Protected objects and protected object groups are units for which protection rules are configured. You can associate a protected object or a protected object group with a protection rule template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.
Background information
Protected objects
- Automatic addition: After you add an instance or a domain name to WAF 3.0, the instance or domain name is automatically added to WAF 3.0 as a protected object.
- Manual addition: If an instance or domain name is not automatically added to WAF 3.0 as a protected object or you want to separately configure protection rules for one or more domain names that are hosted on an Application Load Balancer (ALB) instance, you can manually add the instance or domain name as a protected object. For more information, see Manually add protected objects.
Access mode | Automatically added protected object | Manually added protected object |
---|---|---|
Cloud native mode (Add an ALB instance to WAF) | ALB instances, including all domain names that are hosted on ALB instances | Supported |
Cloud native mode (Enable WAF protection for an MSE instance) | Microservice Engine (MSE) instances, including all domain names that are hosted on MSE instances | Not supported |
Cloud native mode (Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF) | Classic Load Balancer (CLB) instances or Elastic Compute Service (ECS) instances, including all domain names that are hosted on CLB or ECS instances | Not supported |
CNAME record mode | Domain names | Not supported |
Hybrid cloud reverse proxy mode | | |
Hybrid cloud SDK-based traffic mirroring mode | Not supported | Supported |
Protected object groups
Prerequisites
- A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
- Web services are added to WAF on the Website Configuration page. For more information, see Overview.
Manually add protected objects
- The domain names are hosted on ALB instances and are added to WAF 3.0 in cloud native mode.
- The domain names are added to WAF 3.0 in hybrid cloud SDK-based traffic mirroring mode.
Create a protected object group and associate the group with a protected object
Associate or disassociate a protected object with or from a protected object group
You can add a protected object to a protected object group to associate the protected object with the protected object group. You can also remove a protected object from a protected object group to disassociate the protected object from the protected object group.
Add a protected object to a protected object group
- On the Protected Objects tab, find the protected object that you want to add to a protected object group and click Add to Protected Object Group in the Actions column.
Note
- If a protected object is already added to a protected object group, the Add to Protected Object Group button is dimmed. You must remove the protected object from the current protected object group before you add the protected object to another protected object group.
- If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list.
- On the Protected Object Groups tab, find the protected object group to which you want to add the protected object and click Edit in the Actions column. In the Objects to Select section, select the protected object and click the icon to move the protected object to the Selected section.
Remove a protected object from a protected object group
- If you want to remove a protected object from a protected object group, click the Protected Objects tab, find the protected object that you want to remove, and click in the Actions column.
Note
- After the protected object is removed from the protected object group, you can check whether the protected object is still listed under the protected object group. You can add the protected object to another protected object group based on your business requirements.
- After you remove the protected object from the protected object group, the default protection rule template is applied to the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic.
- You can also click the Protected Object Groups tab, find the protected object group from which you want to remove the protected object, and click the icon. Then, find the protected object that you want to remove and click Delete in the Actions column to remove the protected object from the protected object group.
Related operations
- Obtain actual IP addresses of clients
On the Protected Objects tab, find the required protected object and click Configure Client IP Address in the Actions column. In the dialog box that appears, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. WAF 3.0 matches protection rules and displays reports based on the values of the parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter in the CNAME record mode topic.
Note
You must configure this parameter only when you add an ALB instance, an MSE instance, or a domain name that is added to WAF in hybrid cloud SDK-based traffic mirroring mode as a protected object.
- View and configure protection rules
- Find the protected object for which you want to configure protection rules and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object.
- Find the protected object group for which you want to configure protection rules and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group.
Note
- If a new protected object is added to a protected object group, the protection rules that are configured for the protected object group automatically take effect for the protected object. If the new protected object is not added to any protected object group, the default protection rule template automatically takes effect for the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic.
- You can also configure additional protection rules for protected objects on the Protection Rules page. For more information, see Protection rules.
- View protection logs
Find the protected object whose protection logs you want to view and click in the Actions column. Then, you are redirected to the Log Service page. On the Log Service page, you can enable the Log Service for WAF feature for the protected object to view the protection logs of the protected object. For more information, see Enable Log Service for WAF.