Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Adding a rule to a security profile

Written by
Updated at May 5, 2025

You can add basic rules, as well as Smart Protection and WAF rules, to a security profile. ARL rules are added to an ARL profile.

  1. In the management console, select the folder containing the security profile you need.

  2. In the list of services, select Smart Web Security.

  3. Select the profile to add a rule to.

  4. Click Add rule and in the window that opens:

    1. Enter a name for the rule.

    2. (optional) Enter a description.

    3. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.

      Note

      The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

      • Basic default rule: 1000000.
      • Smart Protection rule providing full protection: 999900.

    4. (Optional) Enable Only logging (dry run) if you want only to log data about the traffic fulfilling the specified conditions without applying any actions to it.

    5. Select the rule type:

      • Base: Rule that allows, denies, or sends traffic to Yandex SmartCaptcha under specified conditions.

      • Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms. Suspicious requests are sent to Yandex SmartCaptcha for additional verification.

      • Web Application Firewall: Integrates rules from a WAF profile. Suspicious requests are sent to Yandex SmartCaptcha.

        For a WAF rule, select or create a WAF profile.

    6. Select an action:

      • For the basic rule:

        • Deny.
        • Allow.
        • Show captcha: Show the captcha selected in the security profile.

      • For a Smart Protection or WAF rule:

        • Full protection: After verification, suspicious requests are sent to SmartCaptcha.
        • API protection: After verification, suspicious requests are blocked.

    7. Under Conditions for traffic, specify which traffic the rule will be used to analyze:

      • All traffic: The rule will be used to analyze the whole traffic.

      • On condition: The rule will be used to analyze the traffic specified in the Conditions field:

        • IP: IP address, IP address range, IP address region, or address list.
        • HTTP header: HTTP header string.
        • Request URI: Request path.
        • Host: Domain receiving the request.
        • HTTP method: Request method.
        • Cookie: Cookie header string.

        You can set multiple conditions. To do this, select all the condition types you need in the Conditions field.

        You can also set multiple conditions of the same type. To do this, click and or or in the section with the condition you need.

        To delete a condition, click .

    8. Click Add.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. To view a list of current security profiles in the default folder, run this command:

    yc smartwebsecurity security-profile list

    Result:

    +----------------------+-------------------+---------------------+----------------+------------+-------------+
|          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
+----------------------+-------------------+---------------------+----------------+------------+-------------+
| fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
| fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
+----------------------+-------------------+---------------------+----------------+------------+-------------+

  2. Update the security profile by applying the YAML configuration with both current and new security rules required for the profile:

    1. To get the YAML configuration for the current security rules in the profile, run this command, specifying the security profile name or ID:

      yc smartwebsecurity security-profile get <security_profile_name_or_ID>
      Result
      id: fev450d61ucv********
folder_id: b1gt6g8ht345********
cloud_id: b1gia87mbaom********
labels:
  label1: value1
  label2: value2
name: my-new-profile
description: my description
default_action: DENY
security_rules:
  - name: rule-condition-deny
    priority: "11111"
    dry_run: true
    rule_condition:
      action: DENY
      condition:
        authority:
          authorities:
            - exact_match: example.com
            - exact_match: example.net
        http_method:
          http_methods:
            - exact_match: GET
            - exact_match: POST
        request_uri:
          path:
            prefix_match: /search
          queries:
            - key: firstname
              value:
                pire_regex_match: .ivan.
            - key: lastname
              value:
                pire_regex_not_match: .petr.
        headers:
          - name: User-Agent
            value:
              pire_regex_match: .curl.
          - name: Referer
            value:
              pire_regex_not_match: .bot.
        source_ip:
          ip_ranges_match:
            ip_ranges:
              - 1.2.33.44
              - 2.3.4.56
          ip_ranges_not_match:
            ip_ranges:
              - 8.8.0.0/16
              - 10::1234:1abc:1/64
          geo_ip_match:
            locations:
              - ru
              - es
          geo_ip_not_match:
            locations:
              - us
              - fm
              - gb
    description: My first security rule. This rule it's just example to show possibilities of configuration.
created_at: "2024-08-05T17:54:48.898624Z"

    2. Copy the current rule configuration from the security_rules section, paste it into any text editor, and save it to a file after adding new rules, such as the following:

      security-rules.yaml
      - name: rule-condition-deny
  description: My first security rule. This rule it's just example to show possibilities of configuration.
  priority: "11111"
  dry_run: true
  rule_condition:
    action: DENY
    condition:
      authority:
        authorities:
          - exact_match: example.com
          - exact_match: example.net
      http_method:
        http_methods:
          - exact_match: GET
          - exact_match: POST
      request_uri:
        path:
          prefix_match: /search
        queries:
          - key: firstname
            value:
              pire_regex_match: .ivan.
          - key: lastname
            value:
              pire_regex_not_match: .petr.
      headers:
        - name: User-Agent
          value:
            pire_regex_match: .curl.
        - name: Referer
          value:
            pire_regex_not_match: .bot.
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 1.2.33.44
            - 2.3.4.56
        ip_ranges_not_match:
          ip_ranges:
            - 8.8.0.0/16
            - 10::1234:1abc:1/64
        geo_ip_match:
          locations:
            - ru
            - es
        geo_ip_not_match:
          locations:
            - us
            - fm
            - gb
- name: rule-condition-allow
  description: Let's show how to whitelist IP.
  priority: "2"
  rule_condition:
    action: ALLOW
    condition:
      source_ip:
        ip_ranges_match:
          ip_ranges:
            - 44.44.44.44-44.44.44.45
            - 44.44.44.77
- name: smart-protection-full
  description: Enable smart protection. Allow to show captcha on /search prefix.
  priority: "11"
  smart_protection:
    mode: FULL
    condition:
      request_uri:
        path:
          prefix_match: /search
- name: smart-protection-api
  description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
  priority: "10"
  smart_protection:
    mode: API
    condition:
      request_uri:
        path:
          prefix_match: /api

      Alert

      If you change the rules in the security profile, all existing rules will be deleted. This is why the YAML file with the changes must contain the full set of rules that will be in effect in the security profile.

    3. To update a security profile, run this command, specifying the profile name or ID:

      yc smartwebsecurity security-profile update <security_profile_name_or_ID> \
   --security-rules-file <path_to_file_with_security_rules>

      Where --security-rules-file is the path to the YAML file with the description of security rules.

      Result:
      id: fevr4g3121vn********
folder_id: b1g07hj5r6i4********
cloud_id: b1gia87mbaom********
name: my-sws-profile
default_action: ALLOW
security_rules:
  - name: rule-condition-deny
    description: My first security rule. This rule it's just example to show possibilities of configuration.
    priority: "11111"
    dry_run: true
    rule_condition:
      action: DENY
      condition:
        authority:
          authorities:
            - exact_match: example.com
            - exact_match: example.net
        http_method:
          http_methods:
            - exact_match: GET
            - exact_match: POST
        request_uri:
          path:
            prefix_match: /search
          queries:
            - key: firstname
              value:
                pire_regex_match: .ivan.
            - key: lastname
              value:
                pire_regex_not_match: .petr.
        headers:
          - name: User-Agent
            value:
              pire_regex_match: .curl.
          - name: Referer
            value:
              pire_regex_not_match: .bot.
        source_ip:
          ip_ranges_match:
            ip_ranges:
              - 1.2.33.44
              - 2.3.4.56
          ip_ranges_not_match:
            ip_ranges:
              - 8.8.0.0/16
              - 10::1234:1abc:1/64
          geo_ip_match:
            locations:
              - ru
              - es
          geo_ip_not_match:
            locations:
              - us
              - fm
              - gb
  - name: rule-condition-allow
    description: Let's show how to whitelist IP.
    priority: "2"
    rule_condition:
      action: ALLOW
      condition:
        source_ip:
          ip_ranges_match:
            ip_ranges:
              - 44.44.44.44-44.44.44.45
              - 44.44.44.77
  - name: smart-protection-full
    description: Enable smart protection. Allow to show captcha on /search prefix.
    priority: "11"
    smart_protection:
      mode: FULL
      condition:
        request_uri:
          path:
            prefix_match: /search
  - name: smart-protection-api
    description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
    priority: "10"
    smart_protection:
      mode: API
      condition:
        request_uri:
          path:
            prefix_match: /api
created_at: "2024-07-27T20:37:36.389730Z"

For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Open the Terraform configuration file and edit the fragment with yandex_sws_security_profile description: add a section named security_rule with a security rule.

    resource "yandex_sws_security_profile" "demo-profile-simple" {
  name                             = "<security_profile_name>"
  default_action                   = "DENY"
  captcha_id                       = "<captcha_ID>"
  advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

  # Smart Protection rule
  security_rule {
    name     = "smart-protection"
    priority = 99999

    smart_protection {
      mode = "API"
    }
  }

  #Basic rule
  security_rule {
    name = "base-rule-geo"
    priority = 100000
    rule_condition {
      action = "ALLOW"
      condition {
        source_ip {
          geo_ip_match {
            locations = ["ru", "kz"]
          }
        }
      }
    }
  }

  # WAF profile rule
  security_rule {
    name     = "waf"
    priority = 88888

    waf {
      mode           = "API"
      waf_profile_id = "<WAF_profile_ID>"
    }
  }
}

    For more information about the yandex_sws_security_profile resource parameters in Terraform, see the relevant provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

You can check the resources' updates using the management console or this CLI command:

yc smartwebsecurity security-profile get <security_profile_ID>

Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.

See also

Previous
Deleting a profile
Next
Editing a rule