Set Up App Security Monitor Mode

How to use NGINX Controller App Security to monitor or block security violations.

Overview

You can use the NGINX Controller REST API to enable or disable monitor-only mode for the App Security WAF policy.

Enable Monitor-Only Mode for App Security WAF

When monitor-only mode is enabled, traffic is allowed to pass without being rejected. However, security events are still generated and metrics are still collected. See About App Security Analytics for more information.

To enable monitor-only mode for App Security WAF, send a POST or PUT request to the Components endpoint, with a JSON object similar to the following:

{
  "metadata": {...},
  "desiredState": {
    "ingress": {...},
    "security": {
       "strategyRef": {
         "ref": "/security/strategies/policyName"
       },
       "waf": {
            "isEnabled": true,
            "isMonitorOnly": true
        }
    },
    "backend": {...},
    "logging": {...}
  }
}

Block Traffic Violations with App Security WAF

When monitor-only mode is disabled, traffic is blocked based on the Violation Rating score for the default policy.

To block traffic violations with App Security WAF, send a POST or PUT request to the /services/apps/components REST API endpoint, with a JSON object similar to the following:

{
  "metadata": {...},
  "desiredState": {
    "ingress": {...},
    "security": {
       "strategyRef": {
         "ref": "/security/strategies/policyName"
       },        
        "waf": {
            "isEnabled": true,
            "isMonitorOnly": false
        }
    },
    "backend": {...},
    "logging": {...}
  }
}

This documentation applies to the following versions of NGINX Controller Documentation: 3.12, 3.13, 3.14, 3.15, 3.16.1, 3.17 and 3.18.