Unencrypted cookie persistence profiles found for F5

Vendor

F5

Description

According to best practices, persistence cookies should be encrypted when they are persisted to the client browser, to avoid security issues. Indeni will alert when this is not the case.

Remediation Steps

Review these instructions on how to enable persistence cookie encryption:

https://support.f5.com/csp/article/K14784

It is best not to change the default profiles. Instead, create a new persistence profile with the default profile as parent. Cookie Encryption Use Policy should be set to Required in order for this alert not to be triggered.

How does this work?

indeni uses the iControl REST interface to extract the persistence profile configuration.

Why is this important?


Without Indeni how would you find this?

Log in to the device's web interface and click on "Local Traffic" -> "Profile" -> "Persistence". This shows a list of the configured persistence profiles, their members and their availability. Look for profiles of the type "cookie" and verify that each of them has cookie encryption enabled. If the configuration is divided into multiple partitions, switching to the "All [Read-only]" partition is recommended. This information is also available by logging into the device through SSH, entering TMSH and executing the command "cd /;list ltm persistence cookie recursive".
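The same check done programmatically, covering both the iControl REST path described under "How does this work?" and the manual review above. This is an added example, not Indeni's rule code: it assumes the REST collection /mgmt/tm/ltm/persistence/cookie returns one item per profile, with the tmsh property cookie-encryption exposed as the camelCase key "cookieEncryption" (disabled | preferred | required) and the parent profile in "defaultsFrom"; the sample response is constructed, and the inheritance walk for profiles that do not set the value themselves is the example's own assumption.

```python
"""Find F5 cookie persistence profiles whose Cookie Encryption Use Policy
is not "Required" (the condition that triggers the alert).

Added example, not Indeni's own code. Assumed iControl REST shape:
items[] with fullPath, optional defaultsFrom, optional cookieEncryption.
"""
import json
from typing import Dict, List, Optional

# Constructed sample of GET /mgmt/tm/ltm/persistence/cookie, trimmed to the
# keys this check uses (not captured from a real device).
SAMPLE_RESPONSE = json.dumps({
    "items": [
        # default profile, left untouched per the remediation advice
        {"name": "cookie", "partition": "Common", "fullPath": "/Common/cookie",
         "cookieEncryption": "disabled"},
        # child profile with the required setting
        {"name": "cookie_encrypted", "partition": "Common",
         "fullPath": "/Common/cookie_encrypted", "defaultsFrom": "/Common/cookie",
         "cookieEncryption": "required"},
        # "preferred" still allows unencrypted cookies, so it is flagged
        {"name": "cookie_preferred", "partition": "Common",
         "fullPath": "/Common/cookie_preferred", "defaultsFrom": "/Common/cookie",
         "cookieEncryption": "preferred"},
        # profile in another partition that sets nothing itself and inherits
        {"name": "app_cookie", "partition": "Partition1",
         "fullPath": "/Partition1/app_cookie",
         "defaultsFrom": "/Common/cookie_encrypted"},
    ],
})


def sample_items() -> List[dict]:
    """Return the constructed sample as the list of profile objects."""
    return json.loads(SAMPLE_RESPONSE)["items"]


def effective_encryption(profile: dict, by_path: Dict[str, dict]) -> str:
    """Resolve cookieEncryption for a profile, following defaultsFrom when
    the profile does not set the value itself (assumption: unset means
    inherited). A cycle guard stops on malformed parent chains."""
    seen = set()
    current: Optional[dict] = profile
    while current is not None and current["fullPath"] not in seen:
        seen.add(current["fullPath"])
        value = current.get("cookieEncryption")
        if value is not None:
            return value.lower()
        current = by_path.get(current.get("defaultsFrom", ""))
    # No ancestor sets it: whatever the platform default, it is not
    # "required", so the caller flags it.
    return "unset"


def find_unencrypted(items: List[dict]) -> List[str]:
    """Return the fullPath of every cookie profile whose effective
    Cookie Encryption Use Policy is not 'required', sorted for stable output."""
    by_path = {p["fullPath"]: p for p in items}
    return sorted(p["fullPath"] for p in items
                  if effective_encryption(p, by_path) != "required")


def check_sample() -> List[str]:
    """Run the check against the constructed sample response."""
    return find_unencrypted(sample_items())


def fetch_cookie_profiles(host: str, user: str, password: str,
                          verify: bool = True) -> List[dict]:
    """Live query (not run offline): basic auth against iControl REST,
    returning the 'items' list in the same shape as SAMPLE_RESPONSE."""
    import requests  # imported here so the offline check has no dependency
    url = f"https://{host}/mgmt/tm/ltm/persistence/cookie"
    resp = requests.get(url, auth=(user, password), verify=verify, timeout=30)
    resp.raise_for_status()
    return resp.json().get("items", [])


if __name__ == "__main__":
    for path in check_sample():
        print(f"cookie persistence profile without required encryption: {path}")
```

Against the sample, the default /Common/cookie and the "preferred" profile are reported; the partition profile that inherits "required" from its parent is not. Profiles set to "preferred" are flagged on purpose, since that policy still accepts unencrypted cookies from clients. For a live device, pass the result of fetch_cookie_profiles() to find_unencrypted(); an account with read access to the LTM persistence profiles is sufficient.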
