ASM bot detection

Question

Folks&nbsp;
I have requirement to enable bot detection in F5 ASM policy for my application access via only mobile browsers or PC browsers not through mobile app, how i can avoid false positive here which detect by ASM.
I understand that f5 inject java script in order to verify client integrity, what is the best practice here to achieve my goal.  
&nbsp;
any input appreciated.&nbsp;

dfff_314403 · Answer

ErkkiS, won't this defeat only primitive bots? &nbsp;

samstep · Answer

You need to have 2 separate ASM policies - one for browsers and a separate one for the smartphone app. The browser policy will have full bot detection features enabled and the smartphone app policy will have JavaScript-requiring options in bot/anomaly detection switched off and relying more on IP-based anomaly detection features of ASM. &nbsp;
I assume you already have a separate Virtual Server for the mobile app, but if not then you can easily route the incoming traffic to two different ASM policies depending on the User-Agent header using Local Traffic Policy. &nbsp;
Hope this helps,&nbsp;
Sam&nbsp;

Forum Discussion

ASM bot detection

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

In Using the AST tool am I pointing it to TENANTS or to the F5OS(hardware) I have?

2026 is Almost Here

can you help with getting a BigIP virtual edition serial key

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

Related Content

More Web Scraping - Bot Detection

Proactive Bot Defense Using BIG-IP ASM

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

F5 Distributed Cloud JA4 detection for enhanced performance and detection

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS