HTTP/2 Inspection

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, your Palo Alto Networks firewall will need to look into the HTTP/2 traffic to perform inspection.


Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.

The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. This means that you can safely enable applications running over HTTP/2 without any additional configuration on the firewall.


Firewalls processes and inspect HTTP/2 traffic by default. However, you can disable HTTP/2 inspection by changing the firewall settings toStrip ALPN. With this option selected, the firewall removes any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension.


Because ALPN is used to secure HTTP/2 connections, when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.


SSL Forward Proxy Tab - Strip ALPNSSL Forward Proxy Tab - Strip ALPN

Two types of sessions are generated for decrypted HTTP/2 traffic: connection sessions and stream sessions. HTTP/2 connection sessions map to the TCP connections inside, which are HTTP/2 stream sessions. HTTP/2 stream sessions carry the actual HTTP/2 traffic.

By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic. However, the stream sessions, which carry the interesting traffic, are logged in the traffic logs.

To enable logging for the connection sessions, navigate to: Device > Setup > Content-ID > HTTP/2 Settings


Content-ID Tab - HTTP/2 SettingsContent-ID Tab - HTTP/2 Settings



More information on HTTP/2:

Is HTTP version 2 (HTTP/2) supported? 

How to disable HTTP/2 for specific traffic and globally? 

HTTP version 2: Why are traffic logs for HTTP/2 connection sessions not being generated? 

Discussion: ssl-decryption err_http2_inadequate_transport_security 



Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.


Stay Secure,
Kiwi out!

1 Comment
Register or Sign-in
Top Liked Authors