https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67387#M2592 <P>I do not think that&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116022" target="_blank" rel="noopener nofollow noopener noreferrer">SK116022</A><SPAN>&nbsp;was valid for 77.20.8x SMB appliances. Also, it suggests to either downgrade the traffic to http/1.1 for SSL Inspection or either drop or allow http/2 without SSL inspection. So it seems there currently is no&nbsp;inspection of&nbsp;HTTP/2 over TLS possible...</SPAN></P> Thu, 14 Nov 2019 10:27:34 GMT G_W_Albrecht 2019-11-14T10:27:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67376#M2591 <P>Regarding inspection of&nbsp;<SPAN>HTTP/2 over TLS there is the&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116022" target="_blank" rel="noopener">SK116022</A>&nbsp;but what do you say? Is it valid for 77.20.87 ? Because I have HTTPS Inspection enabled and it does not look like it is inspecting that kind of traffic.</SPAN></P> Thu, 14 Nov 2019 07:00:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67376#M2591 HristoGrigorov 2019-11-14T07:00:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67387#M2592 <P>I do not think that&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk116022" target="_blank" rel="noopener nofollow noopener noreferrer">SK116022</A><SPAN>&nbsp;was valid for 77.20.8x SMB appliances. Also, it suggests to either downgrade the traffic to http/1.1 for SSL Inspection or either drop or allow http/2 without SSL inspection. So it seems there currently is no&nbsp;inspection of&nbsp;HTTP/2 over TLS possible...</SPAN></P> Thu, 14 Nov 2019 10:27:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67387#M2592 G_W_Albrecht 2019-11-14T10:27:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67404#M2593 <P>How do I "downgrade" HTTP/2 to HTTP/1.1 ?</P> Thu, 14 Nov 2019 12:35:34 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67404#M2593 HristoGrigorov 2019-11-14T12:35:34Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67454#M2596 Enable HTTPS Inspection.<BR />Otherwise you block it using App Control.<BR /><BR />Note that HTTP/2 support is planned for R80.40, not sure when it is planned for SMB. Thu, 14 Nov 2019 17:40:14 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67454#M2596 PhoneBoy 2019-11-14T17:40:14Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67459#M2597 <P>Hmm, I am a bit confused here. I have HTTPS Inspection enabled and it still logs application name as "HTTP/2 over TLS". Isn't it supposed to recognize the actual app encapsulated inside it ?</P> <P>Also, what will happen (from user point of view) if I block it?&nbsp;</P> Thu, 14 Nov 2019 18:12:38 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67459#M2597 HristoGrigorov 2019-11-14T18:12:38Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67464#M2598 Are you sure you are HTTPS Inspecting the traffic in question?<BR />We don't yet parse inside HTTP/2 over TLS yet.<BR />The browser should be smart enough to realize HTTP/2 over TLS isn't supported and downgrade to HTTP/1.1 if you block it.<BR /> Thu, 14 Nov 2019 19:19:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67464#M2598 PhoneBoy 2019-11-14T19:19:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67488#M2601 <P>Yes, I am sure HTTPS Inspection is in use. But you are most certainly right. It is decrypting but not parsing it inside. I will block it and see what happens. Thank you.</P> Fri, 15 Nov 2019 03:34:01 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67488#M2601 HristoGrigorov 2019-11-15T03:34:01Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67491#M2603 <P>No, Blocking does just that. Blocks it. For the connection to be downgraded to HTTP/1.1, SMB must tell the browser HTTP/2 is not supported for this connection. And it is not doing that. So, that's not an option really. Too bad because HTTP/2 connections are becoming more and more common.</P> Fri, 15 Nov 2019 05:04:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/67491#M2603 HristoGrigorov 2019-11-15T05:04:31Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/128999#M5703 <P>Hi! Want to revive this old topic <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> We are running R80.40 T120 and most HTTP/2 logs show no actual resource. HTTPS interception is enabled as per my screenshot. Anyone has had better answers than sk116022?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13644i61B81EB0BC879697/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> Thu, 09 Sep 2021 07:15:05 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/HTTP-2-over-TLS/m-p/128999#M5703 Kaspars_Zibarts 2021-09-09T07:15:05Z