Bring Your Own NGINX App Protect WAF Policy

Learn how to use your own NGINX App Protect WAF policies with NGINX Controller

Overview

You can use the App Security Add-on for NGINX Controller ADC to bring your own (“BYO”) NGINX App Protect policies into NGINX Controller. This lets you use your existing declarative JSON policies from NGINX App Protect to protect your ADC app components.

A BYO NGINX App Protect policy lets you maintain consistent Security Policies across your F5 WAF and NGINX WAF deployments. For example, say you already use F5 BIG-IP Application Security Manager (ASM) or F5 Advanced WAF and are now adopting NGINX Controller App Security. You can convert your XML Security Policies to an NGINX App Protect policy by using the NGINX App Protect Policy Converter tool.

To export a policy from F5 Advanced WAF or ASM, take the following steps:

  1. Convert your F5 XML security policy to an NGINX App Protect WAF declarative JSON policy using the NGINX App Protect Policy Converter tool.

    Note:
    We recommend using the Converter tool that corresponds with the most recent NGINX App Protect version.

  2. Use the NGINX App Protect declarative JSON policy as the WAF policy in NGINX Controller for your app component(s).

 

With a BYO NGINX App Protect policy, you can also provide customized security by crafting an NGINX App Protect WAF policy that specifies the security controls appropriate for your apps. For more information on how to configure an NGINX App Protect WAF policy, refer to the NGINX App Protect Configuration Guide.

Security Strategy for BYO NGINX App Protect Policy

The BYO NGINX App Protect policy uses the concept of a Security Strategy

With the BYO NGINX App Protect policy feature, you can specify the exact NGINX App Protect policy for the Security Strategy. Then, the Security Strategy can be shared across – and referenced by – multiple app components. A Security Strategy can be comprised of various app-security-related Security Policies. NGINX Controller includes a custom NGINX App Protect WAF policy, which can be assigned to a Security Strategy.

You can also add a BYO NGINX App Protect WAF policy in JSON format to NGINX Controller “as-is” for use in a Security Strategy.

An App Component contains a reference to a Security Strategy, which, in turn, references a Security Policy. This Security Policy contains the NGINX App Protect WAF policy.

Refer to the topic Enable WAF for a Component Using Your Own NGINX App Protect Policy to get started.

Limitations

BYO NAP WAF policy currently has the following limitations:

  • The size of the BYO NGINX App Protect WAF policy that’s referenced by app components may affect application performance.
  • References to external files, such as the following, in the NGINX App Protect WAF JSON declarative policy are not supported:
    • User Defined Signatures
    • Security controls in external references
    • Referenced OpenAPI spec files
  • Cookie modification (VIOL_COOKIE_MODIFIED) is not supported.
  • gRPC protection is not supported.
  • Protection with partial security visibility:
    • Not all security metrics dimensions are available for the following:
      • Bot violations
      • CSRF origin validation violations
      • User-defined browser violations
​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​

This documentation applies to the following versions of NGINX Controller: 3.17 and 3.18.