FIPS-CC Security Functions

• You must configure the gateway to encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
• When you configure an IPSec VPN tunnel on the gateway, you must select a cipher suite option presented during IPSec setup.
• When you configure an IPSec VPN tunnel on the gateway, you can specify one of the following encryption algorithms:
  • AES-CBC-128 (with the HMAC-SHA-1 authentication algorithm)
  • AES-GCM-128
  • AES-GCM-256
• Both server and client certificates must use one of the following signature algorithms:
  • RSA 2048 bit (or greater)
  • ECDSA P-256
  • ECDSA P-384
  • ECDSA P-521
  In addition, you must use a signature hash algorithm of SHA-256, SHA-384, or SHA-512.
• GlobalProtect app will enforce strict X.509v3 verification checks on the server certificate.
  • The verifications checks are based on NIAP's FIA_X509_EXT.1 and FIA_X509_EXT.2 certificate validation and authentication requirements.