# How WAF policy management works


> Learn how to use F5 NGINX Instance Manager to set up and manage F5 WAF for NGINX security policies.


F5 NGINX Instance Manager helps you manage [F5 WAF for NGINX](/waf/) security configurations.

Use NGINX Instance Manager with F5 WAF for NGINX to inspect incoming traffic, detect threats, and block malicious requests. You can define policies in one place and push them to some or all of your F5 WAF for NGINX instances.

## Key features

- Manage WAF policies using the NGINX Instance Manager web interface or REST API
- Update attack signature, bot signature, and threat campaign packages
- Compile WAF configurations into a binary bundle for deployment

**Note:** 
**New in version 2.21.0:** NGINX Instance Manager now supports **bot signatures**.  
This feature adds detection and mitigation for automated bot traffic in your WAF policies.  
Although it works with older agents, we recommend upgrading the **NGINX Agent to v2.43.0** or later for best results.

## Architecture

NGINX Instance Manager lets you define and manage security policies, upload signature packages, and push configurations to your F5 WAF for NGINX instances. It can also compile your security configuration into a bundle before publishing it to the data plane.

The **Security Monitoring** module shows real-time data from F5 WAF for NGINX so you can track traffic, spot anomalies, and fine-tune policies.

![Architecture diagram showing NGINX Instance Manager and Security Monitoring in the control plane pushing security bundles to F5 WAF for NGINX instances in the data plane](nim/app-sec-overview.png)

## Security bundle compilation {#security-bundle}

NGINX Instance Manager includes a compiler that packages your complete WAF configuration, including security policies, attack signatures, bot signatures, threat campaigns, and log profiles, into a single `.tgz` file. It then pushes this bundle to the selected F5 WAF for NGINX instances.

**Why precompile with NGINX Instance Manager?**

- Saves system resources on WAF instances
- Lets you reuse the same bundle across multiple instances

You can also compile policies on the WAF instance instead, with this limitation:

- NGINX Instance Manager won’t publish `.json` policies to the WAF instance. These policies must already exist on the instance and be referenced in the NGINX config.

Example [`location`](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) block to enable WAF and point to the bundle:

```nginx
location / {
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/policies/policy_bundle.tgz;
}
```

## Log profile compilation

You can also configure NGINX Instance Manager to compile log profiles when you install a new version of the compiler. When publishing NGINX configs that include the [`app_protect_security_log`](/waf/logging/security-logs.md#app_protect_security_log) directive, NGINX Instance Manager pushes the compiled log profile to your WAF instances (when precompiled publication is turned on).

**Note:** 
NGINX Instance Manager and Security Monitoring both use log profiles, but their configurations are different. If you're using configuration management in NGINX Instance Manager, you must reference the log profile with the `.tgz` file extension, not `.json`.
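As an added example (not part of the NGINX Instance Manager documentation or product), this Python pre-publish check flags `app_protect_policy_file` and `app_protect_security_log` directives that still point at `.json` files, covering both the precompiled-bundle limitation above and this log profile note. The sample config and its paths are constructed, and the tokenizer is a simplification that handles only comments, quoted arguments, and bare arguments.

```python
import re

# Directives whose first argument names a policy or log profile file.
WAF_FILE_DIRECTIVES = {"app_protect_policy_file", "app_protect_security_log"}
# Minimal NGINX tokenizer (an assumption of this example, not a full parser).
TOKEN = re.compile(r"""
    \#[^\n]*                 # comment, skipped
  | "((?:[^"\\]|\\.)*)"      # double-quoted argument
  | '((?:[^'\\]|\\.)*)'      # single-quoted argument
  | ([^\s;{}"']+)            # bare argument
  | ([;{}])                  # end of statement or block punctuation
""", re.VERBOSE)

# Constructed sample config; every path except policy_bundle.tgz is an assumption.
SAMPLE_CONF = '''\
location / {
    app_protect_enable on;
    app_protect_policy_file /etc/app_protect/policies/policy_bundle.tgz;
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/app_protect/conf/log_default.json" stderr;
}
location /api {
    # app_protect_policy_file /etc/app_protect/policies/old_policy.json;
    app_protect_policy_file "/etc/app_protect/policies/api_policy.json";
}
'''

def find_json_references(conf_text):
    """Return (line, directive, path) for each WAF file directive naming a .json file."""
    findings, statement, start_line = [], [], 0
    for m in TOKEN.finditer(conf_text):
        dq, sq, bare, punct = m.groups()
        if punct:  # ';', '{' or '}' closes the statement collected so far
            if (len(statement) >= 2 and statement[0] in WAF_FILE_DIRECTIVES
                    and statement[1].lower().endswith(".json")):
                findings.append((start_line, statement[0], statement[1]))
            statement = []
            continue
        arg = next((g for g in (dq, sq, bare) if g is not None), None)
        if arg is None:  # the match was a comment
            continue
        if not statement:  # remember the line where the directive starts
            start_line = conf_text.count("\n", 0, m.start()) + 1
        statement.append(arg)
    return findings

if __name__ == "__main__":
    for line, directive, path in find_json_references(SAMPLE_CONF):
        print(f"line {line}: {directive} references {path}; expected a .tgz bundle")
```

Run it against a config before publishing from NGINX Instance Manager; an empty result means every policy and log profile reference uses a file name other than `.json`.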

## Security management APIs

Use the NGINX Instance Manager REST API to automate updates across your F5 WAF for NGINX instances. You can use the API to manage the following:

- Security policies
- Log profiles
- Attack signatures
- Bot signatures
- Threat campaigns

Just like with the web interface, the compiler creates a binary bundle with your updates that you can push to your WAF instances.

![Diagram showing how the NGINX Instance Manager REST API is used to create policies, upload signatures and campaigns, and publish compiled security bundles to F5 WAF for NGINX instances](nim/app-sec-api-overview.png)

For full details, see the API documentation, which you can open from the NGINX Instance Manager web interface:

1. Go to the FQDN of your NGINX Instance Manager host and log in.  
2. From the Launchpad menu, select **API Documentation**.  
3. In the left menu, choose **NIM and Platform API**.

