Troubleshooting HTTP/2 traffic in Cloud SWG

Article ID: 253017


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

How do I troubleshoot HTTP/2 issues in Cloud SWG (formerly known as WSS)?

How can I disable HTTP/2 for a specific website?

Resolution

Collect data: 

 

Depending on whether you manage WSS policy with UPE (Management Center) or from the WSS Portal, you can disable HTTP/2 in one of the following ways: 


(A) UPE: Disable SSL Inspection (disable HTTP/2 for a specific website)

With UPE-managed policy

1. Create a CPL layer

2. Add this CPL policy (this will disable SSL interception): 

#if enforcement=wss
<ssl-intercept>
  url.domain="testsite.com" ssl.forward_proxy(no)
#endif

 

(B) UPE: Disable HTTP/2 (downgrade the connections to HTTP/1.1)

With UPE-managed policy: 

1. Create a CPL layer

2. Add this CPL policy (SSL interception still works): 

#if enforcement=wss
<proxy>
  client.connection.ssl_server_name.substring=testsite.com http2.client.accept(no) http2.server.request(no)
#endif

 

(C) Portal: Disable SSL Inspection (disable HTTP/2 for a specific website)

With WSS Portal-managed policy: 

1. Add an SSL interception bypass rule for the domain: 

WSS Portal: Policy
-> TLS / SSL Interception
-> TLS / SSL Interception Policy
-> Add rule where 'Destination' is the problem domain and 'Verdict' is 'Do not intercept'

 

(D) Portal: Disable HTTP/2 (downgrade the connections to HTTP/1.1)

With WSS Portal-managed policy: If an SSL interception bypass is not feasible and you want to keep SSL interception enabled for the domain, open a case with the Broadcom technical support team via the Broadcom Support Portal to have HTTP/2 disabled for that specific domain.

Additional Information

If using UPE, be aware of this SGOS 6.x limitation: Cannot apply HTTP/2 CPL to Cloud SWG tenant via Management Center


====
The quickest way of validating whether the issue is related to the HTTP/2 protocol or not is to disable HTTP/2 from the browser side.

If you suspect that HTTP/2 is the source of the problem, run Chrome with HTTP/2 disabled using the command below. Then confirm that all requests are sent with HTTP/1.1 (check the HAR file from Developer Tools) and that everything works as expected.

C:\Program Files (x86)\Google\Chrome\Application> chrome.exe --disable-http2
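
The HAR check described above can be scripted. The following Python is an added example, not part of the original article or a Broadcom tool: it reads the httpVersion field of each HAR entry for a domain and lists the requests that were not served over HTTP/1.1. The function names, the alias table and the sample HAR are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# HAR exporters do not spell the protocol uniformly; these are the spellings
# this example accepts (an assumption; extend the table as needed).
ALIASES = {
    "http/1.1": "HTTP/1.1", "http/1.0": "HTTP/1.0",
    "http/2.0": "HTTP/2", "http/2": "HTTP/2", "h2": "HTTP/2",
    "http/3": "HTTP/3", "h3": "HTTP/3",
}

def normalize(version):
    v = (version or "").strip().lower()
    return ALIASES.get(v, v or "unknown")

def host_matches(url, domain):
    host = (urlsplit(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def protocol_summary(har, domain):
    """Count response protocols for requests to `domain` and its subdomains."""
    counts = Counter()
    for entry in har["log"]["entries"]:
        if host_matches(entry["request"]["url"], domain):
            counts[normalize(entry["response"].get("httpVersion"))] += 1
    return counts

def not_downgraded(har, domain):
    """URLs for `domain` that were NOT served over HTTP/1.1."""
    return [e["request"]["url"] for e in har["log"]["entries"]
            if host_matches(e["request"]["url"], domain)
            and normalize(e["response"].get("httpVersion")) != "HTTP/1.1"]

# Constructed sample HAR (not captured from a real session).
SAMPLE_HAR = json.loads("""
{"log": {"version": "1.2", "entries": [
 {"request": {"url": "https://testsite.com/", "httpVersion": "HTTP/1.1"},
  "response": {"status": 200, "httpVersion": "HTTP/1.1"}},
 {"request": {"url": "https://cdn.testsite.com/app.js", "httpVersion": "http/2.0"},
  "response": {"status": 200, "httpVersion": "http/2.0"}},
 {"request": {"url": "https://other.example/pixel", "httpVersion": "h3"},
  "response": {"status": 204, "httpVersion": "h3"}}
]}}
""")

if __name__ == "__main__":
    print(dict(protocol_summary(SAMPLE_HAR, "testsite.com")))
    print("not HTTP/1.1:", not_downgraded(SAMPLE_HAR, "testsite.com"))
```

To use it on a real capture, load the exported file with json.load and pass the problem domain; an empty list from not_downgraded means every request to that domain used HTTP/1.1.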