Advanced Bot Protection 2-27-2023

Advanced Bot Protection provides tools to help identify and manage bot traffic. It uses a variety of techniques including bot signatures, behavioral analysis, and machine learning to classify traffic. This helps reduce malicious bot activity while minimizing false positives. The documentation discusses how to set up Advanced Bot Protection, including creating website groups, policies, and conditions. It also provides guidance on analyzing bot activity reports and dashboards.


Advanced Bot Protection

Contents
Understanding Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Understanding How Advanced Bot Protection Handles Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Understanding the Problem of False Positives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Managing False Positives in Practice. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Testing for False Positives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Understanding the "Rate Limiting" and "Identify Eventually" Conditions and False Positives. . . . . . . . . . . . . . . . . . . 19
Understanding How Imperva CloudWAF Integrates with Advanced Bot Protection. . . . . . . . . . . . . . . 20
Getting Started with Imperva Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Getting Started with Advanced Bot Protection - Using a Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring the True Client IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Working with Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Creating a Website Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Creating a Website Group - Using a Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Understanding the Advanced Bot Protection Display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Understanding the Website Groups Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Understanding the Issues Dialog Box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Understanding the Progress Bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Understanding the Policies Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Understanding the Conditions Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Analyzing your Bot Protection Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Understanding the Individual Element Activity Graphs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding the Activity Graphs of Website Groups, Websites, and Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Understanding the Activity Graphs of Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Understanding the Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Accessing the Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Using the Filters in the Standard Dashboard Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Understanding Regions in the Dashboard Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Understanding the Traffic Overview Display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Understanding the Other (non-Traffic Overview) Displays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Understanding the Usage Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Exporting Dashboard Data to a Near Real Time SIEM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Working with Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Working with the Default Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Accessing the Default Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Understanding the Structure of the Policies and the Default Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring per-Path Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Understanding per-Path Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Understanding per-Path Policies and Rate Limiting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring per-Path Policies for Endpoints with API Calls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Editing a per-Path Policy Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Deleting a per-Path Policy Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Creating a New per-Path Policy Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Managing Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Creating a New Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Cloning a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Renaming a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Deleting a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Managing Policy Directives and their Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Understanding Directives and Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Inserting a Condition into a Directive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Configuring the Status of a Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Editing a Condition's Tags. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Understanding and Editing Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Moving a Condition to a Different Directive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Adding and Reordering Directives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Managing Conditions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Adding a New Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Adding a Condition Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Deleting a Condition or Condition Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Managing Website Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Adding a Website to a Website Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Adding a Website to a Website Group - Using a Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Editing a Website Group - Default Rate Limiting Values. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Editing a Website. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Understanding the Website Advanced Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Website Advanced Settings - Encryption Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Website Advanced Settings - Data Region. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Website Advanced Settings - Challenge IP Lookup Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Website Advanced Settings - Analysis IP Lookup Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Website Advanced Settings - Unmasked Headers (CloudWAF only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Website Advanced Settings - Cookie Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Website Advanced Settings - Mobile SDK Challenge Path (CloudWAF only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Website Advanced Settings - Path Without JS Injection (CloudWAF only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Website Advanced Settings - Captcha Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Renaming a Website Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Deleting a Website Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Managing Encryption Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Updating a Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Understanding Snapshot and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Working with Advanced Bot Protection SDK. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Understanding Bot Protection with the SDK. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Understanding How the SDK Operates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Installing the SDK. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Testing the SDK Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Downloading the Advanced Bot Protection SDK Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
SDK Frequently Asked Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Why can't Imperva set up the SDK for me?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
What happens if the Imperva ABP service is offline?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
What impact does the SDK have on my application in terms of size?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
What impact does the SDK have on my application in terms of latency and load time?. . . . . . . . . . . . . . . . . . . . . . . . . . . 251
How are jailbroken devices dealt with by the SDK?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
How is the Advanced Bot Protection SDK actually deployed and what do I need to do from my side?. . . . . . . . . . . 253
How is the token requested?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
What happens if the SDK fails to receive the token?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
What is the estimated latency?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Does the SDK check IP addresses for VPN?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Does the SDK work when a user clicks a certain link, or can it run in "stealth" mode all the time?. . . . . . . . . . . . . . . . . . 258
Does the SDK support Android Widgets?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Does the SDK provide native Xamarin support?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Is the Android variant an AAR or a JAR?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Is the iOS variant a precompiled framework (.framework files) or a plain static library?. . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Will old versions of my app be blocked?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Is the SDK for the iOS app written in Objective-C or Swift?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Does the iOS SDK compile if Bitcode is enabled in the project? This is app thinning related; our builds use Bitcode for App Store distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
I see the prefix "debug:" on the token value sent by the SDK. What does this prefix mean? Do I need to remove it or do something differently?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
What do I need in order to support Android 11?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Integrating Advanced Bot Protection with a Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Understanding the Connector Integration Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Integrating Advanced Bot Protection with Cloudflare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Integrating Advanced Bot Protection with Lambda@Edge on AWS Cloudfront. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Upgrading the Lambda@Edge Runtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Integrating Advanced Bot Protection with F5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Integrating Advanced Bot Protection with Nginx/Openresty. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring the Interstitial Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Testing the Integration of Advanced Bot Protection with a Connector. . . . . . . . . . . . . . . . . . . . . . . . . 284

Testing Integration with Connectors Using the Debug Header. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Testing the Functionality of the Integration of Advanced Bot Protection with Connectors Using the Script. . . . . . . . . 286
Understanding Failure Handling for Advanced Bot Protection with Connectors. . . . . . . . . . . . . . . . . 287
Advanced Bot Protection Integration Libraries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Advanced Bot Protection Use Cases and Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Migrating from Distil Bot Defender to Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Prerequisites for Migrating from Distil Bot Defender. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Understanding the Workflow in Migrating from Distil Bot Defender. . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Recreating the Distil Bot Defender Setup in Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . 309
Recreating the Distil Bot Defender Domains in Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Recreating the Distil Bot Defender Paths and Per-Path Policies in Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . 311
Recreating the Distil Bot Defender Actions in Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Recreating Distil Bot Defender Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Recreating Distil Bot Defender Access Control Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Recreating Distil Bot Defender Custom Rules in Advanced Bot Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Understanding the Results of the fetch Script. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Distil Bot Defender Migration FAQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Advanced Bot Protection API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Advanced Bot Protection Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Directive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Condition Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Cookie Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Custom Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Flag. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Integration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Managed Condition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Path. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
per-Path Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Rate Limit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Tag. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Website. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Website Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Advanced Bot Protection Release Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Advanced Bot Protection General Release Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Advanced Bot Protection Connectors Release Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343


Understanding Advanced Bot Protection


The following topics explain the underlying concepts of bot protection, and the mechanism of Imperva's Advanced
Bot Protection service.

• Understanding Bot Protection
• Understanding How Advanced Bot Protection Handles Traffic
• Understanding the Problem of False Positives
• Understanding How Imperva CloudWAF Integrates with Advanced Bot Protection


Understanding Bot Protection


There are good bots and bad bots.

Search engines are good bots. They index all your web pages, enabling your users to do useful searches and find your
content.

Bad bots are run by people who are after the data you wish to protect. For example, price scraping and content bots
give your competitors an unfair advantage by collecting high volumes of your pricing data, which they can then
undercut.

For bot protection to work well, it needs to do the following:

• Distinguish between legitimate human traffic and bot traffic, and intercept the bad bot traffic reliably.
• Distinguish between good bots and bad bots, and allow the good bots through.


Understanding How Advanced Bot Protection Handles Traffic


A simplified explanation of how Advanced Bot Protection works is presented here.

The basic architecture of a web application and its connection to the outside world is presented below.

Your web application on the right is connected to the outside world via the Imperva CloudWAF.

Traffic flows from the client machines via the CloudWAF. CloudWAF forwards HTTP requests from the client to the web
application, and forwards the returning traffic from the web application back to the client.

Now suppose the Advanced Bot Protection service is enabled for you.


As you can see, the Advanced Bot Protection service communicates only with CloudWAF. An HTTP request is received
from the client by CloudWAF, and then the Advanced Bot Protection service inspects the request header in order to
determine the source of the request - human or bot. The Advanced Bot Protection service analyzes the request header
and, based on the result of that analysis, sends an instruction back to CloudWAF. It is CloudWAF that carries out the
instruction regarding the HTTP request. If instructed to block the request, it is CloudWAF that blocks the request. If
instructed to serve a captcha page to the client, it is CloudWAF that serves the captcha page, and so on.

The full process is summarized in the images below.


1. The client sends an HTTP request to the web application.
2. The Advanced Bot Protection service inspects the request header.
3. The Advanced Bot Protection service analyzes the request, comparing its data to the Conditions in your Policy, and
sends its instruction to CloudWAF.
4. CloudWAF acts on the instruction from the Advanced Bot Protection service, allowing the request through,
blocking it, or taking some other action.
5. CloudWAF additionally sends the web application's HTML page to the client, with its embedded JavaScript tag.


6. The script on the client sends a challenge request.
7. CloudWAF sends that request on to the Advanced Bot Protection service.
8. The Advanced Bot Protection service responds by sending the JavaScript to the client.


9. The client's browser executes the JavaScript, which interrogates the client's machine and browser,
fingerprinting it, and sends the fingerprint to the Advanced Bot Protection service.
10. The Advanced Bot Protection service analyzes the fingerprint, comparing its richer data to the Conditions in
your Policy, and sends a token to the client via CloudWAF.
11. CloudWAF acts on the instruction from the Advanced Bot Protection service, allowing the request through,
blocking it, or taking some other action.
12. The client then stores the token as a cookie.

Notes:

▪ If a bad bot does not support Javascript - and some do not - it will be unable to run the initial
script, and that inability is recognized by Advanced Bot Protection.

Sometimes, legitimate users appear to be bots that do not support Javascript. For example, if a user
has a very slow connection, or is using a browser extension to block most Javascript files, that
user's traffic will look like that of a bot that does not support Javascript. In these cases, the
Identify Directive redirects the user to an identification page. A bot is stopped right there. A
legitimate user's browser processes the Javascript as above and is allowed through. Should a user
run a browser extension that blocks the Javascript file, they will eventually see a message on the
Identify page informing them of this. Most users that run these browser extensions recognize what
they are doing and then allow the Javascript in order to continue browsing your site.

▪ If a bad bot does support Javascript, Advanced Bot Protection's browser automation
detection detects and flags that bot.
▪ The fingerprinting in step 9 and any requests after step 12 above can be understood with the
following analogy. A young person entering a club with an age limit has to show ID. Security
checks the person's ID and allows entry based on age. But the security guard also marks the
young person's arm with an indelible ink stamp. The stamp is like a request with a cookie.

A malicious user can tamper with the browser payload returned by the challenge response.
This is like a young person forging their ID card. This is mitigated by Advanced Bot Protection's bad
challenge postback Condition.

A malicious user can also tamper with the cookie. This is like a young person faking the stamp. This
is mitigated by Advanced Bot Protection's invalid token Condition.

Genuine user traffic does not match either of the above two Conditions, so your Policies should
block access when either of them is matched.

Note: If you want to use Imperva Advanced Bot Protection, but you do not want it integrated with
Imperva CloudWAF, you can use a different Integration known as a Connector, instead of
CloudWAF. Currently, Advanced Bot Protection can be integrated with the following Connectors:

• Cloudflare
• F5
• Lambda@Edge on AWS Cloudfront
• Nginx
• Fastly


Understanding the Problem of False Positives


A false positive occurs when a request from a legitimate user is flagged by the system as if it were a bot, and the
system then acts according to the Policies you defined based on the reason the user was flagged, requesting a captcha
from the user or, worse yet, blocking the user.

High rates of false positives are a threat to a healthy website. If a significant number of users are being blocked or sent
to captcha pages too often, those users will be unhappy.

For this reason, you will not want to activate Conditions that produce high rates of false positives. You can identify
those Conditions by analyzing the traffic graphs.

Most customers measure the false positive rate by dividing the total number of captchas attempted by the total
number of captchas served. For customers with bots that ruin the captcha metrics with many obvious failed attempts,
it is better to calculate the false positive rate by dividing the number of successful captchas by the total number
served.

Some bot operators will employ captcha solving services to bypass captchas that you present to their bots. Should
you see a suspicious rise in captcha solves, simply move that Condition to block instead of captcha. If that results in
too many blocks issued to real humans, you must craft a new Condition to better pinpoint the bad bot traffic.

Once you have gained an understanding of the basic workings of Advanced Bot Protection, see Managing False
Positives in Practice.

• Managing False Positives in Practice


Managing False Positives in Practice

For more information on managing false positives in practice, refer to the following sections:

• Testing for False Positives
• Understanding the "Rate Limiting" and "Identify Eventually" Conditions and False Positives


Testing for False Positives

You can test for false positives as follows:

Captchas

Activate a Condition in the Captcha Directive and see what happens.

If in the traffic graphs you see that those captchas are solved, or you start getting complaints from customers about
excessive captcha references, then you can conclude that this Condition is producing false positives. You must not
move it into the Block Directive, and you should further weigh the damage from keeping it active and annoying
legitimate users with captchas, against the potential damage from deactivating it and allowing that particular bot
attack.

Traffic Graph Analysis

Analyze the traffic graph of the Conditions.

Human traffic is typically cyclic while bot traffic is typically either flat or spiky. If a Condition that you would normally
expect to be triggered by a bot is showing a graph that is similar to human traffic, that indicates false positives. So if
you observe the traffic from the Known violator data centers or the Bad user agents Conditions and you see the
behavior over time is actually cyclic, you may conclude that the one that is cyclic is actually legitimate traffic that you
have triggered incorrectly.
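As an added illustration (not part of the original documentation), the following Python applies the cyclic-versus-flat-or-spiky heuristic described above to a constructed week of hourly request counts per Condition; the sample series, the thresholds, and the use of Condition names as dictionary keys are assumptions made for the example.

```python
import math
import random
from typing import Dict, List

HOURS_PER_WEEK = 7 * 24  # the activity graphs cover the last seven days
DAILY_LAG = 24           # human traffic tends to repeat with a 24-hour period


def lag_autocorrelation(series: List[float], lag: int) -> float:
    """Normalised autocorrelation at `lag`: close to 1 when the series repeats every `lag` samples."""
    n = len(series)
    if n <= lag:
        return 0.0
    mean = sum(series) / n
    variance = sum((x - mean) ** 2 for x in series)
    if variance == 0:
        return 0.0  # a perfectly flat line has no periodicity to measure
    covariance = sum((series[t] - mean) * (series[t + lag] - mean) for t in range(n - lag))
    return covariance / variance


def spike_ratio(series: List[float]) -> float:
    """Peak hour relative to the median hour: a few dominating hours give a large value."""
    ordered = sorted(series)
    median = ordered[len(ordered) // 2]
    if median <= 0:
        return float("inf") if max(series) > 0 else 1.0
    return max(series) / median


def classify_shape(series: List[float], cyclic_threshold: float = 0.5,
                   spike_threshold: float = 3.0) -> str:
    """Return "cyclic" (human-like) or "spiky" / "flat" (both bot-like).

    The thresholds are assumptions chosen for this illustration; tune them
    against graphs you have already judged by eye.
    """
    if lag_autocorrelation(series, DAILY_LAG) >= cyclic_threshold:
        return "cyclic"
    if spike_ratio(series) >= spike_threshold:
        return "spiky"
    return "flat"


def suspected_false_positives(condition_graphs: Dict[str, List[float]]) -> List[str]:
    """Conditions you would expect only bots to trigger, but whose traffic looks human."""
    return [name for name, series in condition_graphs.items()
            if classify_shape(series) == "cyclic"]


def constructed_series(kind: str, seed: int = 42) -> List[float]:
    """Constructed week of hourly request counts (sample data, not real traffic)."""
    rng = random.Random(seed)
    out: List[float] = []
    for hour in range(HOURS_PER_WEEK):
        if kind == "human":            # daily wave peaking mid-afternoon, plus jitter
            wave = 100 + 60 * math.sin(2 * math.pi * ((hour % 24) - 9) / 24)
            out.append(wave + rng.uniform(-8, 8))
        elif kind == "bot_spiky":      # low baseline with a few short bursts
            burst = 400 if hour in {37, 38, 90, 131, 132, 133} else 0
            out.append(20 + burst + rng.uniform(-2, 2))
        elif kind == "bot_flat":       # steady, uninterrupted polling
            out.append(20 + rng.uniform(-2, 2))
        else:
            raise ValueError(f"unknown series kind: {kind}")
    return out


if __name__ == "__main__":
    graphs = {
        "Known violator data centers": constructed_series("human"),
        "Bad user agents": constructed_series("bot_spiky"),
        "Rate limiting": constructed_series("bot_flat"),
    }
    for name, series in graphs.items():
        print(f"{name}: {classify_shape(series)}")
    print("investigate for false positives:", suspected_false_positives(graphs))
```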


Understanding the "Rate Limiting" and "Identify Eventually" Conditions and False Positives

The Rate limiting Condition should always be in the Captcha Directive and you should tune it for the traffic patterns
of your Website.

Note that the Rate limiting and Identify eventually Conditions may elicit excessive false positives for the following
reason.

Not every URL Path on your Website returns viewable HTML pages. Some Paths return machine-readable content
which is accessed by Javascript running on that Webpage. These Paths are API endpoints and some of them generate
a lot of requests; for example, when a text field gives suggestions as the user enters characters, each character entry
generates a request that needs to be processed. The problem here is that if you do not identify these Paths properly, the
request counts will be inflated, and these might trigger the Rate Limit or Identify eventually Conditions in
circumstances where such triggers are not needed. (Note also that the captcha and identify Directives do not actually
work with Paths that are API endpoints, and such Paths need their own Policies in which these two Directives are
never used. For more information, see Configuring per-Path Policies for Endpoints with API Calls.)

You can mitigate this effect with the proper use of per-Path Policies in which Rate Limiting is either disabled, or
the request counts go into a Custom Scope. For more information, see Understanding per-Path Policies and Rate
Limiting.
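An added example, not the product's own code or configuration format, of why giving an autocomplete-style API Path its own Custom Scope (or disabling Rate Limiting for it) keeps it from inflating the request counts of the rest of the Website; the paths, limits, session and timings are constructed for the illustration.

```python
from collections import deque
from typing import Any, Deque, Dict, Tuple

WINDOW_SECONDS = 60

# Constructed per-Path Policy assignments for the illustration (not the product's
# configuration format). An API Path can send its request counts to its own Custom
# Scope with a limit suited to its volume, or have Rate Limiting disabled (scope None).
PER_PATH_POLICIES: Dict[str, Dict[str, Any]] = {
    "/api/suggest": {"scope": "autocomplete", "max_per_minute": 600},
    "/api/cart": {"scope": None, "max_per_minute": None},
}
# The Website's Default Rate Limiting Values apply to every other Path.
WEBSITE_DEFAULT: Dict[str, Any] = {"scope": "default", "max_per_minute": 60}


class ScopedRateLimiter:
    """Sliding one-minute window of request timestamps, counted per (session, scope)."""

    def __init__(self, use_per_path_policies: bool) -> None:
        self.use_per_path_policies = use_per_path_policies
        self.windows: Dict[Tuple[str, str], Deque[float]] = {}

    def policy_for(self, path: str) -> Dict[str, Any]:
        if self.use_per_path_policies:
            for prefix, policy in PER_PATH_POLICIES.items():
                if path == prefix or path.startswith(prefix + "/"):
                    return policy
        return WEBSITE_DEFAULT

    def request(self, session_id: str, path: str, now: float) -> str:
        policy = self.policy_for(path)
        if policy["scope"] is None:
            return "uncounted"          # Rate Limiting disabled for this Path
        window = self.windows.setdefault((session_id, policy["scope"]), deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()            # drop requests that fell out of the window
        window.append(now)
        return "rate_limited" if len(window) > policy["max_per_minute"] else "allowed"


def simulate_shopper(use_per_path_policies: bool) -> Dict[str, int]:
    """One constructed human session: 10 page views, each followed by 8 typed
    characters that fire suggestion requests, then one cart call, all within a minute."""
    limiter = ScopedRateLimiter(use_per_path_policies)
    outcomes = {"allowed": 0, "rate_limited": 0, "uncounted": 0}
    now = 0.0
    for _ in range(10):
        outcomes[limiter.request("session-1", "/books", now)] += 1
        now += 1.0
        for _ in range(8):
            outcomes[limiter.request("session-1", "/api/suggest", now)] += 1
            now += 0.2
    outcomes[limiter.request("session-1", "/api/cart", now)] += 1
    return outcomes


if __name__ == "__main__":
    print("default scope only:", simulate_shopper(False))  # the shopper gets rate limited
    print("per-Path Policies: ", simulate_shopper(True))   # the shopper is never limited
```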


Understanding How Imperva CloudWAF Integrates with Advanced Bot Protection

Imperva CloudWAF acts as an Integration. When an activated Directive in Advanced Bot Protection triggers an action,
it is the Integration - Imperva CloudWAF - that actually carries it out.

At the same time and for the same protected assets, CloudWAF acts as an Integration for its other services, for
example Account Takeover. And these services also send instructions to the CloudWAF to act on incoming traffic.

It is quite feasible that an incoming request will elicit a response from more than one CloudWAF service, including
Advanced Bot Protection.

If more than one CloudWAF service gives an instruction to CloudWAF to act on an incoming request, CloudWAF will
always treat any request with the most severe instruction it receives from any of its services.

For example, if a request elicits a captcha instruction from Advanced Bot Protection, but a block instruction from a
different service, then CloudWAF executes the block instruction on that request.

The instructions are, in descending order of severity:

• block
• captcha
• identify


Getting Started with Imperva Advanced Bot Protection


To start using Advanced Bot Protection with the CloudWAF Integration, you must have a CloudWAF account and you
must have acquired the license to use Advanced Bot Protection.

Note: If you want to use Imperva Advanced Bot Protection but you want to use a Connector instead
of CloudWAF for your Integration, see Getting Started with Advanced Bot Protection - Using a
Connector.

To start using Advanced Bot Protection with the CloudWAF Integration:

1. In the CloudWAF account to which you wish to add Advanced Bot Protection, add the website that you wish to
protect. For more information, see Onboarding a Site – Web Protection and CDN.
2. [OPTIONAL] Configure the error page. This is the page that is shown to users if it appears that they have a
slow connection, or their Javascript is disabled, or they have an ad blocker, or their cookies are disabled. For
more information, see Custom Error Pages.
3. Select your captcha provider. For more information, see Web Protection - Security Settings.
4. In the navigation pane, click Advanced Bot Protection. The Advanced Bot Protection Launch window appears.


5. Click Launch Advanced Bot Protection. The Advanced Bot Protection window appears.

6. Add a Website Group.

Since many websites have clones that perform identical functions to the "parent website", e.g. for languages,
like acmebooks.com, acmebooks.co.fr, and acmebooks.co.nl, and so on, Advanced Bot Protection allows you to
group your websites into Website Groups and then you apply all your configurations to the Website Group,
saving a lot of time. You cannot apply configurations to an individual Website - only to a Website Group.

For more information, see Creating a Website Group. Your first Website Group contains the Website you wish to
protect, and activates the Default Policy. This provides you with a good out-of-the-box bot protection level for
your Website.

7. Update your configuration. For more information, see Updating a Configuration.


8. If your setup involves a third-party CDN, you may need to configure true client IP. For more information, see
Configuring the True Client IP.

Bot protection is now activated.


• Getting Started with Advanced Bot Protection - Using a Connector
• Configuring the True Client IP


Getting Started with Advanced Bot Protection - Using a Connector


To start using Advanced Bot Protection with a Connector, you must have the appropriate license to use Advanced Bot
Protection.

To start using Advanced Bot Protection with a Connector:

1. Carry out the integration procedure for your chosen Connector. For more information, see Integrating Advanced
Bot Protection with a Connector.
2. In the CloudWAF navigation pane, click Advanced Bot Protection. The Advanced Bot Protection Launch
window appears.


3. Click Launch Advanced Bot Protection. The Advanced Bot Protection window appears.

4. Add a Website Group.

Since many websites have clones that perform identical functions to the "parent website", e.g. for languages,
like acmebooks.com, acmebooks.co.fr, and acmebooks.co.nl, and so on, Advanced Bot Protection allows you to
group your websites into Website Groups and then you apply all your configurations to the Website Group,
saving a lot of time. You cannot apply configurations to an individual Website - only to a Website Group.

For more information, see Creating a Website Group. Your first Website Group contains the Website you wish to
protect, and activates the Default Policy. This provides you with a good out-of-the-box bot protection level for
your Website.

5. Update your configuration. For more information, see Updating a Configuration.


6. If your setup involves a third-party CDN, you may need to configure true client IP. For more information, see
Configuring the True Client IP.

Bot protection is now activated.


Configuring the True Client IP


Imperva allows you to set up CloudWAF and Advanced Bot Protection in conjunction with a third party CDN. For more
information, see Onboarding and Keeping Your Own CDN.

If your setup involves CloudWAF (or a Connector) and Advanced Bot Protection being deployed In Back of Your CDN,
the client IP address that is forwarded to CloudWAF or Advanced Bot Protection is that of the CDN, and not that of the
client machine.

Advanced Bot Protection relies on correct client IP address identification for a number of features, and you must
ensure that you configure Advanced Bot Protection to read the correct true client IP. CDNs are configured to forward
the true client IP in the headers using a parameter like X-Forwarded-For, True-Client-IP, or CF-connecting-ip. Your
CDN and your own setup define the precise parameter used.

You must configure Advanced Bot Protection to read the true client IP as it appears in the headers.

To configure Advanced Bot Protection to read the true client IP:

1. Refer to your CDN's documentation to discover the correct header parameter for true client IP.
2. In Advanced Bot Protection, for a particular Website, go to Advanced Settings. For more information, see
Editing a Website.
3. In Advanced Settings, type or paste into the following fields the true client IP header parameter from Step 1.
▪ Challenge IP Lookup Mode: Header Name
▪ Analysis IP Lookup Mode: Header Name

If there are multiple, comma-separated IP addresses specified in your true client IP header, Reverse Index
specifies which one to select, counting from the end of the list and starting at 0 (so 0 selects the last address).

4. Click Save.
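An added example (not Imperva's code) of how a Reverse Index selects an address from a comma-separated true client IP header, and why counting from the end of the list is the safe direction; the header values and hop counts are constructed for the illustration.

```python
import ipaddress
from typing import Optional

# Constructed header values (sample data, not from the page). A forwarding chain
# appends addresses as it goes: each hop adds the address it received the request
# from, so the entries at the END were written by your CDN and any trusted proxies
# behind it, while the FIRST entry is whatever the client itself chose to send.
CONSTRUCTED_HEADERS = {
    "honest": "203.0.113.7",
    "spoofed_prefix": "10.0.0.1, 203.0.113.7",         # client prepended a fake entry
    "two_trusted_hops": "203.0.113.7, 198.51.100.23",  # CDN, then a proxy that appended the CDN's address
    "ipv6": "2001:db8::42",
}


def select_true_client_ip(header_value: str, reverse_index: int = 0) -> Optional[str]:
    """Pick the address `reverse_index` places from the end of a comma-separated header.

    Index 0 is the last address, 1 the one before it, and so on, matching how
    Reverse Index is described. Returns None when the header is empty, the
    index is out of range, or the entry is not a valid IP address, so the caller
    can treat the request as having no trustworthy client IP instead of
    silently using the wrong one.
    """
    entries = [e.strip() for e in header_value.split(",") if e.strip()]
    if reverse_index < 0 or reverse_index >= len(entries):
        return None
    candidate = entries[len(entries) - 1 - reverse_index]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def reverse_index_for(trusted_appending_hops: int) -> int:
    """Reverse Index to configure when `trusted_appending_hops` hops each append an address.

    With only the CDN in front, the client address is the last entry (index 0);
    every additional trusted proxy behind the CDN appends one more address,
    pushing the client address one step further from the end.
    """
    if trusted_appending_hops < 1:
        raise ValueError("the CDN itself must append at least one address")
    return trusted_appending_hops - 1


if __name__ == "__main__":
    for name, value in CONSTRUCTED_HEADERS.items():
        print(f"{name:>16}: first entry = {value.split(',')[0].strip()!r}, "
              f"reverse index 0 = {select_true_client_ip(value)!r}")
    print("two trusted hops, reverse index", reverse_index_for(2), "=",
          select_true_client_ip(CONSTRUCTED_HEADERS["two_trusted_hops"], reverse_index_for(2)))
```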


Working with Advanced Bot Protection


Working with Advanced Bot Protection for the first time involves following the general procedure below.

Since many websites have clones that perform identical functions to the "parent website", e.g. for languages, like
acmebooks.com, acmebooks.co.fr, and acmebooks.co.nl, and so on, Advanced Bot Protection allows you to group
your websites into Website Groups and then you apply all your configurations to the Website Group, saving a lot of
time. You cannot apply configurations to an individual Website - only to a Website Group.

To work with Advanced Bot Protection:

1. Create your first Website Group. Even if you are protecting a single website, you must use a Website Group
because it is at the Website Group level that you add and configure your Policies. For more information, see
Adding a Website Group.

When you create a Website Group, you are required to add one Website to it. The Default Policy applies to the
Website Group by default until you make changes. The Default Policy provides you with a good out-of-the-box
bot protection level for your Website.

2. With your Website generating traffic, analyze the type of bot attacks your Website is under by looking at the
Dashboard and at the individual Traffic Graphs for each Website Group, Website, Path, Policy, and Condition. For
more information, see Analyzing the Performance of Bot Protection.
3. Based on your analysis of the traffic on your Website Group or Website, make changes to the Policies that define
that Website's or Website Group's defense.

There are many possibilities for configuration here, ranging from activating or deactivating Conditions, to
adding or removing the Flags within an individual Condition. The out-of-the-box Policies and Conditions
provide powerful protection at the basic level, but the system allows for highly sophisticated configurations
with which you will become familiar with greater use.

For more information, see Working with Policies.

4. Update your Configuration. If you have made changes, examine them and then update the system.

For more information, see Updating a Configuration.

Initially, you will probably work with one Website Group, performing actions in steps 2 to 4 above: you examine the
traffic to see the attack patterns, make changes to your Policies and Conditions, update the configuration and start
again. Eventually you will want to expand your system by adding more Websites and more Website Groups.

• Creating a Website Group
• Understanding the Advanced Bot Protection Display
• Analyzing your Bot Protection Activity
• Working with Policies
• Managing Website Groups
• Updating a Configuration
• Understanding Snapshot and Restore


Creating a Website Group


If you want to create a Website Group in Advanced Bot Protection working with the Imperva CloudWAF Integration,
you must first ensure you have added at least one Website to your Imperva CloudWAF account. This is the Website
that Advanced Bot Protection will be protecting.

Note: If you are using a Connector instead of CloudWAF, use the procedure in Creating a Website
Group - Using a Connector.

To create a Website Group in your Advanced Bot Protection account:

1. Log in to your Advanced Bot Protection account.
2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.
4. Click the Create Website button. The Create Website dialog box appears.

If you are subscribed to CloudWAF only, the Create Website Group dialog box appears as follows:


If you are subscribed to both CloudWAF and Connectors, the Create Website Group dialog box appears as
follows:


5. Type a Website Group Name.
6. If you are subscribed to CloudWAF and Connectors, verify that the Imperva CloudWAF option is selected.
7. From the drop down list Website, select the Website you wish to add.
8. Under Default Rate Limiting Values, type in the values you want based on the table below. For more
information, see Understanding per-Path Policies and Rate Limiting.
9. Click Create.


Note: You may be required to configure one or more of the Website parameters after you have
created the Website Group or added a Website. For more information, see Editing a Website.

Name: Description

Max requests per minute: The maximum number of requests to the site in a minute that is allowable before rate
limiting is triggered.

Max requests per session: The maximum number of requests to the site in a single session that is allowable
before rate limiting is triggered.

Max session length: The maximum length of a session that is allowable before rate limiting is triggered.
Select the time units from the adjacent drop-down list.

• Creating a Website Group - Using a Connector


Creating a Website Group - Using a Connector

Before you create your first Website Group when using Advanced Bot Protection with a Connector, make sure that you
have integrated Advanced Bot Protection with your Connector. For more information, see Integrating Advanced Bot
Protection with a Connector.

To create a Website Group in your Advanced Bot Protection account when using a Connector:

1. Log in to your Advanced Bot Protection account.
2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.
4. Click the Create Website button. The Create Website dialog box appears.

If you are subscribed to Connectors only, the Create Website Group dialog box appears as follows:


If you are subscribed to both CloudWAF and Connectors, the Create Website Group dialog box appears as
follows:


5. Type a Website Group Name.
6. If you are subscribed to CloudWAF and Connectors, verify that the Connectors option is selected.
7. Type the Website Name (FQDN).
8. Under Default Rate Limiting Values, type in the values you want based on the table below. For more
information, see Understanding per-Path Policies and Rate Limiting.
9. Click Create.


Note: You may be required to configure one or more of the Website parameters after you have
created the Website Group or added a Website. For more information, see Editing a Website.

Name: Description

Max requests per minute: The maximum number of requests to the site in a minute that is allowable before rate
limiting is triggered.

Max requests per session: The maximum number of requests to the site in a single session that is allowable
before rate limiting is triggered.

Max session length: The maximum length of a session that is allowable before rate limiting is triggered.
Select the time units from the adjacent drop-down list.


Understanding the Advanced Bot Protection Display


Advanced Bot Protection's user interface is divided into the following main sections:

• Dashboard: Displays graphs that show how various aspects of your traffic and your Advanced Bot Protection's
interventions are performing over time. For more information, see Analyzing Your Bot Protection Activity.
• Settings: The windows in Settings allow you to configure Advanced Bot Protection. The following windows are
available:
• Website Groups: Configure your Website Groups, Websites, Default Policy and per-Path Policy
Assignments. For more information, see Understanding the Website Groups Window.
• Policies: Add, rename, configure and delete your Policies. For more information, see Understanding
the Policies Window.
• Conditions: Add, configure and delete your Conditions and Condition Groups. For more information,
see Understanding the Conditions Window.

• Understanding the Website Groups Window
• Understanding the Policies Window
• Understanding the Conditions Window


Understanding the Website Groups Window

The elements of the Website Groups window are summarized in the table below.

The Website Groups Window

Item: Description (For more information, see...)

Publish Configuration button: Review and publish all the changes you have made since your last publication.
See Updating a Configuration.

Create Website Group button: Create a new Website Group. See Creating a Website Group.

Name: The name of the Website Group. To configure a Website Group, click on the Website Group's Name.

Issues: Outstanding issues with the Website that you should deal with. Click on the entry for more details.
See Understanding the Issues Dialog Box.

Progress: The progress you have made with the Website on the onboarding tasks. See Understanding the
Progress Bar.

View Activity Graph: Displays a graph showing the traffic for that Website Group. See Analyzing Your Bot
Protection Activity.

Rename Website Group: Give your Website Group a different Name. See Renaming a Website Group.

Delete Website Group: Delete your Website Group. See Deleting a Website Group.

• Understanding the Issues Dialog Box
• Understanding the Progress Bar


Understanding the Issues Dialog Box

The Issues field for each Website indicates how many issues you may want to be aware of regarding your bot
protection.

In the Website Groups window, hover your mouse over the Issues field for any Website to see details regarding the
outstanding issues.

Name: Description

Website has never been published: You have not published the Website. If you have made changes to your
configuration, you must publish them for them to take effect. For more information, see Updating a
Configuration.

No traffic has been detected: No traffic has been detected for this Website.

You have not configured your allowlist: You have no active Conditions in the allow Directive. This means that
"good" bots may receive captchas or be blocked. For more information, see Understanding Directives and
Conditions.

API paths have not been analyzed: It takes about four hours after your configuration has been published for the
API paths to be analyzed. For more information, see Configuring per-Path Policies for Endpoints with API Calls.
Note: This applies only to Website Groups that have Websites where US data region has been selected.

You have not assigned per-Path Policies to discovered API paths: You have not configured per-Path Policies for
paths that serve APIs. It is recommended that you do so to avoid technical issues. For more information, see
Configuring per-Path Policies for Endpoints with API Calls.

Mitigation activated: You have not activated any mitigation. That means that there are no active Conditions in
the Website's block, captcha, tarpit, or delay Directives. For more information, see Configuring the Status of a
Condition.


Understanding the Progress Bar

The Progress bar for each website indicates how much progress you have made in onboarding that Website for a
minimally acceptable level of bot protection.

In the Website Groups window, hover your mouse over the Progress bar for any website to see details regarding its
onboarding status.

Progress: Description

Website(s) published: You have published the Website.

Allowlist configured: You have active Conditions in the allow Directive. This means that "good" bots will not
receive captchas or be blocked.

Traffic detected: Traffic to your website has been detected.

API paths analyzed and assigned: You have configured per-Path Policies for paths that serve APIs.
Note: This applies only to Website Groups that have Websites where US data region has been selected.

Mitigation activated: You have active Conditions in your Website's block, captcha, tarpit, or delay Directives.


Understanding the Policies Window

The elements of the Policies window are summarized in the table below.


The Policies Window


Item: Description (For more information, see...)

Publish Configuration button: Review and publish all the changes you have made since your last publication.
See Updating a Configuration.

Create New Policy: Create a new Policy. See Creating a New Policy.

Name: The name of the Policy. To configure a Policy, click on the Policy's Name. See Working with Policies.

View Activity Graph: Displays a graph showing the traffic for that Policy. See Analyzing Your Bot Protection
Activity.

Clone Policy: Copy the entire Policy and give it a new name. See Cloning a Policy.

Rename Policy: Give your Policy a different Name. See Renaming a Policy.

Delete Policy: Delete your Policy. See Deleting a Policy.


Understanding the Conditions Window

The elements of the Conditions window are summarized in the table below.


The Conditions Window


Item: Description (For more information, see...)

Publish Configuration Button: Review and publish all the changes you have made since your last publication.
See Updating a Configuration.

Add New Condition Button: Add a new Condition. See Adding a New Condition.

Add New Condition Group Button: Add a new Condition Group. See Adding a Condition Group.

Name: The name of the Condition. To edit a Condition, click on the Condition's Name. See Understanding and
Editing Conditions, and Editing a Condition's Tags.

Type: Either Single Condition or Condition Group. See Managing Conditions.

Policies: The Policies in which that Condition or Condition Group has been assigned to Directives. See
Managing Policies.

View Activity Graph: Displays a graph showing the traffic for that Condition or Condition Group. See Analyzing
Your Bot Protection Activity.

Delete Website Group/Condition Group: Delete your Condition or Condition Group. See Deleting a Condition or
Condition Group.


Analyzing your Bot Protection Activity


In order to configure your Policies, Directives and Conditions so that you can get the best out of Advanced Bot
Protection, you need to monitor and analyze the activity of the traffic and of the various defenses you are using.

There are two general methods for analyzing your bot protection activity:

• Individual element graphs: You can view the protection activity graph of each element in your Advanced Bot
Protection deployment, those elements being Website Group, Website, Policy, and Condition.
• Dashboard: You can view the activity of one or more Websites in your account, over a configurable time period,
using a range of analytical graphs, in the Dashboard.

• Understanding the Individual Element Activity Graphs
• Understanding the Dashboard
• Exporting Dashboard Data to a Near Real Time SIEM


Understanding the Individual Element Activity Graphs

Website Groups, Websites, and Policies

Website Groups, Websites, and Policies have activity graphs that show the mitigation activity (which Directives were
triggered) for that element, over the last seven days, in terms of requests per session (RPS).

Conditions

A Condition has an activity graph that shows the number of requests for the following:

• Decider: The Condition's Directive was the one activated.
• Triggered: There was a match in the request data, whether or not the Directive was activated.
• Captcha succeeded: The Condition in the Captcha Directive was triggered and caused the Directive to be
activated, and the captcha was solved.

• Understanding the Activity Graphs of Website Groups, Websites, and Policies
• Understanding the Activity Graphs of Conditions


Understanding the Activity Graphs of Website Groups, Websites, and Policies

Website Groups, Websites, and Policies have activity graphs that show the mitigation activity (which Directives were
triggered) for that element, over the last seven days, in terms of requests per session (RPS).

Note that if a mitigation was not activated, it does not appear on the graph at all.

You can toggle the line for any mitigation by clicking the mitigation's title at the bottom of the graph.

You can collapse a graph by clicking anywhere on the page.

The graphs typically appear as shown in the images below. A mitigation that shows a graph with a cyclic, sinusoidal
shape, indicates that that mitigation might be the result of false positives, and further investigation is required. A
mitigation with spikes indicates a bot attack that triggered that mitigation.

Website Group Graph

Website Graph


Policy Graph


To view the activity graph of a Website Group:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.

3. For the Website Group whose graph you wish to see, click the Graph icon .

To view the activity graph of a Website:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.
3. Select a Website Group. The Website Group Configuration window appears.


4. For the Website whose graph you wish to see, click the Graph icon .

To view the activity graph of a policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.


3. For the Policy whose graph you wish to see, click the Graph icon .

Understanding the Activity Graphs of Conditions

A Condition has an activity graph that shows the number of requests for the following:

• Decider: The Condition's Directive was the one activated.
• Triggered: There was a match in the request data, whether or not the Directive was activated.
• Captcha succeeded: The Condition in the Captcha Directive was triggered and caused the Directive to be
activated, and the captcha was solved.

You can toggle the line for any of the above results by clicking on its title at the bottom of the graph.

You can collapse a graph by clicking anywhere on the page.

The graph typically appears as shown in the image below.

Note that if there was more than one triggered Condition in the Directive that was activated, they are all considered
Deciders.

Pay particular attention to the Captcha succeeded line. This is often a good indication of false positives. If you
activate a Condition in the Captcha Directive and a lot of captchas are being solved, you are seeing false positives.

To view the activity graph of a Condition:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.

2. Select the Conditions tab. The Conditions window appears.

3. For the Condition whose graph you wish to see, click the Graph icon .

Understanding the Dashboard

The dashboard provides you with a range of configurable displays that enable you to perform sophisticated analysis
of the traffic on your Websites and on the defenses you have put up using Advanced Bot Protection, enabling you to
discover attacks and refine your configuration to mitigate those attacks.

The Dashboard is divided into displays, each one showing a different aspect of the traffic or mitigation activity on your
estate.

Looker-powered displays

The following log analysis displays are entirely powered by the Looker business intelligence software. Some of the
proprietary displays have some Looker graphs embedded.

• Explore Connector Access Log
• Explore Connector Error Log
• Explore Connector Aggregated Access Log

Some of the individual graphs in the other displays are also powered by Looker. For more information on how to use
Looker, refer to the Looker documentation.

Standard displays

At the top of each of the other displays there is a filter that allows you to select from a wide variety of ways to examine
your data. For more information, see Using the Filters in the Standard Dashboard Displays.

Expanded view

You can access an expanded view of any dashboard window by clicking on the Expand view icon at the top right.

You can collapse the expanded view by clicking on the Collapse view icon at the top right.

• Accessing the Dashboard
• Using the Filters in the Standard Dashboard Displays
• Understanding Regions in the Dashboard Displays
• Understanding the Traffic Overview Display
• Understanding the Other (non-Traffic Overview) Displays
• Understanding the Usage Dashboard

Accessing the Dashboard

You can view the dashboard to analyze the traffic on your Websites and the defenses you have put up to mitigate
attacks.

To access the dashboard:

• In Advanced Bot Protection, select the Dashboard menu item.

Using the Filters in the Standard Dashboard Displays

At the top of all the standard displays is a filter that enables you to determine precisely the data that your display is
based on.

Each filter is made up of a parameter, an operator, and a value or set of values.

You select the operator from a drop down list, for example:

For some filters, you select the values from a drop down list, for others you type in text, and for yet others you do both,
as in the Date example above.

For any parameter you can add another filter condition, logically linked to any previous ones by the Boolean OR
operator, by clicking the icon.

You can remove a filter condition by clicking the icon by that filter condition.

To use the filter in a standard dashboard display:

1. In Advanced Bot Protection, select the Dashboard menu item. The Dashboard display appears.

2. At the top right, select the display from the drop down list. By default, the display selected is Traffic Overview.
3. At the top left, click Filters. The filters appear.

Each display has its own filters.

4. Make your filter selections and entries.
5. Click Run. The display changes in accordance with your filter selections.

Understanding Regions in the Dashboard Displays

Because of compliance requirements regarding the location of Personally Identifiable Information (PII) storage, you
must define for each of your Websites the region in the world in which you want that Website's data to be stored.

For more information on how to configure a Website's Data Region, see Understanding the Website Advanced
Settings and Editing a Website.

For the most part, the PII in the HTTP requests managed by Advanced Bot Protection is IP addresses.

Aggregated Data

Due to those same restrictions, raw data, and any analysis based on raw data, can be viewed for a single region only
at a time.

So that you can view analyses of data from across your entire estate irrespective of regional origin, Imperva provides
two dashboard displays that are based on aggregated data: Traffic Overview and Explore Connector Aggregated
Logs. All of the other displays use regional raw data as their input source.

Custom Dashboards

You can create a Custom Dashboard that is comprised of graphs based on raw data. Each of these graphs can be based
on data from a different region, thus enabling you to analyze traffic based on raw data, from multiple regions, on a
single display.

To create a custom dashboard:

1. In Advanced Bot Protection, select the Dashboard menu item. The Dashboards display appears.

2. In the Regions bar at the top, select any Region except Global or Custom Dashboards.
3. From the drop down list at the top right, select Explore Connector Access Log. A Looker display appears.
4. Create your query and set your display type using the Looker tools. For more information, refer to the Looker
documentation.
5. Click the Settings wheel at the top right.
6. From the drop down menu, select Save > To an existing dashboard. The Add to a Dashboard in this folder
dialog box appears.
7. Type a descriptive Title.
8. Click the account name.
9. Either select an existing dashboard or a new dashboard. If the latter, in the Enter the new Dashboard name
field, type a name for the dashboard.
10. Click OK.
11. Select the new dashboard name and click Save to Dashboard.

Understanding the Traffic Overview Display

The Traffic Overview display shows most of the information you will need to investigate bot attacks and the success of
your defenses against them. In cases where you need more data, it shows you where best to start looking.

Traffic Patterns over Time

The image below shows an example of the Traffic Patterns over Time display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

Pay attention to the relationship between Mitigated requests and Suspicious requests. Toward the left at 08:00 there
is a spike in Suspicious requests which is not matched by a similar spike in Mitigated requests indicating that there
might be an attack for which your configuration is not set up to mitigate.

Site Traffic by Requests over Time

The image below shows an example of the Site Traffic by Requests over Time display.

This is a more general overview of the traffic to your site over the designated time period. As always, a sinusoidal
cyclic pattern indicates normal human traffic whereas a flat line and/or spikes indicate bot attacks.

Mitigation Actions

The image below shows an example of the Mitigation Actions display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

This display is useful as it shows significant events.

Spikes in block, identify and captcha occur when there is an attack.

For example, if you see captcha mitigations that do not correspond with captcha cleared, that indicates that there is
an attack that is being caught, rather than false positives.

The pie chart to the right is based on the same information, but displays totals for the entire selected time interval,
rather than actions over time. This is for management-level analysis that is concerned with KPIs rather than
specific attacks, and serves as an indicator of the overall effectiveness of the bot protection.

Managed Conditions over Time

The image below shows an example of the Managed Conditions over Time display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

This display is useful to see whether a single Managed Condition has traffic patterns similar to human traffic (i.e. cyclic),
which would indicate false positives. Spikes and sharp troughs indicate bot traffic.

This is easiest to interpret if you are looking at a single site, as in the above example.

If you do find that there are false positives then you can reflect on the amplitude. If the amplitude is small then the
traffic is probably mainly bot traffic, and you may be willing to pay the price of a small number of captchas for real
users to mitigate that bot traffic.

Custom Tags Over Time

The image below shows an example of the Custom Tags Over Time display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

This display is similar to Managed Conditions over Time, but is instead based on tags that you assign to different
Conditions. This enables you to track traffic based on your own breakdown.

If you hover your mouse over the top right corner, an ellipsis appears. Hover your mouse over it and click
Explore from here to drill down into the Looker output of this data. For more information about Looker, refer to the
Looker documentation.

Captcha Trend

The image below shows an example of the Captcha Trend display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

This is a very useful display for catching false positives. It shows the relationship between captchas served and
captchas solved. (It also shows failed attempts.) Captcha Attempts are the sum of successful and failed attempts.
Captcha Requests count each time a captcha is served. Hypothetically, if the lines for Captcha Requests and Successful
Attempts are equal, you have 100% false positives. In a real scenario, you may get a tiny percentage of false positives,
but even that may be too much to justify keeping active the mitigation(s) that are triggering the captchas. You need to
weigh that against the damage that deactivating the mitigation would cause.

Machine Learning Threats over Time (Apollo Models)

The image below shows an example of the Machine Learning Threats over Time (Apollo Models) display.

You can toggle any of the lines on or off by clicking on the title of the line beneath the display.

Advanced Bot Protection provides machine learning algorithms that try to catch various types of suspicious
behaviors. Unlike the graphs based on mitigations, tags, etc., in which detection is based on a single request or a small
number of requests, the Machine Learning Threats over Time (Apollo Models) display is based on hourly processing of
huge jobs, analyzing vast swathes of traffic at once and looking for things like coordinated behavior where thousands
of IPs are acting together to accomplish some kind of sinister goal. The algorithms then generate large lists of IP
addresses and distribute them, and traffic from IPs on those lists is tagged. This can catch bot attacks that evade other
means of detection. This is detection based not on "who you are" but rather on "what are you doing": behavior-based
rather than appearance-based detection.

The different methods are summarized in the table below.

frequent_flyer: Tags active IPs which have persisted on a site sending requests over a significant and anomalous
fraction of the last 24 hours. Targets behavior of IPs that are coming back over and over.

heavy_scraper: Tags IPs which heavily hit a single URL over the last hour. Targets behavior of abusive volume
generators.

high_volume_day: Tags active IPs which have generated a very significant volume of traffic during the last 24 hours.
Targets behavior of abusive volume generators.

id_ratio_zrt: Tags IPs which change identifiers, cookies, and tokens in a manner which is inconsistent with how real
single users and proxies/gateways change identifiers over time. Targets the programmatic use of a large number of
identifiers from a single IP.

id_ratio_zzr: Tags clusters of high volume IPs closely linked in request frequency, as well as shared distribution of
platform flags. Targets behavior of IP-distributed activity.

mesas: Tags active IPs with traffic patterns that are mostly piecewise flat during the last 24 hours, indicating plateaus
of consistent volumes of traffic. Targets behavior of programmatic request generation.

missing_gen_zid: Tags IPs which have persisted on a site without ever responding to a postback challenge and
generating a valid Identifier - ZID. Targets behavior of identification evasion.

missing_util_zid: Tags IPs which have persisted on a site, but have not been observed to utilize an Identifier - ZID
(though they may be generating ZIDs). Targets behavior of identifier abuse. The model can be used to identify
anomalous behavior from automation or infrastructure quirks.

no_gen_requests: Tags IPs which have persisted on a site without ever responding to a postback challenge. Targets
behavior of identification evasion.

uas_or_pid_churn: Tags IPs which change their user agent string and/or various other HTTP headers very often, but
do not exhibit normal or expected identifier, cookie or token changes. Targets behavior of identifier manipulation.

wide_scraper: Tags IPs which have requested a very large number of unique URLs during the last hour. Targets
behavior of site-indexing and crawler-like activity.
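
The following Python is an added illustration, not Imperva's models or code: it implements a deliberately simplified version of the heavy_scraper (one IP heavily hitting a single URL within the last hour) and wide_scraper (one IP requesting many unique URLs within the last hour) heuristics over constructed access-log lines. The log format, the thresholds and the IP addresses are assumptions made for this example.

```python
"""Simplified behaviour-based IP tagging in the spirit of heavy_scraper / wide_scraper.

Added example, not the product's models. Log format, thresholds and sample
traffic are constructed for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed log format: "<ISO-8601 timestamp> <client IP> <request path>"
BASE = datetime(2023, 2, 27, 10, 0, 0)


def constructed_log() -> List[str]:
    """Build a small, labelled sample log (constructed data, not a real capture)."""
    lines: List[str] = []
    # An ordinary visitor: a handful of distinct pages, well spaced out.
    for i, path in enumerate(["/", "/books/1", "/books/2", "/cart"]):
        lines.append(f"{(BASE + timedelta(seconds=30 * i)).isoformat()} 198.51.100.5 {path}")
    # Heavy scraper: hammers one price page again and again.
    for i in range(12):
        lines.append(f"{(BASE + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 /books/1/price")
    # Wide scraper: walks many distinct URLs in a short time.
    for i in range(40):
        lines.append(f"{(BASE + timedelta(seconds=2 * i)).isoformat()} 203.0.113.9 /books/{i}")
    # Stale traffic from three hours earlier must fall outside the one-hour window.
    for i in range(12):
        lines.append(f"{(BASE - timedelta(hours=3, seconds=i)).isoformat()} 192.0.2.1 /books/1/price")
    return lines


def tag_ips(lines: List[str], now: datetime, heavy_min: int = 10, wide_min: int = 30,
            window: timedelta = timedelta(hours=1)) -> Dict[str, Set[str]]:
    """Return {ip: set_of_tags} for IPs whose behaviour in the window crosses a threshold.

    heavy_scraper: at least `heavy_min` requests to one and the same URL.
    wide_scraper:  at least `wide_min` distinct URLs requested.
    Thresholds are constructed for this example.
    """
    hits_per_ip_url: Counter = Counter()
    urls_per_ip: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ts, ip, path = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        if not (now - window <= when <= now):
            continue                      # only the last hour counts
        hits_per_ip_url[(ip, path)] += 1
        urls_per_ip[ip].add(path)

    tags: Dict[str, Set[str]] = defaultdict(set)
    for (ip, _path), n in hits_per_ip_url.items():
        if n >= heavy_min:
            tags[ip].add("heavy_scraper")
    for ip, urls in urls_per_ip.items():
        if len(urls) >= wide_min:
            tags[ip].add("wide_scraper")
    return dict(tags)


def demo() -> Dict[str, Set[str]]:
    """Tag the constructed log as seen ten minutes after BASE."""
    return tag_ips(constructed_log(), now=BASE + timedelta(minutes=10))


if __name__ == "__main__":
    for ip, tags in sorted(demo().items()):
        print(ip, sorted(tags))
```

The ordinary visitor and the stale traffic receive no tag; in the product the resulting IP lists are what the tagged-traffic graphs are built on.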

Understanding the Other (non-Traffic Overview) Displays

The non-Traffic Overview displays are summarized in the table below.

You can filter each display by Access Date and Site by using the filter drop-down fields on the top left.

If you click the ellipsis button on the right, you can access the following features:

• Clear cache and refresh: refresh the display
• Download: you can download either a PDF or a CSV of the dashboard
• Schedule: you can schedule a variety of jobs, including storing the dashboard data, sending it in an email or
Slack message.
• Reset filters: resets the filters to their default
• Set the time zone: set the time zone either per tile, or as your own, or any world time zone

Enabling Protection - Condition Analysis: Tools for analyzing the traffic associated with a specific condition before it is
enabled.

Pages per session Exceeded: Tools for helping you pick an appropriate threshold for the Requests per Session Rate
Limiting parameter.

Session Length Exceeded: Tools for helping you pick an appropriate threshold for the Session Length Rate Limiting
parameter.

Aggregator User Agents: Information about clients triggering the Aggregator User Agents Condition.

Automation: Information about clients triggering the Automation Condition.

Bad User Agents: Information about clients triggering the Bad User Agents Condition.

Known Violator Data Centers: Information about clients triggering the Known Violator Data Centers Condition.

Investigation Dashboard: Tools for investigating a single client, for instance when you want to understand why
someone triggered the captcha or block Actions.

Behavioural ML Models: Overview of traffic tagged by the Machine Learning Models.

Explore Connector Access Log: Direct access to the full traffic log (per-region).

Explore Connector Error Log: Direct access to the error log (per-region).

Explore Connector Aggregated Access Log: Direct access to the aggregated access log (compiled globally across all
regions).

Captcha Effectiveness: The number of bots vs. humans being served captchas, and how many are solving or failing
them, by the rule or condition that triggered them.

Executive Report: General executive data including: traffic types; mitigation by site; captcha effectiveness by site;
triggered conditions; traffic listing.

Understanding the Usage Dashboard

The Usage Dashboard enables you to view the number of requests that are processed by Advanced Bot Protection.

Note: This dashboard applies only if you are billed per request. If you are billed per bandwidth,
please look at your CloudWAF usage report.

This dashboard does not display your entitled amount of requests. Check your subscription page
for details.

To view the usage dashboard:

1. In Advanced Bot Protection, select the Dashboard menu item.
2. Select the Reporting Data Region from the bar at the top.
3. From the drop down list at the top-right, select Usage Dashboard. The Usage Dashboard for the selected data
region appears.

You can filter the displayed usage requests by access date and by Site (Website).

To filter the usage requests:

1. Click on the Filters link.
2. For Access Date:
   ▪ Click the first drop down list to select an operator for a range of access dates.
   ▪ Type in a number for the value.
   ▪ Click the second drop down list to select the units.

   For Site Name:
   ▪ Click the first drop down list to select an operator for a range of site names to include or exclude.
   ▪ Type in a name for the value.

   You can add another filter of either type. Use of either filter type is optional.
3. Click Run.

Exporting Dashboard Data to a Near Real Time SIEM

You can export Advanced Bot Protection's dashboard data to a near real time SIEM. This enables you to leverage the
analytical tools of your favourite SIEM.

For more information, see Near Real-Time SIEM log integration.

Working with Policies


As you draw conclusions from your analysis of the bot attacks on your own particular Website Groups and Websites,
you will want to employ counter moves against those attacks to mitigate them.

You do that by working with Policies.

Several approaches are available, as explained in detail in the procedures below.

• Working with the Default Policy
• Configuring per-Path Policies
• Managing Policies
• Managing Policy Directives and their Conditions
• Managing Conditions

Working with the Default Policy

When you add a Website Group, the Default Policy is applied to it.

The Default Policy is designed to provide a powerful, basic protection against the majority of bot attacks.

It can be edited and configured to suit your needs as the bot attacks evolve over time.

• Accessing the Default Policy
• Understanding the Structure of the Policies and the Default Policy

Accessing the Default Policy

There is a Default Policy for each Website Group.

To access a Website Group's Default Policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.

3. Select the Website Group whose Default Policy you wish to access. The Website Group Configuration window
appears.

4. Click Edit Default Policy. The Policies window appears.

Understanding the Structure of the Policies and the Default Policy

A Policy is a set of rules that govern the way Advanced Bot Protection handles requests to the protected Path.

The Default Policy is automatically applied whenever a new Website Group is created.

The Default Policy is applied to the entire Website Group, but you can assign it, or any other Policies you create, to
specific Paths in your Websites, so that your bot protection strategies can be tailored to the precise nature of the
pages being protected. For more information, see Configuring per-Path Policies.

A Directive is a container of one or more Conditions. Each Directive is defined by an Action and contains the
Conditions that, when met by a monitored HTTP request, trigger that Action.

A Policy consists of a group of Directives that have a particular order. The Directives define the rules, and the order in
which they appear defines which rules are actually applied in practice.

A Condition is a container of rules, composed of Flags or code, against which the content of incoming requests is
checked. If a match is found, then that Condition has been triggered and its Directive may be acted on.

A request has many characteristics as a function of the array of data that it contains. This data may be part of the
request header or the Advanced Bot Protection token. It is possible that one characteristic will match a Condition in
one Directive, while another characteristic will match a Condition in another Directive. In that case, the Directive that
is actually applied is the one that is higher in the order within the Policy.

For example, a request from a "good" bot, say, a search engine, has typical bot characteristics that might ordinarily
get it blocked. However, if the "good bot" characteristic itself is matched by a Condition in the Allow Directive, and if
the Allow Directive is higher up than the Block directive, then the matched Condition in the higher-placed Directive is
the Decider and the request is allowed.

Thus, the Allow Directive should always be the highest.

There is a set of out-of-the-box Conditions that you can use. Some of these are Managed Conditions which cannot be
changed. Other Conditions have parameters whose values you can edit. You can also create your own Custom
Conditions.

For more information, see Understanding Directives and Conditions.
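
The following Python is an added illustration, not Imperva's code or evaluation engine: it models the ordering rule described above (Directives walked top to bottom, the first Directive with a matched Condition is activated, all of its matched Conditions are Deciders, and every match anywhere counts as Triggered, the terms used by the Condition activity graphs). The Conditions, request fields and Directive names are constructed for this example; the "good bot" check is intentionally naive.

```python
"""Model of ordered Policy evaluation: Directives, Conditions, Deciders.

Added example, not Imperva's code. The Conditions, request fields and
Directive names below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]


@dataclass
class Condition:
    name: str
    matches: Callable[[Request], bool]   # rule checked against the request data


@dataclass
class Directive:
    action: str                          # the Action, e.g. "allow" or "block"
    conditions: List[Condition] = field(default_factory=list)


@dataclass
class Verdict:
    action: Optional[str]                # None when no Directive was activated
    deciders: List[str]                  # matched Conditions in the activated Directive
    triggered: List[str]                 # every matched Condition, activated or not


def evaluate(policy: List[Directive], request: Request) -> Verdict:
    """Walk the Directives in Policy order.

    The first Directive with at least one matched Condition is the one
    activated, and all of its matched Conditions are Deciders. Conditions
    that match in lower Directives are still Triggered (the activity graph
    counts them) but have no effect on the request.
    """
    action: Optional[str] = None
    deciders: List[str] = []
    triggered: List[str] = []
    for directive in policy:
        hits = [c.name for c in directive.conditions if c.matches(request)]
        triggered.extend(hits)
        if hits and action is None:
            action, deciders = directive.action, hits
    return Verdict(action, deciders, triggered)


# Constructed Conditions (a real "good bot" check would not rely on the UA alone).
GOOD_BOT = Condition("known_good_bot", lambda r: r.get("ua", "").startswith("Googlebot"))
BOT_LIKE_UA = Condition("bot_like_user_agent", lambda r: "bot" in r.get("ua", "").lower())
MISSING_TOKEN = Condition("missing_token", lambda r: r.get("token", "") == "")

ALLOW = Directive("allow", [GOOD_BOT])
BLOCK = Directive("block", [BOT_LIKE_UA, MISSING_TOKEN])

POLICY_ALLOW_FIRST = [ALLOW, BLOCK]   # the recommended order: Allow highest
POLICY_BLOCK_FIRST = [BLOCK, ALLOW]   # same rules, wrong order

# Constructed requests: a search-engine crawler with no token, and a browser user.
SEARCH_ENGINE: Request = {"ua": "Googlebot/2.1", "token": ""}
HUMAN: Request = {"ua": "Mozilla/5.0", "token": "zid-example"}


if __name__ == "__main__":
    for label, policy in (("allow first", POLICY_ALLOW_FIRST), ("block first", POLICY_BLOCK_FIRST)):
        v = evaluate(policy, SEARCH_ENGINE)
        print(f"{label}: action={v.action} deciders={v.deciders} triggered={v.triggered}")
```

With Allow on top the crawler is allowed and only known_good_bot is a Decider, although both Block Conditions are Triggered; with Block on top the same request is blocked and both Block Conditions become Deciders.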

Configuring per-Path Policies

You can assign different Policies to different Paths or groups of Paths in your Website Groups or Websites, as explained
in the following sections.

• Understanding per-Path Policies
• Understanding per-Path Policies and Rate Limiting
• Configuring per-Path Policies for Endpoints with API Calls
• Editing a per-Path Policy Assignment
• Deleting a per-Path Policy Assignment
• Creating a New per-Path Policy Assignment

Understanding per-Path Policies

A Path is a location or group of locations, within a Website, that is defined by a URL path or by a regular expression
that specifies characteristics of the page or pages.

Because of the varied nature of Paths and web pages in a website, there are some Paths for which you want to apply
one Policy, and there are other Paths for which you want to apply a different Policy, or indeed no Policy at all.

This is best understood with an example. Imagine a website that has some pages that have a large number of images
and nothing else. But elsewhere on the same website, there is a login page. And yet in another area of the website,
there are pages that contain the prices of the goods or services that your Website offers.

For the login page, you may want to apply a Policy that protects against brute-force type bot attacks.

For the prices pages, you may want to apply a Policy that protects against price-scraping bot attacks.

And for the pages that just show images, you may want to apply no Policy at all.

You can configure Advanced Bot Protection such that for any Path or set of Paths, you can assign a particular Policy.

Advanced Bot Protection checks for Path matching starting at the top of the list of Paths. Therefore more specific
Paths should be higher up on the list, and the most general Path should be at the bottom.

You can define Paths as they appear in the hierarchical page structure on your Website, or you can use a regular
expression.

The default configuration already contains two Paths that illustrate all of the above concepts.

Note the following:

• There are two per-Path Policy assignments in the default configuration. The user has not added any per-Path
Policies.
• The first per-Path Policy assignment is a regular expression that defines images and pages that have other
extensions that do not really need bot protection, like javascript and css. Hence the word "matches."
• For the first per-Path Policy assignment, no Policies have been assigned.
• The second per-Path Policy assignment defines all the paths in the website.
• The second per-Path Policy assignment has the Default Policy assigned to it.
• Since a request to an image file would be matched by the higher of the two per-Path Policy assignments, which
has No Policy assigned to it, no Policy would be applied to a request to an image file.
• Requests to other pages in the website are dealt with by the Default Policy.
• Each path has a Rate Limiting value, which defines how requests to that path count against Rate Limiting. For
more information, see Understanding per-Path Policies and Rate Limiting.

Understanding per-Path Policies and Rate Limiting

The concept of per-Path Policies and Rate Limiting is best understood with an example.

Imagine you have a website with a selection of books for sale: acmebooks.com. Initially your Website just has some
pages of a general nature about your books, your company, and some pages with explanations as to how to order via
email.

You decide to use Advanced Bot Protection to mitigate bot attacks. You are concerned about bots that send requests
repeatedly to your site's pages, so you use a Policy that has a "lenient" Rate limiting Condition - one that is set up to
serve a captcha if the request rate exceeds 12 requests per minute. Such a setup can be illustrated conceptually with
the diagram below:

It is important to understand how this works. Every time there is a request to a page in the Path starting with / (i.e. any
page in the site), the number of requests at the counter is incremented by 1, and the Policy checks to see if the RPM at
the counter has exceeded its limit of 12. If it has, it instructs a captcha to be served. There is one single counter that
is counting all the requests to every page in the site, and it is that total that the Policy reads.

Now imagine that you add a search page to your Website. Your search page uses a machine-readable text field to offer
suggestions each time the user types in a character. You decide that the search page has no value for a bot attack and
so you decide not to assign any Policy to the search page's Path. So that Path has no Policy assigned. This is illustrated
in the diagram below.

But now there is a problem. Since a machine-readable text field generates a request each time the user types in a
character, the expected RPM rate from such a page when in use can be 50 or more RPMs. The problem is that all these
requests are being counted at the one-and-only counter used by the Website. So if a legitimate user types in a search
and then immediately accesses one of the general pages, the rate limit Policy on that general page will refer to the
counter and will find that its limit of 12 RPM has been far exceeded, and it will serve a captcha! Even though the use
was totally legitimate and expected!

You solve this problem by configuring the Rate Limiting value in the per-Path Policy Assignment window (not to be
confused with the Rate limiting Condition inside a Policy). You configure this value to None, in the Assign Policy
window. (For more information, see Creating a New per-Path Policy Assignment.)

The effect of this is to discard all request counts from requests to that Path and is illustrated in the diagram below.

So now, the high number of requests to the machine-readable text field pages are not counted at all, and the rate limit
policy on the general pages works as it should.

This appears in the Advanced Bot Protection UI as in the image below. This is precisely how the Default Policy is
constructed.

Now imagine that you add a login page to your website. Your login page is sensitive to bot attacks that try to steal
account credentials and is thus a high-value target. (For more information, see Advanced Bot Protection Use Cases
and Best Practices.) One of the bot attack mitigations you want to use is also based on rate limiting, but you want a
more stringent RPM value for this more sensitive page, say 5 RPM.

Your new setup now looks like the diagram below.

But now you have a similar problem to the one you had earlier. Requests to both Paths are being counted by the one
and only counter that the site uses. This means that, just like before, if there is legitimate use of the general pages up
to the 12 RPM limit on that path but higher than the 5 RPM for the login page Path, any requests to the login will
exceed the login page Path's rate limit and a captcha will be served.

You solve this problem by assigning a custom scope Rate Limit to that Path. You do this by configuring the Rate
Limiting value in the per-Path Policy Assignment window to Rate limiting by custom scope, and giving that
custom scope a name (in this example: login).

By assigning a custom scope Rate Limit to a path, you are in effect creating a separate request counter for that Path.
This is illustrated in the diagram below.

Now, requests to the general pages are counted by the overall site counter at the bottom, but requests to the login
page are counted by the counter defined by the custom scope login. A request is counted by one counter or the other,
never both. So the stringent rate limit policy refers to the counter defined by the custom scope login and that counter
is not incremented by requests to the general pages. So no undeserved captchas will be served.

This is how you assign this in the Assign Policy window.


The result appears in the Advanced Bot Protection UI as in the image below:

In summary, there are three Rate Limiting options for any Path:

• Per Website: This is the default option. Requests to all Paths in this Website Group are totalled. A Rate Limiting
  Condition will use that total, even if that Condition is in a Policy that is assigned to a different Path.
• Rate limit per custom scope: By selecting this option and entering a text string in the field, you define a Custom
  Scope for this Path. Requests to this Path (and other Paths with the same Custom Scope) are totalled separately
  from requests elsewhere. So you can make sure that requests to a Path where high request rates are legitimate
  (like pages with images) will not activate a block or captcha on requests to a Path where high request rates are
  suspicious (like a login page).
• No Rate Limiting: Requests to this Path are not counted against the rate limit anywhere in the site, including
  this Path. The request counts are simply discarded.


Note: It should be clear from the above explanation that the Rate Limiting option and Custom Scope
assigned to a Path are a setting entirely separate from the Policy assigned to that Path. Rate
Limiting and Custom Scope determine how requests to that Path are counted: they are either
accumulated together with requests to all other Paths (the default), or accumulated only with requests to
this Path (and any others assigned the same Custom Scope), or not accumulated at all (No Rate
Limiting).
A Policy assigned to a Path defines the Actions that are triggered by requests made to that Path
when the Policy's Conditions are met.
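The following Python script is an added illustration and is not part of the Imperva documentation or product. It models the three Rate Limiting options as request counters and replays the login-page scenario above twice: once with the login Path sharing the per-Website counter, and once with the login Path in its own custom scope. The one-minute window, the single client, the longest-prefix matching of Path assignments and the 12 RPM / 5 RPM values are assumptions made for this example; the service's real counting algorithm is not documented here.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The three Rate Limiting options a per-Path Policy Assignment can take.
PER_WEBSITE = "per_website"      # counted by the Website Group's single counter
CUSTOM_SCOPE = "custom_scope"    # counted by a counter shared only by Paths with the same scope name
NO_RATE_LIMIT = "no_rate_limit"  # not counted anywhere


@dataclass
class PathAssignment:
    prefix: str
    rate_limiting: str                 # one of the three options above
    scope_name: Optional[str] = None   # only meaningful for CUSTOM_SCOPE
    max_rpm: Optional[int] = None      # custom value; None means "use the Website Group default"


@dataclass
class RateLimiter:
    default_rpm: int
    assignments: List[PathAssignment]
    # Counters for the current one-minute window (assumed: one client, no window rollover).
    counters: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def assignment_for(self, path: str) -> Optional[PathAssignment]:
        """Longest matching Path prefix wins (an assumption for this model)."""
        matches = [a for a in self.assignments if path.startswith(a.prefix)]
        return max(matches, key=lambda a: len(a.prefix), default=None)

    def counter_key(self, path: str) -> Optional[str]:
        """Which counter a request to this path increments, or None if it is never counted."""
        a = self.assignment_for(path)
        if a is None or a.rate_limiting == PER_WEBSITE:
            return "website"
        if a.rate_limiting == CUSTOM_SCOPE:
            return f"scope:{a.scope_name}"
        return None

    def request(self, path: str) -> str:
        """Count one request and return 'captcha' if the Rate Limiting Condition for
        this path fires, else 'pass'. A request goes to exactly one counter, never two."""
        key = self.counter_key(path)
        if key is None:
            return "pass"
        self.counters[key] += 1
        a = self.assignment_for(path)
        limit = a.max_rpm if (a and a.max_rpm) else self.default_rpm
        return "captcha" if self.counters[key] > limit else "pass"


def login_scenario(login_in_custom_scope: bool) -> Tuple[str, Dict[str, int]]:
    """Replay 12 legitimate general-page requests (exactly the 12 RPM site limit),
    40 image requests on a Path with No Rate Limiting, then one login request.
    Returns the action taken on the login request and the counter state."""
    login = PathAssignment(
        "/login",
        CUSTOM_SCOPE if login_in_custom_scope else PER_WEBSITE,
        scope_name="login" if login_in_custom_scope else None,
        max_rpm=5,
    )
    limiter = RateLimiter(default_rpm=12, assignments=[
        PathAssignment("/", PER_WEBSITE),
        login,
        PathAssignment("/static/", NO_RATE_LIMIT),
    ])
    for i in range(12):
        limiter.request(f"/products/{i}")
    for _ in range(40):
        limiter.request("/static/hero.jpg")
    return limiter.request("/login"), dict(limiter.counters)


if __name__ == "__main__":
    # Shared counter: the login Condition sees 13 > 5 and serves an undeserved captcha.
    print("per-Website:", login_scenario(False))
    # Custom scope: the login counter reads 1, so the legitimate login passes.
    print("custom scope:", login_scenario(True))
```

The image requests never touch a counter, which is the No Rate Limiting case; the login request increments either the shared website counter or the login scope counter, never both.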


Configuring per-Path Policies for Endpoints with API Calls

When you assign Advanced Bot Protection to protect a new Website, Advanced Bot Protection identifies and displays
the Paths in your Website whose pages make API calls.


The following Directives do not work with pages that have API calls in them: captcha and identify.


It is strongly recommended that you configure a per-Path Policy for any path that is shown as having an API call, and
that those per-Path Policies' captcha and identify Directives be empty of Conditions.

To see the paths in your website that have API calls in them:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.
3. Click on a Website Group. The Website Group Configuration window appears.
4. Click Edit per-Path Policies. The per-Path Policy Assignments window appears.
5. If Advanced Bot Protection detects that the Website Group has API endpoints, the API paths action
   recommendation box appears. Click on it. The list of Paths that contain API calls appears.


6. Click the relevant Assign new per-Path Policy link for a Path. The Assign per-Path Policy dialog box
   appears.


7. Make your selections and/or enter values according to the table below. Assign Policies whose captcha and
   identify Directives are empty of Conditions, or contain only disabled Conditions, so that those Directives are
   never activated.
8. Click the Assign this Policy button.
9. Repeat steps 6 - 8 until you have assigned appropriate per-Path Policies to all the Paths that have API calls.

Type
    The type of Path. Values are:
    • Path Prefix Match: Allows you to set the prefix that defines the Paths to which you will assign a Policy.
    • Path Regex Match: Allows you to enter a regular expression that defines the Paths to which you will assign a
      Policy.
    • Javascript Challenge: Assigns the Policy to all requests that are from Javascript.
    • iOS Challenge: Assigns the Policy to all requests that are from Apple iOS devices. This covers bot threats that
      are unique to Apple iOS.
    • Android Challenge: Assigns the Policy to all requests that are from Android devices. This covers bot threats
      that are unique to the Android operating system.

Path Prefix
    Type the Path prefix that defines the Path(s) to which the Policy is assigned. Appears if you selected the Path
    Prefix Match Type.

Path Regex
    Type the regular expression that defines the Path(s) to which the Policy is assigned. Appears if you selected
    the Path Regex Match Type.

Policy
    Select the Policy you wish to apply to the defined Path(s).

Rate Limiting
    Select one of the Rate Limiting options:
    • Per Website: This is the default option. Requests to any Path in this Website Group are totalled. A Rate
      Limiting Condition will use that total, even if that Condition is in a Policy that is assigned to a different
      Path.
    • Rate Limit per Custom Scope: Setting up a Custom Scope for a particular Path means that requests to this Path
      (and other Paths with the same Custom Scope) are totalled separately from requests elsewhere. This means you
      can make sure that requests to a Path where high request rates are legitimate (like pages with images) will
      not activate a block or captcha on requests to a Path where high request rates are suspicious (like a login
      page).
    • No Rate Limiting: Requests to this Path do not count at all against Rate Limiting Conditions in any Policies
      that apply anywhere in the Website. The request counts are simply discarded.

Rate Limiting Values
    Choose between:
    • Use the default website group values: For this particular per-Path Policy, use the default Website Group
      values. For more information, see Editing a Website Group - Default Rate Limiting Values.
    • Custom values: Type your own values for each of the three rate limiting parameters:
        • Max requests per minute
        • Max requests per session
        • Max session length (type in a value and select the units from the next drop-down list.)


Editing a per-Path Policy Assignment

You can edit the various parameters of a per-Path Policy assignment.

For more information on Paths, see Path and Understanding per-Path Policies.

To edit a per-Path Policy assignment:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.
3. Click on a Website Group. The Website Group Configuration window appears.
4. Click Edit per-Path Policies. The per-Path Policy Assignments window appears.

5. Hover your mouse over the assignment you wish to edit and click the Edit per-Path Policy Assignment icon
on the right. The Assign Policy window appears.


6. Make your selections and/or enter values according to the table below.
7. Click the Assign this Policy button.

Type
    The type of Path. Values are:
    • Path Prefix Match: Allows you to set the prefix that defines the Paths to which you will assign a Policy.
    • Path Regex Match: Allows you to enter a regular expression that defines the Paths to which you will assign a
      Policy.
    • Javascript Challenge: Assigns the Policy to all requests that are from Javascript.
    • iOS Challenge: Assigns the Policy to all requests that are from Apple iOS devices. This covers bot threats that
      are unique to Apple iOS.
    • Android Challenge: Assigns the Policy to all requests that are from Android devices. This covers bot threats
      that are unique to the Android operating system.

Path Prefix
    Type the Path prefix that defines the Path(s) to which the Policy is assigned. Appears if you selected the Path
    Prefix Match Type.

Path Regex
    Type the regular expression that defines the Path(s) to which the Policy is assigned. Appears if you selected
    the Path Regex Match Type.

Policy
    Select the Policy you wish to apply to the defined Path(s).

Rate Limiting
    Select one of the Rate Limiting options:
    • Per Website: This is the default option. Requests to any Path in this Website Group are totalled. A Rate
      Limiting Condition will use that total, even if that Condition is in a Policy that is assigned to a different
      Path.
    • Rate Limit per Custom Scope: Setting up a Custom Scope for a particular Path means that requests to this Path
      (and other Paths with the same Custom Scope) are totalled separately from requests elsewhere. So you can make
      sure that requests to a Path where high request rates are legitimate (like pages with images) will not
      activate a block or captcha on requests to a Path where high request rates are suspicious (like a login page).
    • No Rate Limiting: Requests to this Path do not count at all against Rate Limiting Conditions in any Policies
      that apply anywhere in the Website. The request counts are simply discarded.

Rate Limiting Values
    Choose between:
    • Use the default website group values: For this particular per-Path Policy, use the default Website Group
      values. For more information, see Editing a Website Group - Default Rate Limiting Values.
    • Custom values: Type your own values for each of the three rate limiting parameters:
        • Max requests per minute
        • Max requests per session
        • Max session length (type in a value and select the units from the next drop-down list.)


Deleting a per-Path Policy Assignment

You may want to delete a per-Path Policy assignment that is no longer used.

To delete a per-Path Policy assignment:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.
3. Click on a Website Group. The Website Group Configuration window appears.


4. Click Edit per-path Policies. The per-Path Policy Assignments window appears.

5. Hover your mouse over the assignment you wish to delete and click the Delete button. The confirmation dialog
   box appears.
6. Click OK.


Creating a New per-Path Policy Assignment

You can create a new per-Path Policy assignment at any time, as part of your response to evolving bot attacks.

To create a new per-Path Policy Assignment:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.
3. Click on a Website Group. The Website Group Configuration window appears.


4. Click Edit per-path Policies. The per-Path Policy Assignments window appears.

5. Click the Assign new Per-Path Policy button. The Assign Per-path Policy window appears at the top.


6. Make your selections and/or enter values according to the table below.
7. Click the Assign this Policy button.

Type
    The type of Path. Values are:
    • Path Prefix Match: Allows you to set the prefix that defines the Paths to which you will assign a Policy.
    • Path Regex Match: Allows you to enter a regular expression that defines the Paths to which you will assign a
      Policy.
    • Javascript Challenge: Assigns the Policy to all requests that are from Javascript.
    • iOS Challenge: Assigns the Policy to all requests that are from Apple iOS devices. This covers bot threats that
      are unique to Apple iOS.
    • Android Challenge: Assigns the Policy to all requests that are from Android devices. This covers bot threats
      that are unique to the Android operating system.

Path Prefix
    Type the Path prefix that defines the Path(s) to which the Policy is assigned. Appears if you selected the Path
    Prefix Match Type.

Path Regex
    Type the regular expression that defines the Path(s) to which the Policy is assigned. Appears if you selected
    the Path Regex Match Type.

Policy
    Select the Policy you wish to apply to the defined Path(s).

Rate Limiting
    Select one of the Rate Limiting options:
    • Per Website: This is the default option. Requests to any Path in this Website Group are totalled. A Rate
      Limiting Condition will use that total, even if that Condition is in a Policy that is assigned to a different
      Path.
    • Rate Limit per Custom Scope: Setting up a Custom Scope for a particular Path means that requests to this Path
      (and other Paths with the same Custom Scope) are totalled separately from requests elsewhere. So you can make
      sure that requests to a Path where high request rates are legitimate (like pages with images) will not
      activate a block or captcha on requests to a Path where high request rates are suspicious (like a login page).
    • No Rate Limiting: Requests to this Path do not count at all against Rate Limiting Conditions in any Policies
      that apply anywhere in the Website. The request counts are simply discarded.

Rate Limiting Values
    Choose between:
    • Use the default website group values: For this particular per-Path Policy, use the default Website Group
      values. For more information, see Editing a Website Group - Default Rate Limiting Values.
    • Custom values: Type your own values for each of the three rate limiting parameters:
        • Max requests per minute
        • Max requests per session
        • Max session length (type in a value and select the units from the next drop-down list.)


Managing Policies

You can perform the following actions with Policies:

• Create a policy from scratch.
• Clone a policy.
• Rename a policy.
• Delete a policy.
• Edit an existing policy. This option has many possibilities and is covered in its own section. For more
  information, see Managing Policy Directives and their Conditions.

• Creating a New Policy
• Cloning a Policy
• Renaming a Policy
• Deleting a Policy


Creating a New Policy

You can create a new Policy.

When you create a new Policy, you must decide if it will be based on Standard Directives, or Custom Directives.

• Standard Directives: A Policy with Standard Directives has the six Directives provided by Imperva, in the
recommended order.
• Custom Directives: When you create a Policy with Custom Directives, you can reorder and/or delete the
Directives, or add new Directives with names of your choosing. For more information, see Adding and
Reordering Directives.

Any newly created Policy has no Conditions in any of its Directives. You must add these yourself. For more
information, see Managing Policy Directives and their Conditions.

To create a new Policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.


3. Click the Create New Policy button. The Create Policy window appears.


4. Type a Name for the new Policy.
5. Select either Standard Directives or Custom Directives. For almost all cases, it is recommended that you select
   Standard Directives.
6. If you selected Standard Directives, click Create.

   If you selected Custom Directives, the Directives appear in the dialog box. You can reorder the Directives and
   add Directives. Customize your Directives and click Create.


Cloning a Policy

You can create a new policy from an existing one by cloning an existing policy.

This is particularly useful when you want to start testing variations of the Default Policy.

To clone a policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.


3. Click the Clone Policy button for the Policy you wish to clone. The Clone Policy dialog box appears.


4. Type the new Name.
5. Click Clone.


Renaming a Policy

You can rename any Policy.

To rename a Policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.


3. Click the Rename Policy button for the Policy you wish to rename. The Policy Name becomes editable.
4. Type the new Name.


5. Click anywhere outside the text field.


Deleting a Policy

You can delete any Policy.

To delete a policy:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.


3. Click the Delete Policy button for the Policy you wish to delete.
4. Click OK in the confirmation dialog box.


Managing Policy Directives and their Conditions

The following sections describe the various ways you can manage Directives and Conditions to get the best results
from Advanced Bot Protection.

• Understanding Directives and Conditions
• Inserting a Condition into a Directive
• Configuring the Status of a Condition
• Editing a Condition's Tags
• Understanding and Editing Conditions
• Moving a Condition to a Different Directive
• Adding and Reordering Directives


Understanding Directives and Conditions

Directives are named for the Action they carry out, and contain the Conditions that trigger that Action.

Advanced Bot Protection provides six out-of-the-box Directives. They are summarized in the Directives table below.

A Condition is a container of rules, composed of Flags or code, against which the content of incoming requests are
checked. If a match is found, then that Condition has been triggered and its Directive may be acted on.

If data in a request matches one of the Conditions in a Directive, then the Directive is activated and its Action taken.
However, the order of the Directives in a Policy is critical. If data in a request matches a Condition in one Directive, and
other data in the same request matches a different Condition in another Directive, then it is the higher Directive that is
activated and any matches to Conditions in lower Directives are ignored - they may be logged, but their Actions are
not carried out. For more information, see Understanding the Structure of the Policies and the Default Policy.

Activities with Directives

Add new Directive
    Add totally new Directives, name them as you wish and insert whichever Conditions you like. For most users,
    the six Directives supplied should be sufficient. You can add new Directives to non-Default Policies only.
    See: Adding and Reordering Directives

Insert a Condition into a Directive
    Insert a Condition into a Directive to expand the Directive's match capabilities.
    See: Inserting a Condition into a Directive

Configure the status of a Condition
    A Condition's Status can be one of the following. You can toggle between them at any time:
    • Active: A request with data that matched the Condition causes that Directive to be activated.
    • Passive: A request with data that matched the Condition does not cause that Directive to be activated, but
      the match is logged.
    • Disabled: A request with data that matched the Condition does not cause that Directive to be activated, and
      the match is not logged.
    See: Configuring the Status of a Condition

Edit a Condition's Tags
    You can assign Tags to a Condition. Tags are used for monitoring, as there are graphs that show which
    Conditions are activated based on their tags. This allows the grouping of Conditions in meaningful ways for
    monitoring.
    See: Editing a Condition's Tags

Edit a Condition
    Edit the parameters and/or the Flags of certain types of Conditions.
    See: Understanding and Editing Conditions

Move a Condition
    You can move a Condition from one Directive to another. This is useful, for example, when you have checked a
    Condition for false positives in the captcha Directive, and now you want to move it to the block Directive.
    See: Moving a Condition to a Different Directive

Reorder Directives
    Reorder Directives to change which Directives have priority.
    See: Adding and Reordering Directives

Directives

allow
    Description: If a Condition in the allow Directive is matched, the request is allowed through. Note that this
    Action may still be overridden by a more stringent instruction from another CloudWAF service, if active.
    Recommended placement: Always at the top. If you have decided that a particular characteristic of a request
    demands its free passage, then no other characteristic should impede it.

block
    Description: Stop the request from getting to the target. Use the block Directive for Conditions that match on
    data that can only come from a bot.
    Recommended placement: Just below allow.

captcha_cleared
    Description: Once a captcha has been resolved, you do not want a characteristic that matches a Condition under
    captcha to activate a captcha again afterward, at least for a time period. You can configure that time period.
    Recommended placement: Always above captcha.

captcha
    Description: Activates a captcha page. This Directive is used for the most frequently encountered suspicious
    request content.
    Recommended placement: Below block and captcha_cleared.

identify
    Description: There are cases where legitimate user traffic may look like a bot or some malicious intervention:
    • a client has a slow connection
    • a user has set the browser to not accept cookies
    • a user has disabled the browser's javascript, or is using an ad-blocker, thus preventing Advanced Bot
      Protection's javascript challenge from fingerprinting the client
    To avoid impeding legitimate users, you want to give requests that might fall into the above categories an
    additional chance to identify themselves. With identify, you replace the page that the user requested with a
    page that explains why the user is being held back, for a suitable time period, say 10 seconds. A client with
    a slow connection thus gets the javascript loaded, and this Directive is not activated for it again. In the
    other cases, the user sees an explanation that they should either enable cookies, disable the ad blocker, or
    enable javascript. If the client is a bot, it can proceed no further: for a bot, identify is a block.
    Recommended placement: Below captcha.

tarpit
    Description: If a Condition in the tarpit Directive is matched, the response is never sent. This confounds
    attacks by leaving the bot waiting as long as possible, draining the bot's resources and lowering the number
    of requests it is able to make. In contrast to delay, the tarpit Directive would cause enormous harm to a human
    user, so it should include only those Conditions that are shown never to produce false positives.
    Recommended placement: Below identify.

delay
    Description: If a Condition in the delay Directive is matched, the response is delayed by a few seconds. This
    confounds some types of attacks in the following way:
    • A bot cannot be sure if the delay is due to a slow server or to a defense.
    • It reduces the efficiency of attacks that rely on a sequence of requests, and many do. If each request incurs
      a second of latency, the advantages of an automated bot attack are largely nullified.
    Delay confers these advantages without much harm to a human user, as a second of latency is not perceived as
    unusual, so delay can be applied quite liberally.
    Recommended placement: Below identify.

monitor
    Description: If a Condition in the monitor Directive is matched, no Action is taken but the match is logged.
    The monitor Directive constitutes a staging area in which you can test Conditions to see if they are
    generating false positives. You can keep a Condition here, monitor the activity it generates, and refine it
    until it no longer generates false positives. Only then do you want to promote it to a different Directive and
    activate it.
    Recommended placement: Always at the bottom.
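The Python script below is an added illustration and is not Imperva's code. It models the rule that the highest Directive holding an Active matching Condition decides the Action, while Passive matches and matches in lower Directives are only logged, and it applies that rule through a per-Path assignment in which a hypothetical /api/ prefix gets a Policy whose captcha and identify Directives are left empty, as recommended in Configuring per-Path Policies for Endpoints with API Calls. The Directive names and their order come from the table above; the Conditions' match logic, the request fields, the sample requests and the /api/ assignment are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACTIVE, PASSIVE, DISABLED = "active", "passive", "disabled"

# Directive names in the recommended order from the table above: a match higher up wins.
DIRECTIVE_ORDER = ["allow", "block", "captcha_cleared", "captcha",
                   "identify", "tarpit", "delay", "monitor"]


@dataclass
class Condition:
    name: str
    matches: Callable[[dict], bool]   # stands in for a real Condition's Flags or code (assumed)
    status: str = ACTIVE


@dataclass
class Policy:
    name: str
    directives: Dict[str, List[Condition]]   # Directive name -> its Conditions; absent = empty


def evaluate(policy: Policy, request: dict) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Walk the Directives top to bottom. The first Directive holding an Active
    Condition that matches supplies the Action. Passive matches, and Active matches
    in lower Directives, are logged but never acted on; Disabled Conditions are skipped."""
    action, log = "pass", []
    for directive in DIRECTIVE_ORDER:
        for cond in policy.directives.get(directive, []):
            if cond.status == DISABLED or not cond.matches(request):
                continue
            log.append((directive, cond.name, cond.status))
            if cond.status == ACTIVE and action == "pass":
                action = directive
    return action, log


def build_assignments() -> Dict[str, Policy]:
    """A Default Policy plus a per-Path Policy for an assumed /api/ prefix.
    Condition names echo the Existing Conditions list; their tests are toy stand-ins."""
    search_engine = Condition("Search engines", lambda r: r["ua"] == "Googlebot")
    bad_ua = Condition("Bad user agents", lambda r: r["ua"] in {"curl", "python-requests"})
    rate_limit = Condition("Rate limiting", lambda r: r["rpm"] > 12)
    # Still being checked for false positives, so it only logs from the captcha Directive.
    automation = Condition("Automation", lambda r: r.get("webdriver", False), status=PASSIVE)
    no_cookies = Condition("No cookies accepted", lambda r: not r["cookies"])

    default = Policy("Default", {
        "allow": [search_engine],
        "block": [bad_ua],
        "captcha": [rate_limit, automation],
        "identify": [no_cookies],
    })
    # API clients cannot solve a captcha or run the identify page's javascript, so those
    # Directives stay empty and the same Conditions are moved to delay and monitor instead.
    api = Policy("API", {
        "allow": [search_engine],
        "block": [bad_ua],
        "captcha": [],
        "identify": [],
        "delay": [Condition("Rate limiting", rate_limit.matches)],
        "monitor": [Condition("No cookies accepted", no_cookies.matches)],
    })
    return {"/": default, "/api/": api}


def decide(request: dict) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Choose the per-Path Policy by longest matching prefix (assumed), then evaluate."""
    assignments = build_assignments()
    prefix = max((p for p in assignments if request["path"].startswith(p)), key=len)
    return evaluate(assignments[prefix], request)


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        {"path": "/products", "ua": "Googlebot", "rpm": 50, "cookies": True},
        {"path": "/products", "ua": "Mozilla/5.0", "rpm": 20, "cookies": True},
        {"path": "/products", "ua": "Mozilla/5.0", "rpm": 1, "cookies": True, "webdriver": True},
        {"path": "/api/v1/items", "ua": "Mozilla/5.0", "rpm": 20, "cookies": False},
    ]
    for req in samples:
        action, log = decide(req)
        print(f"{req['path']:<14} -> {action:<8} logged: {log}")
```

The Googlebot request matches both allow and captcha, and allow wins because it sits higher; the same over-rate request to the general pages is served a captcha, but on the API Path it is only delayed, because that Policy has nothing in captcha or identify.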


Inserting a Condition into a Directive

You can insert a Condition into a Directive.

When the data in a request matches a Condition in a Directive, that Directive's Action is activated.

There are two types of Conditions that you can insert:

• Existing Condition: This is either a Managed Condition - an Advanced Bot Protection out-of-the-box Condition
that you cannot edit - or any other Condition that you are already using in your account.
• New Condition: A condition that you need to create, based on a given template, or a custom Condition.

A summary of the Existing Conditions is presented in the table below. For a summary of the New Condition templates,
see Creating a New Condition.

To insert a Condition into a Directive:

1. Access the Policy in which you wish to insert a Condition into a Directive, in either of the following ways:

   Access the Default Policy. For more information, see Accessing the Default Policy.

   or

   Access any Policy:
      a. In Advanced Bot Protection, verify that the Settings menu item is selected.
      b. Select the Policies tab. The Policies window appears.
      c. Select a Policy. The Policy Details window opens for that Policy.

2. Click the Insert Condition button by the Directive to which you wish to add the Condition. The Insert
   Condition dialog box appears.

3. Select either Existing Conditions or Condition Templates.

4. If you selected Existing Conditions, click Insert by the Condition you wish to insert. The Condition is inserted.

   If you selected Condition Templates:
      a. Click Create by the Condition template you wish to use to create your Condition. The Create Condition
         dialog box opens. The Create Condition dialog box is different for each new Condition template.
      b. Type in the data for your particular Condition. For more information, see Creating a New Condition.
      c. Click Save.

Existing Conditions

Social media
    The request comes from a known social media platform.
    Recommended Directive: allow

Search engines
    The request comes from a search engine crawler.
    Recommended Directive: allow

Monitoring Tools
    The request comes from a known monitoring tool, currently one of: Host Tracker, New Relic, Pingdom, or Uptime
    Robot.
    Recommended Directive: allow

Financial Data Aggregators
    The request comes from one of the data aggregator IP ranges attributed to ASNs owned by financial/fintech
    organizations.
    Recommended Directive: allow

Bad challenge postback
    The user failed certain correctness checks when submitting the postback. Indicative of tampering with the
    cookie.
    Recommended Directive: block

Invalid token
    The token stored in the cookie was not decryptable. Indicative of tampering with the initial communication.
    Recommended Directive: block

Known violator data centers
    Malicious data center IPs seen across Imperva's entire network.
    Recommended Directive: block or captcha

Bad user agents
    Standard checks for invalid user agents.
    Recommended Directive: block or captcha

Rate limiting
    Choose one from a range of parameters to set a limit on the amount of traffic that an identified user can
    generate.
    Recommended Directive: captcha

Browser environment anomalies
    Standard checks on the validity of the postback, where a failure is usually indicative of tampering.
    Recommended Directive: block or captcha

Force identify known violators
    The user is on the list of known violators, as tracked using header ID. This identifier is usually not globally
    unique, and it is therefore recommended to require that users on that list identify themselves by acquiring a
    token.
    Recommended Directive: identify

Automation
    Checks for browser automation tools, such as Selenium and WebDriver.
    Recommended Directive: block or captcha

Aggregator user agents
    User agents of known crawlers.
    Recommended Directive: block or captcha


Configuring the Status of a Condition

A Condition's Status can be one of the following. You can toggle between them at any time:

• Active: A request with data that matched the Condition causes that Directive to be activated.
• Passive: A request with data that matched the Condition does not cause that Directive to be activated, but the
match is logged.
• Disabled: A request with data that matched the Condition does not cause that Directive to be activated, and the
match is not logged.

To configure the status of a Condition:

1. Access the desired Policy, in either of the following ways:

   Access the Default Policy. For more information, see Accessing the Default Policy.

   or

   Access any Policy:
      a. In Advanced Bot Protection, verify that the Settings menu item is selected.
      b. Select the Policies tab. The Policies window appears.
      c. Select a Policy. The Policy Details window opens for that Policy.

2. Click on the Condition whose status you wish to configure. The Condition's Flags and functionality buttons
   appear.

3. Select the desired Status by clicking on either Disable, Passive, or Active.


Editing a Condition's Tags

You can assign Tags to a Condition. Tags are used for monitoring as there are graphs that show which Conditions are
activated based on their tags. This allows the grouping of Conditions in meaningful ways for monitoring.

To edit a Condition's tags:

1. Access the desired Policy, in either of the following ways:

   Access the Default Policy. For more information, see Accessing the Default Policy.

   or

   Access any Policy:
      a. In Advanced Bot Protection, verify that the Settings menu item is selected.
      b. Select the Policies tab. The Policies window appears.
      c. Select a Policy. The Policy Details window opens for that Policy.

2. Click on the Condition whose Tags you wish to edit. The Condition's Flags and functionality buttons appear.

3. Click Edit Tags. The Edit Tags dialog box appears.

4. You can do the following:

   To delete an unwanted Tag, click the x in its box.

   To add a Tag, type in the name of the Tag. You can add more than one Tag, separating them by commas.

5. Click Save.

Understanding and Editing Conditions

There are three types of Conditions and these types affect your editing capabilities for those Conditions.

• Managed Conditions: Prepackaged Advanced Bot Protection Conditions that you cannot edit directly. The code
is managed by Imperva to ensure optimal efficacy as new bot threats emerge.
• Condition Template: A set of prepackaged Advanced Bot Protection Condition templates, each of which has
parameters that you can edit. However, like the Managed Conditions, you cannot edit their code directly; to do
so, you must create a Custom Condition, copy over the coded Flags, and modify the Flags there. In effect, you
are creating a new Condition based on the non-Managed Condition.
• Custom Conditions: A Condition Template that does allow you to edit the Flags directly. You can use a Custom
Condition to create a Condition from scratch, or to create a new Condition based on an existing Condition, by
copying over the existing Condition's code and modifying it.

When you create a Custom Condition from scratch you can use Flags and/or code.

A Condition is made up of one or more of the following:

• Flags: A Flag is a prepackaged test or rule that looks for a specific data item in the incoming request. The
majority of Conditions, and indeed all of the Conditions in the Default Policy, are made up of Flags only. To
create your own Condition that uses one Flag only, use the Flags Condition Template. To create your own
Condition that uses more than one Flag, use the Custom Conditions Template, where you can also use code,
as explained below. When you select the Flags Condition Template, you get access to full documentation for all
the Flags.
• Code: Advanced Bot Protection offers you the use of a proprietary language called Moi to create your own
Conditions. You must use the Custom Conditions Template to create a Condition that is based on Moi code. (It
can also contain Flags and/or Properties.)
• Properties: Moi uses a set of Properties whose values can be matched against an incoming request. To create
your own Condition that uses one Property only, use the Property Field Condition Template. To create your
own Condition that uses more than one Property, use the Custom Conditions Template, where you can also
use code, as explained below. When you select the Property Field Condition Template, you get access to full
documentation for all the Properties.

You can edit the Tags for any type of Condition. For more information, see Editing a Condition's Tags.

To edit a Templated Condition:

1. Access the desired Policy in either of the following ways:

Access the Default Policy. For more information, see Accessing the Default Policy.

or

Access any Policy. Follow the procedure below:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Select the Policies tab. The Policies window appears.

4. Select a Policy. The Policy Details window opens for that Policy.

2. Click on the Condition whose parameters you wish to edit. The Condition's Flags and functionality buttons
appear.

3. Click Edit. The Edit Condition dialog box appears.

4. Enter values for the parameters. The exact parameters are different for each Condition. For more information,
see the table in Adding a New Condition.
5. Click Save.

To edit a Custom Condition:

1. Access the desired Policy in either of the following ways:

Access the Default Policy. For more information, see Accessing the Default Policy.

or

Access any Policy. Follow the procedure below:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Select the Policies tab. The Policies window appears.
4. Select a Policy. The Policy Details window opens for that Policy.
2. Click on the Custom Condition whose parameters you wish to edit. The Condition's Flags and functionality
buttons appear.

3. Click Edit. The Edit Condition dialog box appears.

4. Enter values for the Name and Description parameters. In the Code text field, enter the Flags you wish to make
up your Condition.
5. Click Save.

Note: You can also edit a non-Managed or Custom Condition from the Conditions tab. For more
information, see Managing Conditions.

Moving a Condition to a Different Directive

You can move a Condition from one Directive to another. This is useful, for example, when you have checked a
Condition for false positives in the captcha Directive, and now you want to move it to the block Directive.

To move a Condition to a different Directive:

1. Access the desired Policy in either of the following ways:

Access the Default Policy. For more information, see Accessing the Default Policy.

or

Access any Policy. Follow the procedure below:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.

3. Select a Policy. The Policy Details window appears for that Policy.

2. Click on the Condition you wish to move. The Condition's Flags and functionality buttons appear.

3. Click Move. The Move Condition dialog box appears.

4. Select the Target Directive (to where you want to move the Condition).
5. Click Move.

Adding and Reordering Directives

You can add Directives to a Policy and change the order of the Directives in a Policy.

You can perform these actions only for Policies that you yourself have created. You cannot add and/or reorder
Directives in the Default Policy.

To add/reorder Directives:

1. Access the desired Policy in either of the following ways:

Access the Default Policy. For more information, see Accessing the Default Policy.

or

Access any Policy. Follow the procedure below:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Policies tab. The Policies window appears.

3. Select a Policy. The Policy Details window appears for that Policy.

2. Click Add/Reorder Directives. The Add/Reorder Directives dialog box appears.

3. To reorder Directives:
   ▪ Click on a Directive and drag-and-drop it to the desired place in the list.

   To add a Directive:

   1. Type the name of the new Directive in the text field.
   2. Click Add New Directive.
4. Click Apply.

Managing Conditions

You can configure Conditions individually. Or you can configure Conditions together, as a group. For this latter task,
create a Condition Group of the Conditions you wish to configure together.

The Conditions tab enables you to view all the Conditions in your account, edit them, delete them, analyze the
matches they generate, and create new ones. It also shows which Policies are using each Condition.

• Adding a New Condition


• Adding a Condition Group
• Deleting a Condition or Condition Group

Adding a New Condition

When you add a new Condition in the Conditions tab, you are not immediately placing it in a Directive. You are simply
creating a Condition for future use.

For more information, see Understanding and Editing Conditions.

To create a new Condition:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Conditions tab. The Conditions window appears.

3. Click the Add New Condition button. The Add New Condition window appears.

4. Click Create beside the template of the Condition you wish to add. The Create Condition dialog box
opens.

The Create Condition dialog box is different for each new Condition template.

5. Type in the data for your particular Condition. For more information, see the table below.
6. Click Save.

New Conditions

The fields of each Condition template (Condition Name, then each Field with its Description):

• IP Set
  IP Addresses: A list of IPv4, IPv6 or CIDR patterns that can be mixed freely.

• Header
  Header Name: The name of the HTTP header. Dashes (-) are automatically substituted for underscores (_) in the
  generated code. The header name is case insensitive.
  Header pattern: The regular expression that should match the value of the specified header.

• Tag
  Tag: The name of the tag that should be present in the token.

• Flag
  Flag: Select one of the Flags that is in your account. You can only select one Flag. You can access full
  documentation of the Flags from this option.

• Property Field
  Field: The property to retrieve. You can access full documentation of the Properties from this option.
  Pattern: The pattern that the property should match.

• Custom Rate Limiting
  Field: The rate limiting counter to retrieve.
  Limit: The limit or duration for the specified field.

• Captcha Cleared
  Duration for which the captcha is valid: The duration for which a captcha solution is considered valid.

• Compound Rate Limiting
  Requests per Minute: Maximum number of requests per minute allowed.
  Requests per Session: Maximum number of requests allowed during a single browsing session.
  Session Length: Maximum duration of a single session.

• Identify eventually
  Requests without Token: Maximum number of requests allowed without a token.
  Requests with Expired Token: Maximum number of requests allowed with an expired token.

• Custom Condition
  Code: Flags and/or code of your choice. You can access full documentation of the Moi code from this option.
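The following is an added illustration, not code from Imperva or from this documentation, of how the IP Set and Header templates in the table above can be evaluated against a request, and of how a Condition's status (see Configuring the Status of a Condition) decides whether a match activates the Directive or is only logged. The Disabled behaviour follows the description on this page; treating Active as "activate and log" and Passive as "log only" is an assumption of the example, as are the sample networks, header values and the `evaluate_directive` structure.

```python
import ipaddress
import re

# Status semantics. "Disabled" (no activation, no log) is as documented on
# this page; the Active/Passive split below is an assumption of this example.
STATUS_ACTIVATES = {"Active": True, "Passive": False, "Disabled": False}
STATUS_LOGS = {"Active": True, "Passive": True, "Disabled": False}


def build_ip_set(entries):
    """Parse a freely mixed list of IPv4/IPv6 addresses and CIDR ranges (IP Set)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_set_matches(networks, client_ip):
    """True when the client address falls inside any entry of the IP Set."""
    addr = ipaddress.ip_address(client_ip)
    # Testing an IPv4 address against an IPv6 network (or vice versa) simply
    # yields False, so a mixed list can be checked in one pass.
    return any(addr in net for net in networks)


def normalize_header_name(name):
    """Header names are case-insensitive; dashes become underscores."""
    return name.strip().lower().replace("-", "_")


def header_matches(request_headers, header_name, pattern):
    """True when the named header is present and its value matches the regex."""
    wanted = normalize_header_name(header_name)
    regex = re.compile(pattern)
    for name, value in request_headers.items():
        if normalize_header_name(name) == wanted:
            return regex.search(value) is not None
    return False


def condition_matches(condition, request):
    """Dispatch on the Condition template type."""
    kind = condition["type"]
    if kind == "IP Set":
        return ip_set_matches(condition["networks"], request["client_ip"])
    if kind == "Header":
        return header_matches(request["headers"], condition["header_name"], condition["pattern"])
    raise ValueError(f"unsupported condition type: {kind}")


def evaluate_directive(directive, request):
    """Return (activated, logged_condition_names) for one Directive."""
    activated = False
    logged = []
    for cond in directive["conditions"]:
        if cond["status"] == "Disabled":
            continue  # a Disabled Condition is neither enforced nor logged
        if condition_matches(cond, request):
            if STATUS_LOGS[cond["status"]]:
                logged.append(cond["name"])
            if STATUS_ACTIVATES[cond["status"]]:
                activated = True
    return activated, logged


# Constructed sample Directive and request (not from the documentation).
SAMPLE_DIRECTIVE = {
    "name": "block",
    "conditions": [
        {"name": "known-scraper-ranges", "type": "IP Set", "status": "Active",
         "networks": build_ip_set(["203.0.113.7", "198.51.100.0/24", "2001:db8::/32"])},
        {"name": "scripted-ua", "type": "Header", "status": "Passive",
         "header_name": "User-Agent", "pattern": r"^python-requests/"},
        # Matches every address, but Disabled: it never logs or activates.
        {"name": "catch-all-test", "type": "IP Set", "status": "Disabled",
         "networks": build_ip_set(["0.0.0.0/0", "::/0"])},
    ],
}

SAMPLE_REQUEST = {
    "client_ip": "2001:db8:1::5",
    "headers": {"user-agent": "python-requests/2.28.1", "Host": "www.example.com"},
}

if __name__ == "__main__":
    print(evaluate_directive(SAMPLE_DIRECTIVE, SAMPLE_REQUEST))
```

Running the sample, the Active IP Set Condition activates the block Directive and is logged, the Passive Header Condition is logged without contributing to the decision, and the Disabled Condition leaves no trace even though it matches. This is the behaviour to expect when you promote a Condition from Passive to Active after checking its matches for false positives.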

Adding a Condition Group

A Condition Group is a group of Conditions under a single name. By using a Condition Group, you can manipulate a
large number of Conditions that you normally use together, all at once: adding them to Directives, moving them from
Directive to Directive, configuring their status, etc.

To add a Condition Group:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Conditions tab. The Conditions window appears.

3. Click the Add New Condition Group button. The Create Condition Group window appears.

4. Type a Name and a Description for the new Condition Group.


5. Click Add Condition. The Insert Condition dialog box appears. It contains only the Existing Conditions. For
more information, see Inserting a Condition into a Directive.

6. By the Condition you wish to add, click Insert. The Condition appears in the Condition Group, together with the
Condition's Flags and functionality buttons.

This enables you to configure the Condition. Changes you make to the Condition apply to it within the
Condition Group only.

7. Repeat the above step for each Condition you wish to add.
8. Click Save.

Deleting a Condition or Condition Group

You can delete a Condition or a Condition Group at any time.

To delete a Condition or Condition Group:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Select the Conditions tab. The Conditions window appears.

3. Click the Delete button by the Condition or Condition Group you wish to delete. The confirmation dialog box
appears.

4. Click OK.

Managing Website Groups


You can create a new Website Group. For more information, see Creating a Website Group.

You can also add a new Website to a Website Group, rename, or delete any Website Group.

• Adding a Website to a Website Group


• Editing a Website Group - Default Rate Limiting Values
• Editing a Website
• Understanding the Website Advanced Settings
• Renaming a Website Group
• Deleting a Website Group
• Managing Encryption Keys

Adding a Website to a Website Group

You can add additional Websites to a Website Group at any time.

Note: If you are using a Connector instead of CloudWAF, use the procedure in Adding a Website to a
Website Group - Using a Connector.

When you add a Website, you can also define a Cookie Scope for that Website and related Websites.

When you add a Website, a cookie is created for that Website's Path, for example www.example.com. However, by
default it is only visible there. You can use the Cookie Scope to expand the coverage of a cookie set up for one Website.
Set a path in Cookie Scope to define other paths that can use the same cookie. Note that this can only go as far as the
apex domain and all its subdomains.

For example, if you want the cookie to be visible for aaa.example.com and bbb.example.com, type example.com in the
Cookie Scope.

Note: If you do not set the cookie scope, the domain for the cookie will be empty. Due to
inconsistent browser handling of cookies with no domain or an empty domain, it is strongly
recommended that you do not leave the cookie scope empty.

To add a Website to a Website Group:

1. In CloudWAF, add the website that you wish to protect. For more information, see Onboarding a Site – Web
Protection and CDN.
2. In Advanced Bot Protection, verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.

4. Select the Website Group to which you wish to add the Website. The Website Group Configuration window
appears.

5. Click Add Website. The Add Website dialog box appears.

If you are subscribed to CloudWAF only, the Add Website dialog box appears as follows:

If you are subscribed to both CloudWAF and Connectors, the Add Website dialog box appears as follows:

6. Verify that Imperva CloudWAF is selected.


7. From the Select Website drop down list, select the Website you added to CloudWAF.
8. Optionally, define a Cookie Scope.
9. Click Save.

Adding a Website to a Website Group - Using a Connector

You can add additional Websites to a Website Group at any time.

When you add a Website, you can also define a Cookie Scope for that Website and related Websites.

When you add a Website, a cookie is created for that Website's Path, for example www.example.com. However, by
default it is only visible there. You can use the Cookie Scope to expand the coverage of a cookie set up for one Website.
Set a path in Cookie Scope to define other paths that can use the same cookie. Note that this can only go as far as the
apex domain and all its subdomains.

For example, if you want the cookie to be visible for aaa.example.com and bbb.example.com, type example.com in the
Cookie Scope.

Note: If you do not set the cookie scope, the domain for the cookie will be empty. Due to
inconsistent browser handling of cookies with no domain or an empty domain, it is strongly
recommended that you do not leave the cookie scope empty.
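To make the Cookie Scope rules concrete (both for the CloudWAF procedure above and for this Connector procedure), the following added example, which is not code from Imperva or from this documentation, models how a browser decides where the token cookie is sent. An empty scope is treated as a host-only cookie, which is the standards-defined behaviour (RFC 6265) that the note above warns browsers do not apply consistently; a scope that is not the Website's own apex domain or one of its parents is treated as rejected by the browser. The host names are constructed for illustration, and public-suffix handling is deliberately omitted.

```python
def _canonical(host):
    """Lower-case a host or cookie domain and strip leading/trailing dots."""
    return host.strip().lower().strip(".")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: the host is the domain itself or a subdomain of it."""
    host = _canonical(request_host)
    domain = _canonical(cookie_domain)
    return host == domain or host.endswith("." + domain)


def scope_accepted_by_browser(website_host, cookie_scope):
    """A browser stores a cookie only if its Domain attribute domain-matches the
    host that set it, which is why the scope can reach at most the apex domain.
    (Public-suffix checks, e.g. rejecting a scope of "com", are omitted here.)"""
    if not cookie_scope:
        return True  # no Domain attribute at all: a host-only cookie
    return domain_matches(website_host, cookie_scope)


def cookie_visible(website_host, cookie_scope, request_host):
    """Would the token cookie set by website_host be sent on a request to request_host?"""
    if not scope_accepted_by_browser(website_host, cookie_scope):
        return False  # the browser discarded the cookie when it was set
    if not cookie_scope:
        # Host-only cookie: returned to exactly the host that set it, nowhere else.
        return _canonical(website_host) == _canonical(request_host)
    return domain_matches(request_host, cookie_scope)


def visible_hosts(website_host, cookie_scope, candidate_hosts):
    """Filter a list of hosts down to those that will receive the cookie."""
    return [h for h in candidate_hosts if cookie_visible(website_host, cookie_scope, h)]


# Constructed hosts, mirroring the aaa/bbb illustration in the text above.
SAMPLE_HOSTS = ["www.example.com", "aaa.example.com", "bbb.example.com",
                "example.com", "notexample.com", "example.org"]

if __name__ == "__main__":
    print(visible_hosts("www.example.com", "example.com", SAMPLE_HOSTS))
    print(visible_hosts("www.example.com", "", SAMPLE_HOSTS))
```

With the scope set to example.com the token is shared by www, aaa and bbb, while notexample.com is correctly excluded because domain matching requires a dot boundary. With the scope left empty only www.example.com itself sees the cookie, so every other subdomain would be challenged as if it carried no token.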

To add a Website to a Website Group using a Connector:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.

3. Select the Website Group to which you wish to add the Website. The Website Group Configuration window
appears.

4. Click Add Website. The Add Website dialog box appears.

If you are subscribed to Connectors only, the Add Website dialog box appears as follows:

If you are subscribed to both CloudWAF and Connectors, the Add Website dialog box appears as follows:

5. If you are subscribed to CloudWAF and Connectors, verify that the Connectors option is selected.
6. Add a Website or a number of Websites as follows:
▪ If you want to add a single Website, select Exact match, and then type the Domain Name (FQDN).
▪ If you want to add Websites with the same prefix, select Prefix match and then type the Domain Prefix
(this field appears when you make this selection).

This is commonly used for defining white-labeling services.

▪ If you want to add Websites with the same suffix, select Suffix match and then type the Domain Suffix
(this field appears when you make this selection).

This can be used for groups of social websites, where a name precedes a common suffix and you want to
add all those Websites. For example, to include both bob.fancypage.com and
jim.fancypage.com, you would type fancypage.com.

7. Optionally, define a Cookie Scope.


8. Click Save.

Editing a Website Group - Default Rate Limiting Values

You can edit a Website Group in the following ways:

• Editing the Default Policy: For more information, see Working with the Default Policy.
• Creating a per-Path Policy Assignment: For more information, see Creating a New per-Path Policy Assignment.
• Adding a Website: For more information, see Adding a Website.
• Editing the default Rate Limiting values: For more information, see below.

A Website Group has default Rate Limiting values that are applied by default to all the per-Path Policies in that
Website Group that use Rate Limiting.

If you want a certain per-Path Policy to have values that are different from the default, you can configure them so. For
more information, see Configuring per-Path Policies for Endpoints with API Calls, Editing a per-Path Policy
Assignment, and Creating a New per-Path Policy Assignment.

You can define the default Rate Limiting values for any Website Group.

To define the default Rate Limiting values for a Website Group:

1. In Advanced Bot Protection, verify that the Settings menu item is selected.
2. Verify that the Website Groups tab is selected.

3. Select the Website Group whose default Rate Limiting values you wish to define. The Website Group
Configuration window appears.

4. Under Default Rate Limiting Values, type in the values you want based on the table below.
5. Click Save.

Default Rate Limiting Values (Name: Description):

• Max requests per minute: The maximum number of requests to the site in a minute that is allowable before rate
  limiting is triggered.
• Max requests per session: The maximum number of requests to the site in a single session that is allowable
  before rate limiting is triggered.
• Max session length: The maximum length of a session that is allowable before rate limiting is triggered. Select
  the time units from the adjacent drop-down list.
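The three values above are easiest to understand by watching them act on a sequence of requests. The following added example, which is not code from Imperva or from this documentation and does not reproduce the product's internal counters, applies per-minute, per-session and session-length limits to one session with a sliding one-minute window. The limit values and the request timestamps (seconds since the first request) are constructed for illustration and are not product defaults; the decision to leave a rejected request out of the counters is an assumption of the example.

```python
from collections import deque


class SessionRateLimiter:
    """Tracks a single session (for example one token) against the three limits."""

    WINDOW_SECONDS = 60

    def __init__(self, max_requests_per_minute, max_requests_per_session, max_session_seconds):
        self.max_per_minute = max_requests_per_minute
        self.max_per_session = max_requests_per_session
        self.max_session_seconds = max_session_seconds
        self.recent = deque()      # timestamps of accepted requests within the last 60 s
        self.accepted = 0          # accepted requests over the whole session
        self.started_at = None     # timestamp of the first request seen

    def check(self, ts):
        """Return None if the request is within limits, else the name of the limit it hit."""
        if self.started_at is None:
            self.started_at = ts
        # Session length is checked first: once it is exceeded nothing else matters.
        if ts - self.started_at > self.max_session_seconds:
            return "max_session_length"
        # Slide the one-minute window forward, dropping requests older than 60 s.
        while self.recent and ts - self.recent[0] >= self.WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_minute:
            return "max_requests_per_minute"
        if self.accepted >= self.max_per_session:
            return "max_requests_per_session"
        # Only accepted requests are counted (an assumption of this example).
        self.recent.append(ts)
        self.accepted += 1
        return None


def evaluate_requests(limits, timestamps):
    """Run a whole request sequence through one limiter and return the decision per request."""
    limiter = SessionRateLimiter(**limits)
    return [limiter.check(ts) for ts in timestamps]


# Constructed sample: small limits so each one is visibly triggered.
SAMPLE_LIMITS = {"max_requests_per_minute": 5,
                 "max_requests_per_session": 8,
                 "max_session_seconds": 300}
# Six requests in six seconds (burst), a pause, a steady trickle, then a very late request.
SAMPLE_TIMESTAMPS = [0, 1, 2, 3, 4, 5, 70, 80, 90, 100, 400]

if __name__ == "__main__":
    for ts, decision in zip(SAMPLE_TIMESTAMPS, evaluate_requests(SAMPLE_LIMITS, SAMPLE_TIMESTAMPS)):
        print(f"t={ts:4d}s  {decision or 'allowed'}")
```

In the sample, the sixth request of the burst trips the per-minute limit, the trickle after the pause is allowed until the eighth accepted request exhausts the per-session budget, and the request at 400 s is rejected purely because the session has outlived its maximum length. Tuning these values for a Website Group is a trade-off between absorbing bursts from legitimate users and bounding what an automated client can do within one session.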

Editing a Website

You can edit the Cookie Scope and any of the Advanced Configuration options of a Website.

To edit a Website:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.
4. Click on a Website Group. The Websites window appears.

5. Under Websites, click the Website you want to edit. The Edit Website window appears.

6. Make your edits. If necessary, expand the Advanced Settings. For more information, see Cookie Scope and
Understanding the Website Advanced Settings.
7. Click Save.

Understanding the Website Advanced Settings

To access a website's advanced settings, see Editing a Website.

Each of the advanced settings parameters is described in the topics below. Some of the advanced settings apply to
CloudWAF only, others apply to Connectors only, and the rest apply to both.

Website Advanced Settings - Encryption Key

The key used to encrypt the token. By default a single Encryption Key is assigned per Website Group but here you can
assign a different, unique Encryption Key to a particular Website. The drop down list displays all the Encryption Keys
added to that Website Group so far.

This is useful if you are managing security for different Websites and you do not want them to share an encryption
key.

The drop down list offers an account default encryption key. It is highly recommended that you use the account
default encryption key so that the token can be shared across all Website Groups in an account.

Note the following:

• Only Websites that have the same key can share tokens. Note other restrictions here: Cookie Scope.
• Website Groups created after this release have the default key but Website Groups created before this release
retain their original non-default encryption keys until you change them.
• You can assign the account default key to CloudWAF websites.

Website Advanced Settings - Data Region

The AWS data region where you would like to save data. This is for compliance purposes. This appears in both
CloudWAF and Connector, but is only configurable in Connector.

For CloudWAF, the default Data Region for a Website Group is determined by the data region in your CloudWAF
settings.

For Connector, the default Data Region for a Website Group is United States. When you add another Website, you can
set the Data Region. If you want to change the Data Region for the original Website, edit that Website. For more
information, see Editing a Website.

Website Advanced Settings - Challenge IP Lookup Mode

Controls how Advanced Bot Protection determines the IP of the end user for challenge requests.

• Header Name: The request header to read the end-user IP from. If no name is specified, the IP as seen by
Advanced Bot Protection is used.
• Reverse Index: If the header contains multiple, comma-separated IP addresses, this is the zero-based index of
the address to select, counting from the end of the list (0 selects the last address).

Website Advanced Settings - Analysis IP Lookup Mode

Controls how Advanced Bot Protection determines the IP of the end user on analysis requests.

• Header Name: The request header to read the end-user IP from. If no name is specified, the IP as seen by the
Integration is used.
• Reverse Index: If the header contains multiple, comma-separated IP addresses, this is the zero-based index of
the address to select, counting from the end of the list (0 selects the last address).
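The Header Name and Reverse Index settings, for both the challenge and the analysis lookup modes, are illustrated by the following added example, which is not code from Imperva or from this documentation. It selects the end-user IP from a comma-separated forwarding header by counting from the end of the list, which is the side that proxies you control append to, rather than from the start, which the client can populate with anything. The header value and connection address are constructed for illustration; falling back to the connection IP whenever the header is missing, the index is out of range or the selected entry is not a valid address is an assumption of this example, not documented product behaviour.

```python
import ipaddress


def _header_value(headers, header_name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = header_name.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


def resolve_client_ip(headers, connection_ip, header_name=None, reverse_index=0):
    """Pick the end-user IP the way the lookup-mode settings describe.

    header_name empty  -> use the IP of the connection as seen by the service.
    reverse_index = n  -> take the n-th address counting from the END of the
                          comma-separated header value (0 = last address).
    Anything that cannot be resolved falls back to the connection IP; that
    fallback is an assumption of this example.
    """
    if not header_name:
        return connection_ip
    raw = _header_value(headers, header_name)
    if raw is None:
        return connection_ip
    candidates = [part.strip() for part in raw.split(",") if part.strip()]
    if reverse_index < 0 or reverse_index >= len(candidates):
        return connection_ip
    chosen = candidates[len(candidates) - 1 - reverse_index]
    try:
        ipaddress.ip_address(chosen)  # reject non-IP junk a client may have injected
    except ValueError:
        return connection_ip
    return chosen


# Constructed sample: the client claims 203.0.113.9, then two proxies each
# append the address they saw. Only the rightmost entries were written by
# infrastructure under your control.
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.9, 10.0.0.5, 10.0.0.6"}
SAMPLE_CONNECTION_IP = "10.0.0.7"

if __name__ == "__main__":
    for idx in range(3):
        print(idx, resolve_client_ip(SAMPLE_HEADERS, SAMPLE_CONNECTION_IP, "X-Forwarded-For", idx))
```

With one trusted proxy in front of the service, a Reverse Index of 0 yields the address that proxy recorded; each additional trusted hop between the client and the service moves the right value one position further from the end, so set the index to the number of proxies you trust, never higher, or the client's own unverified claim is what gets used for challenges and analysis.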

Website Advanced Settings - Unmasked Headers (CloudWAF only)

Enter a list of header names whose content you want CloudWAF to send to Advanced Bot Protection without masking
them. These headers can then be used as identifiers within conditions.

The header names are case-insensitive (as per the HTTP standard) but the entered capitalization is preserved.

Website Advanced Settings - Cookie Modes

You can configure up to two different SameSite cookies to store the Advanced Bot Protection token.

• If your website only uses HTTPS: prefer SameSite=None; Secure


• If it uses HTTP (or a mix of HTTP and HTTPS): prefer SameSite=Lax
• If you need to support certain older browser-based solutions such as UIWebView on iOS: prefer Legacy

The secondary cookie exists for exceptional cases. Since using it doubles the amount of cookie data sent on each
request, it is recommended that you use only one cookie unless two are necessary.

See the SameSite cookies documentation on the Mozilla website for more information.

The full list of cookie options is currently:

• SameSite=Lax (this is the default)


• SameSite=None; Secure
• Legacy (Without SameSite)
• SameSite=Lax & SameSite=None; Secure
• SameSite=None; Secure & SameSite=Lax
• SameSite=Lax & Legacy (Without SameSite)

Note: The cookie mode options are only supported for the following:

• CloudWAF
• Cloudflare connector version 1.21.0 and later
• Lambda@Edge connector version 1.20.0 and later
• Fastly connector version 1.1.2 and later
• Nginx/Openresty connector version 0.9.2 and later

The cookie mode options are currently unsupported on F5 connector.

Website Advanced Settings - Mobile SDK Challenge Path (CloudWAF only)

This setting is display only and cannot be configured. It shows the path on which the mobile SDK communicates
with Advanced Bot Protection.

Website Advanced Settings - Path Without JS Injection (CloudWAF only)

You can enter Paths for which you do not want the Javascript tag sent to clients. For more information, see
Understanding How Advanced Bot Protection Handles Traffic.

Website Advanced Settings - Captcha Settings

Select the desired captcha service, if you want one. The options are:

• Geetest: This uses the Imperva CloudWAF captcha keys. Select either Easy, Normal, or Hard.
• Recaptcha v2: You can generate your own free keys from the Recaptcha pages on Google's website.
• Custom Geetest: Use your own keys for Custom Geetest.

Renaming a Website Group

You can rename a Website Group at any time.

To rename a Website Group:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.

4. Click the Rename button by the Website Group you want to rename. The Website Group's Name becomes a
text entry field.
5. Type in the new Name.
6. Hit Enter.

Deleting a Website Group

You can delete a Website Group at any time. When you do so, all its Websites are deleted as well.

To delete a Website Group:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.

4. Click the Delete button by the Website Group you wish to delete.
5. Click OK in the confirmation dialog box.

Managing Encryption Keys

When you create a new website, it is by default given the account default encryption key but you can choose a
different encryption key if you like.

For an existing Website that uses CloudWAF, if the Website does not have the account default encryption key, you can
configure it so that it does. If the Website already uses the account default encryption key, you cannot change the
encryption key.

For an existing Website using a Connector, whatever key the Website is using, you can change it. The account default
key is among those offered.

To configure the encryption key of a Website:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. Verify that the Website Groups tab is selected.

4. Select the Website Group containing the Website whose encryption key you want to configure. The Website Group
Configuration window appears.

5. Under Websites, click the Encryption Key icon of the Website whose encryption key you wish to
configure.
▪ If your Website is configured with CloudWAF, the following window appears:

If you want to set your encryption keys to the account default encryption key, click Set encryption keys
to account default.

▪ If your Website is configured with a Connector, the following window appears:

From the Select a key from this account drop down list, select an encryption key and click the Add
button.

You can use the trash can icon to remove the current encryption key from the list of keys.

Updating a Configuration

When you make changes to your Advanced Bot Protection configuration, these changes do not take effect until you
review them and publish them.

If you have made changes, the main windows in Advanced Bot Protection display this warning at the top right:

To update a configuration:

1. Log in to your Advanced Bot Protection account.


2. Verify that the Settings menu item is selected.
3. If you have changes pending, you see You have unpublished changes and the Review changes button in all of
the main windows.
4. Click Review changes. The Publish Configuration summary appears.

The Publish Configuration summary displays all the unpublished changes that are pending, together with any
warnings that may be appropriate.

5. Review the changes and click Publish. The changes you have made become operative.

Understanding Snapshot and Restore


You can take a snapshot of the status of your account and then restore it. This is so that, if you make changes in your
account and want to roll them back, you can do so easily.

Notes:

• Snapshot and restore functionality is available via the API only. For more information, see
Advanced Bot Protection API.
• A snapshot is valid for 180 days after creation only.
• A snapshot includes:
  • Sites (with per-path policies/selectors)
  • Domains (with domain token encryption keys)
  • Conditions
  • Policies (with policy directives)
• A snapshot does not include:
  • Your API credentials
• Publish your configuration before making a snapshot in order to make sure that it is working.
• After performing a restore, publish the account so that the restored state takes effect.
• When you use the snapshot feature in combination with Imperva CloudWAF, the restoration
of a snapshot will be refused if one of the CloudWAF websites in the snapshot has been either
deleted or moved to a different account. If you wish to restore the snapshot, you must first
add the website again, or move it back to the original account.

Working with Advanced Bot Protection SDK


The sections below explain how to work with Advanced Bot Protection's SDK, for mobile apps.

• Understanding Bot Protection with the SDK
• Understanding How the SDK Operates
• Installing the SDK
• Testing the SDK Installation
• Downloading the Advanced Bot Protection SDK Software
• SDK Frequently Asked Questions

Understanding Bot Protection with the SDK


Bot protection is designed to protect your web application and APIs from malicious bots by distinguishing between
bots and users, and then distinguishing between good bots and bad bots. Scripts, automated browsers, and mobile
emulation tools are the primary means by which bot operators perform their malicious activities: credential stuffing,
web scraping, carding, inventory and ticket scalping, and so on. Imperva Advanced Bot Protection distinguishes those
tools from good bots and from normal web browsers and lets you act on them without affecting your human visitors.
For more information, see Understanding Advanced Bot Protection.

To identify web browsers, Advanced Bot Protection uses HTTP metadata checks, browser challenges, and machine
learning algorithms, and enforces the presence and validity of a token generated with JavaScript in order to tell bots
and humans apart. Native mobile applications, however, generally communicate via API calls. Because most native
mobile apps do not load web pages or execute JavaScript, they would appear malicious without a dedicated way to
identify them.

Imperva's Advanced Bot Protection SDK is purpose-built both to identify native mobile applications and to provide
security controls around their use, much like the web protection described above.

Understanding How the SDK Operates


The SDK functions similarly to our JavaScript challenge on the web. It identifies and profiles the device sending
requests to your APIs. The SDK performs the following tasks:

• generates a unique, ephemeral token that identifies the end device
• profiles devices and applications to ensure that requests are coming from a real device that is not controlled by
automation, hosted in a cloud environment, or attached to a debugger for reverse engineering
• wraps the above two features in simple function calls so that any mobile app developer can integrate it quickly

As a result, only real devices running your genuine mobile application and operated by real humans can interact with
your mobile API endpoints, apart from any traffic you have explicitly allow listed.

Installing the SDK


To install the SDK, program your application to carry out the following:

1. Initialize the SDK's Protection object near the start of the mobile application. In the string passed to the
initialization call, specify the full protocol, the FQDN, and (SDK version 2.x only) the challenge path found in your
domain's advanced settings (for more information, see Understanding the Website Advanced Settings). Create one
Protection object for every protected FQDN you communicate with.

Note: If you are using version 3.x of the SDK, do not supply the challenge path. If you are using version 2.x of the
SDK, you must supply the challenge path.

For example, assume your application makes requests to www.example.com, api.example.com, and
static.example.com, and that www.example.com and api.example.com are protected by Advanced Bot Protection but
static.example.com is not. You should create two Protection objects, one for www.example.com and one for
api.example.com.

If the Protection object is initialized successfully, at application startup the SDK (running inside your
application) automatically carries out the following:

1. Requests a challenge from the Imperva service
2. Completes the challenge and profiles the device
3. POSTs the results back to the Imperva service
4. Caches the response containing the token for later access

2. Call the getToken() function: Before your application makes any HTTP call to your API server, call getToken() to
retrieve the cached token from the SDK.

Never cache the token yourself; the SDK does this for you and refreshes the token automatically when needed.

Use the Protection object you initialized in step 1 for the specific FQDN you are communicating with. Do not create
a new object for every HTTP request.

3. Add the token as either a header or a cookie: Add the token with the name X-D-Token and the value returned by
getToken() to the HTTP request, and send the request as normal.

Notes:

▪ The SDK includes documentation in the form of an INSTALL.md file as well as further documentation in the
zip files.
▪ The SDK includes a minimal sample application that demonstrates the above process.

Testing the SDK Installation


It is recommended that you test the SDK against a non-production environment before releasing your application to
the app stores. During testing with desktop emulators, expect to be flagged with violations by Advanced Bot
Protection's emulation detection checks. Place those checks in Passive mode so that testing can continue as normal.

Note: A debug key is available for more verbose testing (see the HTML documentation included in the SDK zip files
for the constructor to use with the debug key). However, you should NEVER release your application with the debug
key active.

Test for the following items once the SDK is bundled into your application:

1. Ensure that all calls from your mobile app to the protected API carry a token.

You can view this in the Get Logs for an IP dashboard. If any API calls do not carry the token, you see no_token in
the flags field of this dashboard. You may be omitting the token from some requests on purpose, for example when
you request an application settings / feature flags object before SDK initialization. That request naturally has no
token yet, and you should allow list its path in the Advanced Bot Protection console. To allow list an entire path
and exempt it from Advanced Bot Protection, create a new per-path policy and select no policy and no rate
limiting for the values in the per-path policy dialog box. For more information on adding a per-path policy, see
Creating a New per-Path Policy Assignment.

2. Additionally, in the Get Logs for an IP dashboard:

1. Check that the IP column shows the correct true client IP address.
2. Ensure that you see both the get_challenge and post_challenge request types during your testing; these
are the challenge/response of the SDK initialization.

If either of these tests fails, contact Imperva support.

3. Test your app with your policy in Active mode. You should see requests fail to load if you move the debugger/
emulator condition to Active while using a debug build or desktop emulator. To ensure that the debugger/emulator
condition exists in your policy, contact Imperva support.
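The three checks above can be automated against an export of the Get Logs for an IP dashboard. The following is an added example, not part of the Imperva documentation or SDK. The record layout it reads (JSON lines with ip, path, request_type and a flags array) and the field names are assumptions made for this example; map them to the columns of your own export. The sample records are constructed.

```javascript
// Added example: offline audit of exported "Get Logs for an IP" records for the SDK tests above.
// Field names (ip, path, request_type, flags) are assumptions; adapt them to your export format.

// Constructed sample export for one test device. The feature-flags call is deliberately made before
// SDK initialization, so it can never carry a token; the checkout call is a real gap.
const SAMPLE_LOG_LINES = [
  '{"ip":"203.0.113.10","path":"/api/v1/feature-flags","request_type":"api","flags":["no_token"]}',
  '{"ip":"203.0.113.10","path":"/my-app-init","request_type":"get_challenge","flags":[]}',
  '{"ip":"203.0.113.10","path":"/my-app-init","request_type":"post_challenge","flags":[]}',
  '{"ip":"203.0.113.10","path":"/api/v1/cart","request_type":"api","flags":[]}',
  '{"ip":"203.0.113.10","path":"/api/v1/checkout","request_type":"api","flags":["no_token"]}',
];

function parseLogLines(lines) {
  return lines.map((line) => JSON.parse(line));
}

// expectedIp: the public IP of the device you tested from.
// allowListedPaths: path prefixes you exempted with a "no policy / no rate limiting" per-path policy.
function auditSdkLogs(lines, { expectedIp, allowListedPaths = [] }) {
  const records = parseLogLines(lines);
  const isAllowListed = (path) => allowListedPaths.some((prefix) => path.startsWith(prefix));

  // Test 1: every non-exempt call must carry X-D-Token, i.e. must not be flagged no_token.
  const missingToken = [...new Set(
    records
      .filter((r) => r.flags.includes('no_token') && !isAllowListed(r.path))
      .map((r) => r.path),
  )];

  // Test 2a: the IP column must show the true client IP, not an intermediate proxy.
  const ips = new Set(records.map((r) => r.ip));
  const ipMatches = ips.size === 1 && ips.has(expectedIp);

  // Test 2b: SDK initialization must appear as a get_challenge / post_challenge pair.
  const types = new Set(records.map((r) => r.request_type));
  const challengePairSeen = types.has('get_challenge') && types.has('post_challenge');

  return {
    missingToken,
    ipMatches,
    challengePairSeen,
    passed: missingToken.length === 0 && ipMatches && challengePairSeen,
  };
}

const report = auditSdkLogs(SAMPLE_LOG_LINES, {
  expectedIp: '203.0.113.10',
  allowListedPaths: ['/api/v1/feature-flags'],
});
console.log(report); // missingToken: ['/api/v1/checkout'], ipMatches: true, challengePairSeen: true, passed: false
```

Paths that appear in missingToken are either calls your app makes before the Protection object is initialized (allow list them) or places where the X-D-Token header is genuinely not being added.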

Downloading the Advanced Bot Protection SDK Software


You can download SDK versions and patches from Imperva's FTP site. To do so you require an FTP account, which you
receive as part of your software purchase. For details on obtaining an FTP account, contact Imperva Support.

You can use one of the following Imperva FTP sites according to your geographical location:

• USA: ftp://ftp-us.imperva.com
• Europe: ftp://ftp-eu.imperva.com

The files are located under /Downloads/ABP SDK. There are separate SDKs for iOS and Android; download the version
for each operating system you support.

SDK Frequently Asked Questions


• Why can't Imperva set up the SDK for me?
• What happens if the Imperva ABP service is offline?
• What impact does the SDK have on my application in terms of size?
• What impact does the SDK have on my application in terms of latency and load time?
• How are jailbroken devices dealt with by the SDK?
• How is the Advanced Bot Protection SDK actually deployed and what do I need to do from my side?
• How is the token requested?
• What happens if the SDK fails to receive the token?
• What is the estimated latency?
• Does the SDK check IP addresses for VPN?
• Does the SDK work when a user clicks a certain link, or can it run in "stealth" mode all the time?
• Does the SDK support Android Widgets?
• Does the SDK provide native Xamarin support?
• Is the Android variant an AAR or a JAR?
• Is the iOS variant a precompiled framework (.framework files) or a plain static library?
• Will old versions of my app be blocked?
• Is the SDK for the iOS app written in Objective-C or Swift?
• Does the iOS SDK compile if Bitcode is enabled in the project? This is app thinning related; our builds use
Bitcode for App Store distribution.
• I see the prefix "debug:" on the token value sent by the SDK. What does this prefix mean? Do I need to remove it
or do something differently?
• What do I need in order to support Android 11?

Why can't Imperva set up the SDK for me?

On the web version of Advanced Bot Protection, browsers execute the Imperva JavaScript tag on the page like any
other first party JavaScript tag. In many cases, Imperva can add the tag to the page on your behalf without any
changes to your application. However, there is no way for Imperva to ask your native mobile application to perform
any extra challenges because it is a pre-compiled application, there is no way to modify it in real time, and every
application is different. Therefore, your application must include the SDK that generates the token and profiles the
device, and you must add the SDK to your application yourself before your users download it from their respective
app store.

What happens if the Imperva ABP service is offline?

What happens if I receive a blank string back from getToken()?

The SDK uses the same communications channel as the mobile app. As long as the Imperva service is online, it
retrieves the token. If the Imperva service is offline, in most deployments all traffic is passed straight through to
your origin server. Therefore, the app should not fail catastrophically when the SDK returns a blank token: the
requests simply go to the origin and the app works anyway. At worst, bot protection is offline in this scenario. It is
also recommended that you employ a circuit breaker that backs off from calling getToken() during a prolonged error
state.

The getToken() method can fail to fetch a token for various reasons, such as lack of network connectivity or internal
errors. You should catch these standard error types in your application and handle them with the same strategy you
use for connections to your API server; for example, the application shows a dialog asking the user to check their
connectivity. Refer to the sample applications bundled in the SDK zip files for examples of catching network
exceptions.

On Android the exception types are documented through the function signature; on iOS the errors are described in
the doc comment on getToken(), and there is also method-level documentation in the header file.
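The following is an added example, not code from Imperva's SDK or its sample applications. It shows, in JavaScript so that it runs stand-alone, the client-side pattern that Installing the SDK and this answer describe: ask the SDK for the token before every API call, add it as X-D-Token, keep sending to the origin when the token is blank, and stop calling getToken() for a cooldown period after repeated errors. The SDK's getToken() and your HTTP client are modelled as injected async functions, and the circuit-breaker threshold and cooldown are assumptions chosen for the example.

```javascript
// Added example (not Imperva's SDK code): token attachment with graceful degradation and a circuit breaker.
// getToken and sendRequest are stand-ins for Protection.getToken() and your HTTP client (assumptions).

const TOKEN_HEADER = 'X-D-Token';

class ProtectedApiClient {
  // getToken: may resolve to a token string, resolve to an empty string, or reject (no network, SDK error).
  // sendRequest: receives { method, url, headers } and performs the real call.
  constructor({ getToken, sendRequest, failureThreshold = 3, cooldownMs = 60000, now = Date.now }) {
    this.getToken = getToken;
    this.sendRequest = sendRequest;
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.consecutiveFailures = 0;
    this.openUntil = 0; // while now() < openUntil the circuit is open and getToken() is skipped
  }

  async fetchToken() {
    if (this.now() < this.openUntil) return ''; // circuit open: back off instead of retrying every request
    try {
      // Ask the SDK each time; it caches and refreshes the token itself, so never store it here.
      const token = await this.getToken();
      this.consecutiveFailures = 0;
      return typeof token === 'string' ? token : '';
    } catch (err) {
      // Handle like any other network error; here we count failures and eventually back off.
      this.consecutiveFailures += 1;
      if (this.consecutiveFailures >= this.failureThreshold) {
        this.openUntil = this.now() + this.cooldownMs;
        this.consecutiveFailures = 0;
      }
      return '';
    }
  }

  async request(method, url, headers = {}) {
    const token = await this.fetchToken();
    const outHeaders = { ...headers };
    // A blank token means bot protection is unavailable; the request still goes to the origin.
    // A "debug:"-prefixed token is sent exactly as received.
    if (token !== '') outHeaders[TOKEN_HEADER] = token;
    return this.sendRequest({ method, url, headers: outHeaders });
  }
}

// Constructed stand-in for the SDK: rejects the first `failures` calls, then returns tokens.
function makeFlakyGetToken(failures) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failures) throw new Error('network unreachable');
    return 'tok-' + calls;
  };
}

// Walks through outage, open circuit, and recovery; returns the X-D-Token value sent on each request.
async function demo() {
  const sent = [];
  let clock = 0; // fake clock so the cooldown can be advanced deterministically
  const client = new ProtectedApiClient({
    getToken: makeFlakyGetToken(3),
    sendRequest: async (req) => { sent.push(req); return { status: 200 }; },
    failureThreshold: 3,
    cooldownMs: 1000,
    now: () => clock,
  });
  // Three failures in a row: every request still reaches the origin, and the circuit opens.
  for (let i = 0; i < 3; i += 1) await client.request('GET', 'https://api.example.com/cart');
  // Circuit open: getToken() is not even called during the cooldown.
  await client.request('GET', 'https://api.example.com/cart');
  // After the cooldown the SDK is consulted again and tokens are attached.
  clock = 1000;
  await client.request('GET', 'https://api.example.com/cart');
  await client.request('GET', 'https://api.example.com/cart');
  return sent.map((r) => r.headers[TOKEN_HEADER] || null);
}

demo().then((tokens) => console.log(tokens)); // [null, null, null, null, 'tok-4', 'tok-5']
```

The important property is that a failure inside fetchToken() never prevents the request from being sent; it only removes the header, which at worst leaves the call unprotected until the SDK recovers.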

What impact does the SDK have on my application in terms of size?

The SDK adds less than 1 megabyte to your application.

What impact does the SDK have on my application in terms of latency and load time?

Because the SDK has a small footprint, load time and memory impact is minimal. In terms of latency, there are only
two extra round trips required for token generation every 10 minutes. The token is then cached locally, and there is no
additional latency impact.

How are jailbroken devices dealt with by the SDK?

Jailbroken devices are not necessarily bad actors. Jailbroken devices are indicated as such in the logs, but they are
not blocked from accessing API servers by default.

How is the Advanced Bot Protection SDK actually deployed and what do I need to do from
my side?

The SDK uses the existing Advanced Bot Protection platform and is deployed with those deployment options. You only
need an instance of Advanced Bot Protection protecting your domain, in addition to integration of the SDK library
with your app.

For more information, see Getting Started with Imperva Advanced Bot Protection and Installing the SDK.

How is the token requested?

Token requests are completely transparent and are handled by the Advanced Bot Protection SDK when your code calls
the getToken() function.

What happens if the SDK fails to receive the token?

See What happens if the Imperva ABP service is offline?.

What is the estimated latency?

The SDK requests a new token every ten (10) minutes, so individual API requests do not have to request a token.
Therefore there is no added latency, unless an API request happens just when a new token is required. The entire
challenge/response and token request process takes well under one (1) second.

Does the SDK check IP addresses for VPN?

Advanced Bot Protection checks traffic against its list of known threats. Known threats include a mix of known
violators, data centers, identities, aggregator user agents, and automated browsers. For example, if Advanced Bot
Protection has detected a known violator on another site, your own site is automatically protected from that threat.
VPN exit nodes usually come from data centers, so Advanced Bot Protection would detect those with this check.

Does the SDK work when a user clicks a certain link, or can it run in "stealth" mode all the
time?

The SDK is in constant operation. Every few minutes, the SDK automatically does a full check of the device it is
running on and reports back to the Advanced Bot Protection instance on the threats it has detected (emulators, device
farms, jailbroken devices, etc). Advanced Bot Protection then tracks violations by issuing a temporary token, which is
included on each request back to origin for each API call.

Does the SDK support Android Widgets?

Yes.

Does the SDK provide native Xamarin support?

No.

However, Xamarin appears to have support for binding to Objective-C and Java code. Thus Xamarin seems likely to
work with some effort. For more information, see Microsoft's documentation on Objective-C and Android-callable
wrappers.

Is the Android variant an AAR or a JAR?

AAR.

Is the iOS variant a precompiled framework (.framework files) or a plain static library?

Plain static library.

Will old versions of my app be blocked?

Yes, if care is not taken. This is normally handled in one of three ways:

• Allow list the user agent of old versions (if the version is in the user agent) until you reach a critical mass of users
on the new version.
• Create new API endpoints for the version of the app with the SDK (e.g., api2.example.com) and protect that
version only.
• Force end users to upgrade once your new application containing the SDK is launched.

Is the SDK for the iOS app written in Objective-C or Swift?

Objective-C.

Does the iOS SDK compile if Bitcode is enabled in the project? This is app thinning related, our
builds use Bitcode for App Store distribution.

Yes, but there can be incompatibilities in the bitcode depending on which Xcode (LLVM) version is used. The version of
Xcode Imperva uses to compile the SDK is documented in the README.

I see the prefix "debug:" on the token value sent by the SDK. What does this prefix mean? Do I
need to remove it or do something differently?

An internal error may prompt the SDK to return a debug: prefixed token instead. This token contains extra error
information and should be sent with the request same as the normal token. Please open a support ticket in order for
us to investigate the root cause of the internal error.

What do I need in order to support Android 11?

Verify that you are using a recent version (2.x or 3.x) of the Advanced Bot Protection SDK. The SDK follows Google’s
guidance for SDKs to target API 29.

Integrating Advanced Bot Protection with a Connector


The instructions below show how to integrate Advanced Bot Protection with each of the supported Connectors, and
provide additional configuration and testing information for all the Connectors.

• Understanding the Connector Integration Procedures
• Configuring the Interstitial Page
• Testing the Integration of Advanced Bot Protection with a Connector
• Understanding Failure Handling for Advanced Bot Protection with Connectors
• Advanced Bot Protection Integration Libraries

Understanding the Connector Integration Procedures


If you are not using Advanced Bot Protection with Imperva's CloudWAF, you must integrate Advanced Bot Protection
with a Connector.

The instructions on how to do so are given here.

Note: These instructions include procedures for actions in non-Imperva proxies. While these
procedures were tested and found correct at the time of writing, they may change without
Imperva's knowledge and thus Imperva cannot take responsibility for their accuracy. For more
information, see the relevant documentation.

• Integrating Advanced Bot Protection with Cloudflare
• Integrating Advanced Bot Protection with Lambda@Edge on AWS Cloudfront
• Integrating Advanced Bot Protection with F5
• Integrating Advanced Bot Protection with Nginx/Openresty

Integrating Advanced Bot Protection with Cloudflare

Follow the procedure below to integrate Advanced Bot Protection with Cloudflare.

Notes:

• These instructions include procedures for actions in Cloudflare. While these procedures were
tested and found correct at the time of writing, they may change without Imperva's
knowledge and thus Imperva cannot take responsibility for their accuracy. For more
information, see the Cloudflare documentation.
• The machine on which you build the integration package must have Node.js installed.
• On every page in your web domain that you want to protect, you must add the following line
in the html head section:

<script type="text/javascript" src="<challenge-path-value>" async></script>

where challenge-path-value is the same text string that you enter into the CHALLENGE_PATH=
statement in the config.js file.

It is recommended that you choose a name for the challenge path that looks as if it is part of your
own web application. This decreases the likelihood that the protection is blocked by adblockers.

To integrate Imperva Advanced Bot Protection with Cloudflare:

1. Configure the JavaScript file:

1. Get the example integration code (the Reference Implementation) by clicking the appropriate link in
the Advanced Bot Protection Integration Library. Download the zip file to a location on your computer.
2. Unzip/unpack the zip file to a location on your computer.
3. Log into your Advanced Bot Protection account in your browser.
4. In your Advanced Bot Protection account, select Settings > Website Groups and select the Website whose
bot protection you wish to configure. The Websites window for that Website Group appears.

If you have not yet added a Website, add one by referring to Creating a Website Group and Adding a
Website.

5. Under Credentials, there is a block of code. Select it and copy it.
6. In your unzipped/unpacked folder/directory that contains the Reference Implementation, locate the file
src/config.js and open it using a text editor like Notepad++.
7. Paste the copied block of code from Credentials immediately after the CONFIGURATION= statement in
the config.js file.

For example:

    CONFIGURATION=
      analysisHost: "https://bon-staging.distil.ninja",
      apiKeyId: "0068595c-9a8e-567o-2hrt-e3f32729ccbe",
      apiSecretKey: "vB3xdfnedieufskHsbp/+7PnakbRbI4BNS3",
      debugHeaderValue: "4286e123456789fd077d4720f85e72c7bdcc",
      tokenEncryptionKey: "xmvbtv/abcDEfGRFIfBN/XdPQTsYv7PpmF6GRJOF7ZpMbRCw7BUphPPuumxMleE/+QbUFTfXysCpHNELjmP3FA=="

The values shown are sample values only; use the credentials copied from your own Website Group. Treat
apiSecretKey and tokenEncryptionKey as secrets: do not commit config.js to a shared repository, and remember
that the bundled dist/index.js you paste into the Worker embeds them.

8. After the CHALLENGE_PATH= statement, paste the text string that represents the challenge path as you
entered it into your web pages. See the notes above.
9. Save the config.js file.
2. If you want to change the default failure handling to a more rigorous setting at the cost of greater user
latency, configure failure handling. For more information, see Understanding Failure Handling for Advanced Bot
Protection with Connectors.
3. Build the integration package:
1. Verify that you have Node.js and npm installed. For more information, see the npm documentation.
2. Open a CLI application like Terminal or Command Prompt.
3. Navigate to the unzipped/unpacked folder/directory that contains the Reference Implementation.
4. Run the command npm install. npm fetches the additional dependencies it needs.
5. Run the command npx webpack. The dist/index.js file is created.
6. Open the dist/index.js file in a text editor.
7. In your Cloudflare account, create a new Worker.
8. In the Cloudflare editor, delete the sample Cloudflare code in your new Worker.
9. Copy the content of your dist/index.js file and paste it into the new Cloudflare Worker.
10. Save the Worker.
11. Add a Route and assign your new Worker to the Route. This Route should encompass all the pages you
wish to protect. The most straightforward route is of the form *.example.com/*.
12. Save the Route.
4. Test your integration. For more information, see Testing the Integration of Advanced Bot Protection with a
Connector.

Integrating Advanced Bot Protection with Lambda@Edge on AWS Cloudfront

Follow the procedure below to integrate Advanced Bot Protection with Lambda@Edge on AWS Cloudfront.

Notes:

• These instructions include procedures for actions in Lambda@Edge on AWS Cloudfront.
While these procedures were tested and found correct at the time of writing, they may
change without Imperva's knowledge and thus Imperva cannot take responsibility for their
accuracy. For more information, see the AWS documentation.
• The machine on which you build the integration package must have Node.js installed.
• On every page in your web domain that you want to protect, you must add the following line
in the html head section:

<script type="text/javascript" src="<challenge-path-value>" async></script>

where challenge-path-value is the same text string that you enter into the CHALLENGE_PATH=
statement in the config.js file.

It is recommended that you choose a name for the challenge path that looks as if it is part of your
own web application. This decreases the likelihood that the protection is blocked by adblockers.

• The most robust strategy for bot protection involves inspecting all requests to your site. In
order to inspect all requests to your site, add the Lambda function to all dynamic content
Behaviors, including the default Behavior, in step 5, below.
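A page that is served through the connector but omits the challenge script never obtains a token, so its visitors look like bots. The following is an added example, not part of Imperva's connector Reference Implementation, that checks a set of HTML templates for the tag described in the notes (in the head section, with the src equal to the challenge path and the async attribute) and injects it where it is missing. It applies equally to the Cloudflare integration above. The first-party-looking path "/assets/app-init.js" and the sample templates are made up for this example; CHALLENGE_PATH must match the CHALLENGE_PATH= value in config.js.

```javascript
// Added example (not from the Imperva Reference Implementation): verify and inject the challenge <script> tag.
// "/assets/app-init.js" is an assumed first-party-looking challenge path.

const CHALLENGE_PATH = '/assets/app-init.js';

// Parse every <script ...> opening tag into { index, attrs } (attribute names lower-cased).
function scriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push({ index: m.index, attrs });
  }
  return tags;
}

// True if a <script src=challengePath async> tag sits inside <head>, as the integration notes require.
function hasChallengeTag(html, challengePath = CHALLENGE_PATH) {
  const headStart = html.search(/<head\b[^>]*>/i);
  const headEnd = html.search(/<\/head\s*>/i);
  if (headStart < 0 || headEnd < headStart) return false;
  return scriptTags(html).some(
    (t) => t.index > headStart && t.index < headEnd
      && t.attrs.src === challengePath && 'async' in t.attrs,
  );
}

// Insert the tag immediately after the <head> opening tag when it is missing; otherwise return the HTML as is.
function injectChallengeTag(html, challengePath = CHALLENGE_PATH) {
  if (/["'<>]/.test(challengePath)) throw new Error('challenge path must be a plain URL path');
  if (hasChallengeTag(html, challengePath)) return html;
  if (!/<head\b[^>]*>/i.test(html)) throw new Error('document has no <head> element');
  const tag = `<script type="text/javascript" src="${challengePath}" async></script>`;
  return html.replace(/(<head\b[^>]*>)/i, `$1${tag}`);
}

// Names of the templates that still lack the tag; run this over your template directory before deploying.
function templatesMissingChallengeTag(templates, challengePath = CHALLENGE_PATH) {
  return Object.keys(templates).filter((name) => !hasChallengeTag(templates[name], challengePath));
}

// Constructed sample templates.
const SAMPLE_TEMPLATES = {
  'home.html':
    '<!doctype html><html><head><title>Shop</title>'
    + '<script type="text/javascript" src="/assets/app-init.js" async></script></head><body></body></html>',
  'cart.html':
    '<!doctype html><html><head><title>Cart</title></head><body>'
    + '<script src="/assets/app-init.js" async></script></body></html>', // tag present, but in <body>
  'login.html':
    '<!doctype html><html><head><title>Login</title></head><body></body></html>', // no tag at all
};

console.log(templatesMissingChallengeTag(SAMPLE_TEMPLATES)); // ['cart.html', 'login.html']
```

The check is strict about placement on purpose: a tag outside the head section is reported as missing, and injectChallengeTag() refuses a challenge path containing quote or angle-bracket characters so that the path cannot break out of the src attribute.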

To integrate Imperva Advanced Bot Protection with Lambda@Edge:

1. Configure the JavaScript file:

1. Get the example integration code (the Reference Implementation) by clicking the appropriate link in
the Advanced Bot Protection Integration Library. Download the zip file to a location on your computer.
2. Unzip/unpack the zip file to a location on your computer.
3. Log into your Advanced Bot Protection account in your browser.
4. In your Advanced Bot Protection account, select Settings > Website Groups and select the Website whose
bot protection you wish to configure. The Websites window for that Website Group appears.

If you have not yet added a Website, add one by referring to Creating a Website Group and Adding a
Website.

5. Under Credentials, there is a block of code. Select it and copy it.
6. In your unzipped/unpacked folder/directory that contains the Reference Implementation, locate the file
src/config.js and open it using a text editor like Notepad++.
7. Paste the copied block of code from Credentials immediately after the CONFIGURATION= statement in
the config.js file.

For example:

    CONFIGURATION=
      analysisHost: "https://bon-staging.distil.ninja",
      apiKeyId: "0068595c-9a8e-567o-2hrt-e3f32729ccbe",
      apiSecretKey: "vB3xdfnedieufskHsbp/+7PnakbRbI4BNS3",
      debugHeaderValue: "4286e123456789fd077d4720f85e72c7bdcc",
      tokenEncryptionKey: "xmvbtv/abcDEfGRFIfBN/XdPQTsYv7PpmF6GRJOF7ZpMbRCw7BUphPPuumxMleE/+QbUFTfXysCpHNELjmP3FA=="

8. After the CHALLENGE_PATH= statement, paste the text string that represents the challenge path as you
entered it into your web pages. See the notes above.
9. Save the config.js file.
2. If you want to change the default failure handling to a more rigorous setting at the cost of greater user
latency, configure failure handling. For more information, see Understanding Failure Handling for Advanced Bot
Protection with Connectors.
3. Build the integration package:
1. Verify that you have version 14 of Node.js and npm installed. For more information, see the npm
documentation.
2. Open a CLI application like Terminal or Command Prompt.
3. Navigate to the unzipped/unpacked folder/directory that contains the Reference Implementation.
4. Run the command npm install. npm fetches the additional dependencies it needs.
5. Run the command npm run build:package. The lambda-function.zip file is created.
4. Create a Lambda@Edge function:
1. Log into your AWS console.
2. Select Services > Lambda. Note that you must be in the US East (N. Virginia) Region.
3. Click Create function. The Create function window appears.
4. Type a Function name, for example, distil.
5. Verify that the Runtime option is Node.js 14.x.
6. Expand Choose or create an execution role.
7. Select Create a new role from AWS policy templates.
8. Type a Role name, for example, distilrole.
9. Under Policy templates, select a policy that can invoke Lambda functions at CloudFront edges, for
example, Basic Lambda@Edge permissions.
10. Click Create function. The Functions window for your new function appears.
11. Under Function code > Code entry type, select Upload a .zip file.
12. Under Function package, click Upload. In the dialog box, navigate to the lambda-function.zip file you
created in Step 3.
13. Click Open. The dialog box closes.
14. Click Save.
15. Select Actions > Publish new version.

16. Leave Version description blank, and click Publish. The Functions window for your new function appears.
17. Copy the ARN string at the top right. You will need it for the next stage.
5. Add the Lambda function to a Cloudfront distribution:
1. Select Services > CloudFront.
2. Verify that Distributions is selected.
3. Click the Distribution you wish to protect. The General tab of the distribution settings appears.
4. Click the Behaviors tab.
5. For every dynamic content behavior (including the default behavior, if it serves dynamic content), do the
following.

If you are using AWS's Legacy cache settings:

▪ Click Edit.
▪ Set Headers to All.
▪ Set Query Strings to All.
▪ Set Cookies to All.
▪ Under Lambda Function Associations, verify that the CloudFront Event is set to Viewer Request,
and paste the ARN that you copied earlier into the Lambda Function ARN field.
▪ Select Include Body.
▪ Click Yes, Edit.

If you are using AWS's Cache policy and origin request policy (recommended):

If you are an existing Advanced Bot Protection user with an existing policy, select your existing policy from
the Cache policy drop-down list, then:

▪ Under Lambda Function Associations, verify that the CloudFront Event is set to Viewer Request,
and paste the ARN that you copied earlier into the Lambda Function ARN field.
▪ Select Include Body.
▪ Click Yes, Edit.

Otherwise, if you are a new user:

▪ Click Edit. The Edit behavior window appears.
▪ Select Create Policy. The Create cache policy window appears.
▪ Type in a Name.
▪ Add the following headers:
  • cf-connecting-ip
  • content-length
  • content-type
  • host
  • referer
  • user-agent
  • x-forwarded-for
  • x-forwarded-host
  • x-d-action
  • x-d-domain
▪ Set Query Strings to All.
▪ Set Cookies to All.
▪ Click Create. A new window opens.

▪ Return to the Edit behavior window.
▪ Under Cache key and origin requests, next to the Cache policy entry, click the Refresh button. The
updated policies are reloaded.
▪ Select the policy you just created.
▪ Under Lambda Function Associations, verify that the CloudFront Event is set to Viewer Request,
and paste the ARN that you copied earlier into the Lambda Function ARN field.
▪ Select Include Body.
▪ Click Yes, Edit.
6. Allow ten minutes for the function to be fully distributed.
6. Add a new origin to your Cloudfront distribution:
1. In the Origin Domain Name field, type the host name from the analysisHost value in the config.js file
(the CloudFront origin domain name does not include the https:// scheme).
2. In the Origin Path field, type /v6/challenge/<your-api-key-id>, where <your-api-key-id> is the value
of apiKeyId from the Website Group's Credentials.
3. In the Origin ID field, type challenge-origin.
4. For Minimum Origin SSL Protocol, select TLSv1.2.
5. For Origin Protocol Policy, select HTTPS Only.
7. Add a new Behavior for your website challenge path:
1. Select the new Origin.
2. In the Path Pattern field, type the value of CHALLENGE_PATH as it appears in your web pages and
configuration file, followed by an asterisk. For example, if the value of CHALLENGE_PATH is
/my-challenge-path, type /my-challenge-path* into the Path Pattern field.
3. For Allowed HTTP Methods, verify that GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE is selected.
4. For Forward Cookies, select All.
5. Set Cache Based on Request Headers to All.
6. For Query String Forwarding and Caching, select Forward all, cache based on all.
7. Under Lambda Function Associations, verify that the CloudFront Event is set to Viewer Request, and
paste the ARN that you copied earlier into the Lambda Function ARN field.
8. If you are using the Imperva SDK, add a new Behavior for your SDK challenge path:
1. Select the new Origin.
2. In the Path Pattern field, type the value of CHALLENGE_PATH exactly as it appears in your configuration
file (without a trailing asterisk).
3. For Allowed HTTP Methods, verify that GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE is selected.
4. For Forward Cookies, select All.
5. Set Cache Based on Request Headers to All.
6. For Query String Forwarding and Caching, select Forward all, cache based on all.
7. Under Lambda Function Associations, verify that the CloudFront Event is set to Viewer Request, and
paste the ARN that you copied earlier into the Lambda Function ARN field.
8. Select Include Body.
9. Click Yes, Edit.
9. Test your integration. For more information, see Testing the Integration of Advanced Bot Protection with a
Connector.

• Upgrading the Lambda@Edge Runtime


Upgrading the Lambda@Edge Runtime

Since the introduction of Node.js 14.x, Amazon Web Services no longer supports Node.js 10.x. If you originally set up
your Advanced Bot Protection environment to work with Node.js 10.x, you must do one of the following:

• Deploy your current lambda function (built with node 10) to Cloudfront, specifying node 14 as the runtime
• Rebuild the ABP Connector 1.21.2 release package (with your personalized config.js) using node 14 and deploy
the resulting Lambda function, specifying node 14 as the runtime

To deploy your current lambda function (built with node 10) to Cloudfront, specifying node 14 as the runtime

1. In AWS, select Lambda > Functions.
2. Select your function and verify that the Code tab is selected.
3. Under Runtime settings, click Edit.
4. Under Runtime, select Node.js 14.x.
5. Click Save.
6. At the top right, select Actions > Publish new version.
7. In AWS, select Services > Lambda > Functions > Copy ARN.
8. In AWS, select Services > Lambda > Cloudfront.
9. Select the distribution and click the Behaviors tab.
10. Select the first behavior and click Edit.
11. Under Function associations > Viewer request, replace the Function ARN / Name with the new ARN that you copied.
12. Click Save changes.
13. Repeat steps 9 - 11 for the second (Default) behavior.

The above procedure should work without error. However, a more certain but more involved method is as follows:

To rebuild the ABP Connector 1.21.2 release package (with your personalized config.js) using node 14 and deploy the resulting Lambda function, specifying node 14 as the runtime:

1. In Integrating Imperva Advanced Bot Protection with Lambda@Edge on AWS Cloudfront, carry out Step 3 in its entirety.
2. In AWS, select Services > Lambda > Functions.
3. Select your existing function.
4. Select Code Source > Upload from and select .zip file.
5. Navigate to the file you just created in Step 1 and click OK.
6. Under Runtime, select Node.js 14.x.
7. Click Save.
8. At the top right, select Actions > Publish new version.
9. In AWS, select Services > Lambda > Functions > Copy ARN.
10. In AWS, select Services > Lambda > Cloudfront.
11. Select the distribution and click the Behaviors tab.
12. Select the first behavior and click Edit.
13. Under Function associations > Viewer request, replace the Function ARN / Name with the new ARN that you copied.
14. Click Save changes.
15. Repeat steps 11 - 13 for the second (Default) behavior.


Integrating Advanced Bot Protection with F5

Follow the procedure below to integrate Advanced Bot Protection with F5.

Verify that you meet the following prerequisites:

• F5 LTM running 13.1.0 or later with iRules LX provisioned
• Ability to run Docker containers

Notes:

• These instructions include procedures for actions in F5. While these procedures were tested and found correct at the time of writing, they may change without Imperva's knowledge and thus Imperva cannot take responsibility for their accuracy. For more information, see the F5 documentation.
• On every page that you want to protect in your web site, you must add the following line in the html header section:

<script type="text/javascript" src="<challenge-path-value>" async></script>

where challenge-path-value is the same text string that you enter into the CHALLENGE_PATH= statement in the settings.js file.

It is recommended that you create a name for the challenge path that looks as if it is part of your
own web application. This will decrease the likelihood that the protection is blocked by
adblockers.

• The file `imperva.tcl` contains an example integration which will work out-of-the-box. It can
be modified based on your requirements, however Imperva cannot guarantee functionality if
the rule is modified.

To integrate Imperva Advanced Bot Protection with F5:

1. Configure the javascript and tcl files:


1. Get the example integration code - the Reference Implementation - by clicking on the appropriate link in
the Advanced Bot Protection Integration Library. Download the zip file to a location on your computer.
2. Unzip/unpack the zip file to a location on your computer.
3. Log into your Advanced Bot Protection account in your browser.
4. In your Advanced Bot Protection account, select Settings > Website Groups and select the Website whose
bot protection you wish to configure. The Websites window for that Website Group appears.

If you have not yet added a Website, add one by referring to Creating a Website Group and Adding a
Website.

5. Under Credentials, select and copy the block of code.


6. In your unzipped/unpacked folder/directory that contains the Reference Implementation, locate the file credentials.js and open it using a text editor like Notepad++.
7. Paste the copied block of code from Credentials as the entire content of the credentials.js file. Save the file.
8. Open the settings.js file using a text editor and edit it as follows:

"CHALLENGE_PATH": "/my-challenge-path",

"SDK_CHALLENGE_PATH": "/my-sdk/v1/challenge",

"TLS_TO_ORIGIN": "false"

where

▪ /my-challenge-path is the path that the Connector will use to inspect traffic. It is recommended that you make this path look like part of your website so that it is not blocked by end users' addons and adblockers.
▪ /my-sdk/v1/challenge is the path that the Imperva Advanced Bot Protection Mobile SDK will use to transmit challenge data to the Imperva backend.
▪ TLS_TO_ORIGIN - If your load balancer uses HTTPS to communicate with your backend pools, set this value to the string "true". If not, leave it as "false", in order to have the load balancer offload SSL and communicate with the backend pools via HTTP.
9. Save the settings.js file.
2. Create the F5 plugin:

Note: Since the Advanced Bot Protection plugin requires the f5-nodejs library which is provided by
F5, you must provide an exported workspace to be repackaged. If you do not have such a plugin
you may create one with the following steps.

1. Log in to your F5 instance.
2. Navigate to Local Traffic > iRules > LX Workspaces.
3. Click Create. The Workspace window appears.
4. Type a Name for the Workspace.
5. Click Finished.
6. Click Add Extension. The Extension window appears.
7. Type a Name for the Extension and click OK.
8. Navigate to Local Traffic > iRules > LX Workspaces.
9. Check the newly-created Workspace.
10. Click Export… The Workspace is downloaded to your computer to your default download location as an
archive.
11. Copy the downloaded LX workspace archive into the config_gen folder in the extracted Reference
Implementation directory. Do not extract the LX workspace archive.


12. Using the command line, navigate to the directory where you extracted the Imperva provided Reference
Implementation.
13. Build the config generator docker container by running the following command:

docker build -t imperva-config .

14. Run the container, sharing the current directory with the container's /usr/imperva-f5 directory. Examples for various shells are as follows:
▪ bash: docker run -it --rm -v $(realpath .):/usr/imperva-f5 imperva-config
▪ fish: docker run -it --rm -v $PWD:/usr/imperva-f5 imperva-config
▪ powershell: docker run -it --rm -v ${pwd}:/usr/imperva-f5 imperva-config

Notes:

▪ If you see a pop-up about sharing your filesystem with the container, select allow.
▪ If no pop-up appears and the container gives an error about lack of filesystem permissions, open your Docker settings, go to Resources > File Sharing and click on the + icon to add a new directory. Add the directory from step 1 where you extracted the Imperva provided archive and click on Apply & Restart.
▪ If your shell is not one of those in the above examples, refer to the Docker documentation to see how to share your local filesystem with the container.

After the container runs, there will be a new file in your directory imperva-f5.tgz. You will use this file in the next
section to install the integration.

3. Upload the archive to the workspace:


1. Log in to your F5 instance.
2. Select Local Traffic > iRules > LX Workspace. The LX Workspaces window appears.
3. Click Import. The New Workspace… window appears.
4. Under Name, type imperva-f5.
5. Check the Archive File option.
6. Click Choose File. In the dialog box, navigate to the generated packaged plugin that you created in Step 3
above.
7. Click Import. The new Workspace appears in your Workspaces.
4. Create the imperva-f5 LX Plugin:
1. Select Local Traffic > iRules > LX Plugins.
2. Click Create...
3. Under Name, type imperva-f5.
4. Under From Workspace, click the drop down menu and select imperva-f5.
5. Click Finished.
5. Create a new pool for the analysis request:
1. Select Local Traffic > Pools > Pool List. The Pool List window appears.
2. Click Create. The New Pool window appears.


3. Under Name, type imperva.
4. Under New Members:
▪ Select New FQDN Node.
▪ Under Node Name, give it a name of your choice.
▪ Under Address, copy and paste the analysisHost value from the credentials.js file.
▪ Under Service Port, select HTTPS.
▪ Ensure that the Auto Populate drop down is set to Enabled.
5. Under Health Monitors, use the buttons to move tcp_half_open from Available to Active.
6. Click Add.
7. Click Finished.
6. Enable protection on a virtual server:
1. Select Local Traffic > Virtual Servers > Virtual Server List. The Virtual Server List window appears.
2. Select one of the servers that you want to protect. Verify that in Configuration > SSL Server, serverssl is
in the Selected box.

Note: The default serverssl profile is acceptable if none is already in use. Click Update if you are adding the server SSL profile.

Adding this profile when offloading SSL on the load balancer and sending HTTP requests to the
origin (TLS_TO_ORIGIN: "false") may cause an outage until the integration is activated. Be
sure to activate this profile during a scheduled maintenance window only.

3. Under the server's Resources tab, under iRules, click Manage.
4. Use the buttons to move imperva-f5 to Enabled.
5. Repeat for each virtual server you want to protect.
7. Test your integration. For more information, see Testing the Integration of Advanced Bot Protection with Third
Party Products.


Integrating Advanced Bot Protection with Nginx/Openresty

The following instructions explain setup of the Imperva OpenResty connector.

The intended audience for these particular instructions is seasoned Linux engineers familiar with the command line
and capable of debugging and troubleshooting. Please contact your Imperva Sales Engineer and Account Executive if
you are unsure about utilizing the OpenResty connector.

Notes:

• These instructions include procedures for actions in Nginx/Openresty. While these procedures were tested and found correct at the time of writing, they may change without Imperva's knowledge and thus Imperva cannot take responsibility for their accuracy. For more information, see the Nginx/Openresty documentation.

To integrate Imperva Advanced Bot Protection with Nginx/Openresty:

1. Get the example integration code - the Reference Implementation - by clicking on the appropriate link in the
Advanced Bot Protection Integration Library. Download the zip file to a location on your computer.
2. Unzip/unpack the zip file to a location on your computer.
3. Follow the instructions in the example given in the readme file from the Nginx/Openresty integration library.


Configuring the Interstitial Page

The Connector integration is designed to show an interstitial page whenever traffic from a bot is detected.

By default, the interstitial page is the following:

• for Lambda@Edge, Cloudfront, and F5: interstitial.hbs
• for Nginx: interstitial.html
• for Fastly: interstitial_page.html

This file is located as follows:

• for Lambda@Edge and Cloudfront: in the src/ directory
• for F5: in the /extensions/imperva-f5/ directory
• for Nginx: in the lua/imperva/ directory
• for Fastly: in the default or current directory

You can customize this page as you wish.

Edit this file, and those edits are shown on the page to bots (or humans, in the case of a false positive). It may be
helpful to include javascript to display the local time, IP address, and other debug information.

You can configure the language for the captcha itself via the window.geetestLang and window.recaptchaLang
variables by specifying the desired language. For more information, see each captcha provider's documentation.

Note: In the interstitial page there are several fields surrounded by the {{ and }} characters. These
are template strings for the integration and should remain in the page.


Testing the Integration of Advanced Bot Protection with a Connector


There are two tests that you can run to verify the integration of Advanced Bot Protection with the Connectors.

• Testing Integration with Connectors Using the Debug Header


• Testing the Functionality of the Integration of Advanced Bot Protection with Connectors Using the Script


Testing Integration with Connectors Using the Debug Header

This procedure tests for the minimum backend connectivity and confirms that the Advanced Bot Protection API is indeed accessible to requests on the protected web server.

To test minimum backend connectivity of the Advanced Bot Protection integration with Connectors using the debug
header:

1. Verify that the config.js file that you use in the integration has a value for the parameter x-distil-debug. This
should have been done during the integration process.
2. Either:

Use the debug header extension of your browser to send the test value to the ABP server:

1. In the extension to your browser that can add or modify http request headers, set a parameter x-distil-debug to the same value that x-distil-debug has in the config.js file.
2. Use the browser to make the specific x-distil-debug request. For more information, see your browser's documentation.

or:

Use a curl command to send the test value to the ABP server:

1. Run a CLI program.
2. Type:

curl -H 'x-distil-debug: <value-as-entered-in-the-js-file>' <website-URL>

and hit Enter.


Testing the Functionality of the Integration of Advanced Bot Protection with Connectors Using the Script

This procedure tests that the basic action functionality of Advanced Bot Protection is working properly on the protected web server.

The procedure tests the functionality of these basic actions, with the following results if working:

• Allow, Monitor, NULL (no action): should result in 200


• Block: should result in 403
• Captcha: should return a captcha URL
• Identify: should return the website's Force Identify HTML page which tells the user to activate Javascript, etc.

Note: Verify that you have Python 3 installed on your machine.

To test the functionality of the integration of Advanced Bot Protection with Connectors using the script:

1. Download the test_integration.py script from here.


2. Run a CLI program.
3. Type:

./test_integration.py --url <url-of-protected-website> --key <encryption-key>

where <encryption-key> is the tokenEncryptionKey from your Website Group's Credentials.

and hit Enter.

Notes:

▪ Verify that captcha is enabled for the site you are testing or the captcha checks will not work. For more information regarding captcha on CloudWAF, see Web Protection - Security Settings.
▪ For more information regarding captcha on the Connectors, see Understanding the Website Advanced Settings.
▪ When using Lambda@Edge, verify that the lambda function is associated with the path you are testing, or add it to all the non-static behaviors. For more information, see Integrating Imperva Advanced Bot Protection with Lambda@Edge on AWS Cloudfront.


Understanding Failure Handling for Advanced Bot Protection with Connectors

By default, every time that a request is passed to the Advanced Bot Protection server, the integration calls out to the analysis API seeking a direction.

If the API were down, causing errors or timeouts, no traffic would be allowed into the website and the website would be effectively disabled. To avoid this situation, you can employ one of two available strategies for dealing with API failure:

• Maximum Efficacy: This strategy strives to process the maximum number of requests, even at the expense of latency experienced by end-users.

You instruct Advanced Bot Protection to process all requests. If, after the user-configurable timeout (say, 2 seconds), a request has not been handled by the API, the system allows that request to go directly to the origin. The same applies to each subsequent request. Once the problem is resolved and requests are again being processed, all requests are routed through the API and bot protection is optimized.

• Minimum Latency: This is the default option.

This strategy disengages protection after a certain number of requests have failed, so that requests do not go to the API at all.

You instruct Advanced Bot Protection not to process any requests if there is any latency at all. Then, after the user-configurable timeout, Advanced Bot Protection attempts to process another request. If successful, all requests are routed through the API and bot protection is optimized.
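
The two strategies above, modelled as an added example that is not the connector's own code: the Distil library's BackoffStrategy and HealthcheckStrategy are referenced in the documentation by name only, so the classes, the ApiResult shape, the failure threshold and the simulate driver here are assumptions made for illustration.

```typescript
// Added example (not the Distil connector's own code): the two failure-handling
// strategies described above, modelled as small classes. The analysis API is a
// synchronous callback reporting success and latency, so runs are deterministic.

type Verdict = "allow" | "monitor" | "block" | "captcha" | "identify";

// Constructed result of one analysis-API call (hypothetical shape, not the real API).
interface ApiResult {
  ok: boolean;        // false = connection error or non-success response
  latencyMs: number;  // time the call took; compared against the timeout
  verdict?: Verdict;  // the API's direction when ok
}

type ApiCall = () => ApiResult;

interface Decision {
  verdict: Verdict;
  source: "api" | "fail-open" | "bypass";
}

interface FailureStrategy {
  handle(call: ApiCall, nowMs: number): Decision;
}

// Maximum Efficacy: every request is sent to the API. A request whose call fails
// or exceeds the timeout goes straight to the origin; the next one is still tried.
class BackoffStrategy implements FailureStrategy {
  private readonly timeoutMs: number;

  constructor(timeoutMs: number) {
    this.timeoutMs = timeoutMs;
  }

  handle(call: ApiCall, _nowMs: number): Decision {
    const r = call();
    if (r.ok && r.latencyMs <= this.timeoutMs && r.verdict !== undefined) {
      return { verdict: r.verdict, source: "api" };
    }
    return { verdict: "allow", source: "fail-open" };
  }
}

// Minimum Latency (the default): after maxFailures consecutive failed or slow
// calls the API is no longer consulted and requests bypass it. Once retryAfterMs
// has elapsed, one request is used as a probe; if it succeeds, all requests are
// routed through the API again.
class HealthcheckStrategy implements FailureStrategy {
  private readonly timeoutMs: number;
  private readonly maxFailures: number;
  private readonly retryAfterMs: number;
  private failures = 0;
  private disabledAtMs: number | null = null;

  constructor(timeoutMs: number, maxFailures: number, retryAfterMs: number) {
    this.timeoutMs = timeoutMs;
    this.maxFailures = maxFailures;
    this.retryAfterMs = retryAfterMs;
  }

  isDisabled(): boolean {
    return this.disabledAtMs !== null;
  }

  handle(call: ApiCall, nowMs: number): Decision {
    if (this.disabledAtMs !== null && nowMs - this.disabledAtMs < this.retryAfterMs) {
      return { verdict: "allow", source: "bypass" }; // protection disengaged
    }
    const r = call(); // normal call, or the single probe after the wait
    if (r.ok && r.latencyMs <= this.timeoutMs && r.verdict !== undefined) {
      this.failures = 0;
      this.disabledAtMs = null;
      return { verdict: r.verdict, source: "api" };
    }
    this.failures += 1;
    if (this.failures >= this.maxFailures) {
      this.disabledAtMs = nowMs; // (re)start the wait before the next probe
    }
    return { verdict: "allow", source: "fail-open" };
  }
}

// Drive a strategy over a scripted sequence of API outcomes: request n is made
// at n * stepMs and, if the strategy consults the API, receives script[n].
function simulate(strategy: FailureStrategy, script: ApiResult[], stepMs: number): Decision[] {
  return script.map((result, n) => strategy.handle(() => result, n * stepMs));
}

// Constructed outage: one good call, an error, a reply slower than the 2 s
// timeout, then recovery. One request per second.
const OK: ApiResult = { ok: true, latencyMs: 80, verdict: "block" };
const OUTAGE: ApiResult[] = [OK, { ok: false, latencyMs: 2000 },
  { ok: true, latencyMs: 4500, verdict: "block" }, ...Array.from({ length: 7 }, () => OK)];

const strategies: Array<[string, FailureStrategy]> = [
  ["BackoffStrategy", new BackoffStrategy(2000)],
  ["HealthcheckStrategy", new HealthcheckStrategy(2000, 2, 5000)], // 2 failures disengage, probe after 5 s
];
for (const [name, s] of strategies) {
  console.log(name, simulate(s, OUTAGE, 1000).map((d) => d.source).join(" "));
}
```

With the constructed outage, BackoffStrategy keeps calling the API and fails open on exactly the two bad requests, while HealthcheckStrategy bypasses the API for the next four requests and only re-engages once its probe succeeds.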

To configure a failure handling strategy for Advanced Bot Protection with Connectors:

1. After you have downloaded the third party Reference Implementation package to your machine and before you
execute the integration, navigate to the src folder in the unzipped/unpacked folders.
2. Open the index.ts file in a text editor.
3. In the subsection about fetcher, edit the new Distil.<failure-handling-strategy-parameter> line as follows:

If you want Maximum Efficacy, change the <failure-handling-strategy-parameter> to BackoffStrategy. So the line reads:

new Distil.BackoffStrategy(), // The strategy to use

If you want Minimum Latency, change the <failure-handling-strategy-parameter> to HealthcheckStrategy (or leave it that way, as it is the default value). So the line reads:

new Distil.HealthcheckStrategy(), // The strategy to use

4. If you like, you can also change the timeout value in the line below.
5. Save the file.
6. Continue with the integration.


Advanced Bot Protection Integration Libraries


Use the following links to access the appropriate Reference Implementation for your CDN:

• Cloudflare: Cloudflare Integration Library
• Lambda@Edge on AWS Cloudfront: Lambda@Edge on AWS Integration Library
• F5: F5 Integration Library
• Openresty: Openresty Integration Library
• Fastly: Fastly Integration Library


Advanced Bot Protection Use Cases and Best Practices


Bot Protection is a Complex Issue

The positive value or negative utility of a bot is a complex issue, and is not a function of the bot and how it functions,
but of the following:

• What it is designed to do
• How it impacts a business
• The perspective of the organization on the bot’s activity – as will be seen, not everyone in an organization has
the same view regarding a particular bot.

This means that there is no simple binary block/allow choice when a certain type of traffic is identified. Indeed, there
are good bots that everybody knows about, but there are many bots which lie in a gray area and so you must very
carefully examine the effects of such a bot, and understand how it impacts your particular business, to intelligently
tailor your defense against it.

To illustrate this complexity:

• Obvious good bot: A search engine crawler is a bot that crawls your website in order to index it and rank it on
search engines. This is universally regarded as a good bot – everyone wants their business’s website to place
high on searches.
• Obvious bad bot 1: An Account Takeover attack uses bots to bombard a website login form in order to try to
crack user credentials. This is generally regarded as a bad bot – no-one wants the reputation as a website from
which user data can be easily stolen.
• Obvious bad bot 2: A price scraper is a bot that takes pricing data from a website and uses it elsewhere. This
involves massive amounts of data. In the case of one seller of car parts and service, a bot added every single
item in the inventory to a shopping cart. The downside of that was load. This amount of activity created load
that crashed the website.
• Complex bot: What about a bot that buys tickets from a vendor – say for an event – and then relists them for a
much higher price? This is called snatching limited availability inventory. Here things get complicated.

The Sales department is happy as their tickets get sold. However, Customer Service and Marketing are unhappy
because of upset customers complaining about the inflated prices of the resold tickets and the unavailability of
tickets at the advertised price – denial of inventory.

The organization needs to decide if the activity that is driving sales is worth the brand damage. You may have
already decided to take action against this type of abuse. If so, the instructions below show you how.

The significance of the dilemma in this last example cannot be overstated. It illustrates a vital principle: you must carefully tailor and focus your bot solution to your precise business needs.

Further, bot attacks are not always security threats. For example, imagine a company whose business is a global
distribution system (GDS) for the airlines industry – a clearing house for flight sales. The airlines’ customers use the
GDS service to search for complex flight combinations and the airlines pay the GDS company for each search. The
price is based on a presumed ratio of look-to-book. But a bot that is price scraping on the GDS website increases the
"looks" without altering the "books", thus inflating the airlines’ overage fees for using the GDS service. The presumed
ratio, together with the entire business model, is ruined.


In summary, with Advanced Bot Protection, you want to deploy protection narrowly to solve a specific problem or use case that is meaningful to your business, one that eases a measurable and felt pain. Remember that blocking bots means blocking traffic, and traffic is one of your most valuable assets, one you have invested many resources to generate.

What Bad Bots Do

Each entry lists the bad bot problem, how it hurts the business, the signs you have a problem, and the industries targeted.

Bad bot problem: Price Scraping
How it hurts the business: Competitors scrape your prices to beat you in the marketplace. You lose business because your competitor wins the SEO search on price. Lifetime value of customers worsens.
Signs you have a problem: Declining conversion rates. Unexplained website slowdowns and downtime, usually caused by aggressive scrapers.
Industries targeted: All businesses that show prices: Retail, Gambling, Airlines, Travel.

Bad bot problem: Content Scraping
How it hurts the business: Proprietary content is your business. When others steal your content they are a parasite on your efforts. Duplicate content damages your SEO rankings.
Signs you have a problem: Your content appears on other sites. Your SEO rankings drop. Unexplained website slowdowns and downtime, usually caused by aggressive scrapers.
Industries targeted: Similar to Price Scraping, but in addition: Job boards, Classifieds, Marketplaces, Finance, Ticketing.

Bad bot problem: Account Takeover (aka Credential Stuffing, Credential Cracking)
How it hurts the business: Stolen credentials tested on your site. If successful, the ramifications are account lockouts, financial fraud, and increased customer complaints affecting customer loyalty and future revenues.
Signs you have a problem: Increase in failed logins. Increase in customer account lockouts and customer service tickets. Increase in fraud (lost loyalty points, stolen credit cards, unauthorized purchases). Increase in chargebacks.
Industries targeted: Any business with a login page requiring username and password.

Bad bot problem: Account Creation (aka Account Aggregation)
How it hurts the business: Free accounts used to spam messages or amplify propaganda. Exploit any new account promotion credits (money, points, free plays).
Signs you have a problem: Abnormal increases in new account creation. Increased comment spam. Drop in conversion rates from new accounts to paying customers.
Industries targeted: Messaging platforms (Social media, Dating sites, Communities); Sign-up promotion abuse (Gambling).

Bad bot problem: Credit card fraud (aka Carding, Card Cracking)
How it hurts the business: Criminals testing credit card numbers to identify missing data (exp. date, CVV). Damages the fraud score of the business. Increases customer service costs to process fraudulent chargebacks.
Signs you have a problem: Rise in credit card fraud. Increase in customer support calls. Increased chargebacks processed.
Industries targeted: Any site with a payment processor: Retail, Nonprofit/Charities, Airlines, Travel, Ticketing, Financial, Gambling.

Bad bot problem: Denial of service
How it hurts the business: Slows the website performance causing brownouts or downtime. Lost revenue from unavailability of websites. Damaged customer reputation.
Signs you have a problem: Abnormal and unexplained spikes in traffic on particular resources (login, signup, product pages, etc.). Increase in customer service complaints.
Industries targeted: All industries.

Bad bot problem: Gift card balance checking
How it hurts the business: Steal money from gift card accounts that contain a balance. Poor customer reputation and loss of future sales.
Signs you have a problem: Spike in requests to the gift card balance page. Increase in customer service calls about lost balances.
Industries targeted: Retail.

Bad bot problem: Denial of inventory
How it hurts the business: Bots hold items in shopping carts, preventing access by valid customers. Damaged customer reputation because unscrupulous middle men hold all inventory until resold elsewhere.
Signs you have a problem: Increase in abandoned items held in shopping carts. Decrease in conversion rates. Increase in customer service calls about lack of availability of inventory.
Industries targeted: Scarce or time-sensitive items: Airlines, Tickets, Retail, Healthcare.

Bad bot problem: Scalping (aka Grinchbots, Sneaker Bots, Ticket Bots, Vaccine Bots)
How it hurts the business: Bots are used to obtain limited-availability and/or preferred goods/services. Damaged customer reputation. Slows the website performance causing brownouts or downtime, leading to loss of revenue.
Signs you have a problem: Website slowdowns, potentially even Denial of Service as a side effect of the many requests to the web server. Decrease in conversion rates. Increase in customer service calls about lack of availability of inventory.
Industries targeted: Similar to Denial of Inventory: Airlines, Tickets, Retail (Sneakers, Consoles, Computer hardware, Limited Edition items), Healthcare.

Bad Bots by Industry

Each entry lists the industry, what businesses are included, and what bad bots do.

Industry: Automotive
What businesses are included: Manufacturers, dealerships, vehicle marketplaces
What bad bots do: Price Scraping, Data Scraping, Inventory Checking

Industry: Business Services
What businesses are included: Real estate, third party vendors like Retail platforms, CRM systems, business metrics
What bad bots do: Attacks on the API layer, Data Scraping, Account Takeover

Industry: Computing & IT
What businesses are included: IT services, IT providers, services and technology providers
What bad bots do: Account Takeover, Scraping

Industry: Education
What businesses are included: Online learning platforms, schools, colleges, universities
What bad bots do: Account Takeover for students and faculty, class availability, scraping proprietary research papers and data

Industry: Entertainment & Arts
What businesses are included: Streaming services, ticketing platforms, production companies, venues
What bad bots do: Account Takeover, Price Scraping, Inventory Checking, Scalping

Industry: Financial Services
What businesses are included: Banking, insurance, investments, cryptocurrency
What bad bots do: Account Takeover, Carding, Card Cracking, custom Content Scraping

Industry: Food & Beverages
What businesses are included: Food delivery services, online grocery shopping, food & beverage brand sites
What bad bots do: Credit Card Fraud, Gift Card Fraud, Account Takeover

Industry: Gaming & Gambling
What businesses are included: Online gaming, casinos, sport betting
What bad bots do: Account Takeover, Odds Scraping, account creation for promotion abuse

Industry: Healthcare
What businesses are included: Health services, pharmacies
What bad bots do: Account Takeover, Content Scraping, Helpful bots - vaccine availability, Inventory Checking, vaccine appt availability

Industry: Government
What businesses are included: Law & government websites, citizen services, states, municipalities, metropolitans
What bad bots do: Account Takeover, Data Scraping of business registrations listings, voter registration

Industry: Marketing
What businesses are included: Marketing agencies, advertising agencies
What bad bots do: Custom Content Scraping, ad fraud, denial of service, skewing

Industry: News
What businesses are included: News sites, online magazines
What bad bots do: Custom Content Scraping, ad fraud, comment spam

Industry: Retail
What businesses are included: E-commerce, marketplaces, classifieds
What bad bots do: Denial of inventory (Grinchbots, sneakerbots etc.), Credit Card Fraud, Gift Card Fraud, Account Takeover, Data and Price Scraping, skewing

Industry: Society
What businesses are included: Nonprofits, faith and beliefs, romance and relationships, online communities, LGBTQ, genealogy
What bad bots do: Data Scraping, Account Takeover, account creation, testing stolen credit cards on donation pages

Industry: Sports
What businesses are included: Sports updates, news, live score services
What bad bots do: Data Scraping (live scores, odds etc.)

Industry: Telecom & ISPs
What businesses are included: Telecommunications providers, mobile ISPs, hosting providers
What bad bots do: Account Takeover, competitive Price Scraping

Industry: Travel
What businesses are included: Airlines, hotels, holiday booking
What bad bots do: Price and Data Scraping, skewing of look-to-book ratio, denial of service, Price Scraping, Account Takeover

Setting Up Protection in Five Strategic Steps

1. Identify your ABP use case
2. Find the paths on your applications that are associated with the use case
3. Define and scope the High Value Target (HVT) paths on ABP
4. Enable protection on the HVT paths
5. Build reporting views that show detected bots on these HVT paths

Here are the details:

1. Identifying your ABP use case

You may have a very strong idea of what your organization’s bot problem is. On the other hand, you may simply
be responding to a general "get bot protection" instruction with only a vague concept of what it means. If you
fall in the latter camp, use the above table as your starting point, identifying the vertical which defines your
business, and the bot vectors that that vertical is likely to attract.

2. Finding the paths on the application that are associated with the use case

Bot writers spend enormous effort studying their targets so that their bots get right to the vulnerable points as
efficiently as possible. This reconnaissance includes creating fake accounts to study the target paths, studying
the target’s javascript tags, analyzing the target’s cookies and, most importantly, identifying the URLs and APIs
that are pertinent to their objective.


Understanding this last point is critical. Bots target particular URLs, those that suit their objectives. A credential
stuffing bot focuses on the URL that submits and validates credentials. A flight data scraping bot targets the URL
that sends the search query to the origin that returns the flight search results. And so it goes. Bots do not waste
their time on other parts of the application. They go directly to where the value is.

Once you have identified your use case, find the paths on your application that are associated with that use
case. Those paths are where you are going to set up your defenses.

Be aware that a common mistake is using the page of the form and not the true submission request. For
example, a user goes to www.website.com and clicks on "Login", which takes the user to the page
www.website.com/Login with a form to submit their sign-in credentials. You might think this is the path that needs to
be protected. However, on inspection with browser tools, when you click "Log Me In" after typing in credentials
you see that it sends a POST to www.website.com/authenticate. This is the path you need to focus on. A bot
might hit the /login page, depending on the application and how its operator scripts the bot, but the end target is
really /authenticate, and that is what you want to zero in on in protection tuning and reporting.

3. Defining and scoping the HVT paths on ABP

You know your use case, and you know the paths on your application that are associated with it. How do you
proceed?

Imagine you are setting up protection against credential stuffing/cracking, i.e. account takeover (ATO). The login
endpoints that you have are as follows:

Used by the website:

POST to www.website.com/login (text/html)

POST to www.website.com/authenticate (application/json)

POST to secure.website.com/signin (application/json)

Used by the mobile application:

POST to m.website.com/signin (application/json)

Bots, especially advanced bots, are persistent by nature and will quickly move to the other endpoints on the
application that allow them to accomplish the same goal, but that have weaker defenses in place. Thus it is not
sufficient to onboard just the www endpoints to your ABP protection. You need to onboard them all, including
secure.website.com/signin and m.website.com/signin. It is important that you think ahead.

Be thorough. Make sure that you have covered all your endpoints including those on legacy applications. If your
APIs are used by native mobile applications, you will require Imperva's Mobile SDK to adequately defend those
APIs. For now, you may get by with allow-listing them if they are not being abused. Contact your Imperva account
executive, sales engineer, or customer success manager if you have any questions about what is necessary.

4. Enabling protection on these HVT paths

You know the use case, you know the paths, now you need to enable protection for those paths, and those
paths only.

The reasons are as follows:

▪ It is easier to show your organization’s leadership the value of ABP if you can show specific examples of,
"we got attacked here, we applied appropriate protection, and here we can show that that attack vector
has been mitigated."
▪ It promotes a prioritization focus and learning function. Catch-all processes often do not work or cause
excessive attention to attack vectors that have marginal effect. Focusing protection on the HVT paths only
is much more cost effective.
▪ It reduces the damaging effects of false positives. Since blocking bots means blocking traffic, and traffic is
your website’s asset, it is of critical importance to block only where absolutely necessary. Start at your
main pain point. See from the dashboard how successful that is, from the points of view of blocking bots
and keeping false positives low. Then you can begin to experiment with expanding coverage to the less
important paths.
5. Building reporting views that show detected bots on these HVT paths

When creating dashboards that are designed to show the effectiveness of the bot protection, the rate of false
positives and other data, a common user error that causes much data to be buried is to pull site-wide statistics.
You must focus on the use case in order to really understand the effects of your ABP intervention.

This is where the value of having specific paths defined at the very beginning comes full circle. It becomes a lot
easier to show traffic charts, % bot traffic detected, and generally building a more focused understanding of
what ABP is (and, possibly, is not) detecting. Often, addressing a false negative can be as powerful to proving
legitimacy as speaking to the true positives.

The easiest approach here is grouping sections by use case, and bundling all the paths to those use cases. From
there, you can show time series charts that clearly label the detected bot vs other traffic. You can give overall
statistics and percentages that you can use in your organization, and lastly couple it with data like "top
offenders."
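
As an added illustration of the use-case grouping described above (not part of the original documentation), the script below buckets a constructed request log by the HVT login paths named in this guide and compares the detected-bot share per use case with the site-wide figure; the verdict and client IP fields are assumed export columns.

```python
"""Use-case scoped bot reporting: the same detections measured site-wide and
per HVT-path group. Added example, not Imperva code; the log is constructed."""
from collections import Counter

# Use case -> its HVT endpoints (the login endpoints enumerated in this guide).
USE_CASES = {
    "ATO (login)": {
        ("www.website.com", "/authenticate"),
        ("secure.website.com", "/signin"),
        ("m.website.com", "/signin"),
    },
}

# Constructed sample traffic: (host, path, client_ip, verdict), where verdict is
# "bot" when ABP detected the request as a bot and "human" otherwise.
SAMPLE_LOG = [
    ("www.website.com", "/", "198.51.100.1", "human"),
    ("www.website.com", "/products", "198.51.100.2", "human"),
    ("www.website.com", "/products", "198.51.100.3", "human"),
    ("www.website.com", "/search", "198.51.100.4", "human"),
    ("www.website.com", "/search", "203.0.113.9", "bot"),
    ("www.website.com", "/about", "198.51.100.5", "human"),
    ("www.website.com", "/Login", "198.51.100.6", "human"),
    ("www.website.com", "/Login", "198.51.100.7", "human"),
    ("www.website.com", "/cart", "198.51.100.8", "human"),
    ("www.website.com", "/cart", "198.51.100.9", "human"),
    ("www.website.com", "/help", "198.51.100.10", "human"),
    ("www.website.com", "/products", "198.51.100.11", "human"),
    ("www.website.com", "/authenticate", "198.51.100.6", "human"),
    ("www.website.com", "/authenticate", "203.0.113.9", "bot"),
    ("www.website.com", "/authenticate", "203.0.113.9", "bot"),
    ("secure.website.com", "/signin", "203.0.113.9", "bot"),
    ("secure.website.com", "/signin", "203.0.113.20", "bot"),
    ("secure.website.com", "/signin", "198.51.100.7", "human"),
    ("m.website.com", "/signin", "203.0.113.20", "bot"),
    ("m.website.com", "/signin", "203.0.113.20", "bot"),
]


def classify(host: str, path: str, use_cases: dict) -> str:
    """Map a request to its use-case bucket, or to 'everything else'."""
    for name, endpoints in use_cases.items():
        if (host, path) in endpoints:
            return name
    return "everything else"


def bot_share(records: list) -> tuple:
    """(detected bots, total requests, percent bots) for a set of records."""
    total = len(records)
    bots = sum(1 for rec in records if rec[3] == "bot")
    pct = round(100 * bots / total, 1) if total else 0.0
    return bots, total, pct


def report(log: list, use_cases: dict) -> dict:
    """Site-wide figure first, then one entry per bucket."""
    buckets: dict = {}
    for rec in log:
        buckets.setdefault(classify(rec[0], rec[1], use_cases), []).append(rec)
    out = {"site-wide": bot_share(log)}
    for name, recs in buckets.items():
        out[name] = bot_share(recs)
    return out


def top_offenders(log: list, use_cases: dict, use_case: str, n: int = 3) -> list:
    """Client IPs with the most detected-bot requests inside one use case."""
    hits = Counter(rec[2] for rec in log
                   if rec[3] == "bot" and classify(rec[0], rec[1], use_cases) == use_case)
    return hits.most_common(n)


if __name__ == "__main__":
    for bucket, (bots, total, pct) in report(SAMPLE_LOG, USE_CASES).items():
        print(f"{bucket:16} {bots:>2}/{total:<2} bot requests ({pct}%)")
    print("top offenders (ATO):", top_offenders(SAMPLE_LOG, USE_CASES, "ATO (login)"))
```

On this sample the site-wide figure is 35% bot traffic while the login use case alone is 75%, which is the signal that site-wide statistics bury; note also that visits to the /Login form page land in "everything else", because only the true submission request /authenticate is in the use case.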

Understanding Best Practices in Enabling Bot Protection

When you are ready to begin with ABP, you should have a Website or set of Websites you are looking to onboard. If you
are using CloudWAF you first need to onboard the Website to CloudWAF. For more information see Getting Started
with Imperva Advanced Bot Protection. If you are using a standalone Connector, follow the steps here Getting Started
with Advanced Bot Protection - Using a Connector for your respective integration point.

Next you want to enter Advanced Bot Protection’s settings, and from there set up a Website Group.

Understanding Website Groups

Setting up Website Groups is intuitive when you have only one or two Websites. It can become trickier if you intend to
put lots of distinctive Websites on ABP, or lots of Websites fronting the same underlying application (for example:
site.com, site.co.uk, site.de, site.fr, etc.).

The main advantage to Website Groups is that you are grouping Websites so that changes to protection configurations
will apply to all Websites under that Website Group. For example, if you create a Website Group called My Website
Group and add website1.com, website2.com, and website3.com to it, when you add a Condition to block IP =
1.1.1.1, that Condition will apply to all three of those Websites.

The main considerations lie in the answers to the following questions:

1. Does your organization have very strict change control processes, where they have to run changes
through a lower environment?

Many organizations use a testing or staging environment on which added features, bug fixes and other changes
are tested before being deployed to the production environment. Such testing or staging environments are
called "lower" environments.

With bot protection, the test results on a lower environment do not necessarily carry over into the production
environment. First, you may have automated testing in the lower environment that you do not have in
production. Further, the production environment, with its greater number and variety of real clients, simply
cannot be mimicked by the lower environment.

Resist the temptation to create a Website Group for each environment. Each additional Website adds more
complexity and overhead. Additionally, think of ABP Conditions as traffic signatures, not code deployments.
Enabling these Conditions in lower environments is a fundamental miss when the intent is to mitigate against
false positives. The safest way to mitigate false positives is to measure what traffic the Condition is tagging on
actual production traffic in Passive mode by using the ABP reports. The thinking, "I enabled it on my QA site and
we tested it, so let’s enable it on Production since no issues came back," is fundamentally wrong. These are
traffic signatures that can and should be measured against production traffic.

2. How many Websites do you intend to protect? One? A few? 10-20? Or hundreds?

The number of Websites you want to add can change how to set up Website Groups. The main benefit to
grouping Websites into a single Website Group is that it allows for bulk management. The main benefit to
breaking out Websites into multiple Website Groups is the ability to get granular with protection settings for any
given Website. When you have lots of Websites, it tends to be the case that maybe one or a few of them drive the
majority of the business revenue. Then the rest fall into a long tail of less impact/importance. In that case, it
might make sense to group that long tail into a single Website Group, while the main business-driving Websites
are broken out, for more fine-tuned control. Those higher value target Websites are also the more likely to get
targeted, where the fine-tuning will be required.

If you intend to onboard many domains, ask whether they are entirely different applications (abc.com and xyz.com) or
the same application segmented by geography or business sector (bank1.com, bank2.com, bank3.com, etc. or
site.com, site.de, site.fr, etc.).

When you have a large number of distinctive sites, you must understand that there are going to be limitations in
how effective and fine-tuned the protection can be. If you are looking for more of a checkbox solution, you
could group all the distinctive Websites into a single Website Group and keep things simple. But this approach
begins to unravel when individual Websites have issues with the blanketed protection setup. However, if you
have many Websites that are all the same underlying application, then this is a perfect use case for Website
Groups (Website Group name = "MySite", Websites include: mysite.com, mysite.co.uk, mysite.ie, etc.). This is
particularly useful if you have a single application that is skinned and hosted for all the respective countries in
which it operates (.co.uk, .ie, .de, .com, etc.).

3. Does your user’s journey traverse a number of Websites?

If this is the case, it is best to group those Websites into a single Website Group. For example: The user types text
in site.com, gets redirected to www.site.com, and goes to log in. They click on Sign In, fill out their credentials,
and this fires off an API call to signin.site.com. In this case, it makes sense to have a Website Group called
"site.com" and put in it all the pertinent Websites: site.com, www.site.com, and signin.site.com.

Per-Path Policy Assignments, Policies, Directives and Conditions

Once you have your Website Group, you step into the next parts of ABP which allow you to define "what protection to
apply" and "how/where to apply it".

Per-Path Policy Assignments

When you onboard a Website to ABP out of the box, it has two Per-Path Policy Assignments (for more information, see
Understanding per-Path Policies):

(?i)\.(gif|png|jpe?g|css|js|ico|svg|swf|webp|otf|woff2?|ttf|eot|txt)$

This is a path match regexp for catching static assets that most customers do not wish to protect. If you need to
protect some of these assets, remove an extension from the list. If you need to add a static asset to ignore, add its
extension to the list along with a 'pipe' operator |.

/

This is a path match catch-all for all other requests, since every URL has a "/".

If you think about all of your Website’s traffic as a pie, think of per-Path Policy Assignments as your way to carve it into
individual slices. Out of the box, there are two slices: static assets and everything else.

Let’s say you want to carve out one more slice, for your Login traffic. You can add a per-Path Policy Assignment, using
either a prefix match or regexp match, to scope /Login (for example).

Per-Path Policy Assignments provide two values. Firstly, per-Path Policy Assignments take in a Policy assignment. This
means you can have your login traffic protected by a different Policy from everything else, perhaps more rigorous
checks versus the broader website. Secondly, per-Path Policy Assignments add value on the Reporting side. They help
classify and categorize traffic in clean buckets, so that you can see traffic broken down by these per-Path Policy
Assignments. Extending that concept out, think of per-Path Policy Assignments as your use case classifier. This helps
promote the narrative within your organization. If you are concerned about ATO, you can scope a per-Path Policy
Assignment that maps out your login traffic, and then you can build reports specific to that per-Path Policy
Assignment to show proof of value very quickly and intuitively.

For ABP, per-Path Policy Assignments address "how/where to apply my protection". Policies are the containers that
hold the individual protection rules and "actions to take".

By scoping per-Path Policy Assignments and then assigning them a Policy, we create the ability to say "For this subset
of traffic (a per-Path Policy Assignment), apply these protection settings (a Policy)."

Policies

Think of Policies as a container that groups individual rules - Conditions. It is our "protection profile". A Policy comes
standard with the following Directives (for more information see Understanding the Structure of the Policies and the
Default Policy): allow, block, captcha_cleared, captcha, identify, tarpit, delay, and monitor.

Directives

These Directives are hardened "instructions", or "actions to take" that the platform understands. When a request
comes in, the platform compares the request’s URL against the defined per-Path Policy Assignments in a top-down
fashion (the first match wins). When it finds the winning per-Path Policy Assignment, it looks to the Policy assigned to
that per-Path Policy Assignment. It steps into that Policy and, again, processes it top down.

For this reason, the out-of-the-box order of these directives is very deliberate.

• Allow: For allow-listing requests
• Block: Serves a static "block" page, similar to the CloudWAF block page
• captcha_cleared: Where captcha immunity is defined and how long to set the immunity window
• captcha: Serves a captcha challenge. If the client completes it, they are allowed through under the Condition
set in the captcha_cleared directive
• identify: Triggers the identification process. It serves an interstitial page to the user that has the ABP javascript,
as a last ditch effort to get them to identify, i.e. fingerprint.
• tarpit: No response is sent. Keeps the bot waiting, sucking up its resources.
• delay: Adds a few seconds of response time to the request. This might not even be noticed by a human user, but
greatly reduces bot efficiency.
• monitor: This directive is redundant and can be ignored. Conditions now have the ability to be set to Active/Passive in
the mitigation-based Directives.

Directives contain Conditions. Think of Directives as the "action to take" and the Condition as "the signal to take that
action".

Conditions

Conditions are the building blocks of ABP protection.

You might think of a rule/rule engine in the structure of "if this, then do that". Here, the Condition logic is the "if this" and
the Directive you place the Condition under is the "then do that".

A Condition can be written using many different elements. See an example below:

A single Condition houses any number of individual Signatures. Signatures can be written using:

• HTTP Headers
• Flags: think of these as the underlying client interrogation challenges of ABP
• ABP Metadata like rate limit counters and platform fingerprints/identifiers

Understanding Managed Conditions

When you create a new Website Group on ABP, it comes by default with two per-Path Policy Assignments: static assets
(no Policy applied to these assets – i.e. allow-listed), and a catch-all "contains /" per-Path Policy Assignment which has
the Website Group's Default Policy.

The standard Default Policy comes with the five standard Directives discussed above, and there are several Conditions
pre-inserted into those Directives. These pre-inserted Conditions are Managed Conditions. Think of them as your out-
of-the-box, product-endorsed rule sets, i.e. "These are the settings you should enable, and you should enable them in
the Directives in which they have already been placed, because that is the recommended action to take for that
respective threat."

All Conditions fall into one of two categories: Managed Conditions and Custom Conditions. The Conditions that are
present in the Default Policy are Managed Conditions. Every new Condition you create is considered a Custom/Other
Condition. If you want to block an IP, you use a Custom Condition. Managed Conditions are further distinguished by
the italicized annotation "Managed Condition" at the bottom of the Condition block (see the screenshot above).

Many of the Managed Conditions are simply composites of platform Flags. Remember, Flags are the core client
interrogation checks of ABP. For example, there is a Flag that checks if the browser is running Selenium. That Flag is
part of the Automation Managed Condition that checks for various automation tools. That list of flags under the
Automation Managed Condition is:

(any
  flags.automation_casper_js
  flags.automation_chrome_driver
  flags.automation_firefox_driver_1
  flags.automation_firefox_driver_2
  flags.automation_firefox_driver_6
  flags.automation_ie_driver
  flags.automation_phantom_js
  flags.automation_selenium_ide
  flags.automation_unknown_driver
  flags.automation_visual_web_ripper
  flags.script_dict_shell_ui_automation
  flags.web_driver
)
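
The evaluation order described in the Directives section (per-Path Policy Assignments matched top-down, then the assigned Policy's Directives processed top-down) and the Automation composite listed above, modelled as an added Python example that is neither Imperva's implementation nor the Moi language: the static-asset regexp, the Directive order and the flag names are taken from this guide, while the placement of the Automation Condition in particular Directives, the office IP allow list and the sample requests are assumptions constructed for the illustration.

```python
"""Model of ABP request evaluation: per-Path Policy Assignment (first match
wins), then the assigned Policy's Directives top-down (first Directive whose
Condition fires decides). Added illustration, not Imperva's code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Static-asset regexp exactly as documented for the out-of-the-box assignment.
STATIC_ASSET_RE = r"(?i)\.(gif|png|jpe?g|css|js|ico|svg|swf|webp|otf|woff2?|ttf|eot|txt)$"

# Out-of-the-box Directive order from this guide.
DIRECTIVE_ORDER = ["allow", "block", "captcha_cleared", "captcha",
                   "identify", "tarpit", "delay", "monitor"]

# Flags making up the Automation Managed Condition, as listed above.
AUTOMATION_FLAGS = [
    "flags.automation_casper_js", "flags.automation_chrome_driver",
    "flags.automation_firefox_driver_1", "flags.automation_firefox_driver_2",
    "flags.automation_firefox_driver_6", "flags.automation_ie_driver",
    "flags.automation_phantom_js", "flags.automation_selenium_ide",
    "flags.automation_unknown_driver", "flags.automation_visual_web_ripper",
    "flags.script_dict_shell_ui_automation", "flags.web_driver",
]

Condition = Callable[[dict], bool]   # "if this": a signal over the request


def automation(request: dict) -> bool:
    """(any flags...) composite: true if any automation Flag was raised."""
    return any(request.get("flags", {}).get(f, False) for f in AUTOMATION_FLAGS)


def ip_in(allowed: set) -> Condition:
    """Custom Condition, e.g. allow-listing office IPs (constructed values)."""
    return lambda request: request.get("ip") in allowed


@dataclass
class Policy:
    name: str
    directives: dict = field(default_factory=dict)  # directive -> [Condition]

    def evaluate(self, request: dict) -> str:
        for directive in DIRECTIVE_ORDER:          # processed top-down
            if any(c(request) for c in self.directives.get(directive, [])):
                return directive                    # "then do that"
        return "allow"                              # nothing fired: pass through


@dataclass
class PathAssignment:
    label: str
    matches: Callable[[str], bool]
    policy: Optional[Policy]   # None = no Policy assigned, i.e. allow-listed


def regexp_match(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern)
    return lambda path: compiled.search(path) is not None


def prefix_match(prefix: str) -> Callable[[str], bool]:
    return lambda path: path.startswith(prefix)


def resolve(assignments: list, request: dict) -> tuple:
    """Top-down per-Path match (first wins), then the assigned Policy's verdict."""
    for assignment in assignments:
        if assignment.matches(request["path"]):
            if assignment.policy is None:
                return assignment.label, "allow"
            return assignment.label, assignment.policy.evaluate(request)
    return "unmatched", "allow"


OFFICE_IPS = {"203.0.113.10"}   # constructed placeholder (documentation range)

# Assumed placement: Automation is challenged site-wide but blocked on login.
default_policy = Policy("Default Policy", {"captcha": [automation]})
login_policy = Policy("Login Policy",
                      {"allow": [ip_in(OFFICE_IPS)], "block": [automation]})

ASSIGNMENTS = [
    PathAssignment("static assets", regexp_match(STATIC_ASSET_RE), None),
    PathAssignment("/Login", prefix_match("/Login"), login_policy),
    PathAssignment("catch-all /", regexp_match("/"), default_policy),
]
# Same slices with the catch-all placed first: the /Login slice can never win.
MISORDERED = [ASSIGNMENTS[0], ASSIGNMENTS[2], ASSIGNMENTS[1]]

# Constructed sample requests.
HEADLESS_LOGIN = {"path": "/Login", "ip": "198.51.100.7",
                  "flags": {"flags.automation_chrome_driver": True}}
OFFICE_LOGIN = {**HEADLESS_LOGIN, "ip": "203.0.113.10"}
HEADLESS_SEARCH = {**HEADLESS_LOGIN, "path": "/search"}
LOGO = {"path": "/img/Logo.PNG", "ip": "198.51.100.7", "flags": {}}

if __name__ == "__main__":
    for req in (LOGO, HEADLESS_LOGIN, OFFICE_LOGIN, HEADLESS_SEARCH):
        print(req["path"], "->", resolve(ASSIGNMENTS, req))
    print("/Login with catch-all first ->", resolve(MISORDERED, HEADLESS_LOGIN))
```

The misordered list shows why the catch-all must stay last: with "/" ahead of the /Login slice, a login request is judged by the Default Policy and the login-specific protection is never consulted.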

While Custom Conditions are as simple to understand as "any condition that is not a Managed Condition", note that
most of the Custom Conditions that get added are going to be to meet your specific needs. ("I need to allow-list my
office IPs." "I have to allow-list this header for our pentest." "This organization needs to be blocked from accessing the
site." And so on.)

The most important thing about the Managed Conditions is their innate synergy. When combating bots, there is no
single silver bullet. Tools and advanced software can bypass many checks, and any single powerful check may also
leave backdoors open. This means that you need a layer of rule sets that target and look for specific things that
collectively come together as a single powerful defense policy.

Imagine you are running a bar. You do not want to let anyone in who is underage. You also do not want to let anyone in
who is acting reckless and possibly endangering those around them. If all you did was an ID check and then allow
individuals in on that single yes/no, you will eventually let reckless people in. If all you did was run some quick
cognizance checks on people, and ignore IDs, you would miss the underage individuals. So there is a need for multiple
checks. Bot detection follows this same idea. Layering in interrogation rulesets that evaluate the full spectrum of
browser/client details allows you to still catch bad actors, even when they circumvent one or many of the checks.
Managed Conditions collectively look for:

• Malicious User Agent Structures, Characters, and Strings
• Known Malicious IP Sources (KVDC)
• Common Automation Tools
• Running a Valid JS Engine
• Browser Postback Data Validity (JSATs, "Is who you say you are even possible?")
• Content Access Rate (Rate Limiting)

Any of these checks on its own can eventually be circumvented, but the synergistic nature of all of these pieces
creates a lane narrow enough that bad actors must operate within it, so that either their operation becomes more
and more costly, or they are deterred in their pursuit and give up or move to another target.

Migrating from Distil Bot Defender to Advanced Bot Protection

The topics below provide the required steps for you to activate Advanced Bot Protection and migrate the relevant
elements from your current Distil Bot Defender setup.

This is for the most part done manually, by examining your setup in Distil Bot Defender and creating a similar one in
Advanced Bot Protection.

• Prerequisites for Migrating from Distil Bot Defender
• Understanding the Workflow in Migrating from Distil Bot Defender
• Recreating the Distil Bot Defender Setup in Advanced Bot Protection
• Distil Bot Defender Migration FAQ

Prerequisites for Migrating from Distil Bot Defender


Before you actually start the migration process, verify the following:

• You have agreed upon a deployment topology for your migration with your Imperva Sales Engineer. If you have
not already done so, contact your Imperva Account Executive to schedule a call with a Sales Engineer.
• You have added your first website in CloudWAF. This applies only if you are migrating to CloudWAF. The Website
should be the same website you have with the Distil Bot Defender. For more information, see Onboarding a Site
– Web Protection and CDN.
• You have set up your Website and created a Default Policy in Advanced Bot Protection. For more information,
see Getting Started with Imperva Advanced Bot Protection and Creating a Website Group. This sets up your
Default Policy. The Website should be the same website you have with the Distil Bot Defender, the one you
already added to CloudWAF.

Understanding the Workflow in Migrating from Distil Bot Defender


When you execute the migration, your overall workflow should be as follows:

• Verify that all the prerequisites are met. For more information, see Prerequisites for Migrating from Distil Bot
Defender.
• In order to maintain protection of your assets during the migration process, as you perform the migration, it is
recommended that you use both your Distil Bot Defender environment and Advanced Bot Protection in series.
How to place Advanced Bot Protection inline with your traffic will depend on your deployment model: Consult
with your Imperva Sales Engineer should you have any questions.
• In Advanced Bot Protection, recreate the elements in order. For more information, see Recreating the Distil Bot
Defender Setup in Advanced Bot Protection.
• When all the elements have been migrated and are recreated in Advanced Bot Protection, remove Distil Bot
Defender from the request flow by pointing the Advanced Bot Protection integration point at your origin.
Consult with your Imperva Sales Engineer should you have any questions.

Recreating the Distil Bot Defender Setup in Advanced Bot Protection


In Advanced Bot Protection, you need to recreate the following Distil Bot Defender elements:

1. Domains: You set up the same Websites in Advanced Bot Protection that you have in Distil Bot Defender. You
may want to group similar Websites under the same Website Group. Grouping Websites of similar form and
function together allows you to control your settings with a single Policy.

For more information, see Recreating the Distil Bot Defender Domains in Advanced Bot Protection.

2. Per-Path Policy Assignments for each domain (website): You set up Paths in Advanced Bot Protection that
mimic the paths you have in Distil Bot Defender. Where those Paths have different Policies assigned, you assign
per-Path Policies in Advanced Bot Protection.

For more information, see Recreating the Distil Bot Defender Paths and Per-Path Policies in Advanced Bot
Protection .

Note: Once you have done these first steps, you are at least in a monitor-only mode in Advanced
Bot Protection. If you have set up Distil Bot Defender and Advanced Bot Protection in series, your
estate is still protected by your Distil Bot Defender policies.

3. Actions: You set up Policies with their Directive and Conditions in Advanced Bot Protection that mimic the
policies you have in Distil Bot Defender.

For more information, see Recreating the Distil Bot Defender Actions in Advanced Bot Protection.

4. Custom allow list rules: You set up allow list rules in Advanced Bot Protection. These may or may not mimic the
custom allow list rules you have in Distil Bot Defender.

For more information, see Recreating Distil Bot Defender Custom Rules in Advanced Bot Protection.

• Recreating the Distil Bot Defender Domains in Advanced Bot Protection
• Recreating the Distil Bot Defender Paths and Per-Path Policies in Advanced Bot Protection
• Recreating the Distil Bot Defender Actions in Advanced Bot Protection
• Recreating Distil Bot Defender Custom Rules in Advanced Bot Protection
• Understanding the Results of the fetch Script

Recreating the Distil Bot Defender Domains in Advanced Bot Protection

You should recreate each Distil Bot Defender domain in Advanced Bot Protection.

Each Distil Bot Defender domain is really an Advanced Bot Protection Website. However, the common policy approach
facilitated by Advanced Bot Protection's Website Groups enables a simpler management of domains that once had to
be managed individually in Distil Bot Defender, even if they had the same structure and rules.

So for domains in Distil Bot Defender that have the same structure and rules, you should create a Website Group and
add a Website for each domain.

For domains in Distil Bot Defender that are unique, add a Website Group with a single Website.

For more information, see Creating a Website Group and Adding a Website.

Recreating the Distil Bot Defender Paths and Per-Path Policies in Advanced Bot Protection

For each Website Group that corresponds to a domain or group of domains in Legacy Distil Reverse Proxy, you need to
add the Paths and a per-Path Policy for each Path.

To recreate Distil Bot Defender in Advanced Bot Protection:

1. Discover the paths in your Distil Bot Defender deployment. You have two options:
1. If your deployment is very simple and contains a very small number of paths, then select Settings > Edit
Settings by Path in Distil Bot Defender. The paths are displayed. Make a note of them.
2. If your deployment is more complex, contact Imperva Support and ask to run a fetch script on your
Legacy Distil Reverse Proxy deployment. The fetch script provides all the information you need regarding
the paths. For more information, see Understanding the Results of the fetch Script.
2. For each discovered path in Legacy Distil Reverse Proxy, clone the Default Policy, and rename it. For more
information, see Cloning a Policy.
3. For each discovered path in Distil Bot Defender, create a corresponding path in Advanced Bot Protection and
assign a cloned Policy. For more information, see Creating a New per-Path Policy Assignment. Each path should
be defined in the Path Prefix field and the Policy for each path should be the cloned Policy you created in step 2
above.

Recreating the Distil Bot Defender Actions in Advanced Bot Protection

You recreate the Distil Bot Defender actions in Advanced Bot Protection in the following ways:

• For Automated Threats Policies, Machine Learning Policies, and Rate Limiting Policies, use the results of the
fetch script to direct you as to how to configure your Policies in Advanced Bot Protection. For more information,
see Recreating Distil Bot Defender Policies.
• For Access Control Lists, create your allow lists manually in Advanced Bot Protection. For more information, see
Recreating Distil Bot Defender Access Control Lists.

• Recreating Distil Bot Defender Policies
• Recreating Distil Bot Defender Access Control Lists

Recreating Distil Bot Defender Policies

The actions in Distil Bot Defender have approximate equivalents in Advanced Bot Protection. You recreate them by
following the procedure below.

To recreate Distil Bot Defender policies:

1. Contact Imperva Support and ask to run a fetch script on your Distil Bot Defender deployment, or use the results
of the fetch script that you already have from setting up your paths. For more information, see Understanding
the Results of the fetch Script.
2. For each per-Path Policy that you cloned and created in Advanced Bot Protection, set up your Directives and
Conditions so that they recreate the setup that is presented in the fetch script results.

For example, say in one of your Distil Bot Defender deployment domains, there is a path for which all of the
conditions elicit the captcha action, except for Known Violators which elicits the monitor action. For this Path's
per-Path Policy in Advanced Bot Protection, you may want to place Aggregate user agents, Known violator
data centers, Automation, Identify eventually, and Rate Limiting in the Captcha Directive, and Bad user
agents in the Monitor Directive. Force Identify known violators goes in the Identify Directive, always. Use the
table in Understanding the Results of the fetch Script.

Recreating Distil Bot Defender Access Control Lists

The fetch script does not provide data for Access Control Lists. You must manually examine the Access Control Lists in
your Distil Bot Defender deployment and recreate these allow lists as Conditions in the Allow Directive of the relevant
per-Path Policy. You can export your Access Control Lists to a csv file if you want.

To recreate Distil Bot Defender Access Control Lists:

1. In your Distil Bot Defender deployment, select Access Control Lists.
2. Examine and make a note of the precise parameters (IP addresses, header names, user agents, etc.) and their
values and whether they are in the allow list or the deny list. Note too the path to which they apply. In the
majority of situations, they will apply to the root path only.
3. If an allow list or a deny list consists of a single parameter with multiple values (i.e. they are IP addresses only or
they are all header names only), create a new Condition in Advanced Bot Protection that specifies that same
parameter and lists the same values and add it to the Allow (for allow list) or Block (for deny list) Directives of
the pertinent Policy. For more information, see Adding a New Condition.

If an allow list or a deny list consists of multiple parameters (i.e. there is a mix of IP addresses, header names,
user agents and so on), create a new Condition Group in Advanced Bot Protection that contains Conditions each of
which specifies a parameter and lists the same values, and add it to the Allow (for allow list) or Block (for deny
list) Directives of the pertinent Policy. For more information, see Adding a Condition Group.

Recreating Distil Bot Defender Custom Rules in Advanced Bot Protection

Over the years of creating support tickets for Distil Bot Defender, Distil support may have created many custom allow
list and deny list rules.

Generally, it is recommended that you do not recreate these custom deny list rules in Advanced Bot Protection, but
rather that you allow those bots to be caught and retested by the Advanced Bot Protection mechanism before recreating
the rules manually.

Discuss this with your Imperva sales engineer.

To recreate custom allow list rules you need to use the Advanced Bot Protection Custom Condition, and be familiar
with the Moi language. Because you do not have access to view the custom allow list rules on your account, it is
recommended that you request Imperva Support to perform this task for you.

Understanding the Results of the fetch Script

Your Imperva support engineer can run a fetch script on your Distil Bot Defender deployment at any time.

The fetch script returns a table which shows the following:

• The paths in your domain
• The actions assigned, per path, on the occurrence of particular traffic elements found in the requests

Note: The fetch script provides results only for Automated Threats Policies, Machine Learning
Policies, and Rate Limiting Policies. The fetch script does not provide results for Access Control
Lists.

The fetch script returns data in the form of a csv file, which looks like this:

Note the following:

• This one account under account_id has three domains. Each of these would be a Website in Advanced Bot
  Protection.
• www.myfirstsite.com and www.myecomdemo.com have similar path protection policies, so you could put them
  in the same Website Group.
• The path column provides the paths for the different policies for each domain. These are the paths you recreate
  in Advanced Bot Protection.
• The FID column indicates whether Force Identity is enabled or disabled for that path.
• The remaining columns show the actions that are taken for any condition on that path. The actions are:
  • monitor: recreated by monitor in Advanced Bot Protection
  • captcha: recreated by captcha in Advanced Bot Protection
  • drop: recreated by block in Advanced Bot Protection

The conditions are summarized in the table below.

fetch Script Column (from Legacy Distil Reverse Proxy)   Advanced Bot Protection Equivalent
KV: Known Violators                                      Bad user agents and Force identify known violators
ID: Identities                                           Bad user agents
AUA: Aggregator User Agents                              Aggregator user agents
KVDC: Known Violator Data Centers                        Known violator data centers
AB: Automatic Browsers                                   Automation and Identify eventually
ML: Machine Learning                                     New machine learning conditions
RPM: Requests per Minute                                 Rate limiting (per minute)
RPS: Requests per Session                                Rate Limiting (per session)
SL: Session Length                                       Rate Limiting (session length)
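The following Python script is an added example (it is not Imperva's code or the fetch script itself) that reads fetch-script output and turns it into a migration plan using the action mapping (monitor, captcha, drop to block) and the column mapping above, and groups domains whose per-path policies are identical into one Website Group. The csv column layout and the sample rows are assumptions, because the page does not show the file.

```python
import csv
import io
from collections import defaultdict

# Distil fetch-script column -> Advanced Bot Protection equivalent (from the table above)
CONDITION_MAP = {
    "KV": "Bad user agents and Force identify known violators",
    "ID": "Bad user agents",
    "AUA": "Aggregator user agents",
    "KVDC": "Known violator data centers",
    "AB": "Automation and Identify eventually",
    "ML": "New machine learning conditions",
    "RPM": "Rate limiting (per minute)",
    "RPS": "Rate limiting (per session)",
    "SL": "Rate limiting (session length)",
}
# Distil per-path action -> Advanced Bot Protection Directive
ACTION_MAP = {"monitor": "monitor", "captcha": "captcha", "drop": "block"}

# Constructed sample fetch-script output (column layout assumed; each condition column holds the action or is empty)
SAMPLE_CSV = """account_id,domain,path,FID,KV,ID,AUA,KVDC,AB,ML,RPM,RPS,SL
1001,www.myfirstsite.com,/,enabled,drop,captcha,monitor,drop,captcha,,captcha,,
1001,www.myfirstsite.com,/login,enabled,drop,drop,,drop,drop,captcha,drop,drop,captcha
1001,www.myecomdemo.com,/,enabled,drop,captcha,monitor,drop,captcha,,captcha,,
1001,www.myecomdemo.com,/login,enabled,drop,drop,,drop,drop,captcha,drop,drop,captcha
1001,www.mythirdsite.com,/api/,disabled,monitor,monitor,,,monitor,,,,
"""


def parse_fetch_csv(text):
    """Return {domain: {path: {"fid": bool, "directives": {directive: [condition, ...]}}}}."""
    plan = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        directives = defaultdict(list)
        for col, condition in CONDITION_MAP.items():
            action = (row.get(col) or "").strip().lower()
            if not action:
                continue  # no action configured for this condition on this path
            if action not in ACTION_MAP:
                raise ValueError(f"unknown action {action!r} in {col} for {row['domain']}{row['path']}")
            directives[ACTION_MAP[action]].append(condition)
        plan[row["domain"]][row["path"]] = {
            "fid": row["FID"].strip().lower() == "enabled",
            "directives": dict(directives),
        }
    return dict(plan)


def suggest_website_groups(plan):
    """Domains with identical per-path policies can share one Website Group."""
    groups = defaultdict(list)
    for domain, paths in plan.items():
        signature = tuple(sorted(
            (path, cfg["fid"], tuple(sorted((d, tuple(c)) for d, c in cfg["directives"].items())))
            for path, cfg in paths.items()))
        groups[signature].append(domain)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    plan = parse_fetch_csv(SAMPLE_CSV)
    for group in suggest_website_groups(plan):
        print("Website Group:", ", ".join(group), "->", plan[group[0]])
```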

Distil Bot Defender Migration FAQ


Q1. Why is the Distil legacy platform (Distil Bot Defender) being phased out?

Prior to the acquisition of Distil Networks by Imperva, Distil was working on a new Bot Mitigation platform that offered
better scalability, customizable rules and policies, significantly better bot efficacy and much easier integrations into
your environment. This product, now called Imperva Advanced Bot Protection (ABP), was released last May and over
the course of several months has really widened the gap between itself and Distil Bot Defender.

Imperva feels very strongly that ABP provides the best bot mitigation Imperva has to offer with the greatest degree of
scalability and flexibility.

Q2. What am I expected to do and what type of support does Imperva provide as part of the migration process?

Imperva provides you with:

• Product documentation
• A migration guide
• Walk through video
• A migration webinar
• Assistance with and validation of your first onboarded site
• Two additional progress checkpoints
• Support using our support system

You are expected to:

• Commit to a migration path and timeline
• Migrate your sites within the committed timeline

Imperva anticipates that no more than two progress checkpoints are required.

Q3. How long does it take to migrate?

• Migrating to one of the available integrations is a very straightforward process. Getting an Advanced Bot
Protection account setup takes a few minutes and the available integrations are designed so that they can be
implemented by your teams.
• Additionally, migrating to CloudWAF requires very little effort on your end. Our team will create your account for
you, and all you would need to do is issue a new SSL for your domains (which you can do through the Imperva
portal) and migrate traffic on to the appropriate CNAMEs.

Q4. Will Imperva continue to update the Distil Bot Defender up until the EOL date?

Imperva provides updates under the following circumstances only:

• Security patch deployments for critical security notices for which a configuration-based workaround is
  unavailable
• New compliance or legal requirements for which a configuration-based workaround is unavailable - on a
  case-by-case basis
• Browser changes/updates that require modification of some part of Distil Bot Defender and for which a
  configuration-based workaround is unavailable - on a case-by-case basis

Q5. Should I add new domains to Distil Bot Defender?

Any new domain should be added to the new platform, Advanced Bot Protection (ABP).

Q6. Why should I add new domains to the new platform, Advanced Bot Protection (ABP)?

The new ABP platform provides better protection, a faster onboarding experience, and is fully supported.

Advanced Bot Protection API

Advanced Bot Protection Glossary


• Action
• Directive
• Condition
• Condition Template
• Connector
• Cookie Scope
• Custom Scope
• Flag
• Integration
• Managed Condition
• Path
• per-Path Policy
• Policy
• Rate Limit
• Tag
• Website
• Website Group

Action
An Action is the title of a Directive, and describes the actual action that Advanced Bot Protection will take, should one
of the Conditions in that Directive be met by the incoming traffic. For example, the Directive called Block will block
requests should any of that Block's Conditions be met.

Directive
A Directive is a container of one or more Conditions. Each Directive is defined by an Action and contains the
Conditions that, when met by a monitored request, trigger that action.

Condition
A Condition is a container of rules, composed of Flags or code, against which the content of incoming requests are
checked. If a match is found, then that Condition has been triggered and its Directive may be acted on.

Condition Template
A Condition Template is the basis for the creation of a new Condition. The basic rule is given. That is the template. You
then fill in values for parameters in the Condition, to tailor it to your needs.

Connector
A Connector is an Integration that you can use instead of CloudWAF, if you are not using any of CloudWAF's other
services. The Connectors currently supported are:

• Cloudflare
• F5
• Lambda@Edge on AWS Cloudfront
• Nginx

Cookie Scope
When you add a Website, you can also define a Cookie Scope for that Website and related Websites.

When you add a Website, a cookie is created for that Website's Path, for example, www.example.com. However, by
default it is only visible there. You can use the Cookie Scope to expand the coverage of a cookie set up for one Website.
Set a path in Cookie Scope to define other paths that can use the same cookie. Note that this can only go as far as the
apex domain and all its subdomains.

For example, if you want the cookie to be visible for aaa.example.com and bbb.example.com, type example.com in
the Cookie Scope.

Note: If you do not set the cookie scope, the domain for the cookie will be empty. Due to
inconsistent browser handling of cookies with no domain or an empty domain, it is strongly
recommended that you do not leave the cookie scope empty.

Custom Scope
When assigning per-Path Policies, you can configure an assignment Path with a Custom Scope.

Requests to this Path (and other Paths with the same Custom Scope) are totaled separately from requests elsewhere.
So you can make sure that requests to a Path where high request rates are legitimate (like pages with images) will not
activate a block or captcha on requests to a Path where high request rates are suspicious (like a login page).

Flag
A Flag is a single building block of a Condition. It is a single "check" of an incoming request to see if that request
contains whatever code the Flag defines. One or more Flags constitute a Condition.

Integration
Integration is the term used for the layer normally occupied by CloudWAF in the architecture - the layer that receives
communications from the client and from Advanced Bot Protection, and executes the Advanced Bot Protection
actions.

Managed Condition
A Managed Condition is a Condition supplied by Imperva. You can only edit its tags.

Path
A Path is a location or group of locations, within a Website, that is defined by a URL path or by a regular expression
that specifies characteristics of the page or pages.

per-Path Policy
You can assign a Policy to a certain Path in your Website, so that it is active for that Path but it is not active for other
Paths. This is a per-Path Policy, also known as a per-Path Policy Assignment.

Policy
A Policy is a single bot protection approach, characterized by a group of Directives. Different Policies have Directives
that are configured differently, to cater for the particular Website or Website Group they are protecting.

Rate Limit
Some Conditions are Rate Limit Conditions in that they are triggered when a certain action (access, for example) takes
place at higher than a certain rate or frequency, or a session lasts longer than a certain period.

Tag
A Tag is an identifier you give a Condition. In the graph analyses, Conditions with the same Tags can be displayed
together, enabling you to draw meaningful conclusions about the effectiveness of Conditions that share Tags.

Website
A Website is a single website protected by Advanced Bot Protection. It may consist of multiple Paths in which different
areas of the website are located.

Website Group
A Website Group is a group of websites to which the same Advanced Bot Protection Policies are applied.

Since many websites have clones that perform identical functions to the "parent website", e.g. per-language versions
such as acmebooks.com, acmebooks.co.fr and acmebooks.co.nl, Advanced Bot Protection allows you to group
your websites into Website Groups and then apply all your configurations to the Website Group, saving a lot of
time. You cannot apply configurations to an individual Website - only to a Website Group.

Advanced Bot Protection Release Notes


• Advanced Bot Protection General Release Notes
• Advanced Bot Protection Connectors Release Notes

Advanced Bot Protection General Release Notes

Note: From December 2021, the Advanced Bot Protection release notes are included in the Cloud
Application Security Release Notes, and are no longer published on this page. For more
information, see the Cloud Application Security Release Notes page from the Imperva Cloud
Application and Network Security guide.

Our release notes provide information on changes and enhancements in each release.

December 2021

New Directives now available

There are two new Directives that you can use in your Policies:

• delay: If a Condition in the delay Directive is matched, the response is delayed by a few seconds. This reduces
the efficiency of attacks that rely on a fast sequence of requests.
• tarpit: If a Condition in the tarpit Directive is matched, the response is never sent. This leaves bots waiting
endlessly, but is riskier than delay as it has severe impact on human users and must be applied carefully.

For more information, see Understanding Directives and Conditions.

November 2021

Role Based Access Control (RBAC) now applies to Advanced Bot Protection

From November 30 2021, Advanced Bot Protection is subject to RBAC in the Cloud Security Console.

Roles and permissions for non-admin users must be configured by an admin user for the non-admin users to be able
to perform any configuration actions in Advanced Bot Protection. This is done by checking the new Can edit ABP
configuration checkbox in the Cloud Security Console.

If this checkbox is not checked for a role that is applied to a user, or the user is not an admin, the user is considered to
be in read only mode.

For more information, see Manage Roles and Permissions in the Cloud Application and Edge Security
documentation.

Note that the limitations for a user in read only mode apply to the settings windows and not to the dashboards.

October 2021

New External API for Configuration Snapshot and Restore

There are API endpoints which offer the following functionality:

• Create a snapshot of the Advanced Bot Protection configuration
• Restore an Advanced Bot Protection configuration from a previously created snapshot
• Delete previously created snapshots

New External API for Policy and Condition management

There are API endpoints which offer the following functionality:

• Policy Management
• Add, delete and modify ABP Policies
• Condition Management
• Add, delete and modify managed conditions
• Create, modify and delete custom conditions and condition groups

For more information, see Advanced Bot Protection API.

New Traffic Overview dashboard

There are new dashboards:

• Traffic Insights v2 dashboard: Uses aggregates, which makes the dashboard load far faster
• Usage Report for Connectors: Shows the number of requests, which helps identify overages

August 2021

New Advanced Bot Protection flag

The new flag cloud_service_provider identifies major cloud service providers. For more information, see
Understanding and Editing Conditions.

New Advanced Bot Protection Model Release

The new model identifies IPs responsible for unexpected variations in captcha solving traffic.

To use: create a new Condition containing the model identifier apollo.captcha_harvest_top_account. It is
recommended that you use the Block directive. For more information, see Understanding and Editing Conditions.

June 2021

New External API for Advanced Bot Protection site management

There are API endpoints which offer the following functionality:

• Add, edit and delete Website Groups
• Add, edit and delete Websites
• Account management

For more information, see Advanced Bot Protection API.

March 2021

New Traffic Overview dashboard

There is a new Traffic Overview dashboard that uses aggregates which allows the reports to load very quickly.

Advanced Bot Protection Connectors Release Notes


These release notes show the changes made in the latest versions of each of the Connector integration packages.

October 2021

Lambda@Edge v1.23.0
Enhancements:
• Can now add multiple token encryption keys
• Allows non-form POST resubmissions
• Added handling of the delay policy to delay delivery of requests
Bug Fixes:
• Ensures captcha works for POST requests with an empty body

Cloudflare v1.24.0
Enhancements:
• Can now add multiple token encryption keys
• Added handling of the delay policy to delay delivery of requests
Bug Fixes: N/A

F5 v1.20.0
Enhancements:
• Can now add multiple token encryption keys
• Allows non-form POST resubmissions
• Added handling of the delay policy to delay delivery of requests
Bug Fixes: N/A

Openresty v1.1.0
Enhancements:
• Can now add multiple token encryption keys
• Added handling of the delay policy to delay delivery of requests
Bug Fixes: N/A

August 2021

Lambda@Edge v1.22.1
Enhancements:
• Dependency and documentation updates
• Improved logging
• Updated interstitial text to inform user to unblock JS before completing the captcha
• JavaScript code was added to check the browser's language setting and replace the English text with
  language-specific text in the interstitial page. It is up to the customer to supply the non-English text, but
  direct translation examples for Italian and German are included for guidance.
Bug Fixes: N/A

Cloudflare v1.23.1
Enhancements:
• Dependency and documentation updates
• Improved logging
• Updated interstitial text to inform user to unblock JS before completing the captcha
• JavaScript code was added to check the browser's language setting and replace the English text with
  language-specific text in the interstitial page. It is up to the customer to supply the non-English text, but
  direct translation examples for Italian and German are included for guidance.
Bug Fixes: N/A

F5 v1.19.4
Enhancements:
• Dependency and documentation updates
• Improved logging
• Updated interstitial text to inform user to unblock JS before completing the captcha
• JavaScript code was added to check the browser's language setting and replace the English text with
  language-specific text in the interstitial page. It is up to the customer to supply the non-English text, but
  direct translation examples for Italian and German are included for guidance.
Bug Fixes: N/A

Fastly v1.2.1
Enhancements:
• Documentation updates
• Improved logging
• Updated interstitial text to inform user to unblock JS before completing the captcha
• JavaScript code was added to check the browser's language setting and replace the English text with
  language-specific text in the interstitial page. It is up to the customer to supply the non-English text, but
  direct translation examples for Italian and German are included for guidance.
Bug Fixes: N/A

Openresty* v1.0.1
Enhancements:
• X-D-headers now sent to origin
• Dependency and documentation updates
• Improved logging
• Updated interstitial text to inform user to unblock JS before completing the captcha
• JavaScript code was added to check the browser's language setting and replace the English text with
  language-specific text in the interstitial page. It is up to the customer to supply the non-English text, but
  direct translation examples for Italian and German are included for guidance.
Bug Fixes:
• Stop variables being leaked to the origin
• Prevent client hostname from being overridden
• Protect against customer restarting Fastly before our code

July 2021

Lambda@Edge v1.22.0
Enhancements:
• Configure headers to be masked from the config.js
• Updated dependencies to latest versions
Bug Fixes:
• Safeguard against modification to the interstitial causing the help message to display immediately

Cloudflare v1.23.0
Enhancements:
• Configure headers to be masked from the config.js
Bug Fixes:
• Safeguard against modification to the interstitial causing the help message to display immediately

F5 v1.19.3
Enhancements:
• Enabled TLS to origin
• Can configure headers to be masked
Bug Fixes:
• Safeguard against modification to the interstitial causing the help message to display immediately

Fastly v1.2.0
Enhancements:
• Separate build and deploy actions into different scripts
• Add configurable list of headers which are forwarded to the analysis host
Bug Fixes: N/A

Openresty* v1.0.0
Enhancements:
• Added request id to request log lines
• Configure headers to be masked from the settings.lua
• Settings validation on startup
Bug Fixes:
• Safeguard against modification to the interstitial causing the help message to display immediately

* Openresty breaking changes:

• The connector is now shipped as two files, imperva.lua and settings.lua, to simplify the installation and
  upgrade process.
• set $template_path is no longer required in Openresty *.conf files. interstitial_template_path in settings.lua
  must be used instead. See USAGE.md for more details. Note: If a custom value for $template_path is currently
  in use, then you must add it to interstitial_template_path in settings.lua for the Connector to continue to
  work.
