Lab 3: Explore NGINX One Console features

Introduction

In this lab, you’ll explore and use key NGINX One Console features:

  • Overview dashboard
  • TLS certificate management
  • Configuration recommendations
  • CVE scanning
  • AI Assistant for configuration insights

You’ll see how each feature helps you monitor and secure your NGINX fleet without writing custom scripts.


What you’ll learn

By the end of this tutorial, you can:

  • Navigate the Overview Dashboard panels
  • View and filter certificate status
  • Review and apply configuration recommendations
  • Investigate CVEs and open details
  • Use the AI Assistant to explain directives and variables

Before you begin

Make sure you have:

  • An F5 Distributed Cloud (XC) account with NGINX One enabled, which all labs require. If you don’t have an account or need to verify access, follow the steps in Lab 1: Before you begin.

  • All containers from Lab 2: Run workshop components with Docker, running and registered

  • Set these environment variables:

    • TOKEN: your data plane key, for example:

      export TOKEN="your-data-plane-key"

    • JWT: your NGINX Plus license JWT. Save it as nginx-repo.jwt, then run:

      export JWT=$(cat path/to/nginx-repo.jwt)

    • NAME: a unique ID for your workshop (for example, s.jobs):

      export NAME="s.jobs"

  • Basic NGINX and Linux knowledge

1. Overview Dashboard panels

Open NGINX One Console and select Overview. Here are the key metrics and what they mean:

Figure: Overview dashboard showing panels for instance availability, NGINX versions, operating systems, certificates status, configuration recommendations, CVE severity, CPU and memory utilization, disk space usage, unsuccessful response codes, and network usage.

  • Instance availability

    • Online: NGINX Agent and NGINX are connected and working
    • Offline: NGINX Agent is running, but NGINX isn’t installed, isn’t running, or can’t connect
    • Unavailable: NGINX Agent lost connection or instance was removed
    • Unknown: Current state can’t be determined
  • NGINX versions by instance
    See which NGINX Open Source or NGINX Plus versions your instances are running.

  • Operating systems
    View the Linux distributions in use.

  • Certificates
    Monitor SSL certificates, including which are expiring soon and which are still valid.

  • Configuration recommendations
    Get suggestions to improve security, performance, and best practices.

  • CVEs (Common Vulnerabilities and Exposures)
    Review threats by severity:

    • Major: fix immediately
    • Medium: plan to fix soon
    • Low/Minor: monitor
    • Other: any non-standard categories
  • CPU utilization
    Track which instances use the most CPU over time.

  • Memory utilization
    Monitor which instances consume the most RAM.

  • Disk space utilization
    See which instances are nearing full disk capacity.

  • Unsuccessful response codes
    Spot instances with high counts of HTTP 4xx or 5xx errors.

  • Top network usage
    Review inbound and outbound network traffic trends.


2. Investigate CVEs

Use the CVEs panel to investigate vulnerabilities:

  1. In the CVEs panel, select High to list instances with high-severity issues.
  2. Select your $NAME-plus1 instance to view CVE details, including ID, severity, and description.
  3. Select any CVE ID (for example, CVE-2024-39792) to open its official page with remediation guidance.
  4. Switch to the Security tab to see every CVE NGINX One tracks, with the number of affected instances.
  5. Select View More next to a CVE name for a direct link to the CVE database.

3. Investigate certificates

The Certificates panel shows the total number of certificates and their status across all instances.

Note: NGINX One only scans certificates that are part of a running NGINX configuration.

Statuses include:

  • Expired: The certificate expiration date has passed
  • Expiring: The certificate expires within 30 days
  • Valid: The certificate is not near expiration
  • Not Ready: NGINX One can’t determine the status

Steps:

  1. In the Certificates panel, select Expiring to list certificates that will expire soon.
  2. Select your $NAME-oss1 instance and switch to the Unmanaged tab to see certificate name, status, expiration date, and subject.
  3. Select a certificate name (for example, 30-day.crt) to open its details page.
  4. Scroll to Placements to view all instances that use that certificate.
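
To cross-check the panel from a shell on an instance, the following added example (not part of the lab or of NGINX One) lists the certificates referenced by the running configuration and classifies each with the statuses and 30-day window above. The function names, the mapping of unreadable files to Not Ready, and the assumption of unquoted, variable-free paths are this example's own.

```shell
#!/bin/sh
# Added example: local cross-check of the Certificates panel statuses.
EXPIRING_WINDOW_DAYS=30   # "Expiring" threshold stated in the lab text

# Print certificate paths referenced by an NGINX config dump read from stdin
# (for example the output of `nginx -T`). Comments are stripped, and
# ssl_certificate_key lines are ignored because $1 must match exactly.
# Assumes unquoted paths without variables.
cert_paths_from_config() {
    sed -e 's/#.*//' |
        awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' |
        sort -u
}

# Print Expired, Expiring, Valid or Not Ready for one certificate file.
# Mapping an unreadable or unparseable file to "Not Ready" is an assumption.
cert_status() {
    cert="$1"
    window=$((EXPIRING_WINDOW_DAYS * 86400))
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "Not Ready"
    # -checkend N exits non-zero when the certificate expires within N seconds
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "Expired"
    elif ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "Expiring"
    else
        echo "Valid"
    fi
}

# Read a config dump on stdin and print "<status><TAB><path>" per certificate.
report_certs() {
    cert_paths_from_config | while IFS= read -r path; do
        printf '%s\t%s\n' "$(cert_status "$path")" "$path"
    done
}

# Usage on an instance:  nginx -T 2>/dev/null | report_certs
```

Only certificates named by an ssl_certificate directive in the dumped configuration are reported, which matches the note above about what NGINX One scans.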

4. Configuration recommendations

The Configuration Recommendations panel provides suggestions:

  • Orange = Security
  • Green = Optimization
  • Blue = Best practices

Steps:

  1. In NGINX One Console, go to Overview > Dashboard.
  2. In the Configuration Recommendations panel, select Security to view security-related suggestions.
  3. Select an instance hostname.
  4. Switch to the Configuration tab.
  5. Select a config file (for example, cafe.example.com.conf) to see recommendations by line number.
  6. Select Edit Configuration (pencil icon) to enter edit mode.
  7. Update the configuration to address each recommendation.
  8. Select Next to preview your changes, then select Save and Publish to apply them.

Figure: Configuration recommendation panel showing a Best Practice warning: 'log should not be set to off on line 34', with a pencil icon to edit.

5. AI Assistant

Highlight any configuration text, such as a directive, variable, or phrase, in a configuration preview and select Explain with AI.

The AI Assistant shows:

  • A concise definition of the selected element
  • Best-practice tips
  • Guidance on common use cases

Try it on:

  • stub_status
  • proxy_buffering off
  • $upstream_response_time

Figure: AI Assistant panel showing a highlighted $upstream_response_time snippet alongside the assistant's response with Purpose and Guidance headings.

Pro tip: You can learn about NGINX directives and variables without leaving the Console.

Next steps

You’re ready to apply configuration changes across your fleet using sync groups.

Go to Lab 4: Config Sync Groups.

