security bot-defense profile
security bot-defense profile(1BIG-IP TMSH Manuasecurity bot-defense profile(1)
NAME
profile - Configures a Bot Defense profile.
MODULE
security bot defense
SYNTAX
Configure the profile component within the security bot defense module
using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
api-access-strict-mitigation [enabled | disabled]
anomaly-category-overrides [none | add | delete | modify | replace-all-with] {
[anomaly-category-name] ... {
options:
action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
app-service [[string] | none]
}
}
anomaly-overrides [none | add | delete | modify | replace-all-with] {
[anomaly-name] {
options:
action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
}
}
app-service [[string] | none]
blocking-page {
body [string]
headers [string]
status-code [integer]
type [custom | default]
}
captcha-response {
failure {
body [string]
type [custom | default]
}
first {
body [string]
type [custom | default]
}
class-overrides [none | add | delete | modify | replace-all-with] {
[class-name] {
options:
mitigation {
action [alarm | block | captcha | none | rate-limit | tcp-reset | redirect-to-pool | honeypot-page]
rate-limit-tps [integer]
}
verification {
action [browser-challenge-free-verification | browser-verify-after-access-detection | mobile-verify-integrity browser-verify-after-access-blocking | browser-verify-before-access | none]
}
}
}
cross-domain-requests [allow-all | validate-bulk | validate-upon-request]
defaults-from [profile-name]
description [[string] | none]
deviceid-mode [generate-after-access | generate-before-access | none]
dos-attack-strict-mitigation [enabled | disabled]
enforcement-mode [blocking | transparent]
enforcement-readiness-period [integer]
external-domains [none | add | delete | modify | replace-all-with] { [string] ... }
grace-period [integer]
micro-services [none | add | delete | modify | replace-all-with] {
action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
class-overrides [none | add | delete | modify | replace-all-with] {
[class-name] {
options:
mitigation {
action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
}
verification {
action [browser-captcha | browser-challenge-free-verification | browser-verify-after-access-detection | mobile-verify-integrity browser-verify-after-access-blocking | browser-verify-before-access | none]
}
}
}
description [[string] | none]
detection-threshold [integer]
detection-time [integer]
enforcement-mode [blocking | profile-default | transparent]
hostname [string]
match-order [integer]
mitigation-time [integer]
type [micro-service-type]
urls [none | add | delete | modify | replace-all-with] {
match-order [integer]
url [string]
}
}
mobile-detection {
allow-android-rooted-device [enabled | disabled]
allow-any-android-package [enabled | disabled]
allow-any-ios-package [enabled | disabled]
allow-emulators [enabled | disabled]
allow-jailbroken-devices [enabled | disabled]
android-publishers [none | add | delete | modify | replace-all-with] { [string] ... }
block-debugger-enabled-device [enabled | disabled]
client-side-challenge-mode [cshui | pass]
ios-allowed-packages [none | add | delete | modify | replace-all-with] { [string] ... }
signatures [none | add | delete | modify | replace-all-with] { [signature-name] ... }
}
perform-challenge-in-transparent [enabled | disabled]
signature-category-overrides [none | add | delete | modify | replace-all-with] {
[signature-category] ... {
options:
action [alarm | block | captcha | none | tcp-reset | redirect-to-pool | honeypot-page]
}
}
signature-overrides [none | add | delete | modify | replace-all-with] {
[signature-name] ... {
options:
action [alarm | block | captcha | none | rate-limit | tcp-reset | redirect-to-pool | honeypot-page]
rate-limit-tps [integer]
}
}
signature-staging-upon-update [enabled | disabled]
single-page-application [enabled | disabled]
site-domains [none | add | delete | modify | replace-all-with] { [string] ... }
staged-signatures [none | add | delete | modify | replace-all-with] { [signature-name] ... }
template [balanced | relaxed | strict]
whitelist [none | add | delete | modify | replace-all-with] {
disable-mitigation [no | yes]
disable-verification [no | yes]
geolocation [country-name]
match-order [integer]
source-address [ip-address]
url [string]
}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
show profile [ [ [name] | [glob] | [regex] ] ... ]
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete
a Bot Defense profile for use with Bot Defense Protection
functionality.
EXAMPLES
create profile my_bot_profile
Creates a custom Bot Defense profile named my_bot_profile with initial
settings.
list profile
Displays the properties of all Bot Defense profiles.
OPTIONS
api-access-strict-mitigation
Determines, when enabled, whether to apply the strict mitigation
settings on API access requests.
anomaly-category-overrides
List or define anomaly categories that have mitigation settings
overriding the defaults determined by the template.
action
The overriding mitigation action for the anomaly category.
The options are:
alarm
Mark the request log entry with the alarm flag. Request
passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user solves
the challenge successfully the requests from this user
are passed to the server for a limited period of time.
none The category will not be detected. This may affect the
classification of the client and hence the action based
on that classification.
tcp-reset
Discard the request by resetting the TCP connection it
was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response page in
response.
anomaly-overrides
List or define anomalies that have mitigation settings overriding
the defaults determined by the template.
action
The overriding mitigation action for the anomaly. The
options are:
alarm
Mark the request log entry with the alarm flag. Request
passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user solves
the challenge successfully the requests from this user
are passed to the server for a limited period of time.
none The anomaly will not be detected. This may affect the
classification of the client and hence the action based
on that classification.
tcp-reset
Discard the request by resetting the TCP connection it
was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response page in
response.
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
blocking-page
body Configures the body of the blocking page response.
headers
Configures the HTTP headers of the blocking page response.
status-code
Configures the HTTP status code of the blocking page
response.
type Configures a type of the blocking page response.
captcha-response
Specifies properties of the CAPTCHA response in Application
Security. You can configure the following options for CAPTCHA
Response Settings:
failure
Specifies properties of a failed CAPTCHA response. You can
configure the following options for a failed CAPTCHA
response:
body Configures a failed CAPTCHA response body.
type Configures a type of a failed CAPTCHA response body. You
can configure the following options for a failed CAPTCHA
response type:
custom
Configures a custom failed CAPTCHA response type.
default
Configures a default failed CAPTCHA response type.
first
Specifies properties of the first CAPTCHA response. You can
configure the following options for the first CAPTCHA
response:
body Configures the first CAPTCHA response body.
type Configures a type of the first CAPTCHA response body.
You can configure the following options for the first
CAPTCHA response type:
custom
Configures a custom first CAPTCHA response type.
default
Configures a default first CAPTCHA response type.
class-overrides
List or define classes that have settings overriding the defaults
determined by the template.
mitigation
These set which type of mitigation to take for each type of
bot.
action
The overriding mitigation action for the class. The
options are:
alarm
Mark the request log entry with the alarm flag.
Request passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user
solves the challenge successfully the requests from
this user are passed to the server for a limited
period of time.
none The class will not be detected. This may affect the
classification of the client and hence the action
based on that classification.
rate-limit
Traffic from this source will be limited to a given
transaction rate. Relevant only to classes and
signature categories.
tcp-reset
Discard the request by resetting the TCP connection
it was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response
page in response.
rate-limit-tps
The TPS limit for the signature Relevant only if the
action is rate limit.
verification
action
The overridden verification action for the class.
Relevant only to Browser and Mobile Application classes.
The options are:
browser-challenge-free-verification
Verify the browser authenticity by examining the
request header without sending any JavaScript
challenge to the client.
browser-verify-after-access-detection
Verify the browser authenticity by examining the
request header and by a JavaScript challenge
injected to the server response after letting the
request to the server. The request is not
mitigated even if the JavaScript challenge failed,
rather, it is only reported, classifying the client
as a Bot.
browser-verify-after-access-blocking
Verify the browser authenticity by examining the
request header and by a JavaScript challenge
injected to the server response after letting the
request to the server. Upon challenge failure, the
request is mitigated according to the respective
mitigation settings.
browser-verify-before-access
Verify the browser authenticity by examining the
request header and by responding with a JavaScript
challenge before letting the request to the server.
Request is sent to the server only upon successful
completion of the challenge.
mobile-verify-integrity
Enable verification of mobile applications with
Anti-Bot mobile SDK.
none No verification action taken. This may affect the
classification of the client and hence the action
based on that classification.
cross-domain-requests
Specifies a cross-domain requests handling mode. The options are:
allow-all
Allows all cross-domain requests. This is the default value.
validate-bulk
System validates domains in bulk: the cookies for the related
domains are created together with the cookie for the current
domain, by generating challenges in iframes - one per each
domain.
validate-upon-request
System validates domains upon request: the cookie for the
related domain is generated when a request arrives to an
unqualified URL without a cookie.
defaults-from
Specifies the profile that you want to use as the parent profile.
description
User textual description of the profile.
deviceid-mode
Specifies how the Device ID will be collected.
The options are:
generate-after-access
Device ID is collected by injecting a JavaScript in the
response. This is less intrusive and has less of a latency
impact. Use when sensitive to response time or time-to-first-
byte. Note that some requests at the beginning of the
session will have no Device ID until the handshake is
complete and the Device ID is generated.
generate-before-access
Device ID is collected by generating a JavaScript challenge
before forwarding the HTTP request to the application. This
guarantees that every request that reaches the application
has a Device ID. This has more of a latency impact that
Generate After Access. Bots that present as browsers and are
unable to execute JavaScript will be blocked.
none Device ID will not be collected.
dos-attack-strict-mitigation
Determines, when enabled, whether to apply strict mitigation
settings during DoS attacks.
enforcement-mode
Specifies whether to execute the mitigation actions or just report
the detection results.
blocking
The system will replace responses with client side JavaScript
and if the client cannot run JavaScript, it will not be able
to receive the server responses.
transparent
The system logs all mitigation and verification actions but
no action is taken on the traffic.
enforcement-readiness-period
How many days, since the bot defense profile was last changed,
that the profile remains in staging mode before the system
suggests you enforce. The system does not enforce profile entities
and attack signatures in staging. Staging allows you to test the
bot defense profile entities and the attack signatures for false
positives without enforcing them. The default is 604800 seconds (7
days).
external-domains
List of external domain names that may refer to resources on the
application. Used for handling cross-domain requests.
grace-period
The period in seconds during which requests for resources are not
required to have browser verification cookies.
micro-services
List of microservices for which there exists specialized detection
and mitigation behavior.
action
The mitigation action for the anomaly of the microservice.
The options are:
alarm
Mark the request log entry with the alarm flag. Request
passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user solves
the challenge successfully the requests from this user
are passed to the server for a limited period of time.
none Microservice anomaly will not be detected. This may
affect the classification of the client and its
mitigation action.
tcp-reset
Discard the request by resetting the TCP connection it
was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response page in
response.
class-overrides
The list of classes for which the settings override the ones
determined by the microservice type.
mitigation
These set which type of mitigation to take for each type
of bot.
action
The name of the overriding mitigation action for
the class in the scope of the microservice. The
options are:
alarm
Mark the request log entry with the alarm
flag. Request passes through.
block
Block the request and send the blocking page
in response.
captcha
Send a CAPTCHA challenge in response. If the
user solves the challenge successfully the
requests from this user are passed to the
server for a limited period of time.
none The class will not be detected. This may
affect the classification of the client and
hence the action based on that classification.
rate-limit
Traffic from this source will be limited to a
given transaction rate. Relevant only to
classes and signature categories.
tcp-reset
Discard the request by resetting the TCP
connection it was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot
response page in response.
verification
action
The name of the overriding verification action for
the class in the scope of the microservice.
Relevant only to Browser class. The options are:
browser-captcha
Send a CAPTCHA challenge response on each
request with Browser User-Agent. The request
is passed to the server only if the CAPTCHA
was successfully solved.
browser-challenge-free-verification
Verify the browser authenticity by examining
the request header without sending any
JavaScript challenge to the client.
browser-verify-after-access-detection
Verify the browser authenticity by examining
the request header and by a JavaScript
challenge injected to the server response
after letting the request to the server. The
request is not mitigated even if the
JavaScript challenge failed, rather, it is
only reported, classifying the client as a
Bot.
browser-verify-after-access-blocking
Verify the browser authenticity by examining
the request header and by a JavaScript
challenge injected to the server response
after letting the request to the server. Upon
challenge failure, the request is mitigated
according to the respective mitigation
settings.
browser-verify-before-access
Verify the browser authenticity by examining
the request header and by responding with a
JavaScript challenge before letting the
request to the server. Request is sent to the
server only upon successful completion of the
challenge.
none No verification action taken. This may affect
the classification of the client and hence the
action based on that classification.
description
User textual description of the microservice.
detection-threshold
The number of times the microservice was accessed by a client
after which the microservice anomaly is declared.
detection-time
The period in seconds during which the microservice anomaly
threshold is tested.
enforcement-mode
Determines the enforcement mode for the microservice, or use
the default one from the profile settings.
blocking
The system will replace responses with client side
JavaScript and if the client cannot run JavaScript, it
will not be able to receive the server responses.
profile-default
The enforcement mode (transparent or blocking) for the
microservice is determined by the profile setting.
transparent
The system logs all mitigation and verification actions
but no action is taken on the traffic.
hostname
The host domain name used to access the microservice.
Wildcards are supported.
match-order
Ordinal number (1,2,3...) specifying the order that the
microservice entries are checked for matches.
mitigation-time
The time in seconds for the microservice anomaly mitigation
duration.
type The type of the microservice.
urls
match-order
Ordinal number (1,2,3...) specifying the order that the
URL entries in the microservice are checked for matches.
url The URL entry in the microservice. Wildcards are
supported.
mobile-detection
This feature detects mobile applications built with the Anti-Bot
Mobile SDK and defines how requests from these mobile application
clients are handled. This feature requires an Anti-Bot Mobile SK
license to be operational.
allow-android-rooted-device
Specifies, when enabled, whether to allow mobile applications
from Android rooted devices.
allow-any-android-package
Specifies, when enabled, whether to allow any mobile
applications from Android devices.
allow-any-ios-package
Specifies, when enabled, whether to allow any mobile
applications from iOS devices.
allow-emulators
Specifies, when enabled, whether to allow mobile applications
running on emulators.
allow-jailbroken-devices
Specifies, when enabled, whether to allow mobile applications
from iOS jailbroken devices.
android-publishers
List of allowed publisher certificates for Android mobile
applications.
block-debugger-enabled-device
Specifies, when enabled, whether to allow mobile applications
from devices with debugger enabled.
client-side-challenge-mode
Determines the substitute action for CAPTCHA or client-side
integrity check for mobile applications. In those cases, the
options for the mobile applications are:
cshui
The SDK checks for human interactions with the screen in
the last few seconds. If none are detected, the traffic
is blocked.
pass The traffic is passed without incident.
ios-allowed-packages
List of fully qualified iOS mobile application package names
that will be allowed.
signatures
List of signature names for detecting mobile applications
without Anti-Bot Mobile SDK.
perform-challenge-in-transparent
Determines, when enabled, whether browser challenges are still
executed in transparent enforcement mode.
signature-category-overrides
List of signature categories that have mitigation settings
overriding the defaults determined by the template.
action
The overriding mitigation action for the Bot signature
category. The options are:
alarm
Mark the request log entry with the alarm flag. Request
passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user solves
the challenge successfully the requests from this user
are passed to the server for a limited period of time.
none The category will not be detected. This may affect the
classification of the client and hence the action based
on that classification.
tcp-reset
Discard the request by resetting the TCP connection it
was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response page in
response.
signature-overrides
List of signatures that have mitigation settings overriding the
defaults determined by the template.
action
The overriding mitigation action for the Bot signature. The
options are:
alarm
Mark the request log entry with the alarm flag. Request
passes through.
block
Block the request and send the blocking page in
response.
captcha
Send a CAPTCHA challenge in response. If the user solves
the challenge successfully the requests from this user
are passed to the server for a limited period of time.
none The signature will not be detected. This may affect the
classification of the client and hence the action based
on that classification.
rate-limit
Traffic from this source will be limited to a given
transaction rate. Relevant only to classes and signature
categories.
tcp-reset
Discard the request by resetting the TCP connection it
was sent on.
redirect-to-pool
Send the request to the configured pool.
honeypot-page
Block the request and send the Honeypot response page in
response.
rate-limit-tps
The TPS limit for the signature Relevant only if the action
is rate limit.
signature-staging-upon-update
In staging, the system does not block the request, but logs the
request. When not in staging, the system enforces the mitigation
action configured for the signature in Mitigation Settings.
single-page-application
Enable if your website is a Single Page Application, meaning a web
application that loads new content without triggering a full page-
reload. The system will inject JavaScript code to every HTML
response. This will allow handling browser challenges and CAPTCHA
without requiring page reloading. The default is Disabled.
site-domains
Configures a list of domains that are part of the website.
staged-signatures
List of signatures that are put in staging.
template
Specifies the template for the profile. The template determines
default values for the mitigation settings and some other
settings. The options are:
balanced
Allow limited access to non-malicious bots and verify
browsers without affecting the user experience.
relaxed
Allow full access to non-malicious bots and perform non-
intrusive browser verification.
strict
Allow only fully verified browsers, mobile applications and
trusted bots and block the rest. User experience may be
affected.
whitelist
These are the whitelisted sources. A source can be an IP address
or a geolocation.
disable-mitigation
Specifies whether to exempt the whitelist entry from
mitigation actions.
disable-verification
Specifies whether to exempt the whitelist entry from browser
verification actions.
geolocation
The name of the source geolocation that is whitelisted.
match-order
Ordinal number (1,2,3...) specifying the order that the
whitelist entries are checked for matches.
source-address
The name of the source IP address that is whitelisted.
url The name of the URL (wildcard supported) that is whitelisted.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security,
security bot-defense, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015, 2018. All rights
reserved.
BIG-IP 2019-02-10 security bot-defense profile(1)