Palo Alto Networks firewalls can inspect and enforce
security policy for HTTP/2 traffic, on a stream-by-stream basis.
You can now safely enable applications running
over HTTP/2, without any additional configuration on the firewall.
As more websites continue to adopt HTTP/2, the firewall can enforce
security policy and all threat detection and prevention capabilities
on a stream-by-stream basis. This visibility into HTTP/2 traffic
enables you to secure web servers that provide services over HTTP/2, and
allow your users to benefit from the speed and resource efficiency
gains that HTTP/2 provides.
processes and inspects HTTP/2 traffic by default when SSL decryption is enabled.
For HTTP/2 inspection to work correctly, the firewall must be enabled
to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm
for SSL sessions. ECDHE is enabled by default, but you can check
to confirm that it’s enabled by selecting
SSL Protocol Settings
You can disable HTTP/2
inspection for targeted traffic, or globally:
Disable HTTP/2 inspection for targeted traffic.
You’ll need to specify for the firewall to remove any value
contained in the Application-Layer Protocol Negotiation (ALPN) TLS
extension. ALPN is used to secure HTTP/2 connections—when there
is no value specified for this TLS extension, the firewall either
downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown
SSL Forward Proxy
Attach the decryption profile to a decryption policy (
to turn off HTTP/2 inspection for traffic that matches the policy.
Disable HTTP/2 inspection globally.
Use the CLI command:
set deviceconfig setting
http2 enable no
changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.