Configure the Bot Endpoint Policy
Important: Bot Defense Advanced Self-Service Policy Management is a beta feature.
The Bot Endpoint Policy defines the path and mitigation actions for automation and human traffic for the endpoints you want to protect with Bot Defense Advanced. Before you configure your Bot Endpoint Policy, you should perform a site analysis and compile a list of endpoints that you need to protect.
To view your Bot Endpoint Policies, click Manage > Bot Policies > Bot Endpoint Policy.
Figure: Bot Endpoint Policies
Work with the F5 Operations team to configure the following settings for each endpoint:
- Traffic Type: Specify whether the endpoint is accessed by web traffic, mobile traffic, or both web and mobile traffic.
- Domain Matcher: Specify the domains you want to protect. Enter an exact value, a suffix value, or a regex value. Note that if you do not specify a domain, the domain field is blank and the endpoint accepts traffic from any domain.
Figure: No domain specified
- Path: Enter the path to the endpoint you want to protect. For example, enter `/login`. Enter a prefix, exact path, or regex value.
- (Optional) Query: If you want to protect specific sections of a page, enter the criteria for the section you want to protect. For example, if the query string of a URI you want to protect is `<yourdomain>/account.do/issue?account=moneytransfer`, enter the parameter name and parameter value `account=moneytransfer` to protect the `moneytransfer` function. When you enter a Query parameter, the Bot Defense service looks at both the Path and Query values.
- Request Body: Content in the body of the request must match this criteria to be protected by Bot Defense.
- Header: A header in the request must match this criteria to be protected by Bot Defense.
- HTTP Methods you want to protect with Bot Defense:
  - ANY: Includes GET(XHR/Fetch), POST and PUT. Does not include GET(Document). To select all methods including GET(Document), instead of ANY you must select each method from the list.
  - GET(XHR/Fetch): Use when the protected application makes an XMLHttpRequest or Fetch API call to get the content of the page. GET requests are protected only if they are sent by XMLHttpRequest from a page with Bot Defense JavaScript injected, not from direct navigation using the address bar or a link.
  - POST: The most commonly attacked method. F5 recommends that you protect all POST requests.
  - PUT
  - GET(Document): Use to protect pages on a web site that can be accessed by GET requests without visiting the main page. When you configure an endpoint using GET(Document), Bot Defense displays an interstitial page that is transparent to the user but that allows Bot Defense to collect telemetry data about the requests. Note that you cannot use GET(Document) with mobile endpoints.
- Endpoint Category: F5 strongly recommends that you select endpoint labels to allow more granular attack intent identification and reporting when Bot Defense detects automation. For a full list of available endpoint labels, see Endpoint Labels.
- Mitigation Action: Specify what action to take when a bot is detected.
  - Continue: Allows requests to continue to the origin. A log record is created but headers are not added to the request.
  - Block: The endpoint returns a status code and message. You can enter a status code and edit the message here.
  - Redirect: The endpoint forwards the browser to the URL that you specify. You can only select Redirect for web endpoints.
  - Transform: Allows the request to continue to the origin. Headers are added to the request for inference and automation type.
- Good Bot Detection Settings: Specify whether the mitigation actions you selected above apply to both bad bots and good bots. You can choose to flag good bots but allow them to continue to origin, or you can apply the mitigation actions to all automation. By default, mitigation actions are applied to all automation.
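Before handing an endpoint list to the F5 Operations team, it helps to be precise about which requests each entry will actually select. The following Python model is an added example, not F5's implementation and not part of this documentation: it encodes the matcher kinds described above (exact/suffix/regex domain, prefix/exact/regex path, query parameter, HTTP method list where ANY excludes GET(Document)) and the four mitigation actions, including the good-bot setting. The request dictionary shape, the field names, the default block status, and the header name `X-Example-Inference` are assumptions made for this example; the `moneytransfer` entry mirrors the documentation's own query example.

```python
"""Illustrative Bot Endpoint Policy matcher (added example, not F5's code).

Models the matcher types and mitigation actions the documentation describes so
an endpoint list can be sanity-checked before deployment. Request shape,
field names, and the X-Example-Inference header are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

# Per the documentation, ANY covers these three; GET(Document) must be
# selected explicitly.
ANY_METHODS = {"GET(XHR/Fetch)", "POST", "PUT"}


@dataclass
class Matcher:
    kind: str    # "exact", "suffix", "prefix" or "regex"
    value: str

    def matches(self, text: str) -> bool:
        if self.kind == "exact":
            return text == self.value
        if self.kind == "suffix":
            return text.endswith(self.value)
        if self.kind == "prefix":
            return text.startswith(self.value)
        if self.kind == "regex":
            return re.fullmatch(self.value, text) is not None
        raise ValueError(f"unknown matcher kind {self.kind!r}")


@dataclass
class EndpointPolicy:
    path: Matcher
    methods: set[str]
    domain: Optional[Matcher] = None          # None: any domain is accepted
    query: dict[str, str] = field(default_factory=dict)
    traffic_type: str = "web"                 # "web", "mobile" or "both"
    action: str = "Continue"                  # Continue, Block, Redirect, Transform
    block_status: int = 403                   # assumed default
    redirect_url: str = ""
    mitigate_good_bots: bool = True           # documented default: all automation

    def applies_to(self, req: dict) -> bool:
        """True when the request matches domain, path, query and method."""
        if self.domain is not None and not self.domain.matches(req["host"]):
            return False
        if not self.path.matches(req["path"]):
            return False
        # When a query parameter is configured, both Path and Query must match.
        params = parse_qs(req.get("query", ""))
        for name, value in self.query.items():
            if value not in params.get(name, []):
                return False
        allowed: set[str] = set()
        for m in self.methods:
            allowed |= ANY_METHODS if m == "ANY" else {m}
        return req["method"] in allowed

    def decide(self, req: dict, verdict: str) -> dict:
        """verdict: 'human', 'good_bot' or 'bad_bot' from the detection layer.

        Returns a constructed decision record: what happens to the request.
        """
        if verdict == "human" or not self.applies_to(req):
            return {"action": "forward", "logged": False, "headers": {}}
        if verdict == "good_bot" and not self.mitigate_good_bots:
            # Flagged (logged) but allowed through to origin unmodified.
            return {"action": "forward", "logged": True, "headers": {},
                    "flagged": "good_bot"}
        if self.action == "Continue":
            return {"action": "forward", "logged": True, "headers": {}}
        if self.action == "Transform":
            return {"action": "forward", "logged": True,
                    "headers": {"X-Example-Inference": verdict}}
        if self.action == "Block":
            return {"action": "block", "logged": True, "status": self.block_status}
        if self.action == "Redirect":
            if self.traffic_type != "web":
                raise ValueError("Redirect is only available for web endpoints")
            return {"action": "redirect", "logged": True,
                    "location": self.redirect_url}
        raise ValueError(f"unknown mitigation action {self.action!r}")


# Constructed policy entry mirroring the documentation's query example.
MONEY_TRANSFER = EndpointPolicy(
    domain=Matcher("suffix", "example.com"),
    path=Matcher("exact", "/account.do/issue"),
    query={"account": "moneytransfer"},
    methods={"ANY"},
    action="Block",
)

if __name__ == "__main__":
    req = {"host": "www.example.com", "path": "/account.do/issue",
           "query": "account=moneytransfer", "method": "POST"}
    print(MONEY_TRANSFER.decide(req, "bad_bot"))
    print(MONEY_TRANSFER.decide(dict(req, method="GET(Document)"), "bad_bot"))
```

Running the model over a handful of representative requests surfaces the two gaps practitioners most often miss: an entry with `methods={"ANY"}` does not cover direct navigation (`GET(Document)`), and an entry with a query criterion silently skips requests to the same path whose parameter value differs.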
Next Steps
Work with your F5 Operations team to deploy your policy update in your test environment. Then test your new policy settings to make sure the system behaves as you intended.
After you deploy your Bot Endpoint Policy, you can view information about your policy, including details about current and past versions. For information, see Manage Bot Policies.