
Web Application Firewall: Protected objects and protected object groups

Last Updated: Nov 04, 2025

Protected objects and protected object groups are units to which protection rules apply. You can associate a protected object or a protected object group with a protection template to enable Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.

Background information

Protected objects

A protected object is a domain name or a cloud service instance that is added to WAF for protection. It is the smallest unit to which mitigation rules apply.

Protected objects can be created in the following two ways:

  • Automatic addition: Instances added in cloud native mode or domain names added using the CNAME connection type are automatically added as protected objects.

  • Manual addition: To configure separate protection rules for one or more domain names of your ALB, CLB, ECS, and NLB instances in cloud native mode, you can manually add the domain names as protected objects. For more information, see Manually add a protected object.

The following list describes, for each connection type, the protected objects that WAF adds automatically, whether you can add protected objects manually, and the specification limits that apply.

  • Cloud native mode (Enable WAF protection for an ALB instance)

    • Automatically added protected objects: the ALB instance.

    • Manual addition: supported. You can manually add domain names from the instance as protected objects.

  • Cloud native mode (Enable WAF protection for an MSE cloud-native gateway instance)

    • Automatically added protected objects: the MSE instance, including its routes.

    • Manual addition: not supported.

  • Cloud native mode (Enable WAF protection for Function Compute functions)

    • Automatically added protected objects: domain names.

    • Manual addition: not supported.

  • Cloud native mode (Enable WAF protection for CLB instances, Enable WAF protection for ECS instances, and Enable WAF protection for NLB instances)

    • Automatically added protected objects: the CLB, ECS, and NLB instances.

    • Manual addition: supported. You can manually add domain names from an instance as protected objects.

  • CNAME access

    • Automatically added protected objects: domain names.

    • Manual addition: not supported.

  • Reverse proxy mode for hybrid cloud access

    • Manual addition: not supported.

  • Hybrid cloud access SDK integration mode

    • Automatically added protected objects: none. You manually add the connected domain names as protected objects.

    • Manual addition: supported.

Specification limits:

  • Different WAF editions support different numbers of protected objects:

    • Subscription:

      • Basic Edition: Up to 300 protected objects

      • Pro: Up to 600 protected objects

      • Enterprise: Up to 2,500 protected objects

      • Ultimate: Up to 10,000 protected objects

    • Pay-as-you-go: Up to 10,000 protected objects

    Log on to the Web Application Firewall 3.0 console. On the Protected Objects page, view the number of protected objects already added and the remaining quota for your current edition.

  • For subscription instances, WAF reserves a protected object quota for the free domain names included in your plan and for any additional domain names you purchase.

    For example, if you have a subscription Pro instance that includes 5 free domain names and supports up to 600 protected objects, and you purchase two Domain Name Extension packages, WAF reserves a quota for 7 (5+2) protected objects. You can then add up to 593 (600-7) more protected objects.

  • If you use up your protected object quota, you cannot add more domain names or cloud product instances to WAF. You also cannot purchase new Domain Name Extension packages. To increase your available quota, delete protected objects or upgrade your instance. For more information, see Manage protected objects, Manage protected object groups, and Upgrade and downgrade instances.

Protected object groups

A protected object group is a collection of protected objects. It is also a unit to which mitigation rules apply. You can add multiple protected objects to a group and configure mitigation rules for the group. This lets you apply the rules to all protected objects in the group in a batch.

Note

A protected object can belong to only one protected object group.

Group quotas by edition:

  • Basic Edition (Subscription): up to 10 protected object groups, each with up to 50 protected objects.

  • Pro (Subscription): up to 10 protected object groups, each with up to 50 protected objects.

  • Enterprise Edition (Subscription): up to 10 protected object groups, each with up to 50 protected objects.

  • Ultimate (Subscription): up to 10 protected object groups, each with up to 50 protected objects.

  • Pay-as-you-go: up to 100 protected object groups, each with up to 100 protected objects.

Prerequisites

  • A WAF 3.0 instance is purchased. For more information, see Purchase a pay-as-you-go WAF 3.0 instance.

  • Web services are added to WAF on the Onboarding page. For more information, see Website configuration overview.

  • If you want to manually add domain names for CLB, ECS, or NLB instances that are hosted on servers in Chinese Mainland, you must obtain an ICP filing from Alibaba Cloud.

    Note

    When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you provide.

Manually add a protected object

To configure separate mitigation rules for the following domain names, you must manually add them as protected objects:

  • Domain names in ALB, CLB, ECS, or NLB instances that are added to WAF in cloud native mode.

  • Domain names that are added to WAF in hybrid cloud integration mode with an SDK.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protected Objects.

  3. On the Protected Objects tab, click Add Protected Object.

  4. In the Add Protected Object dialog box, configure the parameters based on the Protected Object Type and click OK.

    Cloud service

    To add the domain names of ALB, CLB, ECS, and NLB instances as protected objects, set Protected Object Type to Cloud Service and configure the following parameters.

    Configuration item

    Note

    Domain Name

    Enter the domain name to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com.

    Note
    • A wildcard domain name cannot match the corresponding primary domain name. For example, *.aliyundoc.com cannot match aliyundoc.com.

    • A wildcard domain name cannot match subdomains at different levels. For example, *.aliyundoc.com cannot match www.example.aliyundoc.com.

    • A wildcard domain name can match all subdomains at the same level. For example, *.aliyundoc.com can match subdomains such as www.aliyundoc.com and example.aliyundoc.com.

    • If a domain name is covered by both an exact-match protected object and a wildcard protected object, the protection rules of the exact-match protected object take precedence.

    Cloud Service

    Select the type of cloud service that the domain name resolves to. The available options are:

    • ALB: Application Load Balancer.

    • CLB4: Classic Load Balancer at Layer 4.

    • CLB7: Classic Load Balancer at Layer 7.

    • ECS: Elastic Compute Service.

    • NLB: Network Load Balancer.

    Instance

    Select the ID of the instance that the domain name resolves to. This parameter is required only when Cloud Service is set to ALB.

    Note

    If the ALB instance is not in the list, first complete the cloud native mode integration. For more information, see Enable WAF protection for an ALB instance.

    Add To Protected Object Group

    As needed, add the protected object to a specified protected object group to apply protection rules to multiple protected objects in a batch.

    Once a protected object is added to a group, you can configure its protection rules only through the group, not individually. If you prefer to configure rules for the object individually, skip this setting.

    Note

    If the target protected object group does not exist, skip this setting. Create the group, and then add the protected object to it. For more information, see Create a protected object group.

    Hybrid cloud integration with an SDK

    To add a domain name that is connected to WAF 3.0 in SDK-based Traffic Mirroring mode as a protected object, set Protected Object Type to SDK-based Traffic Mirroring and configure the following parameters.

    Configuration item

    Note

    Protected Object Name

    Enter a name for the protected object.

    Domain Name/IP

    Enter the domain name to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com.

    Note
    • A wildcard domain name does not match the corresponding primary domain name. For example, *.aliyundoc.com does not match aliyundoc.com.

    • A wildcard domain name does not match subdomains at different levels. For example, *.aliyundoc.com does not match www.example.aliyundoc.com.

    • A wildcard domain name can match all subdomains at the same level. For example, *.aliyundoc.com can match www.aliyundoc.com and example.aliyundoc.com.

    • If a domain name is covered by both an exact-match protected object and a wildcard protected object, the rules of the exact-match protected object take precedence.

    URL

    Enter the URL path to protect.

    Add To Protected Object Group

    As needed, add a protected object to a specified protected object group to easily configure protection rules for multiple protected objects in batches.

    After a protected object is added to a group, its protection rules can only be configured through the group, not individually. If you want to configure rules for the object individually, skip this setting.

    Note

    If the target protected object group does not exist, you can skip this setting. You can add the protected object to the group after you create it. For more information, see Create a protected object group.

    After you add a protected object, you can view and manage it in the protected object list. For more information, see Manage protected objects.
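The wildcard and precedence rules in the Domain Name notes above decide which protected object's rules apply to a request, and the one-group-per-object rule decides where those rules are configured. The following Python is an added example, not Alibaba Cloud WAF code: it implements those rules as stated on this page, plus a quota check using the group limits listed under Protected object groups. The ProtectedObject record, the group map and the edition keys are assumptions made for the illustration.

```python
"""Host-to-protected-object resolution and group layout checks.

Added example; not Alibaba Cloud WAF code. Matching follows the page's rules:
a wildcard covers exactly one label, never the apex, and an exact-match
protected object wins over a wildcard one. The record layout, the group map
and the edition keys below are assumptions; the limit values come from the page."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProtectedObject:
    domain: str                  # "www.aliyundoc.com" or a wildcard such as "*.aliyundoc.com"
    group: Optional[str] = None  # a protected object belongs to at most one group


# (max groups, max objects per group), as listed on the page
GROUP_LIMITS = {"subscription": (10, 50), "pay-as-you-go": (100, 100)}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix from a Host header value."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # "www.aliyundoc.com:443"; IPv6 literals keep their colons
        host = host.split(":", 1)[0]
    return host


def wildcard_matches(pattern: str, host: str) -> bool:
    """'*.aliyundoc.com' matches www.aliyundoc.com, but neither aliyundoc.com
    (the apex) nor www.example.aliyundoc.com (a different level)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]               # ".aliyundoc.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label


def resolve(objects: Iterable[ProtectedObject], host: str) -> Optional[ProtectedObject]:
    """Return the protected object whose rules apply to this host, or None."""
    host = normalize_host(host)
    objects = list(objects)
    for obj in objects:                # an exact-match object takes precedence ...
        if obj.domain.lower() == host:
            return obj
    for obj in objects:                # ... over a matching wildcard object
        if wildcard_matches(obj.domain.lower(), host):
            return obj
    return None


def check_groups(groups: Dict[str, Set[str]], edition: str) -> List[str]:
    """Validate a proposed group layout against the one-group-per-object rule
    and the edition's group count and group size limits. Returns violations."""
    max_groups, max_size = GROUP_LIMITS[edition]
    problems: List[str] = []
    if len(groups) > max_groups:
        problems.append(f"{len(groups)} groups exceeds the limit of {max_groups}")
    seen: Dict[str, str] = {}
    for name, members in groups.items():
        if len(members) > max_size:
            problems.append(f"group {name} has {len(members)} objects, limit is {max_size}")
        for domain in members:
            if domain in seen:
                problems.append(f"{domain} is in both {seen[domain]} and {name}")
            seen[domain] = name
    return problems


if __name__ == "__main__":
    objs = [ProtectedObject("*.aliyundoc.com", group="web"),
            ProtectedObject("www.aliyundoc.com")]       # exact object, rules configured individually
    print(resolve(objs, "api.aliyundoc.com"))            # wildcard object; rules come from group "web"
    print(resolve(objs, "www.aliyundoc.com"))            # exact object wins over the wildcard
    print(resolve(objs, "aliyundoc.com"))                # None: a wildcard never covers the apex
```

Run the layout check before creating groups in the console: it reports the same conditions the console refuses (an object already in another group, more than 50 objects in a subscription group, more than 10 groups), so the order of remove-then-add described under Manage protected object groups can be planned in advance.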

Create a protected object group

You can create a protected object group and associate protected objects with it to apply mitigation rules to the objects in a batch.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protected Objects.

  3. On the Protected Object Group tab, click Create Object Group.

  4. In the Create Protected Object Group dialog box, enter a Protected Object Group Name, select the Associated Protected Objects, add Remarks, and click OK.

    Note
    • The Available Objects list in the Associate Protected Objects section displays only protected objects that do not belong to any group and have either the default mitigation capability or no mitigation capability applied.

    • If a protected object already belongs to another protected object group, you must first remove the protected object from its original group before you can add it to the current group. For more information, see Edit a protected object group.

    After the protected object group is created, you can manage it on the Protected Object Groups tab. For more information, see Manage protected object groups.

Manage protected objects

You can view and manage protected objects on the Protected Objects tab.

  • To configure a protected object, click Settings in the Actions column for the object.

    Feature

    Note

    WAF Link Settings

    Configure Client IP Address

    If a reverse proxy device, such as Anti-DDoS or CDN, is deployed in front of WAF, you can configure the client IP identification method. This method specifies the header field from which WAF reads the real client IP. WAF uses this IP for protection rule matching, such as IP blacklists, and for displaying attack source IPs in reports.

    Click Settings in the Actions column for the target protected object to configure Layer 7 Proxy Before WAF (such As Anti-DDoS Or CDN) and Client IP Detection Method. For more information, see Add a website to WAF using a CNAME record.

    Configure this method only when a proxy that you control forwards all traffic to WAF. Any client can put an arbitrary value in a forwarding header such as X-Forwarded-For, so if WAF trusts such a header while clients can still reach it directly, an attacker can forge the source IP that blacklists, rate limits, and reports rely on.

    Note
    • Domain names added using a CNAME record, CLB instances, and ECS instances: If you completed this configuration during setup, do not configure it again.

    • ALB instances, MSE instances, FC custom domain names, and domain names added in hybrid cloud SDK integration mode: Configure this as needed.

    Cookie Settings

    • Tracking Cookie

      When features such as HTTP flood protection and scan protection are enabled and a request's cookie does not contain acw_tc, WAF by default inserts the acw_tc cookie into the response so that it can distinguish and count access from different clients. WAF then combines the client's cookie information with your HTTP flood protection rules, the scan protection rules and custom frequency rules that use sessions for statistics, and the resulting statistics to determine whether the service traffic contains CC (HTTP flood) attack behavior.

      • Use the Status switch to enable or disable the Tracking Cookie. To deliver this cookie only in HTTPS requests, enable the Secure Attribute of the cookie.

        Important
        • Enable the Status switch for the tracking cookie. Otherwise, features such as HTTP flood protection and scan protection will be affected.

        • For protected objects in a protected object group, the Tracking Cookie is enabled by default. You cannot disable the Tracking Cookie or enable the Secure Attribute for these objects.

        • MSE instances and FC custom domain names do not support setting the Secure Attribute.

      • Effective rule: If a request hits multiple protected objects and the Tracking Cookie or Secure Attribute is enabled for any of them, the setting is synchronized to all the hit objects.

    • Slider CAPTCHA Cookie

      After a user passes a slider challenge, WAF delivers the acw_sc__v3 slider cookie by default to mark the authentication action. To deliver this cookie only to HTTPS sites, enable the Secure Attribute of the cookie.

      Important
      • Enabling the Secure Attribute affects how the slider feature works on HTTP sites.

      • For protected objects in a protected object group, the Secure Attribute is disabled by default and cannot be enabled.

      • MSE instances and FC custom domain names do not support setting the Secure Attribute.

    Custom Response Header

    WAF can insert up to five custom headers into a response. If a custom header's Header Name is the same as a source header's name, the value of the source header is replaced with the configured Header Value.

    Decode Settings

    WAF parses and decodes data formats such as JSON, XML, and Form, and encoding methods such as Base64 and HTML entities. This lets WAF detect malicious traffic hidden in multilayer encoding or compression. Select these options as needed. For more information about the decoding settings, see the Appendix.

    User Identification

    After you configure account fetching rules, you can reference them in Scan Protection, Bot Management, and custom rules. Each protected object supports up to five rules, sorted by priority.

    • Select a location to fetch accounts from:

      • Query String

      • Body

      • Cookie

      • Header

    • Account formats:

      • Plaintext Authentication: For example, email***@qq.com.

      • JWT Authentication: Typically carried in the Authorization header in the form Authorization: Bearer {Token}. For the JWT format, also specify which field (claim) of the decoded token holds the account.

      • Basic Authentication: Typically found in the header. The common format is Authorization: Basic {Token}.
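Two of the settings above determine which identity a request is matched under: Configure Client IP Address decides the source IP that blacklists, rate limits and reports use, and User Identification decides the account that Scan Protection, Bot Management and custom rules count by. The following Python is an added example, not Alibaba Cloud WAF code, showing one way to derive both. The request and rule dictionary layouts, the header name X-Forwarded-For and the right-to-left trusted-proxy walk are assumptions made for the illustration; the page names neither the header nor the algorithm.

```python
"""Client IP and account extraction used for rule matching.

Added example; not Alibaba Cloud WAF code. The request/rule dict layouts,
the X-Forwarded-For header name and the trusted-proxy walk are assumptions."""
import base64
import binascii
import json
from typing import Dict, List, Optional


def client_ip(remote_addr: str, headers: Dict[str, str], trusted_proxies: set,
              header: str = "X-Forwarded-For") -> str:
    """Return the IP used for blacklists, rate limits and reports.

    The header is only believed when the TCP peer is one of our proxies;
    otherwise a direct client could forge its own source IP. Walking the chain
    from the right and skipping known proxies yields the last hop we did not add."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def account_from_jwt(value: str, claim: str) -> Optional[str]:
    """Authorization: Bearer <header>.<payload>.<signature>; read one claim.
    The signature is not verified: this identifies a session for statistics
    and rules, it does not authenticate the user (the origin does that)."""
    scheme, _, token = value.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (binascii.Error, ValueError):
        return None
    account = payload.get(claim) if isinstance(payload, dict) else None
    return str(account) if account is not None else None


def account_from_basic(value: str) -> Optional[str]:
    """Authorization: Basic base64(user:password); the account is the user part."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    user, sep, _ = creds.partition(":")
    return user if sep and user else None


def identify_account(request: dict, rules: List[dict]) -> Optional[str]:
    """Apply account-fetching rules in priority order; the first hit wins.
    request = {"query": {}, "body": {}, "cookies": {}, "headers": {}}
    rule = {"location": <one of those keys>, "name": ..., "format": ... [, "claim": ...]}"""
    for rule in rules:
        raw = request.get(rule["location"], {}).get(rule["name"])
        if raw is None:
            continue
        fmt = rule["format"]
        if fmt == "plaintext":
            account = raw
        elif fmt == "jwt":
            account = account_from_jwt(raw, rule["claim"])
        elif fmt == "basic":
            account = account_from_basic(raw)
        else:
            account = None
        if account:
            return account
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a JWT with a dummy, unverified signature, behind one trusted proxy.
TRUSTED_PROXIES = {"203.0.113.10"}
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                       _b64url(b'{"sub":"user-42","email":"e***@qq.com"}'),
                       _b64url(b"not-a-real-signature")])
SAMPLE_REQUEST = {
    "query": {}, "body": {}, "cookies": {},
    "headers": {"X-Forwarded-For": "198.51.100.7, 203.0.113.10",
                "Authorization": "Bearer " + SAMPLE_JWT},
}
RULES = [{"location": "query", "name": "email", "format": "plaintext"},
         {"location": "headers", "name": "Authorization", "format": "jwt", "claim": "sub"},
         {"location": "headers", "name": "Authorization", "format": "basic"}]
```

The second assertion in the test is the case the caveat under Configure Client IP Address is about: a client that reaches WAF directly and sends its own X-Forwarded-For is attributed to its real peer address, not to the address it claims.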

  • Click View Protection Rule in the Actions column for the object. On the Core Web Protection page, you can view the protection rules that are configured for the protected object.

    Note
    • You can also configure more protection rules for the protected object on the Protection Rules page. For more information, see Web Core Protection.

  • Click the icon in the Actions column for the object to access the following features.

    Feature

    Note

    Add to Protected Object Group

    To add multiple protected objects to the same object group, select the protected objects and click Add To Protection Group below the list.

    View Logs

    Enable log collection and query logs for the protected object. For more information, see Enable or disable Simple Log Service.

  • Click Delete in the Actions column for the object to delete the protected object.

    Note

    Only manually added domain name protected objects can be deleted.

    To delete CLB instances or ECS instances, go to the Provisioning page, locate the target instance or traffic redirection port, and click Remove in the Actions column. After traffic redirection for the port is canceled, you can delete the protected object.

  • To attach or detach a tag for a protected object, hover over the Edit icon in the Tag column for the protected object and click Attach. In the Edit Tag dialog box, select or enter a Tag Key and enter a Tag Value.

    Note
    • You can attach up to 20 Tag Keys at a time, and the Tag Value can be empty.

    • The Tag Key and Tag Value can be up to 128 characters in length. They cannot start with aliyun or acs:, or contain http:// or https://.

    • You can add or modify tags for a protected object in either the protected object list or the provisioning list. Changes made in one place are synchronized to the other.

    • You can also select multiple protected objects to add or remove tags in a batch.

Manage protected object groups

On the Protected Object Groups tab, you can view and manage protected object groups.

Feature

Note

Edit protected object group

In the Operation column for the target protected object group, click Edit. Move a protected object from Objects to Select to Selected Protected Object Groups, or remove a protected object from Selected Protected Object Groups.

Note
  • When a protected object is removed from its current group, the default mitigation capability is automatically applied.

  • A protected object cannot be in more than one group. To add an object to a new group, first remove it from its current group.

View and configure protection rules

Click Configure Rule in the Operation column for the target protected object group. On the Protection Rules page, configure protection rules for the protected object group. These rules apply to all protected objects in the group.

Delete a protected object group

Locate the target protected object group, and in the Operation column, click Delete.

Appendix

Decoding settings

Important
  • When you add an ALB instance in cloud native mode, Base64 Decoding is disabled by default. You can enable it as needed.

  • Function Compute functions and MSE instances added in cloud native mode do not support decoding settings.

  • For the hybrid cloud connection type, you must upgrade the xagent to version 4.1.0 or later for the decoding settings to take effect.

Key-value parsing

  • JSON Data Parsing

    • Description: The JSON parsing module is implemented based on the RFC 7159 standard to parse and reconstruct the JavaScript Object Notation (JSON) format. This module supports the parsing of JSON syntax specifications, including the identification and processing of key-value pair objects, arrays, strings, and numbers. The parsing process includes syntax validation, data type conversion, nested structure handling, and Unicode escape sequence decoding. By standardizing JSON format parsing, it enhances the ability of WAF rules to detect malicious content in JSON payloads.

    • Example: For an input of {"Hello":"World"}, JSON parsing extracts a key of Hello and a value of World.

  • XML Data Parsing

    • Description: The XML parsing module is implemented based on the XML specification (W3C Recommendation) to parse and reconstruct Extensible Markup Language (XML) data. This module supports the full parsing of XML document structures, including the identification and processing of elements, attributes, text content, CDATA sections, and processing instructions. The parsing process includes syntax validation, entity reference parsing, namespace handling, and document structure standardization. By standardizing XML format parsing, it enhances the ability of WAF rules to detect malicious content in XML payloads.

    • Example: For the input <Hello attr="desc"><![CDATA[World]]></Hello>, XML parsing extracts key as Hello, value as World, key2 as Hello.attr, and value2 as desc.

  • Form Data Parsing

    • Description: The Form parsing module is implemented based on the RFC 1866 standard to parse and reconstruct the application/x-www-form-urlencoded format. This module supports the full parsing of HTML form data, including the identification and processing of key-value pair parameters, array parameters, file upload fields, and nested structures. The parsing process includes URL decoding, character set handling, parameter separator identification, and data type conversion. By standardizing form data format parsing, it enhances the ability of WAF rules to detect malicious content in form payloads.

    • Example: For the input Hello=World, form parsing extracts the key as Hello and the value as World.

  • Multipart Data Parsing

    • Description: The Multipart parsing module parses and reconstructs the multipart/form-data format based on the RFC 2046 standard. The module supports the complete parsing of HTTP file uploads and complex form data, including the detection and processing of file fields, text fields, boundary delimiters, and nested structures. The parsing process includes boundary detection, field parsing, file content extraction, and encoding conversion. This standardized parsing of the multipart format allows WAF rules to better detect malicious content in file uploads and complex form payloads.

    • Example: After multipart parsing, the following input is resolved into a key of Hello and a value of World.

      ------WebKitFormBoundary7MA4YWxkTrZu0gW 
      Content-Disposition: form-data; name="Hello"
      
      World
      ------WebKitFormBoundary7MA4YWxkTrZu0gW--

  • GraphQL Parsing

    • Description: Parses the GraphQL request format. No further detail or example is provided for this module.
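The four worked examples above all reduce a body to key-value pairs, which is what lets a single rule set inspect JSON, XML, form and multipart payloads alike. The following Python is an added example, not Alibaba Cloud WAF code: it reproduces each page example and shows how nesting, attributes and arrays become key paths. The path syntax (dots for nesting, [i] for array indices) and the hand-written multipart splitter are assumptions made for the illustration.

```python
"""Key-value extraction from JSON, XML, form and multipart bodies.

Added example; not Alibaba Cloud WAF code. The dotted path syntax and the
multipart splitter are assumptions made for this illustration."""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict
from urllib.parse import parse_qsl


def flatten_json(text: str) -> Dict[str, str]:
    """{"Hello":"World"} -> {"Hello": "World"}; nesting and arrays become paths."""
    out: Dict[str, str] = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else str(key))
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        else:
            out[path] = "" if node is None else str(node)

    walk(json.loads(text), "")
    return out


def flatten_xml(text: str) -> Dict[str, str]:
    """<Hello attr="desc"><![CDATA[World]]></Hello> ->
    {"Hello": "World", "Hello.attr": "desc"}. ElementTree does not fetch
    external entities; for untrusted input prefer defusedxml, which also
    rejects entity-expansion bombs."""
    out: Dict[str, str] = {}

    def walk(element, path):
        for name, value in element.attrib.items():
            out[f"{path}.{name}"] = value
        text_value = (element.text or "").strip()
        if text_value:
            out[path] = text_value
        for child in element:
            walk(child, f"{path}.{child.tag}")

    root = ET.fromstring(text)
    walk(root, root.tag)
    return out


def flatten_form(text: str) -> Dict[str, str]:
    """Hello=World -> {"Hello": "World"}; parse_qsl percent-decodes and maps + to space."""
    return dict(parse_qsl(text, keep_blank_values=True))


_NAME = re.compile(rb'(?<!file)name="([^"]*)"')   # skip filename="..." in the same header


def flatten_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """multipart/form-data: split on the boundary, read each part's
    Content-Disposition name, return the payload as text (file contents
    included, so uploaded files are inspected too)."""
    delimiter = b"--" + boundary.encode()
    out: Dict[str, str] = {}
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing "--boundary--"
            break
        head, sep, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = _NAME.search(head)
        if not sep or not match:
            continue
        out[match.group(1).decode()] = data.rstrip(b"\r\n").decode("utf-8", "replace")
    return out


# Constructed sample bodies reproducing the page's worked examples.
SAMPLE_JSON = '{"Hello":"World"}'
SAMPLE_XML = '<Hello attr="desc"><![CDATA[World]]></Hello>'
SAMPLE_FORM = "Hello=World"
SAMPLE_BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
SAMPLE_MULTIPART = (b"------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
                    b'Content-Disposition: form-data; name="Hello"\r\n'
                    b"\r\n"
                    b"World\r\n"
                    b"------WebKitFormBoundary7MA4YWxkTrZu0gW--\r\n")
```

The boundary passed to flatten_multipart is the value of the boundary parameter in the request's Content-Type header; the body lines carry it with two extra leading dashes, which is why the sample body shows six dashes.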

Decoding

  • Base64 Decoding

    • Description: The Base64 decoding engine implements the reverse conversion algorithm for Base64 encoding defined in RFC 4648. This module uses the standard Base64 character set (A-Z, a-z, 0-9, +, /) and the padding character (=) for standardized processing. The decoding process includes character validation, padding handling, byte alignment, and data integrity checks to ensure the accuracy and reliability of binary data transmission.

    • Example: If you input SGVsbG8gV29ybGQh, the output after Base64 decoding is Hello World!.

  • HTML Entity Decoding

    • Description: The HTML entity decoding engine is implemented based on the HTML 5.2 specification (W3C Recommendation) to parse character references. This module supports the standardized processing of numeric character references, both decimal (such as &#72;) and hexadecimal (such as &#x48;), and named character references (such as &amp; or &excl;).

    • For example, if you input &#72;&#101;&#108;&#108;&#111;&#32;&#87;&#111;&#114;&#108;&#100;&excl;, the output is Hello World!.

  • PHP Deserialization

    • Description: The PHP serialization decoding engine implements the reverse operation of the PHP serialize() function. This module, based on the PHP serialization protocol, parses the syntax structure of the serialized format, including type identifiers (i, s, a, O, etc.), length metadata, and recursive data structures. The decoding process includes type validation, memory safety checks, and object graph reconstruction, supporting the full parsing of scalar types, compound types, and object serialization.

    • For example, if the input is payload=O:5:"Hello":1:{s:4:"desc";s:6:"World!";}, PHP deserialization extracts the key payload.Hello.desc and the corresponding value World!.

  • Java Deserialization

    • Description: Java Deserialization Decoding is based on the Java serialization protocol and implements the reverse operation of ObjectInputStream. This module parses the binary format of the Java serialization stream, including class descriptors, field metadata, and object state information. The decoding process follows the JVM serialization specification and supports the recursive parsing of complex object graphs.

    • Example: For the input rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAFSGVsbG90AAZXb3JsZCF4, Java deserialization decoding extracts the Java class java.util.HashMap.

  • UTF-7 Decode

    • Description: The UTF-7 decoding engine is implemented based on the RFC 2152 standard for variable-length character encoding conversion. This module processes UTF-7 encoding markers (+/-) and Base64-encoded Unicode character sequences. The decoding algorithm supports Unicode transmission in 7-bit ASCII environments, including encoding state machines, character set switching, and compatibility with traditional protocols, making it suitable for email systems and MIME message transmission scenarios.

    • Example: Input +/v8 +AEgAZQBsAGwAbwAgAFcAbwByAGwAZAAh-, Output Hello World!.

  • Unicode Decode

    • Description: Unicode Decoding is a character encoding conversion mechanism based on the Unicode standard (ISO/IEC 10646). This module parses Unicode escape sequences, supporting the four-hex-digit \uXXXX notation (one UTF-16 code unit) and the \u{XXXXXX} extended format for code points beyond the Basic Multilingual Plane. The decoding process follows the Unicode 15.0 specification to ensure standardized character encoding.

    • Example: If you input \u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064\u0021, the output after Unicode decoding is Hello World!.

  • URL Decoding

    • Description: URL Decoding is based on the RFC 3986 standard and implements the reverse conversion of Percent-Encoding. This mechanism handles the encoding of reserved characters, non-ASCII characters, and special characters in the generic URI syntax. The decoding algorithm follows the application/x-www-form-urlencoded MIME type specification and supports the standard parsing of HTTP request parameters.

    • For example, for an input of Hello%20World%21, the output after URL decoding is Hello World!.

  • Hex Decoding

    • Description: Hexadecimal Decoding implements the conversion from a hexadecimal string to binary data based on the RFC 4648 standard. This module uses Big-Endian byte order and supports the standard hexadecimal character set (0-9, A-F, a-f). The decoding process includes input validation, character normalization, and byte alignment.

    • Example: For the input \x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21, the output after Hex decoding is Hello World!.

  • Oct Decode

    • Description: The OCT octal decoding engine processes character encodings that are represented by a backslash followed by octal digits, such as \123. This module converts octal numbers to their corresponding characters based on the ASCII lookup table, supports the standard octal range of 0–377 (equivalent to 0–255 in decimal), and can batch parse octal escape sequences in mixed text.

    • Example: For the input \110\145\154\154\157\040\127\157\162\154\144\041, the output after Oct decoding is Hello World!.

Decompression

  • Gzip Decompression

    • Description: The Gzip decoding engine is implemented based on the RFC 1952 standard and uses the decompression mechanism of the DEFLATE compression algorithm. This module handles the header parsing of the Gzip file format (magic number 0x1f8b, compression method, flags), CRC32 checksum, and decompression of compressed data blocks. The decoding algorithm supports stream processing and batch decompression, including state machine management, multi-member file handling, and error recovery mechanisms. It is suitable for web transmission, file archiving, and data compression scenarios.

    • Example: Given the input binary file data 1f 8b 08 00 11 39 00 69 00 ff 01 0c 00 f3 ff 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 a3 1c 29 1c 0c 00 00 00 (presented in HEX format for readability), the output after GZIP decompression is Hello World!.

Pre-processing

  • Remove Comments

    • Description: The comment removal module is implemented based on the SQL standard and MySQL extended syntax to identify and remove comment syntax. This module supports two comment formats defined by the ANSI SQL standard: single-line comments (-- followed by any characters to the end of the line) and multi-line comments (any character sequence enclosed by /* */). It is also compatible with MySQL's conditional comment syntax (/*! ... */), whose body MySQL executes and which is therefore kept rather than removed. The process includes comment marker identification, nested comment handling, version condition parsing, and syntax boundary validation. By removing comment content, it enhances the accuracy of the WAF rules engine in detecting malicious SQL statements and reduces the risk of attackers bypassing rules by splitting keywords with comments.

    • Example: For the input /*!40101 SET */@OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;, the output after comment deletion is SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;.

  • Whitespace Normalization

    • Description: The whitespace normalization module implements a standardized process for handling runs of space characters. It detects consecutive space sequences in an input string and compresses each run into a single space. The process covers leading, trailing, and intermediate runs so that text format is standardized and consistent, and a rule written for single spacing still matches a payload padded with extra spaces.

    • Example: The input Hello    World! (several spaces between the words) becomes Hello World! after space compression.
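The decoders, decompressor and pre-processing steps in this Appendix are only useful together: a payload that is Base64-encoded and then URL-encoded is not visible until both layers are peeled, and a conditional comment inside it hides the keyword until comments are removed. The following Python is an added example, not Alibaba Cloud WAF code, that chains the steps described above until the input stops changing and then matches the result; it is checked against the page's own worked inputs. The decoder order, the depth limit, the Base64 token heuristic and the signature list are assumptions made for the illustration.

```python
"""Multi-layer normalization in the spirit of the Decode Settings.

Added example; not Alibaba Cloud WAF code. Decoder order, depth limit, the
Base64 token heuristic and the signatures are assumptions for this illustration."""
import base64
import binascii
import gzip
import html
import re
import zlib
from typing import List, Tuple
from urllib.parse import quote, unquote

GZIP_MAGIC = b"\x1f\x8b"
MAX_DEPTH = 5                      # bound on nested layers; stops decode bombs
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def _printable(data: bytes):
    """Accept a decoded layer only if it is valid, printable UTF-8 text."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def base64_decode(s: str) -> str:
    """Replace Base64-looking tokens that decode to text; leave others alone."""
    def repl(m):
        token = m.group(0)
        if len(token) % 4:
            return token
        try:
            text = _printable(base64.b64decode(token, validate=True))
        except (binascii.Error, ValueError):
            return token
        return token if text is None else text
    return B64_TOKEN.sub(repl, s)


def unicode_decode(s: str) -> str:
    """\\uXXXX and \\u{XXXXXX} escapes."""
    def repl(m):
        cp = int(m.group(1) or m.group(2), 16)
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return re.sub(r"\\u(?:\{([0-9a-fA-F]{1,6})\}|([0-9a-fA-F]{4}))", repl, s)


def hex_decode(s: str) -> str:
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def oct_decode(s: str) -> str:
    """\\NNN octal escapes in the range 0-377."""
    def repl(m):
        value = int(m.group(1), 8)
        return chr(value) if value < 256 else m.group(0)
    return re.sub(r"\\([0-7]{1,3})", repl, s)


DECODERS = [("url", unquote), ("html_entity", html.unescape), ("unicode", unicode_decode),
            ("hex", hex_decode), ("oct", oct_decode), ("base64", base64_decode)]


def remove_sql_comments(s: str) -> str:
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)   # MySQL runs the body of /*!...*/
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)               # ordinary /* ... */
    return re.sub(r"--[ \t].*?(?=\r?\n|$)", " ", s)          # -- to end of line


def normalize_whitespace(s: str) -> str:
    return re.sub(r"\s+", " ", s).strip()


def normalize(raw: bytes, max_depth: int = MAX_DEPTH) -> Tuple[str, List[str]]:
    """Peel encoding layers until a fixpoint or max_depth, then pre-process.
    Returns the normalized text and the ordered list of layers removed."""
    layers: List[str] = []
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
            layers.append("gzip")
        except (OSError, EOFError, zlib.error):
            pass                                    # corrupt member: inspect the raw bytes
    text = raw.decode("utf-8", "replace")
    for _ in range(max_depth):
        before = text
        for name, fn in DECODERS:
            decoded = fn(text)
            if decoded != text:
                layers.append(name)
                text = decoded
        if text == before:
            break
    return normalize_whitespace(remove_sql_comments(text)), layers


# Illustrative signatures only; real rule sets are far larger.
SIGNATURES = [re.compile(p, re.I) for p in (r"\bunion\b\s+(all\s+)?select\b",
                                           r"'\s*or\s+'?1'?\s*=\s*'?1")]


def looks_like_sqli(normalized: str) -> bool:
    return any(p.search(normalized) for p in SIGNATURES)


# Constructed samples: SQL with a conditional comment, Base64- then URL-encoded; a gzip body.
INNER = "1' UNION/*!50000 SELECT*/ passwd FROM users"
LAYERED = quote(base64.b64encode(INNER.encode()).decode(), safe="").encode()
SAMPLE_GZIP = gzip.compress(b"Hello%20World%21")
```

Against LAYERED the normalizer reports the layers ["url", "base64"] and yields "1' UNION SELECT passwd FROM users", which the UNION SELECT signature matches although neither the raw request nor any single decoding pass contains the phrase. The depth bound matters in production: without it, an attacker can submit input that keeps decoding to something new and make the engine burn CPU on every request.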