HTTP version 2: Why are traffic logs for HTTP/2 connection sessions not being generated?
26851
Created On 01/19/19 01:55 AM - Last Modified 09/27/23 11:15 AM
Environment
- Firewall
- PANOS 9.0 and above
Answer
Two types of sessions are generated for decrypted HTTP/2 traffic - connection sessions and stream sessions.
HTTP/2 connection sessions map to the TCP connections within which are HTTP/2 stream sessions. HTTP/2 stream sessions carry the actual HTTP/2 traffic.
By default, HTTP/2 connection sessions are not logged because they do not carry any application traffic.
However the stream sessions, which carry the interesting traffic, are logged in the traffic logs.
To enable logging for the connection sessions:
- GUI, navigate to Device > Setup > Content-ID > HTTP/2 Settings
- CLI, command to enable logging
set deviceconfig setting http2 connection-logging yes
Once enabled, sessions are logged under Tunnel Inspection logs.
Note: HTTP/2 stream sessions that end normally are currently logged with the session end reason aged-out because a more specific reason is not set. Only when a threat is detected we set the end-reason as threat.
Additional Information
Refer to the 9.0 PAN-OS® New Features Guide for more information
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html