Bot Management policy and WAF policy - which runs first?

[Anthony Alarcon]

Hope this is an easy one to answer.  I've looked through documentation on both subjects but couldn't find an answer (or was just not looking hard enough). 

 

So I've got both Bot Management and WAF features enabled on a device.  Let's say I have a Bot Management policy that is bound default globally and has a policy expression of "true".  And I've got a WAF policy bound to a VIP with an expression of "true".  Which will run first?  The Bot Management policy or the WAF policy?  I would imagine the Bot protection would run first to sort of screen the deluge of requests that come from bots of all types?  What if the WAF policy is also bound default globally with an expression of "true"?  Or does that even matter with the run order?

[Marcelo Oguma de Souza1709152865]

Hi,

BOT policies are processed before WAF.

The points where you bind a police (default global, Virtual Server, etc.) only matter (regarding order of processing) for policies of the same type (e.g. a WAF policy bound to the Virtual Server takes precedence over a WAF policy bound to default global)

Please see the NetScaler packet flow in this documentation: https://docs.netscaler.com/en-us/citrix-adc/current-release/getting-started-with-citrix-adc.html

This page explains the order of processing of different bind points: https://docs.netscaler.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/configure-advanced-policy-expressions/bind-policies-using-advanced-policy.html#bind-points-and-order-of-evaluation

 

Hope it helps.

[Anthony Alarcon]

Fantastic!  Thanks @Marcelo Oguma de Souza1709152865!  And the two documents are incredibly helpful!