Most engineers think…
"To block bots, I just blocklist the bad User-Agent strings and known bad IPs."
Wrong — and that instinct is exactly why your scraper problem never goes away. A serious bot sends a perfectly normal Chrome User-Agent and rotates through thousands of residential IPs, so header- and IP-based filters wave it straight through. F5 Bot Defense flips the question: instead of asking "does this claim to be a browser?", it asks "can it prove it's a real browser?" — by making the client run a JavaScript challenge and carry a Device ID. A header can be faked. Running JavaScript and surviving anomaly checks cannot be faked cheaply. This lesson builds that instinct.
① Where Bot Defense lives — its own profile, no security policy needed
Picture a nightclub door. A weak bouncer checks the name on the guest list (the User-Agent) — easy to fake. A real bouncer makes you do something a gate-crasher can't: show ID, answer a question, walk in a straight line. F5 Bot Defense is that real bouncer. It doesn't trust what the client says; it tests what the client can do.
First, scope. Bot Defense is enforced through a dedicated Bot Defense profile — and crucially, it does not require a security policy. You can protect an app from bots without ever building an ASM positive-security policy. The profile is created under Security ▸ Bot Defense ▸ Bot Defense Profiles and attached to a virtual server, exactly like any other profile. (Older BIG-IP versions configured "Proactive Bot Defense" inside the DoS profile; modern versions consolidate everything into this unified Bot Defense profile.)
Bot Defense decides using three layered techniques: Proactive Bot Defense (challenge the client), bot signatures (match known patterns), and anomaly detection (catch automation tells). Together they sort every client into one of six classes, and each class gets its own mitigation. The art is knowing which technique catches which bot.
Sneha at Infosys faces this
Sneha enabled a Bot Defense profile, but a scraper is still copying the entire product catalog every night. The bot sends a normal Chrome User-Agent, so her old header blocklist never matched it.
She's relying on bot signatures alone (header matching). The scraper fakes a real browser header, so no signature fires. Proactive Bot Defense is Off, so the client is never actually challenged.
Open the profile and check whether proactive verification is enabled.
Security ▸ Bot Defense ▸ Bot Defense Profiles ▸ profile ▸ Mitigation SettingsEnable Proactive Bot Defense (Browser Verification = Verify After Access, Device ID Mode = Generate After Access). Now the scraper must run JavaScript to prove it's a browser — and it can't.
Re-run the scrape. Security ▸ Reporting ▸ Bot Defense ▸ Bot Traffic now shows the client classified as a bot and the action that fired.
▶ Watch a scraper hit Proactive Bot Defense — then watch what a header-only filter does
Rahul at TCS turns on Proactive Bot Defense. Press Play for the healthy challenge-and-classify path, then Break it to see why a header blocklist alone fails.
A simple Python scraper using the requests library hammers a Flipkart product page. The team enables Proactive Bot Defense. Why does the scraper get blocked while real shoppers don't notice anything?
requests script can't run JS, so it's classified as a bot. A faked User-Agent (c) doesn't help it pass.Pause & Predict
Proactive Bot Defense gives every verified client a fingerprint cookie. Why does that cookie matter when the same attacker keeps switching to a new IP address on every request? Type your guess.
② Proactive Bot Defense — make the client prove it's a browser
The strongest weapon in the profile is Proactive Bot Defense. Instead of waiting to recognise a bad bot, it challenges every new client up front. Two things happen before the app ever sees the request:
- JavaScript challenge — BIG-IP injects a small piece of JavaScript the client must run and return a valid token for. A real browser executes it in milliseconds, invisibly. A
curl, arequestsscript, or a basic bot has no JavaScript engine, so it simply can't answer. - Device ID — BIG-IP fingerprints the verified client and issues a Device ID cookie. From then on, that exact client is recognised across requests — even if it rotates through a thousand IPs.
This is why it's "proactive": the verdict is reached before a single request hits your application logic. Web scraping, credential stuffing, and L7 floods all rely on clients that can't run JavaScript or won't carry a consistent Device ID — and they're filtered at the door.
You tune when the challenge happens with Browser Verification: Challenge-free (no proactive challenge — basic), Verify After Access (challenge after the first request — lower latency, the Balanced default), or Verify Before Access (challenge before any request reaches the app — strongest, the Strict default). Device ID Mode mirrors this with None / Generate After Access / Generate Before Access.
Analogy: a bouncer who doesn't read the guest list at all. He hands you a puzzle at the door. Real guests solve it without thinking; a gate-crasher who only memorised a name on the list is stuck on the step.
If your app is browser-only (a login page, a checkout), Verify Before Access is gold — bots die before touching the app. But if real non-browser clients hit the same virtual server (a mobile app's API, server-to-server calls), proactive verification will block them too — they can't run JS. Carve those paths out with the Whitelist or Microservice/URL exceptions, or rely on signatures + anomaly detection there instead. The challenge that stops bots also stops anything that legitimately isn't a browser.
Priya at Flipkart faces this
Priya turned on Strict (Verify Before Access). It killed the scrapers — but the company's mobile app, which calls a REST API on the same virtual server, suddenly started failing for every user.
Proactive Bot Defense expects a browser that can run JavaScript. A legitimate non-browser API client can't solve the JS challenge, so it's treated like a bot and blocked.
Carve the API paths out: add the API URLs to the Whitelist or a Microservice exception so they skip proactive verification, and rely on signatures + anomaly detection there. Keep Strict on the browser pages.
Re-test the mobile app and the scraper together. Security ▸ Reporting ▸ Bot Defense ▸ Bot Traffic shows the API allowed and the scraper still blocked.
What is the core difference between a bot signature and Proactive Bot Defense in F5 Bot Defense?
Pause & Predict
A headless Chrome bot (Puppeteer) can run JavaScript, so it passes the proactive challenge. What else could BIG-IP look at to catch it anyway? Type your guess.
③ Signatures, anomalies & the six client classes
Proactive Bot Defense asks "can you prove you're a browser?". The other two techniques answer "which bot are you, and are you a good one?".
Bot signatures — recognise the known, good and bad
Bot signatures look for known patterns in the request — primarily the headers — to identify a bot by name. They come in two flavours, and you can write your own:
- Benign / known-good categories — Search Bot, Crawler, HTTP Library, Headless Browser, RSS Reader, Site Monitor, Social Media Agent, Service Agent. Googlebot and Bingbot land here.
- Malicious categories — DOS Tool, Vulnerability Scanner, Network Scanner, Web Spider, Spam Bot, Spyware, E-Mail Collector, Exploit Tool.
Signatures are updated by F5's Live Update. Newly updated signatures go into staging first — requests that match a staged signature are logged but not mitigated, so you can review for false positives before it enforces. Move it out of staging to start blocking.
Anomaly detection — catch the automation tells
Signatures miss two things: a brand-new bot with no signature, and a bot that fakes a normal browser header. Anomaly detection closes that gap with behavioural categories like Browser Automation, Headless Browser Anomalies, Browser Masquerading, Search Engine Masquerading (a bot pretending to be Googlebot), and Mobile App Automation. This is what catches a Puppeteer bot that survived the JS challenge.
The six client classes — who gets what
Everything above feeds one decision: which class is this client, and therefore what action applies?
- Browser — a verified real browser. Usually allowed (or CAPTCHA'd in Balanced, Verify-Before in Strict).
- Trusted Bot — a verified good bot (search engine, monitor). Default action is Alarm only — never blocked. (Note: there is no anomaly detection for Trusted Bots — even if anomalies are found, the request passes.)
- Untrusted Bot — a known automated client that isn't on the trusted list — Alarm / Rate limit / Block depending on template.
- Suspicious Browser — looks browser-ish but failed verification or tripped anomalies — Alarm / CAPTCHA / Block.
- Malicious Bot — matched a malicious signature or category — Blocked in every template.
- Unknown — unclassified — None / Rate limit / Block depending on template.
Analogy: the bouncer has a colour-coded wristband for everyone. Green for guests (Browser), blue for the catering staff he knows (Trusted Bot), red for the guy with the crowbar (Malicious Bot). The action follows the band, not a gut feeling.
▶ Watch a Puppeteer bot run all three checks — signature, proactive, then anomaly
Karthik at Wipro faces a headless-Chrome credential-stuffing bot. Play the layered-detection flow, then Break it to see what happens with signatures alone.
The Bot Defense techniques & key controls — tap each card
Each card front names the control; the back gives you the "so what" — when it earns its place.
JS challenge + Device ID, tuned by Browser Verification (Challenge-free / After / Before access). So what: catches any bot that can't run JS — scrapers, cred-stuffing. Trap: it also blocks legit non-browser APIs.
Header-based patterns for known good (Search Bot, Crawler) and bad (DOS Tool, Scanner) bots; Live Update + staging. So what: fast known-bot triage — but blind to new bots and faked headers.
Behavioural tells: Browser Automation, Headless Browser Anomalies, Browser/Search-Engine Masquerading. So what: catches a Puppeteer bot that passed the JS challenge — the clever automation.
Fingerprints the client, not the IP (None / Generate After / Before Access). So what: tracks the same automated client across a rotating-IP botnet that defeats per-IP limits.
Googlebot is being blocked by a new Strict Bot Defense profile. Which client class should Googlebot fall into, and what is the correct fix?
Pause & Predict
You're about to enable a brand-new Bot Defense profile on a production Flipkart virtual server that also serves a mobile-app REST API. Before you pick a template — what one thing could it silently break, and how do you protect it? Type your guess.
④ Templates & build — pick a starting point, then tune
You don't build the per-class action matrix from scratch. F5 ships three profile templates that set sensible defaults; you pick the closest one to your risk, then tune. They differ mainly in Browser Verification strictness and the actions for the in-between classes.
- Relaxed — challenge-free browser verification, Device ID Mode None. Blocks malicious bots (mostly via signatures), alarms the rest. Lowest false-positive risk, lightest protection.
- Balanced — Verify After Access, Generate Device ID After Access. Advanced browser verification with lower latency: blocks malicious bots, CAPTCHAs suspicious browsers, and rate-limits unknown bots.
- Strict — Verify Before Access, Generate Device ID After Access. Strongest: blocks all non-trusted bots, and browsers must pass proactive verification before any request reaches the app.
The per-class action — same six classes, different verdicts
Whichever template you pick, the action attaches to the client class. Read this matrix top-to-bottom — the further right you go, the more aggressive the verdict:
- Trusted Bot — Alarm in all three (a search engine is never blocked).
- Malicious Bot — Block in all three (no template lets a scanner through).
- Suspicious Browser — Alarm (Relaxed) → CAPTCHA (Balanced) → Block (Strict).
- Untrusted Bot / Unknown — Alarm or None (Relaxed) → Rate limit (Balanced) → Block (Strict).
- Browser — Challenge-free (Relaxed) → CAPTCHA (Balanced) → Verify Before Access (Strict).
CAPTCHA & the actions you can attach
The actions available per class are None, Alarm (log only), Slowdown / Rate Limit, CAPTCHA (a human-verification step for clients that look suspicious but might be real), and Block. CAPTCHA is the polite middle ground — it gives a real-but-flagged user a way through instead of a hard block.
The strict-enforcement & API knobs
Two settings matter most when real non-browser traffic shares the virtual server:
- API Access for Browsers — requires a valid cookie for a browser's AJAX/XHR calls to your REST API, so a verified browser's API calls keep working while raw bots don't.
- DoS Attack Mitigation Mode — during a detected attack, escalates to "block all bots, Verify Before Access for browsers" for the duration.
- Whitelist / Microservice — exempt specific sources or URLs (your server-to-server API, a trusted partner) from proactive verification, so you don't block legitimate non-browser clients.
The screen you'll live in — the Bot Defense profile
Here's the exact form. You create the profile, pick the template, and set Browser Verification + Device ID Mode + the per-class Mitigation. The four numbered pins are the fields this lesson changes.
After you save and attach the profile, you don't trust the config — you read the report. This is where you confirm what actually fired:
tmsh — the same profile from the CLI
The GUI is the day-job, but the same settings exist in tmsh. Useful for review, automation, and the 303 exam. Confirm the Device ID mode and the profile binding:
root@(bigip-flipkart)(cfg-sync)(tmos)# list ltm virtual vs_shop_443 profiles root@(bigip-flipkart)(cfg-sync)(tmos)# list security bot-defense profile bot-flipkart-shop deviceid-mode root@(bigip-flipkart)(cfg-sync)(tmos)# list security bot-defense profile bot-flipkart-shop template
ltm virtual vs_shop_443 {
profiles { bot-flipkart-shop { } http { } }
}
security bot-defense profile bot-flipkart-shop {
deviceid-mode generate-after-access
}
security bot-defense profile bot-flipkart-shop {
template balanced
}Don't jump straight to Strict on a virtual server that serves more than browsers. Your mobile app's REST API, a partner integration, or a server-to-server call can't run JavaScript — Proactive Bot Defense will block them like any other bot, and you'll get a flood of "the app is down" tickets. Start in a Balanced template, review the Bot Traffic report for legit non-browser clients, carve those out with the Whitelist / Microservice exceptions, then tighten to Strict on the browser-only pages. The challenge that stops bots stops anything that genuinely isn't a browser.
▶ Watch the per-class action — alarm the good, CAPTCHA the maybe, block the bad
Three clients hit a Balanced profile at once. Play to see each get its own action, then Break it to see the cost of a too-strict profile on an API.
Aditya at HCL faces this
Aditya tuned a great Bot Defense profile in the lab, but in production a scraper still gets through — Bot Traffic shows it classified as a bot, yet no block fired.
The matched signature is in staging. After a Live Update, new signatures only log matching traffic — they don't mitigate — so you can review for false positives first.
Review the staged signature, confirm it isn't catching anything legitimate, then move it out of staging so it enforces. Confirm the profile is bound to the correct virtual server.
Re-run the scrape; Bot Traffic now shows the client Blocked by that signature instead of merely logged.
Never claim a Bot Defense profile works from the config screen. Send both a real browser and a scripted client (a curl / headless run) at the virtual server, then open Security ▸ Reporting ▸ Bot Defense ▸ Bot Traffic, filter on the virtual server + last hour, and read the client class, the action that fired, and which technique detected it. If a known-bad client shows up logged but not blocked, your signature is in staging or the template is too loose — not the cloud, not the bot.
root@(bigip-flipkart)(tmos)# show security bot-defense profile bot-flipkart-shop root@(bigip-flipkart)(tmos)# show analytics dos-l7 report view-by device-id
Security::Bot Defense Profile bot-flipkart-shop (VS: vs_shop_443) Browser 41802 action allow (proactive: JS + Device ID) Trusted Bot 2140 action alarm (signature: Search Bot / Googlebot) Suspicious Browser 658 action captcha (anomaly: Headless Browser) Malicious Bot 9317 action block (signature: Web Spider / DOS Tool) # Bad client "alarm" not "block" → signature in staging, or template too loose. # No bot rows at all → profile not bound to the virtual server.
A headless Chrome instance driven by Puppeteer passes the JavaScript challenge but still gets caught. Which Bot Defense mechanism stopped it?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from F5 techdocs + DevCentral, scoped to BIG-IP Advanced WAF Bot Defense. For a live prod issue, paste your Bot Traffic export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: why does Proactive Bot Defense catch a scraper that a User-Agent blocklist lets through? Then compare to the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- BIG-IP Advanced WAF (formerly ASM)
- F5's web application firewall. Advanced WAF = ASM plus L7 Behavioral DoS, Bot Defense, credential-stuffing/brute-force protection and DataSafe. ASM went End-of-Sale 01-Apr-2021; existing ASM customers on BIG-IP ≥14.1 under support can reactivate to Advanced WAF free.
- Bot Defense profile
- The BIG-IP object that detects and mitigates automated traffic, attached to a virtual server. It does NOT require a security policy. Path: Security ▸ Bot Defense ▸ Bot Defense Profiles.
- Proactive Bot Defense
- Challenges every new client with a JavaScript challenge + Device ID before requests reach the app, to verify a real browser. Tuned by Browser Verification: Challenge-free / Verify After Access / Verify Before Access.
- Device ID
- A fingerprint/cookie BIG-IP issues to a verified client so the same client is recognised across requests and IPs — defeats rotating-IP botnets that beat per-IP limits. Modes: None / Generate After Access / Generate Before Access.
- Bot signatures
- Header-based patterns identifying known bots — benign (Search Bot, Crawler, HTTP Library) and malicious (DOS Tool, Vulnerability Scanner, Web Spider). Updated via Live Update; new signatures enter staging first (log only).
- Anomaly detection
- Behavioural detection of automation even when the client looks like a browser: Browser Automation, Headless Browser Anomalies, Browser Masquerading, Search Engine Masquerading. Catches a headless bot that passed the JS challenge.
- Client classes
- Browser, Trusted Bot, Untrusted Bot, Suspicious Browser, Malicious Bot, Unknown. The mitigation action attaches to the class. Trusted Bot = Alarm only; Malicious Bot = Block in every template.
- Profile templates
- Relaxed (challenge-free, Device ID None), Balanced (Verify After Access, CAPTCHA suspicious browsers, rate-limit unknown bots), Strict (Verify Before Access, block all non-trusted bots).
- Signature staging
- Newly Live-Updated signatures log matching requests without blocking, so you can review for false positives before they enforce. Move a signature out of staging to start blocking.
- 303 — BIG-IP ASM Specialist
- The F5 certification this series maps to: 90 minutes, 80 questions, pass 245/350. Validates design, implementation, maintenance and troubleshooting of BIG-IP ASM / Advanced WAF, including Bot Defense.
📚 Sources
- F5 techdocs — Configuring Bot Defense (BIG-IP 17.5 ASM implementations): GUI path Security ▸ Bot Defense ▸ Bot Defense Profiles, Relaxed/Balanced/Strict templates, Browser Verification, Device ID Mode, the per-class mitigation matrix, Whitelist / Microservice / API Access for Browsers / DoS Attack Mitigation Mode. techdocs.f5.com/en-us/bigip-17-5-0/big-ip-asm-implementations/configuring-bot-defense.html
- F5 — K42323285: Overview of the unified Bot Defense profile: client classes, enforcement actions, browser verification and Device ID options. my.f5.com/manage/s/article/K42323285
- F5 techdocs — Creating Bot Defense Profiles & Assigning Bot Signatures to Security Policies: benign categories (Crawler, HTTP Library, Headless Browser, RSS Reader, Search Bot, Site Monitor, Social Media Agent) and malicious categories (DOS Tool, Network Scanner, Spam Bot, Spyware, Vulnerability Scanner, Web Spider); anomaly categories (Browser Automation, Headless Browser Anomalies, Browser/Search-Engine Masquerading); staging behaviour. techdocs.f5.com
- F5 DevCentral / F5 Agility WAF labs — Proactive Bot Defense Using BIG-IP ASM & Lab 3.1 Bot Protection: the JavaScript challenge + Device ID mechanism, the API/non-browser trap, and CAPTCHA escalation. community.f5.com · f5-agility-labs-waf.readthedocs.io
- F5 clouddocs (tmsh reference) — security bot-defense profile:
deviceid-mode,template, and verification commands (tmsh list /security bot-defense profile … deviceid-mode,tmsh show /analytics dos-l7 report view-by device-id). clouddocs.f5.com/cli/tmsh-reference - F5 — K000147283: Bot defense features for BIG-IP ASM/AWAF and the BIG-IP Advanced WAF product page (Advanced WAF = ASM + Bot Defense + L7 Behavioral DoS + brute-force + DataSafe; ASM EoS 01-Apr-2021). my.f5.com · f5.com
- F5 Certification — 303 — BIG-IP ASM Specialist Exam Blueprint (90 min, 80 questions; design/implement/maintain/troubleshoot ASM/Advanced WAF, incl. Bot Defense). education.f5.com/exams/big-ip-asm-specialist-303
What's next?
You can now find the Bot Defense profile, tell Proactive Bot Defense from signatures from anomaly detection, classify clients into the six classes, and pick the right template without blocking Googlebot or your API. The next lesson zooms into the bot problem that hits login pages hardest: brute-force and credential-stuffing protection — and how it overlaps with what you just learned.