You can now safely enable applications running over HTTP/2,
without any additional configuration on the firewall.
You can now safely enable applications running
over HTTP/2, without any additional configuration on the firewall.
As more websites continue to adopt HTTP/2, the firewall can enforce
security policy and all threat detection and prevention capabilities
on a stream-by-stream basis. This visibility into HTTP/2 traffic
enables you to secure web servers that provide services over HTTP/2, and
allow your users to benefit from the speed and resource efficiency
gains that HTTP/2 provides.
processes and inspects HTTP/2 traffic by default when SSL decryption is enabled.
All firewall platforms support HTTP/2 inspection. Except for PA-3000
Series firewalls, HTTP/2 inspection includes support for the HTTP/2
server push feature, where a server can send multiple resources
in response to a single client request, instead of requiring the
client to explicitly request each resource.
For HTTP/2 inspection
to work correctly, the firewall must be enabled to use ECDHE (elliptic
curve Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE
is enabled by default, but you can check to confirm that it’s enabled
SSL Protocol Settings
identify if traffic used an HTTP/2 connection, select Monitor >
Logs and check the HTTP/2 Connection field.
disable HTTP/2 inspection for targeted traffic, or globally:
Disable HTTP/2 inspection for targeted traffic.
You’ll need to specify for the firewall to remove any value
contained in the Application-Layer Protocol Negotiation (ALPN) TLS
extension. ALPN is used to secure HTTP/2 connections—when there
is no value specified for this TLS extension, the firewall either
downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown
SSL Forward Proxy
Attach the decryption profile to a decryption policy (
to turn off HTTP/2 inspection for traffic that matches the policy.
Disable HTTP/2 inspection globally.
Use the CLI command:
set deviceconfig setting
http2 enable no
changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.