Configuring Bot Management in the Portal

There are two Bot Management configuration tasks that you can now self-service using the portal:

  • Specify protected paths for Bot Management
  • Set custom security rules that use the presence of certain "bot signals" as rule criteria

Protected paths

If Bot Management were to fully process every request to a website, it would be overly compute-intensive. In real-world applications you typically need to worry about bots that are attempting to do things like credential stuffing or account takeover attacks at a login page, or brute-force attempts to guess valid gift card codes on checkout pages.

To set up Bot Management, you label the appropriate paths to these parts of the web app as protected paths.

To configure protected paths:

Note

Once you add or edit a protected path, the validation might take 10-15 minutes, but the overall time until the protected path takes effect for use with Bot Management rules might be as long as 30 minutes.

  1. From the navigation panel, click Bot – Protected Paths.
  2. This opens the Bot – Protected Paths screen.
  3. Click Add Protected Path. This opens the Add Protected Path screen.
  4. Select the domain you want to specify protected paths for from the Domain pulldown.
  5. Enter the desired path in the Path field, and identify the Path type, either:
    - API endpoint: only loaded from a base page, so a request to it would always have bot signals; not having any is a sign of tampering.
    - Web page: assumes this could be a first visit without bot detection cookies present. Bot Management will send an empty page to test "botness" and load the full page after.

  6. Click the plus sign at the right to add an additional path, and repeat as needed.

    You can also delete a path before saving the list by clicking the x at the right.
  7. Click Save. A Change Reason dialog box appears.
  8. Add a note about the reasons for this configuration change and click Save.
  9. The Protected Path screen appears with the added path listed at the bottom of the list, with a status of Validating - Add. The validation might take up to 10 minutes. When complete, the status will change to Submitted.

To edit protected paths:

  1. From the navigation panel, click Bot – Protected Paths to open the Bot – Protected Paths screen.
  2. Click on the path you want to edit in the list. This opens the Edit Protected Path screen for the selected path.
  3. You can:
    - click the + at the last entry to add additional paths to this group
    - click the x at the end of any of the paths to remove them
    - change the Path type for any of the paths
    - edit the text in any of the Path fields

  4. When you finish making the desired changes, click Save.
  5. A Change Reason dialog box appears. Add a note about why we are editing this group of paths and click Save.
  6. The Protected Path screen appears with the added path listed at the bottom of the list, with a status of Validating - Add. The validation might take up to 10 minutes. When complete, the status will change to Submitted.

To delete protected paths:

  1. Follow the same steps as above for editing a group of paths.
  2. Click Delete at the bottom of the screen.
  3. A Warning dialog box appears. Add a note about why we are editing this group of paths and click Save.
  4. The Protected Path screen appears with the added path listed at the bottom of the list, with a status of Validating - Add. The validation might take up to 10 minutes. When complete, the status will change to Submitted.

Setting up Bot Management security rules

Once you have some protected paths defined for Bot Management, you can create rules that trigger on requests to these paths based on a set of selectable "bot signals." These signals are received and analyzed by the bot defense system. Some of them come from the Nanovisor, and some show that the Nanovisor is not present when it should be.

Note

Once you add or edit a protected path, the validation might take 10-15 minutes, but the overall time until the protected path takes effect for use with Bot Management rules might be as long as 30 minutes. Be sure to wait long enough before testing whether the rule is taking action.

To create a Bot Management security rule:

  1. Refer to the steps for creating a Custom rule in the Configuring Security Rules in the Portal document.
  2. When you select rule criteria for the rule, select Bot signal from the Client subsection of the criteria list.
  3. This displays additional fields to define the criterion.

    The match condition can either be equals or does not equal.
    There are four bot signals you can specify, which have possible values as defined in the table below. Select the desired combination of signals.
  4. Click the Action tab and select Warn or Block.
  5. Click Save. A Change Reason dialog box appears. Add a note about the purpose of this rule and click Save.

Possible selections for Bot signal

| Bot signal | Description | Possible values |
|---|---|---|
| Automation Framework | The client is recognized as a known automation framework | PhantomJS; Chrome Headless |
| Inconsistent Browser | The client is not behaving like a real browser: either the DOM engine and JavaScript engine are inconsistent with each other, the user agent is inconsistent with the engines, or an expected security cookie is missing. | Inconsistent Engine; Inconsistent User Agent; Missing security cookie |
| Tampering Detected | Bot Management has been explicitly tampered with | |
| No JavaScript Executed | No JavaScript was running | |
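
The following added example (not code from the product or its vendor) is a simplified model of how a rule built from Bot signal criteria decides between Warn and Block on a protected path, including the API endpoint case where a request carrying no signals is treated as tampering. The sample paths, the rule names, the value "Detected", the AND-combination of criteria, first-match ordering, and the mapping of "no signals on an API endpoint" to the Tampering Detected signal are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Protected paths and their Path type (constructed sample values).
PROTECTED = {"/login": "Web page", "/api/giftcard/check": "API endpoint"}

@dataclass(frozen=True)
class Criterion:
    signal: str     # e.g. "Automation Framework"
    condition: str  # "equals" or "does not equal"
    value: str      # e.g. "Chrome Headless"

    def matches(self, observed):
        hit = observed.get(self.signal) == self.value
        return hit if self.condition == "equals" else not hit

@dataclass(frozen=True)
class Rule:
    name: str
    criteria: tuple  # assumption: every criterion must match
    action: str      # "Warn" or "Block"

def observed_signals(path, signals):
    """Normalise the signals that arrived with a request to a protected path."""
    observed = dict(signals or {})
    # An API endpoint is only loaded from a base page, so a request with no
    # bot signals at all is modelled as tampering. "Detected" is a constructed
    # value; the page lists no values for this signal.
    if PROTECTED[path] == "API endpoint" and not observed:
        observed["Tampering Detected"] = "Detected"
    return observed

def evaluate(rules, path, signals):
    """Return the action of the first matching rule, or None."""
    if path not in PROTECTED:
        return None  # bot rules only trigger on protected paths
    observed = observed_signals(path, signals)
    for rule in rules:
        if all(c.matches(observed) for c in rule.criteria):
            return rule.action
    return None

# Hypothetical rule set using signal names and values from the table above.
RULES = [
    Rule("block-headless",
         (Criterion("Automation Framework", "equals", "Chrome Headless"),), "Block"),
    Rule("block-tampered-api",
         (Criterion("Tampering Detected", "equals", "Detected"),), "Block"),
    Rule("warn-bad-ua",
         (Criterion("Inconsistent Browser", "equals", "Inconsistent User Agent"),), "Warn"),
]
```

In this model a first visit to a Web page path with no signals matches no rule, while the same empty request to an API endpoint path is blocked.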