Adding a rule to a security profile
You can add basic rules, as well as Smart Protection and WAF rules, to a security profile. ARL rules are added to an ARL profile.
-
In the management console
, select the folder containing the security profile you need. -
In the list of services, select Smart Web Security.
-
Select the profile to add a rule to.
-
Click
Add rule and in the window that opens:-
Enter a name for the rule.
-
(optional) Enter a description.
-
Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.
Note
The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:
- Basic default rule:
1000000
. - Smart Protection rule providing full protection:
999900
.
- Basic default rule:
-
(Optional) Enable Only logging (dry run) if you want only to log data about the traffic fulfilling the specified conditions without applying any actions to it.
-
Select the rule type:
-
Base: Rule that allows, denies, or sends traffic to Yandex SmartCaptcha under specified conditions.
-
Smart Protection: Sends traffic for automatic processing by machine learning and behavioral analysis algorithms. Suspicious requests are sent to Yandex SmartCaptcha for additional verification.
-
Web Application Firewall: Integrates rules from a WAF profile. Suspicious requests are sent to Yandex SmartCaptcha.
For a WAF rule, select or create a WAF profile.
-
-
Select an action:
-
For the basic rule:
Deny
.Allow
.Show captcha
: Show the captcha selected in the security profile.
-
For a Smart Protection or WAF rule:
Full protection
: After verification, suspicious requests are sent to SmartCaptcha.API protection
: After verification, suspicious requests are blocked.
-
-
Under Conditions for traffic, specify which traffic the rule will be used to analyze:
-
All traffic
: The rule will be used to analyze the whole traffic. -
On condition
: The rule will be used to analyze the traffic specified in the Conditions field:IP
: IP address, IP address range, or IP address region.HTTP header
: HTTP header string.Request URI
: Request path.Host
: Domain receiving the request.HTTP method
: Request method.Cookie
: Cookie header string.
You can set multiple conditions. To do this, select all the condition types you need in the Conditions field.
You can also set multiple conditions of the same type. To do this, click
and or or in the section with the condition you need.To delete a condition, click
.
-
-
Click Add.
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
To view a list of current security profiles in the default folder, run this command:
yc smartwebsecurity security-profile list
Result:
+----------------------+-------------------+---------------------+----------------+------------+-------------+ | ID | NAME | CREATED | DEFAULT ACTION | CAPTCHA ID | RULES COUNT | +----------------------+-------------------+---------------------+----------------+------------+-------------+ | fev3s055oq64******** | my-new-profile | 2024-08-05 06:57:18 | DENY | | 1 | | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY | | 2 | +----------------------+-------------------+---------------------+----------------+------------+-------------+
-
Update the security profile by applying the YAML
configuration with both current and new security rules required for the profile:-
To get the YAML configuration for the current security rules in the profile, run this command, specifying the security profile name or ID:
yc smartwebsecurity security-profile get <security_profile_name_or_ID>
Result
id: fev450d61ucv******** folder_id: b1gt6g8ht345******** cloud_id: b1gia87mbaom******** labels: label1: value1 label2: value2 name: my-new-profile description: my description default_action: DENY security_rules: - name: rule-condition-deny priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb description: My first security rule. This rule it's just example to show possibilities of configuration. created_at: "2024-08-05T17:54:48.898624Z"
-
Copy the current rule configuration from the
security_rules
section, paste it into any text editor, and save it to a file after adding new rules, such as the following:security-rules.yaml
- name: rule-condition-deny description: My first security rule. This rule it's just example to show possibilities of configuration. priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb - name: rule-condition-allow description: Let's show how to whitelist IP. priority: "2" rule_condition: action: ALLOW condition: source_ip: ip_ranges_match: ip_ranges: - 44.44.44.44-44.44.44.45 - 44.44.44.77 - name: smart-protection-full description: Enable smart protection. Allow to show captcha on /search prefix. priority: "11" smart_protection: mode: FULL condition: request_uri: path: prefix_match: /search - name: smart-protection-api description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix. priority: "10" smart_protection: mode: API condition: request_uri: path: prefix_match: /api
Alert
If you change the rules in the security profile, all existing rules will be deleted. This is why the YAML file with the changes must contain the full set of rules that will be in effect in the security profile.
-
To update a security profile, run this command, specifying the profile name or ID:
yc smartwebsecurity security-profile update <security_profile_name_or_ID> \ --security-rules-file <path_to_file_with_security_rules>
Where
--security-rules-file
is the path to the YAML file with the description of security rules.Result:
id: fevr4g3121vn******** folder_id: b1g07hj5r6i4******** cloud_id: b1gia87mbaom******** name: my-sws-profile default_action: ALLOW security_rules: - name: rule-condition-deny description: My first security rule. This rule it's just example to show possibilities of configuration. priority: "11111" dry_run: true rule_condition: action: DENY condition: authority: authorities: - exact_match: example.com - exact_match: example.net http_method: http_methods: - exact_match: GET - exact_match: POST request_uri: path: prefix_match: /search queries: - key: firstname value: pire_regex_match: .ivan. - key: lastname value: pire_regex_not_match: .petr. headers: - name: User-Agent value: pire_regex_match: .curl. - name: Referer value: pire_regex_not_match: .bot. source_ip: ip_ranges_match: ip_ranges: - 1.2.33.44 - 2.3.4.56 ip_ranges_not_match: ip_ranges: - 8.8.0.0/16 - 10::1234:1abc:1/64 geo_ip_match: locations: - ru - es geo_ip_not_match: locations: - us - fm - gb - name: rule-condition-allow description: Let's show how to whitelist IP. priority: "2" rule_condition: action: ALLOW condition: source_ip: ip_ranges_match: ip_ranges: - 44.44.44.44-44.44.44.45 - 44.44.44.77 - name: smart-protection-full description: Enable smart protection. Allow to show captcha on /search prefix. priority: "11" smart_protection: mode: FULL condition: request_uri: path: prefix_match: /search - name: smart-protection-api description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix. priority: "10" smart_protection: mode: API condition: request_uri: path: prefix_match: /api created_at: "2024-07-27T20:37:36.389730Z"
-
For more information about the yc smartwebsecurity security-profile update
command, see the CLI reference.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Open the Terraform configuration file and edit the fragment with
yandex_sws_security_profile
description: add a section namedsecurity_rule
with a security rule.resource "yandex_sws_security_profile" "demo-profile-simple" { name = "<security_profile_name>" default_action = "DENY" captcha_id = "<captcha_ID>" advanced_rate_limiter_profile_id = "<ARL_profile_ID>" # Smart Protection rule security_rule { name = "smart-protection" priority = 99999 smart_protection { mode = "API" } } #Basic rule security_rule { name = "base-rule-geo" priority = 100000 rule_condition { action = "ALLOW" condition { source_ip { geo_ip_match { locations = ["ru", "kz"] } } } } } # WAF profile rule security_rule { name = "waf" priority = 88888 waf { mode = "API" waf_profile_id = "<WAF_profile_ID>" } } }
For more information about the
yandex_sws_security_profile
resource parameters in Terraform, see the relevant provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
You can check the resources' updates using the management console
yc smartwebsecurity security-profile get <security_profile_ID>
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.