How to disable HTTP/2 inspection for specific traffic and globally?

Created On 04/28/19 10:14 AM - Last Modified 01/30/24 02:10 AM


Objective


  • Starting with PAN-OS 9.0.0, HTTP/2 inspection is supported on Palo Alto Networks firewalls.
  • The firewall processes and inspects HTTP/2 traffic by default when SSL decryption is enabled.
  • This article outlines the procedure for disabling HTTP/2 inspection for selected traffic and at the global level.


Environment


  • PAN-OS 9.0.0 and above
  • Decryption


Procedure


The following options are available to disable HTTP/2 inspection, either selectively for specific traffic (through the decryption profile) or globally :

For specific traffic :

Step 1 : Identify the Decryption policy that matches the traffic for which HTTP/2 inspection needs to be disabled.
Step 2 : Navigate to the "Decryption profile" used in that Decryption policy and check the "Strip ALPN" box under "Client Extension".
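
Why stripping ALPN keeps the matching sessions off HTTP/2, as an added illustration (not Palo Alto Networks code and not part of the original article): HTTP/2 over TLS is negotiated through the ALPN extension of the ClientHello, so a ClientHello without that extension cannot be answered with `h2`. The sketch assumes that "Strip ALPN" removes the extension from the ClientHello; the ClientHello is constructed sample data and all function names are hypothetical.

```python
import struct
ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def build_client_hello(alpn):
    """Constructed sample: minimal ClientHello handshake message offering `alpn`."""
    protos = b"".join(bytes([len(p)]) + p for p in alpn)
    alpn_ext = struct.pack("!HHH", ALPN_EXT, len(protos) + 2, len(protos)) + protos
    exts = struct.pack("!HH", 23, 0) + alpn_ext      # extended_master_secret + ALPN
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def _ext_offset(hello):
    """Offset of the 2-byte extensions-length field inside the handshake message."""
    pos = 4 + 2 + 32                                         # header, version, random
    pos += 1 + hello[pos]                                    # session id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")     # cipher suites
    return pos + 1 + hello[pos]                              # compression methods

def iter_extensions(hello):
    """Yield (type, data) for every extension in the ClientHello."""
    off = _ext_offset(hello)
    pos, end = off + 2, off + 2 + int.from_bytes(hello[off:off + 2], "big")
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        yield etype, hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen

def offered_alpn(hello):
    """Protocol names the client offers, or [] when no ALPN extension is present."""
    for etype, data in iter_extensions(hello):
        if etype == ALPN_EXT:
            names, i = [], 2                     # skip the 2-byte list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                i += 1 + data[i]
            return names
    return []

def strip_alpn(hello):
    """Return the ClientHello with the ALPN extension removed and lengths fixed."""
    kept = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in iter_extensions(hello) if t != ALPN_EXT)
    body = hello[4:_ext_offset(hello)] + struct.pack("!H", len(kept)) + kept
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    hello = build_client_hello([b"h2", b"http/1.1"])         # constructed sample
    print(offered_alpn(hello), "->", offered_alpn(strip_alpn(hello)))
```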


Global :

Step 1 : Enter configuration mode and run the following command on the CLI :
> configure
# set deviceconfig setting http2 enable no
Step 2 : Commit the configuration :
# commit
# exit
 


 
 

