Cipher Exchange Between the GlobalProtect Agent and Gateway
The following figure displays the exchange of ciphers
between GlobalProtect gateways and GlobalProtect agents when creating
the VPN tunnel.
Cipher Exchange Between the Agent
and the Gateway
The following table describes these stages in more detail.
Communication Stage | Description |
|---|---|
1. Client Hello | The agent proposes a list of cipher suites
depending on the OS of the endpoint. |
2. Server Hello | The gateway selects the cipher suite proposed
by the agent. When selecting the ciphers to set up the tunnel, the
gateway ignores both the number and order of cipher suites proposed
by the agent and instead relies on the SSL/TLS versions and algorithm
of the gateway server certificate and its preferred list (as described
in About
GlobalProtect Cipher Selection). |
3. Optional Client Certificate | The gateway can optionally request a client
certificate from the agent to use to trust the identity of the user
or endpoint. |
4. SSL Session | After setting up the SSL/TLS session, the
agent authenticates with the gateway and requests the gateway configuration (Get-Config-Request).
To request the configuration, the agent proposes the encryption
and authentication algorithms and other settings such as preferred
IP address for the tunnel interface. The gateway responds to the
request and selects the encryption and authentication algorithm
to use based on the configuration of the GlobalProtect IPSec Crypto
Profile (Get-Config-Response). |
The following table displays an example of the cipher exchange
between an agent on a Mac endpoint and the gateway.
Communication Stage | Example: Mac Endpoints |
|---|---|
1. Client Hello | TLS 1.2 37 Cipher Suites (Reference:
TLS Ciphers Supported by GlobalProtect Agents on Mac Endpoints) |
2. Server Hello |
|
3. Optional Client Certificate | Client certificates signed with ECDSA or
RSA and using SHA1, SHA256, or SHA384 |
4. SSL Session |
|
