>
    About GlobalProtect Cipher Selection
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Cryptography
    4. About GlobalProtect Cipher Selection
    Download PDF
    GlobalProtect

    About GlobalProtect Cipher Selection

    Table of Contents
    End-of-Life (EoL)

    About GlobalProtect Cipher Selection

    GlobalProtect supports both IPsec and SSL tunnel modes. GlobalProtect also supports the ability to enable and require the GlobalProtect app to always attempt to set up an IPsec tunnel first before falling back to an SSL tunnel. With an IPsec tunnel, the GlobalProtect app uses SSL/TLS to exchange encryption and authentication algorithms and the keys. The selection of cipher suite that GlobalProtect uses to secure the SSL/TLS tunnel depend on:
    • SSL/TLS versions accepted by the gateway—The GlobalProtect portal and gateways can restrict the list of cipher suites available for the app using SSL/TLS profiles. On the firewall, you create the SSL/TLS profile by specifying the certificate and the allowed protocol versions and associate that to the GlobalProtect portal and gateway.
    • Algorithm of the server certificate of the gateway—The operating system of the endpoint determines what cipher suites the GlobalProtect app includes in its Client Hello message. As long as the GlobalProtect app includes the cipher suite that the gateway prefers to use, the gateway will select that cipher suite for the SSL session. The order of cipher suites within the Client Hello message does not affect the cipher suite selection: The gateway selects the cipher suite based on the SSL/TLS service profile and the algorithm of the gateway server certificate and its preferred list. You select the service profile from the GlobalProtect gateway authentication configuration.

    © 2024 Palo Alto Networks, Inc. All rights reserved.