HTTP2 allowed without strip alpn enable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HTTP2 allowed without strip alpn enable

L3 Networker

Dear Team One of my customers wants  HTTP2 benefits with decryption enable.

The customer don't want to enable the strip ALPN because it Downgrades to HTTP1.1 

Can we do decryption with HTTP2 Downgrade with decryption? 

5 REPLIES 5

Cyber Elite
Cyber Elite

@FarhanKoujalgi,

Your question isn't exactly clear. The firewall can decrypt HTTP/2 traffic as long as you are running PAN-OS 9.0 or higher. The Strip ALPN option is used to optionally downgrade that connection to HTTP/1.1, but would generally only be done for websites that you can't decrypt properly when using HTTP/2. By default, if you simply enable decryption you'll have the ability to decrypt all traffic using HTTP/2 without downgrading the connection. 

@BPry Thanks for the reply as you didn't get my concern,

The thing is when I enable decryption I cant able get access to that website URL link the link redirects

for example URL:Paloalto/eqd/qdq/jfw09efns/googledrive.

and the error display is HTTP2 "ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY" THIS ONE

and when I enable the strip alpn its able to access or disable the decryption ?

Cyber Elite
Cyber Elite

@FarhanKoujalgi,

When you enable strip ALPN for that URL the firewall will still decrypt the traffic, it'll just downgrade the connection down to HTTP/1.1. You can verify that through looking at your traffic logs. The firewall records whether or not it actually decrypted the traffic or not. 

Dear @BPry I know that the customer wants the benefit of http2 so when he enable the strip alpn the HTTP2 goes down to http1.1 so he wants the traffic should decrypted with http2 without enable the strip alpn.

is there any other method to access that redirect URL without enable strip alpn.

There are two methods is see here to access that http2 redirect url

1) Bypass that URL Without decryption.

2) Enable the Strip ALPN and get access.

Is there any other method in which my customer is able to access the URL without enabling strip alpn with decryption?

@BPry  I know after enable strip alpn the traffic is decrypt but the customer want the http2 benefit with decrypted traffic.

Cyber Elite
Cyber Elite

@FarhanKoujalgi,

You can't. If HTTP/2 decryption on the site isn't working your only options are what you have listed; you either bypass that particular resource and don't decrypt the traffic, or you utilize the Strip ALPN option to downgrade the connection to HTTP/1.1 so that decryption functions properly. There's no in-between option here; if the firewall could decrypt the traffic over HTTP/2 you wouldn't have run into the issue, so you either don't decrypt that particular traffic or downgrade it. 

  • 10973 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!