HTTP/2 Inspection
You can now safely enable applications running over HTTP/2,
without any additional configuration on the firewall.
As more websites continue to adopt HTTP/2, the firewall can enforce
security policy and all threat detection and prevention capabilities
on a stream-by-stream basis. This visibility into HTTP/2 traffic
enables you to secure web servers that provide services over HTTP/2, and
allow your users to benefit from the speed and resource efficiency
gains that HTTP/2 provides.

The firewall processes and inspects HTTP/2 traffic by default when SSL decryption
is enabled. All firewall platforms support HTTP/2 inspection. Except for PA-3000
Series firewalls, HTTP/2 inspection includes support for the HTTP/2 server push
feature, where a server can send multiple resources in response to a single client
request, instead of requiring the client to explicitly request each resource.

For HTTP/2 inspection to work correctly, the firewall must be enabled to use ECDHE
(ephemeral elliptic curve Diffie-Hellman) as a key exchange algorithm for SSL
sessions. ECDHE is enabled by default, but you can confirm that it's enabled by
selecting Objects > Decryption > Decryption Profile > SSL Decryption > SSL Protocol
Settings.

To identify whether traffic used an HTTP/2 connection, select Monitor > Logs and
check the HTTP/2 Connection field.

Here's how to enable HTTP/2 inspection for targeted traffic, or globally:

Make sure that you're running Applications and Threats content version 8202 or
later if you're performing Safe Search Enforcement with HTTP/2 Inspection. This
content release makes it possible to enforce Safe Search while HTTP/2 Inspection
is enabled.

- Disable HTTP/2 inspection for targeted traffic. You'll need to configure the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is used to secure HTTP/2 connections: when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
  - Select Objects > Decryption > Decryption Profile > SSL Decryption > SSL Forward Proxy, and then select Strip ALPN.
  - Attach the decryption profile to a decryption policy (Policies > Decryption) to turn off HTTP/2 inspection for traffic that matches the policy.
  - Commit your changes.
- Disable HTTP/2 inspection globally. Use the CLI command "set deviceconfig setting http2 enable no" and Commit your changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.
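To make the Strip ALPN behaviour concrete, the following added example (not PAN-OS code, and not a description of how the firewall implements the feature internally) builds a constructed TLS 1.2 ClientHello that offers "h2" and "http/1.1" via ALPN, lists the offered protocols, and rebuilds the ClientHello with the ALPN extension removed while recomputing every length field. With the extension gone, the server has no "h2" offer to select, which is why such a session can only proceed as HTTP/1.1 or be classified as unknown TCP.

```python
import struct

ALPN = 0x0010  # extension type application_layer_protocol_negotiation (RFC 7301)

def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data

def alpn_ext(protocols) -> bytes:
    """Encode an ALPN extension: 2-byte list length, then length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return _ext(ALPN, struct.pack("!H", len(names)) + names)

def _wrap(body: bytes) -> bytes:
    """Put a client_hello body into handshake and TLS record headers."""
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sample_client_hello(protocols=("h2", "http/1.1")) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (test input, not a real capture)."""
    suites = struct.pack("!HH", 0xC02B, 0xC02F)          # two ECDHE cipher suites
    exts = alpn_ext(protocols) + _ext(0xFF01, b"\x00")   # ALPN plus renegotiation_info
    return _wrap(b"\x03\x03" + b"\x11" * 32 + b"\x00"    # version, random, empty session id
                 + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
                 + struct.pack("!H", len(exts)) + exts)

def _split(record: bytes):
    """Return (bytes before the extensions block, [(type, data), ...])."""
    body = record[9:]                                    # skip record + handshake headers
    pos = 34 + 1 + body[34]                              # version, random, session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # cipher suites
    pos += 1 + body[pos]                                 # compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    exts, p = [], pos + 2
    while p < end:
        t, n = struct.unpack("!HH", body[p:p + 4])
        exts.append((t, body[p + 4:p + 4 + n]))
        p += 4 + n
    return body[:pos], exts

def alpn_protocols(record: bytes) -> list:
    """Names the client offers via ALPN; 'h2' is the signal for HTTP/2."""
    for t, data in _split(record)[1]:
        if t == ALPN:
            out, p = [], 2
            while p < len(data):
                n = data[p]
                out.append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
            return out
    return []

def strip_alpn(record: bytes) -> bytes:
    """Rebuild the ClientHello without ALPN, recomputing every length field."""
    prefix, exts = _split(record)
    kept = b"".join(_ext(t, d) for t, d in exts if t != ALPN)
    return _wrap(prefix + struct.pack("!H", len(kept)) + kept)
```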