End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

Advanced Security

Learn how to add an F5 NGINX App Protect WAF policy to your environment by using the Advanced Security policy in NGINX Management Suite API Connectivity Manager.

Overview

In API Connectivity Manager, you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.

Policies added at the proxy level are applied to all routes within that proxy.

For an overview of the different policy types and available policies, refer to the consult the Learn about Policies topic.


About Advanced Security Policy

Use the Advanced Security policy to add a pre-defined F5 NGINX App Protect to your deployment. Doing so will apply the rules specified in the policy to your APIs. This will allow enforcement of rules to Block or Monitor security events triggering those violations set out in the policy.

Intended Audience

This guide is meant for Infrastructure Administrators.

Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.

This guide is intended for API Owners — the individuals or teams who are responsible for designing, creating, and maintaining APIs.


Before You Begin

To complete the steps in this guide, you need the following:


Policy Settings

The applied policy is configurable, and all events created by rule violations will go to the Security Monitoring dashboard in NGINX Management Suite.

To create a new policy or modify an existing policy, you can navigate to the App Protect area of the NGINX Management Suite.

NGINX App Protect policies can also contain a reference to an Open API Specification which will enable payload schema validation on the dataplane instance.

Note:

For information on how to configure an App Protect policy, please visit - Configure NGINX App Protect WAF

To create an NGINX App Protect WAF policy to use in your Advanced Security policy, please see the Create a Policy documentation.


Applying the Policy

NGINX App Protect policies can be applied to both Environments and Proxies, allowing for granular control.

Should you wish to configure a global monitoring policy (non-blocking), but require blocking on only a subset of your API endpoints, you can apply a monitoring policy to your environment and a blocking policy on the proxy you have deployed to that environment.

This means that only the specific Proxy that you have applied the policy to will be enforced in blocking mode and the other endpoints in that environment are unaffected, inherting the monitoring policy from their parent Environment.

Proxies in an Environment can also each have their own different policies applied should that be required.

There are two methods available to enable adding an Advanced Security policy to your Deployment:

Environment

See Also:

You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

To create an Advanced Security policy using the REST API, send an HTTP POST or PUT request to the Environments endpoint.

Method Endpoint
POST /infrastructure/workspaces/{infra-workspace}/environments
PUT /infrastructure/workspaces/{infra-workspace}/environments/{environment-name}
JSON request
{
  "policies": {
     "advanced-security": [
        {
           "action": {
              "policyRef": "<my_policy_name_here>"
           }
        }
     ]
  }
}

To create an Advanced Security policy using the web interface:

In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, from the Launchpad menu, select API Connectivity Manager.

  1. On the left menu, select Infrastructure.
  2. Select a workspace in the list that contains the Environment you want to update.
  3. On the workspace overview page, on the Environments tab, locate the Environment you want to update and select it.
  4. On the Environment Overview page, locate the API Gateway you want to update and select it.
  5. On the API Gateway overview page, find and select the Manage button and select it.
  6. On the Advanced > Global Policies page, locate Advanced Security Policy. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
  7. On the Advanced Security Policy form, complete the necessary fields:
  • Choose a NAP Policy Reference: Specify the name of the policy you want to apply from the dropdown
  1. Select Add/Save to apply the policy to the Environment.
  2. Select Save and Submit to deploy the configuration to the Environment.
Proxy

See Also:

You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

To create an Advanced Security policy using the REST API, send an HTTP POST or PUT request to the Proxies endpoint.

Method Endpoint
POST /services/workspaces/{service-workspace}/proxies
PUT /services/workspaces/{service-workspace}/proxies/{proxy-name}
JSON request
{
  "policies": {
     "api-advanced-security": [
        {
           "action": {
              "policyRef": "<my_policy_name_here>",
              "appProtectMode": "<ENABLE|DISABLE>"
           }
        }
     ]
  }
}

To create an Advanced Security policy using the web interface:

In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, from the Launchpad menu, select API Connectivity Manager.

  1. On the left menu, select Services.

  2. Select a workspace in the list that contains the Proxy you want to update.

  3. On the workspace overview page, on the API Proxies tab, locate the Proxy you want to update and Select the Actions menu (represented by an ellipsis, ...) and select Edit proxy

  4. On the Policies page, locate Advanced Security. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.

  5. On the Advanced Security Policy form, complete the necessary fields:

    • Choose your App Protect mode: This allows the enforcement or non-enforcement on a particular group of API endpoints, you may want to disable App Protect for some endpoints but not others.
    • Choose a NAP Policy Reference: Specify the name of the policy you want to apply from the dropdown.
  6. Select Add/Save to apply the policy to the Proxy.

  7. Select Save and Submit to deploy the configuration to the Proxy.