HTTP/2 Inspection

Community Team Member

HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, your Palo Alto Networks firewall will need to look into the HTTP/2 traffic to perform inspection.

Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.

The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. This means that you can safely enable applications running over HTTP/2 without any additional configuration on the firewall.

Firewalls process and inspect HTTP/2 traffic by default. However, you can disable HTTP/2 inspection by selecting Strip ALPN in the firewall settings (on the SSL Forward Proxy tab). With this option selected, the firewall removes any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension.

Because ALPN is the TLS extension a client and server use to negotiate HTTP/2, when no value is present for this extension the firewall either downgrades the HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
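To make concrete what Strip ALPN does to the handshake, here is an added Python example (not Palo Alto Networks code, and not a description of PAN-OS internals): it builds a constructed TLS 1.2 ClientHello that advertises h2 and http/1.1 through ALPN, then rebuilds the same record with the ALPN extension removed and every length field recomputed, which is the form an upstream server would see after stripping. With no ALPN list to choose from, the server cannot select h2 and the connection can only proceed as HTTP/1.1.

```python
import struct

ALPN_EXT = 0x0010  # TLS extension type for ALPN (RFC 7301)

def build_client_hello(protocols):
    """Constructed sample ClientHello (TLS 1.2 framing) advertising `protocols` via ALPN."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    alpn = struct.pack("!H", len(names)) + names
    exts = (b"\x00\x17\x00\x00"                                     # extended_master_secret, empty
            + struct.pack("!HH", ALPN_EXT, len(alpn)) + alpn)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, fixed random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return _frame(body)

def _frame(body):
    # Wrap a ClientHello body in handshake and record headers, recomputing both lengths
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def _split(record):
    """Return (fields before extensions_length, [(ext_type, ext_data), ...])."""
    off = 5 + 4 + 2 + 32                                     # record hdr, handshake hdr, version, random
    off += 1 + record[off]                                   # session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]   # cipher_suites
    off += 1 + record[off]                                   # compression_methods
    end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    exts, i = [], off + 2
    while i < end:
        etype, elen = struct.unpack("!HH", record[i:i + 4])
        exts.append((etype, record[i + 4:i + 4 + elen]))
        i += 4 + elen
    return record[9:off], exts

def alpn_protocols(record):
    """Protocol names advertised in ALPN, [] when the extension is absent."""
    for etype, data in _split(record)[1]:
        if etype == ALPN_EXT:
            names, i = [], 2                                 # skip the 2-byte list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return names
    return []

def strip_alpn(record):
    """Rebuild the ClientHello without its ALPN extension, keeping every other extension."""
    prefix, exts = _split(record)
    kept = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts if t != ALPN_EXT)
    return _frame(prefix + struct.pack("!H", len(kept)) + kept)
```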

Figure: SSL Forward Proxy tab - Strip ALPN

Two types of sessions are generated for decrypted HTTP/2 traffic: connection sessions and stream sessions. HTTP/2 connection sessions map to the TCP connections, inside which are the HTTP/2 stream sessions. HTTP/2 stream sessions carry the actual HTTP/2 traffic.

By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic. However, the stream sessions, which carry the interesting traffic, are logged in the traffic logs.

To enable logging for the connection sessions, navigate to Device > Setup > Content-ID > HTTP/2 Settings.

Figure: Content-ID tab - HTTP/2 Settings

More information on HTTP/2:

Is HTTP version 2 (HTTP/2) supported? 

How to disable HTTP/2 for specific traffic and globally? 

HTTP version 2: Why are traffic logs for HTTP/2 connection sessions not being generated? 

Discussion: ssl-decryption err_http2_inadequate_transport_security 

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

Stay Secure,
Kiwi out!

Comments
L1 Bithead

Hi there, 

Thanks for the explanation. Could you please clarify if HTTP header insertion is supported with this, within the context of O365 tenant restrictions?

Many thanks
