Configure Bot Detection Rules

Important: Bot detection rule self-service management is a limited availability feature. Contact your F5 account team for information.

The following sections explain how to make changes to your bot detection rules, including how to model rule changes before you make them, how to turn rules on and off, and how to view the status of your rule deployments.

Model Rule Changes in the Traffic Analyzer

Before you deploy a bot detection rule, you can use the Traffic Analyzer in the Distributed Cloud Console to see the impact of the change on your traffic. When you select a rule to model with the Traffic Analyzer, the Traffic Analyzer displays the traffic captured by that rule. You can use the filters and Transaction Detail panel to determine if the rule is correctly capturing automated traffic or if the rule is too aggressive for your environment and capturing too much legitimate traffic (false positives).

1. From the Bot Defense navigation panel, select Manage > Bot Policies. Then select Bot Detection Rules.

2. Select Active Rules. Then, from the list of bot detection rules, select the checkbox next to one or more rules.

   

   Figure: List of Bot Detection Rules

3. Select View Traffic Analyzer.

4. In the Traffic Analyzer results, inspect your traffic for the following types of issues:

   • Look for diurnal patters where traffic increases during the day and then decreases at night. This is a normal human pattern. If traffic does not follow this pattern and instead is constant throughout the day and night then you should investigate the traffic further to make sure it is legitimate and not automated.
   • Look at the distribution of IP addresses and the countries of origin. Confirm that this distribution looks like it comes from your normal user base.
   • Look at the User Agent column and decide if there are any suspicious user agents present. You can also use this technique to identify wanted automation, such as test tools or SEO bots.
   • In the Action Taken column, see how many transactions were blocked and then decide if that is an appropriate number or if it is more than expected.
   • Select Add Filter. From the drop-down menu, select Bot Reason, select In, select Token Missing and select Apply. Review the traffic and determine if it looks legitimate. If a normal user request appears in the "token missing" results, it could mean that one of the following occurred:
     • The Bot Defense JavaScript did not run.
     • Another JavaScript on the page interfered with the Bot Defense JavaScript.
     • The request was made before the Bot Defense JavaScript loaded.

   To learn more specific transactions captured by the rule, you can also select an entry in the Time column in the data table to display the Transaction Detail panel. The Transaction Detail panel provides information such as user name, IP address, HTTP method type, URL of the endpoint, the bot detection rule that was triggered, the type of traffic and information about why Bot Defense determined that the traffic was automated.

   

   Figure: Traffic Analyzer

For more information about using the Traffic Analyzer, see Traffic Analyzer in Bot Defense Dashboards and Reporting.

Note: When the Traffic Analyzer identifies traffic that may be unwanted automation, you can also use your own internal logging tools or other systems and data to learn more about the traffic.

Deploy a Bot Detection Rule

To deploy a bot detection rule, you must change the rule state from Off to On. When you deploy a bot detection rule, the rule is deployed on all infrastructures in the same cluster group that process the same type of traffic (Web or Mobile) that you selected. For example, if the rule you selected evaluates "web" traffic and you select to deploy to “Prod,” Bot Defense deploys the rule to all of your production infrastructures in the same cluster group that process web traffic. For information about cluster groups, see View Rule Details.

You can deploy one rule or one set of rules at a time. If you or another administrator has a rule deployment in progress then you must wait for that deployment to finish before you can deploy additional rules.

At any time during the bot detection rule deployment configuration process, you can choose to save your unfinished bot detection rule deployment as a draft. After you select the rules you want to deploy, select Save Draft. The rule deployment is saved as a draft and can be updated or deployed later by you or another user.

Note: If you want to turn off a rule, change the rule state to Off instead of On.

Note: If you see the message, “New Bot Detection Rules have been deployed,” when you attempt to deploy a bot detection rule, another administrator might be making changes to this rule, or the F5 Managed Services team might have made a change to the rule. Check with your internal team or with the F5 Managed Services team to identify possible bot detection rule update conflicts.

1. From the Bot Defense navigation panel, select Manage > Bot Policies, and then select Bot Detection Rules.

2. Select Active Rules, select the checkbox next to the rules you want to deploy, and then select Edit Rule State.

3. In the Edit Rule State panel, make sure the correct rules are selected. If you deselect the checkbox for one of the rules, the rule state for that rule does not change and the deselected rule is not deployed.

   

   Figure: Edit Rule State

4. From the Deploy To drop-down menu select one of the following options:

   • Prod: Deploys to all of your production infrastructures.
   • Test: Deploys to all of your test infrastructures.
   • Prod & Test: Deploys to all of your test and production infrastructures.

5. In the Change To column, select whether you want to turn each rule in your rule deployment On or Off.

6. In the Reasons column, next to each rule you want to deploy, select Add and select the reason you want to change the rule state. The "reason" helps you or other admins understand why you made the change in case you need to review the change in the future. Select one of the following reasons:

   • False Positive: Indicates you updated the rule status because the rule is incorrectly identifying legitimate traffic as automation.
   • True Positive: Indicates you updated the rule status because you determined that the rule correctly identifies unwanted traffic.
   • Testing: Indicates you deployed the rule as part of your testing process.
   • Other: Enter a custom reason for the rule change in the Comments box.
   

   Figure: Add Reasons

7. Select Add Reasons.

8. Review and acknowledge the legal agreement. F5 recommends that you review the text of the legal agreement before you agree.

   

   Figure: Review and Acknowledge the Legal Agreement

   Important: F5 recommends that you test all bot detection rule changes in your Test infrastructure before you deploy them in a Production infrastructure.

9. Select Deploy. It takes a few minutes for the rule deployment to complete.

   Note: When you deploy a rule change, you may see the message, "Bot Detection Rules could not be deployed due to an update error. Please try again. If the error persists, contact support." This is usually caused by a temporary network connectivity issue between your Bot Defense infrastructure and the Distributed Cloud Console. When this occurs, refresh your browser to view the latest updates. In some cases, depending on the changes, you might need to start a new rule deployment.

   Note: If you are not ready to deploy the rule change, you can select Save Draft to save the change as a draft that you can update or deploy later.

Next Steps

View the status of your in-progress rule deployment. See View Deployment Details.

Note: If you save a rule deployment as a draft, you can deploy it later or you can choose to discard the deployment. See Discard a Bot Detection Rule Deployment Draft.

View Deployment Details

View information about in-progress or previous successful, failed or discarded deployment attempts. This information can be helpful when you try to research issues with your rule deployments, such as deployments that were only partially successful. Details include information about the deployment, such as date and time of the deployment, who performed the deployment, and status of the deployment (Successful, Failed, Partial, and so on).

The Deployment Details panel also includes information about each infrastructure in the deployment, such as the infrastructure name, region and type. The panel also includes a section that details each rule change in the deployment and the intended change on each infrastructure (On to Off or Off to On).

1. From the Bot Defense navigation panel, select Manage > Bot Policies. Then select Bot Detection Rules.

2. Select Rule Deployment Status.

3. From the Actions column, select the Action menu (…) next to the deployment you want to view.

4. Select Deployment Details.

   

   Figure: Deployment Details

---