Alteon-Bot Manager Integration

Overview 

Bot Manager provides comprehensive protection of web applications, mobile apps, and APIs from automated threats like bots. Bot Manager provides precise bot management across all channels by combining behavioral modeling for granular intent analysis, collective bot intelligence, and fingerprinting of browsers, devices, and machines. It protects against all forms of account takeover (such as credential stuffing and brute force), denial of inventory, DDoS, ad and payment fraud, and web scraping to help organizations safeguard and grow their online operations.

When a client request reaches an application in Alteon which is protected by Bot Manager, Alteon extracts information from the request headers such as the user agent header (indicating whether the request comes from a computer, a mobile device, or a script) and the source IP address of the request. Alteon then sends this information in a JSON request via a sideband connection to the Bot Manager endpoint in the cloud and waits for a response. Bot Manager will respond with one of the following instructions:

  • Allow—Alteon allows the request to pass to the server (also, in report-only mode, the bot manager will always respond with allow). 

  • Captcha—Alteon redirects the client to a captcha challenge to which the client must respond. If this requirement is not satisfied, Alteon redirects the client request to a block page and if the challenge is solved, the client request will be forwarded to the server. 

  • Block —Alteon redirects the client to a block page. 

This is brief instruction documentation for Alteon customers.

Prerequisite

  • Alteon Version 32.6.3 or above (Standalone, VA, or vADC)

  • Alteon installed with Perform package license or above.

  • The virtual service that you wish to protect with Bot Manager must already be configured on Alteon.

  • A Standalone Bot Manager license with an active bot manager Account (Global Portal, Europe Portal)

  • On Alteon,

    • Configure the DNS server at Configuration > System > DNS Client.

    • Verify that the device time is accurate. Radware recommends that you manually configure the time date using NTP at Configuration > System > Time and Date.

Note: At any stage, you can contact botmanager_support@radware.com for assistance.

Configuration Steps

  • Configuring the Sideband Connection

  • Bot Manager Onboarding Process

  • Configuring a Bot Manager Policy

  • Associating the Bot Manager Policy to a Virtual Service

Configuring the Sideband Connection

  • Create the FQDN server for the Bot Manager endpoint at Configuration > Application Delivery > Server Resources > FQDN Servers as follows:

    • On the Add New FQDN Servers page, define the FQDN server ID.

    • Set the Bot Manager Endpoint Fully Qualified Domain Name

    • Next to the Template Real Server ID field, click “+” and create a server template with Client NAT as follows:

      • Enable the real server.

      • Define the real server ID.

      • In the Server IP Address field, set any dummy IP address.

      • In the Proxy IP tab, set the Client NAT Mode parameter to Address Subnet and specify the Client NAT IP address and mask.

      • Click Submit

        • (Note-The real server will be set as a server template of the FQDN server)

    • Return to the Add New FQDN Servers page.

    • Next to the Group ID field, click “+” and create a new group as follows:

      • Define the server group ID.

      • Associate the server template created at step c to the server group.

      • Click Submit.

        • (Note- The server group ID will be set as a group of the FQDN server)

    • On the Add New FQDN Servers page, enable the FQDN server

    • Apply and save your configuration changes.

Note: If Client NAT is not assigned to the sideband connection, disable the FQDN server and enable it again (apply and save your configuration changes). Client NAT assignment can be checked using the Command Line Interface /info/slb/sess/dump command which prints the session table. Look for the sessions with the Bot Manager engine as the destination.

  • Create a sideband policy at Application Delivery > Application Services > Sideband Policy as follows:

    • Enable the policy.

    • Define the Sideband Policy ID.

    • Associate the FQDN server group configured at step 1 to the sideband policy.

    • In the Timeout field, use the default value of 100 milliseconds in most cases.

  • (Optionally but Recommended) Set the sideband connection to be encrypted (over HTTPS) as follows:

    • At Configuration > Application Delivery > SSL Policy, create an SSL policy.

      • Enable the policy.

      • Define a policy ID.

      • In the Frontend SSL tab, deselect Frontend SSL Encryption.

      • In the Backend SSL tab, select Backend SSL Encryption.

    • Update the sideband policy with the SSL policy.

    • At Application Delivery > Application Services,> Sideband Policy set the sideband policy port to 443.

    • Optionally, add server authentication to validate the Bot Manager certificate. as described at Adding Bot Manager Endpoint Certificate Authentication.

When a client request requires Bot Manager analytics, Alteon extracts information from the request headers and sends this information in a separate request, via the sideband connection to the Bot Manager endpoint. When Alteon receives the response from Bot Manager it acts accordingly (either allowing the request to be sent to the server or redirecting to a block or Captcha page). If Alteon does not receive a response from Bot Manager within the defined timeout period, it ends the connection with Bot Manager and passes the client request to the server.

View Bot Manager statistics at Monitoring > Security > Bot Manager to monitor the average time for Alteon to receive the response from Bot Manager and the number (percentage) of client requests that were bypassed due to timeout.

Bot Manager Onboarding Process

Each Subscriber ID must pass through the verification stage before switching to production.

  • Verification stage

    • At the bot manager policy configuration in Alteon

      • The subscriber ID is set to the SandBox ID (copied from the bot manager portal Integration > Subscriber ID Details)

      • The mode is set to Report-only

    • Send traffic to the protected application

    • Verify the integration: by accessing the Bot Manager portal and navigate to the Integration >Verify integration page

      • if the integration is verified, proceed to the production stage.

      • if the integration is not verified, contact botmanager_support@radware.com for assistance.

  • Production stage

    • At the bot manager policy configuration in Alteon, change the subscriber ID to be the production id value (bot manager portal> Integration > Subscriber ID details page).

    • Update Botmanager-onboarding on this change and ask to open the dashboard.

    • After 24-48 hours, the bot manager support will open the dashboard at the portal.

  • Whitelist stage:

    • Update Botmanager-onboarding with a list of IP addresses that should be whitelisted from bot manager protection.

    • Once the dashboard is opened, you can also review the analytics and identify IP. Addresses that should be whitelisted or any other false positives that you identify.

  • Move to active mode

    • At the bot manager policy configuration in Alteon, change the mode to Active

    • At the bot manager portal. Navigate to settings > bot management and change the mode from “Monitor” to “Active”

Configuring a Bot Manager Policy

  • Globally enable Bot Manager at Configuration > Security > Bot Manager > Enable Bot Manager Protection.

  • Click “+” and create a Bot Manager policy in the Add New Bot Manager Policy page as follows:

    • Select Enable Bot Manager Policy to enable the policy.

    • In the Bot Manager Policy ID field, define a policy ID.

    • For the Subscriber ID (SID) field, Access the bot manager portal, and under Integration >Subscriber ID Details copy either the SandBox ID or the Production ID

      • Sandbox ID- Your test environment ID. Used during the onboarding stage

      • Production ID - Your live environment ID. Used in Production after
        onboarding finished successfully.

    • From the Sideband Policy ID drop-down list, associate the sideband policy created at Configuring the Sideband Connection.

    • From the Mode drop-down list, select the Report-only Mode during the onboarding stage (once moved to production it is possible to switch to the mode to Active)

    • From the Application Type drop-down list, select the required application type (either WEB or Mobile).

    • Set the IP Address Header filed to the HTTP header used by the Proxy/CDN to hold the original client IP Address

    • All other Bot Manager policy parameters are optional. For more information, see the Alteon Online Help.

Contact botmanager_support@radware.com before setting any of the advanced fields

Associating the Bot Manager Policy to a Virtual Service

To use your Bot Manager policy, you must connect it to the virtual service that you want to protect. You can connect a single Bot Manager policy to multiple virtual services.

Note: In Alteon version 32.6.3, Bot Manager can be associated only at the virtual service level, where a virtual service is identified by IP address and port.

Associate Bot Manager with a virtual service as follows:

  • Select Configuration > Application Delivery > Virtual Services.

  • At the Virtual Services of Selected Virtual Server table, double-click the virtual service that you want to protect.

  • In the HTTP tab, select the policy to add from the Bot Manager Policy drop-down list created at Configuring a Bot Manager Policy.

  • Apply and Save the configuration

Enabling JS injection at the Bot Manager Policy

JS injection – this capability is optional. It allows the detection of sophisticated bots with human-like behavior.

  • Contact Bot Manager support botmanager_support@radware.com before enabling this capacity.

  • A compression policy will be automatically set (if not available already) on the virtual service when JavaScript injection is enabled to enable Alteon to inject the JavaScript into the server response.

The script is available at the Bot Manager portal: Integration > Download Connectors > JS Tag.

  • Set JS injection to enable

  • Copy-paste the script to the text field

  • Add -----END to the end of the script

  • Click on the import button

Viewing Bot Manager Statistics

Access the Bot Manager Portal (https://portal.radwarebotmanager.com/ or http://euportal.radwarebotmanager.com/ for EU users) to get a deeper insight into the bot traffic affecting your site. (the portal link is also available from the Configuration Perspective > Security > Bot Manager Page

Bot manager statistics are also available on Alteon. see Monitoring preferences > Security > Bot Manager. The statistics include current and total statistics as shown below:

Adding Bot Manager Endpoint Certificate Authentication

This is an optional step. It allows Alteon to authenticate the Bot Manager endpoint certificate and to perform this step please shoot an email to botmanager_support@radware.com.

Write to botmanager_support@radware.com for any clarifications on this process.