All Products
Search

This Product

    Web Application Firewall:Asset center

    Document Center

    Web Application Firewall:Asset center

    Last Updated:Feb 10, 2026

    The Asset Center feature of Web Application Firewall (WAF) organizes your domain name assets both on and off Alibaba Cloud. It assesses risk levels based on the attack status of your cloud assets, helping you understand the overall security posture of your services. You can enable protection for high-risk domain name assets to improve your overall security.

    Background information

    Network application assets are the most important carrier of network applications in a security management system and are the most fundamental components in a business system. As enterprise business rapidly develops, more business systems are used. A single enterprise may have multiple business systems, and employees may forget to release resources after they build websites or test environments. As a result, business systems may contain unmanaged zombie assets. The most vulnerable part of a business system determines the overall security of the system. In most cases, zombie assets use outdated versions of open source systems, components, or web frameworks, which have common vulnerabilities. Attackers can exploit these vulnerabilities to invade the internal network of an enterprise.

    The asset discovery feature can obtain the configurations of Alibaba Cloud services, such as Domains, SSL Certificates Service, and Alibaba Cloud DNS. Then, the feature, together with big data-enabled correlation analysis, can identify domain names in and outside the cloud based on the obtained configurations. This way, you can monitor the overall situation of all the domain names and make sure that all domain names are protected. The asset discovery feature calculates the security scores of domain names based on threat intelligence and the default attack detection capability of Alibaba Cloud. This way, you can identify the domain names that are vulnerable to attacks. Then, you can add the domain names to WAF to prevent attacks.

    Note

    The asset discovery feature can identify domain names from Alibaba Cloud and third-party providers. The domain names from third-party providers include the domain names of servers from third-party providers and the domain names of servers that are deployed in data centers.

    Step 1: Access Asset Center and grant WAF permissions to access cloud resources

    1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

    2. In the navigation pane on the left, click Asset Center.

    3. On the Asset Center page, click Enable Now.

      Note

      You only need to grant these permissions once. If you have already granted them, you can skip this step.

      • After you enable Asset Center for the first time, Alibaba Cloud automatically creates a service-linked role for WAF (AliyunServiceRoleForWAF). You can log on to the Resource Access Management (RAM) console to view the service-linked role that was automatically created for WAF. For more information, see View a RAM role.

        After the AliyunServiceRoleForWAF service-linked role is created, your WAF instance can access the resources of associated Alibaba Cloud services, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), Alibaba Cloud DNS, Alibaba Cloud CDN, Digital Certificate Management Service, and Simple Log Service (SLS).

      • After WAF is granted permissions to access cloud resources, it automatically detects the domain name assets associated with your Alibaba Cloud account and displays the information on the Asset Center page.

        Note

        Asset Center supports the detection of both Alibaba Cloud and non-Alibaba Cloud domain names. Non-Alibaba Cloud domain names include those that resolve to non-Alibaba Cloud servers and those used in on-premises data centers.

        To improve the accuracy of asset discovery, WAF enables active fingerprint scanning by default. For assets added to WAF, asset fingerprints are identified through passive traffic analysis and active probing. Active fingerprint scanning is performed every two weeks. Keep this feature enabled.

    Step 2: Add assets

    If a primary domain name that you want to monitor is not in the asset list, you can manually add it.

    1. On the Overview tab of the Asset Center page, click Add Asset.

    2. In the Add Asset dialog box, enter the website domain name and verify its ownership.

      • DNS record verification: Manually add the TXT record that is provided by WAF at your domain's DNS provider. This method is recommended.

      • File verification: Upload the verification file that is provided by WAF to a specified root directory on your origin server. This requires operational permission on the origin server and a security group policy that allows access from all IP addresses. This ensures that WAF can verify the file from the Internet.

    3. After you complete the preceding configurations, click Add.

    Note

    After you manually add an asset, it appears in the Asset Center list on the next day (T+1).

    Step 3: View assets

    On the Asset Center page, you can view the details of your domain name assets.

    资产中心

    Data Type

    Description

    Related actions

    Domain name asset data (Area ① in the figure)

    Displays data about the domain name assets associated with your Alibaba Cloud account. This includes the total number of primary domain names, the total number of subdomains and its change from the previous day, and the number of unprotected subdomains, categorized as high-risk, medium-risk, and low-risk.

    None

    Domain name asset details (Area ② in the figure)

    WAF aggregates and displays detected domain name assets, grouped by primary domain name. Each primary domain name includes the following information:

    • Second-level Domain Name: The primary domain name that is bound to the website.

    • IP Address: The IP address or CNAME of the website server.

    • Protected Subdomains: The number of subdomains that are protected by WAF.

    • Unprotected Subdomains: The number of subdomains that are not protected by WAF. This includes the number of high-risk, medium-risk, and low-risk subdomains.

    • In the search box above the domain name asset list, you can enter a keyword to search for a specific primary domain name. Fuzzy search is supported.

    • In the domain name asset list, click the 展开 icon to the left of a primary domain name to filter subdomains by configuration status and risk level. Subdomain information includes:

      • Subdomain: The subdomain that is bound to the website.

      • IP Address: The IP address or CNAME of the website server.

      • Fingerprint: The fingerprint information of the website server, which is identified through passive traffic analysis and active fingerprint scanning.

        The active fingerprint scanning switch is enabled after you grant permissions to Asset Center. You can use the switch in the upper-right corner of the domain name asset list to enable or disable active fingerprint scanning.

      • Severity: The risk level of the domain name, which is assessed based on attack trends over the last 30 days and threat intelligence data. For high-risk domain names, we recommend that you add them to WAF for protection as soon as possible to prevent intrusions.

      • Status: Indicates whether the website domain name is protected by WAF. The following statuses are available:

        • Not Added: The website domain name is not protected by WAF. You can click Add in the Actions column to add the domain name to WAF. For more information, see Add a domain name to WAF using a CNAME record.

        • Added: The website domain name is protected by WAF. WAF detects website traffic and provides comprehensive protection for the domain name.

    • Click Details in the Actions column of a subdomain to view its threat information.

      Note

      This feature is available only for WAF instances of the Enterprise and Ultimate editions.

    Step 4: Export assets

    1. On the Overview tab of the Asset Center page, select the primary domain names that you want to export and click the download 下载 icon in the upper-right corner to generate an export file.

    2. On the Export Record tab in Asset Center, click Download to export the domain name asset document.

      The exported file is temporarily stored on Alibaba Cloud and is automatically deleted after three days. You must download the file within this period.

      Note

      Only an Alibaba Cloud account can download the asset list. This feature is not supported for RAM users.