How to implement Device ID+ with BIG-IP ASM/AWAF

Question

Hello Everyone,&nbsp;I'm trying to test out Device ID+ with BIG-IP AWAF, I followed this: Click&nbsp;here&nbsp;for more information on comprehensive BIG-IP iApp deployment and configuration options.&nbsp;i configured all required firewall rules to allow BIG-IP to connect to (us.gimp.zeronaught.com)&nbsp;Note: i have ASM/AWAF lic only&nbsp;&nbsp;&nbsp;&nbsp;I tired to access the website many times to check if the BIGIP will inject the JS and get the Device ID, before i allow the BIGIP to connect to (us.gimp.zeronaught.com) the script was failing, now status code is 200 &nbsp;&nbsp;&nbsp;&nbsp;This is ASM event log&nbsp;&nbsp;&nbsp;Still Device ID field is N/A, Device ID+ configuration should reflect to Device ID field?? &nbsp;&nbsp;Anyone can help what's wrong?I tired Online verification tool from F5&nbsp;Thanks,Mohanad

daniel_wolf · Answer

Hi ,&nbsp;Device ID and Device ID+ are two different features. By enabling Device ID+ you will not get any data into the Device ID field. Take a look here: https://devcentral.f5.com/s/feed/0D51T00008nulFuSAI.&nbsp;I explained the differences between the two.&nbsp;KRDaniel

mohanad · Answer

Hello Daniel,&nbsp;Thank for your reply, i read your explanation while im learning about Device ID+  and it's really good...&nbsp;what i need for next step, to match this data diA &amp; diB and do something with it, i want to use it for brute force protection, Bot defense Dos etc.. but i will keep search

mohanad · Answer

i'm able to log diA &amp; diB using irule provided by Anulfo Hernandez&nbsp;when HTTP_REQUEST {
    if [HTTP::cookie exists _imp_apg_r_] {
        set deviceid [URI::decode [HTTP::cookie _imp_apg_r_]]
        log local0. "URL Decoded cookie is $deviceid"
        set deviceida [lindex [regexp -inline -- (?:"diA":")(.*?)(?:") $deviceid] 1]
        log local0. "diA = $deviceida"
        set deviceidb [lindex [regexp -inline -- (?:"diB":")(.*?)(?:") $deviceid] 1]
        log local0. "diB = $deviceidb"
        log local0. "IP is [IP::client_addr]"
        log local0. "Path os [HTTP::path]"
    } else {
    log local0. "No cookie"
    }
}now i want to use it with bot defense how to match on diA? when BOTDEFENSE_ACTION {
     if {[$diA equals {"[AYrQyWEAAAAACxF5RBPJyPdDICteKxbw"}]} {
         set res [BOTDEFENSE::action block]
		 log local0. "Mohanad is Blocked"
     }
 }&nbsp;

daniel_wolf · Answer

How do you want to identify a bot by only looking at diA? You would need to have a list of known good identifiers (maybe all devices belonging to your company?) and then make an iRule action based on this list.

Or you could store Device ID+ identifiers and build a custom solution that would, for example, rate limit this device, or block the device if it appears from different geolocations within unreasonable time (now in USA, 10 seconds later in Sweden or so).

What I want to say is, that the device identifier from DID+ does not mean anything to Bot Defense. You will have to build a custom solution and "business logic" around it.

mohanad · Answer

Thank you Daniel, You are absolutely right about build a custom solution and "business logic", i realized that DID+ not fully integrated with F5 BIGIP, all i want to test out the feature with ASM like a PoC.

Forum Discussion

How to implement Device ID+ with BIG-IP ASM/AWAF

6 Replies

Recent Discussions

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Related Content

Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device

F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature

F5 BIG-IP Automatic email notification for system update events (ASM/AWAF)

CORS implementation

Exporting and importing ASM/AWAF security policies with Ansible and Terraform