About Configuration Management for App Protect WAF
Learn how you can use NGINX Management Suite Instance Manager to configure NGINX App Protect WAF security policies.
This documentation applies to NGINX Management Suite Instance Manager 2.6.0 and later.
NGINX Management Suite Instance Manager (NIM) provides configuration management for NGINX App Protect WAF.
You can use NGINX App Protect WAF with NIM to inspect incoming traffic, identify potential threats, and block malicious traffic. With Configuration Management for App Protect WAF, you can configure WAF security policies in a single location and push your configurations out to one, some, or all of your NGINX App Protect WAF instances.
- Manage NGINX App Protect WAF security configurations by using the NGINX Management Suite user interface or REST API
- Update Attack Signatures and Threat Campaign packages
- Compile security configurations into a binary bundle for consumption by NGINX App Protect WAF instances
- Provide metrics to the NGINX Management Suite Security Monitoring module. The Security Monitoring module lets you monitor the security of your applications and APIs and get protection insights that help when analyzing possible threats and tuning security policies.
As demonstrated in Figure 1, Instance Manager lets you manage security configurations for NGINX App Protect WAF. You can define security policies, upload attack signatures and threat campaign packages, and publish common configurations out to your NGINX App Protect WAF instances. Instance Manager can compile the security configuration into a bundle before pushing the configuration to the NGINX App Protect WAF data plane instances. The NGINX Management Suite Security Monitoring module provides data visualization for NGINX App Protect, so you can monitor, analyze, and refine your policies.
Instance Manager provides a compiler that can be configured to bundle the complete security configuration – including JSON security policies, attack signatures, threat campaigns, and log profiles – into a single binary in .tgz format. This bundle is then pushed out to each selected NGINX App Protect WAF instance.
Performing the security bundle compilation on Instance Manager (precompiled publication) instead of on the NGINX App Protect WAF instances provides the following benefits:
- Eliminates the need to provision system resources on NGINX App Protect WAF instances to perform compilation.
- The bundles produced by Instance Manager can be reused by multiple NGINX App Protect WAF instances, instead of each instance having to perform the compilation separately.
However, if you prefer to maintain policy compilation on the NGINX App Protect WAF instance, that is supported with the following limitation:
- Instance Manager does not publish JSON policies to the NGINX App Protect WAF instance. JSON policies referenced in an NGINX configuration must already exist on the NGINX App Protect WAF instance.
location context below enables NGINX App Protect WAF and tells NGINX where to find the compiled security bundle:
Instance Manager can also be configured to compile log profiles when you install a new version of the WAF compiler. When you publish an NGINX configuration with the NGINX App Protect app_protect_security_log directive, Instance Manager publishes the compiled log profiles to the NGINX App Protect WAF instances when precompiled publication is enabled.
Instance Manager and Security Monitoring both use NGINX App Protect log profiles. The configuration requirements for each are different. When using Instance Manager configuration management, you must reference the log profile in your NGINX configuration using the .tgz file extension instead of
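The following NGINX configuration fragment is an added illustration, not taken from this page or from the NGINX documentation: it shows how the policy and log-profile directives reference the precompiled .tgz bundles that Instance Manager publishes, rather than the JSON sources. The file paths, server name, upstream name, and syslog destination are assumed placeholders.

```nginx
# Added example (not from the page): NGINX App Protect WAF directives that consume
# bundles compiled and published by Instance Manager (precompiled publication).
# All paths and addresses below are assumed placeholders.
server {
    listen 80;
    server_name app.example.com;

    # Turn on WAF inspection for this server block.
    app_protect_enable on;

    location / {
        # Reference the compiled .tgz bundle that Instance Manager pushed to this
        # instance. With precompiled publication, Instance Manager does not publish
        # the source JSON policy, so a .json reference here would not resolve.
        app_protect_policy_file /etc/app_protect/conf/my_policy.tgz;

        # Log profiles follow the same rule: when precompiled publication is enabled,
        # reference the compiled .tgz log profile, not the JSON source.
        app_protect_security_log_enable on;
        app_protect_security_log /etc/app_protect/conf/log_default.tgz syslog:server=127.0.0.1:514;

        proxy_pass http://backend;
    }
}
```

If policy compilation is kept on the NGINX App Protect WAF instance instead, the JSON policy file referenced by app_protect_policy_file must already exist on that instance, since Instance Manager will not publish it.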
By using the Instance Manager REST API, you can automate configuration updates to be pushed out to all of your NGINX App Protect WAF instances. You can use the NIM API to manage and deploy the following security configurations:
- security policies,
- log profiles,
- attack signatures, and
- threat campaigns.
Just as with changes made via the user interface, the NIM compiler bundles all of the config updates into a single binary package that you can push out to your instances. Figure 2 shows an overview of the API endpoints available to support security policy configuration and publishing.
More information is available in the Instance Manager API documentation.
You can view the Instance Manager API Reference documentation in the NGINX Management Suite user interface. To access the API Docs, take the steps below:
- Log in to the NMS user interface.
- From the Launchpad, select the Docs card.
- Select NIM and Platform API from the Docs list in the sidebar. The API Reference documentation will then display.