How to add and manage protected objects and protected object groups - Web Application Firewall

Protected objects and protected object groups are units for which protection rules take effect. You can associate a protected object or protected object group with a protection template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.

Background information

Protected objects

A protected object is the smallest unit for which WAF protection rules take effect. A protected object can be a cloud service instance or a domain name.

To add a protected object to WAF, you can use one of the following methods:

Automatic addition: After you enable WAF protection for a cloud service instance or add a domain name to WAF in CNAME record mode, the instance or domain name is automatically added as a protected object.
Manual addition: If you want to configure domain name-level protection rules for an Application Load Balancer (ALB) instance, Classic Load Balancer (CLB) instance, or Elastic Compute Service (ECS) instance for which you enable WAF protection, you can manually add the domain names as protected objects. For more information, see Manually add protected objects.

In different access modes, you can use different methods to add protected objects to WAF.

Mode	Automatic addition	Manual addition	Limits
Cloud native mode (Enable WAF protection for an ALB instance)	After you enable WAF protection for an ALB instance, the instance is automatically added as a protected object.	You can manually add the instance-related domain names as protected objects.	The maximum number of protected objects that can be added to WAF varies based on the WAF edition. Subscription: Basic Edition: Up to 300 protected objects can be added to WAF. Pro Edition: Up to 600 protected objects can be added to WAF. Enterprise Edition: Up to 2,500 protected objects can be added to WAF. Ultimate Edition: Up to 10,000 protected objects can be added to WAF. Pay-as-you-go: Up to 10,000 protected objects can be added to WAF. To view the number of protected objects that are added to your WAF instance and the number of protected objects that still can be added to your WAF instance, you can go to the Protected Objects page of the WAF 3.0 console. If you use a subscription WAF instance, the number of protected objects that you can add to your WAF instance is calculated by using the following formula: Maximum number of protected objects supported by the current edition - Number of free domain names supported by the current edition - Additional domain name quota that you purchase. For example, if you use a subscription WAF instance that runs Pro Edition and purchased an additional domain name quota of 2, you can add up to 593 protected objects to WAF because the edition supports 600 protected objects and 5 free domain names. The number is calculated by using the following formula: 600 - 5 - 2. If the number of protected objects that you add to WAF reaches the limit, you can no longer add domain names or cloud service instances to WAF. In addition, you can no longer purchase additional domain name quota. If you want to add more protected objects to WAF, you can remove protected objects that no longer require WAF protection from your WAF instance or upgrade your WAF instance. For more information, see Manage protected objects, Manage protected object groups, and Upgrade or downgrade a WAF instance.
Cloud native mode (Enable WAF protection for an MSE instance)	After you enable WAF protection for a Microservices Engine (MSE) instance, the instance is automatically added as a protected object. The routes of the instances are also added as protected objects.	Manual addition is not supported.
Cloud native mode (Enable WAF protection for a custom domain name bound to a web application in Function Compute)	After you enable WAF protection for a custom domain name in Function Compute, the domain name is automatically added as a protected object.	Manual addition is not supported.
Cloud native mode (Enable WAF protection for a layer 7 CLB instance, Add a Layer 4 CLB instance to WAF, and Enable WAF protection for an ECS instance)	After you add a CLB or ECS instance to WAF, the instance is automatically added as a protected object.	You can manually add the instance-related domain names as protected objects.
CNAME record mode	After you add a domain name to WAF, the domain name is automatically added as a protected object.	Manual addition is not supported.
Hybrid cloud - reverse proxy mode		Manual addition is not supported.
Hybrid cloud - SDK integration mode	Automatic addition is not supported.	You can manually add a domain name that is added to WAF as a protected object.

Protected object groups

A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.

Note

A protected object can belong to only one protected object group.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
If you want to manually add a CLB or ECS-related domain name as a protected object and the domain name resides in the Chinese Mainland, you must apply for an Internet Content Provider (ICP) filing for the domain name.
Note
When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you specify.

Manually add protected objects

If you want to configure protection rules for domain names that meet the following conditions, perform the following steps to manually add the domain names as protected objects:

The domain names are configured to point to ALB or CLB instances or hosted on ECS instances, and the instances are added to WAF in cloud native mode.
The domain names are added to WAF in hybrid cloud - SDK integration mode.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Objects tab, click Add Protected Object.

In the Add Protected Object dialog box, configure the Protected Object Type parameter and other parameters. Then, click OK. The other parameters that you need to configure vary based on the value of the Protected Object Type parameter.

Cloud Service

If you want to add an ALB, CLB, or ECS-related domain name as a protected object, set the Protected Object Type parameter to Cloud Service. Then, configure the other parameters. The following table describes the parameters.

Parameter	Description
Domain Name	The domain name that you want to add to WAF. You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `aliyundoc.com`. If you enter a wildcard domain name, WAF does not match the subdomains of the wildcard domain name at different levels. For example, if you enter `.aliyundoc.com`, WAF does not match `www.example.aliyundoc.com`. If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name at the same level. For example, if you enter `*.aliyundoc.com`, WAF matches subdomains such as `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
Cloud Service	The cloud service on which the origin server is deployed. Valid values: ALB: ALB service CLB4: Layer 4 CLB service CLB7: Layer 7 CLB service ECS: ECS service
Instance	The ID of the cloud service instance. This parameter is required only if you set the Cloud Service parameter to ALB. Note If your ALB instance does not exist in the drop-down list, add the instance to WAF first. For more information, see Add an ALB instance to WAF.
Add to Protected Object Group	The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.

SDK-based Traffic Mirroring

If you want to add a domain name that is added to WAF 3.0 in hybrid cloud - SDK integration mode as a protected object, set the Protected Object Type parameter to SDK-based Traffic Mirroring. Then, configure the other parameters. The following table describes the parameters.

Parameter	Description
Protected Object Name	The name of the protected object that you want to add to WAF.
Domain Name/IP Address	The domain name or IP address that you want to add to WAF. You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `aliyundoc.com`. If you enter a wildcard domain name, WAF does not match the subdomains of the wildcard domain name at different levels. For example, if you enter `.aliyundoc.com`, WAF does not match `www.example.aliyundoc.com`. If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name at the same level. For example, if you enter `*.aliyundoc.com`, WAF matches subdomains such as `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
URL	The URL that you want to add to WAF.
Add to Protected Object Group	The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.

After you add a protected object to WAF, you can view and manage the protected object in the protected object list. For more information, see Manage protected objects.

Create a protected object group

You can create a protected object group, associate protected objects with the protected object group, and configure protection rules for multiple protected objects at the same time.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Object Group tab, click Create.
In the Create Protected Object Group dialog box, configure the Name, Associate with Protected Object, and Description parameters. Then, click OK.
Note
- Only protected objects that do not belong to a protected object group and use the default protection template are displayed in the Objects to Select section below Associate with Protected Object.
- If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you can add the protected object to the current protected object group. For more information, see Modify a protected object group.
After you create a protected object group, you can manage the protected object group on the Protected Object Group tab. For more information, see Manage protected object groups.

Manage protected objects

On the Protected Objects tab, you can view and manage protected objects.

Feature		Description
Settings	Configure Client IP Address	If a Layer 7 proxy is deployed in front of WAF, you can specify the method that you want WAF to use to obtain the IP addresses of clients. Layer 7 proxies include Anti-DDoS Proxy and Alibaba Cloud CDN. This way, WAF can obtain the originating IP addresses of clients, match requests with protection rules, such as IP address blacklist rules, and display details in security reports, such as source IP addresses. Find the protected object that you want to manage and click Settings in the Actions column. In the Settings panel, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter. Note If you configured this parameter when you added a domain name to WAF in CNAME record mode or when you added a CLB or ECS instance to WAF, you do not need to configure the parameter again. If you configured this parameter when you enabled WAF protection for an ALB instance, MSE instance, or custom domain name in Function Compute or when you added a domain name to WAF in hybrid cloud - SDK integration mode, you do not need to configure the parameter again.
	Cookie Settings	When the HTTP flood protection and scan protection features are enabled, WAF inserts `acw_tc` into requests that do not include the `acw_tc` cookie. This helps WAF identify and distinguish between different clients. WAF can determine whether HTTP flood attacks are initiated based on the client cookie information, HTTP flood protection rules, scan protection rules with Statistical and Blocked Object set to Session, custom rules with Rate Limiting turned on and Statistical Object set to Session, and statistical results. You can turn on or turn off Status to enable or disable the Tracking Cookie feature. If you want WAF to use acw_tc to mark only HTTPS requests, turn on Secure Attribute. Important We recommend that you turn on Status. Otherwise, the HTTP flood protection and scan protection features may not function as expected. By default, if you add a protected object to a protected object group, the Tracking Cookie feature is enabled and cannot be disabled, and Secure Attribute is turned on for the protected object. You cannot turn on Secure Attribute for MSE instances or custom domain names in Function Compute. If a request is sent to multiple protected objects and the Tracking Cookie feature is enabled or Secure Attribute is turned on for one of the protected objects, the same features are enabled for the other protected objects.
	Slider CAPTCHA Cookie	If a request passes slider CAPTCHA verification, WAF uses `acw_sc__v3` to mark the request. If you want WAF to use acw_sc__v3 to mark only HTTPS requests, you can turn on Secure Attribute. Important If you turn on Secure Attribute, slider CAPTCHA verification may not function as expected on HTTP requests. By default, if you add a protected object to a protected object group, Secure Attribute is turned off and cannot be turned on for the protected object. You cannot turn on Secure Attribute for MSE instances or custom domain names in Function Compute.
View and configure protection rules		Find the protected object that you want to manage and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object. Note After you add a protected object to a protected object group, the protection rules that are configured for the protected object group take effect for the protected object. If you do not add a protected object to a protected object group, the default protection rules take effect for the protected object. For more information, see the description of the default protection template in Protection configuration overview. You can also configure additional protection rules for protected objects on the Protection Rules page. For more information, see Basic web protection.
Add a protected object to a protected object group		Find the protected object that you want to manage and choose > Add to Protected Object Group in the Actions column. If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list.
View protection logs		Find the protected object whose protection logs you want to view and choose > View Logs in the Actions column. You are redirected to the Log Service page. On this page, you can enable the log collection feature for the protected object and view the protection logs of the protected object. For more information, see Enable or disable the Simple Log Service for WAF feature.
Remove a protected object from WAF		Find the protected object that you want to manage and choose > Delete in the Actions column. Note You can remove only domain names that are manually added as protected objects. To remove a CLB or ECS instance from WAF, perform the following steps: Go to the Website Configuration page. Find the instance or redirection port that you want to remove from WAF and click Remove in the Actions column. Then, remove the protected object.
Add tags to or remove tags from a protected object		You can use tags to search for specific resources in the WAF console. Find the protected object that you want to manage, move the pointer over the icon in the Tag column, and then click Edit. In the Edit Tag dialog box, configure the Tag Key and Tag Value parameters. Note You can add up to 20 tag keys below the Tag Key parameter and leave the Tag Value parameter empty. When you specify a value for the Tag Key or Tag Value parameter, make sure that the value is 1 to 128 characters in length, does not contain `http://` or `https://`, and does not start with `acs:` or `aliyun`. You can add or modify tags on the Protected Objects page or Website Configuration page. The latest tag settings are synchronized between the two pages. You can also select multiple protected objects and then add tags to or remove tags from the protected objects at the same time.

Manage protected object groups

On the Protected Object Group tab, you can view and manage protected object groups.

Feature		Description
Modify a protected object group		Find the protected object group that you want to modify and click Edit in the Actions column. In the dialog box that appears, move the protected objects from the Objects to Select section to the Selected Protected Object Groups section or from the Selected Protected Object Groups section to the Objects to Select section. Note After you remove a protected object from the protected object group, the default protection template is applied to the protected object. For more information, see the description of the default protection template in Protection configuration overview. You can add a protected object to only one protected object group. If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you can add the protected object to another protected object group.
View and configure protection rules		Find the protected object group that you want to manage and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group. If you configure a protection rule for a protected object group, the rule takes effect for all protected objects in the group.
Delete a protected object group		Find the protected object group that you want to delete and click Delete in the Actions column. Note If you delete a protected object group, all protected objects in the group are disassociated from the group and the default protection template is applied to the protected objects.