maria.sousa
Beginner

ASA 5585-X supports HTTP/2

Hi,

We are starting to plan to introduce a new ASA 5585-X firewall, and I tried to discover if it supports HTTP/2.0, but without success!!!

Could you help me to understand whether the ASA 5585-X supports this protocol or not?

Thanks in advance

Maria

1 ACCEPTED SOLUTION

Marvin Rhoads
VIP Community Legend

The ASA itself sees it at the TCP layer as tcp/80 and tcp/443 traffic (assuming continued use of default ports for unencrypted and encrypted traffic respectively). So no change or particular support is necessary there. Similarly, the basic http operators (GET, POST etc.) are unchanged, so we can continue to look for those and detect, for instance, non-http operators embedded in an http request as, say, an attack targeting a web server.

I don't believe that protocol layer inspection, either in the base ASA or a FirePOWER module, is aware of the http/2 binary framing layer (reference https://hpbn.co/http2/). So in that respect we cannot do any advanced inspection of http/2 traffic at this time (i.e. as of February 2017 with ASA 9.7 and/or FirePOWER 6.2 releases).
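
An added illustration of the binary framing layer mentioned in the answer above (not part of the original thread and not Cisco code): a Python sketch that runs a text-based HTTP/1.x method matcher and an HTTP/2 frame-header parser over the same kind of request. The matcher, function names and sample bytes are constructed assumptions; the HPACK block is the GET request from RFC 7541 Appendix C.3.1, sent here as cleartext HTTP/2.

```python
import re
import struct

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # fixed 24-octet client preface (RFC 7540)
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Simplified, hypothetical text matcher of the kind an HTTP/1.x-aware inspector relies on.
H1_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def h1_method(stream: bytes):
    """Return the HTTP/1.x method at the start of the stream, or None."""
    m = H1_REQUEST_LINE.match(stream)
    return m.group(1).decode() if m else None

def h2_frames(stream: bytes):
    """Parse cleartext HTTP/2 client bytes into (type, flags, stream_id, payload) tuples."""
    if not stream.startswith(H2_PREFACE):
        raise ValueError("no HTTP/2 connection preface")
    pos, frames = len(H2_PREFACE), []
    while pos + 9 <= len(stream):
        # 9-octet frame header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack(">BHBBI", stream[pos:pos + 9])
        length = (hi << 16) | lo
        payload = stream[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop instead of returning a partial frame
        frames.append((FRAME_TYPES.get(ftype, f"0x{ftype:02x}"), flags, sid & 0x7FFFFFFF, payload))
        pos += 9 + length
    return frames

def classify(stream: bytes) -> str:
    """Label the first bytes of a client-to-server TCP stream."""
    if stream.startswith(H2_PREFACE):
        return "http/2"
    return "http/1.x" if h1_method(stream) else "unknown"

def frame(ftype: int, flags: int, sid: int, payload: bytes) -> bytes:
    """Build one HTTP/2 frame (used only to construct the sample below)."""
    return struct.pack(">BHBBI", len(payload) >> 16, len(payload) & 0xFFFF, ftype, flags, sid) + payload

# Constructed samples: the same GET for www.example.com in both protocol versions.
H1_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HPACK_GET = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")  # 0x82 = :method GET
H2_SAMPLE = H2_PREFACE + frame(4, 0, 0, b"") + frame(1, 0x05, 1, HPACK_GET)

if __name__ == "__main__":
    for name, s in (("h1", H1_SAMPLE), ("h2", H2_SAMPLE)):
        print(name, classify(s), "method seen by text matcher:", h1_method(s))
    print([(t, fl, sid, p.hex()) for t, fl, sid, p in h2_frames(H2_SAMPLE)])
```

In the HTTP/2 sample the method travels as the single HPACK index byte `0x82` inside a HEADERS frame, so the literal string `GET` never appears on the wire.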


2 REPLIES
Philip D'Ath
Advisor

When you say support - are you referring to accessing its admin interface, http inspection, Firepower, or something else?

On the whole, I don't think it has HTTP/2.0 support.
