Cipher Exchange Between the GlobalProtect Agent and Gateway
The following figure displays the exchange of ciphers
between GlobalProtect gateways and GlobalProtect agents when creating
the VPN tunnel.
The following table describes these stages in more detail.
Cipher Exchange Between
the Agent and Gateway
1. Client Hello
The agent proposes a list of cipher suites
depending on the OS of the endpoint.
2. Server Hello
The gateway selects the cipher suite proposed
by the agent. When selecting the ciphers to set up the tunnel, the
gateway ignores both the number and order of cipher suites proposed
by the agent and instead relies on the SSL/TLS versions and algorithm
of the gateway server certificate and its preferred list (as described
GlobalProtect Cipher Selection).
3. Optional Client Certificate
The gateway can optionally request a client
certificate from the agent to use to trust the identity of the user
4. SSL Session
After setting up the SSL/TLS session, the
agent authenticates with the gateway and requests the gateway configuration (Get-Config-Request).
To request the configuration, the agent proposes the encryption
and authentication algorithms and other settings such as preferred
IP address for the tunnel interface. The gateway responds to the
request and selects the encryption and authentication algorithm
to use based on the configuration of the GlobalProtect IPSec Crypto
The following table displays an example of the cipher exchange
between an agent on a Mac endpoint and the gateway.