Creating a WAF profile

Written by

Updated at September 24, 2025

Management console

Terraform

API

In the management console, select the folder where you want to create a WAF profile.
In the list of services, select Smart Web Security.
In the left-hand panel, select WAF profiles and click Create WAF profile.
Name the profile.
Optionally, provide a description.
Optionally, add labels to your profile.
Enable one or multiple rule sets. OWASP Core Rule Set, Yandex Ruleset, Yandex ML Ruleset. Click the row with the rule set to view its rules.
For OWASP Core Rule Set, select a rule set version.
If multiple rule sets are enabled:
- Select the profile trigger conditions:
  - Verdict returned in at least one selected rule set: At least one rule set has recognized the request as a threat.
  - Verdict returned in all rule sets: All added rule sets have recognized the request as a threat.
- Arrange rule sets in the order of priority in which the rules will analyze the request. Top positions indicate higher priority.
Click Create.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

In the configuration file, describe the resources you want to create:
```
# In the basic set, rules of this paranoia level and below will be enabled
locals {
  waf_paranoia_level = <paranoia_level>
}

# OWASP Core Rule Set data source
data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

# WAF profile
resource "yandex_sws_waf_profile" "default" {
  name = "<WAF_profile_name>"

  # Basic rule set
  core_rule_set {
    inbound_anomaly_score = <anomaly_threshold>
    paranoia_level        = local.waf_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  # Enabling rules from the basic set if their paranoia level is not higher than the value defined in the waf_paranoia_level variable
  dynamic "rule" {
    for_each = [
      for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
      if rule.paranoia_level <= local.waf_paranoia_level
    ]
    content {
      rule_id     = rule.value.id
      is_enabled  = true
      is_blocking = false
    }
  }
```
Where:
- waf_paranoia_level: Paranoia level which classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the greater the risk of WAF false positives.
- data "yandex_sws_waf_rule_set_descriptor": Terraform data source for the basic rule set. From the data source, you can get a list of rules and their IDs.
- resource "yandex_sws_waf_profile": Terraform resource to manage the WAF profile.
  - name: WAF profile name.
  - core_rule_set: Basic rule set:
    - inbound_anomaly_score: Anomaly threshold which is the total anomaly score of triggered rules that results in blocking the request. The possible values range from 2 to 10,000. The higher the value, the more likely it is that the request matching the rules is in fact an attack.
    - paranoia_level: Paranoia level which classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the greater the risk of false positives. The possible values range from 1 to 4.
      
      Note
      
      The paranoia level itself has no effect on enabling or disabling rules but serves as a recommendation for users to enable all rules with paranoia_level less than or equal to the specified value.
    - rule_set: Rule set. Specify its name and version.
  - dynamic "rule": Dynamically enabling the rules in the basic set if their paranoia level is not higher than the value defined in the waf_paranoia_level variable. You can manually edit the settings of dynamically configured rules. For example, you can turn a rule into a blocking one or enable a rule with the paranoia level higher than the one defined in the variable.
    - rule_id: Rule ID.
    - is_enabled: Flag to enable or disable a rule.
    - is_blocking: Blocking rule flag.
For more information about yandex_sws_waf_profile properties, see this Terraform provider article.
Create the resources:
1. In the terminal, go to the directory where you edited the configuration file.
2. Make sure the configuration file is correct using this command:
```
terraform validate
```
  If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
4. Apply the changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.

Terraform will create all the required resources. You can check the new resources in the management console.

After creating a WAF profile, you can configure a set of basic rules and exclusion rules.

Use the create REST API method for the WafProfile resource or the WafProfile/Create RPC API call.

Creating a WAF profile

See also

Was the article helpful?

Creating a WAF profile

See alsoSee also

Was the article helpful?

See also