Configure Distributed Cloud Bot Defense Advanced in Web App & API Protection

Published January 13, 2026 | Last modified January 7, 2026

Bot Defense protects your web and mobile application endpoints from automated attacks by identifying and mitigating malicious or bad bots. For more information about Bot Defense capabilities and features, see Bot Defense Overview.

The following information explains how to configure Bot Defense Advanced in Web App & API Protection.

Important: Bot Defense Self-Service Policy Management is an Early Access feature.

Step 1: Sign Up for Bot Defense

To enable Bot Defense Advanced, contact your F5 account team. Once enabled, your F5 team can help you quickly get your Bot Defense infrastructure and policies configured to protect your applications from automated attacks, such as credential stuffing, denial of service, web scraping and so on.

As your applications change and you add new endpoints to your environment, you can use Bot Defense Self-Service Policy Management to make changes to your policies. Bot Defense Self-Service Policy Management is available from the Distributed Cloud Console. You must have one or more of the following permissions:

  • f5xc-bot-defense-admin role: Provides advanced administrative access, including service activation.
  • f5xc-bot-defense-user role: Provides read and write access to bot policies and read access to bot infrastructure. This role also grants permission to deploy new bot policy versions.
  • f5xc-bot-defense-monitor role: Provides read-only access to bot infrastructure, bot policies and dashboards.
  • f5xc-bot-defense-report role: Provides permissions to create and manage monthly Bot Defense reports.

If you do not have any of these roles, contact your Distributed Cloud administrator or F5 Support.

Step 2: Decide What You Want to Protect

You must decide which endpoints you want to protect with Bot Defense. For information about what to consider when you configure web and mobile endpoints, see the following information:

Step 3: Configure Your Bot Defense Infrastructure

Use the F5 Distributed Cloud Console to add and configure your Bot Defense infrastructures in the F5 Hosted Cloud. Bot Defense infrastructures are the virtual machines that host the Bot Defense components that process and evaluate your traffic to determine what traffic is human and what is automated.

Important: If F5 Operations has already configured your Bot Defense infrastructure, go to Step 4: Configure Your Bot Policies.

A typical Bot Defense deployment can consist of multiple Test and Production infrastructures. You can add as many Production and Test infrastructures as your subscription limit allows.

To configure a Bot Defense infrastructure, you must configure the following settings:

  • Traffic type: Whether you want the infrastructure to process mobile or web-based traffic.
  • Infrastructure type: Whether the infrastructure is for production traffic or is for testing.
  • Region: The geographic region where you want your infrastructure located. For production infrastructures, you must choose two regions.
  • Access control list: The list of IP addresses from which traffic can access the new infrastructure.

To configure your Bot Defense infrastructure in Web App & API Protection, from the Web App & API Protection navigation menu, select Bot Defense Management > Bot Infrastructure. For instructions, see Configure the Bot Defense Infrastructure.

Step 4: Configure Your Bot Policies

Bot Defense provides three system policies that allow you to control system configuration settings:

Bot Defense Self-Service Policy Management allows you to make and deploy any necessary changes to your policies, for example, to protect new endpoints, update mitigation actions, add new clients to the allowlist or to add new network routes.

Important: F5 strongly recommends that you deploy and thoroughly test policy updates in the Test infrastructure provided to you by F5 before you deploy in your Production infrastructure.

To configure Bot Defense policies in Web App & API Protection, from the Web App & API Protection navigation menu, select Bot Defense Management > Bot Policies.

For instructions, see the following information:

Step 5: Test Your Configuration

Deploy your policies in the Test infrastructure provided to you by F5 to test your Bot Defense deployment and help ensure that Bot Defense policies are properly configured, that JavaScript tags are injected in your application pages correctly, or that you have correctly integrated the F5 Distributed Cloud Mobile SDK.

For information about how to deploy your Bot Defense policies, see Deploy Policy Updates.

For information about how to test Bot Defense, see Test Your Bot Defense Configuration.

Step 6: Deploy Policies in Your Production Environment

Important: F5 strongly recommends that you deploy and thoroughly test policy updates in the Test infrastructure provided to you by F5 before you deploy in your Production infrastructure.

After you verify in your Test infrastructure that Bot Defense is configured correctly and correctly identifies automated traffic, you can deploy your policies in your Production infrastructure.

To deploy Bot Defense policy updates in Web App & API Protection, from the Web App & API Protection navigation menu, select Bot Defense Management > Bot Infrastructure. For instructions, see Deploy Policy Updates.

Step 7: Enable Bot Defense Advanced on an HTTP Load Balancer

You can enable Bot Defense Advanced on one or more HTTP load balancers that you have configured in Web App & API Protection. To configure Bot Defense on an HTTP load balancer, you must complete the following tasks on each HTTP load balancer where you want to enable Bot Defense:

  1. Enable Bot Defense on one or more HTTP load balancers.
  2. Configure how you want Bot Defense to inject JavaScript tags in the HTTP pages in your application. Bot Defense adds JavaScript, which runs in your users' browsers and collects data that distinguishes between traffic from human visitors and automated traffic.
  3. To protect mobile endpoints, enable and configure the F5 Distributed Cloud Mobile SDK. The Mobile SDK collects telemetry that is then inspected by Bot Defense to determine if requests initiated from legitimate mobile devices.

For instructions, see Configure Bot Defense on an HTTP Load Balancer.

Step 8: Deploy Bot Detection Rules

Important: Bot detection rule self-service management is a limited availability feature. Contact your F5 account team for information.

When you first configure Bot Defense, F5 supplies you with a set of bot detection rules. A bot detection rule contains criteria that Bot Defense uses to determine whether a transaction is from a human or automated source. A subset of rules is turned on by default. The remaining rules are turned off.

Monitor your traffic for approximately two weeks to see how rules that are turned on affect your traffic. After this initial two weeks, you can use the Distributed Cloud Console to turn rules on and off to make changes to how Bot Defense handles your traffic.

Important: F5 recommends that you deploy each rule in a Test infrastructure before you deploy in your production infrastructure.

To configure Bot Defense bot detection rules in Web App & API Protection, from the Web App & API Protection navigation menu, select Bot Defense Management > Bot Policies > Bot Detection Rules. For information about bot detection rules, see Bot Detection Rules Overview.

On this page: