Background information
Network application assets are the primary carrier of network applications in a security management system and the most basic components of a business system. As enterprise business grows, the number of business systems grows with it. A single enterprise may run multiple business systems, and employees may forget to release resources after they build websites or test environments. As a result, business systems may contain unmanaged zombie assets. The security of a business system is determined by its weakest part. In most cases, zombie assets run outdated versions of open source systems, components, or web frameworks that have well-known vulnerabilities. Attackers can exploit these vulnerabilities to break into the internal network of an enterprise.
The asset discovery feature obtains the configurations of Alibaba Cloud services such as Domains, SSL Certificates Service, and Alibaba Cloud DNS, and applies big data correlation analysis to these configurations to identify domain names both in and outside the cloud. This gives you an overall view of all your domain names so that you can make sure that every one of them is protected. The feature also calculates a security score for each domain name based on threat intelligence and the default attack detection capability of Alibaba Cloud, so that you can identify the domain names that are vulnerable to attacks and add them to WAF.
Note The asset discovery feature can identify domain names from Alibaba Cloud and third-party providers. The domain names from third-party providers include the domain names of servers from third-party providers and the domain names of servers that are deployed in data centers.
Step 1: Access Asset Center and grant WAF permissions to access cloud resources
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the navigation pane on the left, click Asset Center.
On the Asset Center page, click Enable Now.
Note You only need to grant these permissions once. If you have already granted them, you can skip this step.
After you enable Asset Center for the first time, Alibaba Cloud automatically creates a service-linked role for WAF (AliyunServiceRoleForWAF). You can log on to the Resource Access Management (RAM) console to view the service-linked role that was automatically created for WAF. For more information, see View a RAM role.
After the AliyunServiceRoleForWAF service-linked role is created, your WAF instance can access the resources of associated Alibaba Cloud services, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), Alibaba Cloud DNS, Alibaba Cloud CDN, Digital Certificate Management Service, and Simple Log Service (SLS).
After WAF is granted permissions to access cloud resources, it automatically detects the domain name assets associated with your Alibaba Cloud account and displays the information on the Asset Center page.
Note Asset Center supports the detection of both Alibaba Cloud and non-Alibaba Cloud domain names. Non-Alibaba Cloud domain names include those that resolve to non-Alibaba Cloud servers and those used in on-premises data centers.
To improve the accuracy of asset discovery, WAF enables active fingerprint scanning by default. For assets that are added to WAF, asset fingerprints are identified through both passive traffic analysis and active probing. Active fingerprint scanning runs every two weeks. We recommend that you keep this feature enabled.
Step 2: Add assets
If a primary domain name that you want to monitor is not in the asset list, you can manually add it.
On the Overview tab of the Asset Center page, click Add Asset.
In the Add Asset dialog box, enter the website domain name and verify its ownership.
Verify domain name ownership
To confirm that you own the domain name, you must complete an ownership verification. You can use one of the following two methods:
DNS verification: Manually add the TXT record provided by WAF to your DNS provider's settings. This is the recommended method.
File verification: Upload the verification file provided by WAF to the specified root directory of the domain name's origin server. This requires you to have operational permissions on the origin server.
DNS verification
In the verification prompt area, click the Method 1: DNS Verification tab.
Add a TXT record with the Record Type, Host Record, and Record Value provided in the WAF console to your DNS provider's settings.
If you use Alibaba Cloud DNS, follow these steps. If you use a different DNS provider, perform similar configurations on their platform.
Log on to the Alibaba Cloud DNS console.
On the Authoritative Zones page, click DNS Settings next to the target primary domain name.
Click Add Record. Enter the Record Type, Host Record, and Record Value, then click OK. Keep the default values for other parameters.
| Configuration Item | Description | Example |
| --- | --- | --- |
| Record Type | Select TXT. | TXT |
| Host Record | The host record, which is the prefix of the domain name. | verification |
| Record Value | Enter the record value generated by WAF. | verify_8fca29dec22746a7841daf2b3af6**** |
After the record is added, you can view it in the record list. The record is enabled by default (the Status is Enabled).
Wait for the TXT record to take effect. A new TXT record takes effect immediately, but changes to an existing record usually take effect within 10 minutes. The exact time depends on the TTL value of the DNS record, which is 10 minutes by default.
Return to the WAF console and click Click To Verify.
If Verification Successful is displayed, the domain name ownership is verified.
If Verification Failed is displayed, troubleshoot the issue as follows:
Check the TXT record: Make sure the host record and record value you added are identical to the information provided in the WAF console. If they are different, delete the incorrect record, add it again, and then try to verify again.
Wait for the DNS record to take effect: The DNS record may not have taken effect yet. Propagation time depends on the TTL cache duration set on your DNS server. We recommend that you wait 10 minutes before you try to verify again.
Change the verification method: If verification continues to fail after multiple attempts, we recommend that you use Method 2: File Verification.
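The following script is an added example; it is not part of the WAF console or of Alibaba Cloud's own tooling. It performs the DNS check from the troubleshooting steps above before you click Click To Verify: it queries the TXT record with dig, compares the published value with the value from the console, and reports which step applies (record missing, record value different, or ready to verify). The host record and record value are placeholders in the console's format, and dig (BIND dnsutils) is assumed to be installed.

```python
"""Pre-check for the WAF DNS verification method.

Added example, not Alibaba Cloud or WAF code. Queries the TXT record that the
WAF console asked you to publish and reports which troubleshooting step
applies, so the record can be fixed before clicking "Click To Verify".
Assumes `dig` (BIND dnsutils) is installed.
"""
import subprocess
from typing import List, Optional, Tuple

# Placeholders: copy the real Host Record and Record Value from the WAF console.
HOST_RECORD = "verification"
RECORD_VALUE = "verify_8fca29dec22746a7841daf2b3af6XXXX"


def parse_txt_answers(dig_output: str) -> List[str]:
    """Turn `dig +short TXT` output into a list of TXT strings.

    dig prints each answer on its own line as one or more quoted chunks,
    e.g. "abc" "def", which DNS concatenates into one string; backslash
    escapes inside a chunk are honoured.
    """
    answers = []
    for line in dig_output.splitlines():
        chunks, current, in_quote, i = [], [], False, 0
        while i < len(line):
            ch = line[i]
            if ch == '"':
                if in_quote:
                    chunks.append("".join(current))
                    current = []
                in_quote = not in_quote
            elif ch == "\\" and in_quote and i + 1 < len(line):
                i += 1
                current.append(line[i])
            elif in_quote:
                current.append(ch)
            i += 1
        if chunks:
            answers.append("".join(chunks))
    return answers


def classify_txt_answers(answers: List[str], expected: str) -> str:
    """Map DNS answers to the console's troubleshooting advice.

    "missing"  -> no TXT record at the name: wrong Host Record, or the record
                  has not propagated yet (wait for the TTL, 10 minutes by default)
    "mismatch" -> a TXT record exists but its value differs: delete it and
                  re-add the exact Record Value from the console
    "ok"       -> the expected value is published; click "Click To Verify"
    """
    if not answers:
        return "missing"
    if expected in answers:
        return "ok"
    return "mismatch"


def check_txt_record(domain: str, host: str = HOST_RECORD,
                     expected: str = RECORD_VALUE,
                     nameserver: Optional[str] = None) -> Tuple[str, List[str]]:
    """Query host.domain for TXT records and classify the result.

    Pass the zone's authoritative nameserver (e.g. from `dig +short NS domain`)
    as `nameserver` to bypass resolver caches; that is the quickest way to
    tell "record not added" from "record not yet propagated".
    """
    name = f"{host}.{domain}"
    cmd = ["dig", "+short", "TXT", name]
    if nameserver:
        cmd.append(f"@{nameserver}")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    answers = parse_txt_answers(proc.stdout)
    return classify_txt_answers(answers, expected), answers


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict, found = check_txt_record(domain)
    print(f"{HOST_RECORD}.{domain}: {verdict} (TXT answers: {found})")
```

Run it as `python3 check_txt.py yourdomain.com` after adding the record. A "missing" verdict from a public resolver but "ok" when the authoritative nameserver is passed as `nameserver` means the record is correct and only the TTL has not expired, so waiting is the right fix rather than re-adding the record.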
File verification
In the verification prompt area, click the Method 2: File Verification tab.
Click the link to download the verification file (① in the figure).
Important The verification file is valid for only three days after you download it. If you do not complete the file verification within this period, you must download the file again.
Do not perform any operations on the verification file, such as opening, editing, or renaming it.
WAF accesses your origin server based on the selected protocol type. Make sure that the corresponding security group rule or firewall rule is configured on the origin server to allow access from WAF:
If you select HTTP, you must allow inbound traffic over TCP port 80 from the source IP address 0.0.0.0/0.
If you select HTTPS, you must allow inbound traffic over TCP port 443 from the source IP address 0.0.0.0/0.
Manually upload the verification file to the root directory of the domain name's origin server (such as your ECS, OSS, CVM, COS, or EC2 instance) as prompted in the console (② in the figure).
Note If you add a wildcard domain name, such as *.aliyun.com, you must upload the verification file to the root directory of aliyun.com.
After the upload is complete, you can use the following methods to check whether the verification file was uploaded successfully.
Return to the WAF console and click Click To Verify.
If Verification Successful is displayed, the domain name ownership is verified.
If Verification Failed is displayed, troubleshoot the issue based on the error message:
| Problem | Solution |
| --- | --- |
| Cannot access the domain name | Check the DNS resolution of the domain name to make sure that a DNS record points to the origin server. For example, if you use Alibaba Cloud DNS, see Add a DNS record. Also check the security group rules or firewall rules of the origin server to make sure that access requests from the Internet are allowed. For example, if you use an ECS security group, see Add a security group rule. |
| The verification file does not exist | Re-upload the verification file to the root directory of the domain name's origin server. |
| The file content is incorrect | Log on to the domain name's origin server, delete the incorrect verification file, and then re-upload the verification file. |
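The following script is an added example and not Alibaba Cloud or WAF code. It checks the file verification setup described above from the outside, the way WAF will see it: it requests the verification file from the origin server over the chosen protocol, compares the response byte for byte with the file you downloaded (which must not have been edited), and maps the outcome to the rows of the troubleshooting table. The file name and local path are placeholders; use the names the console shows you.

```python
"""Pre-check for the WAF file verification method.

Added example, not Alibaba Cloud or WAF code. Fetches the verification file
from the origin over the protocol WAF will use, compares it with the local
copy, and reports which troubleshooting row applies.
"""
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional, Tuple

# Placeholder: the console tells you the exact file name to upload.
VERIFICATION_FILE = "waf_verification_placeholder.txt"


def build_url(domain: str, filename: str, scheme: str = "http") -> str:
    """Build the URL that WAF will request.

    A wildcard domain name such as *.aliyun.com is verified at the root of
    aliyun.com, so the leading "*." is dropped.
    """
    if domain.startswith("*."):
        domain = domain[2:]
    return f"{scheme}://{domain}/{filename}"


def fetch(url: str, timeout: float = 10.0) -> Tuple[Optional[int], bytes]:
    """Return (status, body); status is None when the origin is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def classify_fetch(status: Optional[int], body: bytes, expected: bytes) -> str:
    """Map the fetch result to the console's troubleshooting categories.

    "cannot_access"     -> DNS does not point at the origin, or the security
                           group / firewall does not allow TCP 80/443 inbound
                           (also used for 403/5xx: the origin refuses or fails)
    "file_missing"      -> 404: re-upload the file to the web root
    "content_incorrect" -> served bytes differ from the downloaded file
    "ok"                -> ready for "Click To Verify"
    """
    if status is None:
        return "cannot_access"
    if status == 404:
        return "file_missing"
    if status != 200:
        return "cannot_access"
    if body != expected:
        return "content_incorrect"
    return "ok"


def verify_file(domain: str, local_file: str, filename: str = VERIFICATION_FILE,
                scheme: str = "http") -> str:
    """End-to-end check: read the downloaded file, fetch it from the origin, classify."""
    expected = Path(local_file).read_bytes()
    status, body = fetch(build_url(domain, filename, scheme))
    return classify_fetch(status, body, expected)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("usage: check_file.py <domain> <downloaded-verification-file> [http|https]")
        sys.exit(2)
    scheme = sys.argv[3] if len(sys.argv) > 3 else "http"
    print(verify_file(sys.argv[1], sys.argv[2], scheme=scheme))
```

Run the check from a host outside the origin's network, otherwise a security group or firewall rule that blocks Internet access will not show up. With `https`, urllib validates the origin's certificate, so a certificate error is reported as "cannot_access"; a "content_incorrect" result usually means the web server rewrote the file (for example by serving a directory index or an error page with status 200) rather than the bytes you uploaded.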
After you complete the preceding configurations, click Add.
Note After you manually add an asset, it appears in the Asset Center list on the next day (T+1).
Step 3: View assets
On the Asset Center page, you can view the details of your domain name assets.

| Data Type | Description | Related actions |
| --- | --- | --- |
| Domain name asset data (Area ① in the figure) | Displays data about the domain name assets associated with your Alibaba Cloud account, including the total number of primary domain names, the total number of subdomains and its change from the previous day, and the number of unprotected subdomains, categorized as high-risk, medium-risk, and low-risk. | None |
| Domain name asset details (Area ② in the figure) | WAF aggregates and displays the detected domain name assets, grouped by primary domain name. Each primary domain name includes the following information. Primary Domain Name: the primary domain name that is bound to the website. Resolved IP: the IP address or CNAME of the website server. Number Of Protected Subdomains: the number of subdomains that are protected by WAF. Number Of Unprotected Subdomains: the number of subdomains that are not protected by WAF, broken down into high-risk, medium-risk, and low-risk subdomains. | In the search box above the domain name asset list, enter a keyword to search for a primary domain name; fuzzy search is supported. In the list, click the icon to the left of a primary domain name to view its subdomains, filtered by configuration status and risk level. Subdomain information includes the following. Subdomain: the subdomain that is bound to the website. IP Address: the IP address or CNAME of the website server. Fingerprint: the fingerprint of the website server, identified through passive traffic analysis and active fingerprint scanning; active fingerprint scanning is enabled when you grant permissions to Asset Center, and you can use the switch in the upper-right corner of the list to enable or disable it. Severity: the risk level of the domain name, assessed from attack trends over the last 30 days and threat intelligence data; we recommend that you add high-risk domain names to WAF as soon as possible to prevent intrusions. Status: whether the website domain name is protected by WAF. Not Added: the domain name is not protected by WAF; click Add in the Actions column to add it to WAF (see Add a domain name to WAF using a CNAME record). Added: the domain name is protected by WAF, which inspects the website traffic and provides comprehensive protection. Click Details in the Actions column of a subdomain to view its threat information. Note: This feature is available only for WAF instances of the Enterprise and Ultimate editions. |
Step 4: Export assets
On the Overview tab of the Asset Center page, select the primary domain names that you want to export and click the download icon in the upper-right corner to generate an export file.
On the Export Record tab in Asset Center, click Download to export the domain name asset document.
The exported file is temporarily stored on Alibaba Cloud and is automatically deleted after three days. You must download the file within this period.
Note Only an Alibaba Cloud account can download the asset list. This feature is not supported for RAM users.
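The following script is an added example, not Alibaba Cloud or WAF code, that works through the triage described in Step 3 on an asset list exported in Step 4. The page does not document the export file format, so the script assumes a CSV with one row per subdomain and the columns shown in the Asset Center list (primary domain name, subdomain, IP address or CNAME, fingerprint, severity, status); the sample rows are constructed. It recomputes the overview figures, orders unprotected subdomains by severity so that likely zombie assets are added to WAF (or decommissioned) first, and lists subdomains whose fingerprint is empty and therefore need a manual look.

```python
"""Triage an exported Asset Center list.

Added example, not Alibaba Cloud code. The export layout below is an
assumption: one row per subdomain with the columns shown in the Asset Center
list. The sample data is constructed and uses reserved example names.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample in the assumed export layout (not a real export).
SAMPLE_EXPORT = """\
primary_domain,subdomain,ip_address,fingerprint,severity,status
example.com,www.example.com,203.0.113.10,nginx,Low,Added
example.com,old-test.example.com,203.0.113.11,WordPress (constructed),High,Not Added
example.com,api.example.com,api.example.com.waf-cname.invalid,nginx,Medium,Added
example.net,shop.example.net,198.51.100.5,Tomcat,Medium,Not Added
example.net,dev.example.net,198.51.100.6,,Low,Not Added
"""


def load_assets(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per subdomain row."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Recompute the overview figures from Area ①.

    The day-over-day change needs yesterday's export as well, so it is not
    computed here.
    """
    unprotected = Counter(r["severity"] for r in rows if r["status"] != "Added")
    return {
        "primary_domains": len({r["primary_domain"] for r in rows}),
        "subdomains": len(rows),
        "protected": sum(1 for r in rows if r["status"] == "Added"),
        "unprotected_high": unprotected["High"],
        "unprotected_medium": unprotected["Medium"],
        "unprotected_low": unprotected["Low"],
    }


def prioritize(rows: List[Dict[str, str]]) -> List[str]:
    """Unprotected subdomains, highest severity first.

    These are the candidates for zombie assets: add them to WAF through
    Add in the Actions column, or decommission them if nobody owns them.
    """
    todo = [r for r in rows if r["status"] != "Added"]
    todo.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 3), r["subdomain"]))
    return [r["subdomain"] for r in todo]


def missing_fingerprints(rows: List[Dict[str, str]]) -> List[str]:
    """Subdomains with no fingerprint yet.

    Either active scanning (every two weeks) has not reached them or the
    host did not respond; confirm manually what is running there.
    """
    return [r["subdomain"] for r in rows if not r["fingerprint"]]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    assets = load_assets(text)
    print("summary:", summarize(assets))
    print("add to WAF first:", prioritize(assets))
    print("no fingerprint:", missing_fingerprints(assets))
```

Run it as `python3 triage.py exported_assets.csv`; if the real export uses different column names, adjust the keys in the three functions. Because the export is deleted after three days and only the Alibaba Cloud account can download it, keep a dated copy so that successive runs can also show the day-over-day change in unprotected subdomains.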