Anti-Bot Challenge Rules

Overview

Anti-Bot rules allow you to Detect, Challenge, or Prevent traffic that matches specific criteria, in order to mitigate automated abuse such as:

  • Credential stuffing

  • Brute-force attacks

  • Account enumeration

  • Bot-driven DDoS

Action Modes

  • Detect – Logs matching traffic only. Recommended first step to validate impact before enforcement.

  • Challenge (captcha) – Requires the client to pass a browser challenge before access is granted. Use this to stop automation while still letting legitimate users through.

  • Prevent – Blocks matching requests. Use after validation or during active attacks.

Best practice: Start with Detect, review the traffic the rule matched, and move to Challenge (or Prevent) only once you have confirmed that the rule does not catch legitimate users.

How to Configure Anti-Bot Rules

Add Rules

  1. Navigate to Anti-Bot Tab → Challenge Rules SubPractice → Add Rule.

  2. Select the desired Action (Detect, Challenge, or Prevent).

  3. Enter the target URI (e.g., /login).

  4. (Optional) Add an Additional Condition to narrow the scope. You may choose one of the following:

    • Source Identifier

    • Source IP

    • URI

    • Country Code

    • Country Name

  5. Save the rule.

Add a Captcha Challenge

  1. Navigate to the "Behaviors" Tab and create a new Captcha object.

  2. Configure the Captcha object that will be used when a rule triggers a challenge:

    • Name: Enter a friendly name for the Captcha object, or keep the default.

    • Captcha Type: Select the challenge mechanism. (Currently set by default to Proof of Work.)

    • TTL: Time-to-live (in minutes) of a successful challenge. During this period the same client is not asked to complete a new challenge; once it expires, the next matching request is challenged again.

    • Message Title (optional): The title shown on the challenge HTML page presented to the end user.

    • Message Body (optional): The text displayed on the challenge HTML page presented to the end user.

  Example of a challenge page displayed to the user

  3. Connect the Captcha object to the practice.

  4. Enforce the policy.
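The following is an added example, not the product's own code: a small Python model of how a challenge rule built with the steps above behaves, written so you can rehearse the Detect → Challenge workflow on sample traffic before enforcing. The rule fields mirror the UI (action, target URI, one optional additional condition), the challenge TTL behaves as described for the Captcha object, and the request log, IP addresses and country codes are constructed. Prefix matching on the target URI and the snake_case condition keys are assumptions for the example, not documented product semantics.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple

ACTIONS = ("detect", "challenge", "prevent")


@dataclass
class Rule:
    """One Anti-Bot challenge rule as entered in the UI."""
    action: str                              # "detect" | "challenge" | "prevent"
    uri: str                                 # target URI, e.g. "/login"
    # Optional additional condition, e.g. ("country_code", "XX") or
    # ("source_ip", "203.0.113.7"). Assumed: at most one condition per rule.
    condition: Optional[Tuple[str, str]] = None

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, req: dict) -> bool:
        # Assumption for this example: the target URI is a path-prefix match,
        # so "/login" also catches "/login/reset". Verify against the product.
        if not req["uri"].startswith(self.uri):
            return False
        if self.condition is None:
            return True
        key, value = self.condition
        return req.get(key) == value


@dataclass
class ChallengeState:
    """Tracks which sources passed the captcha and when (in minutes)."""
    ttl_minutes: int
    passed_at: dict = field(default_factory=dict)   # source_ip -> minute

    def record_pass(self, source_ip: str, now_minute: int) -> None:
        self.passed_at[source_ip] = now_minute

    def still_valid(self, source_ip: str, now_minute: int) -> bool:
        t = self.passed_at.get(source_ip)
        return t is not None and now_minute - t < self.ttl_minutes


def decide(rule: Rule, req: dict, state: ChallengeState, now_minute: int) -> str:
    """What the engine does with one request under one rule."""
    if not rule.matches(req):
        return "allow"
    if rule.action == "detect":
        return "log"          # Detect mode: log only, never enforce
    if rule.action == "prevent":
        return "block"
    # Challenge mode: a client that solved the captcha within the TTL passes
    if state.still_valid(req["source_ip"], now_minute):
        return "allow"
    return "challenge"


# Constructed sample traffic (not real logs): one source hammering /login
# from a made-up country code, a few ordinary users, one static asset.
SAMPLE_LOG = (
    [{"uri": "/login", "source_ip": "203.0.113.7", "country_code": "XX"}] * 40
    + [
        {"uri": "/login", "source_ip": "198.51.100.2", "country_code": "US"},
        {"uri": "/login", "source_ip": "198.51.100.3", "country_code": "DE"},
        {"uri": "/static/app.js", "source_ip": "198.51.100.3", "country_code": "DE"},
        {"uri": "/login/reset", "source_ip": "198.51.100.4", "country_code": "US"},
    ]
)


def impact_report(rule: Rule, log: list) -> Counter:
    """Detect-phase check: how many requests per source the rule would hit."""
    return Counter(r["source_ip"] for r in log if rule.matches(r))


def noisy_sources(report: Counter, threshold: int) -> list:
    """Sources whose match count suggests automation rather than a user."""
    return sorted(ip for ip, n in report.items() if n >= threshold)


if __name__ == "__main__":
    detect = Rule("detect", "/login")
    report = impact_report(detect, SAMPLE_LOG)
    print("matches per source:", dict(report))
    print("candidates for Challenge/Prevent:", noisy_sources(report, 10))

    state = ChallengeState(ttl_minutes=10)
    challenge = Rule("challenge", "/login")
    req = SAMPLE_LOG[0]
    print("first visit:", decide(challenge, req, state, now_minute=0))
    state.record_pass(req["source_ip"], 0)
    print("5 min later:", decide(challenge, req, state, now_minute=5))
    print("10 min later:", decide(challenge, req, state, now_minute=10))
```

Run it once with the rule in Detect mode and look at the per-source counts: the three ordinary users match once each, which is the signal that a plain `/login` rule in Challenge mode would also interrupt real logins, while the one source with 40 hits is the credential-stuffing candidate. Adding the Country Code condition narrows the same rule to that source alone, which is the kind of scoping to settle before switching the action to Challenge or Prevent.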
