Contact UsGet started

Getting started with a WAF profile

Written by
Updated at October 31, 2024

To protect your web apps from external threats, Yandex Smart Web Security implements a Web Application Firewall (WAF).

Create your first WAF profile and connect it to an existing Yandex Smart Web Security security profile.

If you have not configured a security profile yet, create it and connect it to a virtual host of an Yandex Application Load Balancer L7 load balancer. For more information, see Getting started with a security profile.

To get started with WAF:

  1. Create a WAF profile.
  2. Configure a basic rule set.
  3. Create an exclusion rule.
  4. Connect the WAF profile to a security profile.

Prepare your cloud

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Create a WAF profile

  1. In the management console, select the folder where you want to create your WAF profile.

  2. In the list of services, select Smart Web Security.

  3. Go to the WAF profiles tab and click Create WAF profile.

  4. Describe a scenario of using WAF features in your projects and click Submit request.

    Once your request is approved, you can proceed to create a WAF profile.

  5. Enter a name for the profile, e.g., test-waf-profile-1.

  6. The WAF profile's default basic rule set is called OWASP Core Rule Set. To view the rules it includes, click the line with its description.

  7. Click Create.

Configure a basic rule set

  1. On the WAF profile's review page that opens, click Configure basic rule set.

  2. Set the preferred Anomaly threshold, which is the sum of anomaly values of the triggered rules that will block the request, e.g., Moderate: 25 or higher.

    We recommend to start with the anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules. You can use the Only logging (dry-run) mode in the security profile to test various anomaly thresholds.

  3. Set the preferred Paranoia level, e.g., 2 and lower.

    Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better your protection, but also the higher the probability of WAF false positives.

  4. Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly values and paranoia levels.

You can turn any rule from the set into a blocking rule. A request that satisfies such a rule will be blocked regardless of the anomaly threshold you specified. To turn a rule into a blocking rule, click to the right of it. If the Only logging (dry-run) mode is enabled in the security profile, requests will not be blocked even when if they satisfy the blocking rules.

Create an exclusion rule

  1. Go to the Exclusion rules tab and click Create exclusion rule.

  2. Enter a name for the exclusion rule, e.g., exception-rule-1.

  3. Under Scope of use, specify rules from the basic set for which the exclusion will be valid. You can select All rules or specific ones.

  4. Under Traffic conditions, select the conditions for the exclusion rule to trigger.

    If you leave the Conditions field empty, the exclusion rule will apply to the whole traffic.

  5. Click Create.

Connect the WAF profile to a security profile

  1. Go to the Security profiles tab.
  2. From the list, select the security profile you want to connect your WAF profile to, e.g., test-sp1.
  3. Click Add rule.
  4. Enter a name for the rule, e.g., waf-rule-1.
  5. In the Priority field, set a value higher than that of the Smart Protection rules already existing in the security profile, e.g., 888800.
  6. (Optional) To test your WAF profile and simulate false positives triggered by legitimate requests, use the Only logging (dry-run) mode in the security profile.
  7. In the Rule type field, select Web Application Firewall.
  8. In the WAF profile field, select the test-waf-profile-1 profile you created earlier.
  9. In the Action field, select Full protection.
  10. If required, set the conditions for traffic mapping.
  11. Click Add.

See also

Previous
Getting started with Smart Web Security
Next
Getting started with ARL