Manual Chapter: Configuring Bot Defense in Enterprise Service Level
Applies To:
BIG-IP Distributed Cloud Services
- 17.0.0
Configuring Bot Defense in Enterprise service level for web
Before configuring Bot Defense you need to configure a Proxy Pool or Shape Protection pool, or select an existing pool during configuration. For more information, refer to BIG-IP Local Traffic Management: Basics - Introduction to pools.
Use this task to configure the Bot Defense in Enterprise service level for protecting web pages.
The screen elements described here are for basic configuration. Refer to the help text available in the configuration utility for details about all the fields.
- On the Main tab, click. The BD Profiles screen displays the list of Bot Defense profiles on the system.
- In the General Properties section, enter the following details:
  - In the Name field, enter a unique name for the Bot Defense profile.
  - In the Parent Profile field, select the Bot Defense parent profile from which this profile will inherit settings.
  - For the Service Level field, select Enterprise.
  - For the Applications in Scope field, check Web.
- In the API Request Settings section, in the Import API Settings field, check Upload File and click the Choose File button to import a JSON file with predefined values, or check Paste Text to enter the JSON file content. The contents of the file must be in a valid JSON format.
- In the JS Injection Configuration section, the BIG-IP Handles JS Injections field is checked by default. If you uncheck the field, follow the Note given in the Web UI.
- In the Shape Endpoints Configuration section, enter the following details. The GET (Document) field is checked only when the Bot Defense is required for web scraping.
  - In the Mitigation Handler field, select BIG-IP if you want to handle the mitigation actions, or select Shape Policy to let the system handle the mitigation of malicious HTTP requests.
  - In the Shape Protected URIs field, enter the following details and click the Add button:
    - In the Host field, enter the hostname or IP address of the web page to be protected by the Bot Defense.
    - In the Endpoint field, enter the path to the web page.
    - Check the ANY Method field to protect the path when it has any method. You must check (enable) at least one of the methods or the ANY Method field; otherwise, the HTTP requests will not be routed.
    - Check the GET (XHR/Fetch) field to protect the path when it has a GET method.
    - Check the POST field to protect the path when it has a POST method.
    - Check the PUT field to protect the path when it has a PUT method.
    - In the Mitigation Action field, choose the mitigation action you want the BIG-IP to take if a malicious HTTP request is detected on the endpoint. The Mitigation Action field is available only when BIG-IP is selected in the Mitigation Handler field.

    Click the Add button to add the URI. You can add multiple URIs; use the Edit and Delete buttons to update or delete a URI from the list.
- In the Advanced Features section, select Advanced and enter the following details:
  - Check the Use Proxy field if you want the data to be routed through a proxy server; otherwise, uncheck this field to send data directly from the BIG-IP to the Bot Defense backend server.
  - In the Proxy Pool field, select an existing pool or click the + button to add a new pool. The Proxy Pool field is displayed when the Use Proxy field is checked.
  - In the Proxy Shape Endpoint URL field, enter the web URL that is used to redirect HTTP requests to the Bot Defense backend server. The Proxy Shape Endpoint URL field is displayed when the Use Proxy field is checked.
  - In the Shape Protection Pool field, select an existing pool or click the + button to add a new pool. The Shape Protection Pool field is displayed when the Use Proxy field is unchecked.
  - In the SSL Profile field, select the server-side SSL profile.
  - In the Allow IP addresses field, enter the IP addresses that do not need to be checked by the Bot Defense.
  - In the Allow Headers field, enter the name and value for a header in an HTTP request that does not need to be checked by the Bot Defense.
- Click the Finished button. The Bot Defense profile is created.

Assign the Bot Defense profile to a Virtual Server; refer to Assigning a Bot Defense profile to Virtual Server.
Configuring Bot Defense in Enterprise service level for web scraping
Before configuring the Bot Defense for web scraping (interstitial), configure the Bot Defense profile in Enterprise service level for web and update the Shape Protected URIs field; refer to Configuring Bot Defense in Enterprise service level for web.
Use this task to configure the Bot Defense in Enterprise service level for protecting traffic from web scraping.
- On the Main tab, click. The BD Profiles screen displays the list of Bot Defense profiles on the system.
- Click the Bot Defense profile for which web scraping is configured.
- In the Shape Endpoints Configuration section, enter the following details:
  - In the Mitigation Handler field, select BIG-IP if you want to handle the mitigation actions, or select Shape Policy to let the system handle the mitigation of malicious HTTP requests.
  - In the Shape Protected URIs field, enter the following details and click the Add button:
    - In the Endpoint field, enter the path to the web page.
    - Check the GET (Document) field to protect the path from web scraping. When you check (enable) the GET (Document) field, no other method can be enabled.
    - In the Mitigation Action field, choose the mitigation action you want the BIG-IP to take if a malicious HTTP request is detected on the endpoint. The Mitigation Action field is available only when BIG-IP is selected in the Mitigation Handler field.

    Click the Add button to add the URI. You can add multiple URIs; use the Edit and Delete buttons to update or delete a URI from the list.
- Click the Update button.
Configuring Bot Defense in Enterprise service level for mobile
Before configuring Bot Defense you need to configure a Proxy Pool or Shape Protection pool, or select an existing pool during configuration. For more information, refer to BIG-IP Local Traffic Management: Basics - Introduction to pools.
Use this task to configure the Bot Defense in Enterprise service level for mobile applications. If you want to configure Bot Defense for both mobile and web in the same profile, check Web and Mobile in the Applications in Scope field and configure the respective screen elements. Use the Configuring Bot Defense in Enterprise service level for web task for reference.
The screen elements described here are for basic configuration. Refer to the help text available in the configuration utility for details about all the fields.
- On the Main tab, click. The BD Profiles screen displays the list of Bot Defense profiles on the system.
- Click the Create button. The New BD Profile screen opens.
- In the General Properties section, enter the following details:
  - In the Name field, enter a unique name for the Bot Defense profile.
  - In the Parent Profile field, select the Bot Defense parent profile from which this profile will inherit settings.
  - For the Service Level field, select Enterprise.
  - For the Applications in Scope field, check Mobile. Web is checked by default; you can uncheck Web if the Bot Defense profile is used only to protect a mobile application, or leave Web checked if the profile is used to protect both a web page and a mobile application.
- In the API Request Settings section, in the Import API Settings field, check Upload File and click the Choose File button to import a JSON file with predefined values, or check Paste Text to enter the JSON file content. The contents of the file must be in a valid JSON format.
- In the Mobile Protected Endpoints Configuration section, enter the following details:
  - In the Mitigation Handler field, select BIG-IP if you want to handle the mitigation actions, or select Shape Policy to let the system handle the mitigation of malicious HTTP requests for the mobile application.
  - In the Mobile Protected URIs field, enter the following details and click the Add button:
    - In the Host field, enter the hostname or IP address of the mobile application to be protected by the Bot Defense.
    - In the Endpoint field, enter the path to the mobile application.
    - Check the ANY Method field to protect the path when it has any method. You must check (enable) at least one of the methods or the ANY Method field; otherwise, the HTTP requests will not be routed.
    - Check the GET field to protect the path when it has a GET method.
    - Check the POST field to protect the path when it has a POST method.
    - Check the PUT field to protect the path when it has a PUT method.
    - Use the Check Mobile Identifier field if the URL is the same for web and mobile: select Header to request the information, or select Skip to ignore.
    - In the Mitigation Action field, choose the mitigation action you want the BIG-IP to take if a malicious HTTP request is detected on the endpoint. The Mitigation Action field is available only if the Mitigation Handler field is set to BIG-IP.

    Click the Add button to add the URI. You can add multiple URIs; use the Edit and Delete buttons to update or delete a URI from the list.
  - In the SDK Reload Header name field, enter the reload header prefix.
  - In the SDK Config Fetch URL - Android field, enter the URL to fetch SDK configuration for Android.
  - In the SDK Config Fetch URL - iOS field, enter the URL to fetch SDK configuration for iOS.
- In the Advanced Features section, select Advanced and enter the following details:
  - Check the Use Proxy field if you want the data to be routed through a proxy server; otherwise, uncheck this field to send data directly from the BIG-IP to the Bot Defense backend server.
  - In the Proxy Pool field, select an existing pool or click the + button to add a new pool. The Proxy Pool field is displayed when the Use Proxy field is checked.
  - In the Proxy Shape Endpoint URL - Mobile field, enter the application URL that is used to redirect HTTP requests to the Bot Defense backend server. The Proxy Shape Endpoint URL - Mobile field is displayed when the Use Proxy field is checked.
  - In the Shape Protection Pool - Mobile field, select an existing pool or click the + button to add a new pool. The Shape Protection Pool - Mobile field is displayed when the Use Proxy field is unchecked.
  - In the SSL Profile field, select the server-side SSL profile.
  - In the Allow IP addresses field, enter the IP addresses that do not need to be checked by the Bot Defense.
  - In the Allow Headers field, enter the name and value for a header in an HTTP request that does not need to be checked by the Bot Defense.

Assign the Bot Defense profile to a Virtual Server; refer to Assigning a Bot Defense profile to Virtual Server.
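
The field rules stated in the web, web scraping and mobile tasks above can be checked against a planned profile before it is entered in the configuration utility. The following is an added example, not F5 code or a BIG-IP file format: the dict layout, key names, hostnames, paths and action names are assumptions made for this sketch.

```python
# Added example: review a planned Bot Defense profile before entering it in the UI.
# The dict layout and key names are assumptions of this sketch, not a BIG-IP format.
WEB_METHODS = {"ANY Method", "GET (XHR/Fetch)", "POST", "PUT", "GET (Document)"}
MOBILE_METHODS = {"ANY Method", "GET", "POST", "PUT"}

def review_profile(profile):
    """Return findings for the field rules stated in the procedures above."""
    findings = []
    adv = profile.get("advanced", {})
    if adv.get("use_proxy") and not adv.get("proxy_pool"):
        findings.append("advanced: Use Proxy is checked but no Proxy Pool is selected")
    if not adv.get("use_proxy") and not adv.get("protection_pool"):
        findings.append("advanced: Use Proxy is unchecked but no Shape Protection Pool is selected")
    for scope, allowed in (("web", WEB_METHODS), ("mobile", MOBILE_METHODS)):
        section = profile.get(scope)
        if section is None:
            continue  # scope not checked in Applications in Scope
        for uri in section["protected_uris"]:
            where = f"{scope} {uri.get('host', '')}{uri['endpoint']}"
            methods = set(uri.get("methods", []))
            if not methods:
                findings.append(f"{where}: no method checked, requests will not be routed")
            for m in sorted(methods - allowed):
                findings.append(f"{where}: {m!r} is not a method field for {scope}")
            if "GET (Document)" in methods and len(methods) > 1:
                findings.append(f"{where}: GET (Document) cannot be combined with other methods")
            if uri.get("mitigation_action") and section["mitigation_handler"] != "BIG-IP":
                findings.append(f"{where}: Mitigation Action is set but the handler is not BIG-IP")
    return findings

# Constructed sample plan (hostnames, paths and action names are made up).
SAMPLE = {
    "advanced": {"use_proxy": True, "proxy_pool": ""},
    "web": {"mitigation_handler": "Shape Policy", "protected_uris": [
        {"host": "shop.example.com", "endpoint": "/login", "methods": ["POST"],
         "mitigation_action": "example-action"},
        {"host": "shop.example.com", "endpoint": "/catalog",
         "methods": ["GET (Document)", "POST"]},
        {"host": "shop.example.com", "endpoint": "/cart", "methods": []},
    ]},
    "mobile": {"mitigation_handler": "BIG-IP", "protected_uris": [
        {"host": "api.example.com", "endpoint": "/v1/token",
         "methods": ["GET (XHR/Fetch)"], "mitigation_action": "example-action"},
    ]},
}

if __name__ == "__main__":
    for line in review_profile(SAMPLE):
        print(line)
```

An endpoint reported with no method checked is the case to fix first, since the task states that such requests will not be routed.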