Test Your Bot Defense Advanced Configuration
Important: Bot Defense Advanced Self-Service Policy Management is a beta feature.
Use the following information to help ensure that Bot Defense Advanced is properly configured, that it is injecting JavaScript tags in your application pages correctly, or that you have correctly integrated the F5 Distributed Cloud Mobile SDK with your mobile application.
Verify JavaScript Tags Injection in Your Entry Pages
To confirm that JavaScript tags are injected in your entry pages, use the following procedure to inspect the pages in your browser and look for Bot Defense-specific headers.
Note: For help with JavaScript tag injection, contact the F5 Operations team.
- Open one of the application pages you chose to protect.
- Use the developer tools in your browser or view the page source to inspect the page and confirm that Bot Defense has inserted JavaScript tags with the query string parameters ?matcher, ?cache, and ?async. For example:
  yourscript.js?matcher
  yourscript.js?cache
  yourscript.js?async
  Figure: JavaScript tags
If the JavaScript tags appear correctly, then the JavaScript tags are being correctly injected into your entry pages. If you do not see all three JavaScript tags, check your configuration to confirm it is correct. If necessary, contact the F5 Operations team for additional assistance.
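The same check can be scripted against saved page source. This is an added example, not F5 code: it assumes the marker (matcher, cache or async) is the first key in the script URL's query string, and the sample pages are constructed around the yourscript.js placeholder used above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Query-string markers this page says Bot Defense adds to its script tags.
EXPECTED = ("matcher", "cache", "async")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def check_injection(html):
    """Return {marker: [script URLs carrying it]} for the three markers."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    found = {marker: [] for marker in EXPECTED}
    for src in collector.sources:
        # Assumption: the marker is the first query key ("?matcher", "?cache=1").
        first_key = urlsplit(src).query.split("&", 1)[0].split("=", 1)[0]
        if first_key in found:
            found[first_key].append(src)
    return found

def missing_markers(html):
    """Markers with no matching script tag; an empty list means all three exist."""
    return [m for m, urls in check_injection(html).items() if not urls]

# Constructed sample pages (not taken from a real deployment).
GOOD_PAGE = """<html><head>
<script src="/yourscript.js?matcher"></script>
<script src="/yourscript.js?cache"></script>
<script src="/yourscript.js?async" async></script>
</head><body>login form</body></html>"""

PARTIAL_PAGE = """<html><head>
<script src="/yourscript.js?matcher"></script>
<script src="/static/app.js?v=3&amp;cache=no"></script>
</head></html>"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("partial", PARTIAL_PAGE)):
        print(name, "missing:", missing_markers(page) or "none")
```

The second sample shows why the match is on the first query key: an unrelated script that happens to carry a cache parameter is not counted as a Bot Defense tag.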
Verify Mobile SDK Integration
If you integrated the F5 Distributed Cloud Mobile SDK with your mobile application, perform the following tasks to verify that you integrated it correctly:
- Review the Mobile SDK integration documentation that you received from F5 and confirm that you followed all integration steps.
- Mobile SDK Initialization
  - Deploy the application on a device for the first time (if the device already has the application, remove it before this test).
  - Start the application.
  - On the Bot Defense Dashboard or the Traffic Analyzer, filter by your client IP address and look for a GET request configuration fetch from your application. If you do not find the GET request, recheck your configuration. For additional assistance, contact the F5 Operations team.
- Decorated Request
  - Make a request for every protected URL.
  - On the Bot Defense Dashboard, filter by your client IP address. All protected requests should be marked as “Human.”
- Mitigation
  - Temporarily alter the application code so that it does not call getRequestHeaders.
  - Launch the application and make protected requests.
  - On the Bot Defense Dashboard, filter by your client IP address. All protected requests should be marked as “Automation.” A GET request configuration fetch should appear immediately after each blocked mitigated request.
  - Update your code to call getRequestHeaders again.
Successfully complete all test cases to confirm that your integration is working correctly.
Note: F5 recommends that you incorporate these Mobile SDK test cases into your standard regression testing.
Before you release a new application into your production environment, F5 recommends that you set the mitigation action for the application to Continue and then review your traffic for false positive results.
Analyze Bot Defense Results
After you enable Bot Defense Advanced in your production environment, but before you enable mitigation actions for your web and mobile applications, you must confirm that Bot Defense is working as expected and that no legitimate traffic is marked as automation. F5 recommends that you also explore your traffic reports and examine any unexpected results. Resolve all issues before you enable the Block or Redirect mitigation actions.
Analyze Protected Website Traffic
Perform the following tests to help confirm that Bot Defense identifies web traffic correctly.
- Review the Bot Defense dashboard to see the types of traffic identified by Bot Defense. From the Bot Defense Home page, click Overview > Monitor.
  - In the Protected Apps Overview widget, check that your protected application is listed and that the amount of traffic is appropriate.
  - In the Traffic Overview widget, check that the level of human, benign bot, bad bot and other activity is appropriate.
  Figure: Bot Defense dashboard
  From the time-period drop-down menu, select Last 24 hours. In the Traffic Visualized section, check whether traffic marked as malicious increases during the day and decreases at night. If so, this might indicate human traffic.
  Figure: Time frame controls
- From the Bot Defense Home page, click Report > Traffic Analyzer.
- Look at the distribution of IP addresses and the countries of origin. Confirm that this distribution looks like it comes from your normal user base.
- Look at the User Agent column and decide if there are any suspicious user agents present. You can also use this technique to identify wanted automation (benign bots), such as test tools or SEO bots.
- Click Add Filter. From the drop-down menu, select Bot Reason, select In, select Token Missing and click Apply. Review the traffic and determine if it looks legitimate.
  If a normal user request appears in the "token missing" results, it could mean that one of the following occurred:
  - The Bot Defense JavaScript did not run.
  - Another JavaScript on the page interfered with the Bot Defense JavaScript.
  - The request was made before the Bot Defense JavaScript loaded.
  Figure: Traffic Analyzer report
  If you see legitimate traffic flagged as automation, determine if you can add it to an Allow list.
Analyze Protected Mobile Traffic
Perform the following tests to help confirm that Bot Defense is identifying mobile traffic correctly.
- Confirm that the number of protected requests with no telemetry headers is low or non-existent and that requests with headers are marked as Human.
- Confirm that configuration update requests are made at an expected rate. Each configuration fetch corresponds to approximately one user session.
Review your traffic reports and examine any unexpected results. Resolve all issues before you enable mitigation actions.
Analyze Protected Requests
Perform a false positive analysis to determine if Bot Defense marks any legitimate traffic to your mobile application as non-human.
- In the Bot Defense Traffic Analyzer report, add the User Agent filter.
- Select In and then select your application version.
- Then click Apply.
Important: Make sure the Bot Reason and Traffic Type columns are displayed.
In the list of filter results, is any traffic marked as non-human? For example, is traffic identified as Benign Bot or Bad Bot? If yes:
- If the Bot Reason column displays Token Missing, look at the IP distribution and decide if the traffic looks like user traffic or automation. Is the traffic limited to a particular platform (iOS or Android)?
- If the Bot Reason column displays something other than Token Missing, but the traffic looks human, this is unexpected behavior. Investigate or contact support@cloud.f5.com for assistance.
- If the IP Address distribution looks organic and is not concentrated on only a few specific IP addresses, this might indicate that there is a problem with your Mobile SDK integration.
- In the Path column, carefully examine the URLs that are being marked as illegitimate. If traffic from the URLs that are marked as malicious increases during the day and decreases at night, this might indicate human traffic. Additionally, if the traffic is from a wide range of IP addresses, it can also indicate human traffic.
If the flagged traffic is an expected automation, for example, for a monitoring service, determine if you can add the IP addresses to an Allow list.
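The checks in this section can be applied to a set of flagged rows in code. This is an added example, not F5 code and not a Traffic Analyzer export format: the field names (ip, path, hour, bot_reason, traffic_type), the sample rows and both cut-off values are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Illustrative cut-offs (assumptions, not F5 guidance); tune to your own traffic.
MAX_TOP_IP_SHARE = 0.25   # above this, traffic is concentrated on one address
MIN_DAY_SHARE = 0.70      # share of requests between 08:00 and 20:00 local time

def triage(rows):
    """Group non-human rows by (path, bot_reason) and apply this section's checks."""
    groups = defaultdict(list)
    for row in rows:
        if row["traffic_type"] != "Human":
            groups[(row["path"], row["bot_reason"])].append(row)
    findings = {}
    for key, items in groups.items():
        ips = Counter(r["ip"] for r in items)
        top_share = ips.most_common(1)[0][1] / len(items)
        day_share = sum(8 <= r["hour"] < 20 for r in items) / len(items)
        organic = top_share <= MAX_TOP_IP_SHARE   # wide range of addresses
        diurnal = day_share >= MIN_DAY_SHARE      # up by day, down at night
        if not organic:
            verdict = "concentrated: likely automation, Allow list if expected"
        elif key[1] == "Token Missing":
            verdict = "organic + Token Missing: check Mobile SDK integration"
        elif diurnal:
            verdict = "looks human, other reason: investigate or contact support"
        else:
            verdict = "organic, no day/night pattern: review manually"
        findings[key] = {"requests": len(items), "unique_ips": len(ips),
                         "top_ip_share": round(top_share, 2),
                         "day_share": round(day_share, 2), "verdict": verdict}
    return findings

def sample_rows():
    """Constructed rows: /login from many addresses by day, /search from one."""
    rows = []
    for i in range(10):
        rows.append({"ip": f"198.51.100.{i}", "path": "/login", "hour": 9 + i,
                     "bot_reason": "Token Missing", "traffic_type": "Bad Bot"})
    for h in range(0, 24, 2):
        rows.append({"ip": "203.0.113.7", "path": "/search", "hour": h,
                     "bot_reason": "Token Missing", "traffic_type": "Bad Bot"})
    rows.append({"ip": "198.51.100.50", "path": "/login", "hour": 10,
                 "bot_reason": "", "traffic_type": "Human"})
    return rows

if __name__ == "__main__":
    for key, info in triage(sample_rows()).items():
        print(key, info)
```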
Review Configuration Update Request Frequency
Mobile applications that are integrated with the F5 Distributed Cloud Mobile SDK fetch new configuration settings from Bot Defense at specific times during the application lifecycle, including:
- At application launch
- At mitigation
- After four hours (if the application is in the foreground).
Typically, there is approximately one configuration fetch during each active user session. Since some users launch an app but do not proceed further, and others have two sessions within the same four-hour period, it is normal to see an average of 0.5-2 sessions per configuration fetch.
How you view configuration fetches depends on how you host the application pages you want to protect.
Next steps
After you confirm that Bot Defense is functioning as expected, that legitimate traffic is not being marked as automation, and that your mobile applications are communicating properly with Bot Defense, you can work with the F5 Operations team to update your Bot Endpoint Policy and enable mitigation actions. For information, see Configure the Bot Endpoint Policy.