About GlobalProtect Cipher Selection

GlobalProtect supports both IPSec and SSL tunnel modes. GlobalProtect can also be configured to require the GlobalProtect agent to always attempt to set up an IPSec tunnel first, falling back to an SSL tunnel only if that fails. Even with an IPSec tunnel, the GlobalProtect agent uses SSL/TLS to exchange the encryption and authentication algorithms and the keys. The cipher suite that GlobalProtect uses to secure the SSL/TLS tunnel depends on:
  • SSL/TLS versions accepted by the gateway—The GlobalProtect portal and gateways can restrict the list of cipher suites available for the client using SSL/TLS profiles. On the firewall, you create the SSL/TLS profile by specifying the certificate and the allowed protocol versions and associate that to the GlobalProtect portal and gateway.
  • Algorithm of the server certificate of the gateway—The operating system of the endpoint determines which cipher suites the GlobalProtect agent includes in its Client Hello message. As long as the GlobalProtect agent includes the cipher suite that the gateway prefers to use, the gateway selects that cipher suite for the SSL session. The order of cipher suites within the Client Hello message does not affect the cipher suite selection: the gateway selects the cipher suite based on the SSL/TLS service profile, the algorithm of the gateway server certificate, and its own preference list. You select the service profile in the GlobalProtect gateway authentication configuration.
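To make the selection rule above concrete, here is an added model (not PAN-OS or GlobalProtect code; the profile fields, suite tables and sample suite lists are constructed) of a server that enforces its own preference order, can only offer suites its certificate's key algorithm supports, and ignores the order in the Client Hello:

```python
"""Model of server-preference cipher suite selection.  Added illustration,
not PAN-OS code: the profile fields and suite tables are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Certificate key algorithm each TLS 1.2 key-exchange family requires.
# TLS 1.3 suites do not depend on the certificate's algorithm.
SUITE_CERT_ALG = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "ECDSA",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "ECDSA",
    "ECDHE-RSA-AES256-GCM-SHA384": "RSA",
    "ECDHE-RSA-AES128-GCM-SHA256": "RSA",
    "AES256-GCM-SHA384": "RSA",       # static RSA key exchange, no forward secrecy
    "TLS_AES_256_GCM_SHA384": None,   # TLS 1.3: any certificate algorithm
    "TLS_AES_128_GCM_SHA256": None,
}
# Protocol version each suite belongs to (TLS_* names are TLS 1.3 suites).
SUITE_VERSION = {s: ("1.3" if s.startswith("TLS_") else "1.2") for s in SUITE_CERT_ALG}


@dataclass
class TlsServiceProfile:
    """Constructed stand-in for an SSL/TLS service profile: the certificate's
    key algorithm, the allowed protocol versions and the server's suite order."""
    cert_algorithm: str          # "RSA" or "ECDSA"
    allowed_versions: set[str]   # e.g. {"1.2", "1.3"}
    preferred_order: list[str]   # server's preference, most preferred first


def usable_suites(profile: TlsServiceProfile) -> list[str]:
    """Suites the server can actually offer: version allowed by the profile
    and key exchange compatible with the certificate's algorithm."""
    out = []
    for suite in profile.preferred_order:
        if SUITE_VERSION[suite] not in profile.allowed_versions:
            continue
        needed = SUITE_CERT_ALG[suite]
        if needed is not None and needed != profile.cert_algorithm:
            continue
        out.append(suite)
    return out


def select_cipher(profile: TlsServiceProfile, client_hello_suites: list[str]) -> str | None:
    """Server-preference selection: the first usable suite in the *server's*
    order that the client also offered.  Client Hello order plays no part."""
    offered = set(client_hello_suites)
    for suite in usable_suites(profile):
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails
```

Swapping the certificate algorithm in the profile changes the negotiated suite even when the client's offer is unchanged, which is the effect the bullet above describes.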
