Is HTTP version 2 (HTTP/2) supported?

Created On 01/19/19 01:33 AM - Last Modified 05/29/20 04:08 AM


Question


HTTP/2 (also known as HTTP/2.0) is a revision of the HTTP network protocol. As browsers such as Chrome, Firefox, and Edge start to support HTTP/2, the firewall needs to be able to decode HTTP/2 traffic in order to inspect it.

Environment


  • PAN-OS 9.0
  • Firewall


Answer


Yes, starting in PAN-OS 9.0, HTTP version 2 (HTTP/2) is supported.

HTTP/2 inspection is supported in the following use cases:
  • SSL Forward Proxy Mode
  • SSL Inbound Inspection Mode with PFS ciphers.
  • Firewall in a security service chain where an upstream device sends it post-decrypted cleartext HTTP/2 traffic.
  • As part of a security chain in the decryption broker functionality where firewall sends decrypted HTTP/2 traffic to a device in the security chain.

Before PAN-OS 9.0:
  • With inbound inspection, the traffic is identified as unknown-tcp.
  • With forward proxy, if the client sends an ALPN extension offering h2, the firewall, acting as the client toward the server, strips the ALPN extension from the Client Hello it crafts. As a result, the connection is negotiated as HTTP/1.1.
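
To show what the pre-9.0 forward-proxy behavior means on the wire, the following added Python example (not Palo Alto Networks code and not part of the original article) parses a ClientHello handshake message, lists the ALPN protocols it offers, and rebuilds it without the ALPN extension, which leaves the server no h2 to select. The sample ClientHello, the host name example.test, and all function names are constructed for illustration.

```python
import struct

ALPN = 16  # TLS extension type for ALPN (RFC 7301)

def _ext_offset(hello: bytes) -> int:
    """Offset of the 2-byte extensions length in a ClientHello handshake message."""
    if hello[0] != 1: raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hello[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
    return pos + 1 + hello[pos]                         # compression_methods

def extensions(hello: bytes) -> list:
    """Return [(type, data), ...] for every extension in the ClientHello."""
    pos = _ext_offset(hello)
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos, out = pos + 2, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        out.append((etype, hello[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return out

def alpn_protocols(hello: bytes) -> list:
    """Protocol names offered in the ALPN extension, or [] if it is absent."""
    for etype, data in extensions(hello):
        if etype == ALPN:
            names, pos = [], 2                          # skip 2-byte list length
            while pos < len(data):
                names.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
                pos += 1 + data[pos]
            return names
    return []

def strip_alpn(hello: bytes) -> bytes:
    """Rebuild the ClientHello without ALPN, fixing both length fields."""
    kept = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in extensions(hello) if t != ALPN)
    body = hello[4:_ext_offset(hello)] + struct.pack("!H", len(kept)) + kept
    return b"\x01" + len(body).to_bytes(3, "big") + body

def sample_hello() -> bytes:
    """Constructed ClientHello: SNI for example.test plus ALPN [h2, http/1.1]."""
    host, protos = b"example.test", b"\x02h2\x08http/1.1"
    sni = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    exts = sni + struct.pack("!HHH", ALPN, len(protos) + 2, len(protos)) + protos
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

The same `alpn_protocols` check can be applied to a ClientHello extracted from a packet capture on each side of the firewall (handshake message only, without the 5-byte TLS record header) to confirm whether h2 is still being offered to the server.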


Additional Information


Refer to the 9.0 PAN-OS® New Features Guide for more information:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html

