Deploying rule sets
You can deploy rule sets at the zone or instance level by using the CLI or API.
Deployment workflow
Use the following workflow to deploy a managed ruleset to a phase at the zone level:
- Get your zone ID.
- Run the List zone rulesets operation to obtain the available rulesets.
- Find the ruleset ID of the managed ruleset you wish to deploy.
- Identify the phase where you want to deploy the managed ruleset. Ensure that the managed ruleset belongs to the same phase where you want to deploy it.
- Add a rule to the zone-level phase entry point ruleset that executes the managed ruleset.
Deploying rule sets from the CLI
You can deploy rule sets from the CLI.
Listing rule sets from the CLI
To list all zone rule sets from the CLI, run the following command:
ibmcloud cis managed-waf rulesets DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]
Where:
- DNS_DOMAIN_ID is the ID of the domain.
- -i, --instance value is the instance name or ID.
- --output value specifies the output format; only JSON is supported.
Updating deployed rule set from the CLI
To update a rule set that has been deployed by using the CLI, run the following command:
ibmcloud cis managed-waf deployment-add-ruleset DNS_DOMAIN_ID RULESET_ID [--match EXPRESSION] [--enabled true|false] [--override-action ACTION] [--override-status STATUS] [--paranoia-level LEVEL] [--override-rules RULE] [-i, --instance INSTANCE] [--output FORMAT]
Where:
- DNS_DOMAIN_ID is the ID of the domain.
- --match value is the conditions that must be matched for the rule to run. See fields and expressions for a list of values to match.
- --enabled value indicates if the rule is active. The default is true.
- --override-action value is the ruleset action of any overrides. Valid values are managed_challenge, block, js_challenge, log, challenge.
- --paranoia-level value is the OWASP paranoia level. Valid values are PL1, PL2, PL3, PL4. This is only available for the CIS OWASP Core Ruleset.
- --override-rules value is the rules options of the overrides. For example, --override-rules rule=RULE_ID,action=ACTION,enabled=STATUS.
- -i, --instance value is the instance name or ID.
- --output value specifies the output format; only JSON is supported.
Deploying rule sets with the API
You can deploy rule sets from the API.
Listing rule sets from the API
To list all zone rule sets from the API, run the following command:
curl -X GET \
https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets \
-H 'content-type: application/json' \
-H 'accept: application/json' \
-H 'x-auth-user-token: Bearer xxxxxx'
Updating entry point rule set from the API
To update the entry point rule set from the API, run the following command:
curl -X PUT \
https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets/phases/$RULESET_PHASE/entrypoint \
-H 'content-type: application/json' \
-H 'accept: application/json' \
-H 'x-auth-user-token: Bearer xxxxxx' \
-d '{"rules":[{"action":"execute","action_parameters":{"id":"4814384a9e5d4991b9815dcfc25d2f1f"},"expression":"true","description":"Execute WAF OWASP ruleset"}]}'
Where:
- $RULESET_PHASE is the rule set phase that will be deployed. Use http_request_firewall_managed to deploy managed WAF rule sets.
- -d is the object of attributes that are required to create the rule set.
  - rules is the array of rules to deploy with the rule set. For example:
    - action is the action for the rule to take. See Rules actions for a description of actions that can be used.
    - action_parameters is the object for defining what the action should operate on.
      - id is the ID of the ruleset to execute. This ID is retrieved from the list zone rulesets operation.
    - expression is the condition under which the rule will run. Using true means that this rule will always run.
    - description defines the summary of what your rule is accomplishing.
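The deployment workflow and the entry point request body described above can be tied together in a short script. This is an added example, not IBM's code: it picks a managed ruleset out of a list response, refuses to continue if the ruleset's phase differs from the target phase, and builds the -d body. The response field names (result, id, name, kind, phase), the IDs, and the function names are assumptions made for illustration.

```python
import json

# Constructed sample of a list zone rulesets response. The field names
# (result, id, name, kind, phase) are an assumed response shape, and the IDs
# and the phase "example_other_phase" are placeholders made up for this example.
SAMPLE_LIST_RESPONSE = json.dumps({"result": [
    {"id": "EXAMPLE_ID_OWASP", "name": "CIS OWASP Core Ruleset",
     "kind": "managed", "phase": "http_request_firewall_managed"},
    {"id": "EXAMPLE_ID_OTHER", "name": "Example other ruleset",
     "kind": "managed", "phase": "example_other_phase"},
    {"id": "EXAMPLE_ID_ZONE", "name": "Example entry point",
     "kind": "zone", "phase": "http_request_firewall_managed"},
]})


def find_managed_ruleset(list_response: str, name: str) -> dict:
    """Return the single managed ruleset with this exact name, or raise."""
    rulesets = json.loads(list_response).get("result", [])
    matches = [r for r in rulesets
               if r.get("kind") == "managed" and r.get("name") == name]
    if len(matches) != 1:
        raise LookupError(
            f"expected one managed ruleset named {name!r}, found {len(matches)}")
    return matches[0]


def build_entrypoint_body(ruleset: dict, phase: str, expression: str = "true") -> str:
    """Build the -d body for the entry point PUT; reject a phase mismatch."""
    if ruleset.get("phase") != phase:
        raise ValueError(
            f"ruleset {ruleset.get('id')} belongs to phase "
            f"{ruleset.get('phase')!r}, not {phase!r}")
    rule = {
        "action": "execute",
        "action_parameters": {"id": ruleset["id"]},
        "expression": expression,
        "description": f"Execute {ruleset['name']}",
    }
    return json.dumps({"rules": [rule]})


if __name__ == "__main__":
    selected = find_managed_ruleset(SAMPLE_LIST_RESPONSE, "CIS OWASP Core Ruleset")
    print(build_entrypoint_body(selected, "http_request_firewall_managed"))
```

The printed JSON is what would be passed to curl with -d in the entry point request; the phase check runs before any request is sent.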