Forum Discussion
APM cookie - F5_ST
We have an automated user testing application that does load testing for us. We found a bug in their system that can't handle the F5_ST cookie and the commas that come with it.
Any way of updating the cookie content to not have commas?
9 Replies
- Kevin_Stewart
Employee
The good news is that this is completely possible. The bad news is that, even with ACCESS::restrict_irule_events disabled, you cannot see the F5_ST cookie being sent to the client from APM. The only way that I know of, and have used, to alter this and the other APM session cookies is to layer an LTM VIP in front of your APM VIP. Your external LTM VIP would consume the addressable IP, the APM VIP could use an inaccessible internal IP/port, and your LTM iRule could rewrite cookie headers in both directions and then send traffic to the APM VIP using the virtual command. I actually just did this for someone else, so let me know if you want to see that iRule.
- Kevin_Stewart
Employee
Give this a whirl:
    when RULE_INIT {
        # user-defined: APM virtual server to forward traffic to
        set static::LOCAL_APM_VIP "access-test-internal-vs"
    }
    when HTTP_REQUEST {
        if { [HTTP::cookie exists F5_ST_ALT] } {
            HTTP::cookie insert name F5_ST value [string map {"@" ","} [HTTP::cookie value F5_ST_ALT]]
            HTTP::cookie remove F5_ST_ALT
        }
        virtual $static::LOCAL_APM_VIP
    }
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists F5_ST] } {
            HTTP::cookie insert name F5_ST_ALT value [string map {"," "@"} [HTTP::cookie value F5_ST]] path [HTTP::cookie path F5_ST]
            HTTP::cookie remove F5_ST
        }
    }

The above basically removes the F5_ST cookie from the response and creates a new version, F5_ST_ALT, with the comma mapped to an ampersand. The request event then does the same thing in reverse. The external LTM VIP has this iRule and calls the internal APM VIP by name.

    virtual $static::LOCAL_APM_VIP

If you're doing client side SSL, you'll want the client SSL profile on the LTM VIP. If you're doing server side SSL, you'll want the server SSL profile on the APM VIP. Now to just change the F5_ST value, the iRule might more appropriately look like this:
- AngryCat_52750
Nimbostratus
1.) TCL error: /Common/irule-performance - unable to find virtual 'access-performance' (line 1) invoked from within "virtual $static::LOCAL_APM_VIP"
2.) If I already have an iRule to switch based off specific paths, I think I would need to put that on the APM VIP, right?
- AngryCat_52750
Nimbostratus
1.) Error between keyboard and chair - I was referencing the APM policy and not the APM VS...
- Kevin_Stewart
Employee
Any application logic would need to go inside your APM VIP. The LTM VIP is simply there to manage cookies and pass the requests to the APM VIP.
- AngryCat_52750
Nimbostratus
Kevin, what is the F5_ST cookie used for?
The replacing of the comma with an @ works fine, but now our application is acting weird...
I am trying to figure out what this one cookie would do that would cause that.
- Kevin_Stewart
Employee
The F5_ST cookie is used exclusively to keep the client (i.e. APM JavaScript in the browser) informed about session-timeout and inactivity timeout.
What anomalies are you seeing?
- AngryCat_52750
Nimbostratus
I did the following to remove the cookie and the app works normally:

    when RULE_INIT {
        # user-defined: APM virtual server to forward traffic to
        set static::LOCAL_APM_VIP "vs_server-apm"
    }
    when HTTP_REQUEST {
        virtual $static::LOCAL_APM_VIP
    }
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists F5_ST] } {
            HTTP::cookie remove F5_ST
        }
    }
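
Added example, not part of the thread and not F5 code: the `string map` pair in the cookie-rewriting iRule above only round-trips if the F5_ST value never already contains "@". The plain-Tcl sketch below (runs in tclsh, no iRule commands) compares that mapping with a lossless escape; the proc names and sample values are constructed for illustration and are not real F5_ST contents.

```tcl
# Added example (not from the thread). Plain Tcl 8.4-compatible, no iRule commands.
# All cookie values below are constructed samples.

# Mapping used in the thread's iRule: "," <-> "@".
proc naive_encode {v} { return [string map {"," "@"} $v] }
proc naive_decode {v} { return [string map {"@" ","} $v] }

# Lossless variant: "%" is escaped as well, so an escape sequence on the
# wire can never be mistaken for original data. string map scans the input
# once, left to right, and never rescans its own replacements.
proc safe_encode {v} { return [string map {"%" "%25" "," "%2C"} $v] }
proc safe_decode {v} { return [string map {"%2C" "," "%25" "%"} $v] }

# Returns 1 only if the encoded form carries no comma AND decoding it
# restores the original value exactly.
proc round_trips {enc dec v} {
    set wire [$enc $v]
    if {[string first "," $wire] >= 0} { return 0 }
    return [string equal [$dec $wire] $v]
}

# Constructed inputs: commas only, a pre-existing "@", a literal "%2C".
set samples [list "0,1,1700000000,900" "0,a@b,900" "x%2C,y"]

foreach v $samples {
    puts [format "%-22s naive=%d safe=%d" $v \
        [round_trips naive_encode naive_decode $v] \
        [round_trips safe_encode safe_decode $v]]
}
```

To apply the lossless form in the iRule, the two `string map` argument lists in HTTP_REQUEST and HTTP_RESPONSE would be swapped for the `safe_decode` and `safe_encode` maps respectively.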