ASM bot detection

Question

Folks&nbsp;
I have requirement to enable bot detection in F5 ASM policy for my application access via only mobile browsers or PC browsers not through mobile app, how i can avoid false positive here which detect by ASM.
I understand that f5 inject java script in order to verify client integrity, what is the best practice here to achieve my goal.  
&nbsp;
any input appreciated.&nbsp;

dfff_314403 · Answer

ErkkiS, won't this defeat only primitive bots? &nbsp;

samstep · Answer

You need to have 2 separate ASM policies - one for browsers and a separate one for the smartphone app. The browser policy will have full bot detection features enabled and the smartphone app policy will have JavaScript-requiring options in bot/anomaly detection switched off and relying more on IP-based anomaly detection features of ASM. &nbsp;
I assume you already have a separate Virtual Server for the mobile app, but if not then you can easily route the incoming traffic to two different ASM policies depending on the User-Agent header using Local Traffic Policy. &nbsp;
Hope this helps,&nbsp;
Sam&nbsp;

Forum Discussion

ASM bot detection

2 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

Bot defence profile on F5 ASM

Proactive Bot Defense Using BIG-IP ASM

Bot Defense for Mobile Apps in XC WAAP Part 1: The Bot Defense Mobile SDK

More Web Scraping - Bot Detection