Reference: GlobalProtect Agent Cryptographic Functions
The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function that requires a cryptographic function and the cryptographic keys the GlobalProtect agent uses:
Cryptographic function: Winhttp (Windows) and NSURLConnection (Mac)
Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect portal and/or gateway for establishing the HTTPS connection.
Used to establish the HTTPS connection between the GlobalProtect agent and the GlobalProtect portal and GlobalProtect gateway for authentication.

Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect gateway during the SSL handshake.
Used to establish the SSL connection between the GlobalProtect agent and the GlobalProtect gateway for HIP report submission, SSL tunnel negotiation, and network discovery.

IPsec encryption and authentication
Algorithms: aes-128-sha1, aes-128-cbc, aes-128-gcm, and aes-256-gcm
The session key sent from the GlobalProtect gateway.
Used to establish the IPsec tunnel between the GlobalProtect agent and the GlobalProtect gateway. Use the strongest algorithm supported by your network (AES-GCM is recommended).
To provide data integrity and authenticity protection, the aes-128-cbc cipher requires the sha1 authentication algorithm. Because the AES-GCM ciphers (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the sha1 authentication algorithm is ignored for them even though the configuration still requires it to be set.
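As an added illustration, not part of the original page or of the GlobalProtect software, the Go program below models why the sha1 setting matters for aes-128-cbc but is redundant for the GCM ciphers: aes-128-cbc alone, aes-128-cbc with HMAC-SHA1 (encrypt-then-MAC, as ESP applies it), and aes-128-gcm are each fed a packet with one flipped ciphertext bit. The keys, IV, nonce and payload are constructed for the demo, and ESP framing (SPI, sequence number, padding) is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// Constructed demo key material; a real ESP SA receives it from the gateway.
var (
	encKey  = []byte("0123456789abcdef")     // 16 bytes: aes-128
	authKey = []byte("constructed-sha1-key") // HMAC-SHA1 key
	iv      = []byte("demo-iv-16-bytes")     // CBC IV, fixed so the demo is deterministic
	nonce   = []byte("demo-nonce12")         // 12-byte GCM nonce, demo only
	blk, _  = aes.NewCipher(encKey)
)
// cbc is aes-128-cbc on its own: confidentiality only. Input is block-aligned, as ESP pads first.
func cbc(in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}
// tag is the HMAC-SHA1 that the sha1 authentication algorithm adds over the ciphertext.
func tag(ct []byte) []byte { m := hmac.New(sha1.New, authKey); m.Write(ct); return m.Sum(nil) }
// Encrypt-then-MAC: what ESP does when aes-128-cbc is paired with sha1.
func sealCBCSHA1(pt []byte) []byte { ct := cbc(pt, true); return append(ct, tag(ct)...) }
func openCBCSHA1(msg []byte) ([]byte, error) {
	if n := len(msg) - sha1.Size; n < 0 || !hmac.Equal(msg[n:], tag(msg[:n])) {
		return nil, fmt.Errorf("HMAC-SHA1 check failed")
	}
	return cbc(msg[:len(msg)-sha1.Size], false), nil
}

// AES-GCM carries its own tag, so no separate HMAC runs: this is why sha1 is ignored for GCM.
func sealGCM(pt []byte) []byte           { g, _ := cipher.NewGCM(blk); return g.Seal(nil, nonce, pt, nil) }
func openGCM(msg []byte) ([]byte, error) { g, _ := cipher.NewGCM(blk); return g.Open(nil, nonce, msg, nil) }
// flipBit models a single bit modified in transit.
func flipBit(msg []byte) []byte { out := append([]byte(nil), msg...); out[0] ^= 1; return out }
func main() {
	pt := []byte("HIP report frag.") // constructed 16-byte payload
	fmt.Printf("cbc alone: %q\n", cbc(flipBit(cbc(pt, true)), false)) // garbled, but no error
	fmt.Println(openCBCSHA1(flipBit(sealCBCSHA1(pt))))
	fmt.Println(openGCM(flipBit(sealGCM(pt))))
}
```

Without the sha1 tag, CBC silently returns a corrupted block to the receiver; with it, and with GCM, the modified packet is rejected before any plaintext is released.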