GlobalProtect
Cipher Exchange Between the GlobalProtect App and Gateway
Table of Contents
Cipher Exchange Between the GlobalProtect App and Gateway
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
The following figure displays the exchange of ciphers
between GlobalProtect gateways and GlobalProtect apps when creating
the VPN tunnel.
The following table describes these stages in more detail.
Communication Stage | Description |
|---|---|
1. Client Hello | The app proposes a list of cipher suites
depending on the OS of the endpoint. |
2. Server Hello | The gateway selects the cipher suite proposed by the app. When selecting the ciphers to set up
the tunnel, the gateway ignores both the number and order of cipher
suites proposed by the app and instead relies on the SSL/TLS
versions and algorithm of the gateway server certificate and its
preferred list (as described in About GlobalProtect Cipher
Selection). |
3. Optional Client Certificate | The gateway can optionally request a client
certificate from the app to use to trust the identity of the user
or endpoint. |
4. SSL Session | After setting up the SSL/TLS session, the app authenticates with the gateway and requests the
gateway configuration (Get-Config-Request). To request the
configuration, the app proposes the encryption and authentication
algorithms and other settings such as preferred IP address for the
tunnel interface. The gateway responds to the request and selects
the encryption and authentication algorithm to use based on the
configuration of the GlobalProtect IPSec Crypto Profile
(Get-Config-Response) for an IPSec protocol and IKE Crypto Profile
for an IKEv2 protocol. |
The following table displays an example of the cipher exchange
between an app on a macOS endpoint and the gateway.
Communication Stage | Example: macOS Endpoints |
|---|---|
1. Client Hello | TLS 1.2 37 Cipher Suites () |
2. Server Hello |
|
3. Optional Client Certificate | Client certificates signed with ECDSA or
RSA and using SHA1, SHA256, or SHA384 |
4. SSL Session |
|