[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Tutorials](index.md) > Managing traffic sources

# Managing traffic sources

Smart Web Security allows you to configure request processing rules according to the source of traffic. For example, you can separately process requests from the Tor network, VPNs, anonymous networks, public proxies, or from individual countries.

All this is done with the help of preset Yandex Cloud [IP address lists](../concepts/lists.md). These lists group IP addresses and networks together based on a particular characteristic, e.g., being Tor or VPN. The service maintains and regularly updates the lists.

This guide describes how to set up common traffic filtering rules based on source.

## Setup steps {#steps}

1. [Create a security profile](#profile-create).
1. [Set up a rule for Tor, proxy, and anonymous networks](#configure-source-rules).
1. [Set up a rule for VPN traffic](#configure-vpn-rules).
1. [Set up a rule based on regions](#configure-geo-rules).
1. [Check the order of executing the rules](#rules-order).
1. [Connect a security profile to the resources](#profile-connect).
1. [Test the rules in logging mode](#dry-run).
1. [Activate the production mode](#production).

## Required paid resources {#paid-resources}

* Fee for the number of requests to Smart Web Security based on plans detailed in [Yandex Smart Web Security pricing policy](../pricing.md).
* Fee for the infrastructure of the protected resource depending on its location.

This guide assumes that you already have a configured web resource in your Yandex Cloud infrastructure. If your web resource is located in a different infrastructure, connect it to a proxy server as per [Setting up basic protection in Smart Web Security](sws-basic-protection.md).

## Create a security profile {#profile-create}

This guide uses a ready-made security profile template.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder the protected resources are in.
  1. Navigate to **Smart Web Security**.
  1. In the left-hand panel, select ![image](../../_assets/smartwebsecurity/profiles.svg) **Security profiles**.
  1. Click **Create profile** and select **From a preset template**.

      A preset profile includes:
      
      * [Basic default rule](../concepts/rules.md#base-rules) enabled for all traffic with the `Allow` [action type](../concepts/rules.md#rule-action).
      * [Smart Protection rule](../concepts/rules.md#smart-protection-rules), `sp-rule-1`, enabled for all traffic with the `Full protection` action type.
   
  1. Enter a name for the profile, e.g., `sources-manage`.

  1. Enable test mode for the `sp-rule-1` Smart Protection rule:
     1. For **Action for the default base rule**, select `Allow`.
     1. Click ![image](../../_assets/console-icons/ellipsis.svg) next to `sp-rule-1` and select **Edit**.
     1. Enable **Only logging**.
     1. Click **Save changes**.

  1. Under **Fine-tuning ML models**, do not withdraw your consent to the use of HTTP request info to improve your machine learning models. Otherwise, Smart Web Security will not be getting the data it needs to investigate security incidents.
  1. Click **Create**.

{% endlist %}


## Set up a rule for Tor, proxy, and anonymous networks {#configure-source-rules}

Such traffic is identified with the help of the `is_tor`, `is_proxy`, and `is_anonymous` lists.

{% list tabs group=instructions %}

- Management console {#console}

  1. Open the security profile you created earlier.
  1. Click ![image](../../_assets/console-icons/plus.svg) **Add rule**.
  1. Enter a name for the rule, e.g., `traffic-sources-rule`.
  1. Enable **Only logging**.
  1. Set a higher priority than the Smart Protection rules, e.g., `9100`.
  1. Specify the rule settings:
     * **Type**: `Base`.
     * **Traffic**: `On condition`.
     * **Conditions**: `IP`.
     * **Conditions for IP**: `IP belongs to the list`.
  1. For the `is_tor` list, select `Deny`.
  1. Create a separate rule or add an additional condition for the `is_proxy` and `is_anonymous` lists with the `Show CAPTCHA` action.
  1. Click **Add**.

{% endlist %}

This set of rules helps block traffic from Tor immediately and, separately, check requests from public proxies and anonymous networks via SmartCaptcha.

## Set up a rule for VPN traffic {#configure-vpn-rules}

VPN traffic is identified with the help of the `is_vpn` and `is_ml_vpn` lists.

You can set separate processing rules for such traffic as per your security policy: allow, block, require CAPTCHA, or apply further restrictions in the ARL profile.

{% note warning %}

VPN traffic detection is based on Yandex Cloud IP addresses and does not guarantee complete accuracy. False positives and false negatives are a possibility. Your decision to block VPN traffic should align with your business scenarios, as some of your real users may be using VPN.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the security profile, click ![image](../../_assets/console-icons/plus.svg) **Add rule**.
  1. Enter a name for the rule, e.g., `vpn-traffic-rule`.
  1. Enable **Only logging**.
  1. Set up priority for the rule to be executed in the right order relative to other rules in the lists.
  1. Specify the rule settings:
     * **Type**: `Base`.
     * **Traffic**: `On condition`.
     * **Conditions**: `IP`.
     * **Conditions for IP**: `IP belongs to the list`.
  1. Select the list: `is_vpn` or `is_ml_vpn`.
  1. Select the VPN traffic action:
     * `Allow`: If VPN traffic is allowed.
     * `Deny`: If VPN traffic has to be blocked.
     * `Show CAPTCHA`: If further verification is required.
  1. Click **Add**.

{% endlist %}

To limit the request rate for VPN traffic, [create an ARL profile](../operations/arl-profile-create.md) and add to it a [rule](../operations/arl-rule-add.md) with conditions for the `is_vpn` and `is_ml_vpn` lists.

## Set up a rule based on regions {#configure-geo-rules}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the security profile, click ![image](../../_assets/console-icons/plus.svg) **Add rule**.
  1. Enter a name for the rule, e.g., `geo-traffic-rule`.
  1. Enable **Only logging**.
  1. Set a higher priority than the Smart Protection rules but with due consideration for existing list-based rules.
  1. Specify the rule settings:
     * **Type**: `Base`.
     * **Traffic**: `On condition`.
     * **Conditions**: `IP`.
     * **IP conditions**: `IP belongs to region` or `IP does not belong to region`.
  1. Select the countries of interest using the two-letter code, e.g., `RU`, `KZ`, `BY`.
  1. Select an action:
     * `Allow`: To allow traffic.
     * `Deny`: To bock traffic.
     * `Show CAPTCHA`: To send requests to SmartCaptcha.
  1. Click **Add**.

{% endlist %}

If your service targets only a few countries, it is best to use the `IP does not belong to region` condition. Then you can explicitly specify allowed regions and restrict the rest of the traffic.

## Check the order of executing the rules {#rules-order}

Security profile rules are applied on first-to-trigger basis. Therefore, specify the processing order ahead of time:

* First come the _allowing_ rules for trusted traffic.
* Then, rules for high-risk sources.
* Then, rules based on regions.
* After that, the Smart Protection rules and other general rules.

For more on the order of executing the rules, click [here](../concepts/rules.md#rules-order).

## Test the rules in logging mode {#dry-run}

Keep the new rules in the **Only logging** mode for a few days. During which period:

* Analyze which requests are covered by the rules.
* Estimate the share of legitimate traffic.
* Update your lists, regions, and actions.

Use logs and the service's monitoring capabilities for your analysis. For more information, see [Configuring logging via Smart Web Security](../operations/configure-logging.md) and [Monitoring in Smart Web Security](../operations/monitoring.md).

## Activate the production mode {#production}

After testing, disable **Only logging** for the rules. Keep on monitoring and updating the rules as needed.

#### Useful links {#see-also}

* [Lists](../concepts/lists.md)
* [Conditions](../concepts/conditions.md)
* [Managing bot traffic](../concepts/botes.md)
* [Setting up basic protection in Smart Web Security](sws-basic-protection.md)