29 changes: 27 additions & 2 deletions content/nic/configuration/policy-resource.md
Original file line number Diff line number Diff line change
Expand Up @@ -1293,7 +1293,8 @@ waf:
| ---| ---| ---| --- |
|``enable`` | Enables F5 WAF for NGINX. | ``bool`` | Yes |
|``apPolicy`` | The [F5 WAF for NGINX policy]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-policies" >}}) of the WAF. Accepts an optional namespace. Mutually exclusive with ``apBundle``. | ``string`` | No |
|``apBundle`` | The [F5 WAF for NGINX policy bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}). Mutually exclusive with ``apPolicy``. | ``string`` | No |
|``apBundle`` | The [F5 WAF for NGINX policy bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}). Mutually exclusive with ``apPolicy`` and ``apBundleSource``. | ``string`` | No |
|``apBundleSource`` | [Remote source]({{< ref "/nic/tutorials/bundle-sources.md" >}}) for fetching the WAF policy bundle. Mutually exclusive with ``apBundle`` and ``apPolicy``. | [waf.bundleSource](#wafbundlesource) | No |
|``securityLog.enable`` | **Deprecated:** Enables security log. | ``bool`` | No |
|``securityLog.apLogConf`` | **Deprecated:** The [F5 WAF for NGINX log conf]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No |
|``securityLog.apLogBundle`` | **Deprecated:** The [F5 WAF for NGINX log bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No |
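Review bot: the `apPolicy` row is now inconsistent with the two rows below it. `apBundle` and the new `apBundleSource` each list every field they are mutually exclusive with, but `apPolicy` still reads only "Mutually exclusive with ``apBundle``." Update it to "Mutually exclusive with ``apBundle`` and ``apBundleSource``." so a reader who only checks the `apPolicy` row learns that a remote bundle source cannot be combined with it.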
Expand All @@ -1310,11 +1311,35 @@ waf:
| ---| ---| ---| --- |
|``enable`` | Enables security log. | ``bool`` | No |
|``apLogConf`` | The [App Protect WAF log conf]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No |
|``apLogBundle`` | The [App Protect WAF log bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No |
|``apLogBundle`` | The [App Protect WAF log bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. Mutually exclusive with ``apLogBundleSource``. | ``string`` | No |
|``apLogBundleSource`` | [Remote source]({{< ref "/nic/tutorials/bundle-sources.md" >}}) for fetching the log profile bundle. Mutually exclusive with ``apLogBundle``. | [waf.bundleSource](#wafbundlesource) | No |
|``logDest`` | The log destination for the security log. Only accepted variables are ``syslog:server=<ip-address>; localhost; <fqdn>:<port>``, ``stderr``, ``<absolute path to file>``. | ``string`` | No |

{{% /table %}}

#### WAF.BundleSource

The `bundleSource` object configures how NGINX Ingress Controller fetches a pre-compiled WAF bundle from a remote source. It is used by both `apBundleSource` and `apLogBundleSource`. For details and examples, see [Connect F5 WAF for NGINX to bundle sources]({{< ref "/nic/tutorials/bundle-sources.md" >}}).

{{% table %}}

|Field | Description | Type | Required |
| ---| ---| ---| --- |
|``type`` | The source type: ``HTTPS``, ``NIM`` (NGINX Instance Manager), or ``N1C`` (NGINX One Console). Defaults to ``HTTPS`` if not set. Recommended to set explicitly. | ``string`` | No |
|``url`` | The full bundle URL for HTTPS, or the API base URL for NIM/N1C. Must use ``https://``. | ``string`` | Yes |
|``enablePolling`` | Enables background polling for bundle updates. Must be explicitly set to ``true`` or ``false``. When ``false``, the bundle is fetched once on policy creation or update. | ``bool`` | Yes |
|``pollInterval`` | The interval between poll cycles. Minimum ``1m``, default ``5m``. Ignored when ``enablePolling`` is ``false``. | ``duration`` | No |
|``policyName`` | The policy name on the management plane. Required for NIM and N1C; forbidden for HTTPS. | ``string`` | No |
|``policyNamespace`` | The namespace or tenant on the management plane. Required for N1C only. | ``string`` | No |
|``secret`` | The name of a Secret in the same namespace as the Policy. For HTTPS: ``kubernetes.io/tls`` (``tls.crt`` + ``tls.key`` for client mTLS; optional ``ca.crt`` for server CA). For NIM: ``nginx.com/waf-bundle`` with ``token`` (bearer) or ``username`` + ``password`` (basic auth). For N1C: ``nginx.com/waf-bundle`` with ``token``. | ``string`` | No |
|``trustedCertSecret`` | The name of a Secret of type ``nginx.org/ca`` containing a custom CA certificate (``ca.crt`` key) for verifying the remote endpoint TLS certificate. Must be in the same namespace as the Policy. | ``string`` | No |
|``insecureSkipVerify`` | Disables TLS certificate verification. Not recommended for production. | ``bool`` | No |
|``verifyChecksum`` | Fetches a companion ``.sha256`` file and verifies the bundle's SHA-256 digest. HTTPS sources only. | ``bool`` | No |
|``timeout`` | Per-request HTTP timeout. Default ``60s``. | ``duration`` | No |
|``retryAttempts`` | Number of retry attempts on transient failure. Range ``1``–``10``. | ``int`` | No |

{{% /table %}}

#### WAF Merging Behavior

A VirtualServer/VirtualServerRoute can reference multiple WAF policies. However, only one can be applied. Every subsequent reference will be ignored. For example, here we reference two policies:
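Review bot: the WAF.BundleSource table gives two ways to supply a CA for an HTTPS source (the optional ``ca.crt`` key in the ``kubernetes.io/tls`` Secret named by `secret`, and the ``nginx.org/ca`` Secret named by `trustedCertSecret`) without saying which one wins when both are set, or whether ``insecureSkipVerify: true`` bypasses both; one sentence in the `trustedCertSecret` row would settle this for the reader. Two smaller gaps in the same table: `retryAttempts` states a range but no default, unlike `timeout` (``60s``) and `pollInterval` (``5m``), and `policyNamespace` says "Required for N1C only" but not whether it is forbidden for the other types the way `policyName` is for HTTPS.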
Expand Up @@ -15,6 +15,8 @@ F5 WAF for NGINX uses policies to configure which security features are set. Whe

By using NGINX Instance Manager to compile WAF policies, the policy bundle can also be used immediately by NGINX Ingress Controller without reloading.

{{< call-out class="tip" >}} NGINX Ingress Controller can fetch compiled bundles directly from NGINX Instance Manager or NGINX One Console without the manual download and upload steps described on this page. See [Connect F5 WAF for NGINX to bundle sources]({{< ref "/nic/tutorials/bundle-sources.md" >}}) for details on automated bundle fetching with optional polling for updates. {{< /call-out >}}

The following steps describe how to use the NGINX Instance Manager API to create a new security policy, compile a bundle, then add it to NGINX Ingress Controller.

## Before you begin
Expand Up @@ -29,6 +29,8 @@ F5 WAF for NGINX bundles for VirtualServer custom resources are defined by creat

Before applying a policy, a WAF policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.

{{< call-out class="tip" >}} Instead of manually placing bundles on a mounted volume, you can configure NGINX Ingress Controller to fetch bundles from a remote source automatically. See [Connect F5 WAF for NGINX to bundle sources]({{< ref "/nic/tutorials/bundle-sources.md" >}}) for details on NGINX One Console, NGINX Instance Manager, and HTTPS source types. {{< /call-out >}}

{{< call-out class="note" >}} NGINX Ingress Controller supports `securityLogs` for policy bundles. Log bundles must also be copied to a volume mounted to `/etc/app_protect/bundles`. {{< /call-out >}}

This example shows how a policy is configured by referencing a generated WAF Policy Bundle:
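Review bot: the note directly after the new tip (``Log bundles must also be copied to a volume mounted to `/etc/app_protect/bundles`.``) now reads as unconditional while the tip says bundles can be fetched from a remote source, and the policy-resource table in this PR adds ``apLogBundleSource`` for log profile bundles. Qualify the note, for example "unless ``apLogBundleSource`` is used", so the two call-outs do not contradict each other.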
Expand Up @@ -23,6 +23,9 @@ The table below categorizes some potential problems with NGINX Ingress Controlle
|Start | The configuration is not applied. | Check if a policy bundle is compiled using version of the compiler running in NGINX Ingress Controller. | Policy bundle is invalid. |
|Start | The configuration is not applied. | Check if bundle is present in a volume. | Policy bundle is not present in the mounted volume. |
|APLogConf, Policy or Ingress Resource. | The configuration is not applied. | Check the events of the APLogConf, Policy and Ingress Resource, check the logs, replace the policy bundle. | Policy bundle is invalid. |
|[Bundle source]({{< ref "/nic/tutorials/bundle-sources.md" >}}). | Bundle not fetched, Warning event on Policy. | Check Policy events and status. Verify the bundle source URL and credentials are correct. | Invalid URL, authentication failure, or bundle not yet compiled on the management plane. |
|[Bundle source]({{< ref "/nic/tutorials/bundle-sources.md" >}}). | VirtualServer or Ingress returns HTTP 500. | Check Policy status for bundle source errors. | Bundle source is unreachable or the bundle is not yet available. |
|[Bundle source]({{< ref "/nic/tutorials/bundle-sources.md" >}}). | Policy not updating after bundle recompilation. | Verify ``enablePolling`` is ``true`` and ``pollInterval`` is at least ``1m``. | Polling is not enabled, or the poll interval is below the minimum. |

{{< /table >}}

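Review bot: the first bundle-source row lists invalid URL, authentication failure and an uncompiled bundle as probable causes but omits TLS certificate verification failure, which the new `trustedCertSecret` and `insecureSkipVerify` fields make a likely cause whenever the HTTPS host or management plane uses a private CA; suggest adding "TLS verification failure (missing or wrong ``trustedCertSecret``)" to the cause column and "check the CA Secret referenced by ``trustedCertSecret``" to the check column. For the HTTP 500 row, state whether this is the intended behaviour while no bundle has been loaded yet, since the check column only points at Policy status and a reader cannot tell whether the 500 is a fault or the expected fail-closed state.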