Forum Discussion

cd_312641's avatar
cd_312641
Icon for Nimbostratus rankNimbostratus
Jan 04, 2019

Exchange (OWA) ASM Template and Cookie Violation

Hello,

 

I have a Portal Access VS which allow to access multiple applications (URIs). One of those is an OWA Exchange 2010. All is working fine.

 

I am now trying to secure the OWA application with the ASM module. I crated an ASM policy using the latest exchange ASM template (https://devcentral.f5.com/d/new-asm-templates). I then applied a LTM policy to my Portal Access VS, which says that if the URI contains */owa, then it must applies the ASM policy I created. All is working fine.

 

Now what I don't understand with that given ASM template, is that I trigger a Modified Domain Cookie Violation for the following cookies:

 

- tzid

 

- UserContext

 

Reason says "New". Both those cookies are set in the Enforced Cookie section of the ASM policy. I did not put them here, it is the template that did so. Why am I triggering this violation ? Is the template wrong and should have put those cookies in the Allowed cookie section ?

 

Thanks

 

ASM Advanced WAF
BIG-IP
security

3 Replies

Sort By
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jan 04, 2019

    The template probably comes with a list of predefined cookies, and those 2 new cookies were not present.

     

    Just add enforce/allow them.

     

    If you want to double check, access the site directly and see if those cookies are sent by the server.

     

    Add a comment in the template post, so the owner can update the template.

     

  • cd's avatar
    cd
    Icon for Cirrus rankCirrus
    Jan 07, 2019

    The two cookies I mentioned are present in the template. My understanding is that Allowed cookies are cookies authorized and that can be modified by user. Enforced cookies are cookies authorized but that shouldn't be modified by user.

     

    Both UserContext and tzid cookies are in the Enforced section, and flagged as changed by user which triggers the violation.

     

    Both cookies are indeed sent by server.