Forum Discussion
After some tests switching the Bot protection profiles with Local Traffic policies (for the web form login url the bot profile uses the javascript based browser verification ) it seems the feature browser verification does not work even when from the local traffic policy and the logs the URL is matching the Bot protection profile that has browser verification enabled. I tested switching with verify before and after access but it does not work on 15.1.8.1 😀
Do you also see the same issue lnxgeek ?
- lnxgeekMar 14, 2023MVP
Nikoolayy1 I have bellow LTM policy on my VS:
for bw_botd I have these settings to accomodate the app:
and this to go more aggressively on the browser:
Btw I think enabling SPA does make it work more smoothly - thanks 🙂
I'm using 16.1.3.3.
- Nikoolayy1Mar 14, 2023MVP
And you have tested that something like curl, browser where cookies are or apache benchmark are blocked when accessing urls that are protected with bot profile that has "Verify After Access" and it is the javascript checks not the signatures that block them?
This can be seen in the traffic logs for bot or just opening browser and blocking it to accept cookies and you will see if you are truly blocked and you will also see the javascript message.
- Nikoolayy1Mar 14, 2023MVP
I am asking as I think on 16.1.3.2 I think that had seen the same limitation and this means that the identification and fingerprinting are little bit more limited and it could be related also to your issue as I think the fingerprinting is less accurate.
https://cdn.f5.com/product/bugtracker/ID703129.html
You can also update the Bot signatures just in case as many such issues are solved with signature upgrade.
Also the workarounds like modify sys db botdefense.suspicious_js_score value 60 or dosl7.browser_legit_min_score can be done till F5 maybe fixes the signatures.
https://cdn.f5.com/product/bugtracker/ID1029373.html
https://cdn.f5.com/product/bugtracker/ID699772.html