
F5 Advanced WAF/ASM and Shape integration: is the AWAF Bot defense profile still needed?



As now there are more and more users that use F5 AWAF/ASM and Shape together, as Shape uses advanced DeviceID+ as described here in this post, I had to ask if the F5 Bot defense profile is still needed or even recommended, as it will insert JavaScript to generate DeviceID but so will Shape insert JavaScript for its DeviceID+, and this may cause issues.


With the Shape JavaScript inserted from the F5 device, I think that only the F5 Layer 7 DDOS profile and the AWAF policy are needed, but I could be wrong 🙂


F5 Big-IP and Shape integration:



Good question indeed! My initial response was that it will still have a place, but as you say, they both now roughly do the same, and with Shape now much better integrated in the system, it makes more sense to use just the one. Would be good to have someone pitch in on this.

Also, would the same count for brute force mitigation? Or will that stay around as a Shape-lite option maybe? (...or the other way around? 😉)

I have read somewhere that for login web pages/URL and sign-up (account creation web pages) it is much better to use Shape security, but there is not much info on whether the Advanced WAF bot profile or the Shape security should be used for the other pages. Maybe where we want CAPTCHA (not that advanced bots don't bypass that 🙂 ) the Advanced WAF is needed, as Shape can't do that, but I am just guessing:


For now I will see it, till someone shares more info, that more important URL pages like login web pages/URL and sign-up pages to use Shape if the customer wants Shape but to maybe pay less, and if the customer has no issue to use Shape for everything then only use the Bot profile for the CAPTCHA if it is a requirement.


I am referring to this web page, but it is not from F5 and it was made in 2020, but it is still a great article: