Deleting a rule from a security profile
You can delete basic rules, as well as Smart Protection and WAF rules, from a security profile. ARL rules are deleted from an ARL profile.
- In the management console, select the folder containing the security profile you need.
- In the list of services, select Smart Web Security.
- Select the profile to delete a rule from.
- On the Security rules tab, in the rule row, click and select Delete.
- Confirm the deletion.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- To view a list of current security profiles in the default folder, run this command:

      yc smartwebsecurity security-profile list

  Result:

      +----------------------+-------------------+---------------------+----------------+------------+-------------+
      |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
      +----------------------+-------------------+---------------------+----------------+------------+-------------+
      | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
      | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
      +----------------------+-------------------+---------------------+----------------+------------+-------------+
- Update the security profile by applying the updated YAML configuration with security rules after you delete all irrelevant rules from it:

  - To get the YAML configuration for the current security rules in the profile, run this command, specifying the security profile name or ID:

        yc smartwebsecurity security-profile get <security_profile_name_or_ID>

    Result:

        id: fev450d61ucv********
        folder_id: b1gt6g8ht345********
        cloud_id: b1gia87mbaom********
        labels:
          label1: value1
          label2: value2
        name: my-new-profile
        description: my description
        default_action: DENY
        security_rules:
          - name: rule-condition-deny
            priority: "11111"
            dry_run: true
            rule_condition:
              action: DENY
              condition:
                authority:
                  authorities:
                    - exact_match: example.com
                    - exact_match: example.net
                http_method:
                  http_methods:
                    - exact_match: GET
                    - exact_match: POST
                request_uri:
                  path:
                    prefix_match: /search
                  queries:
                    - key: firstname
                      value:
                        pire_regex_match: .ivan.
                    - key: lastname
                      value:
                        pire_regex_not_match: .petr.
                headers:
                  - name: User-Agent
                    value:
                      pire_regex_match: .curl.
                  - name: Referer
                    value:
                      pire_regex_not_match: .bot.
                source_ip:
                  ip_ranges_match:
                    ip_ranges:
                      - 1.2.33.44
                      - 2.3.4.56
                  ip_ranges_not_match:
                    ip_ranges:
                      - 8.8.0.0/16
                      - 10::1234:1abc:1/64
                  geo_ip_match:
                    locations:
                      - ru
                      - es
                  geo_ip_not_match:
                    locations:
                      - us
                      - fm
                      - gb
            description: My first security rule. This rule it's just example to show possibilities of configuration.
          - name: rule-condition-allow
            priority: "2"
            rule_condition:
              action: ALLOW
              condition:
                source_ip:
                  ip_ranges_match:
                    ip_ranges:
                      - 44.44.44.44-44.44.44.45
                      - 44.44.44.77
            description: Let's show how to whitelist IP.
          - name: smart-protection-full
            priority: "11"
            smart_protection:
              mode: FULL
              condition:
                request_uri:
                  path:
                    prefix_match: /search
            description: Enable smart protection. Allow to show captcha on /search prefix.
          - name: smart-protection-api
            priority: "10"
            smart_protection:
              mode: API
              condition:
                request_uri:
                  path:
                    prefix_match: /api
            description: Enable smart protection with mode API. We are not expect to see captcha on /api prefix.
        created_at: "2024-08-05T17:54:48.898624Z"
  - Copy current rule configuration from the security_rules section, paste it into any text editor, and save it to a file after removing all irrelevant rules, such as the following:

    security-rules.yaml

        - name: rule-condition-deny
          description: My first security rule. This rule it's just example to show possibilities of configuration.
          priority: "11111"
          dry_run: true
          rule_condition:
            action: DENY
            condition:
              authority:
                authorities:
                  - exact_match: example.com
                  - exact_match: example.net
              http_method:
                http_methods:
                  - exact_match: GET
                  - exact_match: POST
              request_uri:
                path:
                  prefix_match: /search
                queries:
                  - key: firstname
                    value:
                      pire_regex_match: .ivan.
                  - key: lastname
                    value:
                      pire_regex_not_match: .petr.
              headers:
                - name: User-Agent
                  value:
                    pire_regex_match: .curl.
                - name: Referer
                  value:
                    pire_regex_not_match: .bot.
              source_ip:
                ip_ranges_match:
                  ip_ranges:
                    - 1.2.33.44
                    - 2.3.4.56
                ip_ranges_not_match:
                  ip_ranges:
                    - 8.8.0.0/16
                    - 10::1234:1abc:1/64
                geo_ip_match:
                  locations:
                    - ru
                    - es
                geo_ip_not_match:
                  locations:
                    - us
                    - fm
                    - gb

Alert
If you change the rules in the security profile, all existing rules will be deleted. This is why the YAML file with the changes must contain the full set of rules that will be in effect in the security profile.
  - To update a security profile, run this command, specifying the profile name or ID:

        yc smartwebsecurity security-profile update <security_profile_name_or_ID> \
          --security-rules-file <path_to_file_with_security_rules>

    Where --security-rules-file is the path to the YAML file with security rules.

    Result:

        id: fev450d61ucv********
        folder_id: b1gt6g8ht345********
        cloud_id: b1gia87mbaom********
        labels:
          label1: value1
          label2: value2
        name: my-new-profile
        description: my description
        default_action: DENY
        security_rules:
          - name: rule-condition-deny
            priority: "11111"
            dry_run: true
            rule_condition:
              action: DENY
              condition:
                authority:
                  authorities:
                    - exact_match: example.com
                    - exact_match: example.net
                http_method:
                  http_methods:
                    - exact_match: GET
                    - exact_match: POST
                request_uri:
                  path:
                    prefix_match: /search
                  queries:
                    - key: firstname
                      value:
                        pire_regex_match: .ivan.
                    - key: lastname
                      value:
                        pire_regex_not_match: .petr.
                headers:
                  - name: User-Agent
                    value:
                      pire_regex_match: .curl.
                  - name: Referer
                    value:
                      pire_regex_not_match: .bot.
                source_ip:
                  ip_ranges_match:
                    ip_ranges:
                      - 1.2.33.44
                      - 2.3.4.56
                  ip_ranges_not_match:
                    ip_ranges:
                      - 8.8.0.0/16
                      - 10::1234:1abc:1/64
                  geo_ip_match:
                    locations:
                      - ru
                      - es
                  geo_ip_not_match:
                    locations:
                      - us
                      - fm
                      - gb
            description: My first security rule. This rule it's just example to show possibilities of configuration.
        created_at: "2024-08-05T17:54:48.898624Z"

- For more information about the yc smartwebsecurity security-profile update command, see the CLI reference.
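
Because the update replaces the whole rule set, it helps to compute the kept rules mechanically and to compare profile snapshots taken before and after the update. The script below is an added example, not part of the Yandex Cloud documentation; it assumes the snapshots come from `yc smartwebsecurity security-profile get <security_profile_name_or_ID> --format json`, and the function names and the trimmed sample profile are constructed for illustration.

```python
import json

# Constructed sample: trimmed JSON form of the profile shown in the `get` result above.
BEFORE = json.loads("""
{"name": "my-new-profile", "default_action": "DENY", "security_rules": [
  {"name": "rule-condition-deny", "priority": "11111", "dry_run": true,
   "rule_condition": {"action": "DENY"}},
  {"name": "rule-condition-allow", "priority": "2",
   "rule_condition": {"action": "ALLOW"}},
  {"name": "smart-protection-full", "priority": "11",
   "smart_protection": {"mode": "FULL"}}]}
""")


def rules_without(profile, rule_name):
    """Return the full rule list minus exactly one rule (hypothetical helper)."""
    rules = profile.get("security_rules", [])
    hits = [r for r in rules if r["name"] == rule_name]
    if len(hits) != 1:
        raise ValueError(f"expected one rule named {rule_name!r}, found {len(hits)}")
    return [r for r in rules if r["name"] != rule_name]


def check_update(before, after, rule_name):
    """Compare snapshots taken before and after the update.

    Returns a list of problems; an empty list means only rule_name was removed.
    """
    old = {r["name"]: r for r in before.get("security_rules", [])}
    new = {r["name"]: r for r in after.get("security_rules", [])}
    problems = []
    if rule_name in new:
        problems.append(f"still present: {rule_name}")
    for name in sorted(old.keys() - new.keys() - {rule_name}):
        problems.append(f"unexpectedly removed: {name}")
    for name in sorted(new.keys() - old.keys()):
        problems.append(f"unexpectedly added: {name}")
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            problems.append(f"changed: {name}")
    return problems


if __name__ == "__main__":
    kept = rules_without(BEFORE, "rule-condition-allow")
    # Use the kept rules as the checklist for the rules file you save.
    print(json.dumps([r["name"] for r in kept]))
    print(check_update(BEFORE, dict(BEFORE, security_rules=kept), "rule-condition-allow"))
```

A non-empty result from `check_update` means the rules file did not contain the full intended set, which is the situation the alert above describes.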
Use the update REST API method for the SecurityProfile resource or the SecurityProfileService/Update gRPC API call.