HTTP header insertion workaround for HTTP/2.0 SaaS applications

Created On 05/24/21 20:48 PM - Last Modified 05/24/21 21:39 PM


Symptom


The HTTP header insertion and modification feature allows you to manage HTTP header information, for example to restrict access to SaaS consumer accounts while allowing a specific enterprise account or other custom access options. In PAN-OS 9.1 and older, HTTP header insertion supports only the HTTP/1.1 protocol; however, many SaaS applications now use HTTP/2.0. The following workaround lets you downgrade the HTTP version for specific SaaS applications so that you keep control over them.

Problem: The HTTP header insertion feature does not support HTTP/2.0, which means you will not be able to control modern SaaS applications.
Solution: Use Strip ALPN to downgrade the HTTP version for a specific list of URLs/applications so that HTTP header insertion keeps working. This option instructs the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension. ALPN is the TLS extension through which a client and server agree to use HTTP/2 on a secured connection. With no value present in this TLS extension, the firewall downgrades HTTP/2 traffic to HTTP/1.1.


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and below.
  • HTTP Header Insertion 


Cause


HTTP Header insertion feature does not support HTTP/2.0.

Resolution


Here are the steps you need to take to enable HTTP header insertion and the HTTP version downgrade in PAN-OS. If you have already established HTTP header insertion and only want to downgrade HTTP/2.0 to HTTP/1.1 for a certain list of domains, you need only create a Custom URL Category (step 1), create a Decryption Profile (step 2), and add both to your Decryption Policy (step 4).

In the following example, we will enable HTTP header insertion to restrict access to the Office365 SaaS application, allowing users to log in only with enterprise domain accounts.
  1. Custom URL Category:
Create a custom URL category listing the sites for which you want to enable HTTP header insertion and downgrade the HTTP version to HTTP/1.1. Navigate to GUI: Objects > Custom Objects > URL Category and click “Add”. Add the sites of interest to the list.


  2. Decryption Profile:
There is no need to downgrade the HTTP version for all traffic. Create a dedicated Decryption Profile for the SaaS applications you want to control with HTTP header insertion. Navigate to GUI: Objects > Decryption > Decryption Profile. You can clone one of the existing profiles or create a new one. Be sure to check the option “Strip ALPN” under the Client Extension section.
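To see what the Strip ALPN option changes on the wire, here is an added Python example; it is not PAN-OS code and is not part of the original article. It builds a constructed TLS ClientHello that offers h2 and http/1.1 through ALPN, then removes the ALPN extension and repairs the handshake and record length fields, which is the effect the decryption profile has on the hello the firewall, acting as forward proxy, sends to the server. HTTP/2 over TLS is negotiated only through ALPN (RFC 7540 section 3.3), so a server that receives no ALPN extension answers with HTTP/1.1. The server name, cipher suite and random bytes are placeholder values, and the example drops the whole extension rather than emptying it, because an ALPN list with no entries is not valid (RFC 7301).

```python
import struct

ALPN_EXT_TYPE = 0x0010  # TLS extension id for ALPN (RFC 7301)
SNI_EXT_TYPE = 0x0000   # TLS extension id for server_name (RFC 6066)


def build_client_hello(alpn_protocols, server_name="example.invalid"):
    """Build a minimal TLS 1.2 ClientHello record (constructed, not a real capture)."""
    exts = b""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(sni_list)) + sni_list
    exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    if alpn_protocols:
        entries = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
        alpn = struct.pack("!H", len(entries)) + entries
        exts += struct.pack("!HH", ALPN_EXT_TYPE, len(alpn)) + alpn
    body = (b"\x03\x03" + bytes(32)                # client_version, random (zeros: placeholder)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite (placeholder choice)
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record):
    """Return (offset of the extensions length field, [(ext_type, ext_data), ...])."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    off = 5 + 4          # record header + handshake header
    off += 2 + 32        # client_version + random
    sid_len = record[off]
    off += 1 + sid_len
    cs_len = struct.unpack("!H", record[off:off + 2])[0]
    off += 2 + cs_len
    comp_len = record[off]
    off += 1 + comp_len
    ext_len_off = off
    ext_len = struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    end = off + ext_len
    exts = []
    while off < end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        exts.append((etype, record[off + 4:off + 4 + elen]))
        off += 4 + elen
    return ext_len_off, exts


def alpn_protocols(record):
    """List the protocol names the ClientHello offers via ALPN ([] if none)."""
    for etype, data in parse_extensions(record)[1]:
        if etype == ALPN_EXT_TYPE:
            names, i = [], 2   # skip the 2-byte list length
            while i < len(data):
                n = data[i]
                names.append(data[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            return names
    return []


def strip_alpn(record):
    """Return a copy of the ClientHello without its ALPN extension, lengths recomputed."""
    ext_len_off, exts = parse_extensions(record)
    kept = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts if t != ALPN_EXT_TYPE)
    body = record[9:ext_len_off] + struct.pack("!H", len(kept)) + kept
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return record[:3] + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello(["h2", "http/1.1"])
    print("before:", alpn_protocols(hello))           # ['h2', 'http/1.1']
    print("after: ", alpn_protocols(strip_alpn(hello)))  # []
```

The SNI extension survives the rewrite, which matters: the decryption policy in step 4 still needs the server name to match the custom URL category, and only the ALPN values are removed.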
  3. URL Filtering Profile:
To enable HTTP header insertion, create a dedicated URL Filtering Profile by adding a new one or cloning an existing one. Add the HTTP Header Insertion options in accordance with the SaaS application documentation and the Palo Alto Networks documentation. In this example, I’m enabling HTTP Header Insertion for the Office 365 application; refer to the Microsoft documentation for more details. Navigate to GUI: Objects > Security Profiles > URL Filtering.
  4. Decryption Policy:
To control the list of sites for which you want to use HTTP header insertion and downgrade HTTP, create a dedicated Decryption Policy.
Navigate to GUI: Policies > Decryption and add a new rule or clone an existing one. Make sure to add the custom URL Category and Decryption Profile created in steps 1 and 2 to the rule.
  5. Security Rule:
To make everything work together, create a new Security Rule allowing your SaaS applications.
Add your new URL Filtering Profile on the Actions tab. Save the rule and commit the changes to the firewall configuration.
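As an added example that is not the firewall's implementation and not part of the original article, the following Python simulates what steps 1 through 5 set up once traffic has been downgraded: an HTTP/1.1 request whose Host matches the custom URL category gets the configured headers inserted, while a connection that starts with the HTTP/2 connection preface (RFC 7540 section 3.5, sent for h2 as well as h2c) is left alone because its headers are HPACK-compressed binary frames that a line-based rewriter cannot edit. The header names Restrict-Access-To-Tenants and Restrict-Access-Context come from Microsoft's tenant restrictions documentation; the category domains and header values are constructed placeholders. Because a client can send its own copy of a managed header, the example replaces any existing copy instead of appending a second one, so the policy value is the only one the server sees.

```python
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Constructed stand-ins for the custom URL category (step 1) and the header
# insertion entries of the URL Filtering Profile (step 3). Placeholder values.
CATEGORY = {"login.saas.example", "account.saas.example"}
INSERT_HEADERS = {
    "Restrict-Access-To-Tenants": "enterprise.example",
    "Restrict-Access-Context": "00000000-0000-0000-0000-000000000000",
}


def parse_request(raw):
    """Split an HTTP/1.x request into (request_line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def insert_headers(raw, category=CATEGORY, to_insert=INSERT_HEADERS):
    """Return the request with policy headers inserted for hosts in the category.

    Returns None when the bytes are an HTTP/2 connection (preface seen) or the
    request line is not HTTP/1.x: this is the case the ALPN strip in step 2 avoids.
    """
    if raw.startswith(HTTP2_PREFACE):
        return None
    request_line, headers, body = parse_request(raw)
    if not (request_line.endswith(" HTTP/1.1") or request_line.endswith(" HTTP/1.0")):
        return None
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if host.split(":")[0].lower() not in category:
        return raw   # not a site in the custom URL category: pass through unchanged
    managed = {n.lower() for n in to_insert}
    # Drop any client-supplied copy of a managed header so the policy value wins.
    kept = [(n, v) for n, v in headers if n.lower() not in managed]
    kept.extend(to_insert.items())
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("ascii") + b"\r\n\r\n" + body


if __name__ == "__main__":
    sample = b"GET /login HTTP/1.1\r\nHost: login.saas.example\r\nUser-Agent: demo\r\n\r\n"
    print(insert_headers(sample).decode("ascii"))
```

On a real deployment the check that matters is the outcome: after the commit, a browser session to the SaaS login page should show the inserted headers only for the enterprise-restricted hosts, and consumer-account sign-ins to those hosts should be refused by the SaaS side.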
Results:
After committing the changes to the firewall, you will be able to block access to the Office365 SaaS with consumer accounts.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VSRCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail