CIS CLI reference

IBM Cloud® Internet Services has several families of commands that are available from the command line interface (CLI). Find the full set of commands for IBM Cloud Internet Services (CIS) within each set, such as Create, Delete, and Update.

Before you begin

  1. Download the IBM CLI.

  2. Log in to IBM Cloud.

    ibmcloud login -a
    
  3. Install the CIS CLI plug-in.

    ibmcloud plugin install cis
    
  4. Set the context instance.

    ibmcloud cis instance-set <instance-name>
    

To see a list of plug-ins and which versions are installed, run this command.

ibmcloud plugin list

The list returns whether the CLI has any updates available. Run the following command to update the CIS CLI plug-in.

ibmcloud plugin update cis

To learn about installing and configuring the IBM Cloud CLI, see Getting started with the IBM Cloud CLI.

Access application

ibmcloud cis access-app-create

Create an access application for a DNS domain (Enterprise plan only).

ibmcloud cis access-app-create DNS_DOMAIN_ID --name NAME --domain DOMAIN [--session-duration SESSION_DURATION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create an access application for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-app-create 31984fea73a15b45779fa0df4ef62f9b --name exampleCreate --domain example.com --session-duration 12h -i cis-demo

ibmcloud cis access-apps

List all access applications for a DNS domain (Enterprise plan only).

ibmcloud cis access-apps DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all access applications for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-apps 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

ibmcloud cis access-app

Show details of an access application (Enterprise plan only).

ibmcloud cis access-app DNS_DOMAIN_ID ACCESS_APPLICATION_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details of access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

ibmcloud cis access-app-update

Update an access application (Enterprise plan only).

ibmcloud cis access-app-update DNS_DOMAIN_ID ACCESS_APPLICATION_ID --name NAME --domain DOMAIN [--session-duration SESSION_DURATION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
--name
The name of the Application. Required.
--domain
The domain and path that Access blocks. Required.
--session-duration
Defines the amount of time that the tokens issued for this application are valid. Valid values: 30m, 6h, 12h, 24h, 168h, 730h.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --name exampleUpdate --domain example.com --session-duration 24h -i cis-demo

ibmcloud cis access-app-delete

Delete an access application (Enterprise plan only).

ibmcloud cis access-app-delete DNS_DOMAIN_ID ACCESS_APPLICATION_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-app-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Access certificate

ibmcloud cis access-certificate-create

Create an access certificate for a DNS domain (Enterprise plan only).

ibmcloud cis access-certificate-create DNS_DOMAIN_ID --name NAME --ca-cert-file CERT_FILE [--associated-hostnames ASSOCIATED_HOSTNAMES] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--name
The name of the Certificate. Required.
--ca-cert-file
The Root CA file for your certificates. Required.
--associated-hostnames
The hostnames that are prompted for this certificate.
ACCESS_APPLICATION_ID
The ID of the access application.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Create an access certificate for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificate-create 31984fea73a15b45779fa0df4ef62f9b --name example --ca-cert-file CERT_FILE --associated-hostnames example.com  -i cis-demo

ibmcloud cis access-certificates

List all access certificates for a DNS domain (Enterprise plan only).

ibmcloud cis access-certificates DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all access certificates for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

ibmcloud cis access-certificate

Show details of an access certificate (Enterprise plan only).

ibmcloud cis access-certificate DNS_DOMAIN_ID ACCESS_CERTIFICATE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_CERTIFICATE_ID
The ID of the access certificate. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details of access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

ibmcloud cis access-certificate-update

Update an access certificate (Enterprise plan only).

ibmcloud cis access-certificate-update DNS_DOMAIN_ID ACCESS_CERTIFICATE_ID --name NAME --associated-hostnames ASSOCIATED_HOSTNAMES [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_CERTIFICATE_ID
The ID of the access certificate. Required.
--name
The name of the Certificate. Required.
--associated-hostnames
The hostnames that are prompted for this certificate. Required. The associated hostnames are reset if not specified by associated-hostnames.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update the access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --name example  --associated-hostnames example.com -i cis-demo

ibmcloud cis access-certificate-delete

Delete an access certificate (Enterprise plan only).

ibmcloud cis access-certificate-delete DNS_DOMAIN_ID ACCESS_CERTIFICATE_ID [-i, --instance INSTANCE]

You must clear the associated hostnames before you delete the certificate.

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_CERTIFICATE_ID
The ID of the access certificate. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete the access certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-certificate-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

ibmcloud cis access-certificates-settings

Get access certificates settings for a DNS domain (Enterprise plan only).

ibmcloud cis access-certificates-settings DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get access certificates settings for Domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates-settings 31984fea73a15b45779fa0df4ef62f9b -i cis-demo

ibmcloud cis access-certificates-settings-update

Update access certificates settings for a DNS domain (Enterprise plan only).

ibmcloud cis access-certificates-settings-update DNS_DOMAIN_ID (-f, --feature FEATURE) (-v, --value VALUE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-f, --feature
Feature of certificates settings. Valid values:
client_certificate_forwarding
The client certificate payload and its SHA256 signature are forwarded to origin servers through CF-Client-Cert-DER_BASE64 and CF-Client-Cert-SHA256 headers.
-v, --value
The value set to the feature for certificates.
client_certificate_forwarding
Specify, for each hostname, whether to forward the client certificate. For example, -v host1=on,host2=on,host3=off.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update access certificates settings for Domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis access-certificates-settings-update 31984fea73a15b45779fa0df4ef62f9b -f client_certificate_forwarding -v mtls1.example.com=on,mtls2.example.com=off -i cis-demo
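
An origin-side check for the two headers that client_certificate_forwarding adds, as an added example that is not part of the IBM documentation. It assumes CF-Client-Cert-SHA256 carries the hex SHA-256 digest of the DER bytes in CF-Client-Cert-DER_BASE64; check_forwarded_cert, its return codes, and the pinned-fingerprint arguments are hypothetical names.

```shell
#!/bin/sh
# Added example (not IBM code): validate forwarded client-certificate headers
# at the origin and pin the certificate to an allow-list of fingerprints.
# Assumption: the SHA256 header is the hex SHA-256 digest of the decoded DER.

# sha256_hex FILE -> lowercase hex SHA-256 digest of FILE
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# normalize_fp STRING -> lowercase hex with ':' separators and whitespace removed
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# check_forwarded_cert DER_B64 SHA256_HEADER PINNED_FP...
# Return codes:
#   0  headers are consistent and the certificate is pinned
#   2  malformed input (bad base64, empty payload, or bad digest format)
#   3  SHA256 header does not match the forwarded certificate bytes
#   4  certificate is well-formed but not in the pinned list
check_forwarded_cert() {
    der_b64=$1
    claimed=$(normalize_fp "$2")
    shift 2

    # The claimed digest must be exactly 64 hex characters.
    case "$claimed" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#claimed}" -eq 64 ] || return 2

    # Decode to a temp file so a base64 failure is visible in the exit status.
    tmp=$(mktemp) || return 2
    if ! printf '%s' "$der_b64" | base64 -d >"$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    actual=$(sha256_hex "$tmp")
    rm -f "$tmp"

    # The two headers must describe the same certificate.
    if [ "$actual" != "$claimed" ]; then
        return 3
    fi

    # Pin against the digest computed here, never the claimed header value.
    for pin in "$@"; do
        if [ "$(normalize_fp "$pin")" = "$actual" ]; then
            return 0
        fi
    done
    return 4
}
```

Run a check like this only on requests that can reach the origin solely through CIS, because a client that connects to the origin directly can set both headers itself.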

Access policy

ibmcloud cis access-policy-create

Create an access policy for an access application (Enterprise plan only).

ibmcloud cis access-policy-create DNS_DOMAIN_ID ACCESS_APPLICATION_ID --name NAME --decision DECISION --include INCLUDE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
--name
The name of the policy. Required.
--decision
Defines the action Access takes if the policy matches the user. Valid values: non_identity. Required.
--include
The included rule of the policy. Valid values: certificate, common_name. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create an access policy for access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-policy-create 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --name examplePolicy --decision non_identity --include certificate --include common_name=test -i cis-demo

ibmcloud cis access-policies

List all access policies for an access application (Enterprise plan only).

ibmcloud cis access-policies DNS_DOMAIN_ID ACCESS_APPLICATION_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all access policies for access application a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis access-policies 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

ibmcloud cis access-policy

Show details of an access policy (Enterprise plan only).

ibmcloud cis access-policy DNS_DOMAIN_ID ACCESS_APPLICATION_ID ACCESS_POLICY_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
ACCESS_POLICY_ID
The ID of the access policy. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details of access policy 65fe21071877669cc69544642bc6c4c4.

ibmcloud cis access-policy 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 65fe21071877669cc69544642bc6c4c4 -i cis-demo

ibmcloud cis access-policy-delete

Delete an access policy (Enterprise plan only).

ibmcloud cis access-policy-delete DNS_DOMAIN_ID ACCESS_APPLICATION_ID ACCESS_POLICY_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
ACCESS_APPLICATION_ID
The ID of the access application. Required.
ACCESS_POLICY_ID
The ID of the access policy. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete access policy 65fe21071877669cc69544642bc6c4c4.

ibmcloud cis access-policy-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 65fe21071877669cc69544642bc6c4c4 -i cis-demo

Cache

Manipulate how the cache performs by using the following cache commands:

ibmcloud cis cache-purge

Clear the cached assets file by file or entirely for a DNS domain to guarantee that the served assets are updated.

ibmcloud cis cache-purge DNS_DOMAIN_ID (--all | --file file1 --file file2...|--tag tag1 --tag tag2...|--host host1 --host host...| --prefix prefix1 --prefix prefix2...) [-f, --force] [-i, --instance INSTANCE_NAME]  [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--all
Purge all cached files. This option is mutually exclusive with --file.
--file
Granularly remove one or more files by specifying URLs. This option is mutually exclusive with --all.
--tag
Granularly remove one or more files by the associated Cache-Tag (Enterprise plan only). This option is mutually exclusive with --all.
--host
Granularly remove one or more files by specifying the host (Enterprise plan only). This option is mutually exclusive with --all.
--prefix
Granularly remove one or more files by a prefix (Enterprise plan only). This option is mutually exclusive with --all.
-f, --force
Purge all cached files without prompting for confirmation.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set is used.
--output
Specify output format, only JSON is supported.

Examples

Clear all cached assets for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-purge 31984fea73a15b45779fa0df4ef62f9b --all --force -i "cis-demo"

ibmcloud cis cache-settings

Get caching settings for a DNS domain.

ibmcloud cis cache-settings DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set is used.
--output
Specify output format, only JSON is supported.

Examples

Get caching settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-settings 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis cache-settings-update

Update cache settings for a given DNS domain.

ibmcloud cis cache-settings-update DNS_DOMAIN_ID [--caching-level LEVEL] [--browser-expiration EXPIRATION] [--development-mode (on | off)] [--serve-stale-content (on | off)] [--query-string-sort (on | off)] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--caching-level

Specify under what URL conditions you want to deliver cached assets to the user. Valid values: no-query-string, query-string-independent, query-string-dependent.

  • no-query-string: Delivers resources from cache only when no query string is present.
  • query-string-independent: Delivers the same resource to everyone independent of the query string.
  • query-string-dependent: Delivers a different resource each time the query string changes.
--browser-expiration

Specify how long you want the user's browser to store cached assets.

  • Valid values are: respect-existing-header, 30s, 1M, 5M, 20M, 30M, 1h, 2h, 4h, 8h, 16h, 1d, 3d, 8d, 16d, 1m, 6m, 1y.
  • 30s, 1M, 5M, and 20M are only available for Enterprise or Security plan instances.
  • 30s means 30 seconds.
  • 30M means 30 minutes.
  • 1h means 1 hour.
  • 1d means 1 day.
  • 1m means 1 month.
  • 1y means 1 year.
--development-mode

Bypass all edge caches and send traffic toward your origin servers.

--serve-stale-content

Continue serving cached content to users when origin servers are offline, even if the content is expired.

--query-string-sort

In the cache, CIS treats files with the same query strings as the same file, regardless of the order of the query strings.

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set is used.
--output
Specify output format, only JSON is supported.

Examples

Update caching settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis cache-settings-update 31984fea73a15b45779fa0df4ef62f9b --caching-level no-query-string --browser-expiration 1h -i "cis-demo"

Custom page

Manipulate how the Custom Page performs by using the following custom-page commands:

ibmcloud cis custom-page-update

Update a specific custom page.

ibmcloud cis custom-page-update PAGE_ID PAGE_URL [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

PAGE_ID
The name of the Custom Page type. Valid values: basic_challenge, country_challenge, ip_block, ratelimit_block, serve_stale_content, under_attack, waf_block, waf_challenge, 1000_errors, 500_errors. Required.
PAGE_URL
A URL that is associated with the Custom Page. For example, http://www.example.com/example.html. Value default means to use the default page. Required.
-d, --domain
DNS Domain ID.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update basic_challenge page for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-page-update "basic_challenge" "http://www.example.com/example.html" -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis custom-page

Retrieve a specific custom page.

ibmcloud cis custom-page PAGE_ID [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

PAGE_ID
The name of the Custom Page type. Valid values: basic_challenge, country_challenge, ip_block, ratelimit_block, serve_stale_content, under_attack, waf_block, waf_challenge, 1000_errors, 500_errors. Required.
-d, --domain
DNS Domain ID.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get basic_challenge page for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-page "basic_challenge" -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis custom-pages

Retrieve a list of currently existing custom pages.

ibmcloud cis custom-pages [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

-d, --domain
DNS Domain ID.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List existing custom pages for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis custom-pages -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

DNS record

Manipulate how the DNS Record performs by using the following dns-record commands:

ibmcloud cis dns-record-create

Create a DNS record for a domain of a service instance.

ibmcloud cis dns-record-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis dns-record-create DNS_DOMAIN_ID --type TYPE --name NAME --content CONTENT [--ttl TTL] [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis dns-record-create DNS_DOMAIN_ID --json-str JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis dns-record-create DNS_DOMAIN_ID --json-file JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--name

DNS record name.

--type

DNS record type.

--content

DNS record content.

--ttl

Time to live for DNS record. A value of 1 is automatic. The default value is 1.

--proxied

Control whether or not traffic flows through the security and performance functions on CIS. CIS proxies only traffic for A, AAAA, and CNAME records. Valid values: true, false.

--json

The JSON file or JSON string that is used to describe a DNS Record. Supported DNS Record types are: A, AAAA, CNAME, NS, TXT, MX, LOC, SRV, CAA, PTR.

  • For type A, AAAA, CNAME, NS, TXT:
    • The required fields in JSON data are name, type, content.
    • The optional fields are ttl, proxied:
      • proxied: Controls whether traffic flows through the security and performance functions on CIS. CIS proxies only traffic for A, AAAA, and CNAME records.

Sample JSON data:

{
   "name": "testA",
   "type": "A",
   "content": "127.0.0.1",
   "proxied": true
}

{
   "name": "testAAAA",
   "type": "AAAA",
   "content": "2001:0db8:0012:0001:3c5e:7354:0000:5db1",
   "proxied": false
}

{
   "name": "testCNAME",
   "type": "CNAME",
   "content": "example.com"
}

{
   "name": "testNS",
   "type": "NS",
   "content": "ns1.example.com"
}

{
   "name": "testTXT",
   "type":"TXT",
   "content": "text information"
}

  • For type PTR:
    • The required fields in JSON data are name, type, content.
    • The optional field is ttl.

Sample JSON data:

{
 "name": "1.2.3.4",
 "type":"PTR",
 "content": "abc.test.com"
}
  • For type MX:
    • The required fields in JSON data are name, type, content.
    • The optional fields are ttl, priority.

Sample JSON data:

{
   "name": "testMX",
   "type": "MX",
   "content": "smtp.example.com",
   "priority": 10
}
  • For type LOC:
    • The required fields in JSON data are name, type, data:
      • data:
        • lat_degrees: Degrees of latitude.
        • lat_minutes: Minutes of latitude.
        • lat_seconds: Seconds of latitude.
        • lat_direction: Latitude direction.
        • long_degrees: Degrees of longitude.
        • long_minutes: Minutes of longitude.
        • long_seconds: Seconds of longitude.
        • long_direction: Longitude direction.
        • altitude: Altitude of location in meters.
        • size: Size of location in meters.
        • precision_horz: Horizontal precision of location.
        • precision_vert: Vertical precision of location.
    • The optional field is ttl.

Sample JSON data:

{
   "name": "testLOC",
   "type": "LOC",
   "data": {
         "lat_degrees": 45,
         "lat_minutes": 0,
         "lat_seconds": 0,
         "lat_direction": "N",
         "long_degrees": 45,
         "long_minutes": 0,
         "long_seconds": 0,
         "long_direction": "E",
         "altitude": 20,
         "size": 0,
         "precision_horz": 0,
         "precision_vert": 0
   }
}
  • For type SRV:
    • The required fields in JSON data are type, data:
      • data:
        • service: A service type, prefixed with an underscore.
        • proto: A valid protocol.
        • priority: Priority.
        • weight: The record weight.
        • port: The port of the service.
        • target: A valid hostname.
    • The optional field is ttl.

Sample JSON data:

{
   "type": "SRV",
   "data": {
         "service": "_ftp",
         "proto": "_tcp",
         "name": "testSRV",
         "priority": 1,
         "weight": 1,
         "port": 21,
         "target": "example.com"
   }
}
  • For type CAA:
    • The required fields in JSON data are name, type, and data.
    • The optional field is ttl.

Sample JSON data:

{
   "name": "testCAA.yourdomain.com",
   "type": "CAA",
   "data": {
         "tag": "issue",
         "value": "letsencrypt.org"
   }
}
-s, --json-str
Deprecated. The JSON data used to describe a DNS Record.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set is used.
--output
Specify output format, only JSON is supported.

Examples

Create a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-create 31984fea73a15b45779fa0df4ef62f9b --json '{"name": "testCNAME", "type": "CNAME", "content": "example.com"}' -i "cis-demo"
ibmcloud cis dns-record-create 31984fea73a15b45779fa0df4ef62f9b --type A --name testA --content "127.0.0.1" -i "cis-demo"

ibmcloud cis dns-record-update

Update a DNS record for a domain of a service instance.

ibmcloud cis dns-record-update DNS_DOMAIN_ID DNS_RECORD_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis dns-record-update DNS_DOMAIN_ID DNS_RECORD_ID [--type TYPE] [--name NAME] [--content CONTENT] [--proxied PROXIED] [--ttl TTL] [--output FORMAT]
[Deprecated] ibmcloud cis dns-record-update DNS_DOMAIN_ID DNS_RECORD_ID --json-str JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis dns-record-update DNS_DOMAIN_ID DNS_RECORD_ID --json-file JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

DNS_RECORD_ID

The ID of the DNS record. Required.

--name

DNS record name.

--type

DNS record type.

--content

DNS record content.

--ttl

Time to live for DNS record. A value of 1 is automatic. The default value is 1.

--proxied

Control whether or not traffic flows through the security and performance functions on CIS. CIS proxies traffic only for A, AAAA, and CNAME records. Valid values: true, false.

--json

The JSON file or JSON string that is used to describe a DNS Record. Supported DNS Record types are: A, AAAA, CNAME, NS, TXT, MX, LOC, SRV, CAA, PTR.

  • For type A, AAAA, CNAME, NS, TXT:
    • The required fields in JSON data are name, type, content.
    • The optional fields are ttl, proxied:
      • proxied: Controls whether or not traffic flows through the security and performance functions on CIS. CIS proxies only traffic for A, AAAA, and CNAME records.

Sample JSON data:

{
   "name": "testA",
   "type": "A",
   "content": "127.0.0.1",
   "proxied": true
}

{
   "name": "testAAAA",
   "type": "AAAA",
   "content": "2001:0db8:0012:0001:3c5e:7354:0000:5db1",
   "proxied": false
}

{
   "name": "testCNAME",
   "type": "CNAME",
   "content": "example.com"
}

{
   "name": "testNS",
   "type": "NS",
   "content": "ns1.example.com"
}

{
   "name": "testTXT",
   "type":"TXT",
   "content": "text information"
}

  • For type PTR:
    • The required fields in JSON data are name, type, content.
    • The optional field is ttl.

Sample JSON data:

{
 "name": "1.2.3.4",
 "type":"PTR",
 "content": "abc.test.com"
}
  • For type MX:

    • The required fields in JSON data are name, type, content.
    • The optional fields are ttl, priority.

    Sample JSON data:

{
   "name": "testMX",
   "type": "MX",
   "content": "smtp.example.com",
   "priority": 10
}
  • For type LOC:

    • The required fields in JSON data are name, type, data:
      • data:
        • lat_degrees: Degrees of latitude.
        • lat_minutes: Minutes of latitude.
        • lat_seconds: Seconds of latitude.
        • lat_direction: Latitude direction.
        • long_degrees: Degrees of longitude.
        • long_minutes: Minutes of longitude.
        • long_seconds: Seconds of longitude.
        • long_direction: Longitude direction.
        • altitude: Altitude of location in meters.
        • size: Size of location in meters.
        • precision_horz: Horizontal precision of location.
        • precision_vert: Vertical precision of location.
    • The optional field is ttl.

    Sample JSON data:

{
   "name": "testLOC",
   "type": "LOC",
   "data": {
         "lat_degrees": 45,
         "lat_minutes": 0,
         "lat_seconds": 0,
         "lat_direction": "N",
         "long_degrees": 45,
         "long_minutes": 0,
         "long_seconds": 0,
         "long_direction": "E",
         "altitude": 20,
         "size": 0,
         "precision_horz": 0,
         "precision_vert": 0
   }
}
  • For type SRV:

    • The required fields in JSON data are type, data:
      • data:
        • service: A service type, prefixed with an underscore.
        • proto: A valid protocol.
        • priority: Priority.
        • weight: The record weight.
        • port: The port of the service.
        • target: A valid hostname.
    • The optional field is ttl.

    Sample JSON data:

{
   "type": "SRV",
   "data": {
         "service": "_ftp",
         "proto": "_tcp",
         "name": "testSRV",
         "priority": 1,
         "weight": 1,
         "port": 21,
         "target": "example.com"
   }
}
  • For type CAA:

    • The required fields in JSON data are name, type, and data.
    • The optional field is ttl.

    Sample JSON data:

{
   "name": "testCAA.yourdomain.com",
   "type": "CAA",
   "data": {
         "tag": "issue",
         "value": "letsencrypt.org"
   }
}
-s, --json-str
Deprecated. The JSON data used to describe a DNS Record.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set is used.
--output
Specify output format, only JSON is supported.

Examples

Update a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-update 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 --json '{"name": "testCNAME", "type": "CNAME", "content": "example.com"}' -i "cis-demo"
ibmcloud cis dns-record-update 31984fea73a15b45779fa0df4ef62f9b 417e8605a72d3e085020b82c93cd7f82 --type A --name testA --content "127.0.0.1" -i "cis-demo"

ibmcloud cis dns-record

Get the details of a DNS record for a domain under a service instance.

ibmcloud cis dns-record DNS_DOMAIN_ID DNS_RECORD_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
DNS_RECORD_ID
The ID of the DNS record. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get the details of a DNS record in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 -i "cis-demo"

ibmcloud cis dns-record-delete

Delete a DNS record for a domain of a service instance.

ibmcloud cis dns-record-delete DNS_DOMAIN_ID DNS_RECORD_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
DNS_RECORD_ID
The ID of the DNS record. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete a DNS record in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-record-delete 31984fea73a15b45779fa0df4ef62f9b 77335b17ce1853d0d76e08a8379a0376 -i "cis-demo"

ibmcloud cis dns-records

List all DNS records for a domain of a service instance.

ibmcloud cis dns-records DNS_DOMAIN_ID [--type TYPE] [--name NAME] [--content CONTENT] [--page PAGE] [--per-page PER_PAGE] [--order ORDER] [--direction DIRECTION] [--match MATCH] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--type
Type of DNS records to display.
--name
Value of name field to filter by.
--content
Value of content field to filter by.
--page
Page number of paginated results.
--per-page
Maximum number of DNS records per page.
--order
Field by which to order the list of DNS records. Valid values are type, name, content, ttl, proxied.
--direction
Direction in which to order the results (ascending or descending order). Valid values are asc, desc.
--match
Whether to match all or at least one search parameter. Valid values are any, all.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all DNS records in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis dns-records-import

Import your BIND config.

ibmcloud cis dns-records-import DNS_DOMAIN_ID --file FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--file
BIND config to import. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Import BIND config in the domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records-import 31984fea73a15b45779fa0df4ef62f9b --file bind_config_file.txt -i "cis-demo"

ibmcloud cis dns-records-export

Export BIND config.

ibmcloud cis dns-records-export DNS_DOMAIN_ID [--file FILE] [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--file
The BIND config file that saves exported DNS records.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Export BIND config for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-records-export 31984fea73a15b45779fa0df4ef62f9b --file bind_config_file.txt -i "cis-demo"

Domain

Manipulate domains by using the following domain commands.

ibmcloud cis domain-add

Add a domain.

ibmcloud cis domain-add DNS_DOMAIN_NAME [-i, --instance INSTANCE] [--output FORMAT]

Command options

type

Specify the domain type setup. Valid values: full, partial (default full).

  • full: A full zone implies that the DNS is hosted.
  • partial: A partial zone implies a CNAME setup domain.
jump-start

Automatically attempt to fetch existing DNS records.

DNS_DOMAIN_NAME

The FQDN of the DNS domain. Required.

-i, --instance

Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Add a domain test.com in instance cis-demo.

ibmcloud cis domain-add "test.com" -i "cis-demo"

ibmcloud cis domain-resume

Resume the domain.

ibmcloud cis domain-resume DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Resume the specified domain.

ibmcloud cis domain-resume 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis domain-pause

Pause the domain.

ibmcloud cis domain-pause DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Pause the specified domain.

ibmcloud cis domain-pause 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis domain

Display the domain details.

ibmcloud cis domain DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Display the specified domain details.

ibmcloud cis domain 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis domain-remove

Remove a domain.

ibmcloud cis domain-remove DNS_DOMAIN_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Remove the specified domain.

ibmcloud cis domain-remove 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis domains

List domains for a service instance.

ibmcloud cis domains [--instance INSTANCE_NAME] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List domains for the specified instance cis-demo.

ibmcloud cis domains -i "cis-demo"

ibmcloud cis domain-activation-check

Check the activation on the domain.

ibmcloud cis domain-activation-check DNS_DOMAIN_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Perform activation check on the specified domain.

ibmcloud cis domain-activation-check 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Domain settings

Manipulate domain settings by using the following domain-settings commands:

ibmcloud cis domain-settings

Get details of a feature for the domain.

ibmcloud cis domain-settings DNS_DOMAIN_ID [-g, --group GROUP | -f, --feature FEATURE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-g, --group
Display features in the same group. Valid values for group are all, domain, reliability, performance, security. This option is mutually exclusive with -f, --feature.
-f, --feature
Feature of domain settings to check. This option is mutually exclusive with -g, --group. Valid values are as follows:
  • always_use_https: Redirect all requests with scheme http to https. This setting applies to all HTTP requests to the domain.
  • automatic_https_rewrites: Help fix mixed content by changing http to https for all resources or links on your website that can be served with HTTPS.
  • bot_management: Detect and mitigate bot traffic on your domain.
  • brotli: When the client that is requesting an asset supports the brotli compression algorithm, CIS serves a brotli compressed version of the asset.
  • browser_check: Evaluate HTTP headers from your visitors' browser for threats. If a threat is found, then a block page is delivered.
  • challenge_ttl: Specify how long a visitor with a bad IP reputation is allowed access to your website after they complete a challenge.
  • ciphers: An allowlist of ciphers for TLS termination in the BoringSSL format. This command lists ciphers that are allowlisted by customers. If no ciphers are allowlisted, the list is empty and the default ciphers are used. See Edge cipher suites and Origin cipher suites for the list of default ciphers.
  • cname_flattening: Follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, flatten only the CNAME at the root of your domain.
  • domain_hold: Domain holds prevent teams in your organization from adding domains that are already active in another account (Enterprise plan only).
  • email_obfuscation: Encrypt email addresses on your web page from bots while keeping them visible to humans.
  • opportunistic_onion: Allow legitimate users of Tor Browser to access your websites.
  • hotlink_protection: Protect your images from off-site linking.
  • http2: Accelerate your website with HTTP/2.
  • http3: Accelerate your website with HTTP/3.
  • image_load_optimization: Improve load time for pages that include images on mobile devices with slow network connections.
  • image_size_optimization: Improve image load time by optimizing images hosted on your domain.
  • image_resizing: Provide on-demand resizing, conversion and optimization for images served through the CIS network.
  • ip_geolocation: Include the country code of the visitor location with all requests to your website.
  • ipv6: Enable IPv6 support and gateway.
  • max_upload: The amount of data visitors can upload to your website in a single request.
  • min_tls_version: Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer.
  • minify: Reduce the file size of source code on your website.
  • mobile_redirect: Redirect visitors that are using mobile devices to a mobile-optimized website.
  • opportunistic_encryption: Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 by letting them know that your site is available over an encrypted connection.
  • origin_error_page_pass_thru: When Origin Error Page is set to On, CIS will proxy the 502 and 504 error pages directly from the origin. (Enterprise plan only)
  • origin_max_http_version: Configure the HTTP version to Origin.
  • origin_post_quantum_encryption: Instructs CIS to use Post-Quantum (PQ) key agreement algorithms when connecting to your origin.
  • prefetch_preload: CIS will prefetch any URLs included in the prefetch HTTP header (Enterprise plan only).
  • pseudo_ipv4: Adds an IPv4 header to requests when a client is using IPv6, but the server only supports IPv4.
  • response_buffering: Enable or disable buffering of responses from the origin server (Enterprise plan only).
  • script_load_optimization: Improve the paint time for pages that include JavaScript.
  • security_header: Enforce web security policy for your website.
  • security_level: Choose the appropriate security profile for your website.
  • server_side_exclude: Automatically hide specific content from suspicious visitors.
  • tls_client_auth: TLS client certificate presented for authentication on origin pull (Enterprise plan only).
  • true_client_ip_header: CIS sends the end user’s IP address in the True-Client-IP header (Enterprise plan only).
  • waf: A Web Application Firewall (WAF) blocks requests that contain malicious content.
  • websockets: Allow WebSockets connections to your origin server.
  • proxy_read_timeout: Maximum time between two read operations from origin (Enterprise plan only).
  • url_normalization: Modify the URLs of incoming requests.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get ciphers settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings -f "ciphers" 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis domain-settings-update

Update a feature for the domain.

ibmcloud cis domain-settings-update DNS_DOMAIN_ID (-f, --feature FEATURE) (-v, --value VALUE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-f, --feature
Feature of domain settings to update. Required. Valid values:
  • always_use_https: Redirect all requests with scheme http to https. This redirect applies to all http requests to the domain.
  • automatic_https_rewrites: Help fix mixed content by changing http to https for all resources or links on your website that can be served with HTTPS.
  • bot_management: Detect and mitigate bot traffic on your domain.
  • brotli: When the client that is requesting an asset supports the brotli compression algorithm, CIS serves a brotli compressed version of the asset.
  • browser_check: Evaluate HTTP headers from your visitors' browser for threats. If a threat is found, then a block page is delivered.
  • challenge_ttl: Specify how long a visitor with a bad IP reputation is allowed access to your website after completing a challenge.
  • ciphers: A whitelist of ciphers for TLS termination. These ciphers must be in the BoringSSL format.
  • cname_flattening: Follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, only flatten the CNAME at the root of your domain.
  • domain_hold: Domain holds prevent teams in your organization from adding domains that are already active in another account (Enterprise plan only).
  • email_obfuscation: Encrypt email addresses on your web page from bots while keeping them visible to humans.
  • opportunistic_onion: Allow legitimate users of Tor Browser to access your websites.
  • hotlink_protection: Protect your images from off-site linking.
  • http2: Accelerate your website with HTTP/2.
  • http3: Accelerate your website with HTTP/3.
  • image_load_optimization: Improve load time for pages that include images on mobile devices with slow network connections.
  • image_size_optimization: Improve image load time by optimizing images hosted on your domain.
  • image_resizing: Provide on-demand resizing, conversion and optimization for images served through the CIS network.
  • ip_geolocation: Include the country code of the visitor location with all requests to your website.
  • ipv6: Enable IPv6 support and gateway.
  • max_upload: The amount of data visitors can upload to your website in a single request.
  • min_tls_version: Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer.
  • minify: Reduce the file size of source code on your website.
  • mobile_redirect: Redirect visitors that are using mobile devices to a mobile-optimized website.
  • opportunistic_encryption: Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 by letting them know that your site is available over an encrypted connection.
  • origin_error_page_pass_thru: When Origin Error Page is set to On, CIS will proxy the 502 and 504 error pages directly from the origin (Enterprise plan only).
  • origin_max_http_version: Configure the HTTP version to Origin.
  • origin_post_quantum_encryption: Instructs CIS to use Post-Quantum (PQ) key agreement algorithms when connecting to your origin.
  • prefetch_preload: CIS will prefetch any URLs included in the prefetch HTTP header (Enterprise plan only).
  • pseudo_ipv4: Adds an IPv4 header to requests when a client is using IPv6, but the server only supports IPv4.
  • response_buffering: Enable or disable buffering of responses from the origin server (Enterprise plan only).
  • script_load_optimization: Improve the paint time for pages that include JavaScript.
  • security_header: Enforce web security policy for your website.
  • security_level: Choose the appropriate security profile for your website.
  • server_side_exclude: Automatically hide specific content from suspicious visitors.
  • tls_client_auth: TLS client certificate presented for authentication on origin pull (Enterprise plan only).
  • true_client_ip_header: CIS will send the end user’s IP address in the True-Client-IP header (Enterprise plan only).
  • waf: A Web Application Firewall (WAF) blocks requests that contain malicious content.
  • websockets: Allow WebSockets connections to your origin server.
  • proxy_read_timeout: Maximum time between two read operations from origin.
  • url_normalization: Modify the URLs of incoming requests.
-v, --value
The value set to the feature for domain. Required.
  • Valid values for always_use_https are on, off.

  • Valid values for automatic_https_rewrites are on, off.

  • Valid values for bot_management are "use_latest_model", "fight_mode", "session_score", "enable_js". For example, -v fight_mode=true,session_score=true

    • use_latest_model: Whether to enable latest model version. Valid values for use_latest_model are true, false.
    • fight_mode: Whether to enable the fight mode. Valid values for fight_mode are true, false.
    • session_score: Whether to enable the session score. Valid values for session_score are true, false.
    • enable_js: Whether to enable JavaScript detections. Valid values for enable_js are true, false.
  • Valid values for browser_check are on, off.

  • Valid values for challenge_ttl are 300, 900, 1800, 2700, 3600, 7200, 10800, 14400, 28800, 57600, 86400, 604800, 2592000, 31536000.

  • Valid values for cname_flattening are flatten_at_root, flatten_all.

    • flatten_at_root: Flatten CNAME at root domain. This is the default value.
    • flatten_all: Flatten all CNAME records under your domain.
  • Valid values for domain_hold are hold, include_subdomains, hold_after.

    • hold: Whether to enable the domain hold. Valid values for hold are true, false.
    • include_subdomains: Whether to extend the domain hold to subdomains. Valid values for include_subdomains are true, false.
    • hold_after: If hold_after is provided, the hold is temporarily disabled, then automatically re-enabled by the system at the time specified.

    To enable the hold on the domain and its subdomains: -v hold=true,include_subdomains=true. To disable the domain hold: -v hold=false,hold_after=2023-05-31T15:56:36+00:00.

  • Valid values for hotlink_protection are on, off.

  • Valid values for email_obfuscation are on, off.

  • Valid values for opportunistic_onion are on, off.

  • Valid values for http2 are on, off.

  • Valid values for http3 are on, off.

  • Valid values for image_load_optimization are on, off.

  • Valid values for image_resizing are on, off.

  • Valid values for image_size_optimization are off, lossless, lossy.

    • off: Disable Image Size Optimization.
    • lossless: Reduce the size of image files without impacting visual quality.
    • lossy: The file size of JPEG images is reduced using lossy compression, which may reduce visual quality.
  • Valid values for ip_geolocation are on, off.

  • Valid values for ipv6 are on, off.

  • Valid values (in MB) for max_upload are 100, 125, 150, 175, 200. The values 225, 250, 275, 300, 325, 350, 375, 400, 425, 450, 475, 500 are valid for the Enterprise plan only.

  • Valid values for min_tls_version are 1.0, 1.1, 1.2, 1.3.

  • Valid values for minify are css, html, js. For example, -v css=on,html=off,js=on

    • css: Automatically minify all CSS for your website. Valid values for css are on, off.
    • html: Automatically minify all HTML for your website. Valid values for html are on, off.
    • js: Automatically minify all JS for your website. Valid values for js are on, off.
  • Valid values for mobile_redirect are status, mobile_subdomain, strip_uri. For example, -v status=on,mobile_subdomain=m,strip_uri=true

    • status: Whether or not the mobile redirection is enabled. Valid values for status are on, off.
    • mobile_subdomain: Which subdomain prefix you wish to redirect visitors on mobile devices to (subdomain must already exist).
    • strip_uri: Whether to drop the current page path and redirect to the mobile subdomain URL root. Valid values for strip_uri are true, false.
  • Valid values for opportunistic_encryption are on, off.

  • Valid values for origin_error_page_pass_thru are on, off.

  • Valid values for origin_max_http_version are 1, 2.

  • Valid values for origin_post_quantum_encryption are supported, preferred, off.

    • supported: Post-Quantum algorithms are advertised but only used when requested by the origin.
    • preferred: Preferred instructs CIS to opportunistically send a Post-Quantum (PQ) keyshare in the first message to the origin (for fastest connections when the origin supports and prefers PQ).
    • off: Post-Quantum algorithms are not advertised.

  • Valid values for brotli are on, off.

  • Valid values for prefetch_preload are on, off.

  • Valid values for pseudo_ipv4 are off, add_header, overwrite_header.

    • off: Disable Pseudo IPv4.
    • add_header: Add additional Cf-Pseudo-IPv4 header only.
    • overwrite_header: Overwrite the existing Cf-Connecting-IP and X-Forwarded-For headers with a pseudo IPv4 address.
  • Valid values for response_buffering are on, off.

  • Valid values for script_load_optimization are on, off.

  • Valid values for security_header are enabled, max_age, include_subdomains, preload, nosniff. For example, -v enabled=true,max_age=100,include_subdomains=true,preload=true,nosniff=true

    • enabled: Whether or not security_header is enabled. Valid values for enabled are true, false.
    • max_age: Specify the duration (in seconds) that security_header is cached in browsers.
    • include_subdomains: Every domain below the domain will inherit the same security_header. Valid values for include_subdomains are true, false.
    • preload: Whether or not to permit browsers to preload security_header config. Valid values for preload are true, false.
    • nosniff: Whether or not to send X-Content-Type-Options: nosniff header. Valid values for nosniff are true, false.
  • Valid values for security_level are off, essentially_off, low, medium, high, under_attack.

  • Valid values for server_side_exclude are on, off.

  • Valid values for tls_client_auth are on, off.

  • Valid values for true_client_ip_header are on, off.

  • Valid values for waf are on, off.

  • Valid values for websockets are on, off.

  • Valid values for proxy_read_timeout are 1-6000. The default is 100.

  • Valid values for ciphers are ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, AES256-GCM-SHA384, AES256-SHA256, AES256-SHA, DES-CBC3-SHA, default. For example, -v AES256-SHA256,AES256-SHA. Use -v default to reset the configured cipher suites to the default value.

  • Valid values for url_normalization are "type", "scope". For example -v type=cis,scope=both

    • type: Selects the type of URL normalization performed by CIS. Valid values for type are cis, rfc3986.
    • scope: Configures the scope of the URL normalization. Valid values for scope are both, incoming.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Enable tls_client_auth for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis domain-settings-update -f tls_client_auth -v on 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
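The valid-value lists above can be checked before a change reaches the CLI. The following script is an added example, not IBM code: it validates ciphers, min_tls_version, security_header and a few on/off features against the documented values and prints the domain-settings-update command without running it. The function names, the local policy (only ECDHE suites with GCM or CHACHA20-POLY1305, minimum TLS version 1.2), the 32-hex-character domain ID check and the restricted instance-name character set are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. Dry run only: commands are printed, never executed.

# Names accepted by "-f ciphers", copied from the valid-values list above.
CIS_CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-CHACHA20-POLY1305"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA"
CIS_CIPHERS="$CIS_CIPHERS AES128-GCM-SHA256 AES128-SHA256 AES128-SHA"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384"
CIS_CIPHERS="$CIS_CIPHERS ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256"
CIS_CIPHERS="$CIS_CIPHERS AES256-SHA DES-CBC3-SHA"

err() { printf '%s\n' "$*" >&2; }

# check_ciphers LIST: echo LIST if every comma-separated name is documented and
# passes this example's policy (ECDHE key exchange plus an AEAD cipher).
check_ciphers() {
    if [ "$1" = default ]; then printf 'default\n'; return 0; fi
    rest=$1,
    while [ -n "$rest" ]; do
        c=${rest%%,*}; rest=${rest#*,}
        case $c in ''|*[!A-Z0-9-]*) err "malformed cipher name: '$c'"; return 1 ;; esac
        case " $CIS_CIPHERS " in
            *" $c "*) ;;
            *) err "not a documented cipher: $c"; return 1 ;;
        esac
        case $c in
            ECDHE-*-GCM-*|ECDHE-*-CHACHA20-POLY1305) ;;
            *) err "rejected by local policy (no ECDHE or no AEAD): $c"; return 1 ;;
        esac
    done
    printf '%s\n' "$1"
}

# check_min_tls VERSION: documented values are 1.0, 1.1, 1.2, 1.3; policy floor is 1.2.
check_min_tls() {
    case $1 in
        1.2|1.3) printf '%s\n' "$1" ;;
        1.0|1.1) err "min_tls_version $1 is below the local policy floor of 1.2"; return 1 ;;
        *) err "not a documented min_tls_version: $1"; return 1 ;;
    esac
}

# check_security_header PAIRS: validate the key=value,key=value form documented above.
check_security_header() {
    rest=$1,
    while [ -n "$rest" ]; do
        pair=${rest%%,*}; rest=${rest#*,}
        key=${pair%%=*}; val=${pair#*=}
        if [ "$pair" = "$key" ]; then err "expected key=value, got: '$pair'"; return 1; fi
        case $key in
            enabled|include_subdomains|preload|nosniff)
                case $val in true|false) ;; *) err "$key must be true or false"; return 1 ;; esac ;;
            max_age)
                case $val in ''|*[!0-9]*) err "max_age must be a number of seconds"; return 1 ;; esac ;;
            *) err "unknown security_header key: $key"; return 1 ;;
        esac
    done
    printf '%s\n' "$1"
}

# plan_setting DOMAIN_ID INSTANCE FEATURE VALUE: print the update command if valid.
plan_setting() {
    case $1 in ''|*[!0-9a-f]*) err "domain ID must be lowercase hex"; return 1 ;; esac
    if [ ${#1} -ne 32 ]; then err "domain ID must be 32 characters"; return 1; fi
    # Assumption: instance names here use only characters that need no shell quoting.
    case $2 in ''|*[!A-Za-z0-9._-]*) err "unexpected characters in instance name"; return 1 ;; esac
    case $3 in
        ciphers)         v=$(check_ciphers "$4") || return 1 ;;
        min_tls_version) v=$(check_min_tls "$4") || return 1 ;;
        security_header) v=$(check_security_header "$4") || return 1 ;;
        always_use_https|automatic_https_rewrites|tls_client_auth)
            case $4 in on|off) v=$4 ;; *) err "$3 must be on or off"; return 1 ;; esac ;;
        *) err "feature not covered by this example: $3"; return 1 ;;
    esac
    printf 'ibmcloud cis domain-settings-update -f %s -v %s %s -i "%s"\n' "$3" "$v" "$1" "$2"
}

# Constructed demo input: the domain ID and instance name used in the page's examples.
D=31984fea73a15b45779fa0df4ef62f9b
plan_setting "$D" cis-demo min_tls_version 1.2
plan_setting "$D" cis-demo ciphers ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256
plan_setting "$D" cis-demo ciphers AES256-SHA256,AES256-SHA || true   # rejected by policy
```

Review the printed commands before running them, and read the result back with ibmcloud cis domain-settings -f FEATURE to confirm the change.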

Edge functions

Manipulate how Edge Functions perform using the following edge-functions commands:

ibmcloud cis edge-functions-actions

List all Edge Functions actions of a service instance.

ibmcloud cis edge-functions-actions [-i, --instance INSTANCE] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all Edge Functions actions in instance cis-demo.

ibmcloud cis edge-functions-actions -i "cis-demo"

ibmcloud cis edge-functions-action

Show an Edge Functions action of a service instance.

ibmcloud cis edge-functions-action [--name ACTION_NAME] [-i, --instance INSTANCE]

Command options

--name
Action name (Enterprise plan only).
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Show details of Edge Functions action action-demo.

ibmcloud cis edge-functions-action --name "action-demo" -i "cis-demo"

ibmcloud cis edge-functions-action-create

Create an Edge Functions action for a service instance.

ibmcloud cis edge-functions-action-create [--name ACTION_NAME] (--javascript-str JAVASCRIPT_STR | --javascript-file JAVASCRIPT_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
Action name (Enterprise plan only).
--javascript-str
JavaScript string. For example, addEventListener('fetch', event => { event.respondWith(fetch(event.request))})
--javascript-file
JavaScript file.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create the Edge Functions action action-demo for instance cis-demo.

ibmcloud cis edge-functions-action-create --javascript-str "addEventListener('fetch', event => { event.respondWith(fetch(event.request)) })" --name "action-demo" -i "cis-demo"

ibmcloud cis edge-functions-action-update

Update an Edge Functions action of a service instance.

ibmcloud cis edge-functions-action-update (--javascript-str JAVASCRIPT_STR | --javascript-file JAVASCRIPT_FILE) [--name ACTION_NAME] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
Action name (Enterprise plan only).
--javascript-str
JavaScript string. For example, addEventListener('fetch', event => { event.respondWith(fetch(event.request))})
--javascript-file
JavaScript file.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update the Edge Functions action action-demo for instance cis-demo.

ibmcloud cis edge-functions-action-update --javascript-str "addEventListener('fetch', event => { event.respondWith(fetch(event.request)) })" --name "action-demo" -i "cis-demo"

ibmcloud cis edge-functions-action-delete

Delete an Edge Functions action of a service instance.

ibmcloud cis edge-functions-action-delete [--name ACTION_NAME] [-i, --instance INSTANCE]

Command options

--name
Action name (Enterprise plan only).
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete Edge Functions action action-demo.

ibmcloud cis edge-functions-action-delete --name "action-demo" -i "cis-demo"

ibmcloud cis edge-functions-triggers

List all Edge Functions triggers for a domain of a service instance.

ibmcloud cis edge-functions-triggers DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all Edge Functions triggers for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis edge-functions-triggers 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis edge-functions-trigger

Show an Edge Functions trigger for a domain of a service instance.

ibmcloud cis edge-functions-trigger DNS_DOMAIN_ID TRIGGER_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
TRIGGER_ID
The ID of the trigger. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details of Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac -i "cis-demo"

ibmcloud cis edge-functions-trigger-create

Create an Edge Functions trigger for a domain of a service instance.

ibmcloud cis edge-functions-trigger-create DNS_DOMAIN_ID PATTERN_URL [--name ACTION_NAME] [--disable] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
PATTERN_URL
The request URL which triggers the action. Required.
--name
Action name to which the created trigger is attached (Enterprise plan only).
--disable
Disable an Edge Functions trigger.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create an Edge Functions trigger for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis edge-functions-trigger-create 31984fea73a15b45779fa0df4ef62f9b "example.net/*" --name "demo-action" -i "cis-demo"

ibmcloud cis edge-functions-trigger-update

Update an Edge Functions trigger for a domain of a service instance.

ibmcloud cis edge-functions-trigger-update DNS_DOMAIN_ID TRIGGER_ID PATTERN_URL [--name ACTION_NAME] [--disable] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
TRIGGER_ID
The ID of the trigger. Required.
PATTERN_URL
The request URL which triggers the action. Required.
--name
Action name to which the trigger is attached (Enterprise plan only).
--disable
Disable an Edge Functions trigger.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger-update 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac "example.net/*" --name "demo-action" -i "cis-demo"

ibmcloud cis edge-functions-trigger-delete

Delete an Edge Functions trigger for a domain of a service instance.

ibmcloud cis edge-functions-trigger-delete DNS_DOMAIN_ID TRIGGER_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
TRIGGER_ID
The ID of the trigger. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete Edge Functions trigger 9a7806061c88ada191ed06f989cc3dac.

ibmcloud cis edge-functions-trigger-delete 31984fea73a15b45779fa0df4ef62f9b 9a7806061c88ada191ed06f989cc3dac -i "cis-demo"

Firewall

Manipulate firewalls by using the following firewall commands.

ibmcloud cis firewall-create

Create a new firewall rule.

ibmcloud cis firewall-create (-t, --type Type) (--json @JSON_FILE | JSON_STRING) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis firewall-create (-t, --type Type) (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

-t, --type
Type of firewall rule to create. Valid values: access-rules, ua-rules, lockdowns. Required.
  • access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
  • ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
  • lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.
-d, --domain
DNS Domain ID. Required for rules of type ua-rules and lockdowns.
--json
The JSON file or JSON string used to describe a firewall rule. Required.
  • For --type access-rules: The JSON data describing a firewall access rule as follows.
    • Required fields are mode, configuration.
      • mode: The type of action to perform. Valid values: block, challenge, whitelist, js_challenge.
      • configuration: Target/Value pair to use for this rule.
        • target: The request property to target. Valid values: ip, ip_range, asn, country.
        • value: The value for the selected target.
          • For ip the value is a valid IP address.
          • For ip_range the value specifies an IP range limited to /16 and /24.
          • For asn the value is an AS number.
          • For country the value is a country code for the country.
    • The optional field is notes.
      • notes: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "block",
   "notes": "This rule is added because of event X that occurred on date xyz",
   "configuration": {
      "target": "ip",
      "value": "127.0.0.1"
   }
}
  • For --type ua-rules: The JSON data describing a user-agent rule as follows.
    • Required fields are mode, configuration.
      • mode: The type of action to perform. Valid values: block, challenge, js_challenge.
      • configuration: Target/Value pair to use for this rule.
        • target: The request property to target. Valid values: ua.
        • value: The exact UserAgent string to match with this rule.
    • Optional fields are paused, description.
      • paused: Whether this rule is currently disabled.
      • description: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "block",
   "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
   }
}
  • For --type lockdowns: The JSON data describing a lockdown rule as follows.
    • Required fields are urls, configurations.
      • urls: URLs to be included in this rule definition.
        • Wildcards are permitted.
        • The URL pattern entered here will be escaped before use.
        • This limits the URL to just simple wildcard patterns.
      • configurations: List of IP addresses or CIDR ranges to use for this rule.
        • This can include any number of ip or ip_range configurations that can access the provided URLs.
        • target: The request property to target. Valid values: ip, ip_range.
        • value: IP address or CIDR. If target is ip, the value must be an IP address; otherwise it must be a CIDR range.
    • Optional fields are paused, description.
      • paused: Whether this rule is currently disabled.
      • description: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "urls": [
      "api.mysite.com/some/endpoint*"
   ],
   "configurations": [
      {
         "target": "ip",
         "value": "127.0.0.1"
      },
      {
         "target": "ip_range",
         "value": "2.2.2.0/24"
      }
   ]
}
-s, --json-str
Deprecated. The JSON data describing a firewall rule.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create firewall rules.

ibmcloud cis firewall-create -t access-rules --json '{"mode": "block", "notes": "This rule is added because of event X that occurred on date xyz", "configuration": {"target": "ip", "value": "127.0.0.1"}}' -i "cis-demo"
ibmcloud cis firewall-create -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b --json '{"mode": "block", "configuration": {"target": "ua", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"}}' -i "cis-demo"
ibmcloud cis firewall-create -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b --json '{"urls": ["api.mysite.com/some/endpoint*"], "configurations": [{"target": "ip", "value": "127.0.0.1"}, {"target": "ip_range", "value": "2.2.2.0/24"}]}' -i "cis-demo"
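A pre-flight check for the JSON passed to firewall-create, covering the three rule types and the value constraints listed in the option descriptions above. This is an added example, not part of the IBM CLI or its documentation; the function names and the sample rule are constructed for illustration.

```python
import ipaddress

# Allowed values, copied from the option descriptions on this page.
MODES = {
    "access-rules": {"block", "challenge", "whitelist", "js_challenge"},
    "ua-rules": {"block", "challenge", "js_challenge"},
}
TARGETS = {
    "access-rules": {"ip", "ip_range", "asn", "country"},
    "ua-rules": {"ua"},
    "lockdowns": {"ip", "ip_range"},
}


def _check_pair(rule_type, cfg, where, errors):
    """Validate one target/value object against the values allowed for rule_type."""
    if not isinstance(cfg, dict):
        errors.append(f"{where}: must be a JSON object")
        return
    target, value = cfg.get("target"), cfg.get("value")
    if not isinstance(target, str) or target not in TARGETS[rule_type]:
        errors.append(f"{where}: target {target!r} is not valid for {rule_type}")
        return
    if not isinstance(value, str) or not value or value != value.strip():
        errors.append(f"{where}: value must be a non-empty string with no padding")
        return
    try:
        if target == "ip":
            ipaddress.ip_address(value)
        elif target == "ip_range":
            # strict=True rejects ranges with host bits set, such as 10.0.0.1/16.
            net = ipaddress.ip_network(value, strict=True)
            # The page limits access-rules ranges to /16 and /24.
            if rule_type == "access-rules" and net.prefixlen not in (16, 24):
                errors.append(
                    f"{where}: ip_range must be /16 or /24, got /{net.prefixlen}")
    except ValueError as exc:
        errors.append(f"{where}: {exc}")


def validate_rule(rule_type, rule, domain_id=None):
    """Return a list of problems; an empty list means the rule fits the page's schema."""
    if rule_type not in TARGETS:
        return [f"unknown --type {rule_type!r}"]
    if not isinstance(rule, dict):
        return ["rule must be a JSON object"]
    errors = []
    # -d/--domain is required for ua-rules and lockdowns.
    if rule_type in ("ua-rules", "lockdowns") and not domain_id:
        errors.append(f"{rule_type} requires -d/--domain")
    if rule_type == "lockdowns":
        urls = rule.get("urls")
        if (not isinstance(urls, list) or not urls
                or not all(isinstance(u, str) and u for u in urls)):
            errors.append("urls: required, non-empty list of URL patterns")
        cfgs = rule.get("configurations")
        if not isinstance(cfgs, list) or not cfgs:
            errors.append("configurations: required, non-empty list")
        else:
            for i, cfg in enumerate(cfgs):
                _check_pair(rule_type, cfg, f"configurations[{i}]", errors)
    else:
        mode = rule.get("mode")
        if not isinstance(mode, str) or mode not in MODES[rule_type]:
            errors.append(f"mode: {mode!r} is not valid for {rule_type}")
        if "configuration" not in rule:
            errors.append("configuration: required")
        else:
            _check_pair(rule_type, rule["configuration"], "configuration", errors)
    return errors


if __name__ == "__main__":
    # Constructed sample: an allow rule whose range is wider than the page permits.
    too_wide = {"mode": "whitelist",
                "configuration": {"target": "ip_range", "value": "10.0.0.0/8"}}
    for problem in validate_rule("access-rules", too_wide):
        print(problem)
```

Running the check before submitting keeps an over-broad whitelist range or a padded CIDR string from reaching the service as a rule that silently fails to match.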

ibmcloud cis firewall-update

Update a firewall rule.

ibmcloud cis firewall-update FIREWALL_RULE_ID (-t, --type Type) (--json @JSON_FILE | JSON_STRING) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis firewall-update FIREWALL_RULE_ID (-t, --type Type) (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

FIREWALL_RULE_ID
The ID of the firewall rule. Required.
-t, --type

Type of firewall rule to update. Valid values: access-rules, ua-rules, lockdowns. Required.

  • access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
  • ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
  • lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.
-d, --domain

DNS Domain ID. Required for rules of type ua-rules and lockdowns.

--json

The JSON file or JSON string used to describe a firewall rule. Required.

  • For --type access-rules: The JSON data describing a firewall access rule as follows.
    • Optional fields are mode, notes.
      • mode: The type of action to perform. Valid values: block, challenge, whitelist, js_challenge.
      • notes: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "challenge",
   "notes": "This rule is added because of event X that occurred on date xyz"
}
  • For --type ua-rules: The JSON data describing a user-agent rule as follows.

    • Required fields are mode, configuration.
      • mode: The type of action to perform. Valid values: block, challenge, js_challenge.
      • configuration: Target/Value pair to use for this rule.
        • target: The request property to target. Valid values: ua.
        • value: The exact UserAgent string to match with this rule.
    • Optional fields are paused, description.
      • paused: Whether this rule is currently disabled.
      • description: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "mode": "block",
   "configuration": {
      "target": "ua",
      "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"
   }
}
  • For --type lockdowns: The JSON data describing a lockdown rule as follows.
    • Required fields are urls, configurations.
      • urls: URLs to be included in this rule definition.
        • Wildcards are permitted.
        • The URL pattern entered here will be escaped before use.
        • This limits the URL to just simple wildcard patterns.
      • configurations: List of IP addresses or CIDR ranges to use for this rule.
        • This can include any number of ip or ip_range configurations that can access the provided URLs.
        • target: The request property to target. Valid values: ip, ip_range.
        • value: IP address or CIDR. If target is ip, the value must be an IP address; otherwise it must be a CIDR range.
    • Optional fields are paused, description.
      • paused: Whether this rule is currently disabled.
      • description: Some useful information about this rule to help identify the purpose of it.

Sample JSON data:

{
   "urls": [
      "api.mysite.com/some/endpoint*"
   ],
   "configurations": [
      {
         "target": "ip",
         "value": "127.0.0.1"
      },
      {
         "target": "ip_range",
         "value": "2.2.2.0/24"
      }
   ]
}
-s, --json-str
Deprecated. The JSON data describing a firewall rule.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update firewall rules.

ibmcloud cis firewall-update bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules --json '{"mode": "challenge", "notes": "This rule is added because of event X that occurred on date xyz"}' -i "cis-demo"
ibmcloud cis firewall-update 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b --json '{"mode": "block", "configuration": {"target": "ua", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"}}' -i "cis-demo"
ibmcloud cis firewall-update e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b --json '{"urls": ["api.mysite.com/some/endpoint*"], "configurations": [{"target": "ip", "value": "127.0.0.1"}, {"target": "ip_range", "value": "2.2.2.0/24"}]}' -i "cis-demo"

ibmcloud cis firewalls

List firewall rules.

ibmcloud cis firewalls (-t, --type Type) [-d, --domain DNS_DOMAIN_ID] [--page PAGE] [--per-page PER_PAGE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

-t, --type
Type of firewall rule to list. Valid values: access-rules, ua-rules, lockdowns. Required.
  • access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
  • ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
  • lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.
-d, --domain
DNS Domain ID. Required for rules of type ua-rules and lockdowns.
--page
Page number of paginated results. The default value is 0.
--per-page
Maximum number of access rules per page. The minimum value is 5. The default value is 20.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List firewall rules.

ibmcloud cis firewalls -t access-rules -i "cis-demo"
ibmcloud cis firewalls -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewalls -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis firewall

Get details of a firewall rule.

ibmcloud cis firewall FIREWALL_RULE_ID (-t, --type Type) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

FIREWALL_RULE_ID
The ID of firewall rule. Required.
-t, --type
Type of firewall rule to retrieve. Valid values: access-rules, ua-rules, lockdowns.
  • access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
  • ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
  • lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.
-d, --domain
DNS Domain ID. Required for rules of type ua-rules and lockdowns.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get firewall rule details.

ibmcloud cis firewall dc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -i "cis-demo"
ibmcloud cis firewall bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis firewall-delete

Delete a firewall rule by ID.

ibmcloud cis firewall-delete FIREWALL_RULE_ID (-t, --type Type) [-d, --domain DNS_DOMAIN_ID] [-i, --instance INSTANCE]

Command options

FIREWALL_RULE_ID
The ID of firewall rule. Required.
-t, --type
Type of firewall rule to delete. Valid values: access-rules, ua-rules, lockdowns. Required.
  • access-rules: Access Rules are a way to allow, challenge, or block requests to your website. You can apply access rules to one domain only or all domains in the same service instance.
  • ua-rules: Perform access control when matching the exact UserAgent reported by the client. The access control mechanisms can be defined within a rule to help manage traffic from particular clients. This enables you to customize the access to your site.
  • lockdowns: Lock access to URLs in this domain to only permitted addresses or address ranges.
-d, --domain
DNS Domain ID. Required for rules of type ua-rules and lockdowns.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete a firewall rule.

ibmcloud cis firewall-delete dc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -i "cis-demo"
ibmcloud cis firewall-delete bc014906ccce4e7ea2e28be7df70d0d2 -t access-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall-delete 4af47b1518be478aa2c8f024af1c0bad -t ua-rules -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"
ibmcloud cis firewall-delete e6106d7ec58e47ebb2fa053dedcd7dcb -t lockdowns -d 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Firewall rules

Manipulate how firewall rules perform using the following firewall-rules commands:

ibmcloud cis firewall-rules

Retrieve a list of currently existing firewall-rules for a DNS domain.

ibmcloud cis firewall-rules DNS_DOMAIN_ID [--page PAGE] [--per-page PER_PAGE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--page
Page number of paginated results. The default value is 1.
--per-page
Number of firewall rules per page. The minimum value is 5 and the maximum value is 100. The default value is 25.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List existing firewall-rules in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis firewall-rules 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis firewall-rule

Retrieve a specific firewall-rule for a DNS domain.

ibmcloud cis firewall-rule DNS_DOMAIN_ID FIREWALL_RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
FIREWALL_RULE_ID
The ID of firewall-rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get the details of firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 -i "cis-demo"

ibmcloud cis firewall-rule-create

Create a firewall-rule for a DNS domain.

ibmcloud cis firewall-rule-create DNS_DOMAIN_ID --expression EXPRESSION --action ACTION [--priority PRIORITY] [--paused on|off] [--products PRODUCTS] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis firewall-rule-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis firewall-rule-create DNS_DOMAIN_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--expression

A filter expression. For example, ip.src eq 93.184.216.0.

--action

The rule action to perform. Valid values: log, allow, challenge, js_challenge, block, bypass.

--priority

The rule's priority. Valid values: 0 ~ 2147483647. Value 0 means to set to the default value.

--description

To briefly describe the rule.

--paused

Indicates if the rule is active. Valid values: on, off. Default value is off.

--products

The list of security products to be bypassed. Valid values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf.

--json

The JSON file or JSON string used to describe a firewall-rule.

  • The required fields in JSON data are expression, action.
    • expression: A filter expression. For example, ip.src eq 93.184.216.0
    • action: The rule action to perform. Valid values: log, allow, challenge, js_challenge, block, bypass.
  • The optional fields are description, priority, paused, products.
    • description: To briefly describe the rule.
    • priority: The rule's priority. Valid values: 0 ~ 2147483647. Value 0 means to set to the default value.
    • paused: Indicates if the rule is active. Valid values: on, off. Default value is off.
    • products: The list of security products to be bypassed. Valid values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf. For example, --products zoneLockdown,rateLimit

Sample JSON data:

{
   "expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"",
   "action": "allow",
   "priority": 100,
   "paused": false,
   "description": "do not challenge login from office"
}
-s, --json-str
Deprecated. The JSON data describing a firewall-rule.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a firewall-rule in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis firewall-rule-create 31984fea73a15b45779fa0df4ef62f9b --expression "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\""  --action allow --priority 200 --paused off --description "do not challenge login from office" -i "cis-demo"

ibmcloud cis firewall-rule-create 31984fea73a15b45779fa0df4ef62f9b --json '{"expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"", "action": "allow", "priority": 100, "paused": false, "description": "do not challenge login from office"}' -i "cis-demo"

ibmcloud cis firewall-rule-update

Update a specific firewall-rule for a DNS domain.

ibmcloud cis firewall-rule-update DNS_DOMAIN_ID FIREWALL_RULE_ID [--expression EXPRESSION] [--action ACTION] [--priority PRIORITY] [--paused on|off] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis firewall-rule-update DNS_DOMAIN_ID FIREWALL_RULE_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis firewall-rule-update DNS_DOMAIN_ID FIREWALL_RULE_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
FIREWALL_RULE_ID
The ID of firewall-rule. Required.
--expression
A filter expression. For example, ip.src eq 93.184.216.0.
--action
The rule action to perform. Valid values: log, allow, challenge, js_challenge, block, bypass.
--priority
The rule's priority. Valid values: 0 ~ 2147483647. Value 0 means to set to the default value.
--description
To briefly describe the rule.
--paused
Indicates if the rule is active. Valid values: on, off. Default value is off.
--products
The list of security products to be bypassed. Valid values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf.
--json
The JSON file or JSON string used to describe a firewall-rule.
  • The required fields in JSON data are expression, action.
    • expression: A filter expression. For example, ip.src eq 93.184.216.0
    • action: The rule action to perform. Valid values: log, allow, challenge, js_challenge, block, bypass.
  • The optional fields are description, priority, paused, products.
    • description: To briefly describe the rule.
    • priority: The rule's priority. Valid values: 0 ~ 2147483647. Value 0 means to set to the default value.
    • paused: Indicates if the rule is active. Valid values: on, off. Default value is off.
    • products: The list of security products to be bypassed. Valid values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf. For example, --products zoneLockdown,rateLimit
  • Note: The description, priority, and paused fields are overwritten with their default values if they are not explicitly set in the JSON data.

Sample JSON data:

{
   "expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"",
   "action": "allow",
   "priority": 100,
   "paused": false,
   "description": "do not challenge login from office"
}
-s, --json-str
Deprecated. The JSON data describing a firewall-rule.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule-update 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 --expression "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\""  --action allow --priority 200 --paused off --description "do not challenge login from office" -i "cis-demo"

ibmcloud cis firewall-rule-update 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 --json '{"expression": "ip.src eq 93.184.216.1 and http.request.uri.path ~ \"^.*/wp-login.php$\"", "action": "allow", "priority": 100, "paused": false, "description": "do not challenge login from office"}' -i "cis-demo"
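Because fields left out of the update JSON fall back to their defaults, a partial update can silently reactivate a paused rule or reset its priority. The following added example (not IBM's code) builds a complete update payload by merging the intended changes over the rule's current values. It assumes the current rule is supplied in the same flat shape as the sample JSON above, and that products is only relevant when the action is bypass; the function names and sample rule are constructed.

```python
import json

REQUIRED = ("expression", "action")
# Per the note above, these are reset to defaults when left out of the JSON.
RESET_IF_OMITTED = ("description", "priority", "paused")
ACTIONS = {"log", "allow", "challenge", "js_challenge", "block", "bypass"}
MAX_PRIORITY = 2147483647


def fields_reset_by(current, changes):
    """Fields whose current value would be lost if only `changes` were sent."""
    return [f for f in RESET_IF_OMITTED if f in current and f not in changes]


def build_update_payload(current, changes):
    """Merge `changes` over `current` so that no field silently reverts."""
    allowed = set(REQUIRED) | set(RESET_IF_OMITTED) | {"products"}
    unknown = sorted(set(changes) - allowed)
    if unknown:
        raise ValueError(f"unknown fields: {', '.join(unknown)}")

    payload = {}
    for field in REQUIRED + RESET_IF_OMITTED:
        if field in changes:
            payload[field] = changes[field]
        elif field in current:
            payload[field] = current[field]

    missing = [f for f in REQUIRED if not payload.get(f)]
    if missing:
        raise ValueError(f"missing required fields: {', '.join(missing)}")
    action = payload["action"]
    if not isinstance(action, str) or action not in ACTIONS:
        raise ValueError(f"invalid action: {action!r}")
    priority = payload.get("priority")
    if priority is not None and (
            isinstance(priority, bool) or not isinstance(priority, int)
            or not 0 <= priority <= MAX_PRIORITY):
        raise ValueError(f"priority out of range: {priority!r}")
    # The sample JSON on this page uses a JSON boolean for paused.
    if "paused" in payload and not isinstance(payload["paused"], bool):
        raise ValueError("paused must be true or false in JSON data")

    # Assumption: products is carried over only for the bypass action.
    if action == "bypass":
        products = changes.get("products", current.get("products"))
        if products:
            payload["products"] = list(products)
    return payload


def to_cli_argument(payload):
    """Serialize for --json JSON_STRING or for the file behind --json @JSON_FILE."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: a rule that is staged (paused) with a custom priority.
    current = {
        "expression": "ip.src eq 93.184.216.0",
        "action": "block",
        "priority": 50,
        "paused": True,
        "description": "staged rule, not yet live",
    }
    changes = {"action": "challenge"}
    print("would be reset:", fields_reset_by(current, changes))
    print(to_cli_argument(build_update_payload(current, changes)))
```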

ibmcloud cis firewall-rule-delete

Delete a specific firewall-rule for a DNS domain.

ibmcloud cis firewall-rule-delete DNS_DOMAIN_ID FIREWALL_RULE_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
FIREWALL_RULE_ID
The ID of firewall-rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete firewall-rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis firewall-rule-delete 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 -i "cis-demo"

ibmcloud cis firewall-rule-validate

Validate a firewall-rule expression.

ibmcloud cis firewall-rule-validate DNS_DOMAIN_ID EXPRESSION [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
EXPRESSION
The filter expression. For example, ip.src eq 93.184.216.0. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Validate firewall-rule expression ip.src eq 93.184.216.0.

ibmcloud cis firewall-rule-validate 31984fea73a15b45779fa0df4ef62f9b "ip.src eq 93.184.216.0" -i "cis-demo"

Global load balancer

Manipulate global load balancers by using the following glb commands.

ibmcloud cis glb-create

Create a global load balancer under a DNS domain.

ibmcloud cis glb-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-create DNS_DOMAIN_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--json
The JSON file or JSON string used to describe a global load balancer. Required.
  • The required fields in JSON data are name, fallback_pool, default_pools:
    • name: the DNS hostname to associate with your Load Balancer.
    • fallback_pool: the pool ID to use when all other pools are detected as unhealthy.
    • default_pools: a list of pool IDs ordered by their failover priority.
  • The optional fields are description, ttl, region_pools, proxied, enabled, session_affinity, session_affinity_ttl, steering_policy:
    • description: the description of your Load Balancer.
    • ttl: time to live (TTL) of the DNS entry for the IP address returned by this load balancer.
    • region_pools: a mapping of region and country codes to a list of pool IDs (ordered by their failover priority) for the region.
    • proxied: Control whether or not traffic should flow through the security and performance functions on CIS.
    • enabled: Whether to enable (the default) this load balancer.
    • session_affinity: valid values are cookie, none.
    • session_affinity_ttl: Time, in seconds, until this load balancer's session affinity cookie expires after being created. Valid value is between [1800, 604800]. Default is 82800.
    • steering_policy: valid values for steering_policy are off, geo, random, dynamic_latency.
      • off: use default_pools.
      • geo: use region_pools/pop_pools.
      • random: select a pool randomly.
      • dynamic_latency: use round trip time to select the closest pool in default_pools (requires pool health checks).

Sample JSON data:

{
      "name": "www.example.com",
      "fallback_pool": "17b5962d775c646f3f9725cbc7a53df4",
      "default_pools": [
         "17b5962d775c646f3f9725cbc7a53df4",
         "9290f38c5d07c2e2f4df57b1f61d4196"
      ],
      "description": "Example global load balancer.",
      "ttl": 60,
      "region_pools": {
         "WNAM": [
               "de90f38ced07c2e2f4df50b1f61d4194",
               "9290f38c5d07c2e2f4df57b1f61d4196"
         ],
         "ENAM": [
               "00920f38ce07c2e2f4df50b1f61d4194"
         ]
      }
}
-s, --json-str
Deprecated. The JSON data describing a global load balancer.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a global load balancer in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-create 31984fea73a15b45779fa0df4ef62f9b --json '{"description":"Example global load balancer.","name":"www.example.com","ttl":60,"fallback_pool":"17b5962d775c646f3f9725cbc7a53df4","default_pools":["17b5962d775c646f3f9725cbc7a53df4","9290f38c5d07c2e2f4df57b1f61d4196"],"region_pools":{"WNAM":["de90f38ced07c2e2f4df50b1f61d4194","9290f38c5d07c2e2f4df57b1f61d4196"],"ENAM":["00920f38ce07c2e2f4df50b1f61d4194"]}}' -i "cis-demo"
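A consistency check for the global load balancer JSON described above: required fields, the documented ranges and enumerations, and whether every referenced pool ID exists. This is an added example, not IBM's code; the function names are constructed, and the set of known pool IDs is assumed to have been collected separately (for example from the output of ibmcloud cis glb-pools).

```python
STEERING = {"off", "geo", "random", "dynamic_latency"}
AFFINITY = {"cookie", "none"}
AFFINITY_TTL = (1800, 604800)  # seconds, inclusive range given on this page


def referenced_pools(glb):
    """Every pool ID the load balancer points at, de-duplicated, in order."""
    ids = []
    if isinstance(glb.get("fallback_pool"), str):
        ids.append(glb["fallback_pool"])
    if isinstance(glb.get("default_pools"), list):
        ids.extend(p for p in glb["default_pools"] if isinstance(p, str))
    if isinstance(glb.get("region_pools"), dict):
        for pools in glb["region_pools"].values():
            if isinstance(pools, list):
                ids.extend(p for p in pools if isinstance(p, str))
    return list(dict.fromkeys(ids))


def check_glb(glb, known_pool_ids=None):
    """Return a list of problems; an empty list means the JSON is consistent."""
    problems = []
    for field in ("name", "fallback_pool"):
        if not isinstance(glb.get(field), str) or not glb[field]:
            problems.append(f"{field}: required")
    pools = glb.get("default_pools")
    if not isinstance(pools, list) or not pools:
        problems.append("default_pools: required, non-empty list of pool IDs")

    policy = glb.get("steering_policy")
    if policy is not None and (not isinstance(policy, str) or policy not in STEERING):
        problems.append(f"steering_policy: {policy!r} is not a valid value")
    # geo steering uses region_pools/pop_pools, so it needs at least one of them.
    if policy == "geo" and not glb.get("region_pools") and not glb.get("pop_pools"):
        problems.append("steering_policy geo: no region_pools or pop_pools defined")

    affinity = glb.get("session_affinity")
    if affinity is not None and (
            not isinstance(affinity, str) or affinity not in AFFINITY):
        problems.append(f"session_affinity: {affinity!r} is not a valid value")
    ttl = glb.get("session_affinity_ttl")
    if ttl is not None and (
            isinstance(ttl, bool) or not isinstance(ttl, int)
            or not AFFINITY_TTL[0] <= ttl <= AFFINITY_TTL[1]):
        problems.append(f"session_affinity_ttl: {ttl!r} is outside "
                        f"[{AFFINITY_TTL[0]}, {AFFINITY_TTL[1]}]")

    # A dangling pool ID leaves a failover path that leads nowhere.
    if known_pool_ids is not None:
        for pool_id in referenced_pools(glb):
            if pool_id not in known_pool_ids:
                problems.append(f"pool {pool_id} is not a known GLB pool")
    return problems


if __name__ == "__main__":
    # Constructed sample: geo steering with nothing to steer on and a short TTL.
    draft = {
        "name": "www.example.com",
        "fallback_pool": "17b5962d775c646f3f9725cbc7a53df4",
        "default_pools": ["17b5962d775c646f3f9725cbc7a53df4"],
        "steering_policy": "geo",
        "session_affinity": "cookie",
        "session_affinity_ttl": 60,
    }
    for problem in check_glb(draft):
        print(problem)
```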

ibmcloud cis glb-update

Update a global load balancer under a DNS domain.

ibmcloud cis glb-update DNS_DOMAIN_ID GLB_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-update DNS_DOMAIN_ID GLB_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
GLB_ID
The ID of global load balancer. Required.
--json
The JSON file or JSON string used to describe a global load balancer. Required.
  • The required fields in JSON data are name, fallback_pool, default_pools:
    • name: the DNS hostname to associate with your Load Balancer.
    • fallback_pool: the pool ID to use when all other pools are detected as unhealthy.
    • default_pools: a list of pool IDs ordered by their failover priority.
  • The optional fields are description, ttl, region_pools, proxied, enabled, session_affinity, session_affinity_ttl, steering_policy:
    • description: the description of your Load Balancer.
    • ttl: time to live (TTL) of the DNS entry for the IP address returned by this load balancer.
    • region_pools: a mapping of region and country codes to a list of pool IDs (ordered by their failover priority) for the region.
    • proxied: Control whether or not traffic should flow through the security and performance functions on CIS.
    • enabled: Whether to enable (the default) this load balancer.
    • session_affinity: valid values are cookie, none.
    • session_affinity_ttl: Time, in seconds, until this load balancer's session affinity cookie expires after being created. Valid value is between [1800, 604800]. Default is 82800.
    • steering_policy: Valid values for steering_policy are off, geo, random, dynamic_latency.
      • off: Use default_pools.
      • geo: Use region_pools/pop_pools.
      • random: Select a pool randomly.
      • dynamic_latency: Use round trip time to select the closest pool in default_pools (requires pool health checks).

Sample JSON data:

{
      "name": "www.example.com",
      "fallback_pool": "17b5962d775c646f3f9725cbc7a53df4",
      "default_pools": [
         "17b5962d775c646f3f9725cbc7a53df4",
         "9290f38c5d07c2e2f4df57b1f61d4196"
      ],
      "description": "Example global load balancer.",
      "ttl": 60,
      "region_pools": {
         "WNAM": [
               "de90f38ced07c2e2f4df50b1f61d4194",
               "9290f38c5d07c2e2f4df57b1f61d4196"
         ],
         "ENAM": [
               "00920f38ce07c2e2f4df50b1f61d4194"
         ]
      }
}
-s, --json-str
Deprecated. The JSON data describing a global load balancer.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update global load balancer 699d98642c564d2e855e9661899b7252 in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-update 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 --json '{"description":"Example global load balancer.","name":"www.example.com","ttl":60,"fallback_pool":"17b5962d775c646f3f9725cbc7a53df4","default_pools":["17b5962d775c646f3f9725cbc7a53df4","9290f38c5d07c2e2f4df57b1f61d4196"],"region_pools":{"WNAM":["de90f38ced07c2e2f4df50b1f61d4194","9290f38c5d07c2e2f4df57b1f61d4196"],"ENAM":["00920f38ce07c2e2f4df50b1f61d4194"]}}' -i "cis-demo"

ibmcloud cis glb

Show a global load balancer under a DNS domain.

ibmcloud cis glb DNS_DOMAIN_ID GLB_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
GLB_ID
The ID of global load balancer. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show global load balancer 699d98642c564d2e855e9661899b7252 in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 -i "cis-demo"

ibmcloud cis glb-delete

Delete a global load balancer under a DNS domain.

ibmcloud cis glb-delete DNS_DOMAIN_ID GLB_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
GLB_ID
The ID of global load balancer. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete global load balancer 699d98642c564d2e855e9661899b7252 in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glb-delete 31984fea73a15b45779fa0df4ef62f9b 699d98642c564d2e855e9661899b7252 -i "cis-demo"

ibmcloud cis glbs

List all load balancers for the domain.

ibmcloud cis glbs DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List load balancers for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis glbs 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis glb-pools

List all GLB pools for a service instance.

ibmcloud cis glb-pools [-i, --instance INSTANCE] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all GLB pools for instance cis-demo.

ibmcloud cis glb-pools -i "cis-demo"

ibmcloud cis glb-pool-create

Create a GLB pool for a service instance.

ibmcloud cis glb-pool-create (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-pool-create (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

--json
The JSON file or JSON string used to describe a GLB pool. Required.
  • The required fields in JSON data are name, origins, check_regions:
    • name: a short name (tag) for the pool.
    • origins: a list of origins within this pool.
    • check_regions: a list of geographic region codes.
  • The optional fields are description, minimum_origins, enabled, monitor, notification_email.

Sample JSON data:

{
   "name": "us-pool",
   "description": "application server pool in US",
   "origins": [
      {
            "name": "us-app-dal01",
            "address": "1.1.1.1",
            "enabled": true,
            "header": {
               "host": ["test.com"]
            }
      },
      {
            "name": "us-app-dal02",
            "address": "2.2.2.2",
            "enabled": true,
            "header": {
               "host": ["example.com"]
            }
      }
   ],
   "minimum_origins": 1,
   "check_regions": [ "WNAM" ],
   "monitor": "f1aba936b94213e5b8dca0c0dbf1f9cc",
   "enabled": true,
   "notification_email": "someone@example.com"
}
-s, --json-str
Deprecated. The JSON data used to describe a GLB pool.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a GLB pool for instance cis-demo.

ibmcloud cis glb-pool-create --json '{"description":"application server pool in US", "name":"us-pool", "enabled":true, "check_regions":["WNAM"], "minimum_origins":1,"monitor":"f1aba936b94213e5b8dca0c0dbf1f9cc", "origins":[{"name":"us-app-dal01","address":"1.1.1.1","enabled":true,"header":{"host":["test.com"]}}, {"name":"us-app-dal02","address":"2.2.2.2","enabled":true,"header":{"host":["example.com"]}}], "notification_email":"someone@example.com"}' -i "cis-demo"

ibmcloud cis glb-pool

Show the details of a GLB pool.

ibmcloud cis glb-pool GLB_POOL_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

GLB_POOL_ID
The ID of the global load balancer pool. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show the details of GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool 17b5962d775c646f3f9725cbc7a53df4 -i "cis-demo"

ibmcloud cis glb-pool-delete

Delete a GLB pool.

ibmcloud cis glb-pool-delete GLB_POOL_ID [-i, --instance INSTANCE]

Command options

GLB_POOL_ID
The ID of the global load balancer pool. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool-delete 17b5962d775c646f3f9725cbc7a53df4 -i "cis-demo"

ibmcloud cis glb-pool-update

Update a GLB pool.

ibmcloud cis glb-pool-update GLB_POOL_ID [--enable-origin ORIGIN_NAME --enable-origin ORIGIN_NAME ...] [--disable-origin ORIGIN_NAME --disable-origin ORIGIN_NAME ...] [--add-origin ORIGIN_PARAMETER --add-origin ORIGIN_PARAMETER ...] [--remove-origin ORIGIN_NAME --remove-origin ORIGIN_NAME ...]  [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis glb-pool-update GLB_POOL_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-pool-update GLB_POOL_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

GLB_POOL_ID
The ID of the global load balancer pool. Required.
--json
The JSON file or JSON string used to describe a GLB pool.
  • The required fields in JSON data are name, origins, check_regions:
    • name: a short name (tag) for the pool.
    • origins: a list of origins within this pool.
    • check_regions: a list of geographic region codes.
  • The optional fields are description, minimum_origins, enabled, monitor, notification_email.

Sample JSON data:

{
   "name": "us-pool",
   "description": "application server pool in US",
   "origins": [
      {
            "name": "us-app-dal01",
            "address": "1.1.1.1",
            "enabled": true,
            "header": {
               "host": ["example.com"]
            }
      },
      {
            "name": "us-app-dal02",
            "address": "2.2.2.2",
            "enabled": true
      }
   ],
   "minimum_origins": 1,
   "check_regions": [ "WNAM" ],
   "monitor": "f1aba936b94213e5b8dca0c0dbf1f9cc",
   "enabled": true,
   "notification_email": "someone@example.com"
}
--enable-origin
Enable the origin within the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.
--disable-origin
Disable the origin within the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.
--add-origin
Add an origin into the Pool. ORIGIN_NAME and ORIGIN_ADDRESS are required. For example, --add-origin name=us-app-dal01,address=1.1.1.1,enabled=true,weight=0.5,host=example.com
--remove-origin
Remove an origin from the Pool. The value can be ORIGIN_NAME or ORIGIN_ADDRESS.
-s, --json-str
Deprecated. The JSON data used to describe a GLB pool.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update GLB pool 17b5962d775c646f3f9725cbc7a53df4.

ibmcloud cis glb-pool-update 17b5962d775c646f3f9725cbc7a53df4 --json '{"description":"application server pool in US", "name":"us-pool", "enabled":true, "check_regions":["WNAM"], "minimum_origins":1,"monitor":"f1aba936b94213e5b8dca0c0dbf1f9cc", "origins":[{"name":"us-app-dal01","address":"1.1.1.1","enabled":true,"header":{"host":["example.com"]}}, {"name":"us-app-dal02","address":"2.2.2.2","enabled":true}], "notification_email":"someone@example.com"}' -i "cis-demo"

ibmcloud cis glb-monitors

List GLB monitors for a service instance.

ibmcloud cis glb-monitors [-i, --instance INSTANCE] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all GLB monitors for instance cis-demo.

ibmcloud cis glb-monitors -i "cis-demo"

ibmcloud cis glb-monitor-create

Create a GLB monitor for a service instance.

ibmcloud cis glb-monitor-create (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-monitor-create (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

--json

The JSON file or JSON string used to describe a GLB monitor. Required.

  • The required fields in JSON data are type.
    • type: The protocol to use for the healthcheck. Valid values: HTTP, HTTPS, TCP.
  • The optional fields are description, timeout, retries, interval.
    • description: Description.
    • timeout: The timeout (in seconds) before marking the health check as failed.
    • retries: The number of retries to attempt in case of a timeout before marking the origin as unhealthy.
    • interval: The interval between each health check.
  • For a TCP health check, the extra required field is port.
    • port: The TCP port to use for the health check.
  • For an HTTP/HTTPS health check, the extra optional fields are port, expected_body, expected_codes, method, path, header, follow_redirects, allow_insecure, probe_zone.
    • port: The TCP port to use for the health check.
    • expected_body: A case-insensitive sub-string to look for in the response body.
    • expected_codes: The expected HTTP response code or code range of the health check.
    • method: The HTTP method to use for the health check.
    • path: The endpoint path to health check against.
    • header: The HTTP request headers to send in the health check.
    • follow_redirects: Follow redirects if returned by the origin.
    • allow_insecure: Do not validate the certificate when the monitor uses HTTPS.
    • probe_zone: Assign this monitor to emulate the specified zone while probing.

Sample JSON data:

For HTTP/HTTPS:

{
      "description": "Health monitor of web service",
      "type": "https",
      "method": "GET",
      "path": "/health",
      "header": {
         "Host": [
            "example.com"
         ],
         "X-App-ID": [
            "abc123"
         ]
      },
      "timeout": 5,
      "retries": 2,
      "interval": 90,
      "follow_redirects": true,
      "allow_insecure": false,
      "expected_codes": "2xx",
      "expected_body": "alive",
      "probe_zone": "example.com"
}

For TCP:

{
      "description": "Health monitor of TCP",
      "type": "tcp",
      "port": 80,
      "timeout": 5,
      "retries": 2,
      "interval": 90
}
-s, --json-str
Deprecated. The JSON data used to describe a GLB monitor.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a GLB monitor under instance cis-demo.

ibmcloud cis glb-monitor-create --json '{"type":"https", "description":"Health monitor of web service", "method":"GET", "path":"/health", "header":{"Host":["example.com"],"X-App-ID":["abc123"]}, "port":8080, "timeout":5, "retries":2, "interval":90, "expected_body":"alive", "expected_codes":"2xx", "follow_redirects":true, "allow_insecure":true}' -i "cis-demo"

ibmcloud cis glb-monitor

Show the details of a GLB monitor.

ibmcloud cis glb-monitor GLB_MON_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

GLB_MON_ID
The ID of the global load balancer monitor. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show the details of GLB monitor f1aba936b94213e5b8dca0c0dbf1f9cc.

ibmcloud cis glb-monitor f1aba936b94213e5b8dca0c0dbf1f9cc -i "cis-demo"

ibmcloud cis glb-monitor-delete

Delete the GLB monitor for a service instance.

ibmcloud cis glb-monitor-delete GLB_MON_ID [-i, --instance INSTANCE]

Command options

GLB_MON_ID
The ID of the global load balancer monitor. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete GLB monitor f1aba936b94213e5b8dca0c0dbf1f9cc.

ibmcloud cis glb-monitor-delete f1aba936b94213e5b8dca0c0dbf1f9cc -i "cis-demo"

ibmcloud cis glb-monitor-update

Update the GLB monitor for a service instance.

ibmcloud cis glb-monitor-update GLB_MON_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis glb-monitor-update GLB_MON_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

GLB_MON_ID

The ID of the global load balancer monitor. Required.

--json

The JSON file or JSON string used to describe a GLB monitor. Required.

  • The required fields in JSON data are type.
    • type: The protocol to use for the healthcheck. Valid values: HTTP, HTTPS, TCP.
  • The optional fields are description, timeout, retries, interval.
    • description: Description.
    • timeout: The timeout (in seconds) before marking the health check as failed.
    • retries: The number of retries to attempt in case of a timeout before marking the origin as unhealthy.
    • interval: The interval between each health check.
  • For a TCP health check, the extra required field is port.
    • port: The TCP port to use for the health check.
  • For an HTTP/HTTPS health check, the extra optional fields are port, expected_body, expected_codes, method, path, header, follow_redirects, allow_insecure, probe_zone.
    • port: The TCP port to use for the health check.
    • expected_body: A case-insensitive sub-string to look for in the response body.
    • expected_codes: The expected HTTP response code or code range of the health check.
    • method: The HTTP method to use for the health check.
    • path: The endpoint path to health check against.
    • header: The HTTP request headers to send in the health check.
    • follow_redirects: Follow redirects if returned by the origin.
    • allow_insecure: Do not validate the certificate when the monitor uses HTTPS.
    • probe_zone: Assign this monitor to emulate the specified zone while probing.

Sample JSON data:

For HTTP/HTTPS:

{
      "description": "Health monitor of web service",
      "type": "https",
      "method": "GET",
      "path": "/health",
      "header": {
         "Host": [
            "example.com"
         ],
         "X-App-ID": [
            "abc123"
         ]
      },
      "timeout": 5,
      "retries": 2,
      "interval": 90,
      "follow_redirects": true,
      "allow_insecure": false,
      "expected_codes": "2xx",
      "expected_body": "alive",
      "probe_zone": "example.com"
}

For TCP:

{
      "description": "Health monitor of TCP",
      "type": "tcp",
      "port": 80,
      "timeout": 5,
      "retries": 2,
      "interval": 90
}
-s, --json-str
Deprecated. The JSON data used to describe a GLB monitor.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update GLB monitor f1aba936b94213e5b8dca0c0dbf1f9cc under instance cis-demo.

ibmcloud cis glb-monitor-update f1aba936b94213e5b8dca0c0dbf1f9cc --json '{"type":"https", "description":"Health monitor of web service", "method":"GET", "path":"/health", "header":{"Host":["example.com"],"X-App-ID":["abc123"]}, "port":8080, "timeout":5, "retries":2, "interval":90, "expected_body":"alive", "expected_codes":"2xx", "follow_redirects":true, "allow_insecure":true}' -i "cis-demo"
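
The monitor JSON accepted by glb-monitor-create and glb-monitor-update can be checked before it is submitted. The following is an added example, not part of the CIS CLI: the function name lint_monitor, the severity labels, and the numeric range checks are assumptions, and the field lists are the ones given on this page.

```python
import json

# Field names are the ones this page lists for GLB monitors.
COMMON_FIELDS = {"type", "description", "timeout", "retries", "interval"}
TCP_FIELDS = {"port"}
HTTP_FIELDS = {"port", "expected_body", "expected_codes", "method", "path",
               "header", "follow_redirects", "allow_insecure", "probe_zone"}


def _is_int(value, minimum):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value >= minimum


def lint_monitor(raw):
    """Return a list of (severity, message) findings for a monitor JSON string."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [("error", f"invalid JSON: {exc.msg} (char {exc.pos})")]
    if not isinstance(doc, dict):
        return [("error", "monitor definition must be a JSON object")]

    mtype = doc.get("type")
    if not isinstance(mtype, str) or mtype.lower() not in {"http", "https", "tcp"}:
        return [("error", "type is required; valid values are HTTP, HTTPS, TCP")]
    mtype = mtype.lower()
    findings = []

    # Fields outside the documented set are usually typos that get ignored.
    allowed = COMMON_FIELDS | (TCP_FIELDS if mtype == "tcp" else HTTP_FIELDS)
    for key in sorted(set(doc) - allowed):
        findings.append(("warning", f"'{key}' is not a documented field for {mtype} monitors"))

    if mtype == "tcp" and "port" not in doc:
        findings.append(("error", "port is required for TCP monitors"))
    if "port" in doc and not (_is_int(doc["port"], 1) and doc["port"] <= 65535):
        findings.append(("error", "port must be an integer between 1 and 65535"))
    for key in ("timeout", "retries", "interval"):
        if key in doc and not _is_int(doc[key], 0):
            findings.append(("error", f"{key} must be a non-negative integer"))

    # The samples on this page give each header name a list of string values.
    header = doc.get("header", {})
    if not isinstance(header, dict) or not all(
            isinstance(v, list) and all(isinstance(s, str) for s in v)
            for v in header.values()):
        findings.append(("error", "header must map each name to a list of strings"))

    # The security-relevant setting: certificate validation switched off.
    if mtype == "https" and doc.get("allow_insecure") is True:
        findings.append(("warning", "allow_insecure is true: the origin certificate is not validated"))
    return findings


# Constructed samples that reuse field values shown on this page.
STRICT = ('{"type":"https","method":"GET","path":"/health",'
          '"header":{"Host":["example.com"]},"timeout":5,"retries":2,'
          '"interval":90,"allow_insecure":false,"expected_codes":"2xx"}')
RELAXED = ('{"type":"https","path":"/health","port":8080,"timeout":5,'
           '"retries":2,"interval":90,"allow_insecure":true}')
TCP_NO_PORT = '{"type":"tcp","timeout":5,"retries":2,"interval":90}'

if __name__ == "__main__":
    for label, raw in (("strict", STRICT), ("relaxed", RELAXED), ("tcp", TCP_NO_PORT)):
        print(label, lint_monitor(raw) or "ok")
```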

ibmcloud cis glb-events

List status changes from origins connected to a GLB monitor.

ibmcloud cis glb-events [-s, --since START_DATE] [-u, --until END_DATE] [--origin-name ORIGIN_NAME] [--pool-name POOL_NAME]
                        [--origin-healthy (true | false)] [--pool-healthy (true | false)]
                        [-i, --instance INSTANCE]  [--output FORMAT]

Command options

-s, --since
Start date of the requested data period, in ISO 8601 format. For example, 2018-11-26.
-u, --until
End date of the requested data period, in ISO 8601 format. For example, 2018-11-28.
--origin-name
The name for the origin to filter for.
--pool-name
The name for the pool to filter for.
--origin-healthy
If true, filter events where the origin status is healthy; if false, filter events where the origin status is unhealthy. The default value is true. Valid values are true and false.
--pool-healthy
If true, filter events where the pool status is healthy; if false, filter events where the pool status is unhealthy. The default value is true. Valid values are true and false.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get GLB events in instance cis-demo.

ibmcloud cis glb-events -s "2020-05-20" -u "2020-05-22" --origin-name "dal09" --origin-healthy true -i "cis-demo"

Instant Logs

Create and get logs of serverless functions instantly by using the following instant-log commands.

instant-log-create

Creates an instant logs job for a domain. The command returns a Destination, which is valid for 60 minutes.

cis instant-log-create DNS_DOMAIN_ID [--fields FIELD1,FIELD2,FIELD3|all] [--filter FILTER] [--sample SAMPLE] [-i, --instance INSTANCE] [--output FORMAT] [-h, --help HELP]

You can have only one active Instant Logs session per domain and the maximum session time is 60 minutes.

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--fields

Define the set of fields to return.

  • This must be specified as a comma-separated list without any whitespace, and all fields must exist.
  • The order in which fields are specified doesn't matter, and the order of fields in the response is not specified.
  • The fields are expected to be case sensitive.
--filter

Filters to drill down into specific events. Filters consist of three parts: key, operator and value. For information about supported operators, see Using fields, functions, and expressions.

--sample

The sample rate of the records set by the client: sample: 1 is 100% of records.

-i, --instance

Instance name or ID. If not set, the context instance specified by cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

-h, --help

Get help on this command.

Examples

Create an instant log for dns-domain:

cis instant-log-create dns-domain [--fields all] [--filter FILTER] [--sample 1] [-i cis-demo]

Here are three examples of filters:

  • Filter when client IP country is not Canada:

    "filter": "{\"where\":{\"and\":[{\"key\":\"ClientCountry\",\"operator\":\"neq\",\"value\":\"ca\"}]}}"

  • Filter when the status code returned from CIS is either 200 or 201:

    "filter": "{\"where\":{\"and\":[{\"key\":\"EdgeResponseStatus\",\"operator\":\"in\",\"value\":\"200,201\"}]}}"

  • Filter when the request path contains "/static" and the request hostname is "example.com":

    "filter": "{\"where\":{\"and\":[{\"key\":\"ClientRequestPath\",\"operator\":\"contains\",\"value\":\"/static\"},{\"key\":\"ClientRequestHost\",\"operator\":\"eq\",\"value\":\"example.com\"}]}}"

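Escaping these filters by hand is error-prone, so they are easier to generate and check programmatically. The following is an added example, not part of the CIS CLI: the function names are assumptions, the where/and layout is taken from the examples on this page, and the operator set is limited to the operators those examples use.

```python
import json

# Operators that appear in this page's Instant Logs examples. The full list is in
# the document the page links to, so this set is an assumption.
EXAMPLE_OPERATORS = {"eq", "neq", "in", "contains"}


def build_filter(conditions):
    """Build the filter JSON from (key, operator, value) triples, all ANDed."""
    clauses = []
    for key, operator, value in conditions:
        if operator not in EXAMPLE_OPERATORS:
            raise ValueError(f"operator not covered by this example: {operator}")
        if isinstance(value, (list, tuple)):
            # The page writes multi-value operands as one comma-separated string.
            value = ",".join(str(item) for item in value)
        clauses.append({"key": key, "operator": operator, "value": str(value)})
    if not clauses:
        raise ValueError("at least one condition is required")
    return json.dumps({"where": {"and": clauses}}, separators=(",", ":"))


def as_request_field(filter_json):
    """Render the escaped '"filter": "..."' form shown on this page."""
    return '"filter": ' + json.dumps(filter_json)


def check_filter(filter_json):
    """Parse a hand-written filter; return its clauses or raise ValueError."""
    doc = json.loads(filter_json)  # json.JSONDecodeError is a ValueError
    try:
        clauses = doc["where"]["and"]
    except (KeyError, TypeError):
        raise ValueError("expected an object of the form where -> and -> [clauses]") from None
    if not isinstance(clauses, list):
        raise ValueError("'and' must hold a list of clauses")
    for clause in clauses:
        if not isinstance(clause, dict) or set(clause) != {"key", "operator", "value"}:
            raise ValueError(f"clause is not a key/operator/value triple: {clause!r}")
    return clauses


if __name__ == "__main__":
    combined = build_filter([
        ("ClientRequestPath", "contains", "/static"),
        ("ClientRequestHost", "eq", "example.com"),
    ])
    print(as_request_field(combined))
    print(len(check_filter(combined)), "clauses")
```
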
instant-log-get

Get the instant logs job for a domain.

cis instant-log-get DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT] [-h, --help HELP]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance specified by cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported now.
-h, --help
Help on this command.

Example

Get the instant logs job for dns-domain:

cis instant-log-get dns-domain [-i cis-demo]

Logpull

ibmcloud cis logpull

Manipulate Logpull services by using the following logpull commands.

ibmcloud cis logpull DNS_DOMAIN_ID --available-fields [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--available-fields
List of all available fields.
--ray-id
Lookup logs by specific Ray ID.
--fields
Define field set in return. This must be specified as a comma separated list without any spaces, and all fields must exist. The order in which fields are specified doesn't matter, and the order of fields in the response is not specified. Note that fields are expected to be case sensitive.
--start
The (inclusive) beginning of the requested time frame. This can be a unix timestamp (in seconds or nanoseconds), or an absolute timestamp that conforms to RFC 3339. At this point in time, it cannot exceed a time in the past greater than 7 days. Default is 65 minutes earlier.
--end
The (exclusive) end of the requested time frame. This can be a unix timestamp (in seconds or nanoseconds), or an absolute timestamp that conforms to RFC 3339. The end must be at least 5 minutes earlier than now and must be later than start. Difference between start and end must be not greater than 1h. Default is 5 minutes earlier.
--count
Number of logs to retrieve. The default value is -1.
--sample
Percentage of sampling. When sample is provided, a sample of matching records is returned. If sample=0.1 then 10% of records will be returned. Sampling is random: repeated calls will not only return different records, but likely will also vary slightly in number of returned records. When count is also specified, count is applied to the number of returned records, not the sampled records. So, with sample=0.05 and count=7, when there is a total of 100 records available, approximately 5 will be returned. When there are 1000 records, 7 will be returned. When there are 10,000 records, 7 will be returned. The default value is 1.
--timestamps
Set the format in which response timestamps are returned. Valid values: unix, unixnano, rfc3339.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --available-fields
ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --ray-id 59348abde87afe50 --all-fields --timestamps rfc3339 --output JSON
ibmcloud cis logpull 31984fea73a15b45779fa0df4ef62f9b --start 2020-05-18T12:14:58Z --end 2020-05-18T13:14:58Z --fields ClientIP,EdgeServerIP,ClientRequestHost --count 10 --sample 1 --timestamps rfc3339 --output JSON
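
The --start and --end limits above mean that a longer investigation period has to be pulled as a series of windows of at most one hour. The following is an added example, not part of the CIS CLI: it checks a window against the limits stated on this page and splits a longer period into valid windows. The function names and the rule for telling second timestamps from nanosecond timestamps are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Limits stated on this page for ibmcloud cis logpull.
MAX_AGE = timedelta(days=7)             # --start cannot be older than this
MIN_LAG = timedelta(minutes=5)          # --end must be at least this far behind now
MAX_SPAN = timedelta(hours=1)           # largest allowed end - start
DEFAULT_START_LAG = timedelta(minutes=65)


def parse_ts(value):
    """Parse an RFC 3339 string or a unix timestamp (seconds or nanoseconds) to UTC."""
    text = str(value).strip()
    if text.isdigit():
        number = int(text)
        # Assumption: anything above 10**12 is nanoseconds, not seconds.
        if number > 10**12:
            seconds, nanos = divmod(number, 10**9)
            return (datetime.fromtimestamp(seconds, tz=timezone.utc)
                    + timedelta(microseconds=nanos // 1000))
        return datetime.fromtimestamp(number, tz=timezone.utc)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {text}")
    return parsed.astimezone(timezone.utc)


def fmt(moment):
    """Format a UTC datetime the way the page's --start/--end examples do."""
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def check_window(start=None, end=None, now=None):
    """Return (start, end, problems); omitted values take the documented defaults."""
    now = now or datetime.now(timezone.utc)
    start_dt = parse_ts(start) if start is not None else now - DEFAULT_START_LAG
    end_dt = parse_ts(end) if end is not None else now - MIN_LAG
    problems = []
    if now - start_dt > MAX_AGE:
        problems.append("start is more than 7 days in the past")
    if now - end_dt < MIN_LAG:
        problems.append("end must be at least 5 minutes earlier than now")
    if end_dt <= start_dt:
        problems.append("end must be later than start")
    elif end_dt - start_dt > MAX_SPAN:
        problems.append("difference between start and end is greater than 1h")
    return start_dt, end_dt, problems


def hourly_windows(start, end, now=None):
    """Split [start, end) into consecutive windows that each satisfy the limits."""
    now = now or datetime.now(timezone.utc)
    cursor, stop = parse_ts(start), parse_ts(end)
    if now - cursor > MAX_AGE:
        raise ValueError("start is more than 7 days in the past")
    stop = min(stop, now - MIN_LAG)      # the most recent 5 minutes are not available
    windows = []
    while cursor < stop:
        upper = min(cursor + MAX_SPAN, stop)
        windows.append((fmt(cursor), fmt(upper)))
        cursor = upper
    return windows


if __name__ == "__main__":
    fixed_now = parse_ts("2020-05-18T14:00:00Z")   # constructed reference time
    for lower, upper in hourly_windows("2020-05-18T10:30:00Z", "2020-05-18T14:00:00Z", fixed_now):
        print("--start", lower, "--end", upper)
```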

Log push (Enterprise plan only)

ibmcloud cis logpush-job-create

Create a new log push job for a domain. Before using this command, grant write access to your IBM Cloud Object Storage bucket to the IBM Cloud account cislogp@us.ibm.com. (Enterprise plan only)

ibmcloud cis logpush-job-create DNS_DOMAIN_ID --destination DESTINATION_URL --name NAME [--enable true|false] [--fields FIELDS | all] [--timestamps format] [--dataset DATASET] [--frequency FREQUENCY] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--destination
Specify a COS bucket path or a LogDNA path where data will be pushed.
  • Syntax for LogDNA Path: https://{LOGS_REGION_URL}?hostname={DOMAIN}&apikey={LOGDNA_INGRESS_KEY}

    Example: 'https://logs.eu-de.logging.cloud.ibm.com/logs/ingest?hostname=testv2_logpush&apikey=xxxxxx'

  • Syntax for COS Path: cos://<BUCKET_OBJECT_PATH>?region=<REGION>&instance-id=<IBM_CLOUD_OBJECT_STORAGE_INSTANCE_ID>

    Example: 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'

  • To separate logs into daily subfolders, use the special string {DATE} in the bucket path. It will be substituted with the date in YYYYMMDD format, for example '20190423'. Subfolders will be created as appropriate, for example:

    'cos://cis-test-bucket/logs/{DATE}?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'

--name
Job name. Required.
--enable
Enable the job. The job is disabled by default.
--fields
Define the list of log fields to be included in log files. Multiple fields can be separated by commas. Use the command ibmcloud cis logpush-available-fields DNS_DOMAIN_ID to get the comprehensive list of available log fields, or use all to include all available fields in log files. Note that fields are expected to be case sensitive.
--timestamps
Set the format in which response timestamps are returned. Valid values: unix, unixnano, rfc3339.
--dataset
The category of logs you want to receive. This value cannot be changed after the job is created. Valid values: http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.
--frequency
The frequency at which CIS sends batches of logs to your destination. Setting frequency to high sends your logs in larger quantities of smaller files. Setting frequency to low sends logs in smaller quantities of larger files. Valid values: high, low.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-create 31984fea73a15b45779fa0df4ef62f9b --destination 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd' --name logpushcreate --enable true --fields all --timestamps rfc3339 --dataset http_requests --frequency low -i cis-demo --output JSON

ibmcloud cis logpush-job-update

Update a log push job for a domain (Enterprise plan only).

ibmcloud cis logpush-job-update DNS_DOMAIN_ID [--destination DESTINATION_URL] [--enable true|false] [--fields FIELDS | all] [--timestamps format] [--dataset DATASET] [--jobid JOB_ID] [--frequency FREQUENCY] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--destination
Specify a COS bucket path or a LogDNA path where data will be pushed.
  • Syntax for LogDNA Path: https://{LOGS_REGION_URL}?hostname={DOMAIN}&apikey={LOGDNA_INGRESS_KEY}

    Example: 'https://logs.eu-de.logging.cloud.ibm.com/logs/ingest?hostname=testv2_logpush&apikey=xxxxxx'

  • Syntax for COS Path: cos://<BUCKET_OBJECT_PATH>?region=<REGION>&instance-id=<IBM_CLOUD_OBJECT_STORAGE_INSTANCE_ID>

    Example: 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'

  • To separate logs into daily subfolders, use the special string {DATE} in the bucket path. It will be substituted with the date in YYYYMMDD format, for example '20190423'. Subfolders will be created as appropriate, for example:

    'cos://cis-test-bucket/logs/{DATE}?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd'
--enable
Enable the job. The job is disabled by default.
--fields
Define the list of log fields to be included in log files. Multiple fields can be separated by commas. Use the command ibmcloud cis logpush-available-fields DNS_DOMAIN_ID to get the comprehensive list of available log fields, or use all to include all available fields in log files. Note that fields are expected to be case sensitive.
--timestamps
Set the format in which response timestamps are returned. Valid values: unix, unixnano, rfc3339.
--dataset
The category of logs you want to receive. This value cannot be changed after the job is created. Valid values: http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.
--jobid
JOB_ID is the ID of logpush job.
--frequency
The frequency at which CIS sends batches of logs to your destination. Setting frequency to high sends your logs in larger quantities of smaller files. Setting frequency to low sends logs in smaller quantities of larger files. Valid values: high, low.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update range_events log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-update 31984fea73a15b45779fa0df4ef62f9b --destination 'cos://cis-test-bucket/logs?region=us&instance-id=f75e6d90-4212-4026-851c-d572071146cd' --enable true --fields all --timestamps rfc3339 --dataset range_events --frequency high -i cis-demo --output JSON
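
The --destination value used by logpush-job-create and logpush-job-update contains ? and &, which a shell interprets unless the value is quoted, and the LogDNA form carries an ingestion key in the URL. The following is an added example, not part of the CIS CLI: it checks a destination against the two syntaxes on this page, quotes it for the shell, and masks the key before the value is written to logs. The function names and the REDACTED marker are assumptions.

```python
import re
import shlex
from datetime import date
from urllib.parse import parse_qsl, urlsplit

# Destination examples copied from this page.
COS_EXAMPLE = ("cos://cis-test-bucket/logs?region=us"
               "&instance-id=f75e6d90-4212-4026-851c-d572071146cd")
LOGDNA_EXAMPLE = ("https://logs.eu-de.logging.cloud.ibm.com/logs/ingest"
                  "?hostname=testv2_logpush&apikey=xxxxxx")


def check_destination(dest):
    """Return (kind, problems) for a --destination value."""
    parts = urlsplit(dest)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    problems = []
    if parts.scheme == "cos":
        kind, required = "cos", ("region", "instance-id")
        if not parts.netloc:
            problems.append("missing bucket name")
    elif parts.scheme == "https":
        kind, required = "logdna", ("hostname", "apikey")
    else:
        return "unknown", [f"unsupported scheme '{parts.scheme}'"]
    for name in required:
        if not query.get(name):
            problems.append(f"missing query parameter '{name}'")
    return kind, problems


def redact(dest):
    """Mask the apikey value so the destination can be logged or pasted in a ticket."""
    return re.sub(r"(?i)([?&]apikey=)[^&#]*", r"\1REDACTED", dest)


def preview_path(dest, day):
    """Show the path that {DATE} expands to for an ISO date such as 2019-04-23."""
    return dest.replace("{DATE}", date.fromisoformat(day).strftime("%Y%m%d"))


def create_command(domain_id, dest, name):
    """Build a copy-paste-safe command line; shlex quotes the '?' and '&'."""
    argv = ["ibmcloud", "cis", "logpush-job-create", domain_id,
            "--destination", dest, "--name", name]
    return shlex.join(argv)


if __name__ == "__main__":
    for candidate in (COS_EXAMPLE, LOGDNA_EXAMPLE):
        kind, problems = check_destination(candidate)
        print(kind, problems or "ok", redact(candidate))
    print(create_command("31984fea73a15b45779fa0df4ef62f9b", COS_EXAMPLE, "logpushcreate"))
```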

ibmcloud cis logpush-jobs

Get all log push jobs for a domain (Enterprise plan only).

ibmcloud cis logpush-jobs DNS_DOMAIN_ID  [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get all log push jobs for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-jobs 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

ibmcloud cis logpush-job

Get the details of a log push job for a domain (Enterprise plan only).

ibmcloud cis logpush-job DNS_DOMAIN_ID [--dataset DATASET] [--jobid JOB_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--dataset
The category of logs you want to receive. This value cannot be changed after the job is created. Valid values: http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.
--jobid
JOB_ID is the ID of logpush job.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of http_requests log push job.

ibmcloud cis logpush-job 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo --output JSON

ibmcloud cis logpush-job-delete

Delete a log push job for a domain (Enterprise plan only).

ibmcloud cis logpush-job-delete DNS_DOMAIN_ID [--dataset DATASET] [--jobid JOB_ID] [-f, --force] [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--dataset
The category of logs you want to receive. This value cannot be changed after the job is created. Valid values: http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.
--jobid
JOB_ID is the ID of logpush job.
-f, --force
Delete log push job without prompting for confirmation.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete http_requests log push job for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis logpush-job-delete 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo --force

ibmcloud cis logpush-available-fields

Get all available fields for a data set (Enterprise plan only).

ibmcloud cis logpush-available-fields DNS_DOMAIN_ID [--dataset DATASET] [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--dataset
The category of logs you want to receive. This value cannot be changed after the job is created. Valid values: http_requests, range_events, firewall_events, dns_logs. The default value is http_requests.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Get all available fields for http_requests logs.

ibmcloud cis logpush-available-fields 31984fea73a15b45779fa0df4ef62f9b --dataset http_requests -i cis-demo

Log retention (Enterprise plan only)

ibmcloud cis log-retention

Get log retention setting for the domain.

ibmcloud cis log-retention DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get log retention setting for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis log-retention 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

ibmcloud cis log-retention-update

Update log retention setting for the domain.

ibmcloud cis log-retention-update DNS_DOMAIN_ID (--flag on|off) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--flag
Whether to turn log retention on or off. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Enable log retention for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis log-retention-update 31984fea73a15b45779fa0df4ef62f9b --flag on -i cis-demo --output JSON

Metrics

Manipulate metrics by using the following metrics commands.

ibmcloud cis firewall-event-analytics

Retrieve a full log of firewall events.

ibmcloud cis firewall-event-analytics DNS_DOMAIN_ID [--dataset DATA_SET] [--filter FILTER] [--order FILTER_ORDER] [--limit LIMIT_NUMBER] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

Requested dataset. The default value is firewallEventsAdaptiveGroups.

Use the following table to identify which datasets are included in your plan and the range of historical data you can query.

Datasets included in your plan
Dataset | Trial / Standard / Standard-Next | Enterprise / Security / GLB
firewallEventsAdaptiveGroups | 30 days | 30 days
firewallEventsAdaptive | 30 days | 30 days
--filter

Filter events. The default value is the last 6 hours of data.

The following operators are supported for all filter options:

Operators supported for filter options
Operator | Comparison
gt | greater than
lt | less than
geq | greater or equal to
leq | less or equal to
neq | not equal
in | in
  • firewallEventsAdaptiveGroups filter options.
    • datetime
    • datetimeFifteenMinutes
    • datetimeHour
    • datetimeFiveMinutes
    • datetimeMinute
    • matchIndex
    • sampleInterval
  • The following filter options support like and notlike operators.
    • action
    • clientASNDescription
    • clientAsn
    • clientCountryName
    • clientIP
    • clientRefererHost
    • clientRefererPath
    • clientRefererQuery
    • clientRefererScheme
    • clientRequestHTTPHost
    • clientRequestHTTPMethodName
    • clientRequestHTTPProtocol
    • clientRequestPath
    • clientRequestQuery
    • clientRequestScheme
    • edgeColoName
    • edgeResponseStatus
    • kind
    • originResponseStatus
    • originatorRayName
    • rayName
    • ref
    • ruleId
    • source
    • userAgent
--order

Output order. (default: "datetime_ASC")

The following order options are available for the corresponding dataset. Every order option supports the ASC and DESC actions. Combine an order option and an action with _.

For example, datetime_ASC orders by datetime ascending.

  • firewallEventsAdaptiveGroups order options.
    • datetime
    • datetimeFifteenMinutes
    • datetimeHour
    • datetimeFiveMinutes
    • datetimeMinute
    • action
    • avg_sampleInterval
    • clientASNDescription
    • clientAsn
    • clientCountryName
    • clientIPClass
    • clientIP
    • clientRefererHost
    • clientRefererPath
    • clientRefererQuery
    • clientRefererScheme
    • clientRequestHTTPHost
    • clientRequestHTTPMethodName
    • clientRequestHTTPProtocol
    • clientRequestPath
    • clientRequestQuery
    • clientRequestScheme
    • count
    • edgeColoName
    • edgeResponseStatus
    • kind
    • matchIndex
    • originResponseStatus
    • originatorRayName
    • rayName
    • ref
    • ruleId
    • sampleInterval
    • source
    • userAgent
    • visibility
--limit

The number of events to return. (minimum: 1, maximum: 10000, default: 10000)

-i, --instance

Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Get firewall event analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis firewall-event-analytics 31984fea73a15b45779fa0df4ef62f9b --order datetime_ASC \
     --filter "datetime_geq:2020-06-28T00:00:00Z"  --filter "datetime_leq:2020-06-29T00:00:00Z" --output json
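The filter, order and limit rules above can be checked before the CLI is ever called. The following Python sketch is an added example, not IBM's code: it builds the argument list for `ibmcloud cis firewall-event-analytics` and splits a long period into sub-windows so a busy period is less likely to be cut off at the 10000-event limit. The function names are hypothetical, and it assumes every filter takes the `FIELD_OPERATOR:VALUE` form of the example above and that `datetime` values use that example's UTC timestamp format.

```python
from datetime import datetime, timedelta

# Option names copied from this page's lists for firewallEventsAdaptiveGroups.
COMPARE_OPS = {"gt", "lt", "geq", "leq", "neq", "in"}
LIKE_OPS = {"like", "notlike"}
BASIC_FIELDS = {"datetime", "datetimeFifteenMinutes", "datetimeHour",
                "datetimeFiveMinutes", "datetimeMinute", "matchIndex",
                "sampleInterval"}
LIKE_FIELDS = {
    "action", "clientASNDescription", "clientAsn", "clientCountryName",
    "clientIP", "clientRefererHost", "clientRefererPath", "clientRefererQuery",
    "clientRefererScheme", "clientRequestHTTPHost",
    "clientRequestHTTPMethodName", "clientRequestHTTPProtocol",
    "clientRequestPath", "clientRequestQuery", "clientRequestScheme",
    "edgeColoName", "edgeResponseStatus", "kind", "originResponseStatus",
    "originatorRayName", "rayName", "ref", "ruleId", "source", "userAgent",
}
FILTER_FIELDS = BASIC_FIELDS | LIKE_FIELDS
# The order list adds four names that are not filter options.
ORDER_FIELDS = FILTER_FIELDS | {"avg_sampleInterval", "clientIPClass",
                                "count", "visibility"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # assumption: timestamp form of the page's example
MAX_LIMIT = 10000


def filter_arg(field, op, value):
    """Return one --filter value in FIELD_OPERATOR:VALUE form, or raise ValueError."""
    if field not in FILTER_FIELDS:
        raise ValueError(f"unknown filter option: {field}")
    allowed = COMPARE_OPS | (LIKE_OPS if field in LIKE_FIELDS else set())
    if op not in allowed:
        raise ValueError(f"operator {op!r} is not supported for {field}")
    if field == "datetime":
        datetime.strptime(value, TS)  # raises ValueError on any other format
    return f"{field}_{op}:{value}"


def order_arg(field, direction="ASC"):
    """Return an --order value such as datetime_ASC, or raise ValueError."""
    if field not in ORDER_FIELDS:
        raise ValueError(f"unknown order option: {field}")
    if direction not in ("ASC", "DESC"):
        raise ValueError("direction must be ASC or DESC")
    return f"{field}_{direction}"


def firewall_events_argv(domain_id, filters, order=("datetime", "ASC"),
                         limit=MAX_LIMIT, instance=None):
    """Build an argv list; pass it to subprocess.run() as a list, never via a shell."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    argv = ["ibmcloud", "cis", "firewall-event-analytics", domain_id,
            "--order", order_arg(*order), "--limit", str(limit)]
    for spec in filters:
        argv += ["--filter", filter_arg(*spec)]
    if instance:
        argv += ["-i", instance]
    return argv + ["--output", "json"]


def windows(start, end, step_hours=1):
    """Split [start, end) into sub-windows of at most step_hours each.

    A query that returns exactly the limit may be truncated; querying
    smaller windows (geq start, lt end) keeps each result under the cap.
    """
    t, stop = datetime.strptime(start, TS), datetime.strptime(end, TS)
    out = []
    while t < stop:
        nxt = min(t + timedelta(hours=step_hours), stop)
        out.append((t.strftime(TS), nxt.strftime(TS)))
        t = nxt
    return out


if __name__ == "__main__":
    # Domain ID and instance name are the ones used in the page's examples.
    for lo, hi in windows("2020-06-28T00:00:00Z", "2020-06-29T00:00:00Z", 6):
        print(firewall_events_argv(
            "31984fea73a15b45779fa0df4ef62f9b",
            [("datetime", "geq", lo), ("datetime", "lt", hi)],
            instance="cis-demo"))
```
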

ibmcloud cis http-request-analytics

Retrieve a full log of HTTP request events.

ibmcloud cis http-request-analytics DNS_DOMAIN_ID [--dataset DATA_SET] [--filter FILTER] [--order FILTER_ORDER] [--limit LIMIT_NUMBER] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--dataset

Requested dataset. The default value is httpRequests1dGroups. Use the following table to identify which datasets are included in your plan and the range of historical data you can query.

Identify datasets included in your plan
Dataset | Trial / Standard / Standard-next | Enterprise / Security / GLB
httpRequests1dGroups | 365 days | 365 days
httpRequests1hGroups | 30 days | 90 days
httpRequests1mGroups | 3 days | 7 days
--filter

Filter events. The default value is the last 7 days of data. The following operators are supported for all filter options:

Operators supported for filter options
Operator | Comparison
gt | greater than
lt | less than
geq | greater or equal to
leq | less or equal to
neq | not equal
in | in
  • httpRequests1dGroups and httpRequests1hGroups filter options.

    • date
  • httpRequests1mGroups filter options.

    • datetime
    • datetimeFifteenMinutes
    • datetimeHour
    • datetimeDay
--order

Output order. (default: "datetime_ASC")

The following order options are available for the corresponding dataset. Every order option supports the ASC and DESC actions. Combine an order option and an action with _.

For example, date_ASC orders by date ascending.

  • Common order options for every http dataset.
    • orderByParams
    • date
    • sum_bytes
    • sum_cachedBytes
    • sum_cachedRequests
    • sum_requests
  • httpRequests1dGroups order options.
    • avg_bytes
    • sum_encryptedBytes
    • sum_encryptedRequests
    • sum_pageViews
    • sum_threats
    • uniq_uniques
  • httpRequests1hGroups order options.
    • avg_bytes
    • sum_encryptedBytes
    • sum_encryptedRequests
    • sum_pageViews
    • sum_threats
    • uniq_uniques
    • datetime
  • httpRequests1mGroups order options.
    • avg_bytes
    • sum_encryptedBytes
    • sum_encryptedRequests
    • sum_pageViews
    • sum_threats
    • uniq_uniques
    • datetime
    • datetimeFifteenMinutes
    • datetimeHour
    • datetimeDay
--limit

The number of events to return. (minimum: 1, maximum: 10000, default: 10000)

-i, --instance

Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Get http request analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis http-request-analytics 31984fea73a15b45779fa0df4ef62f9b --order date_ASC \
     --dataset httpRequests1dGroups --limit 500 \
     --filter "date_geq:2020-06-28"  --filter "date_leq:2020-06-29" --output json

ibmcloud cis web-analytics (Deprecated)

Web analytics will be deprecated on November 2, 2020. Use ibmcloud cis http-request-analytics instead. Get analytics of the DNS domain.

ibmcloud cis web-analytics DNS_DOMAIN_ID [--recent DURATION] [-t, --table requests | bandwidth | uniques | threats | status_code] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--recent
The beginning of the requested time frame. Valid values are: 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago), 1m (1 month ago), 2m, 3m. The default value is 1w.
-t, --table
Output table. Valid values are requests, bandwidth, uniques, threats and status_code. If not set, it outputs all the tables.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get web analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis web-analytics 31984fea73a15b45779fa0df4ef62f9b --recent 1d -t requests -i "cis-demo"

ibmcloud cis dns-analytics

Get DNS analytics of the domain.

ibmcloud cis dns-analytics DNS_DOMAIN_ID DIMENSION [-s, --since TIME] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
DIMENSION
The queried dimension. Valid values: queries-by-response-code, queries-by-type, queries-by-name. Required.
-s, --since
The start of the requested time frame, which runs up to now. Valid values are: 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago).
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get DNS analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis dns-analytics 31984fea73a15b45779fa0df4ef62f9b queries-by-response-code -s 6h -i "cis-demo" --output json

ibmcloud cis ratelimit-analytics

Get rate limit analytics for a DNS domain.

ibmcloud cis ratelimit-analytics DNS_DOMAIN_ID [--recent DURATION] [--time-delta SECONDS] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--recent
The beginning of the requested time frame. Valid values are: 6h (6 hours ago), 12h, 1d (1 day ago), 1w (1 week ago), 1m (1 month ago), 2m, 3m. The default value is 1w.
--time-delta
The time interval (seconds) of each analytic's record. Valid values: 60, 3600, 86400, 2592000. The default value is 3600.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get rate limit analytics for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis ratelimit-analytics 31984fea73a15b45779fa0df4ef62f9b --recent 6h --time-delta 3600 -i "cis-demo" --output json

MTLS enable

ibmcloud cis access-enable

Enable Mutual TLS for a service instance (Enterprise plan only).

ibmcloud cis access-enable [-i, --instance INSTANCE]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Enable Mutual TLS for instance cis-demo.

ibmcloud cis access-enable -i cis-demo

Origin certificates

ibmcloud cis origin-certificates

List all origin certificates for a DNS domain.

ibmcloud cis origin-certificates DNS_DOMAIN_ID [--instance INSTANCE_NAME] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all origin certificates for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis origin-certificates 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

ibmcloud cis origin-certificate-create

Create a CIS-signed certificate.

ibmcloud cis origin-certificate-create DNS_DOMAIN_ID [--request-type REQUEST_TYPE] [--hostnames HOST_NAME1] [--hostnames HOST_NAME2] [--requested-validity DAYS] [--csr CSR] [--instance INSTANCE_NAME] [--output FORMAT]
ibmcloud cis origin-certificate-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis origin-certificate-create DNS_DOMAIN_ID --json-str JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis origin-certificate-create DNS_DOMAIN_ID --json-file JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--request-type REQUEST_TYPE

Signature type desired on certificate. Valid values: origin-rsa, origin-ecc.

--hostnames HOSTNAME

Hostname or wildcard name bound to the certificate.

--requested-validity DAYS

The number of days for which the certificate should be valid. The default value is 5475.

--csr CSR

The Certificate Signing Request (CSR). If not set, CIS will generate one.

--json VALUE

The JSON file or JSON string used to describe an origin certificate.

  • The required fields in JSON data are request_type, hostnames.
    • request_type: Signature type desired on certificate. Valid values: origin-rsa, origin-ecc.
    • hostnames: Array of hostnames or wildcard names bound to the certificate.
  • The optional fields are requested_validity, csr.
    • requested_validity: The number of days for which the certificate should be valid. Valid values: 0, 7, 30, 90, 365, 730, 1095, 5475.
    • csr: The Certificate Signing Request (CSR). If not set, CIS will generate one.

Sample JSON data:

{
   "request_type": "origin-rsa",
   "hostnames": [
      "*.example.com",
      "example.com"
   ],
   "requested_validity": 5475,
   "csr": "your_csr"
}
-s, --json-str
Deprecated. The JSON data describing an origin certificate.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a CIS-signed certificate for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis origin-certificate-create 31984fea73a15b45779fa0df4ef62f9b --request-type origin-rsa --hostnames "*.example.com" --hostnames "example.com" --requested-validity 5475 --csr your_csr -i cis-demo --output JSON

ibmcloud cis origin-certificate-create 31984fea73a15b45779fa0df4ef62f9b --json '{"hostnames":["example.com","*.example.com"], "requested_validity":5475,"request_type": "origin-rsa","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIICxzCCAa8CAQAwSDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz\nY28xCzAJBgNVBAcTAkNBMRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALxejtu4b+jPdFeFi6OUsye8TYJQBm3WfCvL\nHu5EvijMO/4Z2TImwASbwUF7Ir8OLgH+mGlQZeqyNvGoSOMEaZVXcYfpR1hlVak8\n4GGVr+04IGfOCqaBokaBFIwzclGZbzKmLGwIQioNxGfqFm6RGYGA3be2Je2iseBc\nN8GV1wYmvYE0RR+yWweJCTJ157exyRzu7sVxaEW9F87zBQLyOnwXc64rflXslRqi\ng7F7w5IaQYOl8yvmk/jEPCAha7fkiUfEpj4N12+oPRiMvleJF98chxjD4MH39c5I\nuOslULhrWunfh7GB1jwWNA9y44H0snrf+xvoy2TcHmxvma9Eln8CAwEAAaA6MDgG\nCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFt\ncGxlLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAcBaX6dOnI8ncARrI9ZSF2AJX+8mx\npTHY2+Y2C0VvrVDGMtbBRH8R9yMbqWtlxeeNGf//LeMkSKSFa4kbpdx226lfui8/\nauRDBTJGx2R1ccUxmLZXx4my0W5iIMxunu+kez+BDlu7bTT2io0uXMRHue4i6quH\nyc5ibxvbJMjR7dqbcanVE10/34oprzXQsJ/VmSuZNXtjbtSKDlmcpw6To/eeAJ+J\nhXykcUihvHyG4A1m2R6qpANBjnA0pHexfwM/SgfzvpbvUg0T1ubmer8BgTwCKIWs\ndcWYTthM51JIqRBfNqy4QcBnX+GY05yltEEswQI55wdiS3CjTTA67sdbcQ==\n-----END CERTIFICATE REQUEST-----"}' -i cis-demo --output JSON
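A certificate request is easier to review when the `--json` payload is checked against the field rules above before it is submitted. The following Python sketch is an added example, not part of the CIS plug-in: it reports every problem it finds, including payloads that are not valid JSON at all (a trailing comma inside the hostnames array, for instance). The function names and the hostname syntax rule are assumptions.

```python
import json
import re

# Field names and valid values are the ones listed on this page.
REQUEST_TYPES = {"origin-rsa", "origin-ecc"}
VALIDITY_DAYS = {0, 7, 30, 90, 365, 730, 1095, 5475}
KNOWN_FIELDS = {"request_type", "hostnames", "requested_validity", "csr"}
PEM_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_END = "-----END CERTIFICATE REQUEST-----"
# Assumption: hostnames are dot-separated letter/digit/hyphen labels, and "*"
# is accepted only as the complete leftmost label.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_ok(name):
    """True for names like example.com or *.example.com."""
    if not isinstance(name, str) or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_origin_cert_request(text):
    """Return a list of problems in a --json payload; an empty list means it passes."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]

    problems = []
    rtype = data.get("request_type")
    if not isinstance(rtype, str) or rtype not in REQUEST_TYPES:
        problems.append(f"request_type must be one of {sorted(REQUEST_TYPES)}")

    hosts = data.get("hostnames")
    if not isinstance(hosts, list) or not hosts:
        problems.append("hostnames must be a non-empty array")
    else:
        problems += [f"bad hostname: {h!r}" for h in hosts if not hostname_ok(h)]

    if "requested_validity" in data:
        days = data["requested_validity"]
        if isinstance(days, bool) or not isinstance(days, int) \
                or days not in VALIDITY_DAYS:
            problems.append(f"requested_validity must be one of {sorted(VALIDITY_DAYS)}")

    if "csr" in data:
        csr = data["csr"]
        if not isinstance(csr, str) or not (
                csr.strip().startswith(PEM_BEGIN) and csr.strip().endswith(PEM_END)):
            problems.append("csr is not a PEM certificate request")

    for extra in sorted(set(data) - KNOWN_FIELDS):
        problems.append(f"unknown field: {extra}")
    return problems


if __name__ == "__main__":
    # Constructed payloads for illustration.
    samples = [
        '{"request_type": "origin-rsa", "hostnames": ["*.example.com", "example.com"]}',
        '{"request_type": "origin-rsa", "hostnames": ["example.com",]}',
        '{"request_type": "rsa", "hostnames": ["*.com"], "requested_validity": 100}',
    ]
    for payload in samples:
        print(check_origin_cert_request(payload) or "ok")
```
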

ibmcloud cis origin-certificate

Get details of an origin certificate.

ibmcloud cis origin-certificate DNS_DOMAIN_ID CERT_ID [--instance INSTANCE_NAME] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of the Origin Certificate. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of origin certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis origin-certificate 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo --output JSON

ibmcloud cis origin-certificate-delete

Delete an origin certificate.

ibmcloud cis origin-certificate-delete DNS_DOMAIN_ID CERT_ID [--instance INSTANCE_NAME]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of Origin Certificate. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete origin certificate a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis origin-certificate-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

Overview

View the overview information for a domain.

ibmcloud cis overview

Show the overview information for a domain.

ibmcloud cis overview DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE will be used.
--output
Specify output format, only JSON is supported.

Examples

Show the overview information for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis overview 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Page rules

Manipulate page rules by using the following page-rule commands.

ibmcloud cis page-rule-create

Create a page rule of the DNS domain.

ibmcloud cis page-rule-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis page-rule-create DNS_DOMAIN_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--json
The JSON file or JSON string used to describe a page rule. Required.
  • The required fields in JSON data are targets, actions:
    • targets: The target URL pattern to evaluate on a request.
    • actions: An array of actions to perform if the targets of this rule match the request. Available actions are:
      • disable_security
      • always_use_https
      • ssl
      • browser_cache_ttl
      • security_level
      • cache_level
      • edge_cache_ttl
      • bypass_cache_on_cookie
      • browser_check
      • server_side_exclude
      • email_obfuscation
      • automatic_https_rewrites
      • opportunistic_encryption
      • ip_geolocation
      • explicit_cache_control
      • cache_deception_armor
      • waf
      • forwarding_url
      • image_load_optimization
      • image_size_optimization
      • script_load_optimization
      • host_header_override
      • resolve_override
      • Some actions are limited to Enterprise plans:
        • cache_on_cookie
        • disable_apps
        • disable_performance
        • minify
        • origin_error_page_pass_thru
        • response_buffering
        • true_client_ip_header
        • sort_query_string_for_cache
        • respect_strong_etag
  • The optional fields are priority, status:
    • priority: A number that indicates the preference for a page rule over another. Default is 1.
    • status: Status of the page rule. The valid values are active and disabled (default).

Sample JSON data:

{
   "targets": [
      {
            "target": "url",
            "constraint": {
               "operator": "matches",
               "value": "*example.com/images/*"
            }
      }
   ],
   "actions": [
      {
            "id": "ssl",
            "value": "flexible"
      },
      {
            "id": "browser_cache_ttl",
            "value": 14400
      },
      {
            "id": "security_level",
            "value": "medium"
      },
      {
            "id": "cache_level",
            "value": "basic"
      },
      {
            "id": "edge_cache_ttl",
            "value": 7200
      },
      {
            "id": "bypass_cache_on_cookie",
            "value": "wp-.*|wordpress.*|comment_.*"
      }
   ]
}
-s, --json-str
Deprecated. The JSON data describing a page rule.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a page rule for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis page-rule-create 31984fea73a15b45779fa0df4ef62f9b --json '{"targets":[{"target":"url", "constraint":{"operator": "matches", "value":"*example.com/images/*"}}], "actions":[{"id":"always_online", "value":"on"}], "priority":1, "status": "active"}' -i cis-demo --output JSON

ibmcloud cis page-rule-update

Update the page rule of the DNS domain.

ibmcloud cis page-rule-update DNS_DOMAIN_ID PAGE_RULE_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis page-rule-update DNS_DOMAIN_ID PAGE_RULE_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
PAGE_RULE_ID
The ID of page rule. Required.
--json VALUE
The JSON file or JSON string used to describe a page rule. Required.
  • The required fields in JSON data are targets, actions:
    • targets: The target URL pattern to evaluate on a request.
    • actions: An array of actions to perform if the targets of this rule match the request. Available actions are:
      • disable_security
      • always_use_https
      • ssl
      • browser_cache_ttl
      • security_level
      • cache_level
      • edge_cache_ttl
      • bypass_cache_on_cookie
      • browser_check
      • server_side_exclude
      • email_obfuscation
      • automatic_https_rewrites
      • opportunistic_encryption
      • ip_geolocation
      • explicit_cache_control
      • cache_deception_armor
      • waf
      • forwarding_url
      • image_load_optimization
      • image_size_optimization
      • script_load_optimization
      • host_header_override
      • resolve_override
      • Some actions are limited to Enterprise plans:
        • cache_on_cookie
        • disable_apps
        • disable_performance
        • minify
        • origin_error_page_pass_thru
        • response_buffering
        • true_client_ip_header
        • sort_query_string_for_cache
        • respect_strong_etag
  • The optional fields are priority, status:
    • priority: A number that indicates the preference for a page rule over another. Default is 1.
    • status: Status of the page rule. The valid values are active and disabled, default is disabled.

Sample JSON data:

{
   "targets": [
      {
            "target": "url",
            "constraint": {
               "operator": "matches",
               "value": "*example.com/images/*"
            }
      }
   ],
   "actions": [
      {
            "id": "ssl",
            "value": "flexible"
      },
      {
            "id": "browser_cache_ttl",
            "value": 14400
      },
      {
            "id": "security_level",
            "value": "medium"
      },
      {
            "id": "cache_level",
            "value": "basic"
      },
      {
            "id": "edge_cache_ttl",
            "value": 7200
      },
      {
            "id": "bypass_cache_on_cookie",
            "value": "wp-.*|wordpress.*|comment_.*"
      }
   ]
}
-s, --json-str
Deprecated. The JSON data describing a page rule.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --json '{"targets":[{"target":"url", "constraint":{"operator":"matches", "value":"*example.com/images/*"}}], "actions":[{"id":"always_online", "value":"on"}],"priority":1, "status":"active"}' -i cis-demo --output JSON
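Several of the actions accepted by page-rule-create and page-rule-update lower protection for every URL the rule's targets match, so page-rule JSON is worth reviewing before it is applied. The following Python sketch is an added example, not part of the CIS plug-in: it reads rules in the targets/actions layout documented above and reports actions that weaken security, noting whether the rule is enforced (status defaults to disabled). The function names are hypothetical, and the set of values treated as weakening is an assumption to adapt to local policy.

```python
import json

# Action ids come from this page's list. The values treated as weakening are
# assumptions; of these, only "flexible" appears on the page itself.
WEAK_VALUES = {
    "ssl": {"off", "flexible"},  # edge-to-origin traffic is not encrypted
    "security_level": {"off", "essentially_off", "low"},
    "waf": {"off"},
    "browser_check": {"off"},
}
FLAG_ON_PRESENCE = {"disable_security"}  # reported whenever the action is present


def rule_patterns(rule):
    """URL patterns of the rule's targets (constraint.value in the sample JSON)."""
    return [t.get("constraint", {}).get("value", "?")
            for t in rule.get("targets", [])]


def audit_page_rule(rule):
    """Return one finding per security-weakening action in a page rule."""
    # Per the field description above, a rule without "status" is disabled.
    enforced = rule.get("status", "disabled") == "active"
    findings = []
    for action in rule.get("actions", []):
        aid, value = action.get("id"), action.get("value")
        if not isinstance(aid, str):
            continue
        weak = isinstance(value, str) and value in WEAK_VALUES.get(aid, ())
        if aid in FLAG_ON_PRESENCE or weak:
            findings.append({"action": aid, "value": value,
                             "patterns": rule_patterns(rule),
                             "enforced": enforced})
    return findings


def audit_rules(rules):
    """Audit several rules; findings from enforced rules are listed first."""
    findings = [f for rule in rules for f in audit_page_rule(rule)]
    return sorted(findings, key=lambda f: not f["enforced"])


# The sample JSON data from this page (no status field, so not enforced).
PAGE_SAMPLE = json.loads("""
{
  "targets": [{"target": "url",
               "constraint": {"operator": "matches",
                              "value": "*example.com/images/*"}}],
  "actions": [{"id": "ssl", "value": "flexible"},
              {"id": "browser_cache_ttl", "value": 14400},
              {"id": "security_level", "value": "medium"},
              {"id": "cache_level", "value": "basic"},
              {"id": "edge_cache_ttl", "value": 7200},
              {"id": "bypass_cache_on_cookie",
               "value": "wp-.*|wordpress.*|comment_.*"}]
}
""")

# Constructed rule for illustration: an active rule that turns protection off.
CONSTRUCTED_RULE = {
    "targets": [{"target": "url",
                 "constraint": {"operator": "matches",
                                "value": "*example.com/admin/*"}}],
    "actions": [{"id": "disable_security"},
                {"id": "security_level", "value": "essentially_off"}],
    "priority": 1,
    "status": "active",
}

if __name__ == "__main__":
    for finding in audit_rules([PAGE_SAMPLE, CONSTRUCTED_RULE]):
        state = "ENFORCED" if finding["enforced"] else "disabled"
        print(f'{state:9} {finding["action"]}={finding["value"]} '
              f'on {", ".join(finding["patterns"])}')
```
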

ibmcloud cis page-rule-delete

Delete a page rule of the DNS domain.

ibmcloud cis page-rule-delete DNS_DOMAIN_ID PAGE_RULE_ID [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
PAGE_RULE_ID
The ID of page rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo

ibmcloud cis page-rules

List page rules of the DNS domain.

ibmcloud cis page-rules DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all page rules in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis page-rules 31984fea73a15b45779fa0df4ef62f9b -i cis-demo --output JSON

ibmcloud cis page-rule

Get details of a page rule.

ibmcloud cis page-rule DNS_DOMAIN_ID PAGE_RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
PAGE_RULE_ID
The ID of page rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of page rule a5836c2a7ea72d2e225890caea70ae32.

ibmcloud cis page-rule 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i cis-demo --output JSON

Range app

Manipulate how the Range App performs using the following range-app commands:

ibmcloud cis range-app-create

Create a new range application (Enterprise plan only).

ibmcloud cis range-app-create DNS_DOMAIN_ID --name NAME --edge-port EDGE_PORT --origin-direct ORIGIN_DIRECT [--origin-direct ORIGIN_DIRECT] [--proxy-protocol on|off] [--ip-firewall on|off] [--edge-connectivity all|ipv4|ipv6] [--edge-tls off|flexible|full|strict] [--traffic-type direct|http|https] [-i, --instance INSTANCE] [--output FORMAT]

ibmcloud cis range-app-create DNS_DOMAIN_ID --name NAME --edge-port EDGE_PORT --origin-lb-name ORIGIN_LB_NAME --origin-lb-port ORIGIN_LB_PORT [--proxy-protocol on|off] [--ip-firewall on|off] [--edge-connectivity all|ipv4|ipv6] [--edge-tls off|flexible|full|strict] [--traffic-type direct|http|https] [-i, --instance INSTANCE] [--output FORMAT]

ibmcloud cis range-app-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

[Deprecated] ibmcloud cis range-app-create DNS_DOMAIN_ID -s JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis range-app-create DNS_DOMAIN_ID -j JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--name
The name of DNS record for the range application.
--edge-port
Port configuration at CIS's edge. The default value is 22.
--origin-direct
Destination addresses to the origin.
--origin-lb-name
The Load Balancer name associated with the range application.
--origin-lb-port
The Load Balancer port associated with the range application. The default value is 22.
--protocol
Protocol type. Valid values: tcp, udp. UDP protocol support is in early access; request custom UDP from the CIS dashboard before creating a range UDP app. The default value is tcp.
--proxy-protocol
Enable Proxy Protocol to the origin. Valid values: on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.
--ip-firewall
Controls whether the IP Firewall is enabled for this application. Valid values: on, off. The default value is off.
--edge-connectivity
The IP versions supported for inbound connections on range anycast IPs. Valid values: all, ipv4, ipv6. The default value is all.
--edge-tls
The type of TLS termination associated with the application. Valid values: off, flexible, full, strict. The default value is off.
--traffic-type
Determines how data travels from the edge to your origin. Valid values: direct, http, https. The default value is direct.
--json
The JSON file or JSON string used to describe a range application.
  • The required fields in JSON data are protocol, dns.
    • protocol: Port configuration at CIS's edge.
    • dns: The name and type of DNS record for the range application.
      • name: The name of DNS record for the range application.
      • type: The type of DNS record associated with the application. Valid values: CNAME.
  • The optional fields are origin_direct, origin_dns, origin_port, proxy_protocol, ip_firewall, edge_ips, tls, traffic_type.
    • origin_direct: A list of destination addresses to the origin.
    • origin_dns: Method and parameters used to discover the origin server address via DNS.
      • name: DNS record name.
    • origin_port: The destination port at the origin.
    • proxy_protocol: Enable Proxy Protocol to the origin. Valid values: on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.
    • ip_firewall: Controls whether the IP Firewall is enabled for this application. Valid values: on, off.
    • edge_ips: The anycast edge IP configuration for the hostname of this application.
      • type: The type of edge IP configuration specified. Dynamically allocated edge IPs use range anycast IPs in accordance with the connectivity you specify. Valid values: dynamic.
      • connectivity: The IP versions supported for inbound connections on range anycast IPs. Valid values: all, ipv4, ipv6.
    • tls: The type of TLS termination associated with the application. Valid values: off, flexible, full, strict.
    • traffic_type: Determines how data travels from the edge to your origin. When set to direct, range will send traffic directly to your origin, and the application's type is derived from the protocol. When set to http or https, range will apply CIS's HTTP/HTTPS features as it sends traffic to your origin, and the application type matches this property exactly. Valid values: direct, http, https. The default value is direct.

Sample JSON data:

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
   },
   "origin_direct": [
      "tcp://1.2.3.4:22",
      "tcp://1.2.3.4:23",
      "tcp://1.2.3.4:24"
   ],
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "glb.example.com"
   },
   "origin_dns": {
      "name": "name-to-glb.example.com"
   },
   "origin_port": 22,
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}
-s, --json-str
Deprecated. The JSON data describing a range application.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a range app for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis range-app-create 31984fea73a15b45779fa0df4ef62f9b --json '{"protocol":"tcp/22", "dns":{"type":"CNAME","name":"ssh.example.com"}, "origin_direct":["tcp://1.2.3.4:22"], "proxy_protocol":"off", "ip_firewall":true, "tls":"full", "edge_ips":{"type":"dynamic", "connectivity":"all"}, "traffic_type":"direct"}' -i "cis-demo"

ibmcloud cis range-app-update

Update an existing application's configuration (Enterprise plan only).

ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID --origin-direct ORIGIN_DIRECT [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID [--add-origin-direct ORIGIN_DIRECT] [--remove-origin-direct ORIGIN_DIRECT] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID [--origin-lb-name ORIGIN_LB_NAME] [--origin-lb-port ORIGIN_LB_PORT] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID -s JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis range-app-update DNS_DOMAIN_ID APP_ID -j JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
APP_ID
The ID of range application. Required.
--name
The name of DNS record for the range application.
--add-origin-direct
Add new destination addresses to origin.
--remove-origin-direct
Remove destination addresses from origin.
--origin-direct
Destination addresses to the origin.
--origin-lb-name
The Load Balancer name associated with the range application.
--origin-lb-port
The Load Balancer port associated with the range application. The default value is 22.
--proxy-protocol
Enable Proxy Protocol to the origin. Valid values: on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.
--ip-firewall
Controls whether the IP Firewall is enabled for this application. Valid values: on, off. The default value is off.
--edge-connectivity
The IP versions supported for inbound connections on range anycast IPs. Valid values: all, ipv4, ipv6. The default value is all.
--edge-tls
The type of TLS termination associated with the application. Valid values: off, flexible, full, strict. The default value is off.
--traffic-type
Determines how data travels from the edge to your origin. Valid values: direct, http, https. The default value is direct.
--json
The JSON file or JSON string used to describe a range application.
  • The required fields in JSON data are protocol, dns.
    • protocol: Port configuration at CIS's edge.
    • dns: The name and type of DNS record for the range application.
      • name: The name of DNS record for the range application.
      • type: The type of DNS record associated with the application. Valid values: CNAME.
  • The optional fields are origin_direct, origin_dns, origin_port, proxy_protocol, ip_firewall, edge_ips, tls, traffic_type.
    • origin_direct: A list of destination addresses to the origin.
    • origin_dns: Method and parameters used to discover the origin server address via DNS.
      • name: DNS record name.
    • origin_port: The destination port at the origin.
    • proxy_protocol: Enable Proxy Protocol to the origin. Valid values: on, off, v1, v2, simple. The default value is off. Deprecated. The value on is equivalent to v1.
    • ip_firewall: Controls whether the IP Firewall is enabled for this application. Valid values: on, off.
    • edge_ips: The anycast edge IP configuration for the hostname of this application.
      • type: The type of edge IP configuration specified. Dynamically allocated edge IPs use range anycast IPs in accordance with the connectivity you specify. Valid values: dynamic.
      • connectivity: The IP versions supported for inbound connections on range anycast IPs. Valid values: all, ipv4, ipv6.
    • tls: The type of TLS termination associated with the application. Valid values: off, flexible, full, strict.
    • traffic_type: Determines how data travels from the edge to your origin. When set to direct, range will send traffic directly to your origin, and the application's type is derived from the protocol. When set to http or https, range will apply CIS's HTTP/HTTPS features as it sends traffic to your origin, and the application type matches this property exactly. Valid values: direct, http, https. The default value is direct.

Sample JSON data:

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
   },
   "origin_direct": [
      "tcp://1.2.3.4:22",
      "tcp://1.2.3.4:23",
      "tcp://1.2.3.4:24"
   ],
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}

{
   "protocol": "tcp/22",
   "dns": {
      "type": "CNAME",
      "name": "glb.example.com"
   },
   "origin_dns": {
      "name": "name-to-glb.example.com"
   },
   "origin_port": 22,
   "proxy_protocol": false,
   "ip_firewall": false,
   "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
   },
   "tls": "full",
   "traffic_type": "direct"
}
-s, --json-str
Deprecated. The JSON data describing a range application.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update range app ea95132c15732412d22c1476fa83f27a.

ibmcloud cis range-app-update 31984fea73a15b45779fa0df4ef62f9b ea95132c15732412d22c1476fa83f27a --json '{"protocol":"tcp/22", "dns":{"type":"CNAME","name":"ssh.example.com"}, "origin_direct":["tcp://1.2.3.4:22"], "proxy_protocol":"off", "ip_firewall":true, "tls":"full", "edge_ips":{"type":"dynamic", "connectivity":"all"}, "traffic_type":"direct"}' -i "cis-demo"

ibmcloud cis range-app-delete

Delete a previously existing application (Enterprise plan only).

ibmcloud cis range-app-delete DNS_DOMAIN_ID APP_ID [--instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
APP_ID
The ID of range application. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete range application ea95132c15732412d22c1476fa83f27a.

ibmcloud cis range-app-delete 31984fea73a15b45779fa0df4ef62f9b ea95132c15732412d22c1476fa83f27a -i "cis-demo"

ibmcloud cis range-app

Get the application configuration of a specific application (Enterprise plan only).

ibmcloud cis range-app DNS_DOMAIN_ID APP_ID [--instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
APP_ID
The ID of range application. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details of range application ea95132c15732412d22c1476fa83f27a.

ibmcloud cis range-app 31984fea73a15b45779fa0df4ef62f9b ea95132c15732412d22c1476fa83f27a -i "cis-demo"

ibmcloud cis range-apps

Retrieve a list of currently existing range applications for a DNS domain (Enterprise plan only).

ibmcloud cis range-apps DNS_DOMAIN_ID [--instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all range applications in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis range-apps 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis range-analytics

Get analytics data for range applications (Enterprise plan only).

ibmcloud cis range-analytics DNS_DOMAIN_ID [--metrics METRICS] [--dimensions DIMENSION] [--filters FILTERS] [--sort SORT] [--since SINCE] [--until UNTIL]
ibmcloud cis range-analytics DNS_DOMAIN_ID --bytime [--time_delta DELTA] [--metrics METRICS] [--dimensions DIMENSION] [--filters FILTERS] [--sort SORT] [--since SINCE] [--until UNTIL]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--metrics
One or more metrics to compute. To get all metrics, set metrics to count,bytesIngress,bytesEgress,durationAvg,durationMedian,duration90th,duration99th.
--dimensions
Can be used to break down the data by attributes. To get all dimensions, set dimensions to event,appID,coloName,ipVersion.
--filters
Used to filter rows by one or more dimensions. Filters can be combined using OR and AND boolean logic. AND takes precedence over OR in all the expressions. The OR operator is defined using a comma (,) or OR keyword surrounded by whitespace. The AND operator is defined using a semicolon (;) or AND keyword surrounded by whitespace. Comparison options are: ==, !=, >, <, >=, <=. An example value for filters is: event==connect AND coloName!=SFO.
--sort
The sort order for the result set. Sort fields must be included in metrics or dimensions. An example value for sort is: +count,-bytesIngress.
--since
Start of time interval to query, defaults to until - 6 hours. This should be an absolute timestamp that conforms to RFC 3339.
--until
End of time interval to query, defaults to current time. This should be an absolute timestamp that conforms to RFC 3339.
--bytime
Analytics data for range applications grouped by time interval.
--time-delta
Used to select time series resolution. Valid values: year, quarter, month, week, day, hour, dekaminute, minute. Only valid when --bytime is given.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get analytics data for range applications in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis range-analytics 31984fea73a15b45779fa0df4ef62f9b --metrics "count,bytesIngress" --dimensions "event,appID" --since "2020-05-22T02:20:00Z" --until "2020-05-23T02:20:00Z" -i "cis-demo"
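
How the --filters grouping rules above resolve, shown as an added example (not IBM's code): a small parser that splits on OR first and AND second, then applies the result to constructed rows. parse_filters, select and ROWS are hypothetical names, the local evaluation is an assumption about matching semantics, and values that contain a comma or semicolon are not handled.

```python
import operator
import re

# Separators as described for --filters: "," or " OR " for OR, ";" or " AND " for AND.
OR_SPLIT = re.compile(r"\s*,\s*|\s+OR\s+")
AND_SPLIT = re.compile(r"\s*;\s*|\s+AND\s+")
COMPARISON = re.compile(r"^\s*(\w+)\s*(==|!=|>=|<=|>|<)\s*(.+?)\s*$")
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def parse_filters(expression):
    """Parse into OR-groups; each group is a list of (dimension, op, value) joined by AND."""
    groups = []
    # AND binds tighter than OR, so split on OR first and on AND inside each part.
    for or_part in OR_SPLIT.split(expression.strip()):
        terms = []
        for and_part in AND_SPLIT.split(or_part):
            found = COMPARISON.match(and_part)
            if not found:
                raise ValueError(f"not a comparison: {and_part!r}")
            terms.append(found.groups())
        groups.append(terms)
    return groups


def _compare(actual, op, expected):
    # Assumption for local evaluation: compare numerically when both sides are numbers.
    try:
        actual, expected = float(actual), float(expected)
    except (TypeError, ValueError):
        actual, expected = str(actual), str(expected)
    return OPS[op](actual, expected)


def select(expression, rows):
    """Return the indexes of the rows that the filter expression keeps."""
    groups = parse_filters(expression)
    return [i for i, row in enumerate(rows)
            if any(all(_compare(row.get(d), op, v) for d, op, v in terms) for terms in groups)]


# Constructed rows: the dimension names come from the --dimensions list on this page;
# values other than "connect" and "SFO" are made up for the demonstration.
ROWS = [
    {"event": "connect", "coloName": "SFO", "ipVersion": "4"},
    {"event": "connect", "coloName": "SJC", "ipVersion": "6"},
    {"event": "disconnect", "coloName": "SFO", "ipVersion": "4"},
    {"event": "disconnect", "coloName": "SJC", "ipVersion": "6"},
]

if __name__ == "__main__":
    for expr in ("event==connect AND coloName!=SFO",
                 "event==disconnect,event==connect;coloName!=SFO"):
        print(expr, "->", parse_filters(expr), "keeps rows", select(expr, ROWS))
```

The second expression keeps every disconnect row plus the connect rows outside SFO, because the semicolon binds only event==connect to coloName!=SFO.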

Rate limiting

Manipulate rate limits by using the following ratelimit commands.

ibmcloud cis ratelimit-rule-create

Create a new rate limiting rule for a DNS domain (Enterprise plan only).

ibmcloud cis ratelimit-rule-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis ratelimit-rule-create DNS_DOMAIN_ID --url URL [--description DESCRIPTION] [--threshold NUM] [--period SECONDS] [...]
[Deprecated] ibmcloud cis ratelimit-rule-create DNS_DOMAIN_ID --json-str JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis ratelimit-rule-create DNS_DOMAIN_ID --json-file JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--json
The JSON file or JSON string used to describe a rate limiting rule.
  • The required fields in JSON data are match, threshold, period, action:
    • match: Determines which traffic the rate limiting rule counts towards the threshold.
      • request: Matches HTTP requests.
        • methods: HTTP Methods, can be a subset [POST,PUT] or all [_ALL_]. This field is not required to create a rate limit rule. Valid values are GET, POST, PUT, DELETE, PATCH, HEAD, _ALL_.
        • schemes: HTTP Schemes, can be one [HTTPS], both [HTTP,HTTPS] or all [_ALL_]. This field is not required.
        • url: The URL pattern to match comprised of the host and path, for instance, example.org/path. Wildcards are expanded to match applicable traffic, query strings are not matched. Use * for all traffic to your zone. Max length is 1024.
      • response: Matches HTTP responses before they are returned to the client. If this is defined, then the entire counting of traffic occurs at this stage.
        • status: HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value. This field is not required. Min value: 100, max value: 999.
        • headers: Array of response headers to match. If a response does not meet the header criteria then the request is not counted towards the rate limiting rule. The header matching criteria include the following properties.
          • name: The name of the response header to match.
          • op: The operator when matching, eq means equals, ne means not equals. Valid values are eq and ne.
          • value: The value of the header, which is exactly matched.
    • threshold: The threshold that triggers the rate limit mitigations, combined with period. For example, threshold per period. Min value: 2, max value: 1000000.
    • period: The time, in seconds, to count matching traffic. If the count exceeds threshold within this period the action is performed. Min value: 10, max value: 86400.
    • action: The action performed when the threshold of matched traffic within the period defined is exceeded.
      • mode: The type of action performed. Valid values are: simulate, ban, challenge, js_challenge.
      • timeout: The time, in seconds, as an integer to perform the mitigation action. Timeout must be the same or greater than the period. This field is valid only when mode is simulate or ban. Min value: 10, max value: 86400.
      • response: Custom content-type and body to return. This overrides the custom error for the zone. This field is not required. Omission results in the default HTML error page. This field is valid only when mode is simulate or ban.
        • content_type: The content-type of the body, which must be one of the following: text/plain, text/xml, application/json.
        • body: The body to return. The content here must conform to the content_type. Max length is 10240.
  • The optional fields are id, disabled, description, correlate and bypass:
    • id: Identifier of the rate limiting rule.
    • disabled: Whether this rate limiting rule is currently disabled.
    • description: A note that you can use to describe the reason for a rate limiting rule.
    • correlate: Whether to enable NAT based rate limiting.
      • by: Valid values: nat.
    • bypass: Criteria that allows the rate limit to be bypassed. For example, to express that you shouldn’t apply a rate limit to a set of URLs.
      • name: Valid value: url.
      • value: The url to bypass.

Sample JSON data:

{
   "id": "92f17202ed8bd63d69a66b86a49a8f6b",
   "disabled": false,
   "description": "Prevent multiple login failures to mitigate brute force attacks",
   "bypass": [
      {
         "name": "url",
         "value": "api.example.com/*"
      }
   ],
   "threshold": 60,
   "period": 900,
   "correlate": {
      "by": "nat"
   },
   "action": [
      {
         "mode": "simulate",
         "timeout": 86400,
         "response": {
            "content_type": "text/plain",
            "body": "<error>This request has been rate-limited.</error>"
         }
      }
   ],
   "match": {
      "request": {
               "methods": [
                  "GET"
               ],
               "schemes": [
                  "HTTP",
                  "HTTPS"
               ],
               "url": "*.example.org/path*"
      },
      "response": {
         "status": [
               403, 401
         ],
         "headers": [
            {
               "name": "Cf-Cache-Status",
               "op": "eq",
               "value": "HIT"
            }
         ]
      }
   }
}
-s, --json-str
Deprecated. The JSON data describing a rate limiting rule.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a rate limiting rule for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis ratelimit-rule-create 31984fea73a15b45779fa0df4ef62f9b --json '{"id":"372e67954025e0ba6aaa6d586b9e0b59","disabled":false,"description":"Prevent multiple login failures to mitigate brute force attacks","match":{"request":{"methods":["GET","POST"],"schemes":["HTTP","HTTPS"],"url":"*.example.org/path*"},"response":{"status": [403, 401],"headers":[{"name":"Cf-Cache-Status","op":"ne","value":"HIT"}]}},"bypass":[{"name":"url","value":"api.example.com/*"}],"threshold":60,"period":900,"action":{"mode":"challenge","timeout":86400,"response":{"content_type":"text/xml","body":"<error>This request has been rate-limited.</error>"}}}' -i "cis-demo"
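
A pre-flight check for the rule JSON before it is passed to --json, added here as an example (it is not part of the CIS CLI or IBM's code). It applies the field limits as listed for ratelimit-rule-create above; lint_ratelimit_rule and the sample rule names are hypothetical, and accepting action as either an object or a list is an assumption because the page shows both shapes.

```python
import json

# Limits as stated in the ratelimit-rule-create field list on this page.
METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "_ALL_")
SCHEMES = ("HTTP", "HTTPS", "_ALL_")
MODES = ("simulate", "ban", "challenge", "js_challenge")
TIMED_MODES = ("simulate", "ban")  # the only modes that take timeout/response
CONTENT_TYPES = ("text/plain", "text/xml", "application/json")


def _int_in(value, low, high):
    """True when value is an int (not a bool) within [low, high]."""
    return type(value) is int and low <= value <= high


def _as_dict(value):
    return value if isinstance(value, dict) else {}


def lint_ratelimit_rule(rule):
    """Return a list of problems; an empty list means none were found."""
    problems = [f"missing required field: {key}"
                for key in ("match", "threshold", "period", "action") if key not in rule]
    if "threshold" in rule and not _int_in(rule["threshold"], 2, 1000000):
        problems.append("threshold must be an integer from 2 to 1000000")
    period = rule.get("period")
    if "period" in rule and not _int_in(period, 10, 86400):
        problems.append("period must be an integer from 10 to 86400")

    match = _as_dict(rule.get("match"))
    request, response = _as_dict(match.get("request")), _as_dict(match.get("response"))
    for field, allowed in (("methods", METHODS), ("schemes", SCHEMES)):
        for value in request.get(field, []):
            if value not in allowed:
                problems.append(f"match.request.{field}: invalid value {value!r}")
    if len(str(request.get("url", ""))) > 1024:
        problems.append("match.request.url exceeds 1024 characters")
    for status in response.get("status", []):
        if not _int_in(status, 100, 999):
            problems.append(f"match.response.status: {status!r} is outside 100-999")
    for header in response.get("headers", []):
        if not isinstance(header, dict) or not {"name", "op", "value"} <= header.keys():
            problems.append("match.response.headers: entry needs name, op and value")
        elif header["op"] not in ("eq", "ne"):
            problems.append(f"match.response.headers: invalid op {header['op']!r}")

    # The page's sample JSON wraps action in a list while its example command
    # passes one object, so both shapes are accepted here (assumption).
    actions = rule.get("action", [])
    for action in actions if isinstance(actions, list) else [actions]:
        action = _as_dict(action)
        mode = action.get("mode")
        if mode not in MODES:
            problems.append(f"action.mode: invalid value {mode!r}")
        if "timeout" in action:
            if mode not in TIMED_MODES:
                problems.append(f"action.timeout is valid only for simulate or ban, not {mode!r}")
            if not _int_in(action["timeout"], 10, 86400):
                problems.append("action.timeout must be an integer from 10 to 86400")
            elif _int_in(period, 10, 86400) and action["timeout"] < period:
                problems.append("action.timeout must be the same or greater than period")
        if "response" in action:
            custom = _as_dict(action["response"])
            if mode not in TIMED_MODES:
                problems.append(f"action.response is valid only for simulate or ban, not {mode!r}")
            if custom.get("content_type") not in CONTENT_TYPES:
                problems.append("action.response.content_type is not an allowed type")
            if len(str(custom.get("body", ""))) > 10240:
                problems.append("action.response.body exceeds 10240 characters")

    if "correlate" in rule and _as_dict(rule["correlate"]).get("by") != "nat":
        problems.append("correlate.by must be nat")
    for entry in rule.get("bypass", []):
        if _as_dict(entry).get("name") != "url":
            problems.append("bypass.name must be url")
    return problems


# Rule body copied from this page's ratelimit-rule-create example command.
PAGE_EXAMPLE = json.loads("""
{"id":"372e67954025e0ba6aaa6d586b9e0b59","disabled":false,
 "description":"Prevent multiple login failures to mitigate brute force attacks",
 "match":{"request":{"methods":["GET","POST"],"schemes":["HTTP","HTTPS"],"url":"*.example.org/path*"},
          "response":{"status":[403,401],"headers":[{"name":"Cf-Cache-Status","op":"ne","value":"HIT"}]}},
 "bypass":[{"name":"url","value":"api.example.com/*"}],"threshold":60,"period":900,
 "action":{"mode":"challenge","timeout":86400,
           "response":{"content_type":"text/xml","body":"<error>This request has been rate-limited.</error>"}}}
""")

# Constructed variant: same rule with mode "ban", which takes timeout and response.
BAN_VARIANT = json.loads(json.dumps(PAGE_EXAMPLE))
BAN_VARIANT["action"]["mode"] = "ban"

if __name__ == "__main__":
    for name, rule in (("page example", PAGE_EXAMPLE), ("ban variant", BAN_VARIANT)):
        print(name, "->", lint_ratelimit_rule(rule) or "no problems found")
```

Run against the rule body from the example command above, the check reports that timeout and response are set with mode challenge, which the field list says are valid only for simulate or ban. The page does not say whether the service rejects or ignores those fields in that case.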

ibmcloud cis ratelimit-rule-update

Update a rate limiting rule of a DNS domain.

ibmcloud cis ratelimit-rule-update DNS_DOMAIN_ID RATELIMIT_RULE_ID  (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis ratelimit-rule-update DNS_DOMAIN_ID RATELIMIT_RULE_ID [--url URL] [--description DESCRIPTION] [--threshold NUM] [--period SECONDS] [...]
[Deprecated] ibmcloud cis ratelimit-rule-update DNS_DOMAIN_ID RATELIMIT_RULE_ID --json-str JSON_STR [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis ratelimit-rule-update DNS_DOMAIN_ID RATELIMIT_RULE_ID --json-file JSON_FILE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
RATELIMIT_RULE_ID
The ID of rate limiting rule. Required.
--json
The JSON file or JSON string used to describe a rate limiting rule.
  • The required fields in JSON data are match, threshold, period, action:
    • match: Determines which traffic the rate limiting rule counts towards the threshold.
      • request: Matches HTTP requests.
        • methods: HTTP Methods, can be a subset [POST,PUT] or all [_ALL_]. This field is not required to create a rate limit rule. Valid values are GET, POST, PUT, DELETE, PATCH, HEAD, _ALL_.
        • schemes: HTTP Schemes, can be one [HTTPS], both [HTTP,HTTPS] or all [_ALL_]. This field is not required.
        • url: The URL pattern to match comprised of the host and path, for instance, example.org/path. Wildcards are expanded to match applicable traffic, query strings are not matched. Use * for all traffic to your zone. Max length is 1024.
      • response: Matches HTTP responses before they are returned to the client. If this is defined, then the entire counting of traffic occurs at this stage.
        • status: HTTP Status codes, can be one [403], many [401,403] or indicate all by not providing this value. This field is not required. Min value: 100, max value: 999.
        • headers: Array of response headers to match. If a response does not meet the header criteria then the request is not counted towards the rate limiting rule. The array of header matching criteria includes the following properties.
          • name: The name of the response header to match.
          • op: The operator when matching, eq means equals, ne means not equals. Valid values are eq and ne.
          • value: The value of the header, which is exactly matched.
    • threshold: The threshold that triggers the rate limit mitigations, combined with period. For example, threshold per period. Min value: 2, max value: 1000000.
    • period: The time, in seconds, to count matching traffic. If the count exceeds threshold within this period the action is performed. Min value: 1, max value: 3600.
    • action: The action performed when the threshold of matched traffic within the period defined is exceeded.
      • mode: The type of action performed. Valid values are: simulate, ban, challenge, js_challenge.
      • timeout: The time, in seconds, as an integer to perform the mitigation action. Timeout must be the same or greater than the period. This field is valid only when mode is simulate or ban. Min value: 10, max value: 86400.
      • response: Custom content-type and body to return. This overrides the custom error for the zone. This field is not required. Omission results in the default HTML error page. This field is valid only when mode is simulate or ban.
        • content_type: The content-type of the body, which must be one of the following: text/plain, text/xml, application/json.
        • body: The body to return. The content here must conform to the content_type. Max length is 10240.
  • The optional fields are disabled, description, correlate and bypass:
    • disabled: Whether this rate limiting rule is currently disabled.
    • description: A note that you can use to describe the reason for a rate limiting rule.
    • correlate: Whether to enable NAT based rate limiting.
      • by: Valid values: nat.
    • bypass: Criteria that allows the rate limit to be bypassed. For example, to express that you shouldn’t apply a rate limit to a set of URLs.
      • name: Valid value: url.
      • value: The url to bypass.

Sample JSON data:

{
   "disabled": false,
   "description": "Prevent multiple login failures to mitigate brute force attacks",
   "bypass": [
      {
         "name": "url",
         "value": "api.example.com/*"
      }
   ],
   "threshold": 60,
   "period": 900,
   "correlate": {
      "by": "nat"
   },
   "action": [
      {
         "mode": "simulate",
         "timeout": 86400,
         "response": {
            "content_type": "text/plain",
            "body": "<error>This request has been rate-limited.</error>"
         }
      }
   ],
   "match": {
      "request": {
               "methods": [
                  "GET"
               ],
               "schemes": [
                  "HTTP",
                  "HTTPS"
               ],
               "url": "*.example.org/path*"
      },
      "response": {
         "status": [
               403, 401
         ],
         "headers": [
            {
               "name": "Cf-Cache-Status",
               "op": "eq",
               "value": "HIT"
            }
         ]
      }
   }
}
-s, --json-str
Deprecated. The JSON data describing a rate limiting rule.
-j, --json-file
Deprecated. A file that contains input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update rate limiting rule for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis ratelimit-rule-update 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b59 --json '{"disabled":false,"description":"Prevent multiple login failures to mitigate brute force attacks","match":{"request":{"methods":["GET","POST"],"schemes":["HTTP","HTTPS"],"url":"*.example.org/path*"},"response":{"status": [403, 401],"headers":[{"name":"Cf-Cache-Status","op":"ne","value":"HIT"}]}},"bypass":[{"name":"url","value":"api.example.com/*"}],"threshold":60,"period":900,"action":{"mode":"challenge","timeout":86400,"response":{"content_type":"text/xml","body":"<error>This request has been rate-limited.</error>"}}}' -i "cis-demo"

ibmcloud cis ratelimit-rules

List rate limiting rules of a DNS domain.

ibmcloud cis ratelimit-rules DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List rate limiting rules in domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis ratelimit-rules 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis ratelimit-rule

Get details of a rate limiting rule by ID.

ibmcloud cis ratelimit-rule DNS_DOMAIN_ID  RATELIMIT_RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
RATELIMIT_RULE_ID
The ID of rate limit rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get the details of rate limiting rule 372e67954025e0ba6aaa6d586b9e0b59.

ibmcloud cis ratelimit-rule 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b59 -i "cis-demo"

ibmcloud cis ratelimit-rule-delete

Delete a rate limiting rule by ID.

ibmcloud cis ratelimit-rule-delete DNS_DOMAIN_ID RATELIMIT_RULE_ID [--instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
RATELIMIT_RULE_ID
The ID of rate limit rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete rate limiting rule 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis ratelimit-rule-delete 31984fea73a15b45779fa0df4ef62f9b 372e67954025e0ba6aaa6d586b9e0b60 -i "cis-demo"

Resource instance

Manipulate CIS Service instances by using the following instance commands.

ibmcloud cis instances

List all CIS service instances.

ibmcloud cis instances [--output FORMAT]

Command options

--output
Specify output format, only JSON is supported.

Examples

List all CIS instances in the current account.

ibmcloud cis instances

ibmcloud cis instance-set

Set the context service instance to operate on.

ibmcloud cis instance-set [INSTANCE_NAME] [--unset]

Command options

INSTANCE_NAME
The name of the CIS service instance. If it is present, the context instance to operate on is set to it; if not, the current context instance is shown.
--unset
Unset context instance.

Examples

Set context service instance to cis-demo

ibmcloud cis instance-set cis-demo

ibmcloud cis instance-create

Create a CIS service instance.

ibmcloud cis instance-create INSTANCE_NAME PLAN [--output FORMAT]

Command options

INSTANCE_NAME
The name of CIS service instance. Required.
PLAN
The name or ID of a service plan. Required.
--output
Specify output format, only JSON is supported.

Examples

Create a standard-next plan CIS instance cis-demo

ibmcloud cis instance-create cis-demo standard-next

ibmcloud cis instance-delete

Delete a CIS service instance.

ibmcloud cis instance-delete INSTANCE [-f, --force]

Command options

INSTANCE
The name or ID of a CIS service instance. Required.
-f, --force
Delete instance without prompting for confirmation.

Examples

Delete CIS instance cis-demo

ibmcloud cis instance-delete cis-demo -f

ibmcloud cis instance-update

Update a CIS service instance.

ibmcloud cis instance-update INSTANCE [--name NAME] [--plan PLAN]  [--output FORMAT]

Command options

INSTANCE
The name or ID of a CIS service instance. Required.
--name
The name of CIS service instance.
--plan
The name or ID of a service plan.
--output
Specify output format, only JSON is supported.

Examples

Update cis instance cis-demo to enterprise-usage plan.

ibmcloud cis instance-update cis-demo --plan enterprise-usage

ibmcloud cis instance

Show details of a CIS service instance.

ibmcloud cis instance INSTANCE [--output FORMAT]

Command options

INSTANCE
The name or ID of a CIS service instance. Required.
--output
Specify output format, only JSON is supported.

Examples

Show details of cis instance cis-demo.

ibmcloud cis instance cis-demo

ibmcloud cis plans

List all CIS service plans.

ibmcloud cis plans [--refresh] [--output FORMAT]

Command options

--refresh
Force refresh from catalog.
--output
Specify output format, only JSON is supported.

Examples

List CIS services plans.

ibmcloud cis plans --refresh

Routing

Manipulate routing by using the following routing commands.

ibmcloud cis routing

Get details of Routing settings (Enterprise plan only).

ibmcloud cis routing DNS_DOMAIN_ID (--smart-routing | --tiered-caching) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--smart-routing
Leverages real-time network intelligence to route traffic across paths from the origin to a CIS data center.
--tiered-caching
Uses regional Tier 1 CIS data centers to accelerate content delivery.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get the details of routing settings for domain 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis routing 31984fea73a15b45779fa0df4ef62f9b --smart-routing -i "cis-demo"

ibmcloud cis routing-update

Update Routing setting (Enterprise plan only).

ibmcloud cis routing-update DNS_DOMAIN_ID (--smart-routing (on|off) | --tiered-caching (on|off)) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--smart-routing
Leverages real-time network intelligence to route traffic across paths from the origin to a CIS data center. Valid values: on, off.
--tiered-caching
Uses regional Tier 1 CIS data centers to accelerate content delivery. Valid values: on, off.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update routing settings for domain 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis routing-update 31984fea73a15b45779fa0df4ef62f9b --smart-routing on --tiered-caching on -i "cis-demo"

ibmcloud cis routing-analytics

Get analytics of smart-routing latency. (Enterprise plans only)

ibmcloud cis routing-analytics DNS_DOMAIN_ID [--colos] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--colos
Analytics of smart-routing latency colos.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get analytics of smart-routing latency for domain 372e67954025e0ba6aaa6d586b9e0b60.

ibmcloud cis routing-analytics 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

Security events (Deprecated)

Security events will be deprecated on October 26, 2020. Use ibmcloud cis firewall-event-analytics instead. Manage security events by using the following security-events command:

ibmcloud cis security-events

The security-events command is replacing the firewall-events command. It can pull up to 30 days of security events, which may be triggered from a wider variety of sources (other than firewall) such as rate-limiting, L7 DDoS, and browser-integrity-check. With the new security-events command, you can list only firewall events by specifying the --source option.

Retrieve a full log of security events, including Firewall Rules, Rate Limiting, Security Level, Access Rules, WAF, User Agent Blocking, Zone Lockdown and Advanced DDoS Protection.

ibmcloud cis security-events DNS_DOMAIN_ID [--ip-class IP_CLASS] [--method METHOD] [--scheme SCHEME] [--ip IP_ADDR] [--host HOSTNAME] [--protocol PROTOCOL] [--uri URI] [--ua USER_AGENT] [--colo COLO] [--ray-id RAY_ID] [--kind KIND] [--action ACTION] [--cursor CURSOR] [--country COUNTRY] [--since START_DATE] [--until END_DATE] [--source SOURCE] [--limit LIMIT] [--rule_id RULE_ID] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--ip-class
IP class is a map of client IP to visitor classification. Valid values: unknown, clean, badHost, searchEngine, whitelist, greylist, monitoringService, securityScanner, noRecord, scan, backupService, mobilePlatform, tor.
--method
The HTTP method of the request. Valid values: GET, POST, DELETE, PUT, HEAD, PURGE, OPTIONS, PROPFIND, MKCOL, PATCH, ACL, BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, CHECKIN, CHECKOUT, CONNECT, COPY, LABEL, LOCK, MERGE, MKACTIVITY, MKWORKSPACE, MOVE, NOTIFY, ORDERPATCH, POLL, PROPPATCH, REPORT, SEARCH, SUBSCRIBE, TRACE, UNCHECKOUT, UNLOCK, UNSUBSCRIBE, UPDATE, VERSION-CONTROL, BASELINE-CONTROL, X-MS-ENUMATTS, RPC_OUT_DATA, RPC_IN_DATA, JSON, COOK, TRACK.
--scheme
The scheme of the URI. Valid values: unknown, http, https.
--ip
The IPv4 or IPv6 address from which the request originated.
--host
The hostname the request attempted to access.
--protocol
The protocol of the request. Valid values: UNK, HTTP/1.0, HTTP/1.1, HTTP/1.2, HTTP/2, SPDY/3.1.
--uri
The URI requested from the hostname.
--ua
The client user agent that initiated the request.
--colo
The 3-letter airport code of the Cloudflare data-center that handled the request. For example, SJC.
--ray-id
Ray ID of the request.
--action
What type of action was taken. Valid values: unknown, allow, drop, challenge, jschallenge, simulate, connectionClose, log.
--cursor
Cursor position and direction for requesting next set of records when amount of results was limited by the limit parameter. A valid value for the cursor can be obtained from the cursors object in the result_info structure.
--country
The 2-digit country code in which the request originated. For example, US.
--since
Start date and time of requesting data period in the ISO8601 format. Can't go back more than a year. For example, 2016-11-11T12:00:00Z.
--until
End date and time of requesting data period in the ISO8601 format. For example, 2016-11-11T12:00:00Z.
--source
Source of the event. Valid values: unknown, asn, country, ip, ipRange, securityLevel, zoneLockdown, waf, uaBlock, rateLimit, firewallRules, bic, hot, l7ddos.
--limit
The number of events to return. The cursor attribute may be used to iterate over the next batch of events, if there are more events in the queried time range. Note that the scanned_range parameter in the result_info structure gives an indication of when events were considered in the current resultset if a limit was applied. Valid values are from 10 to 1000. Default value: 50.
--rule-id
The ID of the rule that triggered the event, which should be considered in the context of source.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get security events for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis security-events 31984fea73a15b45779fa0df4ef62f9b --action challenge --colo SJC --country US --host "www.example.com" --ip-class clean --method POST --ray-id 187d944c61940c77 --cursor "6yDGxLKVeeHZZmORS_8XeSuhz9SjIJRaSa2lnsF01tQOHrfTGAP3R5X1Kv5iVUuMbNKhWNAXHOl6ePB0TUL8nw" -i "cis-demo"
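
Pulling a complete time window for triage means following --cursor until no further cursor is returned. The Python sketch below is an added example, not IBM's code: it validates --limit, --since and --until as documented above, then pages through the results. It assumes the --output json document carries the events in result and the next cursor in result_info.cursors.after, and that events carry an action field; the sample pages are constructed.

```python
import json
import subprocess
from collections import Counter
from datetime import datetime, timedelta, timezone

LIMIT_MIN, LIMIT_MAX = 10, 1000  # range documented for --limit


def parse_ts(value):
    """Parse the ISO8601 form shown on this page, e.g. 2016-11-11T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_argv(domain_id, since, until, limit=50, cursor=None, instance=None,
               now=None, **filters):
    """Assemble one security-events call; filters map to flags (ip_class -> --ip-class)."""
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError("--limit must be between 10 and 1000")
    start, end = parse_ts(since), parse_ts(until)
    now = now or datetime.now(timezone.utc)
    if start >= end:
        raise ValueError("--since must be earlier than --until")
    if start < now - timedelta(days=365):  # a year taken as 365 days
        raise ValueError("--since can't go back more than a year")
    argv = ["ibmcloud", "cis", "security-events", domain_id,
            "--since", since, "--until", until, "--limit", str(limit)]
    for name, value in sorted(filters.items()):
        argv += ["--" + name.replace("_", "-"), str(value)]
    if cursor:
        argv += ["--cursor", cursor]
    if instance:
        argv += ["-i", instance]
    return argv + ["--output", "json"]


def run_cli(argv):
    """Run the CLI and parse its JSON output (needs a logged-in ibmcloud session)."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def iter_events(domain_id, since, until, run=run_cli, max_pages=100, **options):
    """Yield every event in the window, following cursors until none is returned."""
    seen, cursor = set(), None
    for _ in range(max_pages):
        page = run(build_argv(domain_id, since, until, cursor=cursor, **options))
        yield from page.get("result") or []
        # Assumed output shape: result_info.cursors.after holds the next cursor.
        cursor = ((page.get("result_info") or {}).get("cursors") or {}).get("after")
        if not cursor or cursor in seen:  # finished, or the same cursor came back
            return
        seen.add(cursor)
    raise RuntimeError("max_pages reached; narrow the --since/--until window")


def count_by(events, field):
    """Tally events by one field (for example action) for triage."""
    return Counter(event.get(field, "unknown") for event in events)


# Constructed two-page response used to exercise the loop offline.
SAMPLE_PAGES = {
    None: {"result": [{"ray_id": "r1", "action": "challenge"},
                      {"ray_id": "r2", "action": "drop"}],
           "result_info": {"cursors": {"after": "cursor-2"}}},
    "cursor-2": {"result": [{"ray_id": "r3", "action": "challenge"}],
                 "result_info": {"cursors": {}}},
}


def sample_run(argv):
    """Stand-in for run_cli that serves SAMPLE_PAGES by cursor."""
    cursor = argv[argv.index("--cursor") + 1] if "--cursor" in argv else None
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    events = list(iter_events("31984fea73a15b45779fa0df4ef62f9b",
                              "2016-11-11T12:00:00Z", "2016-11-12T12:00:00Z",
                              run=sample_run, limit=100,
                              now=parse_ts("2016-12-01T00:00:00Z")))
    print(count_by(events, "action"))
```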

TLS

Manipulate TLS by using the following tls commands.

ibmcloud cis tls-settings

Get TLS settings for a domain.

ibmcloud cis tls-settings DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get TLS settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis tls-settings 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis tls-settings-update

Update TLS settings for a DNS domain.

ibmcloud cis tls-settings-update DNS_DOMAIN_ID [--mode MODE] [--universal (true|false)] [--tls-1-2-only (on|off)] [--tls-1-3 (on|off)] [--min-tls-version MIN_TLS_VERSION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--mode
Specify whether visitors can browse your website over a secure connection, and when they do, how CIS will connect to your origin server. Valid values: off, client-to-edge, end-to-end-flexible, end-to-end-ca-signed, https-only-origin-pull. See the following documentation link for detailed TLS mode description.
--universal
Specify whether Universal SSL is enabled for your domain. Valid values are true and false.
--tls-1-2-only
Specify whether the Crypto TLS 1.2 feature is enabled for your domain. Enabling this feature prevents use of previous versions. Valid values are on and off.
--tls-1-3
Specify whether Crypto TLS 1.3 feature is enabled for your domain. Valid values are on, off.
--min-tls-version
Only accept HTTPS requests that use at least the TLS protocol version specified. Valid values: 1.0, 1.1, 1.2, 1.3.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update TLS settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis tls-settings-update 31984fea73a15b45779fa0df4ef62f9b --mode end-to-end-ca-signed --tls-1-2-only on -i "cis-demo"

ibmcloud cis certificates

List all certificates for a DNS domain, including shared, dedicated and custom certificates.

ibmcloud cis certificates DNS_DOMAIN_ID [--keyless] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--keyless
List all keyless certificates.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all certificates for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis certificates 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis certificate

Get the details of a shared, dedicated, or custom certificate.

ibmcloud cis certificate DNS_DOMAIN_ID (--cert-id CERT_ID | --universal) [--keyless] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--cert-id
ID of the dedicated or custom certificate.
--universal
Show universal certificate details.
--keyless
Show keyless certificate details.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show details for a certificate.

ibmcloud cis certificate 31984fea73a15b45779fa0df4ef62f9b --universal -i "cis-demo"
ibmcloud cis certificate 31984fea73a15b45779fa0df4ef62f9b --cert-id 5a7805061c76ada191ed06f989cc3dac -i "cis-demo"
ibmcloud cis certificate 31984fea73a15b45779fa0df4ef62f9b --cert-id 5a7805061c76ada191ed06f989cc3dac --keyless -i "cis-demo"

ibmcloud cis certificate-order

Order a certificate pack with an optional list of hostnames for a DNS domain.

ibmcloud cis certificate-order DNS_DOMAIN_ID [--hostnames host1 --hostnames host2 ...] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--hostnames
Valid host names for the certificate pack. Add up to 50 custom hostnames. This may affect the price.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Order a certificate pack for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis certificate-order 31984fea73a15b45779fa0df4ef62f9b --hostnames www.example.com --hostnames api.example.com -i "cis-demo"

ibmcloud cis certificate-upload

Upload a custom certificate for a DNS domain.

ibmcloud cis certificate-upload DNS_DOMAIN_ID [--keyless] (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis certificate-upload DNS_DOMAIN_ID [--keyless] (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--keyless
Upload a keyless certificate.
--json
The JSON file or JSON string used to describe a custom certificate. Required.
  • The required fields in JSON data are certificate, private_key, host, port:
    • certificate: SSL certificate or certificate and the intermediate(s) for the domain.
    • private_key: Private key for the domain.
    • host: The keyless SSL host name.
    • port: The keyless SSL port used to communicate between CIS and the client's Keyless SSL server.
  • The optional fields are bundle_method, name:
    • bundle_method: Bundle method, default value is compatible, valid values are: compatible, modern and user-defined.
    • name: The keyless SSL name.

Sample JSON data:

{
   "certificate": "xxx",
   "private_key": "xxx",
   "bundle_method": "compatible"
}

For keyless SSL:

{
   "host": "www.example.com",
   "port": 8000,
   "certificate": "xxx",
   "bundle_method": "user-defined",
   "name": "test"
}
-s, --json-str
Deprecated. The JSON data used to upload a custom certificate.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Upload a custom certificate for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis certificate-upload 31984fea73a15b45779fa0df4ef62f9b --json '{"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n", "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n", "bundle_method": "compatible"}' -i "cis-demo"

ibmcloud cis certificate-update

Update a custom certificate for a DNS domain.

ibmcloud cis certificate-update DNS_DOMAIN_ID CERT_ID [--keyless] (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis certificate-update DNS_DOMAIN_ID CERT_ID [--keyless] [-s, --json-str JSON_STR | -j, --json-file JSON_FILE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of custom certificate. Required.
--keyless
Update a keyless certificate.
--json
The JSON file or JSON string used to describe a custom certificate. Required.
  • The required fields in JSON data are certificate, private_key, host, port:
    • certificate: SSL certificate or certificate and the intermediate(s) for the domain.
    • private_key: Private key for the domain.
    • host: The keyless SSL host name.
    • port: The keyless SSL port used to communicate between CIS and the client's Keyless SSL server.
  • The optional fields are bundle_method, name:
    • bundle_method: Bundle method, default value is compatible, valid values are: compatible, modern and user-defined.
    • name: The keyless SSL name.

Sample JSON data:

{
   "certificate": "xxx",
   "private_key": "xxx",
   "bundle_method": "compatible"
}

For keyless SSL:

{
   "host": "www.example.com",
   "port": 8000,
   "certificate": "xxx",
   "bundle_method": "user-defined",
   "name": "test"
}
-s, --json-str
Deprecated. The JSON data used to update a custom certificate.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update custom certificate 5a7805061c76ada191ed06f989cc3dac.

ibmcloud cis certificate-update 31984fea73a15b45779fa0df4ef62f9b 5a7805061c76ada191ed06f989cc3dac --json '{"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n", "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n", "bundle_method": "compatible"}' -i "cis-demo"
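
Passing the certificate JSON as a file (--json @JSON_FILE) keeps the private key out of the command line, where it would otherwise end up in shell history and process listings. The Python sketch below is an added example, not IBM's code: it builds the document for certificate-upload and certificate-update from PEM text, writes it to an owner-only temporary file and assembles the command. The helper names and placeholder PEM strings are constructed, and the custom/keyless field split follows the two samples above.

```python
import json
import os
import subprocess
import tempfile

# Valid bundle_method values, as listed on this page.
BUNDLE_METHODS = ("compatible", "modern", "user-defined")

# Constructed placeholders, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
              "-----END RSA PRIVATE KEY-----\n")


def build_payload(cert_pem, private_key_pem=None, bundle_method="compatible",
                  host=None, port=None, name=None):
    """Build the JSON document in its custom or keyless form."""
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("certificate must be PEM text")
    if bundle_method not in BUNDLE_METHODS:
        raise ValueError("bundle_method must be one of: " + ", ".join(BUNDLE_METHODS))
    payload = {"certificate": cert_pem, "bundle_method": bundle_method}
    if host is not None or port is not None:
        # Keyless form: host and port locate the key server; no private key is sent.
        if host is None or port is None:
            raise ValueError("keyless certificates need both host and port")
        if private_key_pem is not None:
            raise ValueError("a keyless payload must not carry a private key")
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range")
        payload.update({"host": host, "port": int(port)})
        if name:
            payload["name"] = name
    else:
        if not private_key_pem or "PRIVATE KEY-----" not in private_key_pem:
            raise ValueError("private_key must be PEM text")
        payload["private_key"] = private_key_pem
    return payload


def write_private(payload, directory=None):
    """Write the payload to a new file that only the current user can read."""
    # mkstemp creates the file with mode 0600 and never reuses an existing path.
    fd, path = tempfile.mkstemp(prefix="cis-cert-", suffix=".json", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        json.dump(payload, handle)  # PEM line breaks are escaped as \n
    return path


def cert_argv(domain_id, json_path, instance=None, keyless=False, cert_id=None):
    """argv for certificate-upload, or certificate-update when cert_id is given."""
    verb = "certificate-update" if cert_id else "certificate-upload"
    argv = ["ibmcloud", "cis", verb, domain_id]
    if cert_id:
        argv.append(cert_id)
    if keyless:
        argv.append("--keyless")
    argv += ["--json", "@" + json_path]
    if instance:
        argv += ["-i", instance]
    return argv


def send_certificate(domain_id, payload, instance=None, cert_id=None):
    """Run the CLI with the payload file, then remove the file in every case."""
    path = write_private(payload)
    try:
        argv = cert_argv(domain_id, path, instance, "host" in payload, cert_id)
        return subprocess.run(argv, check=True)
    finally:
        os.remove(path)


if __name__ == "__main__":
    demo = build_payload(SAMPLE_CERT, SAMPLE_KEY)
    print(cert_argv("31984fea73a15b45779fa0df4ef62f9b", "/path/to/cert.json", "cis-demo"))
    print(sorted(demo))
```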

ibmcloud cis certificate-priority-change

Change custom certificates' priority for a DNS domain.

ibmcloud cis certificate-priority-change DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]
[Deprecated] ibmcloud cis certificate-priority-change DNS_DOMAIN_ID (-s, --json-str JSON_STR | -j, --json-file JSON_FILE) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--json
The JSON file or JSON string used to describe the custom certificates' priority. Required.
  • The required fields in JSON data are certificates:
    • certificates: An array of objects with the following fields.
      • id: Custom certificate identifier.
      • priority: The order/priority in which the certificate is used in a request. Higher numbers are tried first.

Sample JSON data:

{
   "certificates": [
      {
         "id": "5a7805061c76ada191ed06f989cc3dac",
         "priority": 2
      },
      {
         "id": "da534493b38266b17fea74f3312be21c",
         "priority": 1
      }
   ]
}
-s, --json-str
Deprecated. The JSON data used to change the custom certificates' priority.
-j, --json-file
Deprecated. A file that contains the input JSON data.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Change custom certificates' priority for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis certificate-priority-change 31984fea73a15b45779fa0df4ef62f9b --json '{"certificates": [{"id":"5a7805061c76ada191ed06f989cc3dac", "priority":2},{"id":"9a7806061c88ada191ed06f989cc3dac","priority":1}]}' -i "cis-demo"

ibmcloud cis certificate-delete

Delete a dedicated or custom certificate.

ibmcloud cis certificate-delete DNS_DOMAIN_ID CERT_ID [--keyless] [-i, --instance INSTANCE]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of the dedicated or custom certificate. Required.
--keyless
Delete a keyless certificate.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.

Examples

Delete custom certificate 5a7805061c76ada191ed06f989cc3dac.

ibmcloud cis certificate-delete 31984fea73a15b45779fa0df4ef62f9b 5a7805061c76ada191ed06f989cc3dac -i "cis-demo"

Web application firewall (WAF)

Manage Web Application Firewalls by using the following waf commands.

ibmcloud cis waf-setting

Show WAF setting.

ibmcloud cis waf-setting DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show WAF settings for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis waf-setting 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis waf-setting-update

Update WAF setting.

ibmcloud cis waf-setting-update DNS_DOMAIN_ID WAF_MODE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_MODE
The mode of WAF setting. Valid values are: waf-enable, waf-disable. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Enable WAF for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis waf-setting-update 31984fea73a15b45779fa0df4ef62f9b waf-enable -i "cis-demo"

ibmcloud cis waf-packages

List all WAF packages.

ibmcloud cis waf-packages DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all WAF packages for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis waf-packages 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis waf-package

Get the details of a WAF package.

ibmcloud cis waf-package DNS_DOMAIN_ID WAF_PACKAGE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-package 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b -i "cis-demo"

ibmcloud cis waf-package-set

Update OWASP Package setting.

ibmcloud cis waf-package-set DNS_DOMAIN_ID OWASP_PACKAGE_ID [--sensitivity SENSITIVITY] [--action-mode ACTION_MODE] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
OWASP_PACKAGE_ID
The ID of WAF package. Required.
--sensitivity
The sensitivity of the firewall package. Valid values: high, medium, low, off.
--action-mode
The default action that will be taken for rules under the firewall package. Valid values: simulate, block, challenge.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update the OWASP setting for package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-package-set 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b --sensitivity medium --action-mode simulate -i "cis-demo"

ibmcloud cis waf-groups

List the WAF groups in a WAF package.

ibmcloud cis waf-groups DNS_DOMAIN_ID WAF_PACKAGE_ID [--page PAGE] [--per-page NUM] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of the WAF package. Required.
--page
The page number of paginated results. The default value is 1.
--per-page
The number of groups per page. The min value is 5 and max value is 1000. The default value is 50.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List the WAF groups in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-groups 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b --page 1 --per-page 100 -i "cis-demo"

ibmcloud cis waf-group

Get the details of a WAF group.

ibmcloud cis waf-group DNS_DOMAIN_ID WAF_PACKAGE_ID WAF_GROUP_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
WAF_GROUP_ID
The ID of WAF group. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of WAF group de677e5818985db1285d0e80225f06e5 in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-group 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b de677e5818985db1285d0e80225f06e5 -i "cis-demo"

ibmcloud cis waf-group-mode-set

Set mode of a WAF group.

ibmcloud cis waf-group-mode-set DNS_DOMAIN_ID WAF_PACKAGE_ID WAF_GROUP_ID WAF_GROUP_MODE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
WAF_GROUP_ID
The ID of WAF group. Required.
WAF_GROUP_MODE
The mode of WAF group. Valid values are: on, off. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Enable WAF group de677e5818985db1285d0e80225f06e5 in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-group-mode-set 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b de677e5818985db1285d0e80225f06e5 on -i "cis-demo"

ibmcloud cis waf-rules

List all WAF rules of a WAF package.

ibmcloud cis waf-rules DNS_DOMAIN_ID WAF_PACKAGE_ID [--page PAGE] [--per-page NUM] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
--page
Page number of paginated results. The default value is 1.
--per-page
Number of rules per page. The default value is 50.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all WAF rules in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-rules 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b --page 1 --per-page 100 -i "cis-demo"

ibmcloud cis waf-rule

Get the details of a WAF rule.

ibmcloud cis waf-rule DNS_DOMAIN_ID WAF_PACKAGE_ID WAF_RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
WAF_RULE_ID
The ID of WAF rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get details of WAF rule f939de3be84e66e757adcdcb87908023 in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-rule 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b f939de3be84e66e757adcdcb87908023 -i "cis-demo"

ibmcloud cis waf-rule-mode-set

Set mode of a WAF rule.

ibmcloud cis waf-rule-mode-set DNS_DOMAIN_ID WAF_PACKAGE_ID WAF_RULE_ID WAF_RULE_MODE [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
WAF_PACKAGE_ID
The ID of WAF package. Required.
WAF_RULE_ID
The ID of WAF rule. Required.
WAF_RULE_MODE
The mode of WAF rule. Valid values are: on, off, default, disable, simulate, block, challenge. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Disable WAF rule f939de3be84e66e757adcdcb87908023 in WAF package a25a9a7e9c00afc1fb2e0245519d725b.

ibmcloud cis waf-rule-mode-set 31984fea73a15b45779fa0df4ef62f9b a25a9a7e9c00afc1fb2e0245519d725b f939de3be84e66e757adcdcb87908023 disable -i "cis-demo"

ibmcloud cis waf-override-create

Create a URL based Web Application Firewall (WAF) rule.

ibmcloud cis waf-override-create DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--json
The JSON file or JSON string used to describe an override WAF rule. Required.
  • The required fields in JSON data are urls and rules.
    • urls: URLs to be included in this rule definition. Wildcards are permitted.
    • rules: Change the action assigned to a WAF rule. The keys of this object are WAF rule IDs and the values must be a valid WAF action. Unless disabling the rule, ensure that you also enable the rule group that this WAF rule belongs to. Max length: 1024.
  • The optional fields are paused, description, priority, groups and rewrite_action.
    • paused: Whether this package is currently paused. Valid values: true and false.
    • description: A note that you can use to describe the purpose of this rule.
    • priority: Relative priority of this configuration when multiple configurations match a single URL. Higher priority configurations may overwrite values set by lower priority configurations. Min value is -1000000000, max value is 1000000000.
    • groups: Enable or disable WAF rule groups. The keys of this object are WAF rule group IDs and the values must be a valid WAF action (usually default or disable).
    • rewrite_action: When a WAF rule matches, substitute its configured action for a different action specified by this object.

Sample JSON data:

   {
      "description": "Enable IBM Magento ruleset for www.example.com",
      "urls": [
         "www.example.com/*"
      ],
      "priority": 1,
      "groups": {
         "ea8687e59929c1fd05ba97574ad43f77": "default"
      },
      "rules": {
         "100015": "disable"
      },
      "rewrite_action": {
         "default": "block",
         "challenge": "block",
         "simulate": "disable"
      }
   }
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a WAF override rule under instance cis-demo.

ibmcloud cis waf-override-create 31984fea73a15b45779fa0df4ef62f9b --json '{"description":"Enable IBM Magento ruleset for www.example.com","urls":["www.example.com/*"],"priority":1,"groups":{"ea8687e59929c1fd05ba97574ad43f77":"default"},"rules":{"100015":"disable"},"rewrite_action":{"default":"block","challenge":"block","simulate":"disable"}}' -i "cis-demo"

ibmcloud cis waf-override-update

Update a URL based Web Application Firewall (WAF) rule.

ibmcloud cis waf-override-update DNS_DOMAIN_ID OVERRIDE_WAF_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
OVERRIDE_WAF_ID
The ID of the override WAF rule. Required.
--json
The JSON file or JSON string used to describe an override WAF rule. Required.
  • The required fields in JSON data are urls and rules.
    • urls: URLs to be included in this rule definition. Wildcards are permitted.
    • rules: Change the action assigned to a WAF rule. The keys of this object are WAF rule IDs and the values must be a valid WAF action. Unless disabling the rule, ensure that you also enable the rule group that this WAF rule belongs to. Max length: 1024.
  • The optional fields are paused, description, priority, groups and rewrite_action.
    • paused: Whether this package is currently paused. Valid values: true and false.
    • description: A note that you can use to describe the purpose of this rule.
    • priority: Relative priority of this configuration when multiple configurations match a single URL. Higher priority configurations may overwrite values set by lower priority configurations. Min value is -1000000000, max value is 1000000000.
    • groups: Enable or disable WAF rule groups. The keys of this object are WAF rule group IDs and the values must be a valid WAF action (usually default or disable).
    • rewrite_action: When a WAF rule matches, substitute its configured action for a different action specified by this object.

Sample JSON data:

{
   "description": "Enable IBM Magento ruleset for www.example.com",
   "urls": [
      "www.example.com/*"
   ],
   "priority": 1,
   "groups": {
      "ea8687e59929c1fd05ba97574ad43f77": "default"
   },
   "rules": {
      "100015": "disable"
   },
   "rewrite_action": {
      "default": "block",
      "challenge": "block",
      "simulate": "disable"
   }
}
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a WAF override rule under instance cis-demo.

ibmcloud cis waf-override-update 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 --json '{"description":"Enable IBM Magento ruleset for www.example.com","urls":["www.example.com/*"],"priority":1,"groups":{"ea8687e59929c1fd05ba97574ad43f77":"default"},"rules":{"100015":"disable"},"rewrite_action":{"default":"block","challenge":"block","simulate":"disable"}}' -i "cis-demo"
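A pre-flight check for the --json payload described above, as an added example that is not part of the IBM documentation or the CIS plug-in. It enforces the field rules stated in the option description and, as this example's own review heuristic (an assumption), warns when a payload sets a rule, group or rewrite to disable or uses a leading-wildcard URL. The name lint_waf_override is hypothetical.

```python
import json

# Field names and limits are taken from the --json option description above.
# The "Max length: 1024" note on rules is not checked, because the page does
# not say what it measures.
REQUIRED = {"urls", "rules"}
OPTIONAL = {"paused", "description", "priority", "groups", "rewrite_action"}
PRIORITY_MIN, PRIORITY_MAX = -1000000000, 1000000000

# The sample payload from this page, reused as input.
PAGE_SAMPLE = """{
  "description": "Enable IBM Magento ruleset for www.example.com",
  "urls": ["www.example.com/*"],
  "priority": 1,
  "groups": {"ea8687e59929c1fd05ba97574ad43f77": "default"},
  "rules": {"100015": "disable"},
  "rewrite_action": {"default": "block", "challenge": "block", "simulate": "disable"}
}"""


def lint_waf_override(payload_text):
    """Return (errors, warnings) for a WAF override payload.

    errors:   the payload breaks a constraint stated in the reference.
    warnings: the payload is accepted but reduces WAF coverage; this is a
              review heuristic of this example, not a CIS rule.
    """
    errors, warnings = [], []
    try:
        data = json.loads(payload_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], warnings
    if not isinstance(data, dict):
        return ["top level must be a JSON object"], warnings

    present = set(data)
    errors += [f"missing required field: {n}" for n in sorted(REQUIRED - present)]
    errors += [f"unknown field: {n}" for n in sorted(present - REQUIRED - OPTIONAL)]

    urls = data.get("urls", [])
    if not isinstance(urls, list) or not all(isinstance(u, str) and u for u in urls):
        errors.append("urls must be a list of non-empty strings")
    else:
        # A leading wildcard widens the override beyond a single host.
        warnings += [f"urls: {u} starts with a wildcard" for u in urls if u.startswith("*")]

    for field in ("rules", "groups", "rewrite_action"):
        mapping = data.get(field, {})
        if not isinstance(mapping, dict) or not all(isinstance(v, str) for v in mapping.values()):
            errors.append(f"{field} must be an object with string action values")
            continue
        # Every "disable" switches protection off for the matched URLs.
        warnings += [f"{field}: {k} -> disable" for k, v in mapping.items() if v == "disable"]

    if "paused" in data and not isinstance(data["paused"], bool):
        errors.append("paused must be true or false")

    if "priority" in data:
        prio = data["priority"]
        if isinstance(prio, bool) or not isinstance(prio, int):
            errors.append("priority must be an integer")
        elif not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            errors.append(f"priority must be between {PRIORITY_MIN} and {PRIORITY_MAX}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint_waf_override(PAGE_SAMPLE)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("REVIEW ", line)
```

Run over the page's sample payload, it reports no errors and two review items: rule 100015 and the simulate rewrite are both set to disable.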

ibmcloud cis waf-overrides

List all URL based Web Application Firewall (WAF) rules.

ibmcloud cis waf-overrides DNS_DOMAIN_ID [--page PAGE] [--per-page NUM] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--page
Page number of paginated results. The default value is 1.
--per-page
Number of rules per page. The default value is 50.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List WAF override rules under instance cis-demo.

ibmcloud cis waf-overrides 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis waf-override

Get a URL based Web Application Firewall (WAF) rule.

ibmcloud cis waf-override DNS_DOMAIN_ID OVERRIDE_WAF_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
OVERRIDE_WAF_ID
The ID of override WAF rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get a WAF override rule under instance cis-demo.

ibmcloud cis waf-override 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i "cis-demo"

ibmcloud cis waf-override-delete

Delete a URL based Web Application Firewall (WAF) rule.

ibmcloud cis waf-override-delete DNS_DOMAIN_ID OVERRIDE_WAF_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
OVERRIDE_WAF_ID
The ID of override WAF rule. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
-f, --force
Attempt to delete URL based WAF rule without prompting for confirmation.

Examples

Delete a WAF override rule under instance cis-demo.

ibmcloud cis waf-override-delete 31984fea73a15b45779fa0df4ef62f9b a5836c2a7ea72d2e225890caea70ae32 -i "cis-demo"

Authenticated Origin Pull

Manage Authenticated Origin Pull by using the following authenticated-origin-pull commands.

ibmcloud cis authenticated-origin-pull-settings

Get authenticated origin pull settings for a domain.

ibmcloud cis authenticated-origin-pull-settings DNS_DOMAIN_ID [--level zone|hostname] [--hostname HOSTNAME] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--level
Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".
--hostname
The authenticated origin pull settings on a hostname. (hostname level only)
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List authenticated origin pull settings on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-settings 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis authenticated-origin-pull-settings-update

Update authenticated origin pull settings for a domain.

ibmcloud cis authenticated-origin-pull-settings-update DNS_DOMAIN_ID [--level zone|hostname] [--hostname HOSTNAME] [--cert_id CERT_ID] (--enabled on|off) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--level
Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".
--hostname
The authenticated origin pull settings on a hostname. (hostname level only)
--cert_id
The ID of the certificate that the hostname is bundled to. (hostname level only)
--enabled
Enable authenticated origin pull. Valid values: "on", "off".
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update authenticated origin pull setting on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-settings-update 31984fea73a15b45779fa0df4ef62f9b --enabled on -i "cis-demo"

ibmcloud cis authenticated-origin-pull-certificates

List zone level authenticated origin pull certificates for a domain.

ibmcloud cis authenticated-origin-pull-certificates DNS_DOMAIN_ID [--level zone|hostname] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
--level
Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show authenticated origin pull certificates on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-certificates 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis authenticated-origin-pull-certificate

Get authenticated origin pull certificate for a domain.

ibmcloud cis authenticated-origin-pull-certificate DNS_DOMAIN_ID CERT_ID [--level zone|hostname] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of certificate. Required.
--level
Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Get authenticated origin pull certificate 5a7805061c76ada191ed06f989cc3dac on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-certificate 31984fea73a15b45779fa0df4ef62f9b 5a7805061c76ada191ed06f989cc3dac -i "cis-demo"

ibmcloud cis authenticated-origin-pull-certificate-upload

Upload authenticated origin pull certificate for a domain.

ibmcloud cis authenticated-origin-pull-certificate-upload DNS_DOMAIN_ID [--level zone|hostname] (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of the DNS domain. Required.

--level

Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".

--json

The JSON file or JSON string used to describe a custom certificate.

  • The required fields in JSON data are "certificate", "private_key":
    • certificate: SSL certificate or certificate and the intermediate(s) for the domain.
    • private_key: Private key for the domain.

Sample JSON data:

{
  "certificate": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...-----END PRIVATE KEY-----\n"
}
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Upload authenticated origin pull certificate on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-certificate-upload 31984fea73a15b45779fa0df4ef62f9b --json '{"certificate": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n", "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...-----END RSA PRIVATE KEY-----\n"}' -i "cis-demo"
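A JSON_STRING argument puts the private key on the command line, where it can end up in shell history and process listings; the @JSON_FILE form in the synopsis avoids that. The following added example (not IBM's code; the function names and the sample PEM bodies are constructed for illustration) builds that file from separate PEM files, rejects swapped or mixed inputs, and creates it with owner-only permissions.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample PEM text (placeholder bodies, not real key material).
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nTk9UIEEgUkVBTCBLRVk=\n-----END PRIVATE KEY-----\n"

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")


def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def key_file_is_exposed(path):
    """True when group or others have any access to the key file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def build_upload_payload(cert_path, key_path, out_path):
    """Write {"certificate": ..., "private_key": ...} to out_path (mode 0600).

    The two field names are the required fields listed for --json above.
    """
    with open(cert_path, encoding="ascii") as fh:
        cert_pem = fh.read()
    with open(key_path, encoding="ascii") as fh:
        key_pem = fh.read()

    cert_labels, key_labels = pem_labels(cert_pem), pem_labels(key_pem)
    # A key pasted into the certificate bundle would be uploaded as "certificate".
    if not cert_labels or any(label != "CERTIFICATE" for label in cert_labels):
        raise ValueError("certificate file must contain only CERTIFICATE blocks")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("key file must contain exactly one PRIVATE KEY block")

    # O_EXCL refuses to reuse an existing (possibly attacker-created) file;
    # fchmod pins the mode regardless of the process umask.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        json.dump({"certificate": cert_pem, "private_key": key_pem}, fh)
    return out_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
        for path, text in ((cert, SAMPLE_CERT_PEM), (key, SAMPLE_KEY_PEM)):
            with open(path, "w", encoding="ascii") as fh:
                fh.write(text)
        if key_file_is_exposed(key):
            print("warning: key file is readable by group or others")
        payload = build_upload_payload(cert, key, os.path.join(workdir, "aop.json"))
        # Pass the file to the CLI as: --json @<payload>, then delete it.
        print("payload written to", payload)
```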

ibmcloud cis authenticated-origin-pull-certificate-delete

Delete authenticated origin pull certificate for a domain.

ibmcloud cis authenticated-origin-pull-certificate-delete DNS_DOMAIN_ID CERT_ID [--level zone|hostname] [-i, --instance INSTANCE] [--output FORMAT] [-f, --force]

Command options

DNS_DOMAIN_ID
The ID of the DNS domain. Required.
CERT_ID
The ID of certificate. Required.
--level
Specify the authenticated origin pull certificate or settings per zone or hostname level. Valid values: "zone", "hostname". The default is "zone".
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Delete authenticated origin pull certificate 5a7805061c76ada191ed06f989cc3dac on zone level for domain 31984fea73a15b45779fa0df4ef62f9b.

ibmcloud cis authenticated-origin-pull-certificate-delete 31984fea73a15b45779fa0df4ef62f9b 5a7805061c76ada191ed06f989cc3dac -i "cis-demo"

Alert policy

Manage alert policies.

ibmcloud cis alert-policy list (List)

List all alert policies.

ibmcloud cis alert-policy list [-i, --instance INSTANCE] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all policies for instance cis-demo.

ibmcloud cis alert-policy list -i "cis-demo"

ibmcloud cis alert-policy get (Show)

Show the details of a policy.

ibmcloud cis alert-policy get POLICY_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show the details of alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy get a2633e68-1a64-2512-a321-b64a17c7db7a -i "cis-demo"

ibmcloud cis alert-policy ddos-attack-l7-alert-create

Create an alert policy for DDoS attack L7.

ibmcloud cis alert-policy ddos-attack-l7-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a DDoS attack alert policy for instance cis-demo.

ibmcloud cis alert-policy ddos-attack-l7-alert-create --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-create

Create an alert policy for DDoS attack L3/L4.

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a DDoS L3/L4 attack alert policy for instance cis-demo.

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-create --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy failing-logpush-job-alert-create

Create an alert policy that fires when a logpush job did not complete at least one successful push in the last 24 hours.

ibmcloud cis alert-policy failing-logpush-job-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a failing logpush job alert policy for instance cis-demo.

ibmcloud cis alert-policy failing-logpush-job-alert-create --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy pool-toggle-alert-create (Pool toggle alert)

Create an alert policy for pool toggle alerts.

ibmcloud cis alert-policy pool-toggle-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) --pools POOLS --trigger-condition (enabled | disabled | either) [--include-future-pools (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--pools
The IDs of the origin pools. If set to all, all pool IDs are used.
--trigger-condition
The condition of pool toggle status. Valid values: "enabled", "disabled", "either".
--include-future-pools
Whether to include the future pools.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a pool toggle alert policy for instance cis-demo.

ibmcloud cis alert-policy pool-toggle-alert-create --name test1 --emails test1@cn.ibm.com --enabled true --pools all --trigger-condition enabled --include-future-pools true -i "cis-demo"

ibmcloud cis alert-policy firewall-events-alert-create

Create an alert policy about spikes in firewall events. Firewall events alerts use a z-score calculation over the last six hours and five-minute buckets of events. An alert is triggered whenever the z-score is above 3.5 (the threshold). You will not receive duplicate alerts within the same two-hour time frame.

ibmcloud cis alert-policy firewall-events-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) --domains DOMAINS [--services SERVICES] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--domains
The domain IDs for the alert policy. For example, --domains domainID1,domainID2
--services
Specify which services the alert should monitor. Valid values: "country-access-rules", "waf", "firewall-rules", "ratelimit", "securitylevel", "ip-access-rules", "browser-integrity-check", "ua-rules", "lockdowns", "iprange-access-rules", "asn-access-rules", "Managed-firewall" (Enterprise plan only).
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a firewall-events alert for instance cis-demo.

ibmcloud cis alert-policy firewall-events-alert-create --name test1 --emails test1@cn.ibm.com --enabled true --domains d2633e61-1b61-2512-1321-b61a17c3db7e --services waf,ratelimit -i "cis-demo"
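The trigger rule described for firewall-events alerts (z-score over six hours of five-minute buckets, threshold 3.5, no duplicate alerts within two hours), worked through as an added example that is not IBM's implementation. It assumes the baseline is the 72 buckets preceding the current one, uses the population standard deviation, treats the two-hour rule as suppression after the last alert sent, and scores a rise over a perfectly flat baseline as infinite; the event series is constructed.

```python
import math
from collections import deque
from statistics import mean, pstdev

BUCKET_MINUTES = 5
WINDOW_BUCKETS = 6 * 60 // BUCKET_MINUTES    # six hours   -> 72 buckets
SUPPRESS_BUCKETS = 2 * 60 // BUCKET_MINUTES  # two hours   -> 24 buckets
Z_THRESHOLD = 3.5                            # threshold stated on this page


def sample_counts():
    """Constructed series: a 10/14 baseline with bursts at buckets 72, 82, 100."""
    counts = [10 if i % 2 == 0 else 14 for i in range(110)]
    for burst in (72, 82, 100):
        counts[burst] = 60
    return counts


def detect_spikes(counts):
    """Return [(bucket_index, z_score, alert_sent)] for every bucket over threshold.

    alert_sent is False when the bucket is over threshold but falls inside the
    two-hour suppression period that follows the previous alert.
    """
    window = deque(maxlen=WINDOW_BUCKETS)
    last_alert = None
    hits = []
    for i, x in enumerate(counts):
        if len(window) == WINDOW_BUCKETS:        # need a full six-hour baseline
            mu, sigma = mean(window), pstdev(window)
            if sigma > 0:
                z = (x - mu) / sigma
            else:
                # Flat baseline: the z-score is undefined, so any rise is
                # scored as infinite (assumption of this example).
                z = math.inf if x > mu else 0.0
            if z > Z_THRESHOLD:
                send = last_alert is None or i - last_alert >= SUPPRESS_BUCKETS
                if send:
                    last_alert = i
                hits.append((i, z, send))
        window.append(x)                         # oldest bucket drops out
    return hits


if __name__ == "__main__":
    for index, z, sent in detect_spikes(sample_counts()):
        minute = index * BUCKET_MINUTES
        state = "ALERT" if sent else "suppressed"
        print(f"t+{minute:4d} min  z={z:6.2f}  {state}")
```

The three identical bursts score 24.0, then about 7.9, then about 5.7: each earlier burst stays in the six-hour window and inflates the mean and standard deviation, so a sustained or repeated event scores lower than the first one and can eventually fall under the threshold.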

ibmcloud cis alert-policy certificate-alert-create

Create an alert policy for certificate events.

ibmcloud cis alert-policy certificate-alert-create --type (universal | dedicated | mtls) --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--type
The type of the certificate.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a certificate alert for instance cis-demo.

ibmcloud cis alert-policy certificate-alert-create --type universal --name test1 --emails test1@cn.ibm.com --enabled true -i "cis-demo"

ibmcloud cis alert-policy glb-healthcheck-alert-create

Create an alert policy for changes in health status for global load balancer, pools, and origins.

ibmcloud cis alert-policy glb-healthcheck-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) --pools POOLS [--include-future-pools (true | false)] [--health-status-trigger (healthy | unhealthy | either)] [--event-source-trigger (pool | origin | either)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--pools
The IDs of the origin pools. If set to all, all pool IDs are used.
--include-future-pools
Whether to include the future pools. (default "false")
--health-status-trigger
The trigger condition to fire the notification. Valid values: "healthy", "unhealthy", "either". (default "either")
--event-source-trigger
The event source of trigger to fire the notification. Valid values: "pool", "origin", "either". (default "either")
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a glb healthcheck alert policy for instance cis-demo.

ibmcloud cis alert-policy glb-healthcheck-alert-create --name test1 --emails test1@cn.ibm.com --enabled true --pools all --include-future-pools true -i "cis-demo"

ibmcloud cis alert-policy web-analytics-alert-create

Create an alert policy for web metrics report.

ibmcloud cis alert-policy web-analytics-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a web metrics report alert policy for instance cis-demo.

ibmcloud cis alert-policy web-analytics-alert-create --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy maintenance-event-alert-create

Create an alert policy for maintenance event.

ibmcloud cis alert-policy maintenance-event-alert-create --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) --event-type TYPE [--airport-code AIRPORT_CODE] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--event-type
The type of the maintenance event. Valid values: "scheduled", "changed", "canceled".
--airport-code
Comma-separated three-letter IATA Codes.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create a maintenance event alert policy for instance cis-demo.

ibmcloud cis alert-policy maintenance-event-alert-create --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --event-type scheduled,changed,canceled --airport-code IAD,AUS --enabled true -i "cis-demo"

ibmcloud cis alert-policy ddos-attack-l7-alert-update

Update an alert policy for DDoS attack L7.

ibmcloud cis alert-policy ddos-attack-l7-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a DDoS attack alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy ddos-attack-l7-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-update

Update an alert policy for DDoS attack L3/L4.

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a DDoS attack alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy ddos-attack-l3-l4-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy failing-logpush-job-alert-update

Update an alert policy that fires when a logpush job did not complete at least one successful push in the last 24 hours.

ibmcloud cis alert-policy failing-logpush-job-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a failing logpush job alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy failing-logpush-job-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true -i "cis-demo"

ibmcloud cis alert-policy pool-toggle-alert-update

Update an alert policy for pool toggle alerts.

ibmcloud cis alert-policy pool-toggle-alert-update POLICY_ID --name NAME (--emails EMAILS | --webhooks WEBHOOKS) --enabled (true | false) --pools POOLS --trigger-condition (enabled | disabled | either) [--include-future-pools (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--pools
The IDs of the origin pools. If set to all, all pool IDs are used.
--trigger-condition
The condition of pool toggle status. Valid values: "enabled", "disabled", "either".
--include-future-pools
Whether to include the future pools.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a pool toggle alert policy for instance cis-demo.

ibmcloud cis alert-policy pool-toggle-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --enabled true --pools all --trigger-condition enabled --include-future-pools true -i "cis-demo"

ibmcloud cis alert-policy firewall-events-alert-update

Update an alert policy about spikes in firewall events.

ibmcloud cis alert-policy firewall-events-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--domains DOMAINS] [--services SERVICES] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--domains
The domain IDs for the alert policy. For example, --domains domainID1,domainID2
--services
Specify which services the alert should monitor. Valid values: "country-access-rules", "waf", "firewall-rules", "ratelimit", "securitylevel", "ip-access-rules", "browser-integrity-check", "ua-rules", "lockdowns", "iprange-access-rules", "asn-access-rules", "Managed-firewall" (Enterprise plan only). Note: SERVICES is only used for advanced WAF alerts. If the alert policy that you want to update was created without services specified, create a new policy with services specified instead of updating it.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a firewall-events-alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy firewall-events-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true --domains d2633e61-1b61-2512-1321-b61a17c3db7e  -i "cis-demo"

ibmcloud cis alert-policy certificate-alert-update

Update an alert policy for certificate events.

ibmcloud cis alert-policy certificate-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a certificate alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy certificate-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true  -i "cis-demo"

ibmcloud cis alert-policy glb-healthcheck-alert-update

Update an alert policy for changes in health status for global load balancer, pools, and origins.

ibmcloud cis alert-policy glb-healthcheck-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--pools POOLS] [--include-future-pools (true | false)] [--health-status-trigger (healthy | unhealthy | either)] [--event-source-trigger (pool | origin | either)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--pools
The IDs of the origin pools. If set to all, all pool IDs are used.
--include-future-pools
Whether to include the future pools. (default "false")
--health-status-trigger
The trigger condition to fire the notification. Valid values: "healthy", "unhealthy", "either". (default "either")
--event-source-trigger
The event source of trigger to fire the notification. Valid values: "pool", "origin", "either". (default "either")
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a GLB health check alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy glb-healthcheck-alert-update  a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --enabled true --pools all --include-future-pools true -i "cis-demo"

ibmcloud cis alert-policy web-analytics-alert-update

Update an alert policy for web metric report.

ibmcloud cis alert-policy web-analytics-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a web metric report alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy web-analytics-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true  -i "cis-demo"

ibmcloud cis alert-policy maintenance-event-alert-update

Update an alert policy for maintenance event.

ibmcloud cis alert-policy maintenance-event-alert-update POLICY_ID [--name NAME] [--emails EMAILS] [--webhooks WEBHOOKS] [--enabled (true | false)] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]

Command options

POLICY_ID
The ID of alert policy. Required.
--name
The name of the alert policy.
--description
The description for the alert policy.
--emails
The email addresses for dispatching an alert notification. For example, --emails test1@cn.ibm.com,test2@cn.ibm.com
--webhooks
The webhook IDs for dispatching an alert notification. For example, --webhooks webhookID1,webhookID2
--enabled
Whether the alert policy is enabled.
--event-type
The type of the maintenance event. Valid values: "scheduled", "changed", "canceled".
--airport-code
Comma-separated three-letter IATA Codes.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a maintenance event alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy maintenance-event-alert-update a2633e68-1a64-2512-a321-b64a17c7db7a --name test1 --emails test1@cn.ibm.com --webhooks b2633e68-9a64-4519-b361-a64a67c8db8e --enabled true --event-type  scheduled,changed,canceled --airport-code IAD,AUS -i "cis-demo"

ibmcloud cis alert-policy delete

Delete an alert policy.

ibmcloud cis alert-policy delete POLICY_ID [-i, --instance INSTANCE] [-f, --force]

Command options

POLICY_ID
The ID of alert policy. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
-f, --force
Attempt to delete policy without prompting for confirmation.

Examples

Delete an alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy delete  a2633e68-1a64-2512-a321-b64a17c7db7a -f -i "cis-demo"

ibmcloud cis alert-policy test

Send a test alert for an alert policy.

ibmcloud cis alert-policy test POLICY_ID [-i, --instance INSTANCE] [-f, --force]

Command options

POLICY_ID
The ID of alert policy. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
-f, --force
Attempt to send a test alert without prompting for confirmation.

Examples

Send a test notification for an alert policy a2633e68-1a64-2512-a321-b64a17c7db7a.

ibmcloud cis alert-policy test a2633e68-1a64-2512-a321-b64a17c7db7a -f -i "cis-demo"

Alert Webhook

ibmcloud cis alert-webhooks

List all alert webhooks.

ibmcloud cis alert-webhooks [-i, --instance INSTANCE] [--output FORMAT]

Command options

-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all webhooks for instance cis-demo.

ibmcloud cis alert-webhooks -i "cis-demo"

ibmcloud cis alert-webhook

Show the details of a webhook.

ibmcloud cis alert-webhook WEBHOOK_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

WEBHOOK_ID
The ID of alert webhook. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show the details of alert webhook b2633e68-9a64-4519-b361-a64a67c8db8e.

ibmcloud cis alert-webhook b2633e68-9a64-4519-b361-a64a67c8db8e -i "cis-demo"

ibmcloud cis alert-webhook-create

Create an alert webhook for an instance.

ibmcloud cis alert-webhook-create --name NAME --url URL [--secret SECRET] [-i, --instance INSTANCE] [--output FORMAT]

Command options

--name
The name of the webhook. Required.
--url
The POST endpoint to call when dispatching an alert. Required.
--secret
The secret that will be passed in the webhook auth header when dispatching a webhook alert.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Create an alert webhook for instance cis-demo.

ibmcloud cis alert-webhook-create --name testwebhook --url https://hooks.slack.com/services/Ds3fdBFbV/1234568 --secret 007  -i "cis-demo"

ibmcloud cis alert-webhook-update

Update an alert webhook.

ibmcloud cis alert-webhook-update WEBHOOK_ID [--name NAME] [--url URL] [--secret SECRET] [-i, --instance INSTANCE] [--output FORMAT]

Command options

WEBHOOK_ID
The ID of alert webhook. Required.
--name
The name of the webhook.
--url
The POST endpoint to call when dispatching an alert.
--secret
The secret that will be passed in the webhook auth header when dispatching a webhook alert.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update an alert webhook b2633e68-9a64-4519-b361-a64a67c8db8e.

ibmcloud cis alert-webhook-update b2633e68-9a64-4519-b361-a64a67c8db8e --name testwebhook --url https://hooks.slack.com/services/Ds3fdBFbV/1234568 -i "cis-demo"

ibmcloud cis alert-webhook-delete

Delete an alert webhook.

ibmcloud cis alert-webhook-delete WEBHOOK_ID [-i, --instance INSTANCE] [-f, --force]

Command options

WEBHOOK_ID
The ID of alert webhook. Required.
-i, --instance
Instance name or ID. If not set, the context instance that is specified by ibmcloud cis instance-set INSTANCE is used.
-f, --force
Attempt to delete webhook without prompting for confirmation.

Examples

Delete an alert webhook b2633e68-9a64-4519-b361-a64a67c8db8e.

ibmcloud cis alert-webhook-delete  b2633e68-9a64-4519-b361-a64a67c8db8e -f -i "cis-demo"

Advanced Rate Limiting Rules

Manage the advanced rate limiting rules by using the following advanced-rate-limiting commands.

ibmcloud cis advanced-rate-limiting rules

List all advanced rate limiting rules.

ibmcloud cis advanced-rate-limiting rules DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all advanced rate limiting rules for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis advanced-rate-limiting rules 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis advanced-rate-limiting rule

Get details of an advanced rate limiting rule.

ibmcloud cis advanced-rate-limiting rule DNS_DOMAIN_ID RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
RULE_ID
The ID of the advanced rate limiting rule.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show a rule c2e184081120413c86c3ab7e14069605 for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis advanced-rate-limiting rule 31984fea73a15b45779fa0df4ef62f9b  c2e184081120413c86c3ab7e14069605 -i "cis-demo"

ibmcloud cis advanced-rate-limiting rule-create

Create an advanced rate limiting rule.

ibmcloud cis advanced-rate-limiting rule-create DNS_DOMAIN_ID --name NAME --match EXPRESSION --action ACTION --same-characteristics CHARACTERISTICS --requests REQUEST_PER_PERIOD --period PERIOD [--timeout TIMEOUT] [--enabled true|false] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

--name

The rule name.

--match

Specifies the conditions that must be matched for the rule to run. For the match value, see the reference documentation at https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--action

Action to perform when the rate specified in the rule is reached. Valid values: block, challenge, js_challenge, managed_challenge, log.

--same-characteristics

Set of parameters defining how CIS tracks the request rate for the rule. Use one or more of the characteristics: ip, ip_nat, host, path, country, asnum. For complex characteristics, use a JSON file or JSON string instead.

--requests

The number of requests over the period of time that will trigger the rule. Valid value: 1-1000000

--period

The period of time to consider (in seconds) when evaluating the request rate. Valid values: 10, 60, 120, 300, 600, 3600.

--timeout

The rate limiting rule applies the rule action to further requests for the period of time. Valid values: 0, 10, 60, 120, 300, 600, 3600, 86400.

--enabled

Indicates if the rule is active or not. Valid values for "enabled" are true, false. (default false)

--json

The JSON file or JSON string used to describe an advanced rate limiting rule.

  • The required fields in JSON data are expression, ratelimit, action.

    • expression: Defines the criteria for the advanced rate limiting rule to match a request.
    • ratelimit: Define the ratelimit parameters.
      • characteristics: Set of parameters defining how CIS tracks the request rate for the rule.
      • requests_per_period: The number of requests over the period of time that will trigger the rule.
      • period: The period of time to consider (in seconds) when evaluating the request rate. Valid values: 10, 60, 120, 300, 600, 3600.
      • requests_to_origin: Apply the rate limiting to cached assets or not.
      • mitigation_timeout: The rate limiting rule applies the rule action to further requests for the period of time. Valid values: 0, 10, 60, 120, 300, 600, 3600, 86400.
      • counting_expression: Defines the criteria used for determining the request rate.
    • action: Action to perform when the rate specified in the rule is reached. Valid values: block, challenge, js_challenge, managed_challenge, log.
  • The optional fields are description, action_parameters, enabled.

    • description: The descriptive name of your rule.
    • action_parameters: Define the action parameters.
      • response: Define a custom response for block action.
        • status_code: Defines the HTTP status code returned to the visitor when blocking the request due to rate limiting. Only available when the rule action is Block. Valid values: 400~499. The default value is 429.
        • content_type: Defines the content type of a custom response when blocking a request due to rate limiting. Only available when the rule action is Block.
        • content: Defines the body of the returned HTTP response when the request is blocked due to rate limiting. Only available when the rule action is Block.
    • enabled: Whether this rule is enabled.

Sample JSON data:

    {
       "description": "description",
       "expression": "(http.request.method eq \"POST\")",
       "ratelimit": {
          "characteristics": [
             "cf.unique_visitor_id",
             "cf.colo.id"
          ],
          "requests_to_origin": false,
          "counting_expression": "(ip.geoip.continent in {\"AN\"})",
          "requests_per_period": 10,
          "period": 10,
          "mitigation_timeout": 120
       },
       "action": "block",
       "action_parameters": {
          "response": {
             "status_code": 429,
             "content_type": "text/xml",
             "content": "reject"
          }
       },
       "enabled": false
    }

-i, --instance

Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Create an advanced rate limiting rule for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis advanced-rate-limiting rule-create 31984fea73a15b45779fa0df4ef62f9b --name rule-name --match "(http.request.method eq \"POST\")" --action log --same-characteristics ip,ip_nat --requests 100 --period 10 -i "cis-demo"

ibmcloud cis advanced-rate-limiting rule-update

Update an advanced rate limiting rule.

ibmcloud cis advanced-rate-limiting rule-update DNS_DOMAIN_ID RULE_ID --name NAME --match EXPRESSION --action ACTION --same-characteristics CHARACTERISTICS --requests REQUEST_PER_PERIOD --period PERIOD [--timeout TIMEOUT] [--enabled true|false] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

RULE_ID

The ID of the advanced rate limiting rule.

--name

The rule name.

--match

Specifies the conditions that must be matched for the rule to run. For the match value, see the reference documentation at https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--action

Action to perform when the rate specified in the rule is reached. Valid values: block, challenge, js_challenge, managed_challenge, log.

--same-characteristics

Set of parameters defining how CIS tracks the request rate for the rule. Use one or more of the characteristics: ip, ip_nat, host, path, country, asnum. For complex characteristics, use a JSON file or JSON string instead.

--requests

The number of requests over the period of time that will trigger the rule. Valid value: 1-1000000

--period

The period of time to consider (in seconds) when evaluating the request rate. Valid values: 10, 60, 120, 300, 600, 3600.

--timeout

The rate limiting rule applies the rule action to further requests for the period of time. Valid values: 0, 10, 60, 120, 300, 600, 3600, 86400.

--enabled

Indicates if the rule is active or not. Valid values for "enabled" are true, false. (default false)

--json

The JSON file or JSON string used to describe an advanced rate limiting rule.

  • The required fields in JSON data are expression, ratelimit, action.

    • expression: Defines the criteria for the advanced rate limiting rule to match a request.
    • ratelimit: Define the ratelimit parameters.
      • characteristics: Set of parameters defining how CIS tracks the request rate for the rule.
      • requests_per_period: The number of requests over the period of time that will trigger the rule.
      • period: The period of time to consider (in seconds) when evaluating the request rate. Valid values: 10, 60, 120, 300, 600, 3600.
      • requests_to_origin: Apply the rate limiting to cached assets or not.
      • mitigation_timeout: The rate limiting rule applies the rule action to further requests for the period of time. Valid values: 0, 10, 60, 120, 300, 600, 3600, 86400.
      • counting_expression: Defines the criteria used for determining the request rate.
    • action: Action to perform when the rate specified in the rule is reached. Valid values: block, challenge, js_challenge, managed_challenge, log.
  • The optional fields are description, action_parameters, enabled.

    • description: The descriptive name of your rule.
    • action_parameters: Define the action parameters.
      • response: Define a custom response for block action.
        • status_code: Defines the HTTP status code returned to the visitor when blocking the request due to rate limiting. Only available when the rule action is Block. Valid values: 400~499. The default value is 429.
        • content_type: Defines the content type of a custom response when blocking a request due to rate limiting. Only available when the rule action is Block.
        • content: Defines the body of the returned HTTP response when the request is blocked due to rate limiting. Only available when the rule action is Block.
    • enabled: Whether this rule is enabled.

Sample JSON data:

    {
       "description": "description",
       "expression": "(http.request.method eq \"POST\")",
       "ratelimit": {
          "characteristics": [
             "cf.unique_visitor_id",
             "cf.colo.id"
          ],
          "requests_to_origin": false,
          "counting_expression": "(ip.geoip.continent in {\"AN\"})",
          "requests_per_period": 10,
          "period": 10,
          "mitigation_timeout": 120
       },
       "action": "block",
       "action_parameters": {
          "response": {
             "status_code": 429,
             "content_type": "text/xml",
             "content": "reject"
          }
       },
       "enabled": false
    }

-i, --instance

Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Update an advanced rate limiting rule c2e184081120413c86c3ab7e14069605 for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis advanced-rate-limiting rule-update 31984fea73a15b45779fa0df4ef62f9b c2e184081120413c86c3ab7e14069605 --name rule-name --match "(http.request.method eq \"POST\")" --action log --same-characteristics ip,ip_nat --requests 100 --period 10 -i "cis-demo"
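A pre-flight lint for the --json payload of rule-create and rule-update, using the valid values listed in the two option sections above. This is an added example, not IBM's code; the function names are hypothetical, and it assumes that the 1-1000000 range of --requests and the three mandatory rate flags also apply to the JSON fields.

```python
import json

# Allowed values copied from the option descriptions on this page.
VALID_ACTIONS = {"block", "challenge", "js_challenge", "managed_challenge", "log"}
VALID_PERIODS = {10, 60, 120, 300, 600, 3600}
VALID_TIMEOUTS = {0, 10, 60, 120, 300, 600, 3600, 86400}
# Assumption: the JSON form needs the same rate fields that the flag form marks
# as mandatory (--same-characteristics, --requests, --period).
REQUIRED_RATE = ("characteristics", "requests_per_period", "period")


def _is_int(value):
    # bool is a subclass of int, so JSON true/false must be rejected explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def lint_rate_limit_rule(rule):
    """Return (errors, warnings) for one advanced rate limiting rule object."""
    errors, warnings = [], []
    if not isinstance(rule, dict):
        return ["rule must be a JSON object"], warnings
    for key in ("expression", "ratelimit", "action"):
        if key not in rule:
            errors.append(f"missing required field: {key}")
    action = rule.get("action")
    if "action" in rule and not (isinstance(action, str) and action in VALID_ACTIONS):
        errors.append(f"action must be one of {sorted(VALID_ACTIONS)}")

    rate = rule.get("ratelimit")
    if isinstance(rate, dict):
        for key in REQUIRED_RATE:
            if key not in rate:
                errors.append(f"missing ratelimit.{key}")
        chars = rate.get("characteristics")
        if "characteristics" in rate and not (isinstance(chars, list) and chars):
            errors.append("ratelimit.characteristics must be a non-empty list")
        rpp = rate.get("requests_per_period")
        if "requests_per_period" in rate and not (_is_int(rpp) and 1 <= rpp <= 1000000):
            errors.append("ratelimit.requests_per_period must be an integer in 1-1000000")
        period = rate.get("period")
        if "period" in rate and not (_is_int(period) and period in VALID_PERIODS):
            errors.append(f"ratelimit.period must be one of {sorted(VALID_PERIODS)}")
        timeout = rate.get("mitigation_timeout")
        if "mitigation_timeout" in rate and not (_is_int(timeout) and timeout in VALID_TIMEOUTS):
            errors.append(f"ratelimit.mitigation_timeout must be one of {sorted(VALID_TIMEOUTS)}")
    elif "ratelimit" in rule:
        errors.append("ratelimit must be an object")

    params = rule.get("action_parameters")
    response = params.get("response") if isinstance(params, dict) else None
    if isinstance(response, dict):
        if action != "block":
            errors.append("action_parameters.response is only available when action is block")
        code = response.get("status_code", 429)  # 429 is the documented default
        if not (_is_int(code) and 400 <= code <= 499):
            errors.append("response.status_code must be an integer in 400-499")

    if rule.get("enabled") is not True:
        warnings.append("enabled is not true: the rule is inactive (documented default is false)")
    if action == "log":
        warnings.append("action is log: matching requests are recorded, not mitigated")
    return errors, warnings


def lint_rule_json(text):
    """Parse a --json payload string and lint it; parse failures become errors."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"], []
    return lint_rate_limit_rule(rule)


# The sample JSON from this page, then a constructed payload with deliberate mistakes.
PAGE_SAMPLE = r'''{
  "description": "description",
  "expression": "(http.request.method eq \"POST\")",
  "ratelimit": {
    "characteristics": ["cf.unique_visitor_id", "cf.colo.id"],
    "requests_to_origin": false,
    "counting_expression": "(ip.geoip.continent in {\"AN\"})",
    "requests_per_period": 10, "period": 10, "mitigation_timeout": 120
  },
  "action": "block",
  "action_parameters": {"response": {"status_code": 429, "content_type": "text/xml", "content": "reject"}},
  "enabled": false
}'''
CONSTRUCTED_BAD = json.dumps({
    "expression": '(http.request.method eq "POST")', "action": "log", "enabled": True,
    "ratelimit": {"characteristics": ["cf.colo.id"], "requests_per_period": 0,
                  "period": 30, "mitigation_timeout": 15},
    "action_parameters": {"response": {"status_code": 503}}})

if __name__ == "__main__":
    for label, payload in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, *lint_rule_json(payload), sep="\n  ")
```

The page's own sample passes with one warning, because it ships with "enabled": false and so creates a rule that does not act on traffic until it is enabled.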

ibmcloud cis advanced-rate-limiting rule-delete

Delete an advanced rate limiting rule by ID.

ibmcloud cis advanced-rate-limiting rule-delete DNS_DOMAIN_ID RULE_ID [-f, --force] [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
RULE_ID
The ID of the advanced rate limiting rule.
-f, --force
Attempt to delete the advanced rate limiting rule without prompting for confirmation.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Delete a rule c2e184081120413c86c3ab7e14069605 for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis advanced-rate-limiting rule-delete 31984fea73a15b45779fa0df4ef62f9b  c2e184081120413c86c3ab7e14069605 -i "cis-demo"

WAF Managed Rules

Manage the WAF managed rulesets and rules by using the following managed-waf commands. Before you use the managed WAF commands, migrate to the new WAF by using the API or GUI. Keep in mind that the previous version of the WAF commands stops working after you migrate.

ibmcloud cis managed-waf rulesets

List all managed WAF rulesets.

ibmcloud cis managed-waf rulesets DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all managed WAF rulesets for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf rulesets 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis managed-waf ruleset

Get details of a managed WAF ruleset.

ibmcloud cis managed-waf ruleset DNS_DOMAIN_ID RULESET_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
RULESET_ID
The ID of the ruleset.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show a ruleset c2e184081120413c86c3ab7e14069605 for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf ruleset 31984fea73a15b45779fa0df4ef62f9b  c2e184081120413c86c3ab7e14069605 -i "cis-demo"

ibmcloud cis managed-waf deployment

Get details of a deployed managed WAF rule.

ibmcloud cis managed-waf deployment DNS_DOMAIN_ID RULE_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
RULE_ID
The ID of the rule.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Show a deployment rule a2121e23-9e68-1218-a356-b78e23a8ec8a for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployment 31984fea73a15b45779fa0df4ef62f9b  a2121e23-9e68-1218-a356-b78e23a8ec8a -i "cis-demo"

ibmcloud cis managed-waf deployments

List all deployed managed WAF rules.

ibmcloud cis managed-waf deployments DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID
The ID of DNS domain.
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

List all deployment rules for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployments 31984fea73a15b45779fa0df4ef62f9b -i "cis-demo"

ibmcloud cis managed-waf deployment-add-exception

Create an exception rule to skip execution of specified managed WAF rules.

ibmcloud cis managed-waf deployment-add-exception DNS_DOMAIN_ID --match EXPRESSION [--skip-rules RULES] [--enabled true|false] [--logging true|false] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis managed-waf deployment-add-exception DNS_DOMAIN_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

--match

Specifies the conditions that must be matched for the rule to run. For match value, reference documentation https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--skip-rules

Skip all remaining rules, WAF managed rulesets, or rules of WAF managed rulesets. For example, --skip-rules RULESETID-1:RULEID-a,RULEID-b;RULESETID-2:RULEID-x,RULEID-y. Set current to skip all remaining rules. Default is "current".

--enabled

Indicates if the rule is active. Default is "true".

--logging

Log requests matching the skip rule. Default is "true".

--description

A brief description of the rule.

--json

The JSON file or JSON string used to describe a managed WAF.

  • The required fields in JSON data are expression, action, action_parameters.

    • expression: The rule expression.
    • action: The rule action to perform. Valid values: skip.
    • action_parameters: The rule action parameters.
      • ruleset: Skip all remaining rules or one or more WAF managed rulesets.
      • rules: Skip one or more rules of WAF managed rulesets.
  • The optional fields are description, enabled, logging.

    • description: Briefly describes the rule.
    • enabled: Indicates if the rule is active.
    • logging: Log requests matching the skip rule.
      • enabled: When disabled, matched requests will not appear in firewall events.

Sample JSON data:

    {
       "action": "skip",
       "expression": "(http.cookie eq \"example.com/contact?page=1234\")",
       "description": "rule name",
       "enabled": true,
       "logging": {
          "enabled": true
       },
       "action_parameters": {
          "rules": {
             "efb7b8c949ac4650a09736fc376e9aee": [
                "5de7edfa648c4d6891dc3e7f84534ffa",
                "e3a567afc347477d9702d9047e97d760"
             ],
             "c2e184081120413c86c3ab7e14069605": [
                "ef21b0a932ae422790f9249d213b85e6"
             ]
          }
       }
    }

-i, --instance

Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.

--output

Specify output format, only JSON is supported.

Examples

Create exception rule for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployment-add-exception 31984fea73a15b45779fa0df4ef62f9b --match "(http.cookie eq \"example.com/contact?page=1234\")" --skip-rules 'efb7b8c949ac4650a09736fc376e9aee:5de7edfa648c4d6891dc3e7f84534ffa' --enabled false --logging true -i "cis-demo"

ibmcloud cis managed-waf deployment-update-exception

Update an exception rule in the deployed managed WAF rules.

ibmcloud cis managed-waf deployment-update-exception DNS_DOMAIN_ID RULE_ID [--match MATCH] [--skip-rules RULES] [--enabled true|false] [--logging true|false] [--description DESCRIPTION] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis managed-waf deployment-update-exception DNS_DOMAIN_ID RULE_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

RULE_ID

The ID of rule.

--match

Specifies the conditions that must be matched for the rule to run. For the match value, see the reference documentation at https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--skip-rules

Skip all remaining rules, WAF managed rulesets, or rules of WAF managed rulesets. For example, --skip-rules RULESETID-1:RULEID-a,RULEID-b;RULESETID-2:RULEID-x,RULEID-y. Set current to skip all remaining rules. Default is "current".

--enabled

Indicates if the rule is active. Default is "true".

--logging

Log requests matching the skip rule. Default is "true".

--description

A brief description of the rule.

--json

The JSON file or JSON string used to describe a managed WAF.

  • The required fields in JSON data are expression, action, action_parameters.

    • expression: The rule expression.
    • action: The rule action to perform. Valid values: skip.
    • action_parameters: The rule action parameters.
      • ruleset: Skip all remaining rules or one or more WAF managed rulesets.
      • rules: Skip one or more rules of WAF managed rulesets.
  • The optional fields are description, enabled, logging.

    • description: Briefly describes the rule.
    • enabled: Indicates if the rule is active.
    • logging: Log requests matching the skip rule.
      • enabled: When disabled, matched requests will not appear in firewall events.

Sample JSON data:

    {
       "action": "skip",
       "expression": "(http.cookie eq \"example.com/contact?page=1234\")",
       "description": "rule name",
       "enabled": true,
       "logging": {
          "enabled": true
       },
       "action_parameters": {
          "rules": {
             "efb7b8c949ac4650a09736fc376e9aee": [
                "5de7edfa648c4d6891dc3e7f84534ffa",
                "e3a567afc347477d9702d9047e97d760"
             ],
             "c2e184081120413c86c3ab7e14069605": [
                "ef21b0a932ae422790f9249d213b85e6"
             ]
          }
       }
    }

-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update an exception rule e7ead74deb2b4c30a91c793f502f5e14 for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployment-update-exception 31984fea73a15b45779fa0df4ef62f9b e7ead74deb2b4c30a91c793f502f5e14 --match "(http.cookie eq \"example.com/contact?page=1234\")" --skip-rules 'efb7b8c949ac4650a09736fc376e9aee:5de7edfa648c4d6891dc3e7f84534ffa' --enabled false --logging true -i "cis-demo"
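How the --skip-rules string of deployment-add-exception and deployment-update-exception relates to the action_parameters object in the sample JSON, with a short review of how much WAF coverage an exception removes. This is an added example, not IBM's code; the function names are hypothetical, and mapping "current" to the JSON ruleset field is an assumption based on the field descriptions above.

```python
import json


def parse_skip_rules(value="current"):
    """Turn a --skip-rules string into the action_parameters object."""
    value = value.strip()
    if value == "current":
        # Assumption: "current" maps to the JSON `ruleset` field, which the page
        # describes as the way to skip all remaining rules.
        return {"ruleset": "current"}
    rules = {}
    for group in value.split(";"):
        ruleset_id, sep, rule_part = group.strip().partition(":")
        rule_ids = [r.strip() for r in rule_part.split(",") if r.strip()]
        if not ruleset_id or not sep or not rule_ids:
            raise ValueError(f"expected RULESETID:RULEID[,RULEID...], got {group!r}")
        if ruleset_id in rules:
            raise ValueError(f"ruleset {ruleset_id} listed twice")
        if len(set(rule_ids)) != len(rule_ids):
            raise ValueError(f"duplicate rule ID under ruleset {ruleset_id}")
        rules[ruleset_id] = rule_ids
    return {"rules": rules}


def build_exception(match, skip_rules="current", enabled=True, logging=True, description=None):
    """Build a --json payload from flag-style inputs, using the documented defaults."""
    rule = {
        "action": "skip",
        "expression": match,
        "enabled": enabled,
        "logging": {"enabled": logging},
        "action_parameters": parse_skip_rules(skip_rules),
    }
    if description:
        rule["description"] = description
    return rule


def audit_exception(rule):
    """List the properties of an exception rule that a reviewer should sign off on."""
    findings = []
    params = rule.get("action_parameters", {})
    if params.get("ruleset") == "current":
        findings.append("skips all remaining rules for every matching request")
    for ruleset_id, rule_ids in params.get("rules", {}).items():
        findings.append(f"skips {len(rule_ids)} rule(s) of ruleset {ruleset_id}")
    if not rule.get("logging", {}).get("enabled", True):
        findings.append("logging disabled: matched requests will not appear in firewall events")
    if not rule.get("enabled", True):
        findings.append("rule is inactive (enabled is false)")
    return findings


# Values taken from the example command on this page.
PAGE_MATCH = '(http.cookie eq "example.com/contact?page=1234")'
PAGE_SKIP = "efb7b8c949ac4650a09736fc376e9aee:5de7edfa648c4d6891dc3e7f84534ffa"

if __name__ == "__main__":
    rule = build_exception(PAGE_MATCH, PAGE_SKIP, enabled=False, logging=True)
    print(json.dumps(rule, indent=3))
    for finding in audit_exception(rule):
        print("review:", finding)
```

Omitting --skip-rules gives the broadest exception, because the default "current" skips every remaining rule for requests that match the expression.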

ibmcloud cis managed-waf deployment-add-ruleset

Add a managed ruleset to the deployed managed WAF rules.

ibmcloud cis managed-waf deployment-add-ruleset DNS_DOMAIN_ID RULESET_ID [--match EXPRESSION] [--enabled true|false] [--override-action ACTION] [--override-status STATUS] [--paranoia-level LEVEL] [--override-rules RULE] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis managed-waf deployment-add-ruleset DNS_DOMAIN_ID RULESET_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

RULESET_ID

The ID of managed ruleset.

--match

Specifies the conditions that must be matched for the rule to run. For match value, reference documentation https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--enabled

Indicates if the rule is active. Default is "true".

--override-action

The ruleset action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".

--override-status

The ruleset status of the overrides. Valid values: true, false.

--paranoia-level

OWASP paranoia level. Higher paranoia levels activate more aggressive rules. Valid values: "PL1", "PL2", "PL3", "PL4". Only available for the CIS OWASP Core Ruleset.

--override-rules

The rules options of the overrides. For example --override-rules rule=RULE_ID,action=ACTION,enabled=STATUS. For OWASP Core Ruleset, you can also override the Score Threshold. For example, --override-rules rule=6179ae15870a4bb7b2d480d4843b323c,score-threshold=25.

--json

The JSON file or JSON string used to describe a managed WAF rule.

  • The required fields in JSON data are expression, action, action_parameters.

      • expression: The rule expression.
      • action: The rule action to perform. Valid values: skip.
      • action_parameters: The rule action parameters.
          • id: The ruleset ID of the overrides.
          • overrides: The rules options of the overrides.
              • action: The ruleset action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".
              • enabled: The ruleset status of the overrides. Valid values: true, false.
              • rules: The rules options of the overrides.
                  • id: The rule ID of the overrides.
                  • action: The rule action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".
                  • enabled: The rule status of the overrides.
                  • score_threshold: OWASP Anomaly Score Threshold, set the score threshold which will trigger the Firewall.
              • categories: Define OWASP Paranoia Level and only valid for CIS OWASP core ruleset.
                  • category: OWASP paranoia level, higher paranoia levels activate more aggressive rules.
                  • enabled: Whether this OWASP Paranoia Level is enabled.

  • The optional fields are description, enabled.

      • description: Briefly describes the rule.
      • enabled: Indicates if the rule is active.

Sample JSON data:

     {
        "action": "execute",
        "description": "CIS Managed Ruleset",
        "enabled": true,
        "expression": "(http.cookie eq \"example.com/contact?page=1234\")",
        "action_parameters": {
           "id": "efb7b8c949ac4650a09736fc376e9aee",
           "overrides": {
              "action": "block",
              "enabled": false,
              "rules": [
                 {
                    "id": "5de7edfa648c4d6891dc3e7f84534ffa",
                    "action": "managed_challenge"
                 },
                 {
                    "id": "e3a567afc347477d9702d9047e97d760",
                    "action": "log",
                    "enabled": true
                 }
              ]
           }
        }
     }
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Deploy a managed ruleset for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployment-add-ruleset 31984fea73a15b45779fa0df4ef62f9b efb7b8c949ac4650a09736fc376e9aee --match true --enabled true --override-action block --override-status true --override-rules rule=5de7edfa648c4d6891dc3e7f84534ffa,action=managed_challenge --override-rules rule=e3a567afc347477d9702d9047e97d760,action=log,enabled=true -i "cis-demo"

ibmcloud cis managed-waf deployment-update-ruleset

Update a managed ruleset in the deployed managed WAF rules.

ibmcloud cis managed-waf deployment-update-ruleset DNS_DOMAIN_ID RULE_ID [--match EXPRESSION] [--enabled true|false] [--override-action ACTION] [--override-status STATUS] [--paranoia-level LEVEL] [--override-rules RULE] [--reset-all] [-i, --instance INSTANCE] [--output FORMAT]
ibmcloud cis managed-waf deployment-update-ruleset DNS_DOMAIN_ID RULE_ID (--json @JSON_FILE | JSON_STRING) [-i, --instance INSTANCE] [--output FORMAT]

Command options

DNS_DOMAIN_ID

The ID of DNS domain.

RULE_ID

The ID of deployed managed rule.

--match

Specifies the conditions that must be matched for the rule to run. For match value, reference documentation https://cloud.ibm.com/docs/cis?topic=cis-fields-and-expressions

--enabled

Indicates if the rule is active. Default is "true".

--override-action

The ruleset action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".

--override-status

The ruleset status of the overrides. Valid values: true, false.

--paranoia-level

OWASP paranoia level. Higher paranoia levels activate more aggressive rules. Valid values: "PL1", "PL2", "PL3", "PL4". Only available for the CIS OWASP Core Ruleset.

--override-rules

The rules options of the overrides. For example, --override-rules rule=RULE_ID,action=ACTION,enabled=STATUS. For OWASP Core Ruleset, you can also override the Score Threshold. For example, --override-rules rule=6179ae15870a4bb7b2d480d4843b323c,score-threshold=25.

--reset-all

Reset all the override rules to the default settings.

--json

The JSON file or JSON string used to describe a managed WAF rule.

  • The required fields in JSON data are expression, action, action_parameters.

      • expression: The rule expression.
      • action: The rule action to perform. Valid values: skip.
      • action_parameters: The rule action parameters.
          • id: The ruleset ID of the overrides.
          • overrides: The rules options of the overrides.
              • action: The ruleset action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".
              • enabled: The ruleset status of the overrides. Valid values: true, false.
              • rules: The rules options of the overrides.
                  • id: The rule ID of the overrides.
                  • action: The rule action of the overrides. Valid values: "managed_challenge", "block", "js_challenge", "log", "challenge".
                  • enabled: The rule status of the overrides.
                  • score_threshold: OWASP Anomaly Score Threshold, set the score threshold which will trigger the Firewall.
              • categories: Define OWASP Paranoia Level and only valid for CIS OWASP core ruleset.
                  • category: OWASP paranoia level, higher paranoia levels activate more aggressive rules.
                  • enabled: Whether this OWASP Paranoia Level is enabled.

  • The optional fields are description, enabled.

      • description: Briefly describes the rule.
      • enabled: Indicates if the rule is active.

Sample JSON data:

     {
        "action": "execute",
        "description": "CIS Managed Ruleset",
        "enabled": true,
        "expression": "(http.cookie eq \"example.com/contact?page=1234\")",
        "action_parameters": {
           "id": "efb7b8c949ac4650a09736fc376e9aee",
           "overrides": {
              "action": "block",
              "enabled": false,
              "rules": [
                 {
                    "id": "5de7edfa648c4d6891dc3e7f84534ffa",
                    "action": "managed_challenge"
                 },
                 {
                    "id": "e3a567afc347477d9702d9047e97d760",
                    "action": "log",
                    "enabled": true
                 }
              ]
           }
        }
     }
-i, --instance
Instance name or ID. If not set, the context instance specified by ibmcloud cis instance-set INSTANCE is used.
--output
Specify output format, only JSON is supported.

Examples

Update a managed ruleset rule 1a18a1ea7fc043c68761bc69adcbb11c for domain 31984fea73a15b45779fa0df4ef62f9b under instance cis-demo.

ibmcloud cis managed-waf deployment-update-ruleset 31984fea73a15b45779fa0df4ef62f9b 1a18a1ea7fc043c68761bc69adcbb11c --match true --enabled true --override-action block --override-status true --override-rules rule=5de7edfa648c4d6891dc3e7f84534ffa,action=managed_challenge --override-rules rule=e3a567afc347477d9702d9047e97d760,action=log,enabled=true -i "cis-demo"
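
A pre-flight check for the `--json` payloads described above (both the skip-rule form and the ruleset-override form), useful before a file is passed as `--json @JSON_FILE`. This is an added example, not part of the CIS CLI or of IBM's documentation; the function name `lint_waf_payload` and the findings it reports are this example's own review policy, built only from the field names, defaults and valid values listed on this page.

```python
import json

# Override actions the page lists as valid values.
VALID_ACTIONS = {"managed_challenge", "block", "js_challenge", "log", "challenge"}
REQUIRED = ("expression", "action", "action_parameters")


def lint_waf_payload(text):
    """Return review findings for a managed-WAF --json payload (empty list = clean)."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rule, dict):
        return ["payload must be a JSON object"]
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in rule]
    params = rule.get("action_parameters")
    if findings or not isinstance(params, dict):
        return findings or ["action_parameters must be an object"]
    if rule["action"] == "skip":
        if str(rule["expression"]).strip() == "true":
            findings.append("skip rule matches every request")
        # Page: logging defaults to true; when disabled, matches leave no firewall event.
        if not rule.get("logging", {}).get("enabled", True):
            findings.append("skip rule has logging disabled")
        if "ruleset" in params:
            findings.append("skips whole rulesets instead of listed rule IDs")
    overrides = params.get("overrides", {})
    if overrides.get("enabled") is False:
        findings.append("ruleset-level override sets enabled=false")
    for scope in [overrides] + overrides.get("rules", []):
        action = scope.get("action")
        if action is not None and action not in VALID_ACTIONS:
            findings.append(f"unknown override action: {action!r}")
        elif action == "log":
            findings.append(f"override downgrades {scope.get('id', 'ruleset')} to log")
    return findings


# Constructed sample: a skip rule that would hide its matches from firewall events.
SAMPLE_SKIP = json.dumps({
    "action": "skip",
    "expression": "true",
    "logging": {"enabled": False},
    "action_parameters": {"rules": {"efb7b8c949ac4650a09736fc376e9aee": ["5de7edfa648c4d6891dc3e7f84534ffa"]}},
})

if __name__ == "__main__":
    for finding in lint_waf_payload(SAMPLE_SKIP):
        print("finding:", finding)
```

An empty list means the payload parsed and none of the checks fired; it does not mean the service will accept the rule.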

Private endpoint support

To ensure that you have enhanced control and security over your data when you use the CIS CLI, you have the option of using private routes to CIS endpoints. Private routes are not accessible or reachable over the internet. By using CIS private endpoints, you can protect your data from threats from the public network and logically extend your private network.

Regional support is provided for a limited number of CLI commands. The following regions support private endpoints:

  • us-south
  • us-east

Logging in to the CLI with a private endpoint

Use the following command to log in to a private endpoint by using the CLI:

ibmcloud login -a private.cloud.ibm.com

Targeting a supported region

A region must be targeted when a private endpoint is set. Use the following command to target a supported region:

ibmcloud target -r [region]

Using CIS CLI with private endpoints

All the commands support private endpoints, for example:

ibmcloud cis domains -i cis-demo