Forum Discussion

Nikoolayy1's avatar
Aug 26, 2022

F5 Advanced WAF/ASM and Shape intergration is the AWAF Bot defense profile still needed?

Hello,

 

As now there are more and more users that use F5 AWAF/ASM and shape together as Shape uses advanced DeviceID+ as described here in this post https://community.f5.com/t5/technical-forum/what-are-the-differences-between-device-id-and-device-id/td-p/214228 I had to ask if the F5 Bot defense profile still needed or even recommended as it will insert Javascript to generate DeviceID but so will the SHAPE insert javascript for its DeviceID+ and this may cause issues.

 

With the SHAPE javascript inserted from the F5 device I think that only F5 Layer 7 DDOS profile and the AWAF policy are needed but I could be wrong 🙂

 

F5 Big-IP and Shape integration:

https://f5cloudservices.zendesk.com/hc/en-us/articles/1500005614802-Integrated-Bot-Defense-Configuration-Guide-for-BIG-IP

  • AubreyKingF5's avatar
    AubreyKingF5
    Oct 06, 2022

    Double-checked. Also, to clarify, definitely not a mirror. Load balanced proxies is probably the best way.

  • Good question indeed! My initial response was that it will still have a place, but as you say, they both now rougly do the same, and with Shape now much better integrated in the system, it makes more sense to use just the one. Would be good to have someone pitch in on this. 

    Also, would the same count for brute force mitigation? Or will that stay around as a Shape-lite option maybe? (...or the other way around? 😉 

    • I have read somewhere that for login web pages/URL and sign-up (account creation web pages) then it is much better to use Shape security but there is not much info if the Advanced WAF bot profile or the Shape security should be used for the other pages. Maybe where we want CAPTCHA (not that advanced bots don't bypass that 🙂 ) the Advanced WAF is needed as Shape can't do that but I am just guessing:

       

      https://support.f5.com/csp/article/K42323285

       

      For now I will see it till someone shares more info that more important URL pages like login web pages/URL and sign-up pages to use Shape if the customer wants shape but to maybe pay less and if the custome has no issue to use Shape for everything then only use the Bot profile for the CAPTCHA if it is a requirement.

       

      I am refering to this web page but it is not from F5 and it was made in 2020 but is still a great article:

       

      https://wtit.com/f5-advanced-waf-and-shape-layered-security-is-best/

       

       

       

       

      • AubreyKingF5's avatar
        AubreyKingF5
        Icon for Moderator rankModerator

        This is a great question! 

         

        So, as someone who sold this stuff for 12 years - both BIG-IP and XC, I can tell you this: Shape is the Cadillac. You will see f5 strive to offer same services everywhere, though. Today, BIG-IP's best Bot option seems to be AWAF Bot defense profile. XC has its own Bot defense.. same signatures as AWAF. Shape is an upgrade option to both AND SHOULD BE USED IN LIEU OF, because of the AI / ML component. Shape is far from a signature based bot defense. Not every customer feels they need that much dynamic bot defense, so we are simply striving to offer options. If you are using Shape for bot, though.. sure turn off the AWAF bot piece. Of course.. the rest of AWAF is genius and should still be used for day to day usage understanding.