[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Step-by-step guides](index.md) > Security profiles > Editing a rule

# Editing a rule in a security profile

You can edit basic [rules](../concepts/rules.md), as well as Smart Protection and WAF rules, in a [security profile](../concepts/profiles.md). ARL rules are [edited in an ARL profile](arl-rule-update.md). If editing rules causes an error, make sure the service account has the `logging.writer` role.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the security profile.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![shield-check](../../_assets/console-icons/shield-check.svg) **Security profiles**.
  1. Select the profile where you want to edit a rule.
  1. On the **Security rules** tab, click ![options](../../_assets/console-icons/ellipsis.svg) next to the rule in question and select **Edit**.
  1. In the window that opens, configure the new rule:
  
      1. Name the rule.
      1. Optionally, enter a description.
      1. Set the rule priority. The rule you add will have a higher priority than the preconfigured rules.
      
          {% note info %}
          
          The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:
          * Basic default rule: `1000000`.
          * Smart Protection rule providing full protection: `999900`.
          
          {% endnote %}
      
          Learn more about rule priorities in [Overview of how rules work](../concepts/rules.md#rules-order).
      
      1. Optionally, enable **Only logging (dry run)** if you want only to log data about the traffic matching the specified conditions without applying any actions to it.
      1. Select the rule type:
          * [**Base**](../concepts/rules.md#base-rules): Allows, denies, or forwards traffic to [Yandex SmartCaptcha](../../smartcaptcha/index.md) under specified conditions.
          * [**Smart Protection**](../concepts/rules.md#smart-protection-rules): Sends traffic for automatic processing by machine learning and behavioral analysis algorithms and redirects suspicious requests to Yandex SmartCaptcha for additional verification.
          * [**Web Application Firewall**](../concepts/rules.md#waf-rules): Integrates rules from a WAF profile and redirects suspicious requests to Yandex SmartCaptcha.
      
              For a WAF rule, select or [create a WAF profile](waf-profile-create.md).
      1. Select an [action](../concepts/rules.md#rule-action):
          * For a basic rule:
            * `Deny`.
            * `Allow`.
            * `Show CAPTCHA`: To show the CAPTCHA selected in the security profile.
          * For a Smart Protection or WAF rule:
      
            * `Full protection`: To redirect suspicious requests to SmartCaptcha after verification.
            * `API protection`: To block suspicious requests after verification.
      
      1. Optionally, select or [create](template-create.md) a response template that will be returned to the client whenever a rule triggers. The standard Yandex Cloud template is used by default.
      1. Under **Conditions for traffic**, specify the traffic the rule will apply to:
         * `All traffic`: The rule will be used to analyze the whole traffic.
         * `On condition`: The rule will be used to analyze the traffic specified in the **Conditions** field:
             * `IP`: IP address, IP address range, IP address region, or [address list](../concepts/lists.md).
             * `HTTP header`: HTTP header string.
             * `Request URI`: Request path.
             * `Host`: Domain receiving the request.
             * `HTTP method`: Request method.
             * `Cookie`: Cookie header string.
             * `Bot name`: Names of legitimate bots owned by various companies and services.
             * `Bot category`: Verified bot categories based on their purpose or nature of action.
             * `Verified bot`: Filtering based on whether the bot is verified (`yes` or `no`).
             * `Bot score`: Filtering based on request bot score, from `0` (the lowest, represents a human) to `100` (the highest, represents a bot).
             * `FingerPrint`: SSL/TLS connection [fingerprint](../concepts/botes.md#fingerprint).
         
             You can set multiple conditions by selecting all the condition types you need in the **Conditions** field.
         
             You can also set multiple conditions of the same type by clicking ![plus-sign](../../_assets/console-icons/plus.svg) **and** or ![plus-sign](../../_assets/console-icons/plus.svg) **or** in the section with the condition you need.
         
             To delete a condition, click ![options](../../_assets/console-icons/trash-bin.svg).
      
      1. Click **Add**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of current security profiles in the default folder, run this command:

     ```bash
     yc smartwebsecurity security-profile list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------+---------------------+----------------+------------+-------------+
     |          ID          |       NAME        |       CREATED       | DEFAULT ACTION | CAPTCHA ID | RULES COUNT |
     +----------------------+-------------------+---------------------+----------------+------------+-------------+
     | fev3s055oq64******** | my-new-profile    | 2024-08-05 06:57:18 | DENY           |            |           1 |
     | fevlqk8vei9p******** | my-sample-profile | 2024-08-05 06:57:28 | DENY           |            |           2 |
     +----------------------+-------------------+---------------------+----------------+------------+-------------+
     ```

  1. Update the security profile by applying the [YAML](https://en.wikipedia.org/wiki/YAML) configuration with updated description of the current security rules:
  
     1. To get the YAML configuration for the current security rules in the profile, run this command specifying the security profile name or ID:

         ```bash
         yc smartwebsecurity security-profile get <security_profile_name_or_ID>
         ```
         
         {% cut "Result:" %}
         
         ```yaml
         id: fev450d61ucv********
         folder_id: b1gt6g8ht345********
         cloud_id: b1gia87mbaom********
         labels:
           label1: value1
           label2: value2
         name: my-new-profile
         description: my description
         default_action: DENY
         security_rules:
           - name: rule-condition-deny
             priority: "11111"
             dry_run: true
             rule_condition:
               action: DENY
               condition:
                 authority:
                   authorities:
                     - exact_match: example.com
                     - exact_match: example.net
                 http_method:
                   http_methods:
                     - exact_match: GET
                     - exact_match: POST
                 request_uri:
                   path:
                     prefix_match: /search
                   queries:
                     - key: firstname
                       value:
                         pire_regex_match: .ivan.
                     - key: lastname
                       value:
                         pire_regex_not_match: .petr.
                 headers:
                   - name: User-Agent
                     value:
                       pire_regex_match: .curl.
                   - name: Referer
                     value:
                       pire_regex_not_match: .bot.
                 source_ip:
                   ip_ranges_match:
                     ip_ranges:
                       - 1.2.33.44
                       - 2.3.4.56
                   ip_ranges_not_match:
                     ip_ranges:
                       - 8.8.0.0/16
                       - 10::1234:1abc:1/64
                   geo_ip_match:
                     locations:
                       - ru
                       - es
                   geo_ip_not_match:
                     locations:
                       - us
                       - fm
                       - gb
             description: My first security rule. This rule it's just example to show possibilities of configuration.
         created_at: "2024-08-05T17:54:48.898624Z"
         ```
         
         {% endcut %}

     1. Copy the current rule configuration (the `security_rules` section contents) to any text editor and save it to a file after editing it as needed. In the example below, we edited the rule name and replaced the `DENY` action with `ALLOW`:

         {% cut "security-rules.yaml" %}

         ```yaml
         - name: rule-condition-allow
           priority: "11111"
           dry_run: true
           rule_condition:
             action: ALLOW
             condition:
               authority:
                 authorities:
                   - exact_match: example.com
                   - exact_match: example.net
               http_method:
                 http_methods:
                   - exact_match: GET
                   - exact_match: POST
               request_uri:
                 path:
                   prefix_match: /search
                 queries:
                   - key: firstname
                     value:
                       pire_regex_match: .ivan.
                   - key: lastname
                     value:
                       pire_regex_not_match: .petr.
               headers:
                 - name: User-Agent
                   value:
                     pire_regex_match: .curl.
                 - name: Referer
                   value:
                     pire_regex_not_match: .bot.
               source_ip:
                 ip_ranges_match:
                   ip_ranges:
                     - 1.2.33.44
                     - 2.3.4.56
                 ip_ranges_not_match:
                   ip_ranges:
                     - 8.8.0.0/16
                     - 10::1234:1abc:1/64
                 geo_ip_match:
                   locations:
                     - ru
                     - es
                 geo_ip_not_match:
                   locations:
                     - us
                     - fm
                     - gb
         ```

         {% endcut %}

         {% note alert %}
         
         When you change the rules in the security profile, all the existing rules will be deleted. Make sure the updated YAML file includes the full set of rules that the security profile should use.
         
         {% endnote %}

     1. To update a security profile, run this command specifying the profile name or ID:
    
         ```bash
         yc smartwebsecurity security-profile update <security_profile_name_or_ID> \
            --security-rules-file <path_to_file_with_security_rules>
         ```

         Where `--security-rules-file` is the path to the [YAML](https://en.wikipedia.org/wiki/YAML) file with the description of security rules.


         {% cut "Result:" %}

         ```yaml
         id: fev450d61ucv********
         folder_id: b1gt6g8ht345********
         cloud_id: b1gia87mbaom********
         labels:
           label1: value1
           label2: value2
         name: my-new-profile
         description: my description
         default_action: DENY
         security_rules:
           - name: rule-condition-allow
             priority: "11111"
             dry_run: true
             rule_condition:
               action: ALLOW
               condition:
                 authority:
                   authorities:
                     - exact_match: example.com
                     - exact_match: example.net
                 http_method:
                   http_methods:
                     - exact_match: GET
                     - exact_match: POST
                 request_uri:
                   path:
                     prefix_match: /search
                   queries:
                     - key: firstname
                       value:
                         pire_regex_match: .ivan.
                     - key: lastname
                       value:
                         pire_regex_not_match: .petr.
                 headers:
                   - name: User-Agent
                     value:
                       pire_regex_match: .curl.
                   - name: Referer
                     value:
                       pire_regex_not_match: .bot.
                 source_ip:
                   ip_ranges_match:
                     ip_ranges:
                       - 1.2.33.44
                       - 2.3.4.56
                   ip_ranges_not_match:
                     ip_ranges:
                       - 8.8.0.0/16
                       - 10::1234:1abc:1/64
                   geo_ip_match:
                     locations:
                       - ru
                       - es
                   geo_ip_not_match:
                     locations:
                       - us
                       - fm
                       - gb
             description: My first security rule. This rule it's just example to show possibilities of configuration.
         created_at: "2024-08-05T17:54:48.898624Z"
         ```

         {% endcut %}

  For more information about the `yc smartwebsecurity security-profile update` command, see the [CLI reference](../../cli/cli-ref/smartwebsecurity/cli-ref/security-profile/update.md).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  1. Open the Terraform configuration file and edit the `security_rule` section in the `yandex_sws_security_profile` description:

      ```hcl
      resource "yandex_sws_security_profile" "demo-profile-simple" {
        name                             = "<security_profile_name>"
        default_action                   = "DENY"
        captcha_id                       = "<captcha_ID>"
        advanced_rate_limiter_profile_id = "<ARL_profile_ID>"

        # Smart Protection rule
        security_rule {
          name     = "smart-protection"
          priority = 99999

          smart_protection {
            mode = "API"
          }
        }

        #Basic rule
        security_rule {
          name = "base-rule-geo"
          priority = 100000
          rule_condition {
            action = "ALLOW"
            condition {
              source_ip {
                geo_ip_match {
                  locations = ["ru", "kz"]
                }
              }
            }
          }
        }

        # WAF profile rule
        security_rule {
          name     = "waf"
          priority = 88888

          waf {
            mode           = "API"
            waf_profile_id = "<WAF_profile_ID>"
          }
        }
      }
      ```

      For more information about `yandex_sws_security_profile` properties in Terraform, see [this provider guide](../../terraform/resources/sws_security_profile.md).

  1. Create the resources:

       1. In the terminal, navigate to the configuration file directory.
       1. Make sure the configuration is correct using this command:
       
          ```bash
          terraform validate
          ```
       
          If the configuration is valid, you will get this message:
       
          ```bash
          Success! The configuration is valid.
          ```
       
       1. Run this command:
       
          ```bash
          terraform plan
          ```
       
          You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
       1. Apply the configuration changes:
       
          ```bash
          terraform apply
          ```
       
       1. Type `yes` and press **Enter** to confirm the changes.

  You can check the resource update using the [management console](https://console.yandex.cloud) or this [CLI](../../cli/index.md) command:

  ```bash
  yc smartwebsecurity security-profile get <security_profile_ID>
  ```

- API {#api}

  Use the [update](../api-ref/SecurityProfile/update.md) REST API method for the [SecurityProfile](../api-ref/SecurityProfile/index.md) resource or the [SecurityProfileService/Update](../api-ref/grpc/SecurityProfile/update.md) gRPC API call.

{% endlist %}

### Useful links {#see-also}

* [Deleting a rule from a security profile](rule-delete.md)