How to disable HTTP/2 inspection for specific traffic and globally?
Created On 04/28/19 10:14 AM - Last Modified 01/30/24 02:10 AM
Objective
- Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.
- The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled.
- This article outlines the procedure for disabling HTTP/2 inspection, either selectively for specific traffic or globally.
Environment
- PAN-OS 9.0.0 and above
- Decryption
Procedure
The following options are available to disable HTTP/2 inspection, either selectively for specific traffic (through the decryption profile) or globally:
For specific traffic:
Step 1: Identify the Decryption policy that matches the traffic for which HTTP/2 needs to be disabled.
Step 2: Navigate to the "Decryption profile" used on the Decryption Policy and check the "Strip ALPN" box under "Client Extension".
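To confirm the profile setting took effect, the ClientHello on the server side of the firewall can be checked for an ALPN offer. The following Python is an added example, not Palo Alto Networks code: it parses a TLS extensions block and lists the ALPN protocols offered. The sample bytes are constructed, and the server-side sample assumes, from the option's name, that Strip ALPN leaves no ALPN offer in the ClientHello.

```python
import struct
ALPN_EXT = 16  # application_layer_protocol_negotiation, RFC 7301

def iter_extensions(block):
    """Yield (type, body) pairs from a TLS extensions block (2-byte length prefix)."""
    if len(block) < 2 or struct.unpack_from("!H", block)[0] != len(block) - 2:
        raise ValueError("extensions block length mismatch")
    pos = 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension body")
        yield ext_type, block[pos:pos + ext_len]
        pos += ext_len

def offered_alpn(block):
    """Return the ALPN protocol names offered; [] if the extension is absent or empty."""
    for ext_type, body in iter_extensions(block):
        if ext_type != ALPN_EXT or len(body) < 2:
            continue
        end = min(2 + struct.unpack_from("!H", body)[0], len(body))
        names, pos = [], 2
        while pos < end:
            n = body[pos]  # each protocol name is length-prefixed by one byte
            names.append(body[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        return names
    return []

def http2_offered(block):
    # HTTP/2 over TLS can only be negotiated if the client offers "h2".
    return "h2" in offered_alpn(block)

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body
def _block(*exts):
    return struct.pack("!H", len(b"".join(exts))) + b"".join(exts)

# Constructed samples: an SNI extension, with and without an ALPN offer.
_SNI = _ext(0, b"\x00\x0e\x00\x00\x0bexample.com")
_ALPN = _ext(ALPN_EXT, b"\x00\x0c\x02h2\x08http/1.1")
CLIENT_SIDE = _block(_SNI, _ALPN)  # as sent by the browser
SERVER_SIDE = _block(_SNI)         # assumed shape after Strip ALPN

if __name__ == "__main__":
    for label, blk in (("client side", CLIENT_SIDE), ("server side", SERVER_SIDE)):
        print(label, offered_alpn(blk), "h2 offered:", http2_offered(blk))
```

If the server-side capture still lists h2, the traffic is most likely not matching the Decryption policy that uses the modified profile.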
Global:
Step 1: Run the following command on the CLI:
> set deviceconfig setting http2 enable no
Step 2: Commit the configuration:
> configure
# commit
# exit