Focus

GlobalProtect

FIPS-CC Security Functions

Table of Contents

Filter

Expand All | Collapse All

GlobalProtect Docs

Administration
Version
- 10.1 & Later
- 9.1 (EoL)
User Guide
Version
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
New Feature
Version
- 6.1
- 6.0
- 5.1
Release Notes
Version
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1

Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints

Resolve FIPS-CC Mode Issues

FIPS-CC Security Functions

Security functions are enforced for the GlobalProtect app when you enable FIPS-CC mode.

When you enable FIPS-CC mode for GlobalProtect, the following security functions are applied to all managed GlobalProtect apps on Windows and macOS, iOS, Android, and Linux endpoints:

You must configure the gateway to encrypt all VPN tunnels between the GlobalProtect app and gateways using TLS or IPSec.
When you configure an IPSec VPN tunnel on the gateway, you must select a cipher suite option presented during IPSec setup.
When you configure an IPSec VPN tunnel on the gateway, you can specify one of the following encryption algorithms:
- AES-CBC-128 (with the HMAC-SHA-1 authentication algorithm)
- AES-GCM-128
- AES-GCM-256
Both server and client certificates must use one of the following signature algorithms:
- RSA 2048 bit (or greater)
- ECDSA P-256
- ECDSA P-384
- ECDSA P-521
In addition, you must use a signature hash algorithm of SHA-256, SHA-384, or SHA-512.
GlobalProtect app will enforce strict X.509v3 verification checks on the server certificate.
- The verifications checks are based on NIAP's FIA_X509_EXT.1 and FIA_X509_EXT.2 certificate validation and authentication requirements.

Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints

Resolve FIPS-CC Mode Issues

GlobalProtect Docs

FIPS-CC Security Functions

GlobalProtect Docs

FIPS-CC Security Functions

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Experts Corner