HTTP/2 Inspection

You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall.
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and all threat detection and prevention capabilities on a stream-by-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. All firewall platforms support HTTP/2 inspection. Except for PA-3000 Series firewalls, HTTP/2 inspection includes support for the HTTP/2 server push feature, where a server can send multiple resources in response to a single client request, instead of requiring the client to explicitly request each resource.
For HTTP/2 inspection to work correctly, the firewall must be enabled to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE is enabled by default, but you can check to confirm that it’s enabled by selecting
Decryption Profile
SSL Decryption
SSL Protocol Settings
To identify if traffic used an HTTP/2 connection, select Monitor > Logs and check the HTTP/2 Connection field.
Here’s how to enable HTTP/2 inspection for targeted traffic, or globally:
Make sure that you're running Applications and Threats content version 8202 or later if you're performing Safe Search Enforcement with HTTP/2 Inspection. This content release makes it possible to enforce Safe Search while HTTP/2 Inspection is enabled.
  • Disable HTTP/2 inspection for targeted traffic.
    You’ll need to specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
    1. Select
      Decryption Profile
      SSL Decryption
      SSL Forward Proxy
      and then select
      Strip ALPN
    2. Attach the decryption profile to a decryption policy (
      ) to turn off HTTP/2 inspection for traffic that matches the policy.
    3. Commit
      your changes.
  • Disable HTTP/2 inspection globally.
    Use the CLI command:
    set deviceconfig setting http2 enable no
    your changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.

Recommended For You