Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0, 14.1.2.3
Opened: Sep 08, 2019
Severity: 3-Major
In bot defense profiles, whitelists whose IP is set to 'Any' are not applied when route domains are in use.
Request will be mitigated.
-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- Sending a request that matches the whitelist using route domains.
For URL whitelists only: add a microservice to the bot defense profile and configure it as follows:
1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.
This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).
Enabling IP 'Any' on route domains now works as expected.