You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat: Update NIM Security Monitoring front matter and reference links (#298)
This commit updates the Security Monitoring subsection of the NAP WAF
documentation within NGINX Instance Manager to have contemporary
frontmatter formatting, including a fixed url parameter for the index.
The previous URL parameter was causing some odd behaviour, with
duplicate deployments of folders.
F5 NGINX Security Monitoring supports two main use cases:
13
13
14
-
-**Security Monitoring only**: Monitor data from NGINX App Protect WAF instances. You can view security dashboards to identify threats and adjust policies. WAF configurations are managed outside NGINX Instance Manager.
15
-
-**Security Monitoring and Instance Manager**: Monitor security data and manage WAF configurations and policies in one place. Push pre-compiled updates to individual instances or groups.
14
+
-**Security Monitoring only**: Use only the Security Monitoring module to monitor data from NGINX App Protect WAF instances. You will be able to review the security dashboards to assess potential threats and identify opportunities to fine-tune your policies. Your NGINX App Protect WAF configurations are managed outside of the NGINX Instance Manager context.
15
+
-**Security Monitoring and Instance Manager**: Use the Security Monitoring module with the NGINX Instance Manager. In addition to monitoring your application security, you will be able to manage your NGINX App Protect WAF configurations and security policies in a single location and push pre-compiled updates to an instance or instance group.
16
16
17
17
---
18
18
19
19
## Before you begin
20
20
21
-
Complete these steps before starting:
21
+
Complete the following prerequisites before proceeding with the steps in this guide.
22
22
23
-
1. If you’re new to NGINX App Protect WAF, follow these guides:
23
+
1. If you are new to NGINX App Protect WAF, follow the instructions in the installation and configuration guides to get up and running:
24
24
25
-
-[Install NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect/admin-guide/install/) on each data plane instance. Ensure connectivity to the NGINX Instance Manager host.
26
-
-[Configure NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect/configuration-guide/configuration/#policy-configuration-overview) as needed for each instance.
25
+
-[Install NGINX App Protect WAF]({{< ref "/nap-waf/v4/admin-guide/install.md" >}}) on one or more data plane instances. Each data plane instance must have connectivity to the NGINX Instance Manager host.
26
+
-[Configure NGINX App Protect WAF]({{< ref "/nap-waf/v4//configuration-guide/configuration.md#policy-configuration-overview" >}}) according to your needs on each of the data plane instance.
27
27
28
-
2. Review NGINX App Protect WAF dependencies:
28
+
1. Review the dependencies with NGINX App Protect WAF and NGINX Plus.
29
29
30
30
{{< include "nim/tech-specs/security-data-plane-dependencies.md" >}}
31
31
32
-
3. Determine your use case: **Security Monitoring only** or **Security Monitoring and Configuration Management**.
32
+
1. Determine your use case: **Security Monitoring only** or **Security Monitoring and Configuration Management**.
33
+
1.[Upload your license]({{< relref "/nim/admin-guide/license/add-license.md" >}}).
33
34
34
35
---
35
36
36
37
## Install NGINX Agent
37
38
38
-
NGINX Agent collects metrics, manages configurations, and sends events. Install and configure it on each WAF data plane host.
39
+
NGINX Agent is a companion daemon for NGINX Open Source or NGINX Plus instance that provides:
39
40
40
-
1. Connect to the host via SSH.
41
-
2. Install the NGINX Agent package from the NGINX Instance Manager host:
41
+
- Remote management of NGINX configurations
42
+
- Collection and reporting of real-time NGINX performance and operating system metrics
43
+
- Notifications of NGINX events
44
+
45
+
Repeat the steps in this section on each NGINX App Protect WAF data plane host to install and configure NGINX Agent for use with Security Monitoring. **These settings apply to both of the Security Monitoring use cases.**
46
+
47
+
1. Use SSH to connect to the data plane host.
48
+
1. Install the NGINX Agent package from the NGINX Instance Manager host.
42
49
43
50
{{< include "agent/installation/install-agent-api.md" >}}
44
51
45
-
3. Edit `/etc/nginx-agent/nginx-agent.conf` to enable `nap_monitoring`. Add this configuration:
52
+
1. Edit the `/etc/nginx-agent/nginx-agent.conf`file to add the `nap_monitoring`configuration.
46
53
47
-
```yaml
54
+
```yaml
48
55
dataplane:
49
56
status:
57
+
# poll interval for data plane status - the frequency the NGINX Agent will query the data plane for changes
50
58
poll_interval: 30s
59
+
# report interval for data plane status - the maximum duration to wait before syncing data plane information if no updates have been observed
51
60
report_interval: 24h
52
61
events:
62
+
# report data plane events back to the management plane
53
63
enable: true
54
64
metrics:
65
+
# specify the size of a buffer to build before sending metrics
After adding the directive, restart NGINX to apply the changes:
86
112
87
-
```bash
113
+
```shell
88
114
sudo systemctl restart nginx
89
115
```
90
116
91
-
5. **Important:** The `syslog:server=<syslog_ip>:<syslog_port>` must match the `syslog_ip` and `syslog_port` values in the NGINX Agent configuration file. The dashboards won’t display data if these settings don’t match.
92
-
93
-
- For NGINX App Protect Version 5, networking changes prevent using `127.0.0.1` as a syslog server address. Instead, use the `docker0` interface address (typically `192.0.10.1`) or the IP address of the data plane host.
117
+
{{<important>}}You can change the values of `syslog_ip` and `syslog_port` to meet your needs.
118
+
You must use the same values when configuring logging for the Security Monitoring module. If the `syslog:<server><port>` configuration does not match these settings, the monitoring dashboards will not display any data. Also, the networking changes for NGINX App Protect Version 5 preclude the use of `127.0.0.1` as a syslog server address. For Version 5, the address of the `docker0` interface (typically `192.0.10.1`) or the IP address of the data plane host can be used for the syslog server address.{{</important>}}
94
119
95
-
6. Use the NGINX Agent installation script to add `nginx_app_protect` and `nap_monitoring` fields to the configuration. Follow these steps:
120
+
{{<note>}}You can use the NGINX Agent installation script to add the fields for `nginx_app_protect` and `nap_monitoring`:
# Use the --nap-monitoring flag to set the child fields for nap_monitoring.
102
-
# The values will match the example configuration above.
103
-
# Use -m | --nginx-app-protect-mode to set up NGINX App Protect management.
104
-
# Example: Specify 'precompiled-publication' for precompiled policy publication,
105
-
# which sets 'precompiled_publication' to 'true'. To set it to 'false', use 'none'.
126
+
# Use the flag --nap-monitoring to set the child fields for the field 'nap_monitoring', the
127
+
# child field values will be set to the values in the example configuration from above. Specify
128
+
# the -m | --nginx-app-protect-mode flag to set up management of NGINX App Protect on the instance.
129
+
# In the example below we specify 'precompiled-publication' for the flag value which will make the
130
+
# config field 'precompiled_publication' set to 'true', if you would like to set the config field
131
+
# 'precompiled_publication' to 'false' you can specify 'none' as the flag value.
132
+
sudo sh ./install.sh --nap-monitoring true --nginx-app-protect-mode precompiled-publication
133
+
```
106
134
107
-
sudo sh ./install.sh --nap-monitoring true --nginx-app-protect-mode precompiled-publication
108
-
```
135
+
Restart NGINX Agent:
109
136
110
-
{{<note>}}The `--nap-monitoring` flag adds fields under `nap_monitoring`. The `--nginx-app-protect-mode` flag sets up management of NGINX App Protect with the following options:
111
-
- Use `precompiled-publication` to enable precompiled policy publication (`precompiled_publication: true`).
112
-
- Use `none` if you don’t want to enable precompiled publication (`precompiled_publication: false`).{{</note>}}
137
+
```shell
138
+
sudo systemctl restart nginx-agent
139
+
```
113
140
114
-
7. Restart the NGINX Agent:
141
+
{{</ note >}}
115
142
116
-
```bash
117
-
sudo systemctl restart nginx-agent
118
-
```
119
143
120
144
---
121
145
122
146
## Create instances for Security Monitoring only
123
147
124
-
Use these steps if you’re only monitoring security data without managing configurations in NGINX Instance Manager.
148
+
Complete the steps in this section if you are only using the Security Monitoring module to monitor your application security. In this use case, you are **not using Instance Manager** to manage your WAF security policies.
125
149
126
-
1. Connect to the data plane host via SSH.
127
-
2. Create a log format file at `/etc/app_protect/conf/log_sm.json`:
150
+
Repeat the steps below on each NGINX App Protect WAF data plane instance.
128
151
129
-
```json
152
+
1. Use SSH to connect to the data plane host.
153
+
154
+
1. Create a new log format definition file with the name `/etc/app_protect/conf/log_sm.json` and the contents shown below.
155
+
This defines the log format for the Security Monitoring module.
156
+
157
+
This configuration sets the maximum accepted request payload to 2048 bytes and the maximum message size to 5k. The latter setting truncates messages larger than 5k.
158
+
2. Add character escaping for the used separator `,` to be escaped with its standard URL encoding `%2C`.
1. Find the context in your NGINX configuration where NGINX App Protect WAF logging is enabled.
182
+
In the same context, add the `app_protect_security_log` directive shown in the example below to configure attack data logging for use with the Security Monitoring dashboards.
{{<important>}}The `syslog:server=<syslog_ip>:<syslog_port>` must match the `syslog_ip` and `syslog_port` values specified in the [NGINX Agent configuration file](#agent-config). The dashboards won't display any data if these settings don't match. Also, the networking changes for NGINX App Protect Version 5 preclude the use of `127.0.0.1` as a syslog server address. For Version 5, the address of the `docker0` interface (typically `192.0.10.1`) or the IP address of the data plane host can be used for the syslog server address.{{</important>}}
190
+
191
+
1. Restart NGINX Agent and the NGINX web server.
157
192
158
193
```bash
159
194
sudo systemctl restart nginx-agent
160
195
sudo systemctl restart nginx
161
196
```
162
197
198
+
You should now be able to view data from your NGINX App Protect instances in the NGINX Security Monitoring dashboards.
199
+
163
200
---
164
201
165
202
## Create instances for Security Monitoring with Instance Manager
166
203
167
-
Follow these steps to use Security Monitoring and Instance Manager together.
204
+
Complete the steps in this section if you want to use the Security Monitoring module **and** Instance Manager. In this use case, you will use NGINX Instance Manager to monitor threats and to manage your NGINX App Protect WAF configurations and security policies.
205
+
206
+
Take the steps below to update your NGINX App Protect WAF configurations by using Instance Manager.
168
207
169
-
1. Log in to the NGINX Instance Manager interface.
170
-
2. Navigate to **Modules** > **Instance Manager**.
171
-
3. Select **Edit Config** for the desired instance or group.
172
-
4. Add the following to the configuration file:
208
+
1. Log in to the NGINX Instance Manager user interface and go to **Modules** > **Instance Manager**.
209
+
1. Select **Instances** or **Instance Groups**, as appropriate.
210
+
1. Select **Edit Config** from the **Actions** menu for the desired instance or instance group.
211
+
1. Next, edit the desired configuration file. You will add directives that reference the security policies bundle and enable the NGINX App Protect WAF logs required by the Security Monitoring dashboards. An example configuration is provided below.
5. **Important:** Add the `app_protect_policy_file` directive with a reference to a security policy. Use the `.tgz` file extension for precompiled publication or `.json` for non-precompiled configurations. Ensure the policy file exists at the specified location. If using custom policies, update them in NGINX Instance Manager.
221
+
- Add the `app_protect_policy_file` directive with a reference to a security policy.
222
+
223
+
The policy reference must use the `.tgz` file extension when using Instance Manager to perform precompiled publication of NGINX App Protect WAF policies and log profiles. The file path referenced must exist on the NGINX Instance Manager host, but it's ok if the policy file doesn't exist yet. If your Instance is not configured for precompiled publication, then use the `.json` file extension for polcies and log profiles. In this case, the file path referenced in the NGINX configuration must reside on the Instance.
224
+
225
+
If you are using custom security policies, at this stage, it's fine to use the default security policy shown in the example above. After completing the steps in this guide, refer to the instructions in [Set Up App Protect WAF Configuration Management]({{< relref "/nim/nginx-app-protect/setup-waf-config-management#add-waf-config" >}}) to add your custom security policy files to NGINX Instance Manager and update your NGINX configuration.
226
+
227
+
- Add the `app_protect_security_log_enable on` and the `app_protect_security_log` directive to any NGINX context where NGINX App Protect WAF is enabled and you want to be able to review attack data.
228
+
229
+
The logging configuration must reference `"/etc/nms/secops_dashboard.tgz"`, as shown in the example.
230
+
231
+
If the `app_protect_security_log_enable` setting is already present, just add the `app_protect_security_log` beneath it in the same context.
232
+
233
+
{{<important>}}The `syslog:server=<syslog_ip>:<syslog_port>` must match the `syslog_ip` and `syslog_port` values specified in the [NGINX Agent configuration file](#agent-config). The Security Monitoring dashboards won't display any data if these settings don't match. Also, the networking changes for NGINX App Protect Version 5 preclude the use of `127.0.0.1` as a syslog server address. For Version 5, the address of the `docker0` interface (typically `192.0.10.1`) or the IP address of the data plane host can be used for the syslog server address.{{</important>}}
182
234
183
-
6. Add the `app_protect_security_log_enable` and `app_protect_security_log` directives to log attack data. Ensure the configuration references the correct `syslog:server` values.
235
+
1. Select **Publish** to immediately push the configuration file updates out to your NGINX instance or instance group.
184
236
185
-
7. Select **Publish** to push updates to instances.
237
+
You should now be able to view data from your NGINX App Protect WAF instances in the Security Monitoring dashboard.
186
238
187
239
---
188
240
189
241
## See also
190
242
191
-
- [Add user access to Security Monitoring dashboards]({{< relref "/nim/nginx-app-protect/security-monitoring/give-access-to-security-monitoring-dashboards.md" >}})
192
-
- [Manage your app protect WAF configs]({{< relref "/nim/nginx-app-protect/setup-waf-config-management" >}})
243
+
- [Add user access to Security Monitoring dashboards]({{< ref "/nim/nginx-app-protect/security-monitoring/give-access-to-security-monitoring-dashboards.md" >}})
244
+
- [Manage your app protect WAF configs]({{< relref "/nim/nginx-app-protect/setup-waf-config-management.md" >}})
0 commit comments