---
title: Managing allow lists and deny lists
description: The API Security Enforcer (ASE) maintains both allow lists and deny lists.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_managing_allow_list_deny_list
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_managing_allow_list_deny_list.html
revdate: June 4, 2024
section_ids:
  managing-the-allow-list: Managing the allow list
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  example-5: Example:
  example-6: Example:
  example-7: Example:
  example-8: Example:
  managing-the-deny-list: Managing the deny list
  about-this-task-2: About this task
  steps-2: Steps
  example-9: Example:
  example-10: Example:
  example-11: Example:
  example-12: Example:
  example-13: Example:
  example-14: Example:
  example-15: Example:
  example-16: Example:
  example-17: Example:
  example-18: Example:
  example-19: Example:
  example-20: Example:
  example-21: Example:
---

# Managing allow lists and deny lists

The API Security Enforcer (ASE) maintains both allow lists and deny lists.

* Allow list

  List of safe IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are not blocked by ASE. The list is generated manually by adding client identifiers with command-line interface (CLI) commands.

* Deny list

  List of bad IP addresses, cookies, OAuth2 tokens, API keys, or usernames that are always blocked by ASE. The list consists of entries from one or more of the following sources:

  * API Behavioral Security (ABS)-detected attacks, such as data exfiltration. ABS-detected attacks have a time-to-live (TTL) in minutes. The TTL is configured in ABS.

  * ASE-detected attacks, such as invalid method or decoy API accessed.

  * List of bad clients manually generated by CLI.

## Managing the allow list

### About this task

To manage operations for OAuth2 tokens, cookies, IP addresses, API keys, and usernames on an allow list:

### Steps

* To add an IP address to an allow list, run the `add_whitelist` command with the `ip` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist ip 10.10.10.10
  ip 10.10.10.10 added to whitelist
  ```

* To add a cookie to an allow list, run the `add_whitelist` command with the `cookie` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist cookie JSESSIONID cookie_1.4
  cookie JSESSIONID cookie_1.4 added to whitelist
  ```

* To add a token to an allow list, run the `add_whitelist` command with the `token` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist token token1.4
  token token1.4 added to whitelist
  ```

* To add an API key to an allow list, run the `add_whitelist` command with the `api_key` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist api_key X-API-KEY key_1.4
  api_key X-API-KEY key_1.4 added to whitelist
  ```

* To add a username to an allow list, run the `add_whitelist` command with the `username` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_whitelist username abc@example.com
  username abc@example.com added to whitelist
  ```

* To view an allow list, run the `view_whitelist` command.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_whitelist
  Whitelist
  1) type : ip, value : 1.1.1.1
  2) type : cookie, name : JSESSIONID, value : cookie_1.1
  3) type : token, value : token1.3
  4) type : api_key, name : X-API-KEY, value : key_1.4
  5) type : username, value : abc@example.com
  ```

* To delete an entry from an allow list, run the `delete_whitelist` command.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist ip 4.4.4.4
  ip 4.4.4.4 deleted from whitelist

  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist cookie JSESSIONID cookie_1.1
  cookie JSESSIONID cookie_1.1 deleted from whitelist

  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist token token1.1
  token token1.1 deleted from whitelist

  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist api_key X-API-KEY key_1.4
  api_key X-API-KEY key_1.4 deleted from whitelist

  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_whitelist username abc@example.com
  ```

* To clear the allow list, run the `clear_whitelist` command.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin clear_whitelist
  This will delete all whitelist Attacks, Are you sure (y/n) : y
  Whitelist cleared
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin clear_whitelist
  This will delete all whitelist Attacks, Are you sure (y/n) : n
  Action canceled
  ```

## Managing the deny list

### About this task

To manage IP addresses, cookies, OAuth2 tokens, and API keys on a deny list:

### Steps

* To add an IP address to a deny list, run the `add_blacklist` command with the `ip` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist ip 1.1.1.1
  ip 1.1.1.1 added to blacklist
  ```

* To add a cookie to a deny list, run the `add_blacklist` command with the `cookie` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist cookie JSESSIONID ad233edqsd1d23redwefew
  cookie JSESSIONID ad233edqsd1d23redwefew added to blacklist
  ```

* To add a token to a deny list, run the `add_blacklist` command with the `token` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist token ad233edqsd1d23redwefew
  token ad233edqsd1d23redwefew added to blacklist
  ```

* To add an API key to a deny list, run the `add_blacklist` command with the `api_key` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4
  api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4 added to blacklist
  ```

* To add a username to a deny list, run the `add_blacklist` command with the `username` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin add_blacklist username abc@example.com
  username abc@example.com added to blacklist
  ```

  You can also add a username that contains a space to a deny list. For example, `your name`.

* To view the entire deny list, run the `view_blacklist` command with the `all` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist all
  Manual Blacklist
  1)  type : ip, value : 172.168.11.110
  2)  type : token, value : cdE94R3osh283B7NoiJR41XHgt7gxroot
  3)  type : username, value : blockeduser
  4)  type : cookie, name : JSESSIONID, value : pZlhg5s3i8csImMoas7vh81vz
  5)  type : api_key, name : x-api-key, value : d4d28833e2c24be0913f4267f3b91ce5
  ABS Generated Blacklist
  1)  type : token, value : fAtTzxFJZ2Zkr7HZ9KM17s7kY2Mu
  2)  type : token, value : oFQOr11Gj8cCRv1k4849RZOPztPP
  3)  type : token, value : Rz7vn5KoLUcAhruQZ4H5cE00s2mG
  4)  type : token, value : gxbkGPNuFJw69Z5PF44PoRIfPugA
  5)  type : username, value : user1
  Realtime Decoy Blacklist
  1)  type : ip, value : 172.16.40.15
  2)  type : ip, value : 1.2.3.4
  ```

  You can view the entire deny list, or only the entries for one type of real-time violation.

* To view the deny list based on decoy IP addresses, run the `view_blacklist` command with the `decoy` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist decoy
  Realtime Decoy Blacklist
  1) type : ip, value : 4.4.4.4
  ```

* To view the deny list based on protocol violations, run the `view_blacklist` command with the `invalid_protocol` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_protocol
  Realtime Protocol Blacklist
  1) type : token, value : token1.1
  2) type : ip, value : 1.1.1.1
  3) type : cookie, name : JSESSIONID, value : cookie_1.1
  ```

* To view the deny list based on method violations, run the `view_blacklist` command with the `invalid_method` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_method
  Realtime Method Blacklist
  1) type : token, value : token1.3
  2) type : ip, value : 3.3.3.3
  3) type : cookie, name : JSESSIONID, value : cookie_1.3
  ```

* To view the deny list based on content-type violations, run the `view_blacklist` command with the `invalid_content_type` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist invalid_content_type
  Realtime Content-Type Blacklist
  1) type : token, value : token1.2
  2) type : ip, value : 2.2.2.2
  3) type : cookie, name : JSESSIONID, value : cookie_1.2
  ```

* To view ABS-detected attacks, run the `view_blacklist` command with the `abs_detected` option.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin view_blacklist abs_detected
  No Blacklist
  ```

* To delete an entry from a deny list, run the `delete_blacklist` command.

  #### Example:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_blacklist ip 1.1.1.1
  ip 1.1.1.1 deleted from blacklist
  ./bin/cli.sh -u admin -p admin delete_blacklist cookie JSESSIONID avbry47wdfgd
  cookie JSESSIONID avbry47wdfgd deleted from blacklist
  ./bin/cli.sh -u admin -p admin delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35
  token 58fcb0cb97c54afbb88c07a4f2d73c35 deleted from blacklist
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin delete_blacklist api_key AccessKey b31dfa4678b24aa5a2daa06aba1857d4
  ```

* To clear the deny list, run the `clear_blacklist` command.

  When clearing the deny list, make sure that real-time ASE-detected attacks and ABS-detected attacks are disabled. If they are not disabled, the deny list is populated again, because both ASE and ABS continuously detect attacks.

  #### Example:

  ```
  ./bin/cli.sh -u admin -p admin clear_blacklist
  This will delete all blacklist Attacks, Are you sure (y/n) :y
  Blacklist cleared
  ./bin/cli.sh -u admin -p admin clear_blacklist
  This will delete all blacklist Attacks, Are you sure (y/n) :n
  Action canceled
  ```
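
For auditing, the `view_whitelist` and `view_blacklist all` output shown above can be parsed into records and checked for identifiers that sit on both lists. The script below is an added example, not Ping Identity code: the function names `parse_ase_list`, `find_conflicts`, and `demo` are hypothetical, the sample data is constructed, and the comparison is an exact string match.

```shell
#!/bin/sh
# Added example, not Ping Identity code. Parses the list output format shown on
# this page into TSV: section <TAB> type <TAB> name <TAB> value.

parse_ase_list() {   # stdin: output of view_whitelist or view_blacklist
  awk '
    # Return the value of "key : ..." in s, ending at the next ", ".
    function field(s, key,    p, rest, q) {
      p = index(s, key " : ")
      if (p == 0) return "-"
      rest = substr(s, p + length(key) + 3)
      q = index(rest, ", ")
      return (q > 0) ? substr(rest, 1, q - 1) : rest
    }
    # Section header, for example "Manual Blacklist" or "Whitelist".
    /(Blacklist|Whitelist)[ \t]*$/ && !/type : / {
      section = $0
      gsub(/^[ \t]+|[ \t]+$/, "", section)
      next
    }
    # Entry: "N) type : T[, name : N], value : V".
    /^[ \t]*[0-9]+\)[ \t]+type : / {
      p = index($0, "value : ")
      if (p == 0) next
      head = substr($0, 1, p - 1)
      value = substr($0, p + 8)    # rest of line, so spaces in usernames survive
      sub(/[ \t]+$/, "", value)
      printf "%s\t%s\t%s\t%s\n", section, field(head, "type"), field(head, "name"), value
    }'
}

# find_conflicts ALLOW_TSV DENY_TSV: identifiers present in both files, printed
# as type, name, value, deny-list section. Comparison is exact-match.
find_conflicts() {
  awk -F '\t' '
    NR == FNR { allow[$2 FS $3 FS $4] = 1; next }
    ($2 FS $3 FS $4) in allow { printf "%s\t%s\t%s\t%s\n", $2, $3, $4, $1 }
  ' "$1" "$2"
}

# Constructed sample in the page's format; on an ASE host, pipe the real
# view_whitelist / view_blacklist all output into parse_ase_list instead.
demo() {
  a=$(mktemp) && d=$(mktemp) || return 1
  printf 'Whitelist\n1) type : ip, value : 10.10.10.10\n2) type : username, value : your name\n' | parse_ase_list > "$a"
  printf 'Manual Blacklist\n1)  type : username, value : your name\nRealtime Decoy Blacklist\n1)  type : ip, value : 4.4.4.4\n' | parse_ase_list > "$d"
  find_conflicts "$a" "$d"; rm -f "$a" "$d"
}
```

The section column records which deny-list source (manual, ABS-generated, or real-time) an entry came from, which matters when deciding whether a cleared entry will be repopulated.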
