HTTP version 2: Why are traffic logs for HTTP/2 connection sessions not being generated?

Created On 01/19/19 01:55 AM - Last Modified 09/27/23 11:15 AM


Environment


  • Firewall
  • PAN-OS 9.0 and above


Answer


Two types of sessions are generated for decrypted HTTP/2 traffic: connection sessions and stream sessions.
An HTTP/2 connection session maps to the TCP connection, and the HTTP/2 stream sessions run within it. The stream sessions carry the actual HTTP/2 traffic.

By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic.
However, the stream sessions, which carry the interesting traffic, are logged in the traffic logs.

To enable logging for the connection sessions:
  • GUI: navigate to Device > Setup > Content-ID > HTTP/2 Settings
    [Image: HTTP2 setting]
  • CLI: command to enable logging:
    set deviceconfig setting http2 connection-logging yes

Once enabled, connection sessions are logged under Tunnel Inspection logs.
[Image: Tunnel Inspection log]

Note: HTTP/2 stream sessions that end normally are currently logged with the session end reason aged-out because a more specific reason is not set. The end reason is set to threat only when a threat is detected.
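
The following is an added example, not code from Palo Alto Networks: a log triage sketch that groups HTTP/2 stream sessions under their parent connection and applies the end-reason behavior from the note above, so aged-out on a stream is not counted as a timeout. The CSV layout and the column names (session_id, http2_connection, app, session_end_reason) are assumptions made for this example, and the rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions for this example:
# http2_connection holds the parent connection session ID for a stream
# session and 0 for traffic that is not HTTP/2.
SAMPLE_EXPORT = """session_id,http2_connection,app,session_end_reason
1001,500,web-browsing,aged-out
1002,500,web-browsing,aged-out
1003,500,web-browsing,threat
2001,0,ssl,aged-out
2002,0,dns,tcp-fin
3001,700,web-browsing,aged-out
"""


def summarize(export_text):
    """Return (per-connection stream summary, non-HTTP/2 aged-out session IDs)."""
    connections = defaultdict(lambda: {"streams": 0, "threat_streams": []})
    idle_timeouts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        sid = row["session_id"].strip()
        parent = row["http2_connection"].strip()
        reason = row["session_end_reason"].strip().lower()
        if parent and parent != "0":
            # Stream session: the parent connection session has no traffic
            # log row of its own, so it is only known through this reference.
            conn = connections[parent]
            conn["streams"] += 1
            # aged-out is the normal end reason for a stream; only threat
            # distinguishes a stream that needs attention.
            if reason == "threat":
                conn["threat_streams"].append(sid)
        elif reason == "aged-out":
            # Outside HTTP/2, aged-out keeps its usual meaning.
            idle_timeouts.append(sid)
    return dict(connections), idle_timeouts


if __name__ == "__main__":
    conns, timeouts = summarize(SAMPLE_EXPORT)
    for conn_id, info in sorted(conns.items()):
        print(conn_id, info["streams"], "streams, threat:", info["threat_streams"])
    print("non-HTTP/2 aged-out sessions:", timeouts)
```
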


Additional Information


Refer to the 9.0 PAN-OS® New Features Guide for more information:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html

