
Forum Discussion

renaud-gaspard
Apr 03, 2026

Bot Defense causing a lot of false positives

Hello DevCentral Community,

While configuring a Bot Defense profile for our websites, we noticed a lot of false positives, where legitimate browsers are flagged as Malicious Bots to a point where we cannot safely enable Malicious Bot blocking.

The detected anomalies are mostly:

  • Device ID Deletion (can be worked around by raising the threshold from 3 to ~10)
  • Resource request without browser verification cookie
  • Session Opening
  • Browser Verification Timed out (more rarely)

We have tried various configurations, none of which worked properly.

Currently, our test bot defense profile is as follows:

  • DoS Attack Mitigation Mode : Enabled
  • API Access for Browsers and Mobile Applications : Enabled
  • Exceptions:
    • Device ID Deletions : Block for 600s Detect after 10 (instead of 3) access attempts in 600s
  • No microservice
  • Browser Access : Allow
  • Browser Verification : Verify After Access (Blocking) / 300s grace period (we also tried verify before, but the white challenge page isn't acceptable for our users)
  • Device ID mode : Generate After Access (we also tried Generate Before access)
  • Single page application : Enabled (we also tried to disable it)
  • Cross Domain Requests : Allow configured domains; validate upon request (with all of our websites added in related site domains)
    We also tried with allow all requests

After a bit of digging around, we noticed the following:

  • The false positives often happen after visiting a website that loads various resources from other domains, and we believe the issue might be linked to cross domain requests
  • Google Chrome (and derivatives) are dropping the TS* cookies for cross domain requests, even with the domains added in the related domain list
  • After creating an iRule that updates TS* cookies with SameSite=None; Secure, some previously blocked requests were now allowed but not all

Disabling the check for the detected anomalies feels like it would severely affect the bot defense effectiveness.

We have opened a support ticket related to this issue over a year ago and haven't found any solution yet.

Has anyone faced a similar problem before, and has managed to solve it?

If so, how ?

Thank you for any help.

Regards

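One way to verify the SameSite observation in the post from captured response headers, as an added example that is not part of the original post and not F5 code: it applies Chrome's SameSite rules to `Set-Cookie` values and reports which `TS*` cookies are eligible for cross-site subresource requests. The cookie names, values and domain in the sample are constructed.

```python
from typing import NamedTuple

class Verdict(NamedTuple):
    name: str
    same_site: str            # "none", "lax", "strict" or "unset"
    secure: bool
    cross_site_eligible: bool
    reason: str

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.split("=", 1)[0].strip(), attrs

def audit(set_cookie_values, prefix="TS"):
    """Classify every cookie whose name starts with prefix (TS* by default)."""
    verdicts = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if not name.startswith(prefix):
            continue
        same_site = attrs.get("samesite", "").lower() or "unset"
        secure = "secure" in attrs
        if same_site == "none" and secure:
            ok, reason = True, "SameSite=None with Secure"
        elif same_site == "none":
            ok, reason = False, "SameSite=None without Secure is rejected by Chrome"
        elif same_site == "unset":
            ok, reason = False, "no SameSite attribute, Chrome defaults to Lax"
        else:
            ok, reason = False, "SameSite=%s is not sent on cross-site subresource requests" % same_site
        verdicts.append(Verdict(name, same_site, secure, ok, reason))
    return verdicts

# Constructed sample: Set-Cookie values as they might appear in a captured response.
SAMPLE = [
    "TS01aaaa=0123abcd; Path=/; Domain=.example.test",
    "TS01bbbb=4567ef01; Path=/; SameSite=None",
    "TS01cccc=89ab2345; Path=/; Secure; SameSite=None",
    "JSESSIONID=deadbeef; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for v in audit(SAMPLE):
        print(v.name, "eligible" if v.cross_site_eligible else "withheld", "-", v.reason)
```

A cookie reported as eligible can still be withheld when the browser blocks third-party cookies, so the result is a necessary condition rather than a guarantee.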