Setting up basic protection in Smart Web Security

Written by
Yandex Cloud
Updated at November 12, 2025
  • Steps
  • Required paid resources
  • Get your cloud ready
  • Create a protected resource
    • Prepare data about the resource
    • Create a proxy server
    • Add a domain
    • Set up your infrastructure
    • Check your resource status
  • Set up DDoS and anti-bot protection
    • Create a security profile
    • Set up filtering by IP address lists
    • Set up filtering by regions
    • Set up an allowing rule for captcha
    • Check the sequence in which the rules will apply
    • Connect the security profile to the resources
    • Test your security profile in logging mode
    • Test your security profile in real mode
  • Set up load limitations
    • Create an ARL profile
    • Set up ARL rules
    • Add your ARL profile to the security profile
    • Test the ARL rules
  • Set up the web application firewall
    • Create a WAF profile
    • Configure the OWASP basic rule set
    • Create an exclusion rule
    • Add your WAF profile to the security profile
    • Test the WAF rules
  • Further configuration of security policies

Smart Web Security (SWS) protects web resources from internet threats by filtering malicious traffic.

For individual customization, you can connect several Smart Web Security tools:

  • Basic rules for simple filtering.
  • Smart Protection rules for DDoS protection.
  • SmartCaptcha for protection against bots.
  • Web Application Firewall (WAF) as a safeguard from exploitation of vulnerabilities.
  • Advanced Rate Limiter (ARL) for traffic limiting.

Setting up each tool includes these steps: adding rules, testing them in real-world conditions, and adjusting. We recommend setting up the tools one by one, starting from the basic and Smart Protection rules. This will allow you to quickly enable protection and easily monitor and adjust your rules.

In this guide, you will set up web resource protection using SWS tools connected to a security profile, an essential SWS element. Security profile setup involves rule adjustment based on real web application traffic. So here we assume that you already have a configured web resource in Yandex Cloud or another infrastructure.

Steps

  1. Connecting resources to Yandex Cloud:

    1. Get your cloud ready
    2. Create a protected resource
  2. Set up DDoS and anti-bot protection:

    1. Create a security profile
    2. Set up filtering by IP address lists
    3. Optionally, set up filtering by regions
    4. Set up an allowing rule for captcha
    5. Check the sequence in which the rules will apply
    6. Connect the security profile to your resources
    7. Test your security profile in logging mode
    8. Test your security profile in real mode
  3. Set up load limitations:

    1. Create an ARL profile
    2. Set up ARL rules
    3. Add your ARL profile to the security profile
    4. Test the ARL rules
  4. Optionally, set up the web application firewall:

    1. Create a WAF profile
    2. Configure basic rules
    3. Create an exclusion rule
    4. Add your WAF profile to the security profile
    5. Test the WAF rules

Required paid resources

  • Fee for the number of requests to Smart Web Security.
  • Fee for the Application Load Balancer or API Gateway infrastructure if using one. You will not be charged for the domain infrastructure.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Create a protected resource

You can connect a security profile to various types of resources:

  • Virtual host or ingress controller to protect resources that use Yandex Application Load Balancer.
  • API Gateway API gateway to protect the APIs of your applications.
  • Domain to protect your website or web application hosted in Yandex Cloud, your internal infrastructure, or other platforms.

This guide assumes that you already have a configured web resource. If your resource is not in Yandex Cloud or you are not using Application Load Balancer and API Gateway, create a domain by following the steps below. You can also see the documentation of other services with Smart Web Security support and set up the relevant infrastructure.


Application Load Balancer evenly distributes incoming traffic between nodes, thus preventing overload and improving fault tolerance.

API gateway is the single entry point for APIs of various services, enabling requests management, routing, authentication, and so forth.

Domain is a server, website, or application that processes external requests to a web address. For domain protection, Smart Web Security provides a proxy server with load balancing, request analysis and routing, and basic DDoS protection.

The proxy server has an MTU limit of 1,450 bytes for all packets.

Note

Domain protection is at the Preview stage.

Prepare data about the resource

  • Address of the domain the web application is running on. You need access to the domain management interface to update the A record.
  • Server IP address, port and protocol used by the web application.
  • Valid private key and TLS certificate for this domain in PEM-encoded format. Certificates with RSA-2048 and RSA-4096 keys are supported.

Create a proxy server

Management console
  1. In the management console, select your folder.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select Domain security.

  4. Click Create proxy server.

  5. Enter a name for the proxy server, e.g., test-proxy.

  6. Enable the Log requests option.

  7. Select an existing log group or create a new one.

  8. Click Create server.

    To work with the proxy server, a service account with the monitoring.editor, smart-web-security.admin, certificate-manager.admin, logging.writer roles will be created.

    Creating a proxy server can take several minutes. Wait for the server to get the Active status. After that, you can add a domain.

Add a domain

Management console
  1. In the left-hand menu, go to the Domains tab and click Add domain.

  2. Enter the address of the domain your web application is in, e.g., example.com.

  3. Click Continue.

  4. Select the connection type used by your application. We recommend the secure HTTPS protocol.

  5. If you use Certificate Manager and have added your domain certificate to it, select it from the list.

  6. If not using Certificate Manager, click Create → Custom certificate.

    1. Enter a name for the certificate.
    2. Copy or upload the private key, certificate, and intermediate certificate chain as a file in PEM format.
    3. Click Create certificate.
  7. Click Continue.

  8. Under Target resources, set up the targets:

    1. IP address and port your web application runs on.
    2. Optionally, expand the Connect target resources section to select the protocol your web application runs on.
  9. Click Add domain.

After you create a domain, the domain parameters overview page will open. Under How do I activate protection?, copy the proxy server IP address, as you will need it in the next step.

Set up your infrastructure

  1. Add a resource A record to your domain's public DNS zone, with values specified as follows:

    • Record name: Your domain's address, ending with a dot, e.g., example.com. or my.first.example.com. (note the trailing dot).
    • Value: Proxy server's IPv4 address you obtained in the previous step.

    This record redirects requests coming to your domain to the proxy server IP address.

    Note

    If your domain is delegated to Yandex Cloud DNS, create a resource record according to this guide. Otherwise, use your domain name registrar's personal account. If you have any questions, refer to the relevant documentation or contact the registrar's support service.

  2. In your server settings, block all incoming connections except those from Yandex Cloud IP addresses.

Check your resource status

Management console
  1. Under Domain security, select the new proxy server.

  2. In the left-hand menu, go to the Domains tab and select the new domain.

  3. Under Target resources, check that your resource's status is Healthy.

    If it is not, the proxy server cannot connect to your resource. Check your web server address and network settings. Make sure access to the web server is allowed from Yandex Cloud IP addresses.

  4. In the left-hand panel, check that your domain's status is Healthy.

    If it is not, verify the domain address and the A record, and check the certificate for validity.

Set up DDoS and anti-bot protection

Create a security profile

You configure the security profile according to your threat model, i.e., a description of your service-specific potential risks, attack actors, and vulnerabilities. If you are setting up your protection without professional cybersecurity assistance, we recommend using the preconfigured profile template set up by Yandex Cloud experts. This will ensure the basic level of protection and help reduce the probability of configuration errors.

This guide uses a ready-made security profile template.

Management console
  1. In the management console, select the folder the protected resources are in.

  2. In the list of services, select Smart Web Security.

  3. In the left-hand panel, select Security profiles.

  4. Click Create profile and select From a preset template.

    A preset profile includes:

    • Basic default rule enabled for all traffic with the Deny action type.
    • Smart Protection rule, sp-rule-1, enabled for all traffic with the Full protection action type.
  5. Enter a name for the profile, e.g., site-protection.

  6. Enable test mode for the sp-rule-1 Smart Protection rule:

    1. For Action for the default base rule, select Allow.
    2. Click next to sp-rule-1 and select Edit.
    3. Enable Only logging.
    4. Click Save changes.

    Note

    Rules in a security profile apply based on the first triggered rule in the priority order. Rules in the Only logging mode do not actually apply. Logs only collect the information on possible rule triggering. That is why the first triggered rule will be the basic default rule with the Deny action type. This will block all traffic to your resource. To prevent this, switch the basic default rule to the Allow mode.

    You will be charged for the traffic handled by the rules in the Only logging mode. For more information, see Yandex Smart Web Security pricing policy.

  7. Optionally, set up security policies for API calls.

    If your service additionally handles requests to a public API, set up an additional Smart Protection rule with the API protection action. In contrast to full protection, in this mode requests are not sent to SmartCaptcha for an additional check for automated traffic. Enable the Only logging mode for this rule as well.

    1. Click Add rule.
    2. Enter a name for the rule, e.g., api-protection.
    3. Set a higher priority than that of the full protection rule, e.g., 900000.
    4. Enable Only logging.
    5. Specify the rule settings:
      • Rule type: Smart Protection.
      • Action: API protection.
      • Traffic: On condition.
      • Conditions: Request URI.
      • Request path: Relative path for requests to the API. Let’s assume your primary domain is example.com, and requests to the API are received at example.com/api. In this case, select Starts with as a condition and specify this path: /api.
    6. Click Create profile.
  8. Under Fine-tuning ML models, consent to the use of HTTP request information to tune machine learning models. Otherwise, Smart Web Security will not get data for investigating security incidents.

  9. Click Create.

Set up filtering by IP address lists

IP address lists allow you to optimize traffic checks by allowing requests from trusted (white) addresses. You can instantly block insecure or questionable addresses or redirect their requests to SmartCaptcha.

Smart Web Security has pre-installed lists of untrusted (black) IP addresses. You can manually add lists of white addresses, e.g., addresses of your counterparties or partners. You can also add your own lists of black addresses.

Management console
  1. Add your own black and white address lists.

    1. In the left-hand panel, select Lists.
    2. Click Create list.
    3. Enter a name for the list, e.g., my-partners, and click Create list.
    4. Click Add addresses.
    5. Enter or upload a list of white addresses that you do not need to filter.
    6. Click Save changes.
    7. If needed, add a list of black addresses.
  2. Configure a rule for blocking by IP address lists.

    1. In the left-hand panel, select Security profiles and select the site-protection profile.
    2. Click Add rule.
    3. Enter a name for the rule, e.g., block-by-list.
    4. Set a higher Priority than that of the Smart Protection rules, e.g., 9100.
    5. Enable Only logging.
    6. Specify the rule settings:
      • Type: Base.

      • Action: Deny or Show CAPTCHA.

      • Traffic: On condition.

      • Conditions: IP.

      • Conditions for IP: IP belongs to the list.

      • Select the is_ddoser list (IP addresses used in DDoS attacks). Requests from these addresses will be blocked.

      • To add another list, click + and select a list.

        Add the pre-installed is_tor list (IP addresses of the Tor network used for traffic anonymization), the pre-installed is_anonimous list (IP addresses of anonymous networks frequently used to hide one's identity), and your own black lists.

    7. Click Add.
  3. Set up an allowing rule to allow all requests from white IP addresses.

    1. In the site-protection profile, click Add rule.
    2. Enter a name for the rule, e.g., allow-by-list.
    3. Set a higher Priority than that of the blocking rule for black lists, e.g., 9000.
    4. Enable Only logging.
    5. Specify the rule settings:
      • Type: Base.
      • Action: Allow.
      • Traffic: On condition.
      • Conditions: IP.
      • Conditions for IP: IP belongs to the list.
      • Select the white address lists you created earlier.
    6. Click Add.

Set up filtering by regions

If your service does not expect traffic from certain countries, you can set up policies to handle such traffic, e.g., block it or redirect it to captcha.

Management console
  1. In the site-protection profile, click Add rule.

  2. Enter a name for the rule, e.g., block-by-geo.

  3. Enable Only logging.

  4. Set a higher Priority than that of the Smart Protection rules, but lower than that of the rules for IP address lists, e.g., 9200.

  5. Specify the rule settings:

    • Type: Base.

    • Action: Deny or Show CAPTCHA.

    • Traffic: On condition.

    • Conditions: IP.

    • Conditions for IP: IP belongs to the region.

    • Select a region where your service is not available, e.g., CN, US, or IN.

      To add another region, click +.

    Tip

    If your service operates only in certain regions, select the IP does not belong to the region condition. In the list, specify the target region, e.g., RU. Traffic from other regions will be blocked.

    You can check the region of an IP address at ipinfo.io or with an ASN provider.

  6. Click Add.

Set up an allowing rule for captcha

An allowing rule for SmartCaptcha is required in case the Deny action is set for the default basic rule and the requests are sent to SmartCaptcha for verification.

  1. In the left-hand panel, click Security profiles and select site-protection.
  2. Click Add rule and in the window that opens:

    1. Enter a name for the rule, e.g., allow-captcha.

    2. Set Priority higher than that of the rules sending requests to captcha checks.

    3. Enable Only logging.

    4. Specify the rule settings:

      • Type: Base.
      • Action: Allow.
      • Traffic: On condition.
      • Conditions: Request URI.
      • Request path: Matches the regular expression.
      • Enter this expression: /(captcha_smart.*\.(css|js)|showcaptcha|checkcaptcha).
    5. Click Add.

Note

If the Deny action is set for the default basic rule and the requests are sent to SmartCaptcha for verification, add a basic rule that allows requests to the CAPTCHA. The address of the allowed request matches the regular expression /(captcha_smart.*\.(css|js)|showcaptcha|checkcaptcha). Set the rule to have a higher priority than the rules sending requests to CAPTCHA.

Check the sequence in which the rules will apply

Security profile rules apply to all traffic according to the priority: the lower the number, the higher the priority. The sequence in which the rules will apply is provided in the table below.

Priority | Rule name      | Action          | Rule description
---------|----------------|-----------------|---------------------------------------------
8000     | allow-captcha  | Allow           | Basic for captcha
9000     | allow-by-list  | Allow           | Basic for white IP addresses
9100     | block-by-list  | Deny            | Basic for black IP addresses
9200     | block-by-geo   | Deny            | Basic by regions
900000   | api-protection | API protection  | Smart Protection for the public API
999900   | sp-rule-1      | Full protection | Smart Protection from a ready-made template
1000000  |                | Allow           | Basic default

The Allow action is set for the basic default rule, while other rules are in the Logging only (dry run) mode. When switching rules to the real mode, set the Deny action for the basic default rule.
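The note in the security profile section and the table above describe how first-match evaluation interacts with the Only logging mode. The following added example (written for this guide, not Smart Web Security code) models that behaviour: rule names and priorities follow the table, the allow-captcha expression is the one given earlier, and the address lists, regions and request fields are constructed stand-ins. It shows that while the profile is in logging mode the default rule is the only one that is enforced, so a Deny default blocks everything, and that in real mode the captcha and white-list allow rules win over the blocking rules because of their lower priority numbers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of security-profile rule evaluation (illustration only,
# not the Smart Web Security implementation). Conditions are simplified.


@dataclass
class Request:
    ip: str
    path: str
    region: str          # two-letter region code, as used by the block-by-geo rule


@dataclass
class Rule:
    name: str
    priority: int                          # lower number = checked earlier
    action: str                            # ALLOW, DENY, CAPTCHA, API_PROTECTION, FULL_PROTECTION
    condition: Callable[[Request], bool]   # "Traffic: On condition"; always True = all traffic
    dry_run: bool                          # "Only logging": the match is recorded, never enforced


# Constructed sample lists and regions (stand-ins for the Lists section).
WHITE_LIST = ["203.0.113.0/24"]            # e.g. partner addresses
BLACK_LIST = ["198.51.100.0/24"]           # stands in for is_ddoser, is_tor and own black lists
BLOCKED_REGIONS = {"CN", "US", "IN"}
# The allow-captcha expression exactly as given in the guide.
CAPTCHA_RE = re.compile(r"/(captcha_smart.*\.(css|js)|showcaptcha|checkcaptcha)")


def ip_in(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def build_profile(default_action: str, dry_run: bool) -> List[Rule]:
    """The site-protection profile from the table. The default rule is never in
    Only logging mode, so its action is what applies while everything else is dry-run."""
    return [
        Rule("allow-captcha", 8000, "ALLOW", lambda r: CAPTCHA_RE.search(r.path) is not None, dry_run),
        Rule("allow-by-list", 9000, "ALLOW", lambda r: ip_in(r.ip, WHITE_LIST), dry_run),
        Rule("block-by-list", 9100, "DENY", lambda r: ip_in(r.ip, BLACK_LIST), dry_run),
        Rule("block-by-geo", 9200, "DENY", lambda r: r.region in BLOCKED_REGIONS, dry_run),
        Rule("api-protection", 900000, "API_PROTECTION", lambda r: r.path.startswith("/api"), dry_run),
        Rule("sp-rule-1", 999900, "FULL_PROTECTION", lambda r: True, dry_run),
        Rule("default", 1000000, default_action, lambda r: True, False),
    ]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str, Optional[Tuple[str, str]]]:
    """Walk the rules in priority order. The first enforced match decides the verdict;
    the first dry-run match is only recorded (what the logs show as dry_run_matched_rule).
    Returns (verdict, enforcing rule name, recorded dry-run match or None)."""
    dry_run_match = None
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.condition(req):
            continue
        if rule.dry_run:
            if dry_run_match is None:
                dry_run_match = (rule.name, rule.action)
            continue
        return rule.action, rule.name, dry_run_match
    raise RuntimeError("a profile always ends with a default rule")


if __name__ == "__main__":
    attacker = Request("198.51.100.7", "/", "RU")
    # Testing phase: default Allow, other rules only logged. Traffic keeps flowing and
    # the log records that block-by-list would have denied this request.
    print(evaluate(build_profile("ALLOW", True), attacker))
    # Same phase with a Deny default: every request ends at Deny, the outage the note warns about.
    print(evaluate(build_profile("DENY", True), Request("192.0.2.10", "/", "RU")))
    # Real mode: default Deny and all rules enforced.
    print(evaluate(build_profile("DENY", False), attacker))
```

The captcha allow rule only works because its priority number (8000) is below that of every rule that can send a request to SmartCaptcha; with an unescaped dot in the expression it would also match unrelated paths, which is why the backslash before the dot matters.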

Connect the security profile to the resources


To connect a virtual host in Application Load Balancer:

  1. If the load balancer is managed by an Application Load Balancer ingress controller, use the ingress resource annotation.

    Tip

    We recommend using the new Yandex Cloud Gwin controller instead of an Application Load Balancer Ingress controller.

  2. If the load balancer is managed by you, select the created profile under Security profiles.

  3. At the top right, click Connect to host.

  4. In the window that opens, select the following in the given order:

    • Load balancer.
    • HTTP router.
    • Virtual host. You can associate the security profile with multiple virtual hosts at once.

    To associate the profile with another L7 load balancer, click Add load balancer.

  5. Click Connect.

You will see the associated virtual host under Connected hosts.

The security profile is assigned to a particular virtual host of the L7 load balancer, with all incoming host traffic analyzed. If analysis of traffic to certain host routes is not required, disable the security profile for those routes. You can do this by using the --disable-security-profile (disableSecurityProfile) parameter when adding or updating a route via the CLI, API, or Terraform.

When adding routes, consider their order: a request will follow the first route with a matching predicate, so place the most specific routes first. Otherwise, the shared route may intercept requests, and the specific rules will not apply.

To connect an API gateway:

  1. Under Security profiles, copy the ID of the profile you need.
  2. Specify the x-yc-apigateway:smartWebSecurity extension when creating an API gateway or in the existing API gateway specification.
  3. Specify the copied ID in the extension.

To connect a domain:

  1. Under Domain security → Domains, select the required domain.
  2. In the top menu, click Connect security profile and select the site-protection security profile.

Test your security profile in logging mode

Note

Keep the rules in the Only logging mode for a few days. This will help you detect false positives, while your service will continue to operate.

To see how the security profile rules work, check the logs.

L7 load balancer
  1. Make sure that logging is configured.
  2. In the list of services, select Application Load Balancer.
  3. Select the load balancer with an associated security profile.
  4. Select Logs.

API gateway
  1. Make sure that logging is configured.
  2. In the list of services, select API Gateway.
  3. Select the API gateway with an associated security profile.
  4. Select Logs.

Domain
  1. Make sure that logging is configured.
  2. In the list of services, select Smart Web Security.
  3. In the left-hand panel, select Domain security.
  4. Select the proxy server your security profile is associated with.
  5. Select Logs.

On the Logs page (the same for all three resource types):

  • Select the number of messages per page and the period, e.g., 1 hour.

  • In the Query field, specify your query using the filter expression language and click Run.

    Request examples

    • Show requests which triggered a Smart Protection rule with a CAPTCHA challenge (in logging mode):

      json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = CAPTCHA

    • Similar request without the logging mode:

      json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA

    • Show requests blocked by basic rules based on any conditions (in logging mode):

      json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = RULE_CONDITION and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = DENY

    • Similar request without the logging mode:

      json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION and json_payload.smartwebsecurity.matched_rule.verdict = DENY

For more information about working with logs, see Configuring logging via Smart Web Security.
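To see what the log queries above select, here is an added example written for this page (not Yandex Cloud code). It implements only the subset of the filter language the queries use, equality clauses joined by and, and runs them over constructed log records that contain just the fields the queries name. In these constructed records, entries written in Only logging mode carry the would-be verdict under dry_run_matched_rule while matched_rule holds the verdict of the enforced default Allow rule (an assumption of the sample data); that is why a query mixing the two fields selects nothing.

```python
import json
from typing import Any, List, Optional

# Constructed log lines. Lines 0 and 1: rules in Only logging mode (enforced rule is the
# default Allow rule, the dry-run match records what would have happened).
# Lines 2 and 3: real mode, only matched_rule is present.
SAMPLE_LOG_LINES = [
    '{"json_payload": {"smartwebsecurity": {"dry_run_matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "CAPTCHA"}, "matched_rule": {"verdict": "ALLOW"}}}}',
    '{"json_payload": {"smartwebsecurity": {"dry_run_matched_rule": {"rule_type": "RULE_CONDITION", "verdict": "DENY"}, "matched_rule": {"verdict": "ALLOW"}}}}',
    '{"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "CAPTCHA"}}}}',
    '{"json_payload": {"smartwebsecurity": {"matched_rule": {"rule_type": "RULE_CONDITION", "verdict": "DENY"}}}}',
]

# The queries from the guide, plus the mixed-field variant that selects nothing.
Q_DRY_RUN_CAPTCHA = ("json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = SMART_PROTECTION "
                     "and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = CAPTCHA")
Q_REAL_CAPTCHA = ("json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION "
                  "and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA")
Q_DRY_RUN_DENY = ("json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = RULE_CONDITION "
                  "and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = DENY")
Q_REAL_DENY = ("json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION "
               "and json_payload.smartwebsecurity.matched_rule.verdict = DENY")
Q_MIXED = ("json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = RULE_CONDITION "
           "and json_payload.smartwebsecurity.matched_rule.verdict = DENY")


def lookup(record: Any, dotted_path: str) -> Optional[Any]:
    """Resolve a.b.c against nested dicts; a missing key yields None, i.e. no match."""
    node = record
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_query(query: str) -> List[tuple]:
    """Accepts 'path = VALUE' clauses joined by 'and'; anything else is rejected."""
    clauses = []
    for clause in query.split(" and "):
        path, sep, value = clause.partition("=")
        if not sep:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((path.strip(), value.strip()))
    return clauses


def matches(record: dict, query: str) -> bool:
    return all(lookup(record, path) == value for path, value in parse_query(query))


def run_query(lines: List[str], query: str) -> List[int]:
    """Indices of the log lines the query selects."""
    return [i for i, line in enumerate(lines) if matches(json.loads(line), query)]


if __name__ == "__main__":
    for name, q in [("dry-run captcha", Q_DRY_RUN_CAPTCHA), ("real captcha", Q_REAL_CAPTCHA),
                    ("dry-run deny", Q_DRY_RUN_DENY), ("real deny", Q_REAL_DENY), ("mixed", Q_MIXED)]:
        print(f"{name:16s} -> lines {run_query(SAMPLE_LOG_LINES, q)}")
```

When reviewing a few days of logging-mode traffic, run the dry-run queries first: every line they return is a request that would have been challenged or denied, so a legitimate client showing up there is a false positive to fix before switching to real mode.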

After testing the rules, make the required adjustments and test the rules again in the Only logging mode.

Test your security profile in real mode

Once you make sure the rules work correctly:

  1. Disable the Only logging mode for all security profile rules.
  2. Set the Deny action for the basic default rule.

Use logs and monitoring charts to check the performance of your rules:

Management console
  1. In the list of services, select Smart Web Security.
  2. Select Monitoring.
  3. Examine the data displayed on the charts:
    • Denied by Security Profile RPS: Number of incoming requests per second the security profile has checked and blocked.
    • Redirected to SmartCaptcha RPS: Number of incoming requests per second routed to SmartCaptcha for additional verification.

For detailed description of charts, see Monitoring in Smart Web Security.

Set up load limitations

After setting up and testing a security profile, set limitations for the number of requests. This will keep your service alive in case of accidental traffic spikes or request flooding during DDoS attacks.

Request limitations are set in an advanced rate limiter (ARL) profile. It runs checks after the security profile and only works with the traffic that passed the initial verification. Unlike security profile rules, ARL rules can be triggered simultaneously. In this case, a higher priority rule applies to the traffic.

To set a request limitation, estimate your standard service load first. If you use an L7 load balancer, you can do this in Application Load Balancer under Monitoring. The RPS chart displays the total number of incoming requests per second the load balancer receives. Set the request limit with a small margin. Instead of setting a limit for the whole traffic, you can set one by certain conditions, e.g., by region, by IP address range or list, by request address, etc.

Create an ARL profile

Management console
  1. In the management console, select the folder containing the security profile.
  2. In the list of services, select Smart Web Security.
  3. In the left-hand panel, select ARL profiles and click Create ARL profile.
  4. Enter a name for the profile, e.g., arl-site-protection.
  5. Click Create.

Set up ARL rules

Management console
  1. On the ARL profile page, click Add rule.

  2. Enter a name for the rule, e.g., arl-rule-1.

  3. In the Priority field, set the rule triggering priority, e.g., 1000.

    Since all ARL profile rules apply after the security profile rules, this priority applies only to ARL rules and is independent of the rule priority in the security profile.

  4. Enable the dry run (logging only) mode.

  5. Under Traffic conditions, select All traffic or On condition.

  6. Optionally, specify traffic conditions to apply the rule by.

  7. Under Request counting, select how to count requests for limiting:

    • No grouping: Count each request separately.
    • Grouping by property: Count requests within each group of requests sharing one or more properties. Optionally, enable Case-sensitive to put properties with the same values but in different cases into separate groups.
  8. Specify the request limit and select the time interval, e.g., 1000 per 1 minute.

  9. Click Save rule.
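The ARL settings above (priority among ARL rules only, dry run, grouping by property, case sensitivity, and a limit per interval) are modelled in this added example, written for this guide rather than taken from Smart Web Security. The counting uses a sliding window and the request properties are constructed; unlike the security profile, every ARL rule is evaluated, and among the rules that fire the one with the lowest priority number applies.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed model of ARL request counting (illustration only).


@dataclass
class Request:
    ip: str
    path: str


@dataclass
class ArlRule:
    name: str
    priority: int                    # ranks ARL rules only, independent of the security profile
    limit: int                       # requests allowed per interval
    interval_s: float                # e.g. 60 for "per 1 minute"
    group_by: Tuple[str, ...] = ()   # () = no grouping: all requests share one counter
    case_sensitive: bool = False     # False: "/Login" and "/login" fall into one group
    dry_run: bool = True             # Only logging: the limit is recorded, not enforced
    _windows: Dict[tuple, Deque[float]] = field(default_factory=lambda: defaultdict(deque), repr=False)

    def group_key(self, req: Request) -> tuple:
        values = tuple(getattr(req, prop) for prop in self.group_by)
        return values if self.case_sensitive else tuple(v.lower() for v in values)

    def register(self, req: Request, now: float) -> bool:
        """Count the request in its group; report whether the group is now over the limit."""
        window = self._windows[self.group_key(req)]
        while window and now - window[0] >= self.interval_s:   # expire old timestamps
            window.popleft()
        window.append(now)
        return len(window) > self.limit


def evaluate(rules: List[ArlRule], req: Request, now: float) -> Tuple[str, Optional[str], Optional[str]]:
    """Every ARL rule counts the request. Among the rules that fire, the highest-priority
    enforced one decides the verdict and the highest-priority dry-run one is logged.
    Returns (verdict, enforcing rule, dry-run rule that would have fired)."""
    fired = sorted((r for r in rules if r.register(req, now)), key=lambda r: r.priority)
    enforced = next((r for r in fired if not r.dry_run), None)
    logged = next((r for r in fired if r.dry_run), None)
    verdict = "DENY" if enforced else "ALLOW"
    return verdict, enforced.name if enforced else None, logged.name if logged else None


if __name__ == "__main__":
    # 3 requests per minute per client address, enforced; 1000 per minute overall, dry run.
    rules = [
        ArlRule("per-ip", 1000, 3, 60, group_by=("ip",), dry_run=False),
        ArlRule("total", 2000, 1000, 60, dry_run=True),
    ]
    client = Request("192.0.2.1", "/api/v1/items")
    for t in range(5):
        print(t, evaluate(rules, client, float(t)))     # 4th and 5th request are denied
    print(70, evaluate(rules, client, 70.0))            # window has slid: allowed again
```

Grouping by client address is what turns a limit sized from the RPS chart into per-client protection: a single flooding source is cut off while the rest of the traffic stays within the overall limit.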

Add your ARL profile to the security profile

Management console
  1. In the left-hand panel, select Security profiles.
  2. Open the site-protection security profile.
  3. Click Edit.
  4. From the list of ARL profiles, select arl-site-protection.
  5. Click Save.

Test the ARL rules

You usually need to test ARL rules only once, after which you can switch them to real mode. However, in certain cases, rules might require more testing and adjustment.

You can use Load Testing to perform a load test. For more information on configuring HTTP load, see Fixed-load HTTPS testing with Phantom.

Management console
  1. Open the L7 load balancer, API gateway, or proxy server your security profile is associated with.

  2. Select Logs.

  3. In the Query row, specify your query for ARL rule search and click Run.

    Request examples:

    • Show requests blocked by the ARL profile rules (in logging mode):
      json_payload.smartwebsecurity.dry_run_advanced_rate_limiter.verdict = DENY
      
    • Similar request without the logging mode:
      json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
      

After disabling the Only logging mode, use logs and monitoring charts to check the performance of your profile.

Management console
  1. In the list of services, select Smart Web Security.
  2. Select Monitoring.
  3. Examine the data displayed on the charts:
    • Allowed by ARL Profile RPS: Number of incoming requests per second not exceeding the ARL profile limit.
    • Denied by ARL Profile RPS: Number of incoming requests per second exceeding the ARL profile limit and blocked.

Set up the web application firewall

A web application firewall (WAF) protects your web apps from various vulnerability exploits and requires fine tuning depending on the specific features of your service.

When creating a WAF profile, multiple rule sets are available. For better protection, we recommend using multiple rule sets. For a quick setup, use ML WAF (Yandex Malicious Score) and Yandex Ruleset. These rule sets produce a minimum of false positives and may be used for initial protection. To enhance protection, use the pre-installed OWASP Core Ruleset, but make sure to tailor it to your service.

You need to set two parameters in the OWASP set:

  • Paranoia level: Determines the number of active rules. The higher the paranoia level, the more checks will be made. The first paranoia level is for the most precise rules that produce the lowest number of false positives. In test mode, start from the first level and gradually move up.

  • Anomaly threshold: Total threat score of a request. The score grows with each triggered rule, and once it exceeds the threshold, the request gets blocked. Start from the threshold of 25 and gradually reduce it.

    You can set any rule you deem critical for the service as a blocking rule. In this case, requests that trigger this rule get blocked regardless of the total score.

You may need to disable certain rules to prevent false positives and create exclusion rules. Since every service is unique, configuring this rule set may take a while.

Create a WAF profile

Management console
  1. In the management console, select the folder containing the security profile.
  2. In the list of services, select Smart Web Security.
  3. Go to the WAF profiles tab and click Create WAF profile.
  4. Enter a name for the profile, e.g., waf-site-protection.
  5. Enable rule sets, e.g., ML WAF and Yandex Ruleset. To view the rules a set includes, click the row with its description.
  6. Click Create.

Configure the OWASP basic rule set

Management console
  1. On the WAF profile page, click Configure next to the rule set.

  2. Set the Anomaly threshold, which is the total anomaly score of triggered rules that results in blocking the request, e.g., Moderate: 25 and more.

    We recommend that you start with an anomaly threshold of 25 and gradually reduce it to 5. To reduce the anomaly threshold, address WAF false positives triggered by legitimate requests. To do so, select rules from the basic set and configure exclusion rules.

  3. Set Paranoia level to Only 1.

    The paranoia level classifies rules based on how aggressive they are. The higher the paranoia level, the better the protection, but also the greater the risk of WAF false positives.

  4. Check the rules you included in the set. Add or delete them as needed. When using rules, pay attention to their anomaly scores and paranoia levels.

  5. If needed, set one or multiple rules as blocking ones by clicking to the right of the rule. Requests matching such a rule get blocked regardless of the anomaly threshold you set.

Create an exclusion rule

Management console
  1. Go to the Exclusion rules tab and click Create exception rule.

  2. Enter a name for the exclusion rule, e.g., exception-rule-1.

  3. Under Scope of use, specify rules from the active sets for which the exclusion will apply. You can either select All rules or specify particular rules from particular sets.

  4. Under Traffic conditions, select the triggering conditions for the exclusion rule.

    If you leave the Conditions field empty, the exclusion rule will apply to all traffic.

  5. Click Create.
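The paranoia level, anomaly threshold, blocking rules and exclusion rules described under "Set up the web application firewall" and configured in the two procedures above interact in a specific way, and a small evaluator makes that interaction visible: rules above the configured paranoia level are not evaluated at all, a blocking rule denies on its own, exclusion rules silence selected rules for matching traffic, and everything else is summed and compared with the threshold. This is an added illustration, not Yandex Cloud's WAF engine or the OWASP Core Ruleset itself; the rules, their ids (written in CRS numbering style but constructed), scores, patterns and the request format are all assumptions.

```python
"""Toy anomaly-scoring evaluator in the OWASP style described above.

Added illustration, not Yandex Cloud code and not the real OWASP Core Ruleset:
rule ids, patterns, scores and the request format are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class WafRule:
    rule_id: str
    pattern: str           # regex applied to the request target (path + query)
    paranoia_level: int    # 1..4: only rules at or below the configured level are evaluated
    score: int             # anomaly score added when the rule matches
    blocking: bool = False # a blocking rule denies regardless of the anomaly threshold


@dataclass
class ExclusionRule:
    name: str
    rule_ids: Optional[Set[str]]                   # None means "All rules"
    condition: Optional[Callable[[dict], bool]]    # None means the exclusion applies to all traffic

    def applies(self, request: dict, rule_id: str) -> bool:
        in_scope = self.rule_ids is None or rule_id in self.rule_ids
        traffic_matches = self.condition is None or self.condition(request)
        return in_scope and traffic_matches


# Constructed rule set (ids only imitate CRS numbering).
RULES = [
    WafRule("942100", r"(?i)union\s+select", paranoia_level=1, score=5, blocking=True),
    WafRule("941100", r"(?i)<script", paranoia_level=1, score=5),
    WafRule("930100", r"\.\./", paranoia_level=1, score=5),
    WafRule("920273", r"[^\x20-\x7e]", paranoia_level=3, score=3),   # non-printable/non-ASCII bytes
]


def evaluate(request: dict, rules: List[WafRule], paranoia_level: int,
             anomaly_threshold: int, exclusions: List[ExclusionRule] = ()) -> dict:
    """Score one request; a request is denied when its score reaches the threshold."""
    target = request["path"]
    total = 0
    matched = []
    for rule in rules:
        if rule.paranoia_level > paranoia_level:
            continue                      # rule is off at this paranoia level
        if any(ex.applies(request, rule.rule_id) for ex in exclusions):
            continue                      # silenced by an exclusion rule
        if re.search(rule.pattern, target):
            matched.append(rule.rule_id)
            if rule.blocking:
                return {"verdict": "DENY", "score": total + rule.score,
                        "matched": matched, "reason": "blocking rule"}
            total += rule.score
    denied = total >= anomaly_threshold
    return {"verdict": "DENY" if denied else "ALLOW", "score": total,
            "matched": matched, "reason": "anomaly threshold" if denied else ""}


if __name__ == "__main__":
    # Constructed request carrying a single XSS marker: at threshold 25 it passes, at 5 it is denied.
    req = {"path": "/search?q=<script>alert(1)"}
    print(evaluate(req, RULES, paranoia_level=1, anomaly_threshold=25))
    print(evaluate(req, RULES, paranoia_level=1, anomaly_threshold=5))
    # An editor endpoint that legitimately submits HTML: exclude rule 941100 for that path only.
    editor_ok = ExclusionRule("exception-rule-1", {"941100"}, lambda r: r["path"].startswith("/editor"))
    print(evaluate({"path": "/editor?body=<script>"}, RULES, 1, 5, [editor_ok]))
```

The two threshold runs show why the text says to start at 25 and work down to 5: with a single matching rule worth 5 points, a threshold of 25 logs the hit without denying, and only the lowered threshold turns it into a block, so the false positives that appear on the way down are exactly what the exclusion rules are for. The constructed exclusion keeps the rule active everywhere except on the one path where HTML in the body is expected.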

Add your WAF profile to the security profile

Management console
  1. In the left-hand panel, select Security profiles.
  2. Open the site-protection security profile.
  3. Click Add rule.
  4. Enter a name for the rule, e.g., waf-rule-1.
  5. Set a higher priority for the rule than that of the Smart Protection rules, e.g., 1111.
  6. Enable Only logging.
  7. Select Type: Web Application Firewall.
  8. In the list of WAF profiles, select waf-site-protection.

Test the WAF rules

Management console
  1. Open the L7 load balancer, API gateway, or proxy server your security profile is associated with.

  2. Select Logs.

  3. In the Query row, specify your query for WAF rule search and click Run.

    Request examples:

    • Show requests blocked based on the WAF profile, i.e., by the security profile WAF rules (in logging mode):
      json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = WAF and json_payload.smartwebsecurity.matched_rule.verdict = DENY
      
    • Similar request without the logging mode:
      json_payload.smartwebsecurity.matched_rule.rule_type = WAF and json_payload.smartwebsecurity.matched_rule.verdict = DENY
      
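The log queries under "Test the ARL rules" and "Test the WAF rules" share one shape: a dotted path into json_payload, `=`, a value, and clauses joined with `and`. When log exports are reviewed offline, the same filter is easy to reproduce; the following is an added example, not the Cloud Logging query engine (which accepts a richer grammar than this). Only the field paths come from the queries above; the log records, the request_id field and the SMART_PROTECTION rule type value are constructed.

```python
"""Offline filter for exported SWS log records using the query form shown above.

Added illustration, not Cloud Logging's query engine. Field paths are the
ones from the queries on this page; the records themselves are constructed.
"""
from typing import Any, List, Tuple

# Queries exactly as given on the page.
ARL_DRY_RUN_DENIED = "json_payload.smartwebsecurity.dry_run_advanced_rate_limiter.verdict = DENY"
ARL_DENIED = "json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY"
WAF_DENIED = ("json_payload.smartwebsecurity.matched_rule.rule_type = WAF "
              "and json_payload.smartwebsecurity.matched_rule.verdict = DENY")

# Constructed records; request_id is an assumed field used only to identify them here.
SAMPLE_LOGS = [
    {"request_id": "r1", "json_payload": {"smartwebsecurity": {
        # ARL rule in logging mode: would have been denied, was passed through
        "dry_run_advanced_rate_limiter": {"verdict": "DENY"},
        "advanced_rate_limiter": {"verdict": "ALLOW"}}}},
    {"request_id": "r2", "json_payload": {"smartwebsecurity": {
        "advanced_rate_limiter": {"verdict": "DENY"}}}},          # ARL rule in real mode: blocked
    {"request_id": "r3", "json_payload": {"smartwebsecurity": {
        "matched_rule": {"rule_type": "WAF", "verdict": "DENY"}}}},  # WAF rule in real mode: blocked
    {"request_id": "r4", "json_payload": {"smartwebsecurity": {
        "matched_rule": {"rule_type": "SMART_PROTECTION", "verdict": "ALLOW"}}}},  # constructed value
]


def lookup(record: dict, dotted_path: str) -> Any:
    """Walk a dotted path through nested dicts; missing keys yield None rather than an error."""
    current: Any = record
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split `path = value and path = value ...` into (path, value) clauses."""
    clauses = []
    for clause in query.split(" and "):
        path, sep, value = clause.partition("=")
        if not sep:
            raise ValueError(f"clause without '=': {clause!r}")
        clauses.append((path.strip(), value.strip()))
    return clauses


def run_query(records: List[dict], query: str) -> List[str]:
    """Return the request ids of records matching every clause of the query."""
    clauses = parse_query(query)
    return [r["request_id"] for r in records
            if all(str(lookup(r, path)) == value for path, value in clauses)]


if __name__ == "__main__":
    for name, q in [("ARL dry run", ARL_DRY_RUN_DENIED), ("ARL", ARL_DENIED), ("WAF", WAF_DENIED)]:
        print(f"{name}: {run_query(SAMPLE_LOGS, q)}")
```

Record r1 matters most during tuning: it is counted by the dry-run query but not by the real-mode one, which is how the logs show what a rule would do before it is allowed to block anything.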

Since WAF is configured for each web service individually, test WAF in logging mode for no less than a week. For ML WAF and Yandex Ruleset, the setup may take less time. During this stage, you may get false positives, so track them in the logs and adjust the rule parameters. For example, if rule 920280 gets triggered incorrectly when using HTTP/2, you can disable it immediately; this rule works correctly with HTTP/1.1.

Once WAF is configured and switched to the real mode, use logs and monitoring charts to regularly check the performance of its rules. This will allow you to track anomalies and adjust the protection specifically for your web app.

Further configuration of security policies

Each time you update or add security profile, WAF, or ARL rules, enable the Only logging mode. Activate a rule only after the logs confirm that it works correctly. This way you will avoid false positives and ensure stable operation of your web app.
