Why Is Clear-Text HTTP/2 Traffic Already Decrypted by Another Vendor's SSL Proxy Not Working?
Created On 05/31/21 21:10 PM - Last Modified 07/16/24 13:41 PM
Question
Why does clear-text HTTP/2 traffic that has already been decrypted by another vendor's SSL proxy stop working when it passes through the firewall?
Environment
- Palo Alto Networks Firewall
- PAN-OS: 9.0.x, 9.1.x, 10.0.x, 10.1.x
- No Decryption Profile configured
- 3rd Party Decryption Device (ex. Symantec SSLV Proxy Appliance)
Answer
PAN-OS has to proxy HTTP/2 traffic in order to inspect it. For clear-text HTTP/2 this proxy is enabled by default and does not require a Decryption profile. When the traffic has already been decrypted and proxied by another device (for example a Symantec SSLV appliance) before it reaches the firewall, the firewall's own HTTP/2 proxy adds a second proxy to the path and the traffic does not work. In that deployment the default clear-text HTTP/2 proxy must be turned off, which is done from the CLI with the commands below (followed by a forced commit):
admin@PA> configure
admin@PA# set deviceconfig setting ctd http2-cleartext-proxy no
admin@PA# commit force
admin@PA# end
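The same change can be driven from the PAN-OS XML API, which is useful when the setting has to be applied and verified on several firewalls. The script below is an added example and is not part of the Palo Alto Networks article; the hostname, the API key variable, and the configuration xpath for the `ctd` settings node are assumptions that mirror the CLI path `deviceconfig setting ctd`, and the XML responses used to exercise the parsing are constructed samples in the shape the API returns.

```python
"""Disable the PAN-OS clear-text HTTP/2 proxy over the XML API and verify it.

Added example, not from the Palo Alto Networks KB article. Assumed (not on the
page): FW_HOST, the PANOS_API_KEY environment variable, and CTD_XPATH.
"""
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FW_HOST = "fw.example.internal"                         # assumed hostname
FW_KEY = os.environ.get("PANOS_API_KEY", "REPLACE_ME")  # assumed; from type=keygen

# Assumed xpath of the node edited by 'set deviceconfig setting ctd ...'.
CTD_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
             "/deviceconfig/setting/ctd")


def set_request(enabled: bool) -> dict:
    """Parameters for the API equivalent of
    'set deviceconfig setting ctd http2-cleartext-proxy <yes|no>'."""
    value = "yes" if enabled else "no"
    return {"type": "config", "action": "set", "xpath": CTD_XPATH,
            "element": f"<http2-cleartext-proxy>{value}</http2-cleartext-proxy>"}


def show_request() -> dict:
    """Parameters to read the running candidate config under the ctd node."""
    return {"type": "config", "action": "show", "xpath": CTD_XPATH}


def commit_request(force: bool = True) -> dict:
    """The KB uses 'commit force'; the API form is <commit><force></force></commit>."""
    cmd = "<commit><force></force></commit>" if force else "<commit></commit>"
    return {"type": "commit", "cmd": cmd}


def build_url(params: dict) -> str:
    """Append the API key and URL-encode the query (xpath contains quotes/slashes)."""
    return f"https://{FW_HOST}/api/?" + urllib.parse.urlencode(dict(params, key=FW_KEY))


def check_status(xml_text: str) -> str:
    """Raise on a non-success response; otherwise return the <msg> text."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError(f"API call failed: {detail}")
    return (root.findtext("msg") or "").strip()


def http2_cleartext_proxy_value(show_xml: str) -> str:
    """Extract http2-cleartext-proxy from a config 'show' response.
    An absent node is reported as 'yes' because the proxy is on by default."""
    check_status(show_xml)
    node = ET.fromstring(show_xml).find(".//ctd/http2-cleartext-proxy")
    return node.text.strip() if node is not None and node.text else "yes"


def call(params: dict, verify_tls: bool = True) -> str:
    """Perform one API request; disable TLS verification only for lab boxes."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(build_url(params), context=ctx, timeout=30) as resp:
        return resp.read().decode()


def disable_and_verify() -> str:
    """Set the proxy to 'no', commit with force, and return the value read back."""
    check_status(call(set_request(False)))
    check_status(call(commit_request(force=True)))
    return http2_cleartext_proxy_value(call(show_request()))


# Constructed sample responses (not captured from a firewall) so the parsing
# can be exercised offline.
SAMPLE_SET_OK = ('<response status="success" code="20">'
                 '<msg>command succeeded</msg></response>')
SAMPLE_SHOW = ('<response status="success" code="19"><result total-count="1" count="1">'
               '<ctd><http2-cleartext-proxy>no</http2-cleartext-proxy></ctd></result></response>')
SAMPLE_ERR = ('<response status="error" code="12">'
              '<msg><line>Invalid xpath</line></msg></response>')

if __name__ == "__main__":
    print("set  ->", check_status(SAMPLE_SET_OK))
    print("show ->", http2_cleartext_proxy_value(SAMPLE_SHOW))
```

Run `disable_and_verify()` against a real firewall with `PANOS_API_KEY` exported; keep the key out of the script and out of shell history, and use an admin role scoped to configuration changes rather than a superuser key. Reading the value back after the commit is the check that matters, because a commit that fails validation leaves the default `yes` in place.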