Bot Manager provides comprehensive protection of web applications, mobile apps, and APIs from automated threats like bots. Bot Manager provides precise bot management across all channels by combining behavioral modeling for granular intent analysis, collective bot intelligence, and fingerprinting of browsers, devices, and machines. It protects against all forms of account takeover (such as credential stuffing and brute force), denial of inventory, DDoS, ad and payment fraud, and web scraping to help organizations safeguard and grow their online operations.
When a client request reaches an application in Alteon which is protected by Bot Manager, Alteon extracts information from the request headers such as the user agent header (indicating whether the request comes from a computer, a mobile device, or a script) and the source IP address of the request. Alteon then sends this information in a JSON request via a sideband connection to the Bot Manager endpoint in the cloud and waits for a response. Bot Manager will respond with one of the following instructions:
Allow—Alteon allows the request to pass to the server (also, in report-only mode, the bot manager will always respond with allow).
Captcha—Alteon redirects the client to a captcha challenge to which the client must respond. If the client solves the challenge, Alteon forwards the request to the server; otherwise, Alteon redirects the client to a block page.
Block—Alteon redirects the client to a block page.
This document provides brief instructions for Alteon customers.
Alteon Version 32.6.3 or above (Standalone, VA, or vADC)
Alteon installed with Perform package license or above.
The virtual service that you wish to protect with Bot Manager must already be configured on Alteon.
For Bot Manager PoC/Demo purposes, sign up to the Bot Manager portal (write to the Radware Bot Manager support team to do so) and approve the account verification email sent to your registered email address.
Configure the DNS server at Configuration > System > DNS Client.
Verify that the device time is accurate. Radware recommends that you manually configure the time and date using NTP at Configuration > System > Time and Date.
Next to the Template Real Server ID field, click “+” and create a server template with Client NAT as follows:
Enable the real server.
Define the real server ID.
In the Server IP Address field, set any dummy IP address.
In the Proxy IP tab, set the Client NAT Mode parameter to Address Subnet and specify the Client NAT IP address and mask.
(Note: The real server will be set as a server template of the FQDN server.)
Return to the Add New FQDN Servers page.
Next to the Group ID field, click “+” and create a new group as follows:
Define the server group ID.
Associate the server template created at step c to the server group.
(Note: The server group ID will be set as a group of the FQDN server.)
On the Add New FQDN Servers page, enable the FQDN server.
Apply and save your configuration changes.
Note: If Client NAT is not assigned to the sideband connection, disable the FQDN server and enable it again (apply and save your configuration changes). Client NAT assignment can be checked using the Command Line Interface /info/slb/sess/dump command which prints the session table. Look for the sessions with the Bot Manager engine as the destination.
Create a sideband policy at Application Delivery > Application Services > Sideband Policy as follows:
Enable the policy.
Define the Sideband Policy ID.
Associate the FQDN server group configured at step 1 to the sideband policy.
In the Timeout field, use the default value of 100 milliseconds in most cases.
(Optional but recommended) Set the sideband connection to be encrypted (over HTTPS) as follows:
At Configuration > Application Delivery > SSL Policy, create an SSL policy.
Enable the policy.
Define a policy ID.
In the Frontend SSL tab, deselect Frontend SSL Encryption.
In the Backend SSL tab, select Backend SSL Encryption.
Update the sideband policy with the SSL policy.
At Application Delivery > Application Services > Sideband Policy, set the sideband policy port to 443.
Optionally, add server authentication to validate the Bot Manager certificate, as described at Adding Bot Manager Endpoint Certificate Authentication.
When a client request requires Bot Manager analytics, Alteon extracts information from the request headers and sends this information in a separate request, via the sideband connection to the Bot Manager endpoint. When Alteon receives the response from Bot Manager it acts accordingly (either allowing the request to be sent to the server or redirecting to a block or Captcha page). If Alteon does not receive a response from Bot Manager within the defined timeout period, it ends the connection with Bot Manager and passes the client request to the server.
View Bot Manager statistics at Monitoring > Security > Bot Manager to monitor the average time for Alteon to receive the response from Bot Manager and the number (percentage) of client requests that were bypassed due to timeout.
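The timeout behaviour and bypass counter described above, modeled as an added Python example (not Radware's code and not part of the original documentation). The JSON field names, the `SidebandGate` class, the action strings and the `fake_bot_manager` stand-in are assumptions; the real Bot Manager request schema is not shown on this page.

```python
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as SidebandTimeout

TIMEOUT_S = 0.100  # sideband policy default from the page: 100 milliseconds
_pool = ThreadPoolExecutor(max_workers=4)


class SidebandGate:
    """Model of the per-request decision; all names here are hypothetical."""

    def __init__(self, query_bot_manager, timeout_s=TIMEOUT_S):
        self.query = query_bot_manager   # stand-in for the cloud endpoint
        self.timeout_s = timeout_s
        self.total = 0
        self.bypassed = 0                # requests passed because of a timeout

    def handle(self, headers, source_ip, captcha_solved=False):
        self.total += 1
        # Field names are illustrative, not the real Bot Manager JSON schema.
        payload = json.dumps({"user_agent": headers.get("User-Agent", ""),
                              "source_ip": source_ip})
        try:
            verdict = _pool.submit(self.query, payload).result(self.timeout_s)
        except SidebandTimeout:
            self.bypassed += 1           # fail open: request goes to the server
            return "forward-to-server"
        if verdict == "allow":
            return "forward-to-server"
        if verdict == "captcha":
            # Simplification: the challenge round trip is reduced to a flag.
            return "forward-to-server" if captcha_solved else "block-page"
        return "block-page"

    def bypass_percent(self):
        return 100.0 * self.bypassed / self.total if self.total else 0.0


def fake_bot_manager(payload):
    """Constructed stand-in: slow for one IP, flags script user agents."""
    req = json.loads(payload)
    if req["source_ip"] == "203.0.113.9":
        time.sleep(0.3)                  # simulates a slow or unreachable endpoint
    if "python-requests" in req["user_agent"]:
        return "block"
    return "captcha" if req["user_agent"] == "" else "allow"
```

Because a timeout passes the request through unchecked, the bypass percentage is the figure to alert on: a sustained rise means traffic is reaching the server without a Bot Manager verdict.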
Bot Manager Onboarding Process
Each Subscriber ID must pass through the verification stage before switching to production.
In the Bot Manager policy configuration in Alteon:
The subscriber ID is set to the SandBox ID (copied from the Bot Manager portal Integration > Subscriber ID Details).
The mode is set to Report-only.
Send traffic to the protected application.
Verify the integration by accessing the Bot Manager portal and navigating to the Integration > Verify integration page.
If the integration is verified, proceed to the production stage.
The script is available at the Bot Manager portal: Integration > Download Connectors > JS Tag.