Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create an access application for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-app-create 31984fea73a15b45779fa0df4ef62f9b --name exampleCreate --domain example.com --session-duration 12h -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all access applications for domains 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-apps 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show details of access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

--name

The name of the Application. Required.

--domain

The domain and path that Access blocks. Required.

--session-duration

Defines the amount of time that the tokens issued for this application are valid. Valid values are 30m, 6h, 12h, 24h, 168h, and 730h.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --name exampleUpdate --domain example.com --session-duration 24h -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--name

The name of the Certificate. Required.

--ca-cert-file

The Root CA file for your certificates. Required.

--associated-hostnames

The hostnames that are prompted for this certificate.

ACCESS_APPLICATION_ID

The ID of the access application.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Create an access certificate for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificate-create 31984fea73a15b45779fa0df4ef62f9b --name example --ca-cert-file CERT_FILE --associated-hostnames example.com  -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all access certificates for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_CERTIFICATE_ID

The ID of the access certificate. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show details of access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_CERTIFICATE_ID

The ID of the access certificate. Required.

--name

The name of the Certificate. Required.

--associated-hostnames

The hostnames that are prompted for this certificate. Required. The associated hostnames are reset if not specified by associated-hostnames.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update the access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --name example  --associated-hostnames example.com -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_CERTIFICATE_ID

The ID of the access certificate. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete the access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get access certificates settings for Domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates-settings 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-f, --feature

Feature of certificates settings. Valid values:

client_certificate_forwarding

The client certificate payload and its SHA256 signature are forwarded to origin servers through CF-Client-Cert-DER_BASE64 and CF-Client-Cert-SHA256 headers.

-v, --value

The value set to the feature for certificates.

client_certificate_forwarding

Specify the hostname to forward the client certificate or not. For example, -v host1=on,host2=on,host3=off.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update access certificates settings for Domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates-settings-update 31984fea73a15b45779fa0df4ef62f9b -f client_certificate_forwarding -v mtls1.example.com=on,mtls2.example.com=off -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

--name

The name of the policy. Required.

--decision

Defines the action Access takes if the policy matches the user. Valid value is non_identity. Required.

--include

The included rule of the policy. Valid values are certificate and common_name. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create an access policy for access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-policy-create 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -name examplePolicy --decision non_identity --include certificate  --include common_name=test -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all access policies for access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-policies 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

ACCESS_POLICY_ID

The ID of access policy. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show details of access policy a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-policy 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 65fe21071877669cc69544642bc6c4c4 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

ACCESS_APPLICATION_ID

The ID of the access application. Required.

ACCESS_POLICY_ID

The ID of access policy. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete access policy 65fe21071877669cc69544642bc6c4c4.

ibmcloud cis access-policy-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 65fe21071877669cc69544642bc6c4c4 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--all

Purging all cached files. This option is mutually exclusive with --file.

--file

Granularly remove one or more files by specifying URLs. This option is mutually exclusive with --all.

--tag

Granularly remove one or more files by the associated Cache-Tag. This option is mutually exclusive with --all. Enterprise Plans Only

--host

Granularly remove one or more files by specifying the host. This option is mutually exclusive with --all. Enterprise Plans Only

--prefix

Granularly remove one or more files by a prefix. This option is mutually exclusive with --all. Enterprise Plans Only

-f, --force

Purging all cached files without prompting for confirmation.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set is used.

--output

The output format. Currently, json is the only supported value.

Examples

Clear all cached assets file for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-purge 31984fea73a15b45779fa0df4ef62f9b --all --force -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get caching settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-settings 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--caching-level

Specify under what URL conditions that you want to deliver cached assets to the user. Valid values are no-query-string, query-string-independent, and query-string-dependent.

• no-query-string : Delivers resources from cache only when no query string is present.
• query-string-independent : Delivers the same resource to everyone independent of the query string.
• query-string-dependent : Delivers a different resource each time the query string changes.

--browser-expiration

Specify how long you want the user's browser to store cached assets.

• Valid values are respect-existing-header, 30s, 1M, 5M, 20M, 30M, 1h, 2h, 4h, 8h, 16h, 1d 3d, 8d, 16d, 1m, 6m, and 1y.
• 30s, 1M, 5M, and 20M are only available for an Enterprise or Security plan instance.
• 30s means 30 seconds.
• 30M means 30 minutes.
• 1h means 1 hour.
• 1d means 1 day.
• 1m means 1 month.
• 1y means 1 year.

--development-mod

Bypass all edge caches and send traffic toward your origin servers.

--serve-stale-content

Continue serving cached content to users when origin servers are offline, even if the content is expired.

--query-string-sort: In the cache, CIS treats files with the same query strings as the same file, regardless of the order of the query strings.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update caching settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-settings-update 31984fea73a15b45779fa0df4ef62f9b --caching-level no-query-string --browser-expiration 1h -i "cis-demo"

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Example

ibmcloud cis custom-lists lists -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Example

ibmcloud cis custom-lists list f93d11a87c4945a0a6bd12820776a66d -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9:: -o json

Command options

--kind

Custom list kind. Valid values are ip, asn, and hostname.

--name

The list name.

--description

Description of the list.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--json

The JSON file or JSON string that is used to describe a custom list.

The required fields in JSON data are:

kind : Custom list kind. Valid values are ip, asn, and hostname.

name : The list name.

The optional field is:

"description" : Description of the list.

Sample JSON data:

{
  "kind": "ip",
  "name": "string",
  "description": "string"
}

Examples

ibmcloud cis custom-lists list-create --kind ip --name iplistone -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

ibmcloud cis custom-lists list-create —-json @example.json -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

--description

Briefly describe the list.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

json

The JSON file or JSON string that is used to describe a custom list.

The optional field is:

"description" : To briefly describe the list.

Sample JSON data:

  {
    "description": "string"
  }

Examples

ibmcloud cis custom-lists list-update a46c54444a97431e810c975bf2db4f83 --description "description example" -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

ibmcloud cis custom-lists list-update a46c54444a97431e810c975bf2db4f83 —-json @example.json -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

-f, --force

Attempt to delete a custom list without prompting for confirmation.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

Example

custom-lists list-delete 78277700444f4f69aefef78ea2bef013 -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Example

ibmcloud cis custom-lists items f93d11a87c4945a0a6bd12820776a66d -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

ITEM_ID

The ID of the custom list item.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Example

ibmcloud cis custom-lists item f93d11a87c4945a0a6bd12820776a66d f550e1d3ede74455bf225a06800bd1be -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

--asn

The ASN value.

--ip

The IPv4 address.

--hostname

The hostname.

--comment

To provide a brief comment on the item.

-i, --instance

Instance name or ID. If instance or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--json

The JSON file or JSON string that is used to describe a custom list.

The required fields in JSON data are:

items : List of custom list items to create.

asn : The ASN.

hostname : The hostname.

ip : The IPv4 address.

comment : To provide a brief comment on the item.

Sample JSON data:

  [
    {
      "asn": 19604,
      "comment": "My list of developer IPs.",
      "hostname": "cloud.ibm.com",
      "ip": "172.64.0.0/13"
    }
  ]

Command examples

ibmcloud cis custom-lists item-create f93d11a87c4945a0a6bd12820776a66d --ip 192.0.0.3  -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

ibmcloud cis custom-lists item-create f93d11a87c4945a0a6bd12820776a66d --json @example.json -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

--json

The JSON file or JSON string that is used to describe a custom list.

The required fields in JSON data are:

items : List of custom list items to create.

asn : The ASN value.

hostname : The hostname.

ip : The IPv4 address.

comment : To provide a brief comment on the item.

Sample JSON data:

   [
     {
       "asn": 19604,
       "comment": "My list of developer IPs.",
       "hostname": "cloud.ibm.com",
       "ip": "172.64.0.0/13"
     }
   ]

-f, --force

Attempt to delete a custom list without prompting for confirmation.

--output value

The output format. Currently, json is the only supported value.

-i, --instance

Instance name or ID. If instance value or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

Example

ibmcloud cis custom-lists item-update f93d11a87c4945a0a6bd12820776a66d —json @example.json -f -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

LIST_ID

The ID of the custom list.

--item-id

CUSTOM_LIST_ITEM_ID is the ID of the custom list item.

-f, --force

Attempt to delete a custom list without prompting for confirmation.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--json

The JSON file or JSON string that is used to describe a custom list.

The required fields in JSON data are:

items : List of custom list items to delete by ID.

id : Unique ID of the custom list item.

Sample JSON data:

  {
    "items": [
      {
        "id": "70c2009751b24ffc9ed1ab462ba957b4"
      }
    ]
  }

Examples

ibmcloud cis custom-lists item-delete f93d11a87c4945a0a6bd12820776a66d --item-id —force 42851cc4589746229552ec5a54f9d623 -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

ibmcloud cis custom-lists item-delete f93d11a87c4945a0a6bd12820776a66d —json @example.json —-force -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9::

Command options

OPERATION_ID

The ID of the custom list operation.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Example

ibmcloud cis custom-lists operation 04cdb3b267a44ceb895e766fc2affe72 -i crn:v1:staging:public:internet-svcs-ci:global:a/c987fg3e4h278745690dp435683568rp:eg7kb437-4893-56yl-4wn9-c595j8t78gr9:: -o json

Command options

PAGE_ID

The name of the Custom Page type. Valid values are basic_challenge, country_challenge, ip_block, ratelimit_block, serve_stale_content, under_attack, waf_block, waf_challenge, 1000_errors, 500_errors. Required.

PAGE_URL

A URL that is associated with the Custom Page. For example, http://www.example.com/example.html. Value default means to use the default page. Required.

-d, --domain

DNS Domain ID.

-i,- --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update basic_challenge page for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-page-update "basic_challenge" "http://www.example.com/example.html" -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

PAGE_ID

The name of the Custom Page type. Valid values are basic_challenge, country_challenge, ip_block, ratelimit_block, serve_stale_content, under_attack, waf_block, waf_challenge, 1000_errors, and 500_errors. Required.

-d, --domain

DNS Domain ID.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get basic_challenge page for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-page "basic_challenge" -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

-d, --domain

DNS Domain ID.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List existing custom pages for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-pages -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--name

DNS record name.

--type

DNS record type.

--content

DNS record content.

--ttl

Time to live for DNS record. A value of 1 is automatic. The default value is 1.

--proxied

Control whether traffic flows through the security and performance functions on CIS. CIS proxies traffic only for A, AAAA, and CNAME records. Valid values are true and false.

--json

The JSON file or JSON string that is used to describe a DNS Record. Supported DNS Record types are: A, AAAA, CNAME, NS, TXT, MX, LOC, SRV, CAA, PTR.

• For type A, AAAA, CNAME, NS, TXT :
  • The required fields in JSON data are name, type, content.
  • The optional fields are ttl, proxied :
    • proxied Control whether traffic flows through the security and performance functions on CIS. CIS proxies only traffic for A, AAAA, and CNAME records.

Sample JSON data:

{
   "name": "testA",
   "type": "A",
   "content": "127.0.0.1",
   "proxied": true
}

{
   "name": "testAAAA",
   "type": "AAAA",
   "content": "2001:0db8:0012:0001:3c5e:7354:0000:5db1",
   "proxied": false
}

{
   "name": "testCNAME",
   "type": "CNAME",
   "content": "example.com"
}

{
   "name": "testNS",
   "type": "NS",
   "content": "ns1.example.com"
}

{
   "name": "testTXT",
   "type":"TXT",
   "content": "text information"
}

• For type PTR :
  • The required fields in JSON data are name, type, content.
  • The optional field is ttl.

Sample JSON data:

{
 "name": "1.2.3.4",
 "type":"PTR",
 "content": "abc.test.com"
}

• For type MX :
  • The required fields in JSON data are name, type, content.
  • The optional fields are ttl and priority.

Sample JSON data:

{
   "name": "testMX",
   "type": "MX",
   "content": "smtp.example.com",
   "priority": 10
}

• For type LOC :
  • The required fields in JSON data are name, type, data:
    • data:
      • lat_degrees : Degrees of latitude.
      • lat_minutes : Minutes of latitude
      • lat_seconds : Seconds of latitude.
      • lat_direction : Latitude direction.
      • long_degrees : Degrees of longitude.
      • long_minutes : Minutes of longitude.
      • long_seconds : Seconds of longitude.
      • long_direction : Longitude direction.
      • altitude : Altitude of location in meters.
      • size : Size of location in meters.
      • precision_horz : Horizontal precision of location.
      • precision_vert : Vertical precision of location.
    • The optional field is ttl.

Sample JSON data:

{
   "name": "testLOC",
   "type": "LOC",
   "data": {
         "lat_degrees": 45,
         "lat_minutes": 0,
         "lat_seconds": 0,
         "lat_direction": "N",
         "long_degrees": 45,
         "long_minutes": 0,
         "long_seconds": 0,
         "long_direction": "E",
         "altitude": 20,
         "size": 0,
         "precision_horz": 0,
         "precision_vert": 0
   }
}

• For type SRV :
  • The required fields in JSON data are type, data:
    • data: - service : A service type, prefixed with an underscore. - proto : A valid protocol. - priority : Priority. - weight : The record weight. - port : The port of the service. - target : A valid hostname.
    • The optional field is ttl.

Sample JSON data:

{
   "type": "SRV",
   "data": {
         "service": "_ftp",
         "proto": "_tcp",
         "name": "testSRV",
         "priority": 1,
         "weight": 1,
         "port": 21,
         "target": "example.com"
   }
}

• For type CAA:
  • The required fields in JSON data are name, type, and data.
  • The optional field is ttl.

Sample JSON data:

{
   "name": "testCAA.yourdomain.com",
   "type": "CAA",
   "data": {
         "tag": "issue",
         "value": "letsencrypt.org"
   }
}

-s, --json-str

Deprecated. The JSON data used to describe a DNS Record.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-create 31984fea73a15b45779fa0df4ef62f9b --json '{"name": "testCNAME", "type": "CNAME", "content": "example.com"}' -i "cis-demo"
ibmcloud cis dns-record-create 31984fea73a15b45779fa0df4ef62f9b --type A --name testA --content "127.0.0.1" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

DNS_RECORD_ID

The ID of the DNS record. Required.

--name

DNS record name.

--type

DNS record type.

--content

DNS record content.

--ttl

Time to live for DNS record. A value of 1 is automatic. The default value is 1.

--proxied

Control whether traffic flows through the security and performance functions on CIS. CIS proxies traffic only for A, AAAA, and CNAME records. Valid values are true and false.

--json

The JSON file or JSON string that is used to describe a DNS Record. Supported DNS Record types are: A, AAAA, CNAME, NS, TXT, MX, LOC, SRV, CAA,PTR.

• For type A, AAAA, CNAME, NS, TXT :
  • The required fields in JSON data are name, type, content.
  • The optional fields are ttl and proxied :
    • proxied Control whether traffic flows through the security and performance functions on CIS. CIS proxies only traffic for A, AAAA, and CNAME records.

Sample JSON data:

{
   "name": "testA",
   "type": "A",
   "content": "127.0.0.1",
   "proxied": true
}

{
   "name": "testAAAA",
   "type": "AAAA",
   "content": "2001:0db8:0012:0001:3c5e:7354:0000:5db1",
   "proxied": false
}

{
   "name": "testCNAME",
   "type": "CNAME",
   "content": "example.com"
}

{
   "name": "testNS",
   "type": "NS",
   "content": "ns1.example.com"
}

{
   "name": "testTXT",
   "type":"TXT",
   "content": "text information"
}

• For type PTR :
  • The required fields in JSON data are name, type, content.
  • The optional field is ttl.

Sample JSON data:

{
 "name": "1.2.3.4",
 "type":"PTR",
 "content": "abc.test.com"
}

• For type MX :

  • The required fields in JSON data are name, type, content.
  • The optional fields are ttl and priority.

  Sample JSON data:

{
   "name": "testMX",
   "type": "MX",
   "content": "smtp.example.com",
   "priority": 10
}

• For type LOC :

  • The required fields in JSON data are name, type, data:
    • data:
      • lat_degrees : Degrees of latitude.
      • lat_minutes : Minutes of latitude
      • lat_seconds : Seconds of latitude.
      • lat_direction : Latitude direction.
      • long_degrees : Degrees of longitude.
      • long_minutes : Minutes of longitude.
      • long_seconds : Seconds of longitude.
      • long_direction : Longitude direction.
      • altitude : Altitude of location in meters.
      • size : Size of location in meters.
      • precision_horz : Horizontal precision of location.
      • precision_vert : Vertical precision of location.
  • The optional field is ttl.

  Sample JSON data:

{
   "name": "testLOC",
   "type": "LOC",
   "data": {
         "lat_degrees": 45,
         "lat_minutes": 0,
         "lat_seconds": 0,
         "lat_direction": "N",
         "long_degrees": 45,
         "long_minutes": 0,
         "long_seconds": 0,
         "long_direction": "E",
         "altitude": 20,
         "size": 0,
         "precision_horz": 0,
         "precision_vert": 0
   }
}

• For type SRV :

  • The required fields in JSON data are type, data:
    • data:
      • service : A service type, prefixed with an underscore.
      • proto : A valid protocol.
      • priority : Priority.
      • weight : The record weight.
      • port : The port of the service.
      • target : A valid hostname.
  • The optional field is ttl.

  Sample JSON data:

{
   "type": "SRV",
   "data": {
         "service": "_ftp",
         "proto": "_tcp",
         "name": "testSRV",
         "priority": 1,
         "weight": 1,
         "port": 21,
         "target": "example.com"
   }
}

• For type CAA :

  • The required fields in JSON data are name, type, data
  • The optional field is ttl.

  Sample JSON data:

{
   "name": "testCAA.yourdomain.com",
   "type": "CAA",
   "data": {
         "tag": "issue",
         "value": "letsencrypt.org"
   }
}

-s, --json-str

Deprecated. The JSON data used to describe a DNS Record.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-update 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 --json '{"name": "testCNAME", "type": "CNAME", "content": "example.com"}' -i "cis-demo"
ibmcloud cis dns-record-update 31984fea73a15b45779fa0df4ef62f9b 417e8605a72d3e085020b82c93cd7f82 --type A --name testA --content "127.0.0.1" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

DNS_RECORD_ID

The ID of the DNS record. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get DNS record details in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

DNS_RECORD_ID

The ID of the DNS record. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-delete 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--type

Type of DNS records to display.

--name

Value of name field to filter by.

--content

Value of content field to filter by.

--page

Page number of paginated results.

--per_page

Maximum number of DNS records per page.

--order

Field by which to order the list of DNS records. Valid values are type, name, content, ttl, and proxied.

--direction

Direction in which to order the results (ascending or descending order). Valid values are asc and desc.

--match

Whether to match all or at least one search parameter. Valid values are any and all.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all DNS records in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--file

BIND config to import. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Import BIND config in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records-import 31984fea73a15b45779fa0df4ef62f9b --file bind_config_file.txt -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--file

The BIND config file that saves exported DNS records.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Export BIND config for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records-export 31984fea73a15b45779fa0df4ef62f9b --file bind_config_file.txt -i "cis-demo"

Command options

type

Specify the domain type setup. Valid values are full and partial (default full).

• full : A full zone implies that the DNS is hosted.
• partial : A partial zone implies a CNAME setup domain.

jump-start

Automatically attempt to fetch existing DNS records.

DNS_DOMAIN_NAME

The FQDN of DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Add a domain test.com in instance cis-demo.

ibmcloud cis domain-add "test.com" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Resume the specified domain.

ibmcloud cis domain-resume 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Pause the specified domain.

ibmcloud cis domain-pause 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Display the specified domain details.

ibmcloud cis domain 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Remove the specified domain.

ibmcloud cis domain-remove 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List domains for the specified domain cis-demo.

ibmcloud cis domains -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Perform activation check on the specified domain.

ibmcloud cis domain-activation-check 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-g, --group

Display features in a same group. Valid values for group are all, domain, reliability, performance, and security. This option is mutually exclusive with -f, --feature.

-f, --feature

Feature of domain settings to check. This option is mutually exclusive with g, --group. Valid values are as follows:

• always_use_https : Redirect all requests with scheme http to https. This setting applies to all HTTP requests to the domain.
• automatic_https_rewrites : Help fix mixed content by changing http to https for all resources or links on your website that can be served with HTTPS.
• bot_management : Detect and mitigate bot traffic on your domain.
• brotli : When the client that is requesting an asset supports the brotli compression algorithm, CIS serves a brotli compressed version of the asset.
• browser_check : Evaluate HTTP headers from your visitors' browser for threats. If a threat is found, then a block page is delivered.
• challenge_ttl : Specify how long a visitor with a bad IP reputation is allowed access to your website after they complete a challenge.
• ciphers : An allowlist of ciphers for TLS termination in the BoringSSL format. This command lists ciphers that are allowlisted by customers. If no ciphers are allowlisted, the list is empty and the default ciphers are used. See Edge cipher suites and Origin cipher suites for the list of default ciphers.
• cname_flattening : Follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, flatten only the CNAME at the root of your domain.
• domain_hold: Domain holds prevent teams in your organization from adding domains that are already active in another account. Enterprise Plans Only
• email_obfuscation : Encrypt the email addresses on your web page from bots while it's kept visible to humans.
• opportunistic_onion : Allow legitimate users of the Tor Browser to access your websites.
• hotlink_protection : Protect your images from off-site linking.
• http2 : Accelerate your website with HTTP/2.
• http3 : Accelerate your website with HTTP/3.
• image_load_optimization : Improve load time for pages that include images on mobile devices with slow network connections.
• image_size_optimization : Improve image load time by optimizing images hosted on your domain.
• image_resizing : Provide on-demand resizing, conversion, and optimization for images served through the CIS network.
• ip_geolocation : Include the country code of the visitor location with all requests to your website.
• ipv6 : Enable IPv6 support and gateway.
• max_upload : The number of data visitors who can upload to your website in a single request.
• min_tls_version : Allow only HTTPS connections from visitors that support the selected TLS protocol version or newer.
• minify : Reduce the file size of source code on your website.
• mobile_redirect : Redirect visitors that are using mobile devices to a mobile-optimized website.
• opportunistic_encryption : Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 by letting them know that your site is available over an encrypted connection.
• origin_error_page_pass_thru : When the Origin Error Page is set to On, CIS proxies the 502 and 504 error pages directly from the origin. Enterprise Plans Only
• origin_max_http_version : Configure the HTTP version to Origin.
• origin_post_quantum_encryption : Instructs CIS to use Post-Quantum (PQ) key agreement algorithms when it connects to your origin.
• prefetch_preload : CIS prefetches any URLs included in the prefetch HTTP header. Enterprise Plans Only
• pseudo_ipv4 : Adds an IPv4 header to requests when a client is using IPv6, but the server only supports IPv4.
• response_buffering : Enable or disable buffering of responses from the origin server. Enterprise Plans Only
• script_load_optimization : Improve the paint time for pages that include JavaScript.
• security_header : Enforce a web security policy for your website.
• security_level : Choose the appropriate security profile for your website.
• server_side_exclude : Automatically hide specific content from suspicious visitors.
• tls_client_auth : TLS client certificate presented for authentication on origin pull. Enterprise Plans Only
• true_client_ip_header : CIS sends the user’s IP address in the True-Client-IP header. Enterprise Plans Only
• waf : A Web Application Firewall (WAF) blocks requests that contain malicious content.
• websockets : Allow WebSockets connections to your origin server.
• proxy_read_timeout : Maximum time between two read operations from origin. Enterprise Plans Only
• url_normalization : Modify the URLs of incoming requests.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get ciphers settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings -f "ciphers" 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-f, --feature

Feature of domain settings to update. Required. Valid values:

• always_use_https : Redirect all requests with scheme http to https. This redirect applies to all http requests to the domain.
• automatic_https_rewrites : Help fix mixed content by changing http to https for all resources or links on your website that can be served with HTTPS.
• bot_management : Detect and mitigate bot traffic on your domain.
• brotli : When the client that is requesting an asset supports the brotli compression algorithm, CIS serves a brotli compressed version of the asset.
• browser_check : Evaluate HTTP headers from your visitors' browser for threats. If a threat is found, then a block page is delivered.
• challenge_ttl : Specify how long a visitor with a bad IP reputation is allowed access to your website after they complete a challenge.
• ciphers : An allowlist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.
• cname_flattening : Follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, only flatten the CNAME at the root of your domain.
• domain_hold: Domain holds prevent teams in your organization from adding domains that are already active in another account. Enterprise Plans Only
• email_obfuscation : Encrypt the email addresses on your web page from bots while it's kept visible to humans.
• opportunistic_onion : Allow legitimate users of the Tor Browser to access your websites.
• hotlink_protection : Protect your images from off-site linking.
• http2 : Accelerate your website with HTTP/2.
• http3 : Accelerate your website with HTTP/3.
• image_load_optimization : Improve load time for pages that include images on mobile devices with slow network connections.
• image_size_optimization : Improve image load time by optimizing images hosted on your domain.
• image_resizing : Provide on-demand resizing, conversion, and optimization for images served through the CIS network.
• ip_geolocation : Include the country code of the visitor location with all requests to your website.
• ipv6 : Enable IPv6 support and gateway.
• max_upload : The number of data visitors who can upload to your website in a single request.
• min_tls_version: Allow only HTTPS connections from visitors that support the selected TLS protocol version or newer.
• minify : Reduce the file size of source code on your website.
• mobile_redirect : Redirect visitors that are using mobile devices to a mobile-optimized website.
• opportunistic_encryption : Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 by letting them know that your site is available over an encrypted connection.
• origin_error_page_pass_thru : When Origin Error Page is set to On, CIS proxies the 502 and 504 error pages directly from the origin. Enterprise Plans Only
• origin_max_http_version : Configure the HTTP version to Origin.
• origin_post_quantum_encryption : Instructs CIS to use Post-Quantum (PQ) key agreement algorithms when it connects to your origin.
• prefetch_preload : CIS prefetches any URLs included in the prefetch HTTP header. Enterprise Plans Only
• pseudo_ipv4 : Adds an IPv4 header to requests when a client is using IPv6, but the server supports IPv4 only.
• response_buffering : Enable or disable buffering of responses from the origin server. Enterprise Plans Only
• script_load_optimization : Improve the paint time for pages that include JavaScript.
• security_header : Enforce a web security policy for your website.
• security_level : Choose the appropriate security profile for your website.
• server_side_exclude : Automatically hide specific content from suspicious visitors.
• tls_client_auth : TLS client certificate presented for authentication on origin pull. Enterprise Plans Only
• true_client_ip_header : CIS sends the user’s IP address in the True-Client-IP header. Enterprise Plans Only
• waf : A Web Application Firewall (WAF) blocks requests that contain malicious content.
• websockets : Allow WebSockets connections to your origin server.
• proxy_read_timeout : Maximum time between two read operations from origin.
• url_normalization : Modify the URLs of incoming requests.

-v, --value

The value set to the feature for domain. Required.

• Valid values for always_use_https are on and off.

• Valid values for automatic_https_rewrites are on and off.

• Valid values for bot_management are "use_latest_model", "fight_mode", "session_score", "enable_js". For example, -v fight_mode=true,session_score=true

  • use_latest_model : Whether to enable the latest model version. Valid values for use_latest_model are true and false.
  • fight_mode : Whether to enable the fight mode. Valid values for fight_mode are true and false.
  • session_score : Whether to enable the session score. Valid values for session_score are true and false.
  • enable_js : Whether to enable JavaScript detections. Valid values for enable_js are true and false.

• Valid values for browser_check are on and off.

• Valid values for challenge_ttl are 300, 900, 1800, 2700, 3600, 7200, 10800, 14400, 28800, 57600, 86400, 604800, 2592000, 31536000.

• Valid values for cname_flattening are flatten_at_root, flatten_all.

  • flatten_at_root : Flatten CNAME at the root domain. This value is the default value.
  • flatten_all : Flatten all CNAME records under your domain.

• Valid values for domain_hold are hold, include_subdomains and hold_after.

  • hold : Whether to enable the domain hold. Valid values for hold are true and false.
  • include_subdomains: Whether to enable the domain hold. Valid values for include_subdomains are true and false.
  • hold_after : If hold_after is provided, the hold is temporarily disabled, then automatically re-enabled by the system at the time specified.

  For enable domain and subdomains hold: -v hold=true,include_subdomains=true. For disable domain hold: -v hold=false,hold_after=2023-05-31T15:56:36+00:00.

• Valid values for hotlink_protection are on, off.

• Valid values for email_obfuscation are on, off.

• Valid values for opportunistic_onion are on, off.

• Valid values for http2 are on, off.

• Valid values for http3 are on, off.

• Valid values for image_load_optimization are on, off.

• Valid values for image_resizing are on, off.

• Valid values for image_size_optimization are off, lossless, lossy.

  • off: Disable Image Size Optimization.
  • lossless : Reduce the size of image files without impacting visual quality.
  • lossy : The file size of JPEG images is reduced by using lossy compression, which might reduce visual quality.

• Valid values for ip_geolocation are on, off.

• Valid values for ipv6 are on, off.

• Valid values(in MB) for max_upload are: 100, 125, 150, 175, 200 and 225, 250, 275, 300, 325, 350, 375, 400, 425, 450, 475, 500. Enterprise Plans Only

• Valid values for min_tls_version are 1.0, 1.1, 1.2, 1,3.

• Valid values for minify are css, html, js. For example, -v css=on,html=off,js=on

  • css : Automatically minify all CSS for your website. Valid values for css are on, off.
  • html : Automatically minify all HTML for your website. Valid values for html are on, off.
  • js : Automatically minify all JS for your website. Valid values for js are on, off.

• Valid values for mobile_redirect are status, mobile_subdomain, strip_uri. For example, -v status=on,mobile_subdomain=m,strip_uri=true

  • status : Whether the mobile redirection is enabled. Valid values for status are on and off.
  • mobile_subdomain: Which subdomain prefix you want to redirect visitors on mobile devices to (subdomain must exist).
  • strip_uri : Whether to drop the current page path and redirect to the mobile subdomain URL root. Valid values for strip_uri are true, false.

• Valid values for opportunistic_encryption are on, off.

• Valid values for origin_error_page_pass_thru are 1, 2.

• Valid values for origin_max_http_version are supported, preferred, off.

  • supported : Post-Quantum algorithms are advertised but only used when requested by the origin.
  • preferred : Preferred instructs CIS to opportunistically send a Post-Quantum (PQ) keyshare in the first message to the origin (for fastest connections when the origin supports and prefers PQ).
  • off: Post-Quantum algorithms are not advertised.

• Valid values for origin_post_quantum_encryption are on, off.

• Valid values for brotli are on, off.

• Valid values for prefetch_preload are on, off.

• Valid values for pseudo_ipv4 are off, add_header, overwrite_header.

  • off: Disable Pseudo IPv4.
  • add_header : Add an additional Cf-Pseudo-IPv4 header only.
  • overwrite_header: Overwrite the existing Cf-Connecting-IP and X-Forwarded-For headers with a pseudo IPv4 address.

• Valid values for response_buffering are on, off.

• Valid values for script_load_optimization are on, off.

• Valid values for security_header are enabled, max_age, include_subdomains, preload, nosniff. For example, -v enabled=true,max_age=100,include_subdomains=true,preload=true,nosniff=true

  • enabled : Whether the security_header is enabled. Valid values for enabled are true, false.
  • max_age : Specify the duration(in seconds) security_header are cached in browsers.
  • include_subdomains: Every domain below the domain inherits the same security_header. Valid values for include_subdomains are true, false.
  • preload : Whether to permit browsers to preload security_header config. Valid values for enabled are true, false.
  • nosniff : Whether to send X-Content-Type-Options: nosniff header. Valid values for nosniff are true, false.

• Valid values for server_level are off, essentially_off, low, medium, high, under_attack.

• Valid values for server_side_exclude are on, off.

• Valid values for tls_client_auth are on, off.

• Valid values for true_client_ip_header are on, off.

• Valid values for waf are on, off.

• Valid values for websockets are on, off.

• Valid values for proxy_read_timeout, 1-6000, default: 100.

• Valid values for ciphers are ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA, default. For example, -v AES256-SHA256,AES256-SHA, using -v default to reset configured cipher suites to the default value.

• Valid values for url_normalization are "type", "scope". For example, -v type=cis,scope=both

  • type : Selects the type of URL normalization that is performed by CIS. Valid values for type are cis, rfc3986.
  • scope : Configures the scope of the URL normalization. Valid values for scope are both, incoming.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Enable tls_client_auth for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings-update -f tls_client_auth -v on 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all Edge Functions actions in instance cis-demo.

ibmcloud cis edge-functions-actions -i "cis-demo"

Command options

--name

Action name. Enterprise Plans Only

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Show details of Edge Functions action action-demo.

ibmcloud cis edge-functions-action --name "action-demo" -i "cis-demo"

Command options

--name

Action name. Enterprise Plans Only

--javascript-str

JavaScript string. For example, addEventListener('fetch', event => { event.respondWith(fetch(event.request))})

--javascript-file

JavaScript file.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create an Edge Functions action for instance action-demo.

ibmcloud cis edge-functions-action-create --javascript-str "addEventListener('fetch', event => { event.respondWith(fetch(event.request)) })" --name "action-demo" -i "cis-demo"

Command options

--name

Action name. Enterprise Plans Only

--javascript-str

JavaScript string. For example, addEventListener('fetch', event => { event.respondWith(fetch(event.request))})

--javascript-file

JavaScript file.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update an Edge Functions action for instance action-demo.

ibmcloud cis edge-functions-action-update --javascript-str "addEventListener('fetch', event => { event.respondWith(fetch(event.request)) })" --name "action-demo" -i "cis-demo"

Command options

--name

Action name. Enterprise Plans Only

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete Edge Functions action action-demo.

ibmcloud cis edge-functions-action-delete --name "action-demo" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all Edge Functions triggers for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis edge-functions-triggers 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

TRIGGER_ID

The ID of the trigger. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show details of Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

PATTERN_URL

The request URL, which triggers the action. Required.

name

The action name to which the created trigger is attached. Enterprise Plans Only

disable

Disable an Edge Functions trigger.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create an Edge Functions trigger for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis edge-functions-trigger 31984fea73a15b45779fa0df4ef62f9b "example.net/*" --name "demo-action" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

TRIGGER_ID

The ID of the trigger. Required.

PATTERN_URL

The request URL, which triggers the action. Required.

name

The action name, which the created trigger is attached to. Enterprise Plans Only

disable

Disable an Edge Functions trigger.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac "example.net/*" --name "demo-action" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

TRIGGER_ID

The ID of the trigger. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger-delete 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac -i "cis-demo"

Command options

-t, --type

Type of firewall rules to create. Valid values: access-rules, ua-rules, lockdowns. Required.

• access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
• ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This option enables you to customize the access to your site.
• lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.

-d, --domain

DNS Domain ID. For ua-rules and lockdowns type rule, it is a required parameter.

--json

The JSON file or JSON string that is used to describe a firewall rule. Required.

• For --type access-rules : The JSON data that describes a firewall access rule as follows.
  • Required fields are mode, configuration.
    • mode : The type of action to perform. Valid values are block, challenge, whitelist, and js_challenge.
    • configuration : Target/Value pair to use for this rule.
      • target : The request property to target. Valid values are ip, ip_range, asn, and country.
      • value : The value for the selected target.
        • For ip, the value is a valid IP address.
        • For ip_range, the value specifies an ip range that is limited to /16 and /24.
        • For asn, the value is an AS number.
        • For a country, the value is a country code for the country.
  • Option fields are notes.
    • notes : Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "block",
   "notes": "This rule is added because of event X that occurred on date xyz",
   "configuration": {
      "target": "ip",
      "value": "127.0.0.1"
   }
}

• For --type ua-rules : The JSON data that describes a user-agent rule as follows.
  • Required fields are mode, configuration.
    • mode : The type of action to perform. Valid values are block, challenge, and js_challenge.
    • configuration : Target/Value pair to use for this rule.
      • target : The request property to target. Valid value is ua.
      • value : The exact UserAgent string to match with this rule.
  • Option fields are paused, description.
    • paused : Whether this rule is currently disabled.
    • description : Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "block",
   "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
   }
}

• For --type lockdowns : The JSON data that describes a lockdown rule is as follows.
  • Required fields are urls, configurations.
    • urls : URLs to be included in this rule definition.
      • Wildcards are permitted.
      • The URL pattern entered here is escaped before use.
      • This field limits the URL to simple wildcard patterns.
    • configurations : List of IP addresses or CIDR ranges to use for this rule.
      • This field can include any number of ip or ip_range configurations that can access the provided URLs.
      • target : The request property to target. Valid values are ip, and ip_range.
      • value : IP addresses or CIDR. If target is ip, then value must be an IP address, otherwise CIDR.
  • Option fields are paused, description.
    • paused : Whether this rule is currently disabled.
    • description : Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "urls": [
      "api.mysite.com/some/endpoint*"
   ],
   "configurations": [
      {
         "target": "ip",
         "value": "127.0.0.1"
      },
      {
         "target": "ip_range",
         "value": " 2.2.2.0/24"
      }
   ]
}

-s, --json-str

Deprecated. The JSON data describing a firewall rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create firewall rules.

ibmcloud cis firewall-create -t access-rules --json '{"mode": "block", "notes": "This rule is added because of event X that occurred on date xyz", "configuration": {"target": "ip", "value": "127.0.0.1"}}' -i "cis-demo"
ibmcloud cis firewall-create -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b --json '{"mode": "block", "configuration": {"target": "ua", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"}}' -i "cis-demo"
ibmcloud cis firewall-create -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b --json '{"urls": ["api.mysite.com/some/endpoint*"], "configurations": [{"target": "ip", "value": "127.0.0.1"}, {"target": "ip_range", "value": "2.2.2.0/24"}]}' -i "cis-demo"

Command options

• FIREWALL_RULE_ID: The ID of firewall rule. Required.

-t, --type

The type of firewall rule to create. Valid values are access-rules, ua-rules, and lockdowns. Required.

• access-rules : Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
• ua-rules : Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
• lockdowns : Lock access to URLs in this domain to only permitted addresses or address ranges.

-d, --domain

DNS Domain ID. For ua-rules and lockdowns type rule, it is a required parameter.

--json

The JSON file or JSON string that is used to describe a firewall rule. Required.

• For --type access-rules: The JSON data that describes a firewall access rule is as follows.
  • Option fields are mode, notes.
    • mode : The type of action to perform. Valid values are block, challenge, whitelist, and js_challenge.
    • notes : Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "challenge",
   "notes": "This rule is added because of event X that occurred on date xyz",
}

• For --type ua-rules : The JSON data that describes a user-agent rule is as follows.

  • Required fields are mode, configuration.
    • mode : The type of action to perform. Valid values are block, challenge, and js_challenge.
    • configuration : Target/Value pair to use for this rule.
      • target : The request property to target. Valid value is ua.
      • value : The exact UserAgent string to match with this rule.
  • Option fields are paused, description.
    • paused : Whether this rule is currently disabled.
    • description : Some useful information about this rule to help identify the purpose of it.

  Sample JSON data:

{
   "mode": "block",
   "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
   }
}

• For --type lockdowns : The JSON data that describes a lockdown rule is as follows.
  • Required fields are urls, configurations.
    • urls : URLs to be included in this rule definition.
      • Wildcards are permitted.
      • The URL pattern entered here is escaped before use.
      • This field limits the URL to simple wildcard patterns.
    • configurations : List of IP addresses or CIDR ranges to use for this rule.
      • This field can include any number of ip or ip_range configurations that can access the provided URLs.
      • target : The request property to target. Valid values are ip and ip_range.
      • value : IP addresses or CIDR. If the target is ip, then the value must be an IP addresses, otherwise CIDR.
  • Option fields are paused, description.
    • paused : Whether this rule is currently disabled.
    • description : Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "urls": [
      "api.mysite.com/some/endpoint*"
   ],
   "configurations": [
      {
         "target": "ip",
         "value": "127.0.0.1"
      },
      {
         "target": "ip_range",
         "value": " 2.2.2.0/24"
      }
   ]
}

-s, --json-str

Deprecated. The JSON data that describes a firewall rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update firewall rules.

ibmcloud cis firewall-update bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules --json '{"mode": "challenge", "notes": "This rule is added because of event X that occurred on date xyz"}' -i "cis-demo"
ibmcloud cis firewall-update 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b --json '{"mode": "block", "configuration": {"target": "ua", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"}}' -i -i "cis-demo"
ibmcloud cis firewall-update e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b --json '{"urls": ["api.mysite.com/some/endpoint*"], "configurations": [{"target": "ip", "value": "127.0.0.1"}, {"target": "ip_range", "value": "2.2.2.0/24"}]}' -i "cis-demo"

Command options

-t, --type

The type of firewall rule to create. Valid values are access-rules, ua-rules, and lockdowns. Required.

• access-rules : Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
• ua-rules : Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This action enables you to customize the access to your site.
• lockdowns : Lock access to URLs in this domain to only permitted addresses or address ranges.

-d, --domain

DNS Domain ID. For ua-rules and lockdowns type rule, it is a required parameter.

--page

Page number of paginated results. The default value is 0.

--per-page

Maximum number of access rules per page. The minimum value is 5. The default value is 20.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List firewall rules.

ibmcloud cis firewalls -t access-rules -i "cis-demo"
ibmcloud cis firewalls -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewalls -t lockdown -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

FIREWALL_RULE_ID

The ID of firewall rule. Required.

-t, --type

Type of firewall rule to create. Valid values are access-rules, ua-rules, and lockdowns.

• access-rules : Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
• ua-rules : Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
• lockdowns : Lock access to URLs in this domain to only permitted addresses or address ranges.

-d, --domain

DNS Domain ID. For ua-rules and lockdowns type rule, it is a required parameter.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get firewall rule details.

ibmcloud cis firewall dc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -i "cis-demo"
ibmcloud cis firewall bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdown -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

FIREWALL_RULE_ID

The ID of firewall rule. Required.

-t, --type

Type of firewall rule to create. Valid values are access-rules, ua-rules, and lockdowns. Required.

• access-rules : Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
• ua-rules : Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This field enables you to customize the access to your site.
• lockdowns : Lock access to URLs in this domain to only permitted addresses or address ranges.

-d, --domain

DNS Domain ID. For ua-rules and lockdowns type rule, it is a required parameter.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete a firewall rule.

ibmcloud cis firewall-delete dc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -i "cis-demo"
ibmcloud cis firewall-delete bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall-delete 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall-delete e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdown -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--page

Page number of paginated results. The default value is 1.

--per-page

Number of firewall rules per page. The minimum value is 5 and the maximum value is 100. The default value is 25.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List existing firewall-rules in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis firewall-rules 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

FIREWALL_RULE_ID

The ID of firewall-rule. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get the details of firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--expression

A filter expression. For example, ip.src eq 93.184.216.0.

--action

The rule action to perform. Valid values are log, allow, challenge, js_challenge, block, and bypass.

--priority

The rule's priority. Valid values range from 0 to 2147483647. The value 0 means to set to the default value.

--description

To briefly describe the rule.

--paused

Indicates whether the rule is active or not. Valid values are on and off. The default value is off.

--products

The list of security products to be bypassed. Valid values are zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf.

--json

The JSON file or JSON strin that isused to describe a firewall-rule.

• The required fields in JSON data are expression and action.
  • expression : A filter expression. For example, ip.src eq 93.184.216.0
  • action : The rule action to perform. Valid values are log, allow, challenge, js_challenge, block, and bypass.
• The optional fields are description, priority, paused, products.
  • description : To briefly describe the rule.
  • priority : The rule's priority. Valid values range from 0 to 2147483647. The value 0 means to set to the default value.
  • paused : Indicates whether the rule is active or not. Valid values are on and off. The default value is off.
  • products : The list of security products to be bypassed. Valid values are zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf For example, --products zoneLockdown, rateLimit

Sample JSON data:

{
   "expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"",
   "action": "allow",
   "priority": 100,
   "paused": false,
   "description": "do not challenge login from office"
}

-s, --json-str

Deprecated. The JSON data that describes a firewall-rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a firewall-rule in the domain 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule-create 31984fea73a15b45779fa0df4ef62f9b --expression "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\""  --action allow --priority 200 --paused off --description "do not challenge login from office" -i "cis-demo"

ibmcloud cis firewall-rule-create 31984fea73a15b45779fa0df4ef62f9b --json '{"expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"", "action": "allow", "priority": 100, "paused": false, "description": "do not challenge login from office"}' -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

FIREWALL_RULE_ID

The ID of firewall-rule. Required.

--expression

A filter expression. For example, ip.src eq 93.184.216.0.

--action

The rule action to perform. Valid values are log, allow, challenge, js_challenge, block, and bypass.

--priority

The rule's priority. Valid values range from 0 to 2147483647. The value 0 means to set to the default value.

--description

To briefly describe the rule.

--paused

Indicates whether the rule is active or not. Valid values are on and off. The default value is off.

--products

The list of security products to be bypassed. Valid values are zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf.

--json

The JSON file or JSON string that is used to describe a firewall-rule.

• The required fields in JSON data are expression, and action.
  • expression : A filter expression. For example, ip.src eq 93.184.216.0
  • action : The rule action to perform. Valid values are log, allow, challenge, js_challenge, block, and bypass.
• The optional fields are description, priority, paused, products.
  • description : To briefly describe the rule.
  • priority : The rule's priority. Valid values range from 0 to 2147483647. The value 0 means to set to the default value.
  • paused : Indicates whether the rule is active or not. Valid values are on and off. The default value is off.
  • products : The list of security products to be bypassed. Valid values are zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf For example, --products zoneLockdown, rateLimit
• Note: Fields description, priority, paused, which aren't explicitly set in JSON data are overwritten by the default value.

Sample JSON data:

{
   "expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"",
   "action": "allow",
   "priority": 100,
   "paused": false,
   "description": "do not challenge login from office"
}

-s, --json-str

Deprecated. The JSON data that describes a firewall-rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule-update 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 --expression "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\""  --action allow --priority 200 --paused off --description "do not challenge login from office" -i "cis-demo"

ibmcloud cis firewall-rule-update 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 --json '{"expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"", "action": "allow", "priority": 100, "paused": false, "description": "do not challenge login from office"}' -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

FIREWALL_RULE_ID

The ID of firewall-rule. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule-delete 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

EXPRESSION

The filter expression. For example, ip.src eq 93.184.216.0. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Validate firewall-rule expression ip.src eq 93.184.216.0.

ibmcloud cis firewall-rule-validate 31984fea73a15b45779fa0df4ef62f9b "ip.src eq 93.184.216.0" -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--json

The JSON file or JSON string that is used to describe a global load balancer. Required.

• The required fields in JSON data are name, fallback_pool and default_pools :
  • name : The DNS hostname to associate with your load balancer.
  • fallback_pool : The pool ID to use when all other pools are detected as unhealthy.
  • default_pools : A list of pool IDs ordered by their failover priority.
• The optional fields are description, ttl, region_pools, proxied, enabled, session_affinity, session_affinity_ttl, steering_policy:
  • description : The description of your load balancer.
  • ttl: Time to live (TTL) of the DNS entry for the IP address returned by this load balancer.
  • region_pools : A mapping of region and country codes to a list of pool IDs (ordered by their failover priority) for the region.
  • proxied : Control whether traffic should flow through the security and performance functions on CIS.
  • enabled : Whether to enable (the default) this load balancer.
  • session_affinity : Ensures that a user's requests are consistently directed to the same backend server during a session. Valid values are cookie and none.
  • session_affinity_ttl : Time, in seconds, until this load balancers session affinity cookie expires after it is created. Valid value is between [1800, 604800]. The default value is 82800.
  • steering_policy : Valid values for steering_policy are off, geo, random, dynamic_latency.
    • off : Use default_pools.
    • geo : Use region_pools/pop_pools.
    • random : Select a pool randomly.
    • dynamic_latency : Use round-trip time to select the closest pool in default_pools (requires pool health checks).

Sample JSON data:

{
      "name": "www.example.com",
      "fallback_pool": "17b5962d775c646f3f9725cbc7a53df4",
      "default_pools": [
         "17b5962d775c646f3f9725cbc7a53df4",
         "9290f38c5d07c2e2f4df57b1f61d4196"
      ],
      "description": "Example global load balancer.",
      "ttl": 60,
      "region_pools": {
         "WNAM": [
               "de90f38ced07c2e2f4df50b1f61d4194",
               "9290f38c5d07c2e2f4df57b1f61d4196"
         ],
         "ENAM": [
               "00920f38ce07c2e2f4df50b1f61d4194"
         ]
      }
}

-s, --json-str

Deprecated. The JSON data describing a global load balancer.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a global load balancer in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-create 31984fea73a15b45779fa0df4ef62f9b --json '{"description":"Example global load balancer.","name":"www.example.com","ttl":60,"fallback_pool":"17b5962d775c646f3f9725cbc7a53df4","default_pools":["17b5962d775c646f3f9725cbc7a53df4","9290f38c5d07c2e2f4df57b1f61d4196"],"region_pools":{"WNAM":["de90f38ced07c2e2f4df50b1f61d4194","9290f38c5d07c2e2f4df57b1f61d4196"],"ENAM":["00920f38ce07c2e2f4df50b1f61d4194"]}}' -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

GLB_ID

The ID of the global load balancer. Required.

--json

The JSON file or JSON string that is used to describe a global load balancer. Required.

• The required fields in JSON data are name, fallback_pool, and default_pools :
  • name : The DNS hostname to associate with your load balancer.
  • fallback_pool : The pool ID to use when all other pools are detected as unhealthy.
  • default_pools : A list of pool IDs ordered by their failover priority.
• The optional fields are description, ttl, region_pools, proxied, enabled, session_affinity, session_affinity_ttl, steering_policy:
  • description : The description of your Load Balancer.
  • ttl : Time to live (TTL) of the DNS entry for the IP address returned by this load balancer.
  • region_pools : A mapping of region and country codes to a list of pool IDs (ordered by their failover priority) for the region.
  • proxied : Control whether traffic must flow through the security and performance functions on CIS.
  • enabled : Whether to enable (the default) this load balancer.
  • session_affinity : Ensures that a user's requests are consistently directed to the same backend server during a session. Valid values are cookie and none.
  • session_affinity_ttl : Time, in seconds, until this load balancers session affinity cookie expires it is created. Valid value is between [1800, 604800]. The default value is 82800.
  • steering_policy : Valid values for steering_policy are off, geo, random, dynamic_latency.
    • off : Use default_pools.
    • geo : Use region_pools/pop_pools.
    • random : Select a pool randomly.
    • dynamic_latency : Use round-trip time to select the closest pool in default_pools (requires pool health checks).

Sample JSON data:

{
      "name": "www.example.com",
      "fallback_pool": "17b5962d775c646f3f9725cbc7a53df4",
      "default_pools": [
         "17b5962d775c646f3f9725cbc7a53df4",
         "9290f38c5d07c2e2f4df57b1f61d4196"
      ],
      "description": "Example global load balancer.",
      "ttl": 60,
      "region_pools": {
         "WNAM": [
               "de90f38ced07c2e2f4df50b1f61d4194",
               "9290f38c5d07c2e2f4df57b1f61d4196"
         ],
         "ENAM": [
               "00920f38ce07c2e2f4df50b1f61d4194"
         ]
      }
}

-s, --json-str

Deprecated. The JSON data describing a global load balancer.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update the global load balancer 699d98642c564d2e855e9661899b7252 in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-update 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 --json '{"description":"Example global load balancer.","name":"www.example.com","ttl":60,"fallback_pool":"17b5962d775c646f3f9725cbc7a53df4","default_pools":["17b5962d775c646f3f9725cbc7a53df4","9290f38c5d07c2e2f4df57b1f61d4196"],"region_pools":{"WNAM":["de90f38ced07c2e2f4df50b1f61d4194","9290f38c5d07c2e2f4df57b1f61d4196"],"ENAM":["00920f38ce07c2e2f4df50b1f61d4194"]}}' -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

GLB_ID

The ID of the global load balancer. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show global load balancer 699d98642c564d2e855e9661899b7252 in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

GLB_ID

The ID of the global load balancer. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete global load balancer 699d98642c564d2e855e9661899b7252 in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-delete 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List load balancers for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glbs 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify the output format. Only JSON is supported.

Examples

List all GLB pools for instance cis-demo.

ibmcloud cis glb-pools -i "cis-demo"

Command options

--json

The JSON file or JSON string that is used to describe a GLB pool. Required.

• The required fields in JSON data are name, origins and check_regions :
  • name : A short name (tag) for the pool.
  • origins : A list of origins within this pool.
  • check_regions : A list of geographic region code.
• The optional fields are description, minimum_origins, enabled, monitor, notification_email.

Sample JSON data:

{
   "name": "us-pool",
   "description": "application server pool in US",
   "origins": [
      {
            "name": "us-app-dal01",
            "address": "1.1.1.1",
            "enabled": true,
            "header": {
               "host": ["test.com"]
            }
      },
      {
            "name": "us-app-dal02",
            "address": "2.2.2.2",
            "enabled": true,
            "header": {
               "host": ["example.com"]
            }
      }
   ],
   "minimum_origins": 1,
   "check_regions": [ "WNAM" ],
   "monitor": "f1aba936b94213e5b8dca0c0dbf1f9cc",
   "enabled": true,
   "notification_email": "someone@example.com"
}

-s, --json-str

Deprecated. The JSON data used to describe a GLB pool.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a GLB pool for instance cis-demo.

ibmcloud cis glb-pool-create --json '{"description":"application server pool in US", "name":"us-pool", "enabled":true, "check_regions":["WNAM"], "minimum_origins":1,"monitor":"f1aba936b94213e5b8dca0c0dbf1f9cc", "origins":[{"name":"us-app-dal01","address":"1.1.1.1","enabled":true,"header":{"host":["test.com"]}}, {"name":"us-app-dal02","address":"2.2.2.2","enabled":true,"header":{"host":["example.com"]}}], "notification_email":"someone@example.com"}'-i "cis-demo"

Command options

GLB_POOL_ID

The ID of the global load balancer pool. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show the details of the GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool 17b5962d775c646f3f9725cbc7a53df4 -i "cis-demo"

Command options

GLB_POOL_ID

The ID of the global load balancer pool. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool-delete 17b5962d775c646f3f9725cbc7a53df4 -i "cis-demo"

Command options

GLB_POOL_ID

The ID of the global load balancer pool. Required.

--json

The JSON file or JSON string that is used to describe a GLB pool.

• The required fields in JSON data are name, origins and check_regions :
  • name : A short name (tag) for the pool.
  • origins : A list of origins within this pool.
  • check_regions : A list of geographic region code.
• The optional fields are description, minimum_origins, enabled, monitor, notification_email.

Sample JSON data:

{
   "name": "us-pool",
   "description": "application server pool in US",
   "origins": [
      {
            "name": "us-app-dal01",
            "address": "1.1.1.1",
            "enabled": true,
            "header": {
               "host": ["example.com"]
            }
      },
      {
            "name": "us-app-dal02",
            "address": "2.2.2.2",
            "enabled": true
      }
   ],
   "minimum_origins": 1,
   "check_regions": [ "WNAM" ],
   "monitor": "f1aba936b94213e5b8dca0c0dbf1f9cc",
   "enabled": true,
   "notification_email": "someone@example.com"
}

--enable-origin

Enable the origin within the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.

--disable-origin

Disable the origin within the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.

--add-origin

Add an origin into the Pool. ORIGIN_NAME and ORIGIN_ADDRESS are required. For example, --add-origin name=us-app-dal01,address=1.1.1.1,enabled=true,weight=0.5,host=example.com

--remove-origin

Remove an origin from the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.

-s, --json-str

Deprecated. The JSON data used to describe a GLB pool.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool-update 17b5962d775c646f3f9725cbc7a53df4 --json '{"description":"application server pool in US", "name":"us-pool", "enabled":true, "check_regions":["WNAM"], "minimum_origins":1,"monitor":"f1aba936b94213e5b8dca0c0dbf1f9cc", "origins":[{"name":"us-app-dal01","address":"1.1.1.1","enabled":true,"header":{"host":["example.com"]}}, {"name":"us-app-dal02","address":"2.2.2.2","enabled":true}], "notification_email":"someone@example.com"}'-i "cis-demo"

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all GLB monitors for instance cis-demo.

ibmcloud cis glb-monitors -i "cis-demo"

Command options

--json

The JSON file or JSON string that is used to describe a GLB monitor. Required.

• The required fields in JSON data are type.
  • type : The protocol to use for the healthcheck. Valid values are HTTP, HTTPS, and TCP.
• The optional fields are description, timeout, retries, interval.
  • description : Description.
  • timeout : The timeout (in seconds) before marking the health check as failed.
  • retries : The number of retries to attempt in case of a timeout before marking the origin as unhealthy.
  • interval : The interval between each health check.
• For TCP type health check. Extra required fields are port.
  • port : The TCP port to use for the health check.
• For HTTP/HTTPS type health check. Extra option fields are port, expected_body, expected_codes, method, path, header, follow_redirects, allow_insecure.
  • port : The TCP port to use for the health check.
  • expected_body : A case-insensitive substring to look for in the response body.
  • expected_codes : The expected HTTP response code or code range of the health check.
  • method : The HTTP method to use for the health check.
  • path : The endpoint path to health check against.
  • header : The HTTP request headers to send in the health check.
  • follow_redirects : Follow redirects if returned by the origin.
  • allow_insecure : Do not validate the certificate when monitor use HTTPS.
  • probe_zone : Assign this monitor to emulate the specified zone while probing.

Sample JSON data:

For HTTP/HTTPS:

{
      "description": "Health monitor of web service",
      "type": "https",
      "method": "GET",
      "path": "/health",
      "header": {
         "Host": [
            "example.com"
         ],
         "X-App-ID": [
            "abc123"
         ]
      },
      "timeout": 5,
      "retries": 2,
      "interval": 90,
      "follow_redirects": true,
      "allow_insecure": false,
      "expected_codes": "2xx",
      "expected_body": "alive",
      "probe_zone": "example.com"
}

For TCP:

{
      "description": "Health monitor of TCP",
      "type": "tcp",
      "port": 80,
      "timeout": 5,
      "retries": 2,
      "interval": 90
}

-s, --json-str

Deprecated. The JSON data used to describe a GLB monitor.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a GLB monitors under instance cis-demo.

ibmcloud cis glb-monitor-create --json '{"type":"https", "description":"Health monitor of web service", "method":"GET", "path":"/health", "header":{"Host":["example.com"],"X-App-ID":["abc123"]}, "port":8080, "timeout":5, "retries":2, "interval":90, "expected_body":"alive", "expected_codes":"2xx", "follow_redirects":true, "allow_insecure":true}' -i "cis-demo"

Command options

GLB_MON_ID

The ID of the global load balancer monitor. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show the details of the GLB monitor f1aba936b94213e5b8dca0c0dbf1f9cc.

ibmcloud cis glb-monitor f1aba936b94213e5b8dca0c0dbf1f9cc -i "cis-demo"

Command options

GLB_MON_ID

The ID of global load balancer monitor. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete the GLB monitor f1aba936b94213e5b8dca0c0dbf1f9cc.

ibmcloud cis glb-monitor-delete f1aba936b94213e5b8dca0c0dbf1f9cc -i "cis-demo"

Command options

GLB_MON_ID

The ID of the global load balancer monitor. Required.

--json

The JSON file or JSON string that is used to describe a GLB monitor. Required.

• The required fields in JSON data are type.
  • type : The protocol to use for the healthcheck. Valid values are HTTP, HTTPS, and TCP.
• The optional fields are description, timeout, retries, interval.
  • description : Description.
  • timeout : The timeout (in seconds) before marking the health check as failed.
  • retries : The number of retries to attempt in case of a timeout before marking the origin as unhealthy.
  • interval : The interval between each health check.
• For TCP type health check. Extra required fields are port.
  • port : The TCP port to use for the health check.
• For HTTP/HTTPS type health check. Extra option fields are port, expected_body, expected_codes, method, path, header, follow_redirects, allow_insecure.
  • port : The TCP port to use for the health check.
  • expected_body : A case-insensitive substring to look for in the response body.
  • expected_codes : The expected HTTP response code or code range of the health check.
  • method : The HTTP method to use for the health check.
  • path : The endpoint path to health check against.
  • header : The HTTP request headers to send in the health check.
  • follow_redirects : Follow redirects if returned by the origin.
  • allow_insecure : Do not validate the certificate when monitor use HTTPS.
  • probe_zone : Assign this monitor to emulate the specified zone while probing.

Sample JSON data:

For HTTP/HTTPS:

{
      "description": "Health monitor of web service",
      "type": "https",
      "method": "GET",
      "path": "/health",
      "header": {
         "Host": [
            "example.com"
         ],
         "X-App-ID": [
            "abc123"
         ]
      },
      "timeout": 5,
      "retries": 2,
      "interval": 90,
      "follow_redirects": true,
      "allow_insecure": false,
      "expected_codes": "2xx",
      "expected_body": "alive",
      "probe_zone": "example.com"
}

For TCP:

{
      "description": "Health monitor of TCP",
      "type": "tcp",
      "port": 80,
      "timeout": 5,
      "retries": 2,
      "interval": 90
}

-s, --json-str

Deprecated. The JSON data used to describe a GLB monitor.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update GLB monitors f1aba936b94213e5b8dca0c0dbf1f9cc under instance cis-demo.

ibmcloud cis glb-monitor-update f1aba936b94213e5b8dca0c0dbf1f9cc --json '{"type":"https", "description":"Health monitor of web service", "method":"GET", "path":"/health", "header":{"Host":["example.com"],"X-App-ID":["abc123"]}, "port":8080, "timeout":5, "retries":2, "interval":90, "expected_body":"alive", "expected_codes":"2xx", "follow_redirects":true, "allow_insecure":true}' -i "cis-demo"

Command options

-s, --since

Start date requesting data period in the ISO8601 format. For example 2018-11-26.

-u, --until

End date requesting data period in the ISO8601 format. For example 2018-11-28.

--origin-name

The name for the origin to filter for.

--pool-name

The name for the pool to filter for.

--origin-healthy

If true, filter events where the origin status is healthy, if false, filter events where the origin status is unhealthy. The default value is true and valid values are true and false.

--pool-healthy

If true, filter events where the pool status is healthy, if false, filter events where the pool status is unhealthy. The default value is true and valid values are true and false.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get glb events in instance cis-demo.

ibmcloud cis glb-events -s "2020-05-20" -u "2020-05-22" --origin-name "dal09" --origin-healthy true -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--fields

Define the field set in return.

• This field must be specified as a comma-separated list without any whitespaces, and all fields must exist.
• The order in which fields are specified doesn't matter, and the order of fields in the response is not specified.
• The fields are expected to be case-sensitive.

--filter

Filters to drill down into specific events. Filters consist of three parts: key, operator, and value. For information about supported operators, see Using fields, functions, and expressions.

--sample

The sample rate of the records set by the client: sample: 1 is 100% of records.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

-h, --help

Get help on this command.

Examples

Create an instant log for dns-domain:

cis instant-log-create dns-domain [--fields all] [--filter FILTER] [--sample 1] [-i cis-demo]

The following are three examples of filters:

• Filter when client IP country is not Canada:

  "filter": "{\"where\":{\"and\":[{\"key\":\"ClientCountry\",\"operator\":\"neq\",\"value\":\"ca\"}]}}"

• Filter when the status code returned from CIS is either 200 or 201:

  "filter": "{\"where\":{\"and\":[{\"key\":\"EdgeResponseStatus\",\"operator\":\"in\",\"value\":\"200,201\"}]}}"

• Filter when the request path contains "/static" and the request hostname is "example.com":

  "filter": "{\"where\":{\"and\":[{\"key\":\"ClientRequestPath\",\"operator\":\"contains\",\"value\":\"/static\"}, {\"where\":{\"and\":[{\"key\":\"ClientRequestHost\",\"operator\":\"eq\",\"value\":\"example.com\"}]}}"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

-h, --help

Help on this command.

Example

Get the instant logs job for dns-domain:

cis instant-log-get dns-domain [-i cis-demo]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--available-fields

List of all available fields.

--ray-id

Lookup logs by specific Ray ID.

--fields

Define the field set in return. This field must be specified as a comma-separated list without any spaces, and all fields must exist. The order in which fields are specified doesn't matter, and the order of fields in the response is not specified. Note that fields are expected to be case sensitive.

--start

The (inclusive) beginning of the requested time frame. This can be a unix timestamp (in seconds or nanoseconds), or an absolute timestamp that conforms to RFC 3339. Currently, it cannot exceed a time in the past greater than 7 days. Default is 65 minutes earlier.

--end

The (exclusive) end of the requested time frame. This value can be a unix timestamp (in seconds or nanoseconds), or an absolute timestamp that conforms to RFC 3339. The end must be at least 5 minutes earlier than now and must be later than start. The difference between start and end must be not greater than 1h. The default is 5 minutes earlier.

--count

Number of logs to retrieve. The default value is -1.

--sample

Percentage of sampling. When a sample is provided, a sample of matching records is returned. If sample=0.1 then 10% of records are returned. The sampling is random: repeated calls not only return different records, but likely also vary slightly in the number of returned records. When count is also specified, count is applied to the number of returned records, not the sampled records. So, with sample=0.05 and count=7, when there is a total of 100 records available, approximately 5 records are returned. When there are 1000 records, 7 records are returned. When there are 10,000 records, 7 records are returned. The default value is 1.

--timestamps

Set the format in which response timestamps are returned. Valid values are unix, unixnano and rfc3339.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --available-fields
ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --ray-id 59348abde87afe50 --all-fields --timestamps rfc3339 --output JSON
ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --start 2020-05-18T12:14:58Z --end 2020-05-18T13:14:58Z --fields ClientIP,EdgeServerIP,ClientRequestHost --count 10 --sample 1 --timestamps rfc3339 --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--destination

Specify a Cloud Object Storage bucket path or a LogDNA path where data is pushed.

• Syntax for LogDNA Path: https://{LOGS_REGION_URL}?hostname={DOMAIN}&apikey={LOGDNA_INGRESS_KEY}

  Example: 'https://logs.eu-de.logging.cloud.ibm.com/logs/ingest?hostname=testv2_logpush&apikey=xxxxxx' Syntax for Cloud Object Storage Path: cos://<BUCKET_OBJECT_PATH>?region=<REGION>&instance-id=<IBM_ClOUD_OBJECT_STORAGE_INSTANCE_ID> Example: 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd' To separate logs in to daily subfolders, use the special string {DATE} in the bucket path. It is substituted with the date in YYYYMMDD format, for example '20190423'. Subfolders are created as appropriate, for example: 'cos://cis-test-bucket/logs/{DATE}?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'

--name

Job name. Required.

--enable

Enable the job. The job is disabled by default.

--fields

Define the list of log fields to be included in log files. Multiple fields can be separated by commas and use command [ibmcloud cis logpush-available-fields DNS_DOMAIN_ID] to get the comprehensive list of available log fields, or use all to include all available fields in log files. Note that fields are expected to be case sensitive.

--timestamps

Set the format in which response timestamps are returned. Valid values are unix, unixnano and rfc3339.

--dataset

The category of logs you want to receive. This value cannot be changed after the job is created. Valid values are http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.

--frequency

The frequency at which CIS sends batches of logs to your destination. Setting the frequency to high sends your logs in larger quantities of smaller files. Setting the frequency to low sends logs in smaller quantities of larger files. Valid values are high, low.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-create 31984fea73a15b45779fa0df4ef62f9b --destination cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd --name logpushcreate --enable true --fields all --timestamps rfc3339 --dataset http_requests --frequency low -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--destination

Specify a Cloud Object Storage bucket path or a LogDNA path where data is pushed. Syntax for LogDNA Path: https://{LOGS_REGION_URL}?hostname={DOMAIN}&apikey={LOGDNA_INGRESS_KEY} Example: 'https://logs.eu-de.logging.cloud.ibm.com/logs/ingest?hostname=testv2_logpush&apikey=xxxxxx' Syntax for Cloud Object Storage Path: cos://<BUCKET_OBJECT_PATH>?region=<REGION>&instance-id=<IBM_ClOUD_OBJECT_STORAGE_INSTANCE_ID> Example: 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd' To separate logs into daily subfolders, use the special string {DATE} in the bucket path. It is to be substituted with the date in YYYYMMDD format, for example '20190423'. Subfolders are created as appropriate, for example: 'cos://cis-test-bucket/logs/{DATE}?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'

--enable

Enable the job. The job is disabled by default.

--fields

Define the list of log fields to be included in log files. Multiple fields can be separated by commas and use command ibmcloud cis logpush-available-fields DNS_DOMAIN_ID to get the comprehensive list of available log fields, or use all to include all available fields in log files. Note that fields are expected to be case sensitive.

--timestamps

Set the format in which response timestamps are returned. Valid values are unix, unixnano, rfc3339.

--dataset

The category of logs you want to receive. This value cannot be changed after the job is created. Valid values are http_requests, range_events, firewall_events,dns_logs. The default value is http_requests.

--jobid

JOB_ID is the ID of the logpush job.

--frequency

The frequency at which CIS sends batches of logs to your destination. Setting the frequency to high sends your logs in larger quantities of smaller files. Setting the frequency to low sends logs in smaller quantities of larger files. Valid values are high and low.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update range_events log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-update 31984fea73a15b45779fa0df4ef62f9b --destination cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd --enable true --fields all --timestamps rfc3339 --dataset range_events --frequency high -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

-output

The output format. Currently, json is the only supported value.

Examples

Get all log push jobs for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-jobs 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

The category of logs you want to receive. This value cannot be changed after the job is created. Valid values are http_requests, range_events, firewall_events,dns_logs. The default value is http_requests.

--jobid

JOB_ID is the ID of the logpush job.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get details of http_requests log push job.

ibmcloud cis logpush-job 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

The category of logs you want to receive. This value cannot be changed after the job is created. Valid values are http_requests, range_events, firewall_events,dns_logs. The default value is http_requests.

--jobid

JOB_ID is the ID of the logpush job.

-f, --force

Delete log push job without prompting for confirmation.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete http_requests log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-delete 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo --force

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

The category of logs you want to receive. This value cannot be changed after the job is created. Valid values are http_requests, range_events, firewall_events,dns_logs. The default value is http_requests.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Get all available fields for http_requests logs.

ibmcloud cis logpush-available-fields 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get a log retention setting for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis log-retention 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--flag

Whether to turn log retention on or off. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Enable log retention for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis log-retention-update 31984fea73a15b45779fa0df4ef62f9b --flag on -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

Requested dataset. The default value is firewallEventsAdaptiveGroups.

Use the following table to identify which datasets are included in your plan and the range of historical data you can query.

Datasets included in your plan

Dataset	Trial / Standard / Standard-Next	Enterprise / Security / GLB
firewallEventsAdaptiveGroups	30 days	30 days
firewallEventsAdaptive	30 days	30 days

--filter

Filter events. The default value is the last 6 hours of data.

The following operators are supported for all filter options:

Operators supported for filter options

Operator	Comparison
gt	greater than
lt	less than
geq	greater or equal to
leq	less or equal to
neq	not equal
in	in

• firewallEventsAdaptiveGroups filter options.
  • datetime
  • datetimeFifteenMinutes
  • datetimeHour
  • datetimeFiveMinutes
  • datetimeMinute
  • matchIndex
  • sampleInterval
• The following filter options support like and notlike operators.
  • action
  • clientASNDescription
  • clientAsn
  • clientCountryName
  • clientIP
  • clientRefererHost
  • clientRefererPath
  • clientRefererQuery
  • clientRefererScheme
  • clientRequestHTTPHost
  • clientRequestHTTPMethodName
  • clientRequestHTTPProtocol
  • clientRequestPath
  • clientRequestQuery
  • clientRequestScheme
  • edgeColoName
  • edgeResponseStatus
  • kind
  • originResponseStatus
  • originatorRayName
  • rayName
  • ref
  • ruleId
  • source
  • userAgent

--order

Output order. (The default value is datetime_ASC)

The following list is usable order options for corresponding dataset and all of order options support ASC and DESC action. Combine these filter options and action with _.

For example, datetime_ASC orders by datetime ascending.

• firewallEventsAdaptiveGroups order options.
  • datetime
  • datetimeFifteenMinutes
  • datetimeHour
  • datetimeFiveMinutes
  • datetimeMinute
  • action
  • avg_sampleInterval
  • clientASNDescription
  • clientAsn
  • clientCountryName
  • clientIPClass
  • clientIP
  • clientRefererHost
  • clientRefererPath
  • clientRefererQuery
  • clientRefererScheme
  • clientRequestHTTPHost
  • clientRequestHTTPMethodName
  • clientRequestHTTPProtocol
  • clientRequestPath
  • clientRequestQuery
  • clientRequestScheme
  • count
  • edgeColoName
  • edgeResponseStatus
  • kind
  • matchIndex
  • originResponseStatus
  • originatorRayName
  • rayName
  • ref
  • ruleId
  • sampleInterval
  • source
  • userAgent
  • visibility

--limit

The number of events to return. (minimum: 1, maximum: 10000, default: 10000)

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get firewall event analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis firewall-event-analytics 31984fea73a15b45779fa0df4ef62f9b --order datetime_ASC \
     --filter "datetime_geq:2020-06-28T00:00:00Z"  --filter "datetime_leq:2020-06-29T00:00:00Z" --output json

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

Requested dataset. The default value is httpRequests1dGroups. Use the following table to identify which datasets are included in your plan and the range of historical data you can query.

Identify datasets included in your plan

Dataset	Trial / Standard / Standard-next	Enterprise / Security / GLB
httpRequests1dGroups	365 days	365 days
httpRequests1hGroups	30 days	90 days
httpRequests1mGroups	3 days	7 days

--filter

Filter events. The default value is the last 7 days data. The following operators are supported for all filter options:

Operators supported for filter options

Operator	Comparison
gt	greater than
lt	less than
geq	greater or equal to
leq	less or equal to
neq	not equal
in	in

• httpRequests1dGroups and httpRequests1hGroups filter options.

  • date

• httpRequests1mGroups filter options.

  • datetime
  • datetimeFifteenMinutes
  • datetimeHour
  • datetimeDay

--order

Output order. (The default value is datetime_ASC)

The following list is usable order options for corresponding dataset and all of order options support ASC and DESC action. Combine these order options and action with _.

For example, date_ASC orders by date ascending.

• Common order options for every http dataset.
  • orderByParams
  • date
  • sum_bytes
  • sum_cachedBytes
  • sum_cachedRequests
  • sum_requests
• httpRequests1dGroups order options.
  • avg_bytes
  • sum_encryptedBytes
  • sum_encryptedRequests
  • sum_pageViews
  • sum_threats
  • uniq_uniques
• httpRequests1hGroups order options.
  • avg_bytes
  • sum_encryptedBytes
  • sum_encryptedRequests
  • sum_pageViews
  • sum_threats
  • uniq_uniques
  • datetime
• httpRequests1mGroups order options.
  • avg_bytes
  • sum_encryptedBytes
  • sum_encryptedRequests
  • sum_pageViews
  • sum_threats
  • uniq_uniques
  • datetime
  • datetimeFifteenMinutes
  • datetimeHour
  • datetimeFifteenMinutes
  • datetimeHour
  • datetimeDay

--limit

The number of events to return. (minimum: 1, maximum: 10000, default: 10000)

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get http request analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis http-request-analytics 31984fea73a15b45779fa0df4ef62f9b --order date_ASC \
     --dataset httpRequests1dGroups --limit 500 \
     --filter "date_geq:2020-06-28"  --filter "date_leq:2020-06-29" --output json

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--recent

The beginning of the requested time frame. Valid values are 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago), 1m (1 month ago), 2m, 3m. The default value is 1w.

-t, --table

Output table. Valid values are requests, bandwidth, uniques, threats and, status_code. If this field is not set, it outputs all the tables.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get web analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis web-analytics 31984fea73a15b45779fa0df4ef62f9b --recent 1d -t requests -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

DIMENSION

The queried dimension. Valid values are queries-by-response-code, queries-by-type, queries-by-name. Required.

-s, --since

Since time to now. Valid values are 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago).

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get DNS analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-analytics 31984fea73a15b45779fa0df4ef62f9b queries-by-response-code -s 6h -i "cis-demo" --output json

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--recent

The beginning of the requested time frame. Valid values are 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago), 1m (1 month ago), 2m, 3m. The default value is 1w.

--time-delta

The time interval (seconds) of each analytic's record. Valid values are 60, 3600, 86400, 2592000. The default value is 3600.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get rate limit analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis ratelimit-analytics 31984fea73a15b45779fa0df4ef62f9b --recent 6h --time-delta 3600 -i "cis-demo" --output json

Command options

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Enable Mutual TLS for instance cis-demo.

ibmcloud cis access-enable -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all origin certificates for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis origin-certificates 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--request-type REQUEST_TYPE

Signature type that you want on the certificate. Valid values are origin-rsa and origin-ecc.

--hostnames HOSTNAME

hostname or wildcard name that is bound to the certificate.

--requested-validity DAYS

The number of days for which the certificate must be valid. The default value is 5475.

--csr CSR

The Certificate Signing Request (CSR). If this field is not set, CIS generates one.

--json value*

The JSON file or JSON string that is used to describe an origin certificate.

• The required fields in JSON data are request_type, hostnames.
  • request_type : Signature type that you want on the certificate. Valid values are origin-rsa, origin-ecc.
  • hostnames : An array of hostnames or wildcard names that are bound to the certificate.
• The optional fields are requested_validity, csr.
  • requested_validity : The number of days for which the certificate must be valid. Valid values are 0, 7, 30, 90, 365, 730, 1095, 5475.
  • csr : The Certificate Signing Request (CSR). If this field is not set, CIS generates one.

Sample JSON data:

{
   "request_type": "origin-rsa",
   "hostnames": [
      "*.example.com",
      "example.com",
],
   "requested_validity": 5475,
   "csr": "your_csr"
}

-s, --json-str

Deprecated. The JSON data that describes an origin certificate.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a CIS-signed certificate for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis origin-certificate-create 31984fea73a15b45779fa0df4ef62f9b --request-type origin-rsa --hostnames "*.example.com" --hostnames "example.com" --requested-validity 5475 --csr your_csr -i cis-demo --output JSON

ibmcloud cis origin-certificate-create 31984fea73a15b45779fa0df4ef62f9b --json '{"hostnames":["example.com","*.example.com"], "requested_validity":5475,"request_type": "origin-rsa","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIICxzCCAa8CAQAwSDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz\nY28xCzAJBgNVBAcTAkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALxejtu4b+jPdFeFi6OUsye8TYJQBm3WfCvL\nHu5EvijMO/4Z2TImwASbwUF7Ir8OLgH+mGlQZeqyNvGoSOMEaZVXcYfpR1hlVak8\n4GGVr+04IGfOCqaBokaBFIwzclGZbzKmLGwIQioNxGfqFm6RGYGA3be2Je2iseBc\nN8GV1wYmvYE0RR+yWweJCTJ157exyRzu7sVxaEW9F87zBQLyOnwXc64rflXslRqi\ng7F7w5IaQYOl8yvmk/jEPCAha7fkiUfEpj4N12+oPRiMvleJF98chxjD4MH39c5I\nuOslULhrWunfh7GB1jwWNA9y44H0snrf+xvoy2TcHmxvma9Eln8CAwEAAaA6MDgG\nCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFt\ncGxlLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAcBaX6dOnI8ncARrI9ZSF2AJX+8mx\npTHY2+Y2C0VvrVDGMtbBRH8R9yMbqWtlxeeNGf//LeMkSKSFa4kbpdx226lfui8/\nauRDBTJGx2R1ccUxmLZXx4my0W5iIMxunu+kez+BDlu7bTT2io0uXMRHue4i6quH\nyc5ibxvbJMjR7dqbcanVE10/34oprzXQsJ/VmSuZNXtjbtSKDlmcpw6To/eeAJ+J\nhXykcUihvHyG4A1m2R6qpANBjnA0pHexfwM/SgfzvpbvUg0T1ubmer8BgTwCKIWs\ndcWYTthM51JIqRBfNqy4QcBnX+GY05yltEEswQI55wdiS3CjTTA67sdbcQ==\n-----END CERTIFICATE REQUEST-----"}' -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

CERT_ID

The ID of the Origin Certificate. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get details of origin certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis origin-certificate 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

CERT_ID

The ID of Origin Certificate. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete origin certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis origin-certificate-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Show the overview information for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis overview 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--json

The JSON file or JSON string that is used to describe a page rule. Required.

• The required fields in JSON data are targets, actions :
  • targets : The target URL pattern to evaluate on a request.
  • actions : An array of actions to perform if the targets of this rule match the request. Available actions are:
    • disable_security
    • always_use_https
    • ssl
    • browser_cache_ttl
    • security_level
    • cache_level
    • edge_cache_ttl
    • bypass_cache_on_cookie
    • browser_check
    • server_side_exclude
    • email_obfuscation
    • automatic_https_rewrites
    • opportunistic_encryption
    • ip_geolocation
    • explicit_cache_control
    • cache_deception_armor
    • waf
    • forwarding_url
    • image_load_optimization
    • image_size_optimization
    • script_load_optimization
    • host_header_override
    • resolve_override
    • Some actions are limited to Enterprise plans:
      • cache_on_cookie
      • disable_apps
      • disable_performance
      • minify
      • origin_error_page_pass_thru
      • response_buffering
      • true_client_ip_header
      • sort_query_string_for_cache
      • respect_strong_etag
• The optional fields are priority and status :
  • priority: A number that indicates the preference for a page rule over another. The default value is 1.
  • status: Status of the page rule. The valid values are active and disabled (default).

Sample JSON data:

   {
   "targets": [
      {
            "target": "url",
            "constraint": {
               "operator": "matches",
               "value": "*example.com/images/*"
            }
      }
   ],
   "actions": [
      {
            "id": "ssl",
            "value": "flexible"
      },
      {
            "id": "browser_cache_ttl",
            "value": 14400
      },
      {
            "id": "security_level",
            "value": "medium"
      },
      {
            "id": "cache_level",
            "value": "basic"
      },
      {
            "id": "edge_cache_ttl",
            "value": 7200
      },
      {
            "id": "bypass_cache_on_cookie",
            "value": "wp-.*|wordpress.*|comment_.*"
      }
   ]
}

-s, --json-str

Deprecated. The JSON data describing a page rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Create a page rule for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis page-rule-create 31984fea73a15b45779fa0df4ef62f9b --json '{"targets":[{"target":"url", "constraint":{"operator": "matches", "value":"*example.com/images/*"}}], "actions":[{"id":"always_online", "value":"on"}], "priority":1, "status": "active"}' cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

PAGE_RULE_ID

The ID of page rule. Required.

--json VALUE

The JSON file or JSON string that is used to describe a page rule. Required.

• The required fields in JSON data are targets and actions :
  • targets : The target URL pattern to evaluate on a request.
  • actions : An array of actions to perform if the targets of this rule match the request. Available actions are:
    • disable_security
    • always_use_https
    • ssl
    • browser_cache_ttl
    • security_level
    • cache_level
    • edge_cache_ttl
    • bypass_cache_on_cookie
    • browser_check
    • server_side_exclude
    • email_obfuscation
    • automatic_https_rewrites
    • opportunistic_encryption
    • ip_geolocation
    • explicit_cache_control
    • cache_deception_armor
    • waf
    • forwarding_url
    • image_load_optimization
    • image_size_optimization
    • script_load_optimization
    • host_header_override
    • resolve_override
    • Some actions are limited to Enterprise plans:
      • cache_on_cookie
      • disable_apps
      • disable_performance
      • minify
      • origin_error_page_pass_thru
      • response_buffering
      • true_client_ip_header
      • sort_query_string_for_cache
      • respect_strong_etag
• The optional fields are priority and status :
  • priority : A number that indicates the preference for a page rule over another. The default value is 1.
  • status : Status of the page rule. Valid values are active and disabled. The default value is disabled.

Sample JSON data:

{
   "targets": [
      {
            "target": "url",
            "constraint": {
               "operator": "matches",
               "value": "*example.com/images/*"
            }
      }
   ],
   "actions": [
      {
            "id": "ssl",
            "value": "flexible"
      },
      {
            "id": "browser_cache_ttl",
            "value": 14400
      },
      {
            "id": "security_level",
            "value": "medium"
      },
      {
            "id": "cache_level",
            "value": "basic"
      },
      {
            "id": "edge_cache_ttl",
            "value": 7200
      },
      {
            "id": "bypass_cache_on_cookie",
            "value": "wp-.*|wordpress.*|comment_.*"
      }
   ]
}

-s, --json-str

Deprecated. The JSON data describing a page rule.

-j, --json-file

Deprecated. A file contains input JSON data.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Update page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --json '{"targets":[{"target":"url", "constraint":{"operator":"matches", "value":"*example.com/images/*"}}], "actions":[{"id":"always_online", "value":"on"}],"priority":1, "status":"active"}' -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

PAGE_RULE_ID

The ID of page rule. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

List all page rules in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis page-rules 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

PAGE_RULE_ID

The ID of page rule. Required.

-i, --instance

Instance name or ID. If instance name or ID is not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

The output format. Currently, json is the only supported value.

Examples

Get details of page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo --output JSON

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--name

The name of the DNS record for the range application.

--edge-port

Port configuration at CIS's edge. The default value is 22.

--origin-direct

Destination addresses to the origin.

--origin-lb-name

The Load Balancer name associated with the range application.

--origin-lb-port

The Load Balancer port associated with the range application. The default value is 22.

--protocol

Protocol type. Valid values are tcp and udp. UDP protocol support is in early access, request custom UDP from CIS dashboard before creating range UDP app. The default value is tcp.

--proxy-protocol

Enable Proxy Protocol to the origin. Valid values are on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.

--ip-firewall

Control whether the IP Firewall for this application is enabled. Valid values are on and off. The default value is off.

--edge-connectivity

The IP versions supported for inbound connections on a range of anycast IPs. Valid values are all, ipv4, ipv6. The default value is all.

--edge-tls

The type of TLS termination associated with the application. Valid values are off, flexible, full, strict. The default value is off.

--traffic-type

Determines how data travels from the edge to your origin. Valid values are direct, http, https. The default value is direct.

--json

The JSON file or JSON string that is used to describe a range application.

• The required fields in JSON data are protocol and dns.
  • protocol : Port configuration at CIS's edge.
  • dns : The name and type of the DNS record for the range application.
    • name : The name of the DNS record for the range application.
    • type : The type of the DNS record associated with the application. Valid value is CNAME.
• The optional fields are origin_direct, origin_dns, origin_port, proxy_protocol, ip_firewall, edge_ips, tls, and traffic_type.
  • origin_direct : A list of destination addresses to the origin.
  • origin_dns : Method and parameters that are used to discover the origin server address via DNS.
    • name : DNS record name.
  • origin_port : The destination port at the origin.
  • proxy_protocol : Enable the Proxy Protocol to the origin. Valid values are on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.
  • ip_firewall : Control whether the IP Firewall for this application is enabled. Valid values are on and off.
  • edge_ips : The anycast edge IP configuration for the hostname of this application.
    • type : The type of edge IP configuration specified. Dynamically allocated edge IPs use range anycast IPs in accordance with the connectivity you specify. Valid value is dynamic.
    • connectivity : The IP versions supported for inbound connections on a range of anycast IPs. Valid values: all, ipv4, ipv6.
  • tls: The type of TLS termination associated with the application. Valid values are off, flexible, full, and strict.
  • traffic_type : Determines how data travels from the edge to your origin. When set to direct, range sends traffic directly to your origin, and the application's type is derived from the protocol. When set to http or https, range applies CIS's HTTP/HTTPS features as it sends traffic to your origin, and the application type matches this property exactly. Valid values are direct, http, and https. The default value is direct.

Sample JSON data:

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
   },
   "origin_direct": [
      "tcp://1.2.3.4:22",
      "tcp://1.2.3.4:23",
      "tcp://1.2.3.4:24"
   ],
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "glb.example.com"
   },
   "origin_dns": {
      "name": "name-to-glb.example.com"
   },
   "origin_port": 22,
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}