Forum Discussion

MVP

Nov 11, 2025

Solved

F5 CIS IngressLink attaching WAF policy on the big-ip through the CRD ?

Hey Everyone, I did a lot of lab testing for F5 CIS. One interesting thing I saw it that the IngressLink integration between F5 BIG-IP and Nginx Ingress does not have the policy option w...

NGINX Ingress Controller

Nikoolayy1
Nov 11, 2025
Ok I tested it and actually even with the community edition it works but sort of 😅 One small issue is the community edition returns 404 error when sending health monitor request to / without hostname and ingresslink attaches http monitors as it is meant to for the F5 Networks nginx version that has a default response page with 200 code. Also IngressLink creates F5 VIP that is just layer 3/4 without HTTP profile, so this explains a lot!

This feature is meant where F5 is Tier 0 and just provides basic protections like Global AFM DOS, AFM rules, TCP profile cookie security etc. It seems the main features like WAF (Nginx AppProtect ) , SAML and OAUth authentication/authorization in that case will be on the Nginx Plus (not the community opensource one) Ingress

apiVersion: v1
kind: Service
metadata:
name: nginx-ingress-ingresslink
namespace: ingress-nginx
labels:
app: ingresslink
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app: nginx-ingress
---
apiVersion: "cis.f5.com/v1"
kind: IngressLink
metadata:
name: nginx-ingress
namespace: ingress-nginx
spec:
virtualServerAddress: "xxxx"
host: demo.localdev.me
# iRules:
# - /Common/nginx-ingress
selector:
matchLabels:
app: ingresslink

Nikoolayy1

MVP

Nov 11, 2025

Ok I tested it and actually even with the community edition it works but sort of 😅 One small issue is the community edition returns 404 error when sending health monitor request to / without hostname and ingresslink attaches http monitors as it is meant to for the F5 Networks nginx version that has a default response page with 200 code. Also IngressLink creates F5 VIP that is just layer 3/4 without HTTP profile, so this explains a lot!

This feature is meant where F5 is Tier 0 and just provides basic protections like Global AFM DOS, AFM rules, TCP profile cookie security etc. It seems the main features like WAF (Nginx AppProtect ) , SAML and OAUth authentication/authorization in that case will be on the Nginx Plus (not the community opensource one) Ingress

apiVersion: v1
kind: Service
metadata:
name: nginx-ingress-ingresslink
namespace: ingress-nginx
labels:
app: ingresslink
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app: nginx-ingress
---
apiVersion: "cis.f5.com/v1"
kind: IngressLink
metadata:
name: nginx-ingress
namespace: ingress-nginx
spec:
virtualServerAddress: "xxxx"
host: demo.localdev.me
# iRules:
# - /Common/nginx-ingress
selector:
matchLabels:
app: ingresslink

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

F5 CIS IngressLink attaching WAF policy on the big-ip through the CRD ?

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

JSON Web Key Set Endpoint

Related Content

My first deployment of IngressLink

Quick Deployment: Deploy F5 CIS/F5 IngressLink in a Kubernetes cluster on AWS

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

Methods to attach ASM policy to virtual server via REST API requests

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS