Bot Management

Fastly's Bot Management product provides you with visibility into bot traffic, allowing you to identify bots and automations directly at Fastly's network edge, closer to where requests arrive and further away from your application layer. Using the knowledge you gain from this detection, you can enforce rulesets and policies in the Bot Management console as part of your web asset and application protection measures. Because not all bots are malicious, Bot Management offers controls that can help you decrease unwanted bot activity by allowing you to customize your interactions and automatically decide which bots are safe to interact with in your ecosystem.

Client fingerprinting

Client fingerprinting incorporates JA3 fingerprinting and allows you to identify client types whenever that information is available in the TLS handshake between a specific client and its server. This feature can help you detect bots designed for malicious activities such as credential stuffing, credential cracking, or IP rotation attacks.
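To make concrete what a JA3 fingerprint captures, here is an added example (not Fastly's code, and not part of this guide) that computes the JA3 string and hash from a constructed TLS ClientHello, following the public JA3 definition: the client version, cipher suites, extension types, supported groups, and EC point formats, each list as decimal values joined with "-", the five fields joined with ",", GREASE values removed, and the result hashed with MD5. The ClientHello bytes, the `build_client_hello` helper and the cipher and extension values chosen are all constructed for illustration.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized per connection and must be dropped,
# otherwise the same client stack would produce a different fingerprint each time.
def is_grease(v: int) -> bool:
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample, not a real capture)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record: bytes):
    """Parse a TLS ClientHello record and return (ja3_string, ja3_md5)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]  # skip the 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4  # skip handshake type (1) and length (3)
    version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32  # client_version, then 32-byte random
    sid_len = hs[p]
    p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = hs[p]
    p += 1 + comp_len
    ext_total = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_total

    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if is_grease(etype):
            continue
        ext_types.append(etype)
        if etype == 0x000A:  # supported_groups: 2-byte list length, then 2-byte group ids
            glen = struct.unpack("!H", data[:2])[0]
            raw = (struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2))
            groups = [g for g in raw if not is_grease(g)]
        elif etype == 0x000B:  # ec_point_formats: 1-byte list length, then 1-byte formats
            flen = data[0]
            formats = list(data[1:1 + flen])

    ciphers = [c for c in ciphers if not is_grease(c)]
    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, ext_types)),
        "-".join(map(str, groups)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed sample: TLS 1.2 client_version, a GREASE cipher and GREASE extension/group
# mixed in, so the example shows them being filtered out of the fingerprint.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [
        (0x1A1A, b"\x00"),                                   # GREASE extension
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),          # server_name
        (0x000A, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),       # supported_groups (GREASE, x25519, secp256r1)
        (0x000B, b"\x01\x00"),                               # ec_point_formats (uncompressed)
        (0x0017, b""),                                       # extended_master_secret
        (0x002B, b"\x02\x03\x04"),                           # supported_versions (TLS 1.3)
    ],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```

The fingerprint describes the TLS library and its configuration rather than the individual client, so two different programs built on the same stack will collide, and a changed cipher list changes the hash. In practice that makes JA3 most useful for grouping traffic and flagging known automation stacks, not as a standalone allow or block decision.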

Client challenges

Client challenges allow you to require users to prove that they are human or that a connection is happening via a full-fledged browser. For each service, you choose whether these challenges are interactive or non-interactive. Interactive challenges use configurable CAPTCHA-like challenge-response tests that human users must respond to. Non-interactive challenges get sent automatically to each client as JavaScript code embedded in a web page.

To identify when challenges have been initiated and solved, cookies are issued from the customer domain in which the challenges are issued. Specifically:

  • the _fs_ch_st_<RANDOM_STRING> challenge start cookie signals the initiation of the challenge and helps mitigate trivial replay of challenge flows by your service
  • the _fs_ch_cp_<RANDOM_STRING> challenge complete cookie signals the completion of the challenge and communicates to your service that access to a resource should be permitted

Verified bots

Verified bots allow you to add a Next-Gen WAF signal to the logic of your active configuration rules. The signal helps validate self-identified bots so that you can allow or block them as appropriate as requests arrive at the web applications you're protecting.

Prerequisites

To purchase Bot Management, you must purchase Fastly's Next-Gen WAF at the Professional or Premier level for deployment on Fastly's Edge Cloud platform. This requires a paid account with a contract for Fastly's services.

Limitations and considerations

Keep in mind the following limitations and considerations:

  • The client challenges feature must be enabled for each individual service using your service ID via an API call.
  • When using the client challenges feature, you must choose between either interactive or non-interactive challenges for each service. Both cannot be active on a single service at the same time.
  • Using client challenges for multiple hostnames requires creating a rule that restricts the challenge to a specific hostname. If, for example, a service includes both www.example.com and api.example.com as hosts, client challenges will not behave as expected.
  • Exceptions to client challenges can be used to allow some bots access to your site. These exceptions must be explicitly included in any rule that would otherwise exclude them.

Billing

Fastly charges for Bot Management based on the volume of requests (per million) processed per month. These charges are separate from and do not include charges associated with the Fastly Full Site Delivery service or with usage of the Fastly Next-Gen WAF.

For more details about this product, including how to purchase it, contact your account manager or email sales@fastly.com.