We have discovered that after Samsung's latest upgrade of the built-in "Internet" (Samsung Internet Browser) 18.104.22.168, the bot protection, both in transparent and blocking mode, adds the cookie that is responsible for marking the device as malicious.
When logging, we can see that on the first visit it is just a regular device. No bot, no malicious activity and so on. The next refresh of the site will immediately cause a Connection Reset. Dumping a pcap shows that the handshake is done and Application Data begins, then it stops.
With that said, if you remove this cookie, everything works fine again. It is a TS****** with an expire date seven weekdays after the first visit. Then you need to clear cache and cookies on the device to get it to happen again.
We are still looking for a solution; adding the browser's user agent will not fix the issue for us.
Hope that this will help anybody in our seat looking for a solution. I will keep you updated if we find anything that will solve the issue.
We have done this both with contains SamsungBrowser/17.0 and added it as an exception. We can't whitelist on IP, unfortunately. I will, however, look into the article again in case I have missed something.
Your Bot Protection is the F5 Advanced WAF (ASM) Bot protection, right? You do not use Shape security with F5 Big-IP?
Also, from some bugs in the bug tracker, you may try stopping the browser verification or changing the browser_legit_min_score_drop sys db to a higher value.
As I see many issues with different browsers, better open an F5 case so they can add this to the Bug tracker for Samsung.
The Bot protection is separate from the F5 ASM security policies, and their being in Transparent mode does not affect the Bot Protection, as the Bot Protection has its own Transparent mode:
Maybe you need to test, if the two bot protection profiles are in transparent mode, whether the issue will still be there, as in Transparent mode the Bot is still marked and maybe the other Bot Protection is stopping it.
Yes, better see with F5 TAC, but it is strange if you are still blocked with everything in transparent mode, as it seems like another bug, except if for some reason it is the DDOS profile blocking you by device id, or the Bot protection has created a dynamic ddos signature or "DoS Attack Mitigation Mode" on the Bot profile to activate the DDOS profile:
Looks like this "Solved: Device ID - Bot/Dos Profile - DevCentral (f5.com)" Device ID Mode: Generate After Access solves the issue. 🙂
After that change, I can also see the logs. Bot protection thinks this:
We are having a case with TAC. See if we can solve this.
Thanks for all help!
Hello, it is good that now you can stop the Bot protection from blocking the traffic in transparent mode, so we can consider one of the issues solved. If possible, mark the question as completed, but after F5 has provided the fix for the bad bot categorization, share it with us.