cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1340
Views
0
Helpful
2
Replies

ASA 5585-X supports HTTP/2

maria.sousa
Level 1
Level 1

Hi,

we are starting to plan to introduce a new ASA 5585-X firewall, and i tried to discover if it supports HTTP/2.0 version but without success!!!

Could you help me to understand if the ASA 5585-X supports or not this protocol?

Thanks in advance

Maria

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA itself sees it at the TCP layer as tcp/80 and tcp/443 traffic (assuming continued use of default ports for unencrypted and encrypted traffic respectively). So no change or particular support is necessary there. Similarly the basic http operators (GET, POST etc. ) are unchanged so we can contiinue to look for those and detect, for instance, non-http operators embedded in an http request as, say, an attack targeting a web server.

I don't believe that protocol layer inspection, either in the base ASA of a FirePOWER module is aware of the http/2 binary framing layer (reference https://hpbn.co/http2/). So in that respect we cannot do any advanced inspection of http/2 traffic at this time (i.e. as of February 2017 with ASA 9.7 and/or FirePOWER 6.2 releases).

View solution in original post

2 Replies 2

Philip D'Ath
VIP Alumni
VIP Alumni

When you say support - are you referring to accessing its admin interface, http inspection, Firepower, or something else?

On the whole, I don't think it has HTTP/2.0 support.

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA itself sees it at the TCP layer as tcp/80 and tcp/443 traffic (assuming continued use of default ports for unencrypted and encrypted traffic respectively). So no change or particular support is necessary there. Similarly the basic http operators (GET, POST etc. ) are unchanged so we can contiinue to look for those and detect, for instance, non-http operators embedded in an http request as, say, an attack targeting a web server.

I don't believe that protocol layer inspection, either in the base ASA of a FirePOWER module is aware of the http/2 binary framing layer (reference https://hpbn.co/http2/). So in that respect we cannot do any advanced inspection of http/2 traffic at this time (i.e. as of February 2017 with ASA 9.7 and/or FirePOWER 6.2 releases).

Review Cisco Networking for a $25 gift card