- Does Distributed Cloud WAF or other of its security solutions inject cookies?
- F5® Distributed Cloud WAF
- F5® Distributed Cloud Bot Defense
- Yes, WAF injects a few response cookies.
- WAF inspection is skipped on these cookies, by default.
The first 4 characters of each cookie name (shown as "xxxx" in the patterns below) are taken from the vHost ID of the HTTP Load Balancer:
- Cookies with names ending in xxxx1: transaction ID
- Cookies with names ending in xxxx03: security tokens, encrypted and signed
- Cookies with names ending in xxxx5: tracking cookie for stateful analysis
- Cookie named X-VOLTERRA-RECAPTCHA: CAPTCHA challenge cookie (see step 5.7 in the link)
- Cookie with a name like TS01xxxx, aka "the ASM main cookie": more details on this cookie here: Overview of ASM cookies.
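The naming rules above are enough to tell, from a captured response or request, which cookies belong to XC and which came from the origin. The following is an added example (not F5 code or tooling) that classifies cookie names from Set-Cookie and Cookie headers against those rules. It assumes the caller supplies the 4-character vHost ID fragment as `vhost_prefix`, and it recognises the ASM main cookie by its `TS01` prefix alone, since the page gives no fixed length for the rest of that name; the sample headers are constructed.

```python
"""
Classify cookie names against the F5 Distributed Cloud (XC) cookie naming
rules listed on this page.  Added example, not F5 code.
Assumptions (not stated on the page): the caller knows the 4-character vHost
ID fragment (``vhost_prefix``); the ASM main cookie is matched on "TS01" only.
"""
from typing import Dict, List, Optional, Tuple

# Cookie families named on the page.
TRANSACTION_ID = "transaction-id"   # name ends in <vhost>1
SECURITY_TOKEN = "security-token"   # name ends in <vhost>03, encrypted and signed
TRACKING = "tracking"               # name ends in <vhost>5, stateful analysis
CAPTCHA = "captcha-challenge"       # exact name X-VOLTERRA-RECAPTCHA
ASM_MAIN = "asm-main"               # TS01... ("the ASM main cookie")

SUFFIX_RULES = (("03", SECURITY_TOKEN), ("1", TRANSACTION_ID), ("5", TRACKING))


def classify_cookie_name(name: str, vhost_prefix: str) -> Optional[str]:
    """Return the XC cookie family for ``name``, or None for a non-XC cookie."""
    if len(vhost_prefix) != 4:
        raise ValueError("vhost_prefix must be the 4-character vHost ID fragment")
    if name == "X-VOLTERRA-RECAPTCHA":
        return CAPTCHA
    if name.startswith("TS01"):
        return ASM_MAIN
    for suffix, family in SUFFIX_RULES:
        if name.endswith(vhost_prefix + suffix):
            return family
    return None


def cookie_names_from_set_cookie(headers: List[str]) -> List[str]:
    """Cookie names from Set-Cookie response headers (one cookie per header)."""
    names = []
    for header in headers:
        first_pair = header.split(";", 1)[0]          # drop Path=, Secure, ...
        name, _, _ = first_pair.partition("=")
        names.append(name.strip())
    return names


def cookie_names_from_cookie_header(header: str) -> List[str]:
    """Cookie names from a request Cookie header ("a=1; b=2")."""
    names = []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, _ = pair.partition("=")
        names.append(name.strip())
    return names


def classify_names(names: List[str], vhost_prefix: str) -> Dict[str, Optional[str]]:
    """Map every cookie name to its XC family (None for origin cookies)."""
    return {n: classify_cookie_name(n, vhost_prefix) for n in names}


def xc_cookies(names: List[str], vhost_prefix: str) -> List[Tuple[str, str]]:
    """Only the cookies attributed to XC, as (name, family) pairs."""
    return [(n, f) for n, f in classify_names(names, vhost_prefix).items() if f]


# Constructed sample: vHost fragment "ab12", three XC cookies, the ASM main
# cookie from the page, and one cookie set by the origin.
SAMPLE_VHOST_PREFIX = "ab12"
SAMPLE_SET_COOKIE = [
    "ab121=txn-0001; Path=/; Secure",
    "ab1203=enc.sig; Path=/; Secure; HttpOnly",
    "ab125=track-77; Path=/",
    "TS01dc4fc6=0123abcd; Path=/",
    "sessionid=origin-session; Path=/; HttpOnly",
]

if __name__ == "__main__":
    names = cookie_names_from_set_cookie(SAMPLE_SET_COOKIE)
    for cookie, family in classify_names(names, SAMPLE_VHOST_PREFIX).items():
        print(f"{cookie:22s} -> {family or 'origin cookie'}")
```

Running the classifier over the Set-Cookie headers of responses on a path whose Service Policy skips WAF gives a quick way to confirm the page's statement that no XC cookies are set there; running it over request Cookie headers shows whether clients are sending XC-internal cookies back.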
Q: What I would like to know is: into which client requests or server responses will XC insert (via Set-Cookie) these cookies?
- A: Generally the cookies will be set in all responses whose request has produced a WAF security event. It might also set the cookies in responses for requests which haven't produced a WAF security event, but will not always do so. The decision whether to set the cookie or not is based on WAF security heuristics.
Q: If you skip WAF processing with the Service Policy below, cookies will no longer be set (Set-Cookie) in XC.
- A: Skipping WAF will skip setting those cookies too.
Q: Is the cookie set by XC not set "when XC's WAF function is enabled" but "when XC performs WAF processing"?
- A: Yes
Q: When the above Service Policy is applied and XC does not set cookies, what will happen if the client's request includes a cookie used by XC such as "TS01dc4fc6="?
- A: Specifically overriding TS01... is not supposed to damage the security flow. But, in general, it is not recommended to override the internal cookies of the WAF.
Q: I understand that F5 XC inserts "TS01xxxxxx" when the origin server inserts a cookie. Are there any other conditions under which it is inserted?
- A: It will only insert this cookie when there are cookies coming from the origin server.