AppFirewall needs to modify packets in order to detect any sort of tampering. In addition, enabling certain protections requires AppFirewall to drop parts of the server response (such as credit cards and other sensitive data) or to transform them (such as keywords) so that special characters are rendered harmless. In this section, let's examine these changes:
One of the first changes you will notice if using features that require sessionization is that AppFirewall adds session cookies to the application's own cookies.
AppFirewall Session Cookie when using Advanced Profiles
When Advanced Protections are enabled, AppFirewall also removes caching headers so that a full response is received instead of a conditional response. This is needed to allow AppFirewall to understand the context of the data being exchanged and drop the response if needed. It does, however, mean that you will see more requests to the backend servers when using Advanced Protections.
Note: Images are exempt from this behavior.
When forwarding the server's response back to the client, the Content-Length header is dropped and a new Transfer-Encoding: chunked header is added in its place. This process is called chunking, and it indicates to the client that the exact size of the response is not known in advance. The step is necessary because AppFirewall might have to introduce changes of its own to the response (such as dropping sensitive data), thereby changing the size of the response. In such cases, the end of data is indicated by a zero-sized chunk.
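The chunked framing described above can be checked from the client side. The following is an added example, not part of the original text: it decodes a chunked body and confirms that it ends with the zero-sized chunk. The sample response and all function names are constructed for illustration.

```python
# Added example, not from the original text. SAMPLE is a constructed response
# showing the framing a client sees: no Content-Length, a chunked body.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"18\r\n<p>Card: xxxx-xxxx-xxxx-\r\n"
    b"8;note=constructed\r\n1234</p>\r\n"
    b"0\r\n\r\n"
)

def parse_headers(raw):
    """Split a raw response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body

def decode_chunked(body):
    """Reassemble the payload; raise ValueError if the zero-sized chunk is missing."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: missing chunk-size line")
        # The size is hexadecimal; anything after ';' is a chunk extension.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # zero-sized chunk: end of data
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += body[pos:pos + size]
        pos += size + 2

def inspect_response(raw):
    """Report the framing headers and the decoded payload."""
    _, headers, body = parse_headers(raw)
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    payload = decode_chunked(body) if chunked else body
    return {"chunked": chunked,
            "has_content_length": "content-length" in headers,
            "payload": payload}
```

A response that is cut off before the zero-sized chunk raises `ValueError`, which is how a client distinguishes a complete rewritten response from a dropped connection.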
Note: Citrix article CTX131488 is an excellent source for more on this topic; I highly encourage reading it as it is quite comprehensive in explaining the packet changes involved.