>
    Reference: GlobalProtect App Cryptographic Functions
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Cryptography
    4. GlobalProtect Cryptography References
    5. Reference: GlobalProtect App Cryptographic Functions
    Download PDF
    GlobalProtect

    Reference: GlobalProtect App Cryptographic Functions

    Table of Contents

    Reference: GlobalProtect App Cryptographic Functions

    The GlobalProtect app uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect app function that requires a cryptographic function and the cryptographic keys the GlobalProtect app uses:
    Crypto Function
    Key
    Usage
    Winhttp (Windows) and NSURLConnection (macOS)
    aes256-sha
    Dynamic key negotiated between the GlobalProtect app and the GlobalProtect portal and/or gateway for establishing the HTTPS connection.
    Used to establish the HTTPS connection between the GlobalProtect app and the GlobalProtect portal and GlobalProtect gateway for authentication.
    OpenSSL
    aes256-sha
    Dynamic key negotiated between the GlobalProtect app and the GlobalProtect gateway during the SSL handshake.
    Used to establish the SSL connection between the GlobalProtect app and the GlobalProtect gateway for HIP report submission, SSL tunnel negotiation, and network discovery.
    IPSec encryption and authentication
    aes-128-sha1, aes-128-cbc, aes-128-gcm, and aes-256-gcm
    The session key sent from the GlobalProtect gateway.
    Used to establish the IPSec tunnel between the GlobalProtect app and the GlobalProtect gateway. Use the strongest algorithm supported by your network (AES-GCM is recommended).
    To provide data integrity and authenticity protection, the aes-128-cbc cipher requires the sha1 authentication algorithm. Because AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the sha1 authentication algorithm is ignored for these ciphers even though it is required during configuration.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.