Use the GlobalProtect IPSec Crypto Profiles page to specify algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. The order in which you add algorithms is the order in which the firewall applies them, and can affect tunnel security and performance. To change the order, select an algorithm and Move Up or Move Down.
For VPN tunnels between GlobalProtect gateways and satellites (firewalls), see Network > Network Profiles > IPSec Crypto.
GlobalProtect IPSec Crypto Profile Setting Description
Name Enter a name to identify the profile. The name is case-sensitive, must be unique, and can have up to 31 characters. Use only letters, numbers, spaces, hyphens, and underscores.
Encryption Click Add and select the desired encryption algorithms. If you are not certain of what the VPN peers support, you can add multiple encryption algorithms in top-to-bottom order of most-to-least secure, as follows— aes-256-gcm, aes-128-gcm, and aes-128-cbc. The peers negotiate the strongest algorithm to establish the tunnel.
Authentication Click Add and select the authentication algorithm to provide data integrity and authenticity protection. Currently, the only option is sha1. Although the authentication algorithm is required for the profile, this setting only applies to the AES-CBC cipher ( aes-128-cbc). If you use an AES-GCM encryption algorithm ( aes-256-gcm or aes-128-gcm), the setting is ignored because these ciphers natively provide ESP integrity protection.

Related Documentation