provisioned for you. Log in to the MyF5 customer portal and review your subscriptions. You should see within one of your subscriptions “Distributed Cloud”. This could be in either an NGINX subscription or a Distributed Cloud. If the above does not appear in any of your subscriptions, reach out to either your F5 Account Team or Customer Success Manager.
With access, you or someone in your organization should have an email from no-reply@cloud.f5.com asking you to update your password when the tenant was created. The account name referenced in the email in bold is the tenant name.
Go to https://INSERT_YOUR_TENANT_NAME.console.ves.volterra.io/ to access F5 Distributed Cloud. If you have never logged in, select the Forgot Password? option in the log in screen. Alternatively, if someone within your organization has access, ask them to add you as a user within your tenant with a role providing permissions for NGINX One.
Once you’ve logged in with your password, you should be able to see and select the NGINX One tile.
- Select the NGINX One tile
- Select Visit Service
Ensure you have an instance of NGINX Open Source or NGINX Plus installed and available. This guide provides instructions for connecting an instance installed in a Linux environment (VM or bare metal hardware) where you have command line access. Alternatively, we also have instructions for Deploying NGINX and NGINX Plus with Docker with NGINX and the NGINX Agent installed. That deployment can connect with environment variables.
If you already have connected instances to the NGINX One Console, you can start to Configure an active alert policy. Otherwise, you need to add an instance, generate a data plane key, and install NGINX Agent. We assume this is the first time you are connecting an instance.
You can add an instance to NGINX One Console in the following ways:
- Directly, under Instances
- Indirectly, by selecting a Config Sync Group, and selecting Add Instance to Config Sync Group
In either case, NGINX One Console gives you a choice for data plane keys:
- Create a new key
- Use an existing key
NGINX One Console takes the option you use, and adds the data plane key to a command that you’d use to register your target instance. You should see the command in the Add Instance screen in the console.
Connect to the host where your NGINX instance is running. Run the provided command to install NGINX Agent dependencies and packages on that host.
curl https://agent.connect.nginx.com/nginx-agent/install | DATA_PLANE_KEY="<data_plane_key>" sh -s -- -yOnce the process is complete, you can configure that instance in your NGINX One Console.
A data plane key is a security token that ensures only trusted NGINX instances can register and communicate with NGINX One.
To generate a data plane key, select Manage > Instances > Add Instance:
- For a new key: In the Add Instance pane, select Generate Data Plane Key.
- To reuse an existing key: If you already have a data plane key and want to use it again, select Use existing key. Then, enter the key’s value in the Data Plane Key box.
Data plane key guidelinesData plane keys are displayed only once and cannot be retrieved later. Be sure to copy and store this key securely.
Data plane keys expire after one year. You can change this expiration date later by editing the key. If you revoke a data plane key you disconnect all instances registered with that key.
After entering your data plane key, you’ll see a curl command to install NGINX Agent, similar to the one below. Copy and run this command on each NGINX instance. Once installed, NGINX Agent typically registers with NGINX One within a few seconds.
Connecting to NGINX OneEnsure that any firewall rules you have in place for your NGINX hosts allows network traffic to port
443for all of the following IPs:
3.135.72.1393.133.232.5052.14.85.249NGINX Agent must be able to establish a connection to NGINX One Console’s Agent endpoint (
agent.connect.nginx.com).
To install NGINX Agent on an NGINX instance:
-
Check if NGINX is running and start it if it’s not:
First, see if NGINX is running:
sudo systemctl status nginxIf the status isn’t
Active, go ahead and start NGINX:sudo systemctl start nginx -
Install NGINX Agent:
Next, use the
curlcommand provided to you to install NGINX Agent:curl https://agent.connect.nginx.com/nginx-agent/install | DATA_PLANE_KEY="YOUR_DATA_PLANE_KEY" sh -s -- -y- Replace
YOUR_DATA_PLANE_KEYwith your actual data plane key.
- Replace
You can also install NGINX Agent from our repositories and configure it manually. Alternatively you can use our official NGINX Docker images, pre-configured with NGINX Agent.
The NGINX One Console monitors all connected NGINX instances for CVEs and insecure configurations. Using the F5 Distributed Cloud’s Alert Policies, you can receive alerts for these risks in a manner of your choosing; for the purposes of this guide, we show you how to configure email alerts.
The F5 Distributed Cloud generates alerts from all its services including NGINX One Console. You can configure rules to send those alerts to a receiver of your choice. These instructions walk you through how to configure an email notification when we see new CVEs or detect security issues with your NGINX instances.
This page describes basic steps to set up an email alert. For authoritative documentation, see Alerts - Email & SMS.
To configure security-related alerts, follow these steps:
- Go to the F5 Distributed Cloud Console at https://INSERT_YOUR_TENANT_NAME.console.ves.volterra.io.
- Select Audit Logs & Alerts
- Select Alerts Management > Alert Receivers
- Select Add Alert Receiver
- Enter the name of your choice.
- (Optional) Specify a label and description.
- Under Receiver, select Email and enter your email address.
- Select Add Alert Receiver Your alert receiver should now appear on the list of Alert Receivers.
- Select the Actions ellipsis (…) for your receiver. Select Verify Email.
- Select Send email to confirm.
- You should receive a verification code in the email provided. Copy that code.
- Under the Actions column, select Enter verification code.
- Paste the code and select Verify receiver.
Next, configure the policy that identifies when you’ll get an alert. You’ll need to reference available alerts in our NGINX One Console Glossary. Relevant security alerts include:
- SecurityRecommendationNGINX
- HighCVENGINX
- MediumCVENGINX
- LowCVENGINX
- Go to Alerts Management > Alert Policies.
- Select Add Alert Policy.
- Enter the name of your choice. You’re limited to lower-case characters, numbers, and dashes.
- (Optional) Specify a label and description.
- Under Alert Reciever Configuration > Alert Receivers, select the Alert Receiver you just created.
- Under Policy Rules select Configure.
- In the Policy Rules screen that appears, select Add Item.
- In the Route window that appears, review the Select Alerts drop-down.
- Under Select Alerts select a filter. Now select Matching Custom Criteria > Alertname > Configure. In the screen that appears, use Exact Match and copy/paste an alert name from the NGINX One Console Glossary.
- Select Apply to exit the Alertname window.
- Select Apply to exit the Route window.
- Select Apply to exit the Policy Rules window.
- You can now select the Add Alert policy button.
- Set the Action as Send and select Apply.
Repeat the process described in Configure Alert Policy section. Repeat again if and as needed for all of the alerts in the NGINX One Console Glossary.
Now to make sure your new policy works, add your new policies to the list of Active Alert Policies. To do so:
- Select Alerts Management > Active Alert Policies
- Select Select Active Alert Policies.
- In the Select Active Alert Policies window, select Add Item
- In the drop-down box that appears, select the Alert Policy that you created.
- Select the Add Select Active Alert Policies button.
- Select Add Item
You’ve now set up F5 Distributed Cloud to send you alerts from NGINX One Console, to your email address. When the alert policy identifies an alert, it sends you an email from alerts@cloud.f5.com.
When you set up an email alert for a problem, you’ll see the alert in:
- The F5 Distributed Cloud Console, under Notifications > Alerts in Audit Logs & Alerts
- An email with a subject like
Alert Requires Action
You may also get a follow-up email with the subject Alert Resolved.
Important: Sometimes an Alert Resolved email is sent even though the issue is still active. To check the current status, go to the NGINX One Console.
For CVEs, the trusted source is:
- NGINX One Console > Manage > Instances >
Instance hostname
Open the instance dashboard to see the latest list of CVEs. Use the Console, not email, to confirm whether an issue is resolved.
In this tutorial, you learned how to:
- Access the NGINX One Console
- Connect an NGINX instance
- Configure and activate an alert
You will now receive an email any time the F5 Distributed Cloud sees one or more of the alerts that you configued.
Now that you have NGINX instances connected to the NGINX One Console, consider reviewing our use cases to see how you can easily manage your NGINX instances, draft new configurations, and more. Additionally, you can review how to add additional Alert Receivers such as SMS, Slack, PagerDuty, or with a webhook.