http2 clear-text sessions are listed in the command output of "show session all filter ssl-decrypt yes"
Created On 07/29/22 19:06 PM - Last Modified 04/25/25 20:31 PM
Symptom
- http2 clear-text sessions are listed in the output of 'show session all' when it is filtered on ssl-decrypt: "show session all filter ssl-decrypt yes"
Environment
A firewall with no SSL decryption configured nevertheless lists sessions in the output of the command "show session all filter ssl-decrypt yes":
> show session all filter ssl-decrypt yes
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
75054346 web-browsing ACTIVE FLOW * 10.174.253.60[43784]/untrust/6 (10.174.253.60[43784])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
76647546 web-browsing ACTIVE FLOW * 10.174.253.84[57978]/untrust/6 (10.174.253.84[57978])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
7786948
75998109 web-browsing ACTIVE FLOW * 10.175.192.19[5524]/untrust/6 (10.175.192.19[5524])
vsys1 10.254.252.189[11983]/trust (10.254.252.189[11983])
> show running decryption-policy
DP s1dp0:
DP s1dp1:
DP s1dp2:
Cause
- This behaviour is seen because the command "show session all filter ssl-decrypt yes" matches proxy sessions, whether or not they are actually decrypted. http2 clear-text traffic is handled as a cleartext proxy session, so it satisfies the filter even though no TLS is involved.
- The ssl-decrypt filter output shown above contains only http2 cleartext proxy sessions. Filtering on http2-connection lists the same kind of sessions, and the global counters confirm that cleartext proxy sessions were started while there are no SSL decrypted sessions:
> show session all filter http2-connection yes
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
73441871 web-browsing ACTIVE FLOW * 10.174.251.43[55308]/untrust/6 (10.174.251.43[55308])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
68201151 web-browsing ACTIVE FLOW * 10.174.250.136[50530]/untrust/6 (10.174.250.136[50530])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
76694385 web-browsing ACTIVE FLOW * 10.175.192.18[48784]/untrust/6 (10.175.192.18[48784])
vsys1
> show counter global filter delta yes | match "http\|clear"
ctd_cleartext_proxy_start 2 0 info ctd pktproc Ctd session with cleartext proxy
proxy_cleartext_ingress 2 0 info proxy pktproc Number of cleartext proxy session started with proxy ingress
http2_process 2 0 info http2 pktproc Number of http2 connection process
Resolution
Note that this observation may cause confusion: there is no SSL decryption configured and no active decryption policy, yet sessions are still listed in the output of the command "show session all filter ssl-decrypt yes".
As per the current design, this is expected behaviour: http2 clear-text proxy sessions are listed in the output of the command "show session all filter ssl-decrypt yes". To confirm that a listed session is not actually being decrypted, check that "show running decryption-policy" shows no rules on any dataplane and that the global counters report cleartext proxy and http2 activity (ctd_cleartext_proxy_start, proxy_cleartext_ingress, http2_process) rather than SSL decryption.
There is an internal request open to review this behaviour and consider a possible change.
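The following is an added example, not part of this article and not Palo Alto Networks code. It parses the two-line-per-session table printed by "show session all filter ssl-decrypt yes" and the "show running decryption-policy" output, and flags every listed session as a proxy session that is not decrypted when no dataplane has decryption rules loaded. The sample inputs are constructed from the article's own CLI output. Two things are assumptions, not facts from the article: that whitespace in the captured output has been collapsed to single spaces, and that a "DP sXdpY:" line with nothing after the colon means that dataplane has no decryption rules.

```python
"""Audit PAN-OS 'show session all filter ssl-decrypt yes' output against the
running decryption policy (added example, not from the article).

Assumptions (not confirmed by the article):
  * whitespace in the captured CLI output has been collapsed to single spaces;
  * a 'DP sXdpY:' line with nothing after the colon means that dataplane has
    no decryption rules loaded.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, copied from the article's ssl-decrypt filter output.
# The orphan line "7786948" is a truncated entry and must be skipped.
SESSION_OUTPUT = """\
> show session all filter ssl-decrypt yes
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
75054346 web-browsing ACTIVE FLOW * 10.174.253.60[43784]/untrust/6 (10.174.253.60[43784])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
76647546 web-browsing ACTIVE FLOW * 10.174.253.84[57978]/untrust/6 (10.174.253.84[57978])
vsys1 10.254.252.33[7442]/trust (10.254.252.33[7442])
7786948
75998109 web-browsing ACTIVE FLOW * 10.175.192.19[5524]/untrust/6 (10.175.192.19[5524])
vsys1 10.254.252.189[11983]/trust (10.254.252.189[11983])
"""

# Constructed sample, copied from the article's decryption-policy output.
POLICY_OUTPUT = """\
> show running decryption-policy
DP s1dp0:
DP s1dp1:
DP s1dp2:
"""

# First line of an entry: ID App State Type Flag Src[Sport]/Zone/Proto (xlate[Port])
_FIRST = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<src>[^\[\s]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<xsrc>[^\[\s]+)\[(?P<xsport>\d+)\]\)$"
)
# Second line of an entry: Vsys Dst[Dport]/Zone (xlate[Port])
_SECOND = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[^\[\s]+)\[(?P<dport>\d+)\]/(?P<dzone>[^/\s]+)\s+"
    r"\((?P<xdst>[^\[\s]+)\[(?P<xdport>\d+)\]\)$"
)
_DP = re.compile(r"^DP\s+(?P<dp>\S+):\s*(?P<rules>.*)$")


@dataclass
class Session:
    id: int
    app: str
    state: str
    src: str
    sport: int
    szone: str
    proto: int
    vsys: str
    dst: str
    dport: int
    dzone: str


def parse_sessions(text: str) -> List[Session]:
    """Parse the two-line-per-session table. Header, separator and truncated
    lines never match the numeric session-ID pattern and are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    sessions: List[Session] = []
    i = 0
    while i < len(lines):
        m1 = _FIRST.match(lines[i])
        m2 = _SECOND.match(lines[i + 1]) if (m1 and i + 1 < len(lines)) else None
        if m1 and m2:
            sessions.append(Session(
                id=int(m1["id"]), app=m1["app"], state=m1["state"],
                src=m1["src"], sport=int(m1["sport"]), szone=m1["szone"],
                proto=int(m1["proto"]), vsys=m2["vsys"], dst=m2["dst"],
                dport=int(m2["dport"]), dzone=m2["dzone"],
            ))
            i += 2
        else:
            i += 1
    return sessions


def parse_decryption_policy(text: str) -> Dict[str, str]:
    """Map each dataplane to whatever follows 'DP <name>:' ('' = no rules, assumed)."""
    policy: Dict[str, str] = {}
    for ln in text.splitlines():
        m = _DP.match(ln.strip())
        if m:
            policy[m["dp"]] = m["rules"].strip()
    return policy


def decryption_configured(policy: Dict[str, str]) -> bool:
    return any(rules for rules in policy.values())


def audit(session_text: str, policy_text: str) -> Dict[int, str]:
    """Classify every session the ssl-decrypt filter returned. With no decryption
    rules on any dataplane, none of them can be a decrypted TLS session: they are
    proxy sessions (such as cleartext http2) that the filter also matches."""
    policy = parse_decryption_policy(policy_text)
    verdict = ("possibly decrypted (decryption rules present, verify per session)"
               if decryption_configured(policy)
               else "proxy session, not decrypted (no decryption rules on any DP)")
    return {s.id: verdict for s in parse_sessions(session_text)}


if __name__ == "__main__":
    for sid, why in audit(SESSION_OUTPUT, POLICY_OUTPUT).items():
        print(sid, why)
```

Feed the script captured output from the firewall; every session the ssl-decrypt filter lists is reported as a non-decrypted proxy session as long as all three DP lines are empty, which is exactly the situation the article describes.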