Skip to content

N1C WAF Security Dashboard Release #1834

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sylwang wants to merge 13 commits into
base: main
Choose a base branch
from
Open

N1C WAF Security Dashboard Release #1834

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
e6f9369
N1C WAF Security Dashboard Release
sylwang Apr 3, 2026
3806295
add changelog
sylwang Apr 3, 2026
2da665f
update reference links
sylwang Apr 3, 2026
10ad819
Apply suggestions from code review
sylwang Apr 7, 2026
8d182e5
consolidate security dashboard section
sylwang Apr 7, 2026
a5851ee
rewrite to follow templates and expand coverage
vrmare Apr 8, 2026
dd939d8
fix call-out note
vrmare Apr 8, 2026
7c557d1
renamed for clarity
vrmare Apr 8, 2026
23766af
Apply review feedback from the WAF security monitoring docs walkthrough
vrmare Apr 8, 2026
e51026a
addressed more reeview comments
vrmare Apr 9, 2026
af39012
addressed more reeview comments
vrmare Apr 9, 2026
f77bf17
moved waf api to automation docs
vrmare Apr 9, 2026
363e107
final one.json
vrmare Apr 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions content/nginx-one-console/changelog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,12 @@ nd-docs: DOCS-1394

Stay up-to-date with what's new and improved in the F5 NGINX One Console.

## April 7, 2026

### Observability: F5 WAF for NGINX security dashboard

A new Security Monitoring module provides real-time visibility into F5 WAF for NGINX security events. Monitor attack counts, violation types, and triggered signatures across your WAF instances with customizable dashboards and global filters.

## March 18, 2026

### F5 WAF for NGINX: Log profile management
Expand Down
18 changes: 18 additions & 0 deletions content/nginx-one-console/waf-security-dashboard/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
title: F5 WAF for NGINX security monitoring
description: Monitor security events and review WAF dashboards to assess threats
weight: 425
url: /nginx-one-console/waf-security-dashboard
---

Use the Security Monitoring module in NGINX One Console to monitor data from F5 WAF for NGINX instances. Review the security dashboards to assess potential threats and identify opportunities to fine-tune your policies.

## Dashboard metrics overview

The security dashboard displays key metrics to help you understand attack patterns and threats. Here's an overview of the main metrics:

- **Attack Counts** - Track the number of attacks with percentage change comparisons against previous periods
- **Violation Types** - View violations grouped by category (e.g., Protocol Compliance) to understand threat patterns
- **Signatures** - See specific signatures triggered within each violation type across multiple events
- **Event Details** - Access Support IDs, raw request data, triggered signatures, and contextual metadata (Original IP, X-Forwarded-For, Violation Context)
- **Global Filters** - Apply filters by time period, policy, and attack type to instantly update all dashboard widgets
48 changes: 48 additions & 0 deletions content/nginx-one-console/waf-security-dashboard/default-log-profile.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
---
title: Default log profile
description: Learn about the security dashboard default log profile and how to deploy it
weight: 200
nd-content-type: concept
nd-product: NONECO
---

The default log profile is a pre-configured F5 WAF for NGINX log profile designed specifically for security event monitoring in NGINX One Console. It captures security violation data in a standardized format optimized for analysis and troubleshooting.

## About the default log profile

The default log profile is similar to [other log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/_index.md" >}}) in structure and function, but has these key characteristics:

- **Immutable** — The default log profile cannot be edited or deleted. This ensures the security monitoring data format remains consistent across your deployment.
- **Pre-compiled** — NGINX One Console automatically compiles the default log profile for all available WAF compiler versions. This eliminates the need for on-demand compilation during deployment.
- **Standardized format** — It captures all necessary security telemetry fields for the security dashboard, including support IDs, violation details, signature information, and client context.

## When to use the default log profile

Use the default log profile when you want to:
- Send security violation data to NGINX One Console for centralized monitoring
- Analyze attack patterns and trends across your NGINX fleet
- Review violation details and raw request data for specific security events
- Generate baseline security metrics and trending reports

For specialized logging requirements beyond security monitoring, you can create and deploy custom log profiles alongside the default profile.

## Deploy the default log profile

To deploy the default log profile to your NGINX instances or Config Sync Groups, follow the same process described in [Deploy log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md" >}}).

The default log profile can be deployed using either of these methods:

1. **Direct deployment** — Go to **WAF** > **Log Profiles**, select the default log profile, and use **Actions** > **Deploy** to send it to your target instances or Config Sync Groups.

2. **During configuration editing** — When editing an instance or Config Sync Group configuration, you can select the default log profile from **Add File** > **Existing Log Profile** and specify the deployment path.

Since the default log profile is pre-compiled for all WAF compiler versions, deployment completes immediately without requiring additional compilation.

For detailed deployment instructions, see [Deploy log profiles]({{< ref "/nginx-one-console/waf-integration/log-profiles/deploy-log-profiles.md" >}}).

## Next steps

After deploying the default log profile:
- Monitor security events in the [F5 WAF for NGINX security monitoring dashboard]({{< ref "/nginx-one-console/waf-security-dashboard/" >}})
- Review security event details and identify attack patterns
- Fine-tune your F5 WAF for NGINX policies based on observed violations
293 changes: 293 additions & 0 deletions content/nginx-one-console/waf-security-dashboard/set-up-security-monitoring.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,293 @@
---
title: Set up security monitoring
description: Configure NGINX Plus with F5 WAF for NGINX to forward security events to NGINX One Console
weight: 100
nd-content-type: how-to
nd-product: NONECO
---

This guide walks you through configuring your NGINX Plus data plane to send security telemetry to NGINX One Console. You'll install F5 WAF for NGINX, configure the security dashboard log profile, and set up NGINX Agent to forward security events.

## Prerequisites

- NGINX Plus installed and running on your data plane
- Root or sudo access on the data plane system
- NGINX One Console access with permissions to add instances

## Verify NGINX Plus is running

Before you begin, confirm that NGINX Plus is installed and running on your system.

1. Run the following command to check the NGINX Plus service status:

```bash
sudo systemctl status nginx
```

Your output should show that the service is active and running:

```
● nginx.service - NGINX Plus - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Wed 2026-03-11 17:26:52 UTC; 1 week 1 day ago
Docs: https://www.nginx.com/resources/
Main PID: 3682 (nginx)
Tasks: 3 (limit: 4586)
Memory: 4.3M (peak: 4.9M)
CPU: 807ms
```
If NGINX Plus is not installed, see the [NGINX Plus installation guide]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md" >}}).


## Install F5 WAF for NGINX

Install F5 WAF for NGINX on your data plane following the [installation instructions for your operating system]({{< ref "/waf/install/virtual-environment.md" >}}).

After installation, continue with the next section to configure the security dashboard log profile.

## Configure the security dashboard log profile

The security dashboard uses the default log profile to capture security violations. This is a pre-configured, immutable log profile that is automatically compiled for all available WAF compiler versions. For more information about the default log profile, see [Default log profile]({{< ref "/nginx-one-console/waf-security-dashboard/default-log-profile.md" >}}).

To configure the security dashboard, create the `/etc/app_protect/conf/secops_dashboard.json` file with the following content:

1. Create the file:

```bash
sudo touch /etc/app_protect/conf/secops_dashboard.json
```

2. Add the log profile configuration:

```bash
sudo tee /etc/app_protect/conf/secops_dashboard.json > /dev/null << 'EOF'
{
"filter": {
"request_type": "illegal"
},
"content": {
"format": "user-defined",
"format_string": "%support_id%|%ip_client%|%src_port%|%dest_ip%|%dest_port%|%vs_name%|%policy_name%|%method%|%uri%|%protocol%|%request_status%|%response_code%|%outcome%|%outcome_reason%|%violation_rating%|%blocking_exception_reason%|%is_truncated_bool%|%sig_ids%|%sig_names%|%sig_cves%|%sig_set_names%|%threat_campaign_names%|%sub_violations%|%x_forwarded_for_header_value%|%violations%|%violation_details%|%request%|%geo_location%",
"max_request_size": "2048",
"max_message_size": "64k",
"escaping_characters": [
{
"from": "|",
"to": "%7C"
}
]
}
}
EOF
```

## Enable F5 WAF for NGINX in your configuration

Update your NGINX configuration to enable F5 WAF for NGINX and specify the security dashboard log profile.

### Update the main NGINX configuration

Edit `/etc/nginx/nginx.conf` and add the `load_module` directive at the top:

```nginx
user nginx;
worker_processes auto;
load_module modules/ngx_http_app_protect_module.so;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
keepalive_timeout 65;

include /etc/nginx/conf.d/*.conf;
}
```

### Configure a server block with F5 WAF for NGINX

Edit `/etc/nginx/conf.d/default.conf` to add the F5 WAF for NGINX directives:

```nginx
server {
listen 80 default_server;
server_name localhost;
app_protect_enable on;
app_protect_policy_file "/etc/app_protect/conf/NginxStrictPolicy.json";
app_protect_security_log "/etc/app_protect/conf/secops_dashboard.json" syslog:server=127.0.0.1:1514;
app_protect_security_log_enable on;

location / {
root /usr/share/nginx/html;
index index.html index.htm;
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
```

Make sure you specify port `1514` for the syslog server. NGINX Agent listens on this port to receive security events.

## Verify your NGINX configuration

Test your NGINX configuration for syntax errors:

```bash
sudo nginx -t
```

You should see output like this:

```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Restart NGINX Plus to apply the changes:

```bash
sudo systemctl restart nginx
```

Verify NGINX Plus is running after the restart:

```bash
sudo systemctl status nginx
```

## Install NGINX Agent

NGINX Agent forwards security telemetry from F5 WAF for NGINX to NGINX One Console.

1. In NGINX One Console, go to **Instances** and select **Add Instance**.

2. Select **Generate new key**. This generates your data plane key and displays a `curl` command for agent installation.

3. Copy the `curl` command and run it in your terminal:

```bash
curl <command-shown-in-console>
```

Wait a few minutes for the system to appear in NGINX One Console.

4. Verify the agent is running:

```bash
sudo systemctl status nginx-agent
```

You should see output like this:

```
● nginx-agent.service - NGINX Agent
Loaded: loaded (/etc/systemd/system/nginx-agent.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-03-19 23:53:00 UTC; 23s ago
Docs: https://github.com/nginx/agent#readme
Main PID: 24716 (nginx-agent)
Tasks: 8 (limit: 4586)
Memory: 26.0M (peak: 27.2M)
CPU: 414ms
```

## Configure NGINX Agent to forward security events

Enable NGINX Agent to collect and forward security telemetry from F5 WAF for NGINX.

1. Edit `/etc/nginx-agent/nginx-agent.conf` and add the following telemetry pipeline configuration at the end of the file:

```yaml
collector:
exporters:
debug: {}
processors:
batch:
"logs":
send_batch_size: 1000
timeout: 30s
send_batch_max_size: 1000
pipelines:
logs:
"default-security-events":
receivers: ["tcplog/nginx_app_protect"]
processors: ["batch/logs"]
exporters: ["debug","otlp/default"]
```

This configuration batches security events with a 30-second timeout and a maximum batch size of 1000 events. Events are forwarded to NGINX One Console through the `otlp/default` exporter.

2. Restart NGINX Agent to apply the changes:

```bash
sudo systemctl restart nginx-agent
```

3. Verify NGINX Agent is running:

```bash
sudo systemctl status nginx-agent
```

## Verify the security event pipeline

Check that NGINX Agent successfully started the syslog receiver:

```bash
sudo tail /var/log/nginx-agent/agent.log | grep "syslogserver"
```

You should see a log entry like this:

```
time=2026-03-20T00:05:10.212Z level=INFO msg="Found available local NGINX App Protect syslogserver configured on port 1514"
```

To debug security events being sent to NGINX One Console, tail the agent logs:

```bash
sudo tail /var/log/nginx-agent/opentelemetry-collector-agent.log -f
```

## Test security event detection

Generate test security violations to verify the pipeline is working.

1. Trigger some violations with these example requests:

```bash
curl -X SEARCH -k -v 'http://127.0.0.1/helloworld'

curl -k -v 'http://127.0.0.1/a=<script>getAllMoneyV2()</script>'
```

You should receive a response indicating the request was rejected:

```html
<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator...
```

2. Verify that security events are being sent to NGINX One Console:

```bash
sudo tail /var/log/nginx-agent/opentelemetry-collector-agent.log -n 200
```

Look for log entries showing the violations being forwarded.

Your security monitoring setup is now complete. Security events from F5 WAF for NGINX are now being forwarded to NGINX One Console, where you can monitor and analyze them in the security dashboard.
Loading