F5 Botdefense behind Cloudflare

Emil · ‎30-Sep-2022

Hi community,

Does anyone know how to fix botdefense protection profile when we have a setup Client > Cloudflare proxied > F5 AWAF.

It seems that botdefense matches the client browser as malicious bot all the time : Non-browser presenting as FireFox -Edge -Chrome.

GET / HTTP/1.1
Host: XXXXXX
Connection: Keep-Alive
CF-RAY: XXXXXXX
CF-Visitor: {"scheme":"https"}
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
accept-language: en-US,en;q=0.5
dnt: 1
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
pragma: no-cache
cache-control: no-cache
cookie: XXXXXX

Bot Name Non-browser presenting as FireFox
Bot Class Malicious Bot
Bot Categories Browser Masquerading

I do not see the X-Forwarded; CF-Connecting-IP, CF-IPCountry: headers in the blocked request. I guess it is not showing them when connection is blocked.

Regards.

Emil · ‎01-Oct-2022

I found the solution to my problem. In case someone else is having the same issue.

https://support.f5.com/csp/article/K58581034?utm_source=f5support&utm_medium=RSS

View solution in original post

James_Jinwon_Lee · ‎01-Oct-2022

Please check whether your configuration is related to the below k article.

https://support.f5.com/csp/article/K07408554

Emil · ‎01-Oct-2022

Hi James,

Thanks for the suggestion. It seems a different scenario. We have suspicious with CAPTCHA and malicious are set to block.

Also the API setting is disabled as per the default config for relaxed bot defense profile.

Regards,
Emil

Emil · ‎01-Oct-2022

I found the solution to my problem. In case someone else is having the same issue.

https://support.f5.com/csp/article/K58581034?utm_source=f5support&utm_medium=RSS

DevCentral

F5 Botdefense behind Cloudflare

MFA required on DevCentral