Protected objects and protected object groups are units for which protection rules are configured. You can associate a protected object or a protected object group with a protection rule template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.

Background information

Protected objects

A protected object is the smallest unit for which WAF 3.0 protection rules can be configured. A protected object can be a cloud service instance or a domain name that is added to WAF 3.0. You can use one of the following methods to add a protected object to WAF 3.0:
  • Automatic addition: After you add an instance or a domain name to WAF 3.0, the instance or domain name is automatically added to WAF 3.0 as a protected object.
  • Manual addition: If an instance or domain name is not automatically added to WAF 3.0 as a protected object or you want to separately configure protection rules for one or more domain names that are hosted on an Application Load Balancer (ALB) instance, you can manually add the instance or domain name as a protected object. For more information, see Manually add protected objects.
Different access modes support different methods that can be used to add protected objects.
Access mode | Automatically added protected object | Manually added protected object
Cloud native mode (Add an ALB instance to WAF) | ALB instances, including all domain names that are hosted on ALB instances | Supported
Cloud native mode (Enable WAF protection for an MSE instance) | Microservice Engine (MSE) instances, including all domain names that are hosted on MSE instances | Not supported
Cloud native mode (Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF) | Classic Load Balancer (CLB) instances or Elastic Compute Service (ECS) instances, including all domain names that are hosted on CLB or ECS instances | Not supported
CNAME record mode | Domain names | Not supported
Hybrid cloud reverse proxy mode | Domain names | Not supported
Hybrid cloud SDK-based traffic mirroring mode | Not supported | Supported

Protected object groups

A protected object group is a group of protected objects. A protected object group is a unit for which WAF 3.0 protection rules can be configured. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.
Note A protected object can be added to only one protected object group.

Prerequisites

Manually add protected objects

If you want to configure protection rules for domain names that meet the following conditions, you can perform the following steps to manually add the domain names to WAF 3.0 as protected objects.
  • The domain names are hosted on ALB instances and are added to WAF 3.0 in cloud native mode.
  • The domain names are added to WAF 3.0 in hybrid cloud SDK-based traffic mirroring mode.
Note If you add an instance or a domain name to WAF 3.0 in cloud native mode, CNAME record mode, or hybrid cloud reverse proxy mode, the instance or domain name is automatically added to WAF 3.0 as a protected object. You can directly configure protection rules for the protected object. You can also configure protection rules for the protected object after you create a protected object group and add the protected object to the protected object group. For more information, see the "Create a protected object group and associate the group with a protected object" section in this topic and Protection configuration overview.
  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protected Objects.
  3. On the Protected Objects tab, click Add Protected Object.
  4. In the Add Protected Object dialog box, configure the parameters based on the value of the Protected Object Type parameter and click OK.
    • If you want to add a domain name that is hosted on an ALB instance, select Cloud Service for the Protected Object Type parameter. The following table describes the parameters.
      Parameter | Description
      Domain Name | The domain name that you want WAF to protect. You can enter an exact-match domain name such as www.aliyundoc.com or a wildcard domain name such as *.aliyundoc.com.
      Note
      • If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com.
      • WAF does not match domain names at a different level from the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com.
      • WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com.
      • If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
      Cloud Service | The type of the cloud service on which the origin server is deployed. Set this parameter to ALB.
      Instance | The ID of the ALB instance on which the origin server is deployed.
      Note If no ALB instances are added to WAF, add an ALB instance to WAF. For more information, see Add an ALB instance to WAF.
      Add to Protected Object Group | The protected object group to which you want to add a protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time.
      After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter.
      Note If no protected object groups exist in the drop-down list, skip this parameter. You can add the protected object to a protected object group after you create the protected object group. For information about how to create a protected object group, see the "Create a protected object group and associate the group with a protected object" section in this topic.
    • If you want to add domain names that are added to WAF 3.0 in hybrid cloud SDK-based traffic mirroring mode as protected objects, select Hybrid Cloud for the Protected Object Type parameter. The following table describes the related parameters.
      Parameter | Description
      Protected Object Name | The name of the protected object that you want to add.
      Domain Name | The domain name that you want WAF to protect. You can enter an exact-match domain name such as www.aliyundoc.com or a wildcard domain name such as *.aliyundoc.com.
      Note
      • If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match aliyundoc.com.
      • WAF does not match domain names at a different level from the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF does not match www.example.aliyundoc.com.
      • WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter *.aliyundoc.com, WAF matches subdomain names such as www.aliyundoc.com and example.aliyundoc.com.
      • If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
      URL | The URL that you want WAF to protect.
      Add to Protected Object Group | The protected object group to which you want to add a protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time.
      After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter.
      Note If no protected object groups exist in the drop-down list, skip this parameter. You can add the protected object to a protected object group after you create the protected object group. For information about how to create a protected object group, see the "Create a protected object group and associate the group with a protected object" section in this topic.
    After you add protected objects, you can perform the following operations on the Protected Objects tab:
    • View protected objects

      You can view information about the protected objects that you added to WAF, such as the names, asset types, and domain names of the protected objects. You can also view the protected object groups to which the protected objects belong.

    • Delete a protected object

      Find the protected object that you want to delete and click More > Delete in the Actions column.

      Note
      • You can delete only domain names that are manually added as protected objects.
      • If you want to delete a protected object that is automatically added, go to the Website Configuration page, find the instance or traffic redirection port that you want to delete, and click Remove in the Actions column.
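
The wildcard and precedence rules in the Domain Name notes above, as an added Python example (not Alibaba Cloud code): it reports which hostnames served by an origin are not covered by any configured protected-object domain. The function names and the sample lists are assumptions constructed for illustration, as is the case-insensitive comparison.

```python
# Added example: models the documented wildcard rules; not Alibaba Cloud code.

def _labels(name):
    # Assumption: hostnames compare case-insensitively and a trailing dot is ignored.
    return name.strip().rstrip(".").lower().split(".")

def pattern_matches(pattern, host):
    """True if a protected-object domain entry covers host under the documented rules."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h  # exact-match entry
    # Wildcard: exactly one label stands in for "*", with the same parent domain.
    # This excludes the primary domain (fewer labels) and deeper levels (more labels).
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def select_entry(entries, host):
    """Return the entry whose rules apply to host, or None if no entry covers it."""
    exact = [e for e in entries if not e.startswith("*.") and pattern_matches(e, host)]
    if exact:
        return exact[0]  # exact match takes precedence over a wildcard
    wild = [e for e in entries if e.startswith("*.") and pattern_matches(e, host)]
    return wild[0] if wild else None

def coverage_gaps(entries, served_hosts):
    """Hostnames the origin serves that no protected-object entry covers."""
    return [h for h in served_hosts if select_entry(entries, h) is None]

# Constructed sample data using the documentation's example domain.
ENTRIES = ["*.aliyundoc.com", "www.aliyundoc.com"]
SERVED = ["aliyundoc.com", "www.aliyundoc.com", "example.aliyundoc.com",
          "www.example.aliyundoc.com"]

if __name__ == "__main__":
    for host in SERVED:
        print(f"{host:28} -> {select_entry(ENTRIES, host)}")
    print("not covered:", coverage_gaps(ENTRIES, SERVED))
```

Hostnames reported as not covered need their own protected object (an exact-match entry or a wildcard at the right level) before any domain-level protection rule applies to them.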

Create a protected object group and associate the group with a protected object

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protected Objects.
  3. On the Protected Object Groups tab, click Create.
  4. In the Create Protected Object Group dialog box, configure the Name, Associate with Protected Object, and Description parameters. Then, click OK.
    Note
    • Only protected objects that do not belong to a protected object group and use the default protection rule template are displayed in the Objects to Select section.
    • If a protected object is added to a protected object group, you must remove the protected object from the protected object group before you add the protected object to another protected object group. For more information, see the "Remove a protected object from a protected object group" section in this topic.
    After you create a protected object group, you can perform the following operations on the Protected Object Groups tab:
    • View protected object groups and the associated protected objects

      By default, the number of protected objects in each protected object group is displayed in the list of protected object groups. If you want to view information about protected objects in a protected object group, click the show icon to the left of the name of the protected object group.

    • Delete a protected object group

      Find the protected object group that you want to delete and click Delete in the Actions column.

Associate or disassociate a protected object with or from a protected object group

You can add a protected object to a protected object group to associate the protected object with the protected object group. You can also remove a protected object from a protected object group to disassociate the protected object from the protected object group.

Add a protected object to a protected object group

  • On the Protected Objects tab, find the protected object that you want to add to a protected object group and click More > Add to Protected Object Group in the Actions column.
    Note
    • If a protected object is already added to a protected object group, the Add to Protected Object Group button is dimmed. You must remove the protected object from the current protected object group before you add the protected object to another protected object group.
    • If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list.
  • On the Protected Object Groups tab, find the protected object group to which you want to add the protected object and click Edit in the Actions column. In the Objects to Select section, select the protected object and click the Rightwards arrow icon to move the protected object to the Selected section.

Remove a protected object from a protected object group

  • If you want to remove a protected object from a protected object group, click the Protected Objects tab, find the protected object that you want to remove, and click More > Remove from Protected Object Group in the Actions column.
    Note
    • After the protected object is removed from the protected object group, you can check whether the protected object is still listed under the protected object group. You can add the protected object to another protected object group based on your business requirements.
    • After you remove the protected object from the protected object group, the default protection rule template is applied to the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic.
  • You can also click the Protected Object Groups tab, find the protected object group from which you want to remove the protected object, and click the show icon. Then, find the protected object that you want to remove and click Delete in the Actions column to remove the protected object from the protected object group.

Related operations

  • Obtain actual IP addresses of clients

    On the Protected Objects tab, find the required protected object and click Configure Client IP Address in the Actions column. In the dialog box that appears, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. WAF 3.0 matches protection rules and displays reports based on the values of the parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in the CNAME record mode topic.

    Note You must configure this parameter only when you add an ALB instance, an MSE instance, or a domain name that is added to WAF in hybrid cloud SDK-based traffic mirroring mode as a protected object.
  • View and configure protection rules
    • Find the protected object for which you want to configure protection rules and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object.
    • Find the protected object group for which you want to configure protection rules and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group.
    Note
    • If a new protected object is added to a protected object group, the protection rules that are configured for the protected object group automatically take effect for the protected object. If the new protected object is not added to any protected object group, the default protection rule template automatically takes effect for the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic.
    • You can also configure additional protection rules for protected objects on the Protection Rules page. For more information, see Protection rules.
  • View protection logs

    Find the protected object whose protection logs you want to view and click More > View Logs in the Actions column. Then, you are redirected to the Log Service page. On the Log Service page, you can enable the Log Service for WAF feature for the protected object to view the protection logs of the protected object. For more information, see Enable Log Service for WAF.