Triggered immediately prior to taking an action on a transaction. The event may be used to override the default behavior, and/or to log the action taken.
This event is always triggered when Proactive Bot Defense is enabled on the DOS profile, unless the request is mitigated by dosl7 attack. The event will also be triggered if Proactive Bot Defense is disabled, but a Bot Signature was detected on the request, whether for blocking or for reporting.
Most of the command that are available on the HTTP_REQUEST event are also available on the BOTDEFENSE_ACTION event.
Note that commands which may suspend iRule processing are currently not supported in this event and should not be used. Partial list of these commands: after, persist, session, table, and RESOLV::lookup.


Deprecated in BIG-IP Next v20.0.1


Example 1: Send parsed Bot Defense data and action to High Speed Logging

     set log "BOTDEFENSE:"
     append log " uri [HTTP::uri]"
     append log " cs_possible [BOTDEFENSE::cs_possible]"
     append log " cs_allowed [BOTDEFENSE::cs_allowed]"
     append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
     append log " cookie_status [BOTDEFENSE::cookie_status]"
     append log " cookie_age [BOTDEFENSE::cookie_age]"
     append log " device_id [BOTDEFENSE::device_id]"
     append log " support_id [BOTDEFENSE::support_id]"
     append log " previous_action [BOTDEFENSE::previous_action]"
     append log " previous_support_id [BOTDEFENSE::previous_support_id]"
     append log " previous_request_age [BOTDEFENSE::previous_request_age]"
     append log " bot_signature [BOTDEFENSE::bot_signature]"
     append log " bot_signature_category [BOTDEFENSE::bot_signature_category]"
     append log " captcha_status [BOTDEFENSE::captcha_status]"
     append log " captcha_age [BOTDEFENSE::captcha_age]"
     append log " default action [BOTDEFENSE::action]"
     append log " reason \"[BOTDEFENSE::reason]\""
     log local0. $log
     HSL::send $hsl $log

Example 2: Bypassing enforcement on URL pattern
     if {[HTTP::uri] starts_with "/t/"} {
         log local0. "bypassing enforcement for URI [HTTP::uri]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""

Change Log

  • Introduced: BIGIP-12.1
  • Deprecated: BIGIP-20.0.1

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.