Manage and deploy WAF policies and log profiles
F5 NGINX Instance Manager lets you manage NGINX App Protect WAF configurations using either the web interface or REST API. You can edit, update, and deploy security policies, log profiles, attack signatures, and threat campaigns to individual instances or instance groups.
You can compile a security policy, attack signatures, and threat campaigns into a security policy bundle. The bundle includes all necessary components for a specific NGINX App Protect WAF version. Precompiling the bundle improves performance by avoiding separate compilation of each component during deployment.
The following capabilities are available only through the Instance Manager REST API:
- Update security policies
- Create, read, and update security policy bundles
- Create, read, update, and delete security log profiles
- Publish security policies, log profiles, attack signatures, and threat campaigns to instances and instance groups
Before continuing, complete the following steps:
- 
Make sure your user account has the required permissions to access the REST API: - Module: Instance Manager
- Feature: Instance Management → READ
- Feature: Security Policies → READ,CREATE,UPDATE,DELETE
 
To use policy bundles, you also need to:
- Have UPDATEpermissions for each referenced security policy
- Install the correct nms-nap-compilerpackage for your App Protect WAF version
- Install the required attack signatures and threat campaigns
To access the web interface, open a browser and go to the fully qualified domain name (FQDN) of your NGINX Instance Manager. Log in, then select Instance Manager from the Launchpad.
You can use tools like curl or Postman to interact with the NGINX Instance Manager REST API. The API URL is https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION>, and each request requires authentication. For more details on authentication options, see the API Overview.
To create a security policy using the NGINX Instance Manager web interface:
- 
In your browser, go to the FQDN for your NGINX Instance Manager host and log in. 
- 
From the Launchpad menu, select Instance Manager. 
- 
In the left menu, select App Protect. 
- 
On the Security Policies page, select Create. 
- 
On the Create Policy page, enter the required information: - Name: Enter a name for the policy.
- Description: (Optional) Add a brief description.
- Enter Policy: Paste or type the JSON-formatted policy into the editor. The interface automatically validates the JSON.
 For help writing custom policies, see the NGINX App Protect WAF Declarative Policy guide and the Policy Authoring and Tuning section in the configuration guide. 
- 
Select Save. 
To upload a new security policy using the REST API, send a POST request to the Security Policies API endpoint.
You must encode the JSON policy using base64. If you send the policy in plain JSON, the request will fail.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/policies | 
For example:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies \
    -H "Authorization: Bearer <access token>" \
    -d @ignore-xss-example.jsonJSON Request
{
  "metadata": {
    "name": "ignore-cross-site-scripting",
    "displayName": "Ignore cross-site scripting",
    "description": "Ignore cross-site scripting is a security policy that intentionally ignores cross site scripting."
  },
  "content": "ewoJInBvbGljeSI6IHsKCQkibmFtZSI6ICJzaW1wbGUtYmxvY2tpbmctcG9saWN5IiwKCQkic2lnbmF0dXJlcyI6IFsKCQkJewoJCQkJInNpZ25hdHVyZUlkIjogMjAwMDAxODM0LAoJCQkJImVuYWJsZWQiOiBmYWxzZQoJCQl9CgkJXSwKCQkidGVtcGxhdGUiOiB7CgkJCSJuYW1lIjogIlBPTElDWV9URU1QTEFURV9OR0lOWF9CQVNFIgoJCX0sCgkJImFwcGxpY2F0aW9uTGFuZ3VhZ2UiOiAidXRmLTgiLAoJCSJlbmZvcmNlbWVudE1vZGUiOiAiYmxvY2tpbmciCgl9Cn0="
}JSON Response
{
  "metadata": {
    "created": "2022-04-10T23:19:58.502Z",
    "description": "string",
    "displayName": "Ignore cross-site scripting",
    "modified": "2022-04-12T23:19:58.502Z",
    "name": "ignore-cross-site-scripting",
    "revisionTimestamp": "2022-04-12T23:19:58.502Z",
    "uid": "<policy-uid>"
  },
  "selfLink": {
    "rel": "/api/platform/v1/services/environments/prod"
  }
}To update a security policy, send a POST or PUT request to the Security Policies API.
- Use POSTwith theisNewRevision=trueparameter to add a new version of an existing policy.
- Use PUTwith the policy UID to overwrite the existing version.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/policies?isNewRevision=true | 
| PUT | /api/platform/v1/security/policies/{system_id_string} | 
To use POST, include the policy metadata and content in your request:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies?isNewRevision=true \
    -H "Authorization: Bearer <access token>" \
    -d @update-xss-policy.jsonTo use PUT, first retrieve the policy’s unique identifier (UID). You can do this by sending a GET request to the policies endpoint:
curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies \
    -H "Authorization: Bearer <access token>"Then include the UID in your PUT request:
curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/policies/<policy-uid> \
    -H "Authorization: Bearer <access token>" \
    --Content-Type application/json \
    -d @update-xss-policy.jsonAfter updating the policy, you can publish it to selected instances or instance groups.
To delete a security policy using the NGINX Instance Manager web interface:
- In your browser, go to the FQDN for your NGINX Instance Manager host and log in.
- From the Launchpad menu, select Instance Manager.
- In the left menu, select App Protect.
- On the Security Policies page, find the policy you want to delete.
- Select the Actions menu (…) and choose Delete.
To delete a security policy using the REST API:
- 
Retrieve the UID for the policy by sending a GETrequest to the policies endpoint:curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies \ -H "Authorization: Bearer <access token>"
- 
Send a DELETErequest using the policy UID:
| Method | Endpoint | 
|---|---|
| DELETE | /api/platform/v1/security/policies/{security-policy-uid} | 
Example:
curl -X DELETE https://{{NIM_FQDN}}/api/platform/v1/security/policies/<policy-uid> \
    -H "Authorization: Bearer <access token>"To create a security policy bundle, send a POST request to the Security Policy Bundles API. The policies you want to include in the bundle must already exist in NGINX Instance Manager.
Each bundle includes:
- A security policy
- Attack signatures
- Threat campaigns
- A version of NGINX App Protect WAF
- Supporting files required to compile and deploy the bundle
- appProtectWAFVersion: The version of NGINX App Protect WAF to target.
- policyName: The name of the policy to include. Must reference an existing policy.
- policyUID: Optional. If omitted, the latest revision of the specified policy is used. This field does not accept the keyword- latest.
If you don’t include attackSignatureVersionDateTime or threatCampaignVersionDateTime, the latest versions are used by default. You can also set them explicitly by using "latest" as the value.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/policies/bundles | 
Example:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies/bundles \
    -H "Authorization: Bearer <access token>" \
    -d @security-policy-bundles.jsonJSON Request
{
  "bundles": [{
      "appProtectWAFVersion": "4.457.0",
      "policyName": "default-enforcement",
      "policyUID": "<policy-uid>",
      "attackSignatureVersionDateTime": "2023.06.20",
      "threatCampaignVersionDateTime": "2023.07.18"
    },
    {
      "appProtectWAFVersion": "4.279.0",
      "policyName": "default-enforcement",
      "attackSignatureVersionDateTime": "latest",
      "threatCampaignVersionDateTime": "latest"
    },
    {
      "appProtectWAFVersion": "4.457.0",
      "policyName": "ignore-xss"
    }
  ]
}JSON Response
{
  "items": [{
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.457.0",
        "policyName": "default-enforcement",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.06.20",
        "threatCampaignVersionDateTime": "2023.07.18",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiling",
        "message": ""
      }
    },
    {
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.279.0",
        "policyName": "default-enforcement",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.08.10",
        "threatCampaignVersionDateTime": "2023.08.09",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiling",
        "message": ""
      }
    },
    {
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.457.0",
        "policyName": "ignore-xss",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.08.10",
        "threatCampaignVersionDateTime": "2023.08.09",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiling",
        "message": ""
      }
    }
  ]
}To list all security policy bundles, send a GET request to the Security Policy Bundles API.
You’ll only see bundles you have "READ" permissions for.
You can use the following query parameters to filter results:
- includeBundleContent: Whether to include base64-encoded content in the response. Defaults to- false.
- policyName: Return only bundles that match this policy name.
- policyUID: Return only bundles that match this policy UID.
- startTime: Return only bundles modified at or after this time.
- endTime: Return only bundles modified before this time.
If no time range is provided, the API defaults to showing bundles modified in the past 24 hours.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/security/policies/bundles | 
Example:
curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies/bundles \
    -H "Authorization: Bearer <access token>"JSON Response
{
  "items": [{
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.457.0",
        "policyName": "default-enforcement",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.06.20",
        "threatCampaignVersionDateTime": "2023.07.18",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiled",
        "message": ""
      }
    },
    {
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.279.0",
        "policyName": "defautl-enforcement",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.08.10",
        "threatCampaignVersionDateTime": "2023.08.09",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiled",
        "message": ""
      }
    },
    {
      "metadata": {
        "created": "2023-10-04T23:19:58.502Z",
        "modified": "2023-10-04T23:19:58.502Z",
        "appProtectWAFVersion": "4.457.0",
        "policyName": "ignore-xss",
        "policyUID": "<policy-uid>",
        "attackSignatureVersionDateTime": "2023.08.10",
        "threatCampaignVersionDateTime": "2023.08.09",
        "uid": "<bundle-uid>"
      },
      "content": "",
      "compilationStatus": {
        "status": "compiling",
        "message": ""
      }
    }
  ]
}To retrieve a specific security policy bundle, send a GET request to the Security Policy Bundles API using the policy UID and bundle UID in the URL path.
You must have "READ" permission for the bundle to retrieve it.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/security/policies/{security-policy-uid}/bundles/{security-policy-bundle-uid} | 
Example:
curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies/<policy-uid>/bundles/<bundle-uid> \
    -H "Authorization: Bearer <access token>"The response includes a content field that contains the bundle in base64 format. To use it, you’ll need to decode the content and save it as a .tgz file.
Example:
curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/policies/<policy-uid>/bundles/<bundle-uid>" \
    -H "Authorization: Bearer <access token>" | jq -r '.content' | base64 -d > security-policy-bundle.tgzJSON Response
{
  "metadata": {
    "created": "2023-10-04T23:19:58.502Z",
    "modified": "2023-10-04T23:19:58.502Z",
    "appProtectWAFVersion": "4.457.0",
    "policyUID": "<policy-uid>",
    "attackSignatureVersionDateTime": "2023.08.10",
    "threatCampaignVersionDateTime": "2023.08.09",
    "uid": "<bundle-uid>"
  },
  "content": "ZXZlbnRzIHt9Cmh0dHAgeyAgCiAgICBzZXJ2ZXIgeyAgCiAgICAgICAgbGlzdGVuIDgwOyAgCiAgICAgICAgc2VydmVyX25hbWUgXzsKCiAgICAgICAgcmV0dXJuIDIwMCAiSGVsbG8iOyAgCiAgICB9ICAKfQ==",
  "compilationStatus": {
    "status": "compiled",
    "message": ""
  }
}To upload a new security log profile, send a POST request to the Security Log Profiles API endpoint.
You must encode the log profile in base64 before sending it. If you send plain JSON, the request will fail.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/logprofiles | 
Example:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles \
    -H "Authorization: Bearer <access token>" \
    -d @default-log-example.jsonJSON Request
{
  "metadata": {
    "name": "default-log-example"
  },
  "content": "Cgl7CgkJImZpbHRlciI6IHsKCQkJInJlcXVlc3RfdHlwZSI6ICJpbGxlZ2FsIgoJCX0sCgkJImNvbnRlbnQiOiB7CgkJCSJmb3JtYXQiOiAiZGVmYXVsdCIsCgkJCSJtYXhfcmVxdWVzdF9zaXplIjogImFueSIsCgkJCSJtYXhfbWVzc2FnZV9zaXplIjogIjVrIgoJCX0KCX0="
}JSON Response
{
  "metadata": {
    "created": "2023-07-05T22:09:19.634358096Z",
    "externalIdType": "",
    "modified": "2023-07-05T22:09:19.634358096Z",
    "name": "default-log-example",
    "revisionTimestamp": "2023-07-05T22:09:19.634358096Z",
    "uid": "<log-profile-uid>"
  },
  "selfLink": {
    "rel": "/api/platform/v1/security/logprofiles/<log-profile-uid>"
  }
}To update a security log profile, you can either:
- Use POSTwith theisNewRevision=trueparameter to add a new version.
- Use PUTwith the log profile UID to overwrite the existing version.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/logprofiles?isNewRevision=true | 
| PUT | /api/platform/v1/security/logprofiles/{security-log-profile-uid} | 
To create a new revision:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles?isNewRevision=true \
    -H "Authorization: Bearer <access token>" \
    -d @update-default-log.jsonTo overwrite an existing security log profile:
- 
Retrieve the profile’s UID: curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/<log-profile-uid> \ -H "Authorization: Bearer <access token>" \ --Content-Type application/json \ -d @update-log-profile.json
- 
Use the UID in your PUT request: curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/<log-profile-uid> \ -H "Authorization: Bearer <access token>" \ --Content-Type application/json \ -d @update-log-profile.json
After updating the security log profile, you can publish it to specific instances or instance groups.
To delete a security log profile, send a DELETE request to the Security Log Profiles API using the profile’s UID.
| Method | Endpoint | 
|---|---|
| DELETE | /api/platform/v1/security/logprofiles/{security-log-profile-uid} | 
- 
Retrieve the UID: curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles \ -H "Authorization: Bearer <access token>"
- 
Send the delete request: curl -X DELETE https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/<log-profile-uid> \ -H "Authorization: Bearer <access token>"
Use the Publish API to push security policies, log profiles, attack signatures, and threat campaigns to NGINX instances or instance groups.
Call this endpoint after you’ve created or updated the resources you want to deploy.
| Method | Endpoint | 
|---|---|
| POST | /api/platform/v1/security/publish | 
Include the following information in your request, depending on what you’re publishing:
- Instance and instance group UIDs
- Policy UID and name
- Log profile UID and name
- Attack signature library UID and version
- Threat campaign UID and version
Example:
curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/publish \
    -H "Authorization: Bearer <access token>" \
    -d @publish-request.jsonJSON Request
{
  "publications": [
    {
      "instances": [
        "<instance-uid>"
      ],
      "instanceGroups": [
        "<instance-group-uid>"
      ],
      "policyContent": {
        "name": "example-policy",
        "uid": "<policy-uid>"
      },
      "logProfileContent": {
        "name": "example-log-profile",
        "uid": "<log-profile-uid>"
      },
      "attackSignatureLibrary": {
        "uid": "<signature-library-uid>",
        "versionDateTime": "2023.10.02"
      },
      "threatCampaign": {
        "uid": "<campaign-uid>",
        "versionDateTime": "2023.10.01"
      }
    }
  ]
}JSON Response
{
  "deployments": [
    {
      "deploymentUID": "ddc781ca-15d6-46c9-86ea-e7bdb91e8dec",
      "links": {
        "rel": "/api/platform/v1/security/deployments/ddc781ca-15d6-46c9-86ea-e7bdb91e8dec"
      },
      "result": "Publish security content request Accepted"
    }
  ]
}After publishing updates, you can check deployment status using the NGINX Instance Manager REST API.
Use the following endpoints to verify whether the configuration updates were successfully deployed to instances or instance groups.
To view deployment status for a specific policy, send a GET request to the Security Deployments Associations API using the policy name.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/security/deployments/associations/{policy-name} | 
Example:
curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/deployments/associations/ignore-xss" \
    -H "Authorization: Bearer <access token>"In the response, look for the lastDeploymentDetails field under instance or instanceGroup.instances.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/security/deployments/logprofiles/associations/{log-profile-name} | 
Example:
curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/deployments/logprofiles/associations/default-log" \
    -H "Authorization: Bearer <access token>"The response also contains lastDeploymentDetails for each instance or group.
You can also view the deployment status for a specific instance by providing the system UID and instance UID.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/systems/{system-uid}/instances/{instance-uid} | 
Example:
curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/systems/<system-uid>/instances/<instance-uid>" \
    -H "Authorization: Bearer <access token>"In the response, look for the lastDeploymentDetails field, which shows the deployment status and any related errors.
When you use the Publish API to publish security content, NGINX Instance Manager creates a deployment ID for the request. You can use this ID to check the result of the publication.
| Method | Endpoint | 
|---|---|
| GET | /api/platform/v1/systems/instances/deployments/{deployment-id} | 
Example:
curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/systems/instances/deployments/<deployment-id>" \
    -H "Authorization: Bearer <access token>"The response includes the full deployment status, success or failure details, and any compiler error messages.
What's on This Page
- Overview
- Before you begin
- Create a security policy
- Update a security policy
- Delete a security policy
- Create security policy bundles
- List security policy bundles
- Get a security policy bundle
- Create a security log profile
- Update a security log profile
- Delete a security log profile
- Publish updates to instances
- Check security policy and security log profile publication status