I want to know how the traffic flow between IPI, application security policy, bot detection, DoS protection, irule, and Geolocation (using irule for Geolocation).
I am using Global IPI (mean IPI does not attached to any VS) and have an irule for Geolocation and only have module ASM and LTM (No APM and AFM).
I understand that irule can be arranged by the order.
The application security policy, bot detection, DoS protection, irule are attached to VS.
Here is what I understand the traffic flow.
The traffic hits Global IPI -> reached VS for irules in order (including Geolocation, I always put Geolocation at first place) -> Application security policy -> DoS -> Bot detection.
Is this correct? Or will application security policy , Dos, Bot detection happen at the same time?
What is the best practice for Geolocation? Using an irule for Geolocation or using Geolocation in application security policy?
I think this picture explains it good.
This picture assumes that IPI is working in L3 mode. If IPI is working in L7 mode, it is later in the chain.
iRule are difficult, because they operate on events, which can be IPI events, bot defense actions, ASM events, L7DOS events and so on. So they can happen at every point in this chain.
Does this answer your question?
I found a similiar picture in the labs of F5 Agility 2021 conference. Here: https://clouddocs.f5.com/training/community/waf/html/waf141/waf141.html
Also it can be concluded from reading this: https://support.f5.com/csp/article/K07359270
And since I am used to read from left to right, I adjusted the picture for my convenience.
Attacker on the left, target on the right.