End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

Advanced Security

Learn how to add an NGINX App Protect WAF policy to your environment by using the Advanced Security policy in NGINX Management Suite API Connectivity Manager.

Overview

In API Connectivity Manager, you can apply policies to an API Gateway to further enhance their configuration to meet your requirements.

Policies added at the proxy level are applied to all routes within that proxy.

For an overview of the different policy types and available policies, refer to the consult the Learn about Policies topic.

About Advanced Security Policy

Use the Advanced Security policy to add a pre-defined NGINX App Protect to your deployment. Doing so will apply the rules specified in the policy to your APIs. This will allow enforcement of rules to Block or Monitor security events triggering those violations set out in the policy.

Intended Audience

This guide is meant for Infrastructure Administrators.

Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.

This guide is intended for API Owners — the individuals or teams who are responsible for designing, creating, and maintaining APIs.

Before You Begin

To complete the steps in this guide, you need the following:

• API Connectivity Manager is installed, licensed, and running.
• You have one or more Environments with an API Gateway.
• You have published one or more API Gateways.
• You have installed and set up NGINX App Protect.
• NGINX Management Suite Security Monitoring is installed and running.

Policy Settings

The applied policy is configurable, and all events created by rule violations will go to the Security Monitoring dashboard in NGINX Management Suite.

To create a new policy or modify an existing policy, you can navigate to the App Protect area of the NGINX Management Suite.

NGINX App Protect policies can also contain a reference to an Open API Specification which will enable payload schema validation on the dataplane instance.

Note:

For information on how to configure an App Protect policy, please visit - Configure NGINX App Protect WAF

To create an NGINX App Protect WAF policy to use in your Advanced Security policy, please see the Create a Policy documentation.

Applying the Policy

NGINX App Protect policies can be applied to both Environments and Proxies, allowing for granular control.

Should you wish to configure a global monitoring policy (non-blocking), but require blocking on only a subset of your API endpoints, you can apply a monitoring policy to your environment and a blocking policy on the proxy you have deployed to that environment.

This means that only the specific Proxy that you have applied the policy to will be enforced in blocking mode and the other endpoints in that environment are unaffected, inherting the monitoring policy from their parent Environment.

Proxies in an Environment can also each have their own different policies applied should that be required.

There are two methods available to enable adding an Advanced Security policy to your Deployment:

{
  "policies": {
     "advanced-security": [
        {
           "action": {
              "policyRef": "<my_policy_name_here>"
           }
        }
     ]
  }
}

{
  "policies": {
     "api-advanced-security": [
        {
           "action": {
              "policyRef": "<my_policy_name_here>",
              "appProtectMode": "<ENABLE|DISABLE>"
           }
        }
     ]
  }
}