End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller API Management Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller API- Management customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller Application Delivery Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller Application Delivery customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
Bring Your Own WAF Policy
Learn how to use your own F5 NGINX App Protect WAF policies with NGINX Controller.
Overview
You can use the App Security Add-on for F5 NGINX Controller ADC to bring your own (“BYO”) NGINX App Protect policies into NGINX Controller. This lets you use your existing declarative JSON policies from NGINX App Protect to protect your ADC app components.
A BYO NGINX App Protect policy lets you maintain consistent Security Policies across your F5 WAF and NGINX WAF deployments. For example, say you already use F5 BIG-IP Application Security Manager (ASM) or F5 Advanced WAF and are now adopting NGINX Controller App Security. You can convert your XML Security Policies to an NGINX App Protect policy by using the NGINX App Protect Policy Converter tool.
To export a policy from F5 Advanced WAF or ASM, take the following steps:
-
Convert your F5 XML security policy to an NGINX App Protect WAF declarative JSON policy using the NGINX App Protect Policy Converter tool.
Note:
We recommend using the Converter tool that corresponds with the most recent NGINX App Protect version. -
Use the NGINX App Protect declarative JSON policy as the WAF policy in NGINX Controller for your app component(s).
With a BYO NGINX App Protect policy, you can also provide customized security by crafting an NGINX App Protect WAF policy that specifies the security controls appropriate for your apps. For more information on how to configure an NGINX App Protect WAF policy, refer to the NGINX App Protect Configuration Guide.
Security Strategy for BYO NGINX App Protect Policy
The BYO NGINX App Protect policy uses the concept of a Security Strategy
With the BYO NGINX App Protect policy feature, you can specify the exact NGINX App Protect policy for the Security Strategy. Then, the Security Strategy can be shared across – and referenced by – multiple app components. A Security Strategy can be comprised of various app-security-related Security Policies. NGINX Controller includes a custom NGINX App Protect WAF policy, which can be assigned to a Security Strategy.
You can also add a BYO NGINX App Protect WAF policy in JSON format to NGINX Controller “as-is” for use in a Security Strategy.
An App Component contains a reference to a Security Strategy, which, in turn, references a Security Policy. This Security Policy contains the NGINX App Protect WAF policy.
Refer to the topic Enable WAF for a Component Using Your Own NGINX App Protect Policy to get started.
Limitations
BYO NAP WAF policy currently has the following limitations:
- The size of the BYO NGINX App Protect WAF policy that’s referenced by app components may affect application performance.
- References to external files, such as the following, in the NGINX App Protect WAF JSON declarative policy are not supported:
- User Defined Signatures
- Security controls in external references
- Referenced OpenAPI spec files
- Cookie modification (
VIOL_COOKIE_MODIFIED
) is not supported. - gRPC protection is not supported.
- Protection with partial security visibility:
- Not all security metrics dimensions are available for the following:
- Bot violations
- CSRF origin validation violations
- User-defined browser violations
- Not all security metrics dimensions are available for the following: