HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, your Palo Alto Networks firewall will need to look into the HTTP/2 traffic to perform inspection.
Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. This means that you can safely enable applications running over HTTP/2 without any additional configuration on the firewall.
Firewalls process and inspect HTTP/2 traffic by default. However, you can disable HTTP/2 inspection by changing the firewall settings to Strip ALPN. With this option selected, the firewall removes any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension.
Because ALPN is used to secure HTTP/2 connections, when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
SSL Forward Proxy Tab - Strip ALPN
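To make the effect of Strip ALPN concrete, the following added example (not Palo Alto Networks code, and not a description of how PAN-OS implements the feature) parses the extensions block of a TLS ClientHello, lists the protocols offered in the ALPN extension (type 16, RFC 7301), and rebuilds the block without it. The sample bytes are constructed, and modelling the strip as removal of the whole extension is an assumption.

```python
import struct

ALPN_EXT = 16  # extension type assigned to ALPN in RFC 7301


def parse_extensions(block: bytes):
    """Split a ClientHello extensions block into (type, data) pairs."""
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length does not match the block")
    exts, pos = [], 2
    while pos < len(block):
        # unpack_from raises struct.error if the 4-byte header is cut short
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension body")
        exts.append((ext_type, block[pos:pos + ext_len]))
        pos += ext_len
    return exts


def alpn_protocols(block: bytes):
    """Return the protocol names the client offers, or [] without ALPN."""
    for ext_type, data in parse_extensions(block):
        if ext_type == ALPN_EXT:
            names, pos = [], 2  # skip the 2-byte protocol list length
            while pos < len(data):
                n = data[pos]
                names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
            return names
    return []


def strip_alpn(block: bytes) -> bytes:
    """Assumed model of stripping: drop the ALPN extension, fix the length."""
    kept = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in parse_extensions(block) if t != ALPN_EXT)
    return struct.pack("!H", len(kept)) + kept


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


# Constructed sample: SNI for example.com plus ALPN offering h2 and http/1.1.
_sni = _ext(0, b"\x00\x0e\x00\x00\x0bexample.com")
_alpn = _ext(ALPN_EXT, b"\x00\x0c\x02h2\x08http/1.1")
SAMPLE = struct.pack("!H", len(_sni + _alpn)) + _sni + _alpn
```

Calling alpn_protocols(SAMPLE) returns the two offered protocols, while alpn_protocols(strip_alpn(SAMPLE)) returns an empty list. With no ALPN offer in the handshake, the server cannot select h2, which is why the connection falls back to HTTP/1.1.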
Two types of sessions are generated for decrypted HTTP/2 traffic: connection sessions and stream sessions. HTTP/2 connection sessions map to the TCP connections, inside which the HTTP/2 stream sessions run. HTTP/2 stream sessions carry the actual HTTP/2 traffic.
By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic. However, the stream sessions, which carry the interesting traffic, are logged in the traffic logs.
To enable logging for the connection sessions, navigate to: Device > Setup > Content-ID > HTTP/2 Settings