BotProtectedEndpoints - describes the protected endpoint behavior
SAFEEndpoints - describes the protected endpoint behavior for SAFE mode
GETScrapingEndpoints - describes the protected endpoint behavior for ISTL
BotProtectedEndpoints and GETScrapingEndpoints have the same structure. SAFEEndpoints have only ‘id’ and ‘paths’ fields. The custom object stores a list of all protected endpoints and describes their behavior for different F5 Shape solutions. The example below outlines how to configure the account-login-post object as a protected endpoint.
Select the object type based on the subscribed mode and click on the Find button.
In the results, click on the account-login-post object id and select a Mitigation Action.
Figure 6: Sample configuration to define a protected endpoint
Custom Site Preference Groups
Here, you will specify the values of various options to customize the F5 integration.
Navigate to Merchant Tools > Custom Site Preferences Groups > Site Preferences > Custom Preferences and click on Shape.
Enter the values for Telemetry Header Prefix, F5 Shape API hostname, and API key, obtained from F5.
Figure 7: Sample configuration to specify the values for connecting to the F5 Bot Defense back-end engine
Scroll down to Specify F5 Shape JS URL or Path. Enter the JS URL.
In the Select location for JS tag(s) option, you will choose one of the following, based on your preferred location to insert the JS tag:
After head (head)
After tail (tail)
Before script (script)
Figure 8: Sample configuration to specify the values for F5 Shape JS URL and its path
In the Insert JS tag(s) in only specific web pages (entry pages) option, select either Yes or No.
The No choice will insert the JS tag into all the web pages.
The Yes choice will provide an additional option to specify the web pages for which the JS tag needs to be inserted.
Figure 9: Sample configuration to assign the JS tag to specific entry pages
This completes the F5 cartridge configuration. When done, click on the Save button at the top right-hand corner of the web page.
Step 3: Verification
To test the F5 Bot Defense integration with SFCC, emulate a malicious request from a client machine to your e-commerce website.
Access and log in to your SFCC site from the browser. Inspect the web page source; you will notice the JS inserted by the SFCC.
Figure 10: JS insertion
You will also notice the prefix string and the telemetry headers passed in the HTTP POST.
Figure 11: Telemetry headers inserted in the HTTP POST
Figure 12: F5 Bot Defense blocked the request from the JS disabled browser
F5 Bot Protection Manager
Figure 13: Malicious bot traffic detection by F5 Bot Defense
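The manual checks in Step 3 (JS tag present in the page source, telemetry headers with the configured prefix on the HTTP POST) can be repeated offline against a saved page and a captured request. The following is an added example, not code from F5 or the cartridge; the JS URL, header prefix, sample markup, and all function names are constructed for illustration, and it assumes the POST was submitted from the page being checked.

```python
from html.parser import HTMLParser

# Constructed sample values: the real JS URL and header prefix come from F5.
JS_URL, PREFIX = "/assets/example-shape.js", "X-Example-"
SAMPLE_HTML = ('<html><head><script src="/assets/example-shape.js"></script>'
               '<script src="/js/main.js"></script></head><body></body></html>')
SAMPLE_POST_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                       "X-Example-A": "constructed", "X-Example-Z": "constructed"}

class ScriptLocator(HTMLParser):
    """Collect every <script src=...> and whether it sits inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.scripts = False, []   # scripts: (src, inside_head)
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            self.scripts.append((dict(attrs).get("src"), self.in_head))
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def locate_js_tag(html, js_url):
    """Placement facts for the configured JS URL, or None if it is absent."""
    parser = ScriptLocator()
    parser.feed(html)
    hits = [i for i, (src, _) in enumerate(parser.scripts) if src == js_url]
    if not hits:
        return None
    return {"count": len(hits), "in_head": parser.scripts[hits[0]][1],
            "first_script": hits[0] == 0}

def telemetry_headers(headers, prefix):
    """Names of request headers that start with the configured prefix."""
    return sorted(h for h in headers if h.lower().startswith(prefix.lower()))

def verify_page(html, post_headers, js_url, prefix, is_entry_page=True):
    """Deviations from the cartridge configuration; an empty list means none."""
    tag, problems = locate_js_tag(html, js_url), []
    if is_entry_page and tag is None:
        problems.append("JS tag missing from entry page")
    if not is_entry_page and tag is not None:
        problems.append("JS tag present on a non-entry page")
    if tag and tag["count"] > 1:
        problems.append("JS tag inserted more than once")
    if is_entry_page and not telemetry_headers(post_headers, prefix):
        problems.append("POST carries no telemetry headers with the prefix")
    return problems
```

Compare the `in_head` and `first_script` values returned by `locate_js_tag` with the location selected in the Select location for JS tag(s) option.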
The F5 Bot Defense integration with SFCC using the certified cartridge is an easy-to-deploy solution that works seamlessly with the Storefront Reference Architecture. With this industry-leading MI-driven security, your digital business is safeguarded in real time with superior accuracy & long-term efficacy. Deploy the cartridge from the SFCC Link Marketplace to minimize the impact of bots on your business, confidently.