What cookies are injected by F5 Distributed Cloud WAAP?

Description

The first 4 characters ("xxxx" in the following codes) of each cookie are taken from the vHost ID of the HTTP Load-Balancer:

Cookie with names ending in xxxx1: transaction ID
Cookie with names ending in xxxx03: security tokens, encrypted and signed
Cookie with names ending in xxxx5: tracking cookie for stateful analysis
Cookie with name X-VOLTERRA-JS-CHL: Javascript challenge cookie
Cookie with name X-VOLTERRA-RECAPTCHA: CAPTCHA challenge cookie (see step 5.7 in the link)
Cookie with name like TS01xxxx aka "The ASM Main cookie": more details on this cookie here: Overview of ASM cookies.

Q: What I would like to know is what kind of client requests or responses from the server will XC insert (set-cookies) these cookies into?
- A: Generally the cookies will be set in all responses whose request has produced a waf security event. It might also set the cookies in responses for requests which haven't produced a waf security event, but will not always do so. The decision whether to set the cookie or not is based on waf security heuristics.
Q:If you skip WAF processing with the Service Policy below, cookies will no longer be set (Set-Cookie) in XC.
- A: Skipping WAF will skip setting those cookies too.
Q: Is the cookie set by XC not set "when XC's WAF function is enabled" but "when XC performs WAF processing"?
- A: Yes
Q: When the above Service Policy is applied and XC does not set cookies, what will happen if the client's request includes a cookie used by XC such as "TS01dc4fc6="?
- A: Specifically overriding TS01... is not supposed to damage the security flow. But, in general, it is not recommended to override the internal cookies of the WAF.
Q: I understand that F5 XC inserts "TS01xxxxxx" when the origin server inserts the cookie.
Are there any other conditions to insert?
- A: It will only insert this cookie when there's cookies coming from origin server.