Web Application Firewall: Asset Center

Last Updated: Nov 21, 2025

The Asset Center feature of Web Application Firewall (WAF) organizes your domain name assets both on and off Alibaba Cloud. It assesses risk levels based on the attack status of your cloud assets, helping you understand the overall security posture of your services. You can enable protection for high-risk domain name assets to improve your overall security.

Background information

Network application assets are the most important carriers of network applications in a security management system and the most fundamental components of a business system. As an enterprise grows, it runs more business systems. A single enterprise may have multiple business systems, and employees may forget to release resources after they build websites or test environments. As a result, business systems may contain unmanaged zombie assets. The overall security of a system is determined by its most vulnerable part. In most cases, zombie assets run outdated versions of open source systems, components, or web frameworks that have common vulnerabilities. Attackers can exploit these vulnerabilities to intrude into the internal network of an enterprise.

The asset discovery feature can obtain the configurations of Alibaba Cloud services, such as Domains, SSL Certificates Service, and Alibaba Cloud DNS. Then, the feature, together with big data-enabled correlation analysis, can identify domain names in and outside the cloud based on the obtained configurations. This way, you can monitor the overall situation of all the domain names and make sure that all domain names are protected. The asset discovery feature calculates the security scores of domain names based on threat intelligence and the default attack detection capability of Alibaba Cloud. This way, you can identify the domain names that are vulnerable to attacks. Then, you can add the domain names to WAF to prevent attacks.

Note

The asset discovery feature can identify domain names from Alibaba Cloud and third-party providers. The domain names from third-party providers include the domain names of servers from third-party providers and the domain names of servers that are deployed in data centers.

Step 1: Access Asset Center and grant WAF permissions to access cloud resources

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the navigation pane on the left, click Asset Center.

  3. On the Asset Center page, click Enable Now.

    Note

    You only need to grant these permissions once. If you have already granted them, you can skip this step.

    • After you enable Asset Center for the first time, Alibaba Cloud automatically creates a service-linked role for WAF (AliyunServiceRoleForWAF). You can log on to the Resource Access Management (RAM) console to view the service-linked role that was automatically created for WAF. For more information, see View a RAM role.

      After the AliyunServiceRoleForWAF service-linked role is created, your WAF instance can access the resources of associated Alibaba Cloud services, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), Alibaba Cloud DNS, Alibaba Cloud CDN, Digital Certificate Management Service, and Simple Log Service (SLS).

    • After WAF is granted permissions to access cloud resources, it automatically detects the domain name assets associated with your Alibaba Cloud account and displays the information on the Asset Center page.

      Note

      Asset Center supports the detection of both Alibaba Cloud and non-Alibaba Cloud domain names. Non-Alibaba Cloud domain names include those that resolve to non-Alibaba Cloud servers and those used in on-premises data centers.

      To improve the accuracy of asset discovery, WAF enables active fingerprint scanning by default. For assets added to WAF, asset fingerprints are identified through passive traffic analysis and active probing. Active fingerprint scanning is performed every two weeks. Keep this feature enabled.

Step 2: Add assets

If a primary domain name that you want to monitor is not in the asset list, you can manually add it.

  1. On the Overview tab of the Asset Center page, click Add Asset.

  2. In the Add Asset dialog box, enter the website domain name and verify its ownership.

    • DNS record verification: Manually add the TXT record that is provided by WAF at your domain's DNS provider. This method is recommended.

    • File verification: Upload the verification file that is provided by WAF to a specified root directory on your origin server. This requires operational permission on the origin server and a security group policy that allows access from all IP addresses. This ensures that WAF can verify the file from the Internet.

    DNS record verification

    1. In the validation prompt area, click the Method 1: DNS Record tab.

    2. Add a TXT record with your domain name resolution service provider and specify the Record Type, Host Name, and Record Value from the WAF console.

      If you use Alibaba Cloud DNS, you can follow these steps. If you use another DNS provider, you must perform similar steps in their system.

      1. On the Public Zone page, click Settings to the right of the target primary domain name.

      2. Click Add Record, configure the following parameters, and click OK. Leave the other parameters at their default values.

        • Set Record Type to TXT.

        • Hostname: Enter the domain name prefix. For example, verification.

        • Record Value: Enter the record value generated by WAF, such as verify_8fca29dec226****.

    3. Wait for the TXT record to take effect. A new TXT record takes effect in real time. However, changes to an existing TXT record typically take effect after 10 minutes. The effective period depends on the TTL duration that is configured for the domain's DNS record, which is 10 minutes by default.

    4. Return to the WAF console and click Verify.

      • If Verification Successful is displayed, the domain ownership verification is complete.

      • If Verification Failed is displayed, you can troubleshoot the issue as follows:

        1. Check the TXT record: Make sure that the added hostname and record value are exactly the same as the information that is provided in the WAF console. If there are differences, you can delete the incorrect record, add it again, and then verify again.

        2. Wait for DNS to take effect: The DNS record configuration may not take effect immediately. The effective period depends on the TTL cache time that is set on the DNS server. You can wait 10 minutes and then verify again.

        3. Change the verification method: If verification still fails after multiple attempts, you can use Method 2: File Verification.

    File verification

    1. In the verification area, click the Method 2: Verification File tab.

    2. Click the download link for the verification file (① in the figure) to download the verification file.

      Important
      • The verification file is valid for only 3 days after download. If you do not complete file verification within this period, you must download it again.

      • Do not modify the verification file in any way, such as by editing or renaming it.

      • WAF accesses the origin server based on the selected protocol type. Make sure that your origin server's security group or firewall rules allow the corresponding traffic:

        • If you select HTTP, allow inbound TCP traffic on port 80 from 0.0.0.0/0.

        • If you select HTTPS, allow inbound TCP traffic on port 443 from 0.0.0.0/0.

    3. Manually upload the verification file to the web root directory of your domain's origin server, such as an ECS instance, an OSS bucket, a CVM instance, a COS bucket, or an EC2 instance (② in the figure).

      Note

      If you add a wildcard domain name, such as *.aliyun.com, you must upload the verification file to the root directory of the aliyun.com domain.

      After the upload is complete, you can check whether the verification file was uploaded successfully by following the methods below.

    4. Return to the WAF console and click Verify.

      • If Verification Successful is displayed, the domain ownership verification is complete.

      • If Verification Failed is displayed, you can troubleshoot the issue based on the error message:

        • Problem: Cannot access the domain name.

          Solution:

          1. Check the DNS record for your domain name to ensure that it points to the origin server. For Alibaba Cloud DNS, see Add a DNS record.

          2. Check the security group or firewall rules of the origin server to ensure that public network access requests are allowed. For ECS security groups, see Add a security group rule.

        • Problem: Verification file does not exist.

          Solution: Re-upload the verification file to the domain's origin server.

        • Problem: Incorrect file content.

          Solution:

          1. Go to your domain's origin server and delete the incorrect verification file.

          2. Re-upload the verification file.

    5. A security group rule that allows access from all IP addresses poses a security risk. If the initial security group configuration of the origin server does not include the 0.0.0.0/0 rule, you must delete the security group rule that was added for verification after you complete the ownership verification.

  3. After you complete the preceding configurations, click Add.
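
A pre-check for the DNS record verification steps above, as an added example that is not part of the Alibaba Cloud documentation: it compares `dig +short TXT` output from the authoritative name server and from a recursive resolver with the record value shown in the WAF console, and maps the result onto the troubleshooting steps. The function names, result labels and sample values are constructed for illustration.

```python
import re
import subprocess

# One quoted character-string as printed by `dig +short TXT`.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_txt(dig_output):
    """Return one string per TXT record; a record split into several quoted
    character-strings is joined without a separator, as resolvers do."""
    records = []
    for line in dig_output.splitlines():
        parts = _QUOTED.findall(line)
        if parts:                      # skips blank lines and CNAME targets
            records.append("".join(parts))
    return records

def classify(dig_output, expected):
    """Compare published TXT data with the record value shown in the console."""
    records = parse_txt(dig_output)
    if expected in records:
        return "match"
    if any(r.strip().lower() == expected.strip().lower() for r in records):
        return "near-miss"             # stray whitespace or changed case
    return "mismatch" if records else "missing"

def diagnose(authoritative_out, recursive_out, expected):
    """Map the two views onto the troubleshooting steps on this page."""
    auth = classify(authoritative_out, expected)
    if auth != "match":
        return "fix-record:" + auth    # step 1: delete the record and add it again
    if classify(recursive_out, expected) != "match":
        return "wait-for-ttl"          # step 2: resolvers still serve cached data
    return "ready-to-verify"

def dig_txt(fqdn, server=None):
    """Live lookup; `server` is an authoritative name server, or None."""
    cmd = ["dig", "+short", "TXT", fqdn] + (["@" + server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout

# Constructed sample data (not real records).
EXPECTED = "verify_0000constructed0000"
AUTH_VIEW = '"v=spf1 -all"\n"verify_0000constructed0000"\n'
STALE_VIEW = '"verify_oldconstructedvalue"\n'

if __name__ == "__main__":
    print(diagnose(AUTH_VIEW, STALE_VIEW, EXPECTED))
    print(diagnose('"verify_0000constructed0000 "\n', "", EXPECTED))
```

For a live check, pass the output of `dig_txt("verification.<your domain>", server)` for both views instead of the constructed strings.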

Note

After you manually add an asset, it appears in the Asset Center list on the next day (T+1).
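
For the cleanup in step 5 of file verification, an added example (not Alibaba Cloud code) that compares a security group snapshot saved before verification with the current one and lists the 0.0.0.0/0 rules on ports 80 and 443 that were not in the original configuration. The snapshot layout and field names are assumed to follow the ECS DescribeSecurityGroupAttribute response; the rule data is constructed.

```python
import json

VERIFY_PORTS = (80, 443)  # HTTP and HTTPS, the protocol choices for file verification

def load_rules(snapshot_json):
    """Rule list from a saved snapshot (assumed response layout)."""
    return json.loads(snapshot_json)["Permissions"]["Permission"]

def world_open(rule, port):
    """True if the rule admits inbound TCP traffic to `port` from 0.0.0.0/0."""
    if rule.get("Direction") != "ingress" or rule.get("Policy", "").lower() != "accept":
        return False
    if rule.get("SourceCidrIp") != "0.0.0.0/0":
        return False
    if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    return low == -1 or low <= port <= high   # -1/-1 means every port

def identity(rule):
    """Fields that make two snapshot entries the same rule."""
    return tuple(str(rule.get(k, "")).lower()
                 for k in ("Direction", "IpProtocol", "PortRange", "SourceCidrIp"))

def rules_to_revoke(baseline, current):
    """World-open 80/443 rules in `current` that `baseline` did not contain."""
    before = {identity(r) for r in baseline}
    return [r for r in current
            if identity(r) not in before
            and any(world_open(r, p) for p in VERIFY_PORTS)]

def sample_rule(port_range, source):   # helper for the constructed data below
    return {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
            "PortRange": port_range, "SourceCidrIp": source}

# Constructed snapshots: before verification, and after port 80 was opened for it.
PRE = [sample_rule("22/22", "203.0.113.10/32"), sample_rule("443/443", "0.0.0.0/0")]
BASELINE = json.dumps({"Permissions": {"Permission": PRE}})
CURRENT = json.dumps({"Permissions": {"Permission": PRE + [sample_rule("80/80", "0.0.0.0/0")]}})

if __name__ == "__main__":
    for r in rules_to_revoke(load_rules(BASELINE), load_rules(CURRENT)):
        print("revoke after verification:", r["IpProtocol"], r["PortRange"], r["SourceCidrIp"])
```

The pre-existing 443 rule is left alone because it was part of the initial configuration, which is the condition step 5 sets for deleting a rule.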

Step 3: View assets

On the Asset Center page, you can view the details of your domain name assets.

[Figure: Asset Center]

Data type: Domain name asset data (Area ① in the figure)

Description: Displays data about the domain name assets associated with your Alibaba Cloud account. This includes the total number of primary domain names, the total number of subdomains and its change from the previous day, and the number of unprotected subdomains, categorized as high-risk, medium-risk, and low-risk.

Related actions: None

Data type: Domain name asset details (Area ② in the figure)

Description: WAF aggregates and displays detected domain name assets, grouped by primary domain name. Each primary domain name includes the following information:

  • Second-level Domain Name: The primary domain name that is bound to the website.

  • IP Address: The IP address or CNAME of the website server.

  • Protected Subdomains: The number of subdomains that are protected by WAF.

  • Unprotected Subdomains: The number of subdomains that are not protected by WAF. This includes the number of high-risk, medium-risk, and low-risk subdomains.

Related actions:

  • In the search box above the domain name asset list, you can enter a keyword to search for a specific primary domain name. Fuzzy search is supported.

  • In the domain name asset list, click the expand icon to the left of a primary domain name to filter subdomains by configuration status and risk level. Subdomain information includes:

    • Subdomain: The subdomain that is bound to the website.

    • IP Address: The IP address or CNAME of the website server.

    • Fingerprint: The fingerprint information of the website server, which is identified through passive traffic analysis and active fingerprint scanning.

      The active fingerprint scanning switch is enabled after you grant permissions to Asset Center. You can use the switch in the upper-right corner of the domain name asset list to enable or disable active fingerprint scanning.

    • Severity: The risk level of the domain name, which is assessed based on attack trends over the last 30 days and threat intelligence data. For high-risk domain names, we recommend that you add them to WAF for protection as soon as possible to prevent intrusions.

    • Status: Indicates whether the website domain name is protected by WAF. The following statuses are available:

      • Not Added: The website domain name is not protected by WAF. You can click Add in the Actions column to add the domain name to WAF. For more information, see Add a domain name to WAF using a CNAME record.

      • Added: The website domain name is protected by WAF. WAF detects website traffic and provides comprehensive protection for the domain name.

  • Click Details in the Actions column of a subdomain to view its threat information.

    Note

    This feature is available only for WAF instances of the Enterprise and Ultimate editions.

Step 4: Export assets

  1. On the Overview tab of the Asset Center page, select the primary domain names that you want to export and click the download icon in the upper-right corner to generate an export file.

  2. On the Export Record tab in Asset Center, click Download to export the domain name asset document.

    The exported file is temporarily stored on Alibaba Cloud and is automatically deleted after three days. You must download the file within this period.

    Note

    Only an Alibaba Cloud account can download the asset list. This feature is not supported for RAM users.