App-ID and HTTP/2 Inspection
Focus
Focus

App-ID and HTTP/2 Inspection

Table of Contents

App-ID and HTTP/2 Inspection

Palo Alto Networks firewalls can inspect and enforce security policy for HTTP/2 traffic, on a stream-by-stream basis.
You can now safely enable applications running over HTTP/2, without any additional configuration on the firewall. As more websites continue to adopt HTTP/2, the firewall can enforce security policy and all threat detection and prevention capabilities on a stream-by-stream basis. This visibility into HTTP/2 traffic enables you to secure web servers that provide services over HTTP/2, and allow your users to benefit from the speed and resource efficiency gains that HTTP/2 provides.
The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled. For HTTP/2 inspection to work correctly, the firewall must be enabled to use ECDHE (elliptic curve Diffie-Hellman) as a key exchange algorithm for SSL sessions. ECDHE is enabled by default, but you can check to confirm that it’s enabled by selecting ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Protocol Settings.
When the Decryption logs introduced in PAN-OS 10.1 are enabled, you must enable Tunnel Content Inspection to obtain the App-ID for HTTP/2 traffic.
You can disable HTTP/2 inspection for targeted traffic, or globally:
  • Disable HTTP/2 inspection for targeted traffic.
    You’ll need to specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
    1. Select ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Forward Proxy and then select Strip ALPN.
    2. Attach the decryption profile to a decryption policy (PoliciesDecryption) to turn off HTTP/2 inspection for traffic that matches the policy.
    3. Commit your changes.
  • Disable HTTP/2 inspection globally.
    Use the CLI command: set deviceconfig setting http2 enable no and Commit your changes. The firewall will classify HTTP/2 traffic as unknown TCP traffic.