security bot-defense profileΒΆ

security bot-defense profile(1BIG-IP TMSH Manuasecurity bot-defense profile(1)



NAME
       profile - Configures a Bot Defense profile.

MODULE
       security bot defense

SYNTAX
       Configure the profile component within the security bot defense module
       using the syntax shown in the following sections.

   CREATE/MODIFY
	create profile [name]
	modify profile [name]
	  options:
	    api-access-strict-mitigation [enabled | disabled]
	    anomaly-category-overrides [none | add | delete | modify | replace-all-with] {
	      [anomaly-category-name] ... {
		options:
		  action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
		  app-service [[string] | none]
	      }
	    }
	    anomaly-overrides [none | add | delete | modify | replace-all-with] {
	      [anomaly-name]   {
		options:
		  action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
	      }
	    }
	    app-service [[string] | none]
	    blocking-page {
	      body [string]
	      headers [string]
	      status-code [integer]
	      type [custom | default]
	    }
	    captcha-response {
	      failure {
		 body [string]
		 type [custom | default]
	      }
	      first {
		 body [string]
		 type [custom | default]
	      }
	    class-overrides [none | add | delete | modify | replace-all-with] {
	      [class-name]   {
		options:
		  mitigation {
		    action [alarm | block | captcha | none | rate-limit | tcp-reset | redirect-to-pool | honeypot-page]
		    rate-limit-tps [integer]
		  }
		  verification {
		    action [browser-challenge-free-verification | browser-verify-after-access-detection | mobile-verify-integrity browser-verify-after-access-blocking | browser-verify-before-access | none]
		 }
	     }
	   }
	   cross-domain-requests [allow-all | validate-bulk | validate-upon-request]
	   defaults-from [profile-name]
	   description [[string] | none]
	   deviceid-mode [generate-after-access | generate-before-access | none]
	   dos-attack-strict-mitigation [enabled | disabled]
	   enforcement-mode [blocking | transparent]
	   enforcement-readiness-period [integer]
	   external-domains [none | add | delete | modify | replace-all-with] { [string] ... }
	   grace-period [integer]
	   micro-services [none | add | delete | modify | replace-all-with] {
	    action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
	    class-overrides [none | add | delete | modify | replace-all-with] {
	      [class-name]   {
		options:
		  mitigation {
		    action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
		  }
		  verification {
		    action [browser-captcha | browser-challenge-free-verification | browser-verify-after-access-detection | mobile-verify-integrity browser-verify-after-access-blocking | browser-verify-before-access | none]
		 }
	       }
	     }
	     description [[string] | none]
	     detection-threshold [integer]
	     detection-time [integer]
	     enforcement-mode [blocking | profile-default | transparent]
	     hostname [string]
	     match-order [integer]
	     mitigation-time [integer]
	     type [micro-service-type]
	     urls [none | add | delete | modify | replace-all-with] {
	       match-order [integer]
	       url [string]
	     }
	   }
	   mobile-detection {
	     allow-android-rooted-device [enabled | disabled]
	     allow-any-android-package [enabled | disabled]
	     allow-any-ios-package [enabled | disabled]
	     allow-emulators [enabled | disabled]
	     allow-jailbroken-devices [enabled | disabled]
	     android-publishers [none | add | delete | modify | replace-all-with] { [string] ... }
	     block-debugger-enabled-device [enabled | disabled]
	     client-side-challenge-mode [cshui | pass]
	     ios-allowed-packages [none | add | delete | modify | replace-all-with] { [string] ... }
	     signatures [none | add | delete | modify | replace-all-with] { [signature-name] ... }
	   }
	   perform-challenge-in-transparent [enabled | disabled]
	   signature-category-overrides [none | add | delete | modify | replace-all-with] {
	     [signature-category] ... {
	       options:
		 action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
	     }
	   }
	   signature-overrides [none | add | delete | modify | replace-all-with] {
	     [signature-name] ... {
	       options:
		 action [alarm | block | captcha | none | rate-limit | tcp-reset | redirect-to-pool | honeypot-page]
		 rate-limit-tps [integer]
	     }
	   }
	   signature-staging-upon-update [enabled | disabled]
	   single-page-application [enabled | disabled]
	   site-domains [none | add | delete | modify | replace-all-with] { [string] ... }
	   staged-signatures [none | add | delete | modify | replace-all-with] { [signature-name] ... }
	   template [balanced | relaxed | strict]
	   whitelist [none | add | delete | modify | replace-all-with] {
	     disable-mitigation [no | yes]
	     disable-verification [no | yes]
	     geolocation [country-name]
	     match-order [integer]
	     source-address [ip-address]
	     url [string]
	   }

	edit profile [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list profile
	list profile [ [ [name] | [glob] | [regex] ] ... ]
	show running-config profile
	show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition
	    recursive
	show profile [ [ [name] | [glob] | [regex] ] ... ]

   DELETE
	delete profile [name]

DESCRIPTION
       You can use the profile component to create, modify, display, or delete
       a Bot Defense profile for use with Bot Defense Protection
       functionality.

EXAMPLES
       create profile my_bot_profile

       Creates a custom Bot Defense profile named my_bot_profile with initial
       settings.

       list profile

       Displays the properties of all Bot Defense profiles.

OPTIONS
       api-access-strict-mitigation
	    Determines, when enabled, whether to apply the strict mitigation
	    settings on API access requests.

       anomaly-category-overrides
	    List or define anomaly categories that have mitigation settings
	    overriding the defaults determined by the template.

	    action
		 The overriding mitigation action for the anomaly category.
		 The options are:

		 alarm
		      Mark the request log entry with the alarm flag. Request
		      passes through.

		 block
		      Block the request and send the blocking page in
		      response.

		 captcha
		      Send a CAPTCHA challenge in response. If the user solves
		      the challenge successfully the requests from this user
		      are passed to the server for a limited period of time.

		 none The category will not be detected. This may affect the
		      classification of the client and hence the action based
		      on that classification.

		 tcp-reset
		      Discard the request by resetting the TCP connection it
		      was sent on.

		 redirect-to-pool
		      Send the request to the configured pool.

		 honeypot-page
		      Block the request and send the Honeypot response page in
		      response.

       anomaly-overrides
	    List or define anomalies that have mitigation settings overriding
	    the defaults determined by the template.

	    action
		 The overriding mitigation action for the anomaly.  The
		 options are:

		 alarm
		      Mark the request log entry with the alarm flag. Request
		      passes through.

		 block
		      Block the request and send the blocking page in
		      response.

		 captcha
		      Send a CAPTCHA challenge in response. If the user solves
		      the challenge successfully the requests from this user
		      are passed to the server for a limited period of time.

		 none The anomaly will not be detected. This may affect the
		      classification of the client and hence the action based
		      on that classification.

		 tcp-reset
		      Discard the request by resetting the TCP connection it
		      was sent on.

		 redirect-to-pool
		      Send the request to the configured pool.

		 honeypot-page
		      Block the request and send the Honeypot response page in
		      response.

       app-service
	    Specifies the name of the application service to which the profile
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the profile. Only the application
	    service can modify or delete the profile.

       blocking-page
	    body Configures the body of the blocking page response.

	    headers
		 Configures the HTTP headers of the blocking page response.

	    status-code
		 Configures the HTTP status code of the blocking page
		 response.

	    type Configures a type of the blocking page response.

       captcha-response
	    Specifies properties of the CAPTCHA response in Application
	    Security. You can configure the following options for CAPTCHA
	    Response Settings:

	    failure
		 Specifies properties of a failed CAPTCHA response. You can
		 configure the following options for a failed CAPTCHA
		 response:

		 body Configures a failed CAPTCHA response body.

		 type Configures a type of a failed CAPTCHA response body. You
		      can configure the following options for a failed CAPTCHA
		      response type:

		      custom
			   Configures a custom failed CAPTCHA response type.

		      default
			   Configures a default failed CAPTCHA response type.

	    first
		 Specifies properties of the first CAPTCHA response. You can
		 configure the following options for the first CAPTCHA
		 response:

		 body Configures the first CAPTCHA response body.

		 type Configures a type of the first CAPTCHA response body.
		      You can configure the following options for the first
		      CAPTCHA response type:

		      custom
			   Configures a custom first CAPTCHA response type.

		      default
			   Configures a default first CAPTCHA response type.

       class-overrides
	    List or define classes that have settings overriding the defaults
	    determined by the template.

	    mitigation
		 These set which type of mitigation to take for each type of
		 bot.

		 action
		      The overriding mitigation action for the class.  The
		      options are:

		      alarm
			   Mark the request log entry with the alarm flag.
			   Request passes through.

		      block
			   Block the request and send the blocking page in
			   response.

		      captcha
			   Send a CAPTCHA challenge in response. If the user
			   solves the challenge successfully the requests from
			   this user are passed to the server for a limited
			   period of time.

		      none The class will not be detected. This may affect the
			   classification of the client and hence the action
			   based on that classification.

		      rate-limit
			   Traffic from this source will be limited to a given
			   transaction rate. Relevant only to classes and
			   signature categories.

		      tcp-reset
			   Discard the request by resetting the TCP connection
			   it was sent on.

		      redirect-to-pool
			   Send the request to the configured pool.

		      honeypot-page
			   Block the request and send the Honeypot response
			   page in response.

		 rate-limit-tps
		      The TPS limit for the signature Relevant only if the
		      action is rate limit.

	    verification
		 action
		      The overridden verification action for the class.
		      Relevant only to Browser and Mobile Application classes.
		      The options are:

		      browser-challenge-free-verification
			   Verify the browser authenticity by examining the
			   request header without sending any JavaScript
			   challenge to the client.

		      browser-verify-after-access-detection
			   Verify the browser authenticity by examining the
			   request header and by a JavaScript challenge
			   injected to the server response after letting the
			   request to the server.  The request is not
			   mitigated even if the JavaScript challenge failed,
			   rather, it is only reported, classifying the client
			   as a Bot.

		      browser-verify-after-access-blocking
			   Verify the browser authenticity by examining the
			   request header and by a JavaScript challenge
			   injected to the server response after letting the
			   request to the server.  Upon challenge failure, the
			   request is mitigated according to the respective
			   mitigation settings.

		      browser-verify-before-access
			   Verify the browser authenticity by examining the
			   request header and by responding with a JavaScript
			   challenge before letting the request to the server.
			   Request is sent to the server only upon successful
			   completion of the challenge.

		      mobile-verify-integrity
			   Enable verification of mobile applications with
			   Anti-Bot mobile SDK.

		      none No verification action taken. This may affect the
			   classification of the client and hence the action
			   based on that classification.

       cross-domain-requests
	    Specifies a cross-domain requests handling mode. The options are:

	    allow-all
		 Allows all cross-domain requests. This is the default value.

	    validate-bulk
		 System validates domains in bulk: the cookies for the related
		 domains are created together with the cookie for the current
		 domain, by generating challenges in iframes - one per each
		 domain.

	    validate-upon-request
		 System validates domains upon request: the cookie for the
		 related domain is generated when a request arrives to an
		 unqualified URL without a cookie.

       defaults-from
	    Specifies the profile that you want to use as the parent profile.

       description
	    User textual description of the profile.

       deviceid-mode
	    Specifies how the Device ID will be collected.

	    The options are:

	    generate-after-access
		 Device ID is collected by injecting a JavaScript in the
		 response.  This is less intrusive and has less of a latency
		 impact. Use when sensitive to response time or time-to-first-
		 byte.	Note that some requests at the beginning of the
		 session will have no Device ID until the handshake is
		 complete and the Device ID is generated.

	    generate-before-access
		 Device ID is collected by generating a JavaScript challenge
		 before forwarding the HTTP request to the application.  This
		 guarantees that every request that reaches the application
		 has a Device ID.  This has more of a latency impact that
		 Generate After Access.  Bots that present as browsers and are
		 unable to execute JavaScript will be blocked.

	    none Device ID will not be collected.

       dos-attack-strict-mitigation
	    Determines, when enabled, whether to apply strict mitigation
	    settings during DoS attacks.

       enforcement-mode
	    Specifies whether to execute the mitigation actions or just report
	    the detection results.

	    blocking
		 The system will replace responses with client side JavaScript
		 and if the client cannot run JavaScript, it will not be able
		 to receive the server responses.

	    transparent
		 The system logs all mitigation and verification actions but
		 no action is taken on the traffic.

       enforcement-readiness-period
	    How many days, since the bot defense profile was last changed,
	    that the profile remains in staging mode before the system
	    suggests you enforce. The system does not enforce profile entities
	    and attack signatures in staging. Staging allows you to test the
	    bot defense profile entities and the attack signatures for false
	    positives without enforcing them. The default is 604800 seconds (7
	    days).

       external-domains
	    List of external domain names that may refer to resources on the
	    application. Used for handling cross-domain requests.

       grace-period
	    The period in seconds during which requests for resources are not
	    required to have browser verification cookies.

       micro-services
	    List of microservices for which there exists specialized detection
	    and mitigation behavior.

	    action
		 The mitigation action for the anomaly of the microservice.
		 The options are:

		 alarm
		      Mark the request log entry with the alarm flag. Request
		      passes through.

		 block
		      Block the request and send the blocking page in
		      response.

		 captcha
		      Send a CAPTCHA challenge in response. If the user solves
		      the challenge successfully the requests from this user
		      are passed to the server for a limited period of time.

		 none Microservice anomaly will not be detected. This may
		      affect the classification of the client and its
		      mitigation action.

		 tcp-reset
		      Discard the request by resetting the TCP connection it
		      was sent on.

		 redirect-to-pool
		      Send the request to the configured pool.

		 honeypot-page
		      Block the request and send the Honeypot response page in
		      response.

	    class-overrides
		 The list of classes for which the settings override the ones
		 determined by the microservice type.

		 mitigation
		      These set which type of mitigation to take for each type
		      of bot.

		      action
			   The name of the overriding mitigation action for
			   the class in the scope of the microservice. The
			   options are:

			   alarm
				Mark the request log entry with the alarm
				flag. Request passes through.

			   block
				Block the request and send the blocking page
				in response.

			   captcha
				Send a CAPTCHA challenge in response. If the
				user solves the challenge successfully the
				requests from this user are passed to the
				server for a limited period of time.

			   none The class will not be detected. This may
				affect the classification of the client and
				hence the action based on that classification.

			   rate-limit
				Traffic from this source will be limited to a
				given transaction rate. Relevant only to
				classes and signature categories.

			   tcp-reset
				Discard the request by resetting the TCP
				connection it was sent on.

			   redirect-to-pool
				Send the request to the configured pool.

			   honeypot-page
				Block the request and send the Honeypot
				response page in response.

		 verification
		      action
			   The name of the overriding verification action for
			   the class in the scope of the microservice.
			   Relevant only to Browser class. The options are:

			   browser-captcha
				Send a CAPTCHA challenge response on each
				request with Browser User-Agent. The request
				is passed to the server only if the CAPTCHA
				was successfully solved.

			   browser-challenge-free-verification
				Verify the browser authenticity by examining
				the request header without sending any
				JavaScript challenge to the client.

			   browser-verify-after-access-detection
				Verify the browser authenticity by examining
				the request header and by a JavaScript
				challenge injected to the server response
				after letting the request to the server.  The
				request is not mitigated even if the
				JavaScript challenge failed, rather, it is
				only reported, classifying the client as a
				Bot.

			   browser-verify-after-access-blocking
				Verify the browser authenticity by examining
				the request header and by a JavaScript
				challenge injected to the server response
				after letting the request to the server.  Upon
				challenge failure, the request is mitigated
				according to the respective mitigation
				settings.

			   browser-verify-before-access
				Verify the browser authenticity by examining
				the request header and by responding with a
				JavaScript challenge before letting the
				request to the server.	Request is sent to the
				server only upon successful completion of the
				challenge.

			   none No verification action taken. This may affect
				the classification of the client and hence the
				action based on that classification.

	    description
		 User textual description of the microservice.

	    detection-threshold
		 The number of times the microservice was accessed by a client
		 after which the microservice anomaly is declared.

	    detection-time
		 The period in seconds during which the microservice anomaly
		 threshold is tested.

	    enforcement-mode
		 Determines the enforcement mode for the microservice, or use
		 the default one from the profile settings.

		 blocking
		      The system will replace responses with client side
		      JavaScript and if the client cannot run JavaScript, it
		      will not be able to receive the server responses.

		 profile-default
		      The enforcement mode (transparent or blocking) for the
		      microservice is determined by the profile setting.

		 transparent
		      The system logs all mitigation and verification actions
		      but no action is taken on the traffic.

	    hostname
		 The host domain name used to access the microservice.
		 Wildcards are supported.

	    match-order
		 Ordinal number (1,2,3...) specifying the order that the
		 microservice entries are checked for matches.

	    mitigation-time
		 The time in seconds for the microservice anomaly mitigation
		 duration.

	    type The type of the microservice.

	    urls
		 match-order
		      Ordinal number (1,2,3...) specifying the order that the
		      URL entries in the microservice are checked for matches.

		 url  The URL entry in the microservice. Wildcards are
		      supported.

       mobile-detection
	    This feature detects mobile applications built with the Anti-Bot
	    Mobile SDK and defines how requests from these mobile application
	    clients are handled.  This feature requires an Anti-Bot Mobile SK
	    license to be operational.

	    allow-android-rooted-device
		 Specifies, when enabled, whether to allow mobile applications
		 from Android rooted devices.

	    allow-any-android-package
		 Specifies, when enabled, whether to allow any mobile
		 applications from Android devices.

	    allow-any-ios-package
		 Specifies, when enabled, whether to allow any mobile
		 applications from iOS devices.

	    allow-emulators
		 Specifies, when enabled, whether to allow mobile applications
		 running on emulators.

	    allow-jailbroken-devices
		 Specifies, when enabled, whether to allow mobile applications
		 from iOS jailbroken devices.

	    android-publishers
		 List of allowed publisher certificates for Android mobile
		 applications.

	    block-debugger-enabled-device
		 Specifies, when enabled, whether to allow mobile applications
		 from devices with debugger enabled.

	    client-side-challenge-mode
		 Determines the substitute action for CAPTCHA or client-side
		 integrity check for mobile applications.  In those cases, the
		 options for the mobile applications are:

		 cshui
		      The SDK checks for human interactions with the screen in
		      the last few seconds. If none are detected, the traffic
		      is blocked.

		 pass The traffic is passed without incident.

	    ios-allowed-packages
		 List of fully qualified iOS mobile application package names
		 that will be allowed.

	    signatures
		 List of signature names for detecting mobile applications
		 without Anti-Bot Mobile SDK.

       perform-challenge-in-transparent
	    Determines, when enabled, whether browser challenges are still
	    executed in transparent enforcement mode.

       signature-category-overrides
	    List of signature categories that have mitigation settings
	    overriding the defaults determined by the template.

	    action
		 The overriding mitigation action for the Bot signature
		 category.  The options are:

		 alarm
		      Mark the request log entry with the alarm flag. Request
		      passes through.

		 block
		      Block the request and send the blocking page in
		      response.

		 captcha
		      Send a CAPTCHA challenge in response. If the user solves
		      the challenge successfully the requests from this user
		      are passed to the server for a limited period of time.

		 none The category will not be detected. This may affect the
		      classification of the client and hence the action based
		      on that classification.

		 tcp-reset
		      Discard the request by resetting the TCP connection it
		      was sent on.

		 redirect-to-pool
		      Send the request to the configured pool.

		 honeypot-page
		      Block the request and send the Honeypot response page in
		      response.

       signature-overrides
	    List of signatures that have mitigation settings overriding the
	    defaults determined by the template.

	    action
		 The overriding mitigation action for the Bot signature. The
		 options are:

		 alarm
		      Mark the request log entry with the alarm flag. Request
		      passes through.

		 block
		      Block the request and send the blocking page in
		      response.

		 captcha
		      Send a CAPTCHA challenge in response. If the user solves
		      the challenge successfully the requests from this user
		      are passed to the server for a limited period of time.

		 none The signature will not be detected. This may affect the
		      classification of the client and hence the action based
		      on that classification.

		 rate-limit
		      Traffic from this source will be limited to a given
		      transaction rate. Relevant only to classes and signature
		      categories.

		 tcp-reset
		      Discard the request by resetting the TCP connection it
		      was sent on.

		 redirect-to-pool
		      Send the request to the configured pool.

		 honeypot-page
		      Block the request and send the Honeypot response page in
		      response.

	    rate-limit-tps
		 The TPS limit for the signature Relevant only if the action
		 is rate limit.

       signature-staging-upon-update
	    In staging, the system does not block the request, but logs the
	    request.  When not in staging, the system enforces the mitigation
	    action configured for the signature in Mitigation Settings.

       single-page-application
	    Enable if your website is a Single Page Application, meaning a web
	    application that loads new content without triggering a full page-
	    reload.  The system will inject JavaScript code to every HTML
	    response.  This will allow handling browser challenges and CAPTCHA
	    without requiring page reloading. The default is Disabled.

       site-domains
	    Configures a list of domains that are part of the website.

       staged-signatures
	    List of signatures that are put in staging.

       template
	    Specifies the template for the profile. The template determines
	    default values for the mitigation settings and some other
	    settings.  The options are:

	    balanced
		 Allow limited access to non-malicious bots and verify
		 browsers without affecting the user experience.

	    relaxed
		 Allow full access to non-malicious bots and perform non-
		 intrusive browser verification.

	    strict
		 Allow only fully verified browsers, mobile applications and
		 trusted bots and block the rest. User experience may be
		 affected.

       whitelist
	    These are the whitelisted sources. A source can be an IP address
	    or a geolocation.

	    disable-mitigation
		 Specifies whether to exempt the whitelist entry from
		 mitigation actions.

	    disable-verification
		 Specifies whether to exempt the whitelist entry from browser
		 verification actions.

	    geolocation
		 The name of the source geolocation that is whitelisted.

	    match-order
		 Ordinal number (1,2,3...) specifying the order that the
		 whitelist entries are checked for matches.

	    source-address
		 The name of the source IP address that is whitelisted.

	    url  The name of the URL (wildcard supported) that is whitelisted.

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       partition
	    Displays the administrative partition within which the component
	    resides.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

SEE ALSO
       create, delete, edit, glob, list, ltm virtual, modify, regex, security,
       security bot-defense, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015, 2018. All rights
       reserved.



BIG-IP				  2019-02-10   security bot-defense profile(1)