Blog Viewer

Incapsula-CLI: An Easy-to-use Interface for Imperva’s Cloud WAF

By Brian Anderson posted 04-13-2020 09:16

Take control of Incapsula using a command-line interface

Command-line interfaces (CLIs) offer users the ability to invoke system functions and operations, including interacting with external systems, in an easy to use text based format.  Cloud WAF users can use the Incap-CLI to invoke remote API calls to automate daily tasks with simple and easy to understand commands, as opposed to having to write the underlying code to make those API calls on their own.  

How to Use Incapsula-CLI

Incapsula-CLI is an open source project available on Imperva’s GitHub repository.  It’s a Python application compatible with Python 3.5.0 and higher.  The Incap-CLI can be used to automate repeatable tasks such as adding new sites, creating and managing security policies (alert, block, etc), defining application delivery rules to facilitate global load balancing, manipulating urls, or enriching headers to downstream origin servers.  Additionally, the Incap-CLI provides the ability to perform full site configuration backup and restore functions.  

Many of the most important commands are listed in the application’s “--help” output. We’ve added comprehensive information natively within the tool about each supported command and parameter, including descriptions of what they do and how to use them.  Users can now make virtually any change they are accustomed to performing via the GUI, directly through the CLI.  

The business value of a tool like this really comes into play when considering the complexities of managing and deploying applications at scale within a large organization.  In many cases, there are different teams within an organization that will develop, test, and deploy an application through the SDLC from development, to staging, to UAT, and on to prod.  This deployment lifecycle can span many technology sets and business units on a per application basis including development, database, build pipelines and toolchains, QA, networking, infrastructure, operations, security, etc.  To make this possible, organizations will leverage automation implementing DevOps with CI/CD pipelines and configuration management systems to help automate these tasks.  The requirement for automation is where the Incap-CLI can help easily natively integrate directly into these provisioning processes. 

Watch the entire How to video here. 

Easy Site Management and Access to Configurations

One really useful aspect of Incapsula-CLI is the ease of retrieving information for sites that are configured. You can use the “incap site list” command to retrieve an organized and parsed list of every site in your account.  You create a new site by running “incap site add” followed by the fully qualified domain name of the site you are looking to add, which will return you the unique site ID. You can then use the “incap site status” command, followed by a specific site ID, to display all of the relevant configurations tied to that particular site, including:

  • The domain attached to the site and its CNAME record
  • The exact date and time the site was created
  • The site’s original and current DNS information
  • Security policy settings (SQL injection, cross-site scripting, bot access control, etc)

The capability of on-boarding and managing site configurations is perfect for inclusion in a DevOps workflow.  This is especially true if the end user is more comfortable with CLI tools than, for instance, API-oriented solutions. An end-user or a configuration management system can programmatically configure N number of sites with dozens of policies in an extremely short amount of time, simply by running a preset queue of commands. This process provides a convenient level of abstraction from the underlying components sending web requests, allowing for ease of use in the implementation of automation.

Advanced Policy Versioning: Full Site Export in JSON Format

Incapsula-CLI users also have the ability to retrieve and export full site configuration data in raw JSON text format.  This is important because users can export, backup, and restore site configuration settings on-the-fly. This also allows users to quickly identify site elements that have changed on a day-to-day basis over the course of time. 

Users can simply drop this JSON exported data into a version control system as a nightly job, and be able to track changes (for example, using the “git diff” command), and immediately have new additions or deletions brought to their attention.  Version control systems like git will help track changes and will help identify any site or policy changes (in green) and excised policy data (in red), giving the user visibility day-to-day changes, as well as comprehensive roll-back capability on each site’s configuration.

This makes Incapsula-CLI an extremely valuable tool to have from a reliability and resiliency perspective.  If you find yourself in the position of having to systematically review security policies in order to develop an audit trail, the command-line interface gives you the fastest and most efficient way to access the records you are looking for.

This same functionality can be used to restore policies that have been accidentally changed or deleted. Any user familiar with this Cloud WAF CLI application will be able to restore configurations that might otherwise have been lost.  

Leverage the Power Of Your Cloud WAF Today

Imperva’s GitHub repository isn’t just the ideal place for our team to make useful tools available. In many ways, it’s also a testing ground for the kinds of features and functionalities that our best engineers are coming up with to respond to user feedback. This is where we let our open source solutions prove their worth in real users’ actual workflows – and prepare them for integration with our upcoming products.

Make sure to regularly check our repository out and look for new tools you can start using to streamline your workflows. If there’s a particular application you would like to see included on one of Imperva’s official products, feel free to reach out and let us know!

Learn More With the Imperva Community

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like On-Prem WAF, Cloud WAF and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 

Related Content: