# Onboard custom security policies

Type of document: How-to guide
Product: NGINX Instance Manager
> Upload and prepare your own security policy bundles for use with F5 NGINX Instance Manager.

---


After verifying that F5 WAF for NGINX is active on your instances, you can onboard your own custom security policies. Use this option when you need to apply application-specific rules or integrate policies created in other environments. You’ll upload your JSON policy files, package them into `.tgz` bundles, and publish them through **F5 NGINX Instance Manager**.

## Before you begin

- Make sure the policy you plan to onboard is valid JSON and follows the F5 WAF for NGINX schema.  
- Confirm that the NGINX Agent has permission to access the directory where you’ll store your bundles.  
- Review the [F5 WAF for NGINX configuration guide](/waf/policies/configuration.md) for examples of policy structure and directive usage.

## Upload and publish a custom policy

#### Web interface

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select **Instance Manager** from the Launchpad menu.
2. In the left menu, select **Security Policies**.
3. Choose **Upload Policy**, then select your `.json` or `.tgz` policy file.
4. If you uploaded a `.json` file, **NGINX Instance Manager** automatically compiles it into a `.tgz` bundle.
5. After upload, select **Publish** to make the policy available to your instances.

#### API

**Note:** Use tools such as `curl` or [Postman](https://www.postman.com) to send requests to the NGINX Instance Manager REST API.
The API base URL is `https://<NIM-FQDN>/api/[nim|platform]/<API_VERSION>`.  
All requests require authentication. For details on authentication methods, see the [API overview](/nim/fundamentals/api-overview.md).

Use the **NGINX Instance Manager** REST API to onboard policies programmatically.

| Method | Endpoint |
|--------|-----------|
| POST | `/api/platform/v1/security/policies` |
| GET | `/api/platform/v1/security/policies` |

Example — upload and publish a policy:

```shell
curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \
 -H "Authorization: Bearer <access token>" \
 --header "Content-Type: multipart/form-data" \
 -F "file=@my-custom-policy.json"
```

The API response includes the policy ID. Use that ID to reference your custom policy in your NGINX configuration:

```nginx
app_protect_policy_file /etc/nms/my-custom-policy.tgz;
```


