Creating a WAF profile

Written by

Updated at April 22, 2025

Management console

Terraform

API

In the management console, select the folder you want to create a WAF profile in.
In the list of services, select Smart Web Security.
In the left-hand panel, select WAF profiles and click Create WAF profile.
Enter the profile name.
(Optional) Enter a description.
(Optional) Add labels for your profile.
By default, the WAF profile uses the OWASP Core Rule Set. Click the row with the rule set to view the rules it includes.
Click Create.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

In the configuration file, define the parameters of the resources you want to create:
```
# In the basic set, rules of this paranoia level and below will be active
locals {
  waf_paranoia_level = <paranoia_level>
}

# OWASP Core Rule Set data source
data "yandex_sws_waf_rule_set_descriptor" "owasp4" {
  name    = "OWASP Core Ruleset"
  version = "4.0.0"
}

# WAF profile
resource "yandex_sws_waf_profile" "default" {
  name = "<WAF_profile_name>"

  # Basic rule set
  core_rule_set {
    inbound_anomaly_score = <anomaly_threshold>
    paranoia_level        = local.waf_paranoia_level
    rule_set {
      name    = "OWASP Core Ruleset"
      version = "4.0.0"
    }
  }

  # Activating rules from the basic set if their paranoia level is not higher than specified in the waf_paranoia_level variable
  dynamic "rule" {
    for_each = [
      for rule in data.yandex_sws_waf_rule_set_descriptor.owasp4.rules : rule
      if rule.paranoia_level <= local.waf_paranoia_level
    ]
    content {
      rule_id     = rule.value.id
      is_enabled  = true
      is_blocking = false
    }
  }
```
Where:
- waf_paranoia_level: Paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the higher the probability of WAF false positives.
- data "yandex_sws_waf_rule_set_descriptor": Terraform data source for a basic rule set. From the data source, you can get a list of rules and their IDs.
- resource "yandex_sws_waf_profile": Terraform resource to manage the WAF profile.
  - name: WAF profile name.
  - core_rule_set: Basic rule set:
    - inbound_anomaly_score: Anomaly threshold. This is the sum of anomaly values of the triggered rules that will block the request. Possible values: from 2 to 10,000. The higher the value, the more likely it is that the request satisfying the rules is in fact an attack.
    - paranoia_level: Paranoia level classifies rules according to their aggression. The higher the paranoia level, the better the protection, but also the higher the probability of false positives. Possible values: from 1 to 4.
      
      Note
      
      The paranoia level has no effect on enabling or disabling rules, it only serves as a recommendation for the user to enable all rules with paranoia_level less than or equal to the specified value.
    - rule_set: Rule set. Specify name (name) and version (version) of the rule set.
  - dynamic "rule": Dynamic activation of rules from the basic set if their paranoia level is not higher than set in the waf_paranoia_level variable. For dynamically configured rules, you can change the parameters manually. For example, you can turn a rule into a blocking one or activate a rule with the paranoia level higher than specified in the variable.
    - rule_id: Rule ID.
    - is_enabled: Flag to enable or disable a rule.
    - is_blocking: Blocking rule flag.
For more information about the yandex_sws_waf_profile resource parameters in Terraform, see the relevant provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.

Terraform will create all the required resources. You can check the new resources using the management console.

After creating a WAF profile, you can customize a set of basic rules and exception rules.

Use the create REST API method for the WafProfile resource or the WafProfile/Create RPC API call.

Creating a WAF profile

See also

Was the article helpful?

Creating a WAF profile

See alsoSee also

Was the article helpful?

See also