- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-03-2022 10:56 PM
Hi
I have a customer that wrote to me yesterday that if they remove the checkbox for Strip ALPN while having SSL decryption enabled, a few web sites such as yandex.com stop working.
I was able to reproduce this with my PA-3220 and PANOS 9.1 and also on my VM with PANOS 10, the result is ERR_HTTP2_PROTOCOL_ERROR in Edge browser. There do not appear to be any decrypt-error messages and in the traffic log it appears like a normal decrypted session.
I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on firewall. Also counters do not show drops.
Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip-ALPN enabled for these few sites.
Thanks,
Shai
01-04-2022 01:57 PM
Hi @ShaiW
It seems you have figure it out by yourself.
Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3.
It is better to configure your profile to use max version with "max" and set the min version to specific version
This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)
01-04-2022 07:04 AM
EDIT: This web site starts working if I change max version to TLS 1.3 (under decryption profile) and stops working when I set it at TLS 1.2. No other changes are made.
This feels like a specific web-site issue more than a firewall one.
01-04-2022 01:57 PM
Hi @ShaiW
It seems you have figure it out by yourself.
Strip-ALPN will basically dowgrade HTTP/2 to HTTP/1.1 and if I understand you correctly your decryption profile is configured with max version TLS 1.2. It sounds like removing the "strip ALPN" will leave HTTP/2, but it is failing because your decryption does not support TLS 1.3.
It is better to configure your profile to use max version with "max" and set the min version to specific version
This will make sure that when new TLS version is supported by the PanOS, you don't have to update your configuration (like in this case)
01-04-2022 11:36 PM
Hi
The customer is still on PAN-OS 9 which does not support TLS 1.3 and all other web sites work fine. Its just yandex.com that does not.
I am pretty sure it is not firewall related, more like a web-site issue.
Shai
08-15-2022 12:23 AM
Hi,
Use with caution- at 3430 pair the workaround Min=TLS1.2 and Max=Max crashed firewall. Used PanOS 10.2.1
For the issue with ERR_HTTP2_PROTOCOL_ERROR the config change fixed it but just for a minute between commiting the change and till the FW crashed into maint mode.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!