About GlobalProtect Cipher Selection

GlobalProtect supports both IPsec and SSL tunnel modes. GlobalProtect also supports the ability to enable and require the GlobalProtect app to always attempt to set up an IPsec tunnel first before falling back to an SSL tunnel. With an IPsec tunnel, the GlobalProtect app uses SSL/TLS to exchange encryption and authentication algorithms and the keys. The cipher suite that GlobalProtect selects to secure the SSL/TLS tunnel depends on:
  • SSL/TLS versions accepted by the gateway—The GlobalProtect portal and gateways can restrict the list of cipher suites available for the app using SSL/TLS profiles. On the firewall, you create the SSL/TLS profile by specifying the certificate and the allowed protocol versions, and you associate that profile with the GlobalProtect portal and gateway.
  • Algorithm of the server certificate of the gateway—The operating system of the endpoint determines what cipher suites the GlobalProtect app includes in its Client Hello message. As long as the GlobalProtect app includes the cipher suite that the gateway prefers to use, the gateway will select that cipher suite for the SSL session. The order of cipher suites within the Client Hello message does not affect the cipher suite selection: The gateway selects the cipher suite based on the SSL/TLS service profile and the algorithm of the gateway server certificate and its preferred list. You select the service profile from the GlobalProtect gateway authentication configuration.
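The two selection rules above (the gateway's SSL/TLS profile bounds the protocol version, and the gateway picks from its own preferred list only suites that its server certificate's key algorithm can authenticate and that the app actually offered, ignoring the order in the Client Hello) can be modelled as a small server-preference negotiation. The following is an added illustration, not GlobalProtect or PAN-OS code: the suite table, the gateway preference order, the profile values and the client offers are all constructed for the example, and it models the TLS 1.2-and-earlier case where a suite name fixes the authentication key type.

```python
"""Model of server-preference cipher-suite selection for a TLS gateway.

Added example (not GlobalProtect code). Suite table, preference order,
profile bounds and client offers are constructed for illustration.
"""
from dataclasses import dataclass

# Protocol versions in ascending order; used for range comparisons.
VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2")

# For each suite: the certificate key algorithm it authenticates with, and
# the minimum protocol version at which it is defined. Constructed subset.
SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ("ECDSA", "TLSv1.2"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ("ECDSA", "TLSv1.2"),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": ("RSA", "TLSv1.2"),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": ("RSA", "TLSv1.2"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": ("RSA", "TLSv1.0"),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("RSA", "TLSv1.0"),
}


@dataclass(frozen=True)
class GatewayProfile:
    """Gateway-side inputs: version bounds from the SSL/TLS service profile,
    the key algorithm of the gateway server certificate, and the gateway's
    own preference order (a hypothetical list; the real order is not given)."""
    min_version: str
    max_version: str
    cert_key_algorithm: str
    preference: tuple


class HandshakeFailure(Exception):
    """Raised when no protocol version or cipher suite is acceptable to both sides."""


def negotiate_version(profile, client_max_version):
    """Highest protocol version inside the profile's bounds that the client
    also supports, or None when the ranges do not overlap."""
    chosen = min(client_max_version, profile.max_version, key=VERSIONS.index)
    if VERSIONS.index(chosen) < VERSIONS.index(profile.min_version):
        return None
    return chosen


def usable_suites(profile, version):
    """The gateway's preference list filtered to suites its certificate can
    authenticate and that exist at the negotiated protocol version."""
    return [
        suite for suite in profile.preference
        if SUITES[suite][0] == profile.cert_key_algorithm
        and VERSIONS.index(SUITES[suite][1]) <= VERSIONS.index(version)
    ]


def select_cipher_suite(profile, client_max_version, client_suites):
    """Server-preference selection: walk the gateway's filtered list in the
    gateway's order and take the first suite the client offered. The client's
    own ordering is deliberately discarded by turning the offer into a set."""
    version = negotiate_version(profile, client_max_version)
    if version is None:
        raise HandshakeFailure("no protocol version in common")
    offered = set(client_suites)
    for suite in usable_suites(profile, version):
        if suite in offered:
            return version, suite
    raise HandshakeFailure("client offered no suite the gateway certificate can use")


# Constructed scenarios: the same preference order behind an ECDSA and an RSA certificate.
PREFERENCE = tuple(SUITES)
ECDSA_GATEWAY = GatewayProfile("TLSv1.2", "TLSv1.2", "ECDSA", PREFERENCE)
RSA_GATEWAY = GatewayProfile("TLSv1.0", "TLSv1.2", "RSA", PREFERENCE)
# A modern client's offer, listed with its least-preferred suite first on purpose.
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]
# An older OS that tops out at TLS 1.1 and offers one CBC suite plus a GCM suite.
LEGACY_CLIENT = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print(select_cipher_suite(ECDSA_GATEWAY, "TLSv1.2", MODERN_CLIENT))
    print(select_cipher_suite(ECDSA_GATEWAY, "TLSv1.2", list(reversed(MODERN_CLIENT))))
    print(select_cipher_suite(RSA_GATEWAY, "TLSv1.1", LEGACY_CLIENT))
    try:
        select_cipher_suite(ECDSA_GATEWAY, "TLSv1.1", LEGACY_CLIENT)
    except HandshakeFailure as err:
        print("failed:", err)
```

Running the scenarios shows the behaviour the text describes: behind the ECDSA certificate the gateway picks its preferred ECDSA suite whether or not the client listed it first, the same client gets an RSA suite when the certificate is RSA, a TLS 1.1 client is held to suites defined at that version, and a client whose maximum version falls below the profile's minimum fails before any suite is considered.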
