Cipher Exchange Between the GlobalProtect App and Gateway
The following figure displays the exchange of ciphers
between GlobalProtect gateways and GlobalProtect apps when creating
the VPN tunnel.
Cipher Exchange Between the App
and the Gateway
The following table describes these stages in more detail.
Communication Stage | Description |
|---|---|
1. Client Hello | The app proposes a list of cipher suites
depending on the OS of the endpoint. |
2. Server Hello | The gateway selects the cipher suite proposed
by the app. When selecting the ciphers to set up the tunnel, the
gateway ignores both the number and order of cipher suites proposed
by the app and instead relies on the SSL/TLS versions and algorithm
of the gateway server certificate and its preferred list (as described
in About
GlobalProtect Cipher Selection). |
3. Optional Client Certificate | The gateway can optionally request a client
certificate from the app to use to trust the identity of the user
or endpoint. |
4. SSL Session | After setting up the SSL/TLS session, the
app authenticates with the gateway and requests the gateway configuration (Get-Config-Request).
To request the configuration, the app proposes the encryption and
authentication algorithms and other settings such as preferred IP
address for the tunnel interface. The gateway responds to the request
and selects the encryption and authentication algorithm to use based
on the configuration of the GlobalProtect IPSec Crypto Profile (Get-Config-Response). |
The following table displays an example of the cipher exchange
between an app on a macOS endpoint and the gateway.
Communication Stage | Example: macOS Endpoints |
|---|---|
1. Client Hello | TLS 1.2 37 Cipher Suites (Reference:
TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints) |
2. Server Hello |
|
3. Optional Client Certificate | Client certificates signed with ECDSA or
RSA and using SHA1, SHA256, or SHA384 |
4. SSL Session |
|
