topic Re: Add HTTP/2 in Application/site service in Firewall and Security Management

Add HTTP/2 in Application/site service

ebeaulieu — Mon, 27 Sep 2021 11:44:16 GMT

Hello,

We had a rule to allow some web site with the object : Application/site and add the domain in the URL List. I have a Firewall rule (Blade Firewall + App & URL filtering) ;

Src: My_server Dst: Any_except_my_network Service&App: (Application/site - My_remote_domain) Action: Allow

I just realized that the "HTTP/2 over TLS" application, to this allowed domain, was drop by my default rule. So I try to add in "Manage & site > application Control & URL Filtering > Advanced settings" but I can't add in addition to HTTP and HTTPs the application HTTP/2.

So I add the "HTTP/2 over TLS" in the Service&App in addition to my Allowed remote domain (Application/site - My_remote_domain). But now I suppose will have access to all Internet with HTTP/2, not only my allowed domain.

Do you know if it is possible to add HTTP/2 in the default Service "Web Browsing" ?

Best regards

Eric

Re: Add HTTP/2 in Application/site service

PhoneBoy — Mon, 27 Sep 2021 15:07:16 GMT

If you want to allow websites over HTTP/2, you need to be on R80.40 and above.
No special configuration is needed here as the normal App Control categories and your custom application/sites should just work.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116022&partition=Advanced&product=Quantum

Re: Add HTTP/2 in Application/site service

ebeaulieu — Tue, 28 Sep 2021 08:14:57 GMT

Hello,

Thanks @PhoneBoy for the reply. But event if I am in R80.40, I think I can't restrict HTTP/2 for some domain. For that, I use the CP object Application/Site and by defaut it only use HTTP & HTTPs it will not match HTTP/2 over TLS.

Eric

Re: Add HTTP/2 in Application/site service

PhoneBoy — Tue, 28 Sep 2021 15:22:08 GMT

As far as I know, that should work.
If it’s not, then we probably need a TAC case to investigate.