Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Creating a security profile

Written by
Updated at October 17, 2024

  1. In the management console, select the folder where you want to create your security profile.

  2. In the list of services, select Smart Web Security.

  3. Click Create.

  4. Select one of the creation options:

    • From a preset template (recommended). A preset profile includes:

    • From scratch. This profile includes only the basic default rule enabled for all traffic.

  5. Enter the profile name.

  6. (Optional) Enter a description.

  7. (Optional) Add labels for your profile.

  8. In the Action for the default base rule field, select an action to be applied to the traffic that mismatches the criteria of other rules: Deny or Allow.

  9. Select or create an ARL profile to limit the number of requests.

  10. Select or create a Yandex SmartCaptcha to verify suspicious requests:

    • Default: Managed on the Yandex Cloud side, captcha parameters:

      The Default captcha usage fee is included in the cost of Smart Web Security.

    • Custom captcha: You can customize captcha difficulty, types of main and additional challenges, and appearance.

      Note

      To use a custom captcha, select Disable domain verification in its settings.

      The custom captcha usage fee is charged according to SmartCaptcha pricing policy.

  11. Click Add rule.

  12. In the rule creation window:

    1. Enter a name for the rule.

    2. (optional) Enter a description.

    3. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    4. (Optional) Enable Only logging (dry run) if you want only to log data about the traffic fulfilling the specified conditions without applying any actions to it.

    5. Select the rule type:

      • Base: Rule that allows, denies, or sends traffic to Yandex SmartCaptcha under specified conditions.

      • Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms. Suspicious requests are sent to Yandex SmartCaptcha for additional verification.

      • Web Application Firewall: Integrates rules from a WAF profile. Suspicious requests are sent to Yandex SmartCaptcha.

        For a WAF rule, select or create a WAF profile.

    6. Select an action:

      • For the basic rule:

        • Deny.
        • Allow.
        • Show captcha: Show the captcha selected in the security profile.

      • For a Smart Protection or WAF rule:

        • Full protection: After verification, suspicious requests are sent to SmartCaptcha.
        • API protection: After verification, suspicious requests are blocked.

    7. Under Conditions for traffic, specify which traffic the rule will be used to analyze:

      • All traffic: The rule will be used to analyze the whole traffic.

      • Conditional: The rule will be used to analyze the traffic specified in the Conditions field:

        • IP: IP address, IP address range, or IP address region.
        • HTTP header: HTTP header string.
        • Request URI: Request path.
        • Host: Domain receiving the request.
        • HTTP method: Request method.
        • Cookie: Cookie header string.

        You can set multiple conditions. To do this, select all the condition types you need in the Conditions field.

        You can also set multiple conditions of the same type. To do this, click and or or in the section with the condition you need.

        To delete a condition, click .

    8. Click Add.

  13. Add all relevant rules to the profile one by one.

    The rules you created will appear under Security rules in the table.

  14. Click Create.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for creating a security profile:

    yc smartwebsecurity security-profile create --help

  2. To create a security profile, run this command:

    yc smartwebsecurity security-profile create \
   --name <security_profile_name> \
   --description "<profile_description>" \
   --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
   --default-action <action> \
   --captcha-id <CAPTCHA_ID> \
   --security-rules-file <path_to_file_with_rules>

    Where:

    • --name: Security profile name. This is a required parameter. If you specify only the profile name without additional parameters, a single basic rule will be created in the security profile.

    • --description: Text description of the security profile. This is an optional parameter.

    • --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional parameter. For example: --labels foo=baz,bar=baz'.

    • --default-action: Action to perform for the traffic that mismatches the criteria of other rules. This is an optional parameter. The default value is allow, which allows all requests to the service. To block requests, set the parameter to deny.

    • --captcha-id: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional parameter.

    • --security-rules-file: Path to the YAML file with security rule description. This is an optional parameter. For example:

      security-rules.yaml
      - name: rule-condition-deny
  description: My first security rule. This rule it's just example to show possibilities of configuration.
  priority: "11111"
  dry_run: true
  rule_condition:
    action: DENY
    condition:
      authority:
        authorities:
          - exact_match: example.com
          - exact_match: example.net
      http_method:
        http_methods:
          - exact_match: GET
          - exact_match: POST
      request_uri:
        path:
          prefix_match: /search
        queries:
          - key: firstname
            value:
              pire_regex_match: .ivan.
          - key: lastname
            value:
              pire_regex_not_match: .petr.
      headers:
        - name: User-Agent
          value:
            pire_regex_match: .curl.
        - name: Referer
          value:
            pire_regex_not_match: .bot.
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 1.2.33.44
            - 2.3.4.56
        ip_ranges_not_match:
          ip_ranges:
            - 8.8.0.0/16
            - 10::1234:1abc:1/64
        geo_ip_match:
          locations:
            - ru
            - es
        geo_ip_not_match:
          locations:
            - us
            - fm
            - gb
- name: rule-condition-allow
  description: Let's show how to whitelist IP.
  priority: "2"
  rule_condition:
    action: ALLOW
    condition:
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 44.44.44.44-44.44.44.45
            - 44.44.44.77
- name: smart-protection-full
  description: Enable smart protection. Allow to show captcha on /search prefix.
  priority: "11"
  smart_protection:
    mode: FULL
    condition:
      request_uri:
        path:
          prefix_match: /search
- name: smart-protection-api
  description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
  priority: "10"
  smart_protection:
    mode: API
    condition:
      request_uri:
        path:
          prefix_match: /api

    Result:

    id: fev6q4qqnn2q********
folder_id: b1g07hj5r6i********
cloud_id: b1gia87mbaom********
name: my-sample-profile
description: "my description"
labels: label1=value1,label2=value2
default_action: DENY
created_at: "2024-07-25T19:21:05.039610Z"

For more information about the yc smartwebsecurity security-profile create command, see the CLI reference.

Use the create REST API method for the SecurityProfile resource or the SecurityProfileService/Create gRPC API call.

See also

Previous
All guides
Next
Editing basic profile settings