ltm rule event BOTDEFENSE ACTION
iRule(1) BIG-IP TMSH Manual iRule(1)
BOTDEFENSE_ACTION
Bot Defense event upon HTTP request, after action is decided.
DESCRIPTION
Triggered immediately prior to taking an action on a transaction. The event may be used to override the
default behavior, and/or to log the action taken.
This event is always triggered when a Bot Defense profile is attached to the Virtual Server, unless the
request is mitigated by dosl7 attack.
Most of the commands that are available on the HTTP_REQUEST event are also available on the BOTDEFENSE_ACTION
event.
Note that commands which may suspend iRule processing are currently not supported in this event and should not
be used. Partial list of these commands: after, persist, session, table, and RESOLV::lookup.
Examples
# EXAMPLE 1: Send parsed Bot Defense data and action to High Speed Logging
when BOTDEFENSE_ACTION {
set log "BOTDEFENSE:"
append log " uri [HTTP::uri]"
append log " cs_possible [BOTDEFENSE::cs_possible]"
append log " cs_allowed [BOTDEFENSE::cs_allowed]"
append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
append log " cookie_status [BOTDEFENSE::cookie_status]"
append log " cookie_age [BOTDEFENSE::cookie_age]"
append log " device_id [BOTDEFENSE::device_id]"
append log " support_id [BOTDEFENSE::support_id]"
append log " previous_action [BOTDEFENSE::previous_action]"
append log " previous_support_id [BOTDEFENSE::previous_support_id]"
append log " previous_request_age [BOTDEFENSE::previous_request_age]"
append log " bot_signature [BOTDEFENSE::bot_signature]"
append log " bot_signature_category [BOTDEFENSE::bot_signature_category]"
append log " captcha_status [BOTDEFENSE::captcha_status]"
append log " captcha_age [BOTDEFENSE::captcha_age]"
append log " default action [BOTDEFENSE::action]"
append log " reason \"[BOTDEFENSE::reason]\""
log local0. $log
HSL::send $hsl $log
}
# EXAMPLE 2: Bypassing enforcement on URL pattern
when BOTDEFENSE_ACTION {
if {[HTTP::uri] starts_with "/t/"} {
log local0. "bypassing enforcement for URI [HTTP::uri]"
set res [BOTDEFENSE::action allow]
log local0. "set action to allow, result \"$res\""
log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
}
}
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-12.1 --First introduced the event.
BIG-IP 2020-06-23 iRule(1)