Protected objects and protected object groups are units for which protection rules take effect. You can associate a protected object or protected object group with a protection template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.
Background information
Protected objects
A protected object is the smallest unit for which WAF protection rules take effect. A protected object can be a cloud service instance or a domain name.
To add a protected object to WAF, you can use one of the following methods:
Automatic addition: After you enable WAF protection for a cloud service instance or add a domain name to WAF in CNAME record mode, the instance or domain name is automatically added as a protected object.
Manual addition: If you want to configure domain name-level protection rules for an Application Load Balancer (ALB) instance, Classic Load Balancer (CLB) instance, or Elastic Compute Service (ECS) instance for which you enable WAF protection, you can manually add the domain names as protected objects. For more information, see Manually add protected objects.
In different access modes, you can use different methods to add protected objects to WAF.
Mode | Automatic addition | Manual addition | Limits |
Cloud native mode (Enable WAF protection for an ALB instance) | After you enable WAF protection for an ALB instance, the instance is automatically added as a protected object. | You can manually add the instance-related domain names as protected objects. |
|
Cloud native mode (Enable WAF protection for an MSE instance) | After you enable WAF protection for a Microservices Engine (MSE) instance, the instance is automatically added as a protected object. The routes of the instances are also added as protected objects. | Manual addition is not supported. | |
Cloud native mode (Enable WAF protection for a custom domain name bound to a web application in Function Compute) | After you enable WAF protection for a custom domain name in Function Compute, the domain name is automatically added as a protected object. | Manual addition is not supported. | |
Cloud native mode (Enable WAF protection for a layer 7 CLB instance, Add a Layer 4 CLB instance to WAF, and Enable WAF protection for an ECS instance) | After you add a CLB or ECS instance to WAF, the instance is automatically added as a protected object. | You can manually add the instance-related domain names as protected objects. | |
After you add a domain name to WAF, the domain name is automatically added as a protected object. | Manual addition is not supported. | ||
Automatic addition is not supported. | You can manually add a domain name that is added to WAF as a protected object. |
Protected object groups
A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.
A protected object can belong to only one protected object group.
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
If you want to manually add a CLB or ECS-related domain name as a protected object and the domain name resides in the Chinese Mainland, you must apply for an Internet Content Provider (ICP) filing for the domain name.
NoteWhen you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you specify.
Manually add protected objects
If you want to configure protection rules for domain names that meet the following conditions, perform the following steps to manually add the domain names as protected objects:
The domain names are configured to point to ALB or CLB instances or hosted on ECS instances, and the instances are added to WAF in cloud native mode.
The domain names are added to WAF in hybrid cloud - SDK integration mode.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protected Objects tab, click Add Protected Object.
In the Add Protected Object dialog box, configure the Protected Object Type parameter and other parameters. Then, click OK. The other parameters that you need to configure vary based on the value of the Protected Object Type parameter.
Cloud Service
If you want to add an ALB, CLB, or ECS-related domain name as a protected object, set the Protected Object Type parameter to Cloud Service. Then, configure the other parameters. The following table describes the parameters.
Parameter
Description
Domain Name
The domain name that you want to add to WAF. You can enter an exact-match domain name, such as
www.aliyundoc.com
, or a wildcard domain name, such as*.aliyundoc.com
.NoteIf you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter
*.aliyundoc.com
, WAF does not matchaliyundoc.com
.If you enter a wildcard domain name, WAF does not match the subdomains of the wildcard domain name at different levels. For example, if you enter
*.aliyundoc.com
, WAF does not matchwww.example.aliyundoc.com
.If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name at the same level. For example, if you enter
*.aliyundoc.com
, WAF matches subdomains such aswww.aliyundoc.com
andexample.aliyundoc.com
.If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
Cloud Service
The cloud service on which the origin server is deployed. Valid values:
ALB: ALB service
CLB4: Layer 4 CLB service
CLB7: Layer 7 CLB service
ECS: ECS service
Instance
The ID of the cloud service instance. This parameter is required only if you set the Cloud Service parameter to ALB.
NoteIf your ALB instance does not exist in the drop-down list, add the instance to WAF first. For more information, see Add an ALB instance to WAF.
Add to Protected Object Group
The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time.
After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter.
NoteIf no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.
SDK-based Traffic Mirroring
If you want to add a domain name that is added to WAF 3.0 in hybrid cloud - SDK integration mode as a protected object, set the Protected Object Type parameter to SDK-based Traffic Mirroring. Then, configure the other parameters. The following table describes the parameters.
Parameter
Description
Protected Object Name
The name of the protected object that you want to add to WAF.
Domain Name/IP Address
The domain name or IP address that you want to add to WAF. You can enter an exact-match domain name, such as
www.aliyundoc.com
, or a wildcard domain name, such as*.aliyundoc.com
.NoteIf you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter
*.aliyundoc.com
, WAF does not matchaliyundoc.com
.If you enter a wildcard domain name, WAF does not match the subdomains of the wildcard domain name at different levels. For example, if you enter
*.aliyundoc.com
, WAF does not matchwww.example.aliyundoc.com
.If you enter a wildcard domain name, WAF automatically matches all subdomains of the wildcard domain name at the same level. For example, if you enter
*.aliyundoc.com
, WAF matches subdomains such aswww.aliyundoc.com
andexample.aliyundoc.com
.If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
URL
The URL that you want to add to WAF.
Add to Protected Object Group
The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time.
After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter.
NoteIf no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.
After you add a protected object to WAF, you can view and manage the protected object in the protected object list. For more information, see Manage protected objects.
Create a protected object group
You can create a protected object group, associate protected objects with the protected object group, and configure protection rules for multiple protected objects at the same time.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protected Object Group tab, click Create.
In the Create Protected Object Group dialog box, configure the Name, Associate with Protected Object, and Description parameters. Then, click OK.
NoteOnly protected objects that do not belong to a protected object group and use the default protection template are displayed in the Objects to Select section below Associate with Protected Object.
If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you can add the protected object to the current protected object group. For more information, see Modify a protected object group.
After you create a protected object group, you can manage the protected object group on the Protected Object Group tab. For more information, see Manage protected object groups.
Manage protected objects
On the Protected Objects tab, you can view and manage protected objects.
Feature | Description | |
Settings | Configure Client IP Address | If a Layer 7 proxy is deployed in front of WAF, you can specify the method that you want WAF to use to obtain the IP addresses of clients. Layer 7 proxies include Anti-DDoS Proxy and Alibaba Cloud CDN. This way, WAF can obtain the originating IP addresses of clients, match requests with protection rules, such as IP address blacklist rules, and display details in security reports, such as source IP addresses. Find the protected object that you want to manage and click Settings in the Actions column. In the Settings panel, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter. Note
|
Cookie Settings | When the HTTP flood protection and scan protection features are enabled, WAF inserts
| |
Slider CAPTCHA Cookie | If a request passes slider CAPTCHA verification, WAF uses Important
| |
View and configure protection rules | Find the protected object that you want to manage and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object. Note
| |
Add a protected object to a protected object group | Find the protected object that you want to manage and choose in the Actions column.If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list. | |
View protection logs | Find the protected object whose protection logs you want to view and choose Enable or disable the Simple Log Service for WAF feature. in the Actions column. You are redirected to the Log Service page. On this page, you can enable the log collection feature for the protected object and view the protection logs of the protected object. For more information, see | |
Remove a protected object from WAF | Find the protected object that you want to manage and choose in the Actions column.Note
| |
Add tags to or remove tags from a protected object | You can use tags to search for specific resources in the WAF console.
|
Manage protected object groups
On the Protected Object Group tab, you can view and manage protected object groups.
Feature | Description | |
Modify a protected object group | Find the protected object group that you want to modify and click Edit in the Actions column. In the dialog box that appears, move the protected objects from the Objects to Select section to the Selected Protected Object Groups section or from the Selected Protected Object Groups section to the Objects to Select section. Note
| |
View and configure protection rules | Find the protected object group that you want to manage and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group. If you configure a protection rule for a protected object group, the rule takes effect for all protected objects in the group. | |
Delete a protected object group | Find the protected object group that you want to delete and click Delete in the Actions column. Note If you delete a protected object group, all protected objects in the group are disassociated from the group and the default protection template is applied to the protected objects. |