How to Validate F5 BIG-IP Anti-Bot Configuration
A web application firewall (WAF) protects web applications from various application layer attacks. Such attacks to apps – for example, cross-site scripting (XSS), SQL injection, and cookie poisoning – are the major cause of breaches, as they are the gateway to your valuable data
Due to the crucial role of the WAF, it is mandatory to verify its configuration to ensure no errors exist. Errors can stop the configuration from loading after an upgrade or license reactivation.
To facilitate the task of verifying your F5 Advanced WAF Antibot BigIP Setup, Appdome has created a simple verification app to validate F5 Big IP Mobile Anti-Bot configuration.
The Anti Bot verification app is manually integrated with the F5 Anti-Bot SDK. This app diagnoses your Anti-Bot policy on your F5 BIG-IP and indicates if your F5 Anti-Bot SDK has initialized successfully. In addition, when connecting to the protected hosts, the app still displays the HTTP responses before/ after the SDK initialization.
The Anti Bot verification app is manually integrated with the F5 Anti-Bot SDK. This app will diagnose your Anti-Bot policy on your F5 BIG-IP and indicate if your F5 Anti-Bot SDK has initialized successfully. In addition, When upon connecting to the protected hosts, the app still displays the HTTP responses before/ after the SDK initialization.
The Anti Bot verification is available for free download from Google store or from the Mobile Threat tab in the Appdome platform.
This Knowledge Base article describes how to install and use Appdome’s Anti Bot verification app.
Before using the F5 Anti-Bot verification app, it is worthwhile to check that your protected resource is accessible from your network. You can try to access the resource either with your computer-based or your mobile-based browser.
Note: if Anti-Bot is properly applied, the mobile browser might not be able to access the server.
In addition, if you set up a Bot Defense logging profile assigned to the resource, you might also want to check your BIG-IP logs..
If you fail to access your app-protected resource through the network (even if the request is blocked), you will not be able to access it with the F5 Anti-Bot verification app..
Prerequisites to Validate F5 BIG-IP Mobile App Anti-Bot Configuration
In order to use the F5 Anti-Bot verification app, you’ll need:
- The F5 Anti-Bot verification App (.apk for Android)
- A configured and accessible BIG-IP server
- A server protected by F5’s BIG-IP
- An Android device
6 Easy Steps to Validate F5 BIG-IP Mobile App Anti-Bot Configuration
Once you have the app installed on your mobile device, follow these steps:
- Launch the app.
- Enter the hostname of your protected resource in the Protected Host field. The value you enter must be a hostname that resolves to the address on a Virtual Server on the BIG-IP, which has an Anti-Bot policy enabled.
- If certificate pinning is needed in your configuration, enter your F5 certificate Hash generated in the F5 Anti-Bot SDK Process.
- If you have protected subdomains that resolve to your protected Virtual Server, enable (toggle on) Support multiple Domains and enter those additional domains. You can enter full FQDN or wildcard by replacing the subdomain with a period; for example, www.company.com, .company.com.
- Enable (toggle on) Deactivate Anti Bot SSL if your server configuration is set to use plain HTTP traffic when communicating with Big-IP.
- Click Verify.
If your server is accessible, your Anti Bot is set up and configured correctly, and you entered the correct data in the app, the initialization of the SDK should succeed and you will receive a verification PIN. Enter this verification PIN on our platform and continue to build your app with F5 AntiBot SDK.
Failure to initialize can indicate either an issue in the Anti-Bot policy configuration on your BIG-IP or using the wrong data in the app, as shown in the image below.
Using the Anti Bot Verification App to Access the Resource
At any point, regardless of whether the SDK successfully initialized, you can verify the access to your resource URL:
- (optional) Add your configured connection header name and value by clicking on Input Header.
- Enter your resource URL
- Click GO.
If the Anti-Bot SDK is initialized successfully, and your URL is in the list of subdomains, the app will engage the Anti-Bot SDK cookies for the request. In this case, you will successfully reach your protected host. You can view the connection details by clicking on “See Details” at the bottom of the screen.
How Can I Share the Results?
If the Anti Bot SDK initialization failed for the Anti Bot Verification app, which is manually integrated with SDK, it will also fail with your target app when built with the SDK automatically by Appdome.
The most likely misconfigurations are:
- Incorrect routing from the hostname to the BIG-IP virtual server
- Misconfigured policy on the BIG-IP
- Using the wrong hostname, portת or protocol for initialization
- Using a network that can’t access the virtual server
We recommend contacting F5 support to troubleshoot the BIG-IP configuration issue, but you are welcome to contact Appdome’s support team with any questions. In addition, you are advised to verify first that your BIG-IP is correctly handling requests from a computer-based browser (if possible).
To share your results, click on the Share icon on the top right corner. If you have a configured email Client on your device, select it and email the app logs to the Appdome support team.
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.