Assigning firewall rule actions

Firewall rule actions tell CIS how to respond to requests that match the criteria you define.

For lightweight firewall rules, go to Security > IP firewall, which contains IP rules, User Agent rules, and Domain Lockdown rules. Firewall rules are based on IP address, IP address range, Autonomous System Number (ASN), or country/region.

Domain lockdown rules specify a list of IP addresses, CIDR ranges, or networks that can access a domain, subdomain, or URL. Anything not on the list is blocked.

For more robust firewall rules, go to Security > Firewall rules, where you can create rules that examine incoming HTTP traffic against a set of filters to block, challenge, log, or allow matching requests.

The following table describes the actions that you can assign to your rules. The priority column shows what precedence the action receives. If a request matches two different rules that have the same priority, precedence determines the action to take.

Table 1. Firewall rule actions and priority

| Action | Available in | Description | Priority |
| --- | --- | --- | --- |
| Log | Firewall rules | Logs matching requests on the CIS edge for access with Enterprise Logpush and Logpull. Recommended for testing rule effectiveness before you commit to a more severe action. Available to Enterprise customers only. | 1 |
| Bypass | Firewall rules | Allows dynamic disabling of security features for a request. Exempts matching requests from evaluation, based on a user-defined list that contains one or more of the following features: Browser Integrity Check, Domain Lockdown, Hotlink Protection, Rate Limiting, Security Level, User Agent Block, WAF Managed Rules. Matching requests are still subject to evaluation within Firewall Rules, based on order of execution. | 2 |
| Allow | Firewall rules, IP firewall | Allows matching requests to access the site, on condition that no other CIS firewall features block the request, such as IP firewall or access rules. | 3 |
| Challenge (Captcha) | Firewall rules, IP firewall, User agent rules | Requires a user to pass a Google reCaptcha Challenge before proceeding. If successful, CIS accepts the matched request; otherwise, it is blocked. | 4 |
| JS Challenge | Firewall rules, IP firewall, User agent rules | Requires a user to pass a CIS JavaScript Challenge before proceeding. If successful, CIS accepts the matched request; otherwise, it is blocked. | 5 |
| Block | Firewall rules, IP firewall, User agent rules | Blocks a matching request from accessing the site. | 6 |
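
The following added example (not IBM's code and not part of the CIS API) applies the same-priority tie-break described before Table 1 to a rule set and reports Challenge, JS Challenge, or Block rules that lose the tie to a Log, Bypass, or Allow rule. It assumes that 1 is the highest precedence; the rule fields `id`, `priority`, and `action` and the sample rules are hypothetical.

```python
from collections import defaultdict

# Action precedence in the row order of Table 1; assumes 1 is the highest precedence.
PRECEDENCE = {"log": 1, "bypass": 2, "allow": 3,
              "challenge": 4, "js_challenge": 5, "block": 6}
PERMISSIVE = {"log", "bypass", "allow"}  # actions that neither challenge nor block

def resolve_ties(matching_rules):
    """Group rules that all match one request by priority and return
    {priority: (winning_rule, [shadowed_rules])} using action precedence."""
    groups = defaultdict(list)
    for rule in matching_rules:
        if rule["action"] not in PRECEDENCE:
            raise ValueError(f"unknown action in rule {rule['id']}: {rule['action']}")
        groups[rule["priority"]].append(rule)
    resolved = {}
    for priority, rules in groups.items():
        # sorted() is stable, so rules with the same action keep their input order.
        ordered = sorted(rules, key=lambda r: PRECEDENCE[r["action"]])
        resolved[priority] = (ordered[0], ordered[1:])
    return resolved

def shadowed_enforcement(matching_rules):
    """Return (winner_id, shadowed_id) pairs where a Challenge, JS Challenge, or
    Block rule loses a same-priority tie to a Log, Bypass, or Allow rule."""
    findings = []
    for _, (winner, losers) in sorted(resolve_ties(matching_rules).items()):
        if winner["action"] in PERMISSIVE:
            findings += [(winner["id"], r["id"]) for r in losers
                         if r["action"] not in PERMISSIVE]
    return findings

# Constructed sample: rules assumed to match the same request (hypothetical ids and fields).
SAMPLE_RULES = [
    {"id": "r1", "priority": 10, "action": "block"},
    {"id": "r2", "priority": 10, "action": "allow"},
    {"id": "r3", "priority": 20, "action": "js_challenge"},
    {"id": "r4", "priority": 20, "action": "challenge"},
    {"id": "r5", "priority": 30, "action": "block"},
]

if __name__ == "__main__":
    for winner, loser in shadowed_enforcement(SAMPLE_RULES):
        print(f"rule {loser} is shadowed for this request: {winner} wins the tie")
```

Giving an enforcing rule its own priority value, rather than sharing one with an Allow or Bypass rule, removes the tie that this check reports.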