Bug ID 824037: Bot Defense whitelists do not apply for IP 'Any' when using route domains

Last Modified: Nov 12, 2019


Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 15.0.0, 15.0.1

Opened: Sep 08, 2019
Severity: 3-Major

Symptoms

Whitelists defined in a Bot Defense profile are not applied when the IP is set to 'Any' and route domains are in use.

Impact

The request is mitigated even though it matches the whitelist.

Conditions

-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- A request that matches the whitelist is sent using route domains.

Workaround

For URL whitelist only: add a microservice to the Bot Defense profile and configure it as follows:
1. Add the required URL.
2. Specify the service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.

This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).

Fix Information

None

Behavior Change