Creating a security profile
-
In the management console
, select the folder where you want to create your security profile. -
In the list of services, select Smart Web Security.
-
Click Create.
-
Select one of the creation options:
-
From a preset template (recommended). A preset profile includes:
- Basic default rule enabled for all traffic with the
Deny
action type. - Smart Protection rule enabled for all traffic with the
Full protection
action type.
- Basic default rule enabled for all traffic with the
-
From scratch. This profile includes only the basic default rule enabled for all traffic.
-
-
Enter the profile name.
-
(Optional) Enter a description.
-
(Optional) Add labels for your profile.
-
In the Action for the default base rule field, select an action to be applied to the traffic that mismatches the criteria of other rules:
Deny
orAllow
. -
Select or create an ARL profile to limit the number of requests.
-
Select or create a Yandex SmartCaptcha to verify suspicious requests:
-
Default
: Managed on the Yandex Cloud side, captcha parameters:- Main challenge: Checkbox.
- Additional challenge:
Silhouettes. - Additional challenge difficulty: Easy.
- Appearance: Standard.
The
Default
captcha usage fee is included in the cost of Smart Web Security. -
Custom captcha
: You can customize captcha difficulty, types of main and additional challenges, and appearance.Note
To use a custom captcha, select Disable domain verification in its settings.
The custom captcha usage fee is charged according to SmartCaptcha pricing policy.
-
-
Click
Add rule. -
In the rule creation window:
-
Enter a name for the rule.
-
(optional) Enter a description.
-
Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.
Note
The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:
- Basic default rule:
1000000
. - Smart Protection rule providing full protection:
999900
.
- Basic default rule:
-
(Optional) Enable Only logging (dry run) if you want only to log data about the traffic fulfilling the specified conditions without applying any actions to it.
-
Select the rule type:
-
Base: Rule that allows, denies, or sends traffic to Yandex SmartCaptcha under specified conditions.
-
Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms. Suspicious requests are sent to Yandex SmartCaptcha for additional verification.
-
Web Application Firewall: Integrates rules from a WAF profile. Suspicious requests are sent to Yandex SmartCaptcha.
For a WAF rule, select or create a WAF profile.
-
-
Select an action:
-
For the basic rule:
Deny
.Allow
.Show captcha
: Show the captcha selected in the security profile.
-
For a Smart Protection or WAF rule:
Full protection
: After verification, suspicious requests are sent to SmartCaptcha.API protection
: After verification, suspicious requests are blocked.
-
-
Under Conditions for traffic, specify which traffic the rule will be used to analyze:
-
All traffic
: The rule will be used to analyze the whole traffic. -
Conditional
: The rule will be used to analyze the traffic specified in the Conditions field:IP
: IP address, IP address range, or IP address region.HTTP header
: HTTP header string.Request URI
: Request path.Host
: Domain receiving the request.HTTP method
: Request method.Cookie
: Cookie header string.
You can set multiple conditions. To do this, select all the condition types you need in the Conditions field.
You can also set multiple conditions of the same type. To do this, click
and or or in the section with the condition you need.To delete a condition, click
.
-
-
Click Add.
-
-
Add all relevant rules to the profile one by one.
The rules you created will appear under Security rules in the table.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View the description of the CLI command for creating a security profile:
yc smartwebsecurity security-profile create --help
-
To create a security profile, run this command:
yc smartwebsecurity security-profile create \ --name <security_profile_name> \ --description "<profile_description>" \ --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \ --default-action <action> \ --captcha-id <CAPTCHA_ID> \ --security-rules-file <path_to_file_with_rules>
Where:
-
--name
: Security profile name. This is a required parameter. If you specify only the profile name without additional parameters, a single basic rule will be created in the security profile. -
--description
: Text description of the security profile. This is an optional parameter. -
--labels
: List of labels to add to the profile inKEY=VALUE
format. This is an optional parameter. For example:--labels foo=baz,bar=baz'
. -
--default-action
: Action to perform for the traffic that mismatches the criteria of other rules. This is an optional parameter. The default value isallow
, which allows all requests to the service. To block requests, set the parameter todeny
. -
--captcha-id
: ID of the CAPTCHA in Yandex SmartCaptcha to verify suspicious requests. This is an optional parameter. -
--security-rules-file
: Path to the YAML file with security rule description. This is an optional parameter. For example:security-rules.yaml
- name: rule-condition-deny description: My first security rule. This rule it's just example to show possibilities of configuration. priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb - name: rule-condition-allow description: Let's show how to whitelist IP. priority: "2" rule_condition: action: ALLOW condition: source_ip: ip_ranges_match: ip_ranges: - 44.44.44.44-44.44.44.45 - 44.44.44.77 - name: smart-protection-full description: Enable smart protection. Allow to show captcha on /search prefix. priority: "11" smart_protection: mode: FULL condition: request_uri: path: prefix_match: /search - name: smart-protection-api description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix. priority: "10" smart_protection: mode: API condition: request_uri: path: prefix_match: /api
Result:
id: fev6q4qqnn2q******** folder_id: b1g07hj5r6i******** cloud_id: b1gia87mbaom******** name: my-sample-profile description: "my description" labels: label1=value1,label2=value2 default_action: DENY created_at: "2024-07-25T19:21:05.039610Z"
-
For more information about the yc smartwebsecurity security-profile create
command, see the CLI reference.
Use the create REST API method for the SecurityProfile resource or the SecurityProfileService/Create gRPC API call.