Security functions are enforced for the GlobalProtect app when you enable FIPS-CC mode.

Where Can I Use This?
- NGFW (managed by Panorama)

What Do I Need?
- GlobalProtect™ Subscription License
- PAN-OS 8.1 or a later PAN-OS version.
- GlobalProtect app 6.0.7 or a later 6.0.x version. For iOS and Android, GlobalProtect for Governments app 6.0.7 or a later GlobalProtect for Governments app 6.0.x version.

FIPS-CC Mode for GlobalProtect on Windows and macOS, ARM-based devices running on Windows and macOS, iOS, Android, and Linux.
When you enable FIPS-CC mode for GlobalProtect, the following security functions are applied to all managed GlobalProtect apps on Windows and macOS, iOS, Android, and Linux endpoints:

- You must configure the gateway to encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
- When you configure an IPSec VPN tunnel on the gateway, you must select a cipher suite option presented during IPSec setup.
- When you configure an IPSec VPN tunnel on the gateway, you can specify one of the following encryption algorithms:
  - AES-CBC-128 (with the HMAC-SHA-1 authentication algorithm)
  - AES-GCM-128
  - AES-GCM-256
- Both server and client certificates must use one of the following signature algorithms:
  - RSA 2048 bit (or greater)
  - ECDSA P-256
  - ECDSA P-384
  - ECDSA P-521
  In addition, you must use a signature hash algorithm of SHA-256, SHA-384, or SHA-512.
- The GlobalProtect app enforces strict X.509v3 verification checks on the server certificate. The verification checks are based on NIAP's FIA_X509_EXT.1 and FIA_X509_EXT.2 certificate validation and authentication requirements.
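The certificate rules above (RSA of at least 2048 bits or ECDSA on P-256/P-384/P-521, signed with SHA-256/384/512, encoded as X.509v3) are easy to get wrong when a certificate is issued outside the normal PKI, so it helps to pre-check a certificate before it is deployed to a gateway. The script below is an added example written for this page; it is not Palo Alto Networks code and does not reproduce the app's full FIA_X509_EXT.1 validation (chain building, revocation, key usage and so on are not covered). It assumes the third-party `cryptography` package is installed, and it generates its own constructed self-signed test certificates so it runs offline.

```python
"""Check whether a certificate's key and signature hash meet the FIPS-CC rules
quoted above: RSA >= 2048 bits or ECDSA P-256/P-384/P-521, signed with
SHA-256, SHA-384 or SHA-512, and encoded as X.509v3.

Added example; assumes the third-party `cryptography` package is installed.
Only the documented key/hash/version rules are checked, not the complete
NIAP FIA_X509_EXT.1 validation the GlobalProtect app performs.
"""
import datetime

# Policy values taken from the documentation text.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}
ALLOWED_CURVES = {"secp256r1", "secp384r1", "secp521r1"}  # P-256, P-384, P-521
MIN_RSA_BITS = 2048


def check_signature_policy(key_type, key_param, hash_name):
    """Pure policy check, independent of any crypto library.

    key_type:  "rsa" or "ec"
    key_param: modulus size in bits for RSA, OpenSSL-style curve name for EC
    hash_name: lowercase hash name such as "sha256" (None when the signature
               scheme carries no separate hash, e.g. Ed25519)
    Returns a list of violations; an empty list means the rules are met.
    """
    violations = []
    if key_type == "rsa":
        if key_param < MIN_RSA_BITS:
            violations.append(f"RSA key is {key_param} bits; minimum is {MIN_RSA_BITS}")
    elif key_type == "ec":
        if key_param not in ALLOWED_CURVES:
            violations.append(f"EC curve {key_param} is not P-256/P-384/P-521")
    else:
        violations.append(f"key type {key_type!r} is not RSA or ECDSA")
    if hash_name not in ALLOWED_HASHES:
        violations.append(f"signature hash {hash_name!r} is not SHA-256/384/512")
    return violations


def check_certificate(cert):
    """Apply the policy to a cryptography x509.Certificate, plus the v3 rule."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_type, key_param = "rsa", pub.key_size
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_type, key_param = "ec", pub.curve.name
    else:
        key_type, key_param = type(pub).__name__, None
    h = cert.signature_hash_algorithm  # None for EdDSA-style signatures
    violations = check_signature_policy(key_type, key_param, h.name if h else None)
    if cert.version != x509.Version.v3:
        violations.append(f"certificate is {cert.version.name}, not X.509v3")
    return violations


def make_test_cert(private_key, hash_algorithm):
    """Build a constructed, short-lived self-signed certificate for the demo."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "gp-test.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(private_key, hash_algorithm)
    )


def demo():
    """One compliant and two non-compliant constructed certificates."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    cases = {
        "rsa2048-sha256": make_test_cert(rsa.generate_private_key(65537, 2048), hashes.SHA256()),
        "rsa1024-sha256": make_test_cert(rsa.generate_private_key(65537, 1024), hashes.SHA256()),
        # secp256k1 is an EC curve but not one of the listed NIST P-curves.
        "secp256k1-sha256": make_test_cert(ec.generate_private_key(ec.SECP256K1()), hashes.SHA256()),
    }
    return {label: check_certificate(cert) for label, cert in cases.items()}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else "; ".join(problems))
```

The policy is split from the certificate parsing so the same rules can be run against values pulled from `openssl x509 -text` output or an inventory export without loading each certificate; note that "ECDSA P-256" corresponds to the curve OpenSSL names `secp256r1` (prime256v1), and a Koblitz curve such as secp256k1 is rejected even though it is also 256-bit EC.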