FIPS-CC Security Functions
Security functions are enforced for the GlobalProtect app when you enable FIPS-CC mode.
When you enable FIPS-CC mode for GlobalProtect, the following security functions are applied to all managed GlobalProtect apps on Windows, macOS, iOS, Android, and Linux endpoints:
  • You must configure the gateway to encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
  • When you configure an IPSec VPN tunnel on the gateway, you must select one of the cipher-suite options presented during IPSec setup. Only the following encryption algorithms are available:
    • AES-CBC-128 (with the HMAC-SHA-1 authentication algorithm)
    • AES-GCM-128 (AEAD; no separate authentication algorithm)
    • AES-GCM-256 (AEAD; no separate authentication algorithm)
  • Both server and client certificates must use one of the following signature algorithms (key type and size):
    • RSA 2048-bit (or greater)
    • ECDSA P-256
    • ECDSA P-384
    • ECDSA P-521
    In addition, the certificate signature must use a hash algorithm of SHA-256, SHA-384, or SHA-512. Certificates signed with SHA-1, or with RSA keys shorter than 2048 bits, are rejected.
  • The GlobalProtect app enforces strict X.509v3 verification checks on the server certificate.
    • The verification checks are based on NIAP's FIA_X509_EXT.1 (certificate validation) and FIA_X509_EXT.2 (certificate authentication) requirements.
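The certificate requirements above (RSA 2048-bit or greater, or ECDSA on P-256/P-384/P-521, signed with SHA-256/384/512, X.509v3) are easy to get wrong when a gateway or client certificate is issued by an internal CA. The following Go program is an added example, not GlobalProtect code or Palo Alto Networks tooling: it checks a parsed certificate against exactly those rules and exercises the check with self-signed sample certificates generated in memory. The subject name `gp-gateway.example.test`, the sample key sizes and curves, and the decision to count RSA-PSS as an RSA signature with an approved hash are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature algorithms that pair RSA or ECDSA with SHA-256/384/512.
// RSA-PSS variants are included on the assumption that an RSA signature
// with an approved hash is acceptable regardless of padding scheme.
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckFIPSCC reports whether cert meets the FIPS-CC key-type, key-size,
// signature-hash and X.509v3 requirements, with a reason on failure.
func CheckFIPSCC(cert *x509.Certificate) (bool, string) {
	// Go stores the version one-indexed, so an X.509v3 certificate has Version == 3.
	if cert.Version != 3 {
		return false, fmt.Sprintf("certificate version is %d, need X.509v3", cert.Version)
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			return false, fmt.Sprintf("RSA key is %d bits, need 2048 or greater", pub.N.BitLen())
		}
	case *ecdsa.PublicKey:
		switch pub.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
			// approved curve
		default:
			return false, fmt.Sprintf("ECDSA curve %s is not P-256/P-384/P-521", pub.Curve.Params().Name)
		}
	default:
		return false, fmt.Sprintf("unsupported public key type %T", cert.PublicKey)
	}
	if !allowedSigAlgs[cert.SignatureAlgorithm] {
		return false, fmt.Sprintf("signature algorithm %s is not RSA/ECDSA with SHA-256/384/512", cert.SignatureAlgorithm)
	}
	return true, "ok"
}

// selfSigned builds a minimal self-signed certificate for key with the
// requested signature algorithm. The subject is a constructed sample name.
func selfSigned(key crypto.Signer, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "gp-gateway.example.test"},
		NotBefore:          now,
		NotAfter:           now.Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo generates constructed sample certificates (keys created in memory,
// not taken from any real gateway) and returns the verdict for each.
func Demo() (map[string]bool, error) {
	cases := []struct {
		name   string
		gen    func() (crypto.Signer, error)
		sigAlg x509.SignatureAlgorithm
	}{
		{"rsa2048-sha256", func() (crypto.Signer, error) { return rsa.GenerateKey(rand.Reader, 2048) }, x509.SHA256WithRSA},
		{"rsa1024-sha256", func() (crypto.Signer, error) { return rsa.GenerateKey(rand.Reader, 1024) }, x509.SHA256WithRSA},
		{"p256-sha256", func() (crypto.Signer, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }, x509.ECDSAWithSHA256},
		{"p384-sha384", func() (crypto.Signer, error) { return ecdsa.GenerateKey(elliptic.P384(), rand.Reader) }, x509.ECDSAWithSHA384},
		{"p224-sha256", func() (crypto.Signer, error) { return ecdsa.GenerateKey(elliptic.P224(), rand.Reader) }, x509.ECDSAWithSHA256},
	}
	results := make(map[string]bool, len(cases))
	for _, c := range cases {
		key, err := c.gen()
		if err != nil {
			return nil, fmt.Errorf("%s: keygen: %w", c.name, err)
		}
		cert, err := selfSigned(key, c.sigAlg)
		if err != nil {
			return nil, fmt.Errorf("%s: cert: %w", c.name, err)
		}
		ok, reason := CheckFIPSCC(cert)
		results[c.name] = ok
		fmt.Printf("%-16s compliant=%-5v %s\n", c.name, ok, reason)
	}
	return results, nil
}

func main() {
	if _, err := Demo(); err != nil {
		panic(err)
	}
}
```

To check a real gateway or client certificate, read the PEM file, `pem.Decode` it, pass the DER bytes to `x509.ParseCertificate`, and call `CheckFIPSCC` on the result. The check covers only the algorithm and version rules listed on this page; it does not perform the chain, revocation and name-matching validation that the FIA_X509_EXT.1 and FIA_X509_EXT.2 requirements add on top.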