Configure client lists
Reduce harmful security attacks by allowing only trusted IP/CIDRs, geo locations, autonomous system numbers (ASNs), file hashes, and TLS fingerprints to access your services and content. Unlike the Network Lists module, the Client Lists module offers greater flexibility in managing various list types and improved search and filtering.
You can create up to 1,000 lists per account, of which 500 lists can be concurrently active. You can reference up to 100 lists in a single security configuration.
What you'll do
Create and activate a client list to use with other Akamai services.
Create a client list
Each client list is of a certain type.
| Type | Description | Entry limit |
|---|---|---|
IP |
IPv4 and/or IPv6 addresses. | 10,000 |
GEO |
Request's country of origin.Note: For a full list of country codes, go to the EdgeScape documentation, then navigate to Data Codes ⇒ country_codes.csv. |
275 |
ASN |
Autonomous system numbers with a decimal value between 0 and 4294967295. |
100 |
FILE_HASH |
SHA-256 file hashes. |
100 |
TLS_FINGERPRINT |
Signals from data shared during the initial handshake between an HTTPS client and your server. | 100 |
USER_ID |
Usernames or user IDs. | 1,000 |
DOMAIN |
Domain names. | 500 |
Use the New-ClientList command to create a new client list. You can use this command in two ways:
-
Specify the client list's settings using individual parameters, including the list's name and type, as well as your contract and group IDs. Optionally, you can provide additional notes and tags to help you better identify the list.
New-ClientList -Name 'my-geo-client-list' -Type 'GEO' -ContractID 'C-0N7RAC7' -GroupID 12345 -Tags 'tag 1' -Notes 'My new GEO client list'availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=; DELETE=} contractId : C-0N7RAC7 createDate : 11/20/2025 4:37:38 PM createdBy : jsmith deprecated : False groupId : 12345 groupName : my-group items : {} itemsCount : 0 listId : 12345_MYCLIENTLIST listType : CL name : my-geo-client-list notes : My new GEO client list productionActivationStatus : INACTIVE readOnly : False shared : False stagingActivationStatus : INACTIVE tags : {tag 1} type : GEO updateDate : 11/20/2025 4:37:38 PM updatedBy : jsmith version : 1 -
Provide the client list's settings in a variable as a hashtable,
PSCustomObject, or JSON string, and then pass the variable in the-Bodyparameter of theNew-ClientListcommand. With that method, you can also add entries to your list.
| Parameter | Description |
|---|---|
| Required | |
contractId |
Your contract's ID. |
name |
Your client list's name. |
type |
Your client list's type. Possible values are:
|
| Optional | |
groupId |
Your group's ID. |
items |
Your list's match elements. Includes:
|
notes |
Comments or other human-readable details about your client list. |
tags |
User-created identifiers to filter client list searches. |
$MyClientList = @{
name = "my-client-list"
notes = "My new GEO client list"
type ="GEO"
tags = @(
"tag1"
)
contractId = "C-0N7RAC7"
groupId = 12345
items = @(
@{
description = "United States – North America"
expirationDate = "2026-12-31T23:59:19.700+00:00"
tags = @(
"tag1"
)
value = "US"
}
)
}
New-ClientList -Body $MyClientList
$MyClientList = '{
"name": "my-client-list",
"notes: "My new GEO client list",
"type": "GEO",
"tags": [
"tag1"
],
"contractId": "C-0N7RAC7",
"groupId": 12345,
"items": [
{
"description": "United States – North America",
"expirationDate": "2026-12-31T23:59:19.700+00:00",
"tags": [
"tag1"
],
"value": "US"
}
]
}'
New-ClientList -Body $MyClientList
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=;
DELETE=}
contractId : C-0N7RAC7
createDate : 11/20/2025 4:55:51 PM
createdBy : jsmith
deprecated : False
groupId : 12345
groupName : my-group
items : {@{createDate=11/20/2025 4:55:51 PM; createdBy=jsmith; description=United States – North America;
expirationDate=1/1/2027 12:59:19 AM; productionStatus=INACTIVE; stagingStatus=INACTIVE; tags=System.Object[]; type=GEO;
updateDate=11/20/2025 4:55:51 PM; updatedBy=jsmith; value=US}}
itemsCount : 1
listId : 12345_MYCLIENTLIST
listType : CL
name : my-client-list
notes : My new GEO client list
productionActivationStatus : INACTIVE
readOnly : False
shared : False
stagingActivationStatus : INACTIVE
tags : {tag1}
type : GEO
updateDate : 11/20/2025 4:55:51 PM
updatedBy : jsmith
version : 1
Optionally, you can create and add up to five tags per list and per item to help filter and sort searches against your list. Tag strings can use any character except a comma or semicolon and are limited to 256 characters.
Update a client list
If you don't know your client list, run the Get-ClientList command to return all available lists. To get a specific list, pass its name or ID in the command.
You can optionally provide additional parameters to sort and filter the results or return a more detailed output.
# Get all
Get-ClientList
## Get all detailed
Get-ClientList -IncludeItems -IncludeNetworkList -Search 'US' -Type 'GEO'
# Get one by list name
Get-ClientList -Name 'my-client-list'
# Get one by list ID
Get-ClientList -ListID '12345_MYCLIENTLIST'
# Get one detailed by list name
Get-ClientList -Name 'my-client-list' -IncludeItems
# Get one detailed by list ID
Get-ClientList -ListID '12345_MYCLIENTLIST' -IncludeItems
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=;
DELETE=}
createDate : 11/21/2025 10:14:21 AM
createdBy : jsmith
deprecated : False
itemsCount : 0
listId : 12345_MYCLIENTLIST
listType : CL
name : my-geo-client-list
notes : My new GEO client list
productionActivationStatus : INACTIVE
readOnly : False
rollbackPossible : False
shared : False
stagingActivationStatus : INACTIVE
tags : {tag1}
type : GEO
updateDate : 11/21/2025 10:14:21 AM
updatedBy : jsmith
upgradedFromNetworkList : False
version : 1
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=;
DELETE=}
createDate : 9/17/2025 4:11:57 PM
createdBy : jsmith
deprecated : False
itemsCount : 3
listId : 98765_MYCLIENTLIST
listType : CL
name : my-ip-client-list
notes : My IP client list
productionActivationStatus : ACTIVE
productionActiveVersion : 2
readOnly : True
rollbackPossible : False
shared : True
stagingActivationStatus : ACTIVE
stagingActiveVersion : 2
tags : {}
type : IP
updateDate : 9/17/2025 4:12:58 PM
updatedBy : jsmith
upgradedFromNetworkList : False
version : 4
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=;
DELETE=}
createDate : 11/21/2025 10:14:21 AM
createdBy : jsmith
deprecated : False
items : {}
itemsCount : 0
listId : 12345_MYCLIENTLIST
listType : CL
name : my-client-list
notes : My new GEO client list
productionActivationStatus : INACTIVE
readOnly : False
rollbackPossible : False
shared : False
stagingActivationStatus : INACTIVE
tags : {tag1}
type : GEO
updateDate : 11/21/2025 10:14:21 AM
updatedBy : jsmith
upgradedFromNetworkList : False
version : 1
To update the client list's details, including the name, notes, and tags, use the Set-ClientList command. When you update tags, the updated tag list replaces the existing one.
You can run the Set-ClientList command in one of these ways:
Method 1
Specify the updated client list's settings using individual parameters.
Set-ClientList -ListID '12345_MYCLIENTLIST' -NewName 'my-updated-geo-client-list' -Notes 'My updated GEO client list' -Tags 'tag2, tag3'
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=;
DELETE=}
contractId : C-0N7RAC7
createDate : 11/21/2025 10:14:21 AM
createdBy : jsmith
deprecated : False
groupId : 12345
groupName : my-group
itemsCount : 0
listId : 12345_MYCLIENTLIST
listType : CL
name : my-updated-client-list
notes : My updated GEO client list
productionActivationStatus : INACTIVE
readOnly : False
rollbackPossible : False
shared : False
stagingActivationStatus : INACTIVE
tags : {tag2, tag3}
type : GEO
updateDate : 11/21/2025 12:36:39 PM
updatedBy : jsmith
upgradedFromNetworkList : False
version : 1
Method 2
Save the results of the Get-ClientList command in a variable and update specific attributes of your list. Then pipe the entire object back to the Set-ClientList command to make your changes effective.
$MyClientList = Get-ClientList -ListID '12345_MYCLIENTLIST'
$MyClientList.name = 'my-updated-client-list'
$MyClientList.notes = 'My updated GEO client list'
$MyClientList.tags = @('tag2', 'tag3')
$MyClientList | Set-ClientList -ListID '12345_MYCLIENTLIST'
Method 3
Retrieve a specific record, save its output locally, and edit it as needed.
Get-ClientList -ListID '12345_MYCLIENTLIST' | ConvertTo-Json -Depth 100 | Out-File -FilePath ./myCLientList.json
Then pipe the updated content to the Set-ClientList command along with the required list ID or name.
$MyClientList = Get-Content ./myCLientList.json -Raw
$MyClientList | Set-ClientList -ListID '12345_MYCLIENTLIST'
Manage entries in a list
Before adding any entries to your client list, you can first validate them with the Test-ClientListItems operation for a specific list type.
When validating a CSV file, it needs to include these four columns: value, description, tags, and expirationDate.
# Entries provided in the `-Items` parameter
Test-ClientListItems -Items 'US,PL,JM' -ListType 'GEO'
# Entries provided in a CSV file and passed to the `-File` parameter
Test-ClientListItems -File './my-list-entries.csv' -ListType 'GEO'
duplicatesCount : 0
existingCount : 0
importedCount : 3
itemsImported : False
validation : @{errors=System.Object[]}
To view the details of any errors from the Test-ClientListItems command, save the function in a variable and then refer to the validation attribute from the output.
$MyListEntryValidation = Test-ClientListItems -File './my-list-entries.csv' -ListType 'GEO'
$MyListEntryValidation.validation
errors
------
{}
You can manage the entries to your client list using one of these operations:
Set-ClientListItem. This allows appending, updating, and deleting the client list entries in a single batch.Add-ClientListItem. This allows performing a bulk import of entries to your client list. You can choose to replace the imported entries with the existing ones or merge them.
To append, update, or delete the client list's entries with the Set-ClientListItem command, provide the entries in a variable as a hashtable, PSCustomObject, or JSON string. Then pass the variable in the -Body parameter.
| Parameter | Description |
|---|---|
append/update/delete |
|
$MyListItems = @{
append = @(
@{
tags = @("tag2")
expirationDate = "2026-06-31T23:59:19.700+00:00"
description = "United States - America"
value = "US"
}
)
update = @(
@{
tags = @("tag1")
expirationDate = "2026-06-31T23:59:19.700+00:00"
description = "Jamaica - North America"
value = "JM"
}
)
}
# For a list name
Set-ClientListItem -Name 'my-geo-client-list' -Body $MyListItems
# For a list ID
Set-ClientListItem -ListID '12345_MYCLIENTLIST' -Body $MyListItems
$MyListItems = '{
"update": [
{
"tags": [
"tag1"
],
"expirationDate": "2026-06-31T23:59:19.700+00:00",
"description": "United States - North America",
"value": "US"
}
],
"append": [
{
"tags": [
"tag1"
],
"expirationDate": "2026-06-31T23:59:19.700+00:00",
"description": "Jamaica - North America",
"value": "JM"
}
]
}'
# For a list name
Set-ClientListItem -Name 'my-geo-client-list' -Body $MyListItems
# For a list ID
Set-ClientListItem -ListID '12345_MYCLIENTLIST' -Body $MyListItems
appended
--------
{@{createDate=11/21/2025 5:55:59 PM; createdBy=jsmith; description=Jamaica - North America; expirationDate=7/2/2026 12:59:19 AM; tags=System.Object[]; type=GEO; updateDate=11/…
To perform a bulk import of entries to your client list with the Add-ClientListItem command, use one of these methods:
-
Add the client list's entries as individual parameters using the
-Itemsparameter.# For a list name Add-ClientListItem -Name 'my-client-list' -Action 'MERGE' -Items 'US,FR' -Version 1 # For a list ID Add-ClientListItem -ListID '12345_MYCLIENTLIST' -Action 'MERGE' -Items 'US,FR' -Version 1createDate : 11/25/2025 6:29:20 PM createdBy : jsmith productionStatus : INACTIVE stagingStatus : INACTIVE tags : {} type : GEO updateDate : 11/25/2025 6:29:20 PM updatedBy : jsmith value : US createDate : 11/25/2025 6:29:20 PM createdBy : jsmith productionStatus : INACTIVE stagingStatus : INACTIVE tags : {} type : GEO updateDate : 11/25/2025 6:29:20 PM updatedBy : jsmith value : FR -
Define the client list's entries in a CSV file and pass the path to your file in the
-Fileparameter. The CSV file needs to include these four columns:value,description,tags, andexpirationDate.# For a list name Add-ClientListItem -Name 'my-client-list' -Action 'MERGE' -Version 1 -File './my-list-entries.csv' -ListType 'GEO' # For a list ID Add-ClientListItem -ListID '12345_MYCLIENTLIST' -Action 'MERGE' -Version 1 -File './my-list-entries.csv' -ListType 'GEO'createDate : 11/25/2025 6:26:31 PM createdBy : jsmith description : United States – North America expirationDate : 6/1/2026 1:59:19 AM productionStatus : INACTIVE stagingStatus : INACTIVE tags : {tag1} type : GEO updateDate : 11/25/2025 6:26:31 PM updatedBy : jsmith value : US createDate : 11/25/2025 6:26:31 PM createdBy : jsmith description : France – Europe expirationDate : 7/2/2026 1:59:19 AM productionStatus : INACTIVE stagingStatus : INACTIVE tags : {tag2} type : GEO updateDate : 11/25/2025 6:26:31 PM updatedBy : jsmith value : FR
Activate a client list
Use your client list's name or ID to activate the list on either the STAGING or PRODUCTION network with the New-ClientListActivation command or its alias Deploy-ClientList.
You can optionally provide additional comments and emails of users who should be notified of the list activation.
In the command, you can provide the list's activation settings either:
-
As individual parameters.
# For a list name Deploy-ClientList -Name 'my-client-list' -Network 'STAGING' -Comments 'Activating a client list on staging' -NotificationRecipients 'jsmith@example.com' # For a list ID Deploy-ClientList -ListID '12345_MYCLIENTLIST' -Network 'STAGING' -Comments 'Activating a client list on staging' -NotificationRecipients 'jsmith@example.com'action : ACTIVATE activations : @{STAGING=} comments : Activating a client list on staging createDate : 11/24/2025 11:02:37 AM createdBy : jsmith listId : 12345_MYCLIENTLIST notificationRecipients : {jsmith@example.com} version : 1 -
In a variable as a hashtable,
PSCustomObject, or JSON string, and then pass the variable in the-Bodyparameter.
| Parameter | Required | Description |
|---|---|---|
action |
✔ | The action you can take for a client list. Only ACTIVATE is supported. |
network |
✔ | The type of network where you activate your client list, either STAGING or PRODUCTION. |
comments |
A brief description of the activation. | |
notificationRecipients |
A list of users to notify via email. | |
siebelTicketId |
Your Siebel ticket's ID, if the activation is linked to one. |
$MyActivationSettings = @{
action = "ACTIVATE"
network = "STAGING"
comments = "Activating a client list on staging"
notificationRecipients = @(
"jsmith@example.com"
)
}
# For a list name
Deploy-ClientList -Name 'my-client-list' -Body $MyActivationSettings
# For a list ID
Deploy-ClientList -ListID '12345_MYCLIENTLIST' -Body $MyActivationSettings
$MyActivationSettings = '{
"action": "ACTIVATE",
"network": "STAGING",
"comments": "Activating a client list on staging",
"notificationRecipients": [
"jsmith@example.com"
]
}'
# For a list name
Deploy-ClientList -Name 'my-client-list' -Body $MyActivationSettings
# For a list ID
Deploy-ClientList -ListID '12345_MYCLIENTLIST' -Body $MyActivationSettings
To view the list's activation status, run the Get-ClientListActivationStatus command specifying the list's name or ID and the network of activation, STAGING or PRODUCTION.
# For a list name
Get-ClientListActivationStatus -Name 'my-client-list' -Environment 'STAGING'
# For a list ID
Get-ClientListActivationStatus -ListID '12345_MYCLIENTLIST' -Environment 'STAGING'
action : ACTIVATE
activationId : 98765
activationStatus : ACTIVE
comments : Activating a client list on staging
createDate : 11/24/2025 10:58:26 AM
createdBy : jsmith
listId : 12345_MYCLIENTLIST
network : STAGING
notificationRecipients : {jsmith@example.com}
version : 1
Deactivate a client list
Before deactivating a list, ensure it's not used in any active security configurations on the staging or production network. You can check that by running the Get-ClientListUsage command for a list's name or ID.
Notes:
- If the list is in use, you can remove it from an active security configuration or deactivate the security configuration first.
- If a security configuration references a deactivated list in a previous or inactive version, that list will be activated again when you activate a new version of the security configuration.
# For a list name
Get-ClientListUsage -Name 'my-client-list'
# For a list ID
Get-ClientListUsage -ListID '12345_MYCLIENTLIST'
listId usage
------ -----
12345_MYCLIENTLIST {@{configId=12345; configName=my-security-config; production=}}
To deactivate a list, provide a list name or ID you want to deactivate in the New-ClientListDeactivation command or its alias Disable-ClientList. This deactivates the list on any or all networks.
You can optionally provide additional comments and emails of users who should be notified of the list deactivation.
In the command, provide the list's deactivation settings in a variable as a hashtable, PSCustomObject, or JSON string, and then pass the variable in the -Body parameter.
| Parameter | Required | Description |
|---|---|---|
action |
✔ | The action you can take for a client list. Only DEACTIVATE is supported. This deactivates the list on any or all networks. |
comments |
A brief description of the activation. | |
notificationRecipients |
A list of users to notify via email. | |
siebelTicketId |
Your Siebel ticket's ID, if the activation is linked to one. |
$MyDeactivationSettings = @{
action = "DEACTIVATE"
comments = "Deactivating a client list"
notificationRecipients = @(
"jsmith@example.com"
)
}
# For a list name
Disable-ClientList -Name 'my-client-list' -Body $MyDeactivationSettings
# For a list ID
Disable-ClientList -ListID '12345_MYCLIENTLIST' -Body $MyDeactivationSettings
$MyDeactivationSettings = '{
"action": "DEACTIVATE",
"comments": "Deactivating a client list",
"notificationRecipients": [
"jsmith@example.com"
]
}'
# For a list name
Disable-ClientList -Name 'my-client-list' -Body $MyDeactivationSettings
# For a list ID
Disable-ClientList -ListID '12345_MYCLIENTLIST' -Body $MyDeactivationSettings
action : DEACTIVATE
activations : @{STAGING=; PRODUCTION=}
comments : Deactivating a client list
createDate : 12/1/2025 1:26:15 PM
createdBy : jsmith
listId : 12345_MYCLIENTLIST
notificationRecipients : {jsmith@example.com}
version : 7
Remove a client list
Provide the list's name or ID you want to delete in the Remove-ClientList command.
You can delete a list that was never activated or has been deactivated on both the staging and production networks.
# By list name
Remove-ClientList -Name 'my-client-list'
# By list ID
Remove-ClientList -ListID '12345_MYCLIENTLIST'
The operation doesn't return any output.
After deleting the list, it’s marked as deprecated = true, and its details are stored for 90 days before the list is permanently deleted. During this time, you can download or clone the list from the UI. Moreover, all references to the list within a security configuration are marked as deleted. To activate a security configuration referencing a deleted list, you must remove the references to it.
To view the details of the deleted list, run the Get-ClientList command with the list's name and the -IncludeDeprecated switch parameter.
Get-ClientList -Name 'my-client-list' -IncludeDeprecated
availableActions : @{DEACTIVATE_ON_PRODUCTION=; EDIT=; DEACTIVATE=; ACTIVATE_ON_PRODUCTION=; ACTIVATE_ON_STAGING=; DEACTIVATE_ON_STAGING=; DELETE=}
createDate : 11/21/2025 10:14:21 AM
createdBy : jsmith
deprecated : True
itemsCount : 3
listId : 12345_MYCLIENTLIST
listType : CL
name : my-client-list
notes : My GEO client list
productionActivationStatus : DEACTIVATED
readOnly : False
rollbackPossible : False
shared : False
stagingActivationStatus : DEACTIVATED
tags : {tag2, tag3}
type : GEO
updateDate : 11/24/2025 12:02:56 PM
updatedBy : jsmith
upgradedFromNetworkList : False
version : 1
Use your client list
To add your client list to your security configuration, include your list name or ID in one of these services as an allowlist or blocklist.
All of the changes here require a new version and reactivation of your AppSec configuration.
IP/GEO firewall
Include the geoControls, ipControls, or asnControls objects with the client list ID in the allowedIPNetworkLists.networkList (applicable only to ASN and IP controls) or blockedIPNetworkLists.networkList property, and then pass them in the -Body parameter of the Set-AppSecPolicyIPGeoFirewall command if you haven't set the IP/GEO settings in your security configuration before.
$MyIPGeoSettings = @{
block = "blockSpecificIPGeo"
geoControls = @{
blockedIPNetworkLists = @{
action = "deny"
networkList = @("12345_MYGEOCLIENTLIST")
}
}
ipControls = @{
blockedIPNetworkLists = @{
action = "deny"
networkList = @("98765_MYIPCLIENTLIST")
}
allowedIPNetworkLists = @{
action = "deny"
networkList = @("87654_MYGEOCLIENTLIST")
}
}
}
Set-AppSecPolicyIPGeoFirewall -ConfigID 12345 -VersionNumber 1 -PolicyID 23456 -Body $MyIPGeoSettings
block geoControls ipControls ukraineGeoControl
----- ----------- ---------- -----------------
blockSpecificIPGeo @{blockedIPNetworkLists=} @{allowedIPNetworkLists=; blockedIPNetworkLists=} @{action=none}
When updating the existing IP/GEO settings in your security configuration, you can save them from the Get-AppSecPolicyIPGeoFirewall command in a variable and add the geoControls, ipControls, or asnControls objects with the client list ID in the allowedIPNetworkLists.networkList or blockedIPNetworkLists.networkList property. Then pipe the whole object back to the Set-AppSecPolicyIPGeoFirewall command to make your changes effective.
$MyIPGeoSettings = Get-AppSecPolicyIPGeoFirewall -ConfigID 12345 -VersionNumber 1 -PolicyID 23456
$MyIPGeoSettings.geoControls.blockedIPNetworkLists.networkList = @("12345_MYGEOCLIENTLIST")
$MyIPGeoSettings.ipControls.blockedIPNetworkLists.networkList = @("98765_MYIPCLIENTLIST")
$MyIPGeoSettings | Set-AppSecPolicyIPGeoFirewall -ConfigID 12345 -VersionNumber 1 -PolicyID 23456
Match targets
Include the bypassNetworkLists array with the ID and, optionally, the name of your client list in the -Body parameter of the New-AppSecMatchTarget operation if creating a new match target for your security configuration.
$MyMatchTarget = @{
type = "website"
securityPolicy = @{
policyId = "abc_12345"
}
defaultFile = "NO_MATCH"
fileExtensions = @("sfx", "py", "js", "jar", "html", "exe", "dll", "bat")
bypassNetworkLists = @(
@{
id = "12345_MYCLIENTLIST"
name = "my-client-list"
}
)
}
# For a security config name
New-AppSecMatchTarget -ConfigName 'my-security-config' -VersionNumber 1 -Body $MyMatchTarget
# For a security config ID
New-AppSecMatchTarget -ConfigID 12345 -VersionNumber 1 -Body $MyMatchTarget
type : website
bypassNetworkLists : {@{id=12345_MYCLIENTLIST; listType=CL; name=my-client-list; type=GEO}}
configId : 12345
configVersion : 1
defaultFile : NO_MATCH
effectiveSecurityControls : @{applyAccountProtectionControls=False; applyApplicationLayerControls=True; applyBotmanControls=True;
applyNetworkLayerControls=True; applyRateControls=True; applySlowPostControls=True;
applyUrlProtectionControls=False}
fileExtensions : {exe, sfx, bat, dll…}
isNegativeFileExtensionMatch : False
isNegativePathMatch : False
securityPolicy : @{policyId=abc_12345}
sequence : 1
targetId : 98765
If you're updating an existing match target in your security configuration, you can save your target details from the Get-AppSecMatchTarget command in a variable and add the bypassNetworkLists array with the ID and, optionally, the name of your client list. Then pipe the whole object back to the Set-AppSecMatchTarget command to make your changes effective.
$MyMatchTarget = Get-AppSecMatchTarget -ConfigID 12345 -VersionNumber 1 -TargetID 23456
$MyMatchTarget.bypassNetworkLists[0].id = '12345_MYCLIENTLIST'
$MyMatchTarget | Set-AppSecMatchTarget -ConfigID 12345 -VersionNumber 1 -TargetID 23456
Pragma headers
Include the excludeCondition array with the client list ID in the value property, and then pass it in the -Body parameter of the Set-AppSecPragmaSettings command if you haven't set the Pragma settings in your security configuration before.
$MyPragmaSettings = @{
action = "REMOVE"
conditionOperator = "AND"
excludeCondition = @(
@{
positiveMatch = $true
type = "networkList"
useHeaders = $false
value = @("12345_MYCLIENTLIST")
}
)
}
Set-AppSecPragmaSettings -ConfigID 12345 -VersionNumber 1 -Body $MyPragmaSettings
action conditionOperator excludeCondition
------ ----------------- ----------------
REMOVE AND {@{positiveMatch=True; type=networkList; useHeaders=False; value=System.Object[]; valueCase=False; valueWild…
When updating the existing Pragma settings in your security configuration, you can save them from the Get-AppSecPragmaSettings command in a variable and add the excludeCondition array with the client list ID in the value property. Then pipe the whole object back to the Set-AppSecPragmaSettings command to make your changes effective.
$MyPragmaSettings = Get-AppSecPragmaSettings -ConfigID 12345 -VersionNumber 1
$MyPragmaSettings.excludeCondition[0].value = @("12345_MYCLIENTLIST")
$MyPragmaSettings | Set-AppSecPragmaSettings -ConfigID 12345 -VersionNumber 1
Client reputation
Include the condition.atomicConditions array with your client list's ID in the value property and pass it in the -Body parameter of the New-AppSecReputationProfile operation if creating a new reputation profile for your security configuration.
$MyReputationProfile = @{
context = "WEBSCRP"
sharedIpHandling = "NON_SHARED"
condition = @{
atomicConditions = @(
@{
checkIps = "connecting"
className = "NetworkListCondition"
positiveMatch = $true
value = @("12345_MYCLIENTLIST")
}
)
}
threshold = 5
name = "my-reputation-profile"
description = "My reputation profile"
}
# For a security config name
New-AppSecReputationProfile -ConfigName 'my-security-config' -VersionNumber 1 -Body $MyReputationProfile
# For a security config ID
New-AppSecReputationProfile -ConfigID 12345 -VersionNumber 1 -Body $MyReputationProfile
condition : @{atomicConditions=System.Object[]; positiveMatch=True}
context : WEBSCRP
contextReadable : Web Scrapers
description : My reputation profile
enabled : False
id : 23456
name : my-reputation-profile
sharedIpHandling : NON_SHARED
threshold : 5
If you're updating an existing reputation profile in your security configuration, you can save your profile details from the Get-AppSecReputationProfile command in a variable and add the condition.atomicConditions array with your client list's ID in the value property. Then pipe the whole object back to the Set-AppSecReputationProfile command to make your changes effective.
$MyReputationProfile = Get-AppSecReputationProfile -ConfigID 12345 -VersionNumber 1 -ReputationProfileID 23456
$MyReputationProfile.condition.atomicConditions[0].value = @('12345_MYCLIENTLIST')
$MyReputationProfile | Set-AppSecReputationProfile -ConfigID 12345 -VersionNumber 1 -ReputationProfileID 23456
Rate policies
Include the additionalMatchOptions array with your client list's ID in the values property and pass it in the -Body parameter of the New-AppSecRatePolicy operation if creating a new rate policy for your security configuration.
$MyRatePolicy = @{
matchType = "path"
pathMatchType = "AllRequests"
requestType = "ClientRequest"
sameActionOnIpv6 = $false
type = "WAF"
additionalMatchOptions = @(
@{
type = "NetworkListCondition"
positiveMatch = $true
values = @(
"12345_MYCLIENTLIST"
)
}
)
averageThreshold = 5
burstThreshold = 10
clientIdentifier = "ip"
name = "Test_Paths"
}
# For a security config name
New-AppSecRatePolicy -ConfigName 'my-security-config' -VersionNumber 1 -Body $MyRatePolicy
# For a security config ID
New-AppSecRatePolicy -ConfigID 12345 -VersionNumber 1 -Body $MyRatePolicy
additionalMatchOptions : {@{positiveMatch=True; type=NetworkListCondition; values=System.Object[]}}
averageThreshold : 5
burstThreshold : 10
clientIdentifier : ip
clientIdentifiers : {ip}
counterType : per_edge
createDate : 12/1/2025 4:27:58 PM
id : 23456
matchType : path
name : Test_Paths
pathMatchType : AllRequests
pathUriPositiveMatch : True
penaltyBoxDuration : TEN_MINUTES
requestType : ClientRequest
sameActionOnIpv6 : False
type : WAF
updateDate : 12/1/2025 4:27:58 PM
useXForwardForHeaders : False
used : False
If you're updating an existing rate policy in your security configuration, you can save your policy details from the Get-AppSecRatePolicy command in a variable and add the additionalMatchOptions array with your client list's ID in the values property. Then pipe the whole object back to the Set-AppSecRatePolicy command to make your changes effective.
$MyRatePolicy = Get-AppSecRatePolicy -ConfigID 12345 -VersionNumber 1 -RatePolicyID 23456
$MyRatePolicy.additionalMatchOptions[0].values = @('12345_MYCLIENTLIST')
$MyRatePolicy | Set-AppSecRatePolicy -ConfigID 12345 -VersionNumber 1 -RatePolicyID 23456
Updated about 2 hours ago