App-ID and HTTP/2 Inspection
Palo Alto Networks firewalls can inspect and enforce security policy for HTTP/2 traffic, on a stream-by-stream basis.
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and all threat detection and prevention capabilities on a stream-by-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. For HTTP/2 inspection to work correctly, the firewall must be enabled to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE is enabled by default, but you can check to confirm that it’s enabled by selecting ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Protocol Settings.
You can disable HTTP/2 inspection for targeted traffic, or globally:
- Disable HTTP/2 inspection for targeted traffic.You’ll need to specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
- Select ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Forward Proxy and then select Strip ALPN.
- Attach the decryption profile to a decryption policy (PoliciesDecryption) to turn off HTTP/2 inspection for traffic that matches the policy.
- Commit your changes.
- Disable HTTP/2 inspection globally.Use the CLI command: set deviceconfig setting http2 enable no and Commit your changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. ...
Settings to Control Decrypted SSL Traffic
Settings to Control Decrypted SSL Traffic The following table describes the settings you can use to control SSL traffic that has been decrypted using either ...
App-ID Features Policy Optimizer Optimize security policy by migrating legacy rules to application-based rules and removing unused applications from rules, without compromising availability. HTTP/2 Inspection ...
SSL Protocol Settings Decryption Profile
The SSL Protocol Settings define the protocols and the key exchange, encryption, and authentication algorithms that the firewall accepts for outbound SSL Forward Proxy and ...
Configure SSL Inbound Inspection
Configure SSL Inbound Inspection Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound ...
App-ID To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective—App-ID and URL Filtering—to protect ...
Configure SSL Inbound Inspection
SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those ...