F5 ASM/AWAF Bot Defense Logging

Question

Hello,short question, in a F5 ASM/AWAF under Secureity -&gt; Event Logs -&gt; Bot Defense -&gt; Bot Requests, I see a lot of requests from my google loadbalancer which is in from of the F5. Ther is the request info "ALARMED" and the Mitigation Action "Alarm (Untrusted Bot) this are just healthchecks from the google loadbalancer and iit is coming always from the same IP range, is it possibel to exclude that range from the Bot Defense Request Logging ? For example, inside the WAF Policie I can care a IP Address exception list to do no Logs from a specific range but how can I do that for the Bot Defense ?

joshbecigneul · Answer

Hi&nbsp;eLeCtRoN&nbsp;,
Please check this article which has two sections that discuss adding exceptions by either:

the matched mitigation type, or
via allowlist using one of the&nbsp;specific IP address,&nbsp;geolocation, and/or URL.

https://support.f5.com/csp/article/K42323285
Thanks.Josh

electron · Answer

Hi Josh,thank you for your response, I explained I have in front google LBs in a specific range, I did already that range on the whitelist at the bot defense profile but I see it at the described log location always it is not a log exclusion list, mitigation action is not possible because I want to see in the log mitigation action but just not from a specific range otherwise I have to see whats going on, the google LBs triggering so much requests in some case it is heavy to analyses the log because it is to much rubbish inside !&nbsp;

joshbecigneul · Answer

Another option could be to create an iRule to match the criteria the Google LB uses and then trigger a the BOTDEFENSE::disable command https://clouddocs.f5.com/api/irules/BOTDEFENSE__disable.html&nbsp;

Forum Discussion

F5 ASM/AWAF Bot Defense Logging

3 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device

OWASP Tactical Access Defense Series: How BIG-IP APM Strengthens Defenses Against OWASP Top 10