HTTP/2 Inspection

You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall.
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and all threat detection and prevention capabilities on a stream-by-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
http2-inspection.png
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. All firewall platforms support HTTP/2 inspection. Except for PA-3000 Series firewalls, HTTP/2 inspection includes support for the HTTP/2 server push feature, where a server can send multiple resources in response to a single client request, instead of requiring the client to explicitly request each resource.
For HTTP/2 inspection to work correctly, the firewall must be enabled to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE is enabled by default, but you can check to confirm that it’s enabled by selecting
Objects
Decryption
Decryption Profile
SSL Decryption
SSL Protocol Settings
.
To identify if traffic used an HTTP/2 connection, select Monitor > Logs and check the HTTP/2 Connection field.
ecdhe.png
You can disable HTTP/2 inspection for targeted traffic, or globally:
  • Disable HTTP/2 inspection for targeted traffic.
    You’ll need to specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
    strip-alpn.png
    1. Select
      Objects
      Decryption
      Decryption Profile
      SSL Decryption
      SSL Forward Proxy
      and then select
      Strip ALPN
      .
    2. Attach the decryption profile to a decryption policy (
      Policies
      Decryption
      ) to turn off HTTP/2 inspection for traffic that matches the policy.
    3. Commit
      your changes.
  • Disable HTTP/2 inspection globally.
    Use the CLI command:
    set deviceconfig setting http2 enable no
    and
    Commit
    your changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.

Related Documentation