Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology
  2. Virtual Servers and Their Behavior with Different Profiles in BIG-IP

Persistence Profile in BIG-IP

Persistence profiles in BIG-IP manage how the system maintains connections between clients and servers to ensure consistent behavior. Below is a detailed breakdown of persistence types, behaviors, and advanced options.

General Features

  • Connection Limit Overrides:

    • Pool member connection limits can be overridden for persisted clients.

    • Virtual server connection limits remain strict and are not overridden.

Persistence Types

  1. Cookie Persistence:

    • Designed for HTTP connections.

    • Tracks sessions by inserting or handling cookies between clients and servers.

    • Options:

      • Insert (Default):

        • BIG-IP inserts a custom cookie in server responses.

        • Encodes the server's IP and port in the cookie (BIGipServer<pool_name>).

        • Enabling Always Send Cookie ensures all F5 responses include the cookie (performance impact).

      • Rewrite:

        • Modifies cookies sent by the server (BIGipCookie=<120-zeroes> format) into F5's encoded cookie format.

      • Passive:

        • Forwards all cookies from the server without inserting or modifying them.

        • Server is responsible for persistence management.

      • Hash:

        • Server provides a cookie, and BIG-IP consistently maps it to a specific node.

        • Requires specifying the cookie name in the persistence profile.

  1. Source Address Persistence:

    • Tracks clients based on their IP address.

    • Supports TCP and UDP for host or network-based virtual servers.

  2. SSL Persistence:

    • Uses the SSL Session-ID to maintain persistence for non-terminated SSL connections.

  3. Destination Address Persistence:

    • For TCP/UDP connections to network-based virtual servers (supports /0 to /31 subnet masks).

  4. Hash Persistence:

    • Uses an iRule to create persistence records based on a hash value.

      • Example: persist hash <session-key>

  5. Universal Persistence:

    • Flexible; persistence records are created based on specific header values.

      • Example: persist uie <session-key>

  6. Microsoft RDP Persistence:

    • Tracks sessions using RDP Session-ID.

  7. SIP Persistence:

    • Tracks sessions using Caller-ID for SIP over TCP, UDP, or SCTP.

CARP (Cache Array Routing Protocol) Hash Algorithm

  • Stateless load balancing for HTTP or compatible protocols.

  • Key Features:

    • No persistence table required.

    • Automatic load redistribution between members.

    • Suitable for HTTP cache proxies, HTTP traffic, and OneConnect configurations.

    • Commands like tmsh show /ltm persistence persist-records and bigpipe persist show all cannot be used.

    • Excellent for stateless persistence scenarios.

Advanced Persistence Options

Criteria for Session Persistence

  • For cookie profiles, "Cookie Hash" settings apply when VS → Pool → Node mappings include the same member addresses.

"Match Across Services"

  • Port-based matching.

  • Used when multiple VSs share the same virtual IP but have different ports.

    • Example:

      • VS1: 192.168.0.2:80

      • VS2: 192.168.0.2:443

"Match Across Virtual Servers"

  • Allows persistence across virtual servers with different virtual IPs and ports.

  • Useful when multiple VSs point to the same backend pool or node.

"Match Across Pools"

  • Enables persistence across multiple pools.

  • The system uses any pool containing a persistence record for the client.

    • Caution: Can redirect traffic to a pool not explicitly configured for the virtual server.

Summary of Use Cases

Persistence Type

Use Case

Cookie

HTTP traffic with client-side tracking via cookies.

Source Address

Sessions requiring IP-based tracking (e.g., stateless clients).

SSL

Non-terminated SSL traffic with session consistency.

Destination Address

Network-based load balancing scenarios.

Hash / Universal

Custom iRule-driven persistence logic.

Microsoft RDP

Microsoft Remote Desktop Protocol sessions.

SIP

Caller-ID-based SIP traffic.

CARP Hash

Stateless, HTTP cache proxies, and OneConnect configurations.

PreviousLoad-balancing Methods in BIG-IP LTMNextCMP vs. SMP in BIG-IP Systems

Last updated 3 months ago