PingIntelligence

CLI for inline ASE

The following table shows the command-line interface (CLI) functions and their syntax for API Security Enforcer (ASE) in inline mode.

Function Description Syntax

Start ASE

Starts ASE

./start.sh

Stop ASES

Stops ASE

./stop.sh

Help

Displays cli.sh help

./cli.sh help

Version

Displays the version number of ASE

./cli.sh version

Status

Displays the running status of ASE

./cli.sh status

Update password

Changes ASE admin password

./cli.sh update_password \{-u admin}

Change log level

Change balancer.log and controller.log log level

./cli.sh log_level -u admin -p

Options:

  • warn

  • info

  • error

  • fatal

  • debug

Get Authentication Method

Displays the current authentication method

./cli.sh get_auth_method {method} \{-u admin}

Update Authentication Method

Updates ASE authentication method

./cli.sh update_auth_method {method} \{-u admin}

Enable Audit Logging

Enables audit logging

./cli.sh enable_audit -u admin -p admin

Disable Audit Logging

Disables audit logging

./cli.sh disable_audit -u admin -p admin

Add Syslog Server

Adds a new syslog server

./cli.sh –u admin -p admin add_syslog_server host:port

Delete Syslog Server

Deletes the syslog server

./cli.sh –u admin -p admin delete_syslog_server host:port

List Syslog Server

Lists the current syslog server

./cli.sh –u admin -p admin list_syslog_server

Add API

Adds a new API from config file in JSON format. File should have .json extension

./cli.sh –u admin -p admin add_api {config_file_path}

Update API

Updates an API after the API JSON file has been edited and saved.

./cli.sh –u admin -p admin update_api {api_name}

List APIs

Lists all APIs configured in ASE

./cli.sh –u admin -p admin list_api

API Info

Displays the API JSON file

./cli.sh –u admin -p admin api_info {api_id}

API Count

Displays the total number of APIs configured

./cli.sh –u admin -p admin api_count

List API Mappings

Lists all the external and internal URL mappings.

./cli.sh –u admin -p admin list_api_mappings

Delete API

Deletes an API from ASE. Deleting an API removes the corresponding JSON file and deletes all the cookies associated with that API

./cli.sh –u admin -p admin delete_api {api_id}

Add a Server

Adds a backend server to an API. Provide the IP address and port number of the server

./cli.sh –u admin -p admin add_server {api_id}\{host:port}[quota][spike_threshold]

List Server

Lists all servers for an API

./cli.sh –u admin -p admin list_server {api_id}

Delete a Server

Deletes a backend server from an API. Provide the IP address and port number of the serve

./cli.sh –u admin -p admin delete_server {api_id}\{host:port}

Enable Per API Blocking

Enables attack blocking for the API

./cli.sh –u admin -p admin enable_blocking {api_id}

Disable Per API Blocking

Disables attack blocking for the API

./cli.sh –u admin -p admin disable_blocking {api_id}

Enable Health Check

Enables health check for a specific API

./cli.sh -u admin -p admin enable_health_check shop_api

Disable Health Check

Disables health check for a specific API

./cli.sh -u admin -p admin disable_health_check {api_id}

Generate Master Key

Generates the master obfuscation key ase_master.key

./cli.sh -u admin -p admin generate_obfkey

Obfuscate Keys and Password

Obfuscates the keys and passwords configured in various configuration files

./cli.sh -u admin -p admin obfuscate_keys

Create a Key Pair

Creates private key and public key pair in key store

./cli.sh –u admin -p admin create_key_pair

Create a CSR

Creates a certificate signing request

./cli.sh –u admin -p admin create_csr

Create a Self-Signed Certificate

Creates a self-signed certificate

./cli.sh –u admin -p admin create_self_sign_cert

Import Certificate

Imports CA-signed certificate into key store

./cli.sh –u admin -p admin import_cert {cert_path}

Create Management Key Pair

Creates a private key for management server

/cli.sh –u admin -p admin create_management_key_pair

Create Management CSR

Creates a certificate signing request for management server

/cli.sh –u admin -p admin create_management_csr

Create Management Self-signed Certificate

Creates a self-signed certificate for management server

/cli.sh –u admin -p admin create_management_self_sign_cert

Import Management Key Pair

Imports a key-pair for management server

/cli.sh –u admin -p admin import_management_key_pair {key_path}

Import Management Certificate

Imports CA-signed certificate for management server

/cli.sh –u admin -p admin import_management_cert {cert_path}

Health Status

Displays health status of all backend servers for the specified API

./cli.sh –u admin -p admin health_status {api_id}

Cluster Info

Displays information about an ASE cluster

./cli.sh –u admin -p admin cluster_info

Server Count

Lists the total number of APIs associated with an API

./cli.sh –u admin -p admin server_count {api_id}

Cookie Count

Lists the live cookie count associated with an API

./cli.sh –u admin -p admin cookie_count {api_id}

Persistent Connection Count

Lists the WebSocket or http-keep alive connection count for an API

./cli.sh –u admin -p admin persistent_connection_count {api_id}

Clear cookies

Clears all cookies for an API

./cli.sh –u admin -p admin clear_cookies{api_id}

Enable Firewall

Enables API firewall. Activates pattern enforcement, API name mapping, manual attack type

./cli.sh –u admin -p admin enable_firewall

Disable Firewall

Disables API firewall

./cli.sh –u admin -p admin disable_firewall

Enable ASE detected attacks

Enables ASE detected attacks

./cli.sh –u admin -p admin enable_ase_detected_attack

Disable ASE Detected Attacks

Disables API firewall

./cli.sh –u admin -p admin disable_ase_detected_attack

Enable ABS

Enables ABS to send access logs to ABS

./cli.sh –u admin -p admin enable_abs

Disable ABS

Disables ABS to stop sending access logs to ABS

./cli.sh –u admin -p admin disable_abs

Enable ABS Detected Attack Blocking

Enables ASE to fetch ABS detected attack lists and block access of list entries.

./cli.sh –u admin -p admin enable_abs_attack

Disable ABS Detected Attack Blocking

Stops ASE from blocking and fetching ABS detected attack list. This command does not stop ABS from detecting attacks.

./cli.sh –u admin -p admin disable_abs_attack

Adding deny list

Adds an entry to ASE deny list using CLI. Valid type values are: IP, Cookie, OAuth2 token, API Key, and username

./cli.sh –u admin -p admin add_blacklist {type}{name}{value}

If type is ip, then name is the IP address.

If type is cookie, then name is the cookie name, and value is the cookie value

Example:

/cli.sh -u admin -p admin add_blacklist ip 1.1.1.1

Delete deny list Entry

Deletes entry from the deny list.

./cli.sh –u admin -p admin delete_blacklist {type}{name}{value}

Example:

cli.sh -u admin -p delete_blacklist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear deny list

Clears all the entries from the deny list

./cli.sh –u admin -p admin clear_blacklist

View deny list

Views the entire deny list or view a deny list for the specified attack type (for example, invalid_method)

./cli.sh –u admin -p admin view_blacklist \{all|manual|abs_generated|invalid_content_type|invalid_method|invalid_protocol|decoy|missing_token}

View deny list for IP addresses with missing tokens

Views the deny list entries that are blocked due to missing tokens

./cli.sh view_blacklist missing_token -uadmin -padmin

Adding allow list

Adds an entry to ASE allow list using CLI. Valid type values are: IP, cookie, OAuth2 token, API key, and username

./cli.sh –u admin -p admin add_whitelist {type}{name}{value}

Options:

  • If type is ip, then name is the IP address.

  • If type is cookie, then name is the cookie name, and value is the cookie value

Example:

/cli.sh -u admin -p admin add_whitelist api_key AccessKey 065f73cdf39e486f9d7cda97d2dd1597

Delete allow list entry

Deletes entry from the allow list

./cli.sh –u admin -p admin delete_whitelist {type}{name}{value}

Example:

/cli.sh -u admin -p delete_whitelist token 58fcb0cb97c54afbb88c07a4f2d73c35

Clear allow list

Clears all the entries from the allow list

./cli.sh –u admin -p admin clear_whitelist

View allow list

Views the entire allow list

./cli.sh –u admin -p admin view_whitelist

ABS Info

Displays ABS status information.

ABS enabled or disabled, ASE fetching ABS attack types, and ABS cluster information

./cli.sh –u admin -p admin abs_info

Enable XFF

Enables X-Forwarded For

./cli.sh –u admin -p admin enable_xff

Disable XFF

Disables X-Forwarded For

./cli.sh –u admin -p admin disable_xff

Update Client Spike

Update Client Spike Threshold

update_client_spike_threshold {api_id} \{+ve digit/(second|minute|hour)}

Example:

update_client_spike_threshold shop_api 5000/second

Update Server Spike

Updates Server Spike Threshold

“*” - use the same value for all servers

update_server_spike_threshold {api_id} \{host:port} \{+ve digit/(second|minute|hour)}

Examples:

update_server_spike_threshold shop_api 127.0.0.1:9090 5000/second

update_server_spike_threshold shop_api "*" 5000/second

Update Bytes-in

Updates bytes in value for a WebSocket API

update_bytes_in_threshold {api_id} \{+ve digit/(second|minute|hour)}

Example:

update_bytes_in_threshold shop_api 8096/second

Update Bytes-out

Updates bytes out value for a WebSocket API

update_bytes_out_threshold {api_id} \{+ve digit/(second|minute|hour)}

Example:

update_bytes_out_threshold shop_api 8096/second

Update Server Quota

Updates the number of API connections allowed on a backend server

“*” - use the same value for all backend servers

update_server_connection_quota {api_id} \{host:port} \{+ve digit}

Examples:

update_server_connection_quota shop_api 127.0.0.1:9090 5000

update_server_connection_quota shop_api "*" 5000