Bug ID 824037: Bot Defense whitelists do not apply for IP 'Any' when using route domains

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0, 14.1.2.3

Opened: Sep 08, 2019

Severity: 3-Major

Symptoms

When a whitelist in a Bot Defense profile has its IP set to 'Any' and route domains are in use, the whitelist is not applied.

Impact

The request is mitigated even though it matches the whitelist.

Conditions

-- Bot Defense profile is enabled.
-- Whitelist is configured for IP 'Any' (for URL or GEO).
-- Sending a request that matches the whitelist using route domains.

Workaround

For URL whitelist only: add a microservice to the Bot Defense profile and configure it as follows:

1. Add required URL.
2. Specify service type 'Custom Microservice Protection'.
3. Set the 'Mitigation and Verification' setting as required (relevant for logging only).
4. In 'Automated Threat Detection', set 'Mitigation Action' to 'None'.
5. Set the microservice 'Enforcement Mode' to 'Transparent'.

This causes the associated URL to never be blocked (but no 'whitelist' will be seen in reporting).

Fix Information

Enabling IP 'Any' on route domains now works as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips