Editing basic parameters in a security profile
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- In the row with the profile you need, click and select Edit.
- In the window that opens, edit the following parameters:
  - Name.
  - Description.
  - Labels. To add a label, click Add label.
  - Action for the default base rule: Deny or Allow.
  - ARL profile: Select or create an ARL profile.
  - Select or create a SmartCaptcha to verify suspicious requests.
- Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the CLI command for editing security profile basic parameters:

    yc smartwebsecurity security-profile update --help

- To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list

  Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
    |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
    +----------------------+-------------------+---------------------+----------------+------------+-------------+
    | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
    | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
    +----------------------+-------------------+---------------------+----------------+------------+-------------+

- To edit basic parameters for a security profile, run this command:

    yc smartwebsecurity security-profile update \
      --name <security_profile_name> \
      --new-name <new_security_profile_name> \
      --description "<profile_description>" \
      --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
      --default-action <action> \
      --captcha-id <CAPTCHA_ID> \
      --security-rules-file <path_to_file_with_security_rules>

Where:
  - --name: Security profile name. This is a required parameter. Instead of the security profile name, you can provide its ID in the --id parameter.
  - --new-name: New name for the security profile. This is an optional parameter if the profile name remains unchanged.
  - --description: Text description of the security profile. This is an optional parameter.
  - --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional parameter. For example: --labels foo=baz,bar=baz.
  - --default-action: Action to perform for traffic that does not match the criteria of other rules. This is an optional parameter. The default value is allow, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to deny.
  - --captcha-id: ID of the CAPTCHA in SmartCaptcha to verify suspicious requests. This is an optional parameter.
  - --security-rules-file: Path to the YAML file with security rule description. This is an optional parameter. For example, security-rules.yaml:

      - name: rule-condition-deny
        description: My first security rule. This rule it's just example to show possibilities of configuration.
        priority: "11111"
        dry_run: true
        rule_condition:
          action: DENY
          condition:
            authority:
              authorities:
                - exact_match: example.com
                - exact_match: example.net
            http_method:
              http_methods:
                - exact_match: GET
                - exact_match: POST
            request_uri:
              path:
                prefix_match: /search
              queries:
                - key: firstname
                  value:
                    pire_regex_match: .ivan.
                - key: lastname
                  value:
                    pire_regex_not_match: .petr.
            headers:
              - name: User-Agent
                value:
                  pire_regex_match: .curl.
              - name: Referer
                value:
                  pire_regex_not_match: .bot.
            source_ip:
              ip_ranges_match:
                ip_ranges:
                  - 1.2.33.44
                  - 2.3.4.56
              ip_ranges_not_match:
                ip_ranges:
                  - 8.8.0.0/16
                  - 10::1234:1abc:1/64
              geo_ip_match:
                locations:
                  - ru
                  - es
              geo_ip_not_match:
                locations:
                  - us
                  - fm
                  - gb
      - name: rule-condition-allow
        description: Let's show how to whitelist IP.
        priority: "2"
        rule_condition:
          action: ALLOW
          condition:
            source_ip:
              ip_ranges_match:
                ip_ranges:
                  - 44.44.44.44-44.44.44.45
                  - 44.44.44.77
      - name: smart-protection-full
        description: Enable smart protection. Allow to show captcha on /search prefix.
        priority: "11"
        smart_protection:
          mode: FULL
          condition:
            request_uri:
              path:
                prefix_match: /search
      - name: smart-protection-api
        description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
        priority: "10"
        smart_protection:
          mode: API
          condition:
            request_uri:
              path:
                prefix_match: /api

  Result:

    id: fev6q4qqnn2q********
    folder_id: b1g07hj5r6i********
    cloud_id: b1gia87mbaom********
    name: my-sample-profile
    new-name: my-update-profile
    description: "my update description"
    labels: label1=value1,label2=value2
    default_action: DENY
    created_at: "2024-07-25T19:21:05.039610Z"

- For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.
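
An added example, not part of the Yandex Cloud documentation: a shell function that reads the table printed by yc smartwebsecurity security-profile list and reports profiles whose default action is not DENY, plus profiles with no CAPTCHA attached. The function names, the finding text and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Yandex Cloud code. Names and sample rows are constructed.
# Real use: yc smartwebsecurity security-profile list | audit_profiles

# Reads the list table on stdin; prints "<profile name><TAB><finding>" lines.
audit_profiles() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*\+/ { next }              # +-----+ border lines
    NF < 3      { next }              # not a table row
    !have_header {                    # first row: map header text to field index
      for (i = 2; i < NF; i++) col[trim($i)] = i
      if (!("NAME" in col) || !("DEFAULT ACTION" in col)) {
        print "unexpected table header" > "/dev/stderr"
        exit 2
      }
      have_header = 1
      next
    }
    {
      name   = trim($(col["NAME"]))
      action = trim($(col["DEFAULT ACTION"]))
      # Anything other than DENY lets traffic that matches no rule through.
      if (action != "DENY")
        printf "%s\tdefault action is %s, unmatched traffic is not blocked\n", name, (action == "" ? "unset" : action)
      if (("CAPTCHA ID" in col) && trim($(col["CAPTCHA ID"])) == "")
        printf "%s\tno CAPTCHA attached\n", name
    }
  '
}

# Constructed sample in the same layout as the list output shown above.
sample_table() {
  cat <<'EOF'
+---------------------+-------------------+---------------------+----------------+---------------------+-------------+
|         ID          |       NAME        |       CREATED       | DEFAULT ACTION |     CAPTCHA ID      | RULES COUNT |
+---------------------+-------------------+---------------------+----------------+---------------------+-------------+
| constructed-id-0001 | my-new-profile    | 2024-08-05 06:57:18 | DENY           |                     |           1 |
| constructed-id-0002 | my-sample-profile | 2024-08-05 06:57:28 | ALLOW          | constructed-cap-001 |           2 |
+---------------------+-------------------+---------------------+----------------+---------------------+-------------+
EOF
}

sample_table | audit_profiles
```

Columns are located by header text rather than position, so the check fails loudly with exit code 2 if the table layout changes instead of silently reading the wrong field.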
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.