F5 Bot Defense for Salesforce Commerce Cloud – Protect Your E-Commerce Site From Unwanted Bots and Illegitimate Traffic (2 of 2)

This article is the second in a two-part series. Go to Part 1 here.

Step 2: Setup the Integration

You will identify the endpoints and customize several settings in the F5 cartridge.

Custom Objects

The integration uses custom objects to configure endpoints that should be protected. Custom objects are stored locally (per Site).

  • Navigate to Merchant Tools > Custom Objects > Manage Custom Objects
  • There are three custom object types.
  1. BotProtectedEndpoints - describes the protected endpoint behavior
  2. SAFEEndpoints - describes the protected endpoint behavior for SAFE mode
  3. GETScrapingEndpoints - describes the protected endpoint behavior ISTL

BotProtectedEndpoints and GETScrapingEndpoints have the same structure. SAFEEndpoints have only ‘id’ and ‘paths’ fields. The custom object stores a list of all protected endpoints and describes their behavior for different F5 Shape solutions. The example below outlines how to configure the account-login-post object as a protected endpoint.

  • Select the object type based on the subscribed mode and click on the Find button.
  • In the results, click on the account-login-post object id and select a Mitigation Action.

Figure 6: Sample configuration to define a protected endpoint

Custom Site Preference Groups.

Here, you will specify the values of various options to customize the F5 integration.

  • Navigate to Merchant Tools > Custom Site Preferences Groups > Site Preferences > Custom Preferences and click on Shape.
  • Enter the values for Telemetry Header Prefix, F5 Shape API hostname, and API key, obtained from F5.

Figure 7: Sample configuration to specify the values for connecting to the F5 Bot Defense back-end engine

  • Scroll down to Specify F5 Shape JS URL or Path. Enter the JS URL.
  • In the Select location for JS tag(s) option, you will choose one of the following, based on your preferred location to insert the JS tag:
  1. After head (head)
  2. After tail (tail)
  3. Before script (script)

Figure 8: Sample configuration to specify the values for F5 Shape JS URL and its path

  • In the Insert JS tag(s) in only specific web pages (entry pages) option, select either Yes/ No.  
  1. The No choice will insert the JS tag to all the webpages
  2. The Yes choice will provide an additional option to specify the web pages for which the JS tag needs to be inserted.

Figure 9: Sample configuration to assign the JS tag to specific entry pages

This completes the F5 cartridge configuration. When done, click on the Save button at the top right-hand cover of the web page.

Step 3: Verification

To test the F5 Bot Defense integration with SFCC, emulate a malicious request from a client machine to your e-commerce website.

From Browser

Access and log in to your SFCC site from the browser. Inspect the web page source; you will notice the JS inserted by the SFCC.

Figure 10: JS insertion

You will also notice the prefix string and the telemetry headers passed in the HTTP POST.

Figure 11: Telemetry headers inserted in the HTTP POST

Now, disable the JavaScript support in the setting of the client browser and log in to your site. The F5 Bot Defense will identify this HTTP request as malicious web traffic and will block the request ('Block' is the migration action selected for the account-login-post in the custom objects)

Figure 12: F5 Bot Defense blocked the request from the JS disabled browser

F5 Bot Protection Manager

Access your F5 Bot Protection Manager portal to see all the client requests to your e-commerce site. You will notice all the shoppers' traffic to the storefront, the login request from the JavaScript disabled browser that was used to emulate bot traffic will be flagged by F5 Bot Defense in red as malicious.

Figure 13: Malicious bot traffic detection by F5 Bot Defense

The F5 Bot Defense integration with SFCC using the certified cartridge is an easy-to-deploy solution that seamlessly works with the Storefront Reference Architecture. With this industry-leading MI-driven security, your digital business is safeguarded in real-time with superior accuracy & long-term efficacy. Deploy the cartridge from the SFCC Link Marketplace to minimize the impact of Bots on your business, confidently.

Additional Resources

F5 Bot Defense integration for SFRA sites: Configuration Guide

F5 Bot Defense integration for SiteGenesis sites: Configuration Guide

Solution Lightboard: YouTube Video

Salesforce partnership: Technology Alliance on F5.com

Published Nov 10, 2021
Version 1.0
No CommentsBe the first to comment