Is HTTP version 2 (HTTP/2) supported?
39091
Created On 01/19/19 01:33 AM - Last Modified 05/29/20 04:08 AM
Question
HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, the firewall will need to be able to look into the HTTP/2 traffic to perform inspection.
Environment
- PAN-OS 9.0
- Firewall
Answer
Yes, starting in PAN-OS 9.0, HTTP version 2 (HTTP/2) is supported.
HTTP/2 inspection is supported in the following use cases:
- SSL Forward Proxy Mode
- SSL Inbound Inspection Mode with PFS ciphers.
- Firewall in a security service chain where an upstream device sends it post-decrypted cleartext HTTP/2 traffic.
- As part of a security chain in the decryption broker functionality, where the firewall sends decrypted HTTP/2 traffic to a device in the security chain.
Pre-PAN-OS 9.0
- With inbound inspection, the traffic is identified as unknown-tcp.
- With forward proxy, if the client sends an ALPN extension offering h2, the firewall, acting as the client, strips the ALPN extension from the Client Hello it crafts to the server.
- As a result, the connection is negotiated as HTTP/1.1.
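The following is an added illustration of the pre-9.0 forward-proxy behaviour described above; it is example code, not from Palo Alto Networks or PAN-OS. It parses the extensions block of a TLS Client Hello, lists the ALPN protocols the client offered, and produces the same block with the ALPN extension removed, which is why the server can no longer select h2. The Client Hello extension bytes are constructed for the example.

```python
"""Inspect and strip the ALPN extension (RFC 7301) from a TLS Client Hello.

Input is the extensions block that follows the 2-byte extensions length in the
Client Hello. Removing ALPN from the crafted Client Hello is what forces the
server to fall back to HTTP/1.1. Sample bytes below are constructed.
"""
import struct

ALPN_EXT_TYPE = 0x0010  # extension_type for application_layer_protocol_negotiation
SNI_EXT_TYPE = 0x0000   # server_name


def build_ext(ext_type: int, body: bytes) -> bytes:
    """Encode one extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_alpn_ext(protocols) -> bytes:
    """Encode an ALPN extension offering the given protocol names, in order."""
    lst = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return build_ext(ALPN_EXT_TYPE, struct.pack("!H", len(lst)) + lst)


def iter_extensions(ext_block: bytes):
    """Yield (type, body) for each extension, rejecting truncated data."""
    off = 0
    while off < len(ext_block):
        ext_type, ext_len = struct.unpack_from("!HH", ext_block, off)
        body = ext_block[off + 4: off + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        yield ext_type, body
        off += 4 + ext_len


def alpn_protocols(ext_block: bytes):
    """Return the protocol names offered in ALPN, or [] if ALPN is absent."""
    for ext_type, body in iter_extensions(ext_block):
        if ext_type == ALPN_EXT_TYPE:
            (lst_len,) = struct.unpack_from("!H", body, 0)
            data, off, protos = body[2:2 + lst_len], 0, []
            while off < len(data):
                n = data[off]
                protos.append(data[off + 1: off + 1 + n].decode())
                off += 1 + n
            return protos
    return []


def strip_alpn(ext_block: bytes) -> bytes:
    """Re-emit the extensions block without ALPN (pre-9.0 forward-proxy behaviour)."""
    return b"".join(build_ext(t, b) for t, b in iter_extensions(ext_block)
                    if t != ALPN_EXT_TYPE)


# Constructed sample: SNI for example.com, then ALPN offering h2 and http/1.1.
SNI_EXT = build_ext(SNI_EXT_TYPE, struct.pack("!HBH", 14, 0, 11) + b"example.com")
CLIENT_EXTS = SNI_EXT + build_alpn_ext(["h2", "http/1.1"])
```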
Additional Information
Refer to the PAN-OS® 9.0 New Features Guide for more information:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html