GlobalProtect Agent Cryptographic Functions
The GlobalProtect agent uses the OpenSSL library 1.0.1h to establish secure communication with the GlobalProtect portal and GlobalProtect gateways. The following table lists each GlobalProtect agent function that requires a cryptographic function and the cryptographic keys the GlobalProtect agent uses:
Winhttp (Windows) and NSURLConnection (MAC)
Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect portal and/or gateway for establishing the HTTPS connection.
Used to establish the HTTPS connection between the GlobalProtect agent and the GlobalProtect portal and GlobalProtect gateway for authentication.
Dynamic key negotiated between the GlobalProtect agent and the GlobalProtect gateway during the SSL handshake.
Used to establish the SSL connection between the GlobalProtect agent and the GlobalProtect gateway for HIP report submission, SSL tunnel negotiation, and network discovery.
IPSec encryption and authentication
aes-128-sha1, aes-128-cbc, aes-128-gcm, and aes-256-gcm
The session key sent from the GlobalProtect gateway.
Used to establish the IPSec tunnel between the GlobalProtect agent and the GlobalProtect gateway. Use the strongest algorithm supported by your network (AES-GCM is recommended).
To provide data integrity and authenticity protection, the aes-128-cbc cipher requires the sha1 authentication algorithm. Because AES-GCM encryption algorithms (aes-128-gcm and aes-256-gcm) natively provide ESP integrity protection, the sha1 authentication algorithm is ignored for these ciphers even though it is required during configuration.
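The difference described above, shown as an added example (not Palo Alto Networks code) using Go's standard library: one ciphertext bit is changed in transit, and only the modes that carry integrity protection reject the packet. The mode labels `cbc-only`, `cbc+sha1` and `gcm`, the keys, the IV and the payload are constructed for this example, and ESP packet framing is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// Constructed sample values, fixed so the run is repeatable; real tunnels use fresh IVs/nonces.
var encKey = []byte("0123456789abcdef") // 16 bytes: AES-128
var authKey = []byte("constructed-hmac-sha1-key")
var iv = []byte("constructed-iv16") // CBC IV; first 12 bytes double as the GCM nonce
var payload = []byte("constructed 32-byte ESP payload.")

func tag(ct []byte) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(ct)
	return m.Sum(nil)
}

// receive encrypts payload, XORs flip into the first ciphertext byte, then decrypts as the peer would.
func receive(mode string, flip byte) ([]byte, bool) {
	blk, _ := aes.NewCipher(encKey)
	if mode == "gcm" { // AEAD: the integrity check is part of Open
		aead, _ := cipher.NewGCM(blk)
		msg := aead.Seal(nil, iv[:12], payload, nil)
		msg[0] ^= flip
		pt, err := aead.Open(nil, iv[:12], msg, nil)
		return pt, err == nil
	}
	ct := make([]byte, len(payload))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, payload)
	mac := tag(ct) // sender's HMAC-SHA1 over the ciphertext
	ct[0] ^= flip
	if mode == "cbc+sha1" && !hmac.Equal(mac, tag(ct)) {
		return nil, false
	}
	pt := make([]byte, len(ct)) // "cbc-only": nothing detects the change
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt, true
}

func main() {
	for _, m := range []string{"cbc-only", "cbc+sha1", "gcm"} {
		_, ok := receive(m, 1)
		fmt.Printf("%-8s tampered packet accepted: %v\n", m, ok)
	}
}
```

In the `cbc-only` case the receiver accepts the packet and gets corrupted plaintext back, which is why the CBC cipher has to be paired with an authentication algorithm.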