Adding a rule to a security profile
You can add basic rules, as well as Smart Protection and WAF rules, to a security profile. ARL rules are added to an ARL profile.
- In the management console, select the folder containing the security profile.
- In the list of services, select Smart Web Security.
- Select the profile where you want to add a rule.
- Click Add rule and, in the window that opens:
  - Name the rule.
  - Optionally, provide a description.
  - Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.
    Note: The smaller the value, the higher the rule priority. The priorities for preconfigured rules are as follows:
    - Basic default rule: 1000000.
    - Smart Protection rule providing full protection: 999900.
  - Optionally, enable Only logging (dry run) if you only want to log data about the traffic matching the specified conditions without applying any action to it.
  - Select the rule type:
    - Base: Allows, denies, or forwards traffic to Yandex SmartCaptcha under the specified conditions.
    - Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms and redirects suspicious requests to Yandex SmartCaptcha for additional verification.
    - Web Application Firewall: Integrates rules from a WAF profile and redirects suspicious requests to Yandex SmartCaptcha. For a WAF rule, select or create a WAF profile.
  - Select an action:
    - For a basic rule:
      - Deny.
      - Allow.
      - Show CAPTCHA: Shows the CAPTCHA selected in the security profile.
    - For a Smart Protection or WAF rule:
      - Full protection: Redirects suspicious requests to SmartCaptcha after verification.
      - API protection: Blocks suspicious requests after verification.
  - Under Conditions for traffic, specify the traffic the rule will apply to:
    - All traffic: The rule applies to all traffic.
    - On condition: The rule applies to the traffic defined in the Conditions field:
      - IP: IP address, IP address range, IP address region, or address list.
      - HTTP header: HTTP header string.
      - Request URI: Request path.
      - Host: Domain receiving the request.
      - HTTP method: Request method.
      - Cookie: Cookie header string.
    You can set multiple conditions by selecting all the condition types you need in the Conditions field. You can also set multiple conditions of the same type by clicking and or or in the section with the condition you need. To delete a condition, click the delete icon next to it.
- Click Add.
With the CLI
- If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
  By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- To view a list of current security profiles in the default folder, run this command:
  yc smartwebsecurity security-profile list
  Result:
  ```text
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  | ID                   | NAME              | CREATED             | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
  | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
  +----------------------+-------------------+---------------------+----------------+------------+-------------+
  ```
- Update the security profile by applying a YAML configuration that contains both the current and the new security rules required for the profile:
  - To get the YAML configuration for the current security rules in the profile, run this command specifying the security profile name or ID:
    yc smartwebsecurity security-profile get <security_profile_name_or_ID>
    Result:
    ```yaml
    id: fev450d61ucv********
    folder_id: b1gt6g8ht345********
    cloud_id: b1gia87mbaom********
    labels:
      label1: value1
      label2: value2
    name: my-new-profile
    description: my description
    default_action: DENY
    security_rules:
      - name: rule-condition-deny
        priority: "11111"
        dry_run: true
        rule_condition:
          action: DENY
          condition:
            authority:
              authorities:
                - exact_match: example.com
                - exact_match: example.net
            http_method:
              http_methods:
                - exact_match: GET
                - exact_match: POST
            request_uri:
              path:
                prefix_match: /search
              queries:
                - key: firstname
                  value:
                    pire_regex_match: .*ivan.*
                - key: lastname
                  value:
                    pire_regex_not_match: .*petr.*
            headers:
              - name: User-Agent
                value:
                  pire_regex_match: .*curl.*
              - name: Referer
                value:
                  pire_regex_not_match: .*bot.*
            source_ip:
              ip_ranges_match:
                ip_ranges:
                  - 1.2.33.44
                  - 2.3.4.56
              ip_ranges_not_match:
                ip_ranges:
                  - 8.8.0.0/16
                  - 10::1234:1abc:1/64
              geo_ip_match:
                locations:
                  - ru
                  - es
              geo_ip_not_match:
                locations:
                  - us
                  - fm
                  - gb
        description: My first security rule. This rule it's just example to show possibilities of configuration.
    created_at: "2024-08-05T17:54:48.898624Z"
    ```
  - Copy the current rule configuration (the contents of the security_rules section) to any text editor, add the new rules to it, and save it to a file. Here is an example, security-rules.yaml:
    ```yaml
    - name: rule-condition-deny
      description: My first security rule. This rule it's just example to show possibilities of configuration.
      priority: "11111"
      dry_run: true
      rule_condition:
        action: DENY
        condition:
          authority:
            authorities:
              - exact_match: example.com
              - exact_match: example.net
          http_method:
            http_methods:
              - exact_match: GET
              - exact_match: POST
          request_uri:
            path:
              prefix_match: /search
            queries:
              - key: firstname
                value:
                  pire_regex_match: .*ivan.*
              - key: lastname
                value:
                  pire_regex_not_match: .*petr.*
          headers:
            - name: User-Agent
              value:
                pire_regex_match: .*curl.*
            - name: Referer
              value:
                pire_regex_not_match: .*bot.*
          source_ip:
            ip_ranges_match:
              ip_ranges:
                - 1.2.33.44
                - 2.3.4.56
            ip_ranges_not_match:
              ip_ranges:
                - 8.8.0.0/16
                - 10::1234:1abc:1/64
            geo_ip_match:
              locations:
                - ru
                - es
            geo_ip_not_match:
              locations:
                - us
                - fm
                - gb
    - name: rule-condition-allow
      description: Let's show how to whitelist IP.
      priority: "2"
      rule_condition:
        action: ALLOW
        condition:
          source_ip:
            ip_ranges_match:
              ip_ranges:
                - 44.44.44.44-44.44.44.45
                - 44.44.44.77
    - name: smart-protection-full
      description: Enable smart protection. Allow to show captcha on /search prefix.
      priority: "11"
      smart_protection:
        mode: FULL
        condition:
          request_uri:
            path:
              prefix_match: /search
    - name: smart-protection-api
      description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
      priority: "10"
      smart_protection:
        mode: API
        condition:
          request_uri:
            path:
              prefix_match: /api
    ```
    Alert: When you change the rules in the security profile, all the existing rules are deleted. Make sure the updated YAML file includes the full set of rules that the security profile should use.
- To update the security profile, run this command specifying the profile name or ID:
  yc smartwebsecurity security-profile update <security_profile_name_or_ID> \
    --security-rules-file <path_to_file_with_security_rules>
  Where --security-rules-file is the path to the YAML file with the description of the security rules.
  Result:
  ```yaml
  id: fevr4g3121vn********
  folder_id: b1g07hj5r6i4********
  cloud_id: b1gia87mbaom********
  name: my-sws-profile
  default_action: ALLOW
  security_rules:
    - name: rule-condition-deny
      description: My first security rule. This rule it's just example to show possibilities of configuration.
      priority: "11111"
      dry_run: true
      rule_condition:
        action: DENY
        condition:
          authority:
            authorities:
              - exact_match: example.com
              - exact_match: example.net
          http_method:
            http_methods:
              - exact_match: GET
              - exact_match: POST
          request_uri:
            path:
              prefix_match: /search
            queries:
              - key: firstname
                value:
                  pire_regex_match: .*ivan.*
              - key: lastname
                value:
                  pire_regex_not_match: .*petr.*
          headers:
            - name: User-Agent
              value:
                pire_regex_match: .*curl.*
            - name: Referer
              value:
                pire_regex_not_match: .*bot.*
          source_ip:
            ip_ranges_match:
              ip_ranges:
                - 1.2.33.44
                - 2.3.4.56
            ip_ranges_not_match:
              ip_ranges:
                - 8.8.0.0/16
                - 10::1234:1abc:1/64
            geo_ip_match:
              locations:
                - ru
                - es
            geo_ip_not_match:
              locations:
                - us
                - fm
                - gb
    - name: rule-condition-allow
      description: Let's show how to whitelist IP.
      priority: "2"
      rule_condition:
        action: ALLOW
        condition:
          source_ip:
            ip_ranges_match:
              ip_ranges:
                - 44.44.44.44-44.44.44.45
                - 44.44.44.77
    - name: smart-protection-full
      description: Enable smart protection. Allow to show captcha on /search prefix.
      priority: "11"
      smart_protection:
        mode: FULL
        condition:
          request_uri:
            path:
              prefix_match: /search
    - name: smart-protection-api
      description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
      priority: "10"
      smart_protection:
        mode: API
        condition:
          request_uri:
            path:
              prefix_match: /api
  created_at: "2024-07-27T20:37:36.389730Z"
  ```
- For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.
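The priority, dry-run, condition and default-action settings described in the console steps all interact in one evaluation, and the full-replacement behaviour of the update command is the point where rules get lost. The following Python script is an added example, not part of the Yandex Cloud documentation or the yc CLI: it replays the four rules from security-rules.yaml (embedded as dicts with the same keys, so no YAML parser is needed) against constructed sample requests, and it includes a pre-update check that lists any currently active rule missing from the new file. It assumes that rules are evaluated in ascending priority value and that the first matching non-dry-run rule decides, approximates the Pire regex conditions with Python full-string matching, and takes the request's IP region as an input field instead of doing a real lookup; none of those details are documented on this page.

```python
import ipaddress
import re

# Constructed sample data: the four rules from security-rules.yaml above, written as
# Python dicts with the same keys so that the script runs without a YAML parser.
DENY_RULE = {
    "name": "rule-condition-deny", "priority": "11111", "dry_run": True,
    "rule_condition": {"action": "DENY", "condition": {
        "authority": {"authorities": [{"exact_match": "example.com"}, {"exact_match": "example.net"}]},
        "http_method": {"http_methods": [{"exact_match": "GET"}, {"exact_match": "POST"}]},
        "request_uri": {"path": {"prefix_match": "/search"},
                        "queries": [{"key": "firstname", "value": {"pire_regex_match": ".*ivan.*"}},
                                    {"key": "lastname", "value": {"pire_regex_not_match": ".*petr.*"}}]},
        "headers": [{"name": "User-Agent", "value": {"pire_regex_match": ".*curl.*"}},
                    {"name": "Referer", "value": {"pire_regex_not_match": ".*bot.*"}}],
        "source_ip": {"ip_ranges_match": {"ip_ranges": ["1.2.33.44", "2.3.4.56"]},
                      "ip_ranges_not_match": {"ip_ranges": ["8.8.0.0/16", "10::1234:1abc:1/64"]},
                      "geo_ip_match": {"locations": ["ru", "es"]},
                      "geo_ip_not_match": {"locations": ["us", "fm", "gb"]}}}}}
CURRENT_RULES = [DENY_RULE]  # what the profile holds before the update
NEW_RULES = CURRENT_RULES + [  # what security-rules.yaml should contain
    {"name": "rule-condition-allow", "priority": "2", "rule_condition": {"action": "ALLOW", "condition": {
        "source_ip": {"ip_ranges_match": {"ip_ranges": ["44.44.44.44-44.44.44.45", "44.44.44.77"]}}}}},
    {"name": "smart-protection-full", "priority": "11", "smart_protection": {"mode": "FULL", "condition": {
        "request_uri": {"path": {"prefix_match": "/search"}}}}},
    {"name": "smart-protection-api", "priority": "10", "smart_protection": {"mode": "API", "condition": {
        "request_uri": {"path": {"prefix_match": "/api"}}}}},
]


def _regex_ok(spec, text):
    # Assumption: Pire regex conditions are approximated with a full-string match.
    if "pire_regex_match" in spec:
        return re.fullmatch(spec["pire_regex_match"], text) is not None
    return re.fullmatch(spec["pire_regex_not_match"], text) is None


def _ip_in(ip, ranges):
    """True if ip falls in any entry: a single address, a CIDR block, or an 'a-b' span."""
    addr = ipaddress.ip_address(ip)
    for entry in ranges:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):  # mixed IP versions are never a match
            return True
    return False


def condition_matches(cond, req):
    """Every key present in the condition must hold for the request (a dict with ip, geo,
    host, method, path, query, headers); an empty condition matches all traffic."""
    if "authority" in cond and req["host"] not in [a["exact_match"] for a in cond["authority"]["authorities"]]:
        return False
    if "http_method" in cond and req["method"] not in [m["exact_match"] for m in cond["http_method"]["http_methods"]]:
        return False
    uri = cond.get("request_uri", {})
    if "path" in uri and not req["path"].startswith(uri["path"]["prefix_match"]):
        return False
    if not all(_regex_ok(q["value"], req["query"].get(q["key"], "")) for q in uri.get("queries", [])):
        return False
    if not all(_regex_ok(h["value"], req["headers"].get(h["name"], "")) for h in cond.get("headers", [])):
        return False
    src = cond.get("source_ip", {})
    if "ip_ranges_match" in src and not _ip_in(req["ip"], src["ip_ranges_match"]["ip_ranges"]):
        return False
    if "ip_ranges_not_match" in src and _ip_in(req["ip"], src["ip_ranges_not_match"]["ip_ranges"]):
        return False
    if "geo_ip_match" in src and req["geo"] not in src["geo_ip_match"]["locations"]:
        return False
    if "geo_ip_not_match" in src and req["geo"] in src["geo_ip_not_match"]["locations"]:
        return False
    return True


def evaluate(rules, req, default_action):
    """Walk the rules by ascending priority value (smaller value = higher priority).
    Assumption: the first matching rule that is not dry-run decides; a dry-run match is
    only logged and evaluation continues. Returns (verdict, log)."""
    log = []
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        if "rule_condition" in rule:
            cond, verdict = rule["rule_condition"].get("condition", {}), rule["rule_condition"]["action"]
        else:
            sp = rule["smart_protection"]
            cond, verdict = sp.get("condition", {}), "SMART_PROTECTION_" + sp["mode"]
        if not condition_matches(cond, req):
            continue
        if rule.get("dry_run"):
            log.append(f"dry run: {rule['name']} would apply {verdict}")
            continue
        log.append(f"{rule['name']} -> {verdict}")
        return verdict, log
    log.append(f"default action -> {default_action}")
    return default_action, log


def missing_rules(current, new):
    """Names of current rules absent from the new file. The update replaces the whole
    rule set, so a non-empty result means those rules would silently disappear."""
    new_names = {r["name"] for r in new}
    return sorted(r["name"] for r in current if r["name"] not in new_names)


# Constructed sample requests; "geo" stands in for the service's IP region lookup.
SEARCH_REQ = {"ip": "1.2.33.44", "geo": "ru", "host": "example.com", "method": "GET", "path": "/search",
              "query": {"firstname": "ivan", "lastname": "sidorov"},
              "headers": {"User-Agent": "curl/8.5.0", "Referer": "https://example.com/"}}
WHITELISTED_REQ = dict(SEARCH_REQ, ip="44.44.44.45", path="/api/v1")
OTHER_REQ = dict(SEARCH_REQ, ip="9.9.9.9", path="/")

if __name__ == "__main__":
    for label, req in (("search", SEARCH_REQ), ("whitelisted", WHITELISTED_REQ), ("other", OTHER_REQ)):
        print(label, *evaluate(NEW_RULES, req, "DENY"))
    print("dropped by a file with only the new rules:", missing_rules(CURRENT_RULES, NEW_RULES[1:]))
```

Run the script as-is to see the whitelisted address pass on the priority-2 allow rule before any Smart Protection rule is consulted, the /search request land on the Smart Protection rule with priority 11 while the dry-run deny rule at priority 11111 is never reached, and the unmatched request fall through to the profile's default action. The last line shows the check worth running before the update: a file that carries only the new rules would delete rule-condition-deny.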
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and edit the yandex_sws_security_profile description: add the security_rule section defining your security rule.
  ```hcl
  resource "yandex_sws_security_profile" "demo-profile-simple" {
    name                             = "<security_profile_name>"
    default_action                   = "DENY"
    captcha_id                       = "<CAPTCHA_ID>"
    advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

    # Smart Protection rule
    security_rule {
      name     = "smart-protection"
      priority = 99999

      smart_protection {
        mode = "API"
      }
    }

    # Basic rule
    security_rule {
      name     = "base-rule-geo"
      priority = 100000

      rule_condition {
        action = "ALLOW"
        condition {
          source_ip {
            geo_ip_match {
              locations = ["ru", "kz"]
            }
          }
        }
      }
    }

    # WAF profile rule
    security_rule {
      name     = "waf"
      priority = 88888

      waf {
        mode           = "API"
        waf_profile_id = "<WAF_profile_ID>"
      }
    }
  }
  ```
  For more information about yandex_sws_security_profile properties, see this Terraform provider article.
- Create the resources:
  - In the terminal, go to the directory where you edited the configuration file.
  - Make sure the configuration file is correct using this command:
    terraform validate
    If the configuration is correct, you will get this message:
    Success! The configuration is valid.
  - Run this command:
    terraform plan
    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
  - Apply the changes:
    terraform apply
  - Type yes and press Enter to confirm the changes.
- You can check the resource update in the management console or with this CLI command:
  yc smartwebsecurity security-profile get <security_profile_ID>
With the API
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.

If the Deny action is set for the default basic rule and requests are sent to SmartCaptcha for verification, add an allow rule.