Security functions are enforced for the GlobalProtect app when you enable FIPS-CC mode.

When you enable FIPS-CC mode for GlobalProtect, the following security functions are enforced for all GlobalProtect apps on Windows and macOS endpoints:

- You must encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
- When you configure an IPSec VPN tunnel, you must select a cipher suite option presented during IPSec setup.
- When you configure an IPSec VPN tunnel, you can specify one of the following encryption algorithms:
  - AES-CBC-128 (with the SHA1 authentication algorithm)
  - AES-GCM-128
  - AES-GCM-256
- Both server and client certificates must use one of the following signature algorithms:
  - RSA 2048 bit (or greater)
  - ECDSA P-256
  - ECDSA P-384
  - ECDSA P-521

  In addition, you must use a signature hash algorithm of SHA256, SHA384, or SHA512.
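
The certificate requirements above can be checked before FIPS-CC mode is enabled. The following Python check is an added example, not Palo Alto Networks code: it reads the text printed by `openssl x509 -noout -text` and reports which requirement a certificate misses. It assumes the key-size and curve requirement applies to the certificate's own public key, and the two sample outputs are constructed.

```python
import re

# Requirements as listed on this page for FIPS-CC mode.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}
ALLOWED_CURVES = {"P-256", "P-384", "P-521"}
MIN_RSA_BITS = 2048

def check_cert_text(text):
    """Return findings for `openssl x509 -noout -text` output; [] means compliant."""
    findings = []
    # The first "Signature Algorithm" line names the hash used to sign the cert.
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    digest = re.search(r"sha\d+", sig.group(1).lower()) if sig else None
    if not digest or digest.group(0) not in ALLOWED_HASHES:
        findings.append("signature hash is not SHA256, SHA384 or SHA512")
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    alg = key_alg.group(1) if key_alg else ""
    if alg == "rsaEncryption":
        bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
        if not bits or int(bits.group(1)) < MIN_RSA_BITS:
            findings.append("RSA key is smaller than 2048 bits")
    elif alg == "id-ecPublicKey":
        # OpenSSL prints a "NIST CURVE" line only for NIST-named curves.
        curve = re.search(r"NIST CURVE:\s*(\S+)", text)
        if not curve or curve.group(1) not in ALLOWED_CURVES:
            findings.append("ECDSA curve is not P-256, P-384 or P-521")
    else:
        findings.append("public key is neither RSA nor ECDSA")
    return findings

# Constructed excerpts of openssl output (not taken from real certificates).
GOOD_EC = """\
    Signature Algorithm: ecdsa-with-SHA384
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
"""
WEAK_RSA = """\
    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    for name, sample in (("GOOD_EC", GOOD_EC), ("WEAK_RSA", WEAK_RSA)):
        print(name, check_cert_text(sample) or "compliant")
```

Run it against every certificate in the server and client chains, since the signing key of each certificate belongs to its issuer.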