Configure the cookie persistence profile
Modern traffic management systems offer a wide variety of policies to enable session persistence, and it is important to know which policy is right for your system. Cookie persistence is the most popular policy for the majority of web applications, as cookie data is highly configurable, robust, and typically unaffected by network policies that modify packet data. The main drawback to cookie persistence is that applications must be capable of sending the cookie with every request, which is not always feasible.
For the F5 LTM, Bravura Security recommends the HTTP Cookie Insert policy of cookie persistence. When using the HTTP Cookie Insert policy, the F5 LTM will insert a browser cookie into any traffic that does not already have that cookie defined; if the cookie exists in subsequent request or response headers, the F5 LTM uses the cookie data to associate requests to a server and maintain session persistence.
By default, the F5 LTM cookie uses the following format:
BIGipServer<Pool name>=<Cookie data>
where <Pool name> is the server pool defined on the F5 LTM, and <Cookie data> is the uniquely identifying information for this session.
See more information on available session persistence strategies for the F5 LTM.
To configure the cookie persistence profile:
1. Log in to the BIG-IP F5 LTM as an administrator.
2. Navigate to Main > Local Traffic > Profiles > Persistence.
3. If you want to use the default cookie profile for managing Bravura Security Fabric session persistence, select cookie from this list, and skip to Step 8 below.
   If you want to create a custom persistence profile for Bravura Security Fabric traffic, click Create... and proceed from Step 4.
4. In the Name field, input a unique name for this profile.
5. In the Persistence Type drop-down list, select cookie.
   The Configuration options table appears, with values disabled by default. The Parent Profile field also appears.
6. In the Parent Profile field, select Cookie.
7. Review the Configuration table, and enable fields that need to be modified.
   To modify these settings, you must specify which options will not be inherited from the parent profile. Click the checkboxes on the right to enable modification for individual fields you wish to update, or click the checkbox labeled Custom to enable all fields for editing.
8. Under Cookie Method, select HTTP Cookie Insert.
9. Under Expiration, enable Session Cookie.
10. Click Finished or Update to commit your changes.
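One way to verify the result of this procedure from the client side, as an added example that is not part of the Bravura Security or F5 documentation: it inspects the Set-Cookie headers of the first response to a request sent without cookies and checks that the persistence cookie uses the default BIGipServer<Pool name> name and is a session cookie. The pool name bravura_pool, the app_session cookie and all header values are constructed placeholders.

```python
PREFIX = "BIGipServer"  # default cookie name prefix, per the format on this page

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs

def check_persistence_cookie(set_cookie_values, pool_name):
    """Return findings for the first response to a cookieless request.

    An empty list means the cookie matches the profile configured above.
    """
    expected = PREFIX + pool_name
    seen = [parse_set_cookie(v) for v in set_cookie_values]
    lb = [c for c in seen if c[0].startswith(PREFIX)]
    if not lb:
        return ["no %s<Pool name> cookie was inserted" % PREFIX]
    findings = []
    for name, value, attrs in lb:
        if name != expected:
            findings.append("%s: expected cookie name %s" % (name, expected))
        if not value:
            findings.append("%s: cookie data is empty" % name)
        # Expires or Max-Age makes the cookie persistent instead of session-scoped
        lifetime = [a for a in ("expires", "max-age") if a in attrs]
        if lifetime:
            findings.append("%s: not a session cookie (%s set)" % (name, ", ".join(lifetime)))
    return findings

# Constructed sample headers; the pool name and cookie data are placeholders.
POOL = "bravura_pool"
SAMPLES = {
    "as configured": ["app_session=abc; Path=/", "BIGipServerbravura_pool=sample-data; path=/"],
    "persistent": ["BIGipServerbravura_pool=sample-data; path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"],
    "not inserted": ["app_session=abc; Path=/"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", check_persistence_cookie(headers, POOL) or "OK")
```

Because the F5 LTM only inserts the cookie when the request does not already carry it, run the check against a fresh request with no cookies attached.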
In order to ensure that a load-balanced environment does not disrupt the normal operation of the Bravura Security Fabric, the load balancer must have session persistence enabled for the services that need a predictable connection to a single node. A detailed outline of BIG-IP’s supported persistence profiles is available in:
A summary is provided here:
Cookie Persistence: Cookie persistence uses the HTTP cookie header to ensure session persistence. This method is more robust than other persistence options, but requires that client applications are prepared to handle these cookies. More details on cookie persistence in the F5 LTM environment are available in the manual at https://support.f5.com/csp/article/K83419154.
Cookie Hash: This method maps a specific cookie value to a specific node, allowing granular control of how traffic is routed. This requires that the web server creates the web cookie and sends it when new sessions are created.
HTTP Cookie Insert: In this method, the BIG-IP injects an HTTP Cookie header into new sessions. Requests that include this header are directed to their respective nodes.
HTTP Cookie Passive: In this method, BIG-IP does not interact with cookie data. Instead, the server creates the cookie, which includes the server information and timeout. This method is not recommended for most environments.
HTTP Cookie Rewrite: This method intercepts the Set-Cookie header created by the web server, and overwrites its name and content to contain the address and port information needed for persistence.
Destination Address: This method directs traffic to the same server based on the destination IP of the incoming packets.
Hash: This method uses the data from request and response traffic to generate a hashed value that is used to associate sessions to a specific server.
Host: Host persistence uses the HTTP Host header to determine which server to direct traffic to.
Microsoft Remote Desktop: This method tracks sessions between clients and servers running the Microsoft RDP service to ensure persistence.
SIP: SIP persistence is an application-specific protocol that tracks Session Initiation Protocol messages exchanged by applications that employ this protocol.
Source Address: Referred to as "simple persistence", this method routes traffic based on the source IP of a packet.
SSL: This method uses the SSL session ID to ensure persistence to a server.
Warning
If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details.
Universal: This method uses data extracted from request and response packets to establish persistence, but requires that the BIG-IP is able to inspect the packet data in detail.