Cipher Exchange Between the GlobalProtect App and Gateway
The following figure displays the exchange of ciphers
between GlobalProtect gateways and GlobalProtect apps when creating
the VPN tunnel.
The following table describes these stages in more detail.
Between the App and Gateway
1. Client Hello
The app proposes a list of cipher suites
depending on the OS of the endpoint.
2. Server Hello
The gateway selects the cipher suite proposed
by the app. When selecting the ciphers to set up the tunnel, the
gateway ignores both the number and order of cipher suites proposed
by the app and instead relies on the SSL/TLS versions and algorithm
of the gateway server certificate and its preferred list (as described
GlobalProtect Cipher Selection).
3. Optional Client Certificate
The gateway can optionally request a client
certificate from the app to use to trust the identity of the user
4. SSL Session
After setting up the SSL/TLS session, the
app authenticates with the gateway and requests the gateway configuration (Get-Config-Request).
To request the configuration, the app proposes the encryption and
authentication algorithms and other settings such as preferred IP
address for the tunnel interface. The gateway responds to the request
and selects the encryption and authentication algorithm to use based
on the configuration of the GlobalProtect IPSec Crypto Profile (Get-Config-Response).
The following table displays an example of the cipher exchange
between an app on a macOS endpoint and the gateway.