Forum Discussion

Nimbostratus

3 years ago

Modified domain cookie

Receive some blocked event about "modified domain cookie". After some research , a cookie "TSxxxxxxxx" is generated by F5 ASM and it used to hash the enforce cookie. When user got blocked, I found ...

security

Nikoolayy1

MVP

3 years ago

This is a tricky one as maybe the user is comming from a jump host or there is a proxy device before the F5 that does something. Also if just one browser has the issue is interesting as if you have AD an the user is internal there could be some rules that the AD enforces on the browser (also the users shouldn't be using incognito mode 🙂 )

Maybe see the links below as the ASM cookie is generated for every domain and path and maybe something happens on the browser that does not send the cookie. Also if it was API traffic/Bot traffic they normally do not support cookies.

https://support.f5.com/csp/article/K72137013

https://support.f5.com/csp/article/K54905165

https://support.f5.com/csp/article/K5907

Other thing is if you maybe enabled some flags:

https://support.f5.com/csp/article/K13787

KF2
Nimbostratus
3 years ago
The user is not internal.
"This is a tricky one as maybe the user is comming from a jump host or there is a proxy device before the F5 that does something" <-- You mean the proxy device will modify or delete the cookie?
All the links you posts i have already read before I post this question in this forum.
- Nikoolayy1
  MVP
  3 years ago
  I admit that are all my suggestions as if the F5 is sending the cookie what happens on the client device, I can't tell 🙂
  
  My final suggestion could be to also use One Connect profile as it helps with cookies and upstream proxy devices but outside of that I am out of ideas.
  
  https://support.f5.com/csp/article/K7964