Hi I have a customer that wrote to me yesterday that if they remove the checkbox for Strip ALPN while having SSL decryption enabled, a few web sites such as yandex.com stop working. I was able to reproduce this with my PA-3220 and PANOS 9.1 and also on my VM with PANOS 10, the result is ERR_HTTP2_PROTOCOL_ERROR in Edge browser. There do not appear to be any decrypt-error messages and in the traffic log it appears like a normal decrypted session. I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on firewall. Also counters do not show drops. Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip-ALPN enabled for these few sites. Thanks, Shai
... View more