How to Validate F5 BIG-IP Anti Bot Configuration
A web application firewall (WAF) protects web applications from application-layer attacks. Because such attacks on apps, for example cross-site scripting (XSS), SQL injection, and cookie poisoning, are a major cause of breaches, the WAF's role is crucial, and you are strongly advised to protect your mobile app by enabling F5 Anti Bot protection (under the Mobile Threat tab in the Appdome platform).
To ensure that F5 Anti Bot can be implemented in your mobile app, you need to verify that your F5 BIG-IP configuration contains no errors that could prevent the F5 Anti Bot SDK from initializing, for example after an upgrade or a license reactivation. Because the SDK authenticates your application to the BIG-IP system, failure to load it means that you cannot use F5's solution and your app will be unable to access your environment.
To facilitate the verification, Appdome has created a simple verification app that validates the F5 BIG-IP mobile Anti Bot configuration. This app, which is manually integrated with the F5 Anti Bot SDK, diagnoses the Anti Bot policy on your F5 BIG-IP and indicates whether the F5 Anti Bot SDK will be able to initialize successfully. In addition, when connecting to the protected hosts, the app displays the HTTP responses both before and after the SDK initialization.
The Anti Bot verification app is available for free download from the Google Play store or from the Mobile Threat tab in the Appdome platform.
This Knowledge Base article describes how to install and use Appdome’s Anti Bot verification app.
Before using the F5 Anti Bot verification app, we strongly recommend checking that your protected resource is reachable from your network. You can try to access the resource through either a desktop browser or a mobile browser.
Note: If Anti Bot is properly applied, the mobile browser may be blocked by the server, since it does not carry the SDK's cookies; a blocked response still shows that the resource is reachable.
In addition, if you assigned a Bot Defense logging profile to the resource, you might also want to check your BIG-IP logs for the request.
If the protected resource cannot be reached from your network at all (a blocked request still counts as reaching it), the F5 Anti Bot verification app will not be able to reach it either.
Prerequisites to Validate F5 BIG-IP Mobile App Anti Bot Configuration
In order to use the F5 Anti Bot verification app, you’ll need:
- The F5 Anti Bot verification app (.apk for Android)
- A configured and accessible BIG-IP server
- A server protected by F5’s BIG-IP
- An Android device
6 Easy Steps to Validate F5 BIG-IP Mobile App Anti Bot Configuration
Once you have the app installed on your mobile device, follow these steps:
- Launch the app.
- Enter the hostname of your protected resource in the Protected Host field.
The value you enter must be a hostname that resolves to the address of a BIG-IP virtual server that has an Anti Bot policy enabled.
- If certificate pinning is needed in your configuration, enter the F5 certificate hash generated during the F5 Anti Bot SDK process.
- If you have protected subdomains that resolve to your protected virtual server, enable (toggle on) Support multiple Domains and enter those additional domains.
You can enter a full FQDN, or a wildcard written by replacing the subdomain with a leading period; for example, www.company.com or .company.com.
- Enable (toggle on) Deactivate Anti Bot SSL if your server configuration uses plain HTTP when communicating with the BIG-IP.
- Click Verify.
If your server is reachable, your Anti Bot policy is set up and configured correctly, and you entered the correct data in the app, the SDK initialization should succeed and you will receive a verification PIN. Enter this verification PIN in the Appdome platform and proceed to build your app with the F5 Anti Bot SDK.
Failure to initialize indicates either a problem in the Anti Bot policy configuration on your BIG-IP or incorrect data entered in the app, as shown in the image below.
Using the Anti Bot Verification App to Access the Resource
At any point, regardless of whether the SDK successfully initialized, you can verify the access to your resource URL:
- (Optional) Add your configured connection header name and value by clicking Input Header.
- Enter your resource URL.
- Click GO.
If the Anti Bot SDK initialized successfully and the URL's host is covered by your protected host or subdomain list, the app attaches the Anti Bot SDK cookies to the request, and you will reach your protected host. You can view the connection details by clicking See Details at the bottom of the screen.
How Can I Share the Results?
If the Anti Bot SDK initialization fails in the Anti Bot verification app, which is manually integrated with the SDK, it will also fail in your target app when Appdome builds it with the SDK automatically.
The most likely misconfigurations are:
- Incorrect routing from the hostname to the BIG-IP virtual server
- Misconfigured policy on the BIG-IP
- Using the wrong hostname, port, or protocol for initialization
- Using a network that cannot access the virtual server
We recommend contacting F5 support to troubleshoot the BIG-IP configuration issue, but you are welcome to contact Appdome's support team with any questions. In addition, verify first that your BIG-IP system correctly handles requests from a desktop browser (if possible).
To share your results, click on the Share icon on the top right corner. If you have a configured email Client on your device, select it and email the app logs to the Appdome support team.
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.