
ASA 5585-X supports HTTP/2

maria.sousa
Level 1

Hi,

We are starting to plan to introduce a new ASA 5585-X firewall, and I tried to discover whether it supports HTTP/2.0, but without success!

Could you help me understand whether the ASA 5585-X supports this protocol or not?

Thanks in advance

Maria

Accepted Solutions

Marvin Rhoads
Hall of Fame

The ASA itself sees it at the TCP layer as tcp/80 and tcp/443 traffic (assuming continued use of default ports for unencrypted and encrypted traffic respectively). So no change or particular support is necessary there. Similarly, the basic HTTP operators (GET, POST, etc.) are unchanged, so we can continue to look for those and detect, for instance, non-HTTP operators embedded in an HTTP request as, say, an attack targeting a web server.

I don't believe that protocol layer inspection, either in the base ASA or a FirePOWER module, is aware of the HTTP/2 binary framing layer (reference https://hpbn.co/http2/). So in that respect we cannot do any advanced inspection of HTTP/2 traffic at this time (i.e. as of February 2017 with ASA 9.7 and/or FirePOWER 6.2 releases).
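The binary framing layer mentioned in the answer above, shown as an added example that is not part of the original post and is not Cisco code: the same `GET /` request is checked by an HTTP/1.x style text matcher and then by a frame-aware parser. It assumes cleartext or already decrypted HTTP/2, all function names are hypothetical, and the HPACK handling covers only leading static-table indexed fields.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 9113 client connection preface
H1_METHODS = (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS")
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 3: "RST_STREAM", 4: "SETTINGS", 8: "WINDOW_UPDATE"}
HPACK_STATIC_METHOD = {2: "GET", 3: "POST"}     # RFC 7541 static table entries

def text_method(payload):
    """What an HTTP/1.x text inspector looks for: '<METHOD> <target> HTTP/1.x'."""
    line = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(line) == 3 and line[0] in H1_METHODS and line[2].startswith(b"HTTP/1."):
        return line[0].decode()
    return None

def parse_frames(stream):
    """Split a cleartext HTTP/2 client stream into (type, flags, stream_id, payload)."""
    if not stream.startswith(PREFACE):
        raise ValueError("not an HTTP/2 connection preface")
    pos, frames = len(PREFACE), []
    while pos + 9 <= len(stream):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", stream, pos)
        length = (hi << 16) | lo                 # 24-bit payload length
        payload = stream[pos + 9 : pos + 9 + length]
        if len(payload) < length:
            break                                # truncated capture: stop cleanly
        frames.append((FRAME_TYPES.get(ftype, hex(ftype)), flags, sid & 0x7FFFFFFF, payload))
        pos += 9 + length
    return frames

def h2_method(block):
    """Method from leading HPACK indexed fields only (no dynamic table, no Huffman)."""
    for byte in block:
        idx = byte & 0x7F
        if not byte & 0x80 or idx == 0x7F:       # literal field or multi-byte index: stop
            break
        if idx in HPACK_STATIC_METHOD:
            return HPACK_STATIC_METHOD[idx]
    return None

def frame(ftype, flags, sid, payload):           # builds the constructed sample frames
    return struct.pack(">BHBBI", len(payload) >> 16, len(payload) & 0xFFFF, ftype, flags, sid) + payload

# Constructed samples: the same GET / request in both wire formats.
H1_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HPACK_GET = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")  # RFC 7541 C.3.1
H2_SAMPLE = PREFACE + frame(4, 0, 0, b"") + frame(1, 0x05, 1, HPACK_GET)

if __name__ == "__main__":
    print(text_method(H1_SAMPLE), text_method(H2_SAMPLE))
    print([(n, h2_method(p) if n == "HEADERS" else None) for n, _, _, p in parse_frames(H2_SAMPLE)])
```

In the HTTP/2 sample the method travels as the single byte `0x82` inside a HEADERS frame, so the ASCII string `GET` never appears on the wire and the text matcher returns nothing.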


2 Replies

Philip D'Ath
VIP Alumni

When you say support - are you referring to accessing its admin interface, http inspection, Firepower, or something else?

On the whole, I don't think it has HTTP/2.0 support.
