diff --git a/content/includes/agent/installation/install-agent-api.md b/content/includes/agent/installation/install-agent-api.md
index 95a9650aa..15009d21f 100644
--- a/content/includes/agent/installation/install-agent-api.md
+++ b/content/includes/agent/installation/install-agent-api.md
@@ -1,74 +1,75 @@
-**Note**: To complete this step, make sure that `gpg` is installed on your system. You can install NGINX Agent using various command-line tools like `curl` or `wget`. If your NGINX Instance Manager host is not set up with valid TLS certificates, you can use the insecure flags provided by those tools. See the following examples:
+---
+docs: DOCS-1031
+files:
+ - content/nim/nginx-app-protect/setup-waf-config-management.md
+---
+
+{{}}Make sure `gpg` is installed on your system before continuing. You can install NGINX Agent using command-line tools like `curl` or `wget`.{{}}
+
+If your NGINX Instance Manager host doesn't use valid TLS certificates, you can use the insecure flags to bypass verification. Here are some example commands:
{{}}
{{%tab name="curl"%}}
-- Secure:
+- **Secure:**
```bash
- curl https:///install/nginx-agent | sudo sh
+ curl https:///install/nginx-agent | sudo sh
```
-- Insecure:
+- **Insecure:**
```bash
- curl --insecure https:///install/nginx-agent | sudo sh
+ curl --insecure https:///install/nginx-agent | sudo sh
```
- You can add your NGINX instance to an existing instance group or create one using `--instance-group` or `-g` flag when installing NGINX Agent.
-
- The following example shows how to download and run the script with the optional `--instance-group` flag adding the NGINX instance to the instance group **my-instance-group**:
-
- ```bash
- curl https:///install/nginx-agent > install.sh; chmod u+x install.sh
- sudo ./install.sh --instance-group my-instance-group
- ```
+To add the instance to a specific instance group during installation, use the `--instance-group` (or `-g`) flag:
- By default, the install script attempts to use a secure connection when downloading packages. If, however, the script cannot create a secure connection, it uses an insecure connection instead and logs the following warning message:
+```shell
+curl https:///install/nginx-agent -o install.sh
+chmod u+x install.sh
+sudo ./install.sh --instance-group
+```
- ``` text
- Warning: An insecure connection will be used during this nginx-agent installation
- ```
+By default, the install script uses a secure connection to download packages. If it can’t establish one, it falls back to an insecure connection and logs this message:
- To require a secure connection, you can set the optional flag `skip-verify` to `false`.
+```text
+Warning: An insecure connection will be used during this nginx-agent installation
+```
- The following example shows how to download and run the script with an enforced secure connection:
+To enforce a secure connection, set the `--skip-verify` flag to false:
- ```bash
- curl https:///install/nginx-agent > install.sh chmod u+x install.sh; chmod u+x install.sh
- sudo sh ./install.sh --skip-verify false
- ```
+```shell
+curl https:///install/nginx-agent -o install.sh
+chmod u+x install.sh
+sudo ./install.sh --skip-verify false
+```
{{%/tab%}}
{{%tab name="wget"%}}
+- **Secure:**
-- Secure:
-
- ```bash
- wget https:///install/nginx-agent -O - | sudo sh -s --skip-verify false
+ ```shell
+ wget https:///install/nginx-agent -O - | sudo sh -s --skip-verify false
```
-- Insecure:
+- **Insecure:**
- ```bash
- wget --no-check-certificate https:///install/nginx-agent -O - | sudo sh
+ ```shell
+ wget --no-check-certificate https:///install/nginx-agent -O - | sudo sh
```
- When you install the NGINX Agent, you can use the `--instance-group` or `-g` flag to add your NGINX instance to an existing instance group or to a new group that you specify.
-
- The following example downloads and runs the NGINX Agent install script with the optional `--instance-group` flag, adding the NGINX instance to the instance group **my-instance-group**:
-
- ```bash
- wget https://gnms1.npi.f5net.com/install/nginx-agent -O install.sh ; chmod u+x install.sh
- sudo ./install.sh --instance-group my-instance-group
- ```
+To add your instance to a group during installation, use the `--instance-group` (or `-g`) flag:
+```shell
+wget https:///install/nginx-agent -O install.sh
+chmod u+x install.sh
+sudo ./install.sh --instance-group
+```
{{%/tab%}}
-{{}}
-
-
+{{}}
diff --git a/content/includes/nim/nap-waf/restart-nms-integrations.md b/content/includes/nim/nap-waf/restart-nms-integrations.md
new file mode 100644
index 000000000..bca3636f9
--- /dev/null
+++ b/content/includes/nim/nap-waf/restart-nms-integrations.md
@@ -0,0 +1,11 @@
+---
+docs: DOCS-000
+files:
+ - content/nim/nginx-app-protect/setup-waf-config-management.md
+---
+
+Restart the `nms-integrations` service:
+
+```shell
+sudo systemctl restart nms-integrations
+```
diff --git a/content/nim/nginx-app-protect/manage-waf-security-policies.md b/content/nim/nginx-app-protect/manage-waf-security-policies.md
index 71684b133..5c0e5ebf3 100644
--- a/content/nim/nginx-app-protect/manage-waf-security-policies.md
+++ b/content/nim/nginx-app-protect/manage-waf-security-policies.md
@@ -1,8 +1,7 @@
---
-title: Manage WAF Security Policies and Security Log Profiles
-description: Learn how to use F5 NGINX Management Suite Instance Manager to manage NGINX
- App Protect WAF security policies and security log profiles.
-weight: 200
+title: Manage and deploy WAF policies and log profiles
+description: Learn how to use F5 NGINX Instance Manager to manage NGINX App Protect WAF security policies and security log profiles.
+weight: 300
toc: true
type: how-to
product: NIM
@@ -11,83 +10,76 @@ docs: DOCS-1105
## Overview
-F5 NGINX Management Suite Instance Manager provides the ability to manage the configuration of NGINX App Protect WAF instances either by the user interface or the REST API. This includes editing, updating, and deploying security policies, log profiles, attack signatures, and threat campaigns to individual instances and/or instance groups.
+F5 NGINX Instance Manager lets you manage NGINX App Protect WAF configurations using either the web interface or REST API. You can edit, update, and deploy security policies, log profiles, attack signatures, and threat campaigns to individual instances or instance groups.
-In Instance Manager v2.14.0 and later, you can compile a security policy, attack signatures, and threat campaigns into a security policy bundle. A security policy bundle consists of the security policy, the attack signatures, and threat campaigns for a particular version of NGINX App Protect WAF, and additional supporting files that make it possible for NGINX App Protect WAF to use the bundle. Because the security policy bundle is pre-compiled, the configuration gets applied faster than when you individually reference the security policy, attack signature, and threat campaign files.
+You can compile a security policy, attack signatures, and threat campaigns into a security policy bundle. The bundle includes all necessary components for a specific NGINX App Protect WAF version. Precompiling the bundle improves performance by avoiding separate compilation of each component during deployment.
{{}}
-The following capabilities are only available via the Instance Manager REST API:
+The following capabilities are available only through the Instance Manager REST API:
- Update security policies
- Create, read, and update security policy bundles
-- Create, read, update, and delete Security Log Profiles
-- Publish security policies, security log profiles, attack signatures, and/or threat campaigns to instances and instance groups
+- Create, read, update, and delete security log profiles
+- Publish security policies, log profiles, attack signatures, and threat campaigns to instances and instance groups
{{}}
---
-## Before You Begin
+## Before you begin
-Complete the following prerequisites before proceeding with this guide:
+Before continuing, complete the following steps:
-- [Set Up App Protect WAF Configuration Management]({{< ref "setup-waf-config-management" >}})
-- Verify that your user account has the [necessary permissions]({{< ref "/nim/admin-guide/rbac/overview-rbac.md" >}}) to access the Instance Manager REST API:
+- [Set up App Protect WAF configuration management]({{< ref "setup-waf-config-management" >}})
+- Make sure your user account has the [required permissions]({{< ref "/nim/admin-guide/rbac/overview-rbac.md" >}}) to access the REST API:
- - **Module**: Instance Manager
- - **Feature**: Instance Management
- - **Access**: `READ`
- - **Feature**: Security Policies
- - **Access**: `READ`, `CREATE`, `UPDATE`, `DELETE`
+ - **Module**: Instance Manager
+ - **Feature**: Instance Management → `READ`
+ - **Feature**: Security Policies → `READ`, `CREATE`, `UPDATE`, `DELETE`
-The following are required to use support policy bundles:
+To use policy bundles, you also need to:
-- You must have `UPDATE` permissions for the security policies specified in the request.
-- The correct `nms-nap-compiler` packages for the NGINX App Protect WAF version you're using are [installed on Instance Manager]({{< ref "/nim/nginx-app-protect/setup-waf-config-management.md#install-the-waf-compiler" >}}).
-- The attack signatures and threat campaigns that you want to use are [installed on Instance Manager]({{< ref "/nim/nginx-app-protect/setup-waf-config-management.md#set-up-attack-signatures-and-threat-campaigns" >}}).
+- Have `UPDATE` permissions for each referenced security policy
+- [Install the correct `nms-nap-compiler` package]({{< ref "/nim/nginx-app-protect/setup-waf-config-management.md#install-the-waf-compiler" >}}) for your App Protect WAF version
+- [Install the required attack signatures and threat campaigns]({{< ref "/nim/nginx-app-protect/setup-waf-config-management.md#set-up-attack-signatures-and-threat-campaigns" >}})
-### How to Access the Web Interface
+### Access the web interface
-To access the web interface, go to the FQDN for your NGINX Instance Manager host in a web browser and log in. Once you're logged in, select "Instance Manager" from the Launchpad menu.
+To access the web interface, open a browser and go to the fully qualified domain name (FQDN) of your NGINX Instance Manager. Log in, then select **Instance Manager** from the Launchpad.
-### How to Access the REST API
+### Access the REST API
{{< include "nim/how-to-access-nim-api.md" >}}
---
-## Create a Security Policy {#create-security-policy}
+## Create a security policy {#create-security-policy}
{{}}
{{%tab name="web interface"%}}
-
-
-To create a security policy using the Instance Manager web interface:
-
-1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select **Instance Manager**.
-2. On the left menu, select **App Protect**.
-3. On the *Security Policies* page, select **Create**.
-4. On the *Create Policy* page, fill out the necessary fields:
+To create a security policy using the NGINX Instance Manager web interface:
- - **Name**: Provide a name for the policy.
- - **Description**: (Optional) Add a short description for the policy.
- - **Enter Policy**: Type or paste the policy in JSON format into the form provided. The editor will validate the JSON for accuracy.
+1. In your browser, go to the FQDN for your NGINX Instance Manager host and log in.
+2. From the Launchpad menu, select **Instance Manager**.
+3. In the left menu, select **App Protect**.
+4. On the *Security Policies* page, select **Create**.
+5. On the *Create Policy* page, enter the required information:
+ - **Name**: Enter a name for the policy.
+ - **Description**: (Optional) Add a brief description.
+ - **Enter Policy**: Paste or type the JSON-formatted policy into the editor. The interface automatically validates the JSON.
- For more information about creating custom policies, refer to the [NGINX App Protect WAF Declarative Policy](https://docs.nginx.com/nginx-app-protect/declarative-policy/policy/) guide and the [Policy Authoring and Tuning](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-authoring-and-tuning) section of the config guide.
+ For help writing custom policies, see the [NGINX App Protect WAF Declarative Policy guide](https://docs.nginx.com/nginx-app-protect/declarative-policy/policy/) and the [Policy Authoring and Tuning section](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-authoring-and-tuning) in the configuration guide.
-5. Select **Save**.
+6. Select **Save**.
{{%/tab%}}
{{%tab name="API"%}}
-To upload a new security policy, send an HTTP `POST` request to the Security Policies API endpoint.
-
-{{}}Before sending a security policy to Instance Manager, you need to encode it using `base64`. Submitting a policy in its original JSON format will result in an error.{{}}
-
-
+To upload a new security policy using the REST API, send a `POST` request to the Security Policies API endpoint.
+You must encode the JSON policy using `base64`. If you send the policy in plain JSON, the request will fail.
{{}}
@@ -101,7 +93,7 @@ To upload a new security policy, send an HTTP `POST` request to the Security Pol
For example:
```shell
-curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies \
-H "Authorization: Bearer " \
-d @ignore-xss-example.json
```
@@ -134,7 +126,7 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
"modified": "2022-04-12T23:19:58.502Z",
"name": "ignore-cross-site-scripting",
"revisionTimestamp": "2022-04-12T23:19:58.502Z",
- "uid": "21daa130-4ba4-442b-bc4e-ab294af123e5"
+ "uid": ""
},
"selfLink": {
"rel": "/api/platform/v1/services/environments/prod"
@@ -148,11 +140,13 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
---
-## Update a Security Policy
+## Update a security policy
+
-To update a security policy, send an HTTP `POST` request to the Security Policies API endpoint, `/api/platform/v1/security/policies`.
+To update a security policy, send a `POST` or `PUT` request to the Security Policies API.
-You can use the optional `isNewRevision` parameter to indicate whether the updated policy is a new version of an existing policy.
+- Use `POST` with the `isNewRevision=true` parameter to add a new version of an existing policy.
+- Use `PUT` with the policy UID to overwrite the existing version.
{{}}
@@ -165,33 +159,35 @@ You can use the optional `isNewRevision` parameter to indicate whether the updat
{{}}
-For example:
+To use `POST`, include the policy metadata and content in your request:
```shell
-curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies?isNewRevision=true \
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies?isNewRevision=true \
-H "Authorization: Bearer " \
-d @update-xss-policy.json
```
-You can update a specific policy by sending an HTTP `PUT` request to the Security Policies API endpoint that includes the policy's unique identifier (UID).
+To use PUT, first retrieve the policy’s unique identifier (UID). You can do this by sending a GET request to the policies endpoint:
-To find the UID, send an HTTP `GET` request to the Security Policies API endpoint. This returns a list of all Security Policies that contains the unique identifier for each policy.
-
-Include the UID for the security policy in your `PUT` request to update the policy. Once the policy update is accepted, the WAF compiler will create a new, updated bundle.
+```shell
+curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies \
+ -H "Authorization: Bearer "
+```
-For example:
+Then include the UID in your PUT request:
```shell
-curl -X PUT https://{{NMS_FQDN}}/api/platform/v1/security/policies/23139e0a-4ac8-49f9-b7a0-0577b42c70c7 \
+curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/policies/ \
-H "Authorization: Bearer " \
- --Content-Type application/json -d @update-xss-policy.json
+ --Content-Type application/json \
+ -d @update-xss-policy.json
```
-After you have pushed an updated security policy, you can [publish it](#publish-policy) to selected instances or instance groups.
+After updating the policy, you can [publish it](#publish-policy) to selected instances or instance groups.
---
-## Delete a Security Policy
+## Delete a security policy
{{}}
@@ -199,17 +195,29 @@ After you have pushed an updated security policy, you can [publish it](#publish-
-To delete a security policy using the Instance Manager web interface:
+To delete a security policy using the NGINX Instance Manager web interface:
+
+1. In your browser, go to the FQDN for your NGINX Instance Manager host and log in.
+2. From the Launchpad menu, select **Instance Manager**.
+3. In the left menu, select **App Protect**.
+4. On the *Security Policies* page, find the policy you want to delete.
+5. Select the **Actions** menu (**...**) and choose **Delete**.
-1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select **Instance Manager**.
-2. On the left menu, select **App Protect**.
-3. On the *Security Policies* page, select the **Actions** menu (represented by an ellipsis, **...**) for the policy you want to delete. Select **Delete** to remove the policy.
{{%/tab%}}
{{%tab name="API"%}}
-To delete a security policy, send an HTTP `DELETE` request to the Security Policies API endpoint that includes the unique identifier for the policy that you want to delete.
+To delete a security policy using the REST API:
+
+1. Retrieve the UID for the policy by sending a `GET` request to the policies endpoint:
+
+ ```shell
+ curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies \
+ -H "Authorization: Bearer "
+ ```
+
+2. Send a `DELETE` request using the policy UID:
{{}}
@@ -221,10 +229,10 @@ To delete a security policy, send an HTTP `DELETE` request to the Security Polic
{{}}
-For example:
+Example:
```shell
-curl -X DELETE https://{{NMS_FQDN}}/api/platform/v1/security/policies/23139e0a-4ac8-49f9-b7a0-0577b42c70c7 \
+curl -X DELETE https://{{NIM_FQDN}}/api/platform/v1/security/policies/ \
-H "Authorization: Bearer "
```
@@ -232,36 +240,42 @@ curl -X DELETE https://{{NMS_FQDN}}/api/platform/v1/security/policies/23139e0a-4
{{}}
-{{%comment%}}TO DO: Add sections for managing attack signatures and threat campaigns{{%/comment%}}
-
---
-## Create Security Policy Bundles {#create-security-policy-bundles}
+## Create security policy bundles {#create-security-policy-bundles}
-To create security policy bundles, send an HTTP `POST` request to the Security Policies Bundles API endpoint. The specified security policies you'd like to compile into security policy bundles must already exist in Instance Manager.
-### Required Fields
+To create a security policy bundle, send a `POST` request to the Security Policy Bundles API. The policies you want to include in the bundle must already exist in NGINX Instance Manager.
-- `appProtectWAFVersion`: The version of NGINX App Protect WAF being used.
-- `policyName`: The name of security policy to include in the bundle. This must reference an existing security policy; refer to the [Create a Security Policy](#create-security-policy) section above for instructions.
+Each bundle includes:
-### Notes
+- A security policy
+- Attack signatures
+- Threat campaigns
+- A version of NGINX App Protect WAF
+- Supporting files required to compile and deploy the bundle
+
+### Required fields
+
+- `appProtectWAFVersion`: The version of NGINX App Protect WAF to target.
+- `policyName`: The name of the policy to include. Must reference an existing policy.
+- `policyUID`: Optional. If omitted, the latest revision of the specified policy is used. This field does **not** accept the keyword `latest`.
+
+If you don’t include `attackSignatureVersionDateTime` or `threatCampaignVersionDateTime`, the latest versions are used by default. You can also set them explicitly by using `"latest"` as the value.
-- If you do not specify a value for the `attackSignatureVersionDateTime` and/or `threatCampaignVersionDateTime` fields, the latest version of each will be used by default. You can also explicitly state that you want to use the most recent version by specifying the keyword `latest` as the value.
-- If the `policyUID` field is not defined, the latest version of the specified security policy will be used. This field **does not allow** use of the keyword `latest`.
{{}}
-| Method | Endpoint |
-|--------|--------------------------------------|
+| Method | Endpoint |
+|--------|----------------------------------------------|
| POST | `/api/platform/v1/security/policies/bundles` |
{{}}
-For example:
+Example:
```shell
-curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/policies/bundles \
-H "Authorization: Bearer " \
-d @security-policy-bundles.json
```
@@ -274,7 +288,7 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"bundles": [{
"appProtectWAFVersion": "4.457.0",
"policyName": "default-enforcement",
- "policyUID": "29d86fe8-612a-5c69-895a-04fc5b9849a6",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.06.20",
"threatCampaignVersionDateTime": "2023.07.18"
},
@@ -305,10 +319,10 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.457.0",
"policyName": "default-enforcement",
- "policyUID": "29d86fe8-612a-5c69-895a-04fc5b9849a6",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.06.20",
"threatCampaignVersionDateTime": "2023.07.18",
- "uid": "dceb8254-9a90-4e77-87ac-73070f821412"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -321,11 +335,11 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"created": "2023-10-04T23:19:58.502Z",
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.279.0",
- "policyName": "defautl-enforcement",
- "policyUID": "04fc5b9849a6-612a-5c69-895a-29d86fe8",
+ "policyName": "default-enforcement",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.08.10",
"threatCampaignVersionDateTime": "2023.08.09",
- "uid": "trs35lv2-9a90-4e77-87ac-ythn4967"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -339,10 +353,10 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.457.0",
"policyName": "ignore-xss",
- "policyUID": "849a604fc5b9-612a-5c69-895a-86f29de8",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.08.10",
"threatCampaignVersionDateTime": "2023.08.09",
- "uid": "nbu844lz-9a90-4e77-87ac-zze8861d"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -354,39 +368,38 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
}
```
-
---
-## List Security Policy Bundles {#list-security-policy-bundles}
+## List security policy bundles {#list-security-policy-bundles}
-To list security policy bundles, send an HTTP `GET` request to the Security Policies Bundles API endpoint.
+To list all security policy bundles, send a `GET` request to the Security Policy Bundles API.
-{{}}The list will only contain the security policy bundles that you have "READ" permissions for in Instance Manager.{{}}
+You’ll only see bundles you have `"READ"` permissions for.
-You can filter the results by using the following query parameters:
+You can use the following query parameters to filter results:
-- `includeBundleContent`: Boolean indicating whether to include the security policy bundle content for each bundle when getting a list of bundles or not. If not provided, defaults to `false`. Please note that the content returned is `base64 encoded`.
-- `policyName`: String used to filter the list of security policy bundles; only security policy bundles that have the specified security policy name will be returned. If not provided, it will not filter based on `policyName`.
-- `policyUID`: String used to filter the list of security policy bundles; only security policy bundles that have the specified security policy UID will be returned. If not provided, it will not filter based on `policyUID`.
-- `startTime`: The security policy bundle's "modified time" has to be equal to or greater than this time value. If no value is supplied, it defaults to 24 hours from the current time. `startTime` has to be less than `endTime`.
-- `endTime`: Indicates the time that the security policy bundles modified time has to be less than. If no value is supplied, it defaults to current time. `endTime` has to be greater than `startTime`.
+- `includeBundleContent`: Whether to include base64-encoded content in the response. Defaults to `false`.
+- `policyName`: Return only bundles that match this policy name.
+- `policyUID`: Return only bundles that match this policy UID.
+- `startTime`: Return only bundles modified at or after this time.
+- `endTime`: Return only bundles modified before this time.
-
+If no time range is provided, the API defaults to showing bundles modified in the past 24 hours.
{{}}
-| Method | Endpoint |
-|--------|--------------------------------------|
+| Method | Endpoint |
+|--------|----------------------------------------------|
| GET | `/api/platform/v1/security/policies/bundles` |
{{}}
-For example:
+Example:
```shell
-curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
+curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies/bundles \
-H "Authorization: Bearer "
```
@@ -401,10 +414,10 @@ curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.457.0",
"policyName": "default-enforcement",
- "policyUID": "29d86fe8-612a-5c69-895a-04fc5b9849a6",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.06.20",
"threatCampaignVersionDateTime": "2023.07.18",
- "uid": "dceb8254-9a90-4e77-87ac-73070f821412"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -418,10 +431,10 @@ curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.279.0",
"policyName": "defautl-enforcement",
- "policyUID": "04fc5b9849a6-612a-5c69-895a-29d86fe8",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.08.10",
"threatCampaignVersionDateTime": "2023.08.09",
- "uid": "trs35lv2-9a90-4e77-87ac-ythn4967"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -435,10 +448,10 @@ curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.457.0",
"policyName": "ignore-xss",
- "policyUID": "849a604fc5b9-612a-5c69-895a-86f29de8",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.08.10",
"threatCampaignVersionDateTime": "2023.08.09",
- "uid": "nbu844lz-9a90-4e77-87ac-zze8861d"
+ "uid": ""
},
"content": "",
"compilationStatus": {
@@ -452,35 +465,35 @@ curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/bundles \
---
-## Get a Security Policy Bundle {#get-security-policy-bundle}
+## Get a security policy bundle {#get-security-policy-bundle}
-To get a specific security policy bundle, send an HTTP `GET` request to the Security Policies Bundles API endpoint that contains the security policy UID and security policy bundle UID in the path.
+To retrieve a specific security policy bundle, send a `GET` request to the Security Policy Bundles API using the policy UID and bundle UID in the URL path.
-{{}}You must have "READ" permission for the security policy bundle to be able to retrieve information about a bundle by using the REST API.{{}}
-
-
+You must have `"READ"` permission for the bundle to retrieve it.
{{}}
-| Method | Endpoint |
-|--------|--------------------------------------|
+| Method | Endpoint |
+|--------|-------------------------------------------------------------------------------------------------|
| GET | `/api/platform/v1/security/policies/{security-policy-uid}/bundles/{security-policy-bundle-uid}` |
{{}}
-
-For example:
+Example:
```shell
-curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies/29d86fe8-612a-5c69-895a-04fc5b9849a6/bundles/trs35lv2-9a90-4e77-87ac-ythn4967 \
+curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/policies//bundles/ \
-H "Authorization: Bearer "
```
-The JSON response, shown in the example below, includes a `content` field that is base64 encoded. After you retrieve the information from the API, you will need to base64 decode the content field. You can include this in your API call, as shown in the following example cURL request:
+The response includes a content field that contains the bundle in base64 format. To use it, you’ll need to decode the content and save it as a `.tgz` file.
+
+Example:
```bash
-curl -X GET "https://{NMS_FQDN}/api/platform/v1/security/policies/{security-policy-uid}/bundles/{security-policy-bundle-uid}" -H "Authorization: Bearer xxxxx.yyyyy.zzzzz" | jq -r '.content' | base64 -d > security-policy-bundle.tgz
+curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/policies//bundles/" \
+ -H "Authorization: Bearer " | jq -r '.content' | base64 -d > security-policy-bundle.tgz
```
@@ -492,10 +505,10 @@ curl -X GET "https://{NMS_FQDN}/api/platform/v1/security/policies/{security-poli
"created": "2023-10-04T23:19:58.502Z",
"modified": "2023-10-04T23:19:58.502Z",
"appProtectWAFVersion": "4.457.0",
- "policyUID": "29d86fe8-612a-5c69-895a-04fc5b9849a6",
+ "policyUID": "",
"attackSignatureVersionDateTime": "2023.08.10",
"threatCampaignVersionDateTime": "2023.08.09",
- "uid": "trs35lv2-9a90-4e77-87ac-ythn4967"
+ "uid": ""
},
"content": "ZXZlbnRzIHt9Cmh0dHAgeyAgCiAgICBzZXJ2ZXIgeyAgCiAgICAgICAgbGlzdGVuIDgwOyAgCiAgICAgICAgc2VydmVyX25hbWUgXzsKCiAgICAgICAgcmV0dXJuIDIwMCAiSGVsbG8iOyAgCiAgICB9ICAKfQ==",
"compilationStatus": {
@@ -507,28 +520,25 @@ curl -X GET "https://{NMS_FQDN}/api/platform/v1/security/policies/{security-poli
---
-## Create a Security Log Profile {#create-security-log-profile}
-
-Send an HTTP `POST` request to the Security Log Profiles API endpoint to upload a new security log profile.
+## Create a security log profile {#create-security-log-profile}
-{{}}Before sending a security log profile to Instance Manager, you need to encode it using `base64`. Submitting a log profile in its original JSON format will result in an error.{{}}
-
-
+To upload a new security log profile, send a `POST` request to the Security Log Profiles API endpoint.
+You must encode the log profile in `base64` before sending it. If you send plain JSON, the request will fail.
{{}}
-| Method | Endpoint |
-|--------|--------------------------------------|
+| Method | Endpoint |
+|--------|-----------------------------------------|
| POST | `/api/platform/v1/security/logprofiles` |
{{}}
-For example:
+Example:
```shell
-curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/logprofiles \
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles \
-H "Authorization: Bearer " \
-d @default-log-example.json
```
@@ -558,87 +568,100 @@ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/logprofiles \
"modified": "2023-07-05T22:09:19.634358096Z",
"name": "default-log-example",
"revisionTimestamp": "2023-07-05T22:09:19.634358096Z",
- "uid": "54c35ad7-e082-4dc5-bb5d-2640a17d5620"
+ "uid": ""
},
"selfLink": {
- "rel": "/api/platform/v1/security/logprofiles/54c35ad7-e082-4dc5-bb5d-2640a17d5620"
+ "rel": "/api/platform/v1/security/logprofiles/"
}
}
```
---
-## Update a Security Log Profile
-
-To update a security log profile, send an HTTP `POST` request to the Security Log Profiles API endpoint, `/api/platform/v1/security/logprofiles`.
+## Update a security log profile {#update-security-log-profile}
-You can use the optional `isNewRevision` parameter to indicate whether the updated log profile is a new version of an existing log profile.
+To update a security log profile, you can either:
+- Use `POST` with the `isNewRevision=true` parameter to add a new version.
+- Use `PUT` with the log profile UID to overwrite the existing version.
{{}}
-| Method | Endpoint |
-|--------|---------------------------------------------------------|
-| POST | `/api/platform/v1/security/logprofiles?isNewRevision=true` |
+| Method | Endpoint |
+|--------|--------------------------------------------------------------------|
+| POST | `/api/platform/v1/security/logprofiles?isNewRevision=true` |
| PUT | `/api/platform/v1/security/logprofiles/{security-log-profile-uid}` |
{{}}
-For example:
+To create a new revision:
```shell
-curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/logprofiles?isNewRevision=true \
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles?isNewRevision=true \
-H "Authorization: Bearer " \
-d @update-default-log.json
```
-You can update a specific log profile by sending an HTTP `PUT` request to the Security Log Profiles API endpoint that includes the log profile's unique identifier (UID).
-
-To find the UID, send an HTTP `GET` request to the Security Log Profiles API endpoint. This returns a list of all Security Log Profiles that contains the unique identifier for each log profile.
+To overwrite an existing security log profile:
-Include the UID for the security log profile in your `PUT` request to update the log profile.
+1. Retrieve the profile’s UID:
-For example:
+ ```shell
+ curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/ \
+ -H "Authorization: Bearer " \
+ --Content-Type application/json \
+ -d @update-log-profile.json
+ ```
-```shell
-curl -X PUT https://{{NMS_FQDN}}/api/platform/v1/security/logprofiles/23139e0a-4ac8-49f9-b7a0-0577b42c70c7 \
- -H "Authorization: Bearer " \
- --Content-Type application/json -d @update-default-log.json
-```
+2. Use the UID in your PUT request:
+
+ ```shell
+ curl -X PUT https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/ \
+ -H "Authorization: Bearer " \
+ --Content-Type application/json \
+ -d @update-log-profile.json
+ ```
-After you have pushed an updated security log profile, you can [publish it](#publish-policy) to selected instances or instance groups.
+After updating the security log profile, you can [publish it](#publish-policy) to specific instances or instance groups.
---
-## Delete a Security Log Profile
+## Delete a security log profile {#delete-security-log-profile}
-To delete a security log profile, send an HTTP `DELETE` request to the Security Log Profiles API endpoint that includes the unique identifier for the log profile that you want to delete.
+To delete a security log profile, send a `DELETE` request to the Security Log Profiles API using the profile’s UID.
{{}}
-| Method | Endpoint |
-|--------|------------------------------------------------------------|
+| Method | Endpoint |
+|--------|--------------------------------------------------------------------|
| DELETE | `/api/platform/v1/security/logprofiles/{security-log-profile-uid}` |
{{}}
-For example:
+1. Retrieve the UID:
-```shell
-curl -X DELETE https://{{NMS_FQDN}}/api/platform/v1/security/logprofiles/23139e0a-4ac8-49f9-b7a0-0577b42c70c7 \
- -H "Authorization: Bearer "
-```
+ ```shell
+ curl -X GET https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles \
+ -H "Authorization: Bearer "
+ ```
+
+2. Send the delete request:
+
+ ```shell
+ curl -X DELETE https://{{NIM_FQDN}}/api/platform/v1/security/logprofiles/ \
+ -H "Authorization: Bearer "
+ ```
---
-## Publish Updates to Instances {#publish-policy}
+## Publish updates to instances {#publish-policy}
-The Publish API lets you distribute security policies, security log profiles, attack signatures, and/or threat campaigns to instances and instance groups.
+Use the Publish API to push security policies, log profiles, attack signatures, and threat campaigns to NGINX instances or instance groups.
-{{}}Use this endpoint *after* you've added or updated security policies, security log profiles, attack signatures, and/or threat campaigns.{{}}
+Call this endpoint *after* you've created or updated the resources you want to deploy.
{{}}
@@ -650,18 +673,20 @@ The Publish API lets you distribute security policies, security log profiles, at
{{}}
-When making a request to the Publish API, make sure to include all the necessary information for your specific use case:
+Include the following information in your request, depending on what you're publishing:
-- Instance and/or Instance Group UID(s) to push the bundle to
-- Threat Campaign version and UID
-- Attack Signature version and UID
-- Security Policy UID(s)
-- Security Log Profile UID(s)
+- Instance and instance group UIDs
+- Policy UID and name
+- Log profile UID and name
+- Attack signature library UID and version
+- Threat campaign UID and version
-For example:
+Example:
```shell
-curl -X PUT https://{{NMS_FQDN}}/api/platform/v1/security/publish -H "Authorization: Bearer "
+curl -X POST https://{{NIM_FQDN}}/api/platform/v1/security/publish \
+ -H "Authorization: Bearer " \
+ -d @publish-request.json
```
@@ -671,27 +696,27 @@ curl -X PUT https://{{NMS_FQDN}}/api/platform/v1/security/publish -H "Authorizat
{
"publications": [
{
- "attackSignatureLibrary": {
- "uid": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
- "versionDateTime": "2022.10.02"
- },
- "instanceGroups": [
- "3fa85f64-5717-4562-b3fc-2c963f66afa6"
- ],
"instances": [
- "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+ ""
],
+ "instanceGroups": [
+ ""
+ ],
+ "policyContent": {
+ "name": "example-policy",
+ "uid": ""
+ },
"logProfileContent": {
- "name": "default-log",
- "uid": "ffdbda39-88be-420a-b673-19d4183b7e4c"
+ "name": "example-log-profile",
+ "uid": ""
},
- "policyContent": {
- "name": "default-enforcement",
- "uid": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+ "attackSignatureLibrary": {
+ "uid": "",
+ "versionDateTime": "2023.10.02"
},
"threatCampaign": {
- "uid": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
- "versionDateTime": "2022.10.01"
+ "uid": "",
+ "versionDateTime": "2023.10.01"
}
}
]
@@ -721,357 +746,91 @@ curl -X PUT https://{{NMS_FQDN}}/api/platform/v1/security/publish -H "Authorizat
---
-## Check Security Policy and Security Log Profile Publication Status
-When publishing an NGINX configuration that references a security policy and secuity log profile, the Instance Manager REST APIs can provide further details about the status of the configuration publications. To access this information, use the Instance Manager API endpoints and method as indicated.
+## Check security policy and security log profile publication status {#check-publication-status}
-To retrieve the details for the different configuration publication statuses for a particular security policy, send an HTTP `GET` request to the Security Deployments Associations API endpoint, providing the name of the security policy.
+After publishing updates, you can check deployment status using the NGINX Instance Manager REST API.
-| Method | Endpoint |
-|--------|-----------------------------------------------------------------------------|
-| GET | `/api/platform/v1/security/deployments/associations/{security-policy-name}` |
+Use the following endpoints to verify whether the configuration updates were successfully deployed to instances or instance groups.
-You can locate the configuration publication status in the response within the field `lastDeploymentDetails` for instances and instance groups:
+### Check publication status for a security policy
-- `lastDeploymentDetails` (for an instance): associations -> instance -> lastDeploymentDetails
-- `lastDeploymentDetails` (for an instance in an instance group): associations -> instanceGroup -> instances -> lastDeploymentDetails
+To view deployment status for a specific policy, send a `GET` request to the Security Deployments Associations API using the policy name.
-The example below shows a call to the `security deployments associations` endpoint and the corresponding JSON response containing successful deployments.
+{{}}
-```shell
-curl -X GET "https://{NGINX-INSTANCE-MANAGER-FQDN}/api/platform/v1/security/deployments/associations/ignore-xss" -H "Authorization: Bearer "
-```
+| Method | Endpoint |
+|--------|--------------------------------------------------------------------|
+| GET | `/api/platform/v1/security/deployments/associations/{policy-name}` |
-
-JSON Response
+{{ }}
-```json
-{
- "associations": [
- {
- "attackSignatureLibrary": {
- "uid": "c69460cc-6b59-4813-8d9c-76e4a6c56b4b",
- "versionDateTime": "2023.02.16"
- },
- "instance": {
- "hostName": "ip-172-16-0-99",
- "lastDeploymentDetails": {
- "createTime": "2023-04-11T21:36:11.519174534Z",
- "details": {
- "failure": [],
- "pending": [],
- "success": [
- {
- "name": "ip-172-16-0-99"
- }
- ]
- },
- "id": "19cf5ed4-29d6-4139-b5f5-308c0d0ebb13",
- "message": "Instance config successfully published to",
- "status": "successful",
- "updateTime": "2023-04-11T21:36:14.008108979Z"
- },
- "systemUid": "0435a5de-41c1-3754-b2e8-9d9fe946bafe",
- "uid": "29d86fe8-612a-5c69-895a-04fc5b9849a6"
- },
- "instanceGroup": {
- "displayName": "inst_group_1",
- "instances": [
- {
- "hostName": "hostname1",
- "systemUid": "49d143c2-f556-4cd7-8658-76fff54fb861",
- "uid": "c8e15dcf-c504-4b7f-b52d-def7b8fd2f64",
- "lastDeploymentDetails": {
- "createTime": "2023-04-11T21:36:11.519174534Z",
- "details": {
- "failure": [],
- "pending": [],
- "success": [
- {
- "name": "ip-172-16-0-99"
- }
- ]
- },
- "id": "19cf5ed4-29d6-4139-b5f5-308c0d0ebb13",
- "message": "Instance config successfully published to",
- "status": "successful",
- "updateTime": "2023-04-11T21:36:14.008108979Z"
- },
- },
- {
- "hostName": "hostname2",
- "systemUid": "88a99ab0-15bb-4719-9107-daf5007c33f7",
- "uid": "ed7e9173-794f-41af-80d9-4ed37d593247",
- "lastDeploymentDetails": {
- "createTime": "2023-04-11T21:36:11.519174534Z",
- "details": {
- "failure": [],
- "pending": [],
- "success": [
- {
- "name": "ip-172-16-0-99"
- }
- ]
- },
- "id": "19cf5ed4-29d6-4139-b5f5-308c0d0ebb13",
- "message": "Instance config successfully published to",
- "status": "successful",
- "updateTime": "2023-04-11T21:36:14.008108979Z"
- },
- }
- ],
- "uid": "51f8addc-c0e9-438b-b0b6-3e4f1aa8202d"
- },
- "policyUid": "9991f237-d9c7-47b7-98aa-faa836838f38",
- "policyVersionDateTime": "2023-04-11T21:18:19.183Z",
- "threatCampaign": {
- "uid": "eab683fe-c2f1-4910-a88c-8bfbc6363164",
- "versionDateTime": "2023.02.15"
- }
- }
- ]
-}
+Example:
+
+```shell
+curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/deployments/associations/ignore-xss" \
+ -H "Authorization: Bearer "
```
-
+In the response, look for the `lastDeploymentDetails` field under instance or `instanceGroup.instances`.
-To retrieve the details for the different configuration publication statuses for a particular security log profile, send an HTTP `GET` request to the Security Deployments Associations API endpoint, providing the name of the security log profile.
-| Method | Endpoint |
-|--------|-----------------------------------------------------------------------------|
-| GET | `/api/platform/v1/security/deployments/logprofiles/associations/{security-log-profile-name}` |
+### Check publication status for a security log profile
-You can locate the configuration publication status in the response within the field `lastDeploymentDetails` for instances and instance groups:
+{{}}
-- `lastDeploymentDetails` (for an instance): associations -> instance -> lastDeploymentDetails
-- `lastDeploymentDetails` (for an instance in an instance group): associations -> instanceGroup -> instances -> lastDeploymentDetails
+| Method | Endpoint |
+|--------|-------------------------------------------------------------------------------------|
+| GET | `/api/platform/v1/security/deployments/logprofiles/associations/{log-profile-name}` |
-The example below shows a call to the `security deployments associations` endpoint and the corresponding JSON response containing successful deployments.
+{{}}
+
+Example:
```shell
-curl -X GET "https://{NGINX-INSTANCE-MANAGER-FQDN}/api/platform/v1/security/deployments/logprofiles/associations/default-log" -H "Authorization: Bearer "
+curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/security/deployments/logprofiles/associations/default-log" \
+ -H "Authorization: Bearer "
```
-
-JSON Response
+The response also contains `lastDeploymentDetails` for each instance or group.
-```json
-{
- "associations": [
- {
- "instance": {
- "hostName": "",
- "systemUid": "",
- "uid": ""
- },
- "instanceGroup": {
- "displayName": "ig1",
- "instances": [
- {
- "hostName": "ip-172-16-0-142",
- "systemUid": "1d1f03ff-02de-32c5-8dfd-902658aada4c",
- "uid": "18d074e6-3868-51ba-9999-b7466a936815"
- }
- ],
- "lastDeploymentDetails": {
- "createTime": "2023-07-05T23:01:06.679136973Z",
- "details": {
- "failure": [],
- "pending": [],
- "success": [
- {
- "name": "ip-172-16-0-142"
- }
- ]
- },
- "id": "9bfc9db7-877d-4e8e-a43d-9660a6cd11cc",
- "message": "Instance Group config successfully published to ig1",
- "status": "successful",
- "updateTime": "2023-07-05T23:01:06.790802157Z"
- },
- "uid": "0df0386e-82f7-4efc-863e-5d7cfbc3f7df"
- },
- "logProfileUid": "b680f7c3-6fc0-4c6b-889a-3025580c7fcb",
- "logProfileVersionDateTime": "2023-07-05T22:08:47.371Z"
- },
- {
- "instance": {
- "hostName": "ip-172-16-0-5",
- "lastDeploymentDetails": {
- "createTime": "2023-07-05T21:45:08.698646791Z",
- "details": {
- "failure": [],
- "pending": [],
- "success": [
- {
- "name": "ip-172-16-0-5"
- }
- ]
- },
- "id": "73cf670a-738a-4a74-b3fb-ac9771e89814",
- "message": "Instance config successfully published to",
- "status": "successful",
- "updateTime": "2023-07-05T21:45:08.698646791Z"
- },
- "systemUid": "0afe5ac2-43aa-36c8-bcdc-7f88cdd35ab2",
- "uid": "9bb4e2ef-3746-5d79-b526-e545fad27e90"
- },
- "instanceGroup": {
- "displayName": "",
- "instances": [],
- "uid": ""
- },
- "logProfileUid": "bb3badb2-f8f5-4b95-9428-877fc208e2f1",
- "logProfileVersionDateTime": "2023-07-03T21:46:17.006Z"
- }
- ]
-}
-```
+### Check status for a specific instance
-
+You can also view the deployment status for a specific instance by providing the system UID and instance UID.
-To retrieve the configuration publication status details for a particular instance, send an HTTP `GET` request to the Instances API endpoint, providing the unique system and instance identifiers.
+{{}}
-| Method | Endpoint |
-|--------|-----------------------------------------------------------------|
-| GET | `/api/platform/v1/systems/{system-uid}/instances/{instance-id}` |
+| Method | Endpoint |
+|--------|------------------------------------------------------------------|
+| GET | `/api/platform/v1/systems/{system-uid}/instances/{instance-uid}` |
-You can locate the configuration publication status in the the response within the `lastDeploymentDetails` field, which contains additional fields that provide more context around the status.
+{{}}
-The example below shows a call to the `instances` endpoint and the corresponding JSON response containing a compiler related error message.
+Example:
```shell
-curl -X GET "https://{NGINX-INSTANCE-MANAGER-FQDN}/api/platform/v1/systems/b9df6377-2c4f-3266-a64a-e064b0371c73/instances/5663cf4e-a0c7-50c8-b93c-16fd11a0f00b" -H "Authorization: Bearer "
+curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/systems//instances/" \
+ -H "Authorization: Bearer "
```
-
-JSON Response
+In the response, look for the `lastDeploymentDetails` field, which shows the deployment status and any related errors.
-```json
-{
- "build": {
- "nginxPlus": true,
- "release": "nginx-plus-r28",
- "version": "1.23.2"
- },
- "configPath": "/etc/nginx/nginx.conf",
- "configVersion": {
- "instanceGroup": {
- "createTime": "0001-01-01T00:00:00Z",
- "uid": "",
- "versionHash": ""
- },
- "versions": [
- {
- "createTime": "2023-01-14T10:48:46.319Z",
- "uid": "5663cf4e-a0c7-50c8-b93c-16fd11a0f00b",
- "versionHash": "922e9d40fa6d4dd3a4b721295b8ecd95f73402644cb8d234f9f4f862b8a56bfc"
- }
- ]
- },
- "displayName": "ip-192-0-2-27",
- "links": [
- {
- "rel": "/api/platform/v1/systems/b9df6377-2c4f-3266-a64a-e064b0371c73",
- "name": "system"
- },
- {
- "rel": "/api/platform/v1/systems/b9df6377-2c4f-3266-a64a-e064b0371c73/instances/5663cf4e-a0c7-50c8-b93c-16fd11a0f00b",
- "name": "self"
- },
- {
- "rel": "/api/platform/v1/systems/instances/deployments/b31c6ab1-4a46-4c81-a065-204575145e8e",
- "name": "deployment"
- }
- ],
- "processPath": "/usr/sbin/nginx",
- "registrationTime": "2023-01-14T10:12:31.000Z",
- "startTime": "2023-01-14T10:09:43Z",
- "status": {
- "lastStatusReport": "2023-01-14T11:11:49.323495017Z",
- "state": "online"
- },
- "uid": "5663cf4e-a0c7-50c8-b93c-16fd11a0f00b",
- "version": "1.23.2",
- "appProtect": {
- "attackSignatureVersion": "Available after publishing Attack Signatures from Instance Manager",
- "status": "active",
- "threatCampaignVersion": "Available after publishing Threat Campaigns from Instance Manager",
- "version": "4.2.0"
- },
- "configureArgs": [
- ...
- ],
- "lastDeploymentDetails": {
- "createTime": "2023-01-14T11:10:25.096812852Z",
- "details": {
- "error": "{\"instance:b9df6377-2c4f-3266-a64a-e064b0371c73\":\"failed building config payload: policy compilation failed for deployment b31c6ab1-4a46-4c81-a065-204575145e8e due to integrations service error: the specified compiler (4.2.0) is missing, please install it and try again.\"}",
- "failure": [
- {
- "failMessage": "failed building config payload: policy compilation failed for deployment b31c6ab1-4a46-4c81-a065-204575145e8e due to integrations service error: the specified compiler (4.2.0) is missing, please install it and try again.",
- "name": "ip-192-0-2-27"
- }
- ],
- "pending": [],
- "success": []
- },
- "id": "b31c6ab1-4a46-4c81-a065-204575145e8e",
- "message": "Instance config failed to publish to",
- "status": "failed",
- "updateTime": "2023-01-14T11:10:25.175145693Z"
- },
- "loadableModules": [
- ...
- ],
- "packages": [
- ...
- ],
- "processId": "10345",
- "ssl": {
- "built": null,
- "runtime": null
- }
-}
-```
+### Check deployment result by deployment ID
-
+When you use the Publish API to [publish security content](#publish-policy), NGINX Instance Manager creates a deployment ID for the request. You can use this ID to check the result of the publication.
-When you use the Publish API (`/security/publish`) to [publish a security policy and security log profile](#publish-policy), Instance Manager creates a deployment ID for the request. To view the status of the update, or to check for any errors, use the endpoint and method shown below and reference the deployment ID.
+{{}}
| Method | Endpoint |
|--------|------------------------------------------------------------------|
| GET | `/api/platform/v1/systems/instances/deployments/{deployment-id}` |
-You can locate the configuration publication status in the the response within the `details` field, which contains additional fields that provide more context around the status.
+{{}}
-The example below shows a call to the `deployments` endpoint and the corresponding JSON response containing a compiler error message.
+Example:
```shell
-curl -X GET --url "https://{NGINX-INSTANCE-MANAGER-FQDN}/api/platform/v1/systems/instances/deployments/d38a8e5d-2312-4046-a60f-a30a4aea1fbb" \
+curl -X GET "https://{{NIM_FQDN}}/api/platform/v1/systems/instances/deployments/" \
-H "Authorization: Bearer "
```
-
-JSON Response
-
-```json
-{
- "createTime": "2023-01-14T04:35:47.566082799Z",
- "details": {
- "error": "{\"instance:8a2092aa-5612-370d-bff0-5d7521e206d6\":\"failed building config payload: policy bundle compilation failed for d38a8e5d-2312-4046-a60f-a30a4aea1fbb, integrations service returned the following error: missing the specified compiler (4.2.0) please install it and try again\"}",
- "failure": [
- {
- "failMessage": "failed building config payload: policy bundle compilation failed for d38a8e5d-2312-4046-a60f-a30a4aea1fbb, integrations service returned the following error: missing the specified compiler (4.2.0) please install it and try again",
- "name": "ip-192-0-2-243"
- }
- ],
- "pending": [],
- "success": []
- },
- "id": "d38a8e5d-2312-4046-a60f-a30a4aea1fbb",
- "message": "Instance config failed to publish to",
- "status": "failed",
- "updateTime": "2023-01-14T04:35:47.566082799Z"
-}
-```
-
-
+The response includes the full deployment status, success or failure details, and any compiler error messages.
diff --git a/content/nim/nginx-app-protect/overview-nap-waf-config-management.md b/content/nim/nginx-app-protect/overview-nap-waf-config-management.md
index 92287079d..b0d31319f 100644
--- a/content/nim/nginx-app-protect/overview-nap-waf-config-management.md
+++ b/content/nim/nginx-app-protect/overview-nap-waf-config-management.md
@@ -1,68 +1,76 @@
---
-description: Learn how you can use F5 NGINX Management Suite Instance Manager to configure
- NGINX App Protect WAF security policies.
+description: Learn how to use F5 NGINX Instance Manager to set up and manage NGINX App Protect WAF security policies.
docs: DOCS-992
-title: NGINX App Protect WAF configuration management
+title: "How WAF policy management works"
toc: true
-weight: 500
+weight: 100
type:
- reference
---
## Overview
-F5 NGINX Management Suite Instance Manager provides configuration management for [NGINX App Protect WAF](https://www.nginx.com/products/nginx-app-protect/web-application-firewall/).
+F5 NGINX Instance Manager helps you manage [NGINX App Protect WAF](https://www.nginx.com/products/nginx-app-protect/web-application-firewall/) security configurations.
-You can use NGINX App Protect WAF with Instance Manager to inspect incoming traffic, identify potential threats, and block malicious traffic. With Configuration Management for App Protect WAF, you can configure WAF security policies in a single location and push your configurations out to one, some, or all of your NGINX App Protect WAF instances.
+Use NGINX Instance Manager with NGINX App Protect WAF to inspect incoming traffic, detect threats, and block malicious requests. You can define policies in one place and push them to some or all of your NGINX App Protect WAF instances.
-### Features
+### Key features
-- Manage NGINX App Protect WAF security configurations by using the NGINX Management Suite user interface or REST API
-- Update Attack Signatures and Threat Campaign packages
-- Compile security configurations into a binary bundle for consumption by NGINX App Protect WAF instances
+- Manage WAF policies using the NGINX Instance Manager web interface or REST API
+- Update attack signature and threat campaign packages
+- Compile WAF configurations into a binary bundle for deployment
## Architecture
-As demonstrated in Figure 1, Instance Manager lets you manage security configurations for NGINX App Protect WAF. You can define security policies, upload attack signatures and threat campaign packages, and publish common configurations out to your NGINX App Protect WAF instances. Instance Manager can compile the security configuration into a bundle before pushing the configuration to the NGINX App Protect WAF data plane instances. The NGINX Management Suite Security Monitoring module provides data visualization for NGINX App Protect, so you can monitor, analyze, and refine your policies.
+NGINX Instance Manager lets you define and manage security policies, upload signature packages, and push configurations to your NGINX App Protect WAF instances. It can also compile your security configuration into a bundle before publishing it to the data plane.
-{{< img src="nim/app-sec-overview.png" caption="Figure 1. NGINX Management Suite with NGINX App Protect Architecture Overview" alt="A diagram showing the architecture of the NGINX Management Suite with NGINX App Protect solution" width="75%">}}
+The **Security Monitoring** module shows real-time data from NGINX App Protect WAF so you can track traffic, spot anomalies, and fine-tune policies.
-### Security Bundle Compilation {#security-bundle}
+{{< img src="nim/app-sec-overview.png" caption="Figure 1. NGINX Instance Manager with NGINX App Protect architecture overview" alt="Architecture diagram showing NGINX Instance Manager and Security Monitoring in the control plane pushing security bundles to NGINX App Protect WAF instances in the data plane" >}}
-Instance Manager provides a compiler that can be configured to bundle the complete security configuration -- including JSON security policies, attack signatures, threat campaigns, and log profiles -- into a single binary in `.tgz` format. This bundle is then pushed out to each selected NGINX App Protect WAF instance.
+### Security bundle compilation {#security-bundle}
-Performing the security bundle compilation on Instance Manager (precompiled publication) instead of on the NGINX App Protect WAF instances provides the following benefits:
+NGINX Instance Manager includes a compiler that packages your complete WAF configuration — security policies, attack signatures, threat campaigns, and log profiles — into a single `.tgz` file. It then pushes this bundle to the selected NGINX App Protect WAF instances.
-- Eliminates the need to provision system resources on NGINX App Protect WAF instances to perform compilation.
-- The bundles produced by Instance Manager can be reused by multiple NGINX App Protect WAF instances, instead of each instance having to perform the compilation separately.
+**Why precompile with NGINX Instance Manager?**
-However, if you prefer to maintain policy compilation on the NGINX App Protect WAF instance, that is supported with the following limitation:
+- Saves system resources on WAF instances
+- Lets you reuse the same bundle across multiple instances
-- Instance Manager does not publish JSON policies to the NGINX App Protect WAF instance. JSON policies referenced in an NGINX configuration must already exist on the NGINX App Protect WAF instance.
+If you choose to compile policies on the WAF instance instead, that works too—but with this limitation:
-The example [`location`](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) context below enables NGINX App Protect WAF and tells NGINX where to find the compiled security bundle:
+- NGINX Instance Manager won’t publish `.json` policies to the WAF instance. These policies must already exist on the instance and be referenced in the NGINX config.
-## Log Profile Compilation
+Example [`location`](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) block to enable WAF and point to the bundle:
-Instance Manager can also be configured to compile log profiles when you install a new version of the WAF compiler. When you publish an NGINX configuration with the NGINX App Protect [`app_protect_security_log`](https://docs.nginx.com/nginx-app-protect/logging-overview/security-log/#app_protect_security_log) directive, Instance Manager publishes the compiled log profiles to the NGINX App Protect WAF instances when precompiled publication is enabled.
+```nginx
+location / {
+ app_protect_enable on;
+ app_protect_policy_file /etc/app_protect/policies/policy_bundle.tgz;
+}
+```
+
+## Log profile compilation
+
+You can also configure NGINX Instance Manager to compile log profiles when you install a new version of the compiler. When publishing NGINX configs that include the [`app_protect_security_log`](https://docs.nginx.com/nginx-app-protect/logging-overview/security-log/#app_protect_security_log) directive, NGINX Instance Manager pushes the compiled log profile to your WAF instances (when precompiled publication is turned on).
{{}}
-Instance Manager and Security Monitoring both use NGINX App Protect log profiles. The configuration requirements for each are different. When using Instance Manager configuration management, you must reference the log profile in your NGINX configuration using the `.tgz` file extension instead of `.json`.
+NGINX Instance Manager and Security Monitoring both use log profiles, but their configurations are different. If you're using configuration management in NGINX Instance Manager, you must reference the log profile with the `.tgz` file extension, not `.json`.
{{}}
-## Security Management APIs
+## Security management APIs
-By using the Instance Manager REST API, you can automate configuration updates to be pushed out to all of your NGINX App Protect WAF instances. You can use the Instance Manager API to manage and deploy the following security configurations:
+Use the NGINX Instance Manager REST API to automate updates across your NGINX App Protect WAF instances. You can use the API to manage:
-- security policies,
-- log profiles,
-- attack signatures, and
-- threat campaigns.
+- Security policies
+- Log profiles
+- Attack signatures
+- Threat campaigns
-Just as with changes made via the user interface, the Instance Manager compiler bundles all of the config updates into a single binary package that you can push out to your instances. Figure 2 shows an overview of the API endpoints available to support security policy configuration and publishing.
+Just like with the web interface, the compiler creates a binary bundle with your updates that you can push to your WAF instances.
-{{< img src="nim/app-sec-api-overview.png" caption="Figure 2. NGINX Management Suite with NGINX App Protect WAF Architecture Overview" alt="A diagram showing the architecture of the NGINX Management Suite with NGINX App Protect solution">}}
+{{< img src="nim/app-sec-api-overview.png" caption="Figure 2. NGINX Instance Manager with NGINX App Protect WAF architecture overview" alt="Diagram showing how the NGINX Instance Manager REST API is used to create policies, upload signatures and campaigns, and publish compiled security bundles to NGINX App Protect WAF instances">}}
-More information is available in the Instance Manager API documentation.
+For full details, see the API documentation:
{{< include "nim/how-to-access-api-docs.md" >}}
diff --git a/content/nim/nginx-app-protect/setup-waf-config-management.md b/content/nim/nginx-app-protect/setup-waf-config-management.md
index a0879164d..63175f6c4 100644
--- a/content/nim/nginx-app-protect/setup-waf-config-management.md
+++ b/content/nim/nginx-app-protect/setup-waf-config-management.md
@@ -1,9 +1,8 @@
---
-title: Manage Your App Protect WAF Configs
-weight: 100
+title: Set up WAF configuration management
+weight: 200
toc: true
-description: Learn how to use F5 NGINX Instance Manager to secure your
- applications with NGINX App Protect WAF security policies.
+description: Learn how to set up F5 NGINX Instance Manager to manage NGINX App Protect WAF configurations, including compiler installation, security policy onboarding, and threat update management.
type: how-to
product: NIM
docs: DOCS-996
@@ -11,498 +10,581 @@ docs: DOCS-996
## Overview
-Instance Manager helps you manage your F5 NGINX App Protect WAF configurations, making it easy to stay secure. This guide shows you how to set up Instance Manager to configure and manage NGINX App Protect WAF.
+F5 NGINX Instance Manager helps you manage your NGINX App Protect WAF configurations, making it easier to stay secure. This guide walks you through how to set up NGINX Instance Manager to configure and manage NGINX App Protect WAF.
-### Before You Begin
+### Before you begin
-Complete the following prerequisites before proceeding with this guide.
+Make sure you've completed the following prerequisites before you get started:
-- You have one or more instances of [NGINX App Protect WAF]({{< ref "/nap-waf/" >}}) installed and running. See [Support for NGINX App Protect WAF]({{< ref "/nim/fundamentals/tech-specs.md#support-for-nginx-app-protect-waf" >}}) for a list of supported versions.
+- You have one or more [NGINX App Protect WAF]({{< ref "/nap-waf/" >}}) instances running. For supported versions, see [Support for NGINX App Protect WAF]({{< ref "/nim/fundamentals/tech-specs.md#support-for-nginx-app-protect-waf" >}}).
- {{< note >}} If you are using configuration management and the NGINX Instance Manager Security Monitoring, follow the instructions in the [setup guide]({{< ref "/nim/nginx-app-protect/security-monitoring/set-up-app-protect-instances.md" >}}) to set up your NGINX App Protect instances before proceeding with this guide. {{}}
+ {{}}If you're using configuration management and Security Monitoring, follow the steps in the [setup guide]({{< ref "/nim/nginx-app-protect/security-monitoring/set-up-app-protect-instances.md" >}}) to set up your NGINX App Protect WAF instances first.{{}}
-- You have Instance Manager v2.6.0 or later [installed]({{< ref "/nim/deploy/vm-bare-metal/_index.md" >}}), licensed, and running.
- If you have a subscription to NGINX App Protect WAF, you can find your Instance Manager license in the subscription details section of [MyF5](https://my.f5.com).
+- You're running NGINX Instance Manager v2.6.0 or later. Make sure it's [installed]({{< ref "/nim/deploy/vm-bare-metal/_index.md" >}}), licensed, and running.
+
+ If you have a subscription to NGINX App Protect WAF, you can find your license in the subscription details section of [MyF5](https://my.f5.com).
### Limitations
-Instance Manager does not support the following NGINX App Protect features:
+NGINX Instance Manager doesn’t support the following NGINX App Protect WAF features:
- [Policies with external references]({{< ref "/nap-waf/v4/configuration-guide/configuration.md#external-references" >}})
- Custom signatures
---
-## Install the WAF Compiler
-
-Instance Manager can use the NGINX App Protect WAF compiler to "pre-compile" security configurations before syncing them to managed data plane instances. You'll need to install the WAF compiler package on the NGINX Instance Manager host to enable this functionality. If you'll be continuing with WAF compilation on the data plane host, installing the WAF compiler on the NGINX Instance Manager host is not necessary.
-
-Be sure to download and install the correct WAF compiler version for your environment:
-
-- Each NGINX App Protect version has a corresponding WAF compiler version. You must install the WAF compiler that matches the version of NGINX App Protect that you have running.
-- If you have different NGINX App Protect versions running, install the correct WAF compiler package for each on the management plane host. Instance Manager will use the correct WAF compiler for each version to bundle the security configurations.
-- You can create [instance groups]({{< ref "/nim/nginx-instances/manage-instance-groups" >}}) to keep track of and manage all instances that have the same version installed.
+## Install the WAF compiler
-For more information about the WAF compiler, refer to the [Security Bundle Compilation]({{< ref "/nim/nginx-app-protect/overview-nap-waf-config-management#security-bundle" >}}) section of the Policy Configuration overview topic.
+NGINX Instance Manager can use the WAF compiler to precompile security configurations before deploying them to NGINX App Protect WAF instances. Precompiling configurations improves performance and reduces the risk of runtime errors.
-### WAF Compiler and Supported App Protect Versions {#nap-waf-compiler-compatibility}
+Install the WAF compiler on the NGINX Instance Manager host only if you plan to compile configurations on the management plane. If you’ll compile on the data plane, you can skip this step.
-The following table shows the NGINX App Protect WAF Release version and its corresponding WAF compiler version:
+Each version of NGINX App Protect WAF has a matching WAF compiler version. If you're managing multiple versions, install the corresponding WAF compiler for each one on the NGINX Instance Manager host.
-{{}}
-
-| NGINX App Protect WAF Release version | WAF Compiler |
-|---------------------------------------|----------------------------|
-| NGINX App Protect WAF 5.6.0 | nms-nap-compiler-v5.342.0 |
-| NGINX App Protect WAF 5.5.0 | nms-nap-compiler-v5.264.0 |
-| NGINX App Protect WAF 5.4.0 | nms-nap-compiler-v5.210.0 |
-| NGINX App Protect WAF 5.3.0 | nms-nap-compiler-v5.144.0 |
-| NGINX App Protect WAF 5.2.0 | nms-nap-compiler-v5.48.0 |
-| NGINX App Protect WAF 5.1.0 | nms-nap-compiler-v5.17.0 |
-| NGINX App Protect WAF 4.14.0 | nms-nap-compiler-v5.342.0 |
-| NGINX App Protect WAF 4.13.0 | nms-nap-compiler-v5.264.0 |
-| NGINX App Protect WAF 4.12.0 | nms-nap-compiler-v5.210.0 |
-| NGINX App Protect WAF 4.11.0 | nms-nap-compiler-v5.144.0 |
-| NGINX App Protect WAF 4.10.0 | nms-nap-compiler-v5.48.0 |
-| NGINX App Protect WAF 4.9.0 | nms-nap-compiler-v5.17.0 |
-| NGINX App Protect WAF 4.8.1 | nms-nap-compiler-v4.815.0 |
-| NGINX App Protect WAF 4.8.0 | nms-nap-compiler-v4.762.0 |
-| NGINX App Protect WAF 4.7.0 | nms-nap-compiler-v4.641.0 |
-| NGINX App Protect WAF 4.6.0 | nms-nap-compiler-v4.583.0 |
-| NGINX App Protect WAF 4.5.0 | nms-nap-compiler-v4.457.0 |
-| NGINX App Protect WAF 4.4.0 | nms-nap-compiler-v4.402.0 |
-| NGINX App Protect WAF 4.3.0 | nms-nap-compiler-v4.279.0 |
-| NGINX App Protect WAF 4.2.0 | nms-nap-compiler-v4.218.0 |
-| NGINX App Protect WAF 4.1.0 | nms-nap-compiler-v4.100.1 |
-| NGINX App Protect WAF 4.0.0 | nms-nap-compiler-v4.2.0 |
-| NGINX App Protect WAF 3.12.2 | nms-nap-compiler-v3.1088.2 |
+The WAF compiler installs to the `/opt` directory. Make sure this directory has the correct permissions so the owner can write to it. A permission setting like `0755` is typically sufficient.
-{{}}
+To keep track of instances running the same version, you can create [instance groups]({{< ref "/nim/nginx-instances/manage-instance-groups" >}}).
-
+For an overview of how the WAF compiler works, see the [Security bundle compilation]({{< ref "/nim/nginx-app-protect/overview-nap-waf-config-management#security-bundle" >}}) topic.
-{{}}
+### WAF compiler and supported NGINX App Protect WAF versions {#nap-waf-compiler-compatibility}
-- The install commands in this guide use an example version to show the correct command format.
+The table below shows which WAF compiler version to use for each version of NGINX App Protect WAF:
- Be sure to replace the version string in the example with the correct version to suit your needs.
- You can find the package versions in the [NGINX App Protect WAF Release Notes](https://docs.nginx.com/nginx-app-protect/releases/).
+{{}}
-- The WAF compiler installs to the `/opt` directory. Set the permission level for the directory as appropriate to allow write access by the owner (for example, `0755`).
+| NGINX App Protect WAF version | WAF compiler version |
+|-------------------------------|----------------------------|
+| 5.6.0 | nms-nap-compiler-v5.342.0 |
+| 5.5.0 | nms-nap-compiler-v5.264.0 |
+| 5.4.0 | nms-nap-compiler-v5.210.0 |
+| 5.3.0 | nms-nap-compiler-v5.144.0 |
+| 5.2.0 | nms-nap-compiler-v5.48.0 |
+| 5.1.0 | nms-nap-compiler-v5.17.0 |
+| 4.14.0 | nms-nap-compiler-v5.342.0 |
+| 4.13.0 | nms-nap-compiler-v5.264.0 |
+| 4.12.0 | nms-nap-compiler-v5.210.0 |
+| 4.11.0 | nms-nap-compiler-v5.144.0 |
+| 4.10.0 | nms-nap-compiler-v5.48.0 |
+| 4.9.0 | nms-nap-compiler-v5.17.0 |
+| 4.8.1 | nms-nap-compiler-v4.815.0 |
+| 4.8.0 | nms-nap-compiler-v4.762.0 |
+| 4.7.0 | nms-nap-compiler-v4.641.0 |
+| 4.6.0 | nms-nap-compiler-v4.583.0 |
+| 4.5.0 | nms-nap-compiler-v4.457.0 |
+| 4.4.0 | nms-nap-compiler-v4.402.0 |
+| 4.3.0 | nms-nap-compiler-v4.279.0 |
+| 4.2.0 | nms-nap-compiler-v4.218.0 |
+| 4.1.0 | nms-nap-compiler-v4.100.1 |
+| 4.0.0 | nms-nap-compiler-v4.2.0 |
+| 3.12.2 | nms-nap-compiler-v3.1088.2 |
-{{}}
+{{ }}
### Debian or Ubuntu
-Install the WAF compiler, then restart the `nms-integrations` service:
+To install the WAF compiler on Debian or Ubuntu, run the following command:
-```bash
+```shell
sudo apt-get install nms-nap-compiler-v5.342.0
```
-{{}}
+If you want to install more than one version of the WAF compiler on the same system, append the `--force-overwrite` option to the install command after the first installation:
-- If you want to have more than one version of the `nms-nap-compiler` installed on your system at once, you'll need to append `-o Dpkg::Options::="--force-overwrite"` to the `nms-nap-compiler` installation commands after your initial `nms-nap-compiler` installation. For example, the installation command would look like this:
-
-```bash
+```shell
sudo apt-get install nms-nap-compiler-v5.342.0 -o Dpkg::Options::="--force-overwrite"
```
-{{}}
+{{< include "nim/nap-waf/restart-nms-integrations.md" >}}
### RHEL 8.1 or later
-Download the file dependencies.repo to `/etc/yum.repos.d`, enable the `codeready-builder` repository through subscription manager, and install the WAF compiler package:
+To install the WAF compiler on RHEL 8.1 or later:
-```bash
-sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
-sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
-sudo yum install nms-nap-compiler-v5.342.0
-```
+1. Download the `dependencies.repo` file to the `/etc/yum.repos.d` directory:
+
+ ```shell
+ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
+ ```
+
+2. Enable the CodeReady Builder repository:
+
+ ```shell
+ sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
+ ```
+
+3. Install the WAF compiler:
+
+ ```shell
+ sudo yum install nms-nap-compiler-v5.342.0
+ ```
+
+4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
### RHEL 7.4 or later; CentOS
-Download the file `dependencies.repo` to `/etc/yum.repos.d`, enable the RHEL 7 server repositories, and install the WAF compiler package.
-```bash
-sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
-sudo yum-config-manager --enable rhui-REGION-rhel-server-optional rhui-REGION-rhel-server-releases rhel-7-server-optional-rpms
-sudo yum install nms-nap-compiler-v5.342.0
-```
+To install the WAF compiler on RHEL 7.4 or later or CentOS:
+
+1. Download the `dependencies.repo` file to the `/etc/yum.repos.d` directory:
+
+ ```shell
+ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
+ ```
+
+2. Enable the RHEL 7 server repositories:
+
+ ```shell
+ sudo yum-config-manager --enable rhui-REGION-rhel-server-optional rhui-REGION-rhel-server-releases rhel-7-server-optional-rpms
+ ```
+
+3. Install the WAF compiler:
+
+ ```shell
+ sudo yum install nms-nap-compiler-v5.342.0
+ ```
+
+4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
### Amazon Linux 2 LTS
-Download the files `nms-amazon2.repo` and `app-protect-7.repo` to `/etc/yum.repos.d`, enable the `Extra Packages for Enterprise (EPEL)` repository, and install the WAF compiler package:
-
-```bash
-sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms-amazon2.repo
-sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
-sudo amazon-linux-extras enable epel
-sudo yum clean metadata
-sudo yum install epel-release
-sudo yum install nms-nap-compiler-v5.342.0
-```
+
+To install the WAF compiler on Amazon Linux 2 LTS:
+
+1. Download the required repo files to the `/etc/yum.repos.d` directory:
+
+ ```shell
+ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nms-amazon2.repo
+ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/app-protect-7.repo
+ ```
+
+2. Enable the Extra Packages for Enterprise Linux (EPEL) repository:
+
+ ```shell
+ sudo amazon-linux-extras enable epel
+ sudo yum clean metadata
+ sudo yum install epel-release
+ ```
+
+3. Install the WAF compiler:
+
+ ```shell
+ sudo yum install nms-nap-compiler-v5.342.0
+ ```
+
+4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
+
### Oracle Linux 7.4 or later
-Download the file `dependencies.repo` to `/etc/yum.repos.d`, enable the `ol8_codeready_builder` repository, and install the WAF compiler package:
-```bash
-sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
-sudo yum-config-manager --enable ol8_codeready_builder
-sudo yum install nms-nap-compiler-v5.342.0
-```
+To install the WAF compiler on Oracle Linux 7.4 or later:
+
+1. Download the `dependencies.repo` file to the `/etc/yum.repos.d` directory:
+
+ ```shell
+ sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/dependencies.repo
+ ```
+
+2. Enable the `ol8_codeready_builder` repository:
+
+ ```shell
+ sudo yum-config-manager --enable ol8_codeready_builder
+ ```
+
+3. Install the WAF compiler:
+
+ ```shell
+ sudo yum install nms-nap-compiler-v5.342.0
+ ```
+
+4. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
+
### Download from MyF5
-If you are not able to access the public NGINX repository, you can download all of the required packages from [MyF5](https://my.f5.com/).
+If you can’t access the public NGINX repository, you can manually download the WAF compiler from [MyF5](https://my.f5.com/).
-Take the steps below to download the WAF compiler, Attack Signatures, and Threat Campaigns packages from MyF5.
+To install the WAF compiler manually:
-1. Log in to [MyF5](https://my.F5.com).
-1. Go to **Resources** > **Downloads**.
-1. Select **Group/Product Family**: **NGINX**.
-1. Select **Product Line**: **NGINX App Protect**.
-1. Select a **Product version**.
-1. Select the **Linux distribution**, **distribution version**, and **Architecture**.
-1. Download the WAF compiler package and transfer it to the NGINX Instance Manager host.
-1. Run the appropriate command on the host to install the WAF compiler package from the file.
+1. Log in to [MyF5](https://my.f5.com).
+2. Go to **Resources** > **Downloads**.
+3. Select the following:
+ - **Group/Product Family**: **NGINX**
+ - **Product Line**: **NGINX App Protect**
+ - Choose a **Product version** that matches your environment
+ - Select the **Linux distribution**, **version**, and **architecture**
+4. Download the appropriate `.deb` or `.rpm` WAF compiler file.
+5. Transfer the file to your NGINX Instance Manager host.
+6. Install the WAF compiler:
- - Debian or Ubuntu:
+ - **Debian or Ubuntu**
- ``` bash
- sudo apt-get install -f /path/to/nms-nap-compiler-_focal_amd64.deb
- ```
+ ```shell
+ sudo apt-get install -f /path/to/nms-nap-compiler-_focal_amd64.deb
+ ```
- {{}}For Debian or Ubuntu, if you want to have more than one version of the `nms-nap-compiler` installed on your system at once, you'll need to append `-o Dpkg::Options::="--force-overwrite"` to the `nms-nap-compiler` installation commands after your initial `nms-nap-compiler` installation. For example, the installation command would look like this:
+ To install multiple versions, use:
-```bash
-sudo apt-get install -f /path/to/nms-nap-compiler-_focal_amd64.deb -o Dpkg::Options::="--force-overwrite"
-```
+ ```shell
+ sudo apt-get install -f /path/to/nms-nap-compiler-_focal_amd64.deb -o Dpkg::Options::="--force-overwrite"
+ ```
- {{}}
+ - **RHEL, CentOS, or Oracle Linux**
- - RHEL, CentOS, or Oracle Linux:
+ ```shell
+ sudo yum install -f /path/to/nms-nap-compiler-_el8.ngx.x86_64.rpm
+ ```
- ``` bash
- sudo yum install -f /path/to/nms-nap-compiler-_el8.ngx.x86_64.rpm
- ```
+7. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
+
+### Automatically download and install new WAF compiler
+
+After you manually install at least one version of the NGINX App Protect WAF compiler, NGINX Instance Manager can automatically download and install additional versions as needed.
-### Automatically Download and Install New WAF Compiler
+This typically happens when:
-Once a version of the NGINX App Protect WAF compiler is manually installed on Instance Manager, the system will automatically download and install a new WAF compiler when it detects that an update is required. This typically happens when the NGINX App Protect WAF version on the data plane has been [upgraded](#upgrade-nap-waf-version-on-managed-instances) or when a new data plane with a different NGINX App Protect WAF version is added.
+- A managed instance is upgraded to a new NGINX App Protect WAF version.
+- You add a new instance running a different version of NGINX App Protect WAF.
-To enable the automatic download and installation of a new WAF compiler, you need to [upload your NGINX App Protect WAF certificate and key](#upload-nginx-app-protect-waf-certificate-and-key) to Instance Manager. This upload needs to be done only once. By providing the certificate and key, Instance Manager can securely fetch and install the latest WAF compiler from the NGINX repository.
+To enable this automatic download feature, you need to [upload your NGINX App Protect WAF certificate and key](#upload-nginx-app-protect-waf-certificate-and-key) to NGINX Instance Manager. This step allows Instance Manager to securely connect to the NGINX package repository and retrieve the necessary files. You only need to upload the certificate and key once.
-If the automatic download and install of the new WAF compiler step fails, when publishing the NGINX configuration, the error message
+If the certificate is missing or invalid, or if NGINX Instance Manager can’t connect to the repository, you’ll see an error like:
-``` text
+```text
missing the specific compiler, please install it and try again.
```
-will appear. This happens if the NGINX App Protect WAF certificate and key are missing or not working, or if Instance Manager cannot connect to the NGINX Repository. Please check `/var/log/nms/nms.log` for errors.
+This usually means the certificate and key are missing or incorrect, or that NGINX Instance Manager can’t connect to the NGINX repository.
-If you see the following error, your NGINX App Protect WAF certificate and key are missing, invalid, or have expired:
+Check the log file for errors:
+
+```text
+/var/log/nms/nms.log
+```
+
+If you see the following message, your certificate and key might be invalid or expired:
```text
error when creating the nginx repo retriever - NGINX repo certificates not found
```
-Also, please refer to [Install the WAF Compiler](#install-the-waf-compiler) for details on how to manually install the new WAF compiler.
+If needed, you can also [install the WAF compiler manually](#install-the-waf-compiler).
---
-## Set Up Attack Signatures and Threat Campaigns
+## Set up attack signatures and threat campaigns
+
+NGINX App Protect WAF protects your applications using predefined and regularly updated detection patterns:
-NGINX App Protect provides predefined [Attack Signatures](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#configuring-attack-signatures) to protect your application against all attack types identified by the system. As new Attack Signatures are identified, they will become available for download so that your system will always have the most up-to-date protection.
+- **Attack signatures**: Known threat patterns used to detect common vulnerabilities and exploits. These are included with NGINX App Protect WAF and updated frequently to reflect the latest security threats. See the [attack signatures documentation]({{< ref "nap-waf/v5/configuration-guide/configuration.md#attack-signatures-overview" >}}) for more information.
-[Threat Campaigns](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#threat-campaigns) is a threat intelligence feature included in an NGINX App Protect WAF subscription. The feature includes frequent update feeds containing contextual information about active attack campaigns currently being observed by F5 Threat Labs that NGINX App Protect WAF can provide protection against. Just like Attack Signatures, the Threat Campaign patterns are updated regularly. Unlike Attack Signatures, the NGINX App Protect WAF installation does not include any Threat Campaigns and you need to install them in order for the protection to take effect. Due to the highly dynamic nature of those campaigns the updates are issued far more frequently than the Attack Signatures. You need to install those updates close to the time they are issued in order to get the most effective protection.
+- **Threat campaigns**: Context-aware threat intelligence based on attack campaigns observed by F5 Threat Labs. These are updated even more frequently than attack signatures and require installation to take effect. Learn more in the [threat campaigns documentation]({{< ref "nap-waf/v5/configuration-guide/configuration.md#threat-campaigns" >}}).
-In order to take advantage of new Attack Signature and Threat Campaign packages, you need to upload these packages to NGINX Instance Manager.
+To take advantage of the latest updates, you must upload the attack signature and threat campaign packages to NGINX Instance Manager.
-You can either configure Instance Manager to download new versions automatically, or manage the files manually by downloading the packages from MyF5 and then uploading them to Instance Manager by using the REST API.
+You can either:
+
+- Configure NGINX Instance Manager to automatically download new versions, or
+- Manually download packages from MyF5 and upload them to NGINX Instance Manager using the REST API.
### Automatically Download Latest Packages {#automatically-download-latest-packages}
-#### Upload NGINX App Protect WAF Certificate and Key
+#### Upload the NGINX App Protect WAF certificate and key
+
+To enable automatic downloads, NGINX Instance Manager must authenticate with the NGINX repository. You do this by uploading the NGINX repository certificate and private key that come with your NGINX App Protect WAF subscription. Once uploaded, NGINX Instance Manager can securely retrieve the latest attack signature and threat campaign packages on your behalf.
-You will need to use your NGINX repo certificates to setup automatic retrieval of Attack Signatures and Threat Campaigns packages. When you upload your NGINX App Protect WAF certificate and key to NGINX Instance Manager, you are letting NGINX Instance Manager access the NGINX repo to get Attack Signature and Threat Campaign files on your behalf.
+Follow these steps to get and upload the certificate and key:
-1. Log in to [MyF5](https://account.f5.com/myf5) and go to **My Products and Plans > Subscriptions** to download the SSL certificate (*nginx-repo.crt*) and private key (*nginx-repo.key*) for your NGINX App Protect subscription.
-1. Create a JSON file, similar to the example below, that contains the text from your crt and key files.
- You will need to replace all of the newlines in the crt and key output with `\n`.
+1. Log in to [MyF5](https://account.f5.com/myf5).
+2. Go to **My Products and Plans > Subscriptions**.
+3. Download the following files from your NGINX App Protect WAF subscription:
+ - `nginx-repo.crt` (certificate)
+ - `nginx-repo.key` (private key)
+4. Create a JSON file that includes the contents of both files. Replace newlines (`\n`) in each file with literal `\n` characters so the certificate and key can be formatted correctly inside the JSON.
+
+
+ Example resquest
```json
- {
- "name": "nginx-repo",
- "nginxResourceType": "NginxRepo",
- "certPEMDetails": {
- "caCerts": [],
- "password": "",
- "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDt71QRqMl/7/rv\n[CONTENT SNIPPED]\n-----END PRIVATE KEY-----\n",
- "publicCert": "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIRANydR2VZ+mlt75SkttRyQTkwDQYJKoZIhvcNAQELBQAw\n[CONTENT SNIPPED]\n-----END CERTIFICATE-----",
- "type": "PEM"
- }
- }
+ {
+ "name": "nginx-repo",
+ "nginxResourceType": "NginxRepo",
+ "certPEMDetails": {
+ "caCerts": [],
+ "password": "",
+ "privateKey": "-----BEGIN PRIVATE KEY-----\n[content snipped]\n-----END PRIVATE KEY-----\n",
+ "publicCert": "-----BEGIN CERTIFICATE-----\n[content snipped]\n-----END CERTIFICATE-----",
+ "type": "PEM"
+ }
+ }
```
-1. Send an HTTP POST request to the [Instance Manager REST API]({{< ref "/nim/fundamentals/api-overview" >}}) to upload the repo certificate and key.
+
-
- Example request
+5. Upload the file to NGINX Instance Manager using the REST API:
```shell
- curl -X POST 'https://{{NMS_FQDN}}/api/platform/v1/certs' \
- --header "Authorization: Bearer " \
- --header "Content-Type: application/json" \
- -d@nginx-repo-certs.json
+ curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/certs' \
+ --header "Authorization: Bearer " \
+ --header "Content-Type: application/json" \
+ -d @nginx-repo-certs.json
```
+6. If successful, you should see a response similar to this:
+
Example response
```json
{
- "certAssignmentDetails": [],
- "certMetadata": [
- {
- "authorityKeyIdentifier": "",
- "commonName": "",
- "expired": false,
- "expiry": 59789838,
- "issuer": "C=US, ST=Washington, L=Seattle, Inc., O=F5 Networks\\, OU=Certificate Authority, CN=F5 PRD Issuing Certificate Authority TEEM V1",
- "publicKeyType": "RSA (2048 bit)",
- "serialNumber": "",
- "signatureAlgorithm": "SHA256-RSA",
- "subject": "CN=",
- "subjectAlternativeName": "",
- "subjectKeyIdentifier": "",
- "thumbprint": "",
- "thumbprintAlgorithm": "SHA256-RSA",
- "validFrom": "2021-12-21T16:57:55Z",
- "validTo": "2024-12-20T00:00:00Z",
- "version": 3
- }
- ],
- "certPEMDetails": {
- "caCerts": [],
- "password": "**********",
- "privateKey": "**********",
- "publicCert": "[CONTENT SNIPPED]",
- "type": "PEM"
- },
- "created": "2023-01-27T23:42:41.587760092Z",
- "modified": "2023-01-27T23:42:41.587760092Z",
- "name": "nginx-repo",
- "serialNumber": "",
- "uid": "d08d9f54-58dd-447a-a71d-6fa5aa0d880c",
- "validFrom": "2021-12-21T16:57:55Z",
- "validTo": "2024-12-20T00:00:00Z"
+ "certAssignmentDetails": [],
+ "certMetadata": [
+ {
+ "authorityKeyIdentifier": "",
+ "commonName": "",
+ "expired": false,
+ "expiry": 59789838,
+ "issuer": "C=US, ST=Washington, L=Seattle, Inc., O=F5 Networks\\, OU=Certificate Authority, CN=F5 PRD Issuing Certificate Authority TEEM V1",
+ "publicKeyType": "RSA (2048 bit)",
+ "serialNumber": "",
+ "signatureAlgorithm": "SHA256-RSA",
+ "subject": "CN=",
+ "subjectAlternativeName": "",
+ "subjectKeyIdentifier": "",
+ "thumbprint": "",
+ "thumbprintAlgorithm": "SHA256-RSA",
+ "validFrom": "2021-12-21T16:57:55Z",
+ "validTo": "2024-12-20T00:00:00Z",
+ "version": 3
}
+ ],
+ "certPEMDetails": {
+ "caCerts": [],
+ "password": "**********",
+ "privateKey": "**********",
+ "publicCert": "[content snipped]",
+ "type": "PEM"
+ },
+ "created": "2023-01-27T23:42:41.587760092Z",
+ "modified": "2023-01-27T23:42:41.587760092Z",
+ "name": "nginx-repo",
+ "serialNumber": "",
+ "uid": "d08d9f54-58dd-447a-a71d-6fa5aa0d880c",
+ "validFrom": "2021-12-21T16:57:55Z",
+ "validTo": "2024-12-20T00:00:00Z"
+ }
```
#### Enable automatic downloads
-Instance Manager can automatically download the latest Attack Signature and Threat Campaign versions. To enable automatic downloads, take the steps below.
+NGINX Instance Manager can automatically download the latest Attack Signatures and Threat Campaign versions. To enable automatic downloads:
-1. Log in to the management plane host using SSH.
-1. Open the `/etc/nms/nms.conf` file for editing.
-1. Adjust the `app_protect_security_update` options, shown in the example below, to enable and configure automatic downloads:
+1. Log in to the NGINX Instance Manager host using SSH.
- ``` yaml
+2. Open the `/etc/nms/nms.conf` file in a text editor.
+
+3. Adjust the `app_protect_security_update` settings, as shown in the example below:
+
+ ```yaml
integrations:
# enable this for integrations on tcp
# address: 127.0.0.1:8037
address: unix:/var/run/nms/integrations.sock
- # Dqlite config
dqlite:
addr: 127.0.0.1:7892
app_protect_security_update:
- # Enable this setting to automatically retrieve the latest Attack Signatures and Threat Campaigns.
+ # enable this to automatically retrieve the latest Attack Signatures and Threat Campaigns
enable: true
- # Enable this setting to specify how often, in hours, the latest Attack Signatures and Threat Campaigns are retrieved.
- # The default interval is 6 hours, the maximum interval is 48 hours, and the minimum is 1 hour.
+ # how often, in hours, to check for updates; default is 6
interval: 6
- # Enable this setting to specify how many updates to download for the latest Attack Signatures and Threat Campaigns.
- # By default, the 10 latest updates are downloaded. The maximum value is 20, and the minimum value is 1.
+ # how many updates to download; default is 10, max is 20
number_of_updates: 10
```
-1. Save the changes and close the file.
-1. Restart the `nms-integrations` service:
+4. Save the changes and close the file.
- ``` bash
- sudo systemctl restart nms-integrations
- ```
-
-If you do not see the latest Attack Signatures and Threat Campaigns packages downloaded as expected, please check `/var/log/nms/nms.log` for errors.
+5. {{< include "/nim/nap-waf/restart-nms-integrations.md" >}}
-If you see the following error, your NGINX App Protect WAF certificate and key are invalid or have expired:
+If the NGINX App Protect WAF certificate and key are missing, invalid, or expired, you’ll see the following error:
```text
error when creating the nginx repo retriever - NGINX repo certificates not found
```
-### Manually Update Packages
+This means NGINX Instance Manager can’t connect to the NGINX repository to retrieve the packages. You may need to re-upload a valid certificate and key to resolve the issue.
+
+### Manually update packages
+
+If you prefer not to enable automatic updates, you can manually update the Attack Signature and Threat Campaign packages by downloading them from MyF5 and uploading them to NGINX Instance Manager.
#### Download packages from MyF5
-1. Log in to [MyF5](https://my.f5.com), then go to **Resources** > **Downloads**.
-1. Select **Group/Product Family**: **NGINX**.
-1. Select **Product Line**: **NGINX App Protect**.
-1. Select a **Product version** (a version that matches your WAF compiler version).
-1. Select your **Linux Distribution**, **Version** and **Architecture**.
-1. Find and download the deb or rpm package starting with "app-protect-attack-signatures" for Attack Signatures and "app-protect-threat-campaigns" for Threat Campaigns.
-1. Using utilities such as *az* or *rpm2cpio|cpio* to extract the following 3 files from the package:
- - `signatures.bin.tgz` for Attack Signatures or `threat_campaigns.bin.tgz` for Threat Campaigns
- - `signature_update.yaml` for Attack Signatures or `threat_campaign_update.yaml`for Threat Campaigns
+1. Log in to [MyF5](https://my.f5.com), then go to **Resources > Downloads**.
+
+2. Select the following options in the product menu:
+ - **Group/Product Family**: *NGINX*
+ - **Product Line**: *NGINX App Protect*
+ - **Product Version**: Choose a version that matches your WAF compiler version.
+ - Select your **Linux Distribution**, **Version**, and **Architecture**.
+
+3. Download the `.deb` or `.rpm` packages:
+ - For Attack Signatures: package starts with `app-protect-attack-signatures`
+ - For Threat Campaigns: package starts with `app-protect-threat-campaigns`
+
+4. Extract the following three files from the package:
+ - `signatures.bin.tgz` (or `threat_campaigns.bin.tgz`)
+ - `signature_update.yaml` (or `threat_campaign_update.yaml`)
- `version`
-1. Using a file archive utility, such as *tar*, bundle the three files into a single `.tgz` file. For example:
+ Use tools like `rpm2cpio | cpio` or `ar` (for `.deb`) to extract the files.
+
+5. Create a `.tgz` bundle that includes the three files. For example:
```shell
- tar –czvf attack-signatures.tgz signatures.bin.tgz signature_update.yaml version
+ tar -czvf attack-signatures.tgz signatures.bin.tgz signature_update.yaml version
```
-#### Upload packages to Instance Manager
+#### Upload packages to NGINX Instance Manager
-You will need to use the [Instance Manager REST API]({{< ref "/nim/fundamentals/api-overview" >}}) to upload the bundled Attack Signatures and Threat Campaigns.
+Use the NGINX Instance Manager REST API to upload the `.tgz` files.
-
-Attack Signatures Example
+**Upload Attack Signatures:**
```shell
-curl -X POST 'https://{{NMS_FQDN}}/api/platform/v1/security/attack-signatures' \
- --header "Authorization: Bearer " \
- --form 'revisionTimestamp="2022.11.16"' \
- --form 'filename=@"/attack-signatures.tgz"'
+curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/security/attack-signatures' \
+ --header "Authorization: Bearer " \
+ --form 'revisionTimestamp="2022.11.16"' \
+ --form 'filename=@"/attack-signatures.tgz"'
```
-
-
-
-Threat Campaigns Example
+**Upload Threat Campaigns:**
```shell
-curl -X POST 'https://{{NMS_FQDN}}/api/platform/v1/security/threat-campaigns' \
- --header "Authorization: Bearer " \
- --form 'revisionTimestamp="2022.11.15"' \
- --form 'filename=@"/threat-campaigns.tgz"'
+curl -X POST 'https://{{NIM_FQDN}}/api/platform/v1/security/threat-campaigns' \
+ --header "Authorization: Bearer " \
+ --form 'revisionTimestamp="2022.11.15"' \
+ --form 'filename=@"/threat-campaigns.tgz"'
```
-
+{{}}The bundle you upload must match the OS of your NGINX Instance Manager host. For example, if the host is running Ubuntu 20.04, create the `.tgz` from the Ubuntu 20.04 package.{{}}
-{{}}The bundle you upload for Attack Signatures or Threat Campaigns must correspond to the OS of your Instance Manager. For example, if your Instance Manager is running on ubuntu-20.04, then the bundle you upload for Attack Signatures or Threat Campaigns needs to be created from the ubuntu-20.04 packages.{{}}
+### Update the Security Monitoring signature database
-### Update the Security Monitoring Signature Database
+The Security Monitoring dashboards in NGINX Instance Manager rely on a Signature Database to show more information about triggered security violations, such as the signature's name, accuracy, and risk level.
-The Security Monitoring module's analytics dashboards make use of a Signature Database to provide more information on Attack Signatures that have triggered Security Violations, such as the Signature's name, accuracy, and risk level.
+To keep the dashboards accurate and up to date, you need to update the Security Monitoring signature database.
-To ensure that the dashboards show the most up-to-date information, you need to [update the Security Monitoring Signature Database]({{< ref "/nim/nginx-app-protect/security-monitoring/update-signatures.md" >}})
+For instructions, see the [update signatures guide]({{< ref "/nim/nginx-app-protect/security-monitoring/update-signatures.md" >}}).
---
-## Setup Compiler Resource Pruning
-You can configure the following compiler resources to prune automatically:
+## Set up compiler resource pruning
+
+You can configure NGINX Instance Manager to automatically remove unused compiler resources:
-- Compiled Security Policies
-- Compiled Security Log Profiles
+- Compiled security policies
+- Compiled security log profiles
- Attack Signatures
- Threat Campaigns
-In the case of `compiled security policies` and `compiled security log profiles`, the definition of the `security policy` and/or `security log profile` is not removed. Only the compiled bundles associated with those resources are removed.
+Only the compiled bundles are removed. NGINX Instance Manager does not delete the definitions for security policies or log profiles.
-To enable automatic compiler resource pruning, please follow these steps:
+To enable compiler resource pruning:
-1. Log in to the management plane host using SSH.
-1. Open the `/etc/nms/nms.conf` file for editing.
-1. Update the `policy_manager` field to contain the desired `time to live` values for each resource type; see the following snippet for an example of adding the necessary fields under `integrations`->`policy_manager`:
+1. Log in to the NGINX Instance Manager host using SSH.
+2. Open the `/etc/nms/nms.conf` file in a text editor.
+3. Update the `policy_manager` section under `integrations` with time-to-live (TTL) values for each resource type:
- ```yaml
- integrations:
- address: unix:/var/run/nms/integrations.sock
- dqlite:
- addr: 127.0.0.1:7892
- policy_manager:
- # Time to live for attack signatures. If the attack signatures exceed their TTL and are not deployed to an instance or
- # instance group they will be deleted from the database. Duration unit can be seconds (s), minutes (m), or hours (h).
- attack_signatures_ttl: 336h
- # Time to live for compiled bundles, this includes compiled security policies and compiled log profiles. If a compiled
- # bundle exceeds its TTL and is not deployed to an instance or instance group it will be deleted from the database. Note
- # that the compiled bundle is deleted, not the definition of it (i.e. the security policy or log profile definition).
- # Duration unit can be seconds (s), minutes (m), or hours (h).
- compiled_bundles_ttl: 336h
- # Time to live for threat campaigns. If the threat campaigns exceed their TTL and are not deployed to an instance or
- # instance group they will be deleted from the database. Duration unit can be seconds (s), minutes (m), or hours (h).
- threat_campaigns_ttl: 1440h
- app_protect_security_update:
- enable: true
- interval: 6
- number_of_updates: 10
+ ```yaml
+ integrations:
+ address: unix:/var/run/nms/integrations.sock
+ dqlite:
+ addr: 127.0.0.1:7892
+ policy_manager:
+ # Time to live for attack signatures. If the attack signatures exceed their TTL and are not
+ # deployed to an instance or instance group, they will be deleted from the database.
+ # Duration unit can be seconds (s), minutes (m), or hours (h).
+ attack_signatures_ttl: 336h
+
+ # Time to live for compiled bundles, including compiled security policies and log profiles.
+ # If a compiled bundle exceeds its TTL and is not deployed to an instance or instance group,
+ # it will be deleted from the database. The bundle is deleted, not the resource definition.
+ compiled_bundles_ttl: 336h
+
+ # Time to live for threat campaigns. If the threat campaigns exceed their TTL and are not
+ # deployed to an instance or instance group, they will be deleted from the database.
+ threat_campaigns_ttl: 1440h
+
+ app_protect_security_update:
+ enable: true
+ interval: 6
+ number_of_updates: 10
```
-1. Save the changes and close the file.
-1. Restart the `nms-integrations` service:
-
- ``` bash
- sudo systemctl restart nms-integrations
- ```
+4. Save the file and close the editor.
+5. {{< include "nim/nap-waf/restart-nms-integrations.md" >}}
-The compiler resource pruning process occurs once upon start-up of the `nms-integrations` service and once every `24 hours` after the `nms-integrations` service has been started.
+NGINX Instance Manager runs the pruning process at startup and every 24 hours after the `nms-integrations` service starts.
---
-## Onboard NGINX App Protect WAF Instances
+## Onboard NGINX App Protect WAF instances
-To onboard your NGINX App Protect WAF instances to Instance Manager, you need to install and configure NGINX Agent.
+To onboard your NGINX App Protect WAF instances to NGINX Instance Manager, install and configure the NGINX Agent on each instance.
### Install NGINX Agent
-1. Use SSH to connect to the NGINX App Protect WAF instance. Take the steps below for each instance to download and install NGINX Agent from the management plane host.
+1. Use SSH to connect to the NGINX App Protect WAF instance. Repeat these steps for each instance you want to onboard.
-1. Download the NGINX Agent package from the NGINX Instance Manager host and run the agent install script.
+2. Download the NGINX Agent package from the NGINX Instance Manager host and run the installation script.
+
+ You can group instances that use the same version of NGINX App Protect WAF by using the optional `--instance-group` flag in the install command.
- {{< tip >}}You can add instances with the same version of NGINX App Protect installed to an instance group by running the agent install command on each instance with the optional `--instance-group`` flag.{{< /tip>}}
{{< include "agent/installation/install-agent-api.md" >}}
+
### Configure NGINX Agent
-1. Edit the NGINX Agent configuration file (`/etc/nginx-agent/nginx-agent.conf`) to allow access to the `/etc/app-protect` directory and enable reporting.
+1. Edit the NGINX Agent configuration file to enable support for NGINX App Protect WAF:
- - The agent needs access to any directories where NGINX App Protect configuration files are stored on the data plane host.
- - The `report_interval` is the length of time the agent waits between checks for changes to NGINX App Protect WAF configurations.
- - `precompiled_publication` enables the publication of precompiled NGINX App Protect security policies and log profiles.
+ ```shell
+ sudo vi /etc/nginx-agent/nginx-agent.conf
+ ```
- ```yaml
- ...
- config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect"
- extensions:
- - nginx-app-protect
- nginx_app_protect:
+2. Update or confirm the following settings:
+
+ ```yaml
+ config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect"
+ extensions:
+ - nginx-app-protect
+ nginx_app_protect:
report_interval: 15s
precompiled_publication: true
- ...
- ```
+ ```
- {{}}You can use the NGINX Agent installation script to add these fields:
+ These settings:
-```bash
-# Download install script via API
-curl https:///install/nginx-agent > install.sh
+ - Allow the agent to access NGINX App Protect WAF configuration directories.
+ - Enable the agent to detect changes in security configurations.
+ - Enable support for precompiled publication of WAF configurations from NGINX Instance Manager.
-# Specify the -m | --nginx-app-protect-mode flag to set up management of NGINX App Protect on
-# the instance. In the example below we specify 'precompiled-publication' for the flag value
-# which will make the config field 'precompiled_publication' set to 'true', if you would like to
-# set the config field 'precompiled_publication' to 'false' you can specify 'none' as the flag value.
-sudo sh ./install.sh --nginx-app-protect-mode precompiled-publication
-```
+ You can also apply these settings automatically during installation by using the `--nginx-app-protect-mode` flag:
- {{}}
+ ```shell
+ curl https:///install/nginx-agent > install.sh
+ sudo sh ./install.sh --nginx-app-protect-mode precompiled-publication
+ ```
-1. Restart NGINX Agent.
+3. Restart NGINX Agent:
- ``` bash
+ ```shell
sudo systemctl restart nginx-agent
```
-### Verify Installation
+
+
+### Verify installation
+
+After installing and configuring the NGINX Agent, verify that your NGINX App Protect WAF instances appear in NGINX Instance Manager.
+
{{}}
@@ -511,9 +593,9 @@ sudo sh ./install.sh --nginx-app-protect-mode precompiled-publication
You should now be able to view your NGINX App Protect WAF instances in the Instance Manager user interface. Take the steps below to verify that NGINX Agent is installed and reporting data to Instance Manager.
1. {{< include "nim/webui-nim-login.md" >}}
-1. Select **Instances**.
-1. You should see the installed version listed in the **NGINX App Protect** column.
-1. Select the instance, then scroll to the **App Protect Details** section. There, you should see the "App Protect WAF" status and "Build" should match the version installed on the instance.
+2. In the left menu, select **Instances**.
+3. Confirm that each instance shows an NGINX App Protect WAF version in the **NGINX App Protect** column.
+4. Select an instance and scroll to the **App Protect Details** section to confirm status and build information.
{{%/tab%}}
@@ -521,12 +603,7 @@ You should now be able to view your NGINX App Protect WAF instances in the Insta
{{< see-also >}}{{< include "nim/how-to-access-nim-api.md" >}}{{< /see-also >}}
-You can query the Instance Manager REST API to verify the following information:
-
-- NGINX App Protect WAF version
-- NGINX App Protect WAF running status
-- Total number of instances with NGINX App Protect WAF installed, out of the total number of NGINX instances
-
+Use the REST API to confirm the version and status of NGINX App Protect WAF:
{{}}
@@ -538,35 +615,29 @@ You can query the Instance Manager REST API to verify the following information:
{{}}
-- Send an HTTP `GET` request to the `/api/platform/v1/systems` endpoint to find out what version of NGINX App Protect is running. This response will also show the Threat Campaign and Attack Signature package versions running on each instance.
+- Send a `GET` request to `/api/platform/v1/systems` to check version info:
-
- JSON response
+ **Example response:**
```json
{
- "count": 3,
- "items": [
- [...]
- "appProtect": {
- "attackSignatureVersion": "2022.11.16",
- "status": "active",
- "threatCampaignVersion": "2022.11.15",
- "version": "build-3.954.0"
- },
- [...]
- ]
+ "count": 3,
+ "items": [
+ {
+ "appProtect": {
+ "attackSignatureVersion": "2022.11.16",
+ "status": "active",
+ "threatCampaignVersion": "2022.11.15",
+ "version": "build-3.954.0"
+ }
+ }
+ ]
}
```
-
-
-- Send an HTTP `GET` request to the `/api/platform/v1/instances` endpoint to find out the number of instances with NGINX App Protect WAF installed. The total count will be in the `nginxAppProtectWAFCount` field in the response.
+- Send a `GET` request to `/api/platform/v1/instances` to check how many instances have NGINX App Protect WAF installed:
- For example:
-
-
- JSON response
+ **Example response:**
```json
{
@@ -579,385 +650,228 @@ You can query the Instance Manager REST API to verify the following information:
}
```
-
-
-
-
{{%/tab%}}
{{}}
-### Configure Docker Compose for NGINX App Protect WAF Version 5
+### Configure Docker Compose for NGINX App Protect WAF v5
-Version 5 of NGINX App Protect WAF provides a container-based architecture that requires some configuration changes to operate with Instance Manager.
+#### Before you begin
-1. Edit the `docker-compose.yaml` you created according to [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/v5/admin-guide/install/) to provide the containers with read access to the policies and log profiles written to the instance by Instance Manager.
+Before configuring Docker Compose, make sure you’ve completed the following steps:
- - Add the line `user: 101:nginx-agent-group` to each service, where `nginx-agent-group` is the ID of the NGINX Agent group. The value of this group ID can be determined with
+- Installed NGINX App Protect WAF v5 using the [official installation guide]({{< ref "/nap-waf/v5/admin-guide/install.md" >}}).
+- Created a `docker-compose.yaml` file during the installation process.
- ```bash
- cat /etc/group
- ```
+This section explains how to modify that file so NGINX App Protect WAF can work with NGINX Instance Manager.
- - Add the directory `/etc/nms` to the volume maps for both services
+#### Edit the Docker Compose file
- For example:
+1. Edit the `docker-compose.yaml` file created during installation.
- ```yaml
- version: "3.9"
-
- services:
- waf-enforcer:
- container_name: waf-enforcer
- image: private-registry.nginx.com/nap/waf-enforcer:5.2.0
- user: 101:1002
- environment:
- - ENFORCER_PORT=50000
- ports:
- - "50000:50000"
- volumes:
- - /opt/app_protect/bd_config:/opt/app_protect/bd_config
- - /etc/nms:/etc/nms
- networks:
- - waf_network
- restart: always
-
- waf-config-mgr:
- container_name: waf-config-mgr
- image: private-registry.nginx.com/nap/waf-config-mgr:5.2.0
- user: 101:1002
- volumes:
- - /opt/app_protect/bd_config:/opt/app_protect/bd_config
- - /opt/app_protect/config:/opt/app_protect/config
- - /etc/app_protect/conf:/etc/app_protect/conf
- - /etc/nms:/etc/nms
- restart: always
- network_mode: none
- depends_on:
- waf-enforcer:
- condition: service_started
+ To give NGINX App Protect WAF access to the policy and log profile bundles written by NGINX Instance Manager, make the following changes:
- networks:
- waf_network:
- driver: bridge
- ```
-
-1. Restart the containers:
-
- ``` bash
- docker compose restart
- ```
-
----
+ - Add the line `user: 101:` to each service. The group ID should match the NGINX Agent group on your system. You can find the group ID by running:
-## Onboard Security Policies
+ ```shell
+ cat /etc/group
+ ```
-Instance Manager provides the same [default security policies](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-configuration) as NGINX App Protect WAF:
+ - Add `/etc/nms` to the volume maps for both services.
-- **NGINX Default Policy**: provides [OWASP Top 10](https://owasp.org/www-project-top-ten/) and Bot security protection.
-- **NGINX Strict Policy**: contains more restrictive criteria for blocking traffic than the default policy.
+ **Example:**
-If you want to use the out-of-the-box policies, you can proceed to the next section: [Add WAF configuration to NGINX Instances](#add-waf-config).
+ ```yaml
+ version: "3.9"
-Continue in this section if you have custom security policies that you want to upload to Instance Manager.
+ services:
+ waf-enforcer:
+ container_name: waf-enforcer
+ image: private-registry.nginx.com/nap/waf-enforcer:5.2.0
+ user: 101:1002
+ environment:
+ - ENFORCER_PORT=50000
+ ports:
+ - "50000:50000"
+ volumes:
+ - /opt/app_protect/bd_config:/opt/app_protect/bd_config
+ - /etc/nms:/etc/nms
+ networks:
+ - waf_network
+ restart: always
+
+ waf-config-mgr:
+ container_name: waf-config-mgr
+ image: private-registry.nginx.com/nap/waf-config-mgr:5.2.0
+ user: 101:1002
+ volumes:
+ - /opt/app_protect/bd_config:/opt/app_protect/bd_config
+ - /opt/app_protect/config:/opt/app_protect/config
+ - /etc/app_protect/conf:/etc/app_protect/conf
+ - /etc/nms:/etc/nms
+ restart: always
+ network_mode: none
+ depends_on:
+ waf-enforcer:
+ condition: service_started
-### Upload Custom Security Policies
+ networks:
+ waf_network:
+ driver: bridge
+ ```
-If you onboarded NGINX App Protect WAF instances with existing security configurations, you'll need to use the Instance Manager REST API to onboard the security policies referenced in the `nginx.conf` on your NGINX App Protect instances.
+2. Restart the containers:
-To do so, take the steps below for each policy:
+ ```shell
+ docker compose restart
+ ```
-1. Use `base64` to encode the JSON policy.
+---
- For example:
+## Onboard security policies {#onboard-security-policies}
- ``` bash
- base64 -i ./ignore-xss-policy-example.json
- ```
+NGINX Instance Manager provides the same [default security policies](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-configuration) as NGINX App Protect WAF:
-
- ignore-xss-policy-example.json
+- **NGINX Default Policy**: Provides [OWASP Top 10](https://owasp.org/www-project-top-ten/) and Bot protection.
+- **NGINX Strict Policy**: Contains more restrictive blocking criteria than the default policy.
- ```json
- {
- "policy": {
- "name": "ignore-xss",
- "template": {
- "name": "POLICY_TEMPLATE_NGINX_BASE"
- },
- "applicationLanguage": "utf-8",
- "enforcementMode": "blocking",
- "signatures": [
- {
- "signatureId": 200001475,
- "enabled": false
- },
- {
- "signatureId": 200000098,
- "enabled": false
- },
- {
- "signatureId": 200001148,
- "enabled": false
- },
- {
- "signatureId": 200001480,
- "enabled": false
- },
- {
- "signatureId": 200001088,
- "enabled": false
- }
- ],
- "bot-defense": {
- "settings": {
- "isEnabled": false
- }
- },
- "headers": [
- {
- "name": "*",
- "type": "wildcard",
- "decodeValueAsBase64": "disabled"
- },
- {
- "name": "*-bin",
- "type": "wildcard",
- "decodeValueAsBase64": "required"
- },
- {
- "name": "Referer",
- "type": "explicit",
- "decodeValueAsBase64": "disabled"
- },
- {
- "name": "Authorization",
- "type": "explicit",
- "decodeValueAsBase64": "disabled"
- },
- {
- "name": "Transfer-Encoding",
- "type": "explicit",
- "decodeValueAsBase64": "disabled"
- }
- ],
- "cookies": [
- {
- "name": "*",
- "type": "wildcard",
- "decodeValueAsBase64": "disabled"
- }
- ],
- "parameters": [
- {
- "name": "*",
- "type": "wildcard",
- "decodeValueAsBase64": "disabled"
- }
- ]
- }
- }
- ```
+If you plan to use these built-in policies, you can skip to [Add WAF configuration to NGINX instances](#add-waf-config).
-
+If you’ve created custom security policies on your NGINX App Protect WAF instances, you can upload them to NGINX Instance Manager using the REST API. These policies must be uploaded so NGINX Instance Manager can compile and publish them across your data plane.
-1. Create a JSON request body that contains the encoded policy.
+### Upload custom security policies
- For example:
-
- ```json
- {
- "metadata": {
- "name": "ignore-xss-example",
- "displayName": "Ignore Cross Site Scripting example",
- "description": "Security policy that intentionally ignores cross site scripting"
- },
- "content":
- "ewogICAgInBvbGljeSI6IHsKICAgICAgICAibmFtZSI6ICJpZ25vcmUteHNzIiwKICAgICAgICAidGVtcGxhdGUiOiB7CiAgICAgICAgICAgICJuYW1lIjogIlBPTElDWV9URU1QTEFURV9OR0lOWF9CQVNFIgogICAgICAgIH0sCiAgICAgICAgImFwcGxpY2F0aW9uTGFuZ3VhZ2UiOiAidXRmLTgiLAogICAgICAgICJlbmZvcmNlbWVudE1vZGUiOiAiYmxvY2tpbmciLAogICAgICAgICJzaWduYXR1cmVzIjogWwogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAic2lnbmF0dXJlSWQiOiAyMDAwMDE0NzUsCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IGZhbHNlCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICJzaWduYXR1cmVJZCI6IDIwMDAwMDA5OCwKICAgICAgICAgICAgICAgICJlbmFibGVkIjogZmFsc2UKICAgICAgICAgICAgfSwKICAgICAgICAgICAgewogICAgICAgICAgICAgICAgInNpZ25hdHVyZUlkIjogMjAwMDAxMTQ4LAogICAgICAgICAgICAgICAgImVuYWJsZWQiOiBmYWxzZQogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAic2lnbmF0dXJlSWQiOiAyMDAwMDE0ODAsCiAgICAgICAgICAgICAgICAiZW5hYmxlZCI6IGZhbHNlCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICJzaWduYXR1cmVJZCI6IDIwMDAwMTA4OCwKICAgICAgICAgICAgICAgICJlbmFibGVkIjogZmFsc2UKICAgICAgICAgICAgfQogICAgICAgIF0sCiAgICAgICAgImJvdC1kZWZlbnNlIjogewogICAgICAgICAgICAic2V0dGluZ3MiOiB7CiAgICAgICAgICAgICAgICAiaXNFbmFibGVkIjogZmFsc2UKICAgICAgICAgICAgfQogICAgICAgIH0sCiAgICAgICAgImhlYWRlcnMiOiBbCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICJuYW1lIjogIioiLAogICAgICAgICAgICAgICAgInR5cGUiOiAid2lsZGNhcmQiLAogICAgICAgICAgICAgICAgImRlY29kZVZhbHVlQXNCYXNlNjQiOiAiZGlzYWJsZWQiCiAgICAgICAgICAgIH0sCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICJuYW1lIjogIiotYmluIiwKICAgICAgICAgICAgICAgICJ0eXBlIjogIndpbGRjYXJkIiwKICAgICAgICAgICAgICAgICJkZWNvZGVWYWx1ZUFzQmFzZTY0IjogInJlcXVpcmVkIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAibmFtZSI6ICJSZWZlcmVyIiwKICAgICAgICAgICAgICAgICJ0eXBlIjogImV4cGxpY2l0IiwKICAgICAgICAgICAgICAgICJkZWNvZGVWYWx1ZUFzQmFzZTY0IjogImRpc2FibGVkIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAibmFtZSI6ICJBdXRob3JpemF0aW9uIiwKICAgICAgICAgICAgICAgICJ0eXBlIjogImV4cGxpY2l0IiwKICAgICAgICAgICAgICAgICJkZWNvZGVWYWx1ZUFzQmFzZTY0IjogImRpc2FibGVkIgogICAgICAgICAgICB9LAogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAibmFtZSI6ICJUcmFuc2Zlci1FbmNvZGluZyIsCiAgICAgICAgICAgICAgICAidHlwZSI6ICJleHBsaWNpdCIsCiAgICAgICAgICAgICAgICAiZGVjb2RlVmFsdWVBc0Jhc2U2NCI6ICJkaXNhYmxlZCIKICAgICAgICAgICAgfQogICAgICAgIF0sCiAgICAgICAgImNvb2tpZXMiOiBbCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICJuYW1lIjogIioiLAogICAgICAgICAgICAgICAgInR5cGUiOiAid2lsZGNhcmQiLAogICAgICAgICAgICAgICAgImRlY29kZVZhbHVlQXNCYXNlNjQiOiAiZGlzYWJsZWQiCiAgICAgICAgICAgIH0KICAgICAgICBdLAogICAgICAgICJwYXJhbWV0ZXJzIjogWwogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAibmFtZSI6ICIqIiwKICAgICAgICAgICAgICAgICJ0eXBlIjogIndpbGRjYXJkIiwKICAgICAgICAgICAgICAgICJkZWNvZGVWYWx1ZUFzQmFzZTY0IjogImRpc2FibGVkIgogICAgICAgICAgICB9CiAgICAgICAgXQogICAgfQp9CiAgICAgICAgCg=="
- }
- ```
+To upload a policy, follow these steps:
-1. Send an HTTP `POST` request to the `/api/platform/v1/security/policies` endpoint to create the policy on Instance Manager.
+1. Encode the JSON policy using `base64`.
- For example:
+ **Example:**
- ```shell
- curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
- -H "Authorization: Bearer " --ContentType application/json \
- -d '{"content": "ewogICAgInBvbGljeSI6[CONTENT_SNIPPED]QogICAgfQp9CiAgICAgICAgCg==", \
- "metadata": {"description": "Ignore cross-site scripting is a security policy that intentionally ignores cross site scripting.", \
- "displayName": "Ignore cross-site scripting example", "name": "ignore-xss-example"}}'
- ```
+ ```shell
+ base64 -i ./ignore-xss-policy-example.json
+ ```
- You should receive a success response similar to the example below:
+2. Create a JSON request that includes the base64-encoded policy from step 1 as the value for the `content` field.
+
+ Replace the example string below with the actual base64-encoded output you generated.
```json
{
- "metadata": {
- "created": "2022-12-16T03:41:53.516Z",
- "description": "Security policy that intentionally ignores cross site scripting",
- "displayName": "Ignore Cross Site Scripting example",
- "modified": "2022-12-16T03:47:34.465920964Z",
- "name": "ignore-xss-example",
- "revisionTimestamp": "2022-12-16T03:41:53.516Z",
- "uid": "23139e0a-4ac8-49f9-b7a0-0577b42c70c7"
- },
- "selfLink": {
- "rel": "/api/platform/v1/security/policies/23139e0a-4ac8-49f9-b7a0-0577b42c70c7"
- }
+ "metadata": {
+ "name": "ignore-xss-example",
+ "displayName": "Ignore cross-site scripting example",
+ "description": "Security policy that intentionally ignores cross-site scripting"
+ },
+ "content": ""
}
```
-1. Verify that your policies have been onboarded by sending an HTTP `GET` request to the `/api/platform/v1/security/policies` endpoint:
+3. Send the request to the Instance Manager REST API to create the policy:
```shell
- curl -X GET https://{{NMS_FQDN}}/api/platform/v1/security/policies \
- -H "Authorization: Bearer z"
+ curl -X POST https:///api/platform/v1/security/policies \
+ -H "Authorization: Bearer " \
+ -H "Content-Type: application/json" \
+ -d @policy.json
```
- You should receive a success response similar to the example below:
+ You should receive a success response with the policy metadata.
-
- Example response
+4. To verify that your policy was successfully onboarded, send a GET request:
- ```json
- {
- "items": [
- {
- "content": "",
- "metadata": {
- "created": "2022-12-14T00:04:07.646Z",
- "description": "The default policy provides OWASP Top 10 and Bot security protection",
- "displayName": "NGINX Default Policy",
- "modified": "2022-12-14T00:04:07.646Z",
- "name": "NginxDefaultPolicy",
- "revisionTimestamp": "2022-12-14T00:04:07.646Z",
- "uid": "ae7d2ffc-972d-4951-a7ba-2340e1b8fe1c"
- }
- },
- {
- "content": "",
- "metadata": {
- "created": "2022-12-14T00:04:07.65Z",
- "description": "The strict policy contains more restrictive criteria for blocking traffic than the default policy",
- "displayName": "NGINX Strict Policy",
- "modified": "2022-12-14T00:04:07.65Z",
- "name": "NginxStrictPolicy",
- "revisionTimestamp": "2022-12-14T00:04:07.65Z",
- "uid": "94665634-0d7e-4b72-87e8-491d951c8510"
- }
- },
- {
- "content": "",
- "metadata": {
- "created": "2022-12-16T03:41:53.516Z",
- "description": "Security policy that intentionally ignores cross site scripting",
- "displayName": "Ignore Cross Site Scripting example",
- "modified": "2022-12-16T03:47:34Z",
- "name": "ignore-xss-example",
- "revisionTimestamp": "2022-12-16T03:41:53.516Z",
- "uid": "23139e0a-4ac8-49f9-b7a0-0577b42c70c7"
- }
- }
- ]
- }
+ ```shell
+ curl -X GET https:///api/platform/v1/security/policies \
+ -H "Authorization: Bearer "
```
-
+ The response includes a list of all security policies managed by NGINX Instance Manager.
---
-## Add WAF Configuration to NGINX Instances {#add-waf-config}
+## Add WAF configuration to NGINX instances {#add-waf-config}
-The [NGINX App Protect WAF Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-configuration-overview) provides information about how and where to add the directives that allow you to add security to your instances. Instance Manager ships with the same reference policies as NGINX App Protect WAF:
+The [NGINX App Protect WAF configuration guide](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-configuration-overview) shows where and how to add security directives to your NGINX configuration. NGINX Instance Manager includes the same default security policies as NGINX App Protect WAF:
-- NGINX Default Policy (`NginxDefaultPolicy.tgz`): Provides OWASP Top 10 and Bot security protection out of the box.
-- NGINX Strict Policy (`NginxStrictPolicy.tgz`): Contains more restrictive criteria for blocking traffic than the default policy, with a higher risk of false positives.
+- **NGINX Default Policy**: Provides [OWASP Top 10](https://owasp.org/www-project-top-ten/) and bot protection out of the box.
+- **NGINX Strict Policy**: Contains more restrictive criteria for blocking traffic, with a higher risk of false positives.
-You can use either of these policies as-is. Many users treat the reference policy as starting point and customize it to suit the needs of their applications. The Security Monitoring dashboards provide insights that can help you fine-tune your security policies.
+You can use these default policies as-is or customize them for your app. Security Monitoring dashboards can help you fine-tune policy settings.
-When using Instance Manager to manage your WAF configuration, keep the following in mind:
+Keep the following in mind when configuring NGINX App Protect WAF through NGINX Instance Manager:
-- Instance Manager can compile JSON security policies into a `.tgz` bundle.
-- You can reference custom policy files using the `app_protect_policy_file` directive.
+- Instance Manager compiles JSON security policies into `.tgz` bundles.
+- Use the `app_protect_policy_file` directive to reference custom policies.
- {{}}If you already have JSON security policies referenced in your NGINX configuration, you can keep them as-is if precompiled publication is not enabled in the NGINX Agent. However, you'll need to change the file extension for the referenced files from `.json` to `.tgz` if precompiled publication is enabled. The file name for the compiled bundle will be the same as the original file. Instance Manager does not support both `.json` and `.tgz` files within a single NGINX configuration{{}}
+ If you're using precompiled publication with NGINX Agent, make sure to change the file extension from `.json` to `.tgz`. The filename remains the same. NGINX Instance Manager doesn't support referencing both `.json` and `.tgz` in the same NGINX configuration.
-- If you are using custom policies, be sure NGINX Agent has permission to access the location(s) where the policies are stored on the data plane. To do so, edit the NGINX Agent configuration file on the data plane host and add the custom file path to the `config_dirs` setting.
+- If you're using custom policies, make sure NGINX Agent has permission to access the directories where those policy files are stored. Update the `config_dirs` setting in the NGINX Agent's configuration file if needed.
+- NGINX Instance Manager uses the default log profiles that come with NGINX App Protect WAF. You can reference them with the `app_protect_security_log` directive. Custom log profiles aren't supported.
-- Instance Manager uses the NGINX App Protect WAF [default log profiles](https://docs.nginx.com/nginx-app-protect/logging-overview/security-log/#default-logging-content). You can specify the desired log profile by using the `app_protect_security_log` directive.
-Instance Manager does not support the use of custom log profiles.
+If you're using different directories on the data plane, update paths accordingly in your NGINX configuration.
-The examples in this guide use the default path for NGINX App Protect configuration files. If you have these files stored elsewhere on your data plane instance(s), be sure to use the correct file path when setting up your configuration.
+### Edit the NGINX configuration
-### Edit the NGINX configuration {#update-nginx-conf}
-
-By using the Instance Manager web interface or REST API, add the NGINX App Protect WAF configurations to the appropriate context in your NGINX configuration.
-
-The example below shows the directives added to a `location` block:
+Add the NGINX App Protect WAF directives in the appropriate context (`http`, `server`, or `location`). Here's an example:
```nginx
-...
server {
...
location / {
- ##Enable NGINX App Protect
- app_protect_enable on;
- ## Reference to a custom security policy bundle
- app_protect_policy_file /etc/nms/ignore-xss.tgz;
- ## enable logging
- app_protect_security_log_enable on;
- ## Reference to the log profile bundle
- app_protect_security_log /etc/nms/log-default.tgz /var/log/nginx/security-violations.log;
- ...
+ # Enable NGINX App Protect WAF
+ app_protect_enable on;
+
+ # Reference a custom security policy bundle
+ app_protect_policy_file /etc/nms/ignore-xss.tgz;
+
+ # Enable security logging
+ app_protect_security_log_enable on;
+
+ # Reference the log profile bundle
+ app_protect_security_log /etc/nms/log-default.tgz /var/log/nginx/security-violations.log;
+
+ ...
+ }
}
```
-{{< note >}}If you're using the NGINX Instance Manager Security Monitoring, you should already have the `app_protect_security_log` directive set to reference the `secops_dashboard.tgz` file as shown below. Do not change this setting.
+If you’re using NGINX Instance Manager with Security Monitoring, your configuration may already include the following directive:
```nginx
app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;
```
-Refer to the [Security Monitoring setup guide]({{< ref "/nim/nginx-app-protect/security-monitoring/set-up-app-protect-instances.md" >}}) to learn more. {{}}
+**Don’t change this value.** See the [Security Monitoring setup guide]({{< ref "/nim/nginx-app-protect/security-monitoring/set-up-app-protect-instances.md" >}}) for more details.
-{{}}
-NGINX configuration for NGINX App Protect Version 5 requires the following changes:
+If you’re using NGINX App Protect WAF v5:
-- The `app_protect_enforcer_address` directive must be included within the `http` context of the NGINX configuration:
+- You must add the `app_protect_enforcer_address` directive to the `http` context:
- ```nginx
- app_protect_enforcer_address 127.0.0.1:50000;
- ```
-
-- JSON policies and log profiles are not supported for Version 5, so all policies and log profiles must be precompiled and the `precompiled_publication` attribute in the NGINX Agent configuration must be set to `true`.
-
-Refer to the [NGINX App Protect WAF Configuration Guide](https://docs.nginx.com/nginx-app-protect-waf/v5/configuration-guide/configuration/) to learn more.
-{{}}
+ ```nginx
+ app_protect_enforcer_address 127.0.0.1:50000;
+ ```
-Additional example configurations tailored for NGINX features can be found in the [NGINX App Protect WAF Configuration Guide](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#interaction-with-nginx-features).
+- JSON policies and log profiles aren’t supported. You must precompile and publish them using NGINX Instance Manager. Make sure the precompiled_publication setting in the NGINX Agent configuration is set to true.
-
+ See the [NGINX App Protect WAF configuration guide]({{< ref "/nap-waf/v5/configuration-guide/configuration.md" >}}) for details.
{{}}
{{%tab name="UI"%}}
1. {{< include "nim/webui-nim-login.md" >}}
-2. On the left menu, select **Instances** or **Instance Groups**.
-3. Select **Edit Config** from the **Actions** menu (represented by an ellipsis, `...`) for the desired instance or instance group.
-4. If precompiled publication is enabled, change the file extension from `.json` to `.tgz` if there are any referenced security policies in the file.
-5. If you want to apply the default security policy, select **Apply Security** and then copy the desired policy snippet by selecting **Copy**.
-6. Paste the snippet into an `http`, `server`, or `location` context in the configuration.
-
- If multiple policies have been published, the most granular policy will apply.
-
-7. Select **Publish** to immediately push the updated configuration to the selected instance or instance group.
+2. In the left menu, select **Instances** or **Instance Groups**.
+3. From the **Actions** menu (**...**), select **Edit Config** for the instance or group.
+4. If you’re using precompiled publication, change any `.json` file extensions to `.tgz`.
+5. If you want to apply a default policy, select **Apply Security**, then copy the policy snippet and paste it into your configuration.
+6. Add the directives inside an `http`, `server`, or `location` block.
+7. Select **Publish** to push the configuration.
{{%/tab%}}
+
{{%tab name="API"%}}
{{< see-also >}}{{< include "nim/how-to-access-nim-api.md" >}}{{< /see-also >}}
+You can use the NGINX Instance Manager REST API to deploy your NGINX App Protect WAF configuration.
{{}}
@@ -968,135 +882,132 @@ Additional example configurations tailored for NGINX features can be found in th
{{}}
+{{}}Before deploying a configuration to an instance group, make sure all instances in the group are running the same version of NGINX App Protect WAF. Otherwise, the deployment may fail.{{}}
-1. Send an HTTP `GET` request to the `/api/platform/v1/systems/{systemUID}/instances` endpoint. This returns a list of all instances from which you can find the unique identifier (UID) of the instance that you want to update.
-1. Add the desired configurations to your `nginx.conf` file, or to any other configuration file that's within the context defined in the NGINX Agent `config_dirs` setting.
+1. Send a `GET` request to the `/api/platform/v1/systems/{systemUID}/instances` endpoint to list all instances. This response includes the unique identifier (UID) of the instance that you want to update.
- - At a minimum, you should add `app_protect_enable on;`.
- - If precompiled publication is enabled, change the file extension from `.json` to `.tgz` if there are any referenced security policies in the file.
- - If you'd like to use the default security policies, paste either of the policy snippets below into an `http`, `server`, or `location` context in the configuration file. The most granular policy will be applied if multiple policies have been published.
+ ```shell
+ curl -X GET https://{{NMS_FQDN}}/api/platform/v1/systems/{systemUID}/instances \
+ -H "Authorization: Bearer "
+ ```
- ``` nginx
- app_protect_policy_file /etc/nms/NginxDefaultPolicy.tgz;
- app_protect_policy_file /etc/nms/NginxStrictPolicy.tgz;
- ```
+2. Add the NGINX App Protect WAF configuration to your NGINX config file (`nginx.conf` or another config file located in a valid `config_dirs` path on the data plane host):
-1. Encode the configuration file using base64:
+ - At a minimum, add the following directive:
- ``` bash
- base64 -i /etc/nginx/nginx.conf
- ```
+ ```nginx
+ app_protect_enable on;
+ ```
+
+ - If precompiled publication is enabled, change any `.json` policy references to `.tgz`.
+ - If you want to apply a default policy, you can use:
-1. Provide the encoded string in `configFiles.files.contents`, as shown below.
+ ```nginx
+ app_protect_policy_file /etc/nms/NginxDefaultPolicy.tgz;
+ ```
- > **Important!** Before deploying an updated configuration to an instance group, ensure that all instances in the group have the same version of NGINX App Protect WAF installed. Otherwise, the deployment may fail.
+ or
- ```shell
- curl -X POST https://{{NMS_FQDN}}/api/platform/v1/systems/{systemUID}/instances/{nginxUID}/config -H "Authorization: Bearer " \
- --Content-Type application/json -d @
- ```
+ ```nginx
+ app_protect_policy_file /etc/nms/NginxStrictPolicy.tgz;
+ ```
-
- JSON Response
+ - Add the directives to an `http`, `server`, or `location` context.
- ```json
- {
- "auxFiles": {
- "files": [
- {
- "contents": "PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KP",
- "name": "/var/www/html/index.nginx-debian.html"
- }
- ],
+3. Encode the updated NGINX configuration file using base64.
- "rootDir": "/"
- },
+ ```shell
+ base64 -i /etc/nginx/nginx.conf
+ ```
+4. Send a `POST` request to the `/api/platform/v1/security/{systemUID}/instances/{nginxUID}/config` endpoint to deploy the configuration. Replace `` with your encoded config:
+
+ ```shell
+ curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/{systemUID}/instances/{nginxUID}/config \
+ -H "Authorization: Bearer " \
+ --header "Content-Type: application/json" \
+ -d '{
"configFiles": {
- "files": [
+ "rootDir": "/etc/nginx",
+ "files": [
{
- "contents": "dXNlciB3d3ctZGF0YTsKd29ya2VyX3Byb2Nlc3Nlc",
- "name": "nginx.conf"
+ "name": "nginx.conf",
+ "contents": ""
}
- ],
-
- "rootDir": "/etc/nginx"
+ ]
},
-
- "configUID": "",
- "ignoreConflict": false,
"validateConfig": true
- }
+ }'
```
-
-
{{%/tab%}}
-
{{}}
-### Verify Configuration
+### Verify configuration
+
+After you add NGINX App Protect WAF directives to your NGINX configuration, you can verify the setup in the NGINX Instance Manager web interface.
-Once you have added the NGINX App Protect WAF directives to your NGINX configuration, you should see the NGINX App Protect WAF status reported as "Active". Take the steps below to verify the configuration in the Instance Manager web interface.
+To confirm that the NGINX App Protect WAF configuration was applied:
1. {{< include "nim/webui-nim-login.md" >}}
-1. Select **Instances**.
-1. You should see the installed version listed in the **NGINX App Protect** column.
-1. Select the instance, then scroll to the **App Protect Details** section. There, you should see the "App Protect WAF" status is "Active". The "Build" should match the version installed on the instance.
+2. In the left navigation menu, select **Instances**.
+3. In the **NGINX App Protect** column, confirm that the correct version is listed.
+4. Select the instance. Then, scroll to the **App Protect Details** section.
+5. Confirm that the **App Protect WAF** status is **Active**, and the **Build** matches the version installed on the instance.
---
## Troubleshooting
-If you're having issues with NGINX App Protect WAF, we suggest trying the following troubleshooting steps. If none of them helps, please reach out to NGINX Customer Support for further assistance.
+If you're having trouble with NGINX App Protect WAF, try the steps below. If these don't solve the issue, reach out to F5 NGINX Customer Support.
-
-Verify that NGINX App Protect WAF is not installed on the NGINX Instance Manager host
+### Check that NGINX App Protect WAF is not installed on the NGINX Instance Manager host
-To ensure no library conflicts arise when installing `nms-nap-compiler`, verify that NGINX App Protect WAF is not installed on the NGINX Instance Manager host. You can do this by taking the following steps:
+NGINX App Protect WAF and the WAF compiler shouldn't run on the same host. To check:
-1. Open an SSH connection to your NGINX Instance Manager host and log in.
-2. Run the following command:
+1. Log in to the NGINX Instance Manager host from a terminal.
+2. Run the command that matches your operating system:
- - Debian-based distributions, run `dpkg -s app-protect`
- - RPM-based distributions, run `rpm -qi grep app-protect`
+ - For Debian-based systems:
-If NGINX App Protect WAF is installed, you'll need to [uninstall it](https://docs.nginx.com/nginx-app-protect-waf/admin-guide/install/#uninstall-app-protect).
+ ```shell
+ dpkg -s app-protect
+ ```
+
+ - For RPM-based systems:
-
+ ```shell
+ rpm -qi | grep app-protect
+ ```
-
-Verify the WAF compiler version and NGINX App Protect version match
+If NGINX App Protect WAF is installed, follow the [uninstall instructions]({{< ref "/nap-waf/v4/admin-guide/install.md#uninstall-app-protect" >}}).
-Each NGINX App Protect WAF version has a corresponding version of the WAF compiler. You must install the correct WAF compiler version for the version of NGINX App Protect WAF running on the managed instance(s). Refer to [WAF Compiler and Supported App Protect Versions]( #nap-waf-compiler-compatibility) for compatibility details.
+### Check that the WAF compiler version matches the NGINX App Protect WAF version
-To view the installed version of the WAF compiler:
+Each NGINX App Protect WAF version has a matching WAF compiler version. To confirm:
-1. Open an SSH connection to your NGINX Instance Manager host and log in.
-2. Run the following command:
+1. Log in to the NGINX Instance Manager host.
+2. Run the following command to see installed compiler versions:
```shell
ls -l /opt/nms-nap-compiler
```
-
-
-
-Verify the WAF compiler is running properly
+### Confirm the WAF compiler is working correctly
-Check if the WAF compiler has been installed and is working properly by viewing the command-line help:
+You can verify that the WAF compiler is installed and responding:
-```bash
+```shell
sudo /opt/nms-nap-compiler/app_protect-/bin/apcompile -h
```
-For example, to view the help description for WAF compiler 5.342.0, run the following command:
+**Example:**
-``` bash
+```shell
sudo /opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -h
```
-The output looks similar to the following example:
+**Expected output:**
```text
USAGE:
@@ -1108,66 +1019,51 @@ Examples:
/opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -g myglobalsettings.json --global-state-outfile /path/to/myglobalstate.tgz
/opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -b /path/to/policy_bundle.tgz --dump
/opt/nms-nap-compiler/app_protect-5.342.0/bin/apcompile -l logprofA.json -o /path/to/logprofA_bundle.tgz
-...
```
-
+### Confirm NGINX Agent configuration on the NGINX App Protect WAF instance
-
-
-
-Verify NGINX Agent configuration on NGINX App Protect WAF instance
-
-Configure NGINX Agent on your NGINX App Protect WAF instance with settings similar to the following example:
-
-"/etc/nginx-agent/nginx-agent.conf"
+Open the `/etc/nginx-agent/nginx-agent.conf` file and make sure it includes the right settings.
```yaml
-# path to aux file dirs can also be added
+# List of directories the agent monitors for config files
config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect"
-# Enable necessary NAP extensions
+# Enable necessary NGINX App Protect extensions
extensions:
- - nginx-app-protect
- - nap-monitoring
+ - nginx-app-protect
+ - nap-monitoring
nginx_app_protect:
- # Report interval for NGINX App Protect details - the frequency the NGINX Agent checks NGINX App Protect for changes.
+ # Report interval for NGINX App Protect details — how often the agent checks for changes
report_interval: 15s
- # Enable precompiled publication from the NGINX Instance Manager (true) or perform compilation on the data plane host (false).
+ # Set to true to publish precompiled policies and log profiles from NGINX Instance Manager
precompiled_publication: true
nap_monitoring:
- # Buffer size for collector. Will contain log lines and parsed log lines
+ # Buffer size for the collector — holds log lines and parsed entries
collector_buffer_size: 50000
- # Buffer size for processor. Will contain log lines and parsed log lines
+ # Buffer size for the processor — processes log lines from the buffer
processor_buffer_size: 50000
- # Syslog server IP address the collector will be listening to
+ # IP address where the agent listens for syslog messages
syslog_ip: "127.0.0.1"
- # Syslog server port the collector will be listening to
+ # Port number for receiving syslog messages
syslog_port: 514
```
-
-
-
+### Confirm access to the NGINX packages repository
-
-Verify access to the NGINX packages repository
+If automatic downloads for Attack Signatures or Threat Campaigns are failing, check whether the repo certificate and key are set up correctly.
-To allow Instance Manager to automatically download the latest Attack Signatures and Threat Campaigns, you need to [upload the certificate and key files]({{< ref "/nim/nginx-app-protect/setup-waf-config-management.md#upload-nginx-app-protect-waf-certificate-and-key" >}}) included with your subscription to allow access to the package repository.
+Run this command to test access:
-If you already uploaded your certificate and key files, use the command below to verify that they allow access to the package repo:
-
-```bash
+```shell
curl --key /etc/ssl/nginx/nginx-repo.key --cert /etc/ssl/nginx/nginx-repo.crt https://pkgs.nginx.com/app-protect-security-updates/index.xml
```
-
+**Expected output:**
-The output looks similar to the following example:
-
-``` text
+```text
...
@@ -1177,21 +1073,19 @@ The output looks similar to the following example:
app-protect-attack-signatures
x86_64
-
-
-
- app-protect-attack-signatures
- x86_64
-
-
+
...
```
-
-
---
## What's Next
-Now that configuration management is set up, you can use the Instance Manager REST API to manage security policies, view system information about your NGINX App Protect WAF instances, and update Attack Signatures and Threat Campaigns. Learn more in [Manage App Protect WAF Configuration using the REST API]({{< ref "manage-waf-security-policies" >}}).
+Now that configuration management is set up, you can use the NGINX Instance Manager REST API to:
+
+- Manage NGINX App Protect WAF security policies.
+- View system information about your NGINX App Protect WAF instances.
+- Update Attack Signatures and Threat Campaigns.
+
+To learn more, see [Manage WAF Security Policies and Security Log Profiles]({{< ref "/nim/nginx-app-protect/manage-waf-security-policies.md" >}}).
diff --git a/content/nim/nginx-app-protect/waf-config-management.md b/content/nim/nginx-app-protect/waf-config-management.md
deleted file mode 100644
index 5e76684d4..000000000
--- a/content/nim/nginx-app-protect/waf-config-management.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-description: Learn how to use NGINX Management Suite Instance Manager to publish NGINX
- App Protect WAF configurations.
-docs: DOCS-1114
-title: WAF Configuration Management
-toc: true
-weight: 100
----
-
-## Overview
-
-You can use NGINX Management Suite Instance Manager to publish configurations to your NGINX App Protect WAF data plane instances.
-
-## Publish WAF Configurations
-
-1. Set up your NGINX Management Suite Instance Manager instance:
-
- - [Install the WAF Compiler]({{< ref "/nim/nginx-app-protect/setup-waf-config-management#install-the-waf-compiler" >}})
-
- - [Set up the Attack Signatures and Threat Campaigns]({{< ref "/nim/nginx-app-protect/setup-waf-config-management#set-up-attack-signatures-and-threat-campaigns" >}})
-
-2. In Instance Manager, [onboard the App Protect Instances]({{< ref "/nim/nginx-app-protect/setup-waf-config-management#onboard-nginx-app-protect-waf-instances" >}}) you want to publish policies and log profiles to.
-
-3. [Create the security policies]({{< ref "/nim/nginx-app-protect/manage-waf-security-policies#create-security-policy" >}}).
-
-4. [Create the security log profiles]({{< ref "/nim/nginx-app-protect/manage-waf-security-policies#create-security-log-profile" >}}).
-
-5. [Add or edit a WAF Configuration]({{< ref "/nim/nginx-app-protect/setup-waf-config-management#add-waf-config" >}}) to your NGINX Instances, and publish using Instance Manager.
-
- {{}}Map the App Protect directives on NGINX configuration to `.tgz` file extensions (not `.json`).{{< /note >}}