How to add and manage protected objects and protected object groups - Web Application Firewall

Protected objects and protected object groups are units for which protection rules take effect. You can associate protected objects or protected object groups with protection templates to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.

Background information

Protected objects

A protected object is the smallest unit for which WAF protection rules take effect. A protected object can be a cloud service instance or a domain name that is added to WAF.

To add a protected object to WAF, you can use one of the following methods:

Automatic addition: After you enable WAF protection for a cloud service instance or add a domain name to WAF in CNAME record mode, the instance or domain name is automatically added as a protected object.
Manual addition: If you want to configure protection rules for domain names that are used by Application Load Balancer (ALB) instances, Classic Load Balancer (CLB) instances, Elastic Compute Service (ECS) instances, or Network Load Balancer (NLB) instances, you can manually add the domain names as protected objects. For more information, see Manually add protected objects.

In different access modes, you can use different methods to add protected objects to WAF.

Access mode	Automatically added protected objects	Support for manually added protected objects	Quota limits
Cloud native mode (Enable WAF protection for an ALB instance)	ALB instance	You can manually add the instance-related domain names as protected objects	The maximum number of protected objects that can be added to WAF varies based on the WAF edition. Subscription: Basic: supports up to 300 protected objects Pro: supports up to 600 protected objects Enterprise: supports up to 2,500 protected objects Ultimate: supports up to 10,000 protected objects Pay-as-you-go: supports up to 10,000 protected objects You can log on to the Web Application Firewall 3.0 console and go to the Protected Objects page to view the number of protected objects that are added to WAF and the number of protected objects that can be added to WAF. For subscription instances, WAF reserves protected object specifications based on the free domains included in your edition and any additional domain extensions. For example, if you use a subscription Pro WAF instance that supports 5 free domain names and up to 600 protected objects, and you purchase 2 Domain Name Extension quotas, WAF reserves 7 (5+2) protected object quotas. In this case, you can add up to 593 (600-7) protected objects. If the number of protected objects that you add to WAF reaches the limit, you can no longer add domain names or cloud service instances to WAF. You also cannot purchase additional Domain Name Extension quotas. If you want to add more protected objects to WAF, you can remove protected objects that no longer require WAF protection from your WAF instance or upgrade your WAF instance. For more information, see Manage protected objects, Manage protected object groups, and Upgradation and downgrade.
Cloud native mode (Enable WAF protection for an MSE gateway instance)	MSE instance (including its Ingresses)	Not supported
Cloud native mode (Enable WAF protection for a custom domain name in Function Compute)	Domain name	Not supported
Cloud native mode (Enable WAF protection for a CLB instance, Enable WAF protection for an ECS instance, and Enable WAF protection for an NLB instance)	CLB instance, ECS instance, and NLB instance	You can manually add the instance-related domain names as protected objects
CNAME record mode	Domain name	Not supported
Hybrid cloud - reverse proxy mode	Domain name	Not supported
Hybrid cloud - SDK integration mode	Not supported	Domain names that are added to WAF in hybrid cloud SDK-based traffic mirroring mode can be manually added to WAF as protected objects.

Protected object groups

A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.

Note

A protected object can be added to only one protected object group.

Subscription Basic	Subscription Pro	Subscription Enterprise	Subscription Ultimate	Pay-as-you-go
Supports up to 10 protected object groups.	Supports up to 10 protected object groups.	Supports up to 10 protected object groups.	Supports up to 10 protected object groups.	Supports up to 100 protected object groups.
Each protected object group supports up to 50 protected objects.	Each protected object group supports up to 50 protected objects.	Each protected object group supports up to 50 protected objects.	Each protected object group supports up to 50 protected objects.	Each protected object group supports up to 100 protected objects.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
If you want to manually add domain names that are used by CLB instances, ECS instances, or NLB instances, and the domain names are hosted on servers in Chinese Mainland, you must complete ICP filing .
Note
When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the operations that you must perform based on the website information that you specify.

Manually add protected objects

If you want to configure protection rules for domain names that meet the following conditions, perform the following steps to manually add the domain names as protected objects:

The domain names are used by ALB instances, CLB instances, ECS instances, or NLB instances that are added to WAF in cloud native mode.
The domain names are added to WAF in hybrid cloud - SDK integration mode.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Objects tab, click Add Protected Object.

In the Add Protected Object dialog box, configure the following parameters based on the Protected Object Type and click OK.

Cloud service

If you want to add domain names that are used by ALB instances, CLB instances, ECS instances, or NLB instances as protected objects, set Protected Object Type to Cloud Service and configure the following parameters.

Parameter	Description
Domain Name	The domain name that you want WAF to protect. You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* A wildcard domain name cannot match the root domain name. For example, `.aliyundoc.com` cannot match `aliyundoc.com`. A wildcard domain name cannot match domain names that include multiple levels of subdomains. For example, `.aliyundoc.com` cannot match `www.example.aliyundoc.com`. A wildcard domain name can match all subdomains at the same level. For example, `*.aliyundoc.com` can match `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
Cloud Service	Select the cloud product type for the domain name server. Options: ALB: Application Load Balancer (ALB) CLB4: Layer 4 Classic Load Balancer (CLB) CLB7: Layer 7 Classic Load Balancer (CLB) ECS: Elastic Compute Service (ECS) NLB: Network Load Balancer (NLB)
Instance	The ID of the cloud service instance. This parameter is required only when Cloud Service is set to ALB. Note If no ALB instances are added to WAF, add an ALB instance to WAF. For more information, see Enable WAF protection for an ALB instance.
Add To Protected Object Group	The protected object group to which you want to add a protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add the protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.

Hybrid cloud - SDK integration

If you want to add domain names that are added to WAF 3.0 in hybrid cloud - SDK integration mode as protected objects, set Protected Object Type to SDK-based Traffic Mirroring and configure the following parameters.

Parameter	Description
Protected Object Name	The name of the protected object that you want to add.
Domain Name/IP	The domain name that you want to add to WAF. You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* A wildcard domain name cannot match the root domain name. For example, `.aliyundoc.com` cannot match `aliyundoc.com`. A wildcard domain name cannot match domain names that include multiple levels of subdomains. For example, `.aliyundoc.com` cannot match `www.example.aliyundoc.com`. A wildcard domain name can match all subdomains at the same level. For example, `*.aliyundoc.com` can match `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
URL	The URL that you want WAF to protect.
Add To Protected Object Group	The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add a protected object to the protected object group. For more information about how to create a protected object group, see Create a protected object group.

After you add a protected object to WAF, you can view and manage the protected object in the protected object list. For more information, see Manage protected objects.

Create a protected object group

You can create protected object groups, associate protected objects with protected object groups, and configure protection rules for multiple protected objects at the same time.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Object Groups tab, click Create Object Group.
In the Create Protected Object Group dialog box, enter a Protected Object Group Name, select Associated Protected Objects, add Remarks, and then click OK.
Note
- The Objects To Be Selected list in the Associate Protected Objects section contains only protected objects that are not added to any protected object group and to which only the default mitigation capability or no template is applied.
- If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you add the protected object to another protected object group. For more information, see Edit a protected object group.
After you add a protected object group, you can manage the protected object group on the Protected Object Groups tab. For more information, see Manage protected object groups.

Manage protected objects

You can view and manage protected objects on the Protected Objects tab.

To configure a protected object, click Settings in the Actions column of the protected object.

Feature		Description
WAF Link Settings	Configure Client IP Address	If a Layer 7 proxy is deployed in front of WAF, you can specify the method that you want WAF to use to obtain the IP addresses of clients. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. This way, WAF can obtain the actual IP addresses of clients, match requests with corresponding protection rules, such as IP address blacklist rules, and display information on security reports, such as source IP addresses. Click Settings in the Actions column of the protected object and configure Layer 7 Proxy (CDN, Anti-DDoS, Etc.) and Client IP Header. For more information, see Layer 7 proxy configuration. Note If you configured this parameter when you added a domain name to WAF in CNAME record mode or when you added a CLB or ECS instance to WAF, you do not need to configure the parameter again. For ALB instances, MSE instances, FC custom domain names, and domains connected in hybrid cloud SDK integration mode, you can apply this configuration as needed.
	Cookie Settings	Tracking Cookie When you use HTTP flood protection or scan protection, if a request does not contain `acw_tc` in the cookie, WAF inserts `acw_tc` into the response to identify and count different client visits. WAF analyzes the cookie information carried by the client, combines the HTTP flood protection rules, scan protection rules with the session statistical object, custom frequency setting rules with the session statistical object, and statistical results to determine whether HTTP flood attacks exist in the service traffic. You can turn on or off Tracking Cookie using the Status switch. If you want the cookie to be delivered only to HTTPS requests, you can enable the Secure Attribute attribute of the cookie. Important We recommend that you turn on the Status switch for tracking cookies. Otherwise, the HTTP flood protection and scan protection features may not function as expected. Protected objects that are added to a protected object group have Tracking Cookie turned on by default. You cannot turn off Tracking Cookie or enable the Secure Attribute attribute. MSE instances and custom domain names in Function Compute do not support the Secure Attribute attribute. Effective rules: If a request matches multiple protected objects and any of the protected objects has Tracking Cookie or the Secure Attribute attribute enabled, all matched protected objects have the same feature enabled. Slider CAPTCHA Cookie After slider verification is passed, WAF delivers the slider cookie `acw_sc__v3` by default to mark the verification action. If you want the cookie to be delivered only to HTTPS websites, you can enable the Secure Attribute attribute of the cookie. Important After you enable the Secure Attribute attribute, the slider feature for HTTP websites may not function as expected. Protected objects that are added to a protected object group have the Secure Attribute attribute turned off by default. You cannot enable the attribute. MSE instances and custom domain names in Function Compute do not support the Secure Attribute attribute.
Account Extraction Settings		After you configure account extraction rules, you can reference the rules in scan protection, bot management, and custom rules. You can configure up to five rules for each protected object. The rules are sorted by priority. You can select one of the following positions for account extraction: Query String Body Cookie Header Account format: Plaintext Authentication: for example, email*@qq.com. JWT Authentication: typically in the Header, which can carry user information. The typical format is Authorization : Bearer {Token}. If the format is JWT, you need to specify the account field after decoding. Basic Authentication: typically in the Header. The typical format is Authorization : Basic {Token}**.

To view the protection rules of a protected object, click View Protection Rule in the Actions column of the protected object. On the Core Web Protection page, you can view the protection rules that are configured for the protected object.
Note
- You can also configure more protection rules for the protected object on the Protection Rules page. For more information, see Web core protection.

Click in the Actions column for the target object.

Feature	Description
Add to Protected Object Group	To add multiple protected objects to the same object group, select the protected objects and click Add To Protected Group at the bottom of the list.
View Logs	Enable log collection for the protected object and query related log data. For more information, see Enable or disable Simple Log Service.

To delete a protected object, click Delete in the Actions column of the protected object.
Note
Only manually added domain name protected objects can be deleted.
If you want to delete a CLB instance or an ECS instance, go to the Provisioning page, find the target instance or traffic redirection port, click Remove in the Actions column, cancel port redirection, and then delete the protected object.
To add or remove tags for a protected object, hover over the icon in the Tag column of the target protected object and click Attach. In the Edit Tag dialog box, select or enter a Tag Key and enter a Tag Value.
Note
- You can attach up to 20 Tag Keys at a time. The Tag Value can be empty.
- When you enter a Tag Key and a Tag Value, you can enter up to 128 characters. The key cannot start with aliyun or acs:, and cannot contain http:// or https://.
- You can add or modify tags on the Protected Objects page or Website Configuration page. The latest tag settings are synchronized between the two pages.
- You can also select multiple protected objects and then add tags to or remove tags from the protected objects at the same time.

Manage protected object groups

You can view and manage protected object groups on the Protected Object Groups tab.

Feature		Description
Edit a protected object group		Click Edit in the Actions column of the target protected object group. Move protected objects from the Objects to Select list to the Selected Protected Object Groups list, or remove protected objects from the Selected Protected Object Groups list. Note After a protected object is removed from the current object group, the default mitigation capability is automatically applied to the protected object. You can add a protected object to only one protected object group. If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you can add the protected object to another protected object group.
View and configure protection rules		Click Configure Rules in the Actions column of the protected object. On the Protection Rules page, configure protection rules for the protected object group. The protection rules that you configure for the protected object group take effect for all protected objects in the group.
Delete a protected object group		Find the protected object group and click Delete in the Actions column.