Nikoolayy1
Feb 15, 2023
Solved

F5 AWAF/ASM Bot protection custom signature does not allow the traffic

Hello to all,

I wanted to enable "curl" for a customer just for a particular URL, and I made a custom Bot Signature that matches "curl" in the User-Agent and has the URL, and it is using a Custom Category that is in the Trusted Bot Class.

From the Bot logs I see that my signature is matched, but the normal curl signature is also matched and I am still blocked? I changed the signature to different categories that are in different classes and it is still the same.

I tested and it is the same on versions 15.1.8.1 and 16.1.3.2. I managed to use an iRule like the one at https://community.f5.com/t5/codeshare/proactive-bot-defense-bypass-by-bot-signature/ta-p/282254 but it seems stupid to need iRules for this and not be able to just make a custom signature in the Trusted Bot class.

3 Replies

  • Hi Nikoolayy1,

    Bot Defense will prefer its own curl signature over your custom signature.
    iRule is the way.

    Funny note on the side - in September or October I had the exact same issue and got the answer from an F5 engineer... from Spain if I'm not mistaken. Can't find my notes from back then right now.

    KR
    Daniel

    • Nikoolayy1 (MVP)

      Thanks for confirming what I suspected, Daniel_Wolf, but it is still funny 😁

      Also, too bad the Local Traffic Policies can only be used to change or disable the Bot profile for a URL and not just to bypass for a specific signature, as they only work for the HTTP_REQUEST event and not the Bot events after that, as I wanted to make the life of my customer easier. I know one of the small F5 experts that likes the Local policies but just don't kill me with stones 😃

      It is funny how I wrote the iRule after testing this on 15.1x and 16.1x and was going to make a code share post, and then I saw the post was made a long time ago with version 13.x.

      • Daniel_Wolf (MVP)

        For the sake of completeness, I found my notes on that matter.
        If the BIG-IP finds more than one signature matching the request, it will enforce the more severe action.
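
The iRule route discussed in this thread, sketched as an added example (not the linked codeshare iRule and not code from either poster): it overrides the Bot Defense verdict only for curl requests to one URL from known sources, because a User-Agent string on its own is trivially spoofed. The path `/api/report` and the address data group `trusted_curl_sources` are hypothetical names; the iRule is assumed to be attached to the virtual server that carries the Bot Defense profile.

```tcl
# Added example. Assumed names: /api/report (the single URL the customer
# needs) and trusted_curl_sources (an address-type data group listing the
# customer's client IPs). Neither comes from the thread.
when BOTDEFENSE_ACTION {
    # Bot Defense has already picked its action here. When the built-in
    # curl signature and a custom one both match, the more severe action
    # is the one that arrives in this event.
    set ua [string tolower [HTTP::header value "User-Agent"]]

    # Keep the exception as narrow as possible: exact path, curl
    # User-Agent, and a source address from the allow list.
    if { [HTTP::path] equals "/api/report"
         && $ua starts_with "curl/"
         && [class match [IP::client_addr] equals trusted_curl_sources] } {

        # Leave an audit trail so each override can be reviewed later.
        log local0.info "Bot Defense override: [IP::client_addr]\
            [HTTP::path] signature=[BOTDEFENSE::bot_signature]"

        # Replace the enforced action with allow for this request only.
        BOTDEFENSE::action allow
    }
}
```

Requests that fail any of the three conditions keep whatever action Bot Defense selected, so curl stays blocked everywhere else on the virtual server.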