Wiki: iRules API




Triggered immediately prior to taking an action on a transaction. The event may be used to override the default behavior, and/or to log the action taken.

This event is always triggered when Proactive Bot Defense is enabled on the DOS profile, unless the request is mitigated by dosl7 attack. The event will also be triggered if Proactive Bot Defense is disabled, but a Bot Signature was detected on the request, whether for blocking or for reporting.

Most of the command that are available on the HTTP_REQUEST event are also available on the BOTDEFENSE_ACTION event.

Note that commands which may suspend iRule processing are currently not supported in this event and should not be used. Partial list of these commands: after, persist, session, table, and RESOLV::lookup.


Example 1: Send parsed Bot Defense data and action to High Speed Logging

     set log "BOTDEFENSE:"
     append log " uri [HTTP::uri]"
     append log " cs_possible [BOTDEFENSE::cs_possible]"
     append log " cs_allowed [BOTDEFENSE::cs_allowed]"
     append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
     append log " cookie_status [BOTDEFENSE::cookie_status]"
     append log " cookie_age [BOTDEFENSE::cookie_age]"
     append log " device_id [BOTDEFENSE::device_id]"
     append log " support_id [BOTDEFENSE::support_id]"
     append log " previous_action [BOTDEFENSE::previous_action]"
     append log " previous_support_id [BOTDEFENSE::previous_support_id]"
     append log " previous_request_age [BOTDEFENSE::previous_request_age]"
     append log " bot_signature [BOTDEFENSE::bot_signature]"
     append log " bot_signature_category [BOTDEFENSE::bot_signature_category]"
     append log " captcha_status [BOTDEFENSE::captcha_status]"
     append log " captcha_age [BOTDEFENSE::captcha_age]"
     append log " default action [BOTDEFENSE::action]"
     append log " reason \"[BOTDEFENSE::reason]\""
     log local0. $log
     HSL::send $hsl $log

Example 2: Bypassing enforcement on URL pattern

     if {[HTTP::uri] starts_with "/t/"} {
         log local0. "bypassing enforcement for URI [HTTP::uri]"
         set res [BOTDEFENSE::action allow]
         log local0. "set action to allow, result \"$res\""
         log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""

Change Log

  • First introduced the event.