Forum Discussion

islam_nadim
Oct 25, 2022

Bot defense profile

Hello,

 

Can someone explain the difference between the bot defence relaxed and balanced templates? As far as I understand, the balanced template detects based on anomalies along with the signature, but the relaxed relies only on signature.

If this is correct, why do I see anomaly detection when using relaxed template?

  • Hi islam_nadim,

    This may be a better question for F5 Support.
    At a high level, from: 
    https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_bot-defense_profile.html

     balanced
             Allow limited access to non-malicious bots and verify
             browsers without affecting the user experience.

     relaxed
             Allow full access to non-malicious bots and perform
             non-intrusive browser verification.

    From https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-asm-implementations/configuring-bot-defense.html

     

    "Bot defense relaxed template
    A relaxed bot defense profile defines a permissive security policy that performs basic non-intrusive verification of browsers; strong verification of mobile apps using Anti-Bot Mobile Security SDK; blocks malicious bots and allows all other clients. Malicious bots are detected mostly by using bot signatures. This template provides basic protection with very low risk of false positives.


    Bot defense balanced template
    A bot defense balanced template defines a moderate security policy that performs advanced verification of browsers; strong verification of mobile apps using Anti-bot Mobile Security SDK; blocks malicious bots; initiates a CAPTCHA challenge for suspicious browsers; limits the total request rate produced by unknown bots and allows trusted and untrusted bots. Malicious bots and suspicious browsers are identified by using both anomaly detection algorithms and bot signatures. This template provides an advanced protection level with reduced latency impact because browser verification is performed by injecting the challenge in the HTTP response."

     

    If you have any follow-up questions, I'd recommend reaching out to F5 Support, since the answer to your question depends on several things, and they'll be able to do more with more information/context from you.