spalande
Aug 20, 2015

Anomaly detection ASM

We want to use the anomaly detection feature of ASM to protect against bot attacks. We would like to configure it based on client-side integrity and rate limiting on session. We would use the web scraping and DoS profile options.

 

However, the application uses an Akamai caching proxy, so for all requests that come to F5 the source IP seen is an Akamai IP.

 

The question is how blocking happens in anomaly detection: is it based on the client IP address?

 

If yes, in case an anomaly is detected, we don't want the Akamai IP to get blocked, as this would result in blocking legitimate requests.

 

1 Reply

  • nathe

    If the ASM sees the same IP address then it will trigger the anomaly detection based on the IP metrics, e.g. in DoS the Suspicious IP setting. It will then trigger the protections based on what you select, e.g. Source IP Rate Limiting or Source IP Client Side Integrity. Rate Limiting is not an option as it'll affect all clients. Client Side Integrity checking will inject JavaScript in the responses so, in that case, whilst all clients will be affected, only clients that cannot process JavaScript (e.g. a bot) will fail and, hence, be blocked.

     

    Does Akamai not pass the client's source IP address? I thought it used the True-Client-IP header? If so then you can configure ASM to trust either this header, or perhaps it might use the X-Forwarded-For header. If the former then configure the Custom XFF Header in the ASM policy.

     

    This way ASM will see the true client IP and enable protections based on this.

     

    Hope this helps,

     

    N
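
The effect the reply describes, as an added example that is not part of the original thread and not F5's implementation: per-IP anomaly counting keyed on the connecting address versus on the address taken from True-Client-IP or X-Forwarded-For. The proxy range, addresses, threshold and function names are constructed assumptions; the header is honoured only when the connection arrives from the trusted proxy range.

```python
import ipaddress
from collections import Counter

# Assumption: constructed stand-in for the CDN edge range (documentation prefix).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# Headers named in the reply above, checked in this order.
CLIENT_IP_HEADERS = ("True-Client-IP", "X-Forwarded-For")


def client_ip(peer, headers):
    """Return the address that per-IP detection should be keyed on."""
    peer_addr = ipaddress.ip_address(peer)
    if not any(peer_addr in net for net in TRUSTED_PROXIES):
        return peer  # direct connection: a client-supplied header is not trusted
    for name in CLIENT_IP_HEADERS:
        # X-Forwarded-For can be a list; the last entry was appended by the trusted proxy.
        candidate = headers.get(name, "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # header missing or malformed, try the next one
    return peer


def over_threshold(requests, limit, key):
    """Addresses whose request count in this window exceeds the limit."""
    counts = Counter(key(req) for req in requests)
    return sorted(ip for ip, n in counts.items() if n > limit)


def by_peer(req):
    return req["peer"]


def by_client(req):
    return client_ip(req["peer"], req["headers"])


# Constructed sample window: one noisy client, five quiet ones, one direct request.
SAMPLE = (
    [{"peer": "203.0.113.10", "headers": {"True-Client-IP": "198.51.100.7"}}] * 8
    + [{"peer": "203.0.113.10", "headers": {"True-Client-IP": f"192.0.2.{i}"}} for i in range(1, 6)]
    + [{"peer": "198.51.100.99", "headers": {"True-Client-IP": "192.0.2.1"}}]
)

if __name__ == "__main__":
    print("keyed on peer IP:  ", over_threshold(SAMPLE, 5, by_peer))
    print("keyed on client IP:", over_threshold(SAMPLE, 5, by_client))
```

Keyed on the peer address, the only entry over the limit is the proxy itself, so a block would hit every client behind it; keyed on the header value, only the noisy client is flagged.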