Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Editing basic parameters in a security profile

Written by
Updated at October 17, 2024

  1. In the management console, select the folder containing the security profile.

  2. In the list of services, select Smart Web Security.

  3. In the row with the profile you need, click and select Edit.

  4. In the window that opens, edit the following parameters:

    • Name.
    • Description.
    • Labels. To add a label, click Add label.
    • Action for the default base rule: Deny or Allow.
    • ARL profile: Select or create an ARL profile.
    • Select or create a SmartCaptcha to verify suspicious requests.

  5. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for editing security profile basic parameters:

    yc smartwebsecurity security-profile update --help

  2. To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list

    Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
|          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
+----------------------+-------------------+---------------------+----------------+------------+-------------+
| fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
| fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
+----------------------+-------------------+---------------------+----------------+------------+-------------+

  3. To edit basic parameters for a security profile, run this command:

    yc smartwebsecurity security-profile update \
   --name <security_profile_name> \
   --new-name <new_security_profile_name> \
   --description "<profile_description>" \
   --labels <label_1_key>=<label_1_value>,<label_2_key>=<label_2_value>,...,<label_n_key>=<label_n_value> \
   --default-action <action> \
   --captcha-id <CAPTCHA_ID> \
   --security-rules-file <path_to_file_with_security_rules>

    Where:

    • --name: Security profile name. This is a required parameter. Instead of the security profile name, you can provide its ID in the --id parameter.

    • --new-name: New name for the security profile. This is an optional parameter if the profile name remains unchanged.

    • --description: Text description of the security profile. This is an optional parameter.

    • --labels: List of labels to add to the profile in KEY=VALUE format. This is an optional parameter. For example: --labels foo=baz,bar=baz'.

    • --default-action: Action to perform for the traffic that mismatches the criteria of other rules. This is an optional parameter. The default value is allow, which allows all requests to Yandex Smart Web Security. To block requests, set the parameter to deny.

    • --captcha-id: ID of the CAPTCHA in SmartCaptcha to verify suspicious requests. This is an optional parameter.

    • --security-rules-file: Path to the YAML file with security rule description. This is an optional parameter. For example:

      security-rules.yaml
      - name: rule-condition-deny
  description: My first security rule. This rule it's just example to show possibilities of configuration.
  priority: "11111"
  dry_run: true
  rule_condition:
    action: DENY
    condition:
      authority:
        authorities:
          - exact_match: example.com
          - exact_match: example.net
      http_method:
        http_methods:
          - exact_match: GET
          - exact_match: POST
      request_uri:
        path:
          prefix_match: /search
        queries:
          - key: firstname
            value:
              pire_regex_match: .ivan.
          - key: lastname
            value:
              pire_regex_not_match: .petr.
      headers:
        - name: User-Agent
          value:
            pire_regex_match: .curl.
        - name: Referer
          value:
            pire_regex_not_match: .bot.
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 1.2.33.44
            - 2.3.4.56
        ip_ranges_not_match:
          ip_ranges:
            - 8.8.0.0/16
            - 10::1234:1abc:1/64
        geo_ip_match:
          locations:
            - ru
            - es
        geo_ip_not_match:
          locations:
            - us
            - fm
            - gb
- name: rule-condition-allow
  description: Let's show how to whitelist IP.
  priority: "2"
  rule_condition:
    action: ALLOW
    condition:
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 44.44.44.44-44.44.44.45
            - 44.44.44.77
- name: smart-protection-full
  description: Enable smart protection. Allow to show captcha on /search prefix.
  priority: "11"
  smart_protection:
    mode: FULL
    condition:
      request_uri:
        path:
          prefix_match: /search
- name: smart-protection-api
  description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
  priority: "10"
  smart_protection:
    mode: API
    condition:
      request_uri:
        path:
          prefix_match: /api

    Result:

    id: fev6q4qqnn2q********
folder_id: b1g07hj5r6i********
cloud_id: b1gia87mbaom********
name: my-sample-profile
new-name: my-update-profile
description: "my update description"
labels: label1=value1,label2=value2
default_action: DENY
created_at: "2024-07-25T19:21:05.039610Z"

For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.

Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.

See also

Previous
Creating a profile
Next
Deleting a profile