Proactive Bot Defense Using BIG-IP ASM
Hi,
 
Great article! I am a bit confused by the description of the options in the CORS section (Allow configured domains; validate in bulk, Allow configured domains; validate upon request). To my understanding, those are different from the descriptions in the built-in help on BIG-IP v13. On BIG-IP, all descriptions start with the same sentence as the first option (Allow all requests). Maybe I am wrong, but for me the CORS configuration on BIG-IP controls the source domains that can send requests to a VS on BIG-IP. The descriptions mentioned in the article seem to suggest that it controls the domains to which requests can be sent from content served by a VS on BIG-IP: "This setting allows requests to other related internal or external domains that are configured in this section and validates the related domains in advance." Am I wrong here?
 
Another description that is a bit unclear is Grace Period. Did it change in v13? In the old article (https://devcentral.f5.com/s/articles/more-web-scraping-bot-detection) the description of Grace Period is as follows:
 
"If, during the Grace Interval, the system determines that the client is a human, it does not check the subsequent requests at all (during the Safe Interval). Once the Safe Interval is complete, the system moves back into the Grace Interval and the process continues.
 
Notice that the ASM is able to detect a bot before the Grace Interval is complete (as shown in the latter part of the diagram below). As soon as the system detects a bot, it immediately moves into the Unsafe Interval...even if the Grace Interval has not reached its set threshold."
 
The definition in this article suggests that there is no bot detection performed at all during the Grace Period - quite the opposite of the info from the old article.

Piotr