>
    FIPS-CC Security Functions
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect FIPS-CC Certification
    4. FIPS-CC Security Functions
    Download PDF

    GlobalProtect

    FIPS-CC Security Functions

    Table of Contents

    FIPS-CC Security Functions

    Security functions are enforced for the GlobalProtect app when you enable FIPS-CC mode.
    When you enable FIPS-CC mode for GlobalProtect, the following security functions are applied to all managed GlobalProtect apps on Windows and macOS,
    iOS, Android,
     and Linux endpoints:
    • You must configure the gateway to encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
    • When you configure an IPSec VPN tunnel on the gateway, you must select a cipher suite option presented during IPSec setup.
    • When you configure an IPSec VPN tunnel on the gateway, you can specify one of the following encryption algorithms:
      • AES-CBC-128 (with the
        HMAC-
        SHA-1 authentication algorithm)
      • AES-GCM-128
      • AES-GCM-256
    • Both server and client certificates must use one of the following signature algorithms:
      • RSA 2048 bit (or greater)
      • ECDSA P-256
      • ECDSA P-384
      • ECDSA P-521
      In addition, you must use a signature hash algorithm of SHA-256, SHA-384, or SHA-512.
    • GlobalProtect app will enforce strict X.509v3 verification checks on the server certificate.
      • The verifications checks are based on NIAP's FIA_X509_EXT.1 and FIA_X509_EXT.2 certificate validation and authentication requirements.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.