F5 AWAF/ASM Bot protection custom signature does not allow the traffic
Hello To All,
I wanted to enable "curl" for a customer just to particular URL and I made custom Bot Signature that matches the "curl" for User-Agent and has the URL and it is using Custom Category that in the Trusted Bot Class.
From the Bot logs I see that my signature is matched but also the normal curl signature is matched and I am still blocked ? I changed the signature to different categories that are in different classes and still the same.
I tested and it is the same on versions 22.214.171.124 and 126.96.36.199. I managed to use an iRule like the one at https://community.f5.com/t5/codeshare/proactive-bot-defense-bypass-by-bot-signature/ta-p/282254 but this seems stupid to need irules for this and to not be able to just make a custom signature in the Trusted Bot class.
Bot Defense will prefer it's own curl signature over your custom signature.
iRule is the way.
Funny note on the side - in September or October I had the exact same issue and got the answer from an F5 engineer... from Spain if I'm not mistaken. Can't find my notes from back then right now.