Unencrypted cookie persistence profiles found-f5-all
According to best practices, persistence cookies should be encrypted before being sent to the client browser to avoid disclosing internal details. indeni will alert when this is not the case.
Review these instructions on how to enable persistence cookie encryption:
https://support.f5.com/csp/article/K14784

It is best not to change the default profiles. Instead, create a new persistence profile with the default profile as parent. Cookie Encryption Use Policy should be set to Required in order for this alert not to be triggered.
How does this work?
indeni uses the iControl REST interface to extract the persistence profile configuration.
Why is this important?
Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.
Without Indeni how would you find this?
Log in to the device's web interface and click on "Local Traffic" -> "Profile" -> "Persistence". This shows a list of the configured persistence profiles, their members and their availability. Look for profiles of the type "cookie" and verify that each of them has cookie encryption enabled. In case the configuration is divided into multiple partitions, changing to the "All [Read-only]" partition is recommended. This information is also available by logging into the device through SSH, entering TMSH and executing the command "cd /;list ltm persistence cookie recursive".
name: f5-rest-mgmt-tm-ltm-persistence-cookie
description: Track cookie persistence profiles without encryption
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: f5
    product: load-balancer
    rest-api: 'true'
comments:
    f5-cookied-persistence-encrypted:
        why: |
            Not encrypting persistence cookies discloses internal information such as internal IP, port and pool name. This information could be used by an attacker to gather information about your environment.
        how: |
            indeni uses the iControl REST interface to extract the persistence profile configuration.
        can-with-snmp: true
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase
    parse:
        type: JSON
        file: rest-mgmt-tm-ltm-persistence-cookie.parser.1.json.yaml
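The check the rule above performs, written out as an added example (this is not indeni's parser and not F5 code). It assumes the JSON returned by the iControl REST collection endpoint named in the rule has the usual "items" list with a "fullPath" and "cookieEncryption" field per profile; the sample response, profile names and settings are constructed for illustration, and the passphrase value is a placeholder.

```python
import json

# Constructed sample of the shape returned by
# GET /mgmt/tm/ltm/persistence/cookie?$select=fullPath,cookieEncryption,cookieEncryptionPassphrase
# Profile names, partitions and settings are made up; the passphrase is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "kind": "tm:ltm:persistence:cookie:cookiecollectionstate",
    "items": [
        {"fullPath": "/Common/cookie", "cookieEncryption": "disabled"},
        {"fullPath": "/Common/app1_cookie", "cookieEncryption": "required",
         "cookieEncryptionPassphrase": "<masked-placeholder>"},
        {"fullPath": "/Partition2/legacy_cookie", "cookieEncryption": "preferred"},
    ],
})

# Only "required" rejects unencrypted cookies from clients; "preferred" still
# accepts plaintext cookies and "disabled" never encrypts, so both are flagged.
COMPLIANT_POLICY = "required"


def unencrypted_cookie_profiles(response_text):
    """Return (fullPath, policy) for every cookie persistence profile whose
    cookie-encryption policy is anything other than 'required'."""
    data = json.loads(response_text)
    findings = []
    for item in data.get("items", []):
        # A missing field is treated as the default, which is no encryption.
        policy = item.get("cookieEncryption", "disabled")
        if policy != COMPLIANT_POLICY:
            findings.append((item["fullPath"], policy))
    return findings


def alert_lines(findings):
    """Render one alert line per non-compliant profile, as a monitoring rule would."""
    return [
        f"Unencrypted cookie persistence profile: {path} (cookie-encryption={policy})"
        for path, policy in findings
    ]


if __name__ == "__main__":
    for line in alert_lines(unencrypted_cookie_profiles(SAMPLE_RESPONSE)):
        print(line)
```

Running it against the constructed response reports the default "/Common/cookie" profile and the "preferred" profile; the profile set to "required" is silent, which matches the condition under which the alert is not raised.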