How to add and manage protected objects and protected object groups - Web Application Firewall

Protected objects and protected object groups are units for which protection rules take effect. You can associate a protected object or protected object group with a protection template to implement Web Application Firewall (WAF) protection. This topic describes how to add and manage protected objects and protected object groups.

Background information

Protected objects

A protected object is the smallest unit for which WAF protection rules take effect. A protected object can be a cloud service instance or a domain name.

To add a protected object to WAF, you can use one of the following methods:

Automatic addition: After you add an instance or a domain name to WAF, the instance or domain name is automatically added to WAF as a protected object.
Manual addition: If you want to configure protection rules for one or more domain names that are hosted on an Application Load Balancer (ALB) instance, Classic Load Balancer (CLB) instance, or Elastic Compute Service (ECS) instance, you can manually add the domain names to WAF as protected objects. For more information, see Manually add protected objects.

In different access modes, you can use different methods to add protected objects to WAF.

Access mode	Automatic addition	Manual addition	Limits
Cloud native mode (Add an ALB instance to WAF)	ALB instances that are added to WAF are automatically added to WAF as protected objects.	Domain names that are hosted on ALB instances can be manually added to WAF as protected objects.	The maximum number of protected objects that can be added to WAF varies based on the WAF edition. Subscription: Basic Edition: Up to 300 protected objects can be added to WAF. Pro Edition: Up to 600 protected objects can be added to WAF. Enterprise Edition: Up to 2,500 protected objects can be added to WAF. Ultimate Edition: Up to 10,000 protected objects can be added to WAF. Pay-as-you-go Edition: Up to 10,000 protected objects can be added to WAF. To view the number of protected objects in your WAF instance and the number of protected objects that can be added to your WAF instance, go to the Protected Objects page in the WAF 3.0 console. If you use a subscription WAF instance, the number of protected objects that you can add to your WAF instance is calculated by using the following formula: Number of protected objects that can be added to WAF = Maximum number of protected objects supported by the current edition - Number of free domain names supported by the current edition - Number of extra domains that you purchase. For example, if you use a subscription WAF instance that runs Pro Edition and purchased two extra domains, you can add 593 (600 - 5 - 2) protected objects to WAF. If the number of protected objects that you add to WAF reaches the limit, you can no longer add domain names or cloud service instances to WAF. In addition, you can no longer purchase extra domains. If you want to add more protected objects to WAF, remove protected objects that no longer require WAF protection from your WAF instance or upgrade your WAF instance. For more information, see Manage protected objects, Manage protected object groups, and Upgrade or downgrade a WAF instance.
Cloud native mode (Add an MSE instance to WAF)	Microservices Engine (MSE) instances that are added to WAF, including all routes that are hosted on MSE instances, are automatically added to WAF as protected objects.	Manual addition is not supported.
Cloud native mode (Add a custom domain name in Function Compute to WAF)	Custom domain names in Function Compute that are added to WAF are automatically added to WAF 3.0 as protected objects.	Manual addition is not supported.
Cloud native mode (Add a Layer 7 CLB instance to WAF, Add a Layer 4 CLB instance to WAF, and Add an ECS instance to WAF)	CLB or ECS instances that are added to WAF are automatically added to WAF as protected objects.	Domain names that are hosted on CLB or ECS instances can be manually added to WAF as protected objects.
CNAME record mode	Domain names that are added to WAF in CNAME record mode or hybrid cloud reverse proxy mode are automatically added to WAF as protected objects.	Manual addition is not supported.
Hybrid cloud reverse proxy mode		Manual addition is not supported.
Hybrid cloud SDK-based traffic mirroring mode	Automatic addition is not supported.	Domain names that are added to WAF in hybrid cloud SDK-based traffic mirroring mode can be manually added to WAF as protected objects.

Protected object groups

A protected object group is a group of protected objects. A protected object group is a unit for which WAF protection rules take effect. You can add multiple protected objects to a protected object group and configure protection rules for the protected object group. The protection rules take effect for all protected objects in the group.

Note

A protected object can belong to only one protected object group.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
If you want to manually add a domain name that is hosted on a CLB or an ECS instance and resides in the Chinese Mainland to WAF as a protected object, you must apply for an Internet Content Provider (ICP) filing for the domain name.
Note
When you apply for an ICP filing in the Alibaba Cloud ICP Filing system, the system displays the required operations based on the website information that you specify.

Manually add protected objects

If you want to configure protection rules for domain names that meet the following conditions, perform the following steps to manually add the domain names to WAF as protected objects:

The domain names are hosted on ALB, CLB, or ECS instances that are added to WAF in cloud native mode.
The domain names are added to WAF in hybrid cloud SDK-based traffic mirroring mode.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Objects tab, click Add Protected Object.

In the Add Protected Object dialog box, configure the parameters based on the value of the Protected Object Type parameter and click OK.

Cloud services

If you want to add a domain name that is hosted on an ALB, CLB, or ECS instance to WAF as a protected object, set the Protected Object Type parameter to Cloud Service. Then, configure the parameters. The following table describes the parameters.

Parameter	Description
Domain Name	The domain name that you want to add to WAF. You can enter an exact-match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `aliyundoc.com`. WAF does not match domain names at levels that are different from the level of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `www.example.aliyundoc.com`. WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter `*.aliyundoc.com`, WAF matches subdomain names such as `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
Cloud Service	The cloud service on which the origin server is deployed. Valid values: ALB CLB4: Layer 4 CLB service CLB7: Layer 7 CLB service ECS
Instances	The ID of the cloud service instance. This parameter is required only if you set the Cloud Service parameter to ALB. Note If no ALB instances are added to WAF, add an ALB instance to WAF. For more information, see Add an ALB instance to WAF.
Add to Protected Object Group	The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add a protected object to the protected object group. For information about how to create a protected object group, see Create a protected object group.

Hybrid cloud SDK-based traffic mirroring mode

If you want to add a domain name that is added to WAF 3.0 in hybrid cloud SDK-based traffic mirroring mode as a protected object, set the Protected Object Type parameter to Hybrid Cloud. Then, configure the parameters. The following table describes the parameters.

Parameter	Description
Protected Object Name	The name of the protected object that you want to add to WAF.
Domain Name	The domain name that you want to add to WAF. You can enter an exact match domain name, such as `www.aliyundoc.com`, or a wildcard domain name, such as `.aliyundoc.com`. Note* If you enter a wildcard domain name, WAF does not match the primary domain name of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `aliyundoc.com`. WAF does not match domain names at levels that are different from the level of the wildcard domain name. For example, if you enter `.aliyundoc.com`, WAF does not match `www.example.aliyundoc.com`. WAF automatically matches all domain names at the same level as the wildcard domain name. For example, if you enter `*.aliyundoc.com`, WAF matches subdomain names such as `www.aliyundoc.com` and `example.aliyundoc.com`. If you enter an exact-match domain name and a wildcard domain name, the protection rules of the exact-match domain name take precedence.
URL	The URL that you want to add to WAF.
Add to Protected Object Group	The protected object group to which you want to add the protected object. You can add multiple protected objects to the protected object group and configure protection rules for the protected objects at the same time. After you add a protected object to a protected object group, you can configure protection rules for the protected object only by configuring protection rules for the protected object group. You cannot separately configure protection rules for the protected object. If you want to separately configure protection rules for the protected object, skip this parameter. Note If no protected object groups exist in the drop-down list, skip this parameter. After you create a protected object group, you can add a protected object to the protected object group. For information about how to create a protected object group, see Create a protected object group.

After you add a protected object to a protected object group, you can view and manage the protected object in the protected object list. For more information, see Manage protected objects.

Create a protected object group

You can create protected object groups, associate protected objects with protected object groups, and configure protection rules for multiple protected objects at the same time.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protected Objects.
On the Protected Object Group tab, click Create.
In the Create Protected Object Group dialog box, configure the Name, Associate with Protected Object, and Description parameters. Then, click OK.
Note
- Only protected objects that do not belong to a protected object group and use the default protection rule template are displayed in the Objects to Select section.
- If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you add the protected object to another protected object group. For more information, see Modify a protected object group.
After you create a protected object group, you can manage the protected object group on the Protected Object Group tab. For more information, see Manage protected object groups.

Manage protected objects

On the Protected Objects tab, you can view and manage protected objects.

Feature		Description
Settings	Configure Client IP Address	If a Layer 7 proxy is deployed in front of WAF, you can specify the method that you want WAF to use to obtain the IP addresses of clients. Layer 7 proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN. This way, WAF can obtain the actual IP addresses of clients, match requests with corresponding protection rules, such as IP address blacklist rules, and display information on security reports, such as source IP addresses. Find the protected object that you want to manage and click Settings in the Actions column. In the Settings dialog box, configure the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF and Obtain Actual IP Address of Client parameters. For more information, see the description of the Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF parameter. Note Domain names that are added to WAF in CNAME record mode, CLB instances, and ECS instances: If you configure this parameter when you add the protected object to WAF, skip this parameter. ALB instances, MSE instances, custom domain names in Function Compute, and domain names that are added to WAF in hybrid cloud SDK-based traffic mirroring mode: You can configure this parameter based on your business requirements.
	Cookie Settings	Tracking Cookie By default, WAF uses `acw_tc` to mark a request if the request passes through WAF. You can turn on or turn off Status to enable or disable the Tracking Cookie feature. If you want WAF to use acw_tc to mark only HTTPS requests, turn on Secure Attribute. Important We recommend that you turn on Status. Otherwise, the HTTP flood protection and scan protection features may not function as expected. By default, if you add a protected object to a protected object group, the Tracking Cookie feature is enabled and cannot be disabled, and Secure Attribute is turned on for the protected object. You cannot turn on Secure Attribute for MSE instances and custom domain names in Function Compute. If a request is sent to multiple protected objects and the Tracking Cookie feature is enabled or Secure Attribute is turned on for one of the protected objects, the same features are enabled for the protected objects. Slider CAPTCHA Cookie If a request passes slider CAPTCHA verification, WAF uses `acw_sc__v3` to mark the request. If you want WAF to use acw_sc__v3 to mark only HTTPS requests, turn on Secure Attribute. Important If you turn on Secure Attribute, slider CAPTCHA may not function as expected on HTTP sites. By default, if you add a protected object to a protected object group, Secure Attribute is turned off and cannot be turned on for the protected object. You cannot turn on Secure Attribute for MSE instances or custom domain names in Function Compute.
View and configure protection rules		Find the protected object for which you want to configure protection rules and click View Protection Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object. Note After you add a protected object to a protected object group, the protection rules that are configured for the protected object group take effect on the protected object. If you do not add a protected object to a protected object group, the default protection rules take effect on the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic. You can also configure additional protection rules for protected objects on the Protection Rules page. For more information, see Protection rules.
Add to a protected object group		Find the protected object that you want to add to a protected object group and choose > Add to Protected Object Group in the Actions column. If you want to add multiple protected objects to a protected object group at the same time, select the protected objects and click Add to Protected Object Group below the list.
View protection logs		Find the protected object whose protection logs you want to view and choose > View Logs in the Actions column. You are redirected to the Log Service page. On the Log Service page, you can enable the log collection feature for the protected object and view the protection logs of the protected object. For more information, see Enable or disable the Log Service for WAF feature.
Remove a protected object		Find the protected object that you want to remove from WAF and choose > Delete in the Actions column. Note You can remove only domain names that are manually added to WAF as protected objects. To remove a CLB or ECS instance from WAF, perform the following steps: Go to the Website Configuration page. Find the instance or redirection port that you want to remove from WAF, click Remove in the Actions column, and then remove the protected object.
Add tags to or remove tags from protected objects		You can use tags to search for specific resources in the WAF console. Find the protected object to which you want to add a tag and move the pointer over the icon in the Tag column. If no tags are added to the protected object, click Add. If a tag is already added to the protected object, click Edit. In the Edit Tag dialog box, select or enter a tag key and enter a tag value. Note You can configure up to 10 tag keys at the same time. You can leave the tag value empty. The tag key or tag value can be up to 128 characters in length, and cannot contain `http://` or `https://`. The tag key or tag value cannot start with `acs:` or `aliyun`. You can add or modify tags on the Protected Objects page or Website Configuration page. The latest tags are automatically displayed on both pages. You can also select multiple protected objects and then add tags to or remove tags from the protected objects at the same time.

Manage protected object groups

On the Protected Object Group tab, you can view and manage protected object groups.

Feature		Description
Modify protected object groups		Find the protected object group that you want to modify and click Edit in the Actions column. Move the protected objects from the Objects to Select section to the Selected Protected Object Groups section or from the Selected Protected Object Groups section to the Objects to Select section. Note After you remove the protected object from the protected object group, a default protection template is applied to the protected object. For more information, see the description of the default protection rule template in the Protection configuration overview topic. You can add a protected object to only one protected object group. If a protected object already exists in a protected object group, you must remove the protected object from the protected object group before you add the protected object to another protected object group.
View and configure protection rules		Find the protected object group for which you want to configure protection rules and click Configure Rule in the Actions column. On the Protection Rules page, configure protection rules for the protected object group. If you configure a protection rule for a protected object group, the rule takes effect for all protected objects in the group.
Delete protected object groups		Find the protected object group that you want to delete and click Delete in the Actions column. Note If you delete a protected object group, all protected objects in the group are disassociated from the group and a default protection template is applied to the protected objects.