[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Step-by-step guides](index.md) > WAF profiles > Adding an exclusion rule

# Adding a WAF exclusion rule

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the [WAF profile](../concepts/waf.md).
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/waf.svg) **WAF profiles**.
  1. Select the profile where you want to add an [exclusion rule](../concepts/waf.md#exclusion-rules).
  1. In the left-hand menu, go to the ![image](../../_assets/console-icons/file-xmark.svg) **Exclusion rules** tab and click **Create exception rule**. In the window that opens:
      1. Name the exclusion rule.
      1. Optionally, provide a description.
      1. Optionally, enable **Write logs** to log exception rule triggering.
      1. Under **Scope**, select rules from the basic set to which the exclusion will apply:
          * `All rules`: Exclusion will apply to all rules.
          * `Selected rules`: Exclusion will apply to the selected rules.

              Click **Add rules** to select rules from the basic set.

      1. Under **Traffic conditions**, specify the traffic the rule will apply to:
         * `All traffic`: Rule will apply to all traffic.
         * `On condition`: Rule will apply to the traffic defined in the **Conditions** field:
             * `IP`: IP address, IP address range, or IP address region.
             * `HTTP header`: HTTP header string.
             * `Request URI`: Request path.
             * `Host`: Domain receiving the request.
             * `HTTP method`: Request method.
             * `Cookie`: Cookie header string.
             * `Bot name`: Names of legitimate bots owned by various companies and services.
             * `Bot category`: Verified bot categories based on their purpose or nature of action.
             * `Verified bot`: Filtering based on whether the bot is verified (`yes` or `no`).
             * `Bot score`: Filtering based on request bot score, from `0` (the lowest, represents a human) to `100` (the highest, represents a bot).
             * `FingerPrint`: SSL/TLS connection [fingerprint](../concepts/botes.md#fingerprint).
         
             You can set multiple conditions of the same type by selecting all the condition types you need in the **Conditions** field.
         
             You can also set multiple conditions of the same type at the same time by clicking ![plus-sign](../../_assets/console-icons/plus.svg) **and** or ![plus-sign](../../_assets/console-icons/plus.svg) **or** in the section with the condition you need.
         
             To delete a condition, click ![options](../../_assets/console-icons/trash-bin.svg).

      1. Click **Create**.

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  1. Open the Terraform configuration file and edit the `yandex_sws_waf_profile` description: add the `exclusion_rule` section with a WAF exclusion rule.

      ```hcl
      # WAF profile
      resource "yandex_sws_waf_profile" "default" {
        name = "waf-profile-default"
        core_rule_set {
          inbound_anomaly_score = 2
          paranoia_level        = local.waf_paranoia_level
          rule_set {
            name    = "OWASP Core Ruleset"
            version = "4.0.0"
          }
        }

        ...

        # Exclusion rule
        exclusion_rule {
          name = "<exclusion_rule_name>"
          condition {
            source_ip {
              ip_ranges_match {
                ip_ranges = [
                  "<IP_address_range_1>",
                  "<IP_address_range_2>",
                  ...
                  "<IP_address_range_n>"
                ]
              }
              ip_ranges_not_match {
                ip_ranges = [
                  "<IP_address_range_3>",
                  "<IP_address_range_4>",
                  ...
                  "<IP_address_range_y>"
                ]
              }
            }
          }

          exclude_rules {
            exclude_all = <true_or_false>
            rule_ids    = [
              "rule_ID_1",
              "rule_ID_2",
              ...
              "rule_ID_n",
            ]
          }
        }
      }
      ```

      Where:
      * `exclusion_rule`:
         * `name`: Exclusion rule name.
         * `condition`: [Conditions](../concepts/conditions.md) for the exception rule to trigger. The above example uses a condition based on the traffic source IP address.

            Under `condition`, you can specify multiple different condition types at the same time.
         * `exclude_rules`: Exclusion rule settings:
            * `exclude_all`: Exclusion will apply to all rules. It can be either `false` or `true`.
            * `rule_ids`: List of IDs of rules from the basic set to which the exclusion will apply. To specify individual rules, set `exclude_all` to `false`.

      For more information about `sws_waf_profile` properties in Terraform, see [this provider guide](../../terraform/resources/sws_waf_profile.md).

  1. Create the resources:

       1. In the terminal, navigate to the configuration file directory.
       1. Make sure the configuration is correct using this command:
       
          ```bash
          terraform validate
          ```
       
          If the configuration is valid, you will get this message:
       
          ```bash
          Success! The configuration is valid.
          ```
       
       1. Run this command:
       
          ```bash
          terraform plan
          ```
       
          You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
       1. Apply the configuration changes:
       
          ```bash
          terraform apply
          ```
       
       1. Type `yes` and press **Enter** to confirm the changes.

  You can check the resource update in the [management console](https://console.yandex.cloud).

- API {#api}

  Use the [update](../waf/api-ref/WafProfile/update.md) REST API method for the [WafProfile](../waf/api-ref/WafProfile/index.md) resource or the [WafProfile/Update](../waf/api-ref/grpc/WafProfile/update.md) gRPC API call.

{% endlist %}

### Useful links {#see-also}

* [Configuring WAF rule sets](configure-set-rules.md)
* [Deleting a WAF exclusion rule](exclusion-rule-delete.md)
* [Adding a rule to a security profile](rule-add.md)