Palo Alto Networks firewalls can inspect and enforce
security policy for HTTP/2 traffic, on a stream-by-stream basis.
You can now safely enable applications running
over HTTP/2, without any additional configuration on the firewall.
As more websites continue to adopt HTTP/2, the firewall can enforce
security policy and all threat detection and prevention capabilities
on a stream-by-stream basis. This visibility into HTTP/2 traffic
enables you to secure web servers that provide services over HTTP/2,
and allow your users to benefit from the speed and resource efficiency
gains that HTTP/2 provides.
The firewall
processes and inspects HTTP/2 traffic by default when SSL decryption is enabled.
For HTTP/2 inspection to work correctly, the firewall must be enabled
to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm
for SSL sessions. ECDHE is enabled by default, but you can check
to confirm that it’s enabled by selecting ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Protocol Settings.
When the Decryption
logs introduced in PAN-OS 10.1 are enabled, you must enable Tunnel Content Inspection to
obtain the App-ID for HTTP/2 traffic.
You can disable
HTTP/2 inspection for targeted traffic, or globally:
Disable HTTP/2 inspection for targeted
traffic.
You’ll need to specify for the firewall to remove any value
contained in the Application-Layer Protocol Negotiation (ALPN) TLS
extension. ALPN is used to secure HTTP/2 connections—when there
is no value specified for this TLS extension, the firewall either
downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP
traffic.
Select ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Forward Proxy and
then select Strip ALPN.
Attach the decryption profile to a decryption policy
(PoliciesDecryption)
to turn off HTTP/2 inspection for traffic that matches the policy.
Commit your changes.
Disable HTTP/2 inspection globally.
Use the CLI command: set deviceconfig setting
http2 enable no and Commit your
changes. The firewall will classify HTTP/2 traffic as unknown TCP
traffic.