Manual Chapter : Configuring Advanced Cookie Protection

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Overview: Configuring advanced cookie protection

Many of the Application Security Manager (ASM) security features store ASM cookies on clients as part of the traffic security enforcement. Examples of security features that use cookies for validation are cookie enforcement, parameter enforcement, CSRF protection, login enforcement, session tracking, and anomaly detection. Cookie enforcement is also called domain cookies; cookies for the other features are called other ASM cookies.

The system applies a random security key unique to each deployment and uses it in conjunction with an encryption algorithm. The combination of the randomly generated key and the selected algorithms is called the security context. Normally, you do not have to change the cookie protection settings. However, in cases where you suspect a security breach has occurred, or if you want a different balance between speed and security, you can reconfigure cookie protection.

By default, when you initially start the system, it automatically generates a security key and sets the cookie security level to secure. You can change the encryption schema to provide faster cookie protection by reconfiguring cookie protection.

If you want to use the same security context on other systems, you can set up advanced cookie configuration settings on one BIG-IP system and export them. You can then import the settings on the other systems. You can configure all your systems to use the same cookie protection, or apply different settings to the systems. However, if you have multiple ASM-enabled devices that share traffic (and are not synchronized using device groups), it is recommended that those systems should all use the same cookie protection settings.

If synchronizing multiple ASM systems using device groups, you can configure the settings you want to use for all systems on one and then synchronize the systems.

Reconfiguring cookie protection

Application Security Manager (ASM) automatically configures cookie protection. If you need to adjust cookie protection due to a security breach or because you want to change the current protection level, you can reconfigure cookie protection.
Note: This is an advanced configuration task that is required only in special circumstances.
  1. On the Main tab, click Security > Options > Application Security > Advanced Configuration > Cookie Protection. The Cookie Protection screen opens.
  2. Review the data and time specified in the Latest Generation/Import Configuration Time setting to see when cookie protection was last configured.
  3. To review the details of the cookie protection, click View Algorithms Configuration. The screen shows the specific algorithms the system uses to protect domain and other ASM cookies.
  4. If you decide that you want to change the cookie configuration, click Reconfigure Cookie Protection. The Reconfigure Cookie Protection screen opens.
  5. For Grace Period Until signing with new Security Context, type the amount of time in minutes that must pass before the system begins signing ASM cookies with the new key and algorithm that you are configuring. The default value is 30 minutes. Initially when you start the system, this is the period the system waits to apply the new security context for the new release.
  6. For Grace Period To Accept Old Cookies, type the amount of time in minutes that must pass before the system stops accepting traffic with ASM cookies that use the old key and algorithm. The default value is 2880 minutes (48 hours).
  7. For Algorithm Selection, select the overall cookie security level to apply: Secure or Fast.
    Tip: The Secure setting uses more system resources.
    Changing this setting changes the Scramble and Mac algorithms used for cookie protection.
  8. If you want to review the actual algorithms used for the cookies, you can do this:
    1. For the Cookie Protection Configuration setting, select Advanced. The screen shows additional settings.
    2. Review the scramble and Mac algorithms used for the domain cookies and other ASM cookies, and adjust them if needed. If you use settings other than the defaults, the Algorithm Selection changes to Custom.
  9. Click Reconfigure. The system regenerates a new security context but waits to start using it until it surpasses the grace period until signing value.
  10. If you need to extend either of the grace periods, click Extend and type the number of minutes to add and click Save.

Importing cookie protection configuration

If you want to use the same cookie configuration settings on more than one Application Security Manager (ASM) system (especially systems that share traffic), you can export the settings from one system and import them onto another one. This task explains how to import the settings.
  1. On the Main tab, click Security > Options > Application Security > Advanced Configuration > Cookie Protection. The Cookie Protection screen opens.
  2. Click Import. The Import Cookie Protection Configuration screen opens.
  3. From the Import Method list, select Upload file and locate the previously exported configuration file. The exported file has a name such as ASM_Cookie_Protection_Configuration_2013-08-15_08-22.txt.
  4. To review the details of the cookie protection, click View Algorithms Configuration. The screen shows the specific algorithms the system uses to protect domain and other ASM cookies.
  5. For Grace Period Until signing with new Security Context, type the amount of time in minutes that must pass before the system begins signing ASM cookies with the new key and algorithm that you are configuring. The default value is 30 minutes. Initially when you start the system, this is the period the system waits to apply the new security context for the new release.
  6. For Grace Period To Accept Old Cookies, type the amount of time in minutes that must pass before the system stops accepting traffic with ASM cookies that use the old key and algorithm. The default value is 2880 minutes (48 hours).
  7. Click Import. The system imports the security context but waits to start using it until the grace period until signing is up.
  8. If you need to extend either of the grace periods, click Extend and type the number of minutes to add and click Save.

Exporting cookie protection configuration

If you want to use the same cookie configuration settings on more than one Application Security Manager system, you can export the settings from one system and import them onto another one. This task explains how to export the settings to a file.
  1. On the Main tab, click Security > Options > Application Security > Advanced Configuration > Cookie Protection. The Cookie Protection screen opens.
  2. Click Export. The system exports the cookie protection configuration to a file with a name such as ASM_Cookie_Protection_Configuration_2013-08-15_08-22.txt.