HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, your Palo Alto Networks firewall will need to look into the HTTP/2 traffic to perform inspection.
Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. This means that you can safely enable applications running over HTTP/2 without any additional configuration on the firewall.
The firewall processes and inspects HTTP/2 traffic by default. However, you can disable HTTP/2 inspection by changing the firewall settings to Strip ALPN. With this option selected, the firewall removes any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension.
Because ALPN is used to secure HTTP/2 connections, when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
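To show why stripping ALPN forces this fallback, here is an added Python example (not from the original post and not PAN-OS code) that parses a constructed ClientHello extensions block and re-encodes it without the ALPN extension (type 16, RFC 7301). It assumes Strip ALPN can be modeled as dropping the whole extension; the sample bytes and function names are illustrative.

```python
import struct

ALPN = 16  # TLS extension type application_layer_protocol_negotiation (RFC 7301)

def ext(ext_type, body):
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def parse_extensions(block):
    """Split a ClientHello extensions block into (type, body) pairs."""
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length does not match block size")
    out, off = [], 2
    while off < len(block):
        if off + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack_from("!HH", block, off)
        off += 4
        if off + length > len(block):
            raise ValueError("truncated extension body")
        out.append((ext_type, block[off:off + length]))
        off += length
    return out

def offered_protocols(block):
    """Return the ALPN protocol names the client offers, or [] if none."""
    for ext_type, body in parse_extensions(block):
        if ext_type == ALPN:
            protos, off = [], 2  # skip the 2-byte protocol list length
            while off < len(body):
                n = body[off]
                protos.append(body[off + 1:off + 1 + n].decode("ascii"))
                off += 1 + n
            return protos
    return []

def strip_alpn(block):
    """Re-encode the block without ALPN (assumed model of Strip ALPN)."""
    kept = b"".join(ext(t, b) for t, b in parse_extensions(block) if t != ALPN)
    return struct.pack("!H", len(kept)) + kept

# Constructed sample: SNI for example.com plus ALPN offering h2 and http/1.1.
_sni = ext(0, struct.pack("!HBH", 14, 0, 11) + b"example.com")
_alpn_list = b"\x02h2\x08http/1.1"
_alpn = ext(ALPN, struct.pack("!H", len(_alpn_list)) + _alpn_list)
SAMPLE = struct.pack("!H", len(_sni + _alpn)) + _sni + _alpn

if __name__ == "__main__":
    print(offered_protocols(SAMPLE), "->", offered_protocols(strip_alpn(SAMPLE)))
```

With no ALPN offer left in the ClientHello, the server has nothing to select `h2` from, which is why the session continues as HTTP/1.1 or is seen as unknown TCP.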
Two types of sessions are generated for decrypted HTTP/2 traffic: connection sessions and stream sessions. HTTP/2 connection sessions map to the TCP connections, inside which are the HTTP/2 stream sessions. HTTP/2 stream sessions carry the actual HTTP/2 traffic.
By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic. However, the stream sessions, which carry the interesting traffic, are logged in the traffic logs.
To enable logging for the connection sessions, navigate to: Device > Setup > Content-ID > HTTP/2 Settings
Thanks for taking time to read this blog.
Stay Secure,
Kiwi out!