Set up App Protect WAF instances for Security Monitoring
Overview
F5 NGINX Security Monitoring supports two main use cases:
- Security Monitoring only: Monitor data from NGINX App Protect WAF instances. You can view security dashboards to identify threats and adjust policies. WAF configurations are managed outside NGINX Instance Manager.
- Security Monitoring and Instance Manager: Monitor security data and manage WAF configurations and policies in one place. Push pre-compiled updates to individual instances or groups.
Before you begin
Complete these steps before starting:
- If you’re new to NGINX App Protect WAF, follow these guides:
  - Install NGINX App Protect WAF on each data plane instance. Ensure connectivity to the NGINX Instance Manager host.
  - Configure NGINX App Protect WAF as needed for each instance.
- Review NGINX App Protect WAF dependencies:

  The Security Monitoring module requires the following versions of NGINX App Protect WAF and NGINX Plus for the data plane:

  | Security Monitoring | NGINX App Protect WAF |
  |---|---|
  | 1.7.1 | Release 4.7.0–4.12.0, 5.1.0–5.4.0 |
  | 1.7.0 | Release 4.4.0–4.7.0 |
  | 1.6.0 | Release 4.3.0–4.4.0 |
  | 1.5.0 | Release 4.3.0 |
  | 1.4.0 | Release 4.2.0 |
  | 1.3.0 | Release 3.12.2–4.2.0 |
  | 1.2.0 | Release 3.12.2–4.1.0 |
  | 1.1.0 | Release 3.12.2–4.0.0 |
  | 1.0.0 | Release 3.12.2 |

- Determine your use case: Security Monitoring only or Security Monitoring and Configuration Management.
Install NGINX Agent
NGINX Agent collects metrics, manages configurations, and sends events. Install and configure it on each WAF data plane host.
- Connect to the host via SSH.
- Install the NGINX Agent package from the NGINX Instance Manager host:

  Note: To complete this step, make sure that `gpg` is installed on your system. You can install NGINX Agent using various command-line tools like `curl` or `wget`. If your NGINX Instance Manager host is not set up with valid TLS certificates, you can use the insecure flags provided by those tools. See the following examples:

  - Using `curl`:

    Secure:

    ```shell
    curl https://<NMS_FQDN>/install/nginx-agent | sudo sh
    ```

    Insecure:

    ```shell
    curl --insecure https://<NMS_FQDN>/install/nginx-agent | sudo sh
    ```

    You can add your NGINX instance to an existing instance group or create one using the `--instance-group` or `-g` flag when installing NGINX Agent. The following example shows how to download and run the script with the optional `--instance-group` flag, adding the NGINX instance to the instance group `my-instance-group`:

    ```shell
    curl https://<NMS_FQDN>/install/nginx-agent > install.sh; chmod u+x install.sh
    sudo ./install.sh --instance-group my-instance-group
    ```

    By default, the install script attempts to use a secure connection when downloading packages. If, however, the script cannot create a secure connection, it uses an insecure connection instead and logs the following warning message:

    ```
    Warning: An insecure connection will be used during this nginx-agent installation
    ```

    To require a secure connection, set the optional `--skip-verify` flag to `false`. The following example shows how to download and run the script with an enforced secure connection:

    ```shell
    curl https://<NMS_FQDN>/install/nginx-agent > install.sh; chmod u+x install.sh
    sudo sh ./install.sh --skip-verify false
    ```

  - Using `wget`:

    Secure:

    ```shell
    wget https://<NMS_FQDN>/install/nginx-agent -O - | sudo sh -s --skip-verify false
    ```

    Insecure:

    ```shell
    wget --no-check-certificate https://<NMS_FQDN>/install/nginx-agent -O - | sudo sh
    ```

    When you install the NGINX Agent, you can use the `--instance-group` or `-g` flag to add your NGINX instance to an existing instance group or to a new group that you specify. The following example downloads and runs the NGINX Agent install script with the optional `--instance-group` flag, adding the NGINX instance to the instance group `my-instance-group`:

    ```shell
    wget https://<NMS_FQDN>/install/nginx-agent -O install.sh; chmod u+x install.sh
    sudo ./install.sh --instance-group my-instance-group
    ```
- Edit `/etc/nginx-agent/nginx-agent.conf` to enable `nap_monitoring`. Add this configuration:

  ```yaml
  dataplane:
    status:
      poll_interval: 30s
      report_interval: 24h
  events:
    enable: true
  metrics:
    bulk_size: 20
    report_interval: 1m
    collection_interval: 15s
    mode: aggregated
  config_dirs: "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms:/etc/app_protect"
  extensions:
    - nginx-app-protect
    - nap-monitoring
  nginx_app_protect:
    report_interval: 15s
    precompiled_publication: true
  nap_monitoring:
    collector_buffer_size: 50000
    processor_buffer_size: 50000
    syslog_ip: "127.0.0.1"
    syslog_port: 514
  ```

- If `location /api` isn’t configured in `nginx.conf`, add this directive:

  ```nginx
  server {
      location /api {
          api write=on;
          allow 127.0.0.1;
          deny all;
      }
  }
  ```

  Restart NGINX:

  ```shell
  sudo systemctl restart nginx
  ```
  Important: The `syslog:server=<syslog_ip>:<syslog_port>` value must match the `syslog_ip` and `syslog_port` values in the NGINX Agent configuration file. The dashboards won’t display data if these settings don’t match.
  - For NGINX App Protect Version 5, networking changes prevent using `127.0.0.1` as a syslog server address. Instead, use the `docker0` interface address (typically `192.0.10.1`) or the IP address of the data plane host.
- Use the NGINX Agent installation script to add `nginx_app_protect` and `nap_monitoring` fields to the configuration. Follow these steps:

  ```shell
  # Download the installation script via API
  curl https://<NMS_FQDN>/install/nginx-agent > install.sh

  # Use the --nap-monitoring flag to set the child fields for nap_monitoring.
  # The values will match the example configuration above.
  # Use -m | --nginx-app-protect-mode to set up NGINX App Protect management.
  # Example: Specify 'precompiled-publication' for precompiled policy publication,
  # which sets 'precompiled_publication' to 'true'. To set it to 'false', use 'none'.
  sudo sh ./install.sh --nap-monitoring true --nginx-app-protect-mode precompiled-publication
  ```

  Note: The `--nap-monitoring` flag adds fields under `nap_monitoring`. The `--nginx-app-protect-mode` flag sets up management of NGINX App Protect with the following options:
  - Use `precompiled-publication` to enable precompiled policy publication (`precompiled_publication: true`).
  - Use `none` if you don’t want to enable precompiled publication (`precompiled_publication: false`).
- Restart the NGINX Agent:

  ```shell
  sudo systemctl restart nginx-agent
  ```
Create instances for Security Monitoring only
Use these steps if you’re only monitoring security data without managing configurations in NGINX Instance Manager.
- Connect to the data plane host via SSH.
- Create a log format file at `/etc/app_protect/conf/log_sm.json`:

  ```json
  {
    "filter": {
      "request_type": "illegal"
    },
    "content": {
      "format": "user-defined",
      "format_string": "%blocking_exception_reason%,%dest_port%,%ip_client%,%severity%,%uri%",
      "escaping_characters": [
        {
          "from": ",",
          "to": "%2C"
        }
      ],
      "max_request_size": "2048",
      "max_message_size": "5k"
    }
  }
  ```

- In the NGINX configuration, add:

  ```nginx
  app_protect_security_log_enable on;
  app_protect_security_log "/etc/app_protect/conf/log_sm.json" syslog:server=127.0.0.1:514;
  ```

- Restart NGINX Agent and NGINX:

  ```shell
  sudo systemctl restart nginx-agent
  sudo systemctl restart nginx
  ```
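The `log_sm.json` format above produces a comma-separated line whose only defence against an ambiguous separator is the `escaping_characters` rule (a literal `,` inside a value is sent as `%2C`). The following Python is an added example, not part of this page or of the NGINX product: it derives the field names from the page's `format_string`, splits a log payload on the separator, reverses the escaping, and tallies events by severity and client address, the kind of offline triage you might do on exported lines before they reach the dashboards. The sample lines are constructed, and the `ASM:` syslog-prefix handling and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Format taken from the page's log_sm.json: field order and the
# "escaping_characters" rule (a literal "," inside a value is sent as "%2C").
FORMAT_STRING = "%blocking_exception_reason%,%dest_port%,%ip_client%,%severity%,%uri%"
FIELD_SEP = ","
ESCAPES = [(",", "%2C")]

# Constructed sample payloads (not real App Protect output). The first URI
# contains commas that App Protect would have escaped as %2C.
SAMPLE_LINES = [
    "N/A,443,192.0.2.10,Critical,/cart?items=1%2C2%2C3",
    "N/A,443,192.0.2.10,Error,/login",
    "N/A,80,198.51.100.7,Critical,/search?q=test",
]


def fields_from_format(fmt: str) -> list:
    """Return the %name% placeholders of a user-defined format_string, in order."""
    return re.findall(r"%([a-z_]+)%", fmt)


def unescape(value: str) -> str:
    """Reverse the escaping_characters substitutions for one field value."""
    for raw, escaped in ESCAPES:
        value = value.replace(escaped, raw)
    return value


def strip_syslog_header(message: str) -> str:
    """Assumption of this example: if a syslog header precedes the payload,
    the payload starts after the first 'ASM:' marker; otherwise the line is
    already the bare payload."""
    marker = "ASM:"
    idx = message.find(marker)
    return message[idx + len(marker):] if idx != -1 else message


def parse_security_log_line(line: str, fmt: str = FORMAT_STRING) -> dict:
    """Split one payload into a dict keyed by the format_string field names."""
    names = fields_from_format(fmt)
    payload = strip_syslog_header(line).strip()
    # Because App Protect escapes the separator inside values, a plain split
    # yields exactly one part per field; anything else is a malformed line.
    parts = payload.split(FIELD_SEP)
    if len(parts) != len(names):
        raise ValueError(
            f"expected {len(names)} fields, got {len(parts)}: {payload!r}")
    return {name: unescape(part) for name, part in zip(names, parts)}


def summarize(lines) -> dict:
    """Count parsed events by severity and by client address, skipping
    lines that do not match the configured format."""
    by_severity, by_client, malformed = Counter(), Counter(), 0
    for line in lines:
        try:
            rec = parse_security_log_line(line)
        except ValueError:
            malformed += 1
            continue
        by_severity[rec["severity"]] += 1
        by_client[rec["ip_client"]] += 1
    return {"by_severity": dict(by_severity),
            "by_client": dict(by_client),
            "malformed": malformed}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_security_log_line(line))
    print(summarize(SAMPLE_LINES + ["garbage without enough fields"]))
```

Note that the unescaping step is lossy: a value that genuinely contained the text `%2C` before App Protect escaped it is indistinguishable from an escaped comma, so keep the raw line alongside the parsed fields when that distinction matters.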
Create instances for Security Monitoring with Instance Manager
Follow these steps to use Security Monitoring and Instance Manager together.
- Log in to the NGINX Instance Manager interface.
- Navigate to Modules > Instance Manager.
- Select Edit Config for the desired instance or group.
- Add the following to the configuration file:

  ```nginx
  app_protect_enable on;
  app_protect_policy_file "/etc/nms/NginxDefaultPolicy.tgz";
  app_protect_security_log_enable on;
  app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;
  ```

  Important: Add the `app_protect_policy_file` directive with a reference to a security policy. Use the `.tgz` file extension for precompiled publication or `.json` for non-precompiled configurations. Ensure the policy file exists at the specified location. If using custom policies, update them in NGINX Instance Manager.

- Add the `app_protect_security_log_enable` and `app_protect_security_log` directives to log attack data. Ensure the configuration references the correct `syslog:server` values.
- Select Publish to push updates to instances.
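The two "Important" notes on this page (the `syslog:server` target must match the agent's `nap_monitoring` settings, and the policy file extension must match the publication mode) fail silently when they are wrong: the dashboards simply stay empty. The following Python is an added example, not part of this page or of the NGINX product, that reads the relevant keys out of a copy of `nginx-agent.conf` and the `app_protect_*` directives out of an NGINX configuration and reports mismatches, including the App Protect 5 restriction on `127.0.0.1`. The embedded snippets are constructed from the page's own examples; the line-oriented YAML lookup, the function names and the `nap_major_version` parameter are assumptions of this example (a real deployment would parse the full YAML).

```python
import re
from typing import Dict, List, Optional

# Constructed sample inputs, copied from the page's examples: the relevant part
# of /etc/nginx-agent/nginx-agent.conf and the app_protect_* directives that
# the Instance Manager section publishes to the instance.
AGENT_CONF = """\
nginx_app_protect:
  report_interval: 15s
  precompiled_publication: true
nap_monitoring:
  collector_buffer_size: 50000
  processor_buffer_size: 50000
  syslog_ip: "127.0.0.1"
  syslog_port: 514
"""

NGINX_CONF = """\
app_protect_enable on;
app_protect_policy_file "/etc/nms/NginxDefaultPolicy.tgz";
app_protect_security_log_enable on;
app_protect_security_log "/etc/nms/secops_dashboard.tgz" syslog:server=127.0.0.1:514;
"""


def agent_setting(conf: str, key: str) -> Optional[str]:
    """Look up a scalar key in the agent config. Assumption of this example:
    a line-oriented search is enough because the keys needed here are unique."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", conf, re.M)
    return m.group(1).strip("\"'") if m else None


def nginx_directives(conf: str) -> Dict[str, List[str]]:
    """Collect every app_protect_* directive with its argument string."""
    found: Dict[str, List[str]] = {}
    for m in re.finditer(r"^\s*(app_protect_\w+)\s+([^;]*);", conf, re.M):
        found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found


def check_consistency(agent_conf: str, nginx_conf: str,
                      nap_major_version: int = 4) -> List[str]:
    """Return a list of findings; an empty list means the settings agree."""
    findings: List[str] = []
    directives = nginx_directives(nginx_conf)
    ip = agent_setting(agent_conf, "syslog_ip")
    port = agent_setting(agent_conf, "syslog_port")

    logs = directives.get("app_protect_security_log", [])
    if not logs:
        findings.append("no app_protect_security_log directive: nothing is sent to the dashboards")
    if directives.get("app_protect_security_log_enable", ["off"])[-1] != "on":
        findings.append("app_protect_security_log_enable is not 'on'")

    for args in logs:
        m = re.search(r"syslog:server=([^:\s]+):(\d+)", args)
        if not m:
            findings.append(f"security log has no syslog:server target: {args}")
            continue
        target_ip, target_port = m.group(1), m.group(2)
        if (target_ip, target_port) != (ip, port):
            findings.append(
                f"syslog target {target_ip}:{target_port} does not match "
                f"nap_monitoring syslog_ip/syslog_port {ip}:{port}")
        if nap_major_version >= 5 and target_ip == "127.0.0.1":
            findings.append(
                "NGINX App Protect 5 cannot deliver to 127.0.0.1; use the "
                "docker0 interface address or the data plane host address")

    # .tgz bundles go with precompiled publication, .json policies without it.
    precompiled = agent_setting(agent_conf, "precompiled_publication") == "true"
    for args in directives.get("app_protect_policy_file", []):
        path = args.strip("\"'")
        if precompiled and not path.endswith(".tgz"):
            findings.append(
                f"precompiled_publication is true but policy file {path} is not a .tgz bundle")
        if not precompiled and not path.endswith(".json"):
            findings.append(
                f"precompiled_publication is false but policy file {path} is not a .json policy")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(AGENT_CONF, NGINX_CONF, nap_major_version=5) or ["OK"]:
        print(finding)
```

Run it against the real files before selecting Publish; with the page's example values and App Protect 4 it reports nothing, and passing `nap_major_version=5` surfaces the loopback restriction.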