Get Started with Bot Defense

Published April 5, 2023 | Last modified April 6, 2026

Bot Defense protects your web and mobile application endpoints from automated attacks by identifying and mitigating malicious or bad bots. For more information about Bot Defense features, see Bot Defense Overview.

Important: Bot Defense Self-Service Policy Management is an Early Access feature.

The following information helps you get started with Bot Defense.

Step 1: Sign Up for Bot Defense

To enable Bot Defense, contact your F5 account team. Once enabled, your F5 team can help you quickly get your Bot Defense infrastructure and policies configured to protect your applications from automated attacks, such as credential stuffing, denial of service, web scraping and so on.

As your applications change and you add new endpoints to your environment, you can use Bot Defense Self-Service Policy Management to make changes to your policies, or you can contact your F5 team for assistance.

Bot Defense Self-Service Policy Management is available from the Distributed Cloud Console. You must have one or more of the following permissions:

  • f5xc-bot-defense-admin role: Provides advanced administrative access, including service activation.
  • f5xc-bot-defense-user role: Provides read and write access to bot policies and read access to bot infrastructure. This role also grants permission to deploy new bot policy versions.
  • f5xc-bot-defense-monitor role: Provides read-only access to bot infrastructure, bot policies and dashboards.
  • f5xc-bot-defense-report role: Provides permissions to create and manage monthly Bot Defense reports.

If you do not have any of these roles, contact your Bot Defense administrator or F5 Support.

Step 2: Decide What You Want to Protect

You must decide which endpoints you want to protect with Bot Defense. For information about what to consider when you configure web and mobile endpoints, see the following information:

Step 3: Configure Your Bot Defense Infrastructure

Use the F5 Distributed Cloud Console to add and configure your Bot Defense infrastructures in the F5 Hosted Cloud. Bot Defense infrastructures are the virtual machines that host the Bot Defense components that process and evaluate your traffic to determine what traffic is human and what is bots.

Important: If F5 Operations has already configured your Bot Defense infrastructure, go to Step 4: Configure Your Bot Policies.

Important: If you use Bot Defense in API mode, you cannot use self-service to create your Bot Defense infrastructure. You must contact F5 Support or your Sales team to create your infrastructure.

A typical Bot Defense deployment can consist of multiple Test and Production infrastructures. You must configure different infrastructures for web-based traffic and mobile traffic. You can add as many Production and Test infrastructures as your subscription limit allows.

To configure a Bot Defense infrastructure, you must configure the following settings:

  • Traffic type: Whether you want the infrastructure to process mobile or web-based traffic.
  • Infrastructure type: Whether the infrastructure is for production traffic or is for testing.
  • Region: The geographic region where you want your infrastructure located. For production infrastructures, you must choose two regions.
  • Access control list: The list of IP addresses from which traffic can access the new infrastructure.

For instructions, see Configure the Bot Defense Infrastructure.

Step 4: Configure Your Bot Policies

Bot Defense provides three system policies that allow you to control system configuration settings:

Bot Defense Self-Service Policy Management allows you to make and deploy any necessary changes to your policies, for example, to protect new endpoints, update mitigation actions, add new clients to the allowlist or to add new network routes. If you prefer, you can also work with your F5 team to make these changes.

Important: F5 strongly recommends that you deploy and thoroughly test policy updates in the Test infrastructure provided to you by F5 before you deploy in your Production infrastructure.

Note: If you use Bot Defense in API mode, you do not need to configure the Bot Network Policy.

Use the Distributed Cloud Console to view and manage your policies, including details of current and past policy versions.

Step 5: Test Your Configuration

Deploy your policies in the Test infrastructure provided to you by F5 to test your Bot Defense deployment and help ensure that Bot Defense policies are properly configured, that JavaScript tags are injected in your application pages correctly, or that you have correctly integrated the F5 Distributed Cloud Mobile SDK.

For information about how to deploy your Bot Defense policies, see Deploy Policy Updates.

For information about how to test Bot Defense, see Test Your Bot Defense Configuration.

Step 6: Deploy Policies in Your Production Environment

Important: F5 strongly recommends that you deploy and thoroughly test policy updates in the Test infrastructure provided to you by F5 before you deploy in your Production infrastructure.

After you verify in your Test infrastructure that Bot Defense is configured correctly and correctly identifies automated traffic, you can deploy your policies yourself or work with your F5 team to deploy your policies in your Production infrastructure.

Step 7: Enable Bot Defense on an HTTP Load Balancer (Optional)

You can enable Bot Defense on one or more HTTP load balancers that you have configured in the F5 Distributed Cloud Console in either the Web App & API Protection workspace or the Multi-Cloud App Connect workspace. To configure Bot Defense on an HTTP load balancer, you must complete the following tasks on each HTTP load balancer where you want to enable Bot Defense:

  1. Enable the Bot Defense workspace on one or more HTTP load balancers.
  2. Configure how you want Bot Defense to inject JavaScript tags in the HTTP pages in your application. Bot Defense adds JavaScript, which runs in users' browsers and collects data that distinguishes between human visitors and automation.
  3. If you are protecting mobile endpoints, enable and configure the F5 Distributed Cloud Mobile SDK. The Mobile SDK collects telemetry that is then inspected by Bot Defense to determine if requests initiated from legitimate mobile devices.

For instructions, see Configure Bot Defense on an HTTP Load Balancer.

Step 8: Deploy Bot Detection Rules

Important: Bot detection rule self-service management is a limited availability feature. Contact your F5 account team for information.

When you first configure Bot Defense, F5 supplies you with a set of bot detection rules. A bot detection rule contains criteria that Bot Defense uses to determine whether a transaction is from a human or automated source. A subset of rules is turned on by default. The remaining rules are turned off. Monitor your traffic for approximately two weeks to see how rules that are turned on affect your traffic. After this initial two weeks, you can begin to turn rules on and off to make changes to how Bot Defense handles your traffic. You can make these changes in the Distributed Cloud Console without contacting F5 for assistance.

Important: F5 recommends that you deploy each rule in a Test infrastructure before you deploy in your production infrastructure.

For information about bot detection rules, see Bot Detection Rules Overview.

On this page: