Forum Discussion
F5 AWAF/ASM Bot protection custom signature does not allow the traffic
Hello To All,
I wanted to enable "curl" for a customer just for a particular URL, and I made a custom Bot Signature that matches "curl" in the User-Agent and has the URL, and it is using a Custom Category that is in the Trusted Bot Class.
From the Bot logs I see that my signature is matched, but the normal curl signature is also matched and I am still blocked? I changed the signature to different categories that are in different classes and it is still the same.
I tested and it is the same on versions 15.1.8.1 and 16.1.3.2. I managed to use an iRule like the one at https://community.f5.com/t5/codeshare/proactive-bot-defense-bypass-by-bot-signature/ta-p/282254 but it seems stupid to need iRules for this and to not be able to just make a custom signature in the Trusted Bot class.
Hi Nikoolayy1,
Bot Defense will prefer its own curl signature over your custom signature.
iRule is the way.
Funny note on the side - in September or October I had the exact same issue and got the answer from an F5 engineer... from Spain if I'm not mistaken. Can't find my notes from back then right now.
KR
Daniel
Thanks for confirming what I suspected, Daniel_Wolf, but it is still funny 😁
Also, too bad the Local Traffic Policies can only be used to change or disable the Bot profile for a URL and not just to bypass a specific signature, as they only work for the HTTP_REQUEST event and not the Bot events after that, as I wanted to make the life of my customer easier. I know one of the small F5 experts likes the Local policies, but just don't kill me with stones 😃
It is funny how I wrote the iRule after testing this on 15.1x and 16.1x and was going to make a code share post, and then I saw the post was made a long time ago about version 13.x.
For the sake of completeness, I found my notes on that matter.
If the BIG-IP finds more than one signature matching the request, it will enforce the more severe action.
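The iRule workaround discussed in this thread, sketched as an added example that is not taken from any post above or from the linked codeshare. The signature names, the path `/api/status` and the source network `192.0.2.0/24` are assumed placeholders, and which of several matching signature names `BOTDEFENSE::bot_signature` reports is not stated in the thread, so both names are checked.

```tcl
# Added example (not from the thread): allow curl on one URL only,
# attached to the virtual server that has the Bot Defense profile.
when BOTDEFENSE_ACTION {
    # Name of the matched bot signature; empty string when none matched.
    set sig [BOTDEFENSE::bot_signature]
    if { $sig eq "" } { return }

    # Assumed names: the built-in "curl" signature and a hypothetical
    # custom signature called "custom_curl_status".
    set allowed_sigs [list "curl" "custom_curl_status"]
    if { [lsearch -exact $allowed_sigs $sig] < 0 } { return }

    # Scope the exception to the one URL the customer needs (placeholder).
    if { !([HTTP::path] starts_with "/api/status") } { return }

    # User-Agent is client-controlled, so also pin the exception to the
    # customer's source range (placeholder documentation network).
    if { !([IP::addr [IP::client_addr] equals 192.0.2.0/24]) } { return }

    log local0. "Bot Defense override: sig=$sig path=[HTTP::path] src=[IP::client_addr]"
    BOTDEFENSE::action allow
}
```

Every other request that matches the curl signature falls through and keeps the action chosen by the Bot Defense profile.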